English Abstract

Side-channel attacks have become an increasingly important branch of ongoing cryptanalysis research and cryptographic engineering practice. Unlike its traditional black-box counterpart, side-channel cryptanalysis not only investigates the mathematical properties of the underlying cryptographic scheme, but also concerns a broad spectrum of unintended observable leakages during its execution, such as running time, power consumption and electromagnetic emanations. Power analysis attacks, widely regarded as one of the most powerful types of side-channel attack, pose serious threats to the physical security of many kinds of secure devices (smart cards, for instance) running cryptographic schemes, and have therefore attracted wide attention from both academia and industry since their introduction by P. Kocher in 1999. Motivated by this, this dissertation investigated the mechanisms of power analysis attacks and their countermeasures, aiming to establish practical and effective characterization and analysis approaches, to propose effective countermeasures, and to capture the effectiveness of these in a reasonable and objective way. We argue that these works are not only of theoretical significance, but also of practical interest for the design, analysis, construction and testing of cryptographic modules. Specifically, the main contents and contributions of this dissertation are five-fold, as follows.

Characterization of Power Leakage

Accurate characterization of the power leakage of crypto devices is an essential prerequisite for developing more effective power analysis attacks. Although most of the currently existing online characterization approaches are capable of capturing the characteristics of power consumption leakage, they bear one restriction: full access to the target device is explicitly assumed, which severely limits their practicality. We proposed a compact yet efficient approach to characterizing side-channel leakage more accurately, called the Bitwisely Weighted Characterization (BWC for short) approach. One remarkable property of BWC is that it is completely independent of the underlying cryptographic scheme and concerns only the inherent power consumption characteristics of the crypto device, which immediately implies more genericity than algorithm-dependent approaches.

Construction and Analysis of Distinguishers

Basically, power analysis attacks work because they exploit the dependency between power leakage and intermediate values related to the secret key in use. Consequently, how to effectively exploit this dependency is central to developing more powerful attacks. Therefore, the construction and analysis of side-channel distinguishers has been, and remains, one of the core issues in power analysis attacks, with effectiveness and genericity as its two main goals. As a concrete application of the BWC approach, we constructed two new BWC-based side-channel distinguishers, namely BWC-DPA and BWC-CPA, whose effectiveness is better than that of their original counterparts. On the other hand, we developed a new generic side-channel distinguisher based on the partial Kolmogorov-Smirnov test, namely the PKS distinguisher. The PKS distinguisher overcomes some serious limitations inherent in existing MIA-type distinguishers: specifically, it has obvious advantages over existing MIA-like distinguishers in terms of both success rate and guessing entropy, and shows better applicability as well.

Design and Analysis of an Algorithmic Countermeasure

Lightweight block ciphers are especially suitable for resource-restricted computing devices (e.g. RFID tags and wireless sensors), and have become one of the most active research topics. In order to enhance the resistance of lightweight block cipher implementations against power analysis attacks, we proposed an algorithmic countermeasure called Bitwisely Balanced enCoding (BBC for short). Taking LBlock and PRESENT as two case studies, we performed simulation experiments, and the results show that the BBC countermeasure can obtain a high security enhancement at reasonable cost.

Evaluation of Distinguisher Effectiveness

How to properly investigate the real threat of power analysis attacks, and how to objectively evaluate the actual resistance of countermeasures against attacks, remains a challenging task, one part of which is the construction of usable quantitative metrics. We proposed a sound approach to evaluating the effectiveness of DPA attacks from the perspective of the distinguishers' statistical characteristics. Specifically, we formally defined the notion of a Gaussian Distinguisher in one typical DPA attack setting and then proved that the two most frequently used DPA distinguishers are Gaussian. After that, Distinctive Level, a useful quantitative metric, was introduced to evaluate the effectiveness of DPA attacks. This metric virtually equips the designer with the capability of judging to what extent attacks will succeed. We then performed experiments using both simulated and real power traces, the results of which evidently demonstrate the validity and effectiveness of the proposed methods. In addition, we examined the relationship between distinctive level and success rate by theoretical reasoning as well as experimental evaluation, and the results validate the soundness of distinctive level.

Design and Development of Basic Supporting Tools for Cryptanalysis and Testing

The availability of some basic supporting tools for cryptanalysis and testing is enormously helpful for practitioners who carry out real analysis and testing of cryptographic algorithms and modules. This also serves as a crucial step towards the practicalization of available or self-developed approaches and techniques, and motivates the design and development of some basic supporting tools for these tasks. On the one hand, we designed and developed one DSP-based high-speed random testing device, namely the LOIS-RTC card, tailored for performing randomness testing of cryptographic schemes. The functions of this device are fully compatible with those specified in the national random testing standard, and it is vital for performing traditional cryptanalysis and testing. On the other hand, we proposed an instruction-level power consumption software simulation approach, aiming to analyze and assess the resistance of cryptographic implementations in the presence of power analysis attacks. Additionally, we designed and developed one prototype system of power consumption simulation for cryptographic implementations, called IMScale. This prototype is instrumental for performing side-channel cryptanalysis.

Keywords: Cryptography, Side-Channel Cryptanalysis, Power Analysis Attack, Distinguisher, Countermeasure, Quantitative Metrics, Instruction-Level Power Simulation, Randomness Testing
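As an added illustration of two points in the abstract above, that a distinguisher works by exploiting the dependency between leakage and key-related intermediate values, and that a balanced encoding is meant to remove that dependency, the following Python simulation is not part of the dissertation. It uses the PRESENT S-box (one of the abstract's case-study ciphers), a constructed Hamming-weight-plus-noise leakage model in the spirit of the simulation experiments described, a plain CPA distinguisher, and a simple dual-rail style encoding assumed here only as a stand-in, since the abstract does not give the details of the BBC scheme.

```python
import random

# PRESENT 4-bit S-box (one of the two case-study ciphers the abstract names)
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def hw(x):
    """Hamming weight, the usual proxy for the power drawn by a register value."""
    return bin(x).count("1")

def dual_rail(x, bits=4):
    """Balanced encoding ASSUMED for illustration (not the dissertation's BBC):
    each bit b is stored as the pair (b, 1-b), so every codeword has Hamming
    weight `bits` and a HW leakage model no longer depends on the value."""
    enc = 0
    for i in range(bits):
        b = (x >> i) & 1
        enc |= (b << (2 * i)) | ((1 - b) << (2 * i + 1))
    return enc

def simulate_traces(key, n, sigma, encode=lambda v: v, seed=1):
    """Constructed leakage model: one sample per trace, equal to the Hamming
    weight of the (optionally encoded) S-box output plus Gaussian noise."""
    rng = random.Random(seed)
    pts = [rng.randrange(16) for _ in range(n)]
    return pts, [hw(encode(SBOX[p ^ key])) + rng.gauss(0.0, sigma) for p in pts]

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5 if sxx and syy else 0.0

def cpa_scores(pts, leaks):
    """CPA distinguisher: for each of the 16 key hypotheses k, correlate the
    measured leakage with the predicted HW of SBOX[p ^ k]."""
    return {k: pearson([hw(SBOX[p ^ k]) for p in pts], leaks) for k in range(16)}

def best_key(scores):
    """CPA ranks hypotheses by absolute correlation."""
    return max(scores, key=lambda k: abs(scores[k]))

def assess(key=0x9, n=1000, sigma=0.5):
    """Run the distinguisher on the unprotected and the balanced model; return
    (recovered key, peak |correlation|) for each."""
    plain = cpa_scores(*simulate_traces(key, n, sigma))
    bal = cpa_scores(*simulate_traces(key, n, sigma, encode=dual_rail))
    kp, kb = best_key(plain), best_key(bal)
    return {"unprotected": (kp, abs(plain[kp])), "balanced": (kb, abs(bal[kb]))}
```

On the unprotected model the correct key nibble stands out with a correlation near 0.9, while on the balanced model every hypothesis scores near zero, which is the kind of gap a simulation-based assessment of a countermeasure is looking for.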