CN108055120A - A method for evaluating the resistance of the AES-OTR algorithm to differential fault attack


Info

Publication number
CN108055120A
Authority
CN
China
Prior art keywords
failure
wheel
otr
aes
key
Prior art date
Legal status
Granted
Application number
CN201711452230.1A
Other languages
Chinese (zh)
Other versions
CN108055120B (en)
Inventor
李玮
曹珊
廖林峰
吴益鑫
孙莉
姜霖霖
刘以
刘以一
Current Assignee
Zhixun Password Shanghai Testing Technology Co ltd
Original Assignee
Donghua University
Priority date
Filing date
Publication date
Application filed by Donghua University
Priority to CN201711452230.1A
Publication of CN108055120A
Application granted
Publication of CN108055120B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H04L9/002 Countermeasures against attacks on cryptographic mechanisms
    • H04L9/004 Countermeasures against attacks on cryptographic mechanisms for fault attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Test And Diagnosis Of Digital Computers (AREA)
  • Investigating Or Analysing Biological Materials (AREA)

Abstract

The present invention provides a method for evaluating the resistance of the AES-OTR algorithm to differential fault attack. First, a computation is carried out, and its output recorded, in a safe environment into which no fault is introduced. Then the same message is encrypted again while the encryption process is deliberately disturbed by changing the clock, voltage, humidity or similar operating conditions, so that a fault is induced and a faulty output is obtained. Next, by analysis, a functional relation between the correct output, the faulty output and the key is established; from it the possible fault positions are derived, the key guess space is reduced, the sub-key is obtained by exhaustive search, and the primary key is then obtained through the key schedule. The method needs only a single injected fault to derive the key; it is easy to realize and simple in principle, and it can also effectively protect the encryption mechanism from being compromised. The method provides an important theoretical foundation for evaluating software and hardware security systems that use the AES-OTR algorithm.

Description

A method for evaluating the resistance of the AES-OTR algorithm to differential fault attack
Technical field
The present invention relates to a method for evaluating the resistance of the AES-OTR algorithm to differential fault attack. It is mainly used to test products that package this algorithm and belongs to the field of information security technology.
Background technology
The rapid development of information technology has brought great convenience to people's lives; however, large amounts of data are generated when information technology is used, and secure cryptographic algorithms are needed to ensure the security of these data. Cryptographic algorithms, as the core of information security, depend on the secrecy of the key. AES-OTR is a new authenticated encryption algorithm proposed by the Japanese scholar Kazuhiko Minematsu in March 2014; it provides both confidentiality and integrity authentication for data transmission.
Differential fault attack combines fault attack with differential attack: the attacker introduces a fault during encryption so that an intermediate state of the encryption algorithm changes, then compares the correct data stream with the faulty data stream produced after the fault is introduced, recovers part or all of the intermediate state, and from it recovers information about the key.
At present there is no published report evaluating the ability of the AES-OTR algorithm to resist differential fault attack, which leaves a security risk for products that package the AES-OTR algorithm.
The content of the invention
The technical problem to be solved by the present invention is to provide a method that can evaluate the ability of the AES-OTR algorithm to resist differential fault attack.
To solve the above technical problem, the technical scheme is to provide a method for evaluating the resistance of the AES-OTR algorithm to differential fault attack, characterized in that it comprises an encryption part and an authentication part;
The encryption part comprises the following steps:
Step 1: randomly generate the plaintext message to be processed, denoted M;
Step 2: process message M with the AES-OTR algorithm and obtain the correct output and the faulty output, denoted C and C* respectively;
Step 3: according to the ratios present in the encryption process, construct a function f = g(C, C*, K) between the correct output, the faulty output and the key K;
Step 4: from the constructed function, observe which equations hold, infer the fault injection position, and judge whether the injected fault is effective;
Step 5: guess the key by exhaustive search, using the above to reduce the guess space, and thereby break the key;
The authentication part comprises the following steps:
Step 1: inject a fault into the last round of EK to obtain the correct encryption result and the faulty encryption result, denoted TE and TE*;
Step 2: let MSB|C|(X) denote the highest |C| bits of the binary string X, τ the tag length, and TA the tag of the associated data; compute T;
Step 3: compute T* in the same way;
Step 4: judge whether the result is affected by the differential fault attack, establish the differential relation f = g(T, T*, K), derive the fault injection position and analyse its validity;
Step 5: use the proportional relation of the fault differences to reduce the guess space, then guess the key by exhaustive search and thereby break the key;
The fault analysis formulas of the authentication part are similar to those of the encryption part, except that the number of difference-ratio formulas obtained differs with the number of ciphertext blocks; in theory the key cannot be deduced with this method if τ < 32 bits, but in the AES-OTR algorithm 32 ≤ |τ| ≤ 128, and within this range the key can be guessed through the difference ratios. The concrete analysis is as follows:
Compute the difference ΔC (the exclusive-or of the correct output C and the faulty output C*), where ΔC is the fault difference of the ciphertext output, the tenth-round S-box input is indexed by i, and F denotes the difference ratio corresponding to that index; ΔC is stored in a 128-bit buffer. Then perform difference analysis on ΔC to determine the fault position, as follows:
1. Effective faults:
I) When the difference ratio of the intermediate state in column 1 of round 9 is 2:1:1:3 and ΔC1, ΔC8, ΔC11, ΔC14 are nonzero, the fault may have been injected at position 1, 6, 11 or 16 of round 8;
II) When only column 1 of round 9 shows an intermediate-state difference, the fault may have been injected at position 1, 6, 11 or 16 of round 9;
III) When the difference ratio of the intermediate state in column 1 of round 9 is 3:2:1:1 and ΔC2, ΔC5, ΔC12, ΔC15 are nonzero, the fault may have been injected at position 4, 5, 10 or 15 of round 8;
IV) When only column 2 of round 9 shows an intermediate-state difference, the fault may have been injected at position 4, 5, 10 or 15 of round 9;
V) When the difference ratio of the intermediate state in column 1 of round 9 is 1:3:2:1 and ΔC3, ΔC6, ΔC9, ΔC16 are nonzero, the fault may have been injected at position 3, 8, 9 or 14 of round 8;
VI) When only column 3 of round 9 shows an intermediate-state difference ratio, the fault may have been injected at position 3, 8, 9 or 14 of round 9;
VII) When the difference ratio of the intermediate state in column 1 of round 9 is 1:1:3:2 and ΔC4, ΔC7, ΔC10, ΔC13 are nonzero, the fault may have been injected at position 2, 7, 12 or 13 of round 8;
VIII) When only column 4 of round 9 shows an intermediate-state difference ratio, the fault may have been injected at position 2, 7, 12 or 13 of round 9;
2. Ineffective faults:
I) When ΔC = 0, the injected fault value equals the original value at the current position, which is equivalent to no fault having been injected; the fault is ineffective;
II) When ΔC ≠ 0 but the key cannot be recovered from the obtained ciphertext, the fault is ineffective.
Preferably, in step 2 of the encryption part, two experimental environments are controlled while message M is processed with the AES-OTR algorithm, as follows:
1) input message M and keep the experimental environment free from interference by any unrelated factor, so that the AES-OTR algorithm runs correctly and yields the correct output, denoted C;
2) input message M again and process it with the AES-OTR algorithm once more while the running environment is changed by other physical equipment, inducing a fault that disturbs the processing of the AES-OTR algorithm; the output is denoted C*.
More preferably, the methods of changing the running environment to induce a fault include changing the clock, voltage, humidity, radiation, pressure, light and eddy current; the fault is injected at random into the AES-OTR processing flow to obtain the faulty output, denoted C*.
Preferably, in step 4 of the encryption part, whether the AES-OTR algorithm is affected by the differential fault attack is judged, the fault injection position is derived and its validity analysed, as follows:
First, an equation is established from the consistency between the result difference of the previous round's encryption and the result difference after decryption of the following round; then the key K is guessed by exhaustive search according to the equation; finally, the root key is inferred from the relation between the round key of the previous round and that of the following round.
Preferably, in step 1 of the authentication part, two experimental environments are controlled while messages are processed with Ek, as follows:
1) keep the experimental environment free from interference by any unrelated factor, so that the AES-OTR algorithm runs correctly without error and yields the correct output, denoted TE;
2) encrypt again with the AES-OTR algorithm while the running environment is changed by other physical equipment, inducing a fault in the ShiftRows intermediate state of round 8 that disturbs the processing of the AES-OTR algorithm; the output is denoted TE*.
The present invention proposes a method for evaluating the resistance of the AES-OTR algorithm to differential fault attack. First, a computation is carried out, and its output recorded, in a safe environment into which no fault is introduced. Then the same message is encrypted again while the encryption process is deliberately disturbed by a series of operations such as changing the clock, voltage, humidity, radiation, pressure, light and eddy current, so that a fault is induced and a faulty output is obtained. Next, by analysis, a functional relation between the correct output, the faulty output and the key is established; from it the possible fault positions are derived, the key guess space is reduced, the sub-key is obtained by exhaustive search, and the primary key is then obtained through the key schedule. The method needs only a single injected fault to derive the key; it is easy to realize and simple in principle, and it can also effectively protect the encryption mechanism from being compromised. The method provides an important theoretical foundation for evaluating software and hardware security systems that use the AES-OTR algorithm.
The method provided by the invention is accurate, simple and easy to implement. It can not only assess the resistance of the AES-OTR algorithm to differential fault attack but also derive the position of the differential fault, and it provides a theoretical foundation for the security evaluation of products that package the AES-OTR algorithm.
Description of the drawings
Fig. 1 is the flow chart of the method provided by the invention for evaluating the resistance of the AES-OTR algorithm to differential fault attack;
Fig. 2 shows the encryption iteration of the AES-OTR algorithm: (a) when m is even; (b) when m is odd;
Fig. 3 is the fault analysis diagram for a fault injected into Ek of the AES-OTR algorithm;
Fig. 4 is the diagram of the authentication process.
Specific embodiment
With reference to specific embodiments, the present invention is further explained.
The symbols used in this embodiment are as follows:
M: plaintext message;
m: number of blocks of the plaintext or ciphertext;
M[p]: the p-th plaintext block, where 1 ≤ p ≤ m;
C[q]: the q-th ciphertext block, where 1 ≤ q ≤ m;
Ci, ΔCi: the i-th byte of the ciphertext and the fault difference of the i-th byte, where 1 ≤ i ≤ 16;
K: primary key; Ki: the i-th byte of the key, where 1 ≤ i ≤ 16;
Tenth-round S-box input index i: the i-th input index value of the tenth-round S-box of the algorithm, 1 ≤ i ≤ 16;
F: the difference ratio corresponding to the tenth-round S-box input index value;
C: correct output after the algorithm processes the message;
C*: faulty output produced after a fault is injected while the algorithm processes the message;
EK: the encryption algorithm with key K;
Δ: exclusive-or difference;
XOR: exclusive-or operation;
f: exclusive-or difference between the two intermediate states before and after the fault is injected (round 8);
Kj: the j-th round key, and its i-th byte, where 1 ≤ j ≤ 10 and 1 ≤ i ≤ 16;
N: nonce (random number); if the nonce length is not less than the plaintext block length, no padding is applied at the end;
Padded nonce: the nonce N padded with zeros at the end when its length is less than the plaintext block length;
δ, L: intermediate values after encryption with the nonce, L = 4δ;
0n: the all-zero string of length n;
γ, Q: intermediate values after encrypting 0n, Q = 4γ;
a: number of blocks of the associated data;
ADP: associated-data processing;
MSB|C|(X): the highest |C| bits of the binary string X;
τ: tag length, 32 ≤ τ ≤ 128;
T: correct output of the AES-OTR authentication processing of the message under normal conditions;
T*: faulty output when a fault is injected during AES-OTR authentication;
∑: the checksum, defined by one formula when m is even and by another when m is odd;
TA: tag of the associated data before final authentication;
TE: tag of the plaintext before final authentication;
Ar: the r-th block of the associated data, where 1 ≤ r ≤ a.
When the same message M is processed with the AES-OTR algorithm under the same key, the attacker can obtain the correct output C and the faulty output C* respectively if the experimental environment (clock, voltage, humidity, radiation, pressure, light, eddy current and so on) differs. By computing the output difference relation ΔC between the two values, key information can be derived. The attacker can induce a fault in the ShiftRows state or the MixColumns state while the device executes the AES-OTR algorithm, but does not know the exact position at which the fault occurs or the exact fault value. Under certain conditions the fault injection position can be derived from the difference ΔC; such a fault is called an effective fault. Conversely, when the injected fault gives no help in analysing the key, i.e. no useful information can be obtained from ΔC, the fault is an ineffective fault.
Fig. 1 is the flow chart of the method provided by the invention for evaluating the resistance of the AES-OTR algorithm to differential fault attack; the method comprises the following steps:
Step 1: randomly generate the message to be processed, denoted M;
Step 2: process message M and obtain the correct output and the faulty output, denoted C and C* respectively;
Step 3: according to the ratios present in the encryption process, construct a function f = g(C, C*, K) between the correct output C, the faulty output C* and the key K;
Step 4: from the constructed function, observe which equations hold, infer the fault injection position, and judge whether the injected fault is effective.
Step 5: guess the key by exhaustive search, using the above to reduce the guess space, and thereby break the key.
In step 2, M is processed with the AES-OTR algorithm, and two different controls are applied to the running environment during the experiment:
(1) input message M and keep the experimental environment free from interference by any unrelated factor, so that the AES-OTR algorithm runs correctly and yields the correct output, denoted C;
(2) input message M again and process it with the AES-OTR algorithm once more while the running environment is changed by other physical equipment, inducing a fault that disturbs the processing of the AES-OTR algorithm; the output is denoted C*.
The methods of inducing a fault in step (2) include changing the clock, voltage, humidity, radiation, pressure, light, eddy current and so on.
In step 3, the difference ΔC (the exclusive-or of C and C*) is computed, where ΔC is the fault difference of the ciphertext output, the tenth-round S-box input is indexed by i, and F denotes the difference ratio corresponding to that index; ΔC is stored in a 128-bit buffer.
In step 4, the difference analysis of ΔC, the determination of the fault position and the criterion for judging whether the fault is effective are as follows:
The AES-OTR algorithm is built on a block cipher whose input block, output block and intermediate blocks during encryption/decryption are all 128 bits. The key length is 128, 192 or 256 bits. With a 128-bit key the block cipher has 10 rounds of iteration; each round consists of four operations, except that the last round has no MixColumns layer; the output is the 128-bit ciphertext matrix. The iteration of the last two rounds of AES-OTR is shown in Fig. 2.
Fig. 3 is the fault propagation diagram for a fault injected at the first byte of the ShiftRows state in round 8; the propagation diagram for a fault injected at any other position can be inferred from this figure by analogy. The correct output of the AES-OTR algorithm is C and the faulty output is C*.
In the first stage, the difference proportional relation of the first column of round 9 can be derived backwards from the correct and faulty ciphertexts of round 10:
Here f1, K1, K8, K14 and K11 are all unknown; the aim is to find, by exhaustive search over this relation, the values of K1, K8, K14 and K11 that satisfy it. Likewise, the other key bytes can be obtained from the following three relations:
Four possible fault positions can be deduced from the order of the difference ratio.
In the second stage, the fault analysis of round 9 is carried out:
This round mainly uses the key predicted in round 10: the round-9 key is obtained from the predicted round-10 key through the key schedule, and the four differential faults at the round-9 S-boxes are predicted using the ciphertext C, which further reduces the key search space of AES-OTR.
The round-9 key can be expressed in terms of the round-10 key; the specific analysis method is given by the following formula:
According to the encryption principle and the fault propagation process of the algorithm, the S-box input differences of round 9 are:
The fault analysis formulas of the authentication phase are similar to those of the first stage, except that the number of difference-ratio equations obtained differs with the ciphertext length; in theory the key cannot be deduced with this method if τ < 32 bits, but in the AES-OTR algorithm τ ∈ (32, 128), and within this range the key can be guessed through the difference ratios. Fig. 4 shows the associated-data encryption process required by the authentication phase.
The validity of the fault position is analysed concretely as follows:
1. Effective faults:
I) When the difference ratio of the intermediate state in column 1 of round 9 is 2:1:1:3 and ΔC1, ΔC8, ΔC11, ΔC14 are nonzero, the fault may have been injected at position 1, 6, 11 or 16 of round 8;
II) When only column 1 of round 9 shows an intermediate-state difference, the fault may have been injected at position 1, 6, 11 or 16 of round 9;
III) When the difference ratio of the intermediate state in column 1 of round 9 is 3:2:1:1 and ΔC2, ΔC5, ΔC12, ΔC15 are nonzero, the fault may have been injected at position 4, 5, 10 or 15 of round 8;
IV) When only column 2 of round 9 shows an intermediate-state difference, the fault may have been injected at position 4, 5, 10 or 15 of round 9;
V) When the difference ratio of the intermediate state in column 1 of round 9 is 1:3:2:1 and ΔC3, ΔC6, ΔC9, ΔC16 are nonzero, the fault may have been injected at position 3, 8, 9 or 14 of round 8;
VI) When only column 3 of round 9 shows an intermediate-state difference ratio, the fault may have been injected at position 3, 8, 9 or 14 of round 9;
VII) When the difference ratio of the intermediate state in column 1 of round 9 is 1:1:3:2 and ΔC4, ΔC7, ΔC10, ΔC13 are nonzero, the fault may have been injected at position 2, 7, 12 or 13 of round 8;
VIII) When only column 4 of round 9 shows an intermediate-state difference ratio, the fault may have been injected at position 2, 7, 12 or 13 of round 9;
2. Ineffective faults:
I) When ΔC = 0, the injected fault value equals the original value at the current position, which is equivalent to no fault having been injected; the fault is ineffective;
II) When ΔC ≠ 0 but the key cannot be recovered from the obtained ciphertext, the fault is ineffective.
In summary:
When the round-10 fault differences ΔC1, ΔC8, ΔC11 and ΔC14 are nonzero and the differential fault ratio is 2:1:1:3, or when only column 1 of the round-9 inverse SubBytes shows a difference, the fault may have been injected at position 1, 6, 11 or 16; when the fault differences ΔC2, ΔC5, ΔC12 and ΔC15 are nonzero and the fault difference ratio is 3:2:1:1, or when only column 2 of the round-9 inverse SubBytes shows a difference, the fault may have been injected at position 4, 5, 10 or 15; when the fault differences ΔC3, ΔC6, ΔC9 and ΔC16 are nonzero and the fault difference ratio is 1:3:2:1, or when only column 3 of the round-9 inverse SubBytes shows a difference, the fault may have been injected at position 3, 8, 9 or 14; when the fault differences ΔC4, ΔC7, ΔC10 and ΔC13 are nonzero and the fault difference ratio is 1:1:3:2, or when only column 4 of the round-9 inverse SubBytes shows a difference, the fault may have been injected at position 2, 7, 12 or 13. These positions are the effective fault injection positions.
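The fault-effectiveness rules above (cases 1.II/IV/VI/VIII and 2.I/II, and the summary just given) and the claim that the method also protects the encryption mechanism can both be exercised in simulation. The following Python block is an added example, not the patent's own Java simulation: it implements AES-128, the block cipher underlying AES-OTR (the OTR mode itself is not modelled), injects a constructed single-byte transient fault at a chosen round and byte position, classifies ΔC by the nonzero-byte patterns listed in the text, and shows a double-computation check that withholds any ciphertext whose two runs disagree. The function names, the `(round, position, mask)` fault format and the fault values are assumptions of this example; the key/plaintext pair is the FIPS-197 Appendix C.1 test vector.

```python
# Added example, not the patent's own Java simulation: a compact AES-128 with an optional
# single-byte fault hook, the ciphertext-difference classifier from the text, and a redundancy
# countermeasure.  Byte positions are 1-based and column-major as in the patent; the demo's
# key and plaintext are the FIPS-197 Appendix C.1 vector, the fault values are constructed.

def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def _gmul(a, b):
    """General multiplication in GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _build_sbox():
    """AES S-box: multiplicative inverse (0 -> 0) followed by the affine transform."""
    sbox = [0] * 256
    for x in range(256):
        inv = x
        for _ in range(253):          # x^254 = x^-1 in GF(2^8); stays 0 for x = 0
            inv = _gmul(inv, x)
        s = inv
        for i in range(1, 5):         # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox

SBOX = _build_sbox()

def _expand_key(key):
    """AES-128 key schedule: 11 round keys of 16 bytes each."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:                # RotWord, SubWord, Rcon
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _shift_rows(s):
    # state index = row + 4*column; row r is rotated left by r positions
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def _mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(_gmul(2, a[r]) ^ _gmul(3, a[(r + 1) % 4]) ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return out

def aes128_encrypt(key, pt, fault=None):
    """Encrypt one block.  fault=(round, position, mask) XORs mask into the 1-based byte
    `position` of the state at the input of round `round` (1..10): a transient single-byte fault."""
    rk = _expand_key(key)
    s = [x ^ y for x, y in zip(pt, rk[0])]
    for rnd in range(1, 11):
        if fault and fault[0] == rnd:
            s[fault[1] - 1] ^= fault[2]
        s = _shift_rows([SBOX[b] for b in s])
        if rnd < 10:                  # the last round has no MixColumns
            s = _mix_columns(s)
        s = [x ^ y for x, y in zip(s, rk[rnd])]
    return bytes(s)

# Cases II/IV/VI/VIII of the text: set of nonzero ΔC bytes -> possible round-9 fault positions.
ROUND9_PATTERNS = {
    frozenset({1, 8, 11, 14}): (1, 6, 11, 16),
    frozenset({2, 5, 12, 15}): (4, 5, 10, 15),
    frozenset({3, 6, 9, 16}): (3, 8, 9, 14),
    frozenset({4, 7, 10, 13}): (2, 7, 12, 13),
}

def classify_fault(c, c_star):
    """Classify a fault from ΔC = C xor C*; returns (verdict, candidate positions)."""
    nonzero = frozenset(i + 1 for i, (x, y) in enumerate(zip(c, c_star)) if x != y)
    if not nonzero:                   # case 2.I: fault value equals the original value
        return "ineffective", ()
    if nonzero in ROUND9_PATTERNS:    # single-byte fault in round 9
        return "round9", ROUND9_PATTERNS[nonzero]
    if len(nonzero) == 16:            # round-8 pattern; cases I/III/V/VII still need the
        return "round8_candidate", () # 2:1:1:3-type ratio check against a round-key guess
    return "ineffective", ()          # case 2.II: pattern fits no single-fault model

def aes128_encrypt_checked(key, pt, fault=None):
    """Countermeasure: compute twice (a transient fault hits only the first run) and release the
    ciphertext only when both runs agree, so a faulty C* never leaves the device."""
    c1, c2 = aes128_encrypt(key, pt, fault), aes128_encrypt(key, pt)
    return c1 if c1 == c2 else None

if __name__ == "__main__":
    key = bytes(range(16))
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    c = aes128_encrypt(key, pt)                         # 69c4e0d86a7b0430d8cdb78070b4c55a
    c_star = aes128_encrypt(key, pt, fault=(9, 6, 0x5A))
    print(c.hex(), c_star.hex(), classify_fault(c, c_star))
    print(aes128_encrypt_checked(key, pt, fault=(9, 6, 0x5A)))  # None: faulty output suppressed
```

A fault at round-9 input position 6 lands in column 1 after ShiftRows, spreads to four bytes in MixColumns, and the round-10 ShiftRows scatters them to ciphertext bytes 1, 8, 11 and 14, exactly the pattern of case II; a fault at round 8 touches all 16 ciphertext bytes, so the classifier can only flag it as a round-8 candidate, since the 2:1:1:3-type ratio test in the text requires a guess of the round-10 key bytes that this example deliberately does not perform. A single-byte fault in round 10 changes one ciphertext byte and is reported as ineffective. The checked variant shows why an evaluation built on ΔC fails against a protected implementation: when the redundant computation disagrees, no C* is ever released, so there is nothing to difference.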
For the above steps, a suitable experimental environment is selected: a computer is used to generate the AES-OTR input message M and to analyse the output; the device that packages the AES-OTR algorithm processes the input, i.e. encrypts message M; and the fault-generating equipment changes the execution environment in order to disturb the processing of the input message, thereby realising the fault injection and producing the faulty output.
Using the above analysis method, the invention simulated the fault injection and the message processing in Java under the Eclipse development tool on a computer with an Intel(R) Core(TM) i3-2350M CPU at 2.30 GHz and 4 GB of memory; the experiment was repeated 1000 times, and the results show that the above detection method is accurate. The method provides a sufficient theoretical foundation for assessing the security of the AES-OTR algorithm; it is easy to operate and its results are accurate.
The above is only a preferred embodiment of the present invention and does not limit the invention in any form or substance. It should be pointed out that those skilled in the art can make several improvements and additions without departing from the method of the present invention, and these improvements and additions should also be regarded as falling within the protection scope of the present invention. Any minor alteration, modification or equivalent variation that a person skilled in the art makes to the above embodiment using the technical content disclosed above, without departing from the spirit and scope of the present invention, is an equivalent embodiment of the present invention; likewise, any variation, modification or evolution of any equivalent variation made to the above embodiment according to the substantial technology of the present invention still falls within the scope of the technical scheme of the present invention.

Claims (5)

  1. A kind of 1. method for detecting AES-OTR algorithms and resisting differential fault attack, it is characterised in that:Including encryption part and certification Part;
    The encryption part, comprises the following steps:
    Step 1:Clear-text message to be processed is generated at random, is denoted as M;
    Step 2:Using AES-OTR algorithm process message M, correctly output and mistake output are obtained, is denoted as C and C respectively*
    Step 3:The ratio according to present in ciphering process is built on the function f between correct output, mistake output, key K =g (C, C*K);
    Step 4:According to the ratio that the function of construction, observation equation are set up, deduction, which is out of order, imports position, and judges the event imported Whether barrier is effective;
    Step 5:Guess key using the method for exhaustion, space is guessed to reduce with this, and then breaking cryptographic keys;
    The authentication section, comprises the following steps:
    Step 1:By in last wheel EKMiddle importing failure obtains correct encrypted result and wrong encrypted result, be denoted as TE and TE*
    Step 2:Make MSB|C|(X) expression takes the sequence of binary string X high C, and τ represents reference numerals, and TA is represented without certification Data label;WithObtain T;
    Step 3:WithObtain T*
    Step 4:Whether judging result is influenced be subject to differential fault attack, and establishes differential relationship formula, and derivation, which is out of order, to be led Its validity of the position analysis entered;
    Step 5:By the proportionate relationship of failure difference, space is guessed to reduce with this, then guesses key using the method for exhaustion, And then breaking cryptographic keys;
    The accident analysis formula of authentication section with encryption unit split-phase seemingly, unlike, obtained difference different according to ciphertext number The formula quantity of ratio is different, theoretically can not deduce key using this method if 32 bits of τ <, but in AES-OTR 32≤τ≤128 in algorithm in the range of this, can guess key by difference ratio;Concrete analysis is as follows:
    Calculate differenceWhereinXOR operation is represented, Δ C is the failure difference of ciphertext output,Table Show that the tenth wheel S boxes of algorithm input i-th of index value, F represents the corresponding difference ratio of index value, and Δ C is stored in 128 bits In buffer area;Then difference analysis and definite abort situation are carried out to Δ C, concrete analysis is as follows:
    1. Effective faults:
    I) When the intermediate-state difference ratio of the 1st row of the 9th round is 2:1:1:3 and ΔC1, ΔC8, ΔC11, ΔC14 are non-zero, the fault may have been injected at position 1, 6, 11 or 16 of the 8th round;
    II) When only the 1st row of the 9th round shows an intermediate-state difference, the fault may have been injected at position 1, 6, 11 or 16 of the 9th round;
    III) When the intermediate-state difference ratio of the 1st row of the 9th round is 3:2:1:1 and ΔC2, ΔC5, ΔC12, ΔC15 are non-zero, the fault may have been injected at position 4, 5, 10 or 15 of the 8th round;
    IV) When only the 2nd row of the 9th round shows an intermediate-state difference, the fault may have been injected at position 4, 5, 10 or 15 of the 9th round;
    V) When the intermediate-state difference ratio of the 1st row of the 9th round is 1:3:2:1 and ΔC3, ΔC6, ΔC9, ΔC16 are non-zero, the fault may have been injected at position 3, 8, 9 or 14 of the 8th round;
    VI) When only the 3rd row of the 9th round shows an intermediate-state difference ratio, the fault may have been injected at position 3, 8, 9 or 14 of the 9th round;
    VII) When the intermediate-state difference ratio of the 1st row of the 9th round is 1:1:3:2 and ΔC4, ΔC7, ΔC10, ΔC13 are non-zero, the fault may have been injected at position 2, 7, 12 or 13 of the 8th round;
    VIII) When only the 4th row of the 9th round shows an intermediate-state difference ratio, the fault may have been injected at position 2, 7, 12 or 13 of the 9th round;
    2. Invalid faults:
    I) When ΔC = 0, the injected fault value equals the original value at the current position, which is equivalent to injecting no fault, so the fault is invalid;
    II) When ΔC ≠ 0 but the key cannot be recovered from the resulting ciphertext, the fault is an invalid fault.
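As an added illustration (not code from the patent), the following Python applies the byte-position rules of the effective and invalid fault cases above to a difference ΔC = C ⊕ C*. The sample C and C* are constructed, and the "undetermined" branch for any non-zero pattern other than a single 9th-round row is this example's own reading, since the 8th-round cases also require the 9th-round intermediate difference ratio, which the ciphertext alone does not reveal.

```python
# Added example (not from the patent): classify a ciphertext difference
# dC = C xor C* by the byte-position rules listed in the claim above.
# Byte positions are 1-based, as in the claim; sample inputs are constructed.
from typing import Dict, Tuple

# Ciphertext byte groups that the claim pairs with a difference in a single
# 9th-round intermediate-state row, mapped to the 9th-round positions it
# lists as possible injection points (cases II/IV/VI/VIII).
FAULT_PATTERNS: Dict[frozenset, Tuple[int, ...]] = {
    frozenset({1, 8, 11, 14}): (1, 6, 11, 16),
    frozenset({2, 5, 12, 15}): (4, 5, 10, 15),
    frozenset({3, 6, 9, 16}): (3, 8, 9, 14),
    frozenset({4, 7, 10, 13}): (2, 7, 12, 13),
}


def ciphertext_difference(c: bytes, c_star: bytes) -> bytes:
    """dC = C xor C* over one 128-bit block (the claim's 128-bit buffer)."""
    if len(c) != 16 or len(c_star) != 16:
        raise ValueError("block outputs must be 16 bytes")
    return bytes(a ^ b for a, b in zip(c, c_star))


def classify_fault(delta_c: bytes) -> dict:
    """Apply the claim's effective/invalid fault rules to dC."""
    nonzero = frozenset(i + 1 for i, b in enumerate(delta_c) if b)
    if not nonzero:
        # Invalid fault case I: dC == 0, the injected value equalled the original.
        return {"effective": False, "reason": "dC == 0, no fault took effect"}
    positions = FAULT_PATTERNS.get(nonzero)
    if positions is not None:
        # Exactly one 9th-round row differs: effective cases II/IV/VI/VIII.
        return {"effective": True, "round": 9, "bytes": sorted(nonzero),
                "candidate_positions": positions}
    # Other non-zero patterns cannot be placed from dC alone: the 8th-round
    # cases (I/III/V/VII) also need the 9th-round intermediate difference
    # ratio, which is not observable in the ciphertext.
    return {"effective": None, "reason": "needs 9th-round difference ratio",
            "bytes": sorted(nonzero)}


def analyse_pair(c: bytes, c_star: bytes) -> dict:
    return classify_fault(ciphertext_difference(c, c_star))


# Constructed sample: correct output C and faulty C* differing only in
# ciphertext bytes 1, 8, 11 and 14 (1-based).
SAMPLE_C = bytes(range(16))
SAMPLE_C_STAR = bytes(b ^ (0x5A if i + 1 in (1, 8, 11, 14) else 0)
                      for i, b in enumerate(SAMPLE_C))
```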
  2. The method for detecting the resistance of the AES-OTR algorithm to differential fault attacks according to claim 1, characterised in that in step 2 of the encryption part, when processing the message M with the AES-OTR algorithm, two experimental environments are set up, with the following specific steps:
    1) Input the message M and shield the experimental environment from interference by any other unrelated factors, so that the AES-OTR algorithm runs correctly and yields a correct output, denoted C;
    2) Input the message M again and process it with the AES-OTR algorithm, while changing the running environment by means of other physical devices to induce a fault that disturbs the processing of the AES-OTR algorithm; the output is denoted C*.
  3. The method for detecting the resistance of the AES-OTR algorithm to differential fault attacks according to claim 2, characterised in that the methods of changing the running environment to induce a fault include changing the clock, voltage, humidity, radiation, pressure, light and eddy current, so that a fault is randomly injected into the AES-OTR processing flow to obtain an erroneous output, denoted C*.
  4. The method for detecting the resistance of the AES-OTR algorithm to differential fault attacks according to claim 1, characterised in that in step 4 of the encryption part, it is judged whether the AES-OTR algorithm is affected by the differential fault attack, the position of the fault injection is derived and its validity is analysed, by the following specific method:
    First, an equation is established from the consistency between the encrypted result difference of the previous round and the result difference after decryption of the following round; the key K is then guessed exhaustively according to this equation; finally, the root key is inferred from the relationship between the key of the previous round and the key of the following round.
  5. The method for detecting the resistance of the AES-OTR algorithm to differential fault attacks according to claim 1, characterised in that in step 1 of the authentication part, when processing the message with Ek, two experimental environments are set up, as follows:
    1) Shield the experimental environment from interference by any other unrelated factors, so that the AES-OTR algorithm runs correctly and yields a correct output, denoted TE;
    2) Encrypt the message again with the AES-OTR algorithm while changing the running environment by means of other physical devices, inducing a fault in the intermediate state after the ShiftRows of the 8th round so as to disturb the processing of the AES-OTR algorithm; the output is denoted TE*.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711452230.1A CN108055120B (en) 2017-12-27 2017-12-27 Method for detecting AES-OTR algorithm to resist differential fault attack

Publications (2)

Publication Number Publication Date
CN108055120A true CN108055120A (en) 2018-05-18
CN108055120B CN108055120B (en) 2021-07-09

Family

ID=62127971

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230601

Address after: 201601 3 / F and 4 / F, building 18, No. 51, ZHAOFEI Road, Sijing Town, Songjiang District, Shanghai

Patentee after: Zhixun password (Shanghai) Testing Technology Co.,Ltd.

Address before: 200050 No. 1882, Changning District, Shanghai, West Yan'an Road

Patentee before: DONGHUA University