explaining differential fault analysis on des
play

Explaining Differential Fault Analysis on DES Christophe Clavier - PowerPoint PPT Presentation

Nov 06, 2022 •33 likes •423 views

Explaining Differential Fault Analysis on DES Christophe Clavier Michael Tunstall 5/18/2006 References Bull & Innovatron Patents 2 Fault I njection Equipment: Laser 3 Bull & Innovatron Patents Fault I njection Equipment: CLI O

  1. Explaining Differential Fault Analysis on DES Christophe Clavier Michael Tunstall 5/18/2006

  2. References Bull & Innovatron Patents 2

  3. Fault I njection Equipment: Laser 3 Bull & Innovatron Patents

  4. Fault I njection Equipment: CLI O Glitch I njector 4 Bull & Innovatron Patents

  5. Where to inject a fault? 5 Bull & Innovatron Patents

  6. Looking Closer 3rd round 2nd round Key E Perm & Xor S-Boxes Key Key PC2 P Perm Shift Shift Shift (8 patterns) (8 patterns) (4 patterns) 6 Bull & Innovatron Patents

  7. Notation • 16 Rounds, each a transform 2 32- bit variables. • [L0,R0] – plaintext • [L16,R16] – ciphertext • Bitwise permutations are not always considered. 7 Bull & Innovatron Patents

  8. DES-Fifteenth Round 5/18/2006

  9. DES last round structure • Transformation of [L15,R15] to L15 R15 [L16,R16] using K16 K16 K16 = S-Box 16 15 L R = ⊕ ⊕ 16 ( 15 16 ) 15 R S R K L L16 R16 9 Bull & Innovatron Patents

  10. Fault I njection in 15 th round • If R15 is changed to R15’, without changing L15 = 16 15 L R = ⊕ ⊕ 16 ( 15 16 ) 15 R S R K L ′ ′ = then L 1 6 R 1 5 ′ ′ = ⊕ ⊕ R 1 6 S ( R 1 5 K 16 ) L 15 where S(x) is the S-box function ′ ′ ⊕ = ⊕ ⊕ ⊕ ⊕ ⊕ R 16 R 1 6 S ( R 15 K 16 ) L 15 S ( R 1 5 K 16 ) L 15 ′ = ⊕ ⊕ ⊕ S ( R 15 K 16 ) S ( R 1 5 K 16 ) 10 Bull & Innovatron Patents

  11. Differential Fault Analysis L16 L16’ • For each S-box (Si), i Є [1..8] L16 L16’ verify the following relation: K16 K16 K16 K16 _ 6 _ 6 _ 6 _ 6 • Gives a list of possible key values 2 32 Si Si Si Si • Leads to an exhaustive search _ 4 _ 4 _ _ 4 4 R16 R16’ R16 R16’ 11 Bull & Innovatron Patents

  12. Predicting the Key Space • Why 2 32 ? • The number of hypothesis’ given for each six bits of the key can be found using the tables, described in, ”Differential Cryptanalysis of DES-like Cryptosystems” by Biham and Shamir { 64, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }, { 0, 0, 0, 6, 0, 2, 4, 4, 0, 10, 12, 4, 10, 6, 2, 4 }, { 0, 0, 0, 8, 0, 4, 4, 4, 0, 6, 8, 6, 12, 6, 4, 2 }, { 14, 4, 2, 2, 10, 6, 4, 2, 6, 4, 4, 0, 2, 2, 2, 0 }, { 0, 0, 0, 6, 0, 10, 10, 6, 0, 4, 6, 4, 2, 8, 6, 2 }, { 4, 8, 6, 2, 2, 4, 4, 2, 0, 4, 4, 0, 12, 2, 4, 6 }, { 0, 4, 2, 4, 8, 2, 6, 2, 8, 4, 4, 2, 4, 2, 0, 12 }, { 2, 4, 10, 4, 0, 4, 8, 4, 2, 4, 8, 2, 2, 2, 4, 4 }, { 0, 0, 0, 12, 0, 8, 8, 4, 0, 6, 2, 8, 8, 2, 2, 4 }, { 10, 2, 4, 0, 2, 4, 6, 0, 2, 2, 8, 0, 10, 0, 2, 12 }, { 0, 8, 6, 2, 2, 8, 6, 0, 6, 4, 6, 0, 4, 0, 2, 10 }, { 2, 4, 0, 10, 2, 2, 4, 0, 2, 6, 2, 6, 6, 4, 2, 12 }, { 0, 0, 0, 8, 0, 6, 6, 0, 0, 6, 6, 4, 6, 6, 14, 2 }, { 6, 6, 4, 8, 4, 8, 2, 6, 0, 6, 4, 6, 0, 2, 0, 2 }, { 0, 4, 8, 8, 6, 6, 4, 0, 6, 6, 4, 0, 0, 4, 0, 8 }, { 2, 0, 2, 4, 4, 6, 4, 2, 4, 8, 2, 2, 2, 6, 8, 8 }, ... 12 Bull & Innovatron Patents

  13. Predicting the Key Space • For each s-box the expected number of hypotheses can be calculated: • The predicted key space is the product of all the averages = 2 24 . • Eight bits are not included in this key and need to be added = 2 32 . 13 Bull & Innovatron Patents

  14. I ntersecting Keyspaces • e.g. two faulty ciphertext leading to 2 14 • With numerous faulty ciphertexts the key will be in the intersection of all the key spaces. 14 Bull & Innovatron Patents

  15. A Real Example • Plaintext file • Ciphertext file Correct Ciphertext Faulty Ciphertexts 15 Bull & Innovatron Patents

  16. A Real Example 16 Bull & Innovatron Patents

  17. A Real Example • Searches of 2 48 and 2 25 for the different faulty ciphertexts. • The intersection can be taken giving a search of around 2 20 for the entire DES key. 17 Bull & Innovatron Patents

  18. DES – Other Rounds 5/18/2006

  19. Differential Fault Analysis L15 R15 • Why does this work? � Because for each s-box K16 K16 • For two unrelated ciphertexts then with S-Box probability 1/16, for each s-box. � Hypotheses are uniformly distributed • If a fault in a round towards the L16 R16 end of a DES then with probability p . 19 Bull & Innovatron Patents

  20. 1 Bit Faults: Round 15 • 1 bit fault in R15 L15 R15 • Gives differentials over 1 or 2 s- boxes. K16 K16 • Several samples will allow the key to be derived as before. S-Box L16 R16 20 Bull & Innovatron Patents

  21. 1 Bit Faults: Round 14 L14 R14 • 1 bit fault in R14, will also change one bit in L15. K15 K15 • For 7 of the 8 s-boxes, S-Box • For each s-box: L15 R15 P( ) = 7/8 K16 K16 • This probability will approach 1/16 the further into the S-Box algorithm the fault is injected. L16 R16 21 Bull & Innovatron Patents

  22. Differential Fault Analysis • Keyspace generated in exactly C’ 1 Keyspace C’ 2 Keyspace the same way as for fifteenth round fault. C’ 4 Keyspace • There is no intersection of all C’ 3 Keyspace keyspaces generated, a system of votes is conducted. C’ 5 Keyspace • The red area has the highest C’ 6 Keyspace chance of being the key. 22 Bull & Innovatron Patents

  23. Differential Fault Analysis • The amount of faulty ciphertexts required increases the further away from the end of the DES the fault is, and the amount of bits modified. • Theoretical results with 1 bit faults. � Easy until round 11 (less than 1000) ciphertexts � Round 10 requires several million ciphertexts � Round 9 ? • Attempt with 10’s of millions failed … 23 Bull & Innovatron Patents

  24. A Simulated Example • Ciphertex file • Faulty Ciphertext file 24 Bull & Innovatron Patents

  25. A Simulated Example 00 : 7 5 8 4 7 4 6 7 • Actual subkey: 01 : 7 3 7 4 7 4 5 7 02 : 7 5 8 4 6 5 6 6 03 : 7 4 8 5 7 5 6 8 0D 0C 09 34 10 38 3A 0D 04 : 6 5 7 5 7 5 5 7 05 : 5 5 8 4 7 4 6 5 06 : 6 5 8 4 7 6 5 6 07 : 6 5 8 4 7 5 6 8 08 : 7 4 7 5 7 4 5 8 09 : 6 5 2 5 7 4 5 6 0a : 7 5 8 5 7 6 5 6 0b : 6 5 7 5 7 6 6 8 0c : 6 0 6 5 7 5 6 8 0d : 0 3 7 5 7 5 6 2 0e : 6 3 7 4 7 4 6 7 0f : 6 3 8 2 7 5 6 7 10 : 6 5 8 5 2 6 5 7 11 : 7 4 8 5 6 5 6 8 12 : 7 5 8 5 4 5 5 8 13 : 7 5 8 5 6 3 6 7 14 : 7 5 7 4 5 6 6 8 ... 25 Bull & Innovatron Patents

