遮罩保護機制防禦差分能量攻擊之研究

以作者查詢圖書館館藏

、以作者查詢臺灣博碩士

、以作者查詢全國書目

、勘誤回報

、線上人數：48

、訪客IP：3.144.124.195

姓名

吳香翰(Shain-Han Wu) 查詢紙本館藏

畢業系所

資訊工程學系

論文名稱

遮罩保護機制防禦差分能量攻擊之研究
(The Research on Masking Countermeasure Against Differential Power Analysis)

相關論文

★ 多種數位代理簽章之設計	★ 小額電子支付系統之研究
★ 實體密碼攻擊法之研究	★ 商業性金鑰恢復與金鑰託管機制之研究
★ AES資料加密標準之實體密碼分析研究	★ 電子競標系統之研究
★ 針對堆疊滿溢攻擊之動態程式區段保護機制	★ 通用型數域篩選因數分解法之參數探討
★ 於8051單晶片上實作可防禦DPA攻擊之AES加密器	★ 以非確定式軟體與遮罩分割對策防禦能量攻擊之研究
★ AES資料加密標準之能量密碼分析研究	★ 小額電子付費系統之設計與密碼分析
★ 公平電子現金系統之研究	★ RSA公開金鑰系統之實體密碼分析研究
★ 保護行動代理人所收集資料之研究	★ 選擇密文攻擊法之研究與實作

檔案

[Endnote RIS 格式]

[Bibtex 格式]

[相關文章]

[文章引用]

[完整記錄]

[館藏目錄]

[檢視]

[下載]

本電子論文使用權限為同意立即開放。
已達開放權限電子全文僅授權使用者為學術研究之目的，進行個人非營利性質之檢索、閱讀、列印。
請遵守中華民國著作權法之相關規定，切勿任意重製、散佈、改作、轉貼、播送，以免觸法。

摘要(中)

隨著資訊科技與網際網路的蓬勃發展，資訊安全的問題與需求，與人們的生活息息相關，因此，密碼學之相關研究已然成為現今重要的議題。除了探討密碼演算法本身的特性與結構，密碼系統的實作過程也必須納入安全分析。物理攻擊法便是藉由密碼系統運算過程中所洩漏的物理現象進行攻擊，因此即使是保證安全的密碼演算法，也會因實作過程洩漏些許資訊而可破解密碼系統。
論文中將說明物理攻擊法的基本概念，並特別針對能量消攻擊法加以說明。以現階段技術而言，差分能量攻擊法是目前最有效且易於實施的物理攻擊法。為了有效防禦差分能量攻擊法，對應的防禦方式也被廣泛的討論，其中一類利用導入亂數，致使攻擊法統計分析失效的遮罩保護機制，將於第三章介紹其概念及演進。文中用以介紹防禦技術的新一代加密器AES，將於第二章先行簡介。
在西元2001年，Akkar與Giraud發表新類型的遮罩保護機制，以提昇軟體實作的效能。由於此方法應用到AES，仍無法防止差分能量攻擊，於是，在西元2002年，Trichina等人發表提昇效能與增加安全的改進發法。然而，論文中將針對Trichina發表的方法進行弱點分析，並提出一種應用於此的差分能量攻擊法。
為了兼顧執行效率與系統安全，基於遮罩保護機制的原理，於第四章提出改進的防禦方法。並進行安全分析，證明此防禦法能夠有效防止能量攻擊。接著，針對三種遮罩保護機制比較執行效能，提出的防禦法法提昇效能至少十倍以上。最後，第五章呈現攻擊後的實驗成果，顯示未受保護的密碼系統易於破解，相對地，加上提出的防禦法確實能抵抗差分能量攻擊。

摘要(英)

