阅读说明：本技术 一种基于模板攻击的混沌分组加密分析方法 (Chaos grouping encryption analysis method based on template attack ) 是由 罗玉玲 张顺生 刘俊秀 丘森辉 岑明灿 蔡超波 于 2019-10-24 设计创作，主要内容包括：本发明公开了一种基于模板攻击的混沌分组加密分析方法,其特征是,包括如下步骤：a)实现混沌分组加密过程：b)模板攻击分析混沌分组加密。这种方法能完成混沌分块加密算法的攻击,且进行攻击需要的痕迹数量会比CPA攻击少。(The invention discloses a chaos grouping encryption analysis method based on template attack, which is characterized by comprising the following steps of: a) the chaotic block encryption process is realized: b) and (4) analyzing chaotic block encryption by template attack. The method can complete the attack of the chaotic block encryption algorithm, and the number of traces required for attack is less than that of CPA attack.)

1. A chaos grouping encryption analysis method based on template attack is characterized by comprising the following steps:

a) the chaotic block encryption process is realized:

(1) generating a round key: the round key of the chaotic cipher algorithm is generated based on tent mapping, and the tent mapping can be expressed as:

wherein the parameter beta_iIs a parameter of the chaotic system and is derived from a master key K_iGenerating, each byte of the master key is converted to a corresponding beta between 0 and 1 by_i：

Wherein ith of master key^thOne byte is marked as K_i，i∈[1，16]，x₀Is a decimal number between 0 and 1, and x is₀And beta₁As an initial parameter for the tent map, the result x1 is through iteration f (x)₀，β₁) The remaining parameters were calculated 20 times as shown in equation (3):

x_(i)＝f²⁰(x_(i-1)，β_i)， (3)，

wherein f is²⁰Represents iterating the tent mapping 20 times, i ∈ [2, 16 ]]And finally x₁₆And beta₁₆As an initial value of the tent map, and iterates 100+16R times to generate pseudo-random sequences, the last 16R pseudo-random numbers are represented as x_i(i∈[101,16R]) And a round key k_iCan be expressed as:

k_i＝floor(x_i×255)， (4)，

wherein the floor (x) function returns the largest integer no greater than x;

(2) round keys are added to the plaintext: in the first round of encryption, the ith of the intermediate value^thByte can be represented by the ith^thPlaintext c of one byte_iAnd the ith^thByte wheel key k_iExclusive or gives:

wherein i is more than or equal to 1 and less than or equal to 16;

(3) byte replacement operation: the S-box lookup table is used for replacing the XOR operation value of the round key and the previous round intermediate value, and the S-box in the AES algorithm is used and is generated in a mathematical mode;

(4) and (3) diffusion operation: one round of obfuscation includes two stages, the first stage, where the first byte of the intermediate value remains unchanged and the following bytes are obtained as follows:

wherein i is more than or equal to 1 and less than or equal to 15, in the second stage, the last byte of the intermediate value generated in the previous stage is kept unchanged, and the previous byte is obtained in the following way:

(5) and (3) cat mapping: the 16-byte intermediate values generated in the previous step are stored in a 4 x 4 matrix, with the initial coordinates (x) of the intermediate values_n，y_n) Conversion to new coordinates (x) by the following cat mapping_n+1，y_n+1)：

Where N denotes the size of the matrix, x_nIndicating the column index of the matrix, y_nA row index representing a matrix;

(6) repeating the steps (2) to (5) for R times;

b) analyzing chaotic block encryption by template attack:

1) the template erecting process: the modeling method adopts a multivariate high-modulus model, firstly generates a random plaintext and a random master key, the plaintext and the master key are used as the input of an encryption system, and collects corresponding power consumption traces in the encryption process, and each possible Hamming weight power consumption trace is used for modeling the multivariate high-modulus model, and comprises the following steps:

1-1) generating random plaintext and computing a round key for a first round of encryption: randomly generating D groups of plaintext and round keys, storing the plaintext and the round keys in matrixes P and K, wherein the sizes of P and K are D multiplied by I, the symbol I is the number of bytes of each group of plaintext and key, and the D th byte^thIth of group plain text^thByte is defined as p_d，iAnd at d^thIth of group round key^thByte is represented as k_d，i；

1-2) collecting energy consumption data: d groups of plaintext and master key are used as input of an encryption system, D power consumption traces are stored in a matrix T in the encryption process, each trace has J sampling points, the size of the matrix T is DxJ, and the sampling point J of the trace D can be represented as T_d，j；

