using linear codes as a fault countermeasure for non
play

Using Linear Codes as a Fault Countermeasure for Non-Linear - PowerPoint PPT Presentation

Jan 08, 2023 •43 likes •493 views

Using Linear Codes as a Fault Countermeasure for Non-Linear Operations : Application to AES and Formal Verification work co-funded by the PRINCE project Sabine Azzi, Bruno Barras, Maria Christofi , David Vigilant PROOFS workshop 2015, September

  1. Using Linear Codes as a Fault Countermeasure for Non-Linear Operations : Application to AES and Formal Verification work co-funded by the PRINCE project Sabine Azzi, Bruno Barras, Maria Christofi , David Vigilant PROOFS workshop 2015, September 17 th

  2. Introduction Motivation Is it possible to design a countermeasure for embedded devices based on linear codes to protect linear (obviously yes) and non-linear parts of a block cipher ? Can we formally verify it ? Our Contribution Not yet studied for the non-linear operations (such as substitution step) − → This is discussed in this paper ! Willingness to get a formal verification of AES based on linear code as a fault countermeasure. PROOFS workshop 2015, September 17 th 2 / 25

  3. Introduction 1 Existing techniques Recent interest in using linear codes to protect block ciphers Linear codes well suited for software implementation PROOFS workshop 2015, September 17 th 2 / 25

  4. Existing Techniques to Protect Block Ciphers Against Fault Attacks Time redundancy : The algorithm itself is not modified. The whole algorithm or some parts of it are executed several times sequentially, and it is verified that the replayed computations lead to the same results. Hybrid redundancy : The consistency is verified in its context. For example, verifying the encryption result can be done by deciphering the result and verify that the original plaintext is recovered after decryption. Information redundancy : Add some duplication of the information which allows to detect any modification of any part of the data, with a consistency check with its duplication part. PROOFS workshop 2015, September 17 th 3 / 25

  5. Existing Techniques to Protect Block Ciphers Against Fault Attacks Time redundancy : The algorithm itself is not modified. The whole algorithm or some parts of it are executed several times sequentially, and it is verified that the replayed computations lead to the same results. Hybrid redundancy : The consistency is verified in its context. For example, verifying the encryption result can be done by deciphering the result and verify that the original plaintext is recovered after decryption. Information redundancy : Add some duplication of the information which allows to detect any modification of any part of the data, with a consistency check with its duplication part. PROOFS workshop 2015, September 17 th 3 / 25

  6. Introduction 1 Existing techniques Recent interest in using linear codes to protect block ciphers Linear codes well suited for software implementation PROOFS workshop 2015, September 17 th 3 / 25

  7. Recent Interest in Using Linear Codes to Protect Block Ciphers Side-Channel and specific for AES : ”A New Masking Scheme for Side-Channel Protection of AES” (Bringer et al. - 2012) Bloc cipher generic : Fault Attacks and Side-Channel : ”Orthogonal Direct Sum Masking” (Bringer et al. - 2014) Bloc cipher generic : Side-Channel Resistance study : ”Complementary Dual Codes for Counter-measures to Side-Channel Attacks (Carlet et al. - 2015) PROOFS workshop 2015, September 17 th 4 / 25

  8. Introduction 1 Existing techniques Recent interest in using linear codes to protect block ciphers Linear codes well suited for software implementation PROOFS workshop 2015, September 17 th 4 / 25

  9. Some Systematic Linear Codes Operations can be Implemented Efficiently in Software For systematic codes, data x is represented by x || Gx e.g. C [ 16 , 8 , 5 ] Decoded data representation : 1 byte Encoded data representation : 2 byte Redundancy part generation is a lookup table (256 bytes) Verification that x || Gx is in C is a lookup table (256 bytes) PROOFS workshop 2015, September 17 th 5 / 25

  10. 2 Contribution Study of the usage of systematic linear codes for non-linear operations of block ciphers Formal Verification Methodology AES case study implementation and formal verification PROOFS workshop 2015, September 17 th 5 / 25

  11. Linear Codes and Non Linear Operations State of the art on constrained devices (not enough Open question in cited room for a lookup table with encoded entries). papers. Common technique : Decode Encoded ( x ) data before the non linear step and re-encoded it after it. decode decoded data for the non x linear step ⇒ the fault resistance is significantly decreased � NL op This paper studies the fault resistance especially during non linear operations NL op ( x ) proposes a formal verification of a block cipher encode implementation with a countermeasure based on Encoded( NL op ( x ) ) linear codes PROOFS workshop 2015, September 17 th 6 / 25

  12. Systematic Linear Codes and Non Linear Operations Systematic codes may be interesting : 2 lookup tables x | Gx Consistency check x Gx possible ? NL op T Consistency check NL op ( x ) G NL op ( x ) possible NL op ( x ) | G NL op ( x ) But Gx may not determine uniquely x. PROOFS workshop 2015, September 17 th 7 / 25

  13. Example : C [ 16 , 8 , 5 ] and Non Linear Operations x | Gx Consistency check x Gx possible NL op T Consistency check G NL op ( x ) NL op ( x ) possible NL op ( x ) | G NL op ( x ) Gx does not determine uniquely x . PROOFS workshop 2015, September 17 th 8 / 25

  14. Example : C [ 16 , 8 , 5 ] and Non Linear Operations x | Gx Consistency check C [ 16 , 8 , 5 ] : x Gx possible has an orthogonal/complementary code Gx does not determine uniquely x NL op T BUT... Gx ⊕ x determines uniquely x Consistency check NL op ( x ) G NL op ( x ) possible NL op ( x ) | G NL op ( x ) PROOFS workshop 2015, September 17 th 9 / 25

  15. Method Applications/Generalisations The paper discusses how this approach can be : Generalized for all systematic linear codes with a square generator matrix (or concatenation of square matrices) Applied whatever the non linear operation (for all block ciphers) Combined with masking methods to prevent side channel attacks Applied to the orthogonal sum code technique PROOFS workshop 2015, September 17 th 10 / 25

  16. Example : C[16,8,5], Complementary and Non Linear Operations C[16,8,5] has an orthogonal/complementary code C2 with a generator matrix H x ⊕ Hy | y ⊕ Gx Consistency check x ⊕ Hy y ⊕ Gx possible Input : Input : randomized by randomized by Hy NL op ′ y ⊕ Hy T ′ Output : Output : randomised by randomized by y’ Hy ′ Consistency check NL op ( x ) ⊕ Hy ′ G NL op ( x ) ⊕ y ′ possible NL op ( x ) ⊕ Hy ′ | G NL op ( x ) ⊕ y ′ PROOFS workshop 2015, September 17 th 11 / 25

  17. 2 Contribution Study of the usage of systematic linear codes for non-linear operations of block ciphers Formal Verification Methodology AES case study implementation and formal verification PROOFS workshop 2015, September 17 th 11 / 25

  18. Motivation Many software countermeasures presented to thwart attacks ... PROOFS workshop 2015, September 17 th 12 / 25

  19. Motivation Many software countermeasures presented to thwart attacks ... ... which are ”quickly” broken. PROOFS workshop 2015, September 17 th 12 / 25

  20. Motivation Many software countermeasures presented to thwart attacks ... ... which are ”quickly” broken. Their security has to be verified ... PROOFS workshop 2015, September 17 th 12 / 25

  21. Motivation Many software countermeasures presented to thwart attacks ... ... which are ”quickly” broken. Their security has to be verified ... ... but it is costly. PROOFS workshop 2015, September 17 th 12 / 25

  22. Motivation Many software countermeasures presented to thwart attacks ... ... which are ”quickly” broken. Their security has to be verified ... ... but it is costly. Use tools from mathematics and theoretical computer science... PROOFS workshop 2015, September 17 th 12 / 25

  23. Motivation Many software countermeasures presented to thwart attacks ... ... which are ”quickly” broken. Their security has to be verified ... ... but it is costly. Use tools from mathematics and theoretical computer science... ...provide mechanized proofs that can be used as non-regression tests. PROOFS workshop 2015, September 17 th 12 / 25

  24. Motivation Many software countermeasures presented to thwart attacks ... ... which are ”quickly” broken. Their security has to be verified ... ... but it is costly. Use tools from mathematics and theoretical computer science... ...provide mechanized proofs that can be used as non-regression tests. So ... formal methods should be used to prove that systems respect some functional and security properties. PROOFS workshop 2015, September 17 th 12 / 25

  25. Motivation Many software countermeasures presented to thwart attacks ... ... which are ”quickly” broken. Their security has to be verified ... ... but it is costly. Use tools from mathematics and theoretical computer science... ...provide mechanized proofs that can be used as non-regression tests. So ... formal methods should be used to prove that systems respect some functional and security properties. Objective Given an implementation of a cryptographic algorithm, with a set of countermeasures, formally verify its functionality and its resistance to a set of attacks pre-defined. PROOFS workshop 2015, September 17 th 12 / 25

  26. The goal ! PROOFS workshop 2015, September 17 th 13 / 25

  27. The goal ! But how do we generate all fault scenarios ? PROOFS workshop 2015, September 17 th 13 / 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

List decoding of RM(1,m) codes and Multi-linear Power Analysis attacks (MLPA) Ilya Dumer , Rafael

List decoding of RM(1,m) codes and Multi-linear Power Analysis attacks (MLPA) Ilya Dumer , Rafael

List decoding of the First order Reed-Muller codes Application to cryptanalysis PA Attacks overview Ideal Countermeasure MLPA List decoding of RM(1,m) codes and Multi-linear Power Analysis attacks (MLPA) Ilya Dumer , Rafael Fourquet , Grigory

675 views • 33 slides
6.02 Fall 2012 Lecture #4 Linear block codes Rectangular codes Hamming codes 6.02 F

6.02 Fall 2012 Lecture #4 Linear block codes Rectangular codes Hamming codes 6.02 F

6.02 Fall 2012 Lecture #4 Linear block codes Rectangular codes Hamming codes 6.02 F all 2012 Lecture 4, Slide #1 Single Link Communication Model End-host Original source computers Receiving app/user Digitize Render/display,

246 views • 21 slides
Some recent developments in the theory of linear MRD-codes Olga Polverino Universit degli

Some recent developments in the theory of linear MRD-codes Olga Polverino Universit degli

Linear MRD-codes Generalized Gabidulin Codes and linearized polynomials Generalized Twisted Gabidulin Codes MRD-codes-Maxim Some recent developments in the theory of linear MRD-codes Olga Polverino Universit degli Studi della Campania,

1.92k views • 170 slides
Fault Tolerance For Sparse Linear Algebra Computations Implemented In A Grid Environment

Fault Tolerance For Sparse Linear Algebra Computations Implemented In A Grid Environment

Fault Tolerance For Sparse Linear Algebra Computations Implemented In A Grid Environment Experiments with Fault Tolerant Linear Algebra Algorithms Jack Dongarra Jeffery Chen Zhiao Shi Asim YarKhan University of Tennessee Fault Tolerance:

412 views • 22 slides
Confusion / dilution countermeasure #UDT2019 Objective Two types of anti torpedo countermeasure

Confusion / dilution countermeasure #UDT2019 Objective Two types of anti torpedo countermeasure

Confusion / dilution countermeasure #UDT2019 Objective Two types of anti torpedo countermeasure exist : Hard kill countermeasure The aim is to home in, on torpedo and to destroy or disabling torpedo by blast or physically smashing into.

168 views • 14 slides
LCD codes over F q are as good as linear codes for q at least four Ruud Pellikaan

LCD codes over F q are as good as linear codes for q at least four Ruud Pellikaan

LCD codes over F q are as good as linear codes for q at least four Ruud Pellikaan g.r.pellikaan@tue.nl International Conference on Graph Theory and Information Security ICGTIS, August 7, 2017 Universitas Indonesia, Depok, Indonesia Faculteit

537 views • 35 slides
Algorithms in the Real World Error Correcting Codes I Overview Hamming Codes Linear

Algorithms in the Real World Error Correcting Codes I Overview Hamming Codes Linear

Algorithms in the Real World Error Correcting Codes I Overview Hamming Codes Linear Codes Page 1 General Model message m Errors introduced by the noisy channel: coder changed fields in the codeword (e.g., a flipped bit)

307 views • 28 slides
Linear coordinates for perfect codes and Steiner triple systems F.I. Soloveva, I.Yu. Mogilnykh

Linear coordinates for perfect codes and Steiner triple systems F.I. Soloveva, I.Yu. Mogilnykh

Basic definitions Linear coordinates of perfect codes Symmetry groups of Mollard codes Propelinear perfect codes Linear coordinates for perfect codes and Steiner triple systems F.I. Soloveva, I.Yu. Mogilnykh Sobolev Institute of

756 views • 52 slides
outline introduction locality in fault-tolerant quantum comp. topological codes &

outline introduction locality in fault-tolerant quantum comp. topological codes &

outline introduction locality in fault-tolerant quantum comp. topological codes & local operations results single-shot error correction self-correction gauge color codes universality via gauge-fixing

687 views • 44 slides
Overview ECE 753: FAULT-TOLERANT Introduction Motivation and Background COMPUTING

Overview ECE 753: FAULT-TOLERANT Introduction Motivation and Background COMPUTING

2/27/2014 Overview ECE 753: FAULT-TOLERANT Introduction Motivation and Background COMPUTING Hamming Codes by example SEC-DED Codes Algebraic method Kewal K Saluja Kewal K.Saluja SEC-DED Codes Hardware SEC

177 views • 7 slides
Injection and a Proven Countermeasure PROOFS2015, Saint Malo, France Shoei Nashimoto, Naofumi

Injection and a Proven Countermeasure PROOFS2015, Saint Malo, France Shoei Nashimoto, Naofumi

17 September 2015 Buffer Overflow Attack with Multiple Fault Injection and a Proven Countermeasure PROOFS2015, Saint Malo, France Shoei Nashimoto, Naofumi Homma, Yu-ichi Hayashi and Takafumi Aoki Tohoku University, Japan GSIS, TOHOKU

535 views • 27 slides
Fault-tolerant logical gates in quantum error-correcting codes Fernando Pastawski and Beni

Fault-tolerant logical gates in quantum error-correcting codes Fernando Pastawski and Beni

Fault-tolerant logical gates in quantum error-correcting codes Fernando Pastawski and Beni Yoshida (Caltech) arXiv:1408.1720 Phys Rev A xxxxxxx Jan 2015 @ QIP (Sydney, Australia) Fault-tolerant logical gates How do we implement a logical

515 views • 33 slides
Improved bounds on the word error probability of RA(2) codes with linear programming based

Improved bounds on the word error probability of RA(2) codes with linear programming based

Improved bounds on the word error probability of RA(2) codes with linear programming based decoding Nissim Halabi Tel-Aviv University Joint work with Guy Even Outline Turbo-like codes. classic Turbo codes & turbo-like

502 views • 34 slides
Quantum Lecture 9 Classical linear codes Quantum codes Mikael Skoglund, Quantum Info

Quantum Lecture 9 Classical linear codes Quantum codes Mikael Skoglund, Quantum Info

Quantum Lecture 9 Classical linear codes Quantum codes Mikael Skoglund, Quantum Info 1/16 Block Codes An ( n, M ) block (channel) code over a field GF( q ) is a set C = { x 1 , x 2 , . . . , x M } of codewords , with x m GF n ( q )

772 views • 8 slides
Information Theory Lecture 6 Block Codes and Finite Fields Codes: Roth (R) 12, 4.14

Information Theory Lecture 6 Block Codes and Finite Fields Codes: Roth (R) 12, 4.14

Information Theory Lecture 6 Block Codes and Finite Fields Codes: Roth (R) 12, 4.14 codes, minimum distance, linear codes, G and H matrices, decoding, bounds, weight distribution,. . . Finite fields: R3 (R7) groups,

911 views • 9 slides
6.02 Fall 2012 Lecture #5 Error correction for linear block codes - Syndrome decoding

6.02 Fall 2012 Lecture #5 Error correction for linear block codes - Syndrome decoding

6.02 Fall 2012 Lecture #5 Error correction for linear block codes - Syndrome decoding Burst errors and interleaving 6.02 Fall 2012 Lecture 5, Slide #1 Matrix Notation for Linear Block Codes Task: given k-bit message, compute n-bit

417 views • 18 slides
Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers

Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers

Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers will always cheat xkcd #538 What is side channel cryptanalysis? Side Channels: whatever the designers ignored Key Plaintext Encryption Cipher

1.14k views • 112 slides
Better proofs for rekeying Rekeying seems less dangerous. D. J. Bernstein Expand k into F (

Better proofs for rekeying Rekeying seems less dangerous. D. J. Bernstein Expand k into F (

1 2 Better proofs for rekeying Rekeying seems less dangerous. D. J. Bernstein Expand k into F ( k ) = (AES k (0) ; : : : ; AES k (999999)). Security of AES-256 key k is Split F ( k ) into 500000 subkeys. far below 2 256 in most

881 views • 58 slides
In-depth Percona Server/MySQL encryption Robert Golebiowski Percona Keyrings Keyrings

In-depth Percona Server/MySQL encryption Robert Golebiowski Percona Keyrings Keyrings

In-depth Percona Server/MySQL encryption Robert Golebiowski Percona Keyrings Keyrings General Concept Plugin installation - always successful - keyrings variables may need correction - keyring_vault_config - keyring_file_data 3

780 views • 47 slides
Reconsidering the Security Bound of AES-GCM-SIV Tetsu Iwata 1 and Yannick Seurin 2 1 Nagoya

Reconsidering the Security Bound of AES-GCM-SIV Tetsu Iwata 1 and Yannick Seurin 2 1 Nagoya

Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks Reconsidering the Security Bound of AES-GCM-SIV Tetsu Iwata 1 and Yannick Seurin 2 1 Nagoya University, Japan 2 ANSSI, France March 7, 2018 FSE 2018

1.11k views • 70 slides
Objectives Introduction to Finite Fields AES Algorithm Sub Byte Shift row

Objectives Introduction to Finite Fields AES Algorithm Sub Byte Shift row

Modern Block Cipher Standards (AES) Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Introduction to Finite Fields AES

604 views • 31 slides
RC6The elegant AES choice Ron Rivest rivest@mit.edu Matt Robshaw mrobshaw@supanet.com Yiqun

RC6The elegant AES choice Ron Rivest rivest@mit.edu Matt Robshaw mrobshaw@supanet.com Yiqun

RC6The elegant AES choice Ron Rivest rivest@mit.edu Matt Robshaw mrobshaw@supanet.com Yiqun Lisa Yin yiqun@nttmcl.com RC6 is the right AES choice Security Performance Ease of implementation Simplicity Flexibility RC6 is

314 views • 15 slides
LoRa Reverse Engineering and AES EM Side-Channel Attacks using SDR Pieter Robyns About me

LoRa Reverse Engineering and AES EM Side-Channel Attacks using SDR Pieter Robyns About me

LoRa Reverse Engineering and AES EM Side-Channel Attacks using SDR Pieter Robyns About me PhD student at Hasselt University since 2014 Since 2016 on FWO SBO research grant Researching wireless security Protocol security,

803 views • 57 slides
HOST Cryptography III ECE 525 AES Block Cipher Blockciphers are central tool in the design of

HOST Cryptography III ECE 525 AES Block Cipher Blockciphers are central tool in the design of

HOST Cryptography III ECE 525 AES Block Cipher Blockciphers are central tool in the design of protocols for shared-key cryptography What is a blockcipher? } k } n } n { , { , { , It is a function E of parameters k and n that maps

329 views • 17 slides

More recommend