996 results for differential fault attack


Relevance:

100.00% 100.00%

Publisher:

Relevance:

100.00% 100.00%

Publisher:

Abstract:

International audience

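Relevance:

100.00% 100.00%

Publisher:

Abstract:

SMS4 is the block cipher used in WAPI and the first commercial cipher algorithm officially published in China. Because it was published only recently, no research results on its security have yet been published openly. This paper studies the security of SMS4 against differential fault attack. The attack uses a byte-oriented random fault model combined with differential analysis techniques. In theory the attack needs only 32 faulty ciphertexts to fully recover the 128-bit seed key of SMS4. Because in practice the byte positions at which faults occur cannot be perfectly uniform, the number of faulty ciphertexts an actual attack needs is slightly larger than the theoretical value; the experimental results in the paper confirm this, with recovery of the 128-bit SMS4 seed key requiring about 47 faulty ciphertexts on average. The results show that SMS4 is vulnerable to differential fault attack. To prevent such attacks, users are advised to protect the encryption device and stop attackers from inducing faults in it.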

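Relevance:

80.00% 80.00%

Publisher:

Abstract:

Cryptographic algorithms are one of the core topics of information security research; their practical security depends not only on the mathematical properties of the cipher itself but also on the characteristics of the specific implementation. Implementation-based cryptanalysis is a newer kind of cryptanalysis, distinct from traditional cryptanalysis, that uses information leaked by an algorithm's implementation to recover secret information. Differential Fault Analysis (DFA) is an important cryptanalytic method of this kind. In modern cryptography, cipher design is usually based on the two basic principles of confusion and diffusion. For a block cipher, choosing a suitable round function and iterating it a number of times provides the necessary confusion and diffusion. The block ciphers in common use today are therefore all iterated ciphers, and the typical structures they adopt include the Feistel structure, the SPN structure and the generalized Feistel structure. The properties of these cipher structures and of the basic components they use (for example, S-boxes and P permutations) completely determine certain patterns that a fault exhibits as it propagates. Intuitively, this intrinsic characteristic can be used to uncover the relationship between DFA attacks and cipher structures. It is therefore entirely possible to use this characteristic to build a systematic, structure-oriented DFA attack method. This work mainly studies differential fault analysis methods for Feistel ciphers and discusses the relationship between such methods and existing theoretical results on provable security. To this end, it introduces the concepts of Fault Propagation Path (FPPath) and Fault Propagation Pattern (FPPattern), gives methods for computing FPPath and FPPattern for the Feistel structure, and establishes the relationship with existing provable-security results. On this basis, it proposes a systematic differential fault analysis method for Feistel ciphers based on fault propagation patterns. With this method, the computation of FPPath and FPPattern can be automated in software, which helps in carrying out automated DFA attacks on Feistel ciphers. In this setting, the length of the FPPath can be regarded as a metric for evaluating the effectiveness of a DFA attack. In addition, a natural consequence of the systematic method is a marked improvement in attack performance: not only is the number of attacked rounds reduced, but the number of fault injection points is reduced as well, which quickly lowers the number of faulty ciphertexts needed for a successful attack. Finally, to verify the correctness and effectiveness of the method, simulated attack experiments were carried out with the Camellia cipher as a concrete instance, and the corresponding data-complexity and time-complexity analyses are given. By making full use of the properties of the P permutation in Camellia, and without exhaustive search, the new attack needs only 6 faulty ciphertexts to fully recover a 128-bit key, while 22 faulty ciphertexts are needed to recover a 192-bit or 256-bit key. The results show that the FPPattern-based DFA method outperforms all existing methods of the same kind.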

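Relevance:

80.00% 80.00%

Publisher:

Abstract:

Using a word-oriented random fault model combined with differential analysis techniques, this paper evaluates the security of the SHACAL-2 algorithm against differential fault attack. The results show that SHACAL-2 is not immune to differential fault attack. Recovering a 32-bit subkey takes 8 faulty ciphertexts on average, and fully recovering the 512-bit key takes 128 faulty ciphertexts.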

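Relevance:

80.00% 80.00%

Publisher:

Abstract:

Using a 17-round differential-nonlinear distinguisher of SHACAL-2, combined with partitioning of the guessed subkey space and the fast Fourier transform, a new method for attacking 33-round SHACAL-2 is proposed. The attack on 33-round SHACAL-2 requires $2^{44}$ chosen plaintexts, $2^{496.6}$ 33-round SHACAL-2 encryptions and $2^{502}$ arithmetic operations, with a success probability of 99%. Compared with existing results, the new attack effectively increases the number of rounds of SHACAL-2 that can be attacked in the single-key setting.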

Relevance:

80.00% 80.00%

Publisher:

Abstract:

International audience

Relevance:

30.00% 30.00%

Publisher:

Abstract:

A microgrid provides economical and reliable power to customers by integrating distributed resources more effectively. Islanded operation enables a continuous power supply for loads during a major grid disturbance. Reliability of a microgrid can be further increased by forming a mesh configuration. However, the protection of mesh microgrids is a challenging task. In this paper, protection schemes are discussed using current differential protection of a microgrid. The protection challenges associated with bi-directional power flow, meshed configuration, changing fault current level due to intermittent nature of DGs and reduced fault current level in an islanded mode are considered in proposing the protection solutions. Relay setting criterion and current transformer (CT) selection guidelines are also discussed. The results are verified using MATLAB calculations and PSCAD simulations.

Relevance:

30.00% 30.00%

Publisher:

Abstract:

In this paper we present truncated differential analysis of reduced-round LBlock by computing the differential distribution of every nibble of the state. LLR statistical test is used as a tool to apply the distinguishing and key-recovery attacks. To build the distinguisher, all possible differences are traced through the cipher and the truncated differential probability distribution is determined for every output nibble. We concatenate additional rounds to the beginning and end of the truncated differential distribution to apply the key-recovery attack. By exploiting properties of the key schedule, we obtain a large overlap of key bits used in the beginning and final rounds. This allows us to significantly increase the differential probabilities and hence reduce the attack complexity. We validate the analysis by implementing the attack on LBlock reduced to 12 rounds. Finally, we apply single-key and related-key attacks on 18 and 21-round LBlock, respectively.

Relevance:

30.00% 30.00%

Publisher:

Abstract:

In this paper we investigate the differential properties of block ciphers in hash function modes of operation. First we show the impact of differential trails for block ciphers on collision attacks for various hash function constructions based on block ciphers. Further, we prove the lower bound for finding a pair that follows some truncated differential in case of a random permutation. Then we present open-key differential distinguishers for some well known round-reduced block ciphers.

Relevance:

30.00% 30.00%

Publisher:

Abstract:

In this paper we analyse properties of the message expansion algorithm of SHA-1 and describe a method of finding differential patterns that may be used to attack reduced versions of SHA-1. We show that the problem of finding optimal differential patterns for SHA-1 is equivalent to the problem of finding minimal weight codeword in a large linear code. Finally, we present a number of patterns of different lengths suitable for finding collisions and near-collisions and discuss some bounds on minimal weights of them.

Relevance:

30.00% 30.00%

Publisher:

Abstract:

This paper presents the architecture of a fault-tolerant, special-purpose multi-microprocessor system for solving Partial Differential Equations (PDEs). The modular nature of the architecture allows the use of hundreds of Processing Elements (PEs) for high throughput. Its performance is evaluated by both analytical and simulation methods. The results indicate that the system can achieve high operation rates and is not sensitive to inter-processor communication delay.

Relevance:

30.00% 30.00%

Publisher:

Abstract:

The development of algorithms, based on Haar functions, for extracting the desired frequency components from transient power-system relaying signals is presented. The applications of these algorithms to impedance detection in transmission line protection and to harmonic restraint in transformer differential protection are discussed. For transmission line protection, three modes of application of the Haar algorithms are described: a full-cycle window algorithm, an approximate full-cycle window algorithm, and a half-cycle window algorithm. For power transformer differential protection, the combined second and fifth harmonic magnitude of the differential current is compared with that of fundamental to arrive at a trip decision. The proposed line protection algorithms are evaluated, under different fault conditions, using realistic relaying signals obtained from transient analysis conducted on a model 400 kV, 3-phase system. The transformer differential protection algorithms are also evaluated using a variety of simulated inrush and internal fault signals.