Low Complexity Differential Cryptanalysis and Fault Analysis of AES



Slide 1

Low Complexity Differential Cryptanalysis and Fault Analysis of AES

Michael Tunstall May/June, 2011

Michael Tunstall (University of Bristol) May/June, 2011 1 / 34

Slide 2

Introduction

We present a survey of low complexity differential cryptanalysis and differential fault analysis of AES. We define low complexity to be:

◮ A low number of plaintext-ciphertext pairs.
◮ A feasible amount of computing power.

Inspired by the ePrint publication of Bouillaguet et al. (2010).


Slide 3

Preliminaries

The AES is a 10-round block cipher that transforms a plaintext $P = (p_1, p_2, \ldots, p_{16})_{(256)}$ to ciphertext $C = (c_1, c_2, \ldots, c_{16})_{(256)}$ using secret key $K = (k_1, k_2, \ldots, k_{16})_{(256)}$, each arranged into a $4 \times 4$ array of bytes:

$$
\begin{pmatrix} p_1 & p_5 & p_9 & p_{13} \\ p_2 & p_6 & p_{10} & p_{14} \\ p_3 & p_7 & p_{11} & p_{15} \\ p_4 & p_8 & p_{12} & p_{16} \end{pmatrix}
\rightarrow
\begin{pmatrix} c_1 & c_5 & c_9 & c_{13} \\ c_2 & c_6 & c_{10} & c_{14} \\ c_3 & c_7 & c_{11} & c_{15} \\ c_4 & c_8 & c_{12} & c_{16} \end{pmatrix} .
$$


Slide 4

Preliminaries

Each round of the AES consists of:

◮ AddRoundKey — An XOR with a subkey.
◮ SubBytes — A bytewise substitution (we will refer to this function as $S$).
◮ ShiftRows — The bytes in each row are rotated by 0, 1, 2, 3 places respectively.
◮ MixColumns — A matrix multiplication with

$$
\begin{pmatrix} 2 & 3 & 1 & 1 \\ 1 & 2 & 3 & 1 \\ 1 & 1 & 2 & 3 \\ 3 & 1 & 1 & 2 \end{pmatrix}
$$

using polynomial multiplication over $\mathbb{F}_{2^8}$ modulo the irreducible polynomial $x^8 + x^4 + x^3 + x + 1$.

The last round does not include the MixColumns function, but ends with a final XOR with a last subkey.


Slide 5

Observation 1

If we consider $y_1 \oplus y_2 = S(x_1) \oplus S(x_2)$, then for given XOR differences $\Delta x = x_1 \oplus x_2$ and $\Delta y = y_1 \oplus y_2$ the number of possible values for $\{x_1, x_2, y_1, y_2\}$ will be:

◮ Four with probability $\frac{1}{256}$
◮ Two with probability $\frac{126}{256}$
◮ Zero with probability $\frac{128}{256}$


Slide 6

Observation 2

We consider $a = \text{MixColumns}(b)$, where $a = (a_0, a_1, a_2, a_3)$ and $b = (b_0, b_1, b_2, b_3)$. Given any four bytes from $(a_0, a_1, a_2, a_3, b_0, b_1, b_2, b_3)$ the remaining four can be computed. Trivially, this is also true if we consider the XOR differentials, since if $a = \text{MixColumns}(b)$ and $a' = \text{MixColumns}(b')$ then $a \oplus a' = \text{MixColumns}(b \oplus b')$.


Slide 7

Observation 3

We consider $a \oplus a' = \text{MixColumns}(b \oplus b')$. Given the number of input bytes that differ in $b, b'$, the number of bytes that differ in the output will occur with the following probabilities:

# Bytes   Out(0)   Out(1)                    Out(2)                     Out(3)                     Out(4)
In(0)     1        -                         -                          -                          -
In(1)     -        -                         -                          -                          1
In(2)     -        -                         -                          4/255 ≈ 1/2^6              251/255
In(3)     -        -                         2/12675 ≈ 1/2^13.4         1004/65025 ≈ 1/2^6         12803/13005
In(4)     -        4/16581375 ≈ 1/2^22       502/5527125 ≈ 1/2^13.4     51212/3316275 ≈ 1/2^6      3264761/3316275


Slide 8

Models

We consider two models.

Chosen Plaintext Model — The standard model for differential cryptanalysis. An attacker is able to encipher arbitrary plaintexts under a fixed unknown secret key and recover the ciphertext. The practicality of an attack is influenced by the number of chosen plaintexts required to conduct a given attack. The time complexity of attacks in this model is measured in the number of enciphering operations, or equivalent, of the algorithm under attack.


Slide 9

Models

Chosen Difference Model — Proposed to correspond to differential fault analysis. The attacker is able to encipher two related but unknown plaintexts; that is, an attacker is able to encipher two plaintexts with a difference of a chosen size.

◮ That is, a difference where the number and position of bytes can be controlled but not the value of the difference.

The practicality of the attack is influenced by the number of pairs of ciphertexts required with a difference of a known size. The time complexity of attacks in this model is measured in the number of enciphering operations, or equivalent, of a full 10-round AES. We also assume that the attacker has access to an oracle that can be used to test whether a given key hypothesis is correct.


Slide 10

Attacking a Reduced Round AES

We define attacks against reduced round implementations of AES using the aforementioned models. In each case the last round does not include the MixColumns function.


Slide 11

One-Round AES: Chosen Plaintext Model

There is a widely known attack on one-round AES in the chosen plaintext model. For two arbitrary plaintexts $P, P'$ producing ciphertexts $C, C'$ we have

$$
c_i \oplus c'_i = S(p_i \oplus k_i) \oplus S(p'_i \oplus k_i)
$$

for $i \in \{1, \ldots, 16\}$. From Observation 1 we know each equation will produce approximately two possible values for each $k_i$, leading to $2^{16}$ hypotheses. Bouillaguet et al. (2010) note that two subkeys can be evaluated independently and have an intersection of $2^{12}$ hypotheses. This attack does not work in the chosen difference model as the difference is itself unknown.


Slide 12

Two-Round AES: Chosen Difference Model

The first differential fault analysis of AES was proposed by Piret and Quisquater (2003). If, for example, there is an XOR difference in four bytes it will propagate as follows:

$$
\begin{pmatrix} \theta_1 \\ \theta_2 \\ \theta_3 \\ \theta_4 \end{pmatrix}
\rightarrow
\begin{pmatrix} 2\alpha & \beta & \gamma & 3\delta \\ 3\alpha & 2\beta & \gamma & \delta \\ \alpha & 3\beta & 2\gamma & \delta \\ \alpha & \beta & 3\gamma & 2\delta \end{pmatrix}
\rightarrow
\begin{pmatrix} x_1 & x_5 & x_9 & x_{13} \\ x_2 & x_6 & x_{10} & x_{14} \\ x_3 & x_7 & x_{11} & x_{15} \\ x_4 & x_8 & x_{12} & x_{16} \end{pmatrix}
$$


Slide 13

Two-Round AES: Chosen Difference Model

If the last subkey is $K = (k_1, k_2, \ldots, k_{16})_{(256)}$ and the ciphertexts are $C = (c_1, c_2, \ldots, c_{16})_{(256)}$ and $C' = (c'_1, c'_2, \ldots, c'_{16})_{(256)}$, we can construct four sets of equations of the form

$$
\begin{aligned}
2\theta &= S^{-1}(c_1 \oplus k_1) \oplus S^{-1}(c'_1 \oplus k_1) \\
\theta &= S^{-1}(c_8 \oplus k_8) \oplus S^{-1}(c'_8 \oplus k_8) \\
\theta &= S^{-1}(c_{11} \oplus k_{11}) \oplus S^{-1}(c'_{11} \oplus k_{11}) \\
3\theta &= S^{-1}(c_{14} \oplus k_{14}) \oplus S^{-1}(c'_{14} \oplus k_{14}) ,
\end{aligned}
$$

which will give $2^8$ hypotheses for $\{k_1, k_8, k_{11}, k_{14}\}$, leading to $2^{32}$ hypotheses for $K$.

◮ (Time complexity)

Slide 14

Two-Round AES: Chosen Plaintext Model

Bouillaguet et al. (2010) note that if the plaintext is known then there are 127 possible values for each $\theta_i$ for $i \in \{1, 2, 3, 4\}$ (Observation 1). Then, given

$$
\begin{aligned}
2\theta &= S^{-1}(c_1 \oplus k_1) \oplus S^{-1}(c'_1 \oplus k_1) \\
\theta &= S^{-1}(c_8 \oplus k_8) \oplus S^{-1}(c'_8 \oplus k_8) \\
\theta &= S^{-1}(c_{11} \oplus k_{11}) \oplus S^{-1}(c'_{11} \oplus k_{11}) \\
3\theta &= S^{-1}(c_{14} \oplus k_{14}) \oplus S^{-1}(c'_{14} \oplus k_{14}) ,
\end{aligned}
$$

the equations will give $2^7$ hypotheses for $\{k_1, k_8, k_{11}, k_{14}\}$, leading to $2^{28}$ hypotheses.

◮ (Time complexity)

Slide 15

Three-Round AES: Chosen Difference Model

The same attack as previously can be constructed if we consider a difference in one byte:

$$
\begin{pmatrix} \zeta \end{pmatrix}
\rightarrow
\begin{pmatrix} 2\theta \\ 3\theta \\ \theta \\ \theta \end{pmatrix}
\rightarrow
\begin{pmatrix} 2\alpha & \beta & \gamma & 3\delta \\ 3\alpha & 2\beta & \gamma & \delta \\ \alpha & 3\beta & 2\gamma & \delta \\ \alpha & \beta & 3\gamma & 2\delta \end{pmatrix}
\rightarrow
\begin{pmatrix} x_1 & x_5 & x_9 & x_{13} \\ x_2 & x_6 & x_{10} & x_{14} \\ x_3 & x_7 & x_{11} & x_{15} \\ x_4 & x_8 & x_{12} & x_{16} \end{pmatrix}
$$

Using the same technique as presented previously we can generate $2^{32}$ key hypotheses. One can then generate $2^8$ hypotheses with a time complexity of $2^{32}/10 \approx 2^{28.5}$.


Slide 16

Three-Round AES: Chosen Plaintext Model

Given Observation 1 we can note that $\theta$ will have $2^7$ possible values rather than the $2^8$ considered in the previous attack, producing $2^7$ hypotheses with a time complexity of $2^{32}/3 \approx 2^{30.5}$.


Slide 17

Four-Round AES: Chosen Plaintext Model

— Meet-in-the-Middle Attack —

Bouillaguet et al. (2010) describe an attack that requires ten plaintext-ciphertext pairs, where the plaintexts differ in four bytes. Guessing four bytes of the last subkey ($K_5$) and one byte of the penultimate key ($K_4$), we can predict $X_i$ for $i \in \{1, 2, \ldots, 10\}$:

$$
\begin{pmatrix} X_i \end{pmatrix}
\rightarrow \text{ShiftRows} \rightarrow \text{SubBytes} \rightarrow \oplus\,\text{MixColumns}^{-1}(K_4) \rightarrow \text{MixColumns} \rightarrow \text{ShiftRows} \rightarrow \text{SubBytes} \rightarrow \oplus K_5 \rightarrow
\begin{pmatrix} c_1 & c_5 & c_9 & c_{13} \\ c_2 & c_6 & c_{10} & c_{14} \\ c_3 & c_7 & c_{11} & c_{15} \\ c_4 & c_8 & c_{12} & c_{16} \end{pmatrix}
$$


Slide 18

Four-Round AES: Chosen Plaintext Model

— Meet-in-the-Middle Attack —

We can then compute $X_1 \oplus X_2, X_2 \oplus X_3, \ldots, X_9 \oplus X_{10}$. This gives us the XOR differences before the XOR with the third subkey $K_3$. The values $X_1 \oplus X_2, X_2 \oplus X_3, \ldots, X_9 \oplus X_{10}$ are then put in a hash table. Time complexity of $2^{40} \times 10/4 \approx 2^{41}$.


Slide 19

Four-Round AES: Chosen Plaintext Model

— Meet-in-the-Middle Attack —

Guessing four bytes of the first subkey ($K_1$) and one byte of the second key ($K_2$), we can predict $Y_i$ for $i \in \{1, 2, \ldots, 10\}$:

$$
\begin{pmatrix} p_1 & p_5 & p_9 & p_{13} \\ p_2 & p_6 & p_{10} & p_{14} \\ p_3 & p_7 & p_{11} & p_{15} \\ p_4 & p_8 & p_{12} & p_{16} \end{pmatrix}
\rightarrow \oplus K_0 \rightarrow \text{ShiftRows} \rightarrow \text{SubBytes} \rightarrow \text{MixColumns} \rightarrow \oplus K_1 \rightarrow \text{ShiftRows} \rightarrow \text{SubBytes} \rightarrow
\begin{pmatrix} Y_i & - & - & - \\ - & - & - & - \\ - & - & - & - \\ - & - & - & - \end{pmatrix}
$$

This also has a time complexity of $2^{40} \times 10/4 \approx 2^{41}$.


Slide 20

Four-Round AES: Chosen Plaintext Model

— Meet-in-the-Middle Attack —

Again we can compute $Y_1 \oplus Y_2, Y_2 \oplus Y_3, \ldots, Y_9 \oplus Y_{10}$. This gives the difference before, and therefore after, the MixColumns function in the second round.

◮ For each $i \in \{1, 2, \ldots, 9\}$ and $j = i + 1$:

$$
\begin{pmatrix} Y_i \oplus Y_j & - & - & - \\ - & - & - & - \\ - & - & - & - \\ - & - & - & - \end{pmatrix}
\rightarrow \text{MixColumns} \rightarrow
\begin{pmatrix} 2\,(Y_i \oplus Y_j) & - & - & - \\ 3\,(Y_i \oplus Y_j) & - & - & - \\ Y_i \oplus Y_j & - & - & - \\ Y_i \oplus Y_j & - & - & - \end{pmatrix}
$$

Collisions on all $2\,(Y_i \oplus Y_j)$ and $X_i \oplus X_j$ give $2^8$ hypotheses for

◮ four bytes of $K_0$ and $K_5$ and one byte of $K_1$ and $K_4$.

Slide 21

Four-Round AES: Chosen Plaintext/Difference Model

— Meet-in-the-Middle Attack —

This process can be repeated four times to produce $2^{32}$ hypotheses for the last subkey. These hypotheses can be tested by exhaustive search, or by checking the coherence with hypotheses on other subkeys. However, this attack cannot be used in the chosen difference model since the plaintexts need to be known.


Slide 22

Four-Round AES: Chosen Difference Model

— Differential Attack —

For a difference in four bytes:

$$
\begin{pmatrix} \zeta_1 \\ \zeta_2 \\ \zeta_3 \\ \zeta_4 \end{pmatrix}
\rightarrow
\begin{pmatrix} \theta_1 \\ \theta_2 \\ \theta_3 \\ \theta_4 \end{pmatrix}
\rightarrow
\begin{pmatrix} 2\gamma_1 & \gamma_2 & \gamma_3 & 3\gamma_4 \\ 3\gamma_1 & 2\gamma_2 & \gamma_3 & \gamma_4 \\ \gamma_1 & 3\gamma_2 & 2\gamma_3 & \gamma_4 \\ \gamma_1 & \gamma_2 & 3\gamma_3 & 2\gamma_4 \end{pmatrix}
\rightarrow
\begin{pmatrix} \epsilon_1 & \epsilon_5 & \epsilon_9 & \epsilon_{13} \\ \epsilon_2 & \epsilon_6 & \epsilon_{10} & \epsilon_{14} \\ \epsilon_3 & \epsilon_7 & \epsilon_{11} & \epsilon_{15} \\ \epsilon_4 & \epsilon_8 & \epsilon_{12} & \epsilon_{16} \end{pmatrix}
\rightarrow
\begin{pmatrix} x_1 & x_5 & x_9 & x_{13} \\ x_2 & x_6 & x_{10} & x_{14} \\ x_3 & x_7 & x_{11} & x_{15} \\ x_4 & x_8 & x_{12} & x_{16} \end{pmatrix}
$$

There does not appear to be a method of deriving the secret key that would be significantly quicker than an exhaustive key search.


Slide 23

Four-Round AES: Chosen Difference Model

— Differential Attack —

However, if we assume that $\theta_4 = 0$ then:

$$
\begin{pmatrix} \zeta_1 \\ \zeta_2 \\ \zeta_3 \\ \zeta_4 \end{pmatrix}
\rightarrow
\begin{pmatrix} \theta_1 \\ \theta_2 \\ \theta_3 \\ \theta_4 \end{pmatrix}
\rightarrow
\begin{pmatrix} 2\gamma_1 & \gamma_2 & \gamma_3 & \cdot \\ 3\gamma_1 & 2\gamma_2 & \gamma_3 & \cdot \\ \gamma_1 & 3\gamma_2 & 2\gamma_3 & \cdot \\ \gamma_1 & \gamma_2 & 3\gamma_3 & \cdot \end{pmatrix}
\rightarrow
$$

$$
\begin{pmatrix}
2a_1 \oplus 3a_2 \oplus a_3 & 2b_1 \oplus 3b_2 \oplus b_3 & 2c_1 \oplus c_2 \oplus c_3 & 3d_1 \oplus d_2 \oplus d_3 \\
a_1 \oplus 2a_2 \oplus 3a_3 & b_1 \oplus 2b_2 \oplus b_3 & c_1 \oplus 3c_2 \oplus c_3 & 2d_1 \oplus 3d_2 \oplus d_3 \\
a_1 \oplus a_2 \oplus 2a_3 & b_1 \oplus b_2 \oplus 3b_3 & c_1 \oplus 2c_2 \oplus 3c_3 & d_1 \oplus 2d_2 \oplus 3d_3 \\
3a_1 \oplus a_2 \oplus a_3 & 3b_1 \oplus b_2 \oplus 2b_3 & 3c_1 \oplus c_2 \oplus 2c_3 & d_1 \oplus d_2 \oplus 2d_3
\end{pmatrix}
\rightarrow
\begin{pmatrix} x_1 & x_5 & x_9 & x_{13} \\ x_2 & x_6 & x_{10} & x_{14} \\ x_3 & x_7 & x_{11} & x_{15} \\ x_4 & x_8 & x_{12} & x_{16} \end{pmatrix}
$$


Slide 24

Four-Round AES: Chosen Difference Model

— Differential Attack —

At the end of the third round there is a difference that is a combination of three unknown bytes. This can reduce the four sets of $2^{32}$ key hypotheses to four sets of $2^{24}$ hypotheses, that is, a total reduction from $2^{128} \rightarrow 2^{96}$ hypotheses. More pairs of ciphertexts can then be used to reduce the number of hypotheses; four such observations would be expected to reduce $2^{128} \rightarrow 1$ hypotheses. Any remaining hypotheses can be checked by verifying the existence of the structure in the round before.


Slide 25

Four-Round AES: Chosen Difference Model

— Differential Attack —

We have no way of knowing whether one of the $\theta_i$ for $i \in \{1, 2, 3, 4\}$ is zero. However, the probability of one of the $\theta_i$ for $i \in \{1, 2, 3, 4\}$ being equal to zero is $1/2^6$ (Observation 3). We would therefore expect to have 4 such occurrences within 256 observations. One can then search through the $4^4 \binom{256}{4} \approx 2^{35}$ possible combinations. Evaluating a set of equations is approximately equivalent to $2^9$ executions of AES. Overall time complexity $\approx 2^{46}$.


Slide 26

Four-Round AES: Chosen Plaintext Model

— Differential Attack —

As previously, there is more information if we consider a chosen plaintext model. If we have 24 distinct plaintexts there are $\binom{24}{2} = 276$ possible ways of comparing two plaintexts. One can then conduct an attack with time complexity $\approx 2^{47}$.


Slide 27

Four-Round AES: Chosen Plaintext Model

— Square Attack —

An attack described in the original specification of AES. If we consider 256 distinct plaintexts that differ in only one byte, the XOR sum of the state matrix after three rounds will be zero. This property persists until the SubBytes function in the subsequent round. With 256 chosen plaintexts and a four-round AES one can verify that this property holds, leaving $2^{16}$ key hypotheses. Repeating this with another set of 256 distinct plaintexts will reduce the number of key hypotheses to one.


Slide 28

Four-Round AES: Chosen Difference Model

— Square Attack —

Phan and Yen (2006) proposed that this attack would work in the same manner for differential fault analysis. In our chosen difference model we cannot choose the values, so one has to collect all 256 possible ciphertexts: an instance of the Coupon Collector's problem as described by Knuth. One would expect to need some $1560 \approx 2^{11}$ ciphertexts for one set of 256 distinct ciphertexts. Requires an exhaustive search of $2^{16}$.
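The figure of roughly 1560 follows from the Coupon Collector expectation; the derivation below is added here and is not on the slide. If each acquisition yields one of $n = 256$ byte values uniformly at random, the expected number of acquisitions needed to see all of them is

$$
E = n \cdot H_n = 256 \sum_{i=1}^{256} \frac{1}{i} \approx 256 \times 6.124 \approx 1568 \approx 2^{10.6},
$$

which the slide rounds to some $1560 \approx 2^{11}$. The same $n H_n$ term, multiplied by five, gives the $5 \times 1560 \approx 2^{13}$ acquisitions quoted for the five-round Square attack.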


Slide 29

Four-Round AES: Chosen Plaintext Model

— Impossible Differential Attack —

Biham and Keller (1999). If we have an XOR difference in one byte on entry to the MixColumns function, all four bytes will be different on output (Observation 3):

$$
\begin{pmatrix} \zeta \end{pmatrix}
\rightarrow
\begin{pmatrix} 2\theta \\ 3\theta \\ \theta \\ \theta \end{pmatrix}
\rightarrow
\begin{pmatrix} 2\gamma_1 & \gamma_2 & \gamma_3 & 3\gamma_4 \\ 3\gamma_1 & 2\gamma_2 & \gamma_3 & \gamma_4 \\ \gamma_1 & 3\gamma_2 & 2\gamma_3 & \gamma_4 \\ \gamma_1 & \gamma_2 & 3\gamma_3 & 2\gamma_4 \end{pmatrix}
\rightarrow
\begin{pmatrix} \epsilon_1 & \epsilon_5 & \epsilon_9 & \epsilon_{13} \\ \epsilon_2 & \epsilon_6 & \epsilon_{10} & \epsilon_{14} \\ \epsilon_3 & \epsilon_7 & \epsilon_{11} & \epsilon_{15} \\ \epsilon_4 & \epsilon_8 & \epsilon_{12} & \epsilon_{16} \end{pmatrix}
\rightarrow
\begin{pmatrix} x_1 & x_5 & x_9 & x_{13} \\ x_2 & x_6 & x_{10} & x_{14} \\ x_3 & x_7 & x_{11} & x_{15} \\ x_4 & x_8 & x_{12} & x_{16} \end{pmatrix}
$$

This property persists until the beginning of the MixColumns in the following round.


Slide 30

Four-Round AES: Chosen Plaintext Model

— Impossible Differential Attack —

Hypotheses can be verified in sets of 32 bits by conducting a partial decryption and checking that the difference before the MixColumns operation in the penultimate round contains no bytes equal to zero.

$$
\oplus\,\text{MixColumns}^{-1}(k_9) \rightarrow \text{MixColumns} \rightarrow \text{ShiftRows} \rightarrow \text{SubBytes} \rightarrow \oplus k_{10} \rightarrow
\begin{pmatrix} x_1 & x_5 & x_9 & x_{13} \\ x_2 & x_6 & x_{10} & x_{14} \\ x_3 & x_7 & x_{11} & x_{15} \\ x_4 & x_8 & x_{12} & x_{16} \end{pmatrix}
$$


Slide 31

Four-Round AES: Chosen Plaintext/Difference Model

— Impossible Differential Attack —

Conducting this analysis $2^{11}$ times allows the last subkey to be determined. The time complexity of this attack is $2^{32}$ single round decryptions per ciphertext, i.e. $2^{11} \cdot (2^{32}/4) \approx 2^{41}$.

Phan and Yen (2006) proposed that this attack would work in the same manner for differential fault analysis. The number of acquisitions remains the same, $2^{11}$. The time complexity of this attack is $2^{32}$ single round decryptions per ciphertext, i.e. $2^{11} \cdot (2^{32}/10) \approx 2^{39.5}$.


Slide 32

Five-Round AES: Chosen Plaintext Model

— Square Attack —

Again, an attack described in the original specification of AES.

$$
\text{SubBytes} \rightarrow \oplus\,\text{MixColumns}^{-1}(k_9) \rightarrow \text{MixColumns} \rightarrow \text{ShiftRows} \rightarrow \text{SubBytes} \rightarrow \oplus k_{10} \rightarrow
\begin{pmatrix} x_1 & x_5 & x_9 & x_{13} \\ x_2 & x_6 & x_{10} & x_{14} \\ x_3 & x_7 & x_{11} & x_{15} \\ x_4 & x_8 & x_{12} & x_{16} \end{pmatrix}
$$

One can make hypotheses on individual bytes of $\text{MixColumns}^{-1}(k_9)$ by verifying the property that 256 states have an XOR sum of zero. This requires 32 bits of $k_{10}$ to be guessed for groups of four bytes. Requires five sets of 256 plaintext-ciphertext pairs, and a time complexity of $2^{40}$.


Slide 33

Five-Round AES: Chosen Difference Model

— Square Attack —

As with the four-round Square attack, one requires 5 sets of 256 ciphertexts, leading to $5 \times 1560 \approx 2^{13}$. Time complexity $2^{39}$.


Slide 34

Conclusion

A survey of low complexity differential cryptanalysis and fault analysis of AES. Some minor improvements are included for 1–3 round AES. A new differential cryptanalysis of four-round AES.

◮ Applicable to both the Chosen Plaintext and Chosen Difference Models.

Re-evaluate the Square and Impossible Differential attacks in terms of a model corresponding to differential fault analysis.
