CN117811725A - Novel fault attack method for SKINNY-N-N algorithm - Google Patents
Novel fault attack method for SKINNY-N-N algorithm Download PDFInfo
- Publication number
- CN117811725A CN117811725A CN202311852799.2A CN202311852799A CN117811725A CN 117811725 A CN117811725 A CN 117811725A CN 202311852799 A CN202311852799 A CN 202311852799A CN 117811725 A CN117811725 A CN 117811725A
- Authority
- CN
- China
- Prior art keywords
- key
- round
- ciphertext
- error
- algorithm
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 42
- 238000011084 recovery Methods 0.000 claims abstract description 10
- 230000001939 inductive effect Effects 0.000 claims description 15
- 238000002347 injection Methods 0.000 claims description 12
- 239000007924 injection Substances 0.000 claims description 12
- 239000011159 matrix material Substances 0.000 claims description 11
- 238000012216 screening Methods 0.000 claims description 9
- 230000009699 differential effect Effects 0.000 claims description 6
- 230000007257 malfunction Effects 0.000 claims description 6
- 238000006467 substitution reaction Methods 0.000 claims description 5
- 238000004458 analytical method Methods 0.000 abstract description 13
- 230000006698 induction Effects 0.000 abstract description 4
- 238000005516 engineering process Methods 0.000 description 5
- 238000011161 development Methods 0.000 description 2
- 230000008676 import Effects 0.000 description 2
- 238000013459 approach Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 239000000203 mixture Substances 0.000 description 1
- 238000000053 physical method Methods 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 230000001052 transient effect Effects 0.000 description 1
Landscapes
- Detection And Prevention Of Errors In Transmission (AREA)
Abstract
The invention discloses a novel fault attack method aiming at a SKINNY-N-N algorithm, which comprises the following steps: firstly, an attacker randomly selects a plaintext and acquires a correct ciphertext under the action of an initial key; then, an attacker carries out multi-word random fault induction on an R-3 round key in the key expansion process to obtain an error sub-key, inputs a plaintext selected randomly and the obtained error key into encryption operation to obtain an error ciphertext, and the attacker restores the first two rows of the R round key by using the correct error ciphertext pair; then, the attacker conducts multisection random fault induction on the R-4 round subkeys so as to recover the second two rows of the R-4 round subkeys; and then reversely calculating to obtain the initial key. The method has the advantages of high fault propagation speed, more available differential state units in the two latter rounds, reduced fault quantity required by key recovery, reduced use of deep constraint, and low analysis difficulty in key recovery process and time complexity of key recovery algorithm.
Description
Technical Field
The invention relates to a fault attack technology of a SKINNY algorithm, in particular to a novel fault attack method aiming at the SKINNY-N-N algorithm, and belongs to the technical field of information security.
Background
With the continuous development of the internet of things technology, various small-sized devices are connected to the internet, the computing resources of the devices are limited, and the data security and the integrity of the traditional passwords are difficult to ensure. The lightweight cryptographic algorithm has the characteristics of low power consumption, small throughput, high execution efficiency, good safety performance and the like, achieves a better balance between computing resources and performance, has higher practicability than the traditional password, and simultaneously puts forward higher requirements on the safety of the cryptographic algorithm.
The password analysis technology is continuously improved, and the lightweight block password algorithm actually used in the Internet of things equipment increasingly highlights security holes, so that analysis and research on the algorithm are required, the attack process and method are continuously perfected, the updating of the password algorithm is realized, the defensive capability of the lightweight block password algorithm is improved, and the security of the Internet of things technology is further improved.
SKINNY is a new lightweight, tunable block cipher that was proposed to compete with the latest design SIMON by the national security agency of the united states. The algorithm is an SPN structure and supports two different packet lengths of 64 bits and 128 bits, and half words and words are taken as basic units of operation. The key is referred to in the skunny specification as a tunable key and may vary in size to 512 bits. Variant parameterized representations of the original specification are described as SKINNY n-n, SKINNY n-2n, and SKINNY n-3n, where n represents the packet size of the cipher and n, 2n, and 3n represent the adjustable key size.
