differential fault analysis against aes 192 and aes 256
play

Differential Fault Analysis against AES-192 and AES-256 with Minimal - PowerPoint PPT Presentation

Sep 17, 2022 •37 likes •797 views

Outline Differential Fault Analysis against AES-192 and AES-256 with Minimal Faults Chong Hee KIM Information Security Group Universit e Catholique de Louvain, Belgium August 21, 2010 Chong Hee KIM, Universit e Catholique de Louvain

  1. Outline Differential Fault Analysis against AES-192 and AES-256 with Minimal Faults Chong Hee KIM Information Security Group Universit´ e Catholique de Louvain, Belgium August 21, 2010 Chong Hee KIM, Universit´ e Catholique de Louvain DFA against AES-192 and AES-256 with Minimal Faults

  2. Outline Outline 1 Introduction Differential fault analysis against AES AES AES key scheduling 2 Fault model and basic concept of DFA against AES Fault model Basic concept of DFA against AES-128 3 Proposed attacks DFA against AES-192 DFA against AES-256 4 Comparison and conclusions Chong Hee KIM, Universit´ e Catholique de Louvain DFA against AES-192 and AES-256 with Minimal Faults

  3. Introduction Differential fault analysis against AES Fault model and basic concept of DFA against AES AES Proposed attacks AES key scheduling Comparison and conclusions Outline 1 Introduction Differential fault analysis against AES AES AES key scheduling 2 Fault model and basic concept of DFA against AES Fault model Basic concept of DFA against AES-128 3 Proposed attacks DFA against AES-192 DFA against AES-256 4 Comparison and conclusions Chong Hee KIM, Universit´ e Catholique de Louvain DFA against AES-192 and AES-256 with Minimal Faults

  4. Introduction Differential fault analysis against AES Fault model and basic concept of DFA against AES AES Proposed attacks AES key scheduling Comparison and conclusions Differential fault analysis DFA (Differential fault analysis) DFA uses differential information between correct and faulty ciphertexts to figure out the secret key Normally attacker gets faulty ciphertexts by giving external impact with voltage variation, glitch, laser, etc The first DFA: against DES by Biham and Shamir, 1997 DFA against AES-128 Piret and Quisquater (2003) 2 pairs, practical fault model (random byte error) Fukunaga and Takahashi: 1 pair with 2 32 exhaustive search (8-35 minutes at Core2 Duo 3.0GHz PC) Tunstall and Mukhopadhyay: 1 pair with 2 8 exhaustive search Chong Hee KIM, Universit´ e Catholique de Louvain DFA against AES-192 and AES-256 with Minimal Faults

  5. Introduction Differential fault analysis against AES Fault model and basic concept of DFA against AES AES Proposed attacks AES key scheduling Comparison and conclusions Differential fault analysis DFA (Differential fault analysis) DFA uses differential information between correct and faulty ciphertexts to figure out the secret key Normally attacker gets faulty ciphertexts by giving external impact with voltage variation, glitch, laser, etc The first DFA: against DES by Biham and Shamir, 1997 DFA against AES-128 Piret and Quisquater (2003) 2 pairs, practical fault model (random byte error) Fukunaga and Takahashi: 1 pair with 2 32 exhaustive search (8-35 minutes at Core2 Duo 3.0GHz PC) Tunstall and Mukhopadhyay: 1 pair with 2 8 exhaustive search Chong Hee KIM, Universit´ e Catholique de Louvain DFA against AES-192 and AES-256 with Minimal Faults

  6. Introduction Differential fault analysis against AES Fault model and basic concept of DFA against AES AES Proposed attacks AES key scheduling Comparison and conclusions Differential fault analysis DFA against AES-192 and AES-256 Application of Piret and Quisquter’s: 4 pairs 2009, Li et al.: 16 or 3000 pairs 2010, Barenghi et al.: 16 pairs 2010, Takahashi and Fukunaga: 3 pairs for AES-192, 4 pairs for AES-256 (2 faulty plaintexts) Proposed methods: 2 pairs for AES-192, 3 pairs for AES-256 Chong Hee KIM, Universit´ e Catholique de Louvain DFA against AES-192 and AES-256 with Minimal Faults

