CN104811295A - Side channel energy analysis method for ZUC cryptographic algorithm with mask protection - Google Patents

Abstract

The invention discloses a side channel energy analysis method for the ZUC cryptographic algorithm with mask protection. The method includes: (1) establishing an energy consumption matrix E, and preprocessing to obtain an energy consumption matrix E'; (2) selecting left and right S-box output xor values S_XorOutr as attack points to obtain a middle matrix V or respectively adopting Hamming weight and single bits to determine a DPA (differential power analysis) discrimination function D; (3) calculating a simulated energy consumption matrix H and two average energy consumption matrixes D0 and D1; (4) calculating a correlation coefficient matrix R between H and E', and selecting predictive values corresponding to maximum rp,q to obtain correct keys; or determining the correct keys by selecting the predictive values corresponding to maximum delta dpq according to an equation that delta D is equal to D1-D0; (5) sequentially calculating for five times, and repeating the step two to step four to obtain all key information. By the technical scheme, the defect of lack of specific attack methods for the ZUC cryptographic algorithm with mask protection is solved, a novel two-order energy analysis method is provided innovatively, opening up a ZUC cryptographic algorithm attack situation is realized, and expansion of side channel energy analysis means is realized as well.

Description

A kind of Zu Chongzhi cryptographic algorithm to possessing mask protection carries out side channel energy analytical method

Technical field

The invention belongs to cryptographic algorithm technical field of analysis and detection; relate in cryptographic algorithms' implementation, the analysis of side channel energy, crypto module testing process; side channel energy analysis is carried out for the Zu Chongzhi stream cipher algorithm (ZUC) possessing mask safeguard procedures; obtain shielded key k; that is, side channel energy analytical method is carried out to the Zu Chongzhi cryptographic algorithm possessing mask protection.

Background technology

Along with the development of information technology, various cryptographic algorithm is just being widely used in the important departments such as economy, military affairs, administration, the fail safe of protection information.In view of the importance of cryptographic algorithm, the analysis and research that cryptographic algorithm software and hardware realizes (crypto module) have great importance safely to protection information.In recent years, the multiple attack to crypto module is widely known by the people, and all these objects of attacking are all the keys in order to obtain in crypto module.Common attack pattern can be divided into intrusive mood to attack, half intrusive mood is attacked and non-intrusion type is attacked.In recent years, due to non-intrusion type attack in side Multiple Channel Analysis implement convenient, less expensive and be widely used.Side Multiple Channel Analysis can be subdivided into chronometric analysis, energy spectrometer and emi analysis.Side channel energy analysis is wherein one of method the most frequently used in numerous analysis means, and it breaches the analytical model of conventional cipher algorithm, and ability is powerful, implements relatively easy.Side channel energy analysis and utilization crypto module energy ezpenditure and data operation and the correlation between performing; energy leakage function based on cryptographic algorithms' implementation sets up energy model; Using statistics method; the protected key that conjecture and authentication password module use, almost can be used to crack all symmetric cryptographies and public key cryptography.When cracking, tens of energy marks are only needed just can promptly to crack the most of smart cards not having defensive measure within a few minutes.Side channel energy analytical method generally comprises, simple energy analysis (SPA), differential power analysis (DPA), correlation energy analysis (CPA) and higher difference energy spectrometer (HODPA).

The attack of each peaked shapes of energy mark this characteristic different is directly utilized to be called simple power analysis SPA (Simple Power Analysis); When median handled by depending in algorithm implementation according to the energy ezpenditure of encryption device is respectively 0 and 1, the attack method that the difference between corresponding average energy mark carries out key recovery is called that differential power analysis attacks DPA (Differential Power Analysis); If cryptanalysis person utilizes the linear dependence between hypothesis energy ezpenditure and real energy ezpenditure to carry out key recovery, be then correlation energy analytical attack CPA (Correlation Power Analysis); In above-mentioned DPA analyzes, if only make use of a median, be called that single order DPA attacks, if certain utilizing in algorithm computing combines leakage, this combines leakage based on the multiple medians appeared in encryption device, then claim corresponding DPA to attack as high-order DPA analyzes.

In view of current development cryptographic algorithm being carried out to power consumption analysis attack technology, be the challenge that reply energy spectrometer brings, for the defense technique also constantly progress of power consumption analysis attack.The defense technique of anti-power consumption analysis comprises various concealing technology and mask technology, and the target of any defense technique is all make the energy ezpenditure of encryption device not rely on cryptographic algorithm median performed by equipment.

Concealing technology is by energy ezpenditure randomization, make all operations have the modes such as identical energy consumption cut off processed median and plant capacity consume between relation.Adopt the encryption device of concealing technology to perform identical operation with the equipment not adding protection, but therefrom cannot obtain available information.

Mask technology adopts the median handled by randomization encryption device, adds randomized mask to algorithm realization.It can realize in algorithm level, without the need to changing the energy ezpenditure characteristic of encryption device, without dependence between the median making the energy ezpenditure of equipment and performed cryptographic algorithm.

