statistical fault attacks revisited application to
play

Statistical Fault Attacks Revisited Application to Authenticated - PowerPoint PPT Presentation

Sep 23, 2023 •285 likes •551 views

Statistical Fault Attacks Revisited Application to Authenticated Encryption C. Dobraunig, M. Eichlseder, T. Korak, V. Lomn e, F. Mendel ASK 2016 The research leading to these results has received funding from the European Unions Horizon

  1. Statistical Fault Attacks Revisited Application to Authenticated Encryption C. Dobraunig, M. Eichlseder, T. Korak, V. Lomn´ e, F. Mendel ASK 2016 The research leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 644052 (HECTOR).

  2. www.iaik.tugraz.at Authenticated Encryption Encryption / Authentication E ( K , N , A , P ) = ( C , T ) Decryption / Verification D ( K , N , A , C , T ) ∈ { P , ⊥} 1 / 24

  3. www.iaik.tugraz.at Fault Attacks Differential Fault Analysis Collision Fault Analysis Safe Error Attack . . . ⇒ Statistical Fault Attack 2 / 24

  4. www.iaik.tugraz.at Statistical Fault Attack Fuhr et al. (FDTC 2013) Fault attack on AES with faulty ciphertexts only Succeeding with random and unknown plaintexts Main Idea: Fault injection introduces a bias on a target variable 3 / 24

  5. www.iaik.tugraz.at Fault Models Perfect control. The attacker perfectly knows the statistical distribution of the faulty value Partial control. The attacker has some partial information on the distribution of the faulty value No control. The attacker has no information about the distribution of the faulty value, except that it is non uniform 4 / 24

  6. www.iaik.tugraz.at Application to AES Attack on the 10th round Max. likelihood Min. mean HW a) 1 1 b) 10 14 c) 14 18 28 hypotheses per key byte 5 / 24

  7. www.iaik.tugraz.at Application to AES Attack on the 9th round Square Euclidean Imbalance a) 6 b) 14 c) 80 232 hypotheses to retrieve 4 key bytes 6 / 24

  8. www.iaik.tugraz.at Statistical Fault Attack Requirements for the Attack 1 The inputs need to be different for each fault 2 The block cipher output needs to be known 7 / 24

  9. www.iaik.tugraz.at Application Authenticated encryption modes for block ciphers (ISO/IEC) CCM EAX GCM OCB SIV (Key Wrap) 8 / 24

  10. www.iaik.tugraz.at Attack on CCM N � CTR 0 · · · CTR 1 CTR d ⊞ ⊞ 1 1 E k E k E k · · · P 1 ⊕ P d ⊕ S C 1 · · · C d S ⊕ · · · ⊕ ⊕ V E k E k trunc T 9 / 24

  11. www.iaik.tugraz.at Attack on EAX and GCM EAX CTR + CMAC cleaned-up CCM GCM CTR + CW MAC 10 / 24

  12. www.iaik.tugraz.at Attack on OCB � M i P 1 P d − 1 P d � 0 ∗ . . . ⊕ ∆ d − 1 ⊕ ∆ $ ⊕ ∆ 1 ∆ ∗ E k E k E k E k . . . ∆ 1 ⊕ ∆ d − 1 ⊕ ⊕ ⊕ V C 1 C d − 1 C d T . . . 11 / 24

  13. www.iaik.tugraz.at Application to other schemes rand rand rand ∆ k ⊕ E t E k E k k ∆ k ⊕ C C C 12 / 24

  14. www.iaik.tugraz.at Basic Construction rand Cloc/Silc CFB + CBC MAC E k OTR XE + 2r-Feistel C 13 / 24

  15. www.iaik.tugraz.at XEX-like Construction Output is mask by ∆ k rand ∆ k := δ k ∆ k ⊕ ∆ k := δ k + δ n E k ∆ k := δ k , n ∆ k ⊕ C Example: COPA 14 / 24

