low complexity differential cryptanalysis and fault
play

Low Complexity Differential Cryptanalysis and Fault Analysis of AES - PowerPoint PPT Presentation

Jul 07, 2023 •225 likes •716 views

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 48 Introduction We present a survey of low complexity differential cryptanalysis

  1. Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 48

  2. Introduction We present a survey of low complexity differential cryptanalysis and differential fault analysis of AES. We define low complexity to be: ◮ A low number of plaintext-ciphertext pairs. ◮ A feasible amount of computing power. Inspired eprint publication Bouillaguet et al. (2010). Michael Tunstall (University of Bristol) May/June, 2011 2 / 48

  3. Preliminaries The AES is a 10-round block cipher that transforms a plaintext P = ( p 1 , p 2 , . . . , p 16 ) (256) to ciphertext C = ( c 1 , c 2 , . . . , c 16 ) (256) using secret key K = ( k 1 , k 2 , . . . , k 16 ) (256) . Arranged into a 4 × 4 array of bytes.     p 1 p 5 p 9 p 13 c 1 c 5 c 9 c 13 p 2 p 6 p 10 p 14 c 2 c 6 c 10 c 14     →  .     p 3 p 7 p 11 p 15 c 3 c 7 c 11 c 15    p 4 p 8 p 12 p 16 c 4 c 8 c 12 c 16 Michael Tunstall (University of Bristol) May/June, 2011 3 / 48

  4. Preliminaries Each round ofThe AES consists of: ◮ AddRoundkey — An XOR with a subkey. ◮ SubBytes — A bytewise substitution (we will refer to a function S ). ◮ ShiftRows — The bytes in each row are rotated by 0, 1, 2, 3 places respectively. ◮ MixColumns — A matrix multiplication with   2 3 1 1 1 2 3 1     1 1 2 3   3 1 1 2 using polynomial multiplications over F 2 8 modulo the irreducible polynomial x 8 + x 4 + x 3 + x + 1. Where the last round does not include the MixColumns function, but a final XOR with a last subkey. Michael Tunstall (University of Bristol) May/June, 2011 4 / 48

  5. Observation 1 If we consider y 1 ⊕ y 2 = S ( x 1 ) ⊕ S ( x 2 ) For given XOR differences ∆ x = x 1 ⊕ x 2 and ∆ y = y 1 ⊕ y 2 the number of possible values for { x 1 , x 2 , y 1 , y 2 } will be: ◮ Four with probability 1 256 ◮ Two with probability 126 256 ◮ Zero with probability 128 256 Michael Tunstall (University of Bristol) May/June, 2011 5 / 48

  6. Observation 2 We consider a = MixColumns ( b ), where a = ( a 0 , a 1 , a 2 , a 3 ) , b = ( b 0 , b 1 , b 2 , b 3 ) Given any four bytes from ( a 0 , a 1 , a 2 , a 3 , b 0 , b 1 , b 2 , b 3 ) the remaining four can be computed. Trivially, this is also true if we consider the XOR differentials, since, if a ′ = MixColumns ( b ′ ) a = MixColumns ( b ) and then a ⊕ a ′ = MixColumns ( b ⊕ b ′ ). Michael Tunstall (University of Bristol) May/June, 2011 6 / 48

  7. Observation 3 We consider a ⊕ a ′ = MixColumns ( b ⊕ b ′ ). Given the number of input bytes that are different in b , b ′ , the number of bytes that differ in the output will occur with probabilities: # Bytes Out(0) Out(1) Out(2) Out(3) Out(4) In(0) 1 0 0 0 0 In(1) 0 0 0 0 1 255 ≈ 1 4 251 In(2) 0 0 0 2 6 255 2 1 65025 ≈ 1 1004 12803 In(3) 0 0 12675 ≈ 2 13 . 4 2 6 13005 4 1 502 1 3316275 ≈ 1 51212 3264761 In(4) 0 16581375 ≈ 5527125 ≈ 2 22 2 13 . 4 2 6 3316275 Michael Tunstall (University of Bristol) May/June, 2011 7 / 48

  8. Models We consider two models. Chosen Plaintext Model — Standard model for differential cryptanalysis. An attacker is able to encipher arbitrary plaintexts under a fixed unknown secret key and recover the ciphertext. The practicality of an attack is influenced by the number of chosen plaintexts required to conduct a given attack. The time complexity of attacks in this model is considered to the number of enciphering operations, or equivalent, of the algorithm under attack. Michael Tunstall (University of Bristol) May/June, 2011 8 / 48

  9. Models Chosen Difference Model — Proposed to correspond to differential fault analysis. Able to encipher two related but unknown plaintexts. That is, an attacker is able to encipher two plaintexts with a difference of a chosen size. ◮ That is, a difference where the number and position of bytes can be controlled but not the value of the difference. The practicality of the attack is influenced by the number of pairs of ciphertexts required with a difference of a known size. The time complexity of attacks in this model is considered to the number of enciphering operations, or equivalent, of a full 10-round AES. We also assume that the attacker has access to an oracle that can be used to test whether a given key hypothesis is correct. Michael Tunstall (University of Bristol) May/June, 2011 9 / 48

  10. Attacking a Reduced Round AES We define attacks against reduced round implementations of AES using the aforementioned models. In each case the last round does not include the MixColumns function. Michael Tunstall (University of Bristol) May/June, 2011 10 / 48

  11. One-Round AES: Chosen Plaintext Model There is a widely known attack on one-round AES in the chosen plaintext model. For two arbitrary plaintexts P , P ′ producing ciphertexts C , C ′ then we have c i ⊕ c ′ i = S ( p i ⊕ k i ) ⊕ S ( p ′ i ⊕ k i ) for i ∈ { 1 , . . . , 16 } . From Observation 1 we know each equation will produce approximately two possible values for each k i , leading to 2 16 hypotheses. Bouillaguet et al. (2010) note that two subkeys can be evaluated independently and have an intersection of 2 12 hypotheses. This attack does not work on the chosen difference model as the difference is itself unknown. Michael Tunstall (University of Bristol) May/June, 2011 11 / 48

  12. Two-Round AES: Chosen Difference Model The first differential fault analysis of AES was proposed by Piret and Quisquater (2003). If, for example, there is an XOR difference in four bytes it will propagate as follows.  θ 1 θ 2 θ 3 θ 4   2 α β γ 3 δ    x 1 x 5 x 9 x 13 0 0 0 0 3 α 2 β γ δ x 2 x 6 x 10 x 14        →  →       0 0 0 0 α 3 β 2 γ δ x 3 x 7 x 11 x 15     0 0 0 0 α β 3 γ 2 δ x 4 x 8 x 12 x 16 Michael Tunstall (University of Bristol) May/June, 2011 12 / 48

  13. Two-Round AES: Chosen Difference Model If the last subkey is K = ( k 1 , k 2 , . . . , k 16 ) (256) and chiphertexts C = ( c 1 , c 2 , . . . , c 16 ) (256) , C ′ = ( c ′ 1 , c ′ 2 , . . . , c ′ 16 ) (256) . We can construct four sets of equations of the form 2 θ = S − 1 ( c 1 ⊕ k 1 ) ⊕ S − 1 ( c ′ 1 ⊕ k 1 ) θ = S − 1 ( c 8 ⊕ k 8 ) ⊕ S − 1 ( c ′ 8 ⊕ k 8 ) θ = S − 1 ( c 11 ⊕ k 11 ) ⊕ S − 1 ( c ′ 11 ⊕ k 11 ) 3 θ = S − 1 ( c 14 ⊕ k 14 ) ⊕ S − 1 ( c ′ 14 ⊕ k 14 ) , which will give 2 8 hypotheses for { k 1 , k 8 , k 11 , k 14 } . Leading to 2 32 hypotheses for K . ◮ (Time complexity) Michael Tunstall (University of Bristol) May/June, 2011 13 / 48

  14. Two-Round AES: Chosen Plaintext Model Bouillaguet et al. (2010) note that if the plaintext if known then there are 127 possible vales for each θ i for i ∈ { 1 , 2 , 3 , 4 } (Observation 1). Then, given 2 θ = S − 1 ( c 1 ⊕ k 1 ) ⊕ S − 1 ( c ′ 1 ⊕ k 1 ) θ = S − 1 ( c 8 ⊕ k 8 ) ⊕ S − 1 ( c ′ 8 ⊕ k 8 ) θ = S − 1 ( c 11 ⊕ k 11 ) ⊕ S − 1 ( c ′ 11 ⊕ k 11 ) 3 θ = S − 1 ( c 14 ⊕ k 14 ) ⊕ S − 1 ( c ′ 14 ⊕ k 14 ) , will give 2 7 hypotheses for { k 1 , k 8 , k 11 , k 14 } . Leading to 2 28 hypotheses. ◮ (Time complexity) Michael Tunstall (University of Bristol) May/June, 2011 14 / 48

  15. Three-Round AES: Chosen Difference Model The same attack as previously can be constructed if we consider a difference in one bye.  ζ 0 0 0   2 θ 0 0 0  0 0 0 0 3 θ 0 0 0      →  →     0 0 0 0 θ 0 0 0   0 0 0 0 θ 0 0 0  2 α β γ 3 δ    x 1 x 5 x 9 x 13 3 α 2 β γ δ x 2 x 6 x 10 x 14      →     α 3 β 2 γ δ x 3 x 7 x 11 x 15    α β 3 γ 2 δ x 4 x 8 x 12 x 16 Using the same technique as presented previously we can generate 2 32 key hypotheses. One can then generate 2 8 hypotheses with a time complexity of 2 32 / 10 ≈ 2 28 . 5 . Michael Tunstall (University of Bristol) May/June, 2011 15 / 48

