statistical fault attacks on nonce based authenticated
play

Statistical Fault Attacks on Nonce-Based Authenticated Encryption - PowerPoint PPT Presentation

Jan 04, 2023 •320 likes •602 views

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M. Eichlseder 1 , T. Korak 1 , V. Lomn e 2 , F. Mendel 1 AsiaCrypt 2016 1 Graz University of Technology, Austria 2 ANSSI, Paris, France

  1. Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M. Eichlseder 1 , T. Korak 1 , V. Lomn´ e 2 , F. Mendel 1 AsiaCrypt 2016 1 Graz University of Technology, Austria 2 ANSSI, Paris, France

  2. www.iaik.tugraz.at Overview Fault attacks on AES-based AE-schemes Nonce does not preclude fault attacks Based on Fuhr et al. (FDTC 2013) Faults influence distribution Experiments to show practical relevance 1 / 21

  3. www.iaik.tugraz.at Statistical Fault Attack SB SR AK equ MC SB SR AK C 2 / 21

  4. www.iaik.tugraz.at Application to Authenticated Encryption Requirements for the Attack 1 The inputs need to be different for each fault 2 The block cipher output needs to be known 3 / 21

  5. www.iaik.tugraz.at Application to Authenticated Encryption Authenticated encryption modes for block ciphers (ISO/IEC) CCM EAX GCM OCB 4 / 21

  6. www.iaik.tugraz.at Attack on CCM N � CTR 0 · · · CTR 1 CTR d ⊞ ⊞ 1 1 E k E k E k · · · P 1 ⊕ P d ⊕ S C 1 · · · C d S ⊕ · · · ⊕ ⊕ V E k E k trunc T 5 / 21

  7. www.iaik.tugraz.at Attack on CCM N � CTR 0 · · · CTR 1 CTR d ⊞ ⊞ 1 1 E k E k E k · · · P 1 ⊕ P d ⊕ S C 1 · · · C d S ⊕ · · · ⊕ ⊕ V E k E k trunc T 5 / 21

  8. www.iaik.tugraz.at Attack on OCB � M i P 1 P d − 1 P d � 0 ∗ . . . ⊕ ∆ d − 1 ⊕ ∆ $ ⊕ ∆ 1 ∆ ∗ E k E k E k E k . . . ∆ 1 ⊕ ∆ d − 1 ⊕ ⊕ ⊕ V C 1 C d − 1 C d T . . . 6 / 21

  9. www.iaik.tugraz.at Attack on OCB � M i P 1 P d − 1 P d � 0 ∗ . . . ⊕ ∆ d − 1 ⊕ ∆ $ ⊕ ∆ 1 ∆ ∗ E k E k E k E k . . . ∆ 1 ⊕ ∆ d − 1 ⊕ ⊕ ⊕ V C 1 C d − 1 C d T . . . 6 / 21

  10. www.iaik.tugraz.at Application to other schemes rand rand rand ∆ k ⊕ E t E k E k k ∆ k ⊕ C C C 7 / 21

  11. www.iaik.tugraz.at XEX-like Construction Output masked by ∆ k rand ∆ k := δ k ∆ k ⊕ ∆ k := δ k + δ n E k ∆ k := δ k , n ∆ k ⊕ C Example: COPA 8 / 21

  12. www.iaik.tugraz.at Attack on COPA � P i P 1 P 2 P d ⊕ ⊕ ⊕ ⊕ 3 L 2 · 3 L 2 d − 1 3 L 2 d − 1 3 2 L E k E k E k E k · · · ⊕ ⊕ ⊕ ⊕ V L E k E k E k E k ⊕ ⊕ ⊕ ⊕ 2 2 L 2 d L 2 d 7 L 2 L C 1 C 2 C d T L = E k ( 0 ) 9 / 21

  13. www.iaik.tugraz.at Attack on COPA � P i P 1 P 2 P d ⊕ ⊕ ⊕ ⊕ 3 L 2 · 3 L 2 d − 1 3 L 2 d − 1 3 2 L E k E k E k E k · · · ⊕ ⊕ ⊕ ⊕ V L E k E k E k E k ⊕ ⊕ ⊕ ⊕ 2 2 L 2 d L 2 d 7 L 2 L C 1 C 2 C d T L = E k ( 0 ) 9 / 21

  14. www.iaik.tugraz.at Attack on COPA Idea: Consider 2 L as part of the last subkey SK ′ 10 := SK 10 ⊕ 2 L Apply SFA to recover SK ′ 10 Repeat attack to either recover SK 9 (in round 9) or 10 := SK 10 ⊕ 2 2 L of the next block the get SK 10 SK ′′ ⇒ Attack complexity (number of needed faults) is doubled 10 / 21

  15. www.iaik.tugraz.at XEX-like Construction Output masked by ∆ k rand ∆ k := δ k ∆ k ⊕ ∆ k := δ k + δ n E k ∆ k := δ k , n ∆ k ⊕ C 11 / 21

  16. www.iaik.tugraz.at Tweakable Block Cipher TWEAKEY framework rand Deoxys KIASU . . . E t k C 12 / 21

  17. www.iaik.tugraz.at Attack on Deoxys � = � P i P 1 P d E 0 , N , 0 E 0 , N , d − 1 E 1 , N , d − 1 · · · k k k ⊕ V C 1 C d T Similar to OCB 13 / 21

  18. www.iaik.tugraz.at Attack on Deoxys � = � P i P 1 P d E 0 , N , 0 E 0 , N , d − 1 E 1 , N , d − 1 · · · k k k ⊕ V C 1 C d T Similar to OCB 13 / 21

  19. www.iaik.tugraz.at Attack on Deoxys � = Deoxys-BC-256 k h 2 h · · · h 2 t h h · · · h RC 0 RC 1 RC 13 RC 14 ⊕ ⊕ ⊕ ⊕ SK 0 SK 13 SK 1 SK 14 P ⊕ f ⊕ f · · · ⊕ f ⊕ C 14 / 21

  20. www.iaik.tugraz.at Summary of Results Primitive Classification Comments CCM basic CTR GCM basic CTR EAX basic CTR OCB basic XE Cloc/Silc ∗ basic CFB OTR ∗ basic XE COPA ∗ XEX ELmD ∗ XEX SHELL ∗ XEX KIASU ∗ TBC Deoxys ∗ TBC ∗ CAESAR candidates 15 / 21

  21. www.iaik.tugraz.at Practical Verification/Implementation Clock glitches General-purpose microcontroller AES software implementation AES hardware co-processor Laser fault injection Smartcard microcontroller AES hardware co-processor ⇒ Key-recovery with a small number of faulty ciphertexts 16 / 21

  22. www.iaik.tugraz.at ATxmega 256A3 correct key 2 − 1 wrong keys 2 − 2 SEI 2 − 3 2 − 4 2 − 5 10 20 30 40 50 60 70 80 number of faulty encryptions Software implementation Single clock glitch 17 / 21

  23. www.iaik.tugraz.at ATxmega 256A3 correct key 2 − 1 wrong keys 2 − 2 SEI 2 − 3 2 − 4 2 − 5 10 20 30 40 50 60 70 80 number of faulty encryptions Software implementation Multiple clock glitches 18 / 21

  24. www.iaik.tugraz.at Smartcard Microcontroller correct key 2 − 1 wrong keys 2 − 2 SEI 2 − 3 2 − 4 2 − 5 10 20 30 40 50 60 70 80 number of faulty encryptions AES co-processor Laser 19 / 21

  25. www.iaik.tugraz.at Summary SFA is a powerful tool Nonce is not enough Attacks are not limited to AES-based modes 20 / 21

  26. www.iaik.tugraz.at Thank you http://eprint.iacr.org/2016/616 21 / 21

  27. www.iaik.tugraz.at References E. Biham and A. Shamir Differential Fault Analysis of Secret Key Cryptosystems CRYPTO 1997 D. Boneh, R. A. DeMillo, and R. J. Lipton On the Importance of Checking Cryptographic Protocols for Faults EUROCRYPT 1997 J. Bl¨ omer and V. Krummel Fault Based Collision Attacks on AES FDTC 2006 T. Fuhr, ´ E. Jaulmes, V. Lomn´ e, and A. Thillard Fault Attacks on AES with Faulty Ciphertexts Only FDTC 2013 C. Dobraunig, M. Eichlseder, T. Korak, V. Lomn´ e, and F . Mendel Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes ASIACRYPT 2016

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Statistical Fault Attacks Revisited Application to Authenticated Encryption C. Dobraunig, M.

Statistical Fault Attacks Revisited Application to Authenticated Encryption C. Dobraunig, M.

Statistical Fault Attacks Revisited Application to Authenticated Encryption C. Dobraunig, M. Eichlseder, T. Korak, V. Lomn e, F. Mendel ASK 2016 The research leading to these results has received funding from the European Unions Horizon

551 views • 26 slides
Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph Dobraunig, Maria Eichlseder, Hannes Gross, Stefan Mangard, Florian Mendel, Robert Primas ASIACRYPT 2018 IAIK - Graz University of Technology www.tugraz.at

1.01k views • 78 slides
SIFA Statistical Ineffective Fault Attacks Rump Session at CHES 2018 Based on work of:

SIFA Statistical Ineffective Fault Attacks Rump Session at CHES 2018 Based on work of:

SIFA Statistical Ineffective Fault Attacks Rump Session at CHES 2018 Based on work of: Christoph Dobraunig, Maria Eichlseder, Hannes Gro, Thomas Korak, Stefan Mangard, Florian Mendel, Robert Primas Are Protected Implementations Hard to

413 views • 17 slides
GCM-SIV: Full Nonce Mis isuse-Resistant Authenticated Encry ryption at t Under One Cycle per

GCM-SIV: Full Nonce Mis isuse-Resistant Authenticated Encry ryption at t Under One Cycle per

` GCM-SIV: Full Nonce Mis isuse-Resistant Authenticated Encry ryption at t Under One Cycle per Byt yte Shay Gueron Yehuda Lindell Bar-Ilan University Haifa Univ. and Intel Appeared at ACM CCS 2015 ` How to Encry rypt wit ith a Blo

684 views • 30 slides
Protecting against Statistical Ineffective Fault Attacks Joan Daemen, Christoph Dobraunig, Maria

Protecting against Statistical Ineffective Fault Attacks Joan Daemen, Christoph Dobraunig, Maria

Protecting against Statistical Ineffective Fault Attacks Joan Daemen, Christoph Dobraunig, Maria Eichlseder, Hannes Gross, Florian Mendel and Robert Primas CHES 2020 Motivation www.tugraz.at Using crypto in the wild requires:

964 views • 64 slides
Online Authenticated Encryption and its Nonce-Reuse Misuse-Resistance Viet Tung Hoang 1 Reza

Online Authenticated Encryption and its Nonce-Reuse Misuse-Resistance Viet Tung Hoang 1 Reza

Online Authenticated Encryption and its Nonce-Reuse Misuse-Resistance Viet Tung Hoang 1 Reza Reyhanitabar 2 Phillip Rogaway 3 Damian Vizr 4 1 UC, Santa Barbara 2 NEC Laboratories Europe, Germany 3 UC Davis 4 EPFL, Switzerland 6th Asian Workshop

730 views • 50 slides
Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and

Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and

(A brief, incomplete) Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and Privacy June 11, 2018 Authenticated Encryption M M Its complicated Probabilistic or deterministic AE? Nonce based AE?

868 views • 47 slides
seclab Impersonation Attacks through a Dedicated Bi-directional Authenticated Channel THE

seclab Impersonation Attacks through a Dedicated Bi-directional Authenticated Channel THE

Protecting Web-based Single Sign-on Protocols against Relying Party seclab Impersonation Attacks through a Dedicated Bi-directional Authenticated Channel THE COMPUTER SECURITY GROUP AT UC SANTA BARBARA Yinzhi Cao

704 views • 45 slides
Nonce-based Encryption Formalized by Rogaway Primary Condition Uniqueness of the nonce

Nonce-based Encryption Formalized by Rogaway Primary Condition Uniqueness of the nonce

Dhiman Saha 1 , Sukhendu Kuila 2 , Dipanwita Roy Chowdhury 1 1 Dept. Of Computer Science & Engineering, IIT Kharagpur, INDIA 2 Dept. Of Mathematics, Vidyasagar University, INDIA DIAC 2014, Santa Barbara, USA Nonce-based Encryption

298 views • 19 slides
Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Bck, Aaron

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Bck, Aaron

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Bck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, Philipp Jovanovic 1 TLS Encryption 1. Asymmetric key exchange RSA, DHE, ECDHE 2. Symmetric encryption 2

956 views • 28 slides
Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef, PhD Wi-Fi Alliance

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef, PhD Wi-Fi Alliance

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef, PhD Wi-Fi Alliance meeting Bucharest, 24 October 2017 Overview 1. Key reinstallation in 4-way handshake 2. Misconceptions and remarks 3. Steps to improve Wi-Fi

894 views • 35 slides
Outline Password-based Authenticated Key Exchange Password-based Authenticated Key Exchange 1

Outline Password-based Authenticated Key Exchange Password-based Authenticated Key Exchange 1

PAKE Game-based Security Universal Composability LAKE Outline Password-based Authenticated Key Exchange Password-based Authenticated Key Exchange 1 David Pointcheval Ecole Normale Sup erieure Game-based Security 2 Universal

927 views • 10 slides
Universal Forgery and Key Recovery Attacks on ELmD Authenticated Encryption Algorithm Asl Bay 1

Universal Forgery and Key Recovery Attacks on ELmD Authenticated Encryption Algorithm Asl Bay 1

Universal Forgery and Key Recovery Attacks on ELmD Authenticated Encryption Algorithm Asl Bay 1 , O guzhan Ersoy 2 , Ferhat Karako c 1 1 T 2 Bo UB ITAK-B ILGEM-UEKAE gazi ci University ASIACRYPT 2016, Hanoi, VIETNAM 1/27

860 views • 28 slides
Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia

Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia

Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia Laguna, Sardinia (Italy) 19 October 2015 Introduction to Fault Attacks 19 October 2015 What are fault attacks? Active attacks against

571 views • 27 slides
Friet: An Authenticated Encryption Scheme with Built-in Fault Detection Thierry Simon 1,2 Lejla

Friet: An Authenticated Encryption Scheme with Built-in Fault Detection Thierry Simon 1,2 Lejla

Friet: An Authenticated Encryption Scheme with Built-in Fault Detection Thierry Simon 1,2 Lejla Batina 1 Joan Daemen 1 Vincent Grosso 1,3 Pedro Maat Costa Massolino 1 Kostas Papagiannopoulos 1,4 Francesco Regazzoni 5 Niels Samwel 1 1 Radboud

543 views • 28 slides
Encrypt or Decrypt ? To Make a Single-Key BBB Secure Nonce-Based MAC Nilanjan Datta 1 , Avijit

Encrypt or Decrypt ? To Make a Single-Key BBB Secure Nonce-Based MAC Nilanjan Datta 1 , Avijit

Encrypt or Decrypt ? To Make a Single-Key BBB Secure Nonce-Based MAC Nilanjan Datta 1 , Avijit Dutta 2 , Mridul Nandi 2 and Kan Yasuda 3 1. Indian Institute of Technology, Kharagpur, India 2. Indian Statistical Institute, Kolkata, India 3. NTT

580 views • 45 slides
rt Pr ss tt

rt Pr ss tt

Prs rs rt rt Pr ss tt s rt Pr ss

1.05k views • 50 slides
MOSS POINT SCHOOL DISTRICT EDITION Presented By: Danyelle Cooper & Kewanna Riley RCA MISSION:

MOSS POINT SCHOOL DISTRICT EDITION Presented By: Danyelle Cooper & Kewanna Riley RCA MISSION:

MOSS POINT SCHOOL DISTRICT EDITION Presented By: Danyelle Cooper & Kewanna Riley RCA MISSION: To deliver the highest quality educational experience where global citizens are born through advanced rigor, engaging teaching methods, and a

128 views • 10 slides
KRYPTOS Patrick Kellogg patrickkellogg@gmail.com http://www.patrickkellogg.com/kryptos I

KRYPTOS Patrick Kellogg patrickkellogg@gmail.com http://www.patrickkellogg.com/kryptos I

KRYPTOS Patrick Kellogg patrickkellogg@gmail.com http://www.patrickkellogg.com/kryptos I love this sculpture by Jim Sanborn (Note: tiny reproduction) About Kryptos The sculpture was erected in 1990 on the grounds of the CIA

570 views • 56 slides
Tools: the Swarm protocol and a possible new implementation in Python Pietro TERNA, University of

Tools: the Swarm protocol and a possible new implementation in Python Pietro TERNA, University of

Tools: the Swarm protocol and a possible new implementation in Python Pietro TERNA, University of Torino and ISI, terna@econ.unito.it, http://web.econ.unito.it/terna 2009 02 09 ABM-BaF09 1 _______________________________________ A general

476 views • 47 slides
MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity .

MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity .

MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity . Arnab Roy 1 and Tyge Tiessen 1 ) Technical University of Denmark 1 Royal Holloway, University of London 2 TU Graz 3 1 (joint work with Martin Albrecht

275 views • 26 slides
Optimal Boolean Functions Irene Villa UiB - Universitetet i Bergen Selmer center Finse 2018

Optimal Boolean Functions Irene Villa UiB - Universitetet i Bergen Selmer center Finse 2018

Optimal Boolean Functions Irene Villa UiB - Universitetet i Bergen Selmer center Finse 2018 Communicate a secret message Communicate a secret message Cipher: M set of possible messages k K key-space k : M M encryption function

933 views • 34 slides
Cryptographic Hash Function EDON-R Presented by Prof. Danilo Gligoroski Department of

Cryptographic Hash Function EDON-R Presented by Prof. Danilo Gligoroski Department of

1 Cryptographic Hash Function EDON-R Presented by Prof. Danilo Gligoroski Department of Telematics Faculty of Information Technology, Mathematics and Electrical Engineering Norwegian University of Science and TechnologyTechnology - NTNU,

717 views • 55 slides
Privacy Christos Dimitrakakis September 17, 2019 C. Dimitrakakis Privacy September 17, 2019 .

Privacy Christos Dimitrakakis September 17, 2019 C. Dimitrakakis Privacy September 17, 2019 .

. . . . . . . . . . . . . . . . Privacy Christos Dimitrakakis September 17, 2019 C. Dimitrakakis Privacy September 17, 2019 . . . . . . . . . . . . . . . . . . . . . . . . 1 / 38 . . . . . . . .

937 views • 68 slides

More recommend