The SKINNY-N encryption algorithm requires 32 rounds (n=64) and 40 rounds (n=128) of encryption, as shown in fig. 1, each round of encryption sequentially performs byte Substitution (SC), round constant Addition (AC), round adjustable key Addition (ART), row Shift (SR), and column aliasing (MC), and the result generated by each operation is called a State (State), where the states are arranged in rows into a 4×4 matrix.
Each round of encryption process of the SKINNY-N encryption algorithm requires a set of subkeys K n (n=1, 2, …, R), the subkeys are generated by a key expansion algorithm. The key expansion algorithm consists of unit-level permutation operations PT, pt= [9,15,8,13,10,14,12,11,0,1,2,3,4,5,6,7 ]]。
The internet of things devices are often exposed to an open environment, are prone to physical contact, and lack expensive tamper protection, making them ideal targets for side channel Such (SCA) physical attacks. One of the most popular attacks in side channel analysis is a fault attack. Fault attacks were proposed and applied to public key cryptography RSA by Boneh et al in 1996, after which they have taken an important role in the cryptanalysis approach. And various attack methods, such as differential fault attack, collision fault attack, invalid fault attack and the like, are derived in the later development. Differential Fault Attack (DFA) was first proposed by Biham and Shamir in 1997 and used to successfully attack DES algorithm, and its analysis process is efficient and simple, usually the preferred method of symmetric cryptographic algorithm fault analysis. An attacker uses physical methods such as voltage transient, external clock abrupt change, laser beam, X-ray and the like to intentionally change the processed value to interfere with calculation to obtain error output in the operation process of the hardware encryption equipment, and then obtains secret information by comparing the error output with correct output. Differential fault analysis has been applied to many lightweight cryptographic algorithm analyses after being proposed. Differential fault attacks include various types of fault injection, including a fault injection model in bit units, a fault injection model in nibbles, a fault injection model in bytes, and the like.
The conventional differential fault attack scheme is mainly divided into two types according to the difference of fault induction positions: the first is to introduce a fault into the encryption process of the algorithm, and recover the initial key of the algorithm by introducing a random fault into a designated storage unit in the encryption process and utilizing the differential characteristic of a nonlinear layer; the second is to introduce faults into the key expansion process of the algorithm, modify the state in the generation process of the subkeys at specific moments, and recover the initial keys by utilizing a differential analysis technology.
A practitioner puts forward a differential fault attack method based on single fault aiming at a SKINNY algorithm, and the technical scheme sets attack conditions, so that the attacker can be required to import random faults at any position of any round of intermediate state, and can repeatedly import the faults and obtain corresponding error ciphertext for the same position. The attack principle is as follows: and randomly selecting a plaintext P for encryption to obtain a correct ciphertext. And for the same selected plaintext, introducing faults to the state when the algorithm runs to the R-4 round to obtain a corresponding error ciphertext. And listing equations related to the R round key according to the difference distribution characteristics of the correct ciphertext, the error ciphertext and the S box, exhausting all values of the round key unit, and determining the R round key by utilizing the difference characteristic of the S box. And decrypting the correct ciphertext by using the R round key to obtain R-1 round output, and determining the R-1 round key according to the difference of the R-1 round S box. The attack process is summarized as that faults in units of words are respectively imported into 10 (N=64) or 21 (N=128) units in the intermediate state of the R-4 round to carry out key analysis, and the key analysis method has high requirement on the times of fault injection.
The traditional technical scheme still has the defects of high event complexity, high data complexity, complex operation, high cost and the like, and finally influences the efficiency of the whole scheme.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a novel fault attack method aiming at the SKINNY-N-N algorithm, which can carry out fault induction attack on subkeys required by key addition operation, has simple operation and low data volume, and can ensure that the key search space is reduced to the minimum.
