CN-118611853-B - Differential fault attack method for the lightweight cipher GIFT based on a byte model
Abstract
The application discloses a differential fault attack method for the lightweight cipher GIFT based on a byte fault model. The method comprises: obtaining the correct ciphertext produced by encrypting a target plaintext with the GIFT algorithm when no byte fault is injected, and the faulty ciphertext produced by encrypting the same plaintext after a byte fault is injected, the GIFT algorithm processing both runs through a plurality of S-boxes under the same encryption key; performing an exclusive-OR of the correct and faulty ciphertexts to obtain the output difference of each corresponding S-box in the encryption of the target plaintext; determining, from the output difference of each S-box and the input difference of each S-box obtained in advance, the target S-box into which the byte fault was injected; determining, from the input difference and the output difference of the target S-box, its input value in the fault-free encryption as the correct input value of the target S-box; and recovering, from that correct input value, the encryption key used for both the fault-free and the faulted encryption of the target plaintext.
Inventors
- ZHANG ZHONGYA
- WEI JINGQI
- ZHANG ZHIYONG
- GAO YUAN
- SONG BIN
- ZHANG LILI
- XIANG FEI
- ZHAO CHANGWEI
- CHEN GENG
- WU SHUANGJIN
Assignees
- Henan University of Science and Technology (河南科技大学)
Dates
- Publication Date
- 20260508
- Application Date
- 20240702
Claims (10)
- 1. A differential fault attack method for the lightweight cipher GIFT based on a byte model, the method comprising: respectively obtaining a correct ciphertext generated by encrypting a target plaintext with the GIFT algorithm when no byte fault is injected and a faulty ciphertext generated by encrypting the target plaintext with the GIFT algorithm after a byte fault is injected, wherein the GIFT algorithm encrypts both the target plaintext without the byte fault and the target plaintext with the injected byte fault through a plurality of S-boxes, and both encryptions use the same encryption key; performing an exclusive-OR operation on the correct ciphertext and the faulty ciphertext to obtain the output difference of each corresponding S-box in the encryption of the target plaintext without and with the injected byte fault, and determining, among the plurality of S-boxes, the target S-box into which the byte fault was injected from the output difference of each S-box and the input difference of each S-box acquired in advance; determining, from the input difference and the output difference of the target S-box, the input value of the target S-box in the encryption of the target plaintext without the byte fault as the correct input value of the target S-box; and recovering, from the correct input value of the target S-box, the encryption key used for the target plaintext without the injected byte fault and the target plaintext with the injected byte fault.
- 2. The differential fault attack method for the lightweight cipher GIFT based on the byte model according to claim 1, wherein the iterative process of the GIFT algorithm has a plurality of rounds, and each round encrypts the plaintext without the injected byte fault and the plaintext with the injected byte fault through a plurality of S-boxes; the respective obtaining of the correct ciphertext and the faulty ciphertext comprises: obtaining the iterative correct ciphertext and the iterative faulty ciphertext generated after each round of encryption of the target plaintext without byte fault injection and of the target plaintext with byte fault injection, respectively; the target plaintext with the injected byte fault is injected with a byte fault before each round of encryption, so that the iterative faulty ciphertext of the corresponding round is generated.
- 3. The differential fault attack method for the lightweight cipher GIFT based on the byte model according to claim 2, wherein recovering the encryption key used for the target plaintext without the injected byte fault and the target plaintext with the injected byte fault from the correct input value of the target S-box comprises: respectively acquiring the correct input values of the target S-box in four consecutive rounds of the GIFT algorithm, and respectively recovering the round keys used in those four consecutive rounds from the correct input values of the target S-box in those rounds; and recovering, on the basis of the key schedule, the encryption key used for the target plaintext without the injected byte fault and the target plaintext with the injected byte fault from the round keys used in the four consecutive rounds.
- 4. The differential fault attack method for the lightweight cipher GIFT based on the byte model according to claim 3, wherein respectively recovering the round keys used in the last four rounds from the correct input values of the target S-box in the last four rounds comprises: the round key of the (i+1)-th round is obtained by the following formula: where K_{i+1} represents the round key of the (i+1)-th round, P represents the P-box operation, S represents the S-box operation, D_{i+1} represents the correct input value of the target S-box in the (i+1)-th round, and C_{i+1} represents the iterative correct ciphertext of the (i+1)-th round.
- 5. The differential fault attack method for the lightweight cipher GIFT based on the byte model according to claim 1, wherein determining, among the plurality of S-boxes, the target S-box into which the byte fault was injected from the output difference of each S-box and the input difference of each S-box acquired in advance comprises: determining, from the output difference of each S-box, the S-boxes affected by the byte fault in the encryption of the target plaintext without and with the injected byte fault; and determining the target S-box into which the byte fault was injected from the input differences of the S-boxes affected by the byte fault.
- 6. The differential fault attack method for the lightweight cipher GIFT based on the byte model according to claim 3, wherein the iterative process of the GIFT algorithm has 28 rounds, and the round keys used in the four consecutive rounds comprise the round keys used in the 28th, 27th, 26th and 25th rounds of encryption.
- 7. The differential fault attack method for the lightweight cipher GIFT based on the byte model according to any one of claims 1 to 6, wherein the depth of the byte fault injected into the target plaintext is 2 rounds or 3 rounds.
- 8. A differential fault attack device for the lightweight cipher GIFT based on a byte model, the device comprising a ciphertext acquisition module, an S-box determination module, an input determination module and a key recovery module, wherein: the ciphertext acquisition module is configured to respectively acquire a correct ciphertext generated by encrypting a target plaintext with the GIFT algorithm when no byte fault is injected and a faulty ciphertext generated by encrypting the target plaintext with the GIFT algorithm after a byte fault is injected; the S-box determination module is configured to perform an exclusive-OR operation on the correct ciphertext and the faulty ciphertext to obtain the output difference of each corresponding S-box in the encryption of the target plaintext without and with the injected byte fault, and to determine, among the plurality of S-boxes, the target S-box into which the byte fault was injected from the output difference of each S-box and the input difference of each S-box acquired in advance; the input determination module is configured to determine, from the input difference and the output difference of the target S-box, the input value of the target S-box in the encryption of the target plaintext without the byte fault as the correct input value of the target S-box; and the key recovery module is configured to recover, from the correct input value of the target S-box, the encryption key used for the target plaintext without the injected byte fault and the target plaintext with the injected byte fault.
- 9. A computer device comprising at least one processor and a memory communicatively coupled to the at least one processor, wherein the memory stores instructions executable by the at least one processor that enable the at least one processor to perform the differential fault attack method for the lightweight cipher GIFT based on a byte model according to any one of claims 1 to 7.
- 10. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the differential fault attack method for the lightweight cipher GIFT based on a byte model according to any one of claims 1 to 7.
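The procedure of claims 1 to 6 (correct and faulty ciphertext of one plaintext, S-box output differences from their XOR, the correct S-box input solved from the input and output differences, the round key from that input, four consecutive round keys run backwards through the key schedule) as an added worked example; this is not code from the patent. It assumes GIFT-64 (28 rounds, 128-bit key) implemented from the published specification (S-box, bit permutation, round-constant LFSR, key schedule; cross-check against the specification's test vectors before relying on it), a fault XORed into one byte at the S-box input of the attacked round with the injected value known to the attacker (the page's "input difference acquired in advance"; the depth-2/3 variant of claim 7, where the last-round input differences would instead be enumerated from the bit permutation, is not implemented), and reads the formula of claim 4, which the page does not reproduce, as K = C ⊕ P(S(D)) restricted to the round-key bit positions. The key and plaintext are constructed; every function name is the example's own.

```python
"""GIFT-64 and a simulated byte-fault DFA (added example, not the patent's own code)."""
import random
from functools import reduce

S = [0x1, 0xa, 0x4, 0xc, 0x6, 0xf, 0x3, 0x9, 0x2, 0xd, 0xb, 0x7, 0x5, 0x0, 0x8, 0xe]
S_INV = [S.index(v) for v in range(16)]
P = [0, 17, 34, 51, 48, 1, 18, 35, 32, 49, 2, 19, 16, 33, 50, 3,
     4, 21, 38, 55, 52, 5, 22, 39, 36, 53, 6, 23, 20, 37, 54, 7,
     8, 25, 42, 59, 56, 9, 26, 43, 40, 57, 10, 27, 24, 41, 58, 11,
     12, 29, 46, 63, 60, 13, 30, 47, 44, 61, 14, 31, 28, 45, 62, 15]
P_INV = [P.index(i) for i in range(64)]
ROUNDS, M16 = 28, 0xffff

def rotr16(w, n):
    return ((w >> n) | (w << (16 - n))) & M16

def sub_cells(x, box=S):            # 16 parallel 4-bit S-boxes
    return sum(box[(x >> (4 * i)) & 0xf] << (4 * i) for i in range(16))

def perm_bits(x, perm=P):           # bit i of x moves to position perm[i]
    return sum(((x >> i) & 1) << perm[i] for i in range(64))

def round_constants():              # 6-bit LFSR of the specification, one value per round
    c, out = 0, []
    for _ in range(ROUNDS):
        c = ((c << 1) & 0x3f) | (((c >> 5) ^ (c >> 4) ^ 1) & 1)
        out.append(c)
    return out
RC = round_constants()

def round_keys(key):                # key = k7||...||k0 as 16-bit words, k0 least significant
    k = [(key >> (16 * i)) & M16 for i in range(8)]
    rks = []
    for _ in range(ROUNDS):
        rks.append((k[1] << 16) | k[0])                     # round key U||V = k1||k0
        k = k[2:] + [rotr16(k[0], 12), rotr16(k[1], 2)]     # key-state update
    return rks

def add_round_key(x, rk, c):        # U -> bits 4i+1, V -> bits 4i, constant -> bits 3,7,..,23 and 63
    u, v = rk >> 16, rk & M16
    for i in range(16):
        x ^= (((u >> i) & 1) << (4 * i + 1)) | (((v >> i) & 1) << (4 * i))
    for j in range(6):
        x ^= ((c >> j) & 1) << (4 * j + 3)
    return x ^ (1 << 63)

def encrypt(pt, rks, fault=None):   # fault = (round index, byte index, diff) at that round's S-box input
    x = pt
    for r in range(ROUNDS):
        if fault and fault[0] == r:
            x ^= fault[2] << (8 * fault[1])
        x = add_round_key(perm_bits(sub_cells(x)), rks[r], RC[r])
    return x

def peel_round(c, rk, r):           # undo round r; AddRoundKey is an involution
    return sub_cells(perm_bits(add_round_key(c, rk, RC[r]), P_INV), S_INV)

def decrypt(ct, rks):
    return reduce(lambda x, r: peel_round(x, rks[r], r), reversed(range(ROUNDS)), ct)

def attack_round(c, oracle, rng, budget=256):
    """c: correct output of the attacked round; oracle(b, diff): the same output after byte b of
    the round's S-box input was XORed with diff. Returns (round key, correct S-box input D)."""
    cand = [set(range(16)) for _ in range(16)]
    for b in range(8):
        for _ in range(budget):
            if len(cand[2 * b]) == 1 and len(cand[2 * b + 1]) == 1:
                break
            diff = rng.randrange(1, 256)                    # random byte fault, value known to attacker
            dy = perm_bits(c ^ oracle(b, diff), P_INV)      # output difference of every S-box
            hit = [j for j in range(16) if (dy >> (4 * j)) & 0xf]
            assert set(hit) <= {2 * b, 2 * b + 1}, "byte model violated"
            for j in hit:                                   # keep inputs consistent with (dx, dy)
                dx, dyj = (diff >> (4 * (j - 2 * b))) & 0xf, (dy >> (4 * j)) & 0xf
                cand[j] &= {x for x in range(16) if S[x] ^ S[x ^ dx] == dyj}
        assert len(cand[2 * b]) == 1 and len(cand[2 * b + 1]) == 1, "fault budget exhausted"
    d = sum(next(iter(cand[j])) << (4 * j) for j in range(16))
    m = c ^ perm_bits(sub_cells(d))                         # round key bits plus round constant
    u = sum(((m >> (4 * i + 1)) & 1) << i for i in range(16))
    v = sum(((m >> (4 * i)) & 1) << i for i in range(16))
    return (u << 16) | v, d

def recover_master_key(rk4, r0):    # four consecutive round keys = full key state at round r0
    k = [w for rk in rk4 for w in (rk & M16, rk >> 16)]     # (V, U) pairs give k0..k7
    for _ in range(r0):                                     # run the key schedule backwards
        k = [rotr16(k[6], 4), rotr16(k[7], 14)] + k[:6]
    return sum(w << (16 * i) for i, w in enumerate(k))

def demo(seed=1):                   # returns (recovered key, true key) for a constructed secret
    rng = random.Random(seed)
    key, pt = rng.getrandbits(128), rng.getrandbits(64)     # constructed; attacker sees only pt, C, C'
    rks, known = round_keys(key), {}
    out = encrypt(pt, rks)                                  # correct output of the round under attack
    for r in range(ROUNDS - 1, ROUNDS - 5, -1):             # rounds 28, 27, 26, 25
        def oracle(b, diff, r=r):                           # faulty run, then peel the rounds already broken
            cf = encrypt(pt, rks, (r, b, diff))
            for rr in range(ROUNDS - 1, r, -1):
                cf = peel_round(cf, known[rr], rr)
            return cf
        known[r], out = attack_round(out, oracle, rng)
    return recover_master_key([known[r] for r in range(ROUNDS - 4, ROUNDS)], ROUNDS - 4), key
```

Calling demo() returns the recovered and the true master key; they agree. Each round key recovered from C ⊕ P(S(D)) is only 32 bits, since GIFT-64 XORs the round key into bits 4i and 4i+1 only, which is why four consecutive round keys are needed for the 128-bit key (claim 6). The candidate filter is exact at depth 1, so every extra fault on the same byte can only shrink the sets, and the budget assertion turns a non-converging attack into an explicit failure instead of a wrong key.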
Description
Differential fault attack method for the lightweight cipher GIFT based on a byte model
Technical Field
The application relates to the technical field of cryptography and information security, in particular to a differential fault attack method, device, equipment and medium for the lightweight cipher GIFT based on a byte model.
Background
The internet of things bridges the physical and the digital world; as it improves daily life, the security of IoT devices becomes increasingly prominent. Such devices are often severely resource-constrained, so a cryptographic algorithm chosen for them must be sufficiently secure while also meeting performance requirements such as high efficiency and low energy consumption. The lightweight cipher GIFT has attracted wide attention worldwide and plays a key role in the internet of things: it provides encryption on resource-limited devices while preserving their efficiency, and so offers a secure and efficient cryptographic scheme for IoT equipment. Compared with conventional cryptographic algorithms, GIFT executes more efficiently and consumes fewer computing resources, making it suitable for small devices with limited computing capacity. Side-channel attacks obtain sensitive information indirectly by monitoring physical characteristics (power consumption, electromagnetic radiation, timing, etc.) of a cryptographic system while it executes. The differential fault attack belongs to the same family of physical attacks: faults are introduced into the execution of the cryptographic algorithm, and differential analysis of the resulting outputs recovers key information, thereby breaking the cryptosystem.
At present, differential fault attacks have been widely applied to the security assessment of the GIFT algorithm. Existing differential fault attacks on GIFT are of two kinds. The first integrates the basic idea of differential faults into the round function of GIFT and proposes two bit-based differential fault attack methods for recovering master key information; these are hard to implement, highly uncertain and require a large number of faults. The second uses a random nibble-based differential fault attack to analyze the key state of GIFT; its efficiency is limited by the accuracy of fault injection and the fault tolerance of the target system, and it may be hindered by defense mechanisms, which increases attack complexity and reduces the success rate. Existing differential fault attacks on GIFT are therefore difficult to implement and have a low success rate, which hinders security assessment of the GIFT algorithm.
Disclosure of Invention
The application aims to provide a differential fault attack method, device, equipment and medium for the lightweight cipher GIFT based on a byte model, with low attack complexity, easy implementation and good attack efficiency, which benefits the security assessment of the GIFT algorithm.
To solve the above technical problems, an embodiment of the application provides a differential fault attack method for the lightweight cipher GIFT based on a byte model, comprising the following steps: respectively obtaining a correct ciphertext generated by encrypting a target plaintext with the GIFT algorithm when no byte fault is injected and a faulty ciphertext generated by encrypting the target plaintext with the GIFT algorithm after a byte fault is injected, wherein the GIFT algorithm encrypts both the target plaintext without the byte fault and the target plaintext with the injected byte fault through a plurality of S-boxes, and both encryptions use the same encryption key; performing an exclusive-OR operation on the correct ciphertext and the faulty ciphertext to obtain the output difference of each corresponding S-box in the encryption of the target plaintext without and with the injected byte fault, and determining, among the plurality of S-boxes, the target S-box into which the byte fault was injected from the output difference of each S-box and the input difference of each S-box acquired in advance; determining, from the input difference and the output difference of the target S-box, the input value of the target S-box in the encryption of the target plaintext without the byte fault as the correct input value of the target S-box; and recovering the encrypt