  7. Introduction Differential fault analysis against AES Fault model and basic concept of DFA against AES AES Proposed attacks AES key scheduling Comparison and conclusions AES Plaintext K 0 Sub bytes Intermediate result, called State , is represented as Shift rows a two-dimensional byte array with 4 rows and 4 1 MixCol columns K 1 S (0,0) S (0,1) S (0,2) S (0,3) Sub bytes Shift rows S (1,0) S (1,1) S (1,2) S (1,3) r-1 MixCol S (2,0) S (2,1) S (2,2) S (2,3) K r-1 S (3,0) S (3,1) S (3,2) S (3,3) Sub bytes Shift rows r K r Ciphertext Chong Hee KIM, Universit´ e Catholique de Louvain DFA against AES-192 and AES-256 with Minimal Faults

  8. Introduction Differential fault analysis against AES Fault model and basic concept of DFA against AES AES Proposed attacks AES key scheduling Comparison and conclusions AES Plaintext Each round is composed of 4 transformations K 0 except the last round: Sub bytes SubBytes: 16 identical 8 × 8 S-boxes, non-linear Shift rows byte substitution 1 MixCol ShiftRows: Each row is cyclically shifed over K 1 different offsets MixColumns: A linear transformation to each Sub bytes column Shift rows AddRoundKey: A bitwise XOR with a round key r-1 MixCol Number of rounds K r-1 Key length Number of rounds r Sub bytes AES-128 128 10 Shift rows r AES-192 192 12 K r AES-256 256 14 Ciphertext Chong Hee KIM, Universit´ e Catholique de Louvain DFA against AES-192 and AES-256 with Minimal Faults

  9. Introduction Differential fault analysis against AES Fault model and basic concept of DFA against AES AES Proposed attacks AES key scheduling Comparison and conclusions AES Plaintext Each round is composed of 4 transformations K 0 except the last round: Sub bytes SubBytes: 16 identical 8 × 8 S-boxes, non-linear Shift rows byte substitution 1 MixCol ShiftRows: Each row is cyclically shifed over K 1 different offsets MixColumns: A linear transformation to each Sub bytes column Shift rows AddRoundKey: A bitwise XOR with a round key r-1 MixCol Number of rounds K r-1 Key length Number of rounds r Sub bytes AES-128 128 10 Shift rows r AES-192 192 12 K r AES-256 256 14 Ciphertext Chong Hee KIM, Universit´ e Catholique de Louvain DFA against AES-192 and AES-256 with Minimal Faults

  10. Introduction Differential fault analysis against AES Fault model and basic concept of DFA against AES AES Proposed attacks AES key scheduling Comparison and conclusions AES Plaintext Each round is composed of 4 transformations K 0 except the last round: Sub bytes SubBytes: 16 identical 8 × 8 S-boxes, non-linear Shift rows byte substitution 1 MixCol ShiftRows: Each row is cyclically shifed over K 1 different offsets MixColumns: A linear transformation to each Sub bytes column Shift rows AddRoundKey: A bitwise XOR with a round key r-1 MixCol Number of rounds K r-1 Key length Number of rounds r Sub bytes AES-128 128 10 Shift rows r AES-192 192 12 K r AES-256 256 14 Ciphertext Chong Hee KIM, Universit´ e Catholique de Louvain DFA against AES-192 and AES-256 with Minimal Faults

