differential fault analysis of trivium
play

Differential Fault Analysis of Trivium Michal Hojsk 1 , 3 and - PowerPoint PPT Presentation

Jun 17, 2023 •194 likes •390 views

Differential Fault Analysis of Trivium Michal Hojsk 1 , 3 and Bohuslav Rudolf 2 , 3 1The Selmer Center, University of Bergen, Norway 2National Security Authority, Czech Republic 3Department of Algebra, Charles University in Prague, Czech

  1. Differential Fault Analysis of Trivium Michal Hojsík 1 , 3 and Bohuslav Rudolf 2 , 3 1The Selmer Center, University of Bergen, Norway 2National Security Authority, Czech Republic 3Department of Algebra, Charles University in Prague, Czech Republic Fast Software Encryption 2008 February 10-13, Lausanne Michal Hojsík and Bohuslav Rudolf () Differential Fault Analysis of Trivium Fast Software Encryption 2008 1 / 13

  2. Talk outline Talk outline Trivium description Differential fault analysis Differential fault analysis of Trivium Experimental results Michal Hojsík and Bohuslav Rudolf () Differential Fault Analysis of Trivium Fast Software Encryption 2008 2 / 13

  3. Trivium Trivium Hardware oriented additive synchronous stream cipher Designed by de Cannière and Preneel in 2005 for eSTREAM Project Very fast in hardware and software 80-bit secret key and 80-bit initialisation vector Consists of 3 non-linear shift registers 288 bit inner state Michal Hojsík and Bohuslav Rudolf () Differential Fault Analysis of Trivium Fast Software Encryption 2008 3 / 13

  4. Trivium Cipher description Trivium Description Inner state IS = ( s 1 , . . . , s 288 ) Keystream generation algorithm: ✲ ❢ q ✻ ✲ s 1 s 66 s 69 s 91 s 92 s 93 ❄ ❄ ✛ ✲ ✲ ❢ ❢ ❵ ❢ ✛ ✻ ❢ ❄ ✲ q ✲ ✲ z i ✻ ❢ ❢ ✻ ✻ ✲ s 94 s 162 s 171 s 175 s 176 s 177 ❄ ❄ ✲ ✲ ❢ ❵ ❢ ✛ ❢ ✲ ✻ ❢ q ✻ ✲ s 178 s 243 s 264 s 286 s 287 s 288 ❄ ❄ ✲ ✲ ❵ ❢ ❢ Michal Hojsík and Bohuslav Rudolf () Differential Fault Analysis of Trivium Fast Software Encryption 2008 4 / 13

  5. Trivium Cipher description Trivium Description Secret key K = ( K 1 , . . . , K 80 ) , initialisation vector IV = ( IV 1 , . . . , IV 80 ) Initialisation algorithm = 1152 loops of the keystream gen. alg. without output ✲ ❢ ✻ ✲ K 1 K 80 0 0 · · · · · · ❄ ✲ ❄ ✛ ✲ ❢ ❢ ❵ ❢ ✛ ✻ ❢ ✲ ✻ ❢ ✻ ✲ IV 1 IV 80 0 0 · · · · · · ❄ ✲ ❄ ✲ ❵ ❢ ❢ ✛ ❢ ✲ ✻ ❢ ✻ ✲ 0 1 1 1 0 · · · ❄ ✲ ❄ ✲ ❵ ❢ ❢ Michal Hojsík and Bohuslav Rudolf () Differential Fault Analysis of Trivium Fast Software Encryption 2008 4 / 13

  6. Differential Fault Analysis General overview Differential Fault Analysis - DFA Type of active side-channel attack - adversary actively interferes with a cryptosystem First used in 1996 by Boneh et al. for RSA and by Biham and Shamir for DES Results on stream ciphers, e.g. Hoch, Shamir 2004 – Fault Analysis of LFSR based ciphers, Lili128, Sober-t32 Biham, Grandboulan 2005 – Impossible Fault Analysis of RC4 Michal Hojsík and Bohuslav Rudolf () Differential Fault Analysis of Trivium Fast Software Encryption 2008 5 / 13