  26. Gaining Extra Rounds L n-2 R n-2 • Any fault in R n will have an equivalent fault in L n-1 . K n K n- -1 1 S-Box • L n-1 is static, therefore need to target the copying of R n-2 . � Implementation Specific. � Several millions faults in 8 th round. L n-1 R n-1 � Less than a thousand in the 9 th . K n K n • Advanced Simple Power Analysis S-Box L n R n 26 Bull & Innovatron Patents

  27. 3DES 5/18/2006

  28. Differential Fault Analysis • If injecting faults in the last and middle DES (the fifteenth round of each). � C correct ciphertext. � C 1 ciphertext with fault in fifteenth round of the last DES. � C 2 ciphertext with fault in fifteenth round of the middle DES. • For each key hypothesis generated for K1, a keyspace can be generated and search for K2 (DES -1 (kh 1 ,C)), DES -1 (kh 1 ,C 2 )) K2 Keyspace (C,C 1 ) K1 Keyspace K2 Keyspace (DES -1 (kh 2 ,C)), DES -1 (kh 2 ,C 2 )) 28 Bull & Innovatron Patents

  29. Differential Fault Analysis • Each hypothesis for K1 produces 2 32 hypotheses for K2, the total number of keys (K1, K2) that need to be searched is: 2 32 × 2 32 = 2 64 • This can be improved upon with more acquisitions, with two faulty ciphertexts from each DES: 2 14 × 2 14 = 2 28 • This can still be improved upon … 29 Bull & Innovatron Patents

  30. Differential Fault Analysis • If a given key hypothesis (kh i ) contains K1 then (DES -1 (kh i ,C)), DES -1 (kh i ,C 2 )) Will contain K2, and the differentials generated across each s-box in the last round will be distributed on: 30 Bull & Innovatron Patents

  31. I mpossible Differentials • Again using the table described in, ”Differential Cryptanalysis of DES-like Cryptosystems” by Biham and Shamir { 64, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }, { 0, 0, 0, 6, 0, 2, 4, 4, 0, 10, 12, 4, 10, 6, 2, 4 }, { 0, 0, 0, 8, 0, 4, 4, 4, 0, 6, 8, 6, 12, 6, 4, 2 }, { 14, 4, 2, 2, 10, 6, 4, 2, 6, 4, 4, 0, 2, 2, 2, 0 }, { 0, 0, 0, 6, 0, 10, 10, 6, 0, 4, 6, 4, 2, 8, 6, 2 }, { 4, 8, 6, 2, 2, 4, 4, 2, 0, 4, 4, 0, 12, 2, 4, 6 }, { 0, 4, 2, 4, 8, 2, 6, 2, 8, 4, 4, 2, 4, 2, 0, 12 }, { 2, 4, 10, 4, 0, 4, 8, 4, 2, 4, 8, 2, 2, 2, 4, 4 }, { 0, 0, 0, 12, 0, 8, 8, 4, 0, 6, 2, 8, 8, 2, 2, 4 }, { 10, 2, 4, 0, 2, 4, 6, 0, 2, 2, 8, 0, 10, 0, 2, 12 }, { 0, 8, 6, 2, 2, 8, 6, 0, 6, 4, 6, 0, 4, 0, 2, 10 }, { 2, 4, 0, 10, 2, 2, 4, 0, 2, 6, 2, 6, 6, 4, 2, 12 }, { 0, 0, 0, 8, 0, 6, 6, 0, 0, 6, 6, 4, 6, 6, 14, 2 }, { 6, 6, 4, 8, 4, 8, 2, 6, 0, 6, 4, 6, 0, 2, 0, 2 }, { 0, 4, 8, 8, 6, 6, 4, 0, 6, 6, 4, 0, 0, 4, 0, 8 }, { 2, 0, 2, 4, 4, 6, 4, 2, 4, 8, 2, 2, 2, 6, 8, 8 }, ... 31 Bull & Innovatron Patents

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010

Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010

Differential Fault Analysis of HC-128 Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010 May 03-06, 2010, Stellenbosch, South Africa Differential Fault Analysis of HC-128 Outline Fault analysis

374 views • 24 slides
Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier, Xiaolu Hou and Yang Liu 10 September 2018 1 / 25 Table of Contents Background and Motivation 1 Overview of DATAC DFA Automation Tool for

727 views • 25 slides
Differential Fault Analysis against AES-192 and AES-256 with Minimal Faults Chong Hee KIM

Differential Fault Analysis against AES-192 and AES-256 with Minimal Faults Chong Hee KIM

