Urban Underground Space Engineering: Chinese-English Parallel Translation of Foreign Literature.docx
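Chinese-English parallel translation of a foreign paper
(The document contains the English original and a Chinese translation)
Foreign-language paper: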
Correlation Power Analysis with a Leakage Model
Abstract. A classical model is used for the power consumption of cryptographic devices. It is based on the Hamming distance of the data handled with regard to an unknown but constant reference state. Once validated experimentally it allows an optimal attack to be derived called Correlation Power Analysis. It also explains the defects of former approaches such as differential Power Analysis.
Keywords: Correlation factor, CPA, DPA, Hamming distance, power analysis, DES, AES, secure cryptographic device, side channel.
1 Introduction
In the scope of statistical power analysis against cryptographic devices, two historical trends can be observed. The first one is the well known differential power analysis (DPA) introduced by Paul Kocher [12,13] and formalized by Thomas Messerges et al. [16]. The second one has been suggested in various papers [8,14,18] and proposed to use the correlation factor between the power samples and the Hamming weight of the handled data. Both approaches exhibit some limitations due to unrealistic assumptions and model imperfections that will be examined more thoroughly in this paper. This work follows previous studies aiming at either improving the Hamming weight model [2], or enhancing the DPA itself by various means [6,4].
The proposed approach is based on the Hamming distance model which can be seen as a generalization of the Hamming weight model. All its basic assumptions were already mentioned in various papers from year 2000 [16,8,6,2]. But they remained allusive as possible explanation of DPA defects and never led to any complete and convenient exploitation. Our experimental work is a synthesis of those former approaches in order to give a full insight on the data leakage. Following [8,14,18] we propose to use the correlation power analysis (CPA) to identify the parameters of the leakage model. Then we show that sound and efficient attacks can be conducted against unprotected implementations of many algorithms such as DES or AES. This study deliberately restricts itself to the scope of secret key cryptography although it may be extended beyond.
This paper is organized as follows: Section 2 introduces the Hamming distance model and Section 3 proves the relevance of the correlation factor. The model based correlation attack is described in Section 4 with the impact on the model errors. Section 5 addresses the estimation problem and the experimental results which validate the model are exposed in Section 6. Section 7 contains the comparative study with DPA and addresses more specifically the so-called “ghost peaks” problem encountered by those who have to deal with erroneous conclusions when implementing classical DPA on the substitution boxes of the DES first round: it is shown there how the proposed model explains many defects of the DPA and how the correlation power analysis can help in conducting sound attacks in optimal conditions. Our conclusion summarizes the advantages and drawbacks of CPA versus DPA and reminds that countermeasures work against both methods as well.
2 The Hamming Distance Consumption Model
Classically, most power analyses found in literature are based upon the Hamming weight model [13,16], that is the number of bits set in a data word. In an m-bit microprocessor, binary data is coded
with the bit values dj = 0 or 1. Its Hamming weight is simply the number of bits set to 1,
Its integer values stand between 0 and m. If D contains m independent and uniformly distributed bits, the whole word has an average Hamming weight
and a variance
.
It is generally assumed that the data leakage through the power side-channel depends on the number of bits switching from one state to the other [6,8] at a given time. A microprocessor is modeled as a state where transitions from state to state are triggered by events such as the edges of a clock signal. This seems relevant when looking at a logical elementary gate as implemented in CMOS technology. The current consumed is related to the energy required to flip the bits from one state to the next. It is composed of two main contributions: the capacitor’s charge and the short circuit induced by the gate transition. Curiously, this elementary behavior is commonly admitted but has never given rise to any satisfactory model that is widely applicable. Only hardware designers are familiar with simulation tools to foresee the current consumption of microelectronic devices.
If the transition model is adopted, a basic question is posed: what is the reference state from which the bits are switched? We assume here that this reference state is a constant machine word, R, which is unknown, but not necessarily zero. It will always be the same if the same data manipulation always occurs at the same time, although this assumes the absence of any desynchronizing effect. Moreover, it is assumed that switching a bit from 0 to 1 or from 1 to 0 requires the same amount of energy and that all the machine bits handled at a given time are perfectly balanced and consume the same.
These restrictive assumptions are quite realistic and affordable without any thorough knowledge of microelectronic devices. They lead to a convenient expression for the leakage model. Indeed the number of flipping bits to go from R to D is described by H(D ⊕ R) also called the Hamming distance between D and R. This statement encloses the Hamming weight model which assumes that R = 0. If D is a uniform random variable, so is D ⊕ R, and H(D ⊕ R) has the same mean m/2 and variance m/4 as H(D).
We also assume a linear relationship between the current consumption and H(D ⊕ R). This can be seen as a limitation but considering a chip as a large set of elementary electrical components, this linear model fits reality quite well. It does not represent the entire consumption of a chip but only the data dependent part. This does not seem unrealistic because the bus lines are usually considered as the most consuming elements within a micro-controller. All the remaining things in the power consumption of a chip are assigned to a term denoted b which is assumed independent from the other variables: it encloses offsets, time dependent components and noise. Therefore the basic model for the data dependency can be written:
where a is a scalar gain between the Hamming distance and W the power consumed.
3 The Linear Correlation Factor
A linear model implies some relationships between the variances of the different terms considered as random variables:
Classical statistics introduce the correlation factor ρWH between the Hamming distance and the measured power to assess the linear model fitting rate. It is the covariance between both random variables normalized by the product of their standard deviations. Under the uncorrelated noise assumption, this definition leads to:
This equation complies with the well known property: −1 ≤ ρWH ≤ +1: for a perfect model the correlation factor tends to ±1 if the variance of noise tends to 0, the sign depending on the sign of the linear gain a. If the model applies only to l independent bits amongst m, a partial correlation still exists:
4 Secret Inference Based on Correlation Power Analysis
The relationships written above show that if the model is valid the correlation factor is maximized when the noise variance is minimum. This means that ρWH can help to determine the reference state R. Assume, just like in DPA, that a set of known but randomly varying data D and a set of related power consumption W are available. If the 2^m possible values of R are scanned exhaustively they can be ranked by the correlation factor they produce when combined with the observation W. This is not that expensive when considering an 8-bit micro-controller, the case with many of today’s smart cards, as only 256 values are to be tested. On 32-bit architectures this exhaustive search cannot be applied as such. But it is still possible to work with partial correlation or to introduce prior knowledge.
Let R be the true reference and H = H(D ⊕ R) the right prediction on the Hamming distance. Let R′ represent a candidate value and H′ the related model H′ = H(D ⊕ R′). Assume a value of R′ that has k bits that differ from those of R, then: H(R ⊕ R′) = k. Since b is independent from other variables, the correlation test leads to (see [5]):
This formula shows how the correlation factor is capable of rejecting wrong candidates for R. For instance, if a single bit is wrong amongst an 8-bit word, the correlation is reduced by 1/4. If all the bits are wrong, i.e. R′ = ¬R, then an anti-correlation should be observed with ρWH′ = −ρWH. In absolute value or if the linear gain is assumed positive (a > 0), there cannot be any R′ leading to a higher correlation rate than R. This proves the uniqueness of the solution and therefore how the reference state can be determined.
This analysis can be performed on the power trace assigned to a piece of code while manipulating known and varying data. If we assume that the handled data is the result of a XOR operation between a secret key word K and a known message word M, D = K ⊕ M, the procedure described above, i.e. exhaustive search on R and correlation test, should lead to K ⊕ R associated with max(ρWH). Indeed if a correlation occurs when M is handled with respect to R1, another has to occur later on, when M ⊕ K is manipulated in turn, possibly with a different reference state R2 (in fact with K ⊕ R2 since only M is known).
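The candidate scan of this section, run on simulated traces, as an added example (not code from the paper): the leakage model of Section 2 generates the power values, and the key word, reference state, gain, noise level and all function names are constructed assumptions. It shows the scan returning K ⊕ R, the exact anti-correlation for the complemented candidate and the 1/4 drop for a single wrong bit.

```python
import random

M_BITS = 8  # word size m of the simulated 8-bit device


def hamming_weight(x):
    return bin(x).count("1")


def pearson(xs, ys):
    """Sample correlation factor between two equally long sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var_x = sum((x - mx) ** 2 for x in xs)
    var_y = sum((y - my) ** 2 for y in ys)
    return cov / (var_x * var_y) ** 0.5


def simulate_power(data, ref, gain, noise_sd, rng):
    """Leakage model of Section 2: gain * H(D xor R) plus independent noise b."""
    return [gain * hamming_weight(d ^ ref) + rng.gauss(0.0, noise_sd) for d in data]


def scan_candidates(known, power):
    """Correlation factor for each of the 2^m candidate words."""
    return {
        cand: pearson([hamming_weight(w ^ cand) for w in known], power)
        for cand in range(1 << M_BITS)
    }


def run_demo(seed=2004, traces=4000):
    rng = random.Random(seed)
    key, ref = 0x3C, 0xA7  # constructed secret key word K and reference state R
    msgs = [rng.randrange(1 << M_BITS) for _ in range(traces)]  # known words M
    handled = [m ^ key for m in msgs]  # D = K xor M, not visible to the analyst
    power = simulate_power(handled, ref, 1.0, 1.0, rng)  # constructed gain and noise
    scores = scan_candidates(msgs, power)
    best = max(scores, key=scores.get)
    return key ^ ref, best, scores


if __name__ == "__main__":
    expected, best, scores = run_demo()
    print(f"best candidate 0x{best:02X} (K xor R = 0x{expected:02X}), rho = {scores[best]:.3f}")
    print(f"one bit wrong:  rho = {scores[best ^ 0x01]:.3f}")
    print(f"all bits wrong: rho = {scores[best ^ 0xFF]:.3f}")
```

The scan recovers only K ⊕ R, never K alone, which is why the text goes on to treat the reference byte as a remaining unknown.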
For instance, when considering the first AddRoundKey function at the beginning of the AES algorithm embedded on an 8-bit processor, it is obvious that such a method leads to the whole key masked by the constant reference byte R2. If R2 is the same for all the key bytes, which is highly plausible, only 2^8 possibilities remain to be tested by exhaustive search to infer the entire key material. This compleme