  7. Differential Fault Analysis Attack model DFA Attack Model General DFA attack model: Attacker is able to inject a fault into a cipher inner state or intermediate result Attacker has only partial control over their number, location, timing ... Attacker can reset the device to its original state and repeat fault injection Our assumptions: Attacker is able to: obtain first n consecutive bits of (proper) keystream { z i } produced out of a state IS t inject exactly one fault (bit flip) into IS t at random position → faulty inner state IS ′ t obtain first n consecutive bits of faulty keystream { z ′ i } produced out of IS ′ t repeat the fault injection into the same inner state IS t m times Can be achieved in the Chosen ciphertext attack scenario Michal Hojsík and Bohuslav Rudolf () Differential Fault Analysis of Trivium Fast Software Encryption 2008 6 / 13

  8. Trivium DFA Fault Injection Fault Injection - Trivium Attack is based on the simplicity of the Trivium feedback functions Attack uses simple equation ( x + 1 ) · y + x · y = y ✲ ❡ q ✻ ✲ s 1 s 40 s 66 s 69 s 91 s 92 s 93 ❄ ❄ ✛ ✲ ✲ ❡ ❵ ❡ ❡ ✛ ✻ ❄ ❡ ✲ q ✲ ✲ z i ✻ ❡ ❡ ✲ s 94 ✻ ✻ s 162 s 171 s 175 s 176 s 177 ❄ ❄ ✲ ✲ ❵ ❡ ❡ ✛ ❡ ✲ ✻ ❡ q ✲ s 178 ✻ s 243 s 264 s 286 s 287 s 288 ❄ ❄ ✲ ✲ ❵ ❡ ❡ Michal Hojsík and Bohuslav Rudolf () Differential Fault Analysis of Trivium Fast Software Encryption 2008 7 / 13

  9. Trivium DFA Fault Injection Fault Injection - Trivium Attack is based on the simplicity of the Trivium feedback functions Attack uses simple equation ( x + 1 ) · y + x · y = y ✲ ❡ q ✻ ✲ + 1 · · · · · · ❄ ❄ ✛ ✲ ✲ ❡ ❵ ❡ ❡ ✛ ✻ ❄ ❡ ✲ q ✲ ✲ · ✻ ❡ ❡ ✲ ✻ ✻ · · · · · · ❄ ❄ ✲ ✲ ❡ ❵ ❡ ✛ ❡ ✲ ✻ ❡ q ✲ ✻ · · · · · · ❄ ❄ ✲ ✲ ❡ ❵ ❡ Michal Hojsík and Bohuslav Rudolf () Differential Fault Analysis of Trivium Fast Software Encryption 2008 7 / 13

  10. Trivium DFA Fault Injection Fault Injection - Trivium Attack is based on the simplicity of the Trivium feedback functions Attack uses simple equation ( x + 1 ) · y + x · y = y ✲ ❡ q ✻ ✲ + 1 · · · · · ❄ ❄ ✛ ✲ ✲ ❡ ❡ ❵ ❡ ✛ ✻ ❄ ❡ ✲ q ✲ ✲ + 1 ✻ ❡ ❡ ✲ + 1 ✻ ✻ · · · · · ❄ ❄ ✲ ✲ ❡ ❵ ❡ ✛ ❡ ✲ ✻ ❡ q ✲ ✻ · · · · · · ❄ ❄ ✲ ✲ ❵ ❡ ❡ Michal Hojsík and Bohuslav Rudolf () Differential Fault Analysis of Trivium Fast Software Encryption 2008 7 / 13

  11. Trivium DFA Fault Injection Fault Injection - Trivium Attack is based on the simplicity of the Trivium feedback functions Attack uses simple equation ( x + 1 ) · y + x · y = y ✲ ❡ q ✻ ✲ + 1 + 1 · · · · ❄ ❄ ✛ ✲ ✲ ❡ ❵ ❡ ❡ ✛ ✻ ❄ ❡ ✲ q ✲ ✲ · ✻ ❡ ❡ ✲ ✻ ✻ + 1 · · · · · · ❄ ❄ ✲ ✲ ❡ ❵ ❡ ✛ ❡ ✲ ✻ ❡ q ✲ ✻ · · · · · · ❄ ❄ ✲ ✲ ❵ ❡ ❡ Michal Hojsík and Bohuslav Rudolf () Differential Fault Analysis of Trivium Fast Software Encryption 2008 7 / 13

