輕量級分組密碼PUFFIN的差分故障攻擊

袁慶軍; 張勛成; 高楊; 王永娟

doi:10.11999/JEIT190506

輕量級分組密碼PUFFIN的差分故障攻擊

doi: 10.11999/JEIT190506 cstr: 32379.14.JEIT190506

袁慶軍^{1, 2},
張勛成^1, ,,
高楊¹,
王永娟^{1, 2}

1.
戰(zhàn)略支援部隊信息工程大學鄭州 450001
2.
河南省網(wǎng)絡密碼技術(shù)重點實驗室鄭州 450001

基金項目: 國家自然科學基金(61602512)，河南省網(wǎng)絡密碼技術(shù)重點實驗室開放基金(LNCT2019-S02)

詳細信息

作者簡介:
袁慶軍：男，1993年生，講師，研究方向為側(cè)信道分析

張勛成：男，1997年生，實習研究員，研究方向為側(cè)信道分析

高楊：男，1994年生，研究方向為密碼算法設計與分析

王永娟：女，1982年生，研究員，研究方向為側(cè)信道分析與密碼系統(tǒng)安全

通訊作者:
張勛成　zhangxunc1122@gmail.com

中圖分類號: TN918.4; TP309.7
計量
- 文章訪問數(shù): 3137
- HTML全文瀏覽量: 1275
- PDF下載量: 84
- 被引次數(shù): 0
出版歷程
- 收稿日期: 2019-07-05
- 修回日期: 2020-01-23
- 網(wǎng)絡出版日期: 2020-02-25
- 刊出日期: 2020-06-22

Differential Fault Attack on the Lightweight Block Cipher PUFFIN

Qingjun YUAN^{1, 2},
Xuncheng ZHANG^{1
, ,},
Yang GAO¹,
Yongjuan WANG^{1, 2}

1.
PLA Strategic Support Force Information Engineering University, Zhengzhou 450001, China
2.
Henan Key Laboratory of Network Cryptography Technology, Zhengzhou 450001, China

Funds: The National Natural Science Foundation of China(61602512), Henan Key Laboratory of Network Cryptography Technology(LNCT2019-S02)

摘要

摘要:
基于代換–置換網(wǎng)絡結(jié)構(gòu)的輕量級分組密碼算法PUFFIN在資源受限的硬件環(huán)境中使用較廣泛，差分故障攻擊是針對硬件密碼算法較為有效的攻擊手段。該文針對PUFFIN算法，改進多比特故障模型，通過構(gòu)建輸出差分和可能輸入值之間的關(guān)系，注入5次故障即可確定單個S盒唯一輸入值；在最后一輪加密過程中注入10次故障，成功恢復輪密鑰的概率為78.64%，進而可恢復初始密鑰。
- 差分故障攻擊 /
- 代換–置換網(wǎng)絡結(jié)構(gòu) /
- PUFFIN算法
Abstract:
The lightweight block cipher algorithm PUFFIN based on substitution-permutation network structure is widely used in resource-constrained hardware environments. Differential fault attack is a more effective attack method for hardware cryptographic algorithms. The multi-bit fault model for PUFFIN algorithm is improved. By constructing the relationship between the output difference and the possible input values, the single input value of a single S-box can be determined by injecting 5 faults. The probability of successfully recovering the round key is 78.64%, and the initial key can be recovered.
- Differential fault attack /
- Substitution-permutation network structure /
- PUFFIN algorithm

HTML全文

圖 1 PUFFIN算法輪密鑰恢復概率

下載: 全尺寸圖片幻燈片

表 1 S盒映射(16進制表示)

x	0	1	2	3	4	5	6	7	8	9	A	B	C	D	E	F
S(x)	D	7	3	2	9	A	C	1	F	4	5	E	6	0	B	8

下載: 導出CSV

表 2 P64置換

	0	1	2	3	4	5	6	7
0	13	2	60	50	51	27	10	36
1	25	7	32	61	1	49	47	19
2	34	53	16	22	57	20	48	41
3	9	52	6	31	62	30	28	11
4	37	17	58	8	33	44	46	59
5	24	55	63	38	56	39	15	23
6	14	4	5	26	18	54	42	45
7	21	35	40	3	12	29	43	64

下載: 導出CSV

表 3 PUFFIN密鑰擴展算法

輸入：初始密鑰$K$。
輸出：輪密鑰${{\rm RK}_i}$, $i \in 1,2, ···,33$。
(1) 依據(jù)輪密鑰選擇表，從$K$提取64 bit的第1輪輪密鑰${\rm{R}}{{\rm{K}}_1}$, 輪　　密鑰選擇表見文獻[1]；
(2) for i in range(2～33), do
(3)　　依據(jù)密鑰狀態(tài)置換表，更新主密鑰$K$，密鑰狀態(tài)置換表　　　　見文獻[1]；
(4)　　 if $i \ne (2,5,6,8)$, do
(5)　　　　翻轉(zhuǎn)主密鑰$K$第0, 1, 2, 4個比特；
(6)　　end
(7)　　依據(jù)輪密鑰選擇表，從$K$提取64 bit的第$i$輪輪密鑰${\rm{R}}{{\rm{K}}_i}$；
(8) end
(9) return ${\rm{R}}{{\rm{K}}_i}$.

下載: 導出CSV

表 4 PUFFIN算法S盒差分分布表

$f$	輸入差分固定情況下輸出差分與輸入值的對應關(guān)系
1	$f'$	1	3	6	A	B	D
1	$a$	2,3	4,5,E,F	C,D	0,1	8,9,A,B	6,7
2	$f'$	5	8	A	B	D	E
2	$a$	1,3,4,6	D,F	8,9,A,B	5,7	C,E	0,2
3	$f'$	1	4	6	8	B	E	F
3	$a$	8,9,A,B	1,2	5,6	4,7	D,E	C,F	0,3
4	$f'$	3	4	6	9	D	E	F
4	$a$	3,7	0,4,9,D	B,F	8,C	1,5	A,E	2,6
5	$f'$	2	5	7	D	E	F
5	$a$	2,7,9,C	B,E	0,5	A,F	1,3,4,6	8,D
6	$f'$	1	3	4	6	8	A	C	E
6	$a$	0,6	A,C	8,E	1,7	3,5	2,4	9,F	B,D
7	$f'$	5	7	8	9	B	C	F
7	$a$	A,D	8,F	B,C	2,5	1,3,4,6	0,7	9,E
8	$f'$	2	3	6	7	9	A	C	F
8	$a$	0,8	1,9	2,A	6,E	7,F	5,D	3,B	4,C
9	$f'$	4	7	8	9	A	C	D
9	$a$	6,F	3,A	1,8	0,4,9,D	7,E	5,C	2,B
A	$f'$	1	2	6	8	9	A	C
A	$a$	7,D	4,5,E,F	3,9	0,A	1,B	6,C	2,8
B	$f'$	1	2	3	7	C	D
B	$a$	4,5,E,F	1,A	0,B	2,7,9,C	6,D	3,8
C	$f'$	6	7	8	9	A	B	E	F
C	$a$	4,8	1,D	2,E	6,A	3,F	0,C	5,9	7,B
D	$f'$	1	2	4	5	9	B	D
D	$a$	1,C	6,B	7,A	5,8	3,E	2,F	0,4,9,D
E	$f'$	2	3	4	5	6	C	F
E	$a$	3,D	6,8	5,B	2,7,9,C	0,E	4,A	1,F
F	$f'$	3	4	5	7	8	C	E	F
F	$a$	2,D	3,C	0,F	4,B	6,9	1,E	7,8	5,A

下載: 導出CSV

表 5 PUFFIN算法S盒局部差分分布表

$f$	輸入差分固定情況下輸出差分與輸入值的對應關(guān)系
1	$f'$	1	3	6	A	B	D
1	$a$	2,3	4,5,E,F	C,D	0,1	8,9,A,B	6,7
2	$f'$	5	8	A	B	D	E
2	$a$	1,3,4,6	D,F	8,9,A,B	5,7	C,E	0,2
4	$f'$	3	4	6	9	D	E	F
4	$a$	3,7	0,4,9,D	B,F	8,C	1,5	A,E	2,6
8	$f'$	2	3	6	7	9	A	C	F
8	$a$	0,8	1,9	2,A	6,E	7,F	5,D	3,B	4,C

下載: 導出CSV

表 6 PUFFIN輸出差分表

輸出差分$f'$	可能的輸入值集合
1	2, 3
2	0, 8
3	1, 3, 4, 5, 7, 9, E, F
4	0,4,9,D
5	1, 3, 4, 6
6	2, A, B, C, D, F
7	6,E
8	D, F
9	7, 8, C, F
A	0, 1, 5, 8, 9, A, B, D
B	5, 7, 8, 9, A, B
C	3, B
D	1, 5, 6, 7, C, E
E	0, 2, A, E
F	2, 4, 6, C

下載: 導出CSV

表 7 PUFFIN算法10次故障注入以內(nèi)單個S盒輸入值恢復情況

$L$	2	3	4	5	6	7	8	9	10
${N_L}$	76	564	2932	13380	57556	240324	987412	4019460	20389796
${N'_L}$	63	183	493	1335	3663	10263	29295	84855	308491
$P$	0.55	0.76	0.86	0.91	0.94	0.96	0.97	0.98	0.99

下載: 導出CSV

參考文獻(18)

CHENG Huiju, HEYS H M, and WANG Cheng. Puffin: A novel compact block cipher targeted to embedded digital systems[C]. The 11th EUROMICRO Conference on Digital System Design Architectures, Methods and Tools, Parma, 2008: 383–390. doi: 10.1109/DSD.2008.34.

BIHAM E, SHAMIR A. Differential cryptanalysis of DES-like cryptosystems[J]. Journal of Cryptology, 1991, 4(1): 3–72. doi: 10.1007/bf00630563

MATSUI M. Linear Cryptanalysis Method for DES Cipher[M]. HELLESETH T. Advances in Cryptology - EUROCRYPT ’93. Berlin: Springer, 1994: 386-397. doi: 10.1007/3-540-48285-7_33.