The technical scheme for realizing the aim of the invention is as follows:
the invention provides a novel fault attack method aiming at a SKINNY-N-N algorithm, which comprises the following steps:
(1) Selecting a random plaintext and carrying out one-time correct encryption;
selecting a random plaintext, carrying out one-time correct encryption under the fault-free condition, and collecting ciphertext output;
(2) Inducing faults in a key expansion algorithm of SKINNY to recover the first two rows of the last round of keys;
inducing a multiword fault before R-2 rounds of SKINNY key expansion algorithm to generate an error key, completing error encryption, collecting corresponding error ciphertext, and recovering a last round of key K by utilizing the differential characteristic of a last two rounds of S boxes R 8 sub-key units of the first two rows;
(3) Inducing partial keys of the first two rows of the last round keys to be recovered by faults in a key expansion algorithm of SKINNY;
inducing a multiword event before the R-3 round of the SKINNY key expansion algorithmBarrier, generating error key, completing error encryption, collecting corresponding error ciphertext, and recovering penultimate round key K by using penultimate round S box differential characteristic R-1 Partial subkey units of the first two rows;
(4) Restoring the residual key unit of the last-last round key, and acquiring the last two rows of sub-keys of the last round key;
solving the induced fault value by using the correct ciphertext in the step (1) and the error ciphertext in the step (3), and recovering K R-1 The remaining sub-key units of (2) are used to obtain K according to the key arrangement algorithm R The latter two rows of subkeys;
(5) Recovering an initial key;
an attacker recovers the obtained K according to the working principle of the SKINNY key expansion algorithm R And reversely calculating to obtain the initial key.
In the novel fault attack method of the SKINNY-N-N algorithm, preferably, the random plaintext is selected and correctly encrypted once in the step (1), and the specific steps are as follows:
(1.1) an attacker randomly selects a plaintext, inputs the plaintext and the initial key into the SKINNY algorithm, outputs and collects the correct ciphertext, and marks the input of the S-box substitution sub-operation asThe input of the wheel constant plus sub-operation is noted +.>The input of the round adjustable key plus sub-operation is denoted +.>The input of the row shift sub-operation is denoted +.>The input of the column mix sub-operation is denoted +.>Marking the correct ciphertext as C;
(1.2) the S-box substitution sub-operation of the SKINNY algorithm is denoted as SC, the round constant addition sub-operation is denoted as AC, the round adjustable key addition sub-operation is denoted as ART, the row shift sub-operation is denoted as SR, the column mixing sub-operation is denoted as MC, and the round key of the r-th round is denoted as K r ,For exclusive OR operation symbol, ">
In the novel fault attack method of the SKINNY-N-N algorithm, in the step (2), the first two rows of the last round of keys are recovered by inducing faults in the key expansion algorithm of the SKINNY, and the specific steps are as follows:
(2.1) at K when the Key expansion Algorithm runs to round R-2 R-3 In the first two key units of row 1, i.eInducing a random multiword fault, and outputting R-4 correct subkeys and 4 wrong subkeys after the key expansion algorithm is finished;
(2.2) the attacker inputs the plaintext randomly selected in the step (1) and the error key generated in the step (2.1) into the encryption algorithm, outputs and outputs an error ciphertext, and the error ciphertext is recorded as
(2.3) guessing the KeyPerforming one round of inverse operation on the state units corresponding to the correct ciphertext and the error ciphertext to obtain X R ,/>Using a differential state matrix DeltaX R,1 Establishing a differential equation of S-box input and output, and recovering +.>The 6 subkey units of the first two rows;
(2.4) guessing the KeyPerforming two-round inverse operation on the state units corresponding to the correct ciphertext and the error ciphertext to obtain X R-1 ,/>Using a differential state matrix DeltaX R-1,1 Establishing a differential equation of S-box input and output, and recovering +.>The remaining 2 subkey units of the first two rows;
(2.5) known from key expansion algorithmThere is no difference in the first two lines of (a), the recovered 8 subkey units are K R Key values of the first two rows.