In mask defense schemes, based on one, the median v of algorithm computing is called that the random number m of mask converts, i.e. v _m=v*m.Mask results from encryption device inside, and different in implementation each time, and therefore assailant can not know mask.The operation that computing * uses according to cryptographic algorithm usually defines.Therefore, computing * mostly is Boolean XOR computing, mould adds computing or modular multiplication.When mould adds computing and modular multiplication, modulus is selected according to cryptographic algorithm.Usually, mask directly applies to expressly or key.In order to mask type median can be processed and follow the tracks of mask, need to modify to algorithm.The result of encryption is also mask type, in order to obtain ciphertext, needs to eliminate mask at the end of calculating.Keep each median to be in all the time by mask state in computational process, this point is extremely important.Even if some medians obtain based on the middle-value calculating before it, keep above-mentioned character still very important.For above-mentioned reasons, to different medians, often need to adopt different masks respectively.Being in the consideration to realizing performance, a new mask being adopted to each median and uneconomical.Therefore, in order to obtain suitable performance, need the quantity carefully selecting mask.

The mask quantity superposed in algorithm execution route, is called the exponent number of algorithm mask defense schemes, the mask of corresponding exponent number is carried out to the method for energy spectrometer, is called high-order energy energy spectrometer.Single order mask can defend the energy spectrometer of single order, but can not defend secondary energy analysis; Second order mask can defend secondary energy analysis, but can not defend three rank energy spectrometers.Usually consider that defence and the exponential increasing operand analyzed increase, and the restriction of the point of available energy leakage on algorithm structure, usual grouping algorithm realizes accomplishing secondary energy analysis, and corresponding defensive measure also generally only accomplishes that second order mask is defendd.

Below the principle of DPA and CPA is simply introduced.DPA principle is: for the enciphering/deciphering computing of N group plain/cipher text data, obtains N bar energy mark, and energy mark here refers to the energy consumption measurement vector collected in a Password Operations process; To each conjecture key K, produce corresponding median (object of attack), according to median determination choice function; By choice function, energy mark collection is divided into two subsets; Be averaged the energy ezpenditure that two sub-set pairs are answered respectively, and ask poor to two average energy consumption values, this equal value difference is that median that choice function is corresponding is to the impact effect of energy mark.According to statistical theory, if K conjecture is incorrect, when the number N convergence of energy mark is infinitely great, the equal value difference of two subsets will level off to zero; If when K conjecture is correct, certain sampling point in energy mark, will there will be the maximum sharpness (maximum absolute value value) of an equal value difference, can determine correct key by maximum sharpness.CPA principle is: for the enciphering/deciphering computing of N group plain/cipher text data, obtains N bar energy mark; To each conjecture key K, produce corresponding median (object of attack); Energy model is set up according to median; By energy model, median is mapped as simulated energy consumption; Linearly dependent coefficient between computer sim-ulation energy ezpenditure and energy mark, scope is between [-1,1]; Choosing the maximum of absolute value in coefficient correlation, is 1 in theory, but owing to unavoidably there is noise jamming in collecting energy mark process, maximum is less than 1, and conjecture key corresponding to this coefficient correlation maximum is correct key.

Second order DPA/CPA analyzes, carries out preliminary treatment except needing to energy mark, utilizes the number of median different, and it is completely the same that principle and method and single order side channel energy are analyzed.Single order side Multiple Channel Analysis only utilizes a median in algorithm structure, and correspondingly, what second order side Multiple Channel Analysis utilized handled by encryption device two medians to be correlated with combines leakage.

The step of secondary energy analysis generally comprises as follows: select two median u and v, because have employed mask technology, is only mask type median know appear in equipment operating; Record energy mark, and preliminary treatment is carried out to energy mark; Calculate hypothesis median, it is the combination of u and v, and for the attack of boolean's mask, this combination is generally XOR, namely according to certain energy model, w is mapped as hypothesis energy value h; Compare (related operation) hypothesis energy ezpenditure and preliminary treatment energy mark, correct key guesses the maximum of corresponding coefficient correlation.Wherein, crucial 2 for selecting two suitable medians and carrying out preliminary treatment to energy mark.

Namely preliminary treatment is be combined to form new energy consumption values to relevant in energy mark a, b at 2.Usually and do not know the correct time calculating mask median, so a time interval I=t of energy mark can only be guessed _r+1..., t _r+1, period may includes v _m, u _mcalculating, therefore need all 2 combinations be applied to by preconditioned functions pr e () in this time interval; Generally preconditioned functions is symmetrical, and the length of pretreated energy mark is l (l-1)/2; Pretreated energy trace description is (pre (t _r+1, t _r+2), pre (t _r+1, t _r+3) ..., pre (t _r+2, t _r+3) ..., pre (t _r+l-1, t _r+l)); Conventional preconditioned functions is generally: pre (t _x, t _y)=t _xt _y(multiplication), pre (t _x, t _y)=(t _x+ t _y) ², pre (t _x, t _y)=| t _x-t _y| (subtraction absolute value), (normalization), pre (t _x, t _y)=t _x+ t _y, pre (t _x, t _y)=t _x-t _ydeng.The result chosen directly affecting attack of preconditioned functions.

Zu Chongzhi set of algorithms (ZUC algorithm) is by the encryption of Chinese scholar autonomous Design and integral algorithm, is recommended as the international encryption of the 3rd cover of 4G radio communication and the candidate algorithm of integrity criteria by international organization 3GPP.Simply introduce this algorithm below: Zu Chongzhi algorithm logic is divided into upper, middle and lower three layers, as shown in Figure 1, upper strata is 16 grades of linear feedback shift registers (LFSR); Middle level is bit recombination (BR); Lower floor is nonlinear function F.(1) LFSR comprises 16 31 bit register element variable s ₀, s ₁, L, s ₁₅.The operational mode of LFSR has 2 kinds: initialize mode and mode of operation.Under initialize mode, LFSR receives 31 bit words u.U be by nonlinear function F 32 bits export W obtain by giving up significant bits, i.e. u=W > > 1, under initialize mode, LFSR computational process as:

LFSRWithInitialisationMode(u)

{

(1)v＝2 ¹⁵s ₁₅+2 ¹⁷s ₁₃+2 ²¹s ₁₀+220s ₄+(1+2 ⁸)s ₀mod(2 ³¹-1)；

(2)s ₁₆＝(v+u)mod(2 ³¹-1)；

(3)if(s ₁₆＝0)thens ₁₆＝2 ³¹-1；

(4)(s ₁，s ₂，L，s ₁₅，s ₁₆)→(s ₀，s ₁，L，s ₁₄，s ₁₅)；

}

In the operational mode, LFSR does not receive any input.Its computational process is as follows:

LFSRWithInitialisationMode()

{

(1)s ₁₆＝2 ¹⁵s ₁₅+2 ¹⁷s ₁₃+2 ²¹s ₁₀+220s ₄+(1+2 ⁸)s ₀mod(2 ³¹-1)；

(2)if(s ₁₆＝0)thens ₁₆＝2 ³¹-1；

(3)(s ₁，s ₂，L，s ₁₅，s ₁₆)→(s ₀，s ₁，L，s ₁₄，s ₁₅)；

}

(2) bit recombination (BR) extracts 128 bits and forms 4 32 bit words X from the register cell of LFSR ₀, X ₁, X ₂, X ₃.The concrete computational process of BR is as follows:

Bit Reconstruction()

{

(1)X ₀＝s _15H||s _14L

(2)X ₁＝s _11L||s _9H

(3)X ₂＝s _7L||s _5H

(4)X ₃＝s _2L||s _0H

}

(3) nonlinear function F comprises 2 32 bit mnemon variable R ₁and R ₂.F is input as 3 32 bit words X ₀, X ₁, X ₂, output is 32 bit words W.The computational process of F is as follows:

F(X0，X1，X2)

{

$\left(1\right)---W=(X_0\⊕R_1){+R}_2$

(2)W ₁＝R ₁+X ₁

$\left(3\right){---W}_2=R_2\⊕X_2$

(4)R ₁＝S(L ₁(W _1L||W _2H))

(5)R ₂＝S(L ₂(W _2L||W _1H))

}

Wherein S is the S box conversion of 32 bits, and 32 bit S boxes are formed by the S box juxtaposition of 4 little 8 × 8, i.e. S=(S ₀, S ₁, S ₂, S ₃), wherein S ₀=S ₂, S ₁=S ₃.S ₀mainly based on lightweight structure tectonic ideology, little S box is adopted to build the method design of large S box.Specifically, S ₀inside employs the little S box P of 34 × 4 ₁, P ₂, P ₃combine, as shown in Figure 2, wherein m=5.

S ₁the design of box is based on finite field gf (2 ⁸) on nonlinear inverse function x ^-1with linear affine shift design, with the S box design class of AES seemingly.Bottom finite field gf (2 ⁸) adopt primitive polynomial x ⁸+ x ⁷+ x ³+ x+1 defines, S ₁the mathematic(al) representation of box is: wherein matrix M meets:

$M=\left(\begin{array}{cccccccc}0& 1& 1& 1& 1& 0& 0& 1\\ 1& 0& 1& 1& 1& 1& 0& 0\\ 1& 1& 0& 1& 0& 1& 1& 0\\ 1& 1& 1& 0& 0& 0& 1& 1\\ 0& 1& 1& 1& 1& 1& 1& 0\\ 1& C& 1& 1& 0& 1& 1& 1\\ 1& 1& 0& 1& 1& 0& 1& 1\\ 1& 1& 1& 0& 1& 1& 0& 1\end{array}\right)$

If the 32 bit input X of S box S and 32 bits export Y and are respectively:

X＝x ₀||x ₁||x ₂||x ₃

Y＝y ₀||y ₁||y ₂||y ₃

Wherein x ₁and y ₁be 8 bit bytes, i=0,1,2,3.Then there is y ₁=S _i(x _j); L ₁and L ₂be 32 bit linear conversion, be defined as follows:

$L_1\left(X\right)=X\&CirclePlus;(X<<<2)\&CirclePlus;(X<<<10)\&CirclePlus;(X<<<18)\&CirclePlus;(X<<<24)$

$L_2\left(X\right)=X\&CirclePlus;(X<<<8)\&CirclePlus;(X<<<14)\&CirclePlus;(X<<<22)\&CirclePlus;(X<<<30)$

The secret key loading procedure of Zu Chongzhi algorithm is: the initial key k of 128 bits and the initial vector iv of 128 bits is expanded to 16 31 bit words as LFSR register cell variable s ₀, s ₁, L, s ₁₅initial condition.If k and iv is respectively k ₀|| k ₁|| L||k ₁₅and iv ₀|| iv ₁|| L||iv ₁₅; Wherein k _iand iv _ibe 8 bit bytes, 0≤i≤15.Key loading procedure is as follows: (1) D is the constant of 240 bits, can be divided into the substring of 16 15 bits as follows: D=d ₀|| d ₁|| L||d ₁₅, wherein:

d ₀＝100010011010111 ₂，

d ₁＝010011010111100 ₂，

d ₂＝110001001101011 ₂，

d ₃＝001001101011110 ₂，

d ₄＝101011110001001 ₂，

d ₅＝011010111100010 ₂，

d ₆＝111000100110101 ₂，

d ₇＝000100110101111 ₂，

d ₈＝100110101111000 ₂，

d ₉＝010111100010011 ₂，

d ₁₀＝110101111000100 ₂，

d ₁₁＝001101011110001 ₂，

d ₁₂＝101111000100110 ₂，

d ₁₃＝011110001001101 ₂，

d ₁₄＝111100010011010 ₂，

d ₁₅＝100011110101100 ₂

(2) to 0≤i≤15, s is had _i=k _i|| d _i|| iv _i.

