SM4-XTS Side Channel Analysis Method Based on Multi-stage CPA
doi: 10.11999/JEIT240183
1. School of Microelectronics, Tianjin University, Tianjin 300072, China
2. Tianjin Key Laboratory of Imaging and Perception Microelectronics Technology, Tianjin 300072, China
3. CATARC Technology Co., Ltd., Shenzhen 518118, China
4. School of Computer Science, National University of Defense Technology, Changsha 410073, China
Abstract: The XEX-based Tweaked-codebook mode with ciphertext Stealing (XTS) is widely used in storage encryption. With the emergence and application of big data computing and novel side-channel analysis methods, the security of the XTS encryption mode has become a matter of concern. Recent studies have attempted side-channel analysis of the XTS mode, aiming to narrow the key search space by identifying partial keys and tweak values, but a complete analysis of the XTS mode as a system has not been achieved. In this paper, a side-channel analysis technique targeting the SM4-XTS circuit is proposed. By combining traditional Correlation Power Analysis (CPA) with a multi-stage fusion CPA technique, it addresses the binary shift problem caused by the iterative modular multiplication of the tweak values, enabling precise extraction of both the tweak values and the keys. To validate the effectiveness of this analysis technique, an SM4-XTS encryption module is implemented on an FPGA to simulate an encrypted storage device in a real-world setting. Experimental results demonstrate that the technique can successfully extract partial tweak values and keys from the target encryption circuit using only 10 000 power traces.
Key words:
- SM4-XTS
- Side-channel analysis
- Block ciphers
- Correlation Power Analysis (CPA)
1 Analysis of the low 96 bits of tweak0
Input: 128-bit PT
Output: $\text{tweak}_0[95:0]$
1: $\text{ET} = \text{PT} \oplus \text{tweak}_0$
2: $X_1 = \mathrm{F\_function}(\text{ET}, \text{rk}_1)$
3: $\mathbf{PowerTrace1} = \mathrm{HW}(\text{reg\_round1} \leftarrow \{\text{PT}[95:0], X_4\})$ // collect the power data and compute the Hamming weight of the value stored in reg_round1 as the analysis dataset PowerTrace1
4: $\text{tweak}_0[95:0] = \max(\mathrm{correlation}(\mathbf{PowerTrace1}, \text{PT}))$
2 Analysis of the high 32 bits of tweak0
Input: 128-bit $\text{PT}_0$
Output: $\text{tweak}_0[127:96]$
1: $\text{ET}_0 = \text{PT}_0 \oplus \text{tweak}_0$
2: $X_{1,0} = \mathrm{F\_function}(\text{ET}_0, \text{rk}_1)$
3: for i in range(1, 32):
4:   if ($\text{tweak}_i[127] == 0$) then
5:     $\text{tweak}_i = \text{tweak}_{i-1} \lll 1$
6:   else
7:     $\text{tweak}_i = (\text{tweak}_{i-1} \lll 1) \oplus \text{0x87}$
8:   if ($\text{PT}_i[127] == 0$) then
9:     $\text{PT}_i = \text{PT}_{i-1} \lll 1$
10:  else
11:    $\text{PT}_i = (\text{PT}_{i-1} \lll 1) \oplus \text{0x87}$
12:  $\text{ET}_i = \text{PT}_i \oplus \text{tweak}_i$
13:  $X_{1,i} = \mathrm{F\_function}(\text{ET}_i, \text{rk}_1)$
14:  $\mathbf{PowerTrace2} = \mathrm{HD}(\{\text{ET}_{i-1}[95:0], X_{1,i-1}\}, \{\text{ET}_i[95:0], X_{1,i}\})$ // collect the power data and compute the Hamming distance between successive register contents as the analysis dataset PowerTrace2
15: $\text{tweak}_0[127:96] = \max(\mathrm{correlation}(\mathbf{PowerTrace2}, \text{PT}))$
3 Analysis of Key1
Input: 128-bit PT
Output: $\text{Key}_1$
1: $\text{ET} = \text{PT} \oplus \text{tweak}_0$
2: $\mathbf{PowerTrace3} = \mathrm{HW}(\text{Sbox}\{\text{ET}[95:64] \oplus \text{ET}[63:32] \oplus \text{ET}[31:0] \oplus \text{rk}_1\})$ // collect the power data and compute the Hamming weight of the S-box output as the analysis dataset PowerTrace3
3: $\mathbf{grk} = \max(\mathrm{correlation}(\mathbf{PowerTrace3}, \text{PT}))$ // from the dataset, take the rk value with the highest correlation as grk (guessed round key)
4: $\text{Key}_1 = \mathrm{Key\_exp}^{-1}(\mathbf{grk})$ // compute Key1 by inverting the key expansion algorithm
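The stage-1 recovery of tweak0[95:0] above, together with the tweak update that stage 2 iterates, as an added Python simulation that is not code from the paper: it constructs noisy Hamming-weight traces for a constructed tweak0, runs the byte-wise CPA, and shows why only the low 96 bits come out of this stage (tweak0[127:96] never appears in the round-1 register, which is what makes the second stage necessary). Assumptions: X4 is modelled as a uniform random word because the attacker does not know rk1, and the tweak update is written in the IEEE Std 1619 shift-and-reduce form, which is how the page's "<<< 1, ⊕ 0x87" step is read here.

```python
import random
HW = [bin(v).count("1") for v in range(256)]  # byte Hamming weight: the leakage model
MASK96 = (1 << 96) - 1
def tweak_next(tweak):
    """XTS tweak update (multiply by alpha, IEEE Std 1619 form): shift left, reduce by 0x87."""
    return ((tweak << 1) & ((1 << 128) - 1)) ^ (0x87 if tweak >> 127 else 0)

def simulate_traces(tweak0, n, noise=1.0, seed=1):
    """Constructed stage-1 leakage: the round-1 register holds {ET[95:0], X4}, ET = PT ^ tweak0.
    X4 depends on the unknown rk1 via the nonlinear T, so it is a uniform random word (assumption)."""
    rng = random.Random(seed)
    pts, traces = [], []
    for _ in range(n):
        pt = rng.getrandbits(128)
        reg = ((pt ^ tweak0) & MASK96) << 32 | rng.getrandbits(32)
        pts.append(pt)
        traces.append(bin(reg).count("1") + rng.gauss(0.0, noise))  # HW plus measurement noise
    return pts, traces

def cpa_byte(pts, traces, byte_idx):
    """Stage-1 CPA for one tweak0 byte: (best guess, Pearson r) of HW(PT_byte ^ guess) vs traces.
    Traces are binned by plaintext byte value first, so each guess costs 256 ops, not a full pass."""
    n = len(traces)
    mean_t = sum(traces) / n
    var_t = sum((t - mean_t) ** 2 for t in traces)
    sums, counts = [0.0] * 256, [0] * 256
    for pt, t in zip(pts, traces):
        v = (pt >> (8 * byte_idx)) & 0xFF
        sums[v] += t - mean_t
        counts[v] += 1
    best, best_r = 0, -1.0
    for g in range(256):
        model = [HW[v ^ g] for v in range(256)]
        mean_m = sum(model[v] * counts[v] for v in range(256)) / n
        cov = sum(model[v] * sums[v] for v in range(256))  # sum((m - mean_m)(t - mean_t))
        var_m = sum(counts[v] * (model[v] - mean_m) ** 2 for v in range(256))
        r = cov / (var_m * var_t) ** 0.5
        if r > best_r:  # signed maximum: the complement guess scores exactly -r
            best, best_r = g, r
    return best, best_r

def recover_low96(pts, traces):
    """Recover tweak0[95:0] byte by byte (bytes 0..11); bytes 12..15 never reach the register."""
    return sum(cpa_byte(pts, traces, i)[0] << (8 * i) for i in range(12))
def demo(n=5000):
    """Returns (recovered, true tweak0[95:0], r of leaked byte 0, r of unleaked byte 12)."""
    tweak0 = 0x0123456789ABCDEFFEDCBA9876543210  # constructed value, not from the paper
    pts, traces = simulate_traces(tweak0, n)
    return (recover_low96(pts, traces), tweak0 & MASK96,
            cpa_byte(pts, traces, 0)[1], cpa_byte(pts, traces, 12)[1])
```

With 5000 constructed traces the correct guess for a leaked byte correlates at roughly 0.25 while the best guess for an unleaked byte stays near zero, which is the gap the multi-stage approach relies on.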