AES相关故障注入攻击

doi:10.19665/j.issn1001-2400.2021.04.025

Abstract

Abstract:

Fault injection attack is an effective cryptanalysis method.However,most existing fault injection attacks have strict restrictions on the location,time and number of faults injected,require complicated mathematical derivation during the key recovery process or need a huge amount of time to train fault attack templates.This paper proposes a comprehensive correlation fault injection attack on AES implementations of different key lengths,leveraging the correlation in the fault effect propagation in AES to recover the key.Our attack method uses a more flexible fault model in terms of the location and number of fault injections while only requiring simple correlation analysis to recover the key.Experimental results using AES implementations of variable key sizes show that random faults injected at any position before the mix-columns operation in the-2 round will allow successful recovery of the last round key through correlation analysis of the fault effects at the inputs of the S-Box in the final round.Additional random faults injected at any position before the mix-columns operation in the-3 round will allow the recovery of the round key before the final round.The key search complexity of the proposed method is 2¹⁶.Two correct and faulty ciphertext pairs or four faulty ciphertexts under the same plaintext are sufficient to recover the original key of AES-128 and four correct and faulty ciphertext pairs or eight faulty ciphertexts under the same plaintext are sufficient to recover the original key of AES-192 and AES-256.

Key words: side channel analysis, fault injection attack, correlation fault analysis, advanced encryption standard

CLC Number:

TP309

WANG Xingxin,HU Wei,TAN Jing,ZHU Jiacheng,TANG Shibo. Correlation fault attack on AES[J].Journal of Xidian University, 2021, 48(4): 192-199.

Figures/Tables 11

References 15

[1]	王庆, 屠晨阳, 沈嘉荟. 侧信道攻击通用框架设计及应用[J]. 信息网络安全, 2017(5):57-62.
	WANG Qing, TU Chenyang, SHEN Jiahui. Design and Application of General Framework for Side Channel Attack[J]. Netinfo Security, 2017(5):57-62.
[2]	王安, 葛婧, 商宁, 等. 侧信道分析实用案例概述[J]. 密码学报, 2018, 5(4):383-398.
	WANG An, GE Jing, SHANG Ning, et al. Practical Cases of Side-channel Analysis[J]. Journal of Cryptologic Research, 2018, 5(4):383-398.
[3]	毛保磊, 慕德俊, 胡伟等. RSA时间信道滑动窗口攻击方法及量化分析[J]. 西安电子科技大学学报, 2017, 44(5):114-120.
	MAO Baolei, MU Dejun, HU Wei, et al. Quantitative Analysis of Sliding Window Attack for the RSA Timing Channel[J]. Journal of Xidian University, 2017, 44(5):114-120.
[4]	葛景全, 屠晨阳, 高能. 侧信道分析技术概览与实例[J]. 信息安全研究, 2019, 5(1):75-87.
	GE Jingquan, TU Chenyang, GAO Neng. Technology Overview of Side Channel Analysis[J]. Journal of Information Security Research, 2019, 5(1):75-87.
[5]	SAVAS E. Attacks on Implementations of Cryptographic Algorithms:Side-channel and Fault Attacks[C]// Proceedings of the 6th International Conference on Security of Information and Networks.New York:ACM, 2013:7-14.
[6]	孙维东, 俞军, 沈磊. 对称加密算法AES和DES的差分错误分析[J]. 复旦学报:自然科学版, 2013, 52(3):297-302.
	SUN Weidong, YU Jun, SHEN Lei. Differential Fault Analysis on AES and DES[J]. Journal of Fudan University:Natural Science, 2013, 52(3):297-302.
[7]	FU S, XU G, PAN J, et al. Differential Fault Attack on ITUbee Block Cipher[J]. ACM Transactions on Embedded Computing Systems, 2016, 16(2):1-10.
[8]	PARK J, SANGJAE M, DOOHO C, et al. Fault Attack for the Iterative Operation of AES S-Box[C]//Proceedings of the 5th International Conference on Computer Sciences and Convergence Information Technology.Piscataway:IEEE, 2010:550-555.
[9]	杜育松, 王大星, 沈静. 一种对AES-128的差分错误分析原理[J]. 计算机工程, 2006, 23:174-176.
	DU Yusong, WANG Daxing, SHEN Jing. Principle of a Kind Differential Fault Analysis on AES-128[J]. Computer Engineering, 2006, 23:174-176.
[10]	ALI S S, MUKHOPADHYAY D. A Differential Fault Analysis on AES Key Schedule Using Single Fault[C]//Proceedings of the 2011 Workshop on Fault Diagnosis and Tolerance in Cryptography.Piscataway:IEEE, 2011:35-42.
[11]	MOMENI H, MASOUMI M, DEHGHAN A. A Practical Fault Induction Attack Against an FPGA Implementation of AES Cryptosystem[C]//Proceedings of the World Congress on Internet Security(WorldCIS-2013).Piscataway:IEEE, 2013:134-138.
[12]	DASSANCE F, VENELLI A. Combined Fault and Side-Channel Attacks on the AES Key Schedule[C]//Proceedings of the 2012 Workshop on Fault Diagnosis and Tolerance in Cryptography.Piscataway:IEEE, 2012:63-71.
[13]	GHALATY N F, YUCE B, TAHA M, et al. Differential Fault Intensity Analysis[C]//Proceedings of the 2014 Workshop on Fault Diagnosis and Tolerance in Cryptography.Piscataway:IEEE, 2014:49-58.
[14]	ZHANG J, WU N, LI J, et al. A novel differential fault analysis using two-byte fault model on AES Key schedule[J]. IET Circuits,Devices & Systems, 2019, 13(5):661-666. doi: 10.1049/cds2.v13.5
[15]	POGUE T E, NICOLICI N. Incremental Fault Analysis:Relaxing the Fault Model of Differential Fault Attacks[J]. IEEE Transactions on Very Large Scale Integration(VLSI) Systems, 2020, 28(3):750-763.