Outline Differential Fault Analysis against AES-192 and AES-256 with Minimal Faults Chong Hee KIM Information Security Group Universit e Catholique de Louvain, Belgium August 21, 2010 Chong Hee KIM, Universit e Catholique de Louvain

797 views • 76 slides
Fully Automated Differential Fault Analysis on Software Implementations of Block Ciphers Xiaolu

Fully Automated Differential Fault Analysis on Software Implementations of Block Ciphers Xiaolu

Fully Automated Differential Fault Analysis on Software Implementations of Block Ciphers Xiaolu Hou 1 , Jakub Breier 2 , Fuyuan Zhang 3 , and Yang Liu 2 1 National University of Singapore, Singapore 2 HP-NTU Digital Manufacturing Corporate Lab,

513 views • 26 slides
Differential Fault Analysis of Trivium Michal Hojsk 1 , 3 and Bohuslav Rudolf 2 , 3 1The Selmer

Differential Fault Analysis of Trivium Michal Hojsk 1 , 3 and Bohuslav Rudolf 2 , 3 1The Selmer

Differential Fault Analysis of Trivium Michal Hojsk 1 , 3 and Bohuslav Rudolf 2 , 3 1The Selmer Center, University of Bergen, Norway 2National Security Authority, Czech Republic 3Department of Algebra, Charles University in Prague, Czech

390 views • 19 slides
Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 34 Introduction We present a survey of low complexity differential cryptanalysis

844 views • 34 slides
Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 48 Introduction We present a survey of low complexity differential cryptanalysis

716 views • 48 slides
JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK 2018, Kolkata, India 15 Nov 2018 Table of Contents 1. Introduction to Fault Attacks 2. Persistent Fault Analysis (PFA) 3. PFA on Fault

588 views • 19 slides
Explaining Inconsistent Code Muhammad Numair Mansur Introduction 50% of the time in

Explaining Inconsistent Code Muhammad Numair Mansur Introduction 50% of the time in

Explaining Inconsistent Code Muhammad Numair Mansur Introduction 50% of the time in debugging Fault localization. Becomes more tedious as the program size increase. Automatically explaining and localizing inconsistent code .

1.04k views • 63 slides
Can Fault Tree Analysis Technique Resolve Fault Isolation Ambiguity? Alpana Gangopadhyaya

Can Fault Tree Analysis Technique Resolve Fault Isolation Ambiguity? Alpana Gangopadhyaya

Reliability Maintenance and Managing Risk Conference 2019 Can Fault Tree Analysis Technique Resolve Fault Isolation Ambiguity? Alpana Gangopadhyaya Supportability Systems Engineer Northrop Grumman Alpana.Gangopadhyaya@ngc.com Phone Number

466 views • 18 slides
RTNS: Scheduling Analysis under Fault Bursts Florian Many, Frdric Boniol, David Doose 5

RTNS: Scheduling Analysis under Fault Bursts Florian Many, Frdric Boniol, David Doose 5

Introduction Fault Model Strategies Scheduling Analysis Performance Conclusions RTNS: Scheduling Analysis under Fault Bursts Florian Many, Frdric Boniol, David Doose 5 November 2010 RTNS: Scheduling Analysis under Fault Bursts 1 / 25

259 views • 21 slides
San Andreas The Influence of Temperature, Sliding Velocity, and Rock Fault Analysis Composition

San Andreas The Influence of Temperature, Sliding Velocity, and Rock Fault Analysis Composition

San Andreas The Influence of Temperature, Sliding Velocity, and Rock Fault Analysis Composition at Depth On Fault Mechanics Background San Andreas Fault Observatory at Depth (SAFOD) Sample recovery of cores containing the two

408 views • 8 slides
Differential propagation analysis of Keccak Joan Daemen and Gilles Van Assche STMicroelectronics

Differential propagation analysis of Keccak Joan Daemen and Gilles Van Assche STMicroelectronics

Differential propagation analysis of Keccak Differential propagation analysis of Keccak Joan Daemen and Gilles Van Assche STMicroelectronics Fast Software Encryption, March 19-21, 2012 1 / 28 Differential propagation analysis of Keccak Outline

409 views • 36 slides
Explaining Local Government Transparency: An Analysis of Information Disclosed in Official

Explaining Local Government Transparency: An Analysis of Information Disclosed in Official

University of Minho School of Economics and Management Research Center in Political Science UNU-EGOV Seminar Guimares, October 15, 2015 Explaining Local Government Transparency: An Analysis of Information Disclosed in Official Websites

346 views • 30 slides
Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault

Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault

Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault tolerant programming are: Fault Detection - Knowing that a fault exists Fault Recovery - having atomic instructions that can be rolled back in

361 views • 18 slides
Securing RSA against Fault Analysis by Double Addition Chain Exponentiation Matthieu Rivain

Securing RSA against Fault Analysis by Double Addition Chain Exponentiation Matthieu Rivain

Securing RSA against Fault Analysis by Double Addition Chain Exponentiation Matthieu Rivain Oberthur Technologies & Univ. of Luxembourg 04/24/09 | Session ID: CRYP-403 Session Classification: Agenda RSA and Fault Analysis A New

421 views • 27 slides
Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max

Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max

DFT 2013 Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max Dutertre Assia Tria Outline Introduction State-of-the-art of the Round Reduction Analysis Theory of our attacks and the realizations

591 views • 14 slides
Fault Sensitivity Analysis Yang Li, Kazuo Sakiyama, Shigeto Gomisawa, Kazuo Ohta The University

Fault Sensitivity Analysis Yang Li, Kazuo Sakiyama, Shigeto Gomisawa, Kazuo Ohta The University

Fault Sensitivity Analysis Yang Li, Kazuo Sakiyama, Shigeto Gomisawa, Kazuo Ohta The University of Electro-Communications liyang@ice.uec.ac.jp Toshinori Fukunaga, Junko Takahashi NTT Information Sharing Platform Laboratories 19 Aug 2010 CHES

2.17k views • 28 slides
A study of microjets Fr ed eric Dreyer work in progress with Gavin Salam, Matteo Cacciari,

A study of microjets Fr ed eric Dreyer work in progress with Gavin Salam, Matteo Cacciari,

A study of microjets Fr ed eric Dreyer work in progress with Gavin Salam, Matteo Cacciari, Mrinal Dasgupta & Gregory Soyez eorique et Hautes Laboratoire de Physique Th Energies LHCPhenoNet Paris, June 2014 Outline Introduction

565 views • 45 slides
Automatic Search for Linear Trails of the SPECK Family Yuan Yao 1 , 2 Bin Zhang 2 Wenling Wu 2 1

Automatic Search for Linear Trails of the SPECK Family Yuan Yao 1 , 2 Bin Zhang 2 Wenling Wu 2 1

Introduction Linear Cryptanalysis Against SPECK An Implementation of Wallns Algorithm Summary Automatic Search for Linear Trails of the SPECK Family Yuan Yao 1 , 2 Bin Zhang 2 Wenling Wu 2 1 TCA Laboratory, Institute of Software, Chinese

531 views • 41 slides
Differential Power Analysis (DPA) With Key Ranking and Enumeration Martijn Stam COINS

Differential Power Analysis (DPA) With Key Ranking and Enumeration Martijn Stam COINS

Differential Power Analysis (DPA) With Key Ranking and Enumeration Martijn Stam COINS Winterschool in Finse, May 2019 The Rise of Side-Channels The Ideal World 2 Modern Cryptology From Katz and Lindells Classic Textbook Three Principles

913 views • 46 slides
A Cost Benefit Analysis of Faster Transmission System Protection Schemes and Ground Grid Design

A Cost Benefit Analysis of Faster Transmission System Protection Schemes and Ground Grid Design

A Cost Benefit Analysis of Faster Transmission System Protection Schemes and Ground Grid Design Brian Ehsani SEPTEMBER 5 - 7, 2018 Agenda Example System And Clearing Times Ground Grid Design Cost Analysis Additional Conclusions

909 views • 32 slides
Trapping Webster New Collegiate Dictionary: trap vb 1b: to place in a restricted position

Trapping Webster New Collegiate Dictionary: trap vb 1b: to place in a restricted position

Trapping Webster New Collegiate Dictionary: trap vb 1b: to place in a restricted position Petroleum Geology AES/TA 3820 General Considerations Trapping is the mechanism by which migration of oil and gas is stopped such that an accumulation of

550 views • 37 slides
Todays speakers Nicolas Jimenez, President and CEO Kelly Aimers, FCIA, ACAS, Director of

Todays speakers Nicolas Jimenez, President and CEO Kelly Aimers, FCIA, ACAS, Director of

9/4/2018 ICBCs 2018 Basic Insurance Rate Design Application Streamlined Review Process Presentation September 4, 2018 Todays speakers Nicolas Jimenez, President and CEO Kelly Aimers, FCIA, ACAS, Director of Pricing and

392 views • 37 slides

More recommend