Presentation is loading. Please wait.

Presentation is loading. Please wait.

Wide Collisions in Practice Xin Ye, Thomas Eisenbarth Florida Atlantic University, USA 10 th ACNS 2012- Singapore.

Published byMarian Smith Modified over 9 years ago

Similar presentations

Presentation on theme: "Wide Collisions in Practice Xin Ye, Thomas Eisenbarth Florida Atlantic University, USA 10 th ACNS 2012- Singapore."— Presentation transcript:

1 Wide Collisions in Practice Xin Ye, Thomas Eisenbarth Florida Atlantic University, USA 10 th ACNS 2012- Singapore

2 Overview Side Channel Collision Attacks Wide Collisions for AES Improving Recognition Rates Attack Results

3 Embedded Systems Specific purpose device with computing capabilities Constrained resources Many require security

4 Side Channel Attacks … leaks additional information via side channel! e.g. power consumption / EM emanation Leakage plaintext ciphertext

5 Collisions in AES Collision: Querying same S-box value twice Collision Attack: Exploiting collision detections to recover secret key y1y1 y 4 = y 1 plaintext Add_Key Sub_Bytes S-box 1S-box 4

6 Collision Detection Collisions are highly frequent: – First round:.41 collisions – One encryption:>40 collisions Detecting collisions is hard: – One encryption: 12 720 comparisons – Probability of a collision: <0.4% – False positive rate of 1%: >120 faulty detections  Should minimize false positives

7 Wide Collisions (I)  Two AES encryptions with chosen inputs  Same plaintexts except for diagonals!  AddRoundKey, SubBytes -> same difference

8 Wide Collisions (II) ShiftRows aligns differences MixColumns can result in equal bytes Collision

9 Wide Collisions (III)  2 nd ShiftRows results in equal columns  Full column collides until next ShiftRows!  5 predictable S-Box collisions between 2 encryptions! Full Column Collision

10 Collision Detection Direct Comparison of two power traces Ideally only compared in leaking regions (5 s-Boxes and full MixColumns colliding)  Point selection necessary: – Knowledge of implementation or profiling needed S-box4 S-boxes (in round 3) + S-box in round 2 + Mix Columns

11 Key Recovery Phase 1 st byte after 1 st MixColumns: 4 collisions reduce key candidates from 2 32 to 1 candidate per diagonal. Full key recovery: 16 distinct collisions.  Avoid false positives

12 Outlier Method Procedure: Find overall Mean Trace Locate Outlier Region Locate Neighboring Pairs Mean Trace Individual Trace Outlier Region

13 Outlier Method: Details Two parameters: Size of outlier region Admitted distance between neighboring points Both influence Number of detected collisions Rate of false positives Tradeoff depends on implementation

14 Results Leaking PointsDetected CollisionsCorrect Detections 1 (R = 0.9, d max = 0.3)12723.0% 4 (R = 0.9, d max = 0.3)4671.1% 8 (R = 0.9, d max = 0.3)8893.7%  Wide Collisions stronger, but knowledge of implementation or profiling needed  Blind Templates (+ PCA) are great for device profiling Unprotected SW implementation, 8-bit Smart Card Results on 3000 power traces:

15 Optimized Collision Detection Targeting Wide Collisions – Strong leakage, easier to detect – Requires chosen inputs Using Outlier Detection method: – Reduces overall detection of collisions – Minimizes false positives

16 Conclusion Wide collisions yield feasible power based collision attack Outlier Method is a helpful tool for decreasing false positive detections

17 Thank you very much for your attention! teisenba@fau.edu

Download ppt "Wide Collisions in Practice Xin Ye, Thomas Eisenbarth Florida Atlantic University, USA 10 th ACNS 2012- Singapore."

Similar presentations

AES Side Channel Attacks

AES Side Channel Attacks
Differential Fault Analysis on AES Variants Kazuo Sakiyama, Yang Li The University of Electro-Communications Nagoya, Japan.

Differential Fault Analysis on AES Variants Kazuo Sakiyama, Yang Li The University of Electro-Communications Nagoya, Japan.
An Introduction to Stream Ciphers Zahra Ahmadian Electrical Engineering Department Sahrif University of Technology

An Introduction to Stream Ciphers Zahra Ahmadian Electrical Engineering Department Sahrif University of Technology
Statistical Tools Flavor Side-Channel Collision Attacks

Statistical Tools Flavor Side-Channel Collision Attacks
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.

1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
White-Box Cryptography

White-Box Cryptography
Differential Power Analysis of Smartcards How secure is your private information? Author: Ryan Junee Supervisor: Matt Barrie.

Differential Power Analysis of Smartcards How secure is your private information? Author: Ryan Junee Supervisor: Matt Barrie.
Practical Template-Algebraic Side Channel Attacks with Extremely Low Data Complexity 1.

Practical Template-Algebraic Side Channel Attacks with Extremely Low Data Complexity 1.
Block Ciphers and the Data Encryption Standard

Block Ciphers and the Data Encryption Standard
Exploring timing based side channel attacks against 802.11i CCMP Suman Jana, Sneha K. Kasera University of Utah Introduction

Exploring timing based side channel attacks against i CCMP Suman Jana, Sneha K. Kasera University of Utah Introduction
Algorithm Scheme. AddRoundKey Each round uses four different words from the expanded key array. Each column in the state matrix is XORed with a different.

Algorithm Scheme. AddRoundKey Each round uses four different words from the expanded key array. Each column in the state matrix is XORed with a different.
Advanced Encryption Standard(AES) Presented by: Venkata Marella Slide #9-1.

Advanced Encryption Standard(AES) Presented by: Venkata Marella Slide #9-1.
Full AES key extraction in 65 milliseconds using cache attacks

Full AES key extraction in 65 milliseconds using cache attacks
Advanced Encryption Standard. This Lecture Why AES? NIST Criteria for potential candidates The AES Cipher AES Functions and Inverse Functions AES Key.

Advanced Encryption Standard. This Lecture Why AES? NIST Criteria for potential candidates The AES Cipher AES Functions and Inverse Functions AES Key.
The Design of Improved Dynamic AES and Hardware Implementation Using FPGA 89321032 游精允.

The Design of Improved Dynamic AES and Hardware Implementation Using FPGA 游精允.
ICS 454: Principles of Cryptography

ICS 454: Principles of Cryptography
ICS 454 Principles of Cryptography Advanced Encryption Standard (AES) (AES) Sultan Almuhammadi.

ICS 454 Principles of Cryptography Advanced Encryption Standard (AES) (AES) Sultan Almuhammadi.
CS470, A.SelcukAfter the DES1 Block Ciphers After the DES CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukAfter the DES1 Block Ciphers After the DES CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Study of AES Encryption/Decription Optimizations Nathan Windels.

Study of AES Encryption/Decription Optimizations Nathan Windels.

Similar presentations

Ads by Google