山东建筑大学土木毕业设计外文文献及翻译

本科毕业设计外文文献及译文文献题目：CorrelationPowerAnalysiswithaLeakageModel文献、资料来源：期刊文献、资料发表（出版）日期：2004院（部）：土木工程学院专业：城市地下空间工程班级：地工121姓名：王玉铮学号：20120114008指导教师：钟世英翻译日期：2016.6.11山东建筑大学毕业设计外文文献及译文-1-外文文献：CorrelationPowerAnalysiswithaLeakageModelEricBrier,ChristopheClavier,andFrancisOlivierGemplusCardInternational,FranceSecurityTechnologyDepartment{eric.brier,christophe.clavier,francis.olivier}@gemplus.comAbstract.Aclassicalmodelisusedforthepowerconsumptionofcryptographicdevices.ItisbasedontheHammingdistanceofthedatahandledwithregardtoanunknownbutconstantreferencestate.OncevalidatedexperimentallyitallowsanoptimalattacktobederivedcalledCorrelationPowerAnalysis.ItalsoexplainsthedefectsofformerapproachessuchasdifferentialPowerAnalysis.Keywords:Correlationfactor,CPA,DPA,Hammingdistance,poweranalysis,DES,AES,securecryptographicdevice,sidechannel.1IntroductionInthescopeofstatisticalpoweranalysisagainstcryptographicdevices,twohistoricaltrendscanbeobserved.Thefirstoneisthewellknowndifferentialpoweranalysis(DPA)introducedbyPaulKocher[12,13]andformalizedbyThomasMessergesetal.[16].Thesecondonehasbeensuggestedinvariouspapers[8,14,18]andproposedtousethecorrelationfactorbetweenthepowersamplesandtheHammingweightofthehandleddata.Bothapproachesexhibitsomelimitationsduetounrealisticassumptionsandmodelimperfectionsthatwillbeexaminedmorethoroughlyinthispaper.ThisworkfollowspreviousstudiesaimingateitherimprovingtheHammingweightmodel[2],orenhancingtheDPAitselfbyvariousmeans[6,4].TheproposedapproachisbasedontheHammingdistancemodelwhichcanbeseenasageneralizationoftheHammingweightmodel.Allitsbasicassumptionswerealreadymentionedinvariouspapersfromyear2000[16,8,6,2].ButtheyremainedallusiveaspossibleexplanationofDPAdefectsandneverleadedtoanycompleteandconvenientexploitation.Ourexperimentalworkisasynthesisofthoseformerapproachesinordertogiveafullinsightonthedataleakage.Following[8,14,18]weproposetousethecorrelationpoweranalysis(CPA)toidentifythe山东建筑大学毕业设计外文文献及译文-2-parametersoftheleakagemodel.ThenweshowthatsoundandefficientattackscanbeconductedagainstunprotectedimplementationsofmanyalgorithmssuchasDESorAES.Thisstudydeliberatelyrestrictsitselftothescopeofsecretkeycryptographyalthoughitmaybeextendedbeyond.Thispaperisorganizedasfollows:Section2introducestheHammingdistancemodelandSection3provestherelevanceofthecorrelationfactor.ThemodelbasedcorrelationattackisdescribedinSection4withtheimpactonthemodelerrors.Section5addressestheestimationproblemandtheexperimentalresultswhichvalidatethemodelareexposedinSection6.Section7containsthecomparativestudywithDPAandaddressesmorespecificallytheso-called“ghostpeaks”problemencounteredbythosewhohavetodealwitherroneousconclusionswhenimplementingclassicalDPAonthesubstitutionboxesoftheDESfirstround:itisshowntherehowtheproposedmodelexplainsmanydefectsoftheDPAandhowthecorrelationpoweranalysiscanhelpinconductingsoundattacksinoptimalconditions.OurconclusionsummarizestheadvantagesanddrawbacksofCPAversusDPAandremindsthatcountermeasuresworkagainstbothmethodsaswell.2TheHammingDistanceConsumptionModelClassically,mostpoweranalysesfoundinliteraturearebasedupontheHammingweightmodel[13,16],thatisthenumberofbitssetinadataword.Inam-bitmicroprocessor,binarydataiscoded102mjjjdD,withthebitvaluesdj=0or1.ItsHammingweightissimplythenumberofbitssetto1,10)(mjjdDHItsintegervaluesstandbetween0andm.IfDcontainsmindependentanduniformlydistributedbits,thewholewordhasanaverageHammingweight2/mHandavariance4/2mH.Itisgenerallyassumedthatthedataleakagethroughthepowerside-channeldependsonthenumberofbitsswitchingfromonestatetotheother[6,8]atagiventime.Amicroprocessorismodeledasastatewheretransitionsfromstatetostatearetriggeredbyeventssuchastheedgesofaclocksignal.ThisseemsrelevantwhenlookingatalogicalelementarygateasimplementedinCMOStechnology.Thecurrentconsumedisrelatedtotheenergyrequiredtoflipthebitsfrom山东建筑大学毕业设计外文文献及译文-3-onestatetothenext.Itiscomposedoftwomaincontributions:thecapacitor’schargeandtheshortcircuitinducedbythegatetransition.Curiously,thiselementarybehavioriscommonlyadmittedbuthasnevergivenrisetoanysatisfactorymodelthatiswidelyapplicable.Onlyhardwaredesignersarefamiliarwithsimulationtoolstoforeseethecurrentconsumptionofmicroelectronicdevices.Ifthetransitionmodelisadopted,abasicquestionisposed:whatisthereferencestatefromwhichthebitsareswitched?Weassumeherethatthisreferencestateisaconstantmachineword,R,whichisunknown,butnotnecessarilyzero.Itwillalwaysbethesameifthesamedatamanipulationalwaysoccursatthesametime,althoughthisassumestheabsenceofanydesynchronizingeffect.Moreover,itisassumedthatswitchingabitfrom0to1orfrom1to0requiresthesameamountofenergyandthatallthemachinebitshandledatagiventimeareperfectlybalancedandconsumethesame.Theserestrictiveassumptionsarequiterealisticandaffordablewithoutanythoroughknowledgeofmicroelectronicdevices.Theyleadtoaconvenientexpressionfortheleakagemodel.IndeedthenumberofflippingbitstogofromRtoDisdescribedbyH(D⊕R)alsocalledtheHammingdistancebetweenDandR.ThisstatementenclosestheHammingweightmodelwhichassumesthatR=0.If