
Research On The Fault Analysis Of Some Block Ciphers

Posted on: 2010-02-21
Degree: Doctor
Type: Dissertation
Country: China
Candidate: W Li
GTID: 1118360302466639
Subject: Computer Science and Technology
Abstract/Summary:
The block cipher is a core component of cryptology, and its security analysis has always been a very active branch of cryptanalysis. With the development of integrated circuits, smart cards and embedded systems, a new class of attack on cryptographic devices, the side channel attack, has become public. As more and more cryptosystems are deployed on chips such as smart cards, cryptographic storage cards, encryption chips and network router chips, information about their internal states may leak, for example through faulty outputs, execution time, power consumption and electromagnetic radiation. Examples show that the leak of a very small amount of side channel information can be enough to break a block cipher completely. Side channel analysis has therefore drawn much attention both in China and abroad, and has become one of the fastest growing research areas in cryptanalysis and cryptographic engineering.

Fault analysis is one widely used type of side channel attack. This dissertation discusses the fault analysis of some block ciphers and of the related structures. Under different fault models, and on the basis of differential analysis, we present several effective fault analysis and fault detection methods and validate the results by software simulation. Other side channel attacks, including the timing attack and power analysis, are also described. The main contributions of the dissertation are as follows:

(1) ARIA is a Korean standard block cipher optimized for lightweight and hardware environments. On the basis of the byte-oriented fault model and the principle of differential analysis, we propose a differential fault attack on ARIA. Mathematical analysis and simulation show that the attack recovers the 128-bit secret key with 45 faulty ciphertexts. We also present a fault detection technique that protects ARIA against the proposed analysis. We believe these results will also benefit the analysis and protection of other iterated block ciphers of the same type.

(2) CLEFIA is a 128-bit block cipher proposed by Sony Corporation at FSE 2007. A previous attack showed that CLEFIA is vulnerable to differential fault analysis, but its efficiency was low and the fault locations it could use were limited. This dissertation studies the security of CLEFIA against differential fault analysis. Under the byte-oriented fault model, our method requires only 12 faulty ciphertexts for the 128-bit key, and 30 faulty ciphertexts for the 192-bit and 256-bit keys. Compared with the previous techniques, our work expands the usable fault locations, improves the efficiency of fault injection, and reduces the number of faulty ciphertexts.

(3) This dissertation presents several new approaches to fault analysis of the SMS4 algorithm. Previous research focused on injecting faults into the encryption of SMS4, again with low efficiency and a limited attack scope. We therefore propose several techniques that target different fault locations. They use the byte-oriented fault model together with chosen plaintext attacks, and under the same assumptions they recover the 128-bit master key of SMS4. Our work thus both expands the usable fault locations and reduces the cost of the attack.

(4) This dissertation studies the security of the contracting unbalanced Feistel network (UFN) structure against differential fault analysis (DFA). The contracting UFN is a block cipher structure in which the "left half" and the "right half" are of unequal size and the domain of the round function is larger than its range. We propose two basic byte-oriented fault models and two corresponding attack methods, and apply them to two instances of the contracting UFN structure, the block ciphers MacGuffin and SMS4. MacGuffin is broken with 355 and 165 faulty ciphertexts in the two fault models, respectively. Under similar hypotheses, the experiments require 20 and 4 faulty ciphertexts, respectively, to recover the 128-bit secret key of SMS4. Our work thus builds a general model of DFA on the contracting UFN structure and the ciphers built on it, and provides a new reference for fault analysis of other block ciphers.

(5) This dissertation defines perfect security of a cryptosystem implementation against side channel attacks and discusses what the security notions of provable security imply for such an implementation. It then gives security notions for symmetric encryption against side channel attacks: UB-SCA (unbreakability under side channel attacks), IND-CPA-SCA (indistinguishability under chosen plaintext attacks combined with side channel attacks) and IND-CCA-SCA (indistinguishability under chosen ciphertext attacks combined with side channel attacks). On the basis of these definitions we state and prove, by reduction, that

UB-SCA ∧ IND-CPA ⇒ IND-CPA-SCA and UB-SCA ∧ IND-CCA ⇒ IND-CCA-SCA.

This sets up a theoretical model for symmetric ciphers against side channel attacks.

(6) The Common Scrambling Algorithm (CSA) encrypts video data streams in the Digital Video Broadcasting (DVB) system. To date, CSA is secure against classical attacks but vulnerable to fault analysis. This dissertation presents a differential power analysis, another side channel attack, on DVB CSA. By attacking the block cipher part, the common key of the whole algorithm can be derived, which expands the attack scope of differential power analysis.
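The last-round differential fault attack on SMS4 in the byte-oriented fault model, which items (3) and (4) above report results for, as an added worked example. This is illustrative code written for this page, not the dissertation's software, and it assumes a single simplified fault model (one random byte of X32, X33 or X34 is corrupted in the register that feeds round 31, and only that round sees the corrupted value); the dissertation's two models and its fault counts of 20 and 4 are not reproduced here. The S-box, FK and CK constants are the published SMS4/SM4 ones; the attack exploits the contracting-UFN shape of the round: a one-byte difference in the 96-bit source enters exactly one S-box, and the linear layer L spreads the S-box output difference over X35 in a way that a key-byte guess can be checked against.

```python
"""Added illustration of DFA on the last round of SMS4 (SM4); not the
dissertation's code.  Assumed fault model: one random byte of X32, X33 or
X34 is XORed with an unknown nonzero delta just before round 31 reads it."""
import random

SBOX = bytes.fromhex(
    "d690e9fecce13db716b614c228fb2c05" "2b679a762abe04c3aa44132649860699"
    "9c4250f491ef987a33540b43edcfac62" "e4b31ca9c908e89580df94fa758f3fa6"
    "4707a7fcf37317ba83593c19e6854fa8" "686b81b27164da8bf8eb0f4b70569d35"
    "1e240e5e6358d1a225227c3b01217887" "d40046579fd327524c3602e7a0c4c89e"
    "eabf8ad240c738b5a3f7f2cef96115a1" "e0ae5da49b341a55ad933230f58cb1e3"
    "1df6e22e8266ca60c02923ab0d534e6f" "d5db3745defd8e2f03ff6a726d6c5b51"
    "8d1baf92bbddbc7f11d95c411f105ad8" "0ac13188a5cd7bbd2d74d012b8e5b4b0"
    "8969974a0c96777e65b9f109c56ec684" "18f07dec3adc4d2079ee5f3ed7cb3948")
FK = (0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC)
# key-schedule constants: byte j of CK[i] is (4i + j) * 7 mod 256
CK = [sum((((4 * i + j) * 7) & 0xFF) << (24 - 8 * j) for j in range(4))
      for i in range(32)]


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def tau(x):  # byte-wise S-box layer
    return int.from_bytes(bytes(SBOX[b] for b in x.to_bytes(4, "big")), "big")

def L(b):  # linear layer of the round function
    return b ^ rotl(b, 2) ^ rotl(b, 10) ^ rotl(b, 18) ^ rotl(b, 24)

def L_key(b):  # linear layer of the key schedule
    return b ^ rotl(b, 13) ^ rotl(b, 23)

def words(b):
    return [int.from_bytes(b[i:i + 4], "big") for i in range(0, 16, 4)]

def key_schedule(mk):
    k = [w ^ f for w, f in zip(words(mk), FK)]
    for i in range(32):
        k.append(k[i] ^ L_key(tau(k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ CK[i])))
    return k[4:]  # rk[0..31]

def encrypt(rk, pt, fault=None):
    """fault=(word, byte, delta) XORs delta into that byte of X[word]
    (word in 32..34) right before the last round reads it; the corrupted
    register is also what is output, so the attacker sees the fault."""
    x = words(pt)
    for i in range(32):
        if i == 31 and fault is not None:
            w, b, d = fault
            x[w] ^= d << (24 - 8 * b)
        x.append(x[i] ^ L(tau(x[i + 1] ^ x[i + 2] ^ x[i + 3] ^ rk[i])))
    return b"".join(w.to_bytes(4, "big") for w in x[35:31:-1])

def analyse_pair(c, c_faulty):
    """Candidate bytes for rk[31] from one correct/faulty ciphertext pair.
    Returns (byte_index, candidate_set), or None when the pair does not
    fit the single-byte fault model (no or several active bytes)."""
    c, cf = words(c), words(c_faulty)
    a, af = c[1] ^ c[2] ^ c[3], cf[1] ^ cf[2] ^ cf[3]  # inputs of the last F
    active = [j for j in range(4) if (a ^ af) >> (24 - 8 * j) & 0xFF]
    if len(active) != 1:
        return None
    j = active[0]
    sh = 24 - 8 * j
    aj, afj = a >> sh & 0xFF, af >> sh & 0xFF
    # X35 ^ X35' = L(tau(a ^ rk) ^ tau(af ^ rk)); only byte j of the inner
    # XOR is nonzero, so a key-byte guess k is consistent iff L of that
    # single byte equals the observed output difference.
    target = c[0] ^ cf[0]
    cands = {k for k in range(256)
             if L((SBOX[aj ^ k] ^ SBOX[afj ^ k]) << sh) == target}
    return j, cands

def dfa_last_round_key(rk, pt, seed=1, max_faults=200):
    """Inject random single-byte faults until every byte of rk[31] is
    uniquely determined.  Returns (rk31 or None, number of faults used)."""
    rng = random.Random(seed)
    c = encrypt(rk, pt)
    cands = [set(range(256)) for _ in range(4)]
    used = 0
    while any(len(s) != 1 for s in cands) and used < max_faults:
        fault = (rng.randrange(32, 35), rng.randrange(4), rng.randrange(1, 256))
        res = analyse_pair(c, encrypt(rk, pt, fault))
        used += 1
        if res is not None:
            j, s = res
            cands[j] &= s
    if any(len(s) != 1 for s in cands):
        return None, used
    return int.from_bytes(bytes(next(iter(s)) for s in cands), "big"), used

if __name__ == "__main__":
    key = bytes.fromhex("0123456789abcdeffedcba9876543210")  # GB/T 32907 test key
    rk = key_schedule(key)
    rk31, n = dfa_last_round_key(rk, key)
    print(f"rk[31] = {rk[31]:08x}, recovered {rk31:08x} from {n} faulty ciphertexts")
```

Each faulty ciphertext leaves 2 or 4 candidates for the key byte it hits (the S-box has differential uniformity 4, and the candidate set always contains both k and k ⊕ δ for the injected δ), so faults with different δ at the same position intersect to a single value; because the fault position is random, the loop above typically needs a few faults per byte. Recovering rk[31] alone does not give the master key: peeling off the last round with rk[31] and repeating the analysis for rk[30], rk[29] and rk[28] yields four consecutive round keys, from which the invertible key schedule gives the master key. The cheapest fault detection against this model is the redundancy check the dissertation's countermeasure work points at: compute the last rounds twice (or encrypt and decrypt) and release nothing when the results disagree.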
Keywords: side channel attacks, block ciphers, fault analysis, timing attack, power analysis, ARIA, CLEFIA, MacGuffin, SMS4