面向Feistel密码的基于故障传播模式的差分故障分析
文献类型:学位论文
| 作者 | 陈海宁 |
| 学位类别 | 硕士 |
| 答辩日期 | 2010-06-02 |
| 授予单位 | 中国科学院研究生院 |
| 授予地点 | 北京 |
| 导师 | 周永彬 |
| 关键词 | Feistel密码 差分故障分析 故障传播模式 故障传播路径 Camellia |
| 学位专业 | 信息安全 |
| 中文摘要 | 密码算法是信息安全研究的核心内容之一,其实际安全性不仅依赖于密码自身的数学特性,也依赖于具体的实现特性。基于实现的密码分析是一种有别于传统密码分析的新型密码分析方法,它利用算法实现时的信息泄露来恢复秘密信息。差分故障分析(Differential Fault Analysis,简称DFA)就是这样一类重要的密码分析方法。 现代密码学中,密码设计通常基于混淆和扩散这两大基本原则。对于一个分组密码而言,选择一个合适的轮函数并进行若干次迭代可以提供必要的混淆和扩散。因此,目前流行的分组密码均为迭代型密码,所采用的典型结构包括Feistel结构、SPN结构和广义Feistel结构等。这些密码结构及其所采用的基础密码组件(例如,S盒和P置换等)的性质,完全决定了故障在传播过程中所呈现的一些模式。直观上,这种内在特征可以用于挖掘DFA攻击和密码结构之间的关系。因此,完全可能利用这种特征来建立一种面向密码结构的系统化DFA攻击方法。 本文主要研究面向Feistel密码的差分故障分析方法,并探讨这类分析方法与已有可证明安全性理论分析结论之间的关系。为此,引入了故障传播路径(Fault Propagation Path,简称FPPath)和故障传播模式(Fault Propagation Pattern,简称FPPattern)的概念,给出了适用于Feistel结构的 FPPath 和 FPPattern 计算方法,建立了与已有可证明安全性理论结果之间的关系。在此基础上,提出了一种面向Feistel密码的基于故障传播模式的 系统化差分故障分析方法。使用该方法,可编程实现FPPath和FPPattern的自动计算,这将有助于针对Feistel密码的自动化DFA攻击的实施。这种情形下,可将FPPath的长度视作评估DFA攻击有效性的一种度量指标。此外,该系统化方法的必然结果是攻击性能的显著提高:不但攻击轮数有所减少,而且故障植入点数量也会减少,这将迅速降低实施一次成功攻击所需的故障密文数。最后,为验证该方法的正确性和有效性,以Camellia密码算法为具体实例,进行了相关模拟攻击实验研究,并给出了相应的数据复杂度分析和时间复杂度分析。通过充分利用Camellia算法中P置换的性质,在不需要穷举搜索的情况下,新攻击方法仅需要6个故障密文即可完全恢复出128位密钥,而成功恢复出192位或256位密钥所需要的故障密文数则为22个。结果表明,基于FPPattern的DFA方法要优于所有已有同类方法。 |
| 英文摘要 | Cryptographic algorithm is one of the core elements for information security, and its physical security relies not only on the mathematical characteristics but also on the implementation characteristics. Unlike traditional cryptanalysis, implementation based cryptanalysis is a new type attack which utilizes the leakage information of cryptographic algorithm's implementation in order to retrieve secrets. Differential Fault Analysis (DFA for short) is such a powerful cryptanalytic method. In modern cryptography, confusion and diffusion have been widely accepted as two fundamental principles to design secure ciphers. For block ciphers, a carefully chosen round function, if iterated couples of times, can provide the necessary properties of confusion and diffusion. As a result, most popular block ciphers are iterated ones, with typical structures such as Feistel, SPN, Generalized Feistel, etc. These cryptographic structures, as well as the special properties of underlying cryptographic components like S-boxes and permutation functions, will fully determine the patterns that faults will have in the process of propagation. Intuitively, this inherent characteristic can be (and should be) used to exploit the relationship between DFA and cryptographic structures. Therefore, it is totally possible to take advantages of this characteristic to establish a systematic DFA method on cryptographic structures. This thesis mainly focuses on studying the DFA method on Feistel ciphers and discussing the relationship between this method and the established results of theoretical cryptanalysis with provable security. For this purpose, this thesis introduces two new notions of Fault Propagation Path (FPPath for short) and Fault Propagation Pattern (FPPattern for short), and presents the algorithms for computing FPPath and FPPattern for Feistel ciphers. The relation between those two fundamental notions and the established results of theoretical cryptanalysis with provable security is built. Based on those notions, this thesis presents a FPPattern based systematic DFA method on Feistel ciphers. By this method, it can be programmed to automatically compute FPPaths and FPPatterns, which will facilitate the automatic DFA on Feistel ciphers. In this case, the length of FPPath can be regarded as a quantitative metric to evaluate the efficiency of DFA attacks. Moreover, one consequent result of this systematic method is remarkable performance enhancement. Specifically, not only the number of attacked rounds but also the number of fault injection points is reduced, which rapidly decrease the amount of required faulty ciphertexts for successful attacks. To verify both the correctness and the efficiency of this method, the FPPattern based DFA simulations are performed to attack Camellia, and corresponding analyses of both data complexity and time complexity are provided. By making better use of the fundamental property of P-function utilized in Camellia, our attack, without any brute-force search, only requires 6 faulty ciphertexts to retrieve the 128-bit key and 22 faulty ciphertexts to recover 192/256-bit keys. The results demonstrate that the FPPattern based DFA method is better than all the existing DFA methods. |
| 学科主题 | 数据安全与计算机安全 |
| 语种 | 中文 |
| 公开日期 | 2010-06-09 |
| 源URL | [http://124.16.136.157/handle/311060/2362]  |
| 专题 | 软件研究所_信息安全国家重点实验室_学位论文 |
| 推荐引用方式 GB/T 7714 | 陈海宁. 面向Feistel密码的基于故障传播模式的差分故障分析[D]. 北京. 中国科学院研究生院. 2010. |
入库方式: OAI收割
来源:软件研究所
浏览0
下载0
收藏0
其他版本
除非特别说明,本系统中所有内容都受版权保护,并保留所有权利。