Acta Electronica Sinica ›› 2020, Vol. 48 ›› Issue (10): 2003-2008. DOI: 10.3969/j.issn.0372-2112.2020.10.018

• Research Paper •

Key Advantage Template Attack Against AES-128 Algorithm

FAN Hao-peng1,2, YUAN Qing-jun1,2, WANG Xiang-yu1,2, WANG Yong-juan1,2, WANG Tao1,2

  1. Information Engineering University, Zhengzhou, Henan 450001, China;
  2. Henan Key Laboratory of Network Cryptography, Zhengzhou, Henan 450001, China
  • Received: 2019-07-05 Revised: 2020-06-07 Online: 2020-10-25 Published: 2020-10-25
    • About the authors:
    • FAN Hao-peng, male, born in April 1997 in Xinmi, Henan. He is currently a master's student at Strategic Support Force Information Engineering University; his main research interests are cyberspace security and side-channel analysis techniques. E-mail: fanhaopeng15gc@sina.com
      YUAN Qing-jun, male, born in 1993 in Hengshui, Hebei. He holds a master's degree and is a lecturer; his research interests are cyberspace security and side-channel analysis techniques. E-mail: gcxyuan@outlook.com
    • Supported by:
    • National Natural Science Foundation of China (No.61872381); Open Fund of Henan Key Laboratory of Network Cryptography Technology (No.LNCT2019-S02)

Abstract: A template attack consists of two stages: template characterization (profiling) and key recovery. Against the AES-128 algorithm, a template attack builds 256 templates for each key byte. When the attacker obtains only about 1000 energy (power) traces, two problems arise: the template characterization is not applicable, and the correct key cannot be recovered. To address these problems, this paper builds 9 templates for the Hamming weight of the S-box output value in the template characterization stage, using 600 traces provided by the Panda 2018 data set to build the model. In the key recovery stage, it proposes the method of key advantage superposition, which needs only about 10 traces produced by encryption under the same key to effectively distinguish the correct key. This method reduces the number of traces required in both the template characterization stage and the key recovery stage, lowers the difficulty of the template attack, and improves its success rate.

Key words: template attack, AES-128 algorithm, key advantage, Hamming weight model
