A Biased Fault Attack on the Time Redundancy Countermeasure for AES Sikhar Patranabis, Abhishek Chakraborty, Phuong Ha Nguyen and Debdeep Mukhopadhyay.

Slides:

Advertisements

Similar presentations

A Robust Super Resolution Method for Images of 3D Scenes Pablo L. Sala Department of Computer Science University of Toronto.

Advertisements

Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.

Differential Fault Analysis on AES Variants Kazuo Sakiyama, Yang Li The University of Electro-Communications Nagoya, Japan.

10/14/2005Caltech1 Reliable State Machines Dr. Gary R Burke California Institute of Technology Jet Propulsion Laboratory.

Presenter: Raghu Ranganathan ECE / CMR Tennessee Technological University March 22th, 2011 Smart grid seminar series Yao Liu, Peng Ning, and Michael K.

Fundamentals of Data Analysis Lecture 12 Methods of parametric estimation.

Introduction to Statistical Quality Control, 4th Edition Chapter 7 Process and Measurement System Capability Analysis.

Wide Collisions in Practice Xin Ye, Thomas Eisenbarth Florida Atlantic University, USA 10 th ACNS Singapore.

Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.

Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea

Using Rational Approximations for Evaluating the Reliability of Highly Reliable Systems Z. Koren, J. Rajagopal, C. M. Krishna, and I. Koren Dept. of Elect.

Detecting Network Intrusions via Sampling : A Game Theoretic Approach Presented By: Matt Vidal Murali Kodialam T.V. Lakshman July 22, 2003 Bell Labs, Lucent.

SSCP: Mining Statistically Significant Co-location Patterns Sajib Barua and Jörg Sander Dept. of Computing Science University of Alberta, Canada.

Evaluating Hypotheses

An Experimental Evaluation on Reliability Features of N-Version Programming Xia Cai, Michael R. Lyu and Mladen A. Vouk ISSRE’2005.

1 Ensembles of Nearest Neighbor Forecasts Dragomir Yankov, Eamonn Keogh Dept. of Computer Science & Eng. University of California Riverside Dennis DeCoste.

Experimental Evaluation

1 Seventh Lecture Error Analysis Instrumentation and Product Testing.

1 Dot Plots For Time Series Analysis Dragomir Yankov, Eamonn Keogh, Stefano Lonardi Dept. of Computer Science & Eng. University of California Riverside.

Redundancy Ratio: An Invariant Property of the Consonant Inventories of the World’s Languages Animesh Mukherjee, Monojit Choudhury, Anupam Basu and Niloy.

Tallinn University of Technology Quantum computer impact on public key cryptography Roman Stepanenko.

Data and Data Collection Quantitative – Numbers, tests, counting, measuring Fundamentally--2 types of data Qualitative – Words, images, observations, conversations,

What Exactly are the Techniques of Software Verification and Validation A Storehouse of Vast Knowledge on Software Testing.

RRB/STS ORNL Workshop Integrated Hardware/Software Security Support R. R. BrooksSam T. Sander Associate ProfessorAssistant Professor Holcombe Department.

©2003/04 Alessandro Bogliolo Background Information theory Probability theory Algorithms.

How good are your testers? An assessment of testing ability Liang Huang, Chris Thomson and Mike Holcombe Department of Computer Science, University of.

Introduction to Statistical Quality Control, 4th Edition Chapter 7 Process and Measurement System Capability Analysis.

1 Secure Cooperative MIMO Communications Under Active Compromised Nodes Liang Hong, McKenzie McNeal III, Wei Chen College of Engineering, Technology, and.

Active Learning for Class Imbalance Problem

Wavelet-Based Multiresolution Matching for Content-Based Image Retrieval Presented by Tienwei Tsai Department of Computer Science and Engineering Tatung.

Fault Tolerant Infective Countermeasure for AES

Linear Fault Analysis of Block Ciphers Zhiqiang Liu 1, Dawu Gu 1, Ya Liu 1, Wei Li 2 1. Shanghai Jiao Tong University 2. Donghua University ACNS 2012 June.

Template attacks Suresh Chari, Josyula R. Rao, Pankaj Rohatgi IBM Research.

Computer Science Department University of Pittsburgh 1 Evaluating a DVS Scheme for Real-Time Embedded Systems Ruibin Xu, Daniel Mossé and Rami Melhem.

Table 3:Yale Result Table 2:ORL Result Introduction System Architecture The Approach and Experimental Results A Face Processing System Based on Committee.

