sifa exploiting ineffective fault inductions on symmetric
play

SIFA: Exploiting Ineffective Fault Inductions on Symmetric - PowerPoint PPT Presentation

Oct 23, 2023 •173 likes •730 views

SIFA: Exploiting Ineffective Fault Inductions on Symmetric Cryptography Christoph Dobraunig 1 , Maria Eichlseder 1 , Thomas Korak 2 , Stefan Mangard 1 , Florian Mendel 2 , Robert Primas 1 1 Graz University of Technology, Austria

  1. SIFA: Exploiting Ineffective Fault Inductions on Symmetric Cryptography Christoph Dobraunig 1 , Maria Eichlseder 1 , Thomas Korak 2 , Stefan Mangard 1 , Florian Mendel 2 , Robert Primas 1 1 Graz University of Technology, Austria first.last@iaik.tugraz.at 2 Infineon Technologies AG, Germany first.last@infineon.com

  2. Outlook We present fault attacks that are ... • Hard to prevent • Defy detection, any degree of redundancy • Defy infection • (Defy masking) • Versatile • Many possible fault locations/effects • Applicable to many symmetric schemes • Evaluated on various platforms 1

  3. Outlook We present fault attacks that are ... • Hard to prevent • Defy detection, any degree of redundancy • Defy infection • (Defy masking) • Versatile • Many possible fault locations/effects • Applicable to many symmetric schemes • Evaluated on various platforms 1

  4. Outlook We present fault attacks that are ... • Hard to prevent • Defy detection, any degree of redundancy • Defy infection • (Defy masking) • Versatile • Many possible fault locations/effects • Applicable to many symmetric schemes • Evaluated on various platforms 1

  5. Fault Attacks • Get device access: PT • Set plaintexts • Observe ciphertexts • Cause (partially) erroneous computation ENC • Observe faulty and correct ciphertext • Determine correct sub key guesses by verifying output pairs ⇒ Differential Fault Attack (DFA) CT 2

  6. Fault Attacks • Get device access: PT • Set plaintexts • Observe ciphertexts • Cause (partially) erroneous computation ENC • Observe faulty and correct ciphertext • Determine correct sub key guesses by verifying output pairs ⇒ Differential Fault Attack (DFA) CT* 2

  7. Fault Attacks • Get device access: PT • Set plaintexts • Observe ciphertexts • Cause (partially) erroneous computation ENC ENC • Observe faulty and correct ciphertext • Determine correct sub key guesses by verifying output pairs ⇒ Differential Fault Attack (DFA) CT* CT 2

  8. Fault Attacks • Get device access: • Set plaintexts • Observe ciphertexts CT* CT • Cause (partially) erroneous computation • Observe faulty and correct ciphertext • Determine correct sub key guesses by SUB KEY VERIFY verifying output pairs ⇒ Differential Fault Attack (DFA) 2

  9. Fault Attacks • Get device access: • Set plaintexts • Observe ciphertexts CT* CT • Cause (partially) erroneous computation • Observe faulty and correct ciphertext • Determine correct sub key guesses by SUB KEY VERIFY verifying output pairs ⇒ Differential Fault Attack (DFA) 2

  10. Fault Countermeasures - Detection PT • Use redundancy to detect faults ENC-DETECT ENC ENC • Fault detected → No ciphertext • 2 identical faults necessary for attack → More redundancy, Enc-Dec, masking, etc... CT CT CT 3

  11. Fault Countermeasures - Detection PT • Use redundancy to detect faults ENC-DETECT ENC ENC • Fault detected → No ciphertext • 2 identical faults necessary for attack → More redundancy, Enc-Dec, masking, etc... CT* CT ... 3

  12. Fault Countermeasures - Detection PT • Use redundancy to detect faults ENC-DETECT ENC ENC • Fault detected → No ciphertext • 2 identical faults necessary for attack → More redundancy, Enc-Dec, masking, etc... CT* CT* CT* 3

  13. Fault Countermeasures - Detection PT • Use redundancy to detect faults ENC-DETECT ENC ENC • Fault detected → No ciphertext • 2 identical faults necessary for attack → More redundancy, Enc-Dec, masking, etc... CT* CT* CT* 3

