CN108055120B - Method for detecting AES-OTR algorithm to resist differential fault attack - Google Patents


Info

Publication number: CN108055120B
Authority: CN (China)
Prior art keywords: fault, byte, round, key, algorithm
Legal status: Active
Application number: CN201711452230.1A
Other languages: Chinese (zh)
Other versions: CN108055120A
Inventors: 李玮, 曹珊, 廖林峰, 吴益鑫, 孙莉, 姜霖霖, 刘以一
Current Assignee: Zhixun Password Shanghai Testing Technology Co ltd
Original Assignee: Donghua University
Application filed by Donghua University
Priority to CN201711452230.1A
Publication of CN108055120A
Application granted
Publication of CN108055120B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H04L9/002 Countermeasures against attacks on cryptographic mechanisms
    • H04L9/004 Countermeasures against attacks on cryptographic mechanisms for fault attacks


Abstract

The invention provides a method for detecting the resistance of the AES-OTR algorithm to differential fault attack. First, the algorithm is run and its output recorded in a secure environment in which no fault is introduced; the same message is then encrypted again while the encryption process is deliberately disturbed (by changing the clock, voltage, humidity and so on) so that a fault is induced and an erroneous output is obtained. A functional relation between the correct output, the erroneous output and the key is then established by analysis; the position where the fault may lie is deduced so as to reduce the key guessing space, a sub-key is obtained by exhaustive search, and the original key is obtained through the key expansion algorithm. The method can deduce the key with a single introduced fault, is easy to implement and simple in principle, and can effectively protect an encryption mechanism from being compromised. It provides an important theoretical basis for evaluating the security of software and hardware systems that use the AES-OTR algorithm.

Description

Method for detecting AES-OTR algorithm to resist differential fault attack
Technical Field
The invention relates to a method for detecting the resistance of the AES-OTR algorithm to differential fault attack. It is mainly applied to testing products in which the algorithm is embedded, and belongs to the technical field of information security.
Background
With the rapid development of information technology, great convenience has been brought to people's lives; at the same time, the application of information technology generates large amounts of data, and secure cryptographic algorithms are required to protect them. Cryptographic algorithms are the core of information security, and their security rests mainly on the secrecy of the key. AES-OTR is an authenticated encryption algorithm proposed by Kazuhiko Minematsu in March 2014 that provides both confidentiality and integrity (authentication) for transferred data.
Differential fault attack combines fault attack with differential attack: the attacker introduces faults during encryption so that an intermediate state of the algorithm changes, then analyses the correct data stream together with the erroneous stream produced after the fault to obtain part or all of the intermediate state, and from that recovers key information.
At present there is no published evaluation of the ability of the AES-OTR algorithm to resist differential fault attack, which leaves a potential security risk for products that embed the algorithm.
Disclosure of Invention
The invention aims to provide a method for evaluating the capability of the AES-OTR algorithm to resist differential fault attack.
To solve this technical problem, the technical scheme of the invention is a method for detecting the resistance of the AES-OTR algorithm to differential fault attack, characterised in that it comprises an encryption part and an authentication part;
the encryption part comprises the following steps:
step 1: randomly generate a plaintext message to be processed and denote it M;
step 2: process the message M with the AES-OTR algorithm to obtain a correct output and an erroneous output, denoted C and C* respectively;
step 3: from the ratios that arise in the encryption process, construct a function f = g(C, C*, K) between the correct output, the erroneous output and the key K;
step 4: from the constructed function, observe the ratios in the equations that hold, deduce the fault introduction position, and judge whether the introduced fault is valid;
step 5: guess the key by exhaustive search, so that the guessing space is reduced and the key is recovered;
the authentication part comprises the following steps:
step 1: introduce a fault during the final E_K pass to obtain a correct and an erroneous encryption result, recorded as TE and TE*;
step 2: let MSB_{|C|}(X) denote the sequence of the highest |C| bits of the binary string X, τ the tag length, and TA the tag of the unauthenticated data; obtain T using
Figure BDA0001527103320000021
step 3: obtain T* using
Figure BDA0001527103320000022
step 4: judge whether the result is affected by the differential fault attack and establish the differential relation f = g(T, T*, K); deduce the fault introduction position and analyse whether the introduced fault is valid;
step 5: use the proportional relation of the fault differences to reduce the guessing space, then guess the key by exhaustive search, so that the key is recovered;
the fault analysis formulas of the authentication part are similar to those of the encryption part; the only difference is that the number of difference-ratio equations obtained depends on the ciphertext length. In theory, if τ is less than 32 bits the key cannot be estimated by this method, but in the AES-OTR algorithm 32 ≤ τ ≤ 128, and within this range the key can be guessed from the difference ratios. The specific analysis is as follows:
calculate the difference
Figure BDA0001527103320000023
where
Figure BDA0001527103320000024
denotes the XOR operation, ΔC is the fault difference of the ciphertext output, and
Figure BDA0001527103320000025
denotes the i-th index value input to the S-box in the tenth round of the algorithm; F denotes the difference ratio corresponding to that index value, and ΔC is stored in a 128-bit buffer. ΔC is then analysed differentially and the fault position determined, as follows:
first, valid faults:
I) when the intermediate-state difference ratio of the 1st column of the 9th round is 2:1:1:3 and ΔC1, ΔC8, ΔC11 and ΔC14 are all non-zero, the fault introduction positions may be bytes 1, 6, 11 and 16 of the 8th round;
II) when only the 1st column of the 9th round has an intermediate-state difference, the fault introduction positions may be bytes 1, 6, 11 and 16 of the 9th round;
III) when the intermediate-state difference ratio of the 1st column of the 9th round is 3:2:1:1 and ΔC2, ΔC5, ΔC12 and ΔC15 are all non-zero, the fault introduction positions may be bytes 4, 5, 10 and 15 of the 8th round;
IV) when only the 2nd column of the 9th round has an intermediate-state difference, the fault introduction positions may be bytes 4, 5, 10 and 15 of the 9th round;
V) when the intermediate-state difference ratio of the 1st column of the 9th round is 1:3:2:1 and ΔC3, ΔC6, ΔC9 and ΔC16 are all non-zero, the fault introduction positions may be bytes 3, 8, 9 and 14 of the 8th round;
VI) when only the 3rd column of the 9th round has an intermediate-state difference, the fault introduction positions may be bytes 3, 8, 9 and 14 of the 9th round;
VII) when the intermediate-state difference ratio of the 1st column of the 9th round is 1:1:3:2 and ΔC4, ΔC7, ΔC10 and ΔC13 are all non-zero, the fault introduction positions may be bytes 2, 7, 12 and 13 of the 8th round;
VIII) when only the 4th column of the 9th round has an intermediate-state difference, the fault introduction positions may be bytes 2, 7, 12 and 13 of the 9th round;
second, invalid faults:
I) when ΔC = 0, the introduced fault value equals the original value at that position, which is equivalent to introducing no fault, and the fault is invalid;
II) when ΔC ≠ 0 but the key cannot be recovered from the obtained ciphertext, the fault is likewise invalid.
Preferably, in step 2 of the encryption part, two experimental environments are controlled while the message M is processed with the AES-OTR algorithm, as follows:
1) input the message M, keep the experimental environment free of any unrelated interference so that the AES-OTR algorithm runs correctly, and record the correct output result as C;
2) input the message M again, process it with the AES-OTR algorithm again, change the operating environment by means of other physical equipment so that a fault is induced and disturbs the processing of the AES-OTR algorithm, and record the output result as C*.
More preferably, the fault is induced by changing the operating environment in the following way: changing the clock, voltage, humidity, radiation, pressure, light or eddy currents, so that the fault enters the AES-OTR processing flow and an erroneous output result, denoted C*, is obtained.
Preferably, in step 4 of the encryption part, whether the AES-OTR algorithm is affected by the differential fault attack is determined, the fault introduction position is deduced and its validity is analysed, by the following method:
first, an equation is set up from the consistency between the result difference after the previous round of encryption and the result difference after the next round of decryption; then the key K is guessed by exhaustive search from that equation; and then the root key is derived using the relation between the key of the previous round and the key of the next round.
Preferably, in step 1 of the authentication part, two experimental environments are controlled while E_K processes the message, as follows:
1) keep the experimental environment free of unrelated interference so that the AES-OTR algorithm runs correctly, and record the correct output result as TE;
2) run the AES-OTR encryption again, change the operating environment by means of other physical equipment so that a fault is induced in the intermediate state of the 8th-round ShiftRows and disturbs the processing of the AES-OTR algorithm, and record the output result as TE*.
The invention provides a method for detecting the resistance of the AES-OTR algorithm to differential fault attack. First, the algorithm is run and its output recorded in a secure environment in which no fault is introduced; the same message is then encrypted again while the encryption process is deliberately disturbed (by changing the clock, voltage, humidity, radiation, pressure, light or eddy currents) so that a fault is induced and an erroneous output is obtained. A functional relation between the correct output, the erroneous output and the key is then established by analysis; the position where the fault may lie is deduced so as to reduce the key guessing space, a sub-key is obtained by exhaustive search, and the original key is obtained through the key expansion algorithm. The method can deduce the key with a single introduced fault, is easy to implement and simple in principle, and can effectively protect an encryption mechanism from being compromised. It provides an important theoretical basis for evaluating the security of software and hardware systems that use the AES-OTR algorithm.
The method provided by the invention is accurate, simple and easy to implement. It not only evaluates the resistance of the AES-OTR algorithm to differential fault attack but also deduces the position of the introduced fault, and thus provides a theoretical basis for the security evaluation of products that embed the AES-OTR algorithm.
Drawings
FIG. 1 is a flowchart of the method for detecting the resistance of the AES-OTR algorithm to differential fault attack according to the invention;
FIG. 2 is an iteration diagram of AES-OTR encryption: (a) when m is even; (b) when m is odd;
FIG. 3 is a fault-introduction analysis diagram for E_K of the AES-OTR algorithm;
FIG. 4 is a diagram of the authentication process.
Detailed Description
The invention will be further illustrated with reference to the following specific examples.
The symbols used in this example are defined as follows:
M: a plaintext message;
m: the number of blocks of the plaintext or ciphertext;
M[p]: the p-th block of the plaintext, 1 ≤ p ≤ m;
C[q]: the q-th block of the ciphertext, 1 ≤ q ≤ m;
Ci, ΔCi: the i-th byte of the ciphertext and the fault difference of that byte, 1 ≤ i ≤ 16;
K: the original key; Ki: the i-th byte of the key, 1 ≤ i ≤ 16;
Figure BDA0001527103320000055
: the i-th index value input to the S-box in the tenth round of the algorithm, 1 ≤ i ≤ 16;
F: the difference ratio corresponding to the S-box input index value of the tenth round of the algorithm;
C: the correct output of the algorithm for the message;
C*: the erroneous output produced when a fault is introduced while the algorithm processes the message;
E_K: the encryption algorithm under key K;
Δ: XOR difference;
Figure BDA0001527103320000051
: XOR operation;
f: the XOR difference between the two intermediate states before and after the fault is added (round 8);
Kj: the key of the j-th round;
Figure BDA0001527103320000052
: 1 ≤ j ≤ 10 and 1 ≤ i ≤ 16;
N: random number (nonce); if the length of N is not less than the plaintext block length, the tail needs no padding;
Figure BDA0001527103320000056
: the random number N padded with zeros at the tail when its length is less than the plaintext block length;
δ, L: intermediate values obtained by encrypting the random number, L = 4δ;
0^n: a string of n zeros;
γ, Q: intermediate values obtained by encrypting 0^n, Q = 4γ;
a: the number of blocks of associated data;
ADP: associated data processing;
MSB_{|C|}(X): the highest |C| bits of the binary string X;
τ: the tag length in bits, 32 ≤ τ ≤ 128;
T: the correct output of the AES-OTR authentication of the message under normal conditions;
T*: the erroneous output of the AES-OTR authentication when a fault is introduced;
Σ: when m is even,
Figure BDA0001527103320000053
when m is odd,
Figure BDA0001527103320000054
TA: the tag of the unauthenticated data;
TE: the plaintext tag that is not authenticated;
Ar: the r-th block of associated data, 1 ≤ r ≤ a.
When the AES-OTR algorithm processes the same message M under the same key but the experimental environments differ (clock, voltage, humidity, radiation, pressure, light, eddy current and so on), an attacker obtains a correct output C and an erroneous output C* respectively. By computing the output difference of the two values
Figure BDA0001527103320000061
key information can be deduced. The attacker may induce a fault in the ShiftRows state or in the MixColumns state of the device running the AES-OTR algorithm, but does not know the exact position of the fault or the exact erroneous value. Under certain conditions the fault introduction position can be deduced from the difference ΔC; such an introduced fault is called a valid fault. Conversely, when the introduced fault does not help analyse the key, i.e. no useful information can be obtained from ΔC, it is an invalid fault.
Fig. 1 is a flowchart of the method provided by the invention for detecting the resistance of the AES-OTR algorithm to differential fault attack; the method comprises the following steps:
step 1: randomly generate the message to be processed and record it as M;
step 2: process the message M to obtain a correct output and an erroneous output, denoted C and C* respectively;
step 3: from the ratios that arise in the encryption process, construct the function f = g(C, C*, K) between the correct output C, the erroneous output C* and the key K;
step 4: from the constructed function, observe the ratios in the equations that hold, deduce the fault introduction position, and judge whether the introduced fault is valid;
step 5: guess the key by exhaustive search, so that the guessing space is reduced and the key is recovered.
For step 2, the AES-OTR algorithm is used to process M, and during the experiment two different controls are applied to the operating environment, namely:
(1) input the message M, keep the experimental environment free of any unrelated interference so that the AES-OTR algorithm runs correctly, and record the correct output result as C;
(2) input the message M again, process it with the AES-OTR algorithm again, change the operating environment by means of other physical equipment so that a fault is induced and disturbs the processing of the AES-OTR algorithm, and record the output result as C*.
The fault in step (2) is induced by changing the clock, voltage, humidity, radiation, pressure, light, eddy currents, etc.
For step 3, calculate the difference
Figure BDA0001527103320000071
where
Figure BDA00015271033200000715
denotes the XOR operation, ΔC is the fault difference of the ciphertext output, and
Figure BDA0001527103320000072
denotes the i-th index value input to the S-box in the tenth round of the algorithm; F denotes the difference ratio corresponding to that index value, and ΔC is stored in a 128-bit buffer.
For step 4, the principle of analysing the difference ΔC, determining the fault position and judging whether the fault is valid is as follows:
The AES-OTR algorithm is based on a block cipher algorithm whose input block, output block and intermediate blocks during encryption/decryption are all 128 bits; the key K is 128, 192 or 256 bits long. With a 128-bit key the block cipher performs 10 rounds of iteration, each consisting of four operations, except that the last round has no MixColumns layer; the output is a 128-bit ciphertext matrix. The iteration process of the last two rounds of AES-OTR is shown in Fig. 2.
Fig. 3 is the fault diffusion diagram for a fault introduced at the first byte of the ShiftRows state in the 8th round; the diffusion diagram for a fault introduced at any other position can be obtained by analogy. The correct output of the AES-OTR algorithm is C and the erroneous output is C*.
In the first stage, the difference-ratio relationship of the first column of the 9th round is derived backwards from the correct and erroneous ciphertexts of the tenth round:
Figure BDA0001527103320000073
Figure BDA0001527103320000074
Figure BDA0001527103320000075
Figure BDA0001527103320000076
where f1, K1, K8, K14 and K11 are unknown values; the aim is to find, by exhaustive search, the K1, K8, K14 and K11 that satisfy this relationship. Similarly, the remaining K values can be obtained from the following three relationships:
Figure BDA0001527103320000077
Figure BDA0001527103320000078
Figure BDA0001527103320000079
Figure BDA00015271033200000710
Figure BDA00015271033200000711
Figure BDA00015271033200000712
Figure BDA00015271033200000713
Figure BDA00015271033200000714
Figure BDA0001527103320000081
Figure BDA0001527103320000082
Figure BDA0001527103320000083
Figure BDA0001527103320000084
The four possible fault positions can be inferred from the order of the difference ratios.
The second stage performs the fault analysis of the ninth round:
this stage uses the key predicted in the tenth round: the ninth-round key is obtained from the predicted tenth-round key through the key schedule, and the four differential faults at the ninth-round S-box are predicted using the ciphertext C, so that the key search space of AES-OTR can be further reduced.
The ninth-round key can be expressed in terms of the 10th-round key as follows:
Figure BDA0001527103320000085
according to the encryption principle and the fault propagation process of the algorithm, the S box input difference of the 9 th round is as follows:
Figure BDA0001527103320000086
Figure BDA0001527103320000087
Figure BDA0001527103320000088
Figure BDA0001527103320000089
the failure analysis formula in the authentication stage is similar to that in the first stage, except that the number of equations of the difference ratio obtained is different according to the different cipher text lengths, theoretically, if τ is less than 32 bits, the key cannot be estimated by using the method, but τ e (32, 128) in the AES-OTR algorithm can be guessed by the difference ratio within this range, and fig. 4 is a process of encrypting relevant data required in the authentication stage.
The validity of the fault position is analysed as follows:
first, valid faults:
I) when the intermediate-state difference ratio of the 1st column of the 9th round is 2:1:1:3 and ΔC1, ΔC8, ΔC11 and ΔC14 are all non-zero, the fault introduction positions may be bytes 1, 6, 11 and 16 of the 8th round;
II) when only the 1st column of the 9th round has an intermediate-state difference, the fault introduction positions may be bytes 1, 6, 11 and 16 of the 9th round;
III) when the intermediate-state difference ratio of the 1st column of the 9th round is 3:2:1:1 and ΔC2, ΔC5, ΔC12 and ΔC15 are all non-zero, the fault introduction positions may be bytes 4, 5, 10 and 15 of the 8th round;
IV) when only the 2nd column of the 9th round has an intermediate-state difference, the fault introduction positions may be bytes 4, 5, 10 and 15 of the 9th round;
V) when the intermediate-state difference ratio of the 1st column of the 9th round is 1:3:2:1 and ΔC3, ΔC6, ΔC9 and ΔC16 are all non-zero, the fault introduction positions may be bytes 3, 8, 9 and 14 of the 8th round;
VI) when only the 3rd column of the 9th round has an intermediate-state difference, the fault introduction positions may be bytes 3, 8, 9 and 14 of the 9th round;
VII) when the intermediate-state difference ratio of the 1st column of the 9th round is 1:1:3:2 and ΔC4, ΔC7, ΔC10 and ΔC13 are all non-zero, the fault introduction positions may be bytes 2, 7, 12 and 13 of the 8th round;
VIII) when only the 4th column of the 9th round has an intermediate-state difference, the fault introduction positions may be bytes 2, 7, 12 and 13 of the 9th round;
second, invalid faults:
I) when ΔC = 0, the introduced fault value equals the original value at that position, which is equivalent to introducing no fault, and the fault is invalid;
II) when ΔC ≠ 0 but the key cannot be recovered from the obtained ciphertext, the fault is likewise invalid.
In summary, the analysis gives the following:
when the 10th-round fault differences ΔC1, ΔC8, ΔC11 and ΔC14 are all non-zero and their fault difference ratio is 2:1:1:3, or when only the 1st column carries a difference at the inverse SubBytes of the 9th round, the fault introduction positions may be 1, 6, 11 and 16; when ΔC2, ΔC5, ΔC12 and ΔC15 are all non-zero and their fault difference ratio is 3:2:1:1, or when only the 2nd column carries a difference at the inverse SubBytes of the 9th round, the positions may be 4, 5, 10 and 15; when ΔC3, ΔC6, ΔC9 and ΔC16 are all non-zero and their fault difference ratio is 1:3:2:1, or when only the 3rd column carries a difference at the inverse SubBytes of the 9th round, the positions may be 3, 8, 9 and 14; when ΔC4, ΔC7, ΔC10 and ΔC13 are all non-zero and their fault difference ratio is 1:1:3:2, or when only the 4th column carries a difference at the inverse SubBytes of the 9th round, the positions may be 2, 7, 12 and 13. All of these are valid fault introduction positions.
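The fault-diffusion reasoning above (the MixColumns difference ratios and the set of ciphertext bytes that identifies an affected 9th-round column) can be checked in simulation. The following is an added example, not code from the patent or from the AES-OTR designers: it implements the tail of AES-128 from the ShiftRows input of round 8 or 9 with constructed round keys and a constructed sample state, XORs a single-byte fault into one position, and classifies ΔC as the valid/invalid analysis above does.

```python
"""Added example (not from the patent): fault-diffusion simulator for the last rounds
of AES-128, the block cipher inside AES-OTR.  A single-byte fault is XORed into the
ShiftRows input state of round 8 or 9, dC = C xor C* is computed, and the fault is
classified from the non-zero pattern.  State and round keys K8..K10 are constructed."""

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _sbox_entry(x):
    """AES S-box from its definition: multiplicative inverse, then the affine map."""
    inv = 0 if x == 0 else next(y for y in range(1, 256) if gf_mul(x, y) == 1)
    s = inv
    for _ in range(4):  # s = inv ^ rotl1(inv) ^ rotl2(inv) ^ rotl3(inv) ^ rotl4(inv)
        inv = ((inv << 1) | (inv >> 7)) & 0xFF
        s ^= inv
    return s ^ 0x63

SBOX = [_sbox_entry(x) for x in range(256)]

# State layout: 16 bytes in column-major order, index = 4*col + row, so the
# patent's byte position p (1..16) is index p - 1.

def sub_bytes(s):
    return [SBOX[b] for b in s]

def shift_rows(s):
    # Row r is rotated left by r positions: new (r, c) takes old (r, c + r).
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def add_key(s, k):
    return [a ^ b for a, b in zip(s, k)]

def mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
                a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
                a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
                gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]
    return out

# Constructed round keys (not from a real key schedule): AddRoundKey cancels in the
# XOR difference, so their values do not influence dC.
ROUND_KEYS = {r: [(r * 17 + 3 * i) & 0xFF for i in range(16)] for r in (8, 9, 10)}

def aes_tail(state, start_round):
    """Run AES-128 from the ShiftRows input of `start_round` (8 or 9) to the ciphertext."""
    s = list(state)
    for r in range(start_round, 10):  # rest of round r, then SubBytes of round r + 1
        s = sub_bytes(add_key(mix_columns(shift_rows(s)), ROUND_KEYS[r]))
    return add_key(shift_rows(s), ROUND_KEYS[10])  # round 10 has no MixColumns

def fault_diffusion(state, position, fault, start_round):
    """Return (C, C*, dC) for `fault` XORed into byte `position` (1..16) of the state."""
    faulty = list(state)
    faulty[position - 1] ^= fault
    c, c_star = aes_tail(state, start_round), aes_tail(faulty, start_round)
    return c, c_star, [a ^ b for a, b in zip(c, c_star)]

def mixcolumns_diff_ratio(row):
    """Multipliers MixColumns applies to a single-byte difference in `row` (0..3)."""
    col = [0, 0, 0, 0]
    col[row] = 1  # gf_mul(coef, 1) == coef, so the output is the coefficient column
    return tuple(mix_columns(col + [0] * 12)[:4])

# Non-zero dC positions -> round-9 ShiftRows-state positions the patent lists for them.
ROUND9_CANDIDATES = {(1, 8, 11, 14): (1, 6, 11, 16), (2, 5, 12, 15): (4, 5, 10, 15),
                     (3, 6, 9, 16): (3, 8, 9, 14), (4, 7, 10, 13): (2, 7, 12, 13)}

def classify_fault(delta):
    """Return (verdict, candidate fault positions) from the 128-bit difference dC."""
    nz = tuple(i + 1 for i, d in enumerate(delta) if d)
    if not nz:
        return "invalid: dC == 0, the fault value equalled the original byte", ()
    if nz in ROUND9_CANDIDATES:
        return "valid: one round-9 column affected", ROUND9_CANDIDATES[nz]
    if len(nz) == 16:
        return "valid: all 16 bytes differ, consistent with a single round-8 byte", ()
    return "invalid: pattern fits no single-byte fault", ()

if __name__ == "__main__":
    state = [(7 * i + 11) & 0xFF for i in range(16)]  # constructed sample state
    for rnd, pos, fault in ((9, 1, 0x5A), (9, 7, 0x5A), (8, 1, 0x5A), (8, 1, 0x00)):
        verdict, cands = classify_fault(fault_diffusion(state, pos, fault, rnd)[2])
        print(f"round {rnd} byte {pos} fault {fault:#04x}: {verdict} {cands}")
    print("MixColumns difference ratios:", [mixcolumns_diff_ratio(r) for r in range(4)])
```

Because SubBytes is a bijection and MixColumns has no zero coefficients, the non-zero pattern of ΔC does not depend on the sample state or keys, only on the fault position and round.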
For these steps a corresponding experimental environment is selected: a computer generates the AES-OTR input message M and analyses the output results; the device in which the AES-OTR algorithm is embedded processes the input message, i.e. encrypts M; and the fault-generating equipment changes the execution environment of the experiment in order to disturb the processing of the input message, thereby introducing the fault and producing an erroneous output result.
Using this analysis method, the invention simulated the fault introduction and message processing in Java under the Eclipse development tool, on a computer with an Intel(R) Core(TM) i3-2350M CPU at 2.30 GHz and 4 GB of memory; the experiment was repeated 1000 times, and the results show that the detection method is accurate. The method provides a sufficient theoretical basis for evaluating the security of the AES-OTR algorithm, is simple to operate and gives accurate results.
While the invention has been described with respect to a preferred embodiment, it will be understood by those skilled in the art that changes, omissions and deviations in form and detail may be made without departing from the scope of the invention. Those skilled in the art can make various changes, modifications and equivalent arrangements, equivalent to the embodiments of the present invention, using the techniques disclosed above without departing from its spirit and scope; any such changes, modifications and variations of the above-described embodiments that are equivalent in technical spirit fall within the scope of the technical solution of the present invention.

Claims (2)

1. A method for detecting whether the AES-OTR algorithm resists differential fault attack, characterized in that the method comprises an encryption part:
the encryption part comprises the following steps:
step 1: randomly generate a plaintext message matrix to be processed, denoted M;
step 2: process the plaintext message matrix M with the AES-OTR algorithm to obtain the correct output C and the faulty output C*;
in step 2, two experimental environments are controlled while the AES-OTR algorithm processes the plaintext message matrix M, as follows:
1) input the plaintext message matrix M and control the experimental environment so that it is not disturbed by clock, voltage, humidity, radiation, pressure, light or eddy current, so that the AES-OTR algorithm runs correctly and yields the correct output C;
2) input the plaintext message matrix M again, process it with the AES-OTR algorithm once more, change the operating environment with fault-inducing equipment so that the induced fault disturbs the processing of the AES-OTR algorithm, and obtain the faulty output C*;
step 3: while the AES-OTR algorithm processes the plaintext message matrix M, construct a function between the correct output, the faulty output and the secret key K according to the difference ratio present in the encryption process
Figure FDA0002979858420000011
where f is the exclusive-or of the two intermediate states before and after the fault is injected;
step 4: with the function f = g(C, C*, K) formed in step 3, observe the difference ratio relation of the equation obtained from f, deduce the fault injection position, and decide whether the injected fault is effective;
the fault injection position is deduced as follows:
when the AES-OTR algorithm encrypts the plaintext message matrix M, a fault is injected into the first byte of the ShiftRows state of the 8th round, and the difference ratio relation of the first column of the 9th round is deduced from the correct and faulty ciphertexts output by the 10th round of the AES-OTR algorithm:
Figure FDA0002979858420000012
Figure FDA0002979858420000013
Figure FDA0002979858420000014
Figure FDA0002979858420000015
where f_1, K_1, K_8, K_14 and K_11 are unknown values; K_i denotes the i-th byte of the key, 1 ≤ i ≤ 16; S^{-1} denotes the inverse of the byte substitution (the inverse S-box); C_i denotes the i-th byte of the correct ciphertext and C*_i the i-th byte of the faulty ciphertext, 1 ≤ i ≤ 16; ⊕ denotes exclusive or. The relation is used to find, by exhaustive search, the K_1, K_8, K_14 and K_11 that satisfy it; to obtain the other K values, the following three relations are used:
Figure FDA0002979858420000022
Figure FDA0002979858420000023
Figure FDA0002979858420000024
Figure FDA0002979858420000025
Figure FDA0002979858420000026
Figure FDA0002979858420000027
Figure FDA0002979858420000028
Figure FDA0002979858420000029
Figure FDA00029798584200000210
Figure FDA00029798584200000211
Figure FDA00029798584200000212
Figure FDA00029798584200000213
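The four relations for the first column of the 9th round, written out from the definitions above and the 2:1:1:3 ratio the claim states (this is an added reconstruction, not the text of the patent's figures; the assignment of the ratio entries to ciphertext bytes 1, 14, 11 and 8 follows from AES ShiftRows):

\[
\begin{aligned}
S^{-1}(C_1 \oplus K_1) \oplus S^{-1}(C^*_1 \oplus K_1) &= 2 \cdot f_1,\\
S^{-1}(C_{14} \oplus K_{14}) \oplus S^{-1}(C^*_{14} \oplus K_{14}) &= f_1,\\
S^{-1}(C_{11} \oplus K_{11}) \oplus S^{-1}(C^*_{11} \oplus K_{11}) &= f_1,\\
S^{-1}(C_8 \oplus K_8) \oplus S^{-1}(C^*_8 \oplus K_8) &= 3 \cdot f_1,
\end{aligned}
\]

where the products are in GF(2^8) and f_1 is the unknown difference entering the first column of the 9th-round MixColumns. For a fault in byte 1 of the 8th round the other three columns obey the same form with ratio 1:1:3:2 on (C_5, C_2, C_15, C_12), 1:3:2:1 on (C_9, C_6, C_3, C_16) and 3:2:1:1 on (C_13, C_10, C_7, C_4), each with its own unknown f_2, f_3, f_4; these give the remaining twelve key bytes. Every equation constrains one key byte to the S-box differential table entry for the input difference C_i ⊕ C*_i, so one faulty ciphertext leaves roughly 2^8 candidate 4-tuples per column.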
four possible fault positions can be inferred from the order of the difference ratios:
whether the injected fault is effective is decided as follows:
first, effective faults:
I) when the difference ratio of the 1st column of the 9th round is 2:1:1:3 and ΔC_1, ΔC_8, ΔC_11 and ΔC_14 are all non-zero, the fault was injected at byte 1, 6, 11 or 16 of the 8th round;
II) when only the 1st column of the 9th round shows a difference ratio relation, the fault was injected at byte 1, 6, 11 or 16 of the 9th round;
III) when the difference ratio of the 1st column of the 9th round is 3:2:1:1 and ΔC_2, ΔC_5, ΔC_12 and ΔC_15 are all non-zero, the fault was injected at byte 4, 5, 10 or 15 of the 8th round;
IV) when only the 2nd column of the 9th round shows a difference ratio relation, the fault was injected at byte 4, 5, 10 or 15 of the 9th round;
V) when the difference ratio of the 1st column of the 9th round is 1:3:2:1 and ΔC_3, ΔC_6, ΔC_9 and ΔC_16 are all non-zero, the fault was injected at byte 3, 8, 9 or 14 of the 8th round;
VI) when only the 3rd column of the 9th round shows a difference ratio relation, the fault was injected at byte 3, 8, 9 or 14 of the 9th round;
VII) when the difference ratio of the 1st column of the 9th round is 1:1:3:2 and ΔC_4, ΔC_7, ΔC_10 and ΔC_13 are all non-zero, the fault was injected at byte 2, 7, 12 or 13 of the 8th round;
VIII) when only the 4th column of the 9th round shows a difference ratio relation, the fault was injected at byte 2, 7, 12 or 13 of the 9th round;
where C_i and ΔC_i denote the i-th byte of the ciphertext and the fault difference of the i-th ciphertext byte respectively, 1 ≤ i ≤ 16;
second, ineffective faults:
I) when ΔC = 0, the injected fault value equals the original value at that position, i.e. no fault was introduced, and the fault is ineffective;
II) when ΔC ≠ 0 but the key cannot be recovered from the obtained ciphertext, the fault is judged ineffective;
step 5: exhaustive search is used to guess the key, reducing the guessing space and then recovering the key, as follows:
perform the 9th-round fault analysis: the 10th-round key candidates obtained above are used in the 9th round, the 9th-round key is derived from the 10th-round key candidate through the key schedule, and the ciphertext C is used to predict the four differential faults at the 9th-round S-box, which further reduces the key search space of AES-OTR;
where the 9th-round key is expressed in terms of the 10th-round key as follows, CH being a constant given in the key expansion process:
Figure FDA0002979858420000031
the four differential faults at the 9th-round S-box are:
Figure FDA0002979858420000041
Figure FDA0002979858420000042
Figure FDA0002979858420000043
Figure FDA0002979858420000044
where K^j and K^j_i denote the j-th round key and the i-th byte of the j-th round key respectively, 1 ≤ j ≤ 10 and 1 ≤ i ≤ 16.
2. The method for detecting whether the AES-OTR algorithm resists differential fault attack according to claim 1, characterized in that changing the operating environment with fault-inducing equipment comprises: changing the clock, voltage, humidity, radiation, pressure, light or eddy current, and injecting the fault into the first byte of the ShiftRows state of the 8th round of the AES-OTR algorithm to obtain the faulty output C*.
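Steps 2 to 4 of claim 1 (inject a single-byte fault into the 8th-round state, compare C with C*, classify the fault and solve the 2:1:1:3 relation for 10th-round key bytes) run end to end in the following added Python example. It is not the patent's code and does not implement the OTR mode: it works on a bare AES-128 block and assumes, as the claim does, that the correct and faulty block outputs are both observable. Fault injection is simulated by XORing a chosen value into the round's SubBytes output (the ShiftRows input, which matches the byte positions in cases I to VIII); the key, plaintext and fault values are constructed for the demonstration; and in place of the claim's 9th-round analysis (step 5) the candidate sets of three faulty ciphertexts are intersected, a simplification that also singles out the ratio pattern and hence the 8th-round fault column of cases I, III, V and VII. All function and variable names are the example's own.

```python
import itertools

def gmul(a, b):  # multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = (a << 1) ^ (0x11B if a & 0x80 else 0), b >> 1
    return r

def rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF
# Rijndael S-box = affine map of the GF(2^8) inverse, computed rather than hard-coded.
SBOX = [0] * 256
for x in range(256):
    inv = next((y for y in range(256) if gmul(x, y) == 1), 0)
    SBOX[x] = inv ^ rotl8(inv, 1) ^ rotl8(inv, 2) ^ rotl8(inv, 3) ^ rotl8(inv, 4) ^ 0x63
INV_SBOX = [SBOX.index(v) for v in range(256)]

def expand_key(key):  # AES-128 key schedule: 11 round keys of 16 bytes, column-major
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = gmul(rcon, 2)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
def shift_rows(s):  # state index = 4*column + row, so the claim's byte i is index i-1
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]
def mix_columns(s):
    return [gmul(MIX[i][0], s[4 * c]) ^ gmul(MIX[i][1], s[4 * c + 1])
            ^ gmul(MIX[i][2], s[4 * c + 2]) ^ gmul(MIX[i][3], s[4 * c + 3])
            for c in range(4) for i in range(4)]

def aes128_encrypt(pt, rkeys, fault=None):
    # fault=(round, byte_1_based, xor_value) is XORed into that round's SubBytes output,
    # i.e. the ShiftRows input that the claim calls the "ShiftRows state".
    s = [a ^ b for a, b in zip(pt, rkeys[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]
        if fault is not None and fault[0] == rnd:
            s[fault[1] - 1] ^= fault[2]
        s = shift_rows(s)
        if rnd < 10:
            s = mix_columns(s)
        s = [a ^ b for a, b in zip(s, rkeys[rnd])]
    return s

# Ciphertext bytes (1-based) fed by round-9 column c, in row order, and the MixColumns
# output ratio produced by a difference confined to row r (the claim's 2:1:1:3 etc.).
GROUPS = [[4 * ((c - r) % 4) + r + 1 for r in range(4)] for c in range(4)]  # [1,14,11,8], [5,2,15,12], ...
RATIOS = [[MIX[i][r] for i in range(4)] for r in range(4)]                  # 2:1:1:3, 3:2:1:1, 1:3:2:1, 1:1:3:2

def locate_fault(c, cs):  # step-4 coarse decision from the ciphertext difference alone
    hit = [any(c[p - 1] != cs[p - 1] for p in g) for g in GROUPS]
    if not any(hit):
        return "ineffective"  # delta C = 0: the injected value equalled the original
    if hit.count(True) == 1:
        return "round9-col%d" % (hit.index(True) + 1)
    return "round8"  # every round-9 column disturbed

def column_candidates(c, cs, group, ratio):
    # Round-10 key 4-tuples at `group` with S^-1(C_i ^ K_i) ^ S^-1(C*_i ^ K_i) = ratio_i * f, f != 0.
    by_delta = []
    for p in group:
        d = {}
        for k in range(256):
            d.setdefault(INV_SBOX[c[p - 1] ^ k] ^ INV_SBOX[cs[p - 1] ^ k], []).append(k)
        by_delta.append(d)
    found = set()
    for f in range(1, 256):
        per_pos = [by_delta[i].get(gmul(m, f), []) for i, m in enumerate(ratio)]
        if all(per_pos):
            found.update(itertools.product(*per_pos))
    return found

def recover_round10_key(c, faulty_cts):
    # Intersect candidates over several faulty ciphertexts (simplification: the claim's step 5
    # narrows the space with the 9th-round relation). Returns the round-10 key and the
    # 8th-round ShiftRows-input bytes (claim cases I/III/V/VII) the fault can have come from.
    key, origin = [None] * 16, None
    for col, group in enumerate(GROUPS):
        for r, ratio in enumerate(RATIOS):
            cands = None
            for cs in faulty_cts:
                s = column_candidates(c, cs, group, ratio)
                cands = s if cands is None else cands & s
            if len(cands) == 1:
                for p, k in zip(group, next(iter(cands))):
                    key[p - 1] = k
                origin = r if col == 0 else origin  # round-9 column 1 sees row r = the round-8 fault column
                break
    positions = sorted(4 * ((origin + r) % 4) + r + 1 for r in range(4)) if origin is not None else []
    return key, positions
```

With `rk = expand_key(bytes(range(16)))` and the FIPS-197 C.1 plaintext, `recover_round10_key(c, faulty)` on three ciphertexts faulted at byte 1 of round 8 returns `rk[10]` together with the position set [1, 6, 11, 16] of case I, and a fault at byte 5 yields [4, 5, 10, 15] as in case III. `locate_fault` answers "round9-col1" for a fault at byte 1 or byte 6 of round 9 (case II), "round8" when all four column groups differ, and "ineffective" when C* = C (the first ineffective case). Because MixColumns is MDS, a single-byte fault in round 8 always disturbs all 16 ciphertext bytes, so the coarse test needs no key guess; only the ratio pattern, and hence the exact 8th-round column, requires the candidate search.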
CN201711452230.1A 2017-12-27 2017-12-27 Method for detecting AES-OTR algorithm to resist differential fault attack Active CN108055120B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711452230.1A CN108055120B (en) 2017-12-27 2017-12-27 Method for detecting AES-OTR algorithm to resist differential fault attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711452230.1A CN108055120B (en) 2017-12-27 2017-12-27 Method for detecting AES-OTR algorithm to resist differential fault attack

Publications (2)

Publication Number Publication Date
CN108055120A CN108055120A (en) 2018-05-18
CN108055120B true CN108055120B (en) 2021-07-09

Family

ID=62127971

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711452230.1A Active CN108055120B (en) 2017-12-27 2017-12-27 Method for detecting AES-OTR algorithm to resist differential fault attack

Country Status (1)

Country Link
CN (1) CN108055120B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109842483A (en) * 2019-03-18 2019-06-04 东华大学 A method of detection AES-JAMBU resists differential fault attack
CN110601818B (en) * 2019-09-25 2022-12-06 东华大学 Method for detecting SMS4 cryptographic algorithm to resist statistical fault attack
CN110912672A (en) * 2019-11-12 2020-03-24 东华大学 Method for detecting resistance of COLM authentication encryption algorithm to differential fault attack
CN112532374A (en) * 2020-11-25 2021-03-19 东华大学 Method for detecting SILC authentication encryption algorithm to resist differential fault attack
CN112511291A (en) * 2020-11-25 2021-03-16 东华大学 Method for detecting OCB authentication encryption algorithm to resist differential fault attack
CN112468283A (en) * 2020-11-25 2021-03-09 东华大学 Method for detecting iFeed [ AES ] algorithm to resist differential fault attack
CN113014377B (en) * 2021-02-01 2022-07-22 中国科学院软件研究所 Persistent fault attack protection method and device by utilizing bijection characteristic of block cipher S box
CN113032791B (en) * 2021-04-01 2024-05-31 深圳市纽创信安科技开发有限公司 IP core, IP core management method and chip

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102404108A (en) * 2011-10-25 2012-04-04 宁波大学 Novel fault attack method aiming at Advanced Encryption Standard (AES-128) algorithm
CN104158656A (en) * 2014-06-04 2014-11-19 东华大学 Method for detecting resistance to difference fault attack of MD4 hash function
CN104639310A (en) * 2014-12-31 2015-05-20 东华大学 Method for detecting capacity of SHA-1 algorithm for resisting attack of differential fault
CN104836668A (en) * 2015-05-06 2015-08-12 东华大学 Detection method for resistance of MD5 hash function against differential fault attack
CN105703896A (en) * 2015-12-18 2016-06-22 东华大学 Method for detecting resistance of HAS-160 algorithm to differential fault attack
CN106411496A (en) * 2016-11-02 2017-02-15 东华大学 Method for detecting capability of RIPEMD-160 algorithm in defending differential fault attacks
CN106850186A (en) * 2017-01-06 2017-06-13 东华大学 The hashing algorithms of SHA 256 resist the detection method of differential fault attack

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10412064B2 (en) * 2016-01-11 2019-09-10 Centurylink Intellectual Property Llc System and method for implementing secure communications for internet of things (IOT) devices

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Li Wei et al., "An effective differential fault analysis on the Serpent cryptosystem in the Internet of Things," China Communications, vol. 11, no. 6, pp. 129-139, 30 June 2014. *

Also Published As

Publication number Publication date
CN108055120A (en) 2018-05-18

Similar Documents

Publication Publication Date Title
CN108055120B (en) Method for detecting AES-OTR algorithm to resist differential fault attack
Saha et al. RK‐AES: An Improved Version of AES Using a New Key Generation Process with Random Keys
CN107005415A (en) For encrypting/decrypting the block encryption method of message and realize the encryption device of this method
CN108199832B (en) Detection method for CLOC authentication encryption algorithm to resist differential fault attack
Sleem et al. TestU01 and Practrand: Tools for a randomness evaluation for famous multimedia ciphers
CN104639310A (en) Method for detecting capacity of SHA-1 algorithm for resisting attack of differential fault
CN110912672A (en) Method for detecting resistance of COLM authentication encryption algorithm to differential fault attack
CN112653546A (en) Fault attack detection method based on power consumption analysis
CN113141247A (en) Homomorphic encryption method, device and system and readable storage medium
CN105703896A (en) Method for detecting resistance of HAS-160 algorithm to differential fault attack
Soni et al. Key generation using genetic algorithm for image encryption
CN112532374A (en) Method for detecting SILC authentication encryption algorithm to resist differential fault attack
CN110601818B (en) Method for detecting SMS4 cryptographic algorithm to resist statistical fault attack
WO2016063512A1 (en) Mac tag list generating apparatus, mac tag list verifying apparatus, mac tag list generating method, mac tag list verifying method and program recording medium
Lim et al. Differential fault attack on lightweight block cipher PIPO
Carlson et al. Using the collision attack for breaking cryptographic modes
CN108632033B (en) Homomorphic encryption method based on random weighted unitary matrix in outsourcing calculation
CN114422130B (en) Quantum encryption method based on quantum power function confusion
CN115714641A (en) Method for detecting SATURNIN cryptographic algorithm to resist impossible differential fault attack
Tayal et al. Analysis of various cryptography techniques: a survey
CN112511291A (en) Method for detecting OCB authentication encryption algorithm to resist differential fault attack
CN112468283A (en) Method for detecting iFeed [ AES ] algorithm to resist differential fault attack
Heinl et al. AntiPatterns regarding the application of cryptographic primitives by the example of ransomware
CN106850186A (en) The hashing algorithms of SHA 256 resist the detection method of differential fault attack
Seck et al. A Side-Channel Attack Against Classic McEliece When Loading the Goppa Polynomial

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230601

Address after: 201601 3 / F and 4 / F, building 18, No. 51, ZHAOFEI Road, Sijing Town, Songjiang District, Shanghai

Patentee after: Zhixun password (Shanghai) Testing Technology Co.,Ltd.

Address before: 200050 No. 1882, Changning District, Shanghai, West Yan'an Road

Patentee before: DONGHUA University