SLIDE 1

Statistical Fault Attacks Revisited Application to Authenticated Encryption

C. Dobraunig, M. Eichlseder, T. Korak, V. Lomné, F. Mendel

ASK 2016

The research leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 644052 (HECTOR).

SLIDE 2

www.iaik.tugraz.at

Authenticated Encryption

Encryption / Authentication

E(K, N, A, P) = (C, T)

Decryption / Verification

D(K, N, A, C, T) ∈ {P, ⊥}

1 / 24

SLIDE 3

Fault Attacks

  • Differential Fault Analysis
  • Collision Fault Analysis
  • Safe Error Attack
  • ...

⇒ Statistical Fault Attack

SLIDE 4

Statistical Fault Attack

  • Fuhr et al. (FDTC 2013)
  • Fault attack on AES with faulty ciphertexts only
  • Succeeding with random and unknown plaintexts

Main Idea: Fault injection introduces a bias on a target variable

SLIDE 5

Fault Models

  • Perfect control. The attacker perfectly knows the statistical distribution of the faulty value
  • Partial control. The attacker has some partial information on the distribution of the faulty value
  • No control. The attacker has no information about the distribution of the faulty value, except that it is non-uniform

SLIDE 6

Application to AES

Attack on the 10th round

  Fault model   Max. likelihood   Min. mean HW
  a)             1                 1
  b)            10                14
  c)            14                18

2^8 hypotheses per key byte

SLIDE 7

Application to AES

Attack on the 9th round

Square Euclidean Imbalance

  Fault model
  a)             6
  b)            14
  c)            80

2^32 hypotheses to retrieve 4 key bytes

SLIDE 8

Statistical Fault Attack

Requirements for the Attack

  1. The inputs need to be different for each fault
  2. The block cipher output needs to be known
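An added simulation (my own illustration, not code from the slides or from the authors): it measures the bias each of the three fault models puts on a target byte using the statistics named on the AES slides (mean Hamming weight, Square Euclidean Imbalance), and then tests two redundancy countermeasures against requirement 2, i.e. whether a faulty block-cipher output is ever released to the attacker. Assumptions: a 4-round SHA-256 Feistel toy cipher stands in for E_k (it is not AES), stuck-at-0 and bit-clearing faults are assumed instances of the perfect/partial/no-control models, the fault lands on byte 0 of the final state, and the names encrypt_duplicated, encrypt_inverse_checked and run_experiment are mine.

```python
"""Constructed simulation, not from the slides: measure the bias a fault
puts on a target byte with the statistics the talk names (mean Hamming
weight, Square Euclidean Imbalance), then test two redundancy checks that
keep faulty block-cipher outputs from being released (requirement 2)."""
import hashlib
import random
from collections import Counter

BLOCK = 16  # bytes per block of the toy cipher


# --- Distinguishers on a sample of target-byte values -----------------------
def square_euclidean_imbalance(samples):
    """SEI = sum over v of (p(v) - 1/256)^2 for the empirical distribution:
    0 for a uniform distribution, 255/256 for a constant one."""
    n = len(samples)
    counts = Counter(samples)
    return sum((counts.get(v, 0) / n - 1 / 256) ** 2 for v in range(256))


def mean_hamming_weight(samples):
    """Average number of set bits; 4.0 for uniformly random bytes."""
    return sum(bin(v).count("1") for v in samples) / len(samples)


# --- One-byte fault models (assumed instances of the three models) ----------
def fault_perfect_control(value, rng):
    """Stuck-at-0: the faulty distribution is fully known to the attacker."""
    return 0


def fault_partial_control(value, rng):
    """Some bits are cleared: the distribution is only partly known."""
    return value & rng.choice([0x0F, 0xF0, 0x3F, 0xFC])


def fault_no_control(value, rng):
    """One random bit is cleared: unknown but non-uniform distribution."""
    return value & (0xFF ^ (1 << rng.randrange(8)))


def sample_target(fault, n, seed=1):
    """n faulty values of a target byte that was uniform before the fault."""
    rng = random.Random(seed)
    return [fault(rng.randrange(256), rng) for _ in range(n)]


# --- Toy invertible block cipher standing in for E_k (assumed, not AES) -----
def _round_function(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key, block):
    """4-round Feistel network with a SHA-256 round function."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        left, right = right, _xor(left, _round_function(key, i, right))
    return left + right


def decrypt_block(key, block):
    """Inverse of encrypt_block (rounds undone in reverse order)."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round_function(key, i, left)), left
    return left + right


def faulty_encrypt(key, block, fault, rng):
    """Faulted computation: the fault hits byte 0 of the final state."""
    out = bytearray(encrypt_block(key, block))
    out[0] = fault(out[0], rng)
    return bytes(out)


# --- Countermeasures: release the output only if a redundancy check passes --
def encrypt_duplicated(key, block, fault, rng, fault_both_copies=False):
    """Compute twice and compare. If the attacker can reproduce the fault on
    both copies (perfect control), identical faulty outputs pass the check."""
    c1 = faulty_encrypt(key, block, fault, rng)
    c2 = (faulty_encrypt(key, block, fault, rng) if fault_both_copies
          else encrypt_block(key, block))
    return c1 if c1 == c2 else None


def encrypt_inverse_checked(key, block, fault, rng):
    """Decrypt the result and compare with the input: an output only passes
    if it equals the correct ciphertext, so no faulty value is released."""
    c = faulty_encrypt(key, block, fault, rng)
    return c if decrypt_block(key, c) == block else None


def run_experiment(countermeasure, fault, n=512, seed=7, **kwargs):
    """Returns (released, faulty_released): how many outputs the device
    released and how many of those differ from the correct ciphertext."""
    rng = random.Random(seed)
    key = bytes(rng.randrange(256) for _ in range(BLOCK))
    released = faulty = 0
    for _ in range(n):
        block = bytes(rng.randrange(256) for _ in range(BLOCK))
        c = countermeasure(key, block, fault, rng, **kwargs)
        if c is not None:
            released += 1
            faulty += c != encrypt_block(key, block)
    return released, faulty


if __name__ == "__main__":
    for name, fault in [("no fault", lambda v, r: v),
                        ("perfect control", fault_perfect_control),
                        ("partial control", fault_partial_control),
                        ("no control", fault_no_control)]:
        s = sample_target(fault, 50000)
        print(f"{name:16s} mean HW {mean_hamming_weight(s):.3f}  "
              f"SEI {square_euclidean_imbalance(s):.6f}")
    print("duplication, one copy faulted:   ",
          run_experiment(encrypt_duplicated, fault_perfect_control))
    print("duplication, both copies faulted:",
          run_experiment(encrypt_duplicated, fault_perfect_control,
                         fault_both_copies=True))
    print("decrypt-and-compare check:       ",
          run_experiment(encrypt_inverse_checked, fault_perfect_control))
```

Running it shows a mean Hamming weight of 0 (stuck-at-0), about 2.5 (partial control) and about 3.5 (no control) against 4.0 without a fault, and a SEI for the no-control samples an order of magnitude above that of uniform samples, which is the bias the attack needs. On the countermeasure side, plain duplication withholds every faulty output when only one copy is faulted, but releases all of them when the same stuck-at-0 fault is reproduced on both copies; the decrypt-and-compare check never releases a faulty ciphertext in this model, at the price of one inverse computation per block.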

SLIDE 9

Application

Authenticated encryption modes for block ciphers (ISO/IEC)

  • CCM
  • EAX
  • GCM
  • OCB
  • SIV (Key Wrap)

SLIDE 10

Attack on CCM

[Diagram: CCM. Counter blocks derived from N (CTR0, CTR1 = CTR0 ⊞ 1, …, CTRd) are encrypted with Ek; the outputs are XORed with P1, …, Pd to give C1, …, Cd, and a CBC-MAC chain of Ek calls ending in V is truncated to the tag T.]

SLIDE 11

Attack on EAX and GCM

EAX

CTR + CMAC (a cleaned-up CCM)

GCM

CTR + CW (Carter–Wegman) MAC

SLIDE 12

Attack on OCB

[Diagram: OCB. Each block P1, …, Pd−1 is masked with ∆i, encrypted with Ek and masked again with ∆i to give Ci; the last block Cd is produced with the mask ∆∗; the checksum of the message blocks Mi is masked with ∆$, encrypted with Ek and XORed with V to give the tag T.]

SLIDE 13

Application to other schemes

[Diagram: three constructions, each with a random input reaching the output C: basic (rand → Ek → C), XEX-like (rand → ⊕ ∆k → Ek → ⊕ ∆k → C) and tweakable block cipher (rand → E_k^t → C).]

SLIDE 14

Basic Construction

Cloc/Silc

CFB + CBC MAC

OTR

XE + 2r-Feistel

[Diagram: rand → Ek → C]

SLIDE 15

XEX-like Construction

Output is masked by ∆k

  • ∆k := δk
  • ∆k := δk + δn
  • ∆k := δk,n

Example: COPA

[Diagram: rand → ⊕ ∆k → Ek → ⊕ ∆k → C]

SLIDE 16

Attack on COPA

[Diagram: COPA. Message blocks P1, P2, …, Pd are masked with 3L, 2·3L, …, 2^(d−1)·3L and encrypted with Ek; the results are chained by XOR (giving V), encrypted again with Ek and masked with 2L, 2²L, …, 2^d·L to give C1, C2, …, Cd. The tag T is computed from the checksum with the masks 2^(d−1)·3²L and 2^d·7L. L = Ek(0).]

SLIDE 17

Attack on COPA

Idea: Consider 2L as part of the last subkey

SK′₁₀ := SK₁₀ ⊕ 2L

Apply SFA to recover SK′₁₀

Repeat the attack to either recover SK₉ (in round 9) or SK′₁₀ := SK₁₀ ⊕ 2²L of the next block to get SK₁₀

⇒ Attack complexity (number of needed faults) is doubled

SLIDE 18

XEX-like Construction

Output is masked by ∆k

  • ∆k := δk
  • ∆k := δk + δn
  • ∆k := δk,n

[Diagram: rand → ⊕ ∆k → Ek → ⊕ ∆k → C]

SLIDE 19

Tweakable Block Cipher

TWEAKEY framework

Deoxys, KIASU, ...

[Diagram: rand → E_k^t → C]

SLIDE 20

Attack on Deoxys=

[Diagram: Deoxys=. Blocks P1, …, Pd are encrypted with the tweakable calls E_k^(0,N,0), …, E_k^(0,N,d−1) to give C1, …, Cd; the checksum of the Pi is processed with E_k^(1,N,d−1) and XORed with V to give the tag T.]

Similar to OCB

SLIDE 21

Attack on Deoxys=

Deoxys-BC-256

[Diagram: Deoxys-BC-256 tweakey schedule. The key k (multiplied by 2 and permuted by h each round) and the tweak t (permuted by h each round) are XORed with the round constants RC0, RC1, …, RC14 to give the subkeys SK0, SK1, …, SK14; the plaintext P passes through the rounds of subkey addition ⊕ and round function f to give C.]

SLIDE 22

Summary of Results

  Primitive     Classification   Comments
  CCM           basic            CTR
  GCM           basic            CTR
  EAX           basic            CTR
  OCB           basic            XE
  Cloc/Silc∗    basic            CFB
  OTR∗          basic            XE
  COPA∗         XEX
  ELmD∗         XEX
  SHELL∗        XEX
  KIASU∗        TBC              TWEAKEY
  Deoxys∗       TBC              TWEAKEY

∗ CAESAR candidates

SLIDE 23

Practical Verification/Implementation

Clock glitches

  • General-purpose microcontroller (ATxmega 256A3)
  • AES software implementation
  • AES hardware co-processor

Laser fault injection

  • Smartcard microcontroller
  • AES hardware co-processor

⇒ Key-recovery with a small number of faulty ciphertexts

SLIDE 24

Summary

  • SFA is a powerful tool
  • Attacks are not limited to AES-based modes, e.g. Prøst, Joltik, Scream, ...
  • Applicable to some Sponge modes: APE construction, e.g. PRIMATEs, Ascon

SLIDE 25

Thank you

http://eprint.iacr.org/2016/616

SLIDE 26

References

  • E. Biham and A. Shamir. Differential Fault Analysis of Secret Key Cryptosystems. CRYPTO 1997
  • D. Boneh, R. A. DeMillo, and R. J. Lipton. On the Importance of Checking Cryptographic Protocols for Faults. EUROCRYPT 1997
  • J. Blömer and V. Krummel. Fault Based Collision Attacks on AES. FDTC 2006
  • T. Fuhr, É. Jaulmes, V. Lomné, and A. Thillard. Fault Attacks on AES with Faulty Ciphertexts Only. FDTC 2013
  • C. Dobraunig, M. Eichlseder, T. Korak, V. Lomné, and F. Mendel. Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes. ASIACRYPT 2016