At initial phase, first the initial vector iv of the initial key k of 128 bits and 128 bits is encased in the register cell variable s of LFSR according to aforementioned key charging method ₀, s ₁, L, s ₁₅in, as the initial state of LFSR, juxtaposition 32 bit mnemon variable R ₁and R ₂for full O.Then following operation is performed:

Repeat following process 32 times:

(1)Bit Reconstruction()；

(2)W＝F(X ₀，X ₁，X ₂)；

(3)LFSRWithInitialisationMode(W＞＞1)；

First working stage performs following process once, and is given up by the output W of F:

(1)Bit Reconstruction()；

(2)F(X ₀，X ₁，X ₂)；

(3)LFSRWithWorkMode()；

Then key output stage is entered.At key output stage, often run a beat, perform following process once, and export the key word Z of 32 bits:

(1)Bit Reconstruction()；

$\left(2\right)---Z=F(X0,X1,X2)\&CirclePlus;X3;$

(3)LFSRWithWorkMode()；

At present, utilize side Multiple Channel Analysis (SCA), particularly using the side Energy Analysis for High of energy spectrometer (PA), by setting up Hamming weight model, using first-order difference energy spectrometer (DPA) method can analyze the key of ZUC algorithm.For opposing DPA/CPA analyzes, generally employ mask safeguard procedures protection ZUC cryptographic algorithms' implementation.How for having mask safeguard procedures protection ZUC cryptographic algorithm, to carry out secondary energy analysis be the important research direction that secret key cracks.Therefore, for the ZUC cryptographic algorithm with mask scheme, need badly and propose corresponding effective second order side channel energy analytical method.

Summary of the invention

The object of technical solution of the present invention is to propose a kind of ZUC algorithm for possessing mask protection, utilizes algorithms of different median, carries out second order side channel energy analytical method targetedly and obtains the ZUC algorithm secret key information possessing corresponding mask scheme.

Realizing above-mentioned purpose technical scheme of the present invention is, a kind of Zu Chongzhi cryptographic algorithm to possessing mask protection carries out side channel energy analytical method, and the method comprises the steps:

(1) collecting energy mark is set up energy consumption matrix E and is carried out preliminary treatment and obtains the energy consumption matrix E ' after processing;

(2) ZUC algorithm F function the right and left S box is selected to export XOR value S_XorOut _rcalculate as the point of attack and obtain intermediary matrix V or determine DPA distinguishing funotion D by Hamming weight, single-bit respectively;

(3) computer sim-ulation energy consumption matrix H and two average energy consumption matrix D ₀and D ₁;

(4) the coefficient correlation determination correlation matrix R between computer sim-ulation energy consumption matrix H and energy consumption matrix E ', chooses the maximum r in R _{p, q}corresponding conjecture value is correct secret key; Or by calculating average energy consumption matrix D ₀and D ₁difference, obtain average energy consumption difference matrix Δ D=D ₁-D ₀, select maximum energy consumption equal value difference Δ d _pthe conjecture value that q is corresponding is correct secret key;

(5) select S box arithmetic section, carry out 5 successively and take turns computing, the analytical method according to above-mentioned (2)-(4) can obtain all secret key information.

Energy consumption matrix in above-mentioned steps (1) $E(N\&times;T)=\left(\begin{array}{ccc}{e}_1^1& L& e_T^1\\ M& e_t^n& M\\ e_1^N& L& e_T^N\end{array}\right),$ Wherein, N is the energy mark number of the ZUC algorithm computing collected, and T is computing time used, it is the energy consumption values that n-th enciphering/deciphering computing produces at moment t; Carrying out pretreated process to energy consumption matrix E is: arrange S box and export the 1st byte and the time gap scope of a jth bytes on energy mark is min-max, wherein, min and max is respectively minimum, maximum time point distance, range=max-min+1, for every bar energy mark, select the u point in min-max scope successively, corresponding power consumption values with one_to_one corresponding carries out preliminary treatment, and preprocess method is subtraction absolute value, multiplication or method for normalizing; Method for normalizing is, as u=min, $e_1^{\&prime;n}=(e_1^n-\frac{\underset{i=1}{\overset{n}{\mathrm{\&Sigma;}}}{e}_1^i}{n})(e_{\min }^n-\frac{\underset{i=1}{\overset{n}{\mathrm{\&Sigma;}}}{e}_{\min }^i}{n}),e_2^{\&prime;n}=(e_2^n-\frac{\underset{i=1}{\overset{n}{\mathrm{\&Sigma;}}}{e}_2^i}{n})(e_{\min +1}^n-\frac{\underset{i=1}{\overset{n}{\mathrm{\&Sigma;}}}{e}_{\min +1}^i}{n}),...,$ $e_{T-\min +1}^{\&prime;n}=(e_{T-\min +1}^n=\frac{\underset{i=1}{\overset{n}{\mathrm{\&Sigma;}}}{e}_{T-\min +1}^i}{n})(e_T^n-\frac{\underset{i=1}{\overset{n}{\mathrm{\&Sigma;}}}{e}_T^i}{n}),$ As u=min+1, the like, wherein, n is energy mark number by analysis, and preliminary treatment obtains new energy consumption matrix $E^{\&prime;}(N\&times;T^{\&prime;})=\left(\begin{array}{ccc}{e}_1^{\&prime;1}& L& e_{T^{\&prime;}}^{\&prime;1}\\ M& e_t^{\&prime;n}& M\\ e_1^{\&prime;N}& L& e_{T^{\&prime;}}^{\&prime;N}\end{array}\right).$