1-3) calculate the hypothetical energy consumption: generating ith of hypothetical energy matrix tiles^thThe following process is carried out: p is a radical of_d，iIs the d th^thIth in plain text^thByte, and k_d，iIs the d th^thIth of round key^thByte, p_d，iEach value of (a) and k_d，iPerforming exclusive-or operation, then performing substitution box operation on the value of the exclusive-or operation, calculating Hamming weight of the result after the substitution box operation, and generating the assumed energy consumption as shown in formula (9):

similarly, calculating the remaining plaintext and round key can obtain an assumed energy consumption matrix;

1-4) sorting traces: the Hamming weight of the 8-bit binary number ranges from 0 to 8, and traces collected from the encryption device are classified into 9 groups, such as h, according to the corresponding Hamming weights_1，iAnd h_2，iAssumed to be a trace t₁And t₂Of 0, followed by h_D-1，iAnd h_D，iAssume as t_D-1And t_DHas a hamming weight of 8, traces with a hamming weight of 0 are divided into a first group and traces with a hamming weight of 8 are divided into a last group, in which case the matrix T is converted into a corresponding matrix T₁；

1-5) calculate average traces: according to ith of matrix H^thColumn, calculated in matrix T₁Average trace of each Hamming weight in, matrix T₁Conversion into a matrix T₂，T₂Is W x J, where J is the total number of sample points per trace and W is the total number of possible Hamming weights;

1-6) finding trace interest points: find points of interest that exhibit large differences in performing different operations, each possible Hamming weight operation w ranging from 8 to 0, and each sampling point (j, A)_w，j) Defined as the average energy, if N is present_w，jBar trace, when hamming weight operation w is performed, the average energy is calculated as shown in equation (10):

when the mean value of each Hamming weight trace is obtained, the difference between the mean values of the two Hamming weight traces is calculated and then summed, and the calculation process is shown as formula (11):

obtaining a mark D with a peak_jThe step of selecting the sharp peak point is as follows: first step, at D_jSelecting the highest peak point, and saving the value of j as an interest point; secondly, discarding N points near j, wherein N is the minimum space of the peak point; thirdly, repeating the previous two steps until all the interest points are found, when the interest points are selected, at least one clock cycle is needed between the interest points, the minimum height of the interest points is higher than a noise plane, and n interest points are selected;

1-7) calculating a covariance matrix C and a mean vector m: the sampling points of each trace are normally distributed, and the corresponding parameters m and sigma are estimated as

the mean vector m between the points of interest is shown in equation (13):

m＝(m₁，m₂，m₃…m_n)^T(13)，

the multivariate normal distribution probability density function is shown in equation (14):

wherein det (C) represents the determinant of the matrix C, C^-1An inverse matrix representing C;

2) and (3) key recovery process: a 128-bit binary fixed master key is divided into 16 8-bit keys, the first 8 bits of the round keys of the first round of encryption are attacked, the output of a substitution box of an encryption algorithm is selected as an attack point, relatively few traces are collected, the probability of each possible key is calculated, the key corresponding to the maximum multivariate normal distribution probability is the most possible correct round key,

2-1) generating random plaintext and fixed master key: randomly generating F groups of plain texts, storing the F groups of plain texts in a matrix B, wherein the size of the matrix B is F multiplied by I, I is the number of bytes in each group of plain texts, and the F th^thIth of group plain text^thA byte is defined as b_f，i；

2-2) collecting energy consumption data: inputting F groups of random plaintext and fixed master key into an encryption system, collecting F energy traces in the encryption process, storing the energy traces in a matrix G, wherein the size of the matrix G is F multiplied by J, J represents the number of sampling points, and G_f，jIs shown at f^thThe jth sample point in the bar trace;

2-3) calculate the hypothetical energy consumption: calculating the hypothetical energy consumption matrix UⁱF of (a)^thThe process of the row is as follows: each possible key value s and b_f，iPerforming an XOR operation where s ∈ [0, 255 ]]Is a possible value of 8-bit round key, then calculates the substitution box operation of the last step result, and finally calculates the Hamming weight value after the substitution box operation, and similarly calculates the hypothetical energy consumption matrix U generated by the operation of other groups of plaintext and possible round keysⁱMatrix UⁱIs as shown in equation (15):

wherein, the matrix UⁱThe (f, s) -th element in (b) represents the assumed energy consumption, corresponding to the f-th element^thIth of group plain text^thBytes and possibly a secret key s;

2-4) calculate the probability of each possible key: f th^thThe sampling value of the bar trace is represented as the f-th of the matrix G^thLine, wherein the f^thThe value of the bar trace at the interest point is marked

combine all

if the possible round key equals the hexadecimal number 0xFF and the probability of multiple gaussians in the three traces is (0.85, 0.9, 0.86), then the total result is calculated as 0.6579, if one trace fails to match the template, then the result is calculated as the next round key

Technical Field

The invention relates to the field of information security, in particular to a chaotic block encryption analysis method based on template attack.

Background

Information security has become an active area of research, where chaos-based cryptography has become one of the most common techniques for designing new encryption algorithms in the last two decades. The chaotic system is a nonlinear system with long-term unpredictability, which is described as pseudo-random and ergodic and extremely sensitive to initial conditions. Because of the inherent association of cryptography and chaos, researchers have investigated the possibility of applying chaotic systems to cryptography, and have proposed many chaotic cryptographic systems. For chaotic cryptosystems, nuances in the input (e.g., plaintext) can result in significant changes in the output (ciphertext). Studies have shown that these cryptosystems are highly secure and, in addition, traditional math-based methods are used for security analysis of chaotic cryptosystems, most of which employ known plaintext attacks and perform the attacks by using the properties of plaintext, ciphertext and the cryptosystem.

When cryptographic algorithms are run on hardware platforms, such as microcontrollers, Application Specific Integrated Circuits (ASICs), and Field Programmable Gate Arrays (FPGAs), different types of side channel information (e.g., power consumption, time and electromagnetism, etc.) may be leaked. A Side Channel Analysis (SCA) attack analyzes the cryptographic system's keys with leaked information from the target device. Different attack schemes are proposed using processing time, electromagnetic radiation and power consumption bypass information. The first SCA attack scheme was proposed in 1996, where the time required to execute a key was estimated and a timing attack was used to break the asymmetric encryption algorithm. As another type of SCA attack scheme, since there is a correlation between the operation of a cryptosystem and electromagnetic radiation, cryptographic algorithms such as the electromagnetic analysis attack data encryption standard or the advanced encryption standard can be used, simple and differential energy analysis (SPA, DPA) attacks were proposed and analyzed in 1999, and in the last 20 years, the energy analysis attacks have been widely used due to their ease of implementation and relatively low cost. SPA attacks are used to reveal keys from a given trace, DPA attacks are another popular energy analysis method compared to SPA attacks, which require a large number of traces to attack keys, and as a variant of DPA, correlation energy analysis (CPA) was proposed in 2003, which uses correlation between intermediate data and hardware device energy consumption to obtain important information using CPA attacks, which are more powerful and powerful than DPA attacks. The Template Attack (TA) also belongs to energy analysis attack, and from the perspective of information theory, it is considered as an efficient power analysis attack, and one advantage of it is that, having the same device as the target device, a large amount of energy traces can be used to describe the multivariate normal distribution on the device, and then, each key can be recovered by recording relatively few energy traces on the target device, which is smaller than the trace required by DPA attack, and as a probabilistic attack, it overcomes the disadvantages of the conventional CPA attack algorithm, such as the protection countermeasure embedded in the encryption algorithm and only the capture of linear dependency.

Disclosure of Invention

The invention aims to provide a chaotic block encryption analysis method based on template attack aiming at the defects of the prior art. The method can complete the attack of the chaotic block encryption algorithm, and the CPA attack is less in traces required by the attack.

The technical scheme for realizing the purpose of the invention is as follows:

a chaos grouping encryption analysis method based on template attack is different from the prior art, and comprises the following steps:

a) the chaotic block encryption process is realized:

(1) generating a round key: the round key of the chaotic cipher algorithm is generated based on tent mapping, and the tent mapping can be expressed as:

wherein the parameter beta_iIs a parameter of the chaotic system and is derived from a master key K_iGenerating, each byte of the master key is converted to a corresponding beta between 0 and 1 by_i：

Wherein ith of master key^thOne byte is marked as K_i，i∈[1，16]，x₀Is a decimal number between 0 and 1, here randomly set to 0.587, and x is set₀And beta₁As an initial parameter for the tent map, result x₁Is performed by iterating f (x)₀，β₁) The remaining parameters were calculated 20 times as shown in equation (3):

x_(i)＝f²⁰(x_(i-1)，β_i) (3)，

wherein f is²⁰Represents iterating the tent mapping 20 times, i ∈ [2, 16 ]]And finally x₁₆And beta₁₆As an initial value of the tent map, and iterates 100+16R times to generate pseudo-random sequences, the last 16R pseudo-random numbers are represented as x_i(i∈[101,16R]) And a round key k_iCan be expressed as:

k_i＝floor(x_i×255) (4)，

wherein the floor (x) function returns the largest integer no greater than x;

(2) round keys are added to the plaintext: in the first round of encryption, the ith of the intermediate value^thByte can be represented by the ith^thPlaintext c of one byte_iAnd the ith^thByte wheel key k_iExclusive or gives:

wherein i is more than or equal to 1 and less than or equal to 16;

(3) byte replacement operation: the S-box lookup table is used for carrying out exclusive or operation on the key of the replacement round and the intermediate value of the previous round, and the S-box can be generated by a plurality of methods, such as a chaotic system, manual construction, mathematical construction and the like;

(4) and (3) diffusion operation: one round of obfuscation includes two stages, the first stage, where the first byte of the intermediate value remains unchanged and the following bytes are obtained as follows:

wherein i is more than or equal to 1 and less than or equal to 15, in the second stage, the last byte of the intermediate value generated in the previous stage is kept unchanged, and the previous byte is obtained in the following way:

(5) And (3) cat mapping: the 16-byte intermediate values generated in the previous step are stored in a 4 x 4 matrix, with the initial coordinates (x) of the intermediate values_n，y_n) Conversion to new coordinates (x) by the following cat mapping_n+1，y_n+1)：

Where N denotes the size of the matrix, x_nIndicating the column index of the matrix, y_nA row index representing a matrix;

(6) repeating the steps (2) to (5) for R times, (R ═ 10) the chaotic block cipher system completes the cipher through the steps (1) - (6), and the cipher system will use the common statistical methods to analyze the security, such as SP 800-22 test, byte frequency test, avalanche test and strict avalanche test;

b) analyzing chaotic block encryption by template attack:

1) the template erecting process: the modeling method adopts a multivariate high-modulus model, firstly generates a random plaintext and a random master key, the plaintext and the master key are used as the input of an encryption system, and collects corresponding power consumption traces in the encryption process, and each possible Hamming weight power consumption trace is used for modeling the multivariate high-modulus model, and comprises the following steps:

1-1) generating random plaintext and computing a round key for a first round of encryption: randomly generating D groups of plaintext and round keys, storing the plaintext and the round keys in matrixes P and K, wherein the sizes of P and K are D multiplied by I, the symbol I is the number of bytes of each group of plaintext and key, and the D th byte^thIth of group plain text^thByte is defined as p_d，iAnd at d^thIth of group round key^thByte is represented as k_a，i；

1-2) collecting energy consumption data: d groups of plaintext and master key are used as input of an encryption system, D power consumption traces are stored in a matrix T in the encryption process, each trace has J sampling points, the size of the matrix T is DxJ, and the sampling point J of the trace D can be represented as T_d，j；

1-3) calculate the hypothetical energy consumption: generating the ith of the hypothetical energy matrix H^thThe following process is carried out: p is a radical of_d，iIs the d th^thIth in plain text^thByte, and k_d，iIs the d th^thIth of round key^thByte, p_d，iEach value of (a) and k_d，iPerforming exclusive-or operation, then performing substitution box operation on the value of the exclusive-or operation, calculating Hamming weight of the result after the substitution box operation, and generating the assumed energy consumption as shown in formula (9):

similarly, calculating the remaining plaintext and round key can obtain an assumed energy consumption matrix;

1-4) sorting traces: the Hamming weight of the 8-bit binary number ranges from 0 to 8, and traces collected from the encryption device are classified into 9 groups, such as h, according to the corresponding Hamming weights_1，iAnd h_2，iAssumed to be a trace t₁And t₂Of 0, followed by h_D-1，iAnd h_D，iAssume as t_D-1And t_DHas a hamming weight of 8, traces with a hamming weight of 0 are divided into a first group and traces with a hamming weight of 8 are divided into a last group, in which case the matrix T is converted into a corresponding matrix T₁；

1-5) calculate average traces: according to ith of matrix H^thColumn, calculated in matrix T₁Average trace of each Hamming weight in, matrix T₁Conversion into a matrix T₂，T₂Is W x J, where J is the total number of sample points per trace and W is the total number of possible Hamming weights;

1-6) finding trace interest points: find points of interest that exhibit large differences in performing different operations, each possible Hamming weight operation w ranging from 8 to 0, and each sampling point (j, A)_w，j) Defined as the average energy, if N is present_w，jBar trace, when hamming weight operation w is performed, the average energy is calculated as shown in equation (10):

when the mean value of each Hamming weight trace is obtained, the difference between the mean values of the two Hamming weight traces is calculated and then summed, and the calculation process is shown as formula (11):

obtaining a mark D with a peak_jThe step of selecting the sharp peak point is as follows: first step, at D_jSelecting the highest peak point, and saving the value of j as an interest point; secondly, discarding N points near j, wherein N is the minimum space of the peak point; thirdly, repeating the previous two steps until all the interest points are found, when the interest points are selected, at least one clock cycle is needed between the interest points, the minimum height of the interest points is higher than a noise plane, and n interest points are selected;

