Authors: 丁兆晶, 姚晓旭 [2], 魏继增 [1], 顾海华 [3,4], 郭炜 [1]
Affiliations: [1] School of Computer Science and Technology, Tianjin University, Tianjin 300072; [2] Department of Electronic Engineering, City University of Hong Kong; [3] Shanghai Huahong Integrated Circuit Co., Ltd., Shanghai 201203; [4] Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 201240
Source: Journal of Cryptologic Research (密码学报), 2014, No. 3, pp. 268-278 (11 pages)
Funding: National Natural Science Foundation of China (61202372); Tianjin Applied Basic Research and Frontier Technology Research Program, key project (11JCZDJC1580)
Abstract: Because of its inherent advantages in constructing cryptographic protocols, the bilinear pairing has attracted increasing attention from researchers in China and abroad. In recent years, pairing-based cryptographic algorithms have become considerably faster, and their practical value is being explored further. Standardization of pairing-based encryption mechanisms is under way: the pairing-based cryptosystem standard IEEE P1363.3 is in preparation, and China has also started standardizing identity-based cryptography. To guarantee security in practical use, the physical security of pairing-based cryptographic algorithms has also become a focus of cryptographic research. At present, the physical attacks on pairing-based cryptographic algorithms are mainly power analysis attacks and fault attacks. This paper analyzes in depth the security of pairing-based cryptographic algorithms under fault attacks and proposes a branch fault attack against their main step, the Miller loop. The attack applies to almost all pairing-based cryptographic algorithms that contain a Miller loop, and it can be mounted with a variety of fault injection methods. In addition, it recovers the key whether the secret point is P or Q. To demonstrate the feasibility and correctness of the method, the paper takes the Tate pairing on a Barreto-Naehrig curve over a prime field as an example and describes the principle and procedure of the attack in detail. Finally, the paper discusses practical ways of injecting branch faults from both the dynamic and the static perspective and gives several countermeasures against the attack. These countermeasures have almost no effect on the speed of the original algorithm and have the advantage of low implementation cost.
Classification: TN918.4 [Electronics and Telecommunications: Communication and Information Systems]