BIHAM E. New types of cryptanalytic attacks using related keys[C]. The Workshop on the Theory and Application of Cryptographic Techniques, Berlin, Germany, 1994: 398–409.

MOORE J H and SIMMONS G J. Cycle structure of the DES for keys having palindromic (or Antipalindromic) sequences of round keys[J]. IEEE Transactions on Software Engineering, 1987, 13(2): 262–273. doi: 10.1109/TSE.1987.233150

LEANDER G. On linear hulls, statistical saturation attacks, PRESENT and a cryptanalysis of PUFFIN[C]. The 30th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tallinn, ESTOnia, 2011: 303–322. doi: 10.1007/978-3-642-20465-4_18.

魏悅川, 孫兵, 李超. 一種PUFFIN類SPN型分組密碼的積分攻擊[J]. 國防科技大學學報, 2010, 32(3): 139–143, 148. doi: 10.3969/j.issn.1001-2486.2010.03.026

WEI Yuechuan, SUN Bing, and LI Chao. An integral attack on PUFFIN and PUFFIN-like SPN Cipher[J]. Journal of National University of Defense Technology, 2010, 32(3): 139–143, 148. doi: 10.3969/j.issn.1001-2486.2010.03.026

王永娟, 張詩怡, 王濤, 等. 對MIBS分組密碼的差分故障攻擊[J]. 電子科技大學學報, 2018, 47(4): 601–605. doi: 10.3969/j.issn.1001-0548.2018.04.020

WANG Yongjuan, ZHANG Shiyi, WANG Tao, et al. Differential fault attack on block cipher MIBS[J]. Journal of University of Electronic Science and Technology of China, 2018, 47(4): 601–605. doi: 10.3969/j.issn.1001-0548.2018.04.020

歐慶于, 羅芳, 葉偉偉, 等. 分組密碼算法抗故障攻擊能力度量方法研究[J]. 電子與信息學報, 2017, 39(5): 1266–1270. doi: 10.11999/JEIT160548

OU Qingyu, LUO Fang, YE Weiwei, et al. Metric for Defences against fault attacks of block ciphers[J]. Journal of Electronics &Information Technology, 2017, 39(5): 1266–1270. doi: 10.11999/JEIT160548

李卷孺, 谷大武. PRESENT算法的差分故障攻擊[C]. 中國密碼學會2009年會論文集, 廣州, 2009: 1–13.

LI Juanru and GU Dawu. Differential fault attack on PRESENT[C]. inaCrypt2009, Guangzhou, China, 2009: 1–13.

GAO Yang, WANG Yongjuan, YUAN Qingjun, et al. Probabilistic analysis of differential fault attack on MIBS[J]. IEICE Transactions on Information and Systems, 2019, 102(2): 299–306. doi: 10.1587/transinf.2018EDP7168

GRUBER M and SELMKE B. Differential fault attacks on KLEIN[C]. The 10th International Workshop on Constructive Side-Channel Analysis and Secure Design, Darmstadt, Germany, 2019: 80–95. doi: 10.1007/978-3-030-16350-1_6.

ANAND R, SIDDHANTI A, MAITRA S, et al. Differential fault attack on SIMON with very few faults[C]. Progress in Cryptology-INDOCRYPT 2018: The 19th International Conference on Cryptology in India, New Delhi, India, 2018: 107–119. doi: 10.1007/978-3-030-05378-9_6.

GAO Yang, WANG Yongjuan, YUAN Qingjun, et al. Methods of differential fault attack on LBlock with analysis of probability[C]. The 3rd IEEE Advanced Information Technology, Electronic and Automation Control Conference, Chongqing, China, 2018: 474–479. doi: 10.1109/IAEAC.2018.8577744.

AGOYAN M, DUTERTRE J M, MIRBAHA A P, et al. Single-bit DFA using multiple-byte laser fault injection[C]. 2010 IEEE International Conference on Technologies for Homeland Security, Waltham, USA, 2010: 113–119. doi: 10.1109/THS.2010.5655079.

AYATOLAHI F, SANGCHOOLIE B, JOHANSSON R, et al. A Study of the Impact of Single Bit-flip and Double Bit-flip Errors on Program Execution[M]. BITSCH F, GUIOCHET J, and KA?NICHE M. Computer Safety, Reliability, and Security. Berlin: Springer, 2013: 265–276. doi: 10.1007/978-3-642-40793-2_24.

SANGCHOOLIE B, PATTABIRAMAN K, and KARLSSON J. One bit is (not) enough: An empirical study of the impact of single and multiple bit-flip errors[C]. The 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, Denver, USA, 2017: 97–108.

高楊, 王永娟, 王磊, 等. 輕量級分組密碼算法TWINE差分故障攻擊的改進[J]. 通信學報, 2017, 38(S2): 178–184. doi: 10.11959/j.issn.1000-436x.2017274

GAO Yang, WANG Yongjuan, WANG Lei, et al. Improvement Differential fault attack on TWINE[J]. Journal on Communications, 2017, 38(S2): 178–184. doi: 10.11959/j.issn.1000-436x.2017274

相關(guān)文章

施引文獻

資源附件(0)

訪問統(tǒng)計