  11. Introduction Differential fault analysis against AES Fault model and basic concept of DFA against AES AES Proposed attacks AES key scheduling Comparison and conclusions AES Plaintext Each round is composed of 4 transformations K 0 except the last round: Sub bytes SubBytes: 16 identical 8 × 8 S-boxes, non-linear Shift rows byte substitution 1 MixCol ShiftRows: Each row is cyclically shifed over K 1 different offsets MixColumns: A linear transformation to each Sub bytes column Shift rows AddRoundKey: A bitwise XOR with a round key r-1 MixCol Number of rounds K r-1 Key length Number of rounds r Sub bytes AES-128 128 10 Shift rows r AES-192 192 12 K r AES-256 256 14 Ciphertext Chong Hee KIM, Universit´ e Catholique de Louvain DFA against AES-192 and AES-256 with Minimal Faults

  12. Introduction Differential fault analysis against AES Fault model and basic concept of DFA against AES AES Proposed attacks AES key scheduling Comparison and conclusions AES key scheduling RotWord RotWord SubWord SubWord K 9 K 11 Rcon Rcon 3 7 11 15 3 7 11 15 11 15 4 8 12 16 4 8 12 16 12 16 RotWord RotWord SubWord SubWord K 12 K 10 Rcon Rcon AES - 128 AES - 192 Chong Hee KIM, Universit´ e Catholique de Louvain DFA against AES-192 and AES-256 with Minimal Faults

  13. Introduction Differential fault analysis against AES Fault model and basic concept of DFA against AES AES Proposed attacks AES key scheduling Comparison and conclusions AES key scheduling RotWord SubWord Rcon 3 7 11 15 11 15 11 15 4 8 12 16 12 16 12 16 RotWord SubWord K 14 Rcon K 13 AES - 256 Chong Hee KIM, Universit´ e Catholique de Louvain DFA against AES-192 and AES-256 with Minimal Faults

  14. Introduction Fault model and basic concept of DFA against AES Fault model Proposed attacks Basic concept of DFA against AES-128 Comparison and conclusions Outline 1 Introduction Differential fault analysis against AES AES AES key scheduling 2 Fault model and basic concept of DFA against AES Fault model Basic concept of DFA against AES-128 3 Proposed attacks DFA against AES-192 DFA against AES-256 4 Comparison and conclusions Chong Hee KIM, Universit´ e Catholique de Louvain DFA against AES-192 and AES-256 with Minimal Faults

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010

Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010

Differential Fault Analysis of HC-128 Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010 May 03-06, 2010, Stellenbosch, South Africa Differential Fault Analysis of HC-128 Outline Fault analysis

374 views • 24 slides
Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier, Xiaolu Hou and Yang Liu 10 September 2018 1 / 25 Table of Contents Background and Motivation 1 Overview of DATAC DFA Automation Tool for

727 views • 25 slides
Explaining Differential Fault Analysis on DES Christophe Clavier Michael Tunstall 5/18/2006

Explaining Differential Fault Analysis on DES Christophe Clavier Michael Tunstall 5/18/2006

Explaining Differential Fault Analysis on DES Christophe Clavier Michael Tunstall 5/18/2006 References Bull & Innovatron Patents 2 Fault I njection Equipment: Laser 3 Bull & Innovatron Patents Fault I njection Equipment: CLI O

423 views • 39 slides
Fully Automated Differential Fault Analysis on Software Implementations of Block Ciphers Xiaolu

Fully Automated Differential Fault Analysis on Software Implementations of Block Ciphers Xiaolu

Fully Automated Differential Fault Analysis on Software Implementations of Block Ciphers Xiaolu Hou 1 , Jakub Breier 2 , Fuyuan Zhang 3 , and Yang Liu 2 1 National University of Singapore, Singapore 2 HP-NTU Digital Manufacturing Corporate Lab,

513 views • 26 slides
Differential Fault Analysis of Trivium Michal Hojsk 1 , 3 and Bohuslav Rudolf 2 , 3 1The Selmer

Differential Fault Analysis of Trivium Michal Hojsk 1 , 3 and Bohuslav Rudolf 2 , 3 1The Selmer

Differential Fault Analysis of Trivium Michal Hojsk 1 , 3 and Bohuslav Rudolf 2 , 3 1The Selmer Center, University of Bergen, Norway 2National Security Authority, Czech Republic 3Department of Algebra, Charles University in Prague, Czech