Utilizing Performance Monitors for Compromising keys of RSA on Intel Platforms Sarani Bhattacharya and Debdeep Mukhopadhyay Dept. of Computer Science and.

Physical-layer Identification of UHF RFID Tags Authors: Davide Zanetti, Boris Danev and Srdjan Capkun Presented by Zhitao Yang 1.

Cellular Automata Machine For Pattern Recognition Pradipta Maji 1 Niloy Ganguly 2 Sourav Saha 1 Anup K Roy 1 P Pal Chaudhuri 1 1 Department of Computer.

A new Ad Hoc Positioning System 컴퓨터 공학과 오영준.

Functional Verification of Dynamically Reconfigurable Systems Mr. Lingkan (George) Gong, Dr. Oliver Diessel The University of New South Wales, Australia.

Optimal Resource Allocation for Protecting System Availability against Random Cyber Attack International Conference Computer Research and Development(ICCRD),

Question paper 1997.

A paper by: Paul Kocher, Joshua Jaffe, and Benjamin Jun Presentation by: Michelle Dickson.

Jing Ye 1,2, Yu Hu 1, and Xiaowei Li 1 1 Key Laboratory of Computer System and Architecture Institute of Computing Technology Chinese Academy of Sciences.

D_160 / MAPLD Burke 1 Fault Tolerant State Machines Gary Burke, Stephanie Taft Jet Propulsion Laboratory, California Institute of Technology.

Local Predictability of the Performance of an Ensemble Forecast System Liz Satterfield and Istvan Szunyogh Texas A&M University, College Station, TX Third.

Spatiotemporal Saliency Map of a Video Sequence in FPGA hardware David Boland Acknowledgements: Professor Peter Cheung Mr Yang Liu.

Speech Lab, ECE, State University of New York at Binghamton  Classification accuracies of neural network (left) and MXL (right) classifiers with various.

© Copyright McGraw-Hill 2004

Evaluation of gene-expression clustering via mutual information distance measure Ido Priness, Oded Maimon and Irad Ben-Gal BMC Bioinformatics, 2007.

WISA 2007 Jeju Island, Korea, 27th – 29th Aug 2007 Longer Randomly Blinded RSA Keys may be Weaker than Shorter Ones Colin D. Walter

Measurements and Their Analysis. Introduction Note that in this chapter, we are talking about multiple measurements of the same quantity Numerical analysis.

Differential Distinguishing Attack on the Shannon Stream Cipher Based on Fault Analysis Mehdi Hassanzadeh University of Bergen Selmer Center, Norway

Similarity Measurement and Detection of Video Sequences Chu-Hong HOI Supervisor: Prof. Michael R. LYU Marker: Prof. Yiu Sang MOON 25 April, 2003 Dept.

1 A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC.

Unpredictable Software-based Attestation Solution for Node Compromise Detection in Mobile WSN Xinyu Jin 1 Pasd Putthapipat 1 Deng Pan 1 Niki Pissinou 1.

Click to edit Present’s Name Three Attacks, Many Process Variations and One Expansive Countermeasure International Workshop on Cybersecurity Darshana Jayasinghe,

Chi Square Chi square is employed to test the difference between an actual sample and another hypothetical or previously established distribution such.

7. Performance Measurement

SUR-2250 Error Theory.

Xin Fang, Pei Luo, Yunsi Fei, and Miriam Leeser

Inference about Comparing Two Populations

Location Cloaking for Location Safety Protection of Ad Hoc Networks

Supporting Fault-Tolerance in Streaming Grid Applications

Improved Practical Differential Fault Analysis of Grain-128

Hardware Masking, Revisited

Process and Measurement System Capability Analysis

Aiman H. El-Maleh Sadiq M. Sait Syed Z. Shazli

Reseeding-based Test Set Embedding with Reduced Test Sequences

A handbook on validation methodology. Metrics.

Presentation transcript:

A Biased Fault Attack on the Time Redundancy Countermeasure for AES Sikhar Patranabis, Abhishek Chakraborty, Phuong Ha Nguyen and Debdeep Mukhopadhyay Department of Computer Science and Engineering, Indian Institute of Technology Kharagpur COSADE 2015

Outline  Objectives  The Time Redundancy Countermeasure  Bias Quantification and Adversarial strategy  Fault Model and Fault Injection Set-Up  Performed Attacks  Simulation Studies  Experimental Results  Conclusions COSADE 20152

Objectives 1. To develop a formulation for the degree of bias in a fault model 2. Propose biased fault models to attack the time redundancy countermeasure for AES Establish the feasibility of the proposed attacks via simulations and real life experiments COSADE 20153