  12. Trivium DFA Fault Injection Fault Injection - Trivium Attack is based on the simplicity of the Trivium feedback functions Attack uses simple equation ( s 40 + 1 ) · s 41 + s 40 · s 41 = s 41 ✲ ❡ q ✻ ✲ · · + 1 + 1 · · · ❄ ❄ ✛ ✲ ✲ ❡ ❵ ❡ ❡ ✛ ✻ ❄ ❡ ✲ q ✲ ✲ · ✻ ❡ ❡ ✲ s 41 ✻ ✻ + 1 · · · · · ❄ ❄ ✲ ✲ ❡ ❵ ❡ ✛ ❡ ✲ ✻ ❡ q ✲ ✻ · · · · · · ❄ ❄ ✲ ✲ ❡ ❵ ❡ Michal Hojsík and Bohuslav Rudolf () Differential Fault Analysis of Trivium Fast Software Encryption 2008 7 / 13

  13. Trivium DFA Fault Injection Fault Injection - Trivium Attack is based on the simplicity of the Trivium feedback functions Attack uses simple equation s 39 · ( s 40 + 1 ) + s 39 · s 40 = s 39 ✲ ❡ q ✻ ✲ · · + 1 + 1 · · · ❄ ❄ ✛ ✲ ✲ ❡ ❵ ❡ ❡ ✛ ✻ ❄ ❡ ✲ q ✲ ✲ · ✻ ❡ ❡ ✲ s 39 ✻ ✻ s 41 + 1 · · · · · ❄ ❄ ✲ ✲ ❵ ❡ ❡ ✛ ❡ ✲ ✻ ❡ q ✲ ✻ · · · · · · ❄ ❄ ✲ ✲ ❵ ❡ ❡ Michal Hojsík and Bohuslav Rudolf () Differential Fault Analysis of Trivium Fast Software Encryption 2008 7 / 13

  14. Trivium DFA Attack Description Attack Description I Core of the attack - solve a system of equations in the inner state bits IS t = ( s 1 , . . . , s 288 ) Use equations given by the (proper) keystream { z i } Use differential fault analysis to obtain more equations Precomputation: for each fault position e , 1 ≤ e ≤ 288 express first n delta-keystream bits as expression is ( s 1 , . . . , s 288 ) store the equations in a table Fault position determination: distance between the output bits differs for each register compute the distances between nonzero bits of a keystream difference determine the fault position - table lookup Michal Hojsík and Bohuslav Rudolf () Differential Fault Analysis of Trivium Fast Software Encryption 2008 8 / 13

  15. Trivium DFA Attack Description Attack Description III Attack algorithm: - obtain the proper keystream generated from IS t - insert the keystream equations into the system while solution not found - reset the cipher to the state IS t - insert a fault into IS t at random position - obtain the faulty keystream - determine the fault position - insert delta keystream equations into the system - try to solve the system end while - clock Trivium backwards until initial state reached - read the secret key and IV Michal Hojsík and Bohuslav Rudolf () Differential Fault Analysis of Trivium Fast Software Encryption 2008 9 / 13

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010

Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010

Differential Fault Analysis of HC-128 Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010 May 03-06, 2010, Stellenbosch, South Africa Differential Fault Analysis of HC-128 Outline Fault analysis

374 views • 24 slides
Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier, Xiaolu Hou and Yang Liu 10 September 2018 1 / 25 Table of Contents Background and Motivation 1 Overview of DATAC DFA Automation Tool for

727 views • 25 slides
Explaining Differential Fault Analysis on DES Christophe Clavier Michael Tunstall 5/18/2006

Explaining Differential Fault Analysis on DES Christophe Clavier Michael Tunstall 5/18/2006

Explaining Differential Fault Analysis on DES Christophe Clavier Michael Tunstall 5/18/2006 References Bull & Innovatron Patents 2 Fault I njection Equipment: Laser 3 Bull & Innovatron Patents Fault I njection Equipment: CLI O

423 views • 39 slides
Differential Fault Analysis against AES-192 and AES-256 with Minimal Faults Chong Hee KIM

Differential Fault Analysis against AES-192 and AES-256 with Minimal Faults Chong Hee KIM

Outline Differential Fault Analysis against AES-192 and AES-256 with Minimal Faults Chong Hee KIM Information Security Group Universit e Catholique de Louvain, Belgium August 21, 2010 Chong Hee KIM, Universit e Catholique de Louvain

797 views • 76 slides
Fully Automated Differential Fault Analysis on Software Implementations of Block Ciphers Xiaolu

