CN115412360A - Side channel correlation energy analysis method and system applied to ring polynomial multiplier - Google Patents


Info

Publication number: CN115412360A
Application number: CN202211074981.5A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 崔益军, 卢传超, 刘伟强, 倪子颖, 俞世超, 李阳, 王成华
Current Assignee: Nanjing University of Aeronautics and Astronautics
Original Assignee: Nanjing University of Aeronautics and Astronautics

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14: Network analysis or design
    • H04L41/142: Network analysis or design using statistical or mathematical methods

Abstract

The invention discloses a side channel correlation energy analysis method applied to a ring polynomial multiplier, which comprises the following steps: step one, acquiring all possible values of a sub-private key to be attacked, wherein one sub-private key refers to one coefficient in the polynomial vector of the private key; step two, multiplying all possible values of the sub-private key by the ciphertext vector respectively to obtain a plurality of hypothesis product vectors; step three, processing each hypothesis product vector with an attack function to obtain a plurality of hypothesis intermediate value traces; step four, processing each hypothesis intermediate value trace with a Hamming distance model to obtain a plurality of hypothesis energy traces; step five, acquiring a measured energy trace; step six, processing the measured energy trace; step seven, calculating the correlation coefficient between each hypothesis energy trace and the processed measured energy trace; and step eight, drawing a correlation curve to obtain the best candidate sub-private key. The invention can provide a powerful and effective evaluation of the security of a cryptographic chip.

Description

Side channel correlation energy analysis method and system applied to ring polynomial multiplier
Technical Field
The invention belongs to the technical field of side channel analysis, and particularly relates to a side channel correlation energy analysis method and system applied to a ring polynomial multiplier.
Background
Research in information security includes two areas: cryptography and cryptanalysis. Cryptography, the basis of information encryption technology, has become an independent discipline that develops new mechanisms for ensuring the confidentiality, integrity and non-repudiation of data. Cryptanalysis is the discipline that, through in-depth study and analysis of a cryptosystem, exploits its flaws or characteristics to attack it and, where possible, proposes corresponding protective measures. In short, a successful cryptanalysis is one in which the secret information of a cryptosystem (such as the plaintext or the key) is obtained by some means without prior knowledge of that information.
The cryptographic chip is the carrier on which a cryptographic algorithm is implemented, and its system architecture and process have an important influence on the execution efficiency and attack resistance of the encryption scheme. Exploring optimization and protection strategies for the new cryptographic algorithms that keep appearing, and studying hardware architectures for cryptographic schemes that increase execution speed, improve flexibility and reduce cost, are key to promoting the development and application of new cryptographic systems. However, a cryptographic chip leaks various kinds of physical information during execution, and this is a main security threat faced by information security equipment.
Although most cryptographic systems are theoretically secure, in practice a specific implementation of a cryptosystem on an embedded device (such as a smart card, a sensor or a security module) can often be attacked by analyzing information such as the power consumption, running time and electromagnetic radiation of specific operations. Such an attack is called a side channel attack, and it poses a serious threat to the security of embedded devices.
The most important side channel attacks are the energy-based ones, of which there are three typical methods: simple energy analysis, differential energy analysis and correlation energy analysis (commonly known as simple, differential and correlation power analysis). In a real cryptographic chip application environment, simple energy analysis usually cannot reveal the key by direct visual observation, because of unpredictable factors such as noise, random delay and random glitches. Therefore, a side channel correlation energy analysis method is needed to provide a powerful and effective evaluation of the security of cryptographic chips.
Disclosure of Invention
The present invention provides a side channel correlation energy analysis method and system applied to a ring polynomial multiplier, to address the above-mentioned deficiencies of the prior art.
In order to achieve this technical purpose, the technical scheme adopted by the invention is as follows:
The side channel correlation energy analysis method applied to the ring polynomial multiplier comprises the following steps:
step one, obtaining all possible values of a sub-private key to be attacked, wherein one sub-private key refers to one coefficient in the polynomial vector of the private key;
step two, multiplying all possible values of the sub-private keys with the ciphertext vectors respectively to obtain a plurality of hypothesis product vectors;
step three, adopting an attack function to process each hypothesis product vector respectively to obtain a plurality of hypothesis intermediate value traces;
step four, respectively processing each hypothesis intermediate value trace by adopting a Hamming distance model to obtain a plurality of hypothesis energy traces;
step five, acquiring an actually measured energy trace;
step six, processing the actually measured energy trace;
step seven, calculating a correlation coefficient between the assumed energy trace and the processed actually-measured energy trace;
and step eight, drawing a correlation curve to obtain the best candidate sub-private key.
In order to optimize the technical scheme, the specific measures adopted further comprise:
The Hamming distance model refers to the total number of 0 → 1 and 1 → 0 transitions of corresponding bits when a binary number changes. The Hamming distance between two numbers x and y is written HD(x, y): the two numbers are XORed in binary, the number of 1s in the XOR result is counted, and that count is the Hamming distance value.
When the security level of the sub-private key to be attacked is high, the cryptosystem uses a new set of private keys for each encryption and decryption, and the horizontal correlation energy analysis method is adopted, specifically:
step S101, all possible values of the sub-private key to be attacked are obtained; assuming that each sub-private key of the private key polynomial vector has K possible values, this step yields a K-dimensional column vector $(k_1, k_2, \ldots, k_K)^T$ formed by all hypothesis values,
step S102, a ciphertext polynomial vector $(c_1, c_2, \ldots, c_N)$ is obtained from the communication channel, where N corresponds to the known lattice basis dimension in the lattice cryptographic algorithm; the K-dimensional hypothesis sub-private-key column vector is multiplied by the N-dimensional ciphertext polynomial row vector to obtain a matrix $V_{K \times N}$ with K rows and N columns, which is split by rows into K N-dimensional hypothesis product vectors $V_{i,1}, V_{i,2}, \ldots, V_{i,N}$, where $i = 1, 2, \ldots, K$,
step S103, each hypothesis product vector is processed with an attack function to obtain a plurality of hypothesis intermediate value traces,
step S104, each hypothesis intermediate value trace is processed with a Hamming distance model to obtain K hypothesis energy traces $h_{i,1}, h_{i,2}, \ldots, h_{i,N}$, where $i = 1, 2, \ldots, K$,
step S105, the power consumption waveform of the encryption and decryption operation of the cryptosystem is collected to obtain the measured energy trace,
step S106, the measured energy trace is processed: the measured energy trace is sampled at T starting sample points to construct the energy traces used for correlation calculation, giving T processed measured energy traces $t_{i,1}, t_{i,2}, \ldots, t_{i,N}$, where $i = 1, 2, \ldots, T$,
step S107, the correlation coefficient between each hypothesis energy trace and each processed measured energy trace is calculated,
according to the following formula:
$$\rho(X, Y) = \frac{\mathrm{cov}(X, Y)}{\sqrt{\mathrm{var}(X)\,\mathrm{var}(Y)}}$$
where $\rho$ is the correlation coefficient between the hypothesis energy trace and the measured energy trace; cov() is the covariance; var() is the variance; X is a hypothesis energy trace, $X = (h_{i,1}, h_{i,2}, \ldots, h_{i,N})$, where $i = 1, 2, \ldots, K$; Y is a processed measured energy trace, $Y = (t_{i,1}, t_{i,2}, \ldots, t_{i,N})$, where $i = 1, 2, \ldots, T$. This step yields the correlation coefficient matrix $r_{K \times T}$,
step S108, a correlation curve is drawn to obtain the best candidate sub-private key,
when the correlation coefficient curve is drawn, it is plotted against the index of the calibrated starting sample point; if a point has the largest value in the whole correlation curve, that point is aligned with the starting point of the measured energy trace, and the hypothesis sub-private-key value to which the point belongs is the best candidate sub-private-key value.
When the security level of the sub-private key to be attacked is medium, the cryptosystem uses a short-term private key, and all encryption and decryption operations within a period of time use the same set of private keys; in this case the combined correlation energy analysis method is adopted, specifically:
step S201, all possible values of the sub-private key to be attacked are obtained; assuming that each sub-private key of the private key polynomial vector has K possible values, this step yields a K-dimensional column vector $(k_1, k_2, \ldots, k_K)^T$ formed by all hypothesis values,
step S202, at the medium security level, d groups of ciphertext polynomial vectors $c_{d,1}, c_{d,2}, \ldots, c_{d,N}$ are obtained from the communication channel and spliced head to tail to obtain the ciphertext polynomial combination vector $c_1, c_2, \ldots, c_{d \cdot N}$; the K-dimensional hypothesis sub-private-key column vector is multiplied by the $d \cdot N$-dimensional ciphertext polynomial combination row vector to obtain a matrix $V_{K \times (d \cdot N)}$ with K rows and $d \cdot N$ columns, which is split by rows into K $d \cdot N$-dimensional hypothesis product vectors $V_{i,1}, V_{i,2}, \ldots, V_{i,d \cdot N}$, where $i = 1, 2, \ldots, K$,
step S203, each hypothesis product vector is processed with an attack function to obtain a plurality of hypothesis intermediate value traces,
step S204, each hypothesis intermediate value trace is processed with a Hamming distance model to obtain K hypothesis energy traces $h_{i,1}, h_{i,2}, \ldots, h_{i,d \cdot N}$, where $i = 1, 2, \ldots, K$,
step S205, the power consumption waveforms of the encryption and decryption operations of the cryptosystem are collected to obtain d groups of measured energy traces,
step S206, the measured energy traces are processed: each group of measured energy traces is sampled at T starting sample points to construct the energy traces used for correlation calculation, giving $d \cdot T$ measured energy traces after primary processing, which are spliced into T measured energy traces after secondary processing $t_{i,1}, t_{i,2}, \ldots, t_{i,d \cdot N}$, where $i = 1, 2, \ldots, T$,
step S207, the correlation coefficient between each hypothesis energy trace and each processed measured energy trace is calculated,
according to the following formula:
$$\rho(X, Y) = \frac{\mathrm{cov}(X, Y)}{\sqrt{\mathrm{var}(X)\,\mathrm{var}(Y)}}$$
where $\rho$ is the correlation coefficient between the hypothesis energy trace and the measured energy trace; cov() is the covariance; var() is the variance; X is a hypothesis energy trace, $X = (h_{i,1}, h_{i,2}, \ldots, h_{i,d \cdot N})$, where $i = 1, 2, \ldots, K$; Y is a processed measured energy trace, $Y = (t_{i,1}, t_{i,2}, \ldots, t_{i,d \cdot N})$, where $i = 1, 2, \ldots, T$. This step yields the correlation coefficient matrix $r_{K \times T}$,
step S208, a correlation curve is drawn to obtain the best candidate sub-private key,
when the correlation coefficient curve is drawn, it is plotted against the index of the calibrated starting sample point; if a point has the largest value in the whole correlation curve, that point is aligned with the starting point of the measured energy trace, and the hypothesis sub-private-key value to which the point belongs is the best candidate sub-private-key value.
When the security level of the sub-private key to be attacked is low, the cryptosystem uses a long-term private key, and the vertical correlation energy analysis method is adopted, specifically:
step S301, all possible values of the sub-private key to be attacked are obtained; assuming that each sub-private key of the private key polynomial vector has K possible values, this step yields a K-dimensional column vector $(k_1, k_2, \ldots, k_K)^T$ formed by all hypothesis values,
step S302, at the low security level, d groups of ciphertext polynomial vectors are obtained from the communication channel, and only the coefficients at the same position are selected and combined to obtain a sub-ciphertext combination vector $c_{1,i}, c_{2,i}, \ldots, c_{d,i}$, $i \in [1, N]$; the K-dimensional hypothesis sub-private-key column vector is multiplied by the d-dimensional sub-ciphertext combination row vector to obtain a matrix $V_{K \times d}$ with K rows and d columns, which is split by rows into K d-dimensional hypothesis product vectors $V_{i,1}, V_{i,2}, \ldots, V_{i,d}$, where $i = 1, 2, \ldots, K$,
step S303, each hypothesis product vector is processed with an attack function to obtain a plurality of hypothesis intermediate value traces,
step S304, each hypothesis intermediate value trace is processed with a Hamming distance model to obtain K hypothesis energy traces $h_{i,1}, h_{i,2}, \ldots, h_{i,d}$, where $i = 1, 2, \ldots, K$,
step S305, the power consumption waveforms of the encryption and decryption operations of the cryptosystem are collected to obtain d groups of measured energy traces,
step S306, the data at the same position point on each energy trace are combined, so that the d energy traces of T points each yield T processed energy traces $t_{i,1}, t_{i,2}, \ldots, t_{i,d}$, where $i = 1, 2, \ldots, T$,
step S307, the correlation coefficient between each hypothesis energy trace and each processed measured energy trace is calculated,
according to the following formula:
$$\rho(X, Y) = \frac{\mathrm{cov}(X, Y)}{\sqrt{\mathrm{var}(X)\,\mathrm{var}(Y)}}$$
where $\rho$ is the correlation coefficient between the hypothesis energy trace and the measured energy trace; cov() is the covariance; var() is the variance; X is a hypothesis energy trace, $X = (h_{i,1}, h_{i,2}, \ldots, h_{i,d})$, where $i = 1, 2, \ldots, K$; Y is a processed measured energy trace, $Y = (t_{i,1}, t_{i,2}, \ldots, t_{i,d})$, where $i = 1, 2, \ldots, T$. This step yields the correlation coefficient matrix $r_{K \times T}$,
step S308, a correlation curve is drawn to obtain the best candidate sub-private key,
when the correlation coefficient curve is drawn, it is plotted against the index of the calibrated starting sample point; if a point has the largest value in the whole correlation curve, that point is aligned with the starting point of the measured energy trace, and the hypothesis sub-private-key value to which the point belongs is the best candidate sub-private-key value.
The measured energy trace is acquired as follows: a resistor is connected in series on the power supply branch of the cryptosystem; the current drawn by the cryptosystem fluctuates during operation, which appears as a constantly changing voltage difference across the resistor, and the voltage drop across the resistor is measured with an oscilloscope to obtain the measured energy trace.
The side channel correlation energy analysis system applied to the ring polynomial multiplier comprises a development board, a chip, a resistor and an oscilloscope, wherein the chip is fixed on the development board, a programmed cryptosystem is arranged in the chip, the resistor is connected in series on the chip power supply branch, and the oscilloscope is connected to the resistor and used for detecting the voltage drop across the resistor.
The beneficial effects of the invention are as follows:
The method of the invention consists of three side channel analysis methods: horizontal correlation energy analysis, vertical correlation energy analysis and combined correlation energy analysis. The three methods are designed for different security levels. At an extremely high security level, a new set of private keys is used for each encryption and decryption, only one usable energy trace can be captured, and the horizontal correlation energy analysis method is the most effective. At a medium security level, a short-term private key is used, few usable energy traces can be captured, and the combined correlation energy analysis method is more effective. At a low security level, a long-term private key is used, more usable energy traces can be captured, and the vertical correlation energy analysis method is more effective. Together, these side channel analysis methods provide a powerful and effective evaluation of the security of a cryptographic chip.
Drawings
Fig. 1 is a schematic structural diagram of a side channel correlation energy analysis method system applied to a ring polynomial multiplier according to the present invention;
FIG. 2 is a general operational flow diagram of three analytical methods;
FIG. 3 is a general data flow diagram of three analysis methods;
FIG. 4 is a circuit model of an attack function used in the horizontal correlation energy analysis method;
FIG. 5 is an experimental acquisition environment of a horizontal correlation energy analysis method for acquiring a measured energy trace;
FIG. 6 is a waveform of an actually measured energy trace in a sub-private key calculation interval collected in a horizontal correlation energy analysis method;
FIG. 7 is a schematic view of a process of a measured energy trace of a horizontal correlation energy analysis method;
FIG. 8 is a graph illustrating the results of an attack on the energy trace of FIG. 6;
FIG. 9 is a diagram illustrating the accuracy of the attack results;
FIG. 10 is a schematic diagram of measured energy trace processing for a combined correlation energy analysis method;
FIG. 11 is a graphical representation of the results of an attack using a combined correlation energy analysis method;
FIG. 12 is a schematic diagram of measured energy trace processing for a vertical correlation energy analysis method;
FIG. 13 is a graph of the results of an attack test on 100 energy traces using a vertical correlation energy analysis method.
Detailed Description
Embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
Although most cryptographic systems are theoretically secure, in practice a specific implementation of a cryptosystem on an embedded device can often be attacked by analyzing information such as the power consumption, running time and electromagnetic radiation of specific operations. Such an attack is called a side channel attack, and it poses a serious threat to the security of embedded devices. In order to ensure the absolute safety and reliability of the function of the cryptographic chip, a powerful and effective test method and system for security evaluation are urgently needed.
Therefore, the present invention provides a side channel correlation energy analysis system applied to a ring polynomial multiplier; Fig. 1 is a schematic structural diagram of this system.
The system comprises three side channel analysis methods: horizontal correlation energy analysis, vertical correlation energy analysis and combined correlation energy analysis. The three methods are designed for different security levels. At an extremely high security level, a new set of private keys is used for each encryption and decryption, only one usable energy trace can be captured, and the horizontal correlation energy analysis method is the most effective. At a medium security level, a short-term private key is used, few usable energy traces can be captured, and the combined correlation energy analysis method is more effective. At a low security level, a long-term private key is used, more usable energy traces can be captured, and the vertical correlation energy analysis method is more effective.
The invention provides three side channel correlation energy analysis methods applied to a ring polynomial multiplier. Fig. 2 is the general operation flow chart of the three analysis methods, and Fig. 3 is their general data flow chart. The methods include:
Method one: horizontal correlation energy analysis method
The horizontal correlation energy analysis method is designed for the case of extremely high security level, in which case a new set of private keys is used for each encryption and decryption.
Step S101, all possible values of the sub private keys to be attacked are obtained, wherein one sub private key refers to one coefficient in the polynomial vector of the private key.
Assuming that each sub-private key of the private key polynomial vector has K possible values, this step yields a K-dimensional column vector $(k_1, k_2, \ldots, k_K)^T$ consisting of all hypothesis values.
Step S102, all possible values of the sub-private keys are multiplied by the ciphertext polynomial vectors respectively to obtain a plurality of hypothesis product vectors.
Because the lattice cryptographic algorithm used in this embodiment is a public key encryption scheme, the ciphertext polynomial vector $(c_1, c_2, \ldots, c_N)$ can easily be obtained from the communication channel, where N corresponds to the lattice basis dimension known in lattice cryptographic algorithms. The K-dimensional hypothesis sub-private-key column vector is multiplied by the N-dimensional ciphertext polynomial row vector to obtain a matrix $V_{K \times N}$ with K rows and N columns, which is split by rows into K N-dimensional hypothesis product vectors $(V_{i,1}, V_{i,2}, \ldots, V_{i,N})$ $(i = 1, 2, \ldots, K)$.
Step S103, each hypothesis product vector is processed by adopting an attack function, and a plurality of hypothesis intermediate value traces are obtained.
Fig. 4 is a circuit model of the attack function used in the present embodiment. a and b are two inputs, each 13 bits wide; a multiplier multiplies them to obtain a product x that is 26 bits wide, and then the modular reduction x % q is performed, where the modulus q is the prime 7681. The calculation is simplified using shift operations:
1. t ← (x >> 13) + (x >> 17) + (x >> 21);
2. tq ← (t << 13) - (t << 9) + t;
3. r ← x - tq.
Notation: ">>" is the right shift operation, "<<" is the left shift operation, and "←" is the assignment operation.
In Fig. 4, x [25 ]; the value t is stored in a one-stage register; then tq is calculated: the value of t shifted left by 9 bits is subtracted from the value of t shifted left by 13 bits and t is added, completing process 2; the value tq is then stored in a one-stage register; because of the two register stages for t and tq, x must itself be passed through two register stages, after which the delayed x and the value tq are subtracted to complete process 3, and the value r is stored in a one-stage register. The value r obtained at this point is only an approximate remainder and must be passed through a data selector three times. The three passes are identical: each selects between r and (r - q) by comparing r with q; when r is smaller than q, r is selected, and when r is larger than q, r - q is selected, so that the final result r lies within the modulus q. To balance the path delay, the three data selector operations are split into two groups, one performed first and then the other two.
The construction of the attack function is determined by the specific hardware circuit design. The attack function in this embodiment is the combination of intermediate values in the process of obtaining r from x: $[x_n, t_{n-1}, tq_{n-2}, r'_{n-3}, r_{n-4}]$.
Step S104, each hypothesis intermediate value trace is processed with a Hamming distance model to obtain a plurality of hypothesis energy traces.
The Hamming distance model refers to the total number of 0 → 1 and 1 → 0 transitions of corresponding bits when a binary number changes. The Hamming distance between two numbers x and y is written HD(x, y): the two numbers are XORed in binary, the number of 1s in the XOR result is counted, and that count is the Hamming distance value.
For hardware-implemented cryptosystems, the Hamming distance model is more effective. The attack function and the Hamming distance model are one-to-one mappings, so they do not change the structure of the matrix formed by the hypothesis product vectors. This step yields K hypothesis energy traces $(h_{i,1}, h_{i,2}, \ldots, h_{i,N})$ $(i = 1, 2, \ldots, K)$.
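The following software model of the Fig. 4 reduction datapath and of the Hamming distance model is an added illustration, not code from the patent. It checks that processes 1 to 3 followed by three data selector stages give x mod 7681 for 26-bit products; the register timing in `register_states` (all registers reset to zero, r' taken as x - tq before the selectors, zeros fed in after the last product) and all function names are assumptions.

```python
import random

Q = 7681  # prime modulus from the page; Q = 2**13 - 2**9 + 1
REGISTERS = 5  # x, t, tq, r', r (the intermediate value combination)


def hamming_distance(x, y):
    """HD(x, y): XOR the two numbers and count the 1 bits."""
    return bin(x ^ y).count("1")


def reduce_stages(x):
    """Return (t, tq, r_approx, r) for a product x < 2**26."""
    t = (x >> 13) + (x >> 17) + (x >> 21)   # process 1: quotient estimate
    tq = (t << 13) - (t << 9) + t           # process 2: t * Q built from shifts
    r_approx = x - tq                       # process 3: approximate remainder
    r = r_approx
    for _ in range(3):                      # three identical data selector stages
        r = r - Q if r >= Q else r          # select between r and r - q
    return t, tq, r_approx, r


def register_states(products):
    """Register contents per clock n: (x_n, t_{n-1}, tq_{n-2}, r'_{n-3}, r_{n-4}).

    Assumption: register d lags the multiplier output by d clocks and
    holds 0 before the first and after the last product reaches it.
    """
    stages = [(x,) + reduce_stages(x) for x in products]

    def value(d, n):
        i = n - d
        return stages[i][d] if 0 <= i < len(stages) else 0

    n_clk = len(stages) + REGISTERS - 1 if stages else 0
    return [tuple(value(d, n) for d in range(REGISTERS)) for n in range(n_clk)]


def hypothetical_energy(k, ciphertext):
    """Hypothesis energy trace for one sub-private-key guess k.

    Each clock contributes the summed Hamming distance between the old
    and new contents of the five registers (assumed reset state: zeros).
    """
    states = register_states([k * c for c in ciphertext])
    prev = (0,) * REGISTERS
    trace = []
    for state in states:
        trace.append(sum(hamming_distance(a, b) for a, b in zip(prev, state)))
        prev = state
    return trace


if __name__ == "__main__":
    rng = random.Random(0)
    worst = max(reduce_stages(rng.randrange(1 << 26))[2] for _ in range(100000))
    print("largest approximate remainder seen:", worst, "(4q =", 4 * Q, ")")
    print("hypothesis energy, k=3:", hypothetical_energy(3, [17, 4000, 7680]))
```

The approximate remainder always stays below 4q for 26-bit inputs, which is why exactly three selector stages are enough in this datapath.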
Step S105, the measured energy trace is acquired.
Fig. 5 shows the experimental acquisition environment of the present embodiment, used for acquiring the measured energy trace:
The main equipment is a PC, an FPGA board and an oscilloscope. The hardware design programmed onto the FPGA board is an R-LWE lattice cryptosystem that uses the schoolbook polynomial multiplication algorithm. The oscilloscope used for acquisition is a Pico 3206D, which can acquire on two channels at the same time: one channel is set to trigger mode and triggers the oscilloscope to start acquisition, and the other channel acquires the power consumption data while the chip is operating.
The PC communicates with the FPGA board, sending and receiving plaintext/ciphertext to carry out encryption and decryption operations; at the same time the oscilloscope is triggered to acquire the power consumption, and the PC receives the power consumption data returned by the oscilloscope and then analyzes and processes it. The horizontal correlation energy analysis method is designed for the case of an extremely high security level, in which a new set of private keys is used for each encryption and decryption and only one usable energy trace can be captured.
A resistor is connected in series on the chip power supply branch of the FPGA board; the chip's current fluctuates during operation, which appears as a constantly changing voltage difference across the resistor, and the voltage drop across the resistor is measured with an oscilloscope to obtain the measured energy trace.
Fig. 6 is a waveform of the measured energy trace in the sub private key calculation interval collected in the present embodiment.
Step S106, the measured energy trace is processed.
The hardware design attacked in this example runs on a Xilinx Spartan-6 (XC6SLX9) chip with a clock frequency of 50 MHz, and the oscilloscope is set to sample at 2 ns intervals (500 MS/s).
The processing of the measured energy trace is determined by the sampling frequency of the oscilloscope and the clock frequency of the on-board chip: the energy trace used for correlation calculation is constructed by taking sample points from the measured energy trace at an interval given by the ratio of the two frequencies. In the experimental environment of this embodiment there are 10 sample points in each clock cycle (500 MS/s ÷ 50 MHz = 10), so 1 data point is taken every 10 sample points, N times in total, to construct an energy trace for correlation calculation. FIG. 7 is a schematic view of the measured energy trace processing.
The starting sample point for constructing the energy trace is not fixed: the whole calculation interval of the sub-private key contains T points in total, and an energy trace is constructed for each of them by sliding the starting point one sample at a time. This step yields T processed measured energy traces $(t_{i,1}, t_{i,2}, \ldots, t_{i,N})$ $(i = 1, 2, \ldots, T)$.
And step S107, calculating a correlation coefficient between the assumed energy trace and the processed measured energy trace.
The correlation coefficient (pearson correlation coefficient) between the assumed energy trace and the measured energy trace is calculated according to the following formula:
Figure BDA0003830283710000081
where $\rho$ is the correlation coefficient between the hypothetical energy trace and the measured energy trace; cov() is the covariance; var() is the variance; X is a hypothetical energy trace, $X = (h_{i,1}, h_{i,2}, \ldots, h_{i,N})$ $(i = 1, 2, \ldots, K)$; Y is a processed measured energy trace, $Y = (t_{i,1}, t_{i,2}, \ldots, t_{i,N})$ $(i = 1, 2, \ldots, T)$. This step yields the correlation coefficient matrix $r_{K \times T}$.
Step S108: draw the correlation curve to obtain the best candidate sub-private key.
The correlation coefficient curve is drawn against the sequence number of the starting sampling point. If a point has the largest value in the entire correlation curve, that point is aligned with the starting point of the measured energy trace, and the hypothetical sub-private-key value to which the point belongs is the best candidate sub-private-key value.
The result of the attack on the energy trace of Fig. 6 is shown in Fig. 8, where the light gray curves are the superimposed correlation curves of all incorrectly hypothesized sub-private keys and the dark black curve is the correlation curve of the correctly hypothesized sub-private key. The peak of the black curve is higher than the gray curves, indicating that the attack successfully recovered the sub-private key at that position. The sub-private keys can be recovered one by one by repeating all the attack steps, which recovers the whole private-key polynomial vector.
In this embodiment, 5000 energy traces are collected to evaluate the accuracy of the analysis method of the invention on a single energy trace. The attack result is shown in Fig. 9, where the horizontal axis is the sequence number of the sub-private key and the vertical axis is the average accuracy of the attack; the average accuracy of successfully recovering any one sub-private key is 99.90%. However, the values of certain individual sub-private keys cause several registers in the circuit structure to remain 0 throughout the calculation of the sub-private key at that position, which greatly weakens the characterization given by the attack function, so the recovery accuracy for those sub-private keys is noticeably lower than for the others. As a result, the accuracy of recovering all sub-private keys, that is, of recovering the whole private-key polynomial vector, drops to 76.41%.
Method two: combined correlation energy analysis method
The combined correlation energy analysis method differs from the horizontal correlation energy analysis method in the input data prepared for the attack function (corresponding to step 2), in the number of measured energy traces that can be obtained (corresponding to step 5), and in how the measured energy traces are processed (corresponding to step 6).
The combined correlation energy analysis method is designed for the case of a medium security level, in which a short-term private key is used and the same set of private keys is used for the encryption and decryption operations within a short period of time.
Step S202: multiply all possible values of the sub-private key by the ciphertext polynomial combination vector to obtain a plurality of hypothesis product vectors.
At this security level, several different ciphertexts can be sent for decryption. The d ciphertext polynomial vectors $(c_{d\_1}, c_{d\_2}, \ldots, c_{d\_N})$ are spliced head to tail to obtain the ciphertext polynomial combination vector $(c_1, c_2, \ldots, c_{d \times N})$. Multiplying the K-dimensional column vector of hypothetical sub-private keys by the $(d \times N)$-dimensional ciphertext polynomial combination row vector gives a matrix $V_{K \times (d \times N)}$ with K rows and $d \times N$ columns; splitting it by rows gives K hypothesis product vectors of dimension $d \times N$, $(V_{i,1}, V_{i,2}, \ldots, V_{i,d \times N})$ $(i = 1, 2, \ldots, K)$.
Step S205: acquire the measured energy traces.
At this security level, energy traces for several different ciphertexts can be obtained, so there is no longer only one usable energy trace. The experimental acquisition environment and acquisition procedure are the same as before.
Step S206: process the measured energy traces.
Points are still taken from the measured energy trace in a sliding manner, 1 data point every 10 sampling points, N times in total, to construct an energy trace. The difference is that points are taken from each of the several energy traces at the same positions (T positions in total), and the resulting $d \times T$ once-processed energy traces $(t_{d\_i,1}, t_{d\_i,2}, \ldots, t_{d\_i,N})$ $(i = 1, 2, \ldots, T)$ are then spliced into T twice-processed energy traces $(t_{i,1}, t_{i,2}, \ldots, t_{i,d \times N})$ $(i = 1, 2, \ldots, T)$. Fig. 10 is a schematic of the measured energy trace processing.
Finally, the correlation coefficients between the hypothetical energy traces $X = (h_{i,1}, h_{i,2}, \ldots, h_{i,d \times N})$ $(i = 1, 2, \ldots, K)$ and the processed measured energy traces $Y = (t_{i,1}, t_{i,2}, \ldots, t_{i,d \times N})$ $(i = 1, 2, \ldots, T)$ are calculated again, giving the correlation coefficient matrix $r_{K \times T}$.
Fig. 11 shows the results of an attack using the combined correlation energy analysis method, where the horizontal axis is the number of energy traces and the vertical axis is the average attack accuracy. With only one energy trace available, the attack accuracy is 76.41%, which is the attack accuracy of the horizontal correlation energy analysis method. The attack accuracy when two energy traces are combined is 99.24%, with three energy traces it is 99.96%, and with four energy traces it is 100%.
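The sliding-start trace processing (step S106), the correlation matrix $r_{K \times T}$ (step S107) and the peak search (step S108) of the horizontal method, together with the head-to-tail splicing of the combined method (steps S202 and S206), as an added simulation that is not part of the patent. The modulus 7681, the 16 candidate values, the single-register Hamming-distance attack function and the noisy trace are assumptions constructed here; the patent's own attack function (its Fig. 4) is not reproduced.

```python
import math
import random

Q = 7681                      # modulus (assumption for this constructed example)
N = 128                       # coefficients per ciphertext polynomial (constructed)
SAMPLES_PER_CLOCK = 10        # 500 MS/s scope, 50 MHz clock, as in the text
CANDIDATES = list(range(16))  # K = 16 assumed sub-private-key values


def hamming_distance(x, y):
    """HD(x, y): number of 1 bits in x XOR y."""
    return bin(x ^ y).count("1")


def hypothesis_traces(candidates, ciphertext):
    """Steps 2-4: K hypothetical energy traces h[i][j].

    Assumed attack function (not the patent's): a register holds k*c_j mod Q
    and is overwritten each clock, so it leaks HD(previous, current)."""
    traces = []
    for k in candidates:
        prev, row = 0, []
        for c in ciphertext:
            cur = (k * c) % Q
            row.append(hamming_distance(prev, cur))
            prev = cur
        traces.append(row)
    return traces


def sliding_windows(trace, n_points, step):
    """Step 6: for each possible start sample, keep one point per clock."""
    span = step * (n_points - 1)
    return [trace[s:s + span + 1:step] for s in range(len(trace) - span)]


def combine(per_trace):
    """Combined method: splice row i of every trace head to tail."""
    return [sum(rows, []) for rows in zip(*per_trace)]


def pearson(x, y):
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    if vx == 0 or vy == 0:    # constant trace: correlation is undefined
        return 0.0
    return cov / math.sqrt(vx * vy)


def analyse(ciphertexts, traces):
    """Steps 7-8: K x T correlation matrix and the location of its peak."""
    hyps = combine([hypothesis_traces(CANDIDATES, c) for c in ciphertexts])
    windows = combine([sliding_windows(t, N, SAMPLES_PER_CLOCK) for t in traces])
    r = [[pearson(h, w) for w in windows] for h in hyps]
    rho, i, s = max((v, i, s) for i, row in enumerate(r) for s, v in enumerate(row))
    return r, CANDIDATES[i], s, rho


def simulate_trace(key, ciphertext, start, rng, noise=1.0, tail=23):
    """Constructed measurement: Gaussian noise plus one leaking sample per clock."""
    leak = hypothesis_traces([key], ciphertext)[0]
    length = start + SAMPLES_PER_CLOCK * len(leak) + tail
    trace = [rng.gauss(0.0, noise) for _ in range(length)]
    for j, h in enumerate(leak):
        trace[start + SAMPLES_PER_CLOCK * j] += h
    return trace


def run_demo(d, true_key=11, true_start=37, seed=2022):
    """d = 1 is the horizontal case; d > 1 is the combined case."""
    rng = random.Random(seed)
    ciphertexts = [[rng.randrange(Q) for _ in range(N)] for _ in range(d)]
    traces = [simulate_trace(true_key, c, true_start, rng) for c in ciphertexts]
    return analyse(ciphertexts, traces)


if __name__ == "__main__":
    for d in (1, 3):
        r, key, start, rho = run_demo(d)
        print(f"d={d}: matrix {len(r)}x{len(r[0])}, peak rho={rho:.3f} "
              f"at candidate {key}, start sample {start}")
```

The row for candidate 0 is all zeros because its hypothetical trace is constant, which is why `pearson` guards against zero variance.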
Method three: vertical correlation energy analysis method
The vertical correlation energy analysis method differs from the horizontal and combined correlation energy analysis methods in the input data prepared for the attack function (corresponding to step 2), in the attack function itself (corresponding to step 3), in the number of measured energy traces that can be obtained (corresponding to step 5), and in how the measured energy traces are processed (corresponding to step 6).
The vertical correlation energy analysis method is designed for the case of a low security level, in which a long-term private key is used and the same set of private keys is used for the encryption and decryption operations over a long period of time. At first glance its conditions of use differ from those of the combined correlation energy analysis method only in the validity period of the private key; the combined method also works wherever the vertical method applies, so the vertical method seems to have no application of its own. In fact this is not the case: the vertical method is a more general analysis method that is applicable to any ring polynomial multiplier structure, whereas the previous two analysis methods are designed for the schoolbook polynomial multiplication algorithm and no longer apply to attacks on the NTT polynomial multiplication algorithm.
Step S302: multiply all possible values of the sub-private key by the sub-ciphertext combination vector to obtain a plurality of hypothesis product vectors.
At the lower security level, several different ciphertexts can be sent for decryption. Only the coefficients at the same position of the d ciphertext polynomial vectors are combined, giving the sub-ciphertext combination vector $(c_{1\_i}, c_{2\_i}, \ldots, c_{d\_i})$ $(i \in [1, N])$. Multiplying the K-dimensional column vector of hypothetical sub-private keys by the d-dimensional sub-ciphertext combination row vector gives a matrix $V_{K \times d}$ with K rows and d columns; splitting it by rows gives K d-dimensional hypothesis product vectors $(V_{i,1}, V_{i,2}, \ldots, V_{i,d})$ $(i = 1, 2, \ldots, K)$.
Step S303: process each hypothesis product vector with the attack function to obtain a plurality of hypothesis intermediate value traces.
The schoolbook polynomial multiplication algorithm involves $N^2$ private-key multiplications $a_i * b_j$ $(i = 1, 2, \ldots, N;\ j = 1, 2, \ldots, N)$, whereas the NTT polynomial multiplication algorithm involves N private-key multiplications $a_i * b_j$ $(i = 1, 2, \ldots, N)$. Compared with the schoolbook polynomial multiplication algorithm, the number of private-key multiplications in the NTT polynomial multiplication algorithm is greatly reduced. If an NTT ring polynomial multiplier structure is attacked, the attack functions constructed in the previous two analysis methods no longer apply; the new attack function no longer combines intermediate value data and includes only one key intermediate value, namely the 26-bit product value x in Fig. 4.
Step S305: acquire the measured energy traces.
At this security level, energy traces for several different ciphertexts can be obtained; the experimental acquisition environment and acquisition procedure are the same as before.
Step S306: process the measured energy traces.
This method processes the traces differently from the previous two: the data at the same point on every energy trace must be combined, so processing the d energy traces of T points each yields T processed energy traces $(t_{i,1}, t_{i,2}, \ldots, t_{i,d})$ $(i = 1, 2, \ldots, T)$. Fig. 12 is a schematic of the measured energy trace processing.
Finally, the correlation coefficients between the hypothetical energy traces $X = (h_{i,1}, h_{i,2}, \ldots, h_{i,d})$ $(i = 1, 2, \ldots, K)$ and the processed measured energy traces $Y = (t_{i,1}, t_{i,2}, \ldots, t_{i,d})$ $(i = 1, 2, \ldots, T)$ are calculated again, giving the correlation coefficient matrix $r_{K \times T}$.
Fig. 13 shows the result of an attack test on 100 energy traces using the vertical correlation energy analysis method; the horizontal axis is the number of energy traces and the vertical axis is the attack success rate. As the number of energy traces increases, the attack success rate also increases; the minimum number of energy traces needed for the attack success rate to stabilize at 100% is 72, which is marked by a red dot in Fig. 13.
The invention has been described in detail with reference to specific embodiments and illustrative examples, but the description is not intended to be construed in a limiting sense. Those skilled in the art will appreciate that various equivalent substitutions, modifications or improvements may be made to the embodiments and implementations of the invention without departing from the spirit and scope of the invention, and are within the scope of the invention. The scope of the invention is defined by the appended claims.

Claims (7)

1. The side channel correlation energy analysis method applied to the ring polynomial multiplier is characterized in that: the method comprises the following steps:
step one, acquiring all possible values of a sub-private key to be attacked, wherein one sub-private key refers to one coefficient in the private-key polynomial vector;
step two, multiplying all possible values of the sub-private keys with the ciphertext vectors respectively to obtain a plurality of hypothesis product vectors;
step three, adopting an attack function to process each hypothesis product vector respectively to obtain a plurality of hypothesis intermediate value traces;
step four, respectively processing each hypothesis intermediate value track by adopting a Hamming distance model to obtain a plurality of hypothesis energy tracks;
step five, acquiring an actually measured energy trace;
step six, processing the actually measured energy trace;
step seven, calculating a correlation coefficient between the hypothesis energy trace and the processed actual measurement energy trace;
and step eight, drawing a correlation curve to obtain the best candidate sub-private key.
2. The side-channel correlation energy analysis method applied to the ring polynomial multiplier of claim 1, wherein: the Hamming distance model refers to the total number of 0 → 1 transitions and 1 → 0 transitions of corresponding bits when a binary number changes; the Hamming distance between two numbers x and y is denoted HD(x, y); the two numbers are XORed in binary and the number of 1s in the XOR result is counted, and that count is the Hamming distance value.
3. The side-channel correlation energy analysis method applied to the ring polynomial multiplier of claim 1, wherein: when the security level of the sub-private key to be attacked is high, the cryptosystem uses a new set of private keys for each encryption and decryption, and in this case a horizontal correlation energy analysis method is adopted, specifically:
step S101, acquiring all possible values of the sub-private key to be attacked, assuming that each sub-private key of the private-key polynomial vector has K possible values, so that this step yields a K-dimensional column vector of all hypothetical values, $(k_1, k_2, \ldots, k_K)^T$,
step S102, obtaining the ciphertext polynomial vector $(c_1, c_2, \ldots, c_N)$ from the communication channel, wherein N corresponds to the known lattice dimension in the lattice-based cryptographic algorithm, and multiplying the K-dimensional column vector of hypothetical sub-private keys by the N-dimensional ciphertext polynomial row vector to obtain a matrix $V_{K \times N}$ with K rows and N columns, which is split by rows to obtain K N-dimensional hypothesis product vectors $V_{i,1}, V_{i,2}, \ldots, V_{i,N}$, wherein $i = 1, 2, \ldots, K$,
step S103, processing each hypothesis product vector with an attack function to obtain a plurality of hypothesis intermediate value traces,
step S104, processing each hypothesis intermediate value trace with the Hamming distance model to obtain K hypothesis energy traces $h_{i,1}, h_{i,2}, \ldots, h_{i,N}$, wherein $i = 1, 2, \ldots, K$,
step S105, collecting the power consumption waveform of the encryption and decryption operation of the cryptosystem to obtain the measured energy trace,
step S106, processing the measured energy trace: sampling the measured energy trace, acquiring T sampling points, and constructing the energy traces for the correlation calculation, to obtain T processed measured energy traces $t_{i,1}, t_{i,2}, \ldots, t_{i,N}$, wherein $i = 1, 2, \ldots, T$,
step S107, calculating the correlation coefficient between the hypothesis energy trace and the processed measured energy trace,
the correlation coefficient between the hypothesis energy trace and the measured energy trace being calculated according to the following formula:
Figure FDA0003830283700000021
wherein $\rho$ is the correlation coefficient between the hypothesis energy trace and the measured energy trace; cov() is the covariance; var() is the variance; X is a hypothesis energy trace, $X = h_{i,1}, h_{i,2}, \ldots, h_{i,N}$, wherein $i = 1, 2, \ldots, K$; Y is a processed measured energy trace, $Y = t_{i,1}, t_{i,2}, \ldots, t_{i,N}$, wherein $i = 1, 2, \ldots, T$; this step yields the correlation coefficient matrix $r_{K \times T}$,
step S108, drawing a correlation curve to obtain the best candidate sub-private key,
the correlation coefficient curve being drawn against the sequence number of the starting sampling point; if a point has the largest value in the whole correlation curve, the point is aligned with the starting point of the measured energy trace, and the hypothetical sub-private-key value to which the point belongs is the best candidate sub-private-key value.
4. The side-channel correlation energy analysis method applied to a ring polynomial multiplier of claim 1, wherein: when the security level of the sub-private key to be attacked is moderate, the cryptosystem uses a short-term private key and the encryption and decryption operations within a period of time all use the same set of private keys, and in this case a combined correlation energy analysis method is adopted, specifically:
step S201, acquiring all possible values of the sub-private key to be attacked, assuming that each sub-private key of the private-key polynomial vector has K possible values, so that this step yields a K-dimensional column vector of all hypothetical values, $(k_1, k_2, \ldots, k_K)^T$,
step S202, under the condition of a moderate security level, obtaining d ciphertext polynomials from the communication channel, and splicing the d ciphertext polynomial vectors $c_{d\_1}, c_{d\_2}, \ldots, c_{d\_N}$ head to tail to obtain the ciphertext polynomial combination vector $c_1, c_2, \ldots, c_{d \times N}$; multiplying the K-dimensional column vector of hypothetical sub-private keys by the $(d \times N)$-dimensional ciphertext polynomial combination row vector to obtain a matrix $V_{K \times (d \times N)}$ with K rows and $d \times N$ columns, which is split into K hypothesis product vectors of dimension $d \times N$, $V_{i,1}, V_{i,2}, \ldots, V_{i,d \times N}$, wherein $i = 1, 2, \ldots, K$,
step S203, processing each hypothesis product vector with an attack function to obtain a plurality of hypothesis intermediate value traces,
step S204, processing each hypothesis intermediate value trace with the Hamming distance model to obtain K hypothesis energy traces $h_{i,1}, h_{i,2}, \ldots, h_{i,N}$, wherein $i = 1, 2, \ldots, K$,
step S205, collecting the power consumption waveform of the encryption and decryption operation of the cryptosystem to obtain d groups of measured energy traces,
step S206, processing the measured energy traces: sampling each group of measured energy traces, acquiring $d \times T$ sampling points, and constructing the energy traces for the correlation calculation, to obtain $d \times T$ once-processed measured energy traces, and splicing the once-processed measured energy traces into T twice-processed measured energy traces $t_{i,1}, t_{i,2}, \ldots, t_{i,d \times N}$, wherein $i = 1, 2, \ldots, T$,
step S207, calculating the correlation coefficient between the hypothesis energy trace and the processed measured energy trace,
the correlation coefficient between the hypothesis energy trace and the measured energy trace being calculated according to the following formula:
Figure FDA0003830283700000022
wherein $\rho$ is the correlation coefficient between the hypothesis energy trace and the measured energy trace; cov() is the covariance; var() is the variance; X is a hypothesis energy trace, $X = h_{i,1}, h_{i,2}, \ldots, h_{i,d \times N}$, wherein $i = 1, 2, \ldots, K$; Y is a processed measured energy trace, $Y = t_{i,1}, t_{i,2}, \ldots, t_{i,d \times N}$, wherein $i = 1, 2, \ldots, T$; this step yields the correlation coefficient matrix $r_{K \times T}$,
step S208, drawing a correlation curve to obtain the best candidate sub-private key,
the correlation coefficient curve being drawn against the sequence number of the starting sampling point; if a point has the largest value in the whole correlation curve, the point is aligned with the starting point of the measured energy trace, and the hypothetical sub-private-key value to which the point belongs is the best candidate sub-private-key value.
5. The side-channel correlation energy analysis method applied to a ring polynomial multiplier of claim 1, wherein: when the security level of the sub-private key to be attacked is low, the cryptosystem uses a long-term private key, and in this case a vertical correlation energy analysis method is adopted, specifically:
step S301, acquiring all possible values of the sub-private key to be attacked, assuming that each sub-private key of the private-key polynomial vector has K possible values, so that this step yields a K-dimensional column vector of all hypothetical values, $(k_1, k_2, \ldots, k_K)^T$,
step S302, under the condition of a low security level, obtaining d ciphertext polynomial vectors from the communication channel, and combining only the coefficients at the same position to obtain the sub-ciphertext combination vector $c_{1\_i}, c_{2\_i}, \ldots, c_{d\_i}$, $i \in [1, N]$; multiplying the K-dimensional column vector of hypothetical sub-private keys by the d-dimensional sub-ciphertext combination row vector to obtain a matrix $V_{K \times d}$ with K rows and d columns, which is split by rows to obtain K d-dimensional hypothesis product vectors $V_{i,1}, V_{i,2}, \ldots, V_{i,d}$, $i = 1, 2, \ldots, K$,
step S303, processing each hypothesis product vector with an attack function to obtain a plurality of hypothesis intermediate value traces,
step S304, processing each hypothesis intermediate value trace with the Hamming distance model to obtain K hypothesis energy traces $h_{i,1}, h_{i,2}, \ldots, h_{i,N}$, wherein $i = 1, 2, \ldots, K$,
step S305, collecting the power consumption waveform of the encryption and decryption operation of the cryptosystem to obtain d groups of measured energy traces,
step S306, combining the data at the same point on every energy trace, and processing the d energy traces of T points each to obtain T processed energy traces $t_{i,1}, t_{i,2}, \ldots, t_{i,d}$, wherein $i = 1, 2, \ldots, T$,
step S307, calculating the correlation coefficient between the hypothesis energy trace and the processed measured energy trace,
the correlation coefficient between the hypothesis energy trace and the measured energy trace being calculated according to the following formula:
Figure FDA0003830283700000031
wherein $\rho$ is the correlation coefficient between the hypothesis energy trace and the measured energy trace; cov() is the covariance; var() is the variance; X is a hypothesis energy trace, $X = h_{i,1}, h_{i,2}, \ldots, h_{i,d \times N}$, wherein $i = 1, 2, \ldots, K$; Y is a processed measured energy trace, $Y = t_{i,1}, t_{i,2}, \ldots, t_{i,d}$, wherein $i = 1, 2, \ldots, T$; this step yields the correlation coefficient matrix $r_{K \times T}$,
step S308, drawing a correlation curve to obtain the best candidate sub-private key,
the correlation coefficient curve being drawn against the sequence number of the starting sampling point; if a point has the largest value in the whole correlation curve, the point is aligned with the starting point of the measured energy trace, and the hypothetical sub-private-key value to which the point belongs is the best candidate sub-private-key value.
6. The side-channel correlation energy analysis method applied to a ring polynomial multiplier of claim 1, wherein: the measured energy trace is acquired as follows: a resistor is connected in series in the power-supply branch of the cryptosystem; the current of the cryptosystem fluctuates during operation, which produces a continuously varying voltage across the resistor, and the voltage drop across the resistor is measured with an oscilloscope to obtain the measured energy trace.
7. The side channel correlation energy analysis system applied to the ring polynomial multiplier is characterized in that: the chip is fixed on the development board, a programmed cryptosystem is provided in the chip, the resistor is connected in series in the chip power-supply branch, and the oscilloscope is connected to the resistor and used to measure the voltage drop across the resistor.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211074981.5A CN115412360A (en) 2022-09-02 2022-09-02 Side channel correlation energy analysis method and system applied to ring polynomial multiplier

Publications (1)

Publication Number Publication Date
CN115412360A (en) 2022-11-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination