SLIDE 1

Combined Fault and Side-Channel Attacks on the AES Key Schedule

François DASSANCE, Inside Secure
Alexandre VENELLI, Inside Secure
FDTC 2012, 09/09/2012

SLIDE 2

Outline

  • 1. Combined attack
  • 2. Related work on combined attacks
      1. Asymmetric cryptosystems
      2. Symmetric cryptosystems
      3. Roche et al.’s attack on AES
  • 3. Combined attacks on AES key schedule
      1. Recursive structure of the key schedule
      2. RCON
      3. Affine transformation
  • 4. Complexity of our attacks
  • 5. Countermeasures
  • 6. Conclusion

Combined Fault and Side-Channel Attacks on the AES Key Schedule – 09/09/2012 2

SLIDE 3

Combined attack

  • Combines a fault attack with a leakage analysis
  • Main goal: attack implementations resistant against fault and leakage analysis
  • New implementations + new countermeasures often necessary

SLIDE 4

Example of combined attack

SLIDE 5

Example of combined attack

Skip instruction

SLIDE 7

Asymmetric cryptosystems

  • Fault Analysis + Simple Side-Channel Analysis
  • Attack on atomic left-to-right exponentiation

─ Amiel, Villegas, Feix, Marcel - 2007

  • Resistant algorithms for RSA and ECC

─ Schmidt, Tunstall, Avanzi, Kizhvatov, Kasper, Oswald - 2010

  • Attack on scalar multiplication

─ Fan, Gierlichs, Vercauteren - 2011

SLIDE 8

Symmetric cryptosystems

  • Fault Analysis + Differential Side-Channel Analysis
  • Differential Behavioral Analysis: attack on non-masked AES

─ Robisson, Manet - 2007

  • Attack on masked AES but not FA-protected. Reduces the DPA countermeasure by one order.

─ Clavier, Feix, Gagnerot, Rousselet - 2010

  • Attack on AES FA-protected and with masking of any order

─ Roche, Lomné, Khalfallah - 2011

SLIDE 9

Roche et al. combined attack

  • Principle:

1. Repeatable fault on the 16 bytes of key state of round 9
2. Record the power consumption curve
3. Find a first-order correlation on the computation of the faulted ciphertext

  • Main relation:

$\tilde{C}_i^j = SB\left(SB^{-1}(C_i^j \oplus k_{10}^j) \oplus e_9^j\right) \oplus k_{10}^j \oplus e_{10}^j$

  • Complexity to retrieve the whole key:

─ $N$ faults and $2^{28}A$
─ $A$ = any DSCA statistical function on $N$ curves

SLIDE 10

Efficiency

| | Combined attack | High-order DSCA |
|---|---|---|
| Number of curves | Few and fixed | A lot and increasing with the order of masking |
| Complexity of key retrieval algorithm | $2^{28}A$ | $2^{12}A$ |

SLIDE 11

Remarks on Roche et al.

  • Requires fault on the 16 bytes of the key

─ Not practical in all AES implementations
─ Not trivial with all fault injection techniques

  • If a stuck-at fault model is considered, a masked bit induces a repeatability divided by 2
  • High complexity of the key retrieval algorithm

SLIDE 13

Combined attacks on AES key schedule

  • Attacks based on two properties of the key schedule:

─ Recursive structure
─ Use of constant values

  • Our propositions improve:

─ The number of faults
─ The complexity of the key retrieval algorithm

SLIDE 14

Recursive structure (1)

  • Round key K9:

$K_9^0 = K_8^0 \oplus RCON_9 \oplus SB(K_8^{13})$

$K_9^1 = K_8^1 \oplus SB(K_8^{14})$

$K_9^2 = K_8^2 \oplus SB(K_8^{15})$

$K_9^3 = K_8^3 \oplus SB(K_8^{12})$

$K_9^j = K_8^j \oplus K_9^{j-4}$ for $4 \le j \le 15$

  • Relations between faults on $K_9$
  • Ex: fault $e_9^0$ in $K_9^0$ ⇒ same fault on bytes 4, 8 and 12
  • Relations between faults on $K_{10}$
  • Ex: fault $e_9^0$ in $K_9^0$ ⇒ $e_9^0 = e_{10}^0 = e_{10}^8$ and $e_{10}^4 = e_{10}^{12} = 0$

SLIDE 15

Recursive structure (2)

  • Needs $4N$ faults
  • Improvements on the key retrieval algorithm
  • To retrieve $K_{10}$

─ Loop only on $k_{10}^0$ and $e_9^0$ as $e_{10}^0 = e_9^0$
─ Complexity for this byte: $2^{16}A$

  • Once $e_9^0$ is found ⇒ $e_9^4$, $e_9^8$ and $e_9^{12}$ are deduced

─ Simple loop on $k_{10}^j$ for $j = 4, 8, 12$
─ Complexity for each of these 3 bytes: $2^8 A$

  • Same method for $K_9^1$, $K_9^2$ and $K_9^3$
  • Complexity for the whole key:

$4 \times (2^{16} + 3 \times 2^8)A = (2^{20} + 3 \times 2^{10})A$

SLIDE 16

RCON (1)

  • First column of $K_9$

$K_9^0 = K_8^0 \oplus RCON_9 \oplus SB(K_8^{13})$

$K_9^4 = K_8^4 \oplus K_9^0$

$K_9^8 = K_8^8 \oplus K_9^4$

$K_9^{12} = K_8^{12} \oplus K_9^8$

  • One fault on $RCON_9$ affects 4 bytes of $K_9$ in the same way
  • The fault can have a permanent effect
  • Complexity similar to previous attack for 4 bytes:

$(2^{16} + 3 \times 2^8)A$

SLIDE 17

RCON (2)

SLIDE 18

Attacking known constant values

  • If the fault setup is characterized…
  • $RCON_9$ = 0x1B
  • Ex: if single bit stuck-at 0 or 1 model, only 4 possible values for $RCON_9$ (0x1A, 0x19, 0x13, 0x0B if stuck-at 0)
  • Lower complexity for key retrieval algorithm (4 bytes): $2^{10}A$
  • Whether stuck-at or bit-flip model, a fault on a constant will be XOR-ed ⇒ No impact on the repeatability

SLIDE 19

Affine transformation (1)

  • Most DSCA countermeasures compute the SubBytes as

$SB(X) = \Omega \cdot \mathrm{Inv}_{\mathbb{F}_{2^8}}(X) \oplus \Delta$

where Ω is the matrix of the affine transformation and Δ is the vector.

  • Different attack scenarios are possible depending on the implementation

SLIDE 20

Affine transformation (2)

  • 1. Transient fault on Δ:

─ Same case as before
─ Complexity: $4N$ faults and $(2^{18} + 3 \times 2^{10})A$

  • 2. Permanent fault. Different $\Delta_{SW}$ and $\Delta_{SB}$ for the SubWord and SubBytes

A fault $e_{SW}$ on $\Delta_{SW}$ affects round 9 and 10

Faulted round 9 key is $\tilde{K}_9^j = K_9^j \oplus e_{SW}$ for $0 \le j \le 15$

Relations between errors on $K_{10}$:

$e_{10}^{j+4} = e_{10}^{j+12} = e_{10}^j \oplus e_{SW}$

$e_{10}^{j+8} = e_{10}^j$ for $j = 0, 1, 2, 3$

Complexity: $N$ faults and $(2^{24} + 3 \times 2^{16} + 3 \times 2^{10})A$

SLIDE 21

Affine transformation (3)

  • 3. Permanent fault. Same Δ for SubWord and SubBytes

Same complexity as previous scenario

Data path modified ⇒ relation of key retrieval becomes

$SB\left(SB^{-1}(C_i^j \oplus k_{10}^j) \oplus e_9^j\right) \oplus e_9^j \oplus k_{10}^j \oplus e_{10}^j$

  • If the fault setup is characterized, we can lower the complexity

1. Transient fault: $4N$ faults and $2^{12}A$ (same complexity as classical DSCA)
2. Permanent fault: $N$ faults and $(2^{20} + 3 \times 2^{10})A$

SLIDE 23

Complexity of our attacks

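| Attack | # faults | # $A$ |
|---|---|---|
| Key state $K_9$ (Roche et al.): transient on 16 bytes | $N$ | $2^{28}$ |
| Key state $K_9$ (Roche et al.): transient on 1 byte | $16N$ | $2^{20}$ |
| Key schedule: transient 1 byte | $4N$ | $2^{18} + 3 \times 2^{10}$ |
| RCON: transient known on 1 byte | $N$ | $2^{10}$ |
| RCON: transient random on 1 byte | $N$ | $2^{16} + 3 \times 2^8$ |
| RCON: permanent known on 1 byte | 1 | $2^{10}$ |
| RCON: permanent random on 1 byte | 1 | $2^{16} + 3 \times 2^8$ |
| Affine transformation: transient known on 1 byte | $4N$ | $2^{12}$ |
| Affine transformation: transient random on 1 byte | $4N$ | $2^{18} + 3 \times 2^{10}$ |
| Affine transformation: permanent known on 1 byte | $N$ | $2^{20} + 3 \times 2^{10}$ |
| Affine transformation: permanent random on 1 byte | $N$ | $2^{24} + 3 \times 2^{16} + 3 \times 2^{10}$ |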

SLIDE 25

Countermeasures

  • Masked coherence check:

1. Store $C \oplus M_1$ and $C \oplus M_2$, two ciphertexts of the same message masked with $M_1$ and $M_2$
2. Check $(C \oplus M_1) \oplus M_2 \overset{?}{=} (C \oplus M_2) \oplus M_1$
3. If no fault, demask and output the ciphertext $C$

  • Does not detect a permanent fault on $RCON_9$. Needs a known answer test or integrity check on $RCON_9$
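The error relations from the "Recursive structure" and "RCON" slides and the limitation stated above, as an added example that is not part of the original slides: a Python simulation of the AES-128 key schedule in the slides' byte notation. The function names, the fault hook and the comparison of two key-schedule runs (standing in for the masked ciphertext comparison) are assumptions of this sketch; the test key and its last round key are the FIPS-197 Appendix A.1 vector.

```python
# AES-128 key schedule in the slides' byte notation, with fault hooks (added example).
def _gmul(a, b):  # multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _sb(x):  # SubBytes from its definition: affine map of the field inverse
    inv = next((y for y in range(1, 256) if _gmul(x, y) == 1), 0)
    s = inv ^ 0x63
    for _ in range(4):
        inv = ((inv << 1) | (inv >> 7)) & 0xFF
        s ^= inv
    return s

SBOX = [_sb(x) for x in range(256)]
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
KAT_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 Appendix A.1
KAT_K10 = bytes.fromhex("d014f9a8c9ee2589e13f0cc8b6630ca6")  # its last round key

def expand(key, rcon=RCON, fault=None):
    """Return round keys K0..K10. fault=(r, j, e) XORs e into K_r^j when it is
    computed (transient fault); a modified rcon table models a permanent fault."""
    rks = [list(key)]
    for r in range(1, 11):
        p, k = rks[-1], [0] * 16
        for j in range(16):
            if j < 4:   # K_r^j = K_{r-1}^j xor SB(K_{r-1}^{12+(j+1)%4}) [xor RCON_r]
                k[j] = p[j] ^ SBOX[p[12 + (j + 1) % 4]] ^ (rcon[r - 1] if j == 0 else 0)
            else:       # K_r^j = K_{r-1}^j xor K_r^{j-4}
                k[j] = p[j] ^ k[j - 4]
            if fault and fault[:2] == (r, j):
                k[j] ^= fault[2]
        rks.append(k)
    return rks

def errors(key, rnd, rcon=RCON, fault=None):
    """e_rnd^j for j = 0..15: faulted round key XOR correct round key."""
    return [a ^ b for a, b in zip(expand(key, rcon, fault)[rnd], expand(key)[rnd])]

def coherence_check(key, rcon, transient=None):
    """Redundant schedule: run 1 may take a transient fault, run 2 does not.
    Both runs read the same RCON table, so a permanent fault there is shared."""
    return expand(key, rcon, transient) == expand(key, rcon)

def known_answer_test(rcon):  # power-up self-test against the FIPS-197 vector
    return bytes(expand(KAT_KEY, rcon)[10]) == KAT_K10
```

With a permanently modified table entry the two redundant runs agree and only the known-answer test fails, which is the gap the slide points out.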

SLIDE 27

Conclusion

  • Combined attacks are a real threat to most current crypto implementations
  • We propose different attack paths on AES that lower the complexity of previous combined attacks
  • Repeatability of our attacks on AES constants does not depend on a stuck-at or bit-flip fault
  • Needs additional countermeasure to protect against an attack on $RCON_9$

SLIDE 28

Thank you for your attention !

Contact : avenelli@insidefr.com