automatic synthesis of fault attack
play

Automatic Synthesis of Fault Attack Resistant Cipher Implementations - PowerPoint PPT Presentation

Oct 15, 2022 •127 likes •468 views

Automatic Synthesis of Fault Attack Resistant Cipher Implementations Chester Rebeiro IIT Madras Side Channel Analysis Electro magnetic Radiation Fault injection Power consumption Timing channels Preventing Side Channel Attacks is

  1. Automatic Synthesis of Fault Attack Resistant Cipher Implementations Chester Rebeiro IIT Madras

  2. Side Channel Analysis Electro magnetic Radiation Fault injection Power consumption Timing channels

  3. Preventing Side Channel Attacks is Difficult Programming Platform / Language overheads Compiler Specific Specific Naïve implementations can VHDL, Countermeasures need to have significant size or/and Assembly, be tuned based on performance overheads Java * device (IoT devices to server) * compilers may introduce further Vulnerabilities Cannot be implemented by your average Joe

  4. Block Cipher Specification Language Specification- 1. h begin i 2. h lookups i 3. SBOX : { 0 x 63 , 0 x 7 c , 0 x 77, 0 x 7 b , · · · } HTML like language that captures basic 4. KEY : { 0 x 54, 0 x 68, 0 x 61, 0 x 74, · · · } 5. h /lookups i functionality of the cipher 6. h operations i 7. h func i h MUL2 ( a ) i 8. h h : { a : RS ( a, 7 ) } i - operations 9. h t : { a : LS ( a, 1 ) } i h n : { h : MUL ( h, 0 0 x 1 b0 ) } i 10. - information flow 11. h m : { ( n, t ) : XOR ( n, t ) } i 12. ret m 13. h / func i 14. · · · · · · · · · 15. h /operations i 16. · · · · · · · · · 17. h F 2 i h nonlinear i h SUBBYTE i h 18. h F 2[1] : { F 1[1] : LKUP ( F 1[1], SBOX ) } i 19. · · · · · · · · · Just need one per cipher 20. h F 2[16] : { F 1[16] : LKUP ( F 1[16], SBOX ) } i 21. / i 22. h F 3 i h linear i h PERMUTE i h Platform independent 23. h F 3[1] : { F 2[1] } i 24. · · · · · · · · · Programming language independent 25. h F 3[16] : { F 2[12] } i 26. / i 27. h F 4 i h linear i h MDS i h 28. h F 4[1] : { ( F 3[1], F 3[2], F 3[3], F 3[4] ) : XOR ( XOR ( MUL2 ( F 3[1] ), MUL3 ( F 3[2] ) ), XOR ( F 3[3], F 3[4] ) ) } i 29. · · · · · · · · · 30. h F 4[16] : { ( F 3[13], F 3[14], F 3[15], F 3[16] ) : XOR ( XOR ( MUL2 ( F 3[16] ), MUL3 ( F 3[23] ) ), XOR ( F 3[14], F 3[15] ) ) } i 31. / i 32. · · · · · · · · · 33. h end i

  5. Synthesis Tools Source Code (Java / Assembly / RTL) uint8_t F1[ 16 ], F2[ 16 ], F2d[ 16 ]; uint8_t SBOX[ 256 ] = {S1, S2, · · · , S256} ; Synthesis tools F 2[ 0 ] = SBOX[ F 1[ 0 ]] ; F 2[ 1 ] = SBOX[ F 1[ 1 ]] ; Specification- · · · · · · · · · F 2[ 15 ] = SBOX[ F 1[ 15 ]] ; · · · · · · · · · 1. h begin i F 2 d [ 0 ] = SBOX[ F 1[ 0 ]] ; 2. h lookups i 3. SBOX : { 0 x 63 , 0 x 7 c , 0 x 77, 0 x 7 b , · · · } F 2 d [ 1 ] = SBOX[ F 1[ 1 ]] ; 4. KEY : { 0 x 54, 0 x 68, 0 x 61, 0 x 74, · · · } 5. h /lookups i · · · · · · · · · 6. h operations i Side-Channel F 2 d [ 15 ] = SBOX[ F 1[ 15 ]] ; · · · · · · · · · 7. h func i h MUL2 ( a ) i 8. h h : { a : RS ( a, 7 ) } i 9. h t : { a : LS ( a, 1 ) } i h n : { h : MUL ( h, 0 0 x 1 b0 ) } i if ( F 2[ 0 ] == F 2 d [ 0 ] && · · · && F 2[ 15 ] == F 2 d [ 15 ]) 10. 11. h m : { ( n, t ) : XOR ( n, t ) } i { Evaluation 12. ret m continue ; 13. h / func i 14. · · · · · · · · · } · · · · · · · · · 15. h /operations i else 16. · · · · · · · · · 17. h F 2 i h nonlinear i h SUBBYTE i h & { 18. h F 2[1] : { F 1[1] : LKUP ( F 1[1], SBOX ) } i exit( 0 ); 19. · · · · · · · · · 20. h F 2[16] : { F 1[16] : LKUP ( F 1[16], SBOX ) } i } 21. / i 22. h F 3 i h linear i h PERMUTE i h Synthesis 23. h F 3[1] : { F 2[1] } i 24. · · · · · · · · · 25. h F 3[16] : { F 2[12] } i 26. / i 27. h F 4 i h linear i h MDS i h 28. h F 4[1] : { ( F 3[1], F 3[2], F 3[3], F 3[4] ) : XOR ( XOR ( MUL2 ( F 3[1] ), MUL3 ( F 3[2] ) ), XOR ( F 3[3], F 3[4] ) ) } i 29. · · · · · · · · · 30. h F 4[16] : { ( F 3[13], F 3[14], F 3[15], F 3[16] ) : XOR ( XOR ( MUL2 ( F 3[16] ), MUL3 ( F 3[23] ) ), XOR ( F 3[14], F 3[15] ) ) } i 31. / i 32. · · · · · · · · · 33. h end i compiler Specification Side-channel secure Executable / design

  6. Automatic Synthesis of Fault Attack Resistant Block Cipher Implementations

  7. Fault Injection in Block Ciphers optical glitch in power Random single byte fault glitch in clock Memory Instructions injection 000000000000 load r1, #key 000000000000 add r0, r1, r2 000000000000 out r9,r1 out r9,r0 000000000000 sub r4, #23 000000000 88 0 mul r2, r1, r4 000000000000 cmp r3, #0 target device Logical Fault Effect 000000000000 Physical Fault Injection Secret Key Attack Outcome Fault Propagation Difficult

  8. Differential Fault Attacks plaintext FAULT INJECTION ENCRYPTION ENCRYPTION ciphertext faulty ciphertext ANALYSIS

  9. A Simple AES Fault Attack P P p 0 p 1 p 127 p 0 p 1 p 127 AES AES k 127 k 1 k 1 k 127 k 0 k 0 c 0 c 1 c 127 c’ 0 ’ c 1 c 127 C’ C ' k 0 = c 0 Many more stronger fault attacks are possible

  10. Central Idea in DFA Fault attackers look to solve equations in one of the following form x Å x ' = d x - 1 ( y Å k ) Å S - 1 ( y ' Å k ) = d x ' S x x ' k where and are known and and are S S d unknown. k k Iterate over all possible values of and identify d y those that satisfy the above equations. y ' The number of solutions depends on the properties of the S-box.

  11. Central Idea in DFA If multiple equations of this form are found, then the complexity is reduced considerably where are linear functions in d Only key tuples that satisfy all n equations are potential candidates Assuming is a byte, we can recover n bytes of key with a complexity of 2 8 d

  12. summarize Linear functions Involving sbox More the better Inject Fault Solve Equations Online complexity : #faults are needed to retrieve the key Offline complexity : Search space for finding the keys

  13. Differential Fault Attacks on AES Fault Injected #faults (online complexity) Offline complexity in first round requires 128 faults NIL in last round requires 128 faults NIL in 9 th round requires 4 faults 256 (each fault derives 32 bits of key) in 8 th round Requires 1 fault 256 all other rounds Not exploitable N/A A majority of the faults are unexploitable Naïve countermeasures do not consider the online or offline attack complexity requirements, thus significant overheads

  14. SAFARI Automatic Synthesis of Fault Attack Resistant Block Cipher Implementations Block Cipher Specification (BCS) FaultDroid XFC Ranked list of Countermeas ure fault locations with corresponding offline Addition to complexity Specification Software (CAS) Implementation BCS ⇤ Synthes is Security RTL Implementation

  15. XFC: Exploitable Fault Characterization Block Cipher Specification (BCS) FaultDroid XFC Ranked list of Countermeas ure fault locations with corresponding offline Addition to complexity Specification Software (CAS) Implementation BCS ⇤ Synthes is Security RTL Implementation DAC’17

  16. XFC XFC

  17. Fault Propagation Phase Linear Key Addition Non-Linear S-box S-box S-box S-box A Typical Block Cipher Diffusion Diffusion Linear Linear Key Addition Non-Linear S-box S-box S-box S-box Diffusion Diffusion Linear Linear Key Addition Non-Linear S-box S-box S-box S-box Diffusion Diffusion Linear Linear Key Addition Non-Linear S-box S-box S-box S-box Linear Key Addition

  18. Fault Propagation Phase Linear Key Addition Non-Linear S-box S-box S-box S-box Diffusion Diffusion Linear Color the fault affected part. Propagate and color as follows. Linear Key Addition 1. When passing through a linear layer, Non-Linear S-box S-box S-box S-box retain same color Diffusion Diffusion Linear 2. When passing through a non-linear Linear Key Addition layer, change color Non-Linear S-box S-box S-box S-box 1. If two bytes of different colors are Diffusion Diffusion Linear combined, change the color. Linear Key Addition Same colors are linearly correlated Non-Linear S-box S-box S-box S-box Different colors are not correlated Linear Key Addition

  19. Key Addition Key Determination Phase S-box S-box S-box S-box Diffusion Diffusion ' Å k 1 Å k 1 ) Å S S - 1 ( y - 1 ( y 1 ) = g 1 ( d ) 1 ' Å k 2 ) = g 2 ( d ) Key Addition - 1 ( y 2 Å k 2 ) Å S S - 1 ( y 2 S-box S-box S-box S-box For every possible value of d Diffusion Diffusion determine k 1 , k 2 that satisfy the equations. Key Addition The complexity is 2 4 ; the possible S-box S-box S-box S-box values can take. d Diffusion Diffusion Key Addition S-box S-box S-box S-box k k 2 k 3 k 4 1 y 3 y y 2 y 4 1

  20. Key Addition Key Determination Phase S-box S-box S-box S-box Diffusion Diffusion Key Addition S-box S-box S-box S-box ' Å k 3 ) = g 3 ( d ) Diffusion Diffusion - 1 ( y 3 Å k 3 ) Å S S - 1 ( y 3 ' Å k 4 ) = g 4 ( d ) - 1 ( y 4 Å k 4 ) Å S S - 1 ( y 4 Key Addition Can be used to determine (k 3 , k 4 ) S-box S-box S-box S-box Diffusion Diffusion Key Addition S-box S-box S-box S-box k k 2 k 3 k 4 1 y 3 y y 2 y 4 1

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

2 Fault Isolation & Restoration Manual Fault Isolation & Restoration The

2 Fault Isolation & Restoration Manual Fault Isolation & Restoration The

1 Self Healing Network (Centralized Restoration Gateway) IEEE PES 2015 General Meeting 2 Fault Isolation & Restoration Manual Fault Isolation & Restoration The operator makes switching decisions Automatic Fault Location

724 views • 22 slides
FAULT INTERPRETATION: AUTOMATIC CURVE MATCHING Fault interpretation is carried out by Archimedes

FAULT INTERPRETATION: AUTOMATIC CURVE MATCHING Fault interpretation is carried out by Archimedes

ARCHIMEDES|THEORY 01 ARCHIMEDES | THEORY FAULT INTERPRETATION: AUTOMATIC CURVE MATCHING Fault interpretation is carried out by Archimedes using an Automatic Curve Matching (ACM) method applied to located magnetic data. ACM

270 views • 4 slides
Medusa: Microarchitectural Data Leakage via Automated Attack Synthesis Daniel Moghimi

Medusa: Microarchitectural Data Leakage via Automated Attack Synthesis Daniel Moghimi

Medusa: Microarchitectural Data Leakage via Automated Attack Synthesis Daniel Moghimi Moritz Lipp Berk Sunar Michael Schwarz 2018: Meltdown Attack? 2 2018: Meltdown Attack? Virtual Address Space User Space CPU Registers

1.14k views • 63 slides
Formal Verification of Automatic Circuit Transformations for Fault-Tolerance Dmitry Burlyaev

Formal Verification of Automatic Circuit Transformations for Fault-Tolerance Dmitry Burlyaev

Formal Verification of Automatic Circuit Transformations for Fault-Tolerance Dmitry Burlyaev Pascal Fradet 09/30/15, Austin, TX, USA @ FMCAD'15 Outline For a given (fault-tolerance) transformation T , we want to prove a property of the form

1.11k views • 79 slides
Perturbation attack on modern CPUs, from the fault model to the exploitation Thomas TROUCHKINE 1 ,

Perturbation attack on modern CPUs, from the fault model to the exploitation Thomas TROUCHKINE 1 ,

Perturbation attack on modern CPUs, from the fault model to the exploitation Thomas TROUCHKINE 1 , Guillaume BOUFFARD 1,2 , Jessy CLDIRE 3 1 National Cybersecurity Agency of France (ANSSI) 2 Information Security Group, cole Normale

292 views • 28 slides
Fault attack vulnerability assessment of binary code Cryptography and Security in Computing

Fault attack vulnerability assessment of binary code Cryptography and Security in Computing

Fault attack vulnerability assessment of binary code Cryptography and Security in Computing Systems [CS219], Valencia, Spain January 21, 2019 Jean-Baptiste Brjon Emmanuelle Encrenaz Karine Heydemann Quentin Meunier Son-Tuan Vu Sorbonne

770 views • 34 slides
On the Need of Randomness in Fault Attack Countermeasures Application to AES Victor LOMNE 1 ,

On the Need of Randomness in Fault Attack Countermeasures Application to AES Victor LOMNE 1 ,

Physical Attacks New Attacks on Classical Countermeasures Extended Countermeasures On the Need of Randomness in Fault Attack Countermeasures Application to AES Victor LOMNE 1 , Thomas ROCHE 1 , Adrian THILLARD 1 1 ANSSI (French Network and

358 views • 25 slides
Qemu code fault automatic discovery with symbolic search Paul Marinescu, Cristian Cadar, Chunjie

Qemu code fault automatic discovery with symbolic search Paul Marinescu, Cristian Cadar, Chunjie

Qemu code fault automatic discovery with symbolic search Paul Marinescu, Cristian Cadar, Chunjie Zhu, Philippe Gabriel Goals of this presentation Introduction of KLEE (symbolic execution tool) Qemu fault/patch retrospective Understand

283 views • 13 slides
Automatic Synthesis of Fast and Certified Code for Polynomial Evaluation through the example of

Automatic Synthesis of Fast and Certified Code for Polynomial Evaluation through the example of

ANR MetaLibm kick-off meeting Lyon, 22 January, 2014 Automatic Synthesis of Fast and Certified Code for Polynomial Evaluation through the example of the CGPE tool Guillaume Revy quipe-projet DALI, Univ. Perpignan Via Domitia LIRMM, CNRS:

570 views • 30 slides
Integrated Presentation Attack Detection and Automatic Speaker Verification: Common Features and

Integrated Presentation Attack Detection and Automatic Speaker Verification: Common Features and

Integrated Presentation Attack Detection and Automatic Speaker Verification: Common Features and Gaussian Back-end Fusion Massimiliano Todisco 1 , H ector Delgado 1 , Kong Aik Lee 2 , Md Sahidullah 3 , Nicholas Evans 1 , Tomi Kinnunen 4 and

292 views • 5 slides
Automatic Interface Synthesis based on the Classification of Interface Protocols of IPs ChangRyul

Automatic Interface Synthesis based on the Classification of Interface Protocols of IPs ChangRyul

Automatic Interface Synthesis based on the Classification of Interface Protocols of IPs ChangRyul Yun 1 , DongSu Kang 2 , YoungHwan Bae 3 , HanJin Cho 3 , KyoungSon Jhang 2 1 Agency for Defense Development, KOREA 2 Dept. of Computer Engineering,

758 views • 26 slides
Improved Debugging Using Automatic Fault-localization Techniques Mary Jean Harrold ADVANCE

Improved Debugging Using Automatic Fault-localization Techniques Mary Jean Harrold ADVANCE

Improved Debugging Using Automatic Fault-localization Techniques Mary Jean Harrold ADVANCE Professor of Computing Georgia Institute of Technology Supported by NSF, NASA Boeing Commercial Airplanes, Tata Consultancy Services MASPLAS 2007 My

736 views • 44 slides
I Control Your Code Attack Vectors through the Eyes of Software-based Fault Isolation Mathias

I Control Your Code Attack Vectors through the Eyes of Software-based Fault Isolation Mathias

I Control Your Code Attack Vectors through the Eyes of Software-based Fault Isolation Mathias Payer <mathias.payer@nebelwelt.net> Motivation Current exploits are powerful because Applications run on coarse-grained user-privilege

800 views • 39 slides
Multi-Level Formal Analysis A New Direction for Fault Injection Attack? L. Sauvage, T. Graba, T.

Multi-Level Formal Analysis A New Direction for Fault Injection Attack? L. Sauvage, T. Graba, T.

Institut Mines-Tlcom Multi-Level Formal Analysis A New Direction for Fault Injection Attack? L. Sauvage, T. Graba, T. Porteboeuf PROOFS September 17, 2015 Presentation Outline Introduction, Motivation Multi-level Formal Verification

485 views • 27 slides
Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics, University of Auckland PQCrypto 2017, 26th of June 1/15 Outline 1 Preliminaries Introduction Supersingular isogenies SSI cryptosystems 2 Fault attack

378 views • 33 slides
Automatic Speech Recognition (CS753) Automatic Speech Recognition (CS753) Lecture 23: Speech

Automatic Speech Recognition (CS753) Automatic Speech Recognition (CS753) Lecture 23: Speech

Automatic Speech Recognition (CS753) Automatic Speech Recognition (CS753) Lecture 23: Speech Synthesis (Part I) Instructor: Preethi Jyothi Oct 30, 2017 T ext- T o- S peech Systems Storied History Von Kempelens speaking machine (1791)

290 views • 8 slides
Attacks and Countermeasures for White-box Designs Alex Biryukov, Aleksei Udovenko CSC and SnT,

Attacks and Countermeasures for White-box Designs Alex Biryukov, Aleksei Udovenko CSC and SnT,

Attacks and Countermeasures for White-box Designs Alex Biryukov, Aleksei Udovenko CSC and SnT, University of Luxembourg December 5, 2018 Plan 1 Introduction 2 Attacks on Masked White-box Implementations 3 Countermeasures 4 Algebraic Security 0

797 views • 53 slides
GAN-based Photo Video Synthesis Summary of Generative Adversarial Nets Lei Zhang What is

GAN-based Photo Video Synthesis Summary of Generative Adversarial Nets Lei Zhang What is

GAN-based Photo Video Synthesis Summary of Generative Adversarial Nets Lei Zhang What is Generative Adversarial Networks (GAN)? Generative - creating new data that depends on the choice of the training set Adversarial - competitive

894 views • 9 slides
50 Fake Planes: Finding enough elements of Donald Cartwright, University of Sydney Tim

50 Fake Planes: Finding enough elements of Donald Cartwright, University of Sydney Tim

50 Fake Planes: Finding enough elements of Donald Cartwright, University of Sydney Tim Steger, Universit` a degli Studi di Sassari completing a project started by Gopal Prasad, University of Michigan Sai-Kee Yeung, Purdue University 25

478 views • 10 slides
Lower Rio Grande Settlement Framework John W. Utton Utton & Kery, P.A. Santa Fe, New Mexico

Lower Rio Grande Settlement Framework John W. Utton Utton & Kery, P.A. Santa Fe, New Mexico

Lower Rio Grande Settlement Framework John W. Utton Utton & Kery, P.A. Santa Fe, New Mexico October 18, 2018 History of LRG Water Appropriation and Administration Rio Grande Project Notices 1906/08 Elephant Butte Dam - 1916

423 views • 23 slides
Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . . . 1 / 18

I SAP Towards Side-channel Secure AE Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer FSE 2017 www.iaik.tugraz.at Introduction Problem: side-channel attacks Countermeasures: hiding, masking, TI . .

635 views • 30 slides
CACM Network Code SEM Market Integration Workshop III 9 February 2012 Mark Lane Overview of

CACM Network Code SEM Market Integration Workshop III 9 February 2012 Mark Lane Overview of

CACM Network Code SEM Market Integration Workshop III 9 February 2012 Mark Lane Overview of current Network Code development Important Consultations for SEM CACM Network Code Legally Binding Requirements for SEM Governance Guideline

99 views • 7 slides
Collaboration to secure new sources of water 12 th February 2015 Alan Turner Economic and

Collaboration to secure new sources of water 12 th February 2015 Alan Turner Economic and

Collaboration to secure new sources of water 12 th February 2015 Alan Turner Economic and Spatial Development Officer Kent County Council alan.turner@kent.gov.uk Contents Introduction Range of supply options Advantages and

415 views • 24 slides
LOCAL FLA OCAL FLAVOR LITIGA OR LITIGATION: TION: WHATS THE SCOOP? THE THE PUBLIC PUBLIC

LOCAL FLA OCAL FLAVOR LITIGA OR LITIGATION: TION: WHATS THE SCOOP? THE THE PUBLIC PUBLIC

LOCAL FLA OCAL FLAVOR LITIGA OR LITIGATION: TION: WHATS THE SCOOP? THE THE PUBLIC PUBLIC HEAL HEALTH TH LA LAW W CENTER CENTER 11/12/2020 2 COMMER COMMERCIA CIAL L TOB OBACCO C CCO CONTR ONTROL TEAM OL TEAM 11/12/2020 3

659 views • 39 slides

More recommend