  16. www.iaik.tugraz.at Attack on COPA � P i P 1 P 2 P d ⊕ ⊕ ⊕ ⊕ 3 L 2 · 3 L 2 d − 1 3 L 2 d − 1 3 2 L E k E k E k E k · · · ⊕ ⊕ ⊕ ⊕ V L E k E k E k E k ⊕ ⊕ ⊕ ⊕ 2 2 L 2 d L 2 d 7 L 2 L C 1 C 2 C d T L = E k ( 0 ) 15 / 24

  17. www.iaik.tugraz.at Attack on COPA Idea: Consider 2 L as part of the last subkey SK ′ 10 := SK 10 ⊕ 2 L Apply SFA to recover SK ′ 10 Repeat attack to either recover SK 9 (in round 9) or 10 := SK 10 ⊕ 2 2 L of the next block the get SK 10 SK ′ ⇒ Attack complexity (number of needed faults) is doubled 16 / 24

  18. www.iaik.tugraz.at XEX-like Construction Output is mask by ∆ k rand ∆ k := δ k ∆ k ⊕ ∆ k := δ k + δ n E k ∆ k := δ k , n ∆ k ⊕ C 17 / 24

  19. www.iaik.tugraz.at Tweakable Block Cipher TWEAKEY framework rand Deoxys KIASU . . . E t k C 18 / 24

  20. www.iaik.tugraz.at Attack on Deoxys � = � P i P 1 P d E 0 , N , 0 E 0 , N , d − 1 E 1 , N , d − 1 · · · k k k ⊕ V C 1 C d T Similar to OCB 19 / 24

  21. www.iaik.tugraz.at Attack on Deoxys � = Deoxys-BC-256 · · · k h 2 h h 2 · · · t h h h ⊕ RC 0 ⊕ RC 1 ⊕ RC 13 ⊕ RC 14 SK 0 SK 13 SK 1 SK 14 ⊕ ⊕ · · · ⊕ ⊕ P f f f C 20 / 24

  22. www.iaik.tugraz.at Summary of Results Primitive Classification Comments CCM basic CTR GCM basic CTR EAX basic CTR OCB basic XE Cloc/Silc ∗ basic CFB OTR ∗ basic XE COPA ∗ XEX ELmD ∗ XEX SHELL ∗ XEX KIASU ∗ TBC TWEAKEY Deoxys ∗ TBC TWEAKEY ∗ CAESAR candidates 21 / 24

  23. www.iaik.tugraz.at Practical Verification/Implementation Clock glitches General-purpose microcontroller (ATxmega 256A3) AES software implementation AES hardware co-processor Laser fault injection Smartcard microcontroller AES hardware co-processor ⇒ Key-recovery with a small number of faulty ciphertexts 22 / 24

  24. www.iaik.tugraz.at Summary SFA is a powerful tool Attacks are not limited to AES-based modes e.g. Prøst, Joltik, Scream,. . . Applicable to some Sponge modes APE construction e.g. PRIMATEs, Ascon 23 / 24

  25. www.iaik.tugraz.at Thank you http://eprint.iacr.org/2016/616 24 / 24

  26. www.iaik.tugraz.at References E. Biham and A. Shamir Differential Fault Analysis of Secret Key Cryptosystems CRYPTO 1997 D. Boneh, R. A. DeMillo, and R. J. Lipton On the Importance of Checking Cryptographic Protocols for Faults EUROCRYPT 1997 J. Bl¨ omer and V. Krummel Fault Based Collision Attacks on AES FDTC 2006 T. Fuhr, ´ E. Jaulmes, V. Lomn´ e, and A. Thillard Fault Attacks on AES with Faulty Ciphertexts Only FDTC 2013 C. Dobraunig, M. Eichlseder, T. Korak, V. Lomn´ e, and F . Mendel Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes ASIACRYPT 2016

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph Dobraunig, Maria Eichlseder, Hannes Gross, Stefan Mangard, Florian Mendel, Robert Primas ASIACRYPT 2018 IAIK - Graz University of Technology www.tugraz.at

1.01k views • 78 slides
Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M.

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M.

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M. Eichlseder 1 , T. Korak 1 , V. Lomn e 2 , F. Mendel 1 AsiaCrypt 2016 1 Graz University of Technology, Austria 2 ANSSI, Paris, France

602 views • 27 slides
Protecting against Statistical Ineffective Fault Attacks Joan Daemen, Christoph Dobraunig, Maria

Protecting against Statistical Ineffective Fault Attacks Joan Daemen, Christoph Dobraunig, Maria

Protecting against Statistical Ineffective Fault Attacks Joan Daemen, Christoph Dobraunig, Maria Eichlseder, Hannes Gross, Florian Mendel and Robert Primas CHES 2020 Motivation www.tugraz.at Using crypto in the wild requires:

964 views • 64 slides
SIFA Statistical Ineffective Fault Attacks Rump Session at CHES 2018 Based on work of:

SIFA Statistical Ineffective Fault Attacks Rump Session at CHES 2018 Based on work of:

SIFA Statistical Ineffective Fault Attacks Rump Session at CHES 2018 Based on work of: Christoph Dobraunig, Maria Eichlseder, Hannes Gro, Thomas Korak, Stefan Mangard, Florian Mendel, Robert Primas Are Protected Implementations Hard to

413 views • 17 slides
On the Need of Randomness in Fault Attack Countermeasures Application to AES Victor LOMNE 1 ,

On the Need of Randomness in Fault Attack Countermeasures Application to AES Victor LOMNE 1 ,

Physical Attacks New Attacks on Classical Countermeasures Extended Countermeasures On the Need of Randomness in Fault Attack Countermeasures Application to AES Victor LOMNE 1 , Thomas ROCHE 1 , Adrian THILLARD 1 1 ANSSI (French Network and

358 views • 25 slides
Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia

Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia

Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia Laguna, Sardinia (Italy) 19 October 2015 Introduction to Fault Attacks 19 October 2015 What are fault attacks? Active attacks against

571 views • 27 slides
Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France

Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France

Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France November 16, 2017 Cryptacus Workshop, Nijmegen, Netherlands the attacker only needs unprivileged execution on the victims machine

1.99k views • 164 slides
Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics, University of Auckland PQCrypto 2017, 26th of June 1/15 Outline 1 Preliminaries Introduction Supersingular isogenies SSI cryptosystems 2 Fault attack

378 views • 33 slides
Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier, Xiaolu Hou and Yang Liu 10 September 2018 1 / 25 Table of Contents Background and Motivation 1 Overview of DATAC DFA Automation Tool for

727 views • 25 slides
Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Introduction Threats Setups Attacks Countermeasures Conclusion 1 / 31 Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of Cryptographic Algorithms and Devices for Real-World Applications Sibenik,

849 views • 31 slides
Experiences on NFC Relay Attacks with Android: Virtual Pickpocketing Revisited e Vila ,

Experiences on NFC Relay Attacks with Android: Virtual Pickpocketing Revisited e Vila ,

Experiences on NFC Relay Attacks with Android: Virtual Pickpocketing Revisited e Vila , Ricardo J. Rodr guez Jos 594190@unizar.es, rj.rodriguez@unileon.es All wrongs reversed University of Zaragoza, Spain RIASC,

1.03k views • 53 slides
Defeating TLS client authentication using fault attacks Who are we ? R&D dept. @

Defeating TLS client authentication using fault attacks Who are we ? R&D dept. @

Defeating TLS client authentication using fault attacks Who are we ? R&D dept. @ Security Evaluation Kudelski Security Lab @ Kudelski IoT Embedded systems Hardware attacks security research Glitch / EM Reverse

889 views • 51 slides
Fault Attacks on Elliptic Curve Cryptosystems Marc Joye Thomson Security Labs

Fault Attacks on Elliptic Curve Cryptosystems Marc Joye Thomson Security Labs

Fault Attacks on Elliptic Curve Cryptosystems Marc Joye Thomson Security Labs marc.joye@thomson.net CryptoPuces 2009 Porquerolles, June 26, 2009 Outline Elliptic Curve Cryptography Inducing Faults Fault Attacks Countermeasures

363 views • 24 slides
Its Not My Fault 1915: rotor machines: (electro-)mechanical - On Fault Attacks on

Its Not My Fault 1915: rotor machines: (electro-)mechanical - On Fault Attacks on

Its Not My Fault Bart Preneel FDTC12 9 September 2011 Symmetric crypto history 101 http://www.ecrypt.eu.org pre-1915: manual encryption or simple devices Its Not My Fault 1915: rotor machines: (electro-)mechanical - On

296 views • 6 slides
Improving Scalability and Fault Improving Scalability and Fault Tolerance in an Application

Improving Scalability and Fault Improving Scalability and Fault Tolerance in an Application

Improving Scalability and Fault Improving Scalability and Fault Tolerance in an Application Tolerance in an Application Management Infrastructure Management Infrastructure Nikolay Topilski , Jeannie Albrecht, and Amin Vahdat Williams College

560 views • 18 slides
Web Application Fault Classification An Exploratory Study Yuepu Guo, Sreedevi Sampath

Web Application Fault Classification An Exploratory Study Yuepu Guo, Sreedevi Sampath

Web Application Fault Classification An Exploratory Study Yuepu Guo, Sreedevi Sampath University of Maryland Baltimore County presentation by Daniel Kellenberger 01.06.2010 Why Do We Need (Another) Fault Classification? Fault-based

647 views • 16 slides
JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK 2018, Kolkata, India 15 Nov 2018 Table of Contents 1. Introduction to Fault Attacks 2. Persistent Fault Analysis (PFA) 3. PFA on Fault

588 views • 19 slides
Fault Attacks on Embedded Software: Threats, Design, and Mitigation Patrick Schaumont Professor

Fault Attacks on Embedded Software: Threats, Design, and Mitigation Patrick Schaumont Professor

Fault Attacks on Embedded Software: Threats, Design, and Mitigation Patrick Schaumont Professor Bradley Department of ECE Virginia Tech Acknowledgements FAME Project Team https://sites.google.com/view/famechip Supported through National

1.01k views • 72 slides
Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010

Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010

Differential Fault Analysis of HC-128 Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010 May 03-06, 2010, Stellenbosch, South Africa Differential Fault Analysis of HC-128 Outline Fault analysis

374 views • 24 slides
Flip a bit, grab a key: Symbolic execution edition Jasper van Woudenberg @jzvw CTO Riscure

Flip a bit, grab a key: Symbolic execution edition Jasper van Woudenberg @jzvw CTO Riscure

Flip a bit, grab a key: Symbolic execution edition Jasper van Woudenberg @jzvw CTO Riscure North America public Concrete execution r1 = 0xBE; r2 = 0x08 mov r1,r2 add r1,0x10 r1 = 0x18; r2 = 0x08 public 2 Symbolic execution r1 = 0xBE;

470 views • 31 slides
Using Modular Extension to Provably Protect Edwards Curves Against Fault Attacks Margaux

Using Modular Extension to Provably Protect Edwards Curves Against Fault Attacks Margaux

Using Modular Extension to Provably Protect Edwards Curves Against Fault Attacks Margaux Dugardin, Sylvain Guilley, Martin Moreau, Zakaria Najm, Pablo Rauzy PROOFS 2016 - Santa Barbara, CA Introduction Eve Communications Alice Bob Channel

726 views • 60 slides
White-Box Cryptography Matthieu Rivain Journ ees Nationales 2017 Pr e-GDR S ecurit e

White-Box Cryptography Matthieu Rivain Journ ees Nationales 2017 Pr e-GDR S ecurit e

White-Box Cryptography Matthieu Rivain Journ ees Nationales 2017 Pr e-GDR S ecurit e Informatique Paris, 31 mai 2017 Outline Context: white-box crypto: big trend in the industry cryptographic obfuscation: big trend in the

1.41k views • 46 slides
Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 34 Introduction We present a survey of low complexity differential cryptanalysis

844 views • 34 slides
Introdution to Physical Cryptanalysis ASK 2014 Victor LOMNE ANSSI (French Network and Information

Introdution to Physical Cryptanalysis ASK 2014 Victor LOMNE ANSSI (French Network and Information

Introdution to Physical Cryptanalysis ASK 2014 Victor LOMNE ANSSI (French Network and Information Security Agency) Saturday, December 20 th , 2014 Introduction| Side Channel Attacks (SCA)| Fault Attacks (FA)| Combined Attacks| Protections|

817 views • 71 slides

More recommend