ISCAS OpenIR  > 信息安全国家重点实验室  > 学位论文
Subject: 计算机科学技术基础学科::数据安全与计算机安全
Author: 陈海宁
Issued Date: 2010-06-02
Supervisor: 周永彬
Major: 信息安全
Degree Grantor: 中国科学院研究生院
Place of Degree Grantor: 北京
Degree Level: 硕士
Keyword: Feistel密码 ; 差分故障分析 ; 故障传播模式 ; 故障传播路径 ; Camellia
Abstract: 密码算法是信息安全研究的核心内容之一,其实际安全性不仅依赖于密码自身的数学特性,也依赖于具体的实现特性。基于实现的密码分析是一种有别于传统密码分析的新型密码分析方法,它利用算法实现时的信息泄露来恢复秘密信息。差分故障分析(Differential Fault Analysis,简称DFA)就是这样一类重要的密码分析方法。 现代密码学中,密码设计通常基于混淆和扩散这两大基本原则。对于一个分组密码而言,选择一个合适的轮函数并进行若干次迭代可以提供必要的混淆和扩散。因此,目前流行的分组密码均为迭代型密码,所采用的典型结构包括Feistel结构、SPN结构和广义Feistel结构等。这些密码结构及其所采用的基础密码组件(例如,S盒和P置换等)的性质,完全决定了故障在传播过程中所呈现的一些模式。直观上,这种内在特征可以用于挖掘DFA攻击和密码结构之间的关系。因此,完全可能利用这种特征来建立一种面向密码结构的系统化DFA攻击方法。 本文主要研究面向Feistel密码的差分故障分析方法,并探讨这类分析方法与已有可证明安全性理论分析结论之间的关系。为此,引入了故障传播路径(Fault Propagation Path,简称FPPath)和故障传播模式(Fault Propagation Pattern,简称FPPattern)的概念,给出了适用于Feistel结构的 FPPath 和 FPPattern 计算方法,建立了与已有可证明安全性理论结果之间的关系。在此基础上,提出了一种面向Feistel密码的基于故障传播模式的 系统化差分故障分析方法。使用该方法,可编程实现FPPath和FPPattern的自动计算,这将有助于针对Feistel密码的自动化DFA攻击的实施。这种情形下,可将FPPath的长度视作评估DFA攻击有效性的一种度量指标。此外,该系统化方法的必然结果是攻击性能的显著提高:不但攻击轮数有所减少,而且故障植入点数量也会减少,这将迅速降低实施一次成功攻击所需的故障密文数。最后,为验证该方法的正确性和有效性,以Camellia密码算法为具体实例,进行了相关模拟攻击实验研究,并给出了相应的数据复杂度分析和时间复杂度分析。通过充分利用Camellia算法中P置换的性质,在不需要穷举搜索的情况下,新攻击方法仅需要6个故障密文即可完全恢复出128位密钥,而成功恢复出192位或256位密钥所需要的故障密文数则为22个。结果表明,基于FPPattern的DFA方法要优于所有已有同类方法。
English Abstract: Cryptographic algorithm is one of the core elements for information security, and its physical security relies not only on the mathematical characteristics but also on the implementation characteristics. Unlike traditional cryptanalysis, implementation based cryptanalysis is a new type attack which utilizes the leakage information of cryptographic algorithm's implementation in order to retrieve secrets. Differential Fault Analysis (DFA for short) is such a powerful cryptanalytic method. In modern cryptography, confusion and diffusion have been widely accepted as two fundamental principles to design secure ciphers. For block ciphers, a carefully chosen round function, if iterated couples of times, can provide the necessary properties of confusion and diffusion. As a result, most popular block ciphers are iterated ones, with typical structures such as Feistel, SPN, Generalized Feistel, etc. These cryptographic structures, as well as the special properties of underlying cryptographic components like S-boxes and permutation functions, will fully determine the patterns that faults will have in the process of propagation. Intuitively, this inherent characteristic can be (and should be) used to exploit the relationship between DFA and cryptographic structures. Therefore, it is totally possible to take advantages of this characteristic to establish a systematic DFA method on cryptographic structures. This thesis mainly focuses on studying the DFA method on Feistel ciphers and discussing the relationship between this method and the established results of theoretical cryptanalysis with provable security. For this purpose, this thesis introduces two new notions of Fault Propagation Path (FPPath for short) and Fault Propagation Pattern (FPPattern for short), and presents the algorithms for computing FPPath and FPPattern for Feistel ciphers. The relation between those two fundamental notions and the established results of theoretical cryptanalysis with provable security is built. Based on those notions, this thesis presents a FPPattern based systematic DFA method on Feistel ciphers. By this method, it can be programmed to automatically compute FPPaths and FPPatterns, which will facilitate the automatic DFA on Feistel ciphers. In this case, the length of FPPath can be regarded as a quantitative metric to evaluate the efficiency of DFA attacks. Moreover, one consequent result of this systematic method is remarkable performance enhancement. Specifically, not only the number of attacked rounds but also the number of fault injection points is reduced, which rapidly decrease the amount of required faulty ciphertexts for successful attacks. To verify both the correctness and the efficiency of this method, the FPPattern based DFA simulations are performed to attack Camellia, and corresponding analyses of both data complexity and time complexity are provided. By making better use of the fundamental property of P-function utilized in Camellia, our attack, without any brute-force search, only requires 6 faulty ciphertexts to retrieve the 128-bit key and 22 faulty ciphertexts to recover 192/256-bit keys. The results demonstrate that the FPPattern based DFA method is better than all the existing DFA methods.
Language: 中文
Content Type: 学位论文
Appears in Collections:信息安全国家重点实验室_学位论文

Files in This Item:
File Name/ File Size Content Type Version Access License
Thesis_Chen.pdf(900KB)----限制开放 联系获取全文

Recommended Citation:
陈海宁. 面向Feistel密码的基于故障传播模式的差分故障分析[D]. 北京. 中国科学院研究生院. 2010-06-02.
Recommend this item
Sava as my favorate item
Show this item's statistics
Export Endnote File
Google Scholar
Similar articles in Google Scholar
[陈海宁]'s Articles
CSDL cross search
Similar articles in CSDL Cross Search
[陈海宁]‘s Articles
Related Copyright Policies
Social Bookmarking
Add to CiteULike Add to Connotea Add to Add to Digg Add to Reddit
所有评论 (0)
内 容:
Email:  *
验证码:   刷新
标 题:
内 容:
Email:  *
验证码:   刷新

Items in IR are protected by copyright, with all rights reserved, unless otherwise indicated.



Valid XHTML 1.0!
Copyright © 2007-2021  中国科学院软件研究所 - Feedback
Powered by CSpace