Wide Collisions in Practice. Xin Ye, Thomas Eisenbarth, Florida Atlantic University, USA. 10th ACNS 2012, Singapore.


Overview
- Side Channel Collision Attacks
- Wide Collisions for AES
- Improving Recognition Rates
- Attack Results

Embedded Systems
- Special-purpose devices with computing capabilities
- Constrained resources
- Many require security

Side Channel Attacks
- ... the device leaks additional information via a side channel! e.g. power consumption / EM emanation
[Figure: plaintext in, ciphertext out, leakage from the device]

Collisions in AES
- Collision: querying the same S-box value twice
- Collision attack: exploiting collision detections to recover the secret key
[Figure: plaintext -> Add_Key -> Sub_Bytes; S-box 1 and S-box 4 receive the same input, y4 = y1]

Collision Detection
- Collisions are highly frequent:
  – First round: 0.41 collisions
  – One encryption: > 40 collisions
- Detecting collisions is hard:
  – One encryption: comparisons
  – Probability of a collision: < 0.4%
  – False positive rate of 1%: > 120 faulty detections
→ Should minimize false positives

Wide Collisions (I)
- Two AES encryptions with chosen inputs
- Same plaintexts except for the diagonals!
- AddRoundKey, SubBytes → same difference

Wide Collisions (II)
- ShiftRows aligns the differences
- MixColumns can result in equal bytes
[Figure: state after MixColumns, the equal byte marked "Collision"]

Wide Collisions (III)
- 2nd ShiftRows results in equal columns
- Full column collides until the next ShiftRows!
- 5 predictable S-box collisions between 2 encryptions!
[Figure: Full Column Collision]

Collision Detection
- Direct comparison of two power traces
- Ideally only compared in the leaking regions (5 S-boxes and the full MixColumns column colliding)
→ Point selection necessary:
  – Knowledge of the implementation or profiling needed
[Figure: leaking regions in the trace: 4 S-boxes (in round 3) + S-box in round 2 + MixColumns]

Key Recovery Phase
- 1st byte after 1st MixColumns: 4 collisions reduce the key candidates from 2^32 to 1 candidate per diagonal.
- Full key recovery: 16 distinct collisions.
→ Avoid false positives
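
As an added, runnable illustration of the wide-collision construction (the Wide Collisions (I)-(III) slides) and of the key-recovery step above, the following Python simulation is not the authors' code. It implements AES-128 from scratch, generates chosen plaintext pairs that differ only on the first diagonal, checks that a collision in one byte of the first MixColumns column yields the five predicted S-box collisions (one in round 2, a full column in round 3), and then recovers the four diagonal key bytes from four such collisions. The side-channel detection is replaced by peeking at the simulated intermediate state, and the meet-in-the-middle split of the 2^32 candidate search, the function names and the seed are choices made for this example, not a description of the paper's procedure.

```python
import random

# AES-128 building blocks, written from scratch for this example. The state is column-major
# (byte index = row + 4*column), so diagonal 0 is the byte indices 0, 5, 10, 15.
def xtime(a):
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
def gmul(a, b):                                   # multiplication in GF(2^8)
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = xtime(a), b >> 1
    return r

def _build_sbox():                                # GF(2^8) inverse, then the affine map
    sbox = [0] * 256
    for x in range(256):
        inv = next(y for y in range(256) if gmul(x, y) == 1) if x else 0
        s = inv
        for _ in range(4):
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox[x] = s ^ 0x63
    return sbox
SBOX = _build_sbox()
GM = {m: [gmul(m, x) for x in range(256)] for m in (1, 2, 3)}   # MixColumns lookup tables
MC = ((2, 3, 1, 1), (1, 2, 3, 1), (1, 1, 2, 3), (3, 1, 1, 2))
DIAG0 = (0, 5, 10, 15)
def sub_bytes(s): return [SBOX[b] for b in s]
def shift_rows(s): return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]
def add_round_key(s, k): return [a ^ b for a, b in zip(s, k)]
def mix_columns(s):
    return [GM[MC[i][0]][s[4*c]] ^ GM[MC[i][1]][s[4*c+1]] ^ GM[MC[i][2]][s[4*c+2]] ^ GM[MC[i][3]][s[4*c+3]]
            for c in range(4) for i in range(4)]

def expand_key(key):                              # AES-128 key schedule: round keys 0..10
    w, rcon = [list(key[4*i:4*i+4]) for i in range(4)], 1
    for i in range(4, 44):
        t = list(w[i-1])
        if i % 4 == 0:
            t, rcon = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]], xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i-4], t)])
    return [sum(w[4*r:4*r+4], []) for r in range(11)]

def encrypt_trace(p, round_keys, rounds=3):
    """First `rounds` rounds; returns each round's S-box input state (what a collision attack compares)."""
    s, sbox_inputs = add_round_key(p, round_keys[0]), []
    for r in range(1, rounds + 1):
        sbox_inputs.append(s)
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), round_keys[r])
    return sbox_inputs

def predicted_collisions(i):
    """The 5 guaranteed S-box collisions for a wide collision at column-0 byte i: that byte's
    round-2 S-box plus the whole round-3 column into which the 2nd ShiftRows moves it."""
    c = (-i) % 4
    return [(2, i)] + [(3, 4 * c + r) for r in range(4)]
def sbox_collisions(t1, t2):                      # (round, byte) with equal S-box inputs, round 2 on
    return [(r + 1, i) for r in range(1, len(t1)) for i in range(16) if t1[r][i] == t2[r][i]]

def find_wide_collision(round_keys, rng):
    """Chosen-input search: plaintext pairs differing only on diagonal 0, kept when a byte of the
    first MixColumns column collides. A real attack sees that in the power traces; this
    simulation peeks at the intermediate state instead."""
    while True:
        p1 = [rng.randrange(256) for _ in range(16)]
        p2 = list(p1)
        for d in DIAG0:
            p2[d] = (p1[d] + rng.randrange(1, 256)) & 0xFF   # every diagonal byte differs
        t1, t2 = encrypt_trace(p1, round_keys), encrypt_trace(p2, round_keys)
        for i in range(4):
            if t1[1][i] == t2[1][i]:
                return p1, p2, i, sbox_collisions(t1, t2)

def recover_diagonal(collisions):
    """Diagonal-0 key bytes from (p1, p2, i) collisions. Each is an 8-bit condition
    c0*D0 ^ c1*D1 == c2*D2 ^ c3*D3 with Dj = S(pj^kj) ^ S(pj'^kj), c = row i of MixColumns;
    matching the halves (a meet-in-the-middle chosen here) replaces the 2^32 search by two 2^16 tables."""
    deltas = [[[SBOX[p1[d] ^ k] ^ SBOX[p2[d] ^ k] for k in range(256)] for d in DIAG0]
              for p1, p2, _ in collisions]
    rows = [MC[i] for _, _, i in collisions]
    def half(ja, jb):
        table = {}
        for ka in range(256):
            for kb in range(256):
                sig = tuple(GM[row[ja]][dl[ja][ka]] ^ GM[row[jb]][dl[jb][kb]]
                            for row, dl in zip(rows, deltas))
                table.setdefault(sig, []).append((ka, kb))
        return table
    left, right = half(0, 1), half(2, 3)
    return [(k0, k1, k2, k3) for sig, pairs in left.items()
            for k0, k1 in pairs for k2, k3 in right.get(sig, [])]

def demo(seed=2012):
    rng = random.Random(seed)
    key = [rng.randrange(256) for _ in range(16)]              # constructed secret key
    rks = expand_key(key)
    found = [find_wide_collision(rks, rng) for _ in range(4)]  # 4 collisions, as on the slide
    predicted_seen = all(set(predicted_collisions(i)) <= set(cols) for _, _, i, cols in found)
    cands = recover_diagonal([(p1, p2, i) for p1, p2, i, _ in found])
    return tuple(key[d] for d in DIAG0), cands, predicted_seen

if __name__ == "__main__":
    print(demo())
```

Running it prints the true diagonal-0 key bytes, the candidate tuples that survive four collisions (the true one plus, on average, about one chance survivor, which is why the slides insist on avoiding false positives), and whether every predicted S-box collision was observed. Repeating the procedure for the other three diagonals gives the 16 collisions the slide counts for full key recovery.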

Outlier Method
Procedure:
- Find the overall mean trace
- Locate the outlier region
- Locate neighboring pairs
[Figure: mean trace vs. an individual trace, with the outlier region marked]

Outlier Method: Details
- Two parameters:
  – Size of the outlier region
  – Admitted distance between neighboring points
- Both influence:
  – Number of detected collisions
  – Rate of false positives
- Tradeoff depends on the implementation

Results
Unprotected SW implementation, 8-bit smart card. Results on 3000 power traces:

Leaking points              Detected collisions   Correct detections
1 (R = 0.9, d_max = 0.3)
4 (R = 0.9, d_max = 0.3)    46                    71.1%
8 (R = 0.9, d_max = 0.3)    88                    93.7%

→ Wide collisions are stronger, but knowledge of the implementation or profiling is needed
→ Blind templates (+ PCA) are great for device profiling

Optimized Collision Detection
- Targeting wide collisions:
  – Strong leakage, easier to detect
  – Requires chosen inputs
- Using the outlier detection method:
  – Reduces the overall number of detected collisions
  – Minimizes false positives

Conclusion
- Wide collisions yield a feasible power-based collision attack
- The outlier method is a helpful tool for decreasing false positive detections

Thank you very much for your attention!