Computer Engineering, 2022, Vol. 48, Issue (6): 139-145, 153. doi: 10.19678/j.issn.1000-3428.0061797

• Cyberspace Security •

Random Plaintext Collision Attack Against AES Algorithm with Reused Masks

ZHAO Bingyu1, WANG Liusheng1, ZHANG Meiling1,2, ZHENG Dong1,2

  1. School of Cyberspace Security, Xi'an University of Posts & Telecommunications, Xi'an 710121, China;
  2. National Engineering Laboratory for Wireless Security, Xi'an University of Posts & Telecommunications, Xi'an 710121, China
  • Received: 2021-05-31 Revised: 2021-08-10 Published: 2022-06-11
  • About the authors: ZHAO Bingyu (born 1996), male, master's student, main research interest: side-channel attacks; WANG Liusheng, master's student; ZHANG Meiling, lecturer; ZHENG Dong, professor.
  • Funding:
    National Key Research and Development Program of China (2017YFB0802000); Key Research and Development Program of Shaanxi Province (2020ZDLGY08-04).

Abstract: Side-channel attacks are an active research direction in cryptography. As an important branch of side-channel attacks, collision attacks can effectively extract intermediate-value information from power leakage, detect collisions between different S-boxes from that information, and use the collisions to establish linear relations between different key bytes, shrinking the key candidate space. For the Advanced Encryption Standard (AES) algorithm with reused masks, the existing adaptive chosen-plaintext collision attack requires a pre-established attack template and many preconditions before it can be mounted. To address this problem, this study proposes an efficient random-plaintext collision attack. Based on the relationship between the Hamming distance of two different S-box input values and the Euclidean distance between the corresponding power traces, the method identifies the correct key XOR value among the 256 possible key XOR values. Theoretical analysis shows that the method needs neither a pre-determined collision threshold nor a pre-established template, and that it exploits the information in power traces that do not collide. In addition, the encrypted plaintexts are random, so the attack can be mounted when the attacker cannot operate the target device. Experimental results show that, compared with the adaptive chosen-plaintext collision attack, the Improved Collision-Correlation Attack (ICCA) and other methods, the proposed method reduces the preconditions for a collision attack and widens its range of application.

Key words: side-channel attack, collision attack, Hamming distance, Euclidean distance, Advanced Encryption Standard (AES)
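The principle the abstract describes can be demonstrated in simulation: when two S-boxes share one mask, the mask cancels in the XOR of their inputs, so the Hamming distance between the two S-box inputs is predictable from the plaintexts alone for every candidate key XOR value, and under Hamming-weight leakage the expected squared Euclidean distance between the two trace segments grows linearly with that Hamming distance. The Python below is an added example, not the paper's code: the leakage model (noisy Hamming weight of the masked S-box input), the key bytes K0/K1, the per-encryption mask and the trace shape are constructed assumptions standing in for measured power traces, and the attack function itself sees only plaintexts and leakage. As a contrast the abstract only implies, it also shows that first-order CPA against the same masked byte finds nothing.

```python
"""Random-plaintext collision attack on two masked AES S-boxes that reuse one mask.

Added example, not the paper's code. The leakage model (noisy Hamming weight
of the masked S-box input), the key bytes K0/K1 and the per-encryption mask are
constructed assumptions standing in for measured power traces.
"""
import numpy as np

# Hamming weight of every byte value, used both to simulate leakage and to
# predict Hamming distances during the attack.
HW = np.array([bin(v).count("1") for v in range(256)], dtype=np.float64)


def simulate_traces(n, k0, k1, samples=3, sigma=0.3, seed=7):
    """Simulate n encryptions with random plaintext bytes p0, p1.

    Both S-box inputs are masked with the SAME fresh mask m (the mask reuse the
    attack exploits): x_i = p_i ^ k_i ^ m. Each S-box evaluation leaks
    `samples` noisy Hamming-weight samples of its masked input. Returns the
    plaintexts and the two leakage segments; mask and key never leave here.
    """
    rng = np.random.default_rng(seed)
    p0 = rng.integers(0, 256, n)
    p1 = rng.integers(0, 256, n)
    m = rng.integers(0, 256, n)                # fresh per encryption, shared by both bytes
    x0 = p0 ^ k0 ^ m
    x1 = p1 ^ k1 ^ m
    l0 = HW[x0][:, None] + rng.normal(0.0, sigma, (n, samples))
    l1 = HW[x1][:, None] + rng.normal(0.0, sigma, (n, samples))
    return p0, p1, l0, l1


def pearson(a, b):
    """Pearson correlation of two equal-length 1-D arrays."""
    a = a - a.mean()
    b = b - b.mean()
    return float((a * b).sum() / np.sqrt((a * a).sum() * (b * b).sum()))


def collision_attack(p0, p1, l0, l1):
    """Recover delta = k0 ^ k1 from random plaintexts and the two leakage segments.

    Because the mask is shared, x0 ^ x1 = p0 ^ p1 ^ delta: the mask cancels and
    the Hamming distance HW(p0 ^ p1 ^ delta) between the two S-box inputs is
    known for every candidate delta without knowing m. Under Hamming-weight
    leakage the expected squared Euclidean distance between the two trace
    segments grows linearly with that Hamming distance, so the candidate whose
    predicted distances correlate best with the measured distances is the key
    XOR. Every trace contributes, colliding or not; no threshold, template or
    chosen plaintext is needed.
    """
    dist = ((l0 - l1) ** 2).sum(axis=1)        # squared Euclidean distance per trace
    pp = p0 ^ p1
    scores = np.array([pearson(HW[pp ^ d], dist) for d in range(256)])
    return int(scores.argmax()), scores


def best_first_order_cpa(p0, l0):
    """Largest |correlation| a first-order CPA finds on one masked byte.

    With a uniformly random mask, HW(p0 ^ k ^ m) is independent of p0 ^ k, so
    even the correct key guess correlates with nothing: the mask defeats CPA,
    but not the collision attack above, because the two bytes share it.
    """
    lk = l0.mean(axis=1)
    return max(abs(pearson(HW[p0 ^ k], lk)) for k in range(256))


if __name__ == "__main__":
    K0, K1 = 0x2B, 0x7E                        # assumed secret key bytes (never read by the attack)
    p0, p1, l0, l1 = simulate_traces(10_000, K0, K1)
    delta, scores = collision_attack(p0, p1, l0, l1)
    print(f"recovered k0^k1 = 0x{delta:02x}, true = 0x{K0 ^ K1:02x}, "
          f"score = {scores[delta]:.3f}, runner-up = {np.sort(scores)[-2]:.3f}")
    print(f"first-order CPA max |corr| on masked byte: {best_first_order_cpa(p0, l0):.3f}")
```

Two design points carry over to real traces: the score is a correlation over all traces, so there is no collision threshold to tune and non-colliding traces still contribute; and candidates that differ from the true XOR in a single bit score roughly three quarters of the true value, so a key-ranking step on the remaining candidates is cheap if the trace count is small. Recovering k0 ^ k1 does not give the key bytes themselves; as in the paper's setting, such relations between byte pairs cut the key candidate space and are combined with other information.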
