S-box lookup is an important operation in block cipher design and an effective defence against traditional linear and differential cryptanalysis; however, once the physical leakage of a cipher implementation is taken into account, it becomes the weakest part of the cryptosystem. This paper studies fault attacks on block ciphers that use S-boxes and presents an improved differential fault analysis (DFA) method against Camellia. First, DFA on S-box-based block ciphers is reduced to the problem of solving for S-box input and output differences; a basic DFA model is given and then developed into two models, for SPN and for Feistel structure block ciphers. Second, an improved DFA method against Camellia is proposed, its attack complexity is analysed, and it is verified through software simulation. The results show that, owing to its reversible diffusion (permutation) function and Feistel structure, Camellia is vulnerable to deep differential fault analysis: 16 and 24 fault injections (faulty ciphertexts) are enough to recover the Camellia-128 and Camellia-192/256 master keys, respectively. Finally, the contradiction between S-box lookups in cipher design and attacks that exploit the physical effects of implementations is analysed, and the state of the art and likely future directions of fault attacks on block ciphers are discussed.
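The basic model named in the abstract, solving for an S-box input from a known input and output difference, can be simulated on a single key byte. This is an added example, not code from the paper: it assumes the fault produces a known input difference, uses the AES S-box as a stand-in 8-bit S-box (not Camellia's tables), and all function names and sample values are hypothetical.

```python
"""Toy model of the basic DFA step: solve S(u) ^ S(u ^ d_in) = d_out for u."""

def _build_sbox():
    # AES S-box (GF(2^8) inverse + affine map), used only as a stand-in S-box.
    exp, log, v = [0] * 255, [0] * 256, 1
    for i in range(255):
        exp[i], log[v] = v, i
        v ^= (v << 1) ^ (0x11B if v & 0x80 else 0)  # multiply by generator 3
    rotl = lambda b, n: ((b << n) | (b >> (8 - n))) & 0xFF
    box = []
    for a in range(256):
        b = exp[(255 - log[a]) % 255] if a else 0  # field inverse, inv(0) = 0
        box.append(b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63)
    return box

SBOX = _build_sbox()

def solve_sbox_differential(d_in, d_out):
    """All S-box inputs u consistent with the observed difference pair."""
    return {u for u in range(256) if SBOX[u] ^ SBOX[u ^ d_in] == d_out}

def faulty_observation(x, key, d_in):
    """Simulated device: S-box output difference caused by input fault d_in."""
    return SBOX[x ^ key] ^ SBOX[x ^ d_in ^ key]

def key_candidates(x, d_in, d_out):
    """Key bytes consistent with one fault: k = u ^ x for each solution u."""
    return {u ^ x for u in solve_sbox_differential(d_in, d_out)}

def recover_key_byte(x, observations):
    """Intersect the candidate sets of several (d_in, d_out) observations."""
    cands, history = set(range(256)), []
    for d_in, d_out in observations:
        cands &= key_candidates(x, d_in, d_out)
        history.append(len(cands))  # candidates left after this fault
    return cands, history

if __name__ == "__main__":
    X, KEY = 0x3A, 0xC5  # constructed sample values
    obs = [(d, faulty_observation(X, KEY, d)) for d in (0x01, 0x02, 0x04, 0x08)]
    cands, history = recover_key_byte(X, obs)
    print("candidates after each fault:", history, "->", [hex(k) for k in cands])
```

Because the stand-in S-box is differentially 4-uniform, a wrong key byte can survive at most three distinct nonzero fault differences, so four distinct differences always leave a single candidate in this model.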