Abstract
Reverse-engineering based on fault analysis works by injecting faults into the equipment running a secret cipher to induce abnormal ciphertexts, and then recovering the cipher's internal structure and parameters. This paper proposes a method of reverse-engineering the S-box table based on a persistent fault, applicable when the structure of the round function, apart from the S-box table, is known. We take advantage of the fact that when an S-box operation uses the faulty element, intermediate state errors appear, leading to ciphertext errors. Therefore, we construct special plaintexts and keys in order to induce errors in the S-box operation of the second round. The outputs of the S-box operation in the first round can then be derived, i.e. one element of the S-box table is recovered. All elements of the S-box table can be recovered by using different plaintexts and keys. Taking the AES-128 (Advanced Encryption Standard-128) algorithm as an example, our method restores the complete S-box table with 1 441 792 encryptions. Compared with existing methods, our approach has obvious advantages in the number of fault injections and the complexity of computations. In addition, we apply this method to an SM4-like algorithm and recover its S-box table with an average of 1 900 544 encryptions. Finally, we discuss the universality of the new method by considering two typical structures of block ciphers, the Feistel and SPN (Substitution Permutation Network) structures, and summarize the conditions under which our method applies.
| Translated title of the contribution | Reverse-Engineering Secret S-box of Block Ciphers by Persistent Fault |
|---|---|
| Original language | Chinese (Traditional) |
| Pages (from-to) | 537-551 |
| Number of pages | 15 |
| Journal | Tien Tzu Hsueh Pao/Acta Electronica Sinica |
| Volume | 51 |
| Issue number | 3 |
| DOIs | |
| Publication status | Published - 25 Mar 2023 |