Linear Fault Analysis of Block Ciphers. Zhiqiang Liu (1), Dawu Gu (1), Ya Liu (1), Wei Li (2). (1) Shanghai Jiao Tong University, (2) Donghua University. ACNS 2012, June.

1 Linear Fault Analysis of Block Ciphers
Zhiqiang Liu (1), Dawu Gu (1), Ya Liu (1), Wei Li (2)
(1) Shanghai Jiao Tong University, (2) Donghua University
ACNS 2012, June 28, 2012

2 Outline (Shanghai Jiao Tong University, http://LoCCS.sjtu.edu.cn)
Brief Introduction of Fault Attack
A New Extension to Fault Attack: Linear Fault Analysis (LFA)
A Key Recovery Attack on SERPENT by Using LFA
Conclusion and Discussion

3 Brief Introduction of Fault Attack (1/5)
Fault analysis is a class of implementation attacks that disturb cryptographic computations so as to recover secret keys. At Eurocrypt 1996, Boneh et al. first proposed the idea of a fault attack. At Crypto 1997, Biham et al. presented an extension of that approach, Differential Fault Analysis (DFA).

4 Brief Introduction of Fault Attack (2/5)
About fault injection: an attacker is able to deliberately interfere with the normal operation of the device, using voltage variations, clock glitches or lasers, so as to induce faults. A laser of suitable energy and wavelength can disturb fixed parts of the memory or registers without damaging them, producing a single-bit or single-byte error in a chosen part of the internal state.

5 Brief Introduction of Fault Attack (3/5)
Basic idea of differential fault analysis (DFA):
[figure: a cryptographic device runs its cryptographic procedures on the input X = 1|1|0|0|1|0|1|0 and outputs the correct ciphertext Y = 0|1|0|0|0|0|1|1; the same input X is encrypted again while a fault (radiation, X-ray, micro-probe) is injected at an internal round, so that the intermediate state differs in a single bit (1|0|0|0|0|0|1|1 vs. 1|0|0|0|1|0|1|1) and the faulty ciphertext Y* = 1|1|0|1|1|1|0|1 comes out. The attacker works from the difference ΔY = Y ⊕ Y* = 1|0|0|1|1|1|1|0.]

6 Brief Introduction of Fault Attack (4/5)
Research work on DFA: DFA has been used as an effective cryptanalytic tool to evaluate the security of various block ciphers such as DES, AES, IDEA, CLEFIA, SMS4, ARIA, Camellia, and so on. Several extensions of DFA have been presented in order to make fault attacks more efficient.

7 Brief Introduction of Fault Attack (5/5)
General countermeasure against DFA: DFA techniques basically target the last few rounds of a block cipher, i.e., faults are triggered in the last few rounds so as to induce information leakage. The general countermeasure against DFA is therefore to protect the last few rounds of the cipher by means of redundancy. Because redundancy is expensive, practical implementations meant to thwart DFA protect as few rounds as possible.

8 A New Extension to Fault Attack: Linear Fault Analysis (LFA) (1/8)
We apply the idea of linear cryptanalysis to fault attacks for the first time and present a new fault attack on block ciphers called linear fault analysis (LFA).
Fault model and assumptions in LFA: a random single-bit or single-byte fault is induced at a certain round. The values and the positions (within the affected round) of the faults injected by the attacker are unknown and uniformly distributed.

9 A New Extension to Fault Attack: Linear Fault Analysis (LFA) (2/8)
Basic idea of LFA:

10 A New Extension to Fault Attack: Linear Fault Analysis (LFA) (3/8)
How does LFA work? Let $E$ be a block cipher and decompose it as $E = E_1 \circ E_0$. Let $\Gamma_P \cdot P \oplus \Gamma_C \cdot C = \Gamma_K \cdot K$ (also written $\Gamma_P \to \Gamma_C$) be a linear approximation for $E_1$ that holds with probability $\tfrac12 + \varepsilon$, where $P$ and $C$ are the input and output of $E_1$. Let $S_{\Gamma_P \to \Gamma_C}$ be the set of bit positions of $P$ that appear in the term $\Gamma_P \cdot P$, i.e. the positions where $\Gamma_P$ is 1. Suppose the attacker can repeatedly induce single-bit faults at the input of $E_1$ and the faulty bit does not belong to $S_{\Gamma_P \to \Gamma_C}$; then $\Gamma_P \cdot P$ is the same for the correct and the faulty computation, the key term $\Gamma_K \cdot K$ cancels, and the attacker obtains a distinguisher $\Gamma_C \cdot C_1 \oplus \Gamma_C \cdot C_2 = 0$ for $E$ that holds with probability $\tfrac12 + 2\varepsilon^2$ (piling-up lemma over the two approximations), where $C_1$ and $C_2$ are the correct and the faulty output.

11 A New Extension to Fault Attack: Linear Fault Analysis (LFA) (4/8)
How does LFA work? (continued) Based on the above distinguisher, we can mount a key recovery attack on $E' = E_2 \circ E = E_2 \circ E_1 \circ E_0$ by guessing the part of the subkey information used in $E_2$.
Attack procedure. Step 1. Given the linear characteristic $\Gamma_P \to \Gamma_C$ for $E_1$, collect $N$ pairs of ciphertexts $(C_i^1, C_i^2)$, $1 \le i \le N$, where $C_i^1$ is the correct ciphertext of a plaintext under $E'$ and $C_i^2$ is the faulty ciphertext of the same plaintext obtained by injecting a single-bit fault at an arbitrary (unknown) position of the input of $E_1$.

12 A New Extension to Fault Attack: Linear Fault Analysis (LFA) (5/8)
How does LFA work? (continued) Step 2. Let $K_g$ denote the subkey information of $E_2$ on which the term $\Gamma_C \cdot E_2^{-1}(C_i^j)$ depends. For each possible value of $K_g$: initialize a counter $T_{K_g}$ to 0; for each ciphertext pair $(C_i^1, C_i^2)$, partially decrypt $C_i^1$ and $C_i^2$ through $E_2$ and compute the parity $\Gamma_C \cdot E_2^{-1}(C_i^1) \oplus \Gamma_C \cdot E_2^{-1}(C_i^2)$; if the parity is 0, increase $T_{K_g}$ by 1, otherwise decrease it by 1; finally store $K_g$ together with $|T_{K_g}|$.
Step 3. Among all values of $K_g$, take as the correct subkey information the one whose $|T_{K_g}|$ is maximal.

13 A New Extension to Fault Attack: Linear Fault Analysis (LFA) (6/8)
Why does the attack work? Case 1: the guessed value of $K_g$ is correct. For a pair $(C_i^1, C_i^2)$ in which the single-bit fault at the input of $E_1$ hit a bit outside $S_{\Gamma_P \to \Gamma_C}$, the equation $\Gamma_C \cdot E_2^{-1}(C_i^1) \oplus \Gamma_C \cdot E_2^{-1}(C_i^2) = 0$ holds with probability $\tfrac12 + 2\varepsilon^2$. For a pair in which the fault hit a bit inside $S_{\Gamma_P \to \Gamma_C}$, the fault flips $\Gamma_P \cdot P$, so $\Gamma_C \cdot E_2^{-1}(C_i^1) \oplus \Gamma_C \cdot E_2^{-1}(C_i^2) = 1$ holds with probability $\tfrac12 + 2\varepsilon^2$. Thus in this case $|T_{K_g}|$ can be estimated by the following formula: [formula not reproduced in the transcript]
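Added derivation (not part of the slide; $N_{\mathrm{out}}$, $N_{\mathrm{in}}$ and $n$ are notation introduced here, and the two probabilities are taken as independent across pairs): write $N = N_{\mathrm{out}} + N_{\mathrm{in}}$ for the numbers of pairs whose faulty bit lies outside, respectively inside, $S_{\Gamma_P \to \Gamma_C}$. A pair that yields parity 0 with probability $p$ contributes $2p - 1$ to $T_{K_g}$ in expectation, so with the two probabilities of Case 1

$$\mathbb{E}[T_{K_g}] = N_{\mathrm{out}}\bigl(2(\tfrac12 + 2\varepsilon^2) - 1\bigr) + N_{\mathrm{in}}\bigl(2(\tfrac12 - 2\varepsilon^2) - 1\bigr) = 4\varepsilon^2\,(N_{\mathrm{out}} - N_{\mathrm{in}}).$$

If the faulty bit is uniform over the $n$ input bits of $E_1$, then $N_{\mathrm{in}} \approx N\,|S_{\Gamma_P \to \Gamma_C}|/n$ and hence

$$|\mathbb{E}[T_{K_g}]| \approx 4\varepsilon^2 N\left(1 - \frac{2\,|S_{\Gamma_P \to \Gamma_C}|}{n}\right),$$

so a characteristic with few active input bits (small $|S_{\Gamma_P \to \Gamma_C}|$) gives the stronger signal, and the signal vanishes entirely when half of the input bits are active.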

14 A New Extension to Fault Attack: Linear Fault Analysis (LFA) (7/8)
Why does the attack work? (continued) Case 2: the guessed value of $K_g$ is wrong. Under the Wrong-Key Randomization Hypothesis, a wrong guess of $K_g$ makes the parity $\Gamma_C \cdot E_2^{-1}(C_i^1) \oplus \Gamma_C \cdot E_2^{-1}(C_i^2)$ look random, so in this case $|T_{K_g}|$ is close to 0. Therefore, given sufficiently many ciphertext pairs $(C_i^1, C_i^2)$, the above key recovery attack distinguishes the correct value of $K_g$ from all wrong guesses.

15 A New Extension to Fault Attack: Linear Fault Analysis (LFA) (8/8)
The number of ciphertext pairs required by our key recovery attack can be estimated by the following formula: [formula not reproduced in the transcript]
Moreover, a similar result holds for linear fault analysis under the single-byte fault model.
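As an added worked example (constructed for this page; it is neither the authors' code nor SERPENT), the following Python script runs Steps 1 to 3 above against a toy 16-bit, 4-round SPN assembled from the 4-bit S-box and the bit permutation of Heys' cryptanalysis tutorial, with five independent random round keys and no key schedule. The toy takes $E_0$ = rounds 0 and 1, $E_1$ = round 2 (single-bit faults are injected at its input) and $E_2$ = round 3 followed by the final key $K[4]$; the one-round characteristic for $E_1$ is S-box 1 with input mask 0xA and output mask 0x4 (bias $-1/4$, checked by `linear_bias`), so $\Gamma_C$ lands on a single S-box of $E_2$ and $K_g$ is one nibble of $K[4]$. Every function name, the cipher itself, the seeds and the sample sizes are assumptions of this example. Because $E_1$ here is a single S-box layer, the agreement probabilities of the distinguisher are exact rather than the idealised $\tfrac12 \pm 2\varepsilon^2$: 1/4 for a fault in $S_{\Gamma_P \to \Gamma_C}$, 1/2 for the other two bits of the active S-box, and 1 for a fault in any of the three other S-boxes (which never reach $\Gamma_C$ within one round); the piling-up estimate on the slide assumes the fault diffuses through several rounds, as in the two-round SERPENT characteristics.

```python
import random

# 4-bit S-box and bit permutation from Heys' cryptanalysis tutorial (constructed toy, not SERPENT).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
SBOX_INV = [SBOX.index(v) for v in range(16)]
ROUNDS = 4        # E0 = rounds 0-1, E1 = round 2, E2 = round 3 plus the final key K[4]
FAULT_ROUND = 2   # single-bit faults hit the state at the input of this round (= input of E1)

def parity(x):
    return bin(x).count("1") & 1

def linear_bias(a, b):
    """Bias eps of the S-box approximation a.x = b.S(x), which holds with probability 1/2 + eps."""
    hits = sum(parity(a & x) == parity(b & SBOX[x]) for x in range(16))
    return hits / 16 - 0.5

def sbox_layer(x):
    return sum(SBOX[(x >> s) & 0xF] << s for s in (12, 8, 4, 0))

def _perm_table():
    # Output bit t of S-box j becomes input bit j of S-box t (bits numbered MSB-first inside a nibble).
    tab = [[0] * 16 for _ in range(4)]
    for j in range(4):
        for v in range(16):
            for t in range(4):
                if (v >> (3 - t)) & 1:
                    tab[j][v] |= 1 << (15 - (4 * t + j))
    return tab

PERM_TAB = _perm_table()

def permute(x):
    return (PERM_TAB[0][x >> 12] | PERM_TAB[1][(x >> 8) & 0xF]
            | PERM_TAB[2][(x >> 4) & 0xF] | PERM_TAB[3][x & 0xF])

def encrypt(pt, keys, fault_bit=None):
    """Toy SPN; fault_bit (0 = LSB .. 15) flips one state bit at the input of FAULT_ROUND."""
    x = pt
    for r in range(ROUNDS):
        if r == FAULT_ROUND and fault_bit is not None:
            x ^= 1 << fault_bit
        x = sbox_layer(x ^ keys[r])
        if r != ROUNDS - 1:
            x = permute(x)
    return x ^ keys[ROUNDS]

# One-round characteristic Gamma_P -> Gamma_C for E1: S-box 1 with input mask 0xA (X1 xor X3) and
# output mask 0x4 (Y2), bias -1/4.  S_{Gamma_P -> Gamma_C} is the set of bit positions set in GAMMA_P.
GAMMA_P = 0x0A00
GAMMA_C = permute(0x0400)   # output mask pushed through the permutation: 0x0400, one bit of S-box 1 of E2

def fault_in_S(fault_bit):
    return bool((GAMMA_P >> fault_bit) & 1)

def _active_nibble(mask):
    return next(j for j in range(4) if (mask >> (12 - 4 * j)) & 0xF)

def make_keys(seed):
    rng = random.Random(seed)
    return [rng.getrandbits(16) for _ in range(ROUNDS + 1)], rng   # independent round keys, no schedule

def collect_pairs(keys, n_pairs, rng):
    """Step 1: (correct, faulty) ciphertext pairs; the fault position is random and unknown to the attacker."""
    pairs = []
    for _ in range(n_pairs):
        pt = rng.getrandbits(16)
        pairs.append((encrypt(pt, keys), encrypt(pt, keys, rng.randrange(16))))
    return pairs

def recover_key_nibble(pairs, gamma_c=GAMMA_C):
    """Steps 2-3: for every guess g of the K[4] nibble under Gamma_C, count the parity of
    Gamma_C.E2^{-1}(C1) xor Gamma_C.E2^{-1}(C2) (K[3] cancels); return (best guess, |T_Kg| per guess)."""
    shift = 12 - 4 * _active_nibble(gamma_c)
    cmask = (gamma_c >> shift) & 0xF
    counters = []
    for g in range(16):
        bit = [parity(SBOX_INV[c ^ g] & cmask) for c in range(16)]   # partial decryption under guess g
        t = 0
        for c1, c2 in pairs:
            t += 1 if bit[(c1 >> shift) & 0xF] == bit[(c2 >> shift) & 0xF] else -1
        counters.append(abs(t))
    return max(range(16), key=counters.__getitem__), counters

def true_key_nibble(keys, gamma_c=GAMMA_C):
    return (keys[ROUNDS] >> (12 - 4 * _active_nibble(gamma_c))) & 0xF

def distinguisher_rate(keys, fault_bit, n, rng):
    """Simulator-side check with the true key: fraction of pairs whose two partial-decryption
    parities agree when every fault hits fault_bit."""
    shift = 12 - 4 * _active_nibble(GAMMA_C)
    bit = [parity(SBOX_INV[c ^ true_key_nibble(keys)] & ((GAMMA_C >> shift) & 0xF)) for c in range(16)]
    same = 0
    for _ in range(n):
        pt = rng.getrandbits(16)
        same += bit[(encrypt(pt, keys) >> shift) & 0xF] == bit[(encrypt(pt, keys, fault_bit) >> shift) & 0xF]
    return same / n

def run_attack(seed=2012, n_pairs=16384):
    keys, rng = make_keys(seed)
    best, counters = recover_key_nibble(collect_pairs(keys, n_pairs, rng))
    return best, true_key_nibble(keys), counters

if __name__ == "__main__":
    best, truth, counters = run_attack()
    print("recovered K[4] nibble %x (true %x)" % (best, truth))
    print("|T_Kg|/N per guess:", " ".join("%.2f" % (c / 16384) for c in counters))
```

With the fault position uniform over the 16 state bits, the correct guess scores $|T_{K_g}|/N \approx 12/16 - 1/16 = 11/16$ (twelve of sixteen positions leave $\Gamma_C$ untouched, two positions in $S_{\Gamma_P \to \Gamma_C}$ flip the parity three times out of four, the remaining two give no information), while a wrong guess is equivalent to extracting a nonlinear function of the $E_2$ S-box input and stays well below. One caveat that such a tiny S-box makes visible: the Wrong-Key Randomization Hypothesis does not hold automatically. For this S-box the top output bit of $S^{-1}$ satisfies $\mathrm{msb}(S^{-1}(v \oplus 8)) = \mathrm{msb}(S^{-1}(v)) \oplus 1$ for every $v$, so a $\Gamma_C$ landing on that bit would give the guesses $g$ and $g \oplus 8$ identical counters; the example therefore places $\Gamma_C$ on the second output bit, which has no such linear structure.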

16 A Key Recovery Attack on SERPENT by Using LFA (1/7)
The SERPENT block cipher: proposed by Anderson et al. in 1998; as an AES candidate it was ranked just behind Rijndael, the eventual AES; a classical SPN structure with 32 rounds; block size 128 bits; key size 128, 192 or 256 bits. [Schematic description of SERPENT on the right side of the slide, not reproduced.]

17 A Key Recovery Attack on SERPENT by Using LFA (2/7)
Current status of fault analysis of SERPENT: so far there is no known fault attack on SERPENT that works with faults induced in a round earlier than the penultimate round of the cipher.
Countermeasure against fault attacks on SERPENT: taking the cost and efficiency of the implementation into account, it could be implemented by protecting only the last two rounds of the cipher. However, our attack shows that LFA can be a threat to such a protected implementation of SERPENT.

18 A Key Recovery Attack on SERPENT by Using LFA (3/7)
Assume that single-bit faults can be injected repeatedly, at random positions, at the input of round 29 of SERPENT (the third round from the end; the rounds are numbered 0 to 31). We construct twelve 2-round linear characteristics $\Gamma_{P_i} \to \Gamma_{C_i}$ ($1 \le i \le 12$) covering rounds 29 and 30 of SERPENT, from which twelve distinguishers for the 31 rounds from round 0 to round 30 of SERPENT are derived as below:

19 A Key Recovery Attack on SERPENT by Using LFA (4/7)
Linear characteristics used in our attack:

20 A Key Recovery Attack on SERPENT by Using LFA (5/7)
Linear characteristics used in our attack (continued):

21 A Key Recovery Attack on SERPENT by Using LFA (6/7)
Linear characteristics used in our attack (continued):

22 A Key Recovery Attack on SERPENT by Using LFA (7/7)
By applying the twelve distinguishers one after another, we recover all 128 bits of $K_{32}$. We then strip the last round by decrypting with $K_{32}$ and mount the same attack on the reduced-round cipher to obtain the 128 bits of $K_{31}$.
Attack complexity: data complexity $2^{23.14}$ correct/faulty ciphertext pairs; time complexity $2^{31.73}$ SERPENT encryptions; memory complexity $2^{26.14}$ bytes.

23 Conclusion and Discussion (1/2)
We have proposed a new extension of fault attacks on block ciphers, linear fault analysis (LFA), in which linear cryptanalysis is carefully combined with fault injection. To illustrate the effectiveness of LFA, we have applied it to SERPENT and obtained the best cryptanalytic result on SERPENT with respect to fault attacks to date.

24 Conclusion and Discussion (2/2)
Note that the data complexity of our key recovery attack on SERPENT seems impractical for real cryptographic devices, but the attack does show that LFA can be a potential threat to implementations of block ciphers that were previously considered protected against fault attacks. For a block cipher, the number of protected rounds must be chosen very carefully in order to avoid security flaws while keeping the implementation economical and efficient. We hope that LFA can help in determining this number.

25 Q&A
Thanks!

