A First DFA on PRIDE: from Theory to Practice
Works presentation at CRiSIS 2016
Benjamin Lac (1,5), Marc Beunardeau (2,6), Anne Canteaut (3), Jacques J.A. Fournier (1), Renaud Sirdey (4)
1 CEATech/DPACA, Gardanne, France; 2 Ingenico Labs, Paris, France; 3 Inria, Paris, France; 4 CEATech/LIST, Saclay, France; 5 ENSM-SE, Saint-Étienne, France; 6 ENS, Paris, France
{benjamin.lac, jacques.fournier, renaud.sirdey}@cea.fr, marc.beunardeau@ingenico.com, anne.canteaut@inria.fr
September 7th, 2016
Outline
1 The PRIDE block cipher: The structure of PRIDE; The PRIDE round function
2 Differential Fault Analysis of PRIDE: General principle; Differential properties of the PRIDE S-box; Properties that make the attack effective
3 Practical implementation of the DFA on PRIDE: Implementation of the device; Exploitation of obtained faults
4 Countermeasures: Duplication of computations; Desynchronization; Masking
5 Conclusion and perspectives
Benjamin Lac, DRT/CEATech/DPACA/LSAS, Works presentation at CRiSIS 2016, September 7th, 2016
Section 1: The PRIDE block cipher
The PRIDE block cipher: The structure of PRIDE (slide 1 of 19)
Iterative block cipher composed of 20 rounds, introduced by Albrecht et al. in 2014. It takes as input a 64-bit block and uses a 128-bit key $k = k_0 \| k_1$.
[Figure: overall structure. The message $M$ passes through $P^{-1}$, is XORed with $k_0$, goes through 19 rounds $R$ keyed by $f_1(k_1), f_2(k_1), \dots, f_{19}(k_1)$ and a final round $R'$ keyed by $f_{20}(k_1)$, is XORed with $k_0$ again, and passes through $P$ to give the ciphertext $C$.]
The key scheduling: we denote by $k_1^i$ the $i$-th byte of $k_1$; then, for round $r$,
$$f_r(k_1) = k_1^0 \| g_r^{(0)}(k_1^1) \| k_1^2 \| g_r^{(1)}(k_1^3) \| k_1^4 \| g_r^{(2)}(k_1^5) \| k_1^6 \| g_r^{(3)}(k_1^7)$$
with $g_r^{(i)}(x) = (x + C_i \cdot r) \bmod 256$, where $C_i$ is a constant.
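The slide states the key schedule only as a formula. The following Python model is an added example, not code from the slides or from the PRIDE designers; it implements $f_r$ and $g_r^{(i)}$ exactly as written above and makes two consequences of that formula visible: the even-indexed bytes of $k_1$ are copied unchanged into every round key, and each $g_r^{(i)}$ is an addition modulo 256, hence a bijection, so any single round key determines $k_1$ completely. An implementation therefore has to protect every round key as strictly as the master key. The four constants $C_i$ are not given on the slide, so the values below are constructed placeholders (the real ones are in the PRIDE specification); the byte order $k_1^i = $ `k1[i]` and the function names are my assumptions.

```python
# Added example, not code from the slides or from the PRIDE designers: a model of
# the PRIDE key schedule f_r(k1) as stated on the slide, with the round constants
# C_i left as constructed placeholders (the real values are in the PRIDE
# specification by Albrecht et al. and are not given on the slide).

from typing import List, Sequence, Tuple

# Constructed placeholder constants C_0..C_3 -- NOT the real PRIDE constants.
PLACEHOLDER_CONSTANTS: Tuple[int, int, int, int] = (0x11, 0x22, 0x33, 0x44)

ROUNDS = 20


def g(i: int, r: int, x: int, constants: Sequence[int] = PLACEHOLDER_CONSTANTS) -> int:
    """g_r^(i)(x) = (x + C_i * r) mod 256, applied to one key byte."""
    return (x + constants[i] * r) % 256


def g_inverse(i: int, r: int, y: int, constants: Sequence[int] = PLACEHOLDER_CONSTANTS) -> int:
    """Inverse of g: subtraction mod 256, so every g_r^(i) is a bijection on bytes."""
    return (y - constants[i] * r) % 256


def split_key(k: bytes) -> Tuple[bytes, bytes]:
    """k = k0 || k1: a 128-bit key split into two 64-bit halves, k0 first (as on the slide)."""
    if len(k) != 16:
        raise ValueError("PRIDE key must be 128 bits")
    return k[:8], k[8:]


def round_key(k1: bytes, r: int, constants: Sequence[int] = PLACEHOLDER_CONSTANTS) -> bytes:
    """f_r(k1): even-indexed bytes are copied, odd byte 2i+1 goes through g_r^(i).

    Assumption: the slide's k1^i (i-th byte of k1) is k1[i], i.e. byte 0 first.
    """
    if len(k1) != 8:
        raise ValueError("k1 must be 64 bits")
    if not 1 <= r <= ROUNDS:
        raise ValueError("round index must be in 1..20")
    out = bytearray(k1)
    for i in range(4):
        out[2 * i + 1] = g(i, r, k1[2 * i + 1], constants)
    return bytes(out)


def all_round_keys(k1: bytes, constants: Sequence[int] = PLACEHOLDER_CONSTANTS) -> List[bytes]:
    """f_1(k1), ..., f_20(k1) in order."""
    return [round_key(k1, r, constants) for r in range(1, ROUNDS + 1)]


def recover_k1_from_round_key(rk: bytes, r: int,
                              constants: Sequence[int] = PLACEHOLDER_CONSTANTS) -> bytes:
    """Invert f_r: since each g_r^(i) is a bijection, one round key determines k1."""
    out = bytearray(rk)
    for i in range(4):
        out[2 * i + 1] = g_inverse(i, r, rk[2 * i + 1], constants)
    return bytes(out)


def invariant_byte_positions(round_keys: Sequence[bytes]) -> List[int]:
    """Byte positions that are identical in every round key (the un-updated half of k1)."""
    return [j for j in range(8) if len({rk[j] for rk in round_keys}) == 1]


if __name__ == "__main__":
    k = bytes(range(16))  # constructed sample key, not a real test vector
    k0, k1 = split_key(k)
    rks = all_round_keys(k1)
    print("k0 =", k0.hex(), " k1 =", k1.hex())
    for r, rk in enumerate(rks, start=1):
        print(f"f_{r:2d}(k1) = {rk.hex()}")
    print("bytes of k1 unchanged in every round key:", invariant_byte_positions(rks))
    # Any round key, here the last one, gives k1 back by subtraction.
    assert recover_k1_from_round_key(rks[19], 20) == k1
```

Run with `python3 pride_key_schedule.py` (file name is yours to choose); the printed list of invariant positions is `[0, 2, 4, 6]` for any $k_1$, which follows from the formula and not from the placeholder constants.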
The PRIDE block cipher: The PRIDE round function (slide 2 of 19)
[Figure: round $r$. The round input $I_r$ is XORed bit-wise with the round key $P^{-1}(f_r(k_1))$ to give $X_r$; a layer of 16 S-boxes $S$ gives $Y_r$; the bit permutation $P$ gives $Z_r$; the four linear layers $L_0, L_1, L_2, L_3$ give $W_r$; and $P^{-1}$ gives the round output $O_r$. The bracket labelled $R'$ covers only the key addition and the S-box layer; the bracket labelled $R$ extends through $P$, $L_0$ to $L_3$ and $P^{-1}$.]
Section 2: Differential Fault Analysis of PRIDE
Differential Fault Analysis of PRIDE: General principle (slide 3 of 19)
Injecting faults on $Z_{19}$
[Figure: the last two rounds with the fault injection point. Round 19: the S-box layer output $Y_{19}$ passes through $P$ to give $Z_{19}$, then through $L_0, L_1, L_2, L_3$ to give $W_{19}$, then through $P^{-1}$ to give $O_{19} = I_{20}$. Round 20 ($R'$): $I_{20} \oplus P^{-1}(f_{20}(k_1)) = X_{20}$, the S-box layer gives $Y_{20} = O_{20}$, then $O_{20} \oplus k_0 = P^{-1}(C)$ and $P$ gives the ciphertext $C$. The fault is injected on $Z_{19}$.]