Statistical Fault Analysis of the Piccolo Lightweight Cryptosystem
【Abstract (translated from the Chinese)】 Piccolo is a lightweight block cipher proposed at CHES 2011 for protecting the communications of RFID tags, sensors, smart cards and other electronic devices in Internet of Things environments. Existing security analyses, both domestic and international, concentrate on known-plaintext and chosen-plaintext attacks against the algorithm; the ciphertext-only attack, in which the attacker's capability is weakest, has not yet been studied. This paper analyses the security of Piccolo under statistical fault analysis: under the ciphertext-only assumption, it recovers the master key of Piccolo using a series of distinguishers, namely SEI, HW, ML, GF, MAP, GF-SEI, GF-ML, ML-SEI, ML-MAP, MM-HW and MM-HW-ML. The experimental results show that Piccolo cannot resist statistical fault analysis: the new distinguishers ML-MAP, MM-HW and MM-HW-ML proposed here need only 164 and 262 faults to recover the 80-bit and 128-bit master keys, respectively, which effectively reduces the number of faults and improves attack efficiency. The results provide a valuable reference for the secure design and implementation of lightweight ciphers in IoT environments.
【Abstract】 With a typical generalized Feistel network (GFN) structure, the Piccolo lightweight cryptosystem was proposed at the workshop on Cryptographic Hardware and Embedded Systems (CHES) in 2011. It has a 64-bit block size and flexible 80-bit and 128-bit key sizes, corresponding to 25 and 31 rounds of encryption and decryption, respectively. The Piccolo lightweight cryptosystem can protect the communication among electronic devices such as RFIDs, sensors and smart cards in the Internet of Things, so a security analysis of it is vital and necessary. Depending on the attack scenario, the attackers can obtain different types of information, including plaintexts and ciphertexts. Up to now, the attack assumptions of previous security analyses of the Piccolo lightweight cryptosystem have focused on the known-plaintext attack (KPA) and the chosen-plaintext attack (CPA), such as differential analysis, linear analysis, impossible differential analysis, boomerang analysis, meet-in-the-middle analysis and zero-correlation linear analysis. In these classical attack scenarios, the attackers require some information about the plaintexts. However, the literature contains no security analysis of the Piccolo lightweight cryptosystem against the ciphertext-only attack (COA), which is the weakest attack assumption: the attackers can only obtain the ciphertexts. Owing to the hardware and portability limitations of Internet of Things devices, the COA is easier to carry out in practice. This paper proposes a security analysis of Piccolo against statistical fault analysis (SFA) under the COA assumption.
It investigates the application of a series of distinguishers: Square Euclidean Imbalance (SEI), Hamming Weight (HW), Maximum Likelihood (ML), Goodness of Fit (GF), Maximum a Posteriori (MAP), Goodness of Fit-Square Euclidean Imbalance (GF-SEI), Goodness of Fit-Maximum Likelihood (GF-ML), Maximum Likelihood-Square Euclidean Imbalance (ML-SEI), Maximum Likelihood-Maximum a Posteriori (ML-MAP), Method of Moments-Hamming Weight (MM-HW) and Method of Moments-Hamming Weight-Maximum Likelihood (MM-HW-ML). To describe the performance of all distinguishers, accuracy, reliability, latency and complexity are taken into consideration. Accuracy is measured by the root mean squared error (RMSE): the smaller the RMSE, the more accurate the distinguisher. Reliability is the success rate of the SFA in recovering the subkeys of Piccolo; when the reliability reaches at least 99%, the attackers succeed in most cases. Latency is the time taken to recover the subkeys of Piccolo. Complexity comprises the time, data and memory complexity of the SFA. Both latency and complexity reflect the effectiveness of the distinguishers in practice. The experimental results show that Piccolo cannot resist statistical fault analysis. When the reliability reaches at least 99%, the newly proposed distinguishers ML-MAP, MM-HW and MM-HW-ML can recover the 80-bit and 128-bit secret keys with 164 and 262 faults, respectively. The experiments show that the new distinguishers perform well in accuracy, reliability, latency and complexity, and can be applied to reduce the number of faults and increase efficiency. The results offer a valuable reference for the design and implementation of lightweight cryptosystems in the Internet of Things.
【Key words】 Piccolo; lightweight cryptosystem; cryptanalysis; ciphertext-only attack; statistical fault analysis
- 【Source】 计算机学报 (Chinese Journal of Computers), 2021, No. 10
- 【Classification code】 TP309.7
- 【Cited by】 1
- 【Downloads】 125