explaining differential fault analysis on des
play

Explaining Differential Fault Analysis on DES Christophe Clavier - PowerPoint PPT Presentation

Nov 06, 2022 •33 likes •423 views

Explaining Differential Fault Analysis on DES Christophe Clavier Michael Tunstall 5/18/2006 References Bull & Innovatron Patents 2 Fault I njection Equipment: Laser 3 Bull & Innovatron Patents Fault I njection Equipment: CLI O

  1. Explaining Differential Fault Analysis on DES Christophe Clavier Michael Tunstall 5/18/2006

  2. References Bull & Innovatron Patents 2

  3. Fault I njection Equipment: Laser 3 Bull & Innovatron Patents

  4. Fault I njection Equipment: CLI O Glitch I njector 4 Bull & Innovatron Patents

  5. Where to inject a fault? 5 Bull & Innovatron Patents

  6. Looking Closer 3rd round 2nd round Key E Perm & Xