Combined Fault and Side-Channel Attacks on the AES Key Schedule


  1. Combined Fault and Side-Channel Attacks on the AES Key Schedule
     François DASSANCE, Inside Secure
     Alexandre VENELLI, Inside Secure
     FDTC 2012, 09/09/2012

  2. Outline
     1. Combined attack
     2. Related work on combined attacks
        1. Asymmetric cryptosystems
        2. Symmetric cryptosystems
        3. Roche et al.’s attack on AES
     3. Combined attacks on AES key schedule
        1. Recursive structure of the key schedule
        2. RCON
        3. Affine transformation
     4. Complexity of our attacks
     5. Countermeasures
     6. Conclusion

  3. Combined attack
     • Combines a fault attack with a leakage analysis
     • Main goal: attack implementations resistant against fault and leakage analysis
     • New implementations + new countermeasures often necessary

  4. Example of combined attack

  5. Example of combined attack
     • Skip instruction

  7. Asymmetric cryptosystems
     • Fault Analysis + Simple Side-Channel Analysis
     • Attack on atomic left-to-right exponentiation
       ─ Amiel, Villegas, Feix, Marcel - 2007
     • Resistant algorithms for RSA and ECC
       ─ Schmidt, Tunstall, Avanzi, Kizhvatov, Kasper, Oswald - 2010
     • Attack on scalar multiplication
       ─ Fan, Gierlichs, Vercauteren - 2011

  8. Symmetric cryptosystems
     • Fault Analysis + Differential Side-Channel Analysis
     • Differential Behavioral Analysis: attack on non-masked AES
       ─ Robisson, Manet - 2007
     • Attack on AES that is masked but not FA-protected. Reduces the order of the DPA countermeasure by one.
       ─ Clavier, Feix, Gagnerot, Rousselet - 2010
     • Attack on AES FA-protected and with masking of any order
       ─ Roche, Lomné, Khalfallah - 2011

  9. Roche et al. combined attack
     • Principle:
       1. Repeatable fault on the 16 bytes of key state of round 9
       2. Record the power consumption curve
       3. Find a first-order correlation on the computation of the faulted ciphertext
     • Main relation:
       $\tilde{C}_i^j = SB\big(SB^{-1}(C_i^j \oplus k_{10}^j) \oplus e_9^j\big) \oplus k_{10}^j \oplus e_{10}^j$
     • Complexity to retrieve the whole key:
       ─ $N$ faults and $2^{28} A$
       ─ $A$ = any DSCA statistical function on $N$ curves

  10. Efficiency
     • Number of curves
       ─ Combined attack: Few and fixed
       ─ High-order DSCA: A lot and increasing with the order of masking
     • Complexity of key retrieval algorithm
       ─ Combined attack: $2^{28} A$
       ─ High-order DSCA: $2^{12} A$

  11. Remarks on Roche et al.
     • Requires fault on the 16 bytes of the key
       ─ Not practical in all AES implementations
       ─ Not trivial with all fault injection techniques
     • If a stuck-at fault model is considered, a masked bit induces a repeatability divided by 2
     • High complexity of the key retrieval algorithm

  13. Combined attacks on AES key schedule
     • Attacks based on two properties of the key schedule:
       ─ Recursive structure
       ─ Use of constant values
     • Our propositions improve:
       ─ The number of faults
       ─ The complexity of the key retrieval algorithm

  14. Recursive structure (1)
     • Round key $K_9$:
       $K_9^0 = K_8^0 \oplus RCON_9 \oplus SB(K_8^{13})$
       $K_9^1 = K_8^1 \oplus SB(K_8^{14})$
       $K_9^2 = K_8^2 \oplus SB(K_8^{15})$
       $K_9^3 = K_8^3 \oplus SB(K_8^{12})$
       $K_9^j = K_8^j \oplus K_9^{j-4}$ for $4 \le j \le 15$
     • Relations between faults on $K_9$
       ─ Ex: fault $e_9^0$ in $K_9^0$ ⇒ same fault on bytes 4, 8 and 12
     • Relations between faults on $K_{10}$
       ─ Ex: fault $e_9^0$ in $K_9^0$ ⇒ $e_9^0 = e_{10}^0 = e_{10}^8$ and $e_{10}^4 = e_{10}^{12} = 0$

  15. Recursive structure (2)
     • Needs $4N$ faults
     • Improvements on the key retrieval algorithm
     • To retrieve $K_{10}^0$
       ─ Loop only on $k_{10}^0$ and $e_9^0$ as $e_{10}^0 = e_9^0$
       ─ Complexity for this byte: $2^{16} A$
     • Once $e_9^0$ is found ⇒ $e_9^4$, $e_9^8$ and $e_9^{12}$ are deduced
       ─ Simple loop on $k_{10}^j$ for $j = 4, 8, 12$
       ─ Complexity for each of these 3 bytes: $2^{8} A$
     • Same method for $K_9^1$, $K_9^2$ and $K_9^3$
     • Complexity for the whole key: $4 \times 2^{16} + 3 \times 2^{8}\,A = 2^{20} + 3 \times 2^{10}\,A$

  16. RCON (1)
     • First column of $K_9$:
       $K_9^0 = K_8^0 \oplus RCON_9 \oplus SB(K_8^{13})$
       $K_9^4 = K_8^4 \oplus K_9^0$
       $K_9^8 = K_8^8 \oplus K_9^4$
       $K_9^{12} = K_8^{12} \oplus K_9^8$
     • One fault on $RCON_9$ affects 4 bytes of $K_9$ in the same way
     • The fault can have a permanent effect
     • Complexity similar to previous attack for 4 bytes: $(2^{16} + 3 \times 2^{8})\,A$

  17. RCON (2)

  18. Attacking known constant values
     • If the fault setup is characterized …
     • $RCON_9$ = 0x1B
     • Ex: if single bit stuck-at 0 or 1 model, only 4 possible values for $RCON_9$ (0x1A, 0x19, 0x13, 0x0B if stuck-at 0)
     • Lower complexity for key retrieval algorithm (4 bytes): $2^{10} A$
     • Whether stuck-at or bit-flip model, a fault on a constant will be XOR-ed ⇒ No impact on the repeatability

  19. Affine transformation (1)
     • Most DSCA countermeasures compute the SubBytes as
       $SB(X) = \Omega \cdot \mathrm{Inv}_{F_{2^8}}(X) \oplus \Delta$
       where $\Omega$ is the matrix of the affine transformation and $\Delta$ is the vector.
     • Different attack scenarios are possible depending on the implementation

  20. Affine transformation (2)
     1. Transient fault on $\Delta$:
        ─ Same case as before
        ─ Complexity: $4N$ faults and $2^{18} + 3 \times 2^{10}\,A$
     2. Permanent fault. Different $\Delta_{SW}$ and $\Delta_{SB}$ for the SubWord and SubBytes
        ─ A fault $e_{SW}$ on $\Delta_{SW}$ affects round 9 and 10
        ─ Faulted round 9 key is $\tilde{K}_9^j = K_9^j \oplus e_{SW}$ for $0 \le j \le 15$
        ─ Relations between errors on $K_{10}$:
          $e_{10}^{j+4} = e_{10}^{j+12} = e_{10}^{j} \oplus e_{SW}$
          $e_{10}^{j+8} = e_{10}^{j}$ for $j = 0, 1, 2, 3$
        ─ Complexity: $N$ faults and $2^{24} + 3 \times 2^{16} + 3 \times 2^{10}\,A$

  21. Affine transformation (3)
     3. Permanent fault. Same $\Delta$ for SubWord and SubBytes
        ─ Same complexity as previous scenario
        ─ Data path modified ⇒ relation of key retrieval becomes
          $SB\big(SB^{-1}(C_i^j \oplus k_{10}^j) \oplus e_9^j\big) \oplus e_9^j \oplus k_{10}^j \oplus e_{10}^j$
     • If the fault setup is characterized, we can lower the complexity
       1. Transient fault: $4N$ faults and $2^{12} A$ (same complexity as classical DSCA)
       2. Permanent fault: $N$ faults and $2^{20} + 3 \times 2^{10}\,A$
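
Added example (not part of the original slides): a Python model of AES-128 key expansion that checks the RCON_9 fault relations from slides 14, 16 and 18, with the S-box built from the affine form on slide 19. The function names and the sample key are assumptions of this sketch; it also shows the non-linear error that reaches bytes 3, 7, 11 and 15 of K_10 through SB(K_9^12), which is what an integrity check on key-schedule constants has to catch.

```python
# Added example, not from the slides: software model of on-the-fly AES-128
# key expansion with an XOR fault on RCON_9. KEY is constructed sample data.

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def sbox(x):
    """SB(X) = Omega . Inv(X) xor Delta, with the standard Delta = 0x63."""
    inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0)
    rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63

SB = [sbox(x) for x in range(256)]
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def expand_key(key, rcon9_fault=0):
    """Return round keys K_0..K_10; rcon9_fault is XOR-ed into RCON_9."""
    keys = [list(key)]
    for r in range(1, 11):
        prev = keys[-1]
        # Bytes 0..3: K_r^j = K_{r-1}^j xor SB(K_{r-1}^{12 + (j+1) mod 4})
        k = [prev[j] ^ SB[prev[12 + (j + 1) % 4]] for j in range(4)]
        k[0] ^= RCON[r - 1] ^ (rcon9_fault if r == 9 else 0)
        for j in range(4, 16):          # K_r^j = K_{r-1}^j xor K_r^{j-4}
            k.append(prev[j] ^ k[j - 4])
        keys.append(k)
    return keys

def stuck_at_0_values(const):
    """Values a constant takes when one of its set bits is stuck at 0."""
    return [const & ~(1 << b) for b in range(8) if (const >> b) & 1]

def round_key_errors(key, e):
    """Byte-wise errors (e_9, e_10) on K_9 and K_10 for fault e on RCON_9."""
    good, bad = expand_key(key), expand_key(key, e)
    return tuple([a ^ b for a, b in zip(good[r], bad[r])] for r in (9, 10))

KEY = bytes(range(16))                  # constructed sample key
if __name__ == "__main__":
    for v in stuck_at_0_values(RCON[8]):
        e9, e10 = round_key_errors(KEY, RCON[8] ^ v)
        print(hex(v), bytes(e9).hex(), bytes(e10).hex())
```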
