西安电子科技大学学报 ›› 2021, Vol. 48 ›› Issue (4): 192-199.doi: 10.19665/j.issn1001-2400.2021.04.025

• 计算机科学与技术&网络空间安全 • 上一篇    下一篇

AES相关故障注入攻击

王省欣(),胡伟(),谭静(),朱嘉诚(),唐时博()   

  1. 西北工业大学 网络空间安全学院,陕西 西安 710072
  • 收稿日期:2020-03-16 出版日期:2021-08-30 发布日期:2021-08-31
  • 通讯作者: 胡伟
  • 作者简介:王省欣(1998—),女,西北工业大学硕士研究生,E-mail: w2x@mail.nwpu.edu.cn|谭 静(1997—),女,西北工业大学硕士研究生,E-mail: tanjing@mail.nwpu.edu.cn|朱嘉诚(1996—),男,西北工业大学硕士研究生,E-mail: zhu_jc@mail.nwpu.edu.cn|唐时博(1994—),男,西北工业大学博士研究生,E-mail: tangshibo@mail.nwpu.edu.cn
  • 基金资助:
    国家自然科学基金(62074131);陕西省自然科学基金(2019JM-244);西北工业大学硕士研究生创意创新种子基金(CX2020297)

Correlation fault attack on AES

WANG Xingxin(),HU Wei(),TAN Jing(),ZHU Jiacheng(),TANG Shibo()   

  1. School of Cybersecurity,Northwestern Polytechnical University,Xi’an 710072,China
  • Received:2020-03-16 Online:2021-08-30 Published:2021-08-31
  • Contact: Wei HU

摘要:

由于故障注入攻击方法大多对故障注入的位置、时机和数量有严格的要求,密钥恢复过程中往往需要复杂的数学分析,或者需要大量时间来训练故障攻击模板,故提出一种针对不同密钥长度高级加密标准算法实现的简单相关故障注入攻击方法,利用高级加密标准故障效应传播中的相关关系恢复密钥。该攻击方法对故障注入位置和数量要求更为灵活,且只需通过简单的相关性分析即可破解密钥。实验结果表明:在不同密钥长度高级加密标准算法实现倒数第3轮(Nr- 2)列混合变换前至S盒变换之间任意位置注入随机故障后,分析最后一轮S盒输入的故障效应相关关系即可恢复最后一轮的轮密钥;在192位和256位高级加密标准算法实现倒数第4轮(Nr- 3)列混合变换前至S盒变换之间任意位置注入随机故障后可恢复倒数第2轮(Nr- 1)列的轮密钥。该方法的密钥搜索复杂度为216,只需2个正确-错误密文对或同一明文下的4条错误密文即可恢复128位高级加密标准初始密钥;只需4个正确-错误密文对或同一明文下的8条错误密文即可恢复192和256位高级加密标准初始密钥。

关键词: 侧信道分析, 故障注入攻击, 相关故障分析, 高级加密标准

Abstract:

Fault injection attack is an effective cryptanalysis method.However,most existing fault injection attacks have strict restrictions on the location,time and number of faults injected,require complicated mathematical derivation during the key recovery process or need a huge amount of time to train fault attack templates.This paper proposes a comprehensive correlation fault injection attack on AES implementations of different key lengths,leveraging the correlation in the fault effect propagation in AES to recover the key.Our attack method uses a more flexible fault model in terms of the location and number of fault injections while only requiring simple correlation analysis to recover the key.Experimental results using AES implementations of variable key sizes show that random faults injected at any position before the mix-columns operation in the-2 round will allow successful recovery of the last round key through correlation analysis of the fault effects at the inputs of the S-Box in the final round.Additional random faults injected at any position before the mix-columns operation in the-3 round will allow the recovery of the round key before the final round.The key search complexity of the proposed method is 216.Two correct and faulty ciphertext pairs or four faulty ciphertexts under the same plaintext are sufficient to recover the original key of AES-128 and four correct and faulty ciphertext pairs or eight faulty ciphertexts under the same plaintext are sufficient to recover the original key of AES-192 and AES-256.

Key words: side channel analysis, fault injection attack, correlation fault analysis, advanced encryption standard

中图分类号: 

  • TP309