Introduction: Time Redundancy  Time Redundancy - A Classical Fault Tolerance Technique  Each operation is followed by a redundant operation and outputs are matched  Output is suppressed or randomized in case of a mismatch COSADE Program Flow

Against Fault Attacks : Detection SuccessFailure COSADE Identical Faults in both rounds goes undetected

Uniform Fault Model All faults under the fault model are equally likely Fault collision probability for two random fault injections is low Large number of fault injections necessary to get a useful ciphertext COSADE 20156

Beating the Countermeasure  Improving fault collision probability  Enhancing the probability of identical faults in original and redundant rounds  Two major aspects  The size of the fault space  The probability distribution of faults in the fault space  A smaller fault space enhances the fault collision probability  A non-uniform probability distribution of faults in the fault space also enhances the fault collision probability COSADE 20157

Biased Fault Model Variance = 0 Variance = Variance = Different faults have unequal probability of occurrence Biasness of the fault model can be quantified by the variance of fault probability distribution Higher the variance, higher is the degree of bias of the fault model COSADE A Hypothetical Fault Model

The Fault Collision Probability  With increase in variance, the fault collision probability increases  Requires fewer number of fault injections per useful ciphertext COSADE 20159

Long Story Short The Adversarial Perspective COSADE But what about practical feasibility? Yes!! It is practically feasible

Proposed Fault Model All faults are restricted to a single byte Two kinds of fault models Situation-1: Attacker has control over target byte Situation-2: Attacker has no control over target byte Control over target byte makes fault model more precise but is costly to achieve COSADE Fault Classification Fault Precision Suitable

Fault Injection Set-Up  Time redundant AES-128 implemented in Spartan 3A FPGA  Fault injection using clock glitches at various frequencies  Xilinx DCM to drive fast clock frequency  Internal state monitoring using ChipScope Pro 12.3 COSADE

Fault Injection Technique COSADE

Time Redundant AES-128 COSADE AES-128 Encryption Module

Fault Distribution Patterns COSADE Frequency Ranges Frequency (in MHz) Distribution pattern checked over 512 random fault injections Number of Fault Instances

Attack Procedure Notations COSADE

Attack Procedure Fault Injection COSADE Useful Ciphertext obtained if f i = f j Useful Ciphertext obtained if f i = f j

Attack Procedure Requires Only Faulty Ciphertexts  Distinguishers used :  Hamming Distance (HD)  Squared Euclidean Imbalance (SEI)  Make a key hypothesis k and evaluate the distinguishers  Correct hypothesis gives minimum and maximum values respectively COSADE SEI Differential Fault Intensity Analysis, Ghalaty et. al., FDTC 2014 Fault Attacks on AES with Faulty Ciphertexts Only, Fuhr et. al., FDTC 2013

Attack Procedure Target Rounds  Round 9 (Rounds 17 and 18 of time redundant AES)  Fault is injected before the SubBytes operation of round 9  Hypothesize on one byte of K 10 at a time  Round 8 (Rounds 15 and 16 of time redundant AES)  Fault is injected before the SubBytes operation of round 8  Hypothesize on 4 bytes of K 10 and one byte of K 9 at a time  Beyond Round 8 attacks on time redundant AES become infeasible as very large number of fault injections are required COSADE

Simulation : Part-1 Identical faults introduced into both original and redundant rounds Target byte chosen at random Same fault for original and redundant computations Each fault injection yields a useful ciphertext Attacks simulated on rounds 8 and 9 Performed separately for each fault model COSADE Simulation results Number of ciphertexts required to guess a key byte with 99% accuracy

Simulation : Part-2 Vary the degree of bias in the fault model Control the variance of the fault probability distribution Observe the number of fault injections per useful ciphertext Two adversarial models: Perfect control over target byte No control over target byte COSADE Larger number of fault injections Perfect control over target byte No control over target byte

Practical Experiments  Proposed attack evaluated on a time redundant hardware implementation of AES-128 on Spartan 3A FPGA  RTL Verilog definition of time redundant AES  A total of 20 rounds with comparison after each even round  Two types of implementations:  Type 1 : Target byte is fixed  Type 2 : Target byte is random COSADE Fixing the Target Byte

Experimental Results COSADE Useful ciphertexts Total Fault Injections Results presented per byte of key

Conclusions  Biased fault models weaken the time redundancy countermeasure considerably  Our experiments demonstrate practically feasible attacks on actual implementations of time redundant AES-128  Countermeasures based on uniform fault patterns must therefore be revisited in the light of biased fault models COSADE

Thank You! COSADE