中国科学院软件研究所机构知识库
Advanced  
ISCAS OpenIR  > 信息安全国家重点实验室  > 学位论文
学科主题: 计算机科学技术基础学科::数据安全与计算机安全 ; 计算机科学技术其他学科
题名:
能量分析攻击的攻防机理及评估技术研究
作者: 刘继业
答辩日期: 2011-11
导师: 冯登国研究员
专业: 信息安全
授予单位: 中国科学院研究生院
授予地点: 北京
学位: 博士
关键词: 密码学 ; 侧信道密码分析 ; 能量分析攻击 ; 泄露刻画 ; 区分器 ; 防御对策 ; 量化度量 ; 指令级能耗模拟 ; 随机性检测
其他题名: Power Analysis Attack: Attack, Countermeasure, and Evaluation
摘要:

侧信道密码分析是密码学研究的一个重要分支。与传统的密码分析方法不
同,侧信道分析不仅关注密码方案的基本数学性质,同时还注重分析并利用密
码方案运行时产生的物理信息泄露,例如运行时间、瞬时能量消耗以及电磁辐
射等。其中,作为一种被公认有效的侧信道分析方法,能量分析攻击对广泛应
用的各类智能安全设备(例如,智能卡等)的物理安全性造成了极其严重的现实
威胁,日益受到学术界与产业界的共同关注。
因此,研究能量分析攻击的攻防机理,揭示这类攻击的现实威胁,建立高
效新颖的分析方法,提出有效的防御措施,合理客观地刻画攻防手段的有效
性,对于安全高效的密码模块的设计、分析、构建与测评,具有重要的理论价
值与迫切的现实意义。具体地,论文的主要工作及主要贡献包括如下五项内
容:
能耗泄漏刻画
对目标密码设备的能耗泄漏特征进行精确刻画是提出高效能量分析攻
击方法的先决条件。 现有在线能耗泄露刻画技术对泄露特征的刻画较为精
确,但需要对目标设备具有完全访问能力这一假设极大地限制了其应用范围。
因此,本文提出一种基于比特权重的能耗泄漏刻画方法(Bitwisely Weighted
Characterization,简称BWC),显著地拓展了在线泄露刻画手段的适用范畴。
与已有其它典型在线泄露刻画方法不同,BWC方法的显著特点之一是它并不
依赖于目标设备中实现的密码算法,而仅仅关注密码设备自身的能耗泄露特
征,因此具有更好的通用性。
区分器的构造与分析
能量分析攻击本质上利用了目标设备能量消耗特征与依赖密钥的中间值的
相关性,如何更有效地挖掘并利用这种相关性是建立高效分析方法的前提。因
此,区分器构造与分析是能量分析攻击中的核心问题之一,而高效性与通用性
则是区分器构造的主要目标。作为BWC方法的一个具体应用,本文构造了两
种增强型侧信道类区分器,即BWC-DPA区分器与BWC-CPA区分器,两者的
攻击效果均优于原区分器。此外,鉴于已有MIA类区分器存在的局限性,本文提出了基于局部Kolmogorov-Smirnov检测的PKS区分器,该区分器对线性能耗
泄漏和非线性能耗泄漏的利用效果均强于已有MIA类区分器。

算法级防御对策的设计与分析
轻量级密码算法可广泛应用于受限环境(如RFID、无线传感网络),是当
前密码学最活跃的研究方向之一。 为了增强这类密码算法实现对能量分析
攻击的抵御能力,受硬件防御对策“双栅逻辑”的启发,本文提出了一种适
用于轻量级密码实现的算法级防御措施――比特平衡编码(Bitwisely Balanced
enCoding,简称BBC)方案。BBC方法适用于多种典型的轻量级密码算法实现,
能够以较低的开销有效地降低能耗信息泄露造成的风险,特别地,增强了抵御
高阶CPA攻击的能力。
区分器有效性的度量
如何正确审视已有多种能量分析攻击的实际威胁,客观评估防御措施的有
效性,是当前侧信道密码分析领域的困难问题。其中,量化度量作为一种最关
键的客观刻画尺度,其构造与分析仍然面临许多方法与技术挑战。为此,本文
提出了区分度这一度量指标。区分度依赖于攻击结果的统计分布特征,可用于
评估高斯区分器的有效性,这一工作部分解决了区分器有效性度量指标的构造
问题。此外,本文还对区分度与成功率的相关性进行了理论分析与实验研究,
证实了区分度的合理性,并取得了度量指标相关性方面的一些初步理论成果。
密码分析基础支撑工具研制
密码分析基础支撑工具是对密码算法与密码模块进行实际的检测分析的必
要技术条件,也是已有检测分析方法与技术实用化的重要一环。因此,本文对
密码分析基础支撑工具的研制进行研究。具体地,针对随机性检测这一传统密
码分析中应用最广泛的量化检测工作,本文设计并实现了一款基于DSP的高速
随机性检测专用设备,即LOIS-RTC随机性检测卡。该检测卡完全兼容并支持
《随机性检测规范》,有力地推动了随机性检测技术的实用化。此外,本文提
出了一种密码实现能耗模拟方法,并给基于这种方法研制出原型系统IMScale。
该系统能够支持对多种典型密码算法软件实现的能量消耗特征进行指令级模
拟,可为密码算法设计阶段的安全性评估提供有效的技术支撑。

英文摘要:

Side-channel attacks have become an increasingly important branch of ongo-
ing cryptanalysis theoretical researches and cryptographic engineering practices.
Unlike its traditional black-box based counterpart, side-channel cryptanalysis not
only investigates mathematical properties of underlying cryptographic scheme,
but also concerns a broad spectrum of unintended observable leakages during its
execution, such as running time, power consumptions, electromagnetic emana-
tions and so on.  Power analysis attacks, one of the most widely believed types
of powerful side-channel attacks, pose serious threats to the physical security
of multiple kinds of smart secure devices (say smart card for instance) running
cryptographic schemes, and therefore have attracted wide attentions from both
academia and industrial sectors since its first introduction by P. Kocher in 1999.
Motivated by this, this dissertation investigated the mechanisms of power
analysis attacks and their countermeasures, aiming to establish practical effective
characterization and analysis approaches, to propose effective countermeasures,
and to capture the effectiveness of these in a reasonable and objective way.  We
argue that these works are not only of theoretical significance, but also of prac-
tical interest for the design, analysis, construction and testing of cryptographic
modules.  Specifically, main contents and contributions of this dissertation are
five-fold as follows.
Characterization of Power Leakage
Accurate characterization of the power leakages of crypto devices is an essen-
tial prerequisite for developing more effective power analysis attacks. Even most
of the currently existing online characterization approaches are capable of catch-
ing the characteristics of power consumption leakages, they bear one restriction
that a full access to target devices is explicitly assumed, which severely limits
their practicality.  We proposed a compact yet efficient approach to more accu-
rately characterizing side-channel leakages. It is called Bitwisely Weighted Char-
acterization (BWC for short) approach. One remarkable property of BBC is thativ it is completely independent of the underlying cryptographic scheme, and only
concerns the inherent power consumption characteristics of the crypto devices,
which immediately implies more genericity than those algorithm-dependent.
Construction and Analysis of Distinguisher
Basically, power analysis attacks work because they exploit the dependency
between power leakages and intermediate values related to the secret key being
used.  Consequently, how to effectively exploit this dependency is considerably
pertinent to developing more powerful attacks. Therefore, construction and anal-
ysis of side-channel distinguishers has been, and is one of core issues for power
analysis attacks, with effectiveness and genericity being its two main goals. As a
concrete application of BBC approach, we constructed two new BWC-based side-
channel distinguishers, namely BWC-DPA and BWC-CPA. The effectiveness of
these two distinguishers is better than that of their original counterparts.  On
the other hand, we developed a new generic side-channel distinguisher based on
partial Kolmogorov-Smirnov test, namely PKS distinguisher. PKS distinguisher
overcomes some serious limitations inherent in existing MIA-type distinguishers.
Specifically, PKS distinguisher has obvious advantages over existing MIA-like dis-
tinguishers in terms of both success rate and guessing entropy, and shows better
applicability as well.
Design and Analysis of Algorithmic Countermeasure
Light weight block ciphers are especially suitable for resource-restricted com-
puting devices (eg. RFID tags and wireless sensors), and turns to be one of the
most active research topics. In order to enhance the resistance level of light weight
block cipher implementations against power analysis attacks, we proposed an al-
gorithmic countermeasure called Bitwisely Balanced enCoding (BBC for short).
Taking LBlock and PRESENT as two cases of study, we performed simulation
experiments and the results show that BBC countermeasure can obtain high
security enhancement with reasonable cost.
Evaluation of Distinguisher’s Effectiveness
How to properly investigate the real threats of power analysis attacks and
how to objectively evaluate the actual resistance of countermeasures against at-ABSTRACT v
tacks remains to be one challenging task, one of which is the construction of
usable quantitative metrics. We proposed a sound approach to evaluating the ef-
fectiveness of DPA attacks from the perspective of distinguishers’ statistical char-
acteristics. Specifically, we formally defined the notion of Gaussian Distinguisher
in one typical DPA attack setting and then proved that two most frequently used
DPA distinguishers were Gaussian. After that, Distinctive Level, a useful quanti-
tative metric, was introduced to evaluate the effectiveness of DPA attacks. This
metric virtually equips the designer with the capability of judging to what extent
attacks will succeed.  We performed experiments using both simulated and real
power traces afterwards, the results of which evidently demonstrated the validity
and the effectiveness of the methods we had proposed. In addition, we examined
the relationship between distinctive level and success rate by theoretical reason-
ing as well as experimental evaluation, and the results validate the soundness of
distinctive level.
Design and Development of Basic Supporting Tools for Cryptanal-
ysis and Testing
The availability of some basic supporting tools for cryptanalysis and testing
is appallingly helpful for those practioners who carry out real analysis and testing
of cryptographic algorithms and modules. This also serves a crucial step towards
practicalization of available or self-developed approaches and techniques.  This
motivates the design and development of some basic supporting tools for these
tasks.  On the one hand, we designed and developed one DSP-based high-speed
random testing device, namely LOIS-RTC card, tailoring for the task of perform-
ing randomness testing of cryptographic schemes.  The functions of this device
are fully compatible with those specified in national random testing standard,
and it is vital for performing traditional cryptanalysis and testing. On the other
hand, we proposed an instruction-level power consumption software simulation
approach, aiming to analyze and assess the resistance of cryptographic imple-
mentations in the presence of power analysis attacks. Additionally, we designed
and developed one prototype system of power consumption simulations for cryp-
tographic implementations, called IMScale.  This prototype is instrumental for
performing side-channel cryptanalysis.

Keywords:  Cryptography, Side-Cannel Cryptanalysis, Power Analysis Attack,
Distinguisher, Countermeasure, Quantitative Metrics, Instruction-Level Power
Simulation, Randomness Testing

语种: 中文
内容类型: 学位论文
URI标识: http://ir.iscas.ac.cn/handle/311060/14406
Appears in Collections:信息安全国家重点实验室_学位论文

Files in This Item:
File Name/ File Size Content Type Version Access License
刘继业博士毕业论文.pdf(6415KB)----限制开放 联系获取全文

Recommended Citation:
刘继业. 能量分析攻击的攻防机理及评估技术研究[D]. 北京. 中国科学院研究生院. 2011-11-01.
Service
Recommend this item
Sava as my favorate item
Show this item's statistics
Export Endnote File
Google Scholar
Similar articles in Google Scholar
[刘继业]'s Articles
CSDL cross search
Similar articles in CSDL Cross Search
[刘继业]‘s Articles
Related Copyright Policies
Null
Social Bookmarking
Add to CiteULike Add to Connotea Add to Del.icio.us Add to Digg Add to Reddit
所有评论 (0)
暂无评论
 
评注功能仅针对注册用户开放,请您登录
您对该条目有什么异议,请填写以下表单,管理员会尽快联系您。
内 容:
Email:  *
单位:
验证码:   刷新
您在IR的使用过程中有什么好的想法或者建议可以反馈给我们。
标 题:
 *
内 容:
Email:  *
验证码:   刷新

Items in IR are protected by copyright, with all rights reserved, unless otherwise indicated.

 

 

Valid XHTML 1.0!
Copyright © 2007-2017  中国科学院软件研究所 - Feedback
Powered by CSpace