Differential Fault Analysis on AES Variants Kazuo Sakiyama, Yang Li The University of Electro-Communications Nagoya, Japan.

Presentation transcript:

Contents
Background
– Physical Attacks and Differential Fault Analysis
– Advanced Encryption Standard
– Fault Model in this discussion: 1-byte random fault in known byte position
DFA Attack on AES Variants
– DFA on AES-128 with 1 fault injection
– DFA on AES-192 with 3/2 fault injections
– DFA on AES-256 with 3/2 fault injections
Challenge to be practically feasible
Conclusion

Cryptanalytic Attacks
Mathematical Approach
Physical Approach
– Keep the proposed attack feasible
[Diagram: cryptographic device (secret key inside) with Input and Output, plus Physical Information Channels]

Classification of Physical Attacks
Direction of information channel
– Passive Attacks
– Active Attacks
Input, Output Known
– Non-Invasive Passive Attacks (Side-Channel Analysis): Time, Power Consumption, Electromagnetic Radiation
– Non-Invasive Active Attacks (Fault Analysis): Inject computational faults
[Diagram: cryptographic device (secret key inside) with Input and Output]

Differential Fault Analysis (DFA) on AES Encryption
DFA (most discussed fault analysis)
Attack Procedures
[Diagram: P → AES → C with intermediate value I; the same P with a fault turning I into I' → C'; ΔI = I ⊕ I']
– C, C' and a key guess Kg go through AES decryption
– Kg-based correct intermediate value: Ig
– Kg-based faulty intermediate value: I'g
– Does ΔIg match ΔI?
Fault Model: space of ΔI, e.g. 1-byte random fault at a known byte position

Advanced Encryption Standard
Substitution permutation network
Symmetric algorithm
128-bit input block
3 versions
– 128-bit key (10 Rounds)
– 192-bit key (12 Rounds)
– 256-bit key (14 Rounds)
AES Round Operation: SB, SR, MC, AK

AES Key Schedule
[Diagram: AES-128 key schedule K0, K1, …, K10 and AES-192 key schedule K0, K1, K2, …, K12, each using the function F]

AES Key Schedule
[Diagram: AES-256 key schedule K0, K1, K2, K3, …, K13, K14, using the function F and Sub Word]

Fault Model in this presentation
Fault model:
– 1-byte random fault model
– Random faulty value at a known byte position
– 1 S-box calculation has a faulty result
Fault injection based on setup-time violation
– Clock glitch
– Less time for a certain clock cycle (round operation)

DFA attacks on AES Variants
The minimal number of fault injections that still keeps key recovery complexity practical
DFA on AES-128 with 1 fault injection
– CHES03, Africa09, WISTP11
DFA on AES-192 with 3 fault injections
– FDTC11
DFA on AES-256 with 3 fault injections
– FDTC11
DFA on AES-192 with 2 fault injections
– Improved a little from FDTC11
DFA on AES-256 with 2 fault injections
– IEEE Trans. on Info. F&S

DFA on AES-128
[Diagram: rounds 8 to 10 (SB, SR, MC, AK; no MC in round 10) ending in the ciphertexts C and C']
Without considering K9, we can reduce the K10 space to 2^32

DFA Attacks on AES-192 (simple attack, 3 faults)
[Diagram: rounds 9 to 12 (SB, SR, MC, AK; no MC in round 12), drawn three times for the ciphertext pairs (C1, C1'), (C2, C2') and (C3, C3')]
Identify K12 first using (C1,C1’) and (C1,C2’), then recover K11

DFA Attacks on AES-256 (simple attack, 3 faults)
[Diagram: rounds 11 to 14 (SB, SR, MC, AK; no MC in round 14), drawn three times for the ciphertext pairs (C1, C1'), (C2, C2') and (C3, C3')]
Identify K14 first using (C1,C1’) and (C1,C2’), then recover K13

Maybe 2 faults are enough for AES-192 and AES-256
[Diagram: C and C' decrypted under the key guess Kg give Ig and I'g; ΔIg is matched against ΔI. Labels: Space of Kg, Space of ΔI]
Satisfy zero-difference bytes in the intermediate state
– AES 128: 128-bit → 8-bit
– AES 192: 192-bit → 72-bit → 0 bit
– AES 256: 256-bit → 136-bit → 16-bit
Keep the proposed attack feasible!

DFA Attacks on AES-192 (2 faults)
[Diagram: rounds 9 to 12 (SB, SR, MC, AK; no MC in round 12), drawn twice for the ciphertext pairs (C1, C1') and (C2, C2')]
1. Restrict K12 to 2^32

A property of the AES-192 key schedule
[Diagram: AES-192 key schedule around K10, K11, K12 with the function F]
For AES-192:
– K12 → left 2 columns of K11
– K12 → right 1 column of K10

DFA Attacks on AES-192 (2 faults)
[Diagram: rounds 9 to 12 (SB, SR, MC, AK; no MC in round 12) for the ciphertext pairs (C1, C1') and (C2, C2'), with the MC 10, AK 10 and round 11 steps drawn again separately]
1. Restrict K12 to 2^32
2. Given a K12 candidate, the leftmost 2 columns of K11 are fixed, and we have 5 more 2^-8 conditions to satisfy. So we can identify K12
3. Identify the rest of K11

DFA Attacks on AES-256 (2 faults)
[Diagram: rounds 11 to 14 (SB, SR, MC, AK; no MC in round 14), drawn twice for the ciphertext pairs (C1, C1') and (C2, C2')]
1. Restrict K14 to 2^32

AES S-box Differential Table
For an AES S-box, given a pair of input/output differences, this difference pair exists with probability of about ½.
If this difference pair exists, one can find 2 pairs of solutions.
Given N pairs of input/output differences, we can expect N real-value solutions.
Used in the inbound phase of the Rebound Attack
[Diagram: Outbound, Inbound, Outbound]

A property of the AES-256 key schedule
[Diagram: AES-256 key schedule around K12, K13, K14 with the function F]
For AES-256:
– K14 → right 3 columns of K12
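The S-box differential table and the two key-schedule properties from the slides above can be checked directly. The following is an added example, not code from the presentation; the function names and the sample keys are constructed for illustration. It rebuilds the AES S-box, profiles one row of its differential table, and shows that XORing adjacent columns of the last round key yields the earlier round-key columns the 2-fault attacks reuse.

```python
from collections import Counter

def gmul(a, b):  # multiply in GF(2^8) modulo the AES polynomial 0x11B
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def build_sbox():  # field inverse followed by the AES affine map
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    invs = [next((y for y in range(1, 256) if gmul(x, y) == 1), 0) for x in range(256)]
    return [b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63 for b in invs]

SBOX = build_sbox()

def ddt_row_profile(dx):
    """For input difference dx: how many nonzero dy have 0, 2 or 4 solutions x."""
    row = Counter(SBOX[x] ^ SBOX[x ^ dx] for x in range(256))
    return Counter(row[dy] for dy in range(1, 256))

def expand_key(key):
    """FIPS-197 key expansion; returns all round-key columns w[i] as byte lists."""
    nk = len(key) // 4
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (nk + 7)):
        t = list(w[i - 1])
        if i % nk == 0:                    # RotWord, SubWord, Rcon
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = gmul(rcon, 2)
        elif nk == 8 and i % nk == 4:      # extra SubWord, AES-256 only
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return w

def columns_implied_by_last_key(last):
    """XOR of adjacent final-round-key columns; holds for AES-192 and AES-256."""
    return [[a ^ b for a, b in zip(last[j], last[j + 1])] for j in range(3)]

if __name__ == "__main__":
    print(ddt_row_profile(0x01))           # same profile for every nonzero dx
    for nk in (6, 8):                      # constructed sample keys 00 01 02 ...
        w = expand_key(bytes(range(4 * nk)))
        print(32 * nk, columns_implied_by_last_key(w[-4:]) == w[-nk - 3:-nk])
```

For AES-192 the three implied columns are the right column of K10 followed by the left 2 columns of K11; for AES-256 they are the right 3 columns of K12. The relation is pure XOR because none of these key-schedule steps passes through SubWord.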

DFA Attacks on AES-256 (2 faults)
1. Restrict K14 to 2^32
Pick a K14, calculate the difference at SB 13 out, and restrict real values in each column to
Then we know the rightmost 3 columns of K12, calculate the blue bytes in SB 12 in, check 2 conditions of
Space of SB 13 out is reduced to
Then K13 is reduced to 2^16
(Complexity about 2^48, key recovery using FPGA takes 8 days to finish)
[Diagram: rounds 11 to 14 (SB, SR, MC, AK; no MC in round 14) for the ciphertext pairs (C1, C1') and (C2, C2'), with the MC 11, AK 11, SB 12, SR 12 and MC 12, AK 12, SB 13, SR 13 steps drawn again separately]

Conclusion
– In side-channel attacks, especially fault analysis, cryptanalysis techniques can help.
– For AES-256, a DFA attack with two 1-byte random faults at known positions is feasible for strong attackers.
– Can we make DFA with faults at unknown positions feasible?

Thank you for your attention!