Research on the Design and Implementation Security of High-Order Masking Protection
[Abstract]: Since masking countermeasures were first proposed, their security and generality have improved steadily, moving from first-order to high-order resistance. The earliest first-order masking schemes mainly targeted the DES algorithm, while later first-order schemes mostly take AES as the protection target, address different hardware and software platforms, and continuously reduce time and space costs. While pursuing higher security, high-order masking schemes are also developing toward generality. The main line of work is to design a generic S-box masking scheme that can be applied to any S-box design and can resist any side-channel attack. High-order masking has been widely accepted as an algorithm-level, provably secure side-channel protection method, and theoretical security proofs represented by the ISW security framework, together with arbitrary-order masking schemes under that framework, have emerged. However, with respect to side-channel analysis, the security of a cryptographic design and implementation cannot rest on algorithm-level security alone. To address the gap between the theoretical security and the practical security of such schemes, Roche and Prouff proposed a hardware-oriented secure masking scheme in 2011, but this scheme cannot be applied to existing high-order masking designs. It is only a hardware-level secure implementation of the RivP scheme proposed by Rivain and Prouff at CHES 2010. Moreover, taking the implementation of d-th order secure finite field multiplication as an example, the number of additions and multiplications performed must increase from O(d^2) to O(d^3); the resulting growth in design resources has a great impact on execution efficiency and reduces the practicability of the scheme.
Targeting efficient and secure hardware design platforms, the author first analyzes how glitches caused by differing delays may leak sensitive information. Compared with combinational logic designs, circuits in sequential designs do not produce order-reducing leakage. In addition to the known glitch leakage, there is also leakage related to the hardware design structure. From the point of view of the cipher chip designer, the author analyzes the different hardware design structures of the key components in the masking scheme. The author uses the mutual information method to analyze the security problems caused by concurrent (parallel) design and proves theoretically the latent risk of concurrent design. Having identified these latent risks in masking designs, the author gives recommendations for secure and lightweight secure designs. Finally, the security of hardware implementations of high-order masking schemes under different design structures is compared through experiments, which show that the experimental results are consistent with the theoretical conclusions.
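[Author affiliations]: School of Computer Science, Wuhan University; State Grid Corporation Key Laboratory of Power Chip Design and Analysis; Maintenance Company of State Grid Xinjiang Electric Power Company
[Funding]: National Natural Science Foundation of China (61472292, 61332019); National "973" Key Basic Research Development Program (2014CB340601); Research on Key Technologies of a New Generation of High-Speed, High-Grade Security Chips for the Smart Grid (526816160015)
[Classification number]: TP309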
Article ID: 2301680
Article link: https://www.wllwen.com/kejilunwen/ruanjiangongchenglunwen/2301680.html