
Security Evaluation for Fault Attacks on Lightweight Block Cipher Midori (cited by: 5)
Abstract: Midori is a lightweight block cipher with a 128-bit key, proposed at ASIACRYPT 2015. It is a family of two block ciphers, Midori64 and Midori128, with 64-bit and 128-bit block sizes respectively, and can be used to protect small computing devices in the IoT. The resistance of Midori64 and Midori128 against fault attacks is evaluated. First, the remaining key entropy of Midori after fault injection is estimated theoretically by analyzing the fault propagation path based on information theory. The theoretical results show that, based on the half-byte and byte fault models in round R–3, one fault injection can reduce the key entropy of Midori64 and Midori128 to about 68.47 and 8.03 bits, respectively. However, the computational complexity of analyzing faults in rounds R–2 to R–3 is unaffordable, and multiple fault injections can solve this problem. Then, the remaining key entropy of Midori is verified in practice using the differential fault analysis (DFA) technique. The results show that three random half-byte fault injections can reduce the key entropy of Midori64 to 8.10 bits, and two random byte fault injections can recover the full secret key of Midori128 (0 bits of remaining key entropy). Finally, exploiting the simplicity of Midori's algebraic equations, an algebraic technique is introduced into the fault attack on Midori, and algebraic fault analysis (AFA) is applied to optimize the DFA results. The results show that AFA can extend fault attacks on Midori64 to more complicated fault models: based on the byte fault model in round R–3 and the half-byte fault model in round R–4, four and ten fault injections, respectively, can recover the full 128-bit key of Midori64. AFA can also reduce the attack complexity on Midori128: based on the byte fault model in round R–3, a single fault injection can reduce the key entropy of Midori128 to less than 16 bits in 94% of cases. Thus, the last 5 rounds of Midori should be protected against fault attacks.
Source: Journal of Cryptologic Research (《密码学报》), CSCD, 2017, Issue 1, pp. 58-78 (21 pages)
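Funding: National Natural Science Foundation of China (61173191, 61272491, 61309021, 61472357, 61571063); Zhejiang University Special Fund for Young Researchers' Scientific Innovation (2015QNA5005); Key Laboratory of Secure Communication (9140C110602150C11053)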
Keywords: lightweight block cipher; Midori; differential fault analysis; algebraic fault analysis; security evaluation