390 views • 19 slides
Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 48 Introduction We present a survey of low complexity differential cryptanalysis

716 views • 48 slides
Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 34 Introduction We present a survey of low complexity differential cryptanalysis

844 views • 34 slides
JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK 2018, Kolkata, India 15 Nov 2018 Table of Contents 1. Introduction to Fault Attacks 2. Persistent Fault Analysis (PFA) 3. PFA on Fault

588 views • 19 slides
Can Fault Tree Analysis Technique Resolve Fault Isolation Ambiguity? Alpana Gangopadhyaya

Can Fault Tree Analysis Technique Resolve Fault Isolation Ambiguity? Alpana Gangopadhyaya

Reliability Maintenance and Managing Risk Conference 2019 Can Fault Tree Analysis Technique Resolve Fault Isolation Ambiguity? Alpana Gangopadhyaya Supportability Systems Engineer Northrop Grumman Alpana.Gangopadhyaya@ngc.com Phone Number

466 views • 18 slides
RTNS: Scheduling Analysis under Fault Bursts Florian Many, Frdric Boniol, David Doose 5

RTNS: Scheduling Analysis under Fault Bursts Florian Many, Frdric Boniol, David Doose 5

Introduction Fault Model Strategies Scheduling Analysis Performance Conclusions RTNS: Scheduling Analysis under Fault Bursts Florian Many, Frdric Boniol, David Doose 5 November 2010 RTNS: Scheduling Analysis under Fault Bursts 1 / 25

259 views • 21 slides
San Andreas The Influence of Temperature, Sliding Velocity, and Rock Fault Analysis Composition

San Andreas The Influence of Temperature, Sliding Velocity, and Rock Fault Analysis Composition

San Andreas The Influence of Temperature, Sliding Velocity, and Rock Fault Analysis Composition at Depth On Fault Mechanics Background San Andreas Fault Observatory at Depth (SAFOD) Sample recovery of cores containing the two

408 views • 8 slides
Differential propagation analysis of Keccak Joan Daemen and Gilles Van Assche STMicroelectronics

Differential propagation analysis of Keccak Joan Daemen and Gilles Van Assche STMicroelectronics

Differential propagation analysis of Keccak Differential propagation analysis of Keccak Joan Daemen and Gilles Van Assche STMicroelectronics Fast Software Encryption, March 19-21, 2012 1 / 28 Differential propagation analysis of Keccak Outline

409 views • 36 slides
Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault

Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault

Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault tolerant programming are: Fault Detection - Knowing that a fault exists Fault Recovery - having atomic instructions that can be rolled back in

361 views • 18 slides
Securing RSA against Fault Analysis by Double Addition Chain Exponentiation Matthieu Rivain

Securing RSA against Fault Analysis by Double Addition Chain Exponentiation Matthieu Rivain

Securing RSA against Fault Analysis by Double Addition Chain Exponentiation Matthieu Rivain Oberthur Technologies & Univ. of Luxembourg 04/24/09 | Session ID: CRYP-403 Session Classification: Agenda RSA and Fault Analysis A New

421 views • 27 slides
GPU-ENABLED DIFFERENTIAL DEPENDENCY NETWORK ANALYSIS OF LARGE DATASETS Gil Speyer May 9, 2017

GPU-ENABLED DIFFERENTIAL DEPENDENCY NETWORK ANALYSIS OF LARGE DATASETS Gil Speyer May 9, 2017

GPU-ENABLED DIFFERENTIAL DEPENDENCY NETWORK ANALYSIS OF LARGE DATASETS Gil Speyer May 9, 2017 Nvidia GTC S7254 Transcriptomic Data Personome.com Biological Pathways Nature.org Differential expression analysis Class labels C1 C2

414 views • 30 slides
A Differential Fault Attack on the Grain Family of Stream Ciphers Subhadeep Banik , Subhamoy

A Differential Fault Attack on the Grain Family of Stream Ciphers Subhadeep Banik , Subhamoy