The ZUC algorithm F function the right and left S box as the point of attack is selected to export XOR value in above-mentioned steps (2) r _{r, 1}, R _{r, 2}be respectively the S box output valve before r wheel mask, r is followed successively by 0,1,2,3,4, R _{r, 1}=f ₁(iv, k _r+9), R _{r, 2}=f ₂(iv, k _r+5, k _r+9), f ₁, f ₂be respectively F function the right and left S box output function, iv is initial vector; Intermediary matrix V is calculated as: select the secret key k of conjecture respectively _r+9, k _r+5totally 2 ¹⁶individual different value, substitutes into S_XorOut _rin obtain corresponding intermediary matrix $V(N\&times;2^{16})=\left(\begin{array}{ccc}{v}_0^1& K& v_{2^{16}-1}^1\\ M& v_m^n& M\\ v_0^N& L& v_{2^{16}-1}^N\end{array}\right),$ Wherein $v_m^n=f_1({\mathrm{iv}}^n,k_{r+9,m_0})\&CirclePlus;f_2({\mathrm{iv}}^n,k_{r+5,m_1},k_{r+9,m_0}),$ M=(m ₀, m ₁), k _{i, j}being expressed as i-th key conjecture value is j, i.e. j=k _{i, j}, iv ⁿfor known initial vector, m ₀, m ₁be the random number of 8 these spies; With Hamming weight, the determined DPA distinguishing funotion of single-bit method be respectively: $D({\mathrm{iv}}^n,k_{r+9,m_0},k_{r+5,m_1})=\left\{\begin{array}{cc}1& \mathrm{HW}(S\_\mathrm{Xor}{\mathrm{Out}}_r)<16\\ 0& \mathrm{HW}(S\_{\mathrm{XorOut}}_r)>16\end{array}\right.$ And wherein, in bit (x, p) (p ∈ { 0,1, L, 31}) i.e. median x, the value 0 or 1 of this spy of p, guesses S_XorOut respectively _rin round key (k _r+9, k _r+5) totally 2 ¹⁶individual different value, substitutes into then distinguishing funotion is the total number of 1 value $n_1=\underset{x=1}{\overset{N}{\mathrm{\&Sigma;}}}D({\mathrm{iv}}^n,k_{r+9,m_0},k_{r+5,m_1}),$ The total number of 0 value $n_1=\underset{x=1}{\overset{N}{\mathrm{\&Sigma;}}}(1-D({\mathrm{iv}}^n,k_{r+9,m_0},k_{r+5,m_1})).$

Emulation energy consumption matrix in above-mentioned steps (3) $H(N\&times;2^8)=\left(\begin{array}{ccc}{h}_0^1& K& h_{2^8-1}^1\\ M& h_m^n& M\\ h_0^N& L& h_{2^8-1}^N\end{array}\right);$ Two average energy consumption matrix D ₀and D ₁computational process is: the middle time point t of energy consumption matrix E ', obtains the total power consumption average of this point two $d{0}_m^{\&prime;}=\frac{\underset{n=1}{\overset{N}{\mathrm{\&Sigma;}}}(1-D({\mathrm{iv}}^n,k_{r+9,m_0},k_{r+5,m_1}))e_t^{\&prime;n}}{n_0}$ With $d{1}_m^{\&prime;}=\frac{\underset{n=1}{\overset{N}{\mathrm{\&Sigma;}}}D({\mathrm{iv}}^n,k_{r+9,m_0},k_{r+5,m_1})e_t^{\&prime;n}}{n_1},$ Wherein, d0 ' _mcorresponding time point t conjecture value is m=(m ₀, m ₁) n ₀group energy ezpenditure mean value; D1 ' _mcorresponding time point t conjecture value is m=(m ₀, m ₁) n ₁group energy ezpenditure mean value n ₀+ n ₁=N, asks energy consumption average to time points all in E ', obtains two average energy consumption matrixes

$D_0(2^{16}\&times;T^{\&prime;})=\left(\begin{array}{ccc}d{0}_0^1& K& d{0}_0^T\\ M& d{0}_m^{\&prime;}& M\\ d{0}_{2^{16}-1}^1& L& d{0}_{2^{16}-1}^{T^{\&prime;}}\end{array}\right),D_1(2^{16}\&times;T^{\&prime;})=\left(\begin{array}{ccc}d{1}_0^1& K& d{1}_0^T\\ M& d{1}_m^{\&prime;}& M\\ d{1}_{2^{16}-1}^1& L& d{1}_{2^{16}-1}^{T^{\&prime;}}\end{array}\right)$

