CN113206734B - Method for detecting and resisting differential fault attack - Google Patents


Info

Publication number
CN113206734B
Authority
CN
China
Prior art keywords
fault
ciphertext
redundant
round
differential
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110483728.4A
Other languages
Chinese (zh)
Other versions
CN113206734A (en)
Inventor
韦永壮
张小娜
武小年
李灵琛
张润莲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guilin University of Electronic Technology
Original Assignee
Guilin University of Electronic Technology
Application filed by Guilin University of Electronic Technology
Priority to CN202110483728.4A
Publication of CN113206734A
Application granted
Publication of CN113206734B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002 Countermeasures against attacks on cryptographic mechanisms
    • H04L9/004 Countermeasures against attacks on cryptographic mechanisms for fault attacks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146 Tracing the source of attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for detecting and resisting differential fault attacks. First, a redundant encryption module is constructed from the original encryption module. Second, a message authentication code is used to detect whether a fault has been injected into the redundant encryption module, and the redundant encryption module is compared with the original encryption module to detect whether a fault has been injected into the original encryption module, which completes the detection of a double differential fault attack or a differential fault attack. Finally, once differential fault injection has been confirmed, the ciphertext differential value and the ciphertext differential value of each round of the target algorithm are examined on the basis of the infection function to locate the fault source injected by the attacker, and the ciphertext differential value is hidden with a random number and an infection function to provide protection. The method can quickly determine the specific position in the target algorithm at which the attacker injected the differential fault, and protects against the injected differential fault with the random number and the infection function, so that the attacker cannot carry out a differential fault attack.

Description

Method for detecting and resisting differential fault attack
Technical Field
The invention relates to the field of information security, in particular to a method for detecting and resisting differential fault attack.
Background
A Fault Attack (FA) lets an attacker arbitrarily select the value and the position of a fault injected into a cryptographic device, which greatly reduces the amount of data needed to obtain key information and lets the attacker reach the goal in a shorter time. The Differential Fault Attack (DFA) is a very effective FA technique. It relies on malicious fault injection while the encryption device is executing and then derives key information by analyzing the difference between the faulty output and the fault-free output. DFA is characterized by flexible fault injection, high analysis efficiency and low attack complexity. Designing an effective protection method that resists this threat and protects cryptographic devices is therefore of great importance.
Over the past decade, many countermeasures have been proposed to protect cryptographic devices against DFA. For example, Beierle et al. [1] propose the tweakable block cipher CRAFT and use a tweakable model to protect against differential fault attacks. Aghaie et al. [2] propose a scheme based on low-level error-detecting codes that aims at 100% detection of faults. Feng et al. [3] propose separating the infection function from the unprotected cryptographic algorithm, as an evaluation framework applicable to various infection countermeasures and attack scenarios. These protection strategies fall roughly into two types: detection-based and infection-based. A detection-based strategy decides whether a fault was injected during execution of the cryptographic device by explicitly checking whether the difference Δ between the faulty ciphertext and the fault-free ciphertext equals 0; if a fault was injected, Δ ≠ 0, and the detection strategy can suppress or randomize the output so that the device does not emit a wrong output value, which prevents the attacker from obtaining any valid information. Detection is generally implemented with techniques from coding and information theory, such as linear parity checks and non-linear [n, k] codes. However, a detection strategy is usually specific to one target algorithm and is not general. Infection countermeasures were proposed to remedy this disadvantage; they check implicitly whether the ciphertext differential value Δ equals 0, and here too Δ ≠ 0 implies fault injection. In contrast to detection, once an infection countermeasure detects a fault, it introduces an infection function to randomize the ciphertext differential value Δ and outputs the infected value to the attacker, so that the attacker cannot perform DFA on the encryption device.
An infection scheme relies on the (non-zero) difference between the actual computation and the redundant computation of the cryptographic algorithm. If the actual computation and the redundant computation are both affected by the same fault, the outputs of the two computations are identical, i.e. the corresponding differential value Δ is 0. In this case the infection scheme assumes that no fault was injected into the encryption algorithm and outputs the faulty ciphertext, which the attacker can then use. This type of fault, which renders the infection protection scheme ineffective, is referred to as a double fault. How to effectively detect a double differential fault attack, quickly find the fault source and protect against it is therefore a problem that urgently needs to be solved.
References:
[1] C. Beierle, G. Leander, A. Moradi, S. Rasoolzadeh. CRAFT: Lightweight Tweakable Block Cipher with Efficient Protection Against DFA Attacks. IACR Trans. Symmetric Cryptol., 2019(1): 5-45.
[2] A. Aghaie, A. Moradi, S. Rasoolzadeh, A. R. Shahmirzadi, F. Schellenberg, T. Schneider. Impeccable Circuits. IEEE Transactions on Computers, 2020, 69(3): 361-376.
[3] J. Feng, H. Chen, Y. Li, Z. P. Jiao, W. Xi. A Framework for Evaluation and Analysis on Infection Countermeasures Against Fault Attacks. IEEE Transactions on Information Forensics and Security, 2020: 391-406.
Disclosure of Invention
The invention aims to provide a new, general method for detecting and resisting differential fault attacks. The method can detect double differential fault attacks, and can locate the fault source of a differential fault attack and protect against it.
The technical scheme that achieves the purpose of the invention is as follows:
A method for detecting and defending against differential fault attacks, characterized in that the method comprises three parts:
(1) constructing redundancy:
a redundant encryption module is constructed from the original encryption module;
(2) double differential fault detection:
a message authentication code is used to detect whether a fault has been injected into the redundant encryption module, and the redundant encryption module is compared with the original encryption module to detect whether a fault has been injected into the original encryption module, which completes the detection of a double differential fault attack or a differential fault attack;
(3) locating the fault source and protecting:
once differential fault injection has been confirmed, the ciphertext differential value and the ciphertext differential value of each round of the target algorithm are examined on the basis of the infection function to locate the fault source injected by the attacker, and the ciphertext differential value is hidden with a random number and an infection function to provide protection.
The redundancy construction copies a block encryption algorithm E in full as E', so that E is the original encryption module and E' is the redundant encryption module; E and E' are each given the same plaintext P and key K for encryption, the original ciphertext output is $C = E_K(P)$, and the redundant ciphertext is $C' = E'_K(P)$.
The double differential fault detection uses a message authentication code, and the specific process is as follows:
(2.1) to detect whether a fault has been injected into the redundant encryption, a detection module is added to the redundant encryption module to check the message authentication code;
(2.2) before redundant encryption, the redundant encryption module uses a hash function and the key K to compute the message authentication code MAC(P) of the plaintext P of E' and sends MAC(P) to the detection module, which receives and stores it; the redundant encryption module then combines the plaintext P with MAC(P) and uses the combination, denoted x, as the input of the redundant encryption;
(2.3) the detection module obtains the input data x' of the redundant encryption from the redundant encryption module and separates it; because it is not known whether the original plaintext P has changed, the separated plaintext is denoted P', and its MAC value, computed with the hash function and the key K, is denoted MAC(P');
(2.4) the detection module checks whether MAC(P) and MAC(P') are equal; if they are equal, go to (2.5); if they differ, go to (2.6);
(2.5) MAC(P) = MAC(P') indicates that the information P in the redundant encryption module has not been tampered with and no fault is present, so encryption proceeds normally; after the message authentication code is removed, the redundantly encrypted ciphertext $C' = E'_K(P)$ is output; go to (2.7);
(2.6) MAC(P) ≠ MAC(P') indicates that the information P in the redundant encryption module has been tampered with and a fault is present in the redundant encryption module; the faulty plaintext is denoted P', and the redundantly encrypted ciphertext $C' = E'_K(P')$ is output; go to (2.11);
(2.7) XOR the original ciphertext $C = E_K(P)$ with the redundant ciphertext $C' = E'_K(P)$ to obtain the ciphertext differential value
$$\Delta = C \oplus C'$$
where C is the original ciphertext and C' is the redundant ciphertext;
(2.8) check whether Δ is 0; if Δ = 0, go to (2.9); if Δ ≠ 0, go to (2.10);
(2.9) Δ = 0 indicates that no fault has been injected into the original encryption algorithm E; detection ends;
(2.10) Δ ≠ 0 indicates that a fault has been injected into the original encryption algorithm E; go to (2.15);
(2.11) XOR the original ciphertext $C = E_K(P)$ with the redundant ciphertext $C' = E'_K(P')$ to obtain the ciphertext differential value
$$\Delta = C \oplus C'$$
(2.12) check whether Δ is 0; if Δ = 0, go to (2.13); if Δ ≠ 0, go to (2.14);
(2.13) Δ = 0 indicates that the same fault as in the redundant encryption algorithm E' has been injected into the original encryption algorithm E, that is, a double fault is detected; detection ends;
(2.14) Δ ≠ 0 indicates that no fault has been injected into the original encryption algorithm E and the fault exists only in the redundant encryption module E';
(2.15) locate the fault source and carry out the protection operation; detection ends.
An existing fault injection must be located; the specific process of locating the fault source and protecting is as follows:
(3.1) let the total number of rounds of the encryption algorithm E be r; check the rounds of E in order from the highest to the lowest, and let the round being checked be i, starting with $i = r - 1$;
(3.2) compute the ciphertext differential value of the i-th round
$$\Delta_i = C_i \oplus C_i'$$
where $C_i$ is the ciphertext of the i-th round of the original encryption algorithm E and $C_i'$ is the ciphertext of the i-th round of the redundant encryption algorithm E';
(3.3) check whether $\Delta_i$ is 0; if $\Delta_i = 0$, go to (3.4); if $\Delta_i \neq 0$, go to (3.5);
(3.4) $\Delta_i = 0$ indicates that the injected fault is in round $i+1$; go to (3.7);
(3.5) if $\Delta_i \neq 0$, then, to prevent the attacker from obtaining the ciphertext differential value $\Delta_i$ and carrying out a differential fault attack, the ciphertext infection value of the i-th round
Figure BDA0003050089500000041
is output and stored, where $C_i$ is the correctly encrypted ciphertext of the i-th round of the original encryption algorithm E, $Z(\cdot)$ is an infection function, $\Delta_i$ is the ciphertext differential value of the i-th round, $\alpha_i$ and $\beta_i$ are two different random values of the i-th round, and i denotes the round being checked;
(3.6) set $i = i - 1$ and go to (3.2);
(3.7) query the ciphertext differential value $\Delta_{i+1}$ of round $i+1$ bit by bit; the bit n of $\Delta_{i+1}$ that is not 0 is the bit of the encryption algorithm E into which the fault was injected, and the positioning result is determined from that bit position;
(3.8) output the positioning result, namely that the fault is located at the n-th bit of round $i+1$;
(3.9) to prevent the attacker from obtaining the ciphertext differential value $\Delta_{i+1}$ after fault injection, $\Delta_{i+1}$ is hidden with random numbers and an infection function, and the ciphertext infection value of round $i+1$
Figure BDA0003050089500000042
is output, where $C_{i+1}$ is the correctly encrypted ciphertext of round $i+1$ of the original encryption algorithm E, $Z(\cdot)$ is an infection function, $\Delta_{i+1}$ is the ciphertext differential value of the original encryption algorithm E and the redundant encryption algorithm E' in round $i+1$, and $\alpha_{i+1}$ and $\beta_{i+1}$ are two different random values of round $i+1$; an attacker cannot carry out a differential fault attack on the hidden ciphertext infection value that is output, and the locating process ends.
The beneficial effects of the invention are:
(1) The method can effectively detect double differential fault attacks.
(2) The method can quickly determine the specific position in the target algorithm at which the attacker injected the differential fault, and protects against the injected differential fault with the random number and the infection function, so that the attacker cannot carry out a differential fault attack.
(3) The computational cost of the method is relatively small for a single data block.
(4) The method has high accuracy and universality, and is suitable for all encryption algorithms.
Drawings
FIG. 1 is a flow chart of a method of detecting and defending against differential fault attacks in accordance with the present invention;
FIG. 2 is a flow chart of double differential fault detection in the method of the present invention;
FIG. 3 is a flow chart of locating the fault source and protecting in the method of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the following examples and drawings, but the present invention is not limited thereto.
Examples
Referring to FIG. 1, the invention is a method for detecting and defending against differential fault attacks; the method comprises three parts:
(1) constructing redundancy:
a redundant encryption module is constructed from the original encryption module;
(2) double differential fault detection:
a message authentication code is used to detect whether a fault has been injected into the redundant encryption module, and the redundant encryption module is compared with the original encryption module to detect whether a fault has been injected into the original encryption module, which completes the detection of a double differential fault attack or a differential fault attack;
(3) locating the fault source and protecting:
once differential fault injection has been confirmed, the ciphertext differential value and the ciphertext differential value of each round of the target algorithm are examined on the basis of the infection function to locate the fault source injected by the attacker, and the ciphertext differential value is hidden with a random number and an infection function to provide protection.
Referring to FIG. 2, the double differential fault detection uses a message authentication code, and the specific process is as follows:
(2.1) to detect whether a fault has been injected into the redundant encryption, a detection module is added to the redundant encryption module to check the message authentication code;
(2.2) before redundant encryption, the redundant encryption module uses a hash function and the key K to compute the message authentication code MAC(P) of the plaintext P of E' and sends MAC(P) to the detection module, which receives and stores it; the redundant encryption module then combines the plaintext P with MAC(P) and uses the combination, denoted x, as the input of the redundant encryption;
(2.3) the detection module obtains the input data x' of the redundant encryption from the redundant encryption module and separates it; because it is not known whether the original plaintext P has changed, the separated plaintext is denoted P', and its MAC value, computed with the hash function and the key K, is denoted MAC(P');
(2.4) the detection module checks whether MAC(P) and MAC(P') are equal; if they are equal, go to (2.5); if they differ, go to (2.6);
(2.5) MAC(P) = MAC(P') indicates that the information P in the redundant encryption module has not been tampered with and no fault is present, so encryption proceeds normally; after the message authentication code is removed, the redundantly encrypted ciphertext $C' = E'_K(P)$ is output; go to (2.7);
(2.6) MAC(P) ≠ MAC(P') indicates that the information P in the redundant encryption module has been tampered with and a fault is present in the redundant encryption module; the faulty plaintext is denoted P', and the redundantly encrypted ciphertext $C' = E'_K(P')$ is output; go to (2.11);
(2.7) XOR the original ciphertext $C = E_K(P)$ with the redundant ciphertext $C' = E'_K(P)$ to obtain the ciphertext differential value
$$\Delta = C \oplus C'$$
where C is the original ciphertext and C' is the redundant ciphertext;
(2.8) check whether Δ is 0; if Δ = 0, go to (2.9); if Δ ≠ 0, go to (2.10);
(2.9) Δ = 0 indicates that no fault has been injected into the original encryption algorithm E; detection ends;
(2.10) Δ ≠ 0 indicates that a fault has been injected into the original encryption algorithm E; go to (2.15);
(2.11) XOR the original ciphertext $C = E_K(P)$ with the redundant ciphertext $C' = E'_K(P')$ to obtain the ciphertext differential value
$$\Delta = C \oplus C'$$
(2.12) check whether Δ is 0; if Δ = 0, go to (2.13); if Δ ≠ 0, go to (2.14);
(2.13) Δ = 0 indicates that the same fault as in the redundant encryption algorithm E' has been injected into the original encryption algorithm E, that is, a double fault is detected; detection ends;
(2.14) Δ ≠ 0 indicates that no fault has been injected into the original encryption algorithm E and the fault exists only in the redundant encryption module E';
(2.15) locate the fault source and carry out the protection operation; detection ends.
Referring to FIG. 3, the specific process of locating the fault source and protecting is as follows:
(3.1) let the total number of rounds of the encryption algorithm E be r; check the rounds of E in order from the highest to the lowest, and let the round being checked be i, starting with $i = r - 1$;
(3.2) compute the ciphertext differential value of the i-th round
$$\Delta_i = C_i \oplus C_i'$$
where $C_i$ is the ciphertext of the i-th round of the original encryption algorithm E and $C_i'$ is the ciphertext of the i-th round of the redundant encryption algorithm E';
(3.3) check whether $\Delta_i$ is 0; if $\Delta_i = 0$, go to (3.4); if $\Delta_i \neq 0$, go to (3.5);
(3.4) $\Delta_i = 0$ indicates that the injected fault is in round $i+1$; go to (3.7);
(3.5) if $\Delta_i \neq 0$, then, to prevent the attacker from obtaining the ciphertext differential value $\Delta_i$ and carrying out a differential fault attack, the ciphertext infection value of the i-th round
Figure BDA0003050089500000064
is output and stored, where $C_i$ is the correctly encrypted ciphertext of the i-th round of the original encryption algorithm E, $Z(\cdot)$ is an infection function, $\Delta_i$ is the ciphertext differential value of the i-th round, $\alpha_i$ and $\beta_i$ are two different random values of the i-th round, and i denotes the round being checked;
(3.6) set $i = i - 1$ and go to (3.2);
(3.7) query the ciphertext differential value $\Delta_{i+1}$ of round $i+1$ bit by bit; the bit n of $\Delta_{i+1}$ that is not 0 is the bit of the encryption algorithm E into which the fault was injected, which determines the positioning result;
(3.8) output the positioning result, namely that the fault is located at the n-th bit of round $i+1$;
(3.9) to prevent the attacker from obtaining the ciphertext differential value $\Delta_{i+1}$ after fault injection, $\Delta_{i+1}$ is hidden with random numbers and an infection function, and the ciphertext infection value of round $i+1$
Figure BDA0003050089500000071
is output, where $C_{i+1}$ is the correctly encrypted ciphertext of round $i+1$ of the original encryption algorithm E, $Z(\cdot)$ is an infection function, $\Delta_{i+1}$ is the ciphertext differential value of the original encryption algorithm E and the redundant encryption algorithm E' in round $i+1$, and $\alpha_{i+1}$ and $\beta_{i+1}$ are two different random values of round $i+1$; an attacker cannot carry out a differential fault attack on the hidden ciphertext infection value that is output, and the locating process ends.
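The flow of steps (2.1)-(2.14) and (3.1)-(3.9) as an added Python simulation, which is not part of the patent text. Assumptions: a toy 16-bit SPN stands in for E, HMAC-SHA256 for the MAC, `infect` is a stand-in for the infection function Z(·) whose formula is not reproduced in this text, and round 0 denotes the input register so that an input fault can be modelled.

```python
import hashlib
import hmac
import secrets

R, W = 4, 16                       # total rounds r and block width of the toy cipher
MASK = (1 << W) - 1
SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]
KEY, P = 0xA5C3F10E, 0x1234        # constructed sample key and plaintext


def round_states(p, key, fault=None):
    """Toy SPN standing in for E. Returns [C_0 .. C_r], C_0 being the input register.
    fault=(round, bit) flips one bit of that round's output (simulated injection)."""
    s, states = p & MASK, []
    for i in range(R + 1):
        if i > 0:
            s ^= (key >> (4 * (i - 1))) & MASK                          # round key
            s = sum(SBOX[(s >> n) & 0xF] << n for n in (0, 4, 8, 12))   # S-box layer
            s = ((s << 5) | (s >> (W - 5))) & MASK                      # bit rotation
        if fault is not None and fault[0] == i:
            s ^= 1 << fault[1]
        states.append(s)
    return states


def mac(p, key):
    """MAC of a plaintext block under K (HMAC-SHA256 chosen for this example)."""
    return hmac.new(key.to_bytes(4, "big"), p.to_bytes(2, "big"), hashlib.sha256).digest()


def detect(p, key, fault_e=None, fault_r=None):
    """Steps (2.2)-(2.14). Returns (verdict, round states of E, round states of E')."""
    tag = mac(p & MASK, key)                  # (2.2) MAC(P), stored by the detection module
    e = round_states(p, key, fault_e)         # original module E
    r = round_states(p, key, fault_r)         # redundant module E'
    p_seen = r[0]                             # (2.3) P' separated from the input x' of E'
    delta = e[-1] ^ r[-1]                     # (2.7) / (2.11) delta = C xor C'
    if hmac.compare_digest(tag, mac(p_seen, key)):                     # (2.4)
        verdict = "no fault" if delta == 0 else "fault in E"           # (2.9) / (2.10)
    else:
        verdict = "double fault" if delta == 0 else "fault only in E'" # (2.13) / (2.14)
    return verdict, e, r


def infect(c, delta, alpha, beta):
    """Assumed stand-in for Z(.): leaves c untouched when delta == 0, otherwise masks it
    with a value derived from delta and the two per-round random numbers."""
    if delta == 0:
        return c
    return c ^ (((alpha | 1) * delta) & MASK) ^ beta


def locate(e, r, rng=secrets.randbits):
    """Steps (3.1)-(3.9), to be called after the verdict "fault in E".
    Returns (faulty round, differing bit positions, {round: infected value})."""
    infected = {}
    i = R - 1                                                # (3.1)
    while i >= 0 and (e[i] ^ r[i]) != 0:                     # (3.2) / (3.3)
        infected[i] = infect(e[i], e[i] ^ r[i], rng(W), rng(W))   # (3.5)
        i -= 1                                               # (3.6)
    d = e[i + 1] ^ r[i + 1]                                  # (3.4) fault is in round i+1
    bits = [n for n in range(W) if (d >> n) & 1]             # (3.7) non-zero bits of delta
    infected[i + 1] = infect(e[i + 1], d, rng(W), rng(W))    # (3.9)
    return i + 1, bits, infected                             # (3.8)


if __name__ == "__main__":
    verdict, e, r = detect(P, KEY, fault_e=(2, 7))
    print(verdict, locate(e, r)[:2])
    print(detect(P, KEY, fault_e=(0, 3), fault_r=(0, 3))[0])
```

Because every round of the toy cipher is a permutation, a difference introduced in round j stays non-zero in all later rounds, which is what makes the top-down scan of (3.1)-(3.6) stop exactly one round below the fault.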

Claims (1)

1. A method for detecting and defending against differential fault attacks, characterized in that the method comprises three parts:
(1) constructing redundancy:
a redundant encryption module is constructed from the original encryption module;
(2) double differential fault detection:
a message authentication code is used to detect whether a fault has been injected into the redundant encryption module, and the redundant encryption module is compared with the original encryption module to detect whether a fault has been injected into the original encryption module, which completes the detection of a double differential fault attack or a differential fault attack;
(3) locating the fault source and protecting:
once differential fault injection has been confirmed, the ciphertext differential value and the ciphertext differential value of each round of the target algorithm are examined on the basis of an infection function to locate the fault source injected by the attacker, and the ciphertext differential value is hidden with a random number and an infection function to provide protection;
the redundancy construction copies a block encryption algorithm E in full as E', so that E is the original encryption module and E' is the redundant encryption module; E and E' are each given the same plaintext P and key K for encryption, the original ciphertext output is $C = E_K(P)$, and the redundant ciphertext is $C' = E'_K(P)$;
the double differential fault detection comprises the following specific process:
(2.1) to detect whether a fault has been injected into the redundant encryption, a detection module is added to the redundant encryption module to check the message authentication code;
(2.2) before redundant encryption, the redundant encryption module uses a hash function and the key K to compute the message authentication code MAC(P) of the plaintext P of E' and sends MAC(P) to the detection module, which receives and stores it; the redundant encryption module then combines the plaintext P with MAC(P) and uses the combination, denoted x, as the input of the redundant encryption;
(2.3) the detection module obtains the input data x' of the redundant encryption from the redundant encryption module and separates it; because it is not known whether the original plaintext P has changed, the separated plaintext is denoted P', and its MAC value, computed with the hash function and the key K, is denoted MAC(P');
(2.4) the detection module checks whether MAC(P) and MAC(P') are equal; if they are equal, go to (2.5); if they differ, go to (2.6);
(2.5) MAC(P) = MAC(P') indicates that the information P in the redundant encryption module has not been tampered with and no fault is present, so encryption proceeds normally; after the message authentication code is removed, the redundantly encrypted ciphertext $C' = E'_K(P)$ is output; go to (2.7);
(2.6) MAC(P) ≠ MAC(P') indicates that the information P in the redundant encryption module has been tampered with and a fault is present in the redundant encryption module; the faulty plaintext is denoted P', and the redundantly encrypted ciphertext $C' = E'_K(P')$ is output; go to (2.11);
(2.7) XOR the original ciphertext $C = E_K(P)$ with the redundant ciphertext $C' = E'_K(P)$ to obtain the ciphertext differential value
$$\Delta = C \oplus C'$$
where C is the original ciphertext and C' is the redundant ciphertext;
(2.8) check whether Δ is 0; if Δ = 0, go to (2.9); if Δ ≠ 0, go to (2.10);
(2.9) Δ = 0 indicates that no fault has been injected into the original encryption algorithm E; detection ends;
(2.10) Δ ≠ 0 indicates that a fault has been injected into the original encryption algorithm E; proceed to operation (3), locating the fault source and protecting;
(2.11) XOR the original ciphertext $C = E_K(P)$ with the redundant ciphertext $C' = E'_K(P')$ to obtain the ciphertext differential value
$$\Delta = C \oplus C'$$
(2.12) check whether Δ is 0; if Δ = 0, go to (2.13); if Δ ≠ 0, go to (2.14);
(2.13) Δ = 0 indicates that the same fault as in the redundant encryption algorithm E' has been injected into the original encryption algorithm E, that is, a double fault is detected; detection ends;
(2.14) Δ ≠ 0 indicates that no fault has been injected into the original encryption algorithm E and the fault exists only in the redundant encryption module E'; proceed to operation (3), locating the fault source and protecting;
the fault source positioning and protection method specifically comprises the following processes:
(3.1) setting the total round number of the encryption algorithm E as r rounds, sequentially detecting each round of the encryption algorithm E from high to low, and setting the detected round number as i, wherein i is r-1; (3.2) calculating ciphertext difference value of the ith round
Figure FDA0003547179550000031
Wherein, CiThe encrypted ciphertext of the ith round of the original encryption algorithm E, Ci'is the encrypted ciphertext of the ith round of the redundant encryption algorithm E';
(3.3) determination of ΔiIf it is 0, if Δi0, turn (3.4); if ΔiNot equal to 0, turn (3.5);
(3.4) if.DELTA.i0, indicating that the fault injected is in round i +1, revolution (3.7);
(3.5) if.DELTA.iNot equal to 0, to prevent attackers from obtaining ciphertext difference value ΔiCarrying out differential fault attack and infecting the ciphertext of the ith round with a value
Figure FDA0003547179550000032
is output and stored, where C_i is the correctly encrypted ciphertext of the i-th round of the original encryption algorithm E, Z(·) is an infection function, Δ_i is the ciphertext difference value of the i-th round, α_i and β_i are two different random values of the i-th round, and i denotes the round currently being detected;
(3.6) setting i = i-1 and going to (3.2);
(3.7) querying the ciphertext difference value Δ_{i+1} of round i+1 bit by bit to find the bit n of Δ_{i+1} that is not 0; this is the bit at which the fault was injected in the encryption algorithm E, and the positioning result is determined;
(3.8) outputting the positioning result, namely, the fault is located at the n-th bit of round i+1;
(3.9) to prevent an attacker from obtaining the ciphertext difference value Δ_{i+1} after fault injection, using random numbers and an infection function to hide Δ_{i+1}, and outputting the ciphertext infection value of round i+1
Figure FDA0003547179550000033
where C_{i+1} is the ciphertext correctly encrypted in round i+1 of the original encryption algorithm E, Z(·) is an infection function, Δ_{i+1} is the ciphertext difference value between the original encryption algorithm E and the redundant encryption algorithm E' in round i+1, and α_{i+1} and β_{i+1} are two different random values of round i+1; an attacker cannot carry out a differential fault attack on the hidden ciphertext infection value that is output, and the positioning process ends.
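The round-by-round positioning walk of steps (3.1) to (3.8), as an added Python example that is not code from the patent. The toy 16-bit cipher, round keys, plaintext and the convention C_0 = P are assumptions; the infection output of (3.5) and (3.9) is not modelled because its formula is not reproduced in this text.

```python
# Added illustration: a toy 16-bit SPN stands in for E and E' (not the patent's cipher).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]  # 4-bit bijective S-box
ROUND_KEYS = [0x1A2B, 0x3C4D, 0x5E6F, 0x7081, 0x92A3, 0xB4C5]  # constructed, r = 6
PLAINTEXT = 0xBEEF  # constructed sample input


def round_fn(state, rk):
    """One bijective round: key XOR, S-box on each nibble, rotate left by 3."""
    state ^= rk
    state = sum(SBOX[(state >> s) & 0xF] << s for s in (0, 4, 8, 12))
    return ((state << 3) | (state >> 13)) & 0xFFFF


def encrypt_trace(p, round_keys, fault=None):
    """Return [C_0..C_r] with C_0 = p (assumed convention).
    fault=(round, bit) flips one bit of that round's output, modelling a fault in E'."""
    states = [p]
    for rnd, rk in enumerate(round_keys, start=1):
        s = round_fn(states[-1], rk)
        if fault is not None and fault[0] == rnd:
            s ^= 1 << fault[1]
        states.append(s)
    return states


def locate_fault(trace_e, trace_e2):
    """Steps (3.1)-(3.8): return (round, [bits]) of the fault, or None."""
    r = len(trace_e) - 1
    if trace_e[r] ^ trace_e2[r] == 0:
        return None                      # Δ = 0: branch (2.13), no localization
    for i in range(r - 1, -1, -1):       # (3.1)/(3.6): i = r-1, r-2, ...
        if trace_e[i] ^ trace_e2[i] == 0:                    # (3.3)/(3.4)
            delta_next = trace_e[i + 1] ^ trace_e2[i + 1]    # (3.7)
            return i + 1, [n for n in range(16) if (delta_next >> n) & 1]
        # (3.5): Δ_i != 0. The patent outputs an infected value here; that
        # step is omitted because its formula is not given in this text.
    return None                          # traces already differ at C_0


def demo():
    clean = encrypt_trace(PLAINTEXT, ROUND_KEYS)
    faulty = encrypt_trace(PLAINTEXT, ROUND_KEYS, fault=(4, 9))
    return locate_fault(clean, faulty)   # fault in round 4, bit 9


if __name__ == "__main__":
    print(demo())
```

Because every round of the toy cipher is a bijection, a difference introduced in round i+1 never cancels in later rounds, which is what lets the downward walk stop at the first round where Δ_i = 0.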

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110483728.4A CN113206734B (en) 2021-04-30 2021-04-30 Method for detecting and resisting differential fault attack


Publications (2)

Publication Number Publication Date
CN113206734A CN113206734A (en) 2021-08-03
CN113206734B CN113206734B (en) 2022-04-29

Family

ID=77030142


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20210803

Assignee: Guangxi Huanzhi Technology Co.,Ltd.

Assignor: GUILIN University OF ELECTRONIC TECHNOLOGY

Contract record no.: X2023980046248

Denomination of invention: A method for detecting and resisting differential fault attacks

Granted publication date: 20220429

License type: Common License

Record date: 20231108