B_i	字节组合	恢复的密钥字节	B_i	字节组合	恢复的密钥字节
B₀	S₀,S₇,S₁₀,S₁₃	k₀,k₇,k₁₀,k₁₃	B₂	S₂,S₅,S₈,S₁₅	k₂,k₅,k₈,k₁₅
B₁	S₁,S₄,S₁₁,S₁₄	k₁,k₄,k₁₁,k₁₄	B₃	S₃,S₆,S₉,S₁₂	k₃,k₆,k₉,k₁₂

密钥长度	攻击位置	字节位置	获取密钥	攻击次数	攻击位置	字节位置	获取密钥	攻击次数
128位	第8轮	S₀~S₁₅	128位-K₁₀	1
	第9轮	S₀~S₁₅	32位-K₁₀	1
192位	第10轮	S₀~S₁₅	128位-K₁₂	1	第9轮	S₀~S₁₅	64位-K₁₁	1
	第11轮	S₀~S₁₅	32位-K₁₂	≥4	第10轮	S₀~S₁₅	32位-K₁₁	≥2
256位	第12轮	S₀~S₁₅	128位-K₁₄	1	第11轮	S₀~S₁₅	128位-K₁₃	1
	第13轮	S₀~S₁₅	32位-K₁₄	≥4	第12轮	S₀~S₁₅	32位-K₁₃	≥4

恢复密钥长度	密文对数	最大备选密钥数量	最小备选密钥数量	平均备选密钥数量	标准差
32位	1对	2 075	883	1161	123.11
32位	2对	3	1	1	0.32
32位	3对	1	1	1	0

恢复密钥长度	密文对数	最大备选密钥数量	最小备选密钥数量	平均备选密钥数量	标准差
32位	1对	2 194	842	1165	123.08
32位	2对	4	1	1	0.35
32位	3对	1	1	1	0

恢复密钥长度	密文对数	最大备选密钥数量	最小备选密钥数量	平均备选密钥数量	标准差
32位	1对	2 422	888	1 154	124.19
32位	2对	4	1	1	0.37
32位	3对	1	1	1	0

Correlation fault attack on AES

RichHTML

PDF (PC)

Like

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 11

References 15

Related Articles 1

Metrics

Comments

Recommended 10