  14. Fault Countermeasures - Infection PT • Use redundancy, interleaved computation and dummy rounds ENC-INFECT • Faults are amplified s.t. ciphertext is not ENC ENC ENC related to the key anymore • Key recovery not possible • Attacks still possible but hard... CT 4

  15. Fault Countermeasures - Infection PT • Use redundancy, interleaved computation and dummy rounds ENC-INFECT • Faults are amplified s.t. ciphertext is not ENC ENC ENC related to the key anymore • Key recovery not possible • Attacks still possible but hard... %&$ 4

  16. Fault Countermeasures - Infection • Use redundancy, interleaved computation and %&$ CT dummy rounds • Faults are amplified s.t. ciphertext is not related to the key anymore SUB KEY • Key recovery not possible VERIFY • Attacks still possible but hard... 4

  17. Fault Countermeasures - Infection • Use redundancy, interleaved computation and %&$ CT dummy rounds • Faults are amplified s.t. ciphertext is not related to the key anymore SUB KEY • Key recovery not possible VERIFY • Attacks still possible but hard... 4

  18. Statistical Ineffective Fault Attacks (SIFA) Combines ... • Ineffective Fault Attacks (IFA) by Clavier et al. [Cla07] + Exploits only correct ciphertexts (similar to safe error attacks) − Requires precise faults with known effect • Statistical Fault Analysis (SFA) by Fuhr et al. [FJLT13] + Any fault, even if effect is unknown − Mitigated by detection/infection ⇒ Statistical Ineffective Fault Attacks (SIFA) + Exploits only correct ciphertexts + Any fault, even if effect is unknown 5

  19. Statistical Ineffective Fault Attacks (SIFA) Combines ... • Ineffective Fault Attacks (IFA) by Clavier et al. [Cla07] + Exploits only correct ciphertexts (similar to safe error attacks) − Requires precise faults with known effect • Statistical Fault Analysis (SFA) by Fuhr et al. [FJLT13] + Any fault, even if effect is unknown − Mitigated by detection/infection ⇒ Statistical Ineffective Fault Attacks (SIFA) + Exploits only correct ciphertexts + Any fault, even if effect is unknown 5

  20. Statistical Ineffective Fault Attacks (SIFA) Combines ... • Ineffective Fault Attacks (IFA) by Clavier et al. [Cla07] + Exploits only correct ciphertexts (similar to safe error attacks) − Requires precise faults with known effect • Statistical Fault Analysis (SFA) by Fuhr et al. [FJLT13] + Any fault, even if effect is unknown − Mitigated by detection/infection ⇒ Statistical Ineffective Fault Attacks (SIFA) + Exploits only correct ciphertexts + Any fault, even if effect is unknown 5

  21. SIFA on AES - Fault Injection Phase Example for AES... • Over multiple encryptions, state bytes are : ROUND 10 ROUND 9 ROUND 8 SHIFT ROWS uniformly distributed MIX COLUMNS • Fault somewhere between MC in round 8-9 KEY ADD 8 SUB BYTES • Goal is some non-uniform distribution SHIFT ROWS • Stuck-at fault, random fault, skips, flips... MIX COLUMNS • Fault Granularity: 1 bit → a few bytes KEY ADD 9 • Works even for ineffective faults SUB BYTES SHIFT ROWS • i.e. a fault was injected but the computation KEY ADD 10 is still correct • Attacker gets “access to subset of ciphertexts” Ciphertext 6

  22. SIFA on AES - Fault Injection Phase Example for AES... • Over multiple encryptions, state bytes are : ROUND 10 ROUND 9 ROUND 8 SHIFT ROWS uniformly distributed MIX COLUMNS • Fault somewhere between MC in round 8-9 KEY ADD 8 SUB BYTES • Goal is some non-uniform distribution SHIFT ROWS • Stuck-at fault, random fault, skips, flips... MIX COLUMNS • Fault Granularity: 1 bit → a few bytes KEY ADD 9 • Works even for ineffective faults SUB BYTES SHIFT ROWS • i.e. a fault was injected but the computation KEY ADD 10 is still correct • Attacker gets “access to subset of ciphertexts” Ciphertext Ciphertext Ciphertext Ciphertext Ciphertext 6

  23. SIFA on AES - Fault Injection Phase Example for AES... • Over multiple encryptions, state bytes are : ROUND 10 ROUND 9 ROUND 8 SHIFT ROWS uniformly distributed MIX COLUMNS • Fault somewhere between MC in round 8-9 KEY ADD 8 SUB BYTES • Goal is some non-uniform distribution SHIFT ROWS • Stuck-at fault, random fault, skips, flips... MIX COLUMNS • Fault Granularity: 1 bit → a few bytes KEY ADD 9 • Works even for ineffective faults SUB BYTES SHIFT ROWS • i.e. a fault was injected but the computation KEY ADD 10 is still correct • Attacker gets “access to subset of ciphertexts” Ciphertext Ciphertext Ciphertext Ciphertext Ciphertext 6

  24. SIFA on AES - Fault Injection Phase Example for AES... • Over multiple encryptions, state bytes are : ROUND 10 ROUND 9 ROUND 8 SHIFT ROWS uniformly distributed MIX COLUMNS • Fault somewhere between MC in round 8-9 KEY ADD 8 SUB BYTES • Goal is some non-uniform distribution SHIFT ROWS • Stuck-at fault, random fault, skips, flips... MIX COLUMNS • Fault Granularity: 1 bit → a few bytes KEY ADD 9 • Works even for ineffective faults SUB BYTES SHIFT ROWS • i.e. a fault was injected but the computation KEY ADD 10 is still correct • Attacker gets “access to subset of ciphertexts” Ciphertext Ciphertext Ciphertext Ciphertext Ciphertext 6

  25. SIFA on AES - Fault Injection Phase Example for AES... • Over multiple encryptions, state bytes are : ROUND 10 ROUND 9 ROUND 8 SHIFT ROWS uniformly distributed MIX COLUMNS • Fault somewhere between MC in round 8-9 KEY ADD 8 SUB BYTES • Goal is some non-uniform distribution SHIFT ROWS • Stuck-at fault, random fault, skips, flips... MIX COLUMNS • Fault Granularity: 1 bit → a few bytes KEY ADD 9 • Works even for ineffective faults SUB BYTES SHIFT ROWS • i.e. a fault was injected but the computation KEY ADD 10 is still correct • Attacker gets “access to subset of ciphertexts” Ciphertext Ciphertext Ciphertext Ciphertext Ciphertext 6

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SIFA Statistical Ineffective Fault Attacks Rump Session at CHES 2018 Based on work of:

SIFA Statistical Ineffective Fault Attacks Rump Session at CHES 2018 Based on work of:

SIFA Statistical Ineffective Fault Attacks Rump Session at CHES 2018 Based on work of: Christoph Dobraunig, Maria Eichlseder, Hannes Gro, Thomas Korak, Stefan Mangard, Florian Mendel, Robert Primas Are Protected Implementations Hard to

413 views • 17 slides
Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph Dobraunig, Maria Eichlseder, Hannes Gross, Stefan Mangard, Florian Mendel, Robert Primas ASIACRYPT 2018 IAIK - Graz University of Technology www.tugraz.at

1.01k views • 78 slides
Protecting against Statistical Ineffective Fault Attacks Joan Daemen, Christoph Dobraunig, Maria

Protecting against Statistical Ineffective Fault Attacks Joan Daemen, Christoph Dobraunig, Maria

Protecting against Statistical Ineffective Fault Attacks Joan Daemen, Christoph Dobraunig, Maria Eichlseder, Hannes Gross, Florian Mendel and Robert Primas CHES 2020 Motivation www.tugraz.at Using crypto in the wild requires:

964 views • 64 slides
Reverse Engineering of a Secret AES-like Cipher by Ineffective Fault Analysis Antoine Wurcker

Reverse Engineering of a Secret AES-like Cipher by Ineffective Fault Analysis Antoine Wurcker

Introduction Scope of the Attack Attack Steps Conclusion Reverse Engineering of a Secret AES-like Cipher by Ineffective Fault Analysis Antoine Wurcker Christophe Clavier antoine.wurcker@xlim.fr christophe.clavier@unilim.fr Universit e

535 views • 51 slides
Its Not My Fault 1915: rotor machines: (electro-)mechanical - On Fault Attacks on

Its Not My Fault 1915: rotor machines: (electro-)mechanical - On Fault Attacks on

Its Not My Fault Bart Preneel FDTC12 9 September 2011 Symmetric crypto history 101 http://www.ecrypt.eu.org pre-1915: manual encryption or simple devices Its Not My Fault 1915: rotor machines: (electro-)mechanical - On

296 views • 6 slides
Exploiting Hidden Layer Modular Redundancy for Fault-Tolerance in Neural Network Accelerators

Exploiting Hidden Layer Modular Redundancy for Fault-Tolerance in Neural Network Accelerators

Exploiting Hidden Layer Modular Redundancy for Fault-Tolerance in Neural Network Accelerators Schuyler Eldridge Ajay Joshi Department of Electrical and Computer Engineering, Boston University schuye@bu.edu January 30, 2015 This work was

679 views • 19 slides
Exploiting Redundant Test Cases in Fault Localisation: Good or Bad? Alexandre Perez

Exploiting Redundant Test Cases in Fault Localisation: Good or Bad? Alexandre Perez

Exploiting Redundant Test Cases in Fault Localisation: Good or Bad? Alexandre Perez alexandre.perez@fe.up.pt Nuno Cardoso, Jos e Campos, Rui Abreu nunopcardoso@gmail.com, jose.carlos.campos@fe.up.pt, rui@computer.com Department of

508 views • 32 slides
Fault-Tolerance, Fast and Slow: Exploiting Failure Asynchrony in Distributed Systems Ramnatthan

Fault-Tolerance, Fast and Slow: Exploiting Failure Asynchrony in Distributed Systems Ramnatthan

Fault-Tolerance, Fast and Slow: Exploiting Failure Asynchrony in Distributed Systems Ramnatthan Alagappan, Aishwarya Ganesan, Jing Liu, Andrea Arpaci-Dusseau, and Remzi Arpaci-Dusseau Replication Protocols Viewstamped Paxos Raft replication

1.83k views • 144 slides
effective ineffective EXTERNAL effective ineffective INTERNAL focus focus

effective ineffective EXTERNAL effective ineffective INTERNAL focus focus

EXTERNAL focus BROAD NARROW INTERNAL effective ineffective EXTERNAL effective ineffective INTERNAL focus focus prepara%on self-talk emotional control emotional control frustra%on disappointment

317 views • 31 slides
Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault

Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault

Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault tolerant programming are: Fault Detection - Knowing that a fault exists Fault Recovery - having atomic instructions that can be rolled back in

361 views • 18 slides
WHY YOU Speakers notes for new staff inductions SHOULD These speakers notes can be BE A

WHY YOU Speakers notes for new staff inductions SHOULD These speakers notes can be BE A

WHY YOU Speakers notes for new staff inductions SHOULD These speakers notes can be BE A UCU used alongside UCUs MEMBER Powerpoint presentation Why you should be a UCU member Slide 1 Title slideWhy you should become a UCU

695 views • 3 slides
Appendix E Presentation for Inductions 46 47 48

Appendix E Presentation for Inductions 46 47 48

Appendix E Presentation for Inductions 46 47 48

408 views • 3 slides
Findings Port Security is ineffective at preventing 3 different MAC Spoofing attacks in

Findings Port Security is ineffective at preventing 3 different MAC Spoofing attacks in

M EDIA A CCESS C ONTROL (MAC) A DDRESS S POOFING A TTACKS AGAINST P ORT S ECURITY Andrew Buhr, Dale Lindskog, Pavol Zavarsky, Ron Ruhl Concordia University College of Alberta Findings Port Security is ineffective at preventing 3 different

455 views • 24 slides
2 Fault Isolation & Restoration Manual Fault Isolation & Restoration The

2 Fault Isolation & Restoration Manual Fault Isolation & Restoration The

1 Self Healing Network (Centralized Restoration Gateway) IEEE PES 2015 General Meeting 2 Fault Isolation & Restoration Manual Fault Isolation & Restoration The operator makes switching decisions Automatic Fault Location

724 views • 22 slides
Overview Introduction and basic concept ECE 753: FAULT-TOLERANT Fault model and fault

Overview Introduction and basic concept ECE 753: FAULT-TOLERANT Fault model and fault

4/1/2014 Overview Introduction and basic concept ECE 753: FAULT-TOLERANT Fault model and fault coverage COMPUTING Checkpointing and backward error recovery (rollback) Kewal K.Saluja General principles General principles

259 views • 3 slides
Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data

Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data

Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data Gerome Miklau University of Massachusetts, Amherst DIMACS Workshop on Recent Work on Di ff erential Privacy across Computer Science October 2012

1.39k views • 136 slides
Three arguments in defense of the digital services tax IFA Asia-Pacific Regional Tax Conference,

Three arguments in defense of the digital services tax IFA Asia-Pacific Regional Tax Conference,

Three arguments in defense of the digital services tax IFA Asia-Pacific Regional Tax Conference, Taipei, April 19, 2018 Wei Cui, Peter A. Allard School of Law, University of British Columbia Reactions Practitioners: Clifford Chance,

505 views • 13 slides
UK Life, Driving value through excellence Investor and Analyst Event, Wednesday 6 th May 2009

UK Life, Driving value through excellence Investor and Analyst Event, Wednesday 6 th May 2009

UK Life, Driving value through excellence Investor and Analyst Event, Wednesday 6 th May 2009 Andrew Moss NUL18.11.08 Disclaimer This presentation may include oral and written forward-looking statements with respect to certain of Avivas

578 views • 25 slides
ANY AGE at HOW TO IGNITE PASSION IN YOUR PEOPLE IGNITE PASSION WITHOUT BURNING THEM OUT

ANY AGE at HOW TO IGNITE PASSION IN YOUR PEOPLE IGNITE PASSION WITHOUT BURNING THEM OUT

EricChester.com on ANY AGE at HOW TO IGNITE PASSION IN YOUR PEOPLE IGNITE PASSION WITHOUT BURNING THEM OUT brand community people ericchester.com The only way to attract and people retain great people is to offer a culture that other

459 views • 31 slides
Multi-agent distributed optimization over networks and its application to energy systems Maria

Multi-agent distributed optimization over networks and its application to energy systems Maria

Vistas in Control | ETH Zurich | September 10 - 11 2018 Multi-agent distributed optimization over networks and its application to energy systems Maria Prandini Introduction Robotic networks Social networks taken from AJGpr.com Transportation

1.27k views • 116 slides
Tonights Agenda Informal review of document, concepts Open House and conversation with

Tonights Agenda Informal review of document, concepts Open House and conversation with

2014 Draft Southeast Alaska Transportation Plan Tonights Agenda Informal review of document, concepts Open House and conversation with ADOT&PF staff 5:30-6:30 pm Public Meeting Introductions, ADOT&PF Presentation on Draft SATP

377 views • 24 slides
Agenda 9 th User Group meeting in Brussels* 21/11/2018 12:30 16:00 CET TIME AGENDA ITEM

Agenda 9 th User Group meeting in Brussels* 21/11/2018 12:30 16:00 CET TIME AGENDA ITEM

Agenda 9 th User Group meeting in Brussels* 21/11/2018 12:30 16:00 CET TIME AGENDA ITEM PRESENTER 12:30 13:15 Lunch 13:15 13:25 1. Welcome, agenda Mark Pickles 13:25 13:50 2. Feedback Market Parties on XBID operation Mark

651 views • 62 slides
Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia

Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia

Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia Laguna, Sardinia (Italy) 19 October 2015 Introduction to Fault Attacks 19 October 2015 What are fault attacks? Active attacks against

571 views • 27 slides
PKI: Glue of Middleware PKI: Glue of Middleware Michael R Gettes, Duke University Michael R

PKI: Glue of Middleware PKI: Glue of Middleware Michael R Gettes, Duke University Michael R

PKI: Glue of Middleware PKI: Glue of Middleware Michael R Gettes, Duke University Michael R Gettes, Duke University EuroCAMP EuroCAMP November, 2005 November, 2005 Landscaping Landscaping PKI Hierarchies and Bridges PKI Hierarchies

455 views • 26 slides

More recommend