A Differential Fault Attack on the Grain Family of Stream Ciphers Subhadeep Banik , Subhamoy Maitra, Santanu Sarkar Indian Statistical Institute Kolkata September 10, 2012 CHES 2012, Leuven Belgium GRAIN family of Stream Ciphers 2 of 32

506 views • 32 slides
DATABASE SYSTEM IMPLEMENTATION GT 4420/6422 // SPRING 2019 // @JOY_ARULRAJ LECTURE #2: IN-MEMORY

DATABASE SYSTEM IMPLEMENTATION GT 4420/6422 // SPRING 2019 // @JOY_ARULRAJ LECTURE #2: IN-MEMORY

DATABASE SYSTEM IMPLEMENTATION GT 4420/6422 // SPRING 2019 // @JOY_ARULRAJ LECTURE #2: IN-MEMORY DATABASES 2 TODAYS AGENDA Background In-Memory DBMS Architectures Early Notable In-Memory DBMSs 3 LAST CLASS History of DBMSs In a way

1.08k views • 69 slides
FedSel: Federated SGD under Local Differential Privacy with Top-k Dimension Selection Ruixuan

FedSel: Federated SGD under Local Differential Privacy with Top-k Dimension Selection Ruixuan

FedSel: Federated SGD under Local Differential Privacy with Top-k Dimension Selection Ruixuan Liu 1 , Yang Cao 2 , Masatoshi Yoshikawa 2 , Hong Chen 1 1 Renmin University of China, 2 Kyoto University DASFAA, 2020 Federated Learning Overview

370 views • 35 slides
Entropy & Information Jill illes V s Vreeken 29 29 May 2015 2015 Qu Question o of f

Entropy & Information Jill illes V s Vreeken 29 29 May 2015 2015 Qu Question o of f

Entropy & Information Jill illes V s Vreeken 29 29 May 2015 2015 Qu Question o of f th the da day What is infor ormation tion? (and what do talking drums have to do with it?) Bit Bits a s and Piec Pieces es What are

592 views • 42 slides
HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference

HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference

HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference Mangard et. al, "Power Analysis Attacks, Revealing the Secrets of Smart Cards", Springer, 2009 Power analysis attacks are effective because the

479 views • 19 slides
Fault Attacks on Embedded Software: Threats, Design, and Mitigation Patrick Schaumont Professor

Fault Attacks on Embedded Software: Threats, Design, and Mitigation Patrick Schaumont Professor

Fault Attacks on Embedded Software: Threats, Design, and Mitigation Patrick Schaumont Professor Bradley Department of ECE Virginia Tech Acknowledgements FAME Project Team https://sites.google.com/view/famechip Supported through National

1.01k views • 72 slides
Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Introduction Threats Setups Attacks Countermeasures Conclusion 1 / 31 Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of Cryptographic Algorithms and Devices for Real-World Applications Sibenik,

849 views • 31 slides
Statistical Fault Attacks Revisited Application to Authenticated Encryption C. Dobraunig, M.

Statistical Fault Attacks Revisited Application to Authenticated Encryption C. Dobraunig, M.

Statistical Fault Attacks Revisited Application to Authenticated Encryption C. Dobraunig, M. Eichlseder, T. Korak, V. Lomn e, F. Mendel ASK 2016 The research leading to these results has received funding from the European Unions Horizon

551 views • 26 slides
Flip a bit, grab a key: Symbolic execution edition Jasper van Woudenberg @jzvw CTO Riscure

Flip a bit, grab a key: Symbolic execution edition Jasper van Woudenberg @jzvw CTO Riscure

Flip a bit, grab a key: Symbolic execution edition Jasper van Woudenberg @jzvw CTO Riscure North America public Concrete execution r1 = 0xBE; r2 = 0x08 mov r1,r2 add r1,0x10 r1 = 0x18; r2 = 0x08 public 2 Symbolic execution r1 = 0xBE;

470 views • 31 slides

More recommend