Fully Automated Differential Fault Analysis on Software Implementations of Block Ciphers Xiaolu

Fully Automated Differential Fault Analysis on Software Implementations of Block Ciphers Xiaolu Hou 1 , Jakub Breier 2 , Fuyuan Zhang 3 , and Yang Liu 2 1 National University of Singapore, Singapore 2 HP-NTU Digital Manufacturing Corporate Lab,

513 views • 26 slides
Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 34 Introduction We present a survey of low complexity differential cryptanalysis

844 views • 34 slides
Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 48 Introduction We present a survey of low complexity differential cryptanalysis

716 views • 48 slides
A Key-recovery Attack on 855-Round Trivium Ximing Fu, Xiaoyun Wang, Xiaoyang Dong , Willi Meier

A Key-recovery Attack on 855-Round Trivium Ximing Fu, Xiaoyun Wang, Xiaoyang Dong , Willi Meier

A Key-recovery Attack on 855-Round Trivium Ximing Fu, Xiaoyun Wang, Xiaoyang Dong , Willi Meier Tsinghua University, Beijing, China FHNW, Windisch, Switzerland June 6,2018 Introduction to Trivium Outline Introduction to Trivium 1 Related

382 views • 24 slides
JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK 2018, Kolkata, India 15 Nov 2018 Table of Contents 1. Introduction to Fault Attacks 2. Persistent Fault Analysis (PFA) 3. PFA on Fault

588 views • 19 slides
Improving Key Recovery to 784 and 799 rounds of Trivium using Optimized Cube Attacks Pierre-Alain

Improving Key Recovery to 784 and 799 rounds of Trivium using Optimized Cube Attacks Pierre-Alain

Improving Key Recovery to 784 and 799 rounds of Trivium using Optimized Cube Attacks Pierre-Alain Fouque 1 Thomas Vannet 2 1 Universit e de Rennes 1 2 NTT Secure Platform Laboratories March 13, 2013 Table of contents Introduction Trivium

463 views • 32 slides
Can Fault Tree Analysis Technique Resolve Fault Isolation Ambiguity? Alpana Gangopadhyaya

Can Fault Tree Analysis Technique Resolve Fault Isolation Ambiguity? Alpana Gangopadhyaya

Reliability Maintenance and Managing Risk Conference 2019 Can Fault Tree Analysis Technique Resolve Fault Isolation Ambiguity? Alpana Gangopadhyaya Supportability Systems Engineer Northrop Grumman Alpana.Gangopadhyaya@ngc.com Phone Number

466 views • 18 slides
RTNS: Scheduling Analysis under Fault Bursts Florian Many, Frdric Boniol, David Doose 5

RTNS: Scheduling Analysis under Fault Bursts Florian Many, Frdric Boniol, David Doose 5

Introduction Fault Model Strategies Scheduling Analysis Performance Conclusions RTNS: Scheduling Analysis under Fault Bursts Florian Many, Frdric Boniol, David Doose 5 November 2010 RTNS: Scheduling Analysis under Fault Bursts 1 / 25

259 views • 21 slides
San Andreas The Influence of Temperature, Sliding Velocity, and Rock Fault Analysis Composition

San Andreas The Influence of Temperature, Sliding Velocity, and Rock Fault Analysis Composition

San Andreas The Influence of Temperature, Sliding Velocity, and Rock Fault Analysis Composition at Depth On Fault Mechanics Background San Andreas Fault Observatory at Depth (SAFOD) Sample recovery of cores containing the two

408 views • 8 slides
Differential propagation analysis of Keccak Joan Daemen and Gilles Van Assche STMicroelectronics

Differential propagation analysis of Keccak Joan Daemen and Gilles Van Assche STMicroelectronics

Differential propagation analysis of Keccak Differential propagation analysis of Keccak Joan Daemen and Gilles Van Assche STMicroelectronics Fast Software Encryption, March 19-21, 2012 1 / 28 Differential propagation analysis of Keccak Outline

409 views • 36 slides
Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault

Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault

Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault tolerant programming are: Fault Detection - Knowing that a fault exists Fault Recovery - having atomic instructions that can be rolled back in

361 views • 18 slides
Securing RSA against Fault Analysis by Double Addition Chain Exponentiation Matthieu Rivain

Securing RSA against Fault Analysis by Double Addition Chain Exponentiation Matthieu Rivain

