Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Biased Fault Attack on the Time Redundancy Countermeasure for AES Sikhar Patranabis, Abhishek Chakraborty, Phuong Ha Nguyen and Debdeep Mukhopadhyay.

Published byPhyllis Edwards Modified over 9 years ago

Similar presentations

Presentation on theme: "A Biased Fault Attack on the Time Redundancy Countermeasure for AES Sikhar Patranabis, Abhishek Chakraborty, Phuong Ha Nguyen and Debdeep Mukhopadhyay."— Presentation transcript:

1 A Biased Fault Attack on the Time Redundancy Countermeasure for AES Sikhar Patranabis, Abhishek Chakraborty, Phuong Ha Nguyen and Debdeep Mukhopadhyay Department of Computer Science and Engineering, Indian Institute of Technology Kharagpur COSADE 2015

2 Outline  Objectives  The Time Redundancy Countermeasure  Bias Quantification and Adversarial strategy  Fault Model and Fault Injection Set-Up  Performed Attacks  Simulation Studies  Experimental Results  Conclusions COSADE 20152

3 Objectives 1. To develop a formulation for the degree of bias in a fault model 2. Propose biased fault models to attack the time redundancy countermeasure for AES-128 3. Establish the feasibility of the proposed attacks via simulations and real life experiments COSADE 20153

4 Introduction: Time Redundancy  Time Redundancy - A Classical Fault Tolerance Technique  Each operation is followed by a redundant operation and outputs are matched  Output is suppressed or randomized in case of a mismatch COSADE 20154 Program Flow

5 Against Fault Attacks : Detection SuccessFailure COSADE 20155 Identical Faults in both rounds goes undetected

6 Uniform Fault Model All faults under the fault model are equally likely Fault collision probability for two random fault injections is low Large number of fault injections necessary to get a useful ciphertext COSADE 20156

7 Beating the Countermeasure  Improving fault collision probability  Enhancing the probability of identical faults in original and redundant rounds  Two major aspects  The size of the fault space  The probability distribution of faults in the fault space  A smaller fault space enhances the fault collision probability  A non-uniform probability distribution of faults in the fault space also enhances the fault collision probability COSADE 20157

8 Biased Fault Model Variance = 0 Variance = 0.004 Variance = 0.026 Different faults have unequal probability of occurrence Biasness of the fault model can be quantified by the variance of fault probability distribution Higher the variance, higher is the degree of bias of the fault model COSADE 20158 A Hypothetical Fault Model

9 The Fault Collision Probability  With increase in variance, the fault collision probability increases  Requires fewer number of fault injections per useful ciphertext COSADE 20159

10 Long Story Short The Adversarial Perspective COSADE 201510 But what about practical feasibility? Yes!! It is practically feasible

11 Proposed Fault Model All faults are restricted to a single byte Two kinds of fault models Situation-1: Attacker has control over target byte Situation-2: Attacker has no control over target byte Control over target byte makes fault model more precise but is costly to achieve COSADE 201511 Fault Classification Fault Precision Suitable

12 Fault Injection Set-Up  Time redundant AES-128 implemented in Spartan 3A FPGA  Fault injection using clock glitches at various frequencies  Xilinx DCM to drive fast clock frequency  Internal state monitoring using ChipScope Pro 12.3 COSADE 201512

13 Fault Injection Technique COSADE 2015 13

14 Time Redundant AES-128 COSADE 201514 AES-128 Encryption Module

15 Fault Distribution Patterns COSADE 201515 Frequency Ranges Frequency (in MHz) Distribution pattern checked over 512 random fault injections Number of Fault Instances

16 Attack Procedure Notations COSADE 201516

17 Attack Procedure Fault Injection COSADE 201517 Useful Ciphertext obtained if f i = f j Useful Ciphertext obtained if f i = f j

18 Attack Procedure Requires Only Faulty Ciphertexts  Distinguishers used :  Hamming Distance (HD)  Squared Euclidean Imbalance (SEI)  Make a key hypothesis k and evaluate the distinguishers  Correct hypothesis gives minimum and maximum values respectively COSADE 2015 18 SEI Differential Fault Intensity Analysis, Ghalaty et. al., FDTC 2014 Fault Attacks on AES with Faulty Ciphertexts Only, Fuhr et. al., FDTC 2013

19 Attack Procedure Target Rounds  Round 9 (Rounds 17 and 18 of time redundant AES)  Fault is injected before the SubBytes operation of round 9  Hypothesize on one byte of K 10 at a time  Round 8 (Rounds 15 and 16 of time redundant AES)  Fault is injected before the SubBytes operation of round 8  Hypothesize on 4 bytes of K 10 and one byte of K 9 at a time  Beyond Round 8 attacks on time redundant AES become infeasible as very large number of fault injections are required COSADE 201519

20 Simulation : Part-1 Identical faults introduced into both original and redundant rounds Target byte chosen at random Same fault for original and redundant computations Each fault injection yields a useful ciphertext Attacks simulated on rounds 8 and 9 Performed separately for each fault model COSADE 201520 Simulation results Number of ciphertexts required to guess a key byte with 99% accuracy

21 Simulation : Part-2 Vary the degree of bias in the fault model Control the variance of the fault probability distribution Observe the number of fault injections per useful ciphertext Two adversarial models: Perfect control over target byte No control over target byte COSADE 201521 Larger number of fault injections Perfect control over target byte No control over target byte

22 Practical Experiments  Proposed attack evaluated on a time redundant hardware implementation of AES-128 on Spartan 3A FPGA  RTL Verilog definition of time redundant AES  A total of 20 rounds with comparison after each even round  Two types of implementations:  Type 1 : Target byte is fixed  Type 2 : Target byte is random COSADE 201522 Fixing the Target Byte

23 Experimental Results COSADE 201523 Useful ciphertexts Total Fault Injections Results presented per byte of key

24 Conclusions  Biased fault models weaken the time redundancy countermeasure considerably  Our experiments demonstrate practically feasible attacks on actual implementations of time redundant AES-128  Countermeasures based on uniform fault patterns must therefore be revisited in the light of biased fault models COSADE 201524

25 Thank You! COSADE 201525

Download ppt "A Biased Fault Attack on the Time Redundancy Countermeasure for AES Sikhar Patranabis, Abhishek Chakraborty, Phuong Ha Nguyen and Debdeep Mukhopadhyay."

Similar presentations

A Robust Super Resolution Method for Images of 3D Scenes Pablo L. Sala Department of Computer Science University of Toronto.

A Robust Super Resolution Method for Images of 3D Scenes Pablo L. Sala Department of Computer Science University of Toronto.
Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.

Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.
Differential Fault Analysis on AES Variants Kazuo Sakiyama, Yang Li The University of Electro-Communications Nagoya, Japan.

Differential Fault Analysis on AES Variants Kazuo Sakiyama, Yang Li The University of Electro-Communications Nagoya, Japan.
10/14/2005Caltech1 Reliable State Machines Dr. Gary R Burke California Institute of Technology Jet Propulsion Laboratory.

10/14/2005Caltech1 Reliable State Machines Dr. Gary R Burke California Institute of Technology Jet Propulsion Laboratory.
Presenter: Raghu Ranganathan ECE / CMR Tennessee Technological University March 22th, 2011 Smart grid seminar series Yao Liu, Peng Ning, and Michael K.

Presenter: Raghu Ranganathan ECE / CMR Tennessee Technological University March 22th, 2011 Smart grid seminar series Yao Liu, Peng Ning, and Michael K.
Fundamentals of Data Analysis Lecture 12 Methods of parametric estimation.

Fundamentals of Data Analysis Lecture 12 Methods of parametric estimation.
Introduction to Statistical Quality Control, 4th Edition Chapter 7 Process and Measurement System Capability Analysis.

Introduction to Statistical Quality Control, 4th Edition Chapter 7 Process and Measurement System Capability Analysis.
Wide Collisions in Practice Xin Ye, Thomas Eisenbarth Florida Atlantic University, USA 10 th ACNS 2012- Singapore.

Wide Collisions in Practice Xin Ye, Thomas Eisenbarth Florida Atlantic University, USA 10 th ACNS Singapore.
Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.

Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.
Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea 34901784 443099

Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea
Using Rational Approximations for Evaluating the Reliability of Highly Reliable Systems Z. Koren, J. Rajagopal, C. M. Krishna, and I. Koren Dept. of Elect.

Using Rational Approximations for Evaluating the Reliability of Highly Reliable Systems Z. Koren, J. Rajagopal, C. M. Krishna, and I. Koren Dept. of Elect.
Detecting Network Intrusions via Sampling : A Game Theoretic Approach Presented By: Matt Vidal Murali Kodialam T.V. Lakshman July 22, 2003 Bell Labs, Lucent.

Detecting Network Intrusions via Sampling : A Game Theoretic Approach Presented By: Matt Vidal Murali Kodialam T.V. Lakshman July 22, 2003 Bell Labs, Lucent.
SSCP: Mining Statistically Significant Co-location Patterns Sajib Barua and Jörg Sander Dept. of Computing Science University of Alberta, Canada.

SSCP: Mining Statistically Significant Co-location Patterns Sajib Barua and Jörg Sander Dept. of Computing Science University of Alberta, Canada.
Evaluating Hypotheses

Evaluating Hypotheses
An Experimental Evaluation on Reliability Features of N-Version Programming Xia Cai, Michael R. Lyu and Mladen A. Vouk ISSRE’2005.

An Experimental Evaluation on Reliability Features of N-Version Programming Xia Cai, Michael R. Lyu and Mladen A. Vouk ISSRE’2005.
1 Ensembles of Nearest Neighbor Forecasts Dragomir Yankov, Eamonn Keogh Dept. of Computer Science & Eng. University of California Riverside Dennis DeCoste.

1 Ensembles of Nearest Neighbor Forecasts Dragomir Yankov, Eamonn Keogh Dept. of Computer Science & Eng. University of California Riverside Dennis DeCoste.
Experimental Evaluation

Experimental Evaluation
1 Seventh Lecture Error Analysis Instrumentation and Product Testing.

1 Seventh Lecture Error Analysis Instrumentation and Product Testing.
1 Dot Plots For Time Series Analysis Dragomir Yankov, Eamonn Keogh, Stefano Lonardi Dept. of Computer Science & Eng. University of California Riverside.

1 Dot Plots For Time Series Analysis Dragomir Yankov, Eamonn Keogh, Stefano Lonardi Dept. of Computer Science & Eng. University of California Riverside.
Redundancy Ratio: An Invariant Property of the Consonant Inventories of the World’s Languages Animesh Mukherjee, Monojit Choudhury, Anupam Basu and Niloy.

Redundancy Ratio: An Invariant Property of the Consonant Inventories of the World’s Languages Animesh Mukherjee, Monojit Choudhury, Anupam Basu and Niloy.

Similar presentations

Ads by Google