In the novel fault attack method of the SKINNY-N algorithm of the present invention, preferably, in the step (3), partial keys of the first two rows of the last round keys are induced to be recovered by faults in the key expansion algorithm of the SKINNY, and the specific steps are as follows:
(3.1) when the Key expansion Algorithm runs to round R-3, at K R-4 In the first two key units of row 1, i.eInducing a random multiword fault, and outputting R-5 correct subkeys and 5 wrong subkeys after the key expansion algorithm is finished;
(3.2) the attacker inputs the plaintext randomly selected in the step (1) and the error key generated in the step (3.1) into the encryption algorithm, outputs and outputs an error ciphertext, and the error ciphertext is recorded as
(3.3) for the correct ciphertext C and the incorrect ciphertextA round of inverse operation is performed to obtain the state X R And->Guessing a keyFor state X R ,/>The corresponding state unit performs a round of inverse operation to obtain X R-1 ,/>Using a differential state matrix DeltaX R-1 Establishing a differential equation of S-box input and output, and recovering +.>The 5 subkey units of the first two rows;
in the novel fault attack method of the SKINNY-N algorithm of the present invention, preferably, the recovering the remaining key unit of the penultimate round key in step (4) and obtaining the remaining key unit includes the following specific steps:
(4.1) for the correct ciphertext C and the incorrect ciphertextA round of inverse operation is performed to obtain the state X R And->Re-aligning state X R ,The corresponding state unit performs a round of inverse operation to find +.>The status value of (2) is exclusive-ored to obtain +.>Fault value f of site injection 1 Recovery +.>
(4.2) guessingFault value f of site injection 2 And->Establishing a differential equation for the S boxes of the R-2 round and the R-3 round, and screening f by utilizing differential characteristics 2 And->Acquiring f 2 After which the method of step (3.3) is used to recover +.>
(4.3) known from key expansion algorithmThe first two lines of (a) have no difference, and the 8 subkey units recovered in the step (3) and the step (4) are K R-1 Key values of the first two rows.
(4.4) according to the key expansion algorithm principle and K R-1 Key value of the first two rows, obtain K R Is a complete key of (a).
In the novel fault attack method of SKINNY-N-N algorithm, the S box in the step (5) screens an initial key to recover, and recovers K R Inputting a key expansion algorithm, and performing inverse operation of key expansionThe key to obtain the first round is the initial key TK 1 。
The beneficial effects of the invention are as follows:
(1) The method of the invention is based on the multiword faults in the SKINNY key expansion algorithm, accelerates the propagation speed of the faults in the state, makes the faults spread to the whole state matrix more quickly, increases the available differential state units in the two later rounds, and reduces the number of faults required by key recovery;
(2) The method can reduce the use of deep constraint, only uses two rounds of constraint to recover the key, and reduces the analysis difficulty of the key recovery process and the time complexity of the key recovery algorithm.
Drawings
FIG. 1 is a schematic flow chart of a SKINNY-N encryption algorithm.
FIG. 2 is at K R-3 When the fault is injected, the propagation path of the fault is shown schematically.
FIG. 3 is at K R-4 When the fault is injected, the propagation path of the fault is shown schematically.
Detailed Description
The invention is described in further detail below with reference to the embodiments of the drawings.
The novel fault attack method for the SKINNY-N-N algorithm mainly comprises the following steps:
(1) Selecting a random plaintext and carrying out one-time correct encryption;
selecting a random plaintext, carrying out one-time correct encryption under the fault-free condition, and collecting ciphertext output;
(2) Inducing faults in a key expansion algorithm of SKINNY to recover the first two rows of the last round of keys;
inducing a multiword fault before R-2 rounds of SKINNY key expansion algorithm to generate an error key, completing error encryption, collecting corresponding error ciphertext, and recovering a last round of key K by utilizing the difference characteristic of a last round of S box R 8 sub-key units of the first two rows;
in this particular embodiment, when the fault-inducing operation selects K R-3 The first two cells of the first rowWhen a valid error ciphertext is obtained +>And recover to obtain K R The key units of the first two rows have the following specific processes:
(2.1) at K when the Key expansion Algorithm runs to round R-2 R-3 In the first two key units of row 1, i.eInducing a random multiword fault, outputting R-4 correct sub-keys and 4 wrong sub-keys after the key expansion algorithm is finished, wherein the propagation paths of the fault in the key expansion and encryption algorithm are shown in figure 2;
(2.2) the attacker inputs the plaintext randomly selected in the step (1) and the error key generated in the step (2.1) into the encryption algorithm, outputs and outputs an error ciphertext, and the error ciphertext is recorded as
(2.3) guessing the KeyPerforming one round of inverse operation on the state units corresponding to the correct ciphertext and the error ciphertext to obtain X R ,/>Using a differential state matrix DeltaX R,1 Internal relation of (2)Screening for S-box differential properties>The 6 subkey units of the first two rows;
(2.4) guessing the KeyPerforming two-round inverse operation on the state units corresponding to the correct ciphertext and the error ciphertext to obtain X R-1 ,/>Using a differential state matrix DeltaX R-1,1 Internal relation of->Screening for S-box differential properties>The remaining 2 subkey units of the first two rows;
(2.5) known from key expansion algorithmNo faults exist in the first two lines of the key, and the recovered 8 subkey units are K R Key value of the first two lines,/->Obtaining the R round key K through the step (2) R The values of the 8 subkey units of the first two rows.