Securing RSA against Fault Analysis by Double Addition Chain Exponentiation Matthieu Rivain Oberthur Technologies & Univ. of Luxembourg 04/24/09 | Session ID: CRYP-403 Session Classification: Agenda RSA and Fault Analysis A New

421 views • 27 slides
A study of microjets Fr ed eric Dreyer work in progress with Gavin Salam, Matteo Cacciari,

A study of microjets Fr ed eric Dreyer work in progress with Gavin Salam, Matteo Cacciari,

A study of microjets Fr ed eric Dreyer work in progress with Gavin Salam, Matteo Cacciari, Mrinal Dasgupta & Gregory Soyez eorique et Hautes Laboratoire de Physique Th Energies LHCPhenoNet Paris, June 2014 Outline Introduction

565 views • 45 slides
Contents: 1. Introduction 1.1 Hybrid Video Coding 1.2 Object Oriented Coding 1.3 Advanced

Contents: 1. Introduction 1.1 Hybrid Video Coding 1.2 Object Oriented Coding 1.3 Advanced

The Hong Kong Polytechnic University Department of Electronic and Information Engineering, Centre for Multimedia Signal Processing Prof. W.C. Siu, Chair Professor and Centre Director 8 June, 2008 ICNNSP2008: IEEE International Conference on

685 views • 40 slides
STRUCTURE INTO MACHINE LEARNING TRINITY OF AI ALGORITHMS COMPUTE DATA 2 DEEP LEARNING IS

STRUCTURE INTO MACHINE LEARNING TRINITY OF AI ALGORITHMS COMPUTE DATA 2 DEEP LEARNING IS

Anima Anandkumar BEYOND BLACK BOXES: INFUSING STRUCTURE INTO MACHINE LEARNING TRINITY OF AI ALGORITHMS COMPUTE DATA 2 DEEP LEARNING IS DATA-HUNGRY STRUCTURE-INFUSED LEARNING Learning Data Priors = + Learning Data Priors = + How

579 views • 44 slides
Development of Open Source RESTful WHOIS Linlin Zhou Why We Need a New WHOIS Protocol WHOIS

Development of Open Source RESTful WHOIS Linlin Zhou Why We Need a New WHOIS Protocol WHOIS

Development of Open Source RESTful WHOIS Linlin Zhou Why We Need a New WHOIS Protocol WHOIS Protocol (RFC 3912) has problems WHOIS has never been internationalized WHOIS was defined for ASCII only WHOIS also has no data model The

316 views • 15 slides
Fault Sensitivity Analysis Yang Li, Kazuo Sakiyama, Shigeto Gomisawa, Kazuo Ohta The University

Fault Sensitivity Analysis Yang Li, Kazuo Sakiyama, Shigeto Gomisawa, Kazuo Ohta The University

Fault Sensitivity Analysis Yang Li, Kazuo Sakiyama, Shigeto Gomisawa, Kazuo Ohta The University of Electro-Communications liyang@ice.uec.ac.jp Toshinori Fukunaga, Junko Takahashi NTT Information Sharing Platform Laboratories 19 Aug 2010 CHES

2.17k views • 28 slides
Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max

Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max

DFT 2013 Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max Dutertre Assia Tria Outline Introduction State-of-the-art of the Round Reduction Analysis Theory of our attacks and the realizations

591 views • 14 slides
Automatic Search for Linear Trails of the SPECK Family Yuan Yao 1 , 2 Bin Zhang 2 Wenling Wu 2 1

Automatic Search for Linear Trails of the SPECK Family Yuan Yao 1 , 2 Bin Zhang 2 Wenling Wu 2 1

Introduction Linear Cryptanalysis Against SPECK An Implementation of Wallns Algorithm Summary Automatic Search for Linear Trails of the SPECK Family Yuan Yao 1 , 2 Bin Zhang 2 Wenling Wu 2 1 TCA Laboratory, Institute of Software, Chinese

531 views • 41 slides
Differential Power Analysis (DPA) With Key Ranking and Enumeration Martijn Stam COINS

Differential Power Analysis (DPA) With Key Ranking and Enumeration Martijn Stam COINS

Differential Power Analysis (DPA) With Key Ranking and Enumeration Martijn Stam COINS Winterschool in Finse, May 2019 The Rise of Side-Channels The Ideal World 2 Modern Cryptology From Katz and Lindells Classic Textbook Three Principles

913 views • 46 slides

More recommend