  16. Three-Round AES: Chosen Plaintext Model Given Observation 1 we can note that θ will have 2 7 possible values rather than the 2 8 considered in the previous attack. Producing 2 7 hypotheses with a time complexity of 2 32 / 3 ≈ 2 30 . 5 . Michael Tunstall (University of Bristol) May/June, 2011 16 / 48

  17. Four-Round AES: Chosen Plaintext Model — Meet-in-the-Middle Attack — Bouillaguet et al. (2010) describe an attack that requires ten plaintext-ciphertext pairs. Where the plaintexts differ in four bytes. Guessing four bytes of the last subkey ( K 5 ) and one byte of the penultimate key ( K 4 ), we can predict X i for i ∈ { 1 , 2 , . . . , 10 } .   X i 0 0 0 0 0 0 0   → ShiftRows → SubBytes → ⊕ MixColumns − 1 ( K 4 ) →    0 0 0 0  0 0 0 0   c 1 c 5 c 9 c 13 c 2 c 6 c 10 c 14   MixColumns → ShiftRows → SubBytes → ⊕ K 5 →   c 3 c 7 c 11 c 15   c 4 c 8 c 12 c 16 Michael Tunstall (University of Bristol) May/June, 2011 17 / 48

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 34 Introduction We present a survey of low complexity differential cryptanalysis

844 views • 34 slides
Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below (half of) exhaustive search. Differential Cryptanalysis Note : In all the following discussion we ignore the existence of the initial and the final

330 views • 8 slides
Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential cryptanalysis Linear cryptanalysis Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and Linear Cryptanalysis Differential cryptanalysis Linear cryptanalysis Iterated block ciphers (DES,

910 views • 53 slides
Fault-based Cryptanalysis on Block Ciphers ASK 2015 Victor LOMNE ANSSI (French Network and

Fault-based Cryptanalysis on Block Ciphers ASK 2015 Victor LOMNE ANSSI (French Network and

Fault-based Cryptanalysis on Block Ciphers ASK 2015 Victor LOMNE ANSSI (French Network and Information Security Agency) Friday, October 2 nd , 2015 - Singapore Introduction| Fault Injection Means| Cryptanalysis methods| Countermeasures|

1.19k views • 69 slides
Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential

Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential

Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential cryptanalysis David Gerault LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier,

455 views • 26 slides
Multiple Differential Cryptanalysis: Theory and Practice C eline Blondeau, Beno t G

Multiple Differential Cryptanalysis: Theory and Practice C eline Blondeau, Beno t G

Multiple Differential Cryptanalysis: Theory and Practice C eline Blondeau, Beno t G erard SECRET-Project-Team, INRIA, France aaa FSE, February 14th, 2011 C.Blondeau and B.G erard. Multiple differential cryptanalysis 1/ 20

660 views • 28 slides
Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship between the difference of two inputs and the difference of the corresponding two outputs. - the difference M Z of two strings of bits Z and Z

556 views • 10 slides
Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010

Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010

Differential Fault Analysis of HC-128 Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010 May 03-06, 2010, Stellenbosch, South Africa Differential Fault Analysis of HC-128 Outline Fault analysis

374 views • 24 slides
Differential Cryptanalysis of Round-Reduced PRINT CIPHER : Computing Roots of Permutations

Differential Cryptanalysis of Round-Reduced PRINT CIPHER : Computing Roots of Permutations

Description of PRINT CIPHER Differential Cryptanalysis Computing roots of permutations Summary Differential Cryptanalysis of Round-Reduced PRINT CIPHER : Computing Roots of Permutations Mohamed Abdelraheem, Gregor Leander and Erik Zenner DTU

639 views • 21 slides
Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning Gatan Leurent

Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning Gatan Leurent

Chaskey ARX Cryptanalysis Improved Differential-Linear Conclusion Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning Gatan Leurent Inria, Paris Eurocrypt 2016 m 0 m 1 m 2 K K K Gatan

540 views • 36 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
Differential Cryptanalysis Debdeep Mukhopadhyay Assistant Professor Department of Computer

Differential Cryptanalysis Debdeep Mukhopadhyay Assistant Professor Department of Computer

Differential Cryptanalysis Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Concept of Differentials Propagation Ratio The

471 views • 15 slides
New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya Liu 1 ,

New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya Liu 1 ,

New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya Liu 1 , Leibo Li 2 , Dawu Gu 1 , Xiaoyun Wang 2,3 , Zhiqiang Liu 1 , Jiazhe Chen 2 , Wei Li 4 1. Shanghai Jiao Tong University, 2. Shangdong University 3.

472 views • 25 slides
Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier, Xiaolu Hou and Yang Liu 10 September 2018 1 / 25 Table of Contents Background and Motivation 1 Overview of DATAC DFA Automation Tool for

727 views • 25 slides
Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced AES Lorenzo Grassi, IAIK, TU Graz (Austria) March, 2019 www.iaik.tugraz.at Motivation At Eurocrypt 2017, the first secret-key distinguisher for

576 views • 42 slides
On the Security Margin of TinyJAMBU with Refined Differential and Linear Cryptanalysis Dhiman Saha

On the Security Margin of TinyJAMBU with Refined Differential and Linear Cryptanalysis Dhiman Saha

On the Security Margin of TinyJAMBU with Refined Differential and Linear Cryptanalysis Dhiman Saha 1 Yu Sasaki 2 Danping Shi 3,4 Ferdinand Sibleyras 5 Siwei Sun 3,4 Yingjie Zhang 3,4 1 de.ci.phe.red Lab, Department of Electrical Engineering and

444 views • 40 slides
EE817/IS893 CryptographyEngineeringand Cryptocurrency YongdaeKim

EE817/IS893 CryptographyEngineeringand Cryptocurrency YongdaeKim

EE817/IS893 CryptographyEngineeringand Cryptocurrency YongdaeKim Definition q A hashfunction isafunctionh compression

585 views • 47 slides
MPLS Basics Penultimate Hop Popping How a router determines the outgoing interface: Last Hop

MPLS Basics Penultimate Hop Popping How a router determines the outgoing interface: Last Hop

MPLS Basics Penultimate Hop Popping How a router determines the outgoing interface: Last Hop Router Without PHP Pentagramatical Body Popping? Penultimate Hop Popping Fancy-pants definition: In order to save an additional lookup on an

347 views • 7 slides
Presburger Arithmetic Reversal-Bounded Counter Machines St ephane Demri (demri@lsv.fr)

Presburger Arithmetic Reversal-Bounded Counter Machines St ephane Demri (demri@lsv.fr)

Presburger Arithmetic Reversal-Bounded Counter Machines St ephane Demri (demri@lsv.fr) October 16th, 2015 Slides and lecture notes http://www.lsv.fr/demri/notes-de-cours.html https://wikimpri.dptinfo.ens-cachan.fr/doku.

1.32k views • 76 slides
Math 3B: Lecture 21 Noah White November 9, 2016 Math Success Program Free one on one

Math 3B: Lecture 21 Noah White November 9, 2016 Math Success Program Free one on one

Math 3B: Lecture 21 Noah White November 9, 2016 Math Success Program Free one on one tutoring sessions Math Success Program Free one on one tutoring sessions Weekly drop in hours Math Success Program Free one on one tutoring

844 views • 61 slides
Introduction Sung-Eui Yoon ( ) Course URL: http://sgvr.kaist.ac.kr/~sungeui/CG About

Introduction Sung-Eui Yoon ( ) Course URL: http://sgvr.kaist.ac.kr/~sungeui/CG About

CS380: Computer Graphics Introduction Sung-Eui Yoon ( ) Course URL: http://sgvr.kaist.ac.kr/~sungeui/CG About the Instructor Notable recognitions Co-chairs at ACM Symp. on Interactive 3D Graphics and Games Test-of-time

758 views • 53 slides
Self-directed Support Use of direct payments to employ family members module Learning

Self-directed Support Use of direct payments to employ family members module Learning

Self-directed Support Use of direct payments to employ family members module Learning Objectives Gain an understanding of whats new in relation to employing family members Gain an understanding of when a payment may or may not

524 views • 20 slides
2 nd semester ENG NGLI LISH SH LA LANG NGUAGE AGE Topic 48: Solutions. Advanced. Unit 7

2 nd semester ENG NGLI LISH SH LA LANG NGUAGE AGE Topic 48: Solutions. Advanced. Unit 7

ACADEMIC LYCEUM INTERNATIONAL HOUSE TASHKENT 2 nd semester ENG NGLI LISH SH LA LANG NGUAGE AGE Topic 48: Solutions. Advanced. Unit 7 Review Intermediate control work 4 1. She ____ obsessed with rock climbing at a young age.

398 views • 7 slides
The Child Welfare System and Trafficking April 2nd, 2015 ERIN CONNER, MSW SOCIAL SERVICES

The Child Welfare System and Trafficking April 2nd, 2015 ERIN CONNER, MSW SOCIAL SERVICES

The Child Welfare System and Trafficking April 2nd, 2015 ERIN CONNER, MSW SOCIAL SERVICES PROGRAM CONSULTANT NC DIVISION OF SOCIAL SERVICES 1 Description of Session The presenter will summarize the current policy and practices of local

296 views • 14 slides

More recommend