(3) Inducing partial keys of the first two rows of the last round keys to be recovered by faults in a key expansion algorithm of SKINNY;
inducing a multiword fault before R-3 rounds of SKINNY key expansion algorithm to generate an error key, completing error encryption, collecting corresponding error ciphertext, and recovering a penultimate round key K by using the differential characteristic of a penultimate round S box R-1 Partial subkey units of the first two rows;
in this particular embodiment, when the fault-inducing operation selects K R-4 The first two cells of the first rowWhen a valid error ciphertext is obtained +>And recover to obtain K R-1 The key units of the first two rows of keys comprise the following specific processes:
(3.1) when the Key expansion Algorithm runs to round R-3, at K R-4 In the first two key units of row 1, i.eInducing a random multiword fault, outputting R-5 correct sub-keys and 5 wrong sub-keys after the key expansion algorithm is finished, wherein the propagation paths of the fault in the key expansion and encryption algorithm are shown in figure 3;
(3.2) the attacker inputs the plaintext randomly selected in the step (1) and the error key generated in the step (3.1) into the encryption algorithm, outputs and outputs an error ciphertext, and the error ciphertext is recorded as
(3.3) for the correct ciphertext C and the incorrect ciphertextA round of inverse operation is performed to obtain the state X R And->Guessing a keyFor state X R ,/>The corresponding state unit performs a round of inverse operation to obtain X R-1 ,/>Using a differential state matrix DeltaX R-1,2 Internal relation of (2)
Screening for S-box differential properties>The 5 subkey units of the first two rows;
(3.4) known from key expansion algorithmNo faults exist in the first two lines of the system, and the recovered 5 subkey units are K R Key value of the first two lines,/->Obtaining the R-1 round key K through the step (3) R-1 The values of the 5 subkey units of the first two rows.
(4) Restoring the residual key unit of the penultimate round key and acquiring the residual key unit;
solving the induced fault value by using the correct ciphertext in the step (1) and the error ciphertext in the step (3), and recovering K R-1 Remaining subkey units and obtain K R The second two rows of keys;
in this embodiment, the error ciphertext is usedSolving->Failure value f of 1 ,f 2 And recover to obtain K R-1 The first two rows of key remaining key units and obtaining K R The specific process of the keys of the last two rows is as follows:
(4.1) for the correct ciphertext C and the incorrect ciphertextA round of inverse operation is performed to obtain the state X R And->Re-aligning state X R ,The corresponding state unit performs a round of inverse operation to find +.>The state value of (2) is known by key expansion algorithmExclusive OR is performed to obtain +.>Fault value f of site injection 1 Using the input differential relationship of the R-2 round S boxScreening->And->No malfunction is present in->Recovery through this step(4.2) guess +.>Fault value f of site injection 2 And->Using the differential relationship of R-2 and R-3 round S boxesScreening f using differential characteristics 2 And->And->No malfunction is present in->Restoring +.>
(4.3) obtaining f 2 The differential relation of the step R-1 round S is used laterScreening->And->No malfunction is present in->Restoring +.>
(4.4) recovering the first two rows of 8 sub-key units of the R-1 round key in step (4), according to the key expansion algorithm principle and K R-1 Key value of the first two rows, for K R-1 Obtaining K using inverse of unit level substitution operation PT R Is a complete key of (a).
(5) Recovering an initial key;
an attacker recovers the obtained K according to the working principle of the SKINNY key expansion algorithm R Performing inverse operation of key expansion until the key of the first round is obtained to obtain the initial key TK 1 。
By using the analysis method, the invention uses Java language to simulate fault injection, plaintext processing and key recovery processes on a computer with Intel (R) Core (TM) i5-5250U CPU@1.60GHz 8GB memory, and experimental results show that the attack method is accurate. The method provides a reference for evaluating the safety of the SKINNY algorithm, and is simple and quick to operate.
