CN108055120A - A kind of method for detecting AES-OTR algorithms and resisting differential fault attack - Google Patents
- Publication number
- CN108055120A (application CN201711452230.1A)
- Authority
- CN
- China
- Prior art keywords
- failure
- wheel
- otr
- aes
- key
- Prior art date
- Legal status
- Granted
Classifications
- H04L9/0631: Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms (under H04L9/0618 Block ciphers; H04L9/06 Cryptographic mechanisms using shift registers or memories for block-wise or stream coding; H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; H04L Transmission of digital information; H04 Electric communication technique; H Electricity)
- H04L9/002: Countermeasures against attacks on cryptographic mechanisms
- H04L9/004: Countermeasures against attacks on cryptographic mechanisms for fault attacks
Abstract
The present invention provides a method for detecting whether the AES-OTR algorithm resists differential fault attack. First, the computation is run and its output recorded in a safe environment in which no fault is injected. The same message is then encrypted again while the encryption process is deliberately disturbed, by changing the clock, voltage, humidity or similar conditions, so that a fault is induced and an erroneous output is produced. By analysis, a functional relation between the correct output, the erroneous output and the key is established; from it the possible fault positions are derived, the guessing space of the key is reduced, the sub-key is obtained by exhaustive search, and the original key is then obtained through the key schedule. The method needs only a single injected fault to derive the key; it is easy to implement and simple in principle, and it can also effectively protect the encryption mechanism from being compromised. The method provides an important theoretical basis for evaluating and testing software and hardware security systems that use the AES-OTR algorithm.
Description
Technical field
The present invention relates to a method for detecting whether the AES-OTR algorithm resists differential fault attack. It is mainly used to test products that embed this algorithm and belongs to the field of information security technology.
Background technology
The rapid development of information technology has brought great convenience to people's lives, but large amounts of data are generated when information technology is used, and ensuring the security of these data requires secure cryptographic algorithms. The security of a cryptographic algorithm, the core of information security, depends on the security of its key. AES-OTR is a new authenticated encryption algorithm proposed in March 2014 by the Japanese scholar Kazuhiko Minematsu; it provides both confidentiality and integrity authentication for transmitted data.
Differential fault attack combines fault attack with differential attack: the attacker introduces a fault during encryption so that the intermediate state of the encryption algorithm changes, then compares the correct data stream with the erroneous data stream produced after the fault. From this comparison part or all of the intermediate state can be deduced, and from it the key information can be recovered.
At present there is no public report evaluating the ability of the AES-OTR algorithm to resist differential fault attack, which leaves a security risk in products built on AES-OTR.
The content of the invention
The technical problem to be solved by the present invention is to provide a method that can evaluate the ability of the AES-OTR algorithm to resist differential fault attack.
To solve this problem, the technical scheme is a method for detecting whether the AES-OTR algorithm resists differential fault attack, characterised in that it comprises an encryption part and an authentication part.
The encryption part comprises the following steps:
Step 1: Randomly generate the plaintext message to be processed, denoted M;
Step 2: Process the message M with the AES-OTR algorithm to obtain the correct output and the erroneous output, denoted C and C* respectively;
Step 3: Using the ratios present in the encryption process, construct the function f = g(C, C*, K) between the correct output, the erroneous output and the key K;
Step 4: From the constructed function, observe which ratio equations hold, deduce the fault injection position, and judge whether the injected fault is effective;
Step 5: Guess the key by exhaustive search, using the above to reduce the guessing space, and thereby recover the key.
The authentication part comprises the following steps:
Step 1: Inject a fault in the last round of E_K to obtain the correct encryption result and the erroneous encryption result, denoted TE and TE*;
Step 2: Let MSB_|C|(X) denote the |C| highest bits of the binary string X, τ the tag length in bits, and TA the unauthenticated data tag; obtain T (the defining expression is not reproduced on this page);
Step 3: Obtain T* in the same way;
Step 4: Judge whether the result is affected by the differential fault attack, establish the differential relation f = g(T, T*, K), derive the fault injection position and analyse its validity;
Step 5: Use the proportional relation of the fault differences to reduce the guessing space, then guess the key by exhaustive search and thereby recover the key.
The fault analysis formulas of the authentication part are similar to those of the encryption part, except that the number of ciphertext blocks differs, and so the number of difference-ratio formulas obtained differs. In theory the key cannot be deduced by this method if τ < 32 bits, but in the AES-OTR algorithm 32 ≤ |τ| ≤ 128, and within this range the key can be guessed from the difference ratios. The concrete analysis is as follows:
Compute the difference ΔC = C ⊕ C*, where ⊕ denotes XOR and ΔC is the fault difference of the ciphertext output; a further symbol (not reproduced on this page) denotes the i-th input index value of the tenth-round S-box of the algorithm, and F denotes the difference ratio corresponding to that index value. ΔC is stored in a 128-bit buffer. Then perform difference analysis on ΔC and determine the fault position, as follows:
1. Effective faults:
I) When the intermediate-state difference ratio of column 1 of the 9th round is 2:1:1:3 and ΔC1, ΔC8, ΔC11, ΔC14 are all nonzero, the fault injection position may be byte 1, 6, 11 or 16 of the 8th round;
II) When only column 1 of the 9th round shows an intermediate-state difference, the fault injection position may be byte 1, 6, 11 or 16 of the 9th round;
III) When the intermediate-state difference ratio of column 1 of the 9th round is 3:2:1:1 and ΔC2, ΔC5, ΔC12, ΔC15 are all nonzero, the fault injection position may be byte 4, 5, 10 or 15 of the 8th round;
IV) When only column 2 of the 9th round shows an intermediate-state difference, the fault injection position may be byte 4, 5, 10 or 15 of the 9th round;
V) When the intermediate-state difference ratio of column 1 of the 9th round is 1:3:2:1 and ΔC3, ΔC6, ΔC9, ΔC16 are all nonzero, the fault injection position may be byte 3, 8, 9 or 14 of the 8th round;
VI) When only column 3 of the 9th round shows an intermediate-state difference ratio, the fault injection position may be byte 3, 8, 9 or 14 of the 9th round;
VII) When the intermediate-state difference ratio of column 1 of the 9th round is 1:1:3:2 and ΔC4, ΔC7, ΔC10, ΔC13 are all nonzero, the fault injection position may be byte 2, 7, 12 or 13 of the 8th round;
VIII) When only column 4 of the 9th round shows an intermediate-state difference ratio, the fault injection position may be byte 2, 7, 12 or 13 of the 9th round;
2. Invalid faults:
I) When ΔC = 0, the injected fault value equals the original value at that position, which is equivalent to injecting no fault; the fault is invalid;
II) When ΔC ≠ 0 but the key cannot be recovered from the obtained ciphertext, the fault is also invalid.
Preferably, in step 2 of the encryption part, two experimental environments are set up while the message M is processed with the AES-OTR algorithm, as follows:
1) Input the message M and shield the experimental environment from any unrelated interference, so that the AES-OTR algorithm runs correctly and the correct output, denoted C, is obtained;
2) Input the message M again and process it once more with AES-OTR, while changing the running environment with other physical equipment so as to induce a fault that disturbs the processing of the AES-OTR algorithm; the output is denoted C*.
More preferably, the methods of changing the running environment to induce a fault include changing the clock, voltage, humidity, radiation, pressure, light and eddy current, so that a fault is randomly injected into the AES-OTR processing flow and the erroneous output, denoted C*, is obtained.
Preferably, in step 4 of the encryption part, whether the AES-OTR algorithm is affected by the differential fault attack is judged, the fault injection position is derived and its validity analysed, as follows: first, using the consistency between the encryption-result difference of the previous round and the result difference after decrypting the following round, establish an equation; then guess the key K by exhaustive search according to the equation; finally, using the relation between the round key of the previous round and that of the following round, infer the root key.
Preferably, in step 1 of the authentication part, two experimental environments are set up while the message is processed with E_k, as follows:
1) Shield the experimental environment from any unrelated interference, so that AES-OTR runs correctly and without error and the correct output, denoted TE, is obtained;
2) Encrypt again with AES-OTR, while changing the running environment with other physical equipment so as to induce a fault in the intermediate state of the 8th-round ShiftRows that disturbs the processing of AES-OTR; the output is denoted TE*.
The present invention proposes a method for detecting whether the AES-OTR algorithm resists differential fault attack. First, the computation is run and its output recorded in a safe environment in which no fault is injected. Then the same message is encrypted again while the encryption process is deliberately controlled: a series of operations such as changing the clock, voltage, humidity, radiation, pressure, light and eddy current induce a fault, so that an erroneous output is produced. Then, by analysis, a functional relation between the correct output, the erroneous output and the key is established; from it the possible fault positions are derived and the key guessing space reduced; the sub-key is then obtained by exhaustive search, and the original key through the key schedule. Only one injected fault is needed to derive the key; the method is easy to implement and simple in principle, and it can also effectively protect the encryption mechanism from being compromised. It provides an important theoretical basis for evaluating and testing software and hardware security systems that use the AES-OTR algorithm.
The method provided by the invention is accurate, simple and easy to implement. It not only assesses the resistance of the AES-OTR algorithm to differential fault attack but also derives the position of the fault, providing a theoretical basis for the security evaluation of products built on AES-OTR.
Description of the drawings
Fig. 1 is the flow chart of the method provided by the invention for detecting whether AES-OTR resists differential fault attack;
Fig. 2 shows the encryption iteration of the AES-OTR algorithm: (a) when m is even; (b) when m is odd;
Fig. 3 is the fault analysis diagram for a fault injected into E_k of the AES-OTR algorithm;
Fig. 4 is the diagram of the authentication process.
Specific embodiment
The present invention is further explained with reference to a specific embodiment.
The symbols used in this embodiment are as follows:
M: plaintext message;
m: number of plaintext or ciphertext blocks;
M[p]: the p-th plaintext block, where 1 ≤ p ≤ m;
C[q]: the q-th ciphertext block, where 1 ≤ q ≤ m;
C_i, ΔC_i: the i-th byte of the ciphertext and the fault difference of the i-th byte, where 1 ≤ i ≤ 16;
K: original key; K_i: the i-th byte of the key, where 1 ≤ i ≤ 16;
(symbol not reproduced on this page): the i-th input index value of the tenth-round S-box of the algorithm, 1 ≤ i ≤ 16;
F: the difference ratio corresponding to the tenth-round S-box input index value of the algorithm;
C: correct output after the algorithm processes the message;
C*: erroneous output produced after a fault is injected while the algorithm processes the message;
E_K: the encryption algorithm with key K;
Δ: XOR difference;
⊕: XOR operation;
f: XOR difference of the two intermediate states before and after the fault is added (8th round);
K_j, K_{j,i}: round key of round j and its i-th byte, where 1 ≤ j ≤ 10 and 1 ≤ i ≤ 16;
N: random number; if the length of N is not less than the plaintext block length, no padding is applied at the end;
(symbol not reproduced on this page): random number; if the length of N is less than the plaintext block length, the end is padded with 0;
δ, L: intermediate values after encryption with the random number, L = 4δ;
0^n: the all-zero string of length n;
γ, Q: intermediate values after encrypting 0^n, Q = 4γ;
a: number of associated-data blocks;
ADP: associated-data processing;
MSB_|C|(X): the |C| highest bits of the binary string X;
τ: tag length in bits, 32 ≤ τ ≤ 128;
T: under normal conditions, the correct output after AES-OTR authentication processing of the message;
T*: the erroneous output when a fault is injected during AES-OTR authentication;
Σ: defined by one expression when m is even and by another when m is odd (expressions not reproduced on this page);
TA: the unauthenticated associated-data tag;
TE: the unauthenticated plaintext tag;
A_r: the r-th block of associated data, where 1 ≤ r ≤ a.
When the same message M is processed with the AES-OTR algorithm under the same key but in different experimental environments (for example different clock, voltage, humidity, radiation, pressure, light or eddy current), an attacker can obtain the correct output C and the erroneous output C*. By computing the difference relation between these two outputs, key information can be derived. During processing the attacker can induce a fault in the ShiftRows state or the MixColumns state of the AES-OTR algorithm, but does not know the exact position or the exact value of the fault. Under certain conditions the fault injection position can be derived from the difference ΔC; such a fault is called an effective fault. Conversely, when the injected fault gives no help in analysing the key, i.e. no important information can be obtained from ΔC, the fault is an invalid fault.
Fig. 1 is the flow chart of the method provided by the invention for detecting whether AES-OTR resists differential fault attack; the method comprises the following steps:
Step 1: Randomly generate the message to be processed, denoted M;
Step 2: Process the message M to obtain the correct output and the erroneous output, denoted C and C* respectively;
Step 3: Using the ratios present in the encryption process, construct the function f = g(C, C*, K) between the correct output C, the erroneous output C* and the key K;
Step 4: From the constructed function, observe which ratio equations hold, deduce the fault injection position, and judge whether the injected fault is effective.
Step 5: Guess the key by exhaustive search, using the above to reduce the guessing space, and thereby recover the key.
For step 2, two different controls are applied to the running environment while M is processed with the AES-OTR algorithm, namely:
(1) Input the message M and shield the experimental environment from any unrelated interference, so that the AES-OTR algorithm runs correctly and the correct output, denoted C, is obtained;
(2) Input the message M again and process it once more with AES-OTR, while changing the running environment with other physical equipment so as to induce a fault that disturbs the processing of the AES-OTR algorithm; the output is denoted C*.
The methods of inducing a fault in step (2) include changing the clock, voltage, humidity, radiation, pressure, light, eddy current and so on.
For step 3, compute the difference ΔC = C ⊕ C*, where ⊕ denotes XOR and ΔC is the fault difference of the ciphertext output; a further symbol (not reproduced on this page) denotes the i-th input index value of the tenth-round S-box, and F the difference ratio corresponding to that index value. ΔC is stored in a 128-bit buffer.
For step 4, the difference analysis of ΔC, the determination of the fault position and the principle for judging whether the fault is effective are as follows:
The AES-OTR algorithm is a block cipher: its input block, its output block and the intermediate blocks during encryption/decryption are all 128 bits. The key length K is 128, 192 or 256 bits. With a 128-bit key the block cipher performs 10 rounds of iteration, each round consisting of four operations; the last round has no MixColumns layer, and the output is a 128-bit ciphertext matrix. The iteration of the last two rounds of AES-OTR is shown in Fig. 2.
Fig. 3 is the fault propagation diagram for a fault injected in the first byte of the 8th-round ShiftRows state; the propagation diagram for a fault injected at any other position follows by analogy. The correct output of the AES-OTR algorithm is C and the erroneous output is C*.
In the first stage, the correct ciphertext and the erroneous ciphertext of the tenth round are traced back to the difference proportional relation of column 1 of the 9th round (formula not reproduced on this page).
Here f_1, K_1, K_8, K_14 and K_11 are all unknown; the aim is to find by exhaustive search, from this relation, the values K_1, K_8, K_14 and K_11 that satisfy it. Likewise, the other K values are obtained from the following three relations (not reproduced on this page).
From the order of the difference ratio, the four possible fault positions can be deduced.
The second stage performs the fault analysis of the 9th round:
This round mainly uses the key predicted in the tenth round. The 9th-round key is obtained from the predicted tenth-round key through the key schedule, and the four differential faults at the 9th-round S-boxes are predicted from the ciphertext C, which further reduces the key search space of AES-OTR.
The 9th-round key can be expressed in terms of the 10th-round key; the specific analysis is given by the formula below (not reproduced on this page).
According to the encryption principle and the fault propagation process of the algorithm, the S-box input differences of the 9th round are given by the following formula (not reproduced on this page).
The fault analysis formulas of the authentication stage are similar to those of the first stage, except that the number of difference-ratio equations obtained depends on the ciphertext length. In theory the key cannot be deduced by this method if τ < 32 bits, but in the AES-OTR algorithm τ ∈ (32, 128), and within this range the key can be guessed from the difference ratios. Fig. 4 shows the associated-data encryption process required in the authentication stage.
The validity of the fault position is analysed concretely as follows:
1. Effective faults:
I) When the intermediate-state difference ratio of column 1 of the 9th round is 2:1:1:3 and ΔC1, ΔC8, ΔC11, ΔC14 are all nonzero, the fault injection position may be byte 1, 6, 11 or 16 of the 8th round;
II) When only column 1 of the 9th round shows an intermediate-state difference, the fault injection position may be byte 1, 6, 11 or 16 of the 9th round;
III) When the intermediate-state difference ratio of column 1 of the 9th round is 3:2:1:1 and ΔC2, ΔC5, ΔC12, ΔC15 are all nonzero, the fault injection position may be byte 4, 5, 10 or 15 of the 8th round;
IV) When only column 2 of the 9th round shows an intermediate-state difference, the fault injection position may be byte 4, 5, 10 or 15 of the 9th round;
V) When the intermediate-state difference ratio of column 1 of the 9th round is 1:3:2:1 and ΔC3, ΔC6, ΔC9, ΔC16 are all nonzero, the fault injection position may be byte 3, 8, 9 or 14 of the 8th round;
VI) When only column 3 of the 9th round shows an intermediate-state difference ratio, the fault injection position may be byte 3, 8, 9 or 14 of the 9th round;
VII) When the intermediate-state difference ratio of column 1 of the 9th round is 1:1:3:2 and ΔC4, ΔC7, ΔC10, ΔC13 are all nonzero, the fault injection position may be byte 2, 7, 12 or 13 of the 8th round;
VIII) When only column 4 of the 9th round shows an intermediate-state difference ratio, the fault injection position may be byte 2, 7, 12 or 13 of the 9th round;
2. Invalid faults:
I) When ΔC = 0, the injected fault value equals the original value at that position, which is equivalent to injecting no fault; the fault is invalid;
II) When ΔC ≠ 0 but the key cannot be recovered from the obtained ciphertext, the fault is also invalid.
In summary:
When the tenth-round fault differences ΔC1, ΔC8, ΔC11 and ΔC14 are all nonzero and the differential fault ratio is 2:1:1:3, or when only column 1 of the 9th-round inverse SubBytes shows a difference, the fault injection position may be 1, 6, 11 or 16. When the fault differences ΔC2, ΔC5, ΔC12 and ΔC15 are all nonzero and the fault difference ratio is 3:2:1:1, or when only column 2 of the 9th-round inverse SubBytes shows a difference, the fault injection position may be 4, 5, 10 or 15. When the fault differences ΔC3, ΔC6, ΔC9 and ΔC16 are all nonzero and the fault difference ratio is 1:3:2:1, or when only column 3 of the 9th-round inverse SubBytes shows a difference, the fault injection position may be 3, 8, 9 or 14. When the fault differences ΔC4, ΔC7, ΔC10 and ΔC13 are all nonzero and the fault difference ratio is 1:1:3:2, or when only column 4 of the 9th-round inverse SubBytes shows a difference, the fault injection position may be 2, 7, 12 or 13. These positions are the effective fault injection positions.
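The fault propagation sketched for Fig. 3 (steps 3 and 4) and the table of effective and invalid faults above can be checked with the following added example. It is my own Python code and not part of the patent. It simulates only the last two AES-128 rounds (round 9 in full, round 10 without MixColumns) on a constructed round-9 input state and constructed round keys, injects a single-byte fault into that input, forms ΔC = C ⊕ C* in a 16-byte buffer, and classifies the nonzero-byte pattern against the four byte patterns the description lists. The S-box is a seeded random byte permutation standing in for the AES S-box (any bijection maps a nonzero difference to a nonzero difference, which is all the propagation argument needs). `column_ratio` shows where the 2:1:1:3, 3:2:1:1, 1:3:2:1 and 1:1:3:2 ratios come from: they are the MixColumns coefficients applied to a single nonzero input difference. Byte indices are 0-based inside the code and 1-based in the returned positions, matching the description's numbering; because the position-to-pattern mapping follows only from ShiftRows/MixColumns geometry, the example covers all 16 injection positions, not just the first byte of Fig. 3.

```python
import random

# --- GF(2^8) arithmetic used by MixColumns (AES polynomial x^8+x^4+x^3+x+1) ---

def xtime(b):
    """Multiply b by x in GF(2^8)."""
    b <<= 1
    return (b ^ 0x11B) if b & 0x100 else b

def gf_mul(a, m):
    """Multiply a by a small constant m (1, 2 or 3 in MixColumns) in GF(2^8)."""
    r = 0
    while m:
        if m & 1:
            r ^= a
        a = xtime(a)
        m >>= 1
    return r

# Constructed stand-in for the AES S-box: a fixed random bijection on bytes.
# Only bijectivity matters for difference propagation, not the real table.
_SBOX = list(range(256))
random.Random(2024).shuffle(_SBOX)

# State layout: byte i (0-based) is at row i % 4, column i // 4 (column-major).

def sub_bytes(s):
    return [_SBOX[b] for b in s]

def shift_rows(s):
    """Row r is rotated left by r positions: new[r][c] = old[r][(c + r) % 4]."""
    out = [0] * 16
    for col in range(4):
        for row in range(4):
            out[4 * col + row] = s[4 * ((col + row) % 4) + row]
    return out

def mix_columns(s):
    out = [0] * 16
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        out[4 * c + 0] = gf_mul(a[0], 2) ^ gf_mul(a[1], 3) ^ a[2] ^ a[3]
        out[4 * c + 1] = a[0] ^ gf_mul(a[1], 2) ^ gf_mul(a[2], 3) ^ a[3]
        out[4 * c + 2] = a[0] ^ a[1] ^ gf_mul(a[2], 2) ^ gf_mul(a[3], 3)
        out[4 * c + 3] = gf_mul(a[0], 3) ^ a[1] ^ a[2] ^ gf_mul(a[3], 2)
    return out

def last_two_rounds(state, k9, k10):
    """Round 9 (SubBytes, ShiftRows, MixColumns, AddRoundKey) then round 10,
    which has no MixColumns layer, as the description states."""
    s = mix_columns(shift_rows(sub_bytes(state)))
    s = [x ^ y for x, y in zip(s, k9)]
    s = shift_rows(sub_bytes(s))
    return [x ^ y for x, y in zip(s, k10)]

# The four ciphertext-difference patterns from the description (1-based byte
# numbers) and the candidate fault positions in the round-9 input they imply.
PATTERNS = {
    frozenset({1, 8, 11, 14}): (1, 6, 11, 16),
    frozenset({2, 5, 12, 15}): (4, 5, 10, 15),
    frozenset({3, 6, 9, 16}):  (3, 8, 9, 14),
    frozenset({4, 7, 10, 13}): (2, 7, 12, 13),
}

def classify_fault(c, c_star):
    """Step 4 of the method: classify one (C, C*) pair as effective or invalid.
    Returns ("effective", candidate_positions) or ("invalid", reason)."""
    dc = [x ^ y for x, y in zip(c, c_star)]          # 128-bit difference buffer
    nonzero = frozenset(i + 1 for i, b in enumerate(dc) if b)
    if not nonzero:
        return ("invalid", "dC = 0: the fault value equals the original value")
    if nonzero in PATTERNS:
        return ("effective", PATTERNS[nonzero])
    return ("invalid", "dC != 0 but not one of the single-column patterns")

def column_ratio(row, d=0x57):
    """MixColumns multipliers produced by a single nonzero input difference d
    placed in `row` of a column; d is a constructed example value."""
    col = [0, 0, 0, 0]
    col[row] = d
    mixed = mix_columns(col + [0] * 12)[:4]
    return tuple(next(m for m in (1, 2, 3) if gf_mul(d, m) == b) for b in mixed)

def demo(fault_pos, seed=7):
    """Inject one random nonzero byte fault at 1-based position fault_pos of the
    round-9 input and classify the resulting ciphertext difference."""
    rng = random.Random(seed)
    state = [rng.randrange(256) for _ in range(16)]  # constructed round-9 input
    k9 = [rng.randrange(256) for _ in range(16)]     # constructed round keys
    k10 = [rng.randrange(256) for _ in range(16)]
    c = last_two_rounds(state, k9, k10)
    faulty = list(state)
    faulty[fault_pos - 1] ^= rng.randrange(1, 256)
    c_star = last_two_rounds(faulty, k9, k10)
    return classify_fault(c, c_star)

if __name__ == "__main__":
    for pos in range(1, 17):
        print(pos, demo(pos))
    for row in range(4):
        print("row", row, "ratio", column_ratio(row))
```

`demo(1)` returns `("effective", (1, 6, 11, 16))`, the pattern of cases I and II, and every position from 1 to 16 is reported inside the candidate set the description assigns to it. A difference that touches a single ciphertext byte (a fault landing after the last MixColumns) does not match any pattern and is reported as invalid, which is the description's case 2.II. A fault-injection test bench for an AES-OTR implementation would call `classify_fault` on each (C, C*) pair and count how many injections land in the effective classes; that count is the "is the injected fault effective" judgement that step 4 of the method makes, and it is also the quantity a countermeasure (redundant computation, output suppression on mismatch) must drive to zero.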
For the above steps, the corresponding experimental environment is selected: a computer generates the input message M for AES-OTR and analyses the output; a device embedding the AES-OTR algorithm processes the input, i.e. encrypts the message M; and a fault-generation device changes the execution environment so as to disturb the processing of the input message, thereby injecting the fault and producing the erroneous output.
Using the above analysis method, the fault injection and message processing were simulated by programs written in Java under the Eclipse development tool on a computer with an Intel(R) Core(TM) i3-2350M CPU at 2.30 GHz and 4 GB of memory, repeated 1000 times; the experimental results show that the above detection method is accurate. The method provides a sufficient theoretical basis for assessing the security of the AES-OTR algorithm, is simple to operate and gives accurate results.
The above is only a preferred embodiment of the present invention and does not limit the invention in any form or substance. Those skilled in the art may make improvements and additions without departing from the method of the invention, and such improvements and additions are also within the protection scope of the invention. Any minor changes, modifications and equivalent variations made by those skilled in the art using the technical content disclosed above, without departing from the spirit and scope of the invention, are equivalent embodiments of the invention; likewise, any changes, modifications and evolutions of the above embodiment that are equivalent in technical substance still fall within the scope of the technical solution of the invention.
Claims (5)
- A kind of 1. method for detecting AES-OTR algorithms and resisting differential fault attack, it is characterised in that:Including encryption part and certification Part;The encryption part, comprises the following steps:Step 1:Clear-text message to be processed is generated at random, is denoted as M;Step 2:Using AES-OTR algorithm process message M, correctly output and mistake output are obtained, is denoted as C and C respectively*;Step 3:The ratio according to present in ciphering process is built on the function f between correct output, mistake output, key K =g (C, C*K);Step 4:According to the ratio that the function of construction, observation equation are set up, deduction, which is out of order, imports position, and judges the event imported Whether barrier is effective;Step 5:Guess key using the method for exhaustion, space is guessed to reduce with this, and then breaking cryptographic keys;The authentication section, comprises the following steps:Step 1:By in last wheel EKMiddle importing failure obtains correct encrypted result and wrong encrypted result, be denoted as TE and TE*;Step 2:Make MSB|C|(X) expression takes the sequence of binary string X high C, and τ represents reference numerals, and TA is represented without certification Data label;WithObtain T;Step 3:WithObtain T*;Step 4:Whether judging result is influenced be subject to differential fault attack, and establishes differential relationship formula, and derivation, which is out of order, to be led Its validity of the position analysis entered;Step 5:By the proportionate relationship of failure difference, space is guessed to reduce with this, then guesses key using the method for exhaustion, And then breaking cryptographic keys;The accident analysis formula of authentication section with encryption unit split-phase seemingly, unlike, obtained difference different according to ciphertext number The formula quantity of ratio is different, theoretically can not deduce key using this 
method if 32 bits of τ <, but in AES-OTR 32≤τ≤128 in algorithm in the range of this, can guess key by difference ratio;Concrete analysis is as follows:Calculate differenceWhereinXOR operation is represented, Δ C is the failure difference of ciphertext output,Table Show that the tenth wheel S boxes of algorithm input i-th of index value, F represents the corresponding difference ratio of index value, and Δ C is stored in 128 bits In buffer area;Then difference analysis and definite abort situation are carried out to Δ C, concrete analysis is as follows:1. effective failure:I) when the intermediate state difference ratio of the 1st row of the 9th wheel is 2: 1: 1: 3 and Δ C1、ΔC8、ΔC11、ΔC14When not being 0, The position that then failure imports may be 1,6,11, the 16 of the 8th wheel;II) when the 9th wheel the only the 1st shows intermediate state difference, the position that failure imports may be 1,6,11, the 16 of the 9th wheel;III) when the intermediate state difference ratio of the 1st row of the 9th wheel is 3: 2: 1: 1 and Δ C2、ΔC5、ΔC12、ΔC15It is not 0 When, then the position that failure imports may be 4,5,10, the 15 of the 8th wheel;IV) when the 9th wheel the only the 2nd shows intermediate state difference, the position that failure imports may be 4,5,10, the 15 of the 9th wheel;V) when the intermediate state difference ratio of the 1st row of the 9th wheel is 1: 3: 2: 1 and Δ C3、ΔC6、ΔC9、ΔC16When not being 0, then The position that failure imports may be 3,8,9, the 14 of the 8th wheel;VI) when the 9th wheel only the 3rd show intermediate state difference ratio when, then failure import position may be the 9th wheel 3,8, 9、14;VII) when the intermediate state difference ratio of the 1st row of the 9th wheel is 1: 1: 3: 2, and Δ C4、ΔC7、ΔC10、ΔC13It is not When 0, then the position that failure imports may be 2,7,12, the 13 of the 8th wheel;VIII) when the 9th wheel only the 4th show intermediate state difference ratio when, then failure import position may be the 
9th wheel 2, 7、12、13;2. invalid failures:I) as Δ C=0, illustrate the initial value that the fault value imported is equal on current location, be equivalently employed without importing failure, failure It is invalid;II) as Δ C ≠ 0, obtained ciphertext can not recover key, then the failure is invalid failures.
- 2. a kind of method for detecting AES-OTR algorithms and resisting differential fault attack as described in claim 1, it is characterised in that: In the step 2 of the encryption part, during using AES-OTR algorithm process message M, two kinds of experimental situations are controlled out, are had Body step is as follows:1) message M is inputted, controls interference of the experimental situation from other any uncorrelated things so that AES-OTR algorithms can It correctly carries out, so as to correctly be exported as a result, being denoted as C;2) message M is re-entered, it is handled with AES-OTR algorithms again, while changes by other physical equipments and transports Row environment, induction generate failure to disturb the processing procedure of AES-OTR algorithms, and output result is denoted as C*。
- 3. The method for detecting whether the AES-OTR algorithm resists differential fault attack as claimed in claim 2, characterised in that the method of changing the running environment to induce a fault includes: changing the clock, voltage, humidity, radiation, pressure, light or eddy current, so that a fault is injected at random into the processing flow of the AES-OTR algorithm and an erroneous output result is obtained, denoted C*.
- 4. The method for detecting whether the AES-OTR algorithm resists differential fault attack as described in claim 1, characterised in that, in step 4 of the encryption part, it is judged whether the AES-OTR algorithm is affected by the differential fault attack, the fault injection position is derived and its validity is analysed; the concrete method is as follows: first, an equation is established from the consistency between the difference of the encryption result of the previous round and the difference of the result after decrypting the latter round; then the key K is guessed by exhaustive search according to this equation; and finally, using the relationship between the key of the previous round and the key of the latter round, the root key is deduced.
- 5. The method for detecting whether the AES-OTR algorithm resists differential fault attack as described in claim 1, characterised in that, in step 1 of the authentication part, two experimental environments are set up while Ek processes the message, as follows: 1) control the experimental environment so that it is free from interference by any other unrelated factors, so that the AES-OTR algorithm executes correctly and the correct output result is obtained, denoted TE; 2) encrypt it again with the AES-OTR algorithm while changing the running environment by means of other physical equipment, inducing a fault in the intermediate state after ShiftRows of the 8th round to disturb the processing of the AES-OTR algorithm; the output result is denoted TE*.
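As an added illustration of claim 1's effective/invalid rules applied to the two outputs C and C* obtained in claim 2 (example code written for this page, not the patent's own), the following Python classifies the ciphertext difference ΔC = C ⊕ C*. It assumes the 16 bytes are numbered 1 to 16 in ciphertext order and that an effective single-column pattern has exactly the four listed bytes nonzero; the 9th-round difference ratio that separates an 8th-round from a 9th-round injection is not computable from the ciphertext alone, so both candidate rounds are reported, and the sample outputs are constructed.

```python
# Added example (not the patent's code): classify dC = C xor C* by claim 1's rules.
# Assumed: bytes numbered 1..16 in ciphertext order; an effective pattern has
# exactly the four listed bytes nonzero and the other twelve zero.

# nonzero dC bytes -> (candidate injection positions, 9th-round difference ratio)
# per claim 1 cases I/III/V/VII (8th round) and II/IV/VI/VIII (9th round);
# the ratio, not dC alone, separates the two rounds and needs the round keys.
CLAIM1_PATTERNS = {
    (1, 8, 11, 14): ((1, 6, 11, 16), "2:1:1:3"),
    (2, 5, 12, 15): ((4, 5, 10, 15), "3:2:1:1"),
    (3, 6, 9, 16): ((3, 8, 9, 14), "1:3:2:1"),
    (4, 7, 10, 13): ((2, 7, 12, 13), "1:1:3:2"),
}


def fault_difference(c: bytes, c_star: bytes) -> bytes:
    """dC = C xor C*, the 128-bit value claim 1 keeps in a buffer."""
    if len(c) != 16 or len(c_star) != 16:
        raise ValueError("C and C* must be 16-byte (128-bit) outputs")
    return bytes(a ^ b for a, b in zip(c, c_star))


def classify_fault(c: bytes, c_star: bytes) -> dict:
    """Apply claim 1's effective/invalid rules to the outputs C and C* of claim 2."""
    d = fault_difference(c, c_star)
    nonzero = tuple(i + 1 for i, b in enumerate(d) if b)
    if not nonzero:  # invalid case I: injected value equalled the state, no fault
        return {"effective": False, "reason": "dC = 0", "positions": ()}
    hit = CLAIM1_PATTERNS.get(nonzero)
    if hit is None:  # invalid case II: dC != 0 but no single-column pattern
        return {"effective": False, "reason": "no single-column pattern", "positions": ()}
    positions, ratio = hit
    return {"effective": True, "reason": "single column, 9th-round ratio " + ratio,
            "positions": positions, "candidate_rounds": (8, 9)}


# Constructed sample outputs (not from the patent): a correct run C and a faulty
# run C* whose difference lies exactly in claim 1's first byte group.
C_OK = bytes(range(16))
_faulty = bytearray(C_OK)
for _i in (1, 8, 11, 14):
    _faulty[_i - 1] ^= 0xA5
C_STAR = bytes(_faulty)

if __name__ == "__main__":
    print(classify_fault(C_OK, C_STAR))  # effective, positions (1, 6, 11, 16)
    print(classify_fault(C_OK, C_OK))    # invalid, dC = 0
```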
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711452230.1A CN108055120B (en) | 2017-12-27 | 2017-12-27 | Method for detecting AES-OTR algorithm to resist differential fault attack |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108055120A true CN108055120A (en) | 2018-05-18 |
CN108055120B CN108055120B (en) | 2021-07-09 |
Family
ID=62127971
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108055120B (en) |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109842483A (en) * | 2019-03-18 | 2019-06-04 | 东华大学 | A method of detection AES-JAMBU resists differential fault attack |
CN110601818A (en) * | 2019-09-25 | 2019-12-20 | 东华大学 | Method for detecting SMS4 cryptographic algorithm to resist statistical fault attack |
CN110912672A (en) * | 2019-11-12 | 2020-03-24 | 东华大学 | Method for detecting resistance of COLM authentication encryption algorithm to differential fault attack |
CN112468283A (en) * | 2020-11-25 | 2021-03-09 | 东华大学 | Method for detecting iFeed [ AES ] algorithm to resist differential fault attack |
CN112511291A (en) * | 2020-11-25 | 2021-03-16 | 东华大学 | Method for detecting OCB authentication encryption algorithm to resist differential fault attack |
CN112532374A (en) * | 2020-11-25 | 2021-03-19 | 东华大学 | Method for detecting SILC authentication encryption algorithm to resist differential fault attack |
CN113014377A (en) * | 2021-02-01 | 2021-06-22 | 中国科学院软件研究所 | Persistent fault attack protection method and device by utilizing bijective characteristic of block cipher S box |
CN113032791A (en) * | 2021-04-01 | 2021-06-25 | 深圳市纽创信安科技开发有限公司 | IP core, IP core management method and chip |
CN113032791B (en) * | 2021-04-01 | 2024-05-31 | 深圳市纽创信安科技开发有限公司 | IP core, IP core management method and chip |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102404108A (en) * | 2011-10-25 | 2012-04-04 | 宁波大学 | Novel fault attack method aiming at Advanced Encryption Standard (AES-128) algorithm |
CN104158656A (en) * | 2014-06-04 | 2014-11-19 | 东华大学 | Method for detecting resistance to difference fault attack of MD4 hash function |
CN104639310A (en) * | 2014-12-31 | 2015-05-20 | 东华大学 | Method for detecting capacity of SHA-1 algorithm for resisting attack of differential fault |
CN104836668A (en) * | 2015-05-06 | 2015-08-12 | 东华大学 | Detection method for resistance of MD5 hash function against differential fault attack |
CN105703896A (en) * | 2015-12-18 | 2016-06-22 | 东华大学 | Method for detecting resistance of HAS-160 algorithm to differential fault attack |
CN106411496A (en) * | 2016-11-02 | 2017-02-15 | 东华大学 | Method for detecting capability of RIPEMD-160 algorithm in defending differential fault attacks |
CN106850186A (en) * | 2017-01-06 | 2017-06-13 | 东华大学 | The hashing algorithms of SHA 256 resist the detection method of differential fault attack |
US20170201504A1 (en) * | 2016-01-11 | 2017-07-13 | Centurylink Intellectual Property Llc | System and Method for Implementing Secure Communications for Internet of Things (IOT) Devices |
Non-Patent Citations (1)
Title |
---|
Li Wei et al., "An effective differential fault analysis on the Serpent cryptosystem in the Internet of Things", China Communications |
Also Published As
Publication number | Publication date |
---|---|
CN108055120B (en) | 2021-07-09 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| TR01 | Transfer of patent right | Effective date of registration: 20230601. Address after: 201601 3/F and 4/F, building 18, No. 51, ZHAOFEI Road, Sijing Town, Songjiang District, Shanghai. Patentee after: Zhixun password (Shanghai) Testing Technology Co., Ltd. Address before: 200050 No. 1882, West Yan'an Road, Changning District, Shanghai. Patentee before: DONGHUA University |