Thesis 91522066: Record Details


Author: 郭遠翰 (Yuan-Han Kuo)    Department: Computer Science and Information Engineering
Thesis title: Research on Power Analysis of the AES Data Encryption Standard
(The Research of Power Analysis against AES)
  1. Access to this electronic thesis is approved for immediate open release.
  2. Electronic full text that has reached its open-access date is licensed to users only for academic research purposes, for personal, non-profit retrieval, reading and printing.
  3. Please comply with the relevant provisions of the Copyright Act of the Republic of China; do not reproduce, distribute, adapt, repost or broadcast it without authorization.

Abstract (Chinese): In today's daily life, applications of networks and digital information are becoming ever more widespread, and information security is receiving correspondingly greater attention. Cryptosystems can protect secret information transmitted over untrusted channels, and tamper-resistant devices (such as smart cards) store personal private data and execute cryptographic algorithms. However, when cryptosystems are deployed in open environments, no one can fully guarantee the security of the system, even when the information is protected by a cryptosystem.
The symmetric block cipher standard DES has been in use for more than twenty years since its adoption in 1977. Against the various newer attacks, DES is no longer adequate for some applications. Therefore, in October 2000, the US National Institute of Standards and Technology (NIST) selected Rijndael as the new symmetric block cipher standard, AES. In recent years, physical attacks have grown into a research field of their own and pose a serious threat to cryptosystems implemented on tamper-resistant devices. Among them, power analysis is currently the most effective and most practical physical attack. This thesis discusses research related to AES and power analysis.
Power analysis was first proposed by Kocher et al. in 1998 and comprises simple power analysis (SPA) and differential power analysis (DPA). Against SPA, Chapter 3 proposes an improved MixColumn operation that resists SPA. The thesis also reviews DPA attacks against AES and their countermeasures. However, Messerges proposed high-order DPA in 2000, so DPA countermeasures may still be attacked; a countermeasure against high-order DPA is therefore proposed.
Kocher's power analysis is based mainly on the relationship between Hamming weight and power consumption. Chapter 4 of this thesis reviews the balanced Hamming weight scheme used to defend against Kocher's power analysis. Then the state-transition (flipping) power-consumption model proposed by Akkar is used to analyze the KeyAddition operation under the balanced Hamming weight scheme, and a flipping DPA attack is proposed.
When power analysis is carried out in practice, designing a low-pass filter is a common way to remove noise. Chapter 5 of this thesis presents how to design a digital low-pass filter for power analysis. For DPA, a method of evaluating attack strength is also discussed, together with the use of this evaluation method to find an appropriate filter and related issues.
Abstract (English): Nowadays, digital information grows rapidly in our daily life, and the requirement for tamper-resistant devices that execute the procedures of cryptosystems or store personal secret information increases correspondingly. Smart cards are becoming the representative tamper-resistant device. However, when these cryptosystems are operated in an open environment, no one can ensure the security of information, even when the information is protected by cryptosystems. Physical cryptanalysis is a modern and increasingly potent threat to the security of information held on smart cards. By measuring physical features such as power consumption, time spent or electromagnetic emission, attackers can infer secret information from smart cards with naive implementations of cryptosystems.
The Advanced Encryption Standard (AES) is the next-generation standard block cipher selected by NIST in 2000 to replace DES. AES will become the most widespread block cipher standard. Power analysis attack is the most useful cryptanalysis at present, and it is also practicable on AES. In this thesis, power analysis against AES is discussed.
Simple power analysis (SPA) is easy to realize in the real world. In order to defend AES against SPA, the weaknesses of existing SPA-resistant countermeasures are analyzed, and an improvement is proposed. Second, the DPA-resistant algorithms of AES suffer from high-order differential power analysis (HODPA). To this end, a possible countermeasure is also discussed.
The balanced Hamming weight scheme is one of the effective ways to prevent power analysis attacks. We found that even when the balanced Hamming weight scheme is used to protect AES, it may not be secure enough under some careless implementations. The weaknesses of the balanced Hamming weight scheme are analyzed, and the procedure of the proposed flipping DPA attack is described to derive the secret key of AES.
In this thesis, experiments are shown at the end of each proposed method to confirm our contentions. In some experiments, especially the SPA-based attack, the power trace is pre-processed before analysis. At the end of this thesis, the pre-processing technique is described.
Keywords (Chinese): ★ Advanced Encryption Standard
★ Simple power analysis
★ Differential power analysis
★ Physical cryptanalysis
★ Smart cards
Keywords (English): ★ Physical cryptanalysis
★ AES
★ Power analysis attack
★ Smart cards
★ DPA
★ SPA
Table of contents:
1 Introduction
  1.1 Motivation
  1.2 Power Analysis on AES
  1.3 Overview of the Thesis
2 Review of Power Analysis Attack and AES
  2.1 Review of Power Analysis Attack
    2.1.1 Simple power analysis
    2.1.2 Differential power analysis
    2.1.3 High-order differential power analysis
  2.2 Review of AES: the Rijndael Cipher
    2.2.1 Round transformation
    2.2.2 Key expansion of Rijndael
  2.3 Examinations of Power Analysis against AES
    2.3.1 Experimental setup
    2.3.2 DPA against AES
3 Improvements of AES against Power Analysis Attack
  3.1 Motivation
  3.2 An Improvement of MixColumn against SPA
    3.2.1 SPA attack on MixColumn operation
    3.2.2 Possible countermeasures
    3.2.3 Experimental results
  3.3 An Improvement of Masking Method against High-Order DPA
    3.3.1 Review of masking method on AES
    3.3.2 Proposed algorithm against HODPA
    3.3.3 Discussion
  3.4 Summary
4 Flipping DPA Attack against AES
  4.1 Motivation
  4.2 Software Balanced Hamming Weight Schemes
  4.3 Analyses of Flipping Model
    4.3.1 Akkar's flipping model
    4.3.2 Analysis of KeyAddition on flipping model
  4.4 Flipping DPA Attack Procedures
  4.5 Experimental Results
  4.6 Discussions
    4.6.1 The disadvantage of balanced Hamming weight scheme
    4.6.2 Hamming weight leakage from loading the secret key
5 Enhancement of Power Analysis Attack
  5.1 Motivation
  5.2 Frequency Domain Analysis
  5.3 Basic Idea of Digital Filter Design
    5.3.1 Digital transfer functions
    5.3.2 Digital filter implementations
  5.4 Applications of DSP on Power Analysis Attack
    5.4.1 Frequency domain analysis of power trace
    5.4.2 Filtering technique on power analysis
    5.4.3 Design an appropriate filter for DPA
6 Conclusions
  6.1 Brief Review of Main Contributions
  6.2 Further Research Topics and Directions
Advisor: 顏嵩銘 (Sung-Ming Yen)    Review date: 2004-6-23