Claims (4)
1. A novel fault attack method for SKINNY-N-N algorithm is characterized by comprising the following steps:
(1) Selecting a random plaintext and carrying out one-time correct encryption;
selecting a random plaintext, carrying out one-time correct encryption under the fault-free condition, and collecting ciphertext output;
(2) Inducing faults in a key expansion algorithm of SKINNY to recover the first two rows of the last round of keys;
inducing a multiword fault before R-2 rounds of SKINNY key expansion algorithm to generate an error key, completing error encryption, collecting corresponding error ciphertext, and recovering a last round of key K by utilizing the differential characteristic of a last two rounds of S boxes R 8 sub-key units of the first two rows;
(3) Inducing partial keys of the first two rows of the last round keys to be recovered by faults in a key expansion algorithm of SKINNY;
inducing a multiword fault before R-3 rounds of SKINNY key expansion algorithm to generate an error key, completing error encryption, collecting corresponding error ciphertext, and recovering a penultimate round key K by using the differential characteristic of a penultimate round S box R-1 Partial subkey units of the first two rows;
(4) Restoring the residual key unit of the last-last round key, and acquiring the last two rows of sub-keys of the last round key;
solving the induced fault value by using the correct ciphertext in the step (1) and the error ciphertext in the step (3), and recovering K R-1 The remaining sub-key units of (2) are used to obtain K according to the key arrangement algorithm R The latter two rows of subkeys;
(5) Recovering an initial key;
an attacker works according to the working principle of the SKINNY key expansion algorithmRecovering the obtained K R And reversely calculating to obtain the initial key.
2. The new fault attack method for the SKINNY-N algorithm according to claim 1, wherein in the step 2), a multiple word fault is induced before the R-2 round of the SKINNY key expansion algorithm to obtain a valid error ciphertext, and K is recovered therefrom R The specific process of the first two rows of keys is as follows:
(2.1) at K when the Key expansion Algorithm runs to round R-2 R-3 In the first two key units of row 1, i.eInducing a random multiword fault, and outputting R-4 correct subkeys and 4 wrong subkeys after the key expansion algorithm is finished;
(2.2) the attacker inputs the randomly selected plaintext and the error key generated in the step (2.1) into the encryption algorithm, outputs and outputs an error ciphertext, and the error ciphertext is recorded as
(2.3) guessing the KeyPerforming one round of inverse operation on the state units corresponding to the correct ciphertext and the error ciphertext to obtain X R ,/>Using a differential state matrix DeltaX R,1 Internal relation of (2)
Screening for S-box differential properties>The 6 subkey units of the first two rows;
(2.4) guessing the KeyPerforming two-round inverse operation on the state units corresponding to the correct ciphertext and the error ciphertext to obtain X R-1 ,/>Using a differential state matrix DeltaX R-1,1 Internal relation of->Screening for S-box differential properties>The remaining 2 subkey units of the first two rows;
(2.5) known from key expansion algorithmNo faults exist in the first two lines of the key, and the recovered 8 subkey units are K R Key value of the first two lines,/->Obtaining the R round key K through the step (2) R The values of the 8 subkey units of the first two rows.
3. The new fault attack method for the SKINNY-N algorithm according to claim 1, wherein in the step 3), a multiple word fault is induced before the R-3 round of the SKINNY key expansion algorithm to obtain a valid error ciphertext, and K is recovered therefrom R-1 The specific process of the first two lines of partial keys is as follows:
(3.1) when the Key expansion Algorithm runs to round R-3, at K R-4 In the first two key units of row 1, i.eInducing a random multiword fault, and outputting R-5 correct subkeys and 5 wrong subkeys after the key expansion algorithm is finished;
(3.2) the attacker inputs the randomly selected plaintext and the error key generated in the step (3.1) into the encryption algorithm, outputs and outputs an error ciphertext, and the error ciphertext is recorded as
(3.3) for the correct ciphertext C and the incorrect ciphertextA round of inverse operation is performed to obtain the state X R And->Guessing a keyFor state X R ,/>The corresponding state unit performs a round of inverse operation to obtain X R-1 ,/>Using a differential state matrix DeltaX R-1,2 Internal relation of->Screening for S-box differential properties>The 5 subkey units of the first two rows;
(3.4) known from key expansion algorithmNo faults exist in the first two lines of the system, and the recovered 5 subkey units are K R Key value of the first two lines,/->Obtaining the R-1 round key K through the step (3) R-1 The values of the 5 subkey units of the first two rows.
