Presentation is loading. Please wait.

Presentation is loading. Please wait.

Improved Practical Differential Fault Analysis of Grain-128

Published byJulia Moreno Quiroga Modified over 6 years ago

Similar presentations

Presentation on theme: "Improved Practical Differential Fault Analysis of Grain-128"— Presentation transcript:

1 Improved Practical Differential Fault Analysis of Grain-128
Prakash Dey, Abhishek Chakraborty, Avishek Adhikari and Debdeep Mukhopadhyay Departments of Pure Mathematics, University of Calcutta and Computer Science and Engineering, Indian Institute of Technology Kharagpur, India

2 Abhishek Chakraborty, Indian Institute of Technology Kharagpur
Outline Motivation of our Work Basic Idea Grain-128 Cipher Preliminaries Simulation Based Results Fault Injection Setup Experimental Results Conclusions 15-Nov-18 Abhishek Chakraborty, Indian Institute of Technology Kharagpur

3 Abhishek Chakraborty, Indian Institute of Technology Kharagpur
Motivation of our Work Differential Fault Attacks on stream ciphers : An active field of research Practical realizations of such DFA : Not reported in the literature How realistic are the assumed fault models for DFA on stream ciphers? Need to be revisited from a practical view point We considered a low-cost clock glitch based fault injection on eSTREAM finalist Grain-128 Differential fault analysis is a type of side channel attack in the field of cryptography, specifically cryptanalysis. The principle is to induce faults—unexpected environmental conditions—into cryptographic implementations, to reveal their internal states. 15-Nov-18 Abhishek Chakraborty, Indian Institute of Technology Kharagpur

4 Abhishek Chakraborty, Indian Institute of Technology Kharagpur
Basic Idea SINGLE CLOCK GLITCH GRAIN-128 NOT ENOUGH FAULTS MULTI CLOCK GLITCHES GRAIN-128 ENOUGH FAULTS 15-Nov-18 Abhishek Chakraborty, Indian Institute of Technology Kharagpur

5 Overview: Work Procedure
Offline stage: i) Simulation of faults many times ii) Identification of a bitwise XOR pattern between the normal and faulty keystream Online stage: i) Introduction of clock glitch introduced faults on hardware ii) Identification of the fault location iii) SAT solver: Obtain internal state of Grain-128 15-Nov-18 Abhishek Chakraborty, Indian Institute of Technology Kharagpur

6 Abhishek Chakraborty, Indian Institute of Technology Kharagpur
Grain-128 Stream Cipher eSTREAM hardware port folio finalist Designed by M. Hell, T. Johansson, A. Maximov and W. Meier 15-Nov-18 Abhishek Chakraborty, Indian Institute of Technology Kharagpur

7 Fault and Fault position
15-Nov-18 Abhishek Chakraborty, Indian Institute of Technology Kharagpur

8 The XOR Differential Keystream
In order to detect the fault, one needs to identify a pattern in the XOR differential keystream 15-Nov-18 Abhishek Chakraborty, Indian Institute of Technology Kharagpur

9 Signature of Faults Key-IV independent Differential Pattern corresponding to a fault 15-Nov-18 Abhishek Chakraborty, Indian Institute of Technology Kharagpur

10 Signature: A Toy Example
15-Nov-18 Abhishek Chakraborty, Indian Institute of Technology Kharagpur

11 Generating Polynomial Equations
Now the system of polynomial equations are simply passed on to the SAT solver for the extraction of solution for the variables of IS_t SAT solver 15-Nov-18 Abhishek Chakraborty, Indian Institute of Technology Kharagpur

