protecting against statistical ineffective fault attacks
play

Protecting against Statistical Ineffective Fault Attacks Joan - PowerPoint PPT Presentation

Dec 22, 2022 •311 likes •964 views

Protecting against Statistical Ineffective Fault Attacks Joan Daemen, Christoph Dobraunig, Maria Eichlseder, Hannes Gross, Florian Mendel and Robert Primas CHES 2020 Motivation www.tugraz.at Using crypto in the wild requires:

  1. Protecting against Statistical Ineffective Fault Attacks Joan Daemen, Christoph Dobraunig, Maria Eichlseder, Hannes Gross, Florian Mendel and Robert Primas CHES 2020

  2. Motivation www.tugraz.at Using crypto in the wild requires: • Mathematically secure cryptographic schemes 1 0 1 0 0 1 1 1 Robert Primas — CHES 2020

  3. Motivation www.tugraz.at Using crypto in the wild requires: • Mathematically secure cryptographic schemes • Additional defenses mechanisms against implementation attacks: 1 Robert Primas — CHES 2020

  4. Motivation www.tugraz.at Using crypto in the wild requires: • Mathematically secure cryptographic schemes • Additional defenses mechanisms against implementation attacks: Power Analysis Fault Attacks 1 Robert Primas — CHES 2020

  5. Motivation www.tugraz.at • Statistical Ineffective Fault Attacks (SIFA) were first presented at CHES2018: • Work against block ciphers, AEAD, etc . . . • Circumvent redundancy/infection countermeasures • Only one fault injection per cipher execution 2 Robert Primas — CHES 2020

  6. Motivation www.tugraz.at • Statistical Ineffective Fault Attacks (SIFA) were first presented at CHES2018: • Work against block ciphers, AEAD, etc . . . • Circumvent redundancy/infection countermeasures • Only one fault injection per cipher execution • In a follow-up at ASIACRYPT2018 it was shown that: • SIFA can additionally circumvent (higher-order) masking/TI 2 Robert Primas — CHES 2020

  7. Motivation www.tugraz.at • Statistical Ineffective Fault Attacks (SIFA) were first presented at CHES2018: • Work against block ciphers, AEAD, etc . . . • Circumvent redundancy/infection countermeasures • Only one fault injection per cipher execution • In a follow-up at ASIACRYPT2018 it was shown that: • SIFA can additionally circumvent (higher-order) masking/TI • Proposed countermeasures at the time: • Error correction • Hiding • Self destruction 2 Robert Primas — CHES 2020

  8. Motivation cont. www.tugraz.at • Many proposed SIFA countermeasures so far utilize error correction: • Rather expensive (masking!) • How much error correction is necessary? • What about DFA? 3 Robert Primas — CHES 2020

  9. Motivation cont. www.tugraz.at • Many proposed SIFA countermeasures so far utilize error correction: • Rather expensive (masking!) • How much error correction is necessary? • What about DFA? • We propose efficient SIFA countermeasure strategies: • “Careful” combination of redundancy with masking • Low overhead for lightweight schemes • Moderate overhead for “bulky” schemes like AES 3 Robert Primas — CHES 2020

  10. Statistical Fault Attacks on AES-128 www.tugraz.at P N : SHIFT ROWS ROUND 8 MIX COLUMNS KEY ADD • AES is a PRP: SUB BYTES ROUND 9 • Distribution of ciphertext bytes is SHIFT ROWS MIX COLUMNS uniform KEY ADD • (Also after only 9 rounds) ROUND 10 SUB BYTES SHIFT ROWS KEY ADD C N Fuhr et al. [Fuh+13] 4 Robert Primas — CHES 2020

  11. Statistical Fault Attacks on AES-128 www.tugraz.at P N : SHIFT ROWS ROUND 8 MIX COLUMNS • Assume fault that disturbs distribution KEY ADD of one state byte in round 9 SUB BYTES ROUND 9 • Stuck-at, bitflip, random, etc. SHIFT ROWS MIX COLUMNS • Attacker does not need to know the KEY ADD caused bias ROUND 10 SUB BYTES • 4 ciphertext bytes are affected SHIFT ROWS KEY ADD C N Fuhr et al. [Fuh+13] 4 Robert Primas — CHES 2020

  12. Statistical Fault Attacks on AES-128 www.tugraz.at P N : SHIFT ROWS ROUND 8 MIX COLUMNS KEY ADD • 4 state bytes in round 9 can be SUB BYTES ROUND 9 calculated from: SHIFT ROWS MIX COLUMNS • 4 ciphertext bytes KEY ADD • 4 key bytes ROUND 10 SUB BYTES SHIFT ROWS KEY ADD C N Fuhr et al. [Fuh+13] 4 Robert Primas — CHES 2020

  13. Statistical Fault Attacks on AES-128 www.tugraz.at : SHIFT ROWS ROUND 8 MIX COLUMNS KEY ADD • 4 state bytes in round 9 can be SUB BYTES ROUND 9 calculated from: SHIFT ROWS MIX COLUMNS • 4 ciphertext bytes KEY ADD • 4 key bytes (correct) ROUND 10 SUB BYTES SHIFT ROWS KEY ADD C N Fuhr et al. [Fuh+13] 4 Robert Primas — CHES 2020

  14. Statistical Fault Attacks on AES-128 www.tugraz.at : SHIFT ROWS ROUND 8 MIX COLUMNS KEY ADD • 4 state bytes in round 9 can be SUB BYTES ROUND 9 calculated from: SHIFT ROWS MIX COLUMNS • 4 ciphertext bytes KEY ADD • 4 key bytes (incorrect) ROUND 10 SUB BYTES SHIFT ROWS KEY ADD C N Fuhr et al. [Fuh+13] 4 Robert Primas — CHES 2020

  15. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at P N : : SHIFT ROWS SHIFT ROWS ROUND 8 MIX COLUMNS MIX COLUMNS KEY ADD KEY ADD • Redundant computation fixes the SUB BYTES SUB BYTES ROUND 9 SHIFT ROWS SHIFT ROWS problem! MIX COLUMNS MIX COLUMNS KEY ADD KEY ADD ROUND 10 SUB BYTES SUB BYTES SHIFT ROWS SHIFT ROWS KEY ADD KEY ADD C 1 C N 5 Robert Primas — CHES 2020

  16. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at P N : : SHIFT ROWS SHIFT ROWS ROUND 8 MIX COLUMNS MIX COLUMNS KEY ADD KEY ADD • Redundant computation fixes the SUB BYTES SUB BYTES ROUND 9 SHIFT ROWS SHIFT ROWS problem! MIX COLUMNS MIX COLUMNS • Except it doesn’t KEY ADD KEY ADD ROUND 10 SUB BYTES SUB BYTES SHIFT ROWS SHIFT ROWS KEY ADD KEY ADD C 1 Dobraunig et al. [Dob+18b] C N 5 Robert Primas — CHES 2020

  17. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at : SHIFT ROWS ROUND 8 • For simplicity, assume stuck-at zero MIX COLUMNS KEY ADD fault (others work as well) SUB BYTES • “Effective” faults are filtered out ROUND 9 SHIFT ROWS MIX COLUMNS • Correct ciphertexts still show bias in KEY ADD round 9 ROUND 10 SUB BYTES SHIFT ROWS • Exploitation works same as before KEY ADD C 1 C N Dobraunig et al. [Dob+18b] 5 Robert Primas — CHES 2020

  18. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at : SHIFT ROWS ROUND 8 • For simplicity, assume stuck-at zero MIX COLUMNS KEY ADD fault (others work as well) SUB BYTES • “Effective” faults are filtered out ROUND 9 SHIFT ROWS MIX COLUMNS • Correct ciphertexts still show bias in KEY ADD round 9 ROUND 10 SUB BYTES SHIFT ROWS • Exploitation works same as before KEY ADD C 1 C N Dobraunig et al. [Dob+18b] 5 Robert Primas — CHES 2020

  19. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at P N : : : SHIFT ROWS SHIFT ROWS ROUND 8 MIX COLUMNS MIX COLUMNS KEY ADD KEY ADD SUB BYTES SUB BYTES ROUND 9 • Masking fixes the problem! SHIFT ROWS SHIFT ROWS MIX COLUMNS MIX COLUMNS KEY ADD KEY ADD ROUND 10 SUB BYTES SUB BYTES SHIFT ROWS SHIFT ROWS KEY ADD KEY ADD C 1 Dobraunig et al. [Dob+18b] C N 5 Robert Primas — CHES 2020

  20. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at P N : : : SHIFT ROWS SHIFT ROWS ROUND 8 MIX COLUMNS MIX COLUMNS KEY ADD KEY ADD SUB BYTES SUB BYTES ROUND 9 • Masking fixes the problem! SHIFT ROWS SHIFT ROWS MIX COLUMNS MIX COLUMNS KEY ADD KEY ADD ROUND 10 SUB BYTES SUB BYTES SHIFT ROWS SHIFT ROWS KEY ADD KEY ADD C 1 Dobraunig et al. [Dob+18b] C N 5 Robert Primas — CHES 2020

  21. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at P N : : : SHIFT ROWS SHIFT ROWS ROUND 8 MIX COLUMNS MIX COLUMNS KEY ADD KEY ADD SUB BYTES SUB BYTES ROUND 9 • Masking fixes the problem! SHIFT ROWS SHIFT ROWS MIX COLUMNS MIX COLUMNS • Except it doesn’t KEY ADD KEY ADD ROUND 10 SUB BYTES SUB BYTES SHIFT ROWS SHIFT ROWS KEY ADD KEY ADD C 1 Dobraunig et al. [Dob+18a] C N 5 Robert Primas — CHES 2020

  22. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at P N : : : SHIFT ROWS SHIFT ROWS ROUND 8 MIX COLUMNS MIX COLUMNS x 0 z 0 KEY ADD KEY ADD y 0 R SUB BYTES SUB BYTES y 1 ROUND 9 • Masking fixes the problem! SHIFT ROWS SHIFT ROWS x 1 z 1 MIX COLUMNS MIX COLUMNS • Except it doesn’t KEY ADD KEY ADD ROUND 10 SUB BYTES SUB BYTES SHIFT ROWS SHIFT ROWS KEY ADD KEY ADD C 1 Dobraunig et al. [Dob+18a] C N 5 Robert Primas — CHES 2020

  23. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at x 0 z 0 • Masked AND-gate y 0 ~ • Naturally, when x and y are uniform R z y 1 then z has bias towards 0 0 1 0 1 z 1 x 1 Dobraunig et al. [Dob+18a] 5 Robert Primas — CHES 2020

  24. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at • Assume a fault causes difference in x 0 (to redundant computation) x 0 z 0 y 0 ~ R z y 1 0 1 z 1 x 1 Dobraunig et al. [Dob+18a] 5 Robert Primas — CHES 2020

  25. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at • Assume a fault causes difference in x 0 (to redundant computation) x 0 z 0 • Difference cancels if either: y 0 • y 0 , y 1 are both 0 ~ R z y 1 0 1 z 1 x 1 Dobraunig et al. [Dob+18a] 5 Robert Primas — CHES 2020

  26. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at • Assume a fault causes difference in x 0 (to redundant computation) x 0 z 0 • Difference cancels if either: y 0 • y 0 , y 1 are both 0 ~ R z • y 0 , y 1 are both 1 y 1 0 1 z 1 x 1 Dobraunig et al. [Dob+18a] 5 Robert Primas — CHES 2020

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph Dobraunig, Maria Eichlseder, Hannes Gross, Stefan Mangard, Florian Mendel, Robert Primas ASIACRYPT 2018 IAIK - Graz University of Technology www.tugraz.at

1.01k views • 78 slides
SIFA Statistical Ineffective Fault Attacks Rump Session at CHES 2018 Based on work of:

SIFA Statistical Ineffective Fault Attacks Rump Session at CHES 2018 Based on work of:

SIFA Statistical Ineffective Fault Attacks Rump Session at CHES 2018 Based on work of: Christoph Dobraunig, Maria Eichlseder, Hannes Gro, Thomas Korak, Stefan Mangard, Florian Mendel, Robert Primas Are Protected Implementations Hard to

413 views • 17 slides
Statistical Fault Attacks Revisited Application to Authenticated Encryption C. Dobraunig, M.

Statistical Fault Attacks Revisited Application to Authenticated Encryption C. Dobraunig, M.

Statistical Fault Attacks Revisited Application to Authenticated Encryption C. Dobraunig, M. Eichlseder, T. Korak, V. Lomn e, F. Mendel ASK 2016 The research leading to these results has received funding from the European Unions Horizon

551 views • 26 slides
Protecting the Control Flow of Embedded Processors against Fault Attacks Mario Werner 1 , Erich

Protecting the Control Flow of Embedded Processors against Fault Attacks Mario Werner 1 , Erich

W I S S E N T E C H N I K L E I D E N S C H A F T Protecting the Control Flow of Embedded Processors against Fault Attacks Mario Werner 1 , Erich Wenger 2 , and Stefan Mangard 1 , 1 Graz University of Technology 2 Infineon

552 views • 32 slides
PROTECTING ECC AGAINST FAULT ATTACKS Marc Joye NutMiC 2019 Paris, June 2427, 2019

PROTECTING ECC AGAINST FAULT ATTACKS Marc Joye NutMiC 2019 Paris, June 2427, 2019

Innovation Centre PROTECTING ECC AGAINST FAULT ATTACKS Marc Joye NutMiC 2019 Paris, June 2427, 2019 September 26, 1996 Bellcores Researchers Break Smart Cards BELLCORE ATTACK (1/2) Computation of a signature S = ( m ) d mod N

503 views • 24 slides
Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M.

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M.

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M. Eichlseder 1 , T. Korak 1 , V. Lomn e 2 , F. Mendel 1 AsiaCrypt 2016 1 Graz University of Technology, Austria 2 ANSSI, Paris, France

602 views • 27 slides
Protecting Against Fault Injection Attacks: from CRT-RSA to all Asymmetric Cryptography Pablo

Protecting Against Fault Injection Attacks: from CRT-RSA to all Asymmetric Cryptography Pablo

Protecting Against Fault Injection Attacks: from CRT-RSA to all Asymmetric Cryptography Pablo Rauzy Sylvain Guilley rauzy@enst.fr guilley@enst.fr pablo.rauzy.name perso.enst.fr/ guilley TELECOM ParisTech CNRS LTCI / COMELEC / SEN S

896 views • 64 slides
SIFA: Exploiting Ineffective Fault Inductions on Symmetric Cryptography Christoph Dobraunig 1 ,

SIFA: Exploiting Ineffective Fault Inductions on Symmetric Cryptography Christoph Dobraunig 1 ,

SIFA: Exploiting Ineffective Fault Inductions on Symmetric Cryptography Christoph Dobraunig 1 , Maria Eichlseder 1 , Thomas Korak 2 , Stefan Mangard 1 , Florian Mendel 2 , Robert Primas 1 1 Graz University of Technology, Austria

730 views • 54 slides
Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia

Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia

Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia Laguna, Sardinia (Italy) 19 October 2015 Introduction to Fault Attacks 19 October 2015 What are fault attacks? Active attacks against

571 views • 27 slides
Findings Port Security is ineffective at preventing 3 different MAC Spoofing attacks in

Findings Port Security is ineffective at preventing 3 different MAC Spoofing attacks in

M EDIA A CCESS C ONTROL (MAC) A DDRESS S POOFING A TTACKS AGAINST P ORT S ECURITY Andrew Buhr, Dale Lindskog, Pavol Zavarsky, Ron Ruhl Concordia University College of Alberta Findings Port Security is ineffective at preventing 3 different

455 views • 24 slides
Reverse Engineering of a Secret AES-like Cipher by Ineffective Fault Analysis Antoine Wurcker

Reverse Engineering of a Secret AES-like Cipher by Ineffective Fault Analysis Antoine Wurcker

Introduction Scope of the Attack Attack Steps Conclusion Reverse Engineering of a Secret AES-like Cipher by Ineffective Fault Analysis Antoine Wurcker Christophe Clavier antoine.wurcker@xlim.fr christophe.clavier@unilim.fr Universit e

535 views • 51 slides
Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France

Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France

Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France November 16, 2017 Cryptacus Workshop, Nijmegen, Netherlands the attacker only needs unprivileged execution on the victims machine

1.99k views • 164 slides
Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics, University of Auckland PQCrypto 2017, 26th of June 1/15 Outline 1 Preliminaries Introduction Supersingular isogenies SSI cryptosystems 2 Fault attack

378 views • 33 slides
Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier, Xiaolu Hou and Yang Liu 10 September 2018 1 / 25 Table of Contents Background and Motivation 1 Overview of DATAC DFA Automation Tool for

727 views • 25 slides
Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Introduction Threats Setups Attacks Countermeasures Conclusion 1 / 31 Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of Cryptographic Algorithms and Devices for Real-World Applications Sibenik,

849 views • 31 slides
Defeating TLS client authentication using fault attacks Who are we ? R&D dept. @

Defeating TLS client authentication using fault attacks Who are we ? R&D dept. @

Defeating TLS client authentication using fault attacks Who are we ? R&D dept. @ Security Evaluation Kudelski Security Lab @ Kudelski IoT Embedded systems Hardware attacks security research Glitch / EM Reverse

889 views • 51 slides
Redundant Booting with U-Boot Welcome to the Redundancy Theater Playhouse Thomas Rini 1 2

Redundant Booting with U-Boot Welcome to the Redundancy Theater Playhouse Thomas Rini 1 2

Redundant Booting with U-Boot Welcome to the Redundancy Theater Playhouse Thomas Rini 1 2 Overview Historically how redundancy has been developed and implemented What we have today And have had for a while What we'll have soon

344 views • 9 slides
Database Management Limitations of Relational Database Designs Systems Provides a set of

Database Management Limitations of Relational Database Designs Systems Provides a set of

Lecture 2 Database Management Limitations of Relational Database Designs Systems Provides a set of guidelines, does not result in a unique database schema Winter 2004 Does not provide a way of evaluating alternative schemas CMPUT

387 views • 17 slides
Automated Software Testing with Inferred Program Properties Tao Xie Dept. of Computer Science

Automated Software Testing with Inferred Program Properties Tao Xie Dept. of Computer Science

Automated Software Testing with Inferred Program Properties Tao Xie Dept. of Computer Science & Engineering University of Washington Joint work with David Notkin July 2004 Motivation Existing automated test generation tools are

638 views • 43 slides
Motivation Some expressions in a program may cause redundant recomputation of values. If such

Motivation Some expressions in a program may cause redundant recomputation of values. If such

Motivation Some expressions in a program may cause redundant recomputation of values. If such recomputation is safely eliminated, the program will usually become faster. There exist several redundancy elimination optimisations which attempt to

670 views • 37 slides
TRECVID-2006: Rushes Exploitation Task Alan Smeaton Dublin City University & Tzveta Ianeva

TRECVID-2006: Rushes Exploitation Task Alan Smeaton Dublin City University & Tzveta Ianeva

TRECVID-2006: Rushes Exploitation Task Alan Smeaton Dublin City University & Tzveta Ianeva NIST Rushes Exploitation Task Definition Goal: research about the feasibility of shifting to work on unproduced video; Develop a

393 views • 15 slides
Using Component Redundancy for adaptive, self-optimising and self-healing Component-Based Systems

Using Component Redundancy for adaptive, self-optimising and self-healing Component-Based Systems

Performance Engineering Laboratory Using Component Redundancy for adaptive, self-optimising and self-healing Component-Based Systems Ada Diaconescu, John Murphy Performance Engineering Laboratory Dublin City University Ada Diaconescu

352 views • 11 slides
Learning objectives Understand the basic principles undelying A&T techniques Grasp

Learning objectives Understand the basic principles undelying A&T techniques Grasp

Learning objectives Understand the basic principles undelying A&T techniques Grasp the motivations and applicability of the Basic Principles main principles (c) 2007 Mauro Pezz & Michal Young Ch 3, slide 1 (c) 2007 Mauro

303 views • 3 slides
Information theory " Information content of a message a boolean value

Information theory " Information content of a message a boolean value

Information theory " Information content of a message a boolean value "true"/"false" can be encoded as one bit without losing information: 1/0 a direction up/down/right/left: 2 bits the strings

444 views • 10 slides

More recommend