基於漢明差值與觸動計數模型之差分能量分析與實作-以AES晶片為例

Abstract

在我們當今的日常生活中，人類對於網路和3C產品的使用越來越頻繁，而秘密資訊便可利用這些產品來做傳遞。為了確保這些資訊安全，加密系統必須廣泛的使用在這些產品上。不過，加密系統雖然提供了這些產品的安全性，但沒有人可以保證這些加密系統是絕對的讓人放心。 差分能量分析攻擊法是一種可以從這些密碼系統中揭露出秘密資訊的威脅，而差分能量分析攻擊法的執行效率是根據於能量模型的選擇與建立。只要選擇與建立良好適合的能量模型，攻擊過程將可以省去很多的時間成本。本篇論文將以AES 90奈米製程的實體晶片為例，實行兩種不同能量模型的攻擊法。漢明差值模型便是其中一種，它的模型是依據於S-box的輸入端與輸出端的關係。利用漢明差值的差分能量分析攻擊法可以對於使用查表方式實現S-box的AES晶片成功攻擊。但根據實驗結果，如果AES晶片的S-box是用composite-field的方式實現的話，針對S-box輸出輸入端作攻擊的這種漢明差值便無法使我們成功攻擊這顆晶片。因此，我們必須找出替代的能量模型，針對S-box來攻擊，並且完成破解晶片的研究。而我們想使用這能量模型，觸動計數模型，來取代漢明差值模型。它統計了當S-box正在運行時所產生logic gate的所有轉換。

In our daily life, the applications of internet and 3C products are used more frequently. The secret information is transported through these applications. In order to ensure the information security, some cryptographic systems have been adopted widely. Cryptographic system indeed can provide the security. However, no one can ensure that cryptographic system can absolutely protect the information security. Differential power analysis (DPA) attack is one of the threats [11] that could reveal the secret in the cryptographic system. The main efficiency of DPA attack is depended on the power model of attack method. Getting suitable power model, it could cost less time to finish the attack. This thesis describes differential power analysis attack with two kinds of power models on an Advanced Encryption Standard (AES) chip fabricated in 90nm CMOS. One kind of power model is Hamming-Distance model that calculates the relationship between input and output of S-box. The differential power analysis attack with the Hamming-distance model can attack the AES chip based on look-up-table S-box successfully. But according to the experiment results, it cannot attack the AES chip based on composite-field S-box successfully. So, other power model should substitute for the Hamming-distance model to complete the DPA attack. The substitute power model is toggle-count model that get the statistics of the switching activities from the logic gates during the S-Box process.