自從差分能量分析(DPA)的攻擊被宣布後，就有許多演算法提出許多的防禦對策，而對於安全的AES演算法來說，一種masking(遮罩)方法是被建議的，然而這masking方法又被發現有second order DPA的弱點，因此，本文研究目的就是在於提出有效的AES軟體對策，以防禦second order DPA攻擊，而本文提出了一種把明文masking兩次另外再以置換掉S-Box的方法作為對策，使這演算法對於修改的S-Box因而不須使用masking的方法，如此的加密不會增加程式的複雜性，而我們稱這種置換最初的S-Box叫等效的S-Box，而這等效的S-Box的產生方法，其實跟原來的那組S-Box產生方法一樣，而我們也於最後以8051單晶片實作展示了防禦結果，以證明其是可防禦DPA攻擊，因此本論文所提防禦方法也適合低成本的smart card的使用。

Many defensive countermeasures have been proposed by many algorithms since Differential Powder Analysis (DPA) attack was announced. For secure AES algorithm, there was weakness of second-order DPA in the proposed Masking method. In this paper, the effective AES software, which masks plain-text twice, the other to replace primitive S-Box to makes a defense against second-order DPA, is proposed. The algorithm needn’t use the Masking method to modify S-Box. Therefore, program’s complexity with encryption isn’t increased; to replace the primitive S-Box is called “random S-Box”. In fact, this random S-Box produces the same method as this primitive S-Box does. Finally, in order to prove that it can resist DPA attack, the defensive effect of 8051 micro-controller is shown. Hence, the proposed resistant method also suits the low-cost smart card.

第一章 緒論......................................................... 1
第二章 AES密碼系統介紹.................................. 3
第三章 能量分析攻擊介紹................................ 11
3.1 簡單能量分析............................................... 11
3.2 差分能量分析............................................... 14
第四章 AES密碼系統實驗設備的建構............. 18
4.1 智慧卡簡介................................................... 18
4.2 實驗設備的建構........................................... 20
第五章 實作展示差分能量分析在AES的弱點攻擊...... 23
5.1 S-Box 差分能量分析攻擊實作展示............ 23
5.2 XORing 差分能量分析攻擊實作展示......... 26
5.3 2次差分能量分析攻擊實作展示................. 29
第六章 實作有防禦的AES................................. 33
6.1 1次差分能量分析防禦實作方法................. 35
6.2 2次差分能量分析防禦實作方法................. 39
6.3 差分能量分析防禦結果展示....................... 42
6.4 優缺點分析................................................... 43
第七章 總結........................................................ 45
參考文獻............................................................. 46
附錄A AES中使用的名詞定義.......................... 48
附錄B 隨機的S-Box (Random S-Box)實作說明...... 50
附錄C 有SPA防禦的AES 8051組合語言.................... 53
附錄D 有DPA防禦的AES 8051組合語言................... 65

[1]Paul Kocher, Joshua Jaffe, and Benjamin Jun “Differential Power Analysis”, Advances in Cryptographt-CRYPTO’99, LNCS 1666, pp.388-397, Springer-Verlag, 1999.

[2]曾紹崟,呂誌忠,戴憲文,孫熒聯,王煥文,彭志毅,林慧菁“Jixco 簡介”,專題報導 ─ IC卡應用安全管理,Communications of the CCISA Vol.8 No.3 June 2002, P68~78.
[3]K.Itoh, M.Takenaka, and N.Torii,“DPA Countermeasure Based on the Masking Method”, ICICS 2001, LNCS 288, pp.440-456, Springer-Verlag, 2002.

[4]Joan Daemen,Vincent Rijmen, “AES proposal：Rijndael.”,1999,
available at Web http://csrc.nist.gov/encryption/aes/ rijndael/ Rijndael.pdf

[5]Paul Kocher,Joshua Jaffe,and Benjamin Jun “Introduction Differential Power Analysis and Related Attacks”1998 Available at http://www.cryptography.com/dpa/technical

[6]S.M.Yen,“Amplified Differential Power Crytanalysis on Rijndael Implementations with Exponentially Fewer Power Traces”, Information Security and Privacy-ACISP 2003, LNCS 2727, pp.106-117, Springer-Verlag, 2003.

[7]Jean-Jacques Quisquater, David Samyde,“Automatic Code Recognition for Smartcards Using a Kohonen Neural Network”, USENIX Association,Proceedings of the Fifth Smart Card Research and Advanced Application Conference (CARDIS 02), San Jose,CA,USA,November 2002, http://www.usenix.org/
events/cardis02/ full_papers/valverde/valverde.pdf

[8]T.Messerges,“Using Second-Order Power Analysis to Attack DPA Resistant Software”, CHES 2000, LNCS 1965, pp.238-351, Springer-Verlag, 2000.