Linear Fault Analysis of Block Ciphers
Zhiqiang Liu (1), Dawu Gu (1), Ya Liu (1), Wei Li (2)
(1) Shanghai Jiao Tong University, (2) Donghua University
ACNS 2012, June 28, 2012

Shanghai Jiao Tong University

Outline
Brief Introduction of Fault Attack
A New Extension to Fault Attack: Linear Fault Analysis (LFA)
A Key Recovery Attack on SERPENT by Using LFA
Conclusion and Discussion

Brief Introduction of Fault Attack (1/5)
Fault analysis is a class of implementation attacks that disturb a cryptographic computation in order to recover the secret key. Boneh, DeMillo and Lipton first proposed the idea of fault attacks in 1996 (published at Eurocrypt 1997). At Crypto 1997, Biham and Shamir presented an extension of this approach, Differential Fault Analysis (DFA).

Brief Introduction of Fault Attack (2/5)
About fault injection: an attacker deliberately interferes with the normal operation of the device, using voltage variations, clock glitches or laser illumination, so as to induce faults. A laser of suitable energy and wavelength can target fixed parts of the memory or registers without damaging them, so that a single-bit or single-byte error is introduced precisely into some internal state.

Brief Introduction of Fault Attack (3/5)
Basic idea of differential fault analysis (DFA), as shown in the figure on the slide: the same input X = 11001010 is processed twice by the cryptographic device. The first run outputs the correct Y = 01000011. During the second run a fault (radiation, X-ray, micro-probe) is injected into an internal round, flipping a single bit of the internal state (10001011 vs 10000011), and the device outputs the faulty Y* = 11011101. The attacker works with the difference ΔY = Y ⊕ Y* = 10011110 to recover key material.

Brief Introduction of Fault Attack (4/5)
Research work on DFA: DFA has been used as an effective cryptanalytic tool to evaluate the security of various block ciphers, such as DES, AES, IDEA, CLEFIA, SMS4, ARIA and Camellia. Several extensions of DFA have been proposed to make fault attacks more efficient.

Brief Introduction of Fault Attack (5/5)
General countermeasure against DFA: DFA techniques target the last few rounds of a block cipher, i.e., faults are triggered in the last few rounds so as to leak key information. The general countermeasure is therefore to protect the last few rounds by redundancy (for example, recomputing them and comparing the results). To keep the cost down, practical implementations protect as few rounds as possible.

A New Extension to Fault Attack: Linear Fault Analysis (LFA) (1/8)
We are the first to apply the idea of linear cryptanalysis to fault attacks, and we present a new fault attack on block ciphers called linear fault analysis (LFA).
Fault model and assumptions in LFA: random single-bit or single-byte faults induced at the input of a certain round. The values and the positions (within the impacted round) of the faults injected by the attacker are unknown and randomly distributed.

A New Extension to Fault Attack: Linear Fault Analysis (LFA) (2/8)
Basic idea of LFA (figure on the slide).

A New Extension to Fault Attack: Linear Fault Analysis (LFA) (3/8)
How does LFA work? Let $E$ be a block cipher and decompose it as $E = E_1 \circ E_0$. Let
$$\Gamma_P \cdot P \oplus \Gamma_C \cdot C = \Gamma_K \cdot K$$
(also written $\Gamma_P \to \Gamma_C$) be a linear approximation of $E_1$ holding with probability $\tfrac12 + \varepsilon$, where $P$ and $C$ denote the input and the output of $E_1$. Let $S_{\Gamma_P \to \Gamma_C}$ be the set of bit positions of $P$ that appear in the term $\Gamma_P \cdot P$ (the positions where $\Gamma_P$ is 1). Suppose the attacker can repeatedly induce single-bit faults at the input of $E_1$ such that the faulted bit is not in $S_{\Gamma_P \to \Gamma_C}$. Then $\Gamma_P \cdot P$ is the same for the correct and the faulty run, and since the key term is identical in both runs, XORing the two approximations gives the distinguisher
$$\Gamma_C \cdot C_1 \oplus \Gamma_C \cdot C_2 = 0$$
for the cipher $E$, where $C_1$ and $C_2$ are the outputs of the correct and the faulty run; by the piling-up lemma it holds with probability $\tfrac12 + 2\varepsilon^2$.

A New Extension to Fault Attack: Linear Fault Analysis (LFA) (4/8)
How does LFA work? (continued) Based on the above distinguisher, we can mount a key recovery attack on $E' = E_2 \circ E = E_2 \circ E_1 \circ E_0$ by guessing the part of the subkey of $E_2$ that is needed to compute $\Gamma_C \cdot E_2^{-1}(C)$.
Attack procedure:
Step 1. Given the linear characteristic $\Gamma_P \to \Gamma_C$ for $E_1$, collect $N$ ciphertext pairs $(C_1^i, C_2^i)$, $1 \le i \le N$, where $C_1^i$ is the correct ciphertext under $E'$ and $C_2^i$ is the corresponding faulty ciphertext obtained by injecting a single-bit fault at an arbitrary (unknown) position of the input of $E_1$.

A New Extension to Fault Attack: Linear Fault Analysis (LFA) (5/8)
Step 2. Let $K_g$ denote the subkey bits involved in computing $\Gamma_C \cdot E_2^{-1}(C_j^i)$. For each possible value of $K_g$: initialise a counter $T_{K_g}$ to 0; for each ciphertext pair $(C_1^i, C_2^i)$, partially decrypt $C_1^i$ and $C_2^i$ and compute the parity $\Gamma_C \cdot E_2^{-1}(C_1^i) \oplus \Gamma_C \cdot E_2^{-1}(C_2^i)$; if the parity is 0, increase $T_{K_g}$ by 1, otherwise decrease it by 1. Store the value of $K_g$ together with $|T_{K_g}|$.
Step 3. Compare the stored values over all candidates and take as the correct subkey the value of $K_g$ whose $|T_{K_g}|$ is maximal.
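Steps 1 to 3 as runnable Python, added here as an illustration; this is not the authors' implementation (their target is SERPENT), and the cipher below is a toy built for the example. The toy is a 16-bit SPN with four rounds of round-key XOR, four 4-bit S-boxes (DES S1 row 0, the table from Heys' tutorial) and a bit permutation, followed by a whitening key; bit 0 is the least significant bit and nibble $n$ is bits $4n$ to $4n+3$. The decomposition is $E_0$ = rounds 0 and 1, $E_1$ = round 2, $E_2$ = round 3 plus the whitening key, so the single-bit fault hits the input of the third-from-last round, matching the SERPENT setting later in the talk. The one-round approximation for $E_1$ takes $\Gamma_P$ = bits 1 and 3 of nibble 2 (so $S_{\Gamma_P \to \Gamma_C} = \{9, 11\}$) and $\Gamma_C$ = output bit 2 of S-box 2, which the permutation leaves at bit 10; its bias is $|\varepsilon| = 1/4$, which the code checks from the linear approximation table. $K_g$ is the 4-bit whitening-key nibble under $\Gamma_C$. Keys, plaintexts and fault positions come from a seeded generator; none of it is real data.

```python
import random

# Toy 16-bit SPN constructed for this example (not the authors' code, not SERPENT).
# Nibble n occupies bits 4n..4n+3. S-box = DES S1 row 0, as in Heys' tutorial.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
SINV = [SBOX.index(v) for v in range(16)]
ROUNDS = 4                      # round keys rk[0..3]; rk[4] is the final whitening key

def sbox_layer(x):
    return sum(SBOX[(x >> (4 * n)) & 0xF] << (4 * n) for n in range(4))

def permute(x):
    # output bit t of S-box n (position 4n+t) moves to position 4t+n
    y = 0
    for p in range(16):
        if (x >> p) & 1:
            y |= 1 << (4 * (p % 4) + p // 4)
    return y

def encrypt(p, rk, fault=None):
    """Encrypt one block; fault=(r, b) flips bit b of the state at the input of round r."""
    x = p
    for r in range(ROUNDS):
        if fault is not None and fault[0] == r:
            x ^= 1 << fault[1]
        x = sbox_layer(x ^ rk[r])
        if r != ROUNDS - 1:     # no permutation after the last S-box layer
            x = permute(x)
    return x ^ rk[ROUNDS]

def parity(v):
    return bin(v).count("1") & 1

def lat_agreements(in_mask, out_mask):
    """Linear approximation table entry: number of x with in_mask.x == out_mask.S(x).
    8 means no bias; 4 or 12 means bias -1/4 or +1/4."""
    return sum(parity(in_mask & x) == parity(out_mask & SBOX[x]) for x in range(16))

# Decomposition E' = E2 o E1 o E0: E0 = rounds 0,1; E1 = round 2; E2 = round 3 + rk[4].
FAULT_ROUND = 2                 # faults hit the input of E1 (third-from-last round)
# One-round approximation for E1 on S-box 2: Gamma_P = 0xA (bits 1 and 3 of nibble 2,
# so S = {9, 11}); Gamma_C = output bit 2 of S-box 2, which permute() leaves at bit 10.
GAMMA_C_BIT = 10

def collect_pairs(rk, n_pairs, rng):
    """Step 1: correct/faulty ciphertext pairs; the fault position is unknown and uniform."""
    pairs = []
    for _ in range(n_pairs):
        p = rng.getrandbits(16)
        bit = rng.randrange(16)
        pairs.append((encrypt(p, rk), encrypt(p, rk, fault=(FAULT_ROUND, bit))))
    return pairs

def lfa_counters(pairs, gamma_c_bit=GAMMA_C_BIT):
    """Step 2: for each guess kg of the whitening-key nibble under Gamma_C, partially
    invert E2 and count parity agreements. The round-3 key on that nibble cancels in
    the XOR of the two partial decryptions, so only these 4 key bits are guessed."""
    nib, bit = divmod(gamma_c_bit, 4)
    counters = {}
    for kg in range(16):
        t = 0
        for c1, c2 in pairs:
            u1 = SINV[((c1 >> (4 * nib)) & 0xF) ^ kg]
            u2 = SINV[((c2 >> (4 * nib)) & 0xF) ^ kg]
            t += 1 if (((u1 ^ u2) >> bit) & 1) == 0 else -1
        counters[kg] = t
    return counters

def lfa_recover_nibble(pairs, gamma_c_bit=GAMMA_C_BIT):
    """Step 3: the guess with the largest |T_Kg| is taken as the subkey."""
    counters = lfa_counters(pairs, gamma_c_bit)
    return max(counters, key=lambda kg: abs(counters[kg])), counters

def demo(seed=2012, n_pairs=4000):
    """Run the whole attack on a random key; returns (recovered, true, counters)."""
    rng = random.Random(seed)
    rk = [rng.getrandbits(16) for _ in range(ROUNDS + 1)]
    pairs = collect_pairs(rk, n_pairs, rng)
    best, counters = lfa_recover_nibble(pairs)
    true_nibble = (rk[ROUNDS] >> (4 * (GAMMA_C_BIT // 4))) & 0xF
    return best, true_nibble, counters

if __name__ == "__main__":
    best, true_nibble, counters = demo()
    print("LAT entry for (0xA -> 0x4):", lat_agreements(0xA, 0x4), "of 16 (bias -1/4)")
    print("correct K_g nibble %x, recovered %x" % (true_nibble, best))
    for kg, t in sorted(counters.items(), key=lambda kv: -abs(kv[1])):
        print("  guess %x  T = %+d" % (kg, t))
```

Two caveats that the toy makes visible. First, because $E_1$ is a single round, a fault in one of the three inactive S-boxes leaves $\Gamma_C \cdot C$ unchanged with certainty rather than with probability $\tfrac12 + 2\varepsilon^2$, so this toy is easier than the heuristic predicts; only faults inside S-box 2 behave roughly as the slides' analysis says, and those landing in $S$ do push the correct counter down. Second, the wrong-key randomisation hypothesis can fail for a 4-bit S-box: the most significant output bit $h$ of this S-box's inverse satisfies $h(y \oplus 8) = h(y) \oplus 1$ for every $y$, so with $\Gamma_C$ on bit 3 of a nibble the guesses $k$ and $k \oplus 8$ would produce identical counters. The example uses output bit 2, whose inverse component has no such linear structure. Recovering the remaining nibbles of the whitening key needs further characteristics with $\Gamma_C$ on the other nibbles, which is why the SERPENT attack below uses twelve of them.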

A New Extension to Fault Attack: Linear Fault Analysis (LFA) (6/8)
Why does the attack work? Case 1: the guessed value of $K_g$ is correct. For any pair $(C_1^i, C_2^i)$ whose fault bit is not in $S_{\Gamma_P \to \Gamma_C}$, the equation $\Gamma_C \cdot E_2^{-1}(C_1^i) \oplus \Gamma_C \cdot E_2^{-1}(C_2^i) = 0$ holds with probability $\tfrac12 + 2\varepsilon^2$. For any pair whose fault bit is in $S_{\Gamma_P \to \Gamma_C}$, the fault flips $\Gamma_P \cdot P$, so $\Gamma_C \cdot E_2^{-1}(C_1^i) \oplus \Gamma_C \cdot E_2^{-1}(C_2^i) = 1$ holds with probability $\tfrac12 + 2\varepsilon^2$. Thus in this case $|T_{K_g}|$ can be estimated by the following formula:

A New Extension to Fault Attack: Linear Fault Analysis (LFA) (7/8)
Why does the attack work? (continued) Case 2: the guessed value of $K_g$ is wrong. By the wrong-key randomisation hypothesis, a wrong guess of $K_g$ makes the parity $\Gamma_C \cdot E_2^{-1}(C_1^i) \oplus \Gamma_C \cdot E_2^{-1}(C_2^i)$ look random, so $T_{K_g}$ has expectation close to 0. Therefore, given sufficiently many ciphertext pairs $(C_1^i, C_2^i)$, the key recovery attack above distinguishes the correct value of $K_g$ from all wrong guesses.

A New Extension to Fault Attack: Linear Fault Analysis (LFA) (8/8)
The number of ciphertext pairs required by our key recovery attack can be estimated by the following formula:
Moreover, a similar result can be derived for linear fault analysis under the single-byte fault model.
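The two estimates referred to on the last slides (the size of $|T_{K_g}|$ for the correct key and the number of pairs $N$) did not survive in this transcript. What follows is an added derivation, not the authors' formula, under two extra assumptions: the fault position is uniform over the $n$ input bits of $E_1$, and the approximation holds independently in the correct and the faulty run. Write $s = |S_{\Gamma_P \to \Gamma_C}|$.

Each pair whose fault bit lies outside $S$ adds $+1$ to $T_{K_g}$ with probability $\tfrac12 + 2\varepsilon^2$ and $-1$ otherwise, so its expected contribution is $(\tfrac12 + 2\varepsilon^2) - (\tfrac12 - 2\varepsilon^2) = 4\varepsilon^2$; a pair whose fault bit lies inside $S$ contributes $-4\varepsilon^2$ in expectation. For the correct guess this gives
$$
\mathbb{E}\,[T_{K_g}] = N\Big(\frac{n-s}{n}\cdot 4\varepsilon^2 - \frac{s}{n}\cdot 4\varepsilon^2\Big) = 4\varepsilon^2 N\Big(1 - \frac{2s}{n}\Big),
\qquad
|T_{K_g}| \approx 4\varepsilon^2 N\Big(1 - \frac{2s}{n}\Big).
$$
For a wrong guess, $T_{K_g}$ is a sum of $N$ independent $\pm 1$ terms of mean $0$, so its standard deviation is $\sqrt{N}$. Requiring the correct-key counter to exceed $c$ standard deviations of a wrong-key counter (with $c$ a small constant chosen for the desired success probability against the $2^{|K_g|} - 1$ wrong guesses) gives
$$
4\varepsilon^2 N\Big(1 - \frac{2s}{n}\Big) \ge c\sqrt{N}
\;\Longleftrightarrow\;
N \ge \frac{c^2}{16\,\varepsilon^4\,(1 - 2s/n)^2}.
$$
The factor $(1 - 2s/n)$ is the price of not controlling the fault position: the pairs whose fault bit falls inside $S$ cancel part of the signal, and the estimate degenerates as $s$ approaches $n/2$.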

A Key Recovery Attack on SERPENT by Using LFA (1/7)
The SERPENT block cipher:
proposed by Anderson, Biham and Knudsen in 1998
an AES candidate; in the final vote it was rated just behind Rijndael
classical SPN structure with 32 rounds
block size: 128 bits
key size: 128, 192 or 256 bits
(schematic description of SERPENT on the right side of the slide)

A Key Recovery Attack on SERPENT by Using LFA (2/7)
Current status of fault analysis of SERPENT: so far there is no known fault attack on SERPENT that works by inducing faults in a round earlier than the penultimate round.
Countermeasure against fault attacks on SERPENT: taking the cost and efficiency of the implementation into account, it could be implemented by protecting only the last two rounds of the cipher. However, our attack shows that LFA is a threat to such a protected implementation of SERPENT.

A Key Recovery Attack on SERPENT by Using LFA (3/7)
Assume that single-bit faults can be injected repeatedly and at random positions at the input of round 29 of SERPENT (that is, the third-from-last round; rounds are numbered 0 to 31). We construct twelve 2-round linear characteristics $\Gamma_P^i \to \Gamma_C^i$ ($1 \le i \le 12$) covering rounds 29 and 30 of SERPENT, and from them derive twelve distinguishers for the 31 rounds from round 0 to round 30 of SERPENT, as follows:

A Key Recovery Attack on SERPENT by Using LFA (4/7), (5/7), (6/7)
Linear characteristics used in our attack (listed on the slides, continued over three slides).

A Key Recovery Attack on SERPENT by Using LFA (7/7)
By applying the above twelve distinguishers one after another, we recover all 128 bits of $K_{32}$. We then strip the last round by decrypting with $K_{32}$ and mount the same attack on the reduced-round cipher to recover the 128 bits of $K_{31}$.
Attack complexity:
data complexity: correct/faulty ciphertext pairs
time complexity: SERPENT encryptions
memory complexity: bytes

Conclusion and Discussion (1/2)
We have proposed a new extension of fault attacks on block ciphers, linear fault analysis (LFA), in which linear cryptanalysis is carefully combined with fault attacks. To illustrate the effectiveness of LFA, we applied it to SERPENT and obtained the best fault-attack result on SERPENT known to date.

Conclusion and Discussion (2/2)
Note that the data complexity of our key recovery attack on SERPENT seems impractical for real cryptographic devices, but the attack does show that LFA is a potential threat to implementations of block ciphers that were previously considered protected against fault attacks. For a block cipher, the number of protected rounds must be chosen very carefully in order to prevent security flaws while keeping the implementation economical and efficient. We hope that LFA can help in determining this number.

Q&A
Thanks!