Since the explosive growth in the use of computer and Internet, the requirements for information security generate higher influence in our daily life. Therefore, cryptography becomes an important issue, which not only considers the cryptographic algorithm but also takes their implementations into account. Physical attacks on the security of a cryptosystem are characterized by viewing the information leaking from the cryptosystem being processed.
The preliminary knowledge and requirements of physical cryptanalysis will be discussed. The discussion of physical security is extended to include an important standard, the Advanced Encryption Standard (AES). Further, an approach to the protection of cryptosystem in software-based implementation from power analysis is also addressed.
For opposing differential power analysis, an improved technique to perform the security transformation will be developed. A masking countermeasure resisted power analysis and integrated transformations into original cryptographic architecture is presented. The principles of improved technique are discussed and the analysis of performance and security are provided completely.
Finally, the techniques used to construct improved masking method are examined. The practical masking countermeasure has been implemented and provides the information security against the DPA attack. The experimental results demonstrated the practicality of the DPA attacks on straightforward AES and the security of AES could be achieved by using improved method.

關鍵字(中)

★ 差分能量攻擊
★ 遮罩保護機制
★ 乘法反元素
★ 乘法遮罩保護
★ 物理攻擊法
★ 晶片卡
★ 新一代加密器
★ 密碼學
★ 能量攻擊法

關鍵字(英)

★ Physical cryptanalysis
★ Side channel attack
★ Power analysis attack
★ Smart cards
★ Transformed masking
★ Cryptography
★ DPA
★ AES
★ Multiplicative mask
★ Inversion

論文目次

1 Introduction
1.1 Motivation
1.2 Conventional Mathematical Attacks Versus Physical Cryptanalysis
1.2.1 Conventional mathematical attacks
1.2.2 Physical cryptanalysis
1.3 Overview of The Thesis
2 Preliminary Background of Power Analysis Attack and AES
2.1 Power Analysis Attack
2.2 Simple Power Analysis
2.3 Differential Power Analysis
2.4 Brief Review of AES
2.4.1 Physical cryptanalysis against AES
2 Introduction to Masking Countermeasure
3.1 Random Masking Technique
3.2 Masking Conversions
3.3 Transformed Masking Method
3.3.1 Transformed masking on AES
3.3.2 Vulnerability and cryptanalysis procedures
3.3.3 Simplified and enhanced transformed masking
4 An Improved Transformed Masking for AES Implementation
4.1 Motivation
4.2The Proposed Countermeasure
4.2.1 Secure implementation on S-Box transactions
4.2.2 Updating m-Inversion tables
4.3 Security Analysis
4.3.1 Proposed DPA on simplified and enhanced transformed masking
4.3.2 Security against first-order DPA
4.3.3 Security against second-order DPA
4.4 Performance Comparisons with Other Methods
4.4.1 Multiplication in GF(2^8)
4.5 Main Contribution
5 Experimental Work
5.1 Description of Experimental Equipment
5.1.1 Experimental environment
5.1.2 The selection function of DPA
5.2 Experimental Results
5.2.1 Experimental results of straightforward AES implementation
5.2.2 Experimental results of proposed masking method
6 Concluding Remarks
6.1 Brief Review of Main Contributions
6.2 Further Research Topic and Directions

參考文獻

[1] E. Biham and A. Shimar,``Differential Cryptanalysis of DES-like Cryptosystem," In advances in Cryptology -- CRYPTO'90, LNCS537, pp.2-21, Springer-Verlag, 1991.
[2] E. Biham and A. Shimar,``Differential Cryptanalysis of DES-like Cryptosystem," Journal of Cryptology, vol.~4, no.~1, pp. 3-72, 1991.
[3] E. Biham and A. Shimar,``Differential Cryptanalysis of Snefru Khafre, REDOC, LOKI and Lucifer," In Advances in Cryptology -- CRYPTO'91,pp. 156-171, Spribger-Verlag, 1991.
[4] M. Matsui,``Linear Cryptanalysis Method for DES Cipher," In Advances in Cryptology -- EUROCRYPT'93, LNCS765, pp. 386-397, Springer-Verlag, 1994.
[5] E. Biham, ``On Matusi's Linear Cryptanalysis," In Advances in Cryptology -- EUROCRYPT'94, pp. 341-355, Springer-Verlag, 1994.
[6] R. Anderson and M. Kuhn, ``Tamper Resistance -- A Cautionary Note," In Proceedings of the 2nd USENIX Workshop on Electronic Commerce, pp.1--11, 1996.
[7] P. Kocher, J. Jaffe and B. Jun, ``Introduction to Differential Power Analysis and Related Attacks," 1998, available at URL .
[8] P. Kocher, J. Jaffe and B. Jun, ``Differential Power Analysis," In Advances in Cryptology -- CRYPTO'99, LNCS1666, pp.388--397, Springer-Verlag, 1999.
[9] E. Biham and A. Shamir, ``Power Analysis of the Key Scheduling of the AES Candidates," In Proceedings of the Second Advanced Encryption Standard (AES) Candidate Conference, pp.115--121, 1999.
[10] S. Mangrad, ``A Simple Power-Analysis (SPA) Attack on Implementations of the AES Key Expansion," In Proceedings of the International Conference on Information Security and Cryptology - ICISC 2002, LNCS2587, pp.343--358, Springer-Verlag, 2002.
[11] T.S. Messerges, E.A. Dabbish, and R.H. Sloan, ``Investigations of Power Analysis Attacks on Smartcards," In Proceedings of USENIX Workshop on Smartcard Technology, pp.151--161, 1999.
[12] J. Kelsey, B. Schneier, D. Wagner and C. Hall, ``Side Channel Cryptanalysis of Product Ciphers," In Proceedings of ESORICS '98, pp. 97-110, Springer-Verlag, 1998.
[13] NBS FIPS PUB 46, ``Data Encryption Standard," National Bureau of Standard, U.S. Department of Commerce, Jan. 1977.
[14] R. M. Davis, ``Some Regular Properties of DES," Computer Security and the Data Encryption Standard, National Bureau of Standards Special Publication, 1978.
[15] NBA FIPS PUB 46-1, ``Data Encryption Standard," National Bureau of Standards, U.S. Department of Commerce, 1988.
[16] S. Chari, C.S. Jutla, J.R. Rao, and P. Rohatgi, ``A Cautionary Note Regarding Evaluation of AES Candidates on Smart-cards," In Proceedings of the Second Advanced Encryption Standard (AES) Candidate Conference, pp.133--147, 1999.
[17] J. Daemen and V. Rijmen, ``Resistance Against Implementation Attacks: A Comparative Study of the AES Proposals," In Proceedings of the Second Advanced Encryption Standard (AES) Candidate Conference, pp.122--132, 1999.
[18] J. Daemen, V. Rijnmen, ``AES Proposal : Rijndael," In Proceedings of the First Advanced Encryption Standard Candidate Conference (AES), 1998.
[19] T.S. Messerges, ``Securing the AES Finalists Against Power Analysis Attacks,' In Proceedings of Fast Software Encryption Workshop -- FSE2000, LNCS1978, pp.150--164, Springer-Verlag, 2000.
[20]F. Sano, M. Koike, S. Kawamura and M. Shiba, ``Performance Evaluation of AES Finalists on the High-End Smart Card," Presented in the 3rd AES conference, pp.82--93, NY, USA, April 2000.
[21] National Institute of Standards and Technology, ``FIPS-197:Advanced Encryption Standard," Federal Information Processing Standard, FIPS-197, 2001.
[22] http://csrc.nist.gov/encryption/aes/
[23] L. May, M. Henricksen, W. Millan, G. Carter and E. Dawson, ``Strengthening the Key Schedule of the AES," In Proceedings of the Australasian Conference on Information Security and Privacy - ACISP 2002, LNCS2384, pp.226--240, Springer-Verlag, 2002.
[24] L. Goubin and J. Patarin, ``DES and Differential Power Analysis--The Duplication Method," In Proceedings of Workshop on Cryptographic Hardware and Embedded Systems -- CHES'99, LNCS1717, pp.158--172, Springer-Verlag, 1999.
[25] S. Chari, C.S. Jutla, J.R. Rao, and P. Rohatgi, ``Towards Sound Approaches to Counteract Power-analysis Attacks," In Advances in Cryptology -- CRYPTO'99, LNCS1666, pp.398--412, Springer-Verlag, 1999.
[26] J.S. Coron and L. Goubin, ``On Boolean and Arithmetic Masking Against Differential Power Analysis," In Proceedings of Workshop on Cryptographic Hardware and Embedded Systems -- CHES,2000, LNCS1965, pp.231--237, Springer-Verlag, 2000.
[27] L. Goubin, ``A Sound Method for Switching Between Boolean and Arithmetic Masking," In Proceedings of Workshop on Cryptographic Hardware and Embedded Systems - CHES 2001, LNCS 2162, pp.3-15, Springer-Verlag, 2001.
[28] J.S. Coron and A. Tchulkine, ``A New Algorithm for Switching from Arithmetic to Boolean Masking," Cryptographic Hardware and Embedded Systems -- CHES2003, LNCS2779, pp.89-97, Springer-Verlag, 2003.
[29] K. Itoh, M. Takenaka and N. Torii, ``DPA Countermeasure Based on the "Masking Method"," In Proceedings of the International Conference on Information Security and Cryptology - ICISC 2001, LNCS 2288, pp. 440-456, Springer-Verlag, 2001.
[30] M.L. Akkar and C. Giraud, ``An Implementation of DES and AES, Secure Against Some Attacks," In Proceedings of Workshop on Cryptographic Hardware and Embedded Systems - CHES 2001, LNCS 2162, pp. 309-318, Springer-Verlag, 2001.
[31] E. Trichina, D. De Seta, and L. Germani, ``Simplified Adaptive Multiplicative Masking for AES and its Secure Implementation," In Proceedings of Workshop on Cryptographic Hardware and Embedded Systems - CHES 2002, LNCS2523, pp.187--197, Springer-Verlag, 2002.
[32] J. Dj. Golic and C. Tymen, ``Multiplicative Masking and Power Analysis of AES," In Proceedings of Workshop on Cryptographic Hardware and Embedded Systems - CHES 2002, LNCS2523, pp.198--212, Springer-Verlag, 2002.
[33] E. Barkan and E. Biham, ``In How Many Ways Can You Write Rijndael?," In Proceedings of ASIACRYPT 2002, LNCS2501, pp.160--175, Springer-Verlag, 2002.
[34] P. Kocher, ``Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems,' In Advances in Cryptology -- CRYPTO'96, LNCS1109, pp.104--113, Springer-Verlag, 1996.
[35] J.F. Dhem, F. Koeune, P.A. Leroux, P. Mestre, J.J. Quisquater, and J.L. Willems, ``A Practical Implementation of the Timing Attack,' Technical Report CG-1998/1, UCL Crypto Group, Universite catholique de Louvain, 1998.
[36] J.F. Dhem, F. Koeune, P.A. Leroux, P. Mestre, J.J. Quisquater, and J.L. Willems, ``A Practical Implementation of the Timing Attack," In Proceedings of CARDIS'98 -- Third Smart Card Research and Advanced Application Conference, UCL, Louvain-la-Neuve, Belgium, Sep. 14-16, 1998.
[37] H. Handschuh, ``A timing attack on RC5," In Proceedings of the Workshop on Selected Areas in Cryptography - SAC'98, Springer-Verlag, 1998.
[38] G. Hachez, F. Koeune, and J.-J. Quisquater, ``Timing Attack: What Can Be Achieved By A Powerful Adversary?," Proceedings of the 20th Symposium on Information Theory, pp. 63--70, 1999.
[39] F. Koeune and J.-J. Quisquater, ``A Timing Attack Against Rijndael," Crypto Group Technical Report Series CG--1999/1, Universit'e Catholique de Louvain, 1999.
[40] A. Hevia and M. Kiwi, ``Strength of Two Data Encryption Standard Implementations under Timing Attack," ACM Transactions on Information and System Security (TISSEC), Vol.2, no.4, pp.416--437, 1999.
[41] W. Schindler, ``A Timing Attack Against RSA with the Chinese Remainder Theorem," Cryptographic Hardware and Embedded Systems -- CHES,2000, LNCS1965, pp.109--124, Springer-Verlag, 2000.
[42] C. D. Walter and S. Thompson, ``Distinguishing Exponent Digits by Observing Modular Subtractions," In Proceedings of the Cryptographers' Track at the RSA conference -- CT-RSA~2001, LNCS2020, pp.192--207, 2001.
[43] W. Schindler, F. Koeune, J.J. Quisquater, ``Unleashing the Full Power of Timing Attack,' UCL Crypto Group, Technical report CG-2001-3, 2001.
[44] T.S. Messerges, ``Using 2nd-order Power Analysis to Attack DPA Resistant Software," In Proceedings of Workshop on Cryptographic Hardware and Embedded Systems -- CHES,2000, LNCS1965, pp.238--251, Springer-Verlag, 2000.
[45] M.-L. Akkar and L. Goubin, ``A Generic Protection against High-Order Differential Power Analysis," In Proceedings of FSE 2003, LNCS2887, pp.192--205, Springer-Verlag, 2003.
[46] S. Young, ``Zilog Z80 CPU Specifications," 1997, available at URL .
[47] B.S. Kaliski Jr. and M.J.B. Robshaw, ``Comments on Some New Attacks on Cryptographic Devices," RSA Laboratories Bulletin, no.~5, 1997.
[48] R. Anderson and M. Kuhn, ``Low Cost Attacks on Tamper Resistant Devices," In Proceedings of the 1997 Security Protocols Workshop, Lecture Notes in Computer Science 1361, pp. 125--136, Springer-Verlag, 1997.
[49] J.S. Coron, ``Resistance Against Differential Power Analysis for Elliptic Curve Cryptosystems," In Proceedings of Workshop on Cryptographic Hardware and Embedded Systems -- CHES'99, LNCS1717, pp.292--302, Springer-Verlag, 1999.
[50] T.S. Messerges, E.A. Dabbish, and R.H. Sloan, ``Power Analysis Attacks of Modular Exponentiation in Smartcards," In Proceedings of Workshop on Cryptographic Hardware and Embedded Systems -- CHES'99, LNCS1717, pp.144--157, Springer-Verlag, 1999.
[51] C. Clavier, J.S. Coron, and N. Dabbous, ``Differential power analysis
in the presence of hardware countermeasures," Cryptographic Hardware and Embedded Systems -- CHES2000, LNCS1965, pp.252--263, Springer-Verlag, 2000.
[52] C.D. Walter, ``Sliding windows succumbs to big mac attack," Cryptographic Hardware and Embedded Systems -- CHES,2001, LNCS2162, pp.286--299, Springer-Verlag, 2001.
[53] C. Clavier and M. Joye, ``Universal exponentiation algorithm: A first step towards provable SPA-resistance," Cryptographic Hardware and Embedded Systems -- CHES2001, LNCS2162, pp.300--308, Springer-Verlag, 2001.
[54] T.S. Messerges, E.A. Dabbish and R.H. Sloan, ``Examing Smart-Card Security under the Threat of Power Analysis Attacks," IEEE Trans. on Computers, vol.51, no.~5, 2002.
[55] M.L. Akkar, R. Bevan, P. Dischamp and D. Moyart, ``Power Analysis, What is Now Possible," Advance in Cryptology - ASIACRYPT 2000, LNCS1976, pp.489--502, Springer-Verlag, 2000.
[56] S.M. Yen, ``Amplified Differential Power Cryptanalysis on Rijndael Implementations with Exponentially Fewer Power Traces," In Proceedings of the Australasian Conference on Information Security and Privacy - ACISP 2003, LNCS2727, pp.106--117, Springer-Verlag, 2003.
[57] A. Shamir, ``Protecting Smart Cards from Passive Power Analysis with Detached Power Supplies," In Proceedings of Workshop on Cryptographic Hardware and Embedded Systems -- CHES,2000, LNCS1965, pp.71--77, Springer-Verlag, 2000.
[58] C.N. Chen and S.M. Yen, ``Differential Fault Analysis on AES Key Schedule and Some Countermeasures," In Proceedings of the International Conference on Information Security and Cryptology - ICISC 2003, LNCS2727, pp.118--129, Springer-Verlag, 2003.

指導教授

顏嵩銘(Sung-Ming Yen)

審核日期

2004-6-21

推文