
Graduate student: 郭俊良 (Kuo, Jiun-Liang)
Thesis title: 抵擋差分能量攻擊的遮罩架構於合成對偶AES之研究 (A Study of Mask Architecture on Composite-Dual AES to Resist DPA)
Advisor: 賴溪松 (Laih, Chi Sung)
Degree: Master
Department: College of Electrical Engineering and Computer Science, Institute of Computer & Communication Engineering
Year of publication: 2006
Graduation academic year: 94
Language: English
Number of pages: 82
Chinese keywords: 差分能量攻擊, 遮罩架構, 合成對偶AES (differential power attack, mask architecture, composite-dual AES)
English keywords: mask architecture, composite-dual AES, DPA
Usage statistics: 61 views, 2 downloads
Chinese abstract (translated): Since the National Institute of Standards and Technology (NIST) published the AES standard (FIPS-197) in 2001, experts and scholars in many fields have tried to develop new attacks to break AES. From a hardware point of view, a hardware module leaks information indirectly while it runs through many physical phenomena, for example its execution time, the power it consumes while operating, and its electromagnetic emanation. Methods that use such information to attack a cryptographic architecture in order to obtain the secret (the key) are collectively called side-channel attacks. Consequently, an algorithm that is proven secure often still leaks the secret it is meant to protect because of various implementation factors. When an attacker collects the power consumed by the cryptographic module and analyses it statistically, the method is called a power attack; it was first proposed by Kocher in 1999, and in recent years many papers on resisting power attacks have followed. The most common method hides the intermediate values with a mask: a random value is generated to conceal the value we want to hide, so the attacker cannot correctly collect and analyse the required power-consumption curves, and this class of attack can be resisted. In this thesis we review power attacks, implement Oswald's mask architecture using the properties of the dual cipher, then investigate whether there is a better choice of composite-field transformation than the one in Oswald's hardware architecture, and discuss whether combining a dual cipher with the existing mask architecture gives better security. All of these are examined in this thesis.

English abstract: NIST (National Institute of Standards and Technology) selected Rijndael as the new Advanced Encryption Standard (AES) in 2001. Since then, experts in every field have tried their best to introduce new styles of attack to break the AES standard. From a hardware point of view, a hardware module may, while executing, indirectly reveal information about the cryptographic device through many kinds of physical phenomena, such as execution time, power consumption and electromagnetic emanation. Using this kind of information to attack a cryptographic device is called a side-channel attack (SCA). Therefore, even if a cryptographic algorithm is proved secure, its implementation may reveal the protected secret as a result of various implementation factors. An attacker can collect the power curves dissipated by the cryptographic device and analyze them; this kind of attack is called a power attack and was proposed by Kocher in 1999. Consequently, many papers have recently been published on defending against power attacks. The most common method is to randomize the intermediate value of each round, which is why masking is discussed extensively: a random number is combined with the value one wants to hide, so that attackers are unable to collect and analyze meaningful power curves and the power attack becomes useless. In this thesis, we review power attacks, implement Oswald's mask architecture based on the properties of the Dual Cipher, and discuss whether it is better than Oswald's masking method. We also analyze whether combining Dual AES with a mask may lead to better security against power attacks.

Table of contents:
Chinese Abstract  iii
English Abstract  iv
Acknowledgment  v
Contents  vi
List of Tables  viii
List of Figures  ix
1 Introduction  1
  1.1 Introduction to Cryptography  1
  1.2 Research Motivation  2
  1.3 Our Contributions  3
  1.4 Thesis Outline  4
2 Preliminary Background  5
  2.1 Mathematical Background  5
  2.2 Brief Review of AES  6
    2.2.1 Main Operations of AES Algorithm  10
    2.2.2 Key Scheduling  13
  2.3 Side-Channel Attack  15
    2.3.1 Power Analysis  16
3 The Discussions of Dual AES and Composite Fields  20
  3.1 The Discussion of Dual AES  20
  3.2 The Discussion of Composite Fields  23
4 The Evolutions of Mask Methods to Defend Power Attack  30
  4.1 Countermeasure Methods  30
    4.1.1 Mask  30
    4.1.2 Messerges's Random-Value Mask  31
    4.1.3 Itoh's Fixed-Value Mask  32
    4.1.4 Akkar's Transformed Mask Method  35
    4.1.5 Trichina Simplified Adaptive Mask  37
    4.1.6 Vulnerability: Zero-Value Attack  38
    4.1.7 MS-IAIK  39
    4.1.8 Trichina's Masked AND-Gate  42
5 Implementation Based on Dual AES and Mask  46
  5.1 Dual AES and DPA  46
    5.1.1 Using AES Architecture  46
    5.1.2 Dual Cipher Combines with Mask Architecture  48
  5.2 Implementation  48
    5.2.1 The Modified Architecture of MS-IAIK  48
    5.2.2 Find the Best Transformation  49
    5.2.3 Mask Generator  52
    5.2.4 Modified AES Architecture for Mask  54
    5.2.5 Implementation Results  59
6 Conclusions and Future Work  68
Bibliography  69
Appendix  73
  The Best Hamming Weight in SubBytes  73
Vita  82