4. The novel fault attack method for the SKINNY-N algorithm according to claim 1, wherein in the step 4), the error ciphertext in the step (3) is used to solve the induced fault value to recover K R-1 Remaining subkey units and obtain K R The specific process of the keys of the last two rows is as follows:
(4.1) for the correct ciphertext C and the incorrect ciphertextA round of inverse operation is performed to obtain the state X R And->Re-aligning state X R ,/>The corresponding state unit performs a round of inverse operation to find +.>The state value of (2) is known by key expansion algorithmExclusive OR is performed to obtain +.>Fault value f of site injection 1 Using the input differential relationship of the R-2 round S boxScreening->And->No malfunction is present in->Recovery through this step
(4.2) guessingFault value f of site injection 2 And->Using the differential relationship of R-2 and R-3 round S boxesScreening f using differential characteristics 2 And->And->No malfunction is present in->Restoring +.>
(4.3) acquisitionf 2 The differential relation of the step R-1 round S is used laterScreening->And is also provided withNo malfunction is present in->Restoring +.>
(4.4) recovering the first two rows of 8 sub-key units of the R-1 round key in step (4), according to the key expansion algorithm principle and K R-1 Key value of the first two rows, for K R-1 Obtaining K using inverse of unit level substitution operation PT R Is a complete key of (a).
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311852799.2A CN117811725A (en) | 2023-12-29 | 2023-12-29 | Novel fault attack method for SKINNY-N-N algorithm |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311852799.2A CN117811725A (en) | 2023-12-29 | 2023-12-29 | Novel fault attack method for SKINNY-N-N algorithm |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117811725A true CN117811725A (en) | 2024-04-02 |
Family
ID=90423354
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311852799.2A Pending CN117811725A (en) | 2023-12-29 | 2023-12-29 | Novel fault attack method for SKINNY-N-N algorithm |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117811725A (en) |
-
2023
- 2023-12-29 CN CN202311852799.2A patent/CN117811725A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Li et al. | Differential fault analysis on the ARIA algorithm | |
| EP2316189B1 (en) | Method for generating a cipher-based message authentication code | |
| EP2523385B1 (en) | Method and circuit for cryptographic operation | |
| CN107204841B (en) | Method for realizing multiple S boxes of block cipher for resisting differential power attack | |
| CN112653546A (en) | Fault attack detection method based on power consumption analysis | |
| CN109936437B (en) | power consumption attack resisting method based on d +1 order mask | |
| Zhang et al. | Fault attack on the authenticated cipher ACORN v2 | |
| Hou et al. | DNFA: Differential no-fault analysis of bit permutation based ciphers assisted by side-channel | |
| Mu et al. | A voltage template attack on the modular polynomial subtraction in Kyber | |
| CN117811725A (en) | Novel fault attack method for SKINNY-N-N algorithm | |
| Singh et al. | Study & analysis of cryptography algorithms: RSA, AES, DES, T-DES, blowfish | |
| CN110417540B (en) | Information encryption method for resisting differential power analysis | |
| Bae et al. | Differential fault analysis on AES by round reduction | |
| CN113434332B (en) | Fault propagation-based key recovery method for DES/3DES middle wheel attack | |
| Li et al. | Single byte differential fault analysis on the LED lightweight cipher in the wireless sensor network | |
| Ghafoori et al. | PNB based differential cryptanalysis of Salsa20 and Chacha | |
| Khaleel et al. | A new block cipher based on finite automata systems | |
| Smart et al. | The enigma machine | |
| CN113949500A (en) | Attack method aiming at SM4 second-order energy analysis | |
| CN112532373B (en) | Differential fault analysis method, system and storage medium for stream cipher algorithm | |
| Wang et al. | Fault Analysis of the ARIA and uBlock Block Ciphers | |
| Xiutao et al. | A realtime key recovery attack on the authenticated cipher FASER128 | |
| Vafaei et al. | Practical Differential Fault Analysis on SKINNY. | |
| Kumar et al. | A heuristic approach towards variability of HC-128 | |
| Liu et al. | SCARE and power attack on AES-like block ciphers with secret S-box |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication |