A method for performance evaluation of a side-channel power analysis module

By comprehensively evaluating the performance indicators of the power consumption analysis module, the problem of difficult module selection in the existing technology has been solved, and more accurate and efficient module selection has been achieved.

CN116405409BActive Publication Date: 2026-06-26CHENGDU SCI & TECH DEV CENT CHINA ACAD OF ENG PHYSICS +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
CHENGDU SCI & TECH DEV CENT CHINA ACAD OF ENG PHYSICS
Filing Date
2023-03-16
Publication Date
2026-06-26

Smart Images

  • Figure CN116405409B_ABST
    Figure CN116405409B_ABST
Patent Text Reader

Abstract

The application discloses a kind of side channel performance evaluation method of power consumption analysis module, comprising: S1: the actual key of cryptographic device is obtained, several different plaintexts and corresponding power consumption curves;S2: input preparation management is carried out to the plaintext and the power consumption curve;S3: calling the power consumption analysis module to be evaluated, plaintext and power consumption curve are used as input, analysis result is obtained, according to analysis result, determine index parameter;S4: whether correct guess key and actual key are identical is judged;If identical, calculate index parameter, according to the index parameter obtained by calculation, according to the set weighting model, calculate final score, and performance evaluation is carried out;If not identical, it is determined that the power consumption analysis module is unusable, and the final score is 0.The application realizes the comprehensive evaluation of power consumption analysis module performance by multiple indexes.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of side-channel analysis technology, and in particular to a performance evaluation method for a side-channel power consumption analysis module. Background Technology

[0002] Power consumption analysis refers to a method of cracking the cryptographic key by obtaining the plaintext and the power consumption curves leaked during encryption of a cryptographic device, and then using a discriminator to determine the data dependency between the leakage model based on the guessed intermediate value corresponding to the guessed key and the power consumption points on the power consumption curve. Based on this, power consumption analysis provides an assessment tool for detecting the security of cryptographic devices. A power consumption analysis module refers to a device, software, or system that has implemented the power consumption analysis method.

[0003] In recent years, researchers have proposed power consumption analysis methods and developed power consumption analysis modules to recover cryptographic device keys. For example, patent application number CN202210321368.2, entitled "Side-channel related energy analysis method and system applied to polynomial hardware multiplication," introduces a hypothetical product vector to crack asymmetric encryption algorithms and reduces the number of measured power consumption curves required for analysis; application number CN202110122805.3, entitled "A side-channel attack related energy analysis method based on ensemble learning," improves the analysis effect on random delay protection countermeasures by constructing multiple sub-learners; and application number CN202010685254.7, entitled "A second-order energy analysis attack method for SM4," extends second-order energy analysis from time domain analysis to frequency domain analysis for SM4, effectively avoiding the problem of misaligned time points in time domain analysis.

[0004] While the disclosure of the aforementioned schemes improves the effectiveness of power analysis methods and the diversity of encryption algorithm cracking, in practical engineering implementation, differences in analysis results and analysis time arise due to variations in intermediate values ​​used by the power analysis module (such as the XOR result of the plaintext and key in the first round of the AES algorithm, the output of the S-box in the first round), leakage models (such as Hamming weight, Hamming distance, etc.), attack methods (such as CPA, MIA, etc.), and implementation algorithms. Therefore, selecting a suitable power analysis module remains a problem. Existing methods compare the success rates of KSA and CPA discriminators, or compare MIA and CPA using average discriminator scores and nearest-nearest discriminator scores. However, these methods compare the performance of different power analysis methods by calculating evaluation metrics, lacking a comprehensive evaluation of power analysis methods. Summary of the Invention

[0005] To address the aforementioned issues, this invention provides a performance evaluation method for a side-channel power consumption analysis module. This method effectively evaluates the performance of the power consumption analysis module using metrics such as the minimum number of successful power consumption curves, time overhead, average discriminator score, and nearest discriminator score. It achieves a comprehensive evaluation and comparison of the performance of different power consumption analysis modules, providing a basis for selecting a suitable power consumption analysis module during engineering implementation.

[0006] This invention provides a performance evaluation method for a side-channel power consumption analysis module, the specific technical solution of which is as follows:

[0007] S1: Obtain the actual key of the cryptographic device, several different plaintexts, and the corresponding power consumption curves;

[0008] S2: Perform input preparation management on the plaintext and the power consumption curve;

[0009] S3: Call the power consumption analysis module to be evaluated, take plaintext and power consumption curves as input, obtain analysis results, and determine index parameters based on the analysis results. The index parameters include at least the minimum number of successful power consumption curves and time overhead.

[0010] S4: Determine whether the correctly guessed key is the same as the actual key;

[0011] If they are the same, the indicator parameters are calculated, and the final score is calculated according to the weighted model to evaluate the performance.

[0012] If they are different, the final score is 0, and the power consumption analysis module is deemed unusable.

[0013] Furthermore, the input preparation management involves dividing the plaintext and the power consumption curve into r groups.

[0014] Furthermore, the number of plaintext and power consumption curves in each group is k.

[0015] Furthermore, in step S3, when the analysis result is all guessed keys and their discriminator values, the calculation of the indicator parameters also includes: calculating the average discriminator score and calculating the most recent discriminator score.

[0016] Further, in step S4, the guessed keys are sorted according to the discriminator value, and the guessed key ranked first is the correct guessed key.

[0017] Furthermore, the average discriminator score is the distance between the actual key and other guessed keys in the analysis results, calculated as follows:

[0018]

[0019] in, Indicates the actual key. This refers to the discriminator value of the actual key. This represents the mean of the discriminator values ​​for other guessed keys. Represents the set of all guessed keys. This represents the standard deviation of the discriminator values ​​for all guessed keys.

[0020] Furthermore, the nearest discriminator score is the distance between the actual key in the analysis results and the guessed key with the largest discriminator value among other guessed keys, calculated as follows:

[0021]

[0022] in, Indicates the actual key. This refers to the discriminator value of the actual key. This represents the maximum value of the discriminator value among other guessed keys. Represents the set of all guessed keys. This represents the standard deviation of the discriminator values ​​for all guessed keys.

[0023] Furthermore, the minimum number of successful power consumption curves refers to the minimum number of power consumption curves under a set success rate threshold, where the success rate threshold is greater than 50%, and the success rate is calculated as follows:

[0024]

[0025] Where r represents the number of groups into which the plaintext and power consumption curves are divided, and a represents the number of groups where the correctly guessed key is the same as the actual key.

[0026] Furthermore, the time overhead refers to the time spent running the power analysis module to generate analysis results using a specified number of power consumption curves.

[0027] Furthermore, in step S4, when the correctly guessed key is the same as the actual key, the final score is calculated as follows:

[0028]

[0029] in, This indicates the number of indicator parameters involved in the scoring calculation. This represents the ideal value of the indicator. This represents the actual value of the indicator. Indicates the limit value of the indicator. This indicates the weight of the indicator.

[0030] The beneficial effects of this invention are as follows:

[0031] This invention evaluates the performance of power consumption analysis modules by calculating multiple indicators, providing directions for improvement. Furthermore, when evaluating multiple power consumption analysis modules, it achieves a comprehensive performance evaluation based on multiple indicators, enabling a thorough comparison of the advantages and disadvantages of each power consumption analysis module and providing a better selection of power consumption analysis modules for side-channel analysis. Attached Figure Description

[0032] Figure 1 This is a schematic diagram of the overall process of the method of the present invention;

[0033] Figure 2 This is a schematic diagram of the power consumption analysis module's processing flow;

[0034] Figure 3 This is a schematic diagram showing the change in the discriminator value for key guessing as a function of power consumption.

[0035] Figure 4 This is a schematic diagram showing the change in the success rate of the power consumption analysis module as a function of the number of power consumption curves. Detailed Implementation

[0036] The technical solutions in the embodiments of the present invention are clearly and completely described in the following description. Obviously, the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative effort are within the scope of protection of the present invention.

[0037] In the description of the embodiments of the present invention, it should be noted that the indicated orientation or positional relationship is based on the orientation or positional relationship shown in the accompanying drawings, or the orientation or positional relationship in which the product of the invention is conventionally placed during use, or the orientation or positional relationship in which those skilled in the art conventionally understand it during use. This is only for the convenience of describing the present invention and simplifying the description, and is not intended to indicate or imply that the device or element referred to must have a specific orientation, or be constructed and operated in a specific orientation. Therefore, it should not be construed as a limitation of the present invention. Furthermore, the terms "first" and "second" are only used to distinguish descriptions and should not be construed as indicating or implying relative importance.

[0038] In the description of the embodiments of the present invention, it should also be noted that, unless otherwise explicitly specified and limited, the terms "set" and "connection" should be interpreted broadly. For example, they can refer to a fixed connection, a detachable connection, or an integral connection; they can refer to a direct connection or an indirect connection through an intermediate medium. Those skilled in the art can understand the specific meaning of the above terms in the present invention based on the specific circumstances.

[0039] It should be noted that the cryptographic device key analyzed by the power consumption analysis module is called the correctly guessed key.

[0040] Power consumption analysis modules often determine the correct key guess by calculating the distinguisher value. The distinguisher uses... It means that, among them To guess the key, the guess with the highest discriminator value is the correct guess. For example, in CPA, , This is the Pearson correlation coefficient.

[0041] Example 1

[0042] Embodiment 1 of the present invention discloses a performance evaluation method for a side-channel power consumption analysis module, such as... Figures 1-2 As shown, the specific process is as follows:

[0043] S1: Obtain the actual key of the cryptographic device, several different plaintexts, and the corresponding power consumption curves.

[0044] Specifically, in this embodiment, the cryptographic device uses an FPGA chip board with model number XC7A100T-2FGG484l, and the power consumption acquisition device uses a chipwhisperer power consumption acquisition board.

[0045] The cryptographic device uses the AES-128 encryption algorithm and encrypts random plaintext using the same key "2B 7E 15 16 28 AE D2 A6 AB F715 88 09 CF 4F 3C". Power consumption curves are obtained, with each curve containing 3000 power consumption points.

[0046] S2: Perform input preparation management on the plaintext and the power consumption curve;

[0047] In this embodiment, the plaintext and power consumption curves are divided into 100 groups, with each group containing 1, 2, 3, 4, ..., 50 plaintext and power consumption curves; the input to the power consumption analysis module is prepared according to the number of groups and the quantity of each group of plaintext and power consumption curves.

[0048] S3: Call the power consumption analysis module to be evaluated, take plaintext and power consumption curve as input, obtain analysis results, and determine index parameters based on the analysis results;

[0049] The analysis results are of two types: one is the correct guess of the key, and the other is all guessed keys and their discriminator values.

[0050] The specified parameters include at least the minimum number of successful power consumption curves and time overhead;

[0051] In this embodiment, the power consumption analysis module uses Python code to implement CPA, the intermediate value is selected as the S-box output of the first round of encryption in the AES-128 encryption algorithm, and the leakage model is Hamming weight.

[0052] The plaintext and power consumption curve mentioned above are used as inputs to the power consumption analysis module in sequence to obtain the analysis results.

[0053] S4: Determine whether the correctly guessed key is the same as the actual key;

[0054] If they are the same, calculate the index parameters and perform a performance evaluation;

[0055] When the analysis result indicates that the key was correctly guessed, the indicator parameters only include the minimum number of successful power consumption curves and the time overhead;

[0056] In this embodiment, the minimum number of successful power consumption curves is the minimum number of power consumption curves under a set success rate threshold, where the success rate threshold is greater than 50%, and the success rate is calculated as follows:

[0057]

[0058] Where r represents the number of groups into which the plaintext and power consumption curves are divided, and a represents the number of groups where the correctly guessed key is the same as the actual key.

[0059] The time overhead is the time spent running the power analysis module to generate analysis results using a specified number of power consumption curves.

[0060] The minimum number of successful power consumption curves is used to evaluate the minimum number of power consumption curves required for the power analysis module to correctly recover the key. The smaller the number of successful power consumption curves, the less information is needed for analysis, indicating a better analysis effect.

[0061] The time overhead is used to evaluate the efficiency of the power consumption analysis module. The lower the time overhead, the faster the key can be analyzed.

[0062] like Figure 4 As shown, the success rate curves are displayed. When the success rate is 80%, the minimum number of success power consumption curves is 20.

[0063] When the number of plaintext and power consumption curves is 50, the time overhead is 55.765s.

[0064] The final score is obtained by weighting and summing the number of minimum success power consumption curves and time overhead according to user requirements.

[0065] The final score is calculated as follows:

[0066]

[0067] in, This indicates the number of indicator parameters involved in the scoring calculation. This represents the ideal value of the indicator. This represents the actual value of the indicator. Indicates the limit value of the indicator. This indicates the weight of the indicator.

[0068] In this embodiment, the weight of the minimum number of successful power consumption curves is set to 50%, the ideal value is 10, and the limit value is 50. The weight of time overhead is set to 50%, the ideal value is 30s, and the limit value is 120s. The final score is calculated to be 73.19.

[0069] When evaluating multiple power consumption analysis modules, the best value among each indicator is defined as the ideal value, and the worst value is defined as the limit value.

[0070] The number of minimum successful power consumption curves and time overhead are negative indicators, and the smaller the better.

[0071] Therefore, the minimum value is chosen as the ideal value for the number of minimum successful power consumption curves and the time overhead, while the maximum value is the limit value.

[0072] After final scoring, the power consumption analysis module with the highest final score is selected.

[0073] If they are different, the power consumption analysis module is deemed unusable; that is, whether the guessed key and the actual key are the same is the pass / fail indicator. If the guessed key and the actual key are different, the final score is 0.

[0074] Example 2

[0075] Embodiment 2 of the present invention discloses a performance evaluation method for a side-channel power consumption analysis module, such as... Figures 1-2 As shown, the specific process is as follows:

[0076] S1: Obtain the actual key of the cryptographic device, several different plaintexts, and the corresponding power consumption curves.

[0077] Specifically, in this embodiment, the cryptographic device uses an FPGA chip board with model number XC7A100T-2FGG484l, and the power consumption acquisition device uses a chipwhisperer power consumption acquisition board.

[0078] The cryptographic device uses the AES-128 encryption algorithm and encrypts random plaintext using the same key "2B 7E 15 16 28 AE D2 A6 AB F715 88 09 CF 4F 3C". Power consumption curves are obtained, with each curve containing 3000 power consumption points.

[0079] S2: Perform input preparation management on the plaintext and the power consumption curve;

[0080] In this embodiment, the plaintext and power consumption curves are divided into 100 groups, with each group containing 1, 2, 3, 4, ..., 50 plaintext and power consumption curves; the input to the power consumption analysis module is prepared according to the number of groups and the quantity of each group of plaintext and power consumption curves.

[0081] S3: Call the power consumption analysis module to be evaluated, take plaintext and power consumption curve as input, obtain analysis results, and determine index parameters based on the analysis results;

[0082] The analysis results are of two types: one is the correct guess of the key, and the other is all guessed keys and their discriminator values.

[0083] The specified parameters include at least the minimum number of successful power consumption curves and the time overhead.

[0084] In this embodiment, the power consumption analysis module uses Python code to implement CPA, the intermediate value is selected as the S-box output of the first round of encryption in the AES-128 encryption algorithm, and the leakage model is Hamming weight.

[0085] The plaintext and power consumption curve mentioned above are used as inputs to the power consumption analysis module in sequence to obtain the analysis results.

[0086] S4: Determine whether the correctly guessed key is the same as the actual key;

[0087] In this embodiment, the guessing keys are sorted according to the discriminator value, and the guessing key ranked first is the correct guessing key.

[0088] If they are the same, calculate the index parameters and perform a performance evaluation;

[0089] When the analysis results are all guessed keys and their discriminant values, the metric parameters include the minimum number of successful power consumption curves, time overhead, calculation of average discriminant score, and calculation of most recent discriminant score.

[0090] Figure 3 shows the trend of the discriminant value of the guessed key (correlation in CPA) with the number of power consumption curves. When the number of power consumption curves is small, the actual key and other guessed keys cannot be distinguished. As the number of power consumption curves increases, the discriminant value of the actual key is significantly larger than the discriminant value of other guessed keys, and the actual key can be distinguished.

[0091] The average discriminator and most recent discriminator scores evaluate the power analysis module's ability to recover the correct key.

[0092] In this embodiment, the minimum number of successful power consumption curves is the minimum number of power consumption curves under a set success rate threshold, where the success rate threshold is greater than 50%, and the success rate is calculated as follows:

[0093]

[0094] Where r represents the number of groups into which the plaintext and power consumption curves are divided, and a represents the number of groups where the correctly guessed key is the same as the actual key.

[0095] The time overhead is the time spent running the power analysis module to generate analysis results using a specified number of power consumption curves.

[0096] The minimum number of successful power consumption curves is used to evaluate the minimum number of power consumption curves required for the power analysis module to correctly recover the key. The smaller the number of successful power consumption curves, the less information is needed for analysis, indicating a better analysis effect.

[0097] The time overhead is used to evaluate the efficiency of the power consumption analysis module. The lower the time overhead, the faster the key can be analyzed.

[0098] The average discriminator score is the distance between the actual key and other guessed keys in the analysis results, and is calculated as follows:

[0099]

[0100] in, Indicates the actual key. This refers to the discriminator value of the actual key. This represents the mean of the discriminator values ​​for other guessed keys. Represents the set of all guessed keys. This represents the standard deviation of the discriminator values ​​for all guessed keys.

[0101] The nearest discriminator score is the distance between the actual key in the analysis results and the guessed key with the largest discriminator value among other guessed keys, calculated as follows:

[0102]

[0103] in, Indicates the actual key. This refers to the discriminator value of the actual key. This represents the maximum value of the discriminator value among other guessed keys. Represents the set of all guessed keys. This represents the standard deviation of the discriminator values ​​for all guessed keys.

[0104] The higher the average discriminator and nearest discriminator scores, the greater the distance between the actual key and other guesses.

[0105] The final score is obtained by weighting and summing the number of minimum success power consumption curves and time overhead according to user requirements.

[0106] The final score is calculated as follows:

[0107]

[0108] in, This indicates the number of indicator parameters involved in the scoring calculation. This represents the ideal value of the indicator. This represents the actual value of the indicator. Indicates the limit value of the indicator. This indicates the weight of the indicator.

[0109] When evaluating multiple power consumption analysis modules, the best value among each indicator is defined as the ideal value, and the worst value is defined as the limit value.

[0110] The number of minimum successful power consumption curves and time overhead are negative indicators, and the smaller the better.

[0111] Therefore, the minimum value is chosen as the ideal value for the number of minimum successful power consumption curves and the time overhead, while the maximum value is the limit value.

[0112] The average discriminant score and the most recent discriminant score are positive indicators; the higher the better.

[0113] Therefore, the maximum value is chosen as the ideal value for the average discriminator score and the most recent discriminator score, while the minimum value is chosen as the limit value.

[0114] After final scoring, the power consumption analysis module with the highest final score is selected.

[0115] If they are different, the power consumption analysis module is deemed unusable; that is, whether the guessed key and the actual key are the same is the pass / fail indicator. If the guessed key and the actual key are different, the final score is 0.

[0116] This invention is not limited to the specific embodiments described above. The invention extends to any new feature or combination disclosed in this specification, as well as any new method or process step or combination disclosed herein.

Claims

1. A performance evaluation method for a side-channel power consumption analysis module, characterized in that, include: S1: Obtain the actual key of the cryptographic device, several different plaintexts, and the corresponding power consumption curves; S2: Perform input preparation management on the plaintext and the power consumption curve; S3: Call the power consumption analysis module to be evaluated, take plaintext and power consumption curves as input, obtain analysis results, and determine index parameters based on the analysis results. The index parameters include at least the minimum number of successful power consumption curves and time overhead. The analysis results include the correct guessed key, as well as all guessed keys and their discriminator values. The minimum number of successful power consumption curves refers to the minimum number of power consumption curves under a set success rate threshold, where the success rate threshold is greater than 50%. The success rate is calculated as follows: Where r represents the number of groups into which the plaintext and power consumption curves are divided, and a represents the number of groups where the correctly guessed key is the same as the actual key; S4: Determine whether the correctly guessed key is the same as the actual key; If they are the same, the indicator parameters are calculated, and the final score is calculated according to the weighted model to evaluate the performance. When the correctly guessed key matches the actual key, the final score is calculated as follows: in, This indicates the number of indicator parameters involved in the scoring calculation. This represents the ideal value of the indicator. This represents the actual value of the indicator. Indicates the limit value of the indicator. Indicates the weight of the indicator; when evaluating multiple power consumption analysis modules, the ideal value of the indicator is set to the best value among all indicators, and the limit value of the indicator is set to the worst value among all indicators. If they are different, the final score is 0, and the power consumption analysis module is deemed unusable.

2. The performance evaluation method for the side-channel power consumption analysis module according to claim 1, characterized in that, The input preparation management involves dividing the plaintext and the power consumption curve into r groups.

3. The performance evaluation method for the side-channel power consumption analysis module according to claim 2, characterized in that, The number of plaintext and power consumption curves in each group is k.

4. The performance evaluation method for the side-channel power consumption analysis module according to claim 1, characterized in that, In step S3, when the analysis results are all guessed keys and their discriminator values, the calculation of the indicator parameters also includes: calculating the average discriminator score and calculating the most recent discriminator score.

5. The performance evaluation method for the side-channel power consumption analysis module according to claim 4, characterized in that, Step S4: When the analysis result is all guessed keys and their discriminator values, sort the guessed keys according to their discriminator values. The guessed key ranked first is the correct guessed key.

6. The performance evaluation method for the side-channel power consumption analysis module according to claim 4, characterized in that, The average discriminator score is the distance between the actual key and other guessed keys in the analysis results, and is calculated as follows: in, Indicates the actual key. This refers to the discriminator value of the actual key. This represents the mean of the discriminator values ​​for other guessed keys. Represents the set of all guessed keys. This represents the standard deviation of the discriminator values ​​for all guessed keys.

7. The performance evaluation method for the side-channel power consumption analysis module according to claim 4, characterized in that, The nearest discriminator score is the distance between the actual key in the analysis results and the guessed key with the largest discriminator value among other guessed keys, calculated as follows: in, Indicates the actual key. This refers to the discriminator value of the actual key. This represents the maximum value of the discriminator value among other guessed keys. Represents the set of all guessed keys. This represents the standard deviation of the discriminator values ​​for all guessed keys.

8. The performance evaluation method for the side-channel power consumption analysis module according to claim 1, characterized in that, The time overhead is the time spent running the power analysis module to generate analysis results using a specified number of power consumption curves.