CN114785478B - Side channel correlation energy analysis method and system applied to polynomial hardware multiplication - Google Patents

Info

Publication number: CN114785478B
Authority: CN (China)
Prior art keywords: trace, energy, private key, energy trace, correlation coefficient
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202210321368.2A
Other languages: Chinese (zh)
Other versions: CN114785478A
Inventors: 刘伟强, 卢传超, 崔益军, 张卓尧, 倪子颖, 王成华
Current Assignee: Nanjing University of Aeronautics and Astronautics (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Nanjing University of Aeronautics and Astronautics
Application filed by Nanjing University of Aeronautics and Astronautics

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/002 Countermeasures against attacks on cryptographic mechanisms
    • H04L 9/36 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols with means for detecting characters not meant for transmission
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

The invention provides a side channel correlation energy analysis method and system applied to polynomial hardware multiplication. The method comprises the steps of obtaining all possible values of a sub-private key to be attacked; multiplying all possible values of the sub-private key with the public key polynomial vector respectively to obtain hypothesized product vectors; processing each hypothesized product vector with an attack function to obtain a hypothesized intermediate value trace; mapping the hypothesized intermediate value trace into a hypothesized energy trace using a Hamming distance model; obtaining an actually measured energy trace; calculating the correlation coefficient between the hypothesized energy trace and the actually measured energy trace; obtaining the maximum value of the correlation coefficient; and determining the sub-private key value corresponding to the maximum correlation coefficient as the best candidate sub-private key value. The invention requires few actually measured energy traces for analysis, can achieve the attack effect using only one energy trace, can carry out the attack without accurately locating the actually measured energy trace, and provides an evaluation means for testing the security of cryptographic equipment.

Description

Side channel correlation energy analysis method and system applied to polynomial hardware multiplication
Technical Field
The invention belongs to the technical field of side channel analysis, and particularly relates to a side channel correlation energy analysis method and system applied to polynomial hardware multiplication.
Background
Lattice-based post-quantum cryptography schemes are constructed on hard problems in lattices, and have strong security against quantum attacks because no efficient quantum algorithm is currently known for solving these lattice problems. Although most cryptographic systems in use today are theoretically secure, an actual implementation of a cryptosystem on an embedded device can often be attacked, and the key recovered, by analyzing the energy consumption of a particular computing operation. This type of attack is called a side channel attack. Typical side channel analysis methods include simple energy analysis, differential energy analysis, and correlation energy analysis.
In the practical operating environment of a cryptographic chip, simple energy analysis cannot directly and visually reveal the secret key because of unpredictable factors such as noise and glitches. Correlation energy analysis requires fewer energy traces than differential energy analysis and has stronger attack capability. Correlation energy analysis attacks by calculating the degree of correlation between the actually acquired energy trace and the attacker's hypothesized energy trace; its core idea is to compare the correlation by calculating the Pearson correlation coefficient.
Classical correlation energy analysis, namely vertical correlation energy analysis, varies the plaintext input and analyzes the correlation between the same point in a plurality of energy traces and the intermediate values generated by the different inputs, thereby recovering the key. Horizontal correlation energy analysis fully utilizes the intermediate values generated by the same operation executed a plurality of times on a single energy trace and analyzes the correlation between these intermediate values and the hypothesized energy trace to recover the key; it can be seen that horizontal correlation energy analysis makes higher use of the points on a single energy trace than vertical correlation energy analysis does. For ephemeral-key schemes, where only a small number of actually measured energy traces can be obtained, horizontal correlation energy analysis is more effective than vertical correlation energy analysis, but horizontal correlation energy analysis needs to know the exact attack point in advance for alignment, which requires an accurate positioning technique as support and certainly increases the technical difficulty.
Disclosure of Invention
Aiming at the defects in the prior art, the invention provides a side channel correlation energy analysis method and a system applied to polynomial hardware multiplication.
In a first aspect, the present invention provides a side channel correlation energy analysis method applied to polynomial hardware multiplication, comprising:
acquiring all possible values of the sub-private key to be attacked; wherein one sub-private key corresponds to one coefficient in the private key polynomial vector;
multiplying all possible values of the sub-private key with the public key polynomial vector respectively to obtain a hypothesized product vector;
adopting an attack function to respectively process each hypothesized product vector to obtain a hypothesized intermediate value trace;
mapping the hypothesized intermediate value trace into a hypothesized energy trace by adopting a Hamming distance model;
obtaining an actually measured energy trace;
calculating a correlation coefficient between the hypothesized energy trace and the actually measured energy trace;
obtaining the maximum value of the correlation coefficient;
and determining the sub-private key value corresponding to the maximum value of the correlation coefficient as the best candidate sub-private key value.
Further, the acquiring the measured energy trace includes:
A resistor is connected in series in the chip power supply branch of the FPGA board; the current drawn by the chip during operation produces a voltage drop across the resistor, and an oscilloscope is used to record the voltage drop across the resistor so as to obtain the actually measured energy trace. The hardware programmed onto the FPGA board is a lattice-based cryptosystem design that uses the schoolbook polynomial multiplication algorithm.
Further, the calculating the correlation coefficient between the hypothesized energy trace and the measured energy trace includes:
Calculating a correlation coefficient between the hypothetical energy trace and the measured energy trace according to the following formula:
Wherein ρ is the correlation coefficient between the hypothesized energy trace and the measured energy trace; cov() is covariance; var() is variance; X is the hypothesized energy trace; Y is the measured energy trace after preprocessing.
In a second aspect, the present invention provides a side channel correlation energy analysis system for use in polynomial hardware multiplication, comprising:
the first acquisition module, used for acquiring all possible values of the sub-private key to be attacked; wherein one sub-private key corresponds to one coefficient in the private key polynomial vector;
The vector multiplication module is used for multiplying all possible values of the sub-private key with the public key polynomial vector respectively to obtain an assumed product vector;
the vector processing module is used for respectively processing each hypothesized product vector by adopting an attack function to obtain a hypothesized intermediate value trace;
The mapping module is used for mapping the assumed intermediate value trace into an assumed energy trace by adopting a Hamming distance model;
The second acquisition module is used for acquiring the actually measured energy trace;
The calculation module is used for calculating a correlation coefficient between the hypothesized energy trace and the actually measured energy trace;
The third acquisition module is used for acquiring the maximum value of the correlation coefficient;
and the determining module is used for determining the sub private key value corresponding to the maximum value of the correlation coefficient as the best candidate sub private key value.
Further, the computing module includes:
a calculation unit for calculating a correlation coefficient between the assumed energy trace and the measured energy trace according to the following formula:
Wherein ρ is the correlation coefficient between the hypothesized energy trace and the measured energy trace; cov() is covariance; var() is variance; X is the hypothesized energy trace; Y is the measured energy trace after preprocessing.
The invention provides a side channel correlation energy analysis method and system applied to polynomial hardware multiplication. The method comprises the steps of obtaining all possible values of a sub-private key to be attacked, wherein one sub-private key corresponds to one coefficient in the private key polynomial vector; multiplying all possible values of the sub-private key with the public key polynomial vector respectively to obtain hypothesized product vectors; processing each hypothesized product vector with an attack function to obtain a hypothesized intermediate value trace; mapping the hypothesized intermediate value trace into a hypothesized energy trace using a Hamming distance model; obtaining an actually measured energy trace; calculating the correlation coefficient between the hypothesized energy trace and the actually measured energy trace; obtaining the maximum value of the correlation coefficient; and determining the sub-private key value corresponding to the maximum correlation coefficient as the best candidate sub-private key value. With this scheme, the invention requires few actually measured energy traces for analysis, can achieve the attack effect using only one energy trace, can carry out the attack without accurately locating the actually measured energy trace, and provides an evaluation means for testing the security of cryptographic equipment.
Drawings
In order to more clearly illustrate the technical solution of the present invention, the drawings that are needed in the embodiments will be briefly described below, and it will be obvious to those skilled in the art that other drawings can be obtained from these drawings without inventive effort.
Fig. 1 is a schematic structural diagram of a side channel correlation energy analysis method applied to polynomial hardware multiplication according to an embodiment of the present invention;
FIG. 2 is a flowchart of a method for analyzing side channel correlation energy applied to polynomial hardware multiplication according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a modular multiplication circuit according to an embodiment of the present invention;
FIG. 4 is a graph of the acquired measured energy trace provided by an embodiment of the present invention;
FIG. 5 is a diagram of an attack result provided by an embodiment of the present invention;
FIG. 6 is a graph of the accuracy evaluation result of a single energy trace according to an embodiment of the present invention;
FIG. 7 is a graph of the combined analysis accuracy of a plurality of energy traces according to an embodiment of the present invention;
fig. 8 is a schematic structural diagram of a side channel correlation energy analysis system applied to polynomial hardware multiplication according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The classical correlation energy analysis, i.e. the vertical correlation energy analysis, described in the background art, achieves the effect of recovering the key by changing the plaintext input, analyzing the correlation between the same point in the plurality of energy traces and the intermediate value generated corresponding to the different inputs. The horizontal correlation energy analysis fully utilizes the intermediate value generated by the same operation for a plurality of times on a single energy trace, analyzes the correlation between the intermediate value and the assumed energy trace to realize the effect of recovering the key, and can be seen that the utilization rate of the horizontal correlation energy analysis to the points on the single energy trace is higher than that of the vertical correlation energy analysis. For the transient key scheme, since only a small amount of actually measured energy traces can be obtained, the attack effect of the horizontal correlation energy analysis is more effective than that of the vertical correlation energy analysis, but the horizontal correlation energy analysis needs to know the exact attack point in advance for alignment, which requires an accurate positioning technology as a support, and certainly increases the technical difficulty.
Therefore, in order to solve the above-mentioned problems, the embodiment of the present invention provides a side channel correlation energy analysis method applied to polynomial hardware multiplication, as shown in fig. 1, fig. 1 is a schematic structural diagram of a side channel correlation energy analysis method applied to polynomial hardware multiplication.
Specifically, as shown in fig. 2, the method includes:
step S101, obtaining all possible values of a sub-private key to be attacked; wherein one of the child private keys corresponds to one of the coefficients in the private key polynomial vector.
By attacking one sub-private key at a time, all coefficients in the private key polynomial vector can be recovered one by one. Compared with attacking a plurality of sub-private keys simultaneously, this attack mode removes the mutual influence between sub-private key values: the sub-private keys can be recovered one by one simply by repeating the whole attack procedure, so the implementation difficulty is lower.
Since the private key polynomial vector of the R-LWE lattice cryptosystem attacked in this embodiment is generated by a cumulative distribution Gaussian sampler, each sub-private key has 63 possible values, so a 63-dimensional column vector composed of all hypothesized values is obtained in this step. If the design of the R-LWE lattice cryptosystem has a simple energy analysis (SPA) vulnerability, the number of hypothesized values for the sub-private key may be reduced further.
In step S102, all possible values of the sub-private key are multiplied by the public key polynomial vector respectively to obtain the hypothesized product vector.
The public key polynomial vector can be easily obtained from the communication channel of the public key encryption scheme. Multiplying all possible values of the sub-private key by the public key polynomial vector can be understood as multiplying a column vector by a row vector to obtain a matrix; the matrix is then split by rows, and each row vector thus obtained corresponds to one hypothesized product vector.
And step S103, adopting an attack function to process each hypothesized product vector respectively to obtain a hypothesized intermediate value trace.
As shown in fig. 3, a and b are two inputs with a bit width of 13 bits. They are multiplied by a multiplier to obtain a product x with a bit width of 26 bits, and a modular reduction is then performed with the prime modulus q = 7681; the reduction is simplified by a shift-based method:
1. t ← (x >> 13) + (x >> 17) + (x >> 21);
2. tq ← (t << 13) - (t << 9) + t;
3. r ← x - tq.
Symbol annotation: ">>" is a right shift operation, "<<" is a left shift operation, "←" is an assignment operation.
x[25:13], x[25:17] and x[25:21] shown in FIG. 3 all denote bit-selection operations on x[25:0]; the three resulting numbers are sent to an adder and added, which completes the calculation of step 1, and the result is stored in a register stage as the value t. Next, tq is calculated from t, namely the value of t shifted left by 9 bits is subtracted from the value of t shifted left by 13 bits and t itself is added, which completes step 2, and tq is stored in a register stage. Because t and tq occupy two register stages, x must also be passed through two register stages so that it stays aligned with tq; x is then subtracted by tq to complete step 3, and the result is stored in a further register stage as the value r. The value r is only an approximate remainder, so it is processed by three successive data selectors. The three selector stages are identical: each compares r with q, keeps r when r is smaller than q, and selects r - q when r is not smaller than q, so that the final result r lies within the modulus q.
The attack function is the combination of intermediate values [x, t, tq, r] produced in the process of obtaining r from x.
How the attack function is constructed is determined by the design structure of the hardware circuit. The registers in the circuit's pipeline structure store intermediate operation values, and the attack function reflects how the intermediate values change by combining the transition patterns of the key-dependent data in those registers. The construction can be as simple as using only the input registers or only the output registers, but an attack function designed that way is necessarily less effective; the more finely the attack function characterizes the circuit, the better the attack effect, but the finer the attack function, the more complex its design process.
Step S104, mapping the assumed intermediate value trace into an assumed energy trace by using a Hamming distance model.
The Hamming distance model counts the total number of 0→1 and 1→0 transitions that occur when one binary number changes into another. HD(x, y) denotes the Hamming distance between two numbers x and y: the two numbers are XORed bitwise, and the number of 1 bits in the XOR result is the Hamming distance. The Hamming weight model is not used because Hamming weight models are better suited to software-implemented cryptosystems, while Hamming distance models are more effective for hardware-implemented cryptosystems. The attack function and the Hamming distance model are both one-to-one mappings, so the structure of the matrix formed by the hypothesized product vectors is not changed.
Step S105, obtaining the actually measured energy trace.
The R-LWE hardware design attacked in this embodiment runs on a Xilinx Spartan-6 (XC6SLX9) FPGA board at a clock frequency of 50 MHz. A resistor is connected in series in the chip power supply branch of the FPGA board; the current drawn by the chip during operation produces a voltage drop across the resistor, and this voltage drop is recorded with an oscilloscope to reflect the real-time energy consumption of the chip. The oscilloscope used for acquisition is a Pico 3206D; two channels are used, sampling at intervals of 2 ns (500 MS/s), one channel set as the trigger that starts the oscilloscope recording and the other channel recording the energy consumption during chip operation. FIG. 4 is a graph of the measured energy trace of one sub-private key block that we collected; with our attack method the starting point of the measured energy trace does not need to be aligned.
How the actually measured energy trace is processed is determined by the sampling frequency of the oscilloscope and the clock frequency of the chip on the board: sampling points are taken from the actually measured energy trace at intervals given by the ratio of the sampling frequency to the chip clock frequency, to construct the energy trace used for correlation calculation. In the experimental environment of this embodiment there are 10 sampling points per clock cycle, so we take 1 data point every 10 sampling points, N times in total, to construct the energy trace for correlation calculation. The exact total number of data points is determined by the dimension of the hypothesized product vector; because the modular multiplication circuit has a pipeline structure, the beginning of a sub-private key block overlaps with the previous sub-private key block, so the energy trace for correlation calculation is constructed from fewer than N points. The hardware programmed onto the FPGA board is a lattice-based cryptosystem design that uses the schoolbook polynomial multiplication algorithm.
In step S106, a correlation coefficient between the assumed energy trace and the measured energy trace is calculated.
Calculating a correlation coefficient between the hypothetical energy trace and the measured energy trace according to the following formula:
Wherein ρ is the correlation coefficient between the hypothesized energy trace and the measured energy trace; cov() is covariance; var() is variance; X is the hypothesized energy trace; Y is the measured energy trace after preprocessing.
Step S107, a correlation coefficient maximum value is acquired.
Step S108, determining the sub private key value corresponding to the maximum value of the correlation coefficient as the best candidate sub private key value.
The initial sampling point of the constructed energy trace is not fixed and is moved across the entire sub-private key energy trace, so the correlation coefficient is computed in a point-by-point sliding manner, and the correlation coefficient curve is drawn against the serial number of the initial sampling point. Therefore, the point with the largest value on the whole correlation curve marks the position aligned with the start of the measured energy trace, and the hypothesized sub-private key value to which that point belongs is the best candidate sub-private key value.
In addition, the actually measured energy trace is preprocessed by using a low-pass filter, so that high-frequency noise components in the actually measured energy trace are reduced, and the attack accuracy is further improved.
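The following is an added example written for this page, not code from the patent or its authors. It models the q = 7681 shift-based reduction pipeline of steps 1 to 3 (with the three selector stages), the Hamming distance attack function [x, t, tq, r], and the sliding Pearson correlation of steps S104 to S108 on a synthetic trace; it also reproduces the zero-variance failure noted later, where a candidate that keeps every register at 0 yields no usable correlation. The candidate range -31..31, the filler and noise model, and the neglect of pipeline skew between registers are assumptions of the example.

```python
# Added example (not the patent's code): software model of the q = 7681 shift
# reduction pipeline and of the Hamming-distance / sliding-correlation step.
# The "measured" trace is constructed here; nothing is acquired from hardware.
import math
import random

Q = 7681                      # prime modulus from the text: 2^13 - 2^9 + 1
HYPOTHESES = range(-31, 32)   # 63 candidate coefficients (range is assumed)


def pipeline_registers(x):
    """Register contents [x, t, tq, r] for a 26-bit product x, following
    steps 1-3 of the text. r is the approximate remainder, 0 <= r < 4q."""
    t = (x >> 13) + (x >> 17) + (x >> 21)   # step 1: t approximates x / q
    tq = (t << 13) - (t << 9) + t           # step 2: t * 7681 via shifts
    r = x - tq                              # step 3: approximate remainder
    return [x, t, tq, r]


def mod_q(x):
    """Full reduction: approximate remainder plus the three selector stages."""
    r = pipeline_registers(x)[3]
    for _ in range(3):                      # keep r if r < q, else take r - q
        r = r - Q if r >= Q else r
    return r


def check_reduction(n_samples, seed=1):
    """Sanity check: the shift pipeline agrees with x % q for random 13-bit
    inputs, and its approximate remainder always stays below 4q."""
    rng = random.Random(seed)
    for _ in range(n_samples):
        x = rng.randrange(Q) * rng.randrange(Q)
        r_approx = pipeline_registers(x)[3]
        if not (0 <= r_approx < 4 * Q) or mod_q(x) != x % Q:
            return False
    return True


def hamming_distance(u, v):
    return bin(u ^ v).count("1")


def hd_trace(products):
    """Hamming-distance leakage model of the attack function [x, t, tq, r]:
    one value per product, the bit flips summed over all four registers
    relative to the previous product (pipeline skew ignored, an assumption)."""
    prev = [0, 0, 0, 0]
    trace = []
    for x in products:
        regs = pipeline_registers(x)
        trace.append(sum(hamming_distance(p, c) for p, c in zip(prev, regs)))
        prev = regs
    return trace


def pearson(xs, ys):
    """Pearson correlation cov(X,Y)/sqrt(var(X)var(Y)); None when either trace
    is constant, which is the all-registers-at-0 failure mode of the text."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0.0 or vy == 0.0:
        return None
    return cov / math.sqrt(vx * vy)


def rank_hypotheses(measured, pub):
    """Sliding correlation of the text: each candidate coefficient is correlated
    at every start offset because the trace start is not aligned. Returns
    (best_candidate, best_offset, best_rho) and the peak per candidate."""
    best = (None, None, -2.0)
    peaks = {}
    for s in HYPOTHESES:
        hyp = hd_trace([(s % Q) * a for a in pub])   # hypothesized products
        n = len(hyp)
        peak, peak_off = None, None
        for off in range(len(measured) - n + 1):
            rho = pearson(hyp, measured[off:off + n])
            if rho is not None and (peak is None or rho > peak):
                peak, peak_off = rho, off
        peaks[s] = peak
        if peak is not None and peak > best[2]:
            best = (s, peak_off, peak)
    return best, peaks


def simulate(secret, n_coeffs=64, prefix=17, noise_sd=0.5, seed=7):
    """Constructed trace for one secret coefficient: its HD leakage embedded at
    an unknown offset between filler samples, plus Gaussian noise."""
    rng = random.Random(seed)
    pub = [rng.randrange(Q) for _ in range(n_coeffs)]  # public polynomial
    leak = hd_trace([(secret % Q) * a for a in pub])
    filler = [rng.uniform(0, 40) for _ in range(2 * prefix)]
    raw = filler[:prefix] + leak + filler[prefix:]
    measured = [v + rng.gauss(0, noise_sd) for v in raw]
    (s, off, rho), peaks = rank_hypotheses(measured, pub)
    return {"recovered": s, "offset": off, "rho": rho,
            "peaks": peaks, "true_offset": prefix}


if __name__ == "__main__":
    print("reduction matches x % q:", check_reduction(2000))
    res = simulate(secret=-5)
    print(res["recovered"], res["offset"], round(res["rho"], 4), res["peaks"][0])
```

The peak for candidate 0 comes back as None because every register stays 0 for that hypothesis, which is the evaluator's view of why some sub-private key values are recovered less reliably.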
The result of the attack on the energy trace of fig. 4 is shown in fig. 5, where the light curve is the superposition of the correlation curves of all incorrectly hypothesized sub-private keys and the dark curve is the correlation curve of the correctly hypothesized sub-private key. The lower graph of fig. 5 is an enlarged view of part of the upper graph; the dark curve has a higher peak than the light curve, which indicates that the attack successfully recovered the sub-private key there. The sub-private keys can be recovered one by one by repeating all the attack steps.
To evaluate the accuracy of the analysis method on a single energy trace, the embodiment of the invention collected 5000 energy traces. The attack result is shown in fig. 6, where the horizontal axis is the serial number of the sub-private key and the vertical axis is the accuracy of successful recovery; the result shows that the average accuracy of successfully recovering any one sub-private key is 99.90%. However, certain individual sub-private key values cause a plurality of registers in the circuit to remain 0 throughout that round of calculation, which greatly weakens the descriptive power of the attack function, so the recovery accuracy for those sub-private keys is significantly lower than for the others; as a result, the accuracy of successfully recovering all sub-private keys, i.e. an entire private key polynomial vector, drops to 76.41%.
In addition, the accuracy of combined analysis over a plurality of energy traces was tested, with the result shown in fig. 7: the combined analysis accuracy with two energy traces reaches 98.08%, and with five energy traces reaches 100%.
As shown in fig. 8, an embodiment of the present invention provides a side channel correlation energy analysis system applied to polynomial hardware multiplication, including:
a first obtaining module 10, configured to obtain all possible values of the subprivate key to be attacked; wherein one of the child private keys corresponds to one of the coefficients in the private key polynomial vector.
The vector multiplication module 20 is configured to multiply all possible values of the sub-private key with the public key polynomial vector respectively, so as to obtain a hypothetical product vector.
The vector processing module 30 is configured to process each hypothesized product vector by using an attack function, so as to obtain a hypothesized intermediate value trace.
A mapping module 40, configured to map the hypothesized intermediate value trace into a hypothesized energy trace using a hamming distance model.
A second acquisition module 50 for acquiring the measured energy trace.
A calculation module 60 for calculating a correlation coefficient between the hypothetical energy trace and the measured energy trace.
A third obtaining module 70, configured to obtain a maximum value of the correlation coefficient.
The determining module 80 is configured to determine a sub-private key value corresponding to the maximum value of the correlation coefficient as the best candidate sub-private key value.
Optionally, the computing module includes:
a calculation unit for calculating a correlation coefficient between the assumed energy trace and the measured energy trace according to the following formula:
Wherein ρ is the correlation coefficient between the hypothesized energy trace and the measured energy trace; cov() is covariance; var() is variance; X is the hypothesized energy trace; Y is the measured energy trace after preprocessing.
The same or similar parts of the various embodiments in this specification may be referred to from one another. In particular, since the system embodiments are substantially similar to the method embodiments, their description is relatively brief, and reference may be made to the description of the method embodiments.
The invention has been described in detail in connection with the specific embodiments and exemplary examples thereof, but such description is not to be construed as limiting the invention. It will be understood by those skilled in the art that various equivalent substitutions, modifications or improvements may be made to the technical solution of the present invention and its embodiments without departing from the spirit and scope of the present invention, and these fall within the scope of the present invention. The scope of the invention is defined by the appended claims.

Claims (5)

1. A side channel correlation energy analysis method applied to polynomial hardware multiplication, comprising:
acquiring all possible values of the sub-private key to be attacked; wherein one sub-private key corresponds to one coefficient in the private key polynomial vector;
multiplying all possible values of the sub-private key with the public key polynomial vector respectively to obtain an assumed product vector;
Adopting an attack function to respectively process each hypothesized product vector to obtain a hypothesized intermediate value trace;
mapping the assumed intermediate value trace into an assumed energy trace by adopting a Hamming distance model;
obtaining an actually measured energy trace;
calculating a correlation coefficient between the hypothesized energy trace and the actually measured energy trace;
obtaining the maximum value of the correlation coefficient;
and determining the sub private key value corresponding to the maximum value of the correlation coefficient as the best candidate sub private key value.
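The eight steps of claim 1, carried through end to end on simulated data, as an added example that is not part of the patent or of any implementation by its inventors. It is written from an evaluator's viewpoint: the correlation table it returns is what one inspects to judge how far a schoolbook multiplier's leakage separates the correct coefficient from the others. Everything not in the claims is an assumption: the Kyber-like modulus `Q = 3329`, the five-value coefficient range, the choice of attack function (the product register's consecutive contents), a register that starts at 0, the 64-coefficient public key, and the Gaussian noise standing in for oscilloscope measurement. The Hamming distance model is the one the claims name; the Pearson correlation coefficient follows the variables defined in claim 3.

```python
import math
import random

# Constructed toy parameters (assumptions, not values from the patent):
# a Kyber-like modulus and a small signed coefficient range, so that one
# sub-private key has only five possible values.
Q = 3329
SUBKEY_CANDIDATES = [-2, -1, 0, 1, 2]


def hamming_weight(v: int) -> int:
    """Number of set bits in a non-negative integer."""
    return bin(v).count("1")


def hypothetical_intermediates(subkey: int, pubkey: list) -> list:
    """Step 2: the assumed product vector s_i * b_j mod q that a schoolbook
    multiplier writes into its product register, one entry per public coefficient."""
    return [(subkey * b) % Q for b in pubkey]


def attack_function(products: list) -> list:
    """Step 3 (assumed attack function): pair each product with the register
    value it overwrites, i.e. the previous product; the register is taken to
    start at 0. The pairs form the hypothesized intermediate-value trace."""
    prev = 0
    trace = []
    for p in products:
        trace.append((prev, p))
        prev = p
    return trace


def hamming_distance_model(intermediates: list) -> list:
    """Step 4: map the intermediate-value trace to a hypothetical energy trace;
    the Hamming distance model counts the bits that toggle on each register update."""
    return [hamming_weight(a ^ b) for a, b in intermediates]


def hypothetical_energy_trace(subkey: int, pubkey: list) -> list:
    """Steps 2 to 4 chained for one candidate sub-private key."""
    return hamming_distance_model(attack_function(hypothetical_intermediates(subkey, pubkey)))


def pearson(x: list, y: list) -> float:
    """Step 6: rho = cov(X, Y) / sqrt(var(X) * var(Y)).
    A constant hypothesis (sub-key 0 makes every product 0) has zero variance;
    report 0.0 rather than dividing by zero, so it can never be selected."""
    n = len(x)
    if n != len(y) or n < 2:
        raise ValueError("traces must have equal length >= 2")
    mx = sum(x) / n
    my = sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y)) / n
    var_x = sum((a - mx) ** 2 for a in x) / n
    var_y = sum((b - my) ** 2 for b in y) / n
    if var_x == 0.0 or var_y == 0.0:
        return 0.0
    return cov / math.sqrt(var_x * var_y)


def simulate_measured_trace(true_subkey: int, pubkey: list, noise_sigma: float, rng) -> list:
    """Step 5, constructed stand-in for the oscilloscope capture of claim 2:
    the true Hamming-distance leakage plus Gaussian measurement noise."""
    clean = hypothetical_energy_trace(true_subkey, pubkey)
    return [v + rng.gauss(0.0, noise_sigma) for v in clean]


def rank_subkey_candidates(measured: list, pubkey: list, candidates=SUBKEY_CANDIDATES):
    """Steps 6 to 8: correlate every candidate's hypothetical trace with the
    measured trace and pick the maximum. The full score table is returned as
    well, because the margin between best and second-best candidate is the
    figure an evaluator reports, not only the winner."""
    scores = {s: pearson(hypothetical_energy_trace(s, pubkey), measured) for s in candidates}
    best = max(scores, key=scores.get)
    return best, scores


if __name__ == "__main__":
    rng = random.Random(2022)              # constructed, seeded for repeatability
    pubkey = [rng.randrange(Q) for _ in range(64)]
    true_subkey = -1
    measured = simulate_measured_trace(true_subkey, pubkey, noise_sigma=1.0, rng=rng)
    best, scores = rank_subkey_candidates(measured, pubkey)
    for s, rho in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"candidate {s:+d}: rho = {rho:+.3f}")
    print("best candidate:", best, "(true:", true_subkey, ")")
```

Raising `noise_sigma` or shortening `pubkey` in the demo shows the two knobs an evaluator cares about: how much measurement noise, or how few multiplier operations per trace, still leave the correct coefficient on top of the table. The zero-variance guard in `pearson` matters in practice as well as in the toy: any candidate whose hypothesis predicts no switching activity at all yields an undefined coefficient, and silently treating it as 1.0 or NaN would corrupt the argmax in step 8.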
2. The side channel correlation energy analysis method of claim 1, wherein the obtaining the actually measured energy trace comprises:
connecting a resistor in series on the chip power supply branch of an FPGA board, so that the current drawn by the chip during operation produces a voltage drop across the resistor, and collecting the voltage drop across the resistor with an oscilloscope to obtain the actually measured energy trace; wherein the hardware programmed onto the FPGA board is a lattice-based cryptosystem that uses the schoolbook polynomial multiplication algorithm.
3. The side channel correlation energy analysis method of claim 1, wherein the calculating a correlation coefficient between the hypothesized energy trace and the measured energy trace comprises:
Calculating a correlation coefficient between the hypothetical energy trace and the measured energy trace according to the following formula:
Wherein ρ is the correlation coefficient between the hypothetical energy trace and the measured energy trace; cov() is the covariance; var() is the variance; X is the hypothetical energy trace; Y is the measured energy trace after preprocessing.
4. A side channel correlation energy analysis system applied to polynomial hardware multiplication, comprising:
a first acquisition module for acquiring all possible values of the sub-private key to be attacked; wherein one sub-private key corresponds to one coefficient in the private key polynomial vector;
The vector multiplication module is used for multiplying all possible values of the sub-private key with the public key polynomial vector respectively to obtain an assumed product vector;
the vector processing module is used for respectively processing each hypothesized product vector by adopting an attack function to obtain a hypothesized intermediate value trace;
The mapping module is used for mapping the assumed intermediate value trace into an assumed energy trace by adopting a Hamming distance model;
The second acquisition module is used for acquiring the actually measured energy trace;
The calculation module is used for calculating a correlation coefficient between the hypothesized energy trace and the actually measured energy trace;
The third acquisition module is used for acquiring the maximum value of the correlation coefficient;
and the determining module is used for determining the sub private key value corresponding to the maximum value of the correlation coefficient as the best candidate sub private key value.
5. The side channel correlation energy analysis system of claim 4, wherein the computing module comprises:
a calculation unit for calculating a correlation coefficient between the assumed energy trace and the measured energy trace according to the following formula:
Wherein ρ is the correlation coefficient between the hypothetical energy trace and the measured energy trace; cov() is the covariance; var() is the variance; X is the hypothetical energy trace; Y is the measured energy trace after preprocessing.
CN202210321368.2A 2022-03-30 2022-03-30 Side channel correlation energy analysis method and system applied to polynomial hardware multiplication Active CN114785478B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210321368.2A CN114785478B (en) 2022-03-30 2022-03-30 Side channel correlation energy analysis method and system applied to polynomial hardware multiplication

Publications (2)

Publication Number Publication Date
CN114785478A CN114785478A (en) 2022-07-22
CN114785478B true CN114785478B (en) 2024-07-09

Family

ID=82424679

Country Status (1)

Country Link
CN (1) CN114785478B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115051787A (en) * 2022-08-11 2022-09-13 紫光同芯微电子有限公司 Side channel data alignment method and device
CN115412360A (en) * 2022-09-02 2022-11-29 南京航空航天大学 Side channel correlation energy analysis method and system applied to ring polynomial multiplier
CN115801264A (en) * 2022-10-12 2023-03-14 中国电子科技集团公司第三十研究所 Physical attack method, medium, equipment and system for elliptic curve digital signature
CN117560135A (en) * 2023-11-14 2024-02-13 北京智芯微电子科技有限公司 Method, system, device and storage medium for detecting capability of resisting energy analysis attack

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104811295A (en) * 2015-05-05 2015-07-29 国家密码管理局商用密码检测中心 Side channel energy analysis method for ZUC cryptographic algorithm with mask protection
CN104836666A (en) * 2015-04-20 2015-08-12 成都信息工程学院 Power analysis attack method for SM2 decryption algorithm

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103166752B (en) * 2013-01-25 2016-04-27 国家密码管理局商用密码检测中心 Round function is selected to be the application that object of attack carries out the channel energy analysis of SM4 cryptographic algorithm side
EP3402118A1 (en) * 2017-05-10 2018-11-14 Koninklijke Philips N.V. Key agreement devices and method

Similar Documents

Publication Publication Date Title
CN114785478B (en) Side channel correlation energy analysis method and system applied to polynomial hardware multiplication
Kocher et al. Introduction to differential power analysis
Medwed et al. Template attacks on ECDSA
Handschuh et al. A timing attack on RC5
CN104796250B (en) The side-channel attack method realized for rsa cryptosystem algorithm M-ary
CN104836666A (en) Power analysis attack method for SM2 decryption algorithm
Homma et al. Comparative power analysis of modular exponentiation algorithms
Chen et al. An efficient non-profiled side-channel attack on the CRYSTALS-Dilithium post-quantum signature
CN104811297B (en) Modular multiplication remainder input side-channel attack is realized for the M-ary of RSA
Ngo et al. Side-channel attacks on lattice-based KEMs are not prevented by higher-order masking
CN116073988A (en) Hybrid denoising-based method for detecting energy analysis attack resistance
Campos et al. Patient Zero & Patient Six: Zero-Value and Correlation Attacks on CSIDH and SIKE
CN115412360A (en) Side channel correlation energy analysis method and system applied to ring polynomial multiplier
CN113158179A (en) Learning side channel attack method for automatically discovering leakage model and encryption equipment
Paulsrud A side channel attack on a higher-order masked software implementation of saber
Lemke-Rust et al. Analyzing side channel leakage of masked implementations with stochastic methods
CN113037495B (en) Safety evaluation method of elliptic curve signature algorithm
Zhang et al. A novel template attack on wnaf algorithm of ECC
Lu et al. A novel combined correlation power analysis (CPA) attack on schoolbook polynomial multiplication in lattice-based cryptosystems
Tena-Sánchez et al. Optimized DPA attack on Trivium stream cipher using correlation shape distinguishers
Steinwandt et al. A theoretical DPA-based cryptanalysis of the NESSIE candidates FLASH and SFLASH
Meritt Differential power analysis attacks on aes
Lu et al. Horizontal correlation analysis without precise location on schoolbook polynomial multiplication of lattice-based cryptosystem
Lee et al. A practical collision-based power analysis on RSA prime generation and its countermeasure
CN113965324B (en) Private key recovery method and system for realizing modular reduction attack based on RSA-CRT (rivest-Shamir-Adleman-Critical) of template

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant