differential analysis of round reduced aes faulty
play

Differential Analysis of Round-Reduced AES Faulty Ciphertexts - PowerPoint PPT Presentation

Nov 11, 2022 •436 likes •591 views

DFT 2013 Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max Dutertre Assia Tria Outline Introduction State-of-the-art of the Round Reduction Analysis Theory of our attacks and the realizations

  1. DFT 2013 Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max Dutertre Assia Tria

  2. Outline • Introduction • State-of-the-art of the Round Reduction Analysis • Theory of our attacks and the realizations • Summary and conclusion 2

  3. Introduction AES-128 • is a widely-used symmetric encryption algorithm • includes 10 rounds (after a short initial round) • uses a 128-bit key K and ten derived round keys 3

  4. Problem • Many symmetric cryptographic algorithms are based on the iteration of identical transformation sequences (rounds). • A significant part of these algorithms’ strength against cryptanalysis is based on their iterated rounds. • How much the round reduction attacks are realistic and threatening? Context: Laser fault injection on an unprotected 8-bit 16 MHz 0.35 µ m microcontroller with an embedded AES 4

  5. Fault Injection Means K ¡ Vcc 0 5

  6. Round Reduction Analysis A Round Reduction is an attack for skipping one or several iterative rounds due to a fault injection. A Round Reduction Analysis is a technique for finding the secret key. The technique compares a round-reduced ciphertext to a corresponding reference value (e.g. the corresponnding plaintext or the correct ciphertext). 6

  7. The State-of-the-Art of RRA Three RRA on AES are reported since 2005: They resort to the DFA (Differential Fault Analysis) and use the corresponding plaintext or ciphertext as the reference. • Is there any other potential RR attack and analysis? • Does protecting the two first and the two last rounds suffice to disable the RRA threats? 7

  8. Attack Scenarios R max is a variable in order to select between 128, 192 and 256 versions 8

  9. A General RRA • In theory, two corresponding round-reduced encryptions which differ in only one round may be analyzed in order to reveal the key. The differential analysis requires two texts. • In practice, the analysis is feasible when the Rmax is targeted. However, when the fault is injected into the RC , the encryption includes invalid round key values. Thus, two corresponding round-reduced encryptions which differ in two rounds are needed in order to reveal the key. 9

  10. A General RRA Because, the fault increases the RC to higher than the Rmax value. Thus, the algorithm searches for the invalid key values in the memory. For instance: 10

  11. MicroPackS Laser Bench 11

  12. Summary 12

  13. Conclusion • RR attacks are more realistic and more threatening than what they are usually considered on the unprotected circuit. • They can be carried out at any round by targeting the round- controlling values. • Protecting only the two first and the two last rounds does not suffice to disable the RRA threats. • In this study, we reported our improvement for one former technique and we realized 3 new attacks. 13

  14. Thank you for your attention assia.tria@cea.fr 14

Recommend

Truncated Differential Analysis of Reduced-Round LBlock Sareh Emami, Cameron McDonald, Josef

Truncated Differential Analysis of Reduced-Round LBlock Sareh Emami, Cameron McDonald, Josef

Truncated Differential Analysis of Reduced-Round LBlock Sareh Emami, Cameron McDonald, Josef Pieprzyk and Ron Steinfeld Joint work between Macquarie University , Qualcomm Inc. Australia and Monash University CANS 2013, Paraty, Brazil Outline

429 views • 30 slides
Practical Analysis of Reduced-Round K ECCAK Mar a Naya-Plasencia, Andrea R ock and Willi

Practical Analysis of Reduced-Round K ECCAK Mar a Naya-Plasencia, Andrea R ock and Willi

Practical Analysis of Reduced-Round K ECCAK Mar a Naya-Plasencia, Andrea R ock and Willi Meier Indocrypt 2011 1 / 28 Overview Sponge construction and K ECCAK Previous analysis results Differentials in K ECCAK Differential

311 views • 28 slides
New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya Liu 1 ,

New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya Liu 1 ,

New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia Ya Liu 1 , Leibo Li 2 , Dawu Gu 1 , Xiaoyun Wang 2,3 , Zhiqiang Liu 1 , Jiazhe Chen 2 , Wei Li 4 1. Shanghai Jiao Tong University, 2. Shangdong University 3.

472 views • 25 slides
Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced AES Lorenzo Grassi, IAIK, TU Graz (Austria) March, 2019 www.iaik.tugraz.at Motivation At Eurocrypt 2017, the first secret-key distinguisher for

576 views • 42 slides
Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and Memory Complexities Orr Dunkelman Achiya Bar-On Eyal Ronen Nathan Keller Adi Shamir AES AES is the best known and most widely used secret

863 views • 58 slides
Differential Cryptanalysis of Round-Reduced PRINT CIPHER : Computing Roots of Permutations

Differential Cryptanalysis of Round-Reduced PRINT CIPHER : Computing Roots of Permutations

Description of PRINT CIPHER Differential Cryptanalysis Computing roots of permutations Summary Differential Cryptanalysis of Round-Reduced PRINT CIPHER : Computing Roots of Permutations Mohamed Abdelraheem, Gregor Leander and Erik Zenner DTU

639 views • 21 slides
Multiple Differential Cryptanalysis of Round-Reduced Prince Anne Canteaut 1 , Thomas Fuhr 2 ,

Multiple Differential Cryptanalysis of Round-Reduced Prince Anne Canteaut 1 , Thomas Fuhr 2 ,

Multiple Differential Cryptanalysis of Round-Reduced Prince Anne Canteaut 1 , Thomas Fuhr 2 , Henri Gilbert 2 , Mara Naya-Plasencia 1 , Jean-Ren Reinhard 2 1 INRIA, France 2 ANSSI, France FSE 2014 - March 5, 2014 Canteaut, Fuhr, Gilbert,

507 views • 35 slides
Differential Cryptanalysis of Round-Reduced Simon and Speck Farzaneh Abed Eik List Stefan Lucks

Differential Cryptanalysis of Round-Reduced Simon and Speck Farzaneh Abed Eik List Stefan Lucks

Differential Cryptanalysis of Round-Reduced Simon and Speck Farzaneh Abed Eik List Stefan Lucks Jakob Wenzel Bauhaus-Universitt Weimar FSE 2014 March 27, 2014 March 27, 2014 Agenda Motivation Simon and Speck Our Method Results

533 views • 31 slides
Exhausting Demirci-Sel cuk Meet-in-the-Middle Attacks against Reduced-Round AES Patrick Derbez

Exhausting Demirci-Sel cuk Meet-in-the-Middle Attacks against Reduced-Round AES Patrick Derbez

Introduction Demirci and Sel cuk Attack Differential Enumeration Technique Conclusion Exhausting Demirci-Sel cuk Meet-in-the-Middle Attacks against Reduced-Round AES Patrick Derbez 1 Pierre-Alain Fouque 1 , 2 Ecole Normale Sup

1.25k views • 60 slides
Reduced Basis Collocation Methods for Partial Differential Equations with Random Coefficients

Reduced Basis Collocation Methods for Partial Differential Equations with Random Coefficients

Preliminary: Spectral Methods for PDEs with Uncertain Coefficients Reduced Basis Methods Reduced Basis + Sparse Grid Collocation Iterative Solution of Reduced Problem Concluding Remarks Reduced Basis Collocation Methods for Partial Differential

476 views • 43 slides
/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of

/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of

/ 33 1 Cryptanalysis of Reduced round SKINNY Block Cipher Outline A brief description of SKINNY Zero-Correlation Linear Cryptanalysis of SKINNY MILP model for SKINNY64 cipher Using MILP in Impossible differential

420 views • 31 slides
Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below (half of) exhaustive search. Differential Cryptanalysis Note : In all the following discussion we ignore the existence of the initial and the final

330 views • 8 slides
Cryptanalysis of Round-Reduced LED Ivica Nikoli, Lei Wang and Shuang Wu FSE 2013 Singapore

Cryptanalysis of Round-Reduced LED Ivica Nikoli, Lei Wang and Shuang Wu FSE 2013 Singapore

Cryptanalysis of Round-Reduced LED Ivica Nikoli, Lei Wang and Shuang Wu FSE 2013 Singapore March 11, 2013 1 Outline Backgrounds Specification Previous Analysis Slidex Attack Application Multicollision Application

744 views • 42 slides
Branching Heuristics in Differential Collision Search: Application to SHA-512 Maria Eichlseder

Branching Heuristics in Differential Collision Search: Application to SHA-512 Maria Eichlseder

Branching Heuristics in Differential Collision Search: Application to SHA-512 Maria Eichlseder Florian Mendel Martin Schl affer IAIK, Graz University of Technology, Austria FSE 2014 Practical Collisions for Round-Reduced Hash Functions

602 views • 23 slides
Von Neumann stability analysis In numerical algorithms for differential equations the concern is

Von Neumann stability analysis In numerical algorithms for differential equations the concern is

Von Neumann stability analysis In numerical algorithms for differential equations the concern is the growth of round-off errors and/or initially small fluctuations in initial data which might cause a large deviation of final answers from the

763 views • 6 slides
Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard , F.-X.

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard , F.-X.

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard , F.-X. Standaert , J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL Belgium FSE 2008 Collard B. (UCL

448 views • 33 slides
Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree

Cryptanalysis of Round-Reduced KECCAK using Non-Linear Structures Mahesh Sreekumar Rajasree Center for Cybersecurity, Indian Institute of Technology Kanpur INDOCRYPT 2019, Hyderabad Outline 2 Introduction Hash function Structure of KECCAK

752 views • 50 slides
A New Structural-Differential Property of 5-Round AES Lorenzo Grassi, Christian Rechberger and

A New Structural-Differential Property of 5-Round AES Lorenzo Grassi, Christian Rechberger and

A New Structural-Differential Property of 5-Round AES Lorenzo Grassi, Christian Rechberger and Sondre Rnjom May, 2017 www.iaik.tugraz.at Introduction AES is probably the most widely studied and used block cipher. So far, non-random

603 views • 42 slides
Automatic Search of Attacks on round-reduced AES and Applications Charles Bouillaguet Patrick

Automatic Search of Attacks on round-reduced AES and Applications Charles Bouillaguet Patrick

Introduction Algebraic Structure Automated Tools Conclusion Automatic Search of Attacks on round-reduced AES and Applications Charles Bouillaguet Patrick Derbez Pierre-Alain Fouque ENS, CNRS, INRIA Cascade August 15, 2011 Introduction

576 views • 40 slides
New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu

New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu

New Collision Attacks on Round-Reduced Keccak Kexin Qiao 1 , 3 , 4 Ling Song 1 , 2 , 3 Meicheng Liu 1 Jian Guo 2 { qiaokexin,songling,liumeicheng } @iie.ac.cn, guojian@ntu.edu.sg 1 SKLOIS, Institute of Information Engineering, Chinese Academy of

530 views • 35 slides
SymSum : Symmetric-Sum Distinguishers Against Round Reduced SHA3 Dhiman Saha 1 , Sukhendu Kuila 2

SymSum : Symmetric-Sum Distinguishers Against Round Reduced SHA3 Dhiman Saha 1 , Sukhendu Kuila 2

SymSum : Symmetric-Sum Distinguishers Against Round Reduced SHA3 Dhiman Saha 1 , Sukhendu Kuila 2 , Dipanwita Roy Chowdhury 1 1 Crypto Research Lab Department of Computer Science & Engineering, IIT Kharagpur, India { dhimans,drc }

449 views • 34 slides
Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @

Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @

Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP Ling Song , Jian Guo FSE 2019 @ Paris, France Song, Guo Cube-Attack-Like Cryptanalysis of Round-Reduced Keccak Using MILP FSE 2019 1 / 27 Outlines 1 Keccak and its Relatives 2

927 views • 33 slides
Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu,

Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu,

Partial-Collision Attack on the Round- Reduced Compression Function of Skein-256 Hongbo Yu, Jiazhe Chen, Xiaoyun Wang Tsinghua University Shandong University 1 Outline Brief description of Skein-256 Previous results related to

518 views • 22 slides
Free-start preimages of round-reduced Blake compression function Lei Wang, Kazuo Ohta and Kazuo

Free-start preimages of round-reduced Blake compression function Lei Wang, Kazuo Ohta and Kazuo

On behavior of Professors Ohta and Sakiyama. Free-start preimages of round-reduced Blake compression function Lei Wang, Kazuo Ohta and Kazuo Sakiyama The University of Electro-Communications, Japan Blake A candidate in second round for

433 views • 11 slides

More recommend