12 Experimental Results - 1
Fault location Identification Probability Bad Fault Rejection Probability One standalone desktop PC with AMD 4.0 GHz FX-8350 processor and 32 GB RAM Beowulf Cluster of 20 desktop PC each with 2.60 GHz Intel Pentium E5300 Dual-core processor and 4 GB RAM SAT solver Cryptominisat installed in SAGE All simulation based experiments were performed assuming PRGA(keystream generation) round 1 as target round For each column of both the tables we considered 2^20 experiments … ie randomly varying key-IV and fault positions within k neighbourhood Key Iv pairs are distinct uniformly random and independent Faults other than k neighbourhood fault at a fixed PRGA round is c 15-Nov-18 Abhishek Chakraborty, Indian Institute of Technology Kharagpur

13 Experimental Results - 2
SAT Solving Results with timeout of 4 hours m: denotes the number of random faults introduced (uniformly and independently) N: no. of PRGA rounds considred for analysis NOE: Num of experiments NOT: Num of timed out cases PRGA: Pseudo Random keystream Generation Algorithm 15-Nov-18 Abhishek Chakraborty, Indian Institute of Technology Kharagpur

14 Abhishek Chakraborty, Indian Institute of Technology Kharagpur
Fault Injection Setup Grain-128 cipher implemented in Spartan 3A FPGA Clock glitches at different frequencies Xilinx DCM to drive the CUT Internal state monitored using Chipscope Pro 12.3 15-Nov-18 Abhishek Chakraborty, Indian Institute of Technology Kharagpur

15 Fault Injection Technique
Spartan 3A 15-Nov-18 Abhishek Chakraborty, Indian Institute of Technology Kharagpur

16 Experimental Results - 3
All the faults were single bit faults No multiple bit faults Single bit faults biased at the 128th NLFSR bit 15-Nov-18 Abhishek Chakraborty, Indian Institute of Technology Kharagpur

17 Abhishek Chakraborty, Indian Institute of Technology Kharagpur
Grain-128 : Critical Path 15-Nov-18 Abhishek Chakraborty, Indian Institute of Technology Kharagpur

18 Abhishek Chakraborty, Indian Institute of Technology Kharagpur
Multiple Bit Faults Outcome: No random single bit faults as required for the attack proposed by S.Sarkar et.al (2013) Solution? Random Multiple Bit Faults in a single round Modified fault injection technique: Introduce k- neighbourhood random multiple bit faults 15-Nov-18 Abhishek Chakraborty, Indian Institute of Technology Kharagpur

19 Introducing k- neighbourhood faults
15-Nov-18 Abhishek Chakraborty, Indian Institute of Technology Kharagpur

20 Experimental Results - 4
SAT solver time: secs To recover the internal state `94b7841c7bff0ca4765cd312e25c51de269e886808dde1a2faed03df8fed13a0‘ at PRGA round 17 15-Nov-18 Abhishek Chakraborty, Indian Institute of Technology Kharagpur

21 Abhishek Chakraborty, Indian Institute of Technology Kharagpur
Conclusions For the first time, we provide actual chip results of clock glitch induced faults on any stream cipher (Grain-128) Occurrence of biased faults at a single bit Existing single bit fault based DFA on Grain-128 will not be feasible Modified fault injection technique: Combining the effect of the clock glitches and also the shift in the registers Revisiting the DFA algorithm on Grain-128: Relaxed fault model with key recovery possible for k-neighbourhood fault 15-Nov-18 Abhishek Chakraborty, Indian Institute of Technology Kharagpur

22 Abhishek Chakraborty, Indian Institute of Technology Kharagpur
References 15-Nov-18 Abhishek Chakraborty, Indian Institute of Technology Kharagpur

23 Abhishek Chakraborty, Indian Institute of Technology Kharagpur
References (Contd..) 15-Nov-18 Abhishek Chakraborty, Indian Institute of Technology Kharagpur

24 Abhishek Chakraborty, Indian Institute of Technology Kharagpur
Thank you Questions ? 15-Nov-18 Abhishek Chakraborty, Indian Institute of Technology Kharagpur

Download ppt "Improved Practical Differential Fault Analysis of Grain-128"

Similar presentations

AES Side Channel Attacks

AES Side Channel Attacks
Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.

Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.
Differential Fault Analysis on AES Variants Kazuo Sakiyama, Yang Li The University of Electro-Communications Nagoya, Japan.

Differential Fault Analysis on AES Variants Kazuo Sakiyama, Yang Li The University of Electro-Communications Nagoya, Japan.
LINEAR FEEDBACK SHIFT REGISTERS, GALOIS FIELDS, AND STREAM CIPHERS Mike Thomsen Cryptography II May 14 th, 2012.

LINEAR FEEDBACK SHIFT REGISTERS, GALOIS FIELDS, AND STREAM CIPHERS Mike Thomsen Cryptography II May 14 th, 2012.
Dan Boneh Stream ciphers Real-world Stream Ciphers Online Cryptography Course Dan Boneh.

Dan Boneh Stream ciphers Real-world Stream Ciphers Online Cryptography Course Dan Boneh.
An Introduction to Stream Ciphers Zahra Ahmadian Electrical Engineering Department Sahrif University of Technology

An Introduction to Stream Ciphers Zahra Ahmadian Electrical Engineering Department Sahrif University of Technology
10/14/2005Caltech1 Reliable State Machines Dr. Gary R Burke California Institute of Technology Jet Propulsion Laboratory.

10/14/2005Caltech1 Reliable State Machines Dr. Gary R Burke California Institute of Technology Jet Propulsion Laboratory.
Low Cost Attack on Tamper Resistant Devices Ross Anderson, Markus Kuhn Songpol Manoonpong.

Low Cost Attack on Tamper Resistant Devices Ross Anderson, Markus Kuhn Songpol Manoonpong.
Practical Template-Algebraic Side Channel Attacks with Extremely Low Data Complexity 1.

Practical Template-Algebraic Side Channel Attacks with Extremely Low Data Complexity 1.
Cryptanalysis on FPGA Based Hardware

Cryptanalysis on FPGA Based Hardware
Multithreaded FPGA Acceleration of DNA Sequence Mapping Edward Fernandez, Walid Najjar, Stefano Lonardi, Jason Villarreal UC Riverside, Department of Computer.

Multithreaded FPGA Acceleration of DNA Sequence Mapping Edward Fernandez, Walid Najjar, Stefano Lonardi, Jason Villarreal UC Riverside, Department of Computer.
Hidden Markov Model Cryptanalysis Chris Karlof and David Wagner.

Hidden Markov Model Cryptanalysis Chris Karlof and David Wagner.
Making Services Fault Tolerant

Making Services Fault Tolerant
Content Based Image Clustering and Image Retrieval Using Multiple Instance Learning Using Multiple Instance Learning Xin Chen Advisor: Chengcui Zhang Department.

Content Based Image Clustering and Image Retrieval Using Multiple Instance Learning Using Multiple Instance Learning Xin Chen Advisor: Chengcui Zhang Department.
Adaptive Security for Wireless Sensor Networks Master Thesis – June 2006.

Adaptive Security for Wireless Sensor Networks Master Thesis – June 2006.
Answers Will Out Or….what’s wrong with repeated failure?

Answers Will Out Or….what’s wrong with repeated failure?
The Design of Improved Dynamic AES and Hardware Implementation Using FPGA 89321032 游精允.

The Design of Improved Dynamic AES and Hardware Implementation Using FPGA 游精允.
Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis.

Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis.
A Cryptography Education Tool Anna Yu Department of Computer Science College of Engineering North Carolina A&T State University June 18, 2009.

A Cryptography Education Tool Anna Yu Department of Computer Science College of Engineering North Carolina A&T State University June 18, 2009.
1 Secure Cooperative MIMO Communications Under Active Compromised Nodes Liang Hong, McKenzie McNeal III, Wei Chen College of Engineering, Technology, and.

1 Secure Cooperative MIMO Communications Under Active Compromised Nodes Liang Hong, McKenzie McNeal III, Wei Chen College of Engineering, Technology, and.

Similar presentations

Ads by Google