Correlation matrix in above-mentioned steps (4) between emulation energy consumption matrix H and energy consumption matrix E ' is $R(2^{16}\&times;T^{\&prime;})=\left(\begin{array}{ccc}{r}_{\mathrm{0,1}}& K& r_{0,T^{\&prime;}}\\ M& r_{m,t}& M\\ r_{2^{16}-\mathrm{1,1}}^1& L& r_{2^{16}-1,T^{\&prime;}}\end{array}\right),$ Wherein, $r_{m,t}=\frac{\underset{n=1}{\overset{N}{\mathrm{\&Sigma;}}}[h_m^n-\stackrel{\&OverBar;}{h_m^n}][e_t^{\&prime;n}-\stackrel{\&OverBar;}{e_t^{\&prime;n}}]}{\sqrt{\underset{n=1}{\overset{N}{\mathrm{\&Sigma;}}}{[h_m^n-\stackrel{\&OverBar;}{h_m^n}]}^2\underset{n=1}{\overset{N}{\mathrm{\&Sigma;}}}{[e_t^{\&prime;n}-\stackrel{\&OverBar;}{e_t^{\&prime;n}}]}^2}},$ for the mean value that matrix H m arranges, for the mean value that matrix E ' t arranges, choose the maximum in R r _{p, q}corresponding (k _r+9, k _r+5) conjecture value (p/2 ⁸, p%2 ⁸) be the correct secret key analyzed and obtain; Calculate average energy consumption matrix D ₀and D ₁difference, select the equal value difference of maximum energy consumption then corresponding conjecture round key (k _r+9, k _r+5) conjecture value (p/2 ⁸, p%2 ⁸) be the correct secret key value analyzed and obtain.

The technical scheme of the application has the following advantages, solve the defect that the current ZUC cryptographic algorithms' implementation to having mask safeguard procedures does not have concrete attack method, for ZUC algorithm specific mask protection implementation method, innovatively propose new secondary energy analytical method, open up the new situation that ZUC cryptographic algorithm is attacked, extend the side channel energy analysis means to ZUC algorithm, the method can carry out side channel energy analysis to ZUC cryptographic algorithms' implementation more comprehensively effectively; The method that technical scheme proposes simultaneously is for common mask safeguard procedures, practical, provides reference to existing mask protectiving scheme design.

Accompanying drawing explanation

Fig. 1 is Zu Chongzhi algorithm logic hierarchical chart;

Fig. 2 is S ₀box structure construction schematic diagram;

Fig. 3 is the signal of ZUC algorithm single order mask S box defense mechanism;

Fig. 4 is the second order point of attack position signal of the identical protection of ZUC algorithm S box output masking value;

Fig. 5 is the power consumption profile of the identical ZUC algorithm of S box output masking value;

Embodiment

Below technical scheme of the present invention is specifically described, first introducing the simple mask means of defence of single order, in order to save the memory space of S box, accelerating the efficiency of mask, designer can adopt 1 32 bit random i lumber m to carry out mask precomputation to ZUC algorithm F function the right and left S box, exports then the output of 8 S boxes only needs to carry out precomputation 4 S boxes, if make realization more efficient, can make m=(m ₀, m ₁, m ₀, m ₁), wherein m ₀, m ₁be the random number of 8 bits, then only need the preliminary treatment carrying out 2 S boxes.ZUC algorithm single order mask S box defense mechanism signal as shown in Figure 3, the input of limit, left and right S box is respectively ${{S\_\mathrm{in}}_R}^{\&prime;}={S\_\mathrm{in}}_R\&CirclePlus;n,$ Its output valve respectively ${R_1}^{\&prime;}=R_1\&CirclePlus;m,{R_2}^{\&prime;}=R_2\&CirclePlus;m,$ Wherein, m=(m ₀, m ₁, m ₂, m ₃), n=(n ₀, n ₁, n ₂, n ₃), i is followed successively by 0,1,2,3, x _ibe expressed as i-th byte of 32 x.For the mask scheme that above-mentioned S box output masking value is consistent, by the output of new S box carry out XOR cancellation mask, the point of attack that namely r (r is followed successively by 0,1,2,3,4) takes turns is $S\_{\mathrm{XorOut}}_r={R_{r,1}}^{\&prime;}\&CirclePlus;{R_{r,2}}^{\&prime;}=R_{r,1}\&CirclePlus;m\&CirclePlus;R_{r,2}\&CirclePlus;m=R_{r,1}\&CirclePlus;R_{r,2},$ Wherein, R _{r, 1}, R _{r, 2}, R _{r, 1}', R _{r, 2}' be respectively r to take turns the forward and backward S box output valve of mask.According to the structure of ZUC algorithm, modern R _{r, 1}=f ₁(iv, k _r+9), R _{r, 2}=f ₂(iv, k _r+5, k _r+9), f ₁, f ₂be respectively F function the right and left S box output function, with iv, k _r+9, k _r+5as parameter, then guess k respectively _r+9, k _r+5the key value of totally 16, carries out second order DPA/CPA and analyzes acquisition k _r+9, k _r+5right value; Take turns front 5 respectively and carry out second order side Multiple Channel Analysis, r is followed successively by 0,1,2,3,4, carries out second order DPA/CPA and analyzes 9 the round key bytes obtaining ZUC algorithm.Therefore, for the ZUC algorithm realization that S box output masking value is identical, the XOR S_XorOut that S box can be exported _ras the point of attack, carry out the channel energy analysis of second order side.The selection of the concrete point of attack as shown in Figure 4.