Bibliography:

[1] "The MathWorks - MATLAB and Simulink for Technical Computing," http://www.mathworks.com.

[2] "Data Encryption Standard," NBS (National Bureau of Standards) FIPS PUB 46, Tech. Rep., 1977.

[3] "Data Encryption Standard," NBS (National Bureau of Standards) FIPS PUB 46-1, Tech. Rep., 1988.

[4] "Data Encryption Standard (DES)," National Bureau of Standards, Tech. Rep., Jan. 1997.

[5] "Advanced Encryption Standard (AES)," National Institute of Standards and Technology, Tech. Rep., Nov. 2001.

[6] M.-L. Akkar and C. Giraud, "An implementation of DES and AES, secure against some attacks," in Proceedings Cryptographic Hardware and Embedded Systems - CHES 2001, ser. Lecture Notes in Computer Science, C. K. Koc, D. Naccache, and C. Paar, Eds., vol. 2162. Springer-Verlag, 2001, pp. 309-318.

[7] E. Barkan and E. Biham, "In how many ways can you write Rijndael?" in Proceedings Advances in Cryptology - ASIACRYPT 2002, ser. Lecture Notes in Computer Science, Y. Zheng, Ed., vol. 2501. Springer-Verlag, 2002, pp. 160-175.

[8] J. Blomer, J. G. Merchan, and V. Krummel, "Provably secure masking of AES," in Selected Areas in Cryptography - SAC 2004, ser. Lecture Notes in Computer Science, H. Handschuh and M. A. Hasan, Eds., vol. 3357. Springer-Verlag, 2004, pp. 69-83.

[9] R. M. Davis, "Some regular properties of DES," National Bureau of Standards Special Publication, Tech. Rep., 1978.

[10] T. ElGamal, "A public-key cryptosystem and a signature scheme based on discrete logarithms," IEEE Trans. on Information Theory, vol. 31, no. 4, 1985, pp. 469-472.

[11] J. D. Golic and C. Tymen, "Multiplicative masking and power analysis of AES," in Cryptographic Hardware and Embedded Systems - CHES 2002, ser. Lecture Notes in Computer Science, B. K. Jr., C. K. Koc, and C. Paar, Eds., vol. 2523. Springer-Verlag, 2003, pp. 198-212.

[12] K. Itoh, M. Takenaka, and N. Torii, "DPA countermeasure based on the 'masking method'," in Proceedings Information Security and Cryptology - ICISC 2001, ser. Lecture Notes in Computer Science, K. Kim, Ed., vol. 2288. Springer-Verlag, 2002, pp. 440-456.

[13] P. Kocher, J. Jaffe, and B. Jun, "Introduction to differential power analysis and related attacks," http://www.cryptography.com/resources/whitepapers/DPATechInfo.pdf, 1998.

[14] P. Kocher, J. Jaffe, and B. Jun, "Differential power analysis," in Proceedings Advances in Cryptology - CRYPTO'99, ser. Lecture Notes in Computer Science, M. Wiener, Ed., vol. 1666. Springer-Verlag, 1999, pp. 388-397.

[15] K. J. Kulikowski, M. Su, A. Smirnov, and A. Taubin, "Delay insensitive encoding and power analysis: A balancing act," in Proceedings Asynchronous Circuits and Systems (ASYNC'05), 2005, pp. 116-125.

[16] X. Lai and J. Massey, "A proposal for a new block encryption standard," in Proceedings Advances in Cryptology - EUROCRYPT'90, ser. Lecture Notes in Computer Science, I. Damgard, Ed., vol. 473. Springer-Verlag, 1991, pp. 380-404.

[17] S.-C. Lu, "On the design of AES based on dual cipher and composite field," Master's thesis, National Cheng Kung University, June 2003.

[18] T. Messerges, "Securing the AES finalists against power analysis attacks," in Proceedings Fast Software Encryption - FSE 2000, ser. Lecture Notes in Computer Science, B. Schneier, Ed., vol. 1978. Springer-Verlag, 2000, pp. 150-164.

[19] E. Oswald, S. Mangard, N. Pramstaller, and V. Rijmen, "A side-channel analysis resistant description of the AES S-box," in Proceedings Fast Software Encryption - FSE 2005, ser. Lecture Notes in Computer Science, H. Gilbert and H. Handschuh, Eds., vol. 3557. Springer-Verlag, 2005, pp. 413-423.

[20] E. Oswald, S. Mangard, and N. Pramstaller, "Secure and efficient masking of AES - a mission impossible?" Tech. Rep., 2004.

[21] C. Paar, "Efficient VLSI architectures for bit-parallel computation in Galois Fields," Ph.D. dissertation, Institute for Experimental Mathematics, University of Essen, Germany, 1994.

[22] N. Pramstaller, F. K. Gurkaynak, S. Haene, H. Kaeslin, N. Felber, and W. Fichtner, "Towards an AES crypto-chip resistant to differential power analysis," in Proceedings European Solid-State Circuits Conference - ESSCIRC 2004, 2004, pp. 307-310.

[23] N. Pramstaller, E. Oswald, S. Mangard, F. K. Gurkaynak, and S. Haene, "A masked AES ASIC implementation," in Proceedings of Austrochip 2004, Villach, Austria, Oct. 8, 2004.

[24] V. Rijmen, "Efficient implementation of the Rijndael S-box," available at: http://www.esat.kuleuven.ac.be/rijmen/rijndael/sbox.pdf.

[25] R. Rivest, A. Shamir, and L. Adleman, "A method for obtaining digital signatures and public-key cryptosystems," Communications of the ACM, vol. 21, no. 2, 1978, pp. 120-126.

[26] K. Tiri and I. Verbauwhede, "A logic level design methodology for a secure DPA resistant ASIC or FPGA implementation," in Design, Automation and Test in Europe Conference and Exhibition (DATE'04), 2004.

[27] T. E. Tkacik, "A hardware random number generator," in Proceedings Cryptographic Hardware and Embedded Systems - CHES 2002, ser. Lecture Notes in Computer Science, B. K. Jr., C. K. Koc, and C. Paar, Eds., vol. 2523. Springer-Verlag, 2003, pp. 450-453.

[28] E. Trichina, "Combinational logic design for AES SubByte transformation on masked data," Cryptology ePrint Archive, 2003.

[29] E. Trichina and T. Korkishko, "Secure AES hardware module for resource constrained devices," in Security in Ad-hoc and Sensor Networks, ser. Lecture Notes in Computer Science, C. Castelluccia, H. Hartenstein, C. Paar, and D. Westhoff, Eds., vol. 3313. Springer-Verlag, 2004, pp. 215-229.

[30] E. Trichina, T. Korkishko, and K. H. Lee, "Small size, low power, side channel-immune AES coprocessor: Design and synthesis results," in Advanced Encryption Standard - AES, ser. Lecture Notes in Computer Science, H. Dobbertin, V. Rijmen, and A. S, Eds., vol. 3373. Springer-Verlag, 2005, pp. 113-127.

[31] E. Trichina, D. D. Seta, and L. Germani, "Simplified adaptive multiplicative masking for AES," in Proceedings Cryptographic Hardware and Embedded Systems - CHES 2002, ser. Lecture Notes in Computer Science, B. K. Jr., C. K. Koc, and C. Paar, Eds., vol. 2523. Springer-Verlag, 2003, pp. 187-197.

[32] J. Wolkerstorfer, E. Oswald, and M. Lamberger, "An ASIC implementation of the AES S-boxes," in Proceedings Topics in Cryptology - CT-RSA 2002, ser. Lecture Notes in Computer Science, B. Preneel, Ed., vol. 2271. Springer-Verlag, 2002, pp. 67-78.

[33] S.-Y. Wu, S.-C. Lu, and C. S. Laih, "Design of AES based on Dual Cipher and composite field," in Proceedings Topics in Cryptology - CT-RSA 2004, ser. Lecture Notes in Computer Science, T. Okamoto, Ed., vol. 2964. Springer-Verlag, 2004, pp. 25-38.

Full-text availability: on campus from 2007-07-12; off campus from 2008-07-12.