Chosen Plaintext Combined Attack against sm4 Algorithm
nomzod qiymatlarini taxmin qilish va korrelyatsiya koeffitsientlarini qayta hisoblashda maksimal koeffitsientga
Download 124.2 Kb.
|
SM4
- Bu sahifa navigatsiya:
- 4.3. Cheklovlar
- Tajribalar
nomzod qiymatlarini taxmin qilish va korrelyatsiya koeffitsientlarini qayta hisoblashda maksimal koeffitsientga.Yaxshilashdan faqat 4 ta asosiy CPA amalga oshiriladi va tahlil qilish uchun izlar soni 4 ga kamaydi. Bundan tashqari, kalit qidiruv maydonining murakkabligi 4 28 + 24 2 gacha kamayadi. Xulosa qilib aytganda, bizning hujumimiz nafaqat bizning hujumimiz uchun zarur bo'lgan izlar soni, balki vaqt murakkabligi bo'yicha ham aniq afzalliklarga ega. Bu bizning hujumimizni tajribalar uchun yanada amaliy va amalga oshirish imkonini beradi.4.3. Cheklovlar3.3-bo'limda aytib o'tilganidek, bizning hujumimiz yangi differentsial texnologiyani birlashtirgan bo'lsa-da va tajribalar uchun ko'proq mumkin bo'lsa-da, hali ham ba'zi cheklovlar mavjud.Birinchidan, 3.2-bo'limda keltirilganidek, biz faqat dumaloq kalit ikkita nomzod qiymatiga ega deb taxmin qilamiz. Aslida, dumaloq kalit baytida to'rtta nomzod mavjud. To'rtta nomzod qiymatlari mavjud bo'lsa, hujum muvaffaqiyatsiz deb hisoblanadi va yana boshqa kirishlar bilan amalga oshiriladi. Bundan tashqari, tahlilda to'rtta nomzodni taxmin qilsak, murakkablik tahlili ortadi. Bu ham biz kelajakda o'rganamiz va tekshiramiz. Ikkinchidan, SM4 ni amalga oshirishda maskalanuvchi qarshi choralar mavjud bo'lganda va S-box tasodifiy raqamlar bilan niqoblangan bo'lsa (bu holat juda keng tarqalgan), bizning hujumimiz muvaffaqiyatsiz bo'ladi. Maskalashni amalga oshirish uchun biz shablon hujumi va to'qnashuv hujumini birlashtirishni ko'rib chiqamiz.TajribalarYuqoridagi qo'shma hujumlar uchun biz FPGA chipida amalga oshirilgan SM4 algoritmida eksperimental tekshirishni o'tkazdik, asosan hujumning fizibilligi va samarasini tekshirdik.9.1. Eksperimental muhitTajribada foydalanilgan FPGA chipi (SM4 algoritmini amalga oshirish) SAKURA-G FPGA sinov taxtasi bo'lib, bizning hujumimiz uchun quvvat tahlili hujumiga oid Riscure to'plami, jumladan, dasturiy ta'minot inspektori va sotib olish uchun apparat osiloskopini tahlil qilish uchun ishlatiladi. Butun tahlil jarayoni quyidagi uchta bosqichni o'z ichiga olgan holda 2-rasmda ko'rsatilgan.(1) Kompyuter SAKURA-G FPGA sinov taxtasiga ochiq matnni yetkazib beradi va sinov taxtasi SM4 shifrlash operatsiyasini bajaradi va bir vaqtning o'zida tetik signalini hosil qiladi. (2) Kompyuter SM4 shifrlash operatsiyasi natijasida sizib chiqqan quvvat sarfi egri chiziqlarini yig'ish uchun osiloskopga boshqaruv ko'rsatmalarini yuboradi va ma'lumotni saqlash uchun shaxsiy kompyuterga yuboradi. (3) Yig'ilgan SM4 quvvat oqish egri chiziqlari Riscure quvvat tahlili Software Inspector tomonidan birlashtiriladi va tahlil qilinadi. Figure 2. Measurement environment. Attack Instances In the experiment, the second round (the input of the first round needs to be controlled, so that rk0 and rk1 are recovered) is selected as the analysis object for attack examples. The analysis of the fourth round (the input of the third round needs to be controlled) is similar to that of the second round. Based on the above experimental environment, three groups of power leakage curves A, B and C (1000 for each group) are collected, and the plaintext input of the curves need to satisfy the following requirements: 1 2 Group A: M0 = X1 ⊕ X2 ⊕ X3 is a fixed value, X0 is a random value; Group B: M0′ = X′ ⊕ X′ ⊕ X3′ is a fixed value, X0′ is a random value; 0 1 2 3 0 Group C: M′′ = X′′ ⊕ X′′ ⊕ X′′ is a fixed value, X′′ is a random value. where M / ′= M /= M .0 0 ′′ 0 As shown in Figure 3, the power curve of data collection in group A includes plaintext input, 32 obvious peaks, and ciphertexts output; each peak represents the round operation of SM4. The second peak (corresponding intermediate value is the output of the second round S box) is selected for attack. When the number of the power consumption curves is 1000, the correlation coefficient results of the attack are shown in Figures 4–7. There are four obvious peaks, which respectively represent the correlation between the correct guess value of V1 four bytes and the power consumption curve sample points. Therefore, the correct V1 can be determined. Similarly, the power consumption curves of group B and C are analyzed successively to recover V2 and V3. Using V1, V2, V3 and chosen input plaintext values, the input and output difference of S-box is calculated, the round key rk0 of the first round is recovered, and then rk1 is deduced. Meanwhile, we can use two of the three values V1, V2, V3, and chosen input plaintext values, calculate 16 candidate values for rk0, and recalculate the correlation coefficients between the S-box output and the traces; the round key corresponding to the maximum coefficient is the correct rk0, and then rk1 is deduced. Tajribalar Yuqoridagi qo'shma hujumlar uchun biz FPGA chipida amalga oshirilgan SM4 algoritmida eksperimental kuchni o'tkazdik, asosan hujumning fizibilligi va to'g'riligini tekshirdik. 9.1. Eksperimental muhit Tajribada foydalanilgan FPGA chipi (SM4 algoritmini amalga oshirish-G) SAKURA FPGA sinov taxtasi bo'lib, bizning hujumimiz uchun quvvat tahliliga oid Riscure to'plami, individual ta'minot inspektori va sotib olish uchun apparat o'z ishini tahlil qilish uchun. Butun tahlil jarayoni uch qadamni o'z olingan holda 2-rasmda ko'rsatilgan. SAKURA-G FPGA sinov taxtasiga ochiq matnni yuklaydi va SM4 shifrlash operatsiyasini va bir kompyuter taxtasi o'zida tetik signalini hosil qiladi. (2) Kompyuter SM4 shifrlash operatsiyasi yordamida sizib chiqqan quvvat sarfi egri chiziqlarini yig'ish uchun osiloskopga boshqaruv ko'rsatma va ma'lumotni saqlash uchun shaxsiy kompyuterga yuboriladi. (3) Yig'ilgan SM4 quvvat oqish egri chiziqlari Riscure quvvat tahlili Software Inspector birlashtiriladi va tahlil tahlili. Download 124.2 Kb. Do'stlaringiz bilan baham: 
|