1-7) calculating a covariance matrix C and a mean vector m: the sampling points of each trace are normally distributed, and the corresponding parameters m and sigma are estimated as

And

each trace t is modeled as a multivariate normal distribution described by a covariance matrix C and a mean vector m, where the covariance matrix C is shown in equation (12):

the mean vector m between the points of interest is shown in equation (13):

m＝(m₁，m₂，m₃…m_n)^T(13)，

the multivariate normal distribution probability density function is shown in equation (14):

wherein det (C) represents the determinant of the matrix C, C^-1An inverse matrix representing C;

2) and (3) key recovery process: a 128-bit binary fixed master key is divided into 16 8-bit keys, the first 8 bits of the round keys of the first round of encryption are attacked, the output of a substitution box of an encryption algorithm is selected as an attack point, relatively few traces are collected, the probability of each possible key is calculated, the key corresponding to the maximum multivariate normal distribution probability is the most possible correct round key,

2-1) generating random plaintext and fixed master key: randomly generating F groups of plain texts, storing the F groups of plain texts in a matrix B, wherein the size of the matrix B is F multiplied by I, I is the number of bytes in each group of plain texts, and the F th^thIth of group plain text^thA byte is defined as b_f，i；

2-2) collecting energy consumption data: inputting F groups of random plaintext and fixed master key into an encryption system, collecting F energy traces in the encryption process, storing the energy traces in a matrix G, wherein the size of the matrix G is F multiplied by J, J represents the number of sampling points, and G_f，jIs shown at f^thThe jth sample point in the bar trace;

2-3) calculate the hypothetical energy consumption: calculating the hypothetical energy consumption matrix UⁱF of (a)^thThe process of the row is as follows: each possible key value s and b_f，iPerforming an XOR operation where s ∈ [0, 255 ]]Is a possible value of 8-bit round key, then calculates the substitution box operation of the last step result, and finally calculates the Hamming weight value after the substitution box operation, and similarly calculates the hypothetical energy consumption matrix U generated by the operation of other groups of plaintext and possible round keysⁱMatrix UⁱIs as shown in equation (15):

wherein, the matrix UⁱThe (f, s) -th element in (b) represents the assumed energy consumption, corresponding to the f-th element^thIth of group plain text^thBytes and possibly a secret key s;

2-4) calculate the probability of each possible key: f th^thThe sampling value of the bar trace is represented as the f-th of the matrix G^thLine, wherein the f^thThe value of the bar trace at the interest point is marked

F th^thAll interest points of the streak are expressed as a vector as shown in equation (16):

is the weight of Hamming

Corresponding to the multivariate gaussian probability, it can be calculated as shown in equation (17):

at the f-th of the matrix G^thMatrix U with corresponding rowsⁱHas a Hamming weight of

Matrix PⁱIs calculated as shown in equation (18):

combine all

The values, described in detail, are shown in equation (19):

if the possible round key equals the hexadecimal number 0xFF and the probability of multiple gaussians in the three traces is (0.85, 0.9, 0.86), then the total result is calculated as 0.6579, if one trace fails to match the template, then the result is calculated as the next round key

Is forced to fall quickly and wrong round key guesses are eliminated, and, eventually,

is found, meaning that guessing the key is the most likely fit to the template, the calculation is performedAs shown in equation (20):

the method can complete the attack of the chaotic block encryption algorithm, and the CPA attack is less in traces required by the attack.

Drawings

FIG. 1 is a schematic diagram of the working flow of the chaotic block cipher in the embodiment;

FIG. 2 is a schematic flow chart of the first three steps of the encryption algorithm in the embodiment;

FIG. 3 is a schematic flow chart of the calculation of hypothetical energy consumption in the construction of the template stage in the embodiment;

FIG. 4 is a diagram illustrating an example of computing the hypothetical energy consumption matrix H and the classification matrix T₁A schematic flow diagram of (a);

FIG. 5 is a flow chart illustrating calculation of hypothetical energy consumption during a key recovery phase in an embodiment;

FIG. 6 is a diagram illustrating the calculation of the probability matrix P in the embodimentⁱIs a schematic flow diagram.

Detailed Description

The invention will be further illustrated, but not limited, by the following description of the embodiments with reference to the accompanying drawings.