Differential Analysis of Round-Reduced AES Faulty Ciphertexts - - PowerPoint PPT Presentation

DFT 2013. Differential Analysis of Round-Reduced AES Faulty Ciphertexts. Amir-Pasha Mirbaha, Jean-Max Dutertre, Assia Tria. Outline: Introduction; State-of-the-art of the Round Reduction Analysis; Theory of our attacks and the realizations


SLIDE 1

DFT 2013

Differential Analysis of Round-Reduced AES Faulty Ciphertexts

Amir-Pasha Mirbaha Jean-Max Dutertre Assia Tria

SLIDE 2

Outline

  • Introduction
  • State-of-the-art of the Round Reduction Analysis
  • Theory of our attacks and the realizations
  • Summary and conclusion

SLIDE 3

Introduction

AES-128

  • is a widely-used symmetric encryption algorithm
  • includes 10 rounds (after a short initial round)
  • uses a 128-bit key K and ten derived round keys

SLIDE 4

Problem

  • Many symmetric cryptographic algorithms are based on the iteration of identical transformation sequences (rounds).
  • A significant part of these algorithms’ strength against cryptanalysis is based on their iterated rounds.
  • How realistic and threatening are round reduction attacks?

Context: Laser fault injection on an unprotected 8-bit 16 MHz 0.35 µm microcontroller with an embedded AES

SLIDE 5

Fault Injection Means

[Figure: fault injection means; only the label "Vcc" is recoverable]

SLIDE 6

Round Reduction Analysis

A Round Reduction is an attack that skips one or several iterative rounds by means of a fault injection.

A Round Reduction Analysis is a technique for finding the secret key. The technique compares a round-reduced ciphertext to a corresponding reference value (e.g. the corresponding plaintext or the correct ciphertext).

SLIDE 7

The State-of-the-Art of RRA

Three RRA on AES have been reported since 2005:

They resort to DFA (Differential Fault Analysis) and use the corresponding plaintext or ciphertext as the reference.

  • Are there any other potential RR attacks and analyses?
  • Does protecting the first two and the last two rounds suffice to disable the RRA threats?

SLIDE 8

Attack Scenarios

Rmax is a variable used to select between the 128, 192 and 256 versions

SLIDE 9

A General RRA

  • In theory, two corresponding round-reduced encryptions which differ in only one round may be analyzed in order to reveal the key. The differential analysis requires two texts.
  • In practice, the analysis is feasible when the Rmax is targeted. However, when the fault is injected into the RC, the encryption includes invalid round key values. Thus, two corresponding round-reduced encryptions which differ in two rounds are needed in order to reveal the key.

SLIDE 10

A General RRA

This is because the fault increases the RC to a value higher than Rmax. Thus, the algorithm looks for the invalid key values in memory. For instance:

SLIDE 11

MicroPackS Laser Bench

SLIDE 12

Summary

SLIDE 13

Conclusion

  • RR attacks on an unprotected circuit are more realistic and more threatening than they are usually considered to be.
  • They can be carried out at any round by targeting the round-controlling values.
  • Protecting only the first two and the last two rounds does not suffice to disable the RRA threats.
  • In this study, we reported our improvement to one former technique and we realized 3 new attacks.
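
The following C example is added here and is not from the presentation or the authors' implementation. It models the round-controlling values named on the slides (RC and Rmax) and contrasts an unprotected round loop with one that checks complemented copies of both at every round. Assumptions: `fault_t`, `trace_t`, `round_fn`, `pair_ok` and the fault values are constructed for illustration, the AES datapath is replaced by a trace of round-key indices, and a single fault per encryption is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#define RMAX  10    /* AES-128: ten rounds after the initial one */
#define FAULT (-1)  /* returned instead of a ciphertext when a check trips */

/* Constructed fault model: once `after` rounds have run, RC or Rmax becomes `val`. */
typedef struct { int after; int hit_rmax; uint8_t val; } fault_t;
/* Stand-in for the AES datapath: records which round-key index each round fetched. */
typedef struct { uint8_t idx[16]; int n; } trace_t;

static void round_fn(trace_t *t, uint8_t key_idx) { if (t->n < 16) t->idx[t->n++] = key_idx; }
static int pair_ok(uint8_t v, uint8_t inv) { return (uint8_t)(v ^ inv) == 0xFF; }

/* Unprotected loop: trusts RC and Rmax exactly as read back from RAM. */
int encrypt_naive(fault_t f, trace_t *t) {
    volatile uint8_t rc = 1, rmax = RMAX;
    for (t->n = 0;;) {
        if (t->n == f.after) { if (f.hit_rmax) rmax = f.val; else rc = f.val; }
        if (rc >= rmax) break;
        round_fn(t, rc); rc++;
    }
    round_fn(t, rc);  /* final round uses key index RC, valid or not */
    return t->n;      /* rounds actually executed */
}

/* Hardened loop: RC and Rmax each carry a complement copy, checked every round. */
int encrypt_hardened(fault_t f, trace_t *t) {
    volatile uint8_t rc = 1, rc_inv = (uint8_t)~1u, rmax = RMAX, rmax_inv = (uint8_t)~RMAX;
    uint8_t done = 0; /* independent count of rounds performed */
    for (t->n = 0;;) {
        if (t->n == f.after) { if (f.hit_rmax) rmax = f.val; else rc = f.val; }
        if (!pair_ok(rc, rc_inv) || !pair_ok(rmax, rmax_inv) || rc > rmax) return FAULT;
        if (rc >= rmax) break;
        round_fn(t, rc); rc++; rc_inv--; done++;
    }
    round_fn(t, rc); done++;
    return (done == rmax && rc == rmax) ? t->n : FAULT;  /* release only a full-length run */
}

int main(void) {
    trace_t t;
    fault_t cases[] = { { -1, 0, 0 }, { 3, 1, 4 }, { 3, 0, 0x8A } };  /* none, Rmax, RC */
    for (int i = 0; i < 3; i++) {
        int n = encrypt_naive(cases[i], &t);
        printf("naive: %d rounds, last key index %u; ", n, (unsigned)t.idx[n - 1]);
        printf("hardened: %d\n", encrypt_hardened(cases[i], &t));
    }
    return 0;
}
```

Because the checks run inside the loop, a fault at any round is caught, which is the point the conclusion makes about protecting only the first and last rounds.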

SLIDE 14

Thank you for your attention

assia.tria@cea.fr