
Research On The Security Of Cryptographic Algorithms Under Masking Protection

Posted on: 2023-08-08
Degree: Master
Type: Thesis
Country: China
Candidate: L Pan
GTID: 2568306836464254
Subject: Cyberspace security
Abstract/Summary:
Lightweight authenticated encryption algorithms have many important applications in resource-constrained environments, such as medical equipment, distributed control systems, the Internet of Things, and cyber-physical systems. Most of these devices need to connect to other devices and work together with them. To secure the data communication of these devices, lightweight authenticated encryption algorithms suited to resource-constrained environments (where chip area is relatively small, or energy cost must be low, etc.) have emerged. However, these algorithms are usually vulnerable to side channel analysis. How to protect lightweight authenticated encryption algorithms against side channel analysis is currently a hot research topic in both academia and industry. Based on the structures of the lightweight authenticated encryption algorithms Spook and ASCON, this thesis studies both side channel analysis and the related masking protection schemes. The main results are as follows:

1. The security of the Spook cipher against correlation power analysis is examined. Based on the structure of Spook and the implementation characteristics of its S-box, the Hamming weight model is used to describe the power consumption characteristics of its encryption operation. The S-box output value is mapped to a hypothetical power consumption, and the correlation coefficient between this hypothesis and the real power consumption is computed to determine the secret key. The experiment shows that the master key of the Spook cipher can be recovered within one minute by attacking its Clyde-128 component, where 789 traces are collected. On the other hand, when the opponent attacks the Shadow-512 component, she can recover 128 bits of the internal secret state information so that the corresponding 128 bits of plaintext can be captured. Furthermore, the security of the algorithm when the S-box is implemented with a look-up table is compared with its security when the S-box is implemented with the bit-slice method. These results indicate that the Spook cipher cannot resist correlation power analysis without masking protection.

2. A first-order Boolean masking protection for the Spook cipher is proposed. Based on the structure of the Spook cipher and the implementation characteristics of its S-box, a masking scheme for the Spook cipher is constructed and implemented on an ARM development board. The experimental results show that only 8 bits of information about the master key can be leaked, where 500000 traces are collected. This does not affect the security of the Spook cipher (the full master key is 128 bits). By reusing random numbers, the entire masking scheme needs only 64 bits of random numbers. In particular, compared to the original implementation of the Spook cipher, the storage footprint increases by only 2.87%.

3. A differential power analysis of the ASCON cipher is proposed, and a first-order threshold implementation is also provided. More specifically, based on the structure of the ASCON cipher and the implementation characteristics of its S-box, a differential power analysis attack is described. This attack uses the implementation characteristics of the ASCON S-box via the Hamming weight model. Some secret bits of the master key of the ASCON cipher are recovered by using the power consumption discrimination function and the traces. In particular, a trace pre-processing method is used to handle the "ghost peak" that appears in the differential power analysis. By collecting 1500 leaked traces of the s~a permutation, 44 bits of the master key can be recovered. Furthermore, a first-order threshold implementation of ASCON is investigated. Leakage assessment was performed by t-test, and the t values were all within 4.5, which means that the protection scheme effectively prevents information leakage.
Keywords/Search Tags:lightweight authenticated encryption algorithm, mask, correlation power analysis, differential power analysis, traces
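The t-test leakage assessment mentioned in the abstract can be illustrated on simulated data. The following is an added example, not code from the thesis: it assumes a Hamming-weight leakage model with Gaussian noise, a constructed key and input byte, and a plain XOR intermediate in place of the Spook or ASCON S-box, and runs a fixed-vs-random Welch t-test with and without a first-order Boolean mask.

```python
import random
import statistics

THRESHOLD = 4.5  # pass/fail bound on |t| quoted in the abstract

def hw(v):
    """Hamming weight of a byte."""
    return bin(v).count("1")

def trace(x, key, masked, rng, sigma=1.0):
    """Two simulated samples, one per Boolean share of v = x ^ key.
    The unmasked device is modelled as a mask that is always zero."""
    mask = rng.getrandbits(8) if masked else 0
    shares = ((x ^ key) ^ mask, mask)
    return [hw(s) + rng.gauss(0.0, sigma) for s in shares]

def welch_t(a, b):
    """Welch's t statistic for two samples with unequal variances."""
    va, vb = statistics.variance(a), statistics.variance(b)
    return (statistics.mean(a) - statistics.mean(b)) / ((va / len(a) + vb / len(b)) ** 0.5)

def max_abs_t(masked, n=2000, key=0x3C, fixed_x=0x3D, seed=1):
    """Fixed-vs-random test: largest |t| over all sample points.
    key, fixed_x and seed are constructed values for this simulation."""
    rng = random.Random(seed)
    fixed = [trace(fixed_x, key, masked, rng) for _ in range(n)]
    rand = [trace(rng.getrandbits(8), key, masked, rng) for _ in range(n)]
    # Transpose so each sample point is tested across all traces.
    return max(abs(welch_t(f, r)) for f, r in zip(zip(*fixed), zip(*rand)))

if __name__ == "__main__":
    for masked in (False, True):
        t = max_abs_t(masked)
        verdict = "leak detected" if t > THRESHOLD else "no first-order leak detected"
        print(f"masked={masked}: max|t|={t:.2f} -> {verdict}")
```

A result below the threshold only says that no first-order leakage was detected at this number of traces; the two shares combined still carry the secret, so higher-order analysis is outside what this test covers.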