By the analysis selected the above-mentioned point of attack, can determine that the Zu Chongzhi cryptographic algorithm to possessing mask protection carries out side channel energy analytical method: collecting energy mark is set up energy consumption matrix E and carried out preliminary treatment and obtains the energy consumption matrix E ' after process; The 5 energy marks of taking turns before initialization are gathered as shown in Figure 5, for 5 taking turns image data, often wheel R respectively before initialization in frame for the ZUC algorithm of the single order that left and right S box output masking value is identical simple mask protection ₁, R ₂all with identical mask, wherein, the key value of initial input is: $\begin{array}{c}{k}_0=00,k_1=11,k_2=22,k_3=33,k_4=44,k_5=55,k_6=66,k_7=77\\ k_8=88,k_9=99,k_{10}=\mathrm{aa},k_{11}=\mathrm{bb},k_{12}=\mathrm{cc},k_{13}=\mathrm{dd},k_{14}=\mathrm{ee},k_{15}=\mathrm{ff}\end{array};$ Method for normalizing and subtraction absolute value methods is utilized to carry out preliminary treatment to energy consumption matrix respectively; ZUC algorithm F function the right and left S box is selected to export XOR value S_XorOut _ras the point of attack, use Hamming weight model, carry out CPA analysis; Adopt preprocess method to be that normalized analysis result is as shown in table 1, when coefficient correlation and maximum correlation coefficient rate value minimum, key conjecture value corresponding to its coefficient correlation maximum is correct key.

Table 1: preliminary treatment is normalized secondary energy analysis result

Same employing preprocess method is that subtraction absolute value methods carries out second order analysis, and experimental result is as shown in table 2, is analyzed as shown in Table 2 also can obtain correct key by secondary energy.

Table 2: when preliminary treatment is subtraction absolute value methods secondary energy analysis result

By the above-mentioned secondary energy analysis to the protection of single order mask, the known the application's of utilization method can go out the key of this protection and two kinds of different Analysis of Pretreatment Methods come to the same thing by successful analysis.

Technique scheme only embodies the optimal technical scheme of technical solution of the present invention, and those skilled in the art all embody principle of the present invention to some variations that wherein some part may be made, and belong within protection scope of the present invention.

Claims (5)

1. carry out a side channel energy analytical method to the Zu Chongzhi cryptographic algorithm possessing mask protection, it is characterized in that, the method comprises the steps:

(1) collecting energy mark is set up energy consumption matrix E and is carried out preliminary treatment and obtains the energy consumption matrix E ' after processing;

(2) ZUC algorithm F function the right and left S box is selected to export XOR value S_XorOut _rcalculate as the point of attack and obtain intermediary matrix V or determine DPA distinguishing funotion D by Hamming weight, single-bit respectively;

(3) computer sim-ulation energy consumption matrix H and two average energy consumption matrix D ₀and D ₁;

(4) the coefficient correlation determination correlation matrix R between computer sim-ulation energy consumption matrix H and energy consumption matrix E ', chooses the maximum r in R _{p, q}corresponding conjecture value is correct secret key; Or by calculating average energy consumption matrix D ₀and D ₁difference, obtain average energy consumption difference matrix Δ D=D ₁-D ₀, select maximum energy consumption equal value difference Δ d _p ^qcorresponding conjecture value is correct secret key;

(5) select S box arithmetic section, carry out 5 successively and take turns computing, the analytical method according to above-mentioned (2)-(4) can obtain all secret key information.

2. the Zu Chongzhi cryptographic algorithm to possessing mask protection according to claim 1 carries out side channel energy analytical method, it is characterized in that, the energy consumption matrix in step (1) $E(N\&times;T)=\left(\begin{array}{ccc}{e}_1^1& L& e_T^1\\ M& e_t^n& M\\ e_1^N& L& e_T^N\end{array}\right),$ Wherein, N is the energy mark number of the ZUC algorithm computing collected, and T is computing time used, it is the energy consumption values that n-th enciphering/deciphering computing produces at moment t; Carrying out pretreated process to energy consumption matrix E is: arrange S box and export the 1st byte and the time gap scope of a jth bytes on energy mark is min-max, wherein, min and max is respectively minimum, maximum time point distance, range=max-min+1, for every bar energy mark, select the u point in min-max scope successively, corresponding power consumption values with ---correspondence carries out preliminary treatment, and preprocess method is subtraction absolute value, multiplication or method for normalizing; Method for normalizing is, as u=min, $e_2^{\&prime;n}=(e_2^n-\frac{\underset{i=1}{\overset{n}{\mathrm{\&Sigma;}}}{e}_2^i}{n})(e_{\min +1}^n-\frac{\underset{i=1}{\overset{n}{\mathrm{\&Sigma;}}}{e}_{\min +1}^i}{n}),...,e_{T-\min +1}^{\&prime;n}=(e_{T-\min +1}^n-\frac{\underset{i=1}{\overset{n}{\mathrm{\&Sigma;}}}{e}_{T-\min +1}^i}{n})(e_T^n-\frac{\underset{i=1}{\overset{n}{\mathrm{\&Sigma;}}}{e}_T^i}{n}),$ As u=min+1, the like, wherein, n is energy mark number by analysis, and preliminary treatment obtains new energy consumption matrix $E^{\&prime;}(N\&times;T^{\&prime;})=\left(\begin{array}{ccc}{e}_1^{\&prime;1}& L& e_{T^{\&prime;}}^{\&prime;1}\\ M& e_t^{\&prime;n}& M\\ e_1^{\&prime;N}& L& e_{T^{\&prime;}}^{\&prime;N}\end{array}\right).$

3. the Zu Chongzhi cryptographic algorithm to possessing mask protection according to claim 1 carries out side channel energy analytical method, it is characterized in that, selects the ZUC algorithm F function the right and left S box as the point of attack to export XOR value in step (2) r _{r, 1}, R _{r, 2}be respectively the S box output valve before r wheel mask, r is followed successively by 0,1,2,3,4, R _{r, i}=f ₁(iv, k _r+9), R _{r, 2}=f ₂(iv, k _r+5,k _r+9), f ₁, f ₂be respectively F function the right and left S box output function, iv is initial vector; Intermediary matrix V is calculated as: select the secret key k of conjecture respectively _r+9, k _r+5totally 2 ¹⁶individual different value, substitutes into S_XorOut _rin obtain corresponding intermediary matrix $V(N\&times;2^{16})=\left(\begin{array}{ccc}{v}_0^1& K& v_{2^{16}-1}^1\\ M& v_m^n& M\\ v_0^N& L& v_{2^{16}-1}^N\end{array}\right),$ Wherein m=(m ₀, m ₁), k _{i, j}being expressed as i-th key conjecture value is j, i.e. j=k _{i, j}, iv " and be known initial vector, m ₀, m ₁be the random number of 8 bits; With Hamming weight, the determined DPA distinguishing funotion of single-bit method be respectively: $D({\mathrm{iv}}^n,k_{r+9,m_0},k_{r+5,m_1})=\left\{\begin{array}{cc}1& \mathrm{HW}(S\_{\mathrm{XorOut}}_r)<16\\ 0& \mathrm{HW}(S\_{\mathrm{XorOut}}_r)>16\end{array}\right.$ And wherein, in bit (x, p) (p ∈ { 0,1, L, 31}) i.e. median x, the value 0 or 1 of p bit, guesses S_XorOut respectively _rin round key (k _r+9, k _r+5) totally 2 ¹⁶individual different value, substitutes into then distinguishing funotion is the total number of 1 value $n_1=\underset{x=1}{\overset{N}{\mathrm{\&Sigma;}}}D({\mathrm{iv}}^n,k_{r+9,m_0},k_{r+5,m_1}),$ The total number of 0 value $n_1=\underset{x=1}{\overset{N}{\mathrm{\&Sigma;}}}(1-D({\mathrm{iv}}^n,k_{r+9,m_0},k_{r+5,m_1})).$

4. the Zu Chongzhi cryptographic algorithm to possessing mask protection according to claim 1 carries out side channel energy analytical method, it is characterized in that, emulation energy consumption matrix in step (3) $H(N\&times;2^8)=\left(\begin{array}{ccc}{h}_0^1& K& h_{2^8-1}^1\\ M& h_m^n& M\\ h_0^N& L& h_{2^8-1}^N\end{array}\right);$ Two average energy consumption matrix D ₀and D ₁computational process is: the middle time point t of energy consumption matrix E ', obtains the total power consumption average of this point two ${d0}_m^t=\frac{\underset{n=1}{\overset{N}{\mathrm{\&Sigma;}}}(1-D({\mathrm{iv}}^n,k_{r+9,m_0},k_{r+5,m_1}))e_t^{\&prime;n}}{n_0}$ With ${d1}_m^t=\frac{\underset{n=1}{\overset{N}{\mathrm{\&Sigma;}}}D({\mathrm{iv}}^n,k_{r+9,m_0},k_{r+5,m_1})e_t^{\&prime;n}}{n_1},$ Wherein, corresponding time point t conjecture value is m=(m ₀, m ₁) n ₀group energy ezpenditure mean value; corresponding time point t conjecture value is m=(m ₀, m ₁) n ₁group energy ezpenditure mean value n ₀+ n ₁=N, asks energy consumption average to time points all in E ', obtains two average energy consumption matrixes $D_0(2^{16}\&times;T^{\&prime;})=\left(\begin{array}{ccc}{d0}_0^1& K& {d0}_0^{T^{\&prime;}}\\ M& {d0}_m^t& M\\ {d0}_{2^{16}-1}^1& L& {d0}_{2^{16}-1}^{T^{\&prime;}}\end{array}\right),$

$D_1(2^{16}\&times;T^{\&prime;})=\left(\begin{array}{ccc}{d1}_0^1& K& {d1}_0^{T^{\&prime;}}\\ M& {d1}_m^t& M\\ {d1}_{2^{16}-1}^1& L& {d1}_{2^{16}-1}^{T^{\&prime;}}\end{array}\right).$

5. the Zu Chongzhi cryptographic algorithm to possessing mask protection according to claim 1 carries out side channel energy analytical method, and it is characterized in that, the correlation matrix in step (4) between emulation energy consumption matrix H and energy consumption matrix E ' is $R(2^{16}\&times;T^{\&prime;})=\left(\begin{array}{ccc}{r}_{\mathrm{0,1}}& K& r_{0,T^{\&prime;}}\\ M& r_{m,t}& M\\ r_{2^{16}-\mathrm{1,1}}^1& L& r_{2^{16}-1,T^{\&prime;}}\end{array}\right),$ Wherein, for the mean value that matrix H m arranges, for the mean value that matrix E ' t arranges, choose the maximum in R r _{p, q}corresponding (k _r+9, k _r+5) conjecture value (p/2 ⁸, p%2 ⁸) be the correct secret key analyzed and obtain; Calculate average energy consumption matrix D ₀and D ₁difference, select the equal value difference of maximum energy consumption then corresponding conjecture round key (k _r+9, k _r+5) conjecture value (p/2 ⁸, p%2 ⁸) be the correct secret key value analyzed and obtain.