TWI611682B - Cracking devices and methods thereof - Google Patents


Publication number
TWI611682B
Authority
TW
Taiwan
Prior art keywords
key
data
complex array
hypothetical
leakage
Application number
TW105117521A
Other languages
Chinese (zh)
Other versions
TW201743585A (en)
Inventor
李嵩聲
鍾思齊
游鈞元
張錫嘉
李鎭宜
Original Assignee
華邦電子股份有限公司
Application filed by 華邦電子股份有限公司
Priority to TW105117521A
Publication of TW201743585A
Application granted
Publication of TWI611682B

Landscapes

  • Storage Device Security (AREA)

Abstract

A cracking method for revealing the key of an encryption device includes: establishing a leakage model of the encryption device; performing a mathematical operation on the leakage model according to a plurality of sets of input data to generate a mathematical model; generating a plurality of sets of hypothetical keys; using the mathematical model to generate a plurality of sets of simulated data corresponding to the hypothetical keys; inputting the input data to the encryption device and detecting a plurality of sets of leakage data generated by the encryption device; performing the mathematical operation on the leakage data to generate operation data; determining a correlation between each set of simulated data and the operation data; and determining, according to the correlation, that one of the hypothetical keys is the key.

Description

Cracking device and method

The present invention relates to a cracking device and method for side-channel attacks, and in particular to a cracking device and method that perform an operation on the leakage model used in correlation power analysis in order to improve cracking efficiency.

Because Internet of Things (IoT) devices are unattended most of the time, they are easy targets for attackers, and the physical security of IoT devices has become correspondingly more important. A side-channel attack (SCA) uses physical characteristics of a device, such as power, electromagnetic emissions and temperature, to reveal the secret key and information about the target device. Research on side-channel attacks can expose a device's potential weaknesses and so let designers understand possible security gaps. To ensure security, designers must take side-channel attacks into account during the design process and test with a variety of side-channel attack techniques.

To shorten the time a side-channel attack takes, it is necessary to reduce measurement noise and algorithmic noise, so as to reduce the amount and complexity of the data that must be processed and thereby increase the efficiency of the attack.

In view of this, the present invention provides a cracking method for revealing a key of an encryption device. The cracking method includes: establishing a leakage model of the encryption device; performing a mathematical operation on the leakage model according to a plurality of sets of input data to generate a mathematical model; generating a plurality of sets of hypothetical keys; using the mathematical model to generate a plurality of sets of simulated data corresponding to the hypothetical keys; inputting the input data to the encryption device and detecting a plurality of sets of leakage data generated by the encryption device; performing the mathematical operation on the leakage data to generate operation data; and determining, according to the correlation, that one of the hypothetical keys is the key.

According to an embodiment of the invention, the step of determining that one of the hypothetical keys is the key further includes: calculating a correlation coefficient between each set of simulated data and the operation data; selecting, according to the correlation coefficients, one set of simulated data as target data, wherein the target data has the highest correlation coefficient; and determining that the hypothetical key corresponding to the target data is the key.

According to an embodiment of the invention, the leakage model outputs different leakage data according to a first variable related to the input data, a second variable related to the hypothetical key, and a third variable related to both the input data and the hypothetical key, wherein the mathematical operation is used to eliminate the influence of the second variable of the leakage model.

According to an embodiment of the invention, the encryption device encrypts the plurality of sets of input data according to the key and thereby generates different leakage data, wherein the mathematical operation is further used to eliminate the influence of the second variable of the encryption device.

According to an embodiment of the invention, the step of generating the hypothetical keys further includes: dividing the key into N parts; and making hypotheses for each of the N parts of the key to generate N pluralities of sets of hypothetical keys; wherein, before hypotheses are made for another of the N parts, one of the plurality of sets of hypothetical keys corresponding to one of the N parts is first determined to be that one of the N parts.

According to an embodiment of the invention, the step of determining that one of the hypothetical keys is the key further includes: determining, for each of the N parts, that one of the corresponding plurality of sets of hypothetical keys is that part of the key; and combining the N hypothetical keys so determined to obtain the key.

The present invention further provides a cracking device for revealing a key of an encryption device, including: a controller; and a non-transitory storage device. The non-transitory storage device stores a plurality of instructions, and the controller executes the corresponding steps according to the instructions, including: establishing a leakage model of the encryption device; performing a mathematical operation on the leakage model according to a plurality of sets of input data to generate a mathematical model; generating a plurality of sets of hypothetical keys; using the mathematical model to generate a plurality of sets of simulated data corresponding to the hypothetical keys; inputting the input data to the encryption device and detecting a plurality of sets of leakage data generated by the encryption device; performing the mathematical operation on the leakage data to generate operation data; and determining, according to the correlation between each set of simulated data and the operation data, that one of the hypothetical keys is the key.

According to an embodiment of the invention, the step of determining that one of the hypothetical keys is the key further includes: calculating a correlation coefficient between each set of simulated data and the operation data; selecting, according to the correlation coefficients, one set of simulated data as target data, wherein the target data has the highest correlation coefficient; and determining that the hypothetical key corresponding to the target data is the key.

According to an embodiment of the invention, the leakage model outputs different leakage data according to a first variable related to the input data, a second variable related to the hypothetical key, and a third variable related to both the input data and the hypothetical key, wherein the mathematical operation is used to eliminate the influence of the second variable of the leakage model.

According to an embodiment of the invention, the encryption device encrypts the plurality of sets of input data according to the key and thereby generates different leakage data, wherein the mathematical operation is further used to eliminate the influence of the second variable of the encryption device.

According to an embodiment of the invention, the step of generating the hypothetical keys further includes: dividing the key into N parts; and making hypotheses for each of the N parts of the key to generate N pluralities of sets of hypothetical keys; wherein, before hypotheses are made for another of the N parts, one of the plurality of sets of hypothetical keys corresponding to one of the N parts is first determined to be that one of the N parts.

According to an embodiment of the invention, the step of determining that one of the hypothetical keys is the key further includes: determining, for each of the N parts, that one of the corresponding plurality of sets of hypothetical keys is that part of the key; and combining the N hypothetical keys so determined to obtain the key.

10‧‧‧encryption device

100, 300‧‧‧cracking device

310‧‧‧controller

320‧‧‧non-transitory storage device

DI‧‧‧input data

DO‧‧‧leakage data

SK‧‧‧key

S21~S28‧‧‧process steps

Fig. 1 is a schematic diagram of a cracking device according to an embodiment of the invention; Fig. 2 is a flowchart of a cracking method according to an embodiment of the invention; and Fig. 3 is a block diagram of a cracking device according to an embodiment of the invention.

To make the above objects, features and advantages of the invention easier to understand, a preferred embodiment is described in detail below with reference to the accompanying drawings. The following describes preferred embodiments according to the invention. It must be noted that the invention provides many applicable inventive concepts, and that the specific embodiments disclosed here merely illustrate specific ways of making and using the invention and are not to be used to limit its scope.

Fig. 1 is a schematic diagram of a cracking device according to an embodiment of the invention. As shown in Fig. 1, the encryption device 10 encrypts the input data DI according to the key SK, and leakage data DO is produced during encryption. According to an embodiment of the invention, the leakage data DO may be timing information, warning sounds, indicator lights, power consumption, leaked electromagnetic waves, and so on. The cracking device 100 cracks the key SK used by the encryption device 10 according to a cracking method, which is described in detail below.

Fig. 2 is a flowchart of a cracking method according to an embodiment of the invention. To explain the invention in detail, the flowchart of Fig. 2 is described together with Fig. 1. As shown in Fig. 2, the cracking device 100 first establishes a leakage model of the encryption device 10 (step S21).

According to an embodiment of the invention, the leakage model is a function giving the leakage data DO that the encryption device 10 generates from the input data DI and the key SK. That is, the leakage data DO output by the leakage model changes with a first variable related to the input data DI, a second variable related to the key SK, and a third variable related to both the input data DI and the key SK.

To reduce algorithmic noise, the cracking device 100 performs a mathematical operation on the leakage model according to a plurality of sets of input data DI to generate a mathematical model (step S22), in order to cancel the second variable, which is related only to the key SK. According to an embodiment of the invention, the simplest mathematical operation is an addition or subtraction applied to the leakage model according to the plurality of sets of input data DI to generate the mathematical model.

Next, the cracking device 100 makes hypotheses about the key SK used by the encryption device 10 and generates a plurality of sets of hypothetical keys (step S23). According to an embodiment of the invention, the key SK may be a 128-bit key. According to an embodiment of the invention, the cracking device 100 divides the key SK into several parts and makes hypotheses for each part separately to generate the plurality of sets of hypothetical keys. For example, if each part of the key SK contains 8 bits, the cracking device 100 makes hypotheses for 8 bits at a time and generates 2^8 sets of hypothetical keys. Compared with exhaustively searching the 128-bit key SK, which generates 2^128 sets of hypothetical keys, the cracking device 100 proposed by the invention greatly reduces the number of hypothetical keys that must be generated and so greatly improves cracking efficiency.

The cracking device 100 then feeds the plurality of sets of hypothetical keys into the mathematical model to generate a plurality of sets of simulated data (step S24). Because the mathematical operation has already removed from the mathematical model the influence of the second variable related to the key SK, the simulated data depend only on the first variable and the third variable.

The cracking device 100 also inputs the plurality of sets of input data DI to the encryption device 10 in order to detect the plurality of sets of leakage data DO that the encryption device 10 generates from each input data DI and the key SK (step S25). To compare the simulated data with the leakage data DO, the cracking device 100 applies to the measured leakage data DO the same mathematical operation that was performed on the leakage model, generating operation data (step S26). According to an embodiment of the invention, performing the same mathematical operation on the leakage data DO eliminates the influence of the second variable, which is related only to the key SK, and reduces measurement noise.

Next, the cracking device 100 determines the correlation between each set of simulated data and the operation data (step S27). According to an embodiment of the invention, the cracking device 100 calculates a correlation coefficient between each set of simulated data and the operation data and uses it to determine that correlation.

The cracking device 100 then obtains the key SK used by the encryption device 10 according to the correlation between the simulated data and the operation data (step S28). According to an embodiment of the invention, when one set of simulated data has the highest correlation coefficient, that set is the closest to the operation data, so the set of hypothetical keys corresponding to it should be the closest to the key SK used by the encryption device 10.

According to another embodiment of the invention, the cracking device 100 may divide the key SK into several parts, make hypotheses for each, and generate a plurality of hypothetical keys for each part. When the cracking device 100 determines that each hypothetical key matches the corresponding part of the key SK used by the encryption device 10, it combines these matching hypothetical keys to obtain the key SK.

For example, the cracking device 100 divides the key SK into a first part and a second part and makes hypotheses for the first part to generate a plurality of sets of first hypothetical keys. Once the first part is determined to be one of the first hypothetical keys, hypotheses are made for the second part to generate a plurality of sets of second hypothetical keys. Once the second part is determined to be one of the second hypothetical keys, the cracking device 100 combines the first part and the second part to obtain the key SK.
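The flow of steps S21 to S28, with the key settled one 8-bit part at a time, can be reproduced on a simulated device as follows; this is an added example, not code from the patent. The toy S-box, the Hamming-weight form of the three leakage terms, the weight of the key-only term, the noise level and all function names are assumptions chosen for illustration, and subtraction of two inputs' leakage is used as the mathematical operation.

```python
import random
from itertools import combinations

# Constructed toy S-box: a seeded random byte permutation, not from any real cipher.
SBOX = list(range(256))
random.Random(2016).shuffle(SBOX)
HW = [bin(v).count("1") for v in range(256)]   # Hamming-weight lookup table
KEY_ONLY_WEIGHT = 3.0                          # assumed weight of the key-only term


def leak(d, k, noise=0.0, rng=None):
    """Assumed leakage model of the simulated device for one input/key byte."""
    first = HW[d]                        # first variable: input data only
    second = KEY_ONLY_WEIGHT * HW[k]     # second variable: key only
    third = HW[SBOX[d ^ k]]              # third variable: input data and key
    return first + second + third + (rng.gauss(0.0, noise) if rng else 0.0)


def model(d, k):
    """Leakage model without the key-only term, which cancels on subtraction."""
    return HW[d] + HW[SBOX[d ^ k]]


def model_diff(d1, d2, k):
    """S22: mathematical model = leakage model for input d1 minus that for d2."""
    return model(d1, k) - model(d2, k)


def pearson(xs, ys):
    """Pearson correlation coefficient of two equally long sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5 if sxx > 0 and syy > 0 else 0.0


def recover_byte(inputs, traces):
    """Recover one 8-bit key part from input bytes and their leakage samples."""
    pairs = list(combinations(range(len(inputs)), 2))
    # S26: apply the same subtraction to the measured leakage data.
    measured = [traces[i] - traces[j] for i, j in pairs]
    scores = []
    for guess in range(256):                        # S23: 2^8 hypothetical keys
        per_input = [model(d, guess) for d in inputs]
        # S24: same value as model_diff(inputs[i], inputs[j], guess) for each pair.
        simulated = [per_input[i] - per_input[j] for i, j in pairs]
        scores.append(pearson(simulated, measured))  # S27
    best = max(range(256), key=scores.__getitem__)   # S28: highest coefficient
    return best, scores


def capture(secret_key, n_traces, noise, seed):
    """S25 on a simulated device: random inputs, one noisy sample per key byte."""
    rng = random.Random(seed)
    inputs = [[rng.randrange(256) for _ in secret_key] for _ in range(n_traces)]
    traces = [[leak(d, k, noise, rng) for d, k in zip(row, secret_key)]
              for row in inputs]
    return inputs, traces


def recover_key(inputs, traces, n_parts):
    """Settle each key part in turn, then combine the parts into the key."""
    parts = []
    for p in range(n_parts):
        best, _ = recover_byte([row[p] for row in inputs],
                               [row[p] for row in traces])
        parts.append(best)
    return bytes(parts)


if __name__ == "__main__":
    secret = bytes([0x3A, 0xC5, 0x07, 0xF0])    # constructed sample key
    ins, trs = capture(secret, n_traces=80, noise=0.5, seed=7)
    print("recovered:", recover_key(ins, trs, len(secret)).hex())
```

Raising `noise` or lowering `n_traces` shows how many measurements the correct part needs before its coefficient separates from the wrong guesses, which is the figure a side-channel evaluation of a device reports.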

Fig. 3 is a block diagram of a cracking device according to an embodiment of the invention. The cracking device 300 of Fig. 3 corresponds to the cracking device 100 of Fig. 1. As shown in Fig. 3, the cracking device 300 includes a controller 310 and a non-transitory storage device 320, which stores a plurality of instructions. After executing the instructions stored in the non-transitory storage device 320, the controller 310 performs the corresponding steps of the cracking method 200 shown in Fig. 2.

Because the cracking device and cracking method proposed by the invention perform a mathematical operation on the leakage model and on the plurality of operation data, they not only reduce the complexity of the data but also effectively reduce algorithmic noise and measurement noise. According to an embodiment of the invention, the mathematical operation performed on the leakage model and the plurality of operation data may be the difference between two different sets of input data. If necessary, the proposed cracking device and cracking method may include other operations, for example ones that need additional input data in order to eliminate the influence of the second variable related to the key.

In addition, when N sets of input data DI are input and the mathematical operation is performed on 2 sets of input data at a time,

Figure TWI611682BD00001

sets of operation data can be obtained, so the mathematical operation can greatly increase the amount of required operation data. Furthermore, assuming the key SK is 128 bits, an exhaustive search needs to check the correlation between the operation data and the simulated data 2^128 times, whereas the cracking device and method proposed by the invention can check the correlation of the key in 128 segments. That is, when the cracking device 100 divides the key SK into 128 segments for checking, the number of correlation checks between the operation data and the simulated data is reduced to 128, which greatly reduces the amount of data to be processed and saves data-processing time.

The foregoing describes features of many embodiments so that those of ordinary skill in the art can clearly understand the form of this specification. Those of ordinary skill in the art will understand that they can use the present disclosure as a basis for designing or modifying other processes and structures to achieve the same purposes and/or the same advantages as the embodiments described above. Those of ordinary skill in the art will also understand that equivalent constructions do not depart from the spirit and scope of the invention, and that arbitrary changes, substitutions and refinements may be made without departing from the spirit and scope of the invention.

Claims (12)

1. A cracking method for revealing a key of an encryption device, the cracking method including: establishing a leakage model of the encryption device; performing a mathematical operation on the leakage model according to a plurality of sets of input data to generate a mathematical model; generating a plurality of sets of hypothetical keys; using the mathematical model to generate a plurality of sets of simulated data corresponding to the hypothetical keys; inputting the input data to the encryption device and detecting a plurality of sets of leakage data generated by the encryption device; performing the mathematical operation on the leakage data to generate operation data; determining a correlation between each set of simulated data and the operation data; and determining, according to the correlation, that one of the hypothetical keys is the key.

2. The cracking method of claim 1, wherein the step of determining that one of the hypothetical keys is the key further includes: calculating a correlation coefficient between each set of simulated data and the operation data; selecting, according to the correlation coefficients, one set of simulated data as target data, wherein the target data has the highest correlation coefficient; and determining that the hypothetical key corresponding to the target data is the key.

3. The cracking method of claim 1, wherein the leakage model outputs different leakage data according to a first variable related to the input data, a second variable related to the hypothetical key, and a third variable related to both the input data and the hypothetical key, and wherein the mathematical operation is used to eliminate the influence of the second variable of the leakage model.

4. The cracking method of claim 3, wherein the encryption device encrypts the plurality of sets of input data according to the key and thereby generates different leakage data, and wherein the mathematical operation is further used to eliminate the influence of the second variable of the encryption device.

5. The cracking method of claim 1, wherein the step of generating the hypothetical keys further includes: dividing the key into N parts; and making hypotheses for each of the N parts of the key to generate N pluralities of sets of hypothetical keys; wherein, before hypotheses are made for another of the N parts, one of the plurality of sets of hypothetical keys corresponding to one of the N parts is first determined to be that one of the N parts.

6. The cracking method of claim 5, wherein the step of determining that one of the hypothetical keys is the key further includes: determining, for each of the N parts, that one of the corresponding plurality of sets of hypothetical keys is that part of the key; and combining the N hypothetical keys so determined to obtain the key.

7. A cracking device for revealing a key of an encryption device, including: a controller; and a non-transitory storage device storing a plurality of instructions, wherein the controller executes the corresponding steps according to the instructions, including: establishing a leakage model of the encryption device; performing a mathematical operation on the leakage model according to a plurality of sets of input data to generate a mathematical model; generating a plurality of sets of hypothetical keys; using the mathematical model to generate a plurality of sets of simulated data corresponding to the hypothetical keys; inputting the input data to the encryption device and detecting a plurality of sets of leakage data generated by the encryption device; performing the mathematical operation on the leakage data to generate operation data; and determining, according to the correlation between each set of simulated data and the operation data, that one of the hypothetical keys is the key.

8. The cracking device of claim 7, wherein the step of determining that one of the hypothetical keys is the key further includes: calculating a correlation coefficient between each set of simulated data and the operation data; selecting, according to the correlation coefficients, one set of simulated data as target data, wherein the target data has the highest correlation coefficient; and determining that the hypothetical key corresponding to the target data is the key.

9. The cracking device of claim 7, wherein the leakage model outputs different leakage data according to a first variable related to the input data, a second variable related to the hypothetical key, and a third variable related to both the input data and the hypothetical key, and wherein the mathematical operation is used to eliminate the influence of the second variable of the leakage model.

10. The cracking device of claim 9, wherein the encryption device encrypts the plurality of sets of input data according to the key and thereby generates different leakage data, and wherein the mathematical operation is further used to eliminate the influence of the second variable of the encryption device.

11. The cracking device of claim 7, wherein the step of generating the hypothetical keys further includes: dividing the key into N parts; and making hypotheses for each of the N parts of the key to generate N pluralities of sets of hypothetical keys; wherein, before hypotheses are made for another of the N parts, one of the plurality of sets of hypothetical keys corresponding to one of the N parts is first determined to be that one of the N parts.

12. The cracking device of claim 11, wherein the step of determining that one of the hypothetical keys is the key further includes: determining, for each of the N parts, that one of the corresponding plurality of sets of hypothetical keys is that part of the key; and combining the N hypothetical keys so determined to obtain the key.
Priority Applications (1)

Application Number: TW105117521A (TWI611682B)
Priority Date: 2016-06-03
Filing Date: 2016-06-03
Title: Cracking devices and methods thereof

Publications (2)

Publication Number, Publication Date
TW201743585A, 2017-12-16
TWI611682B, 2018-01-11

Family ID: 61230465

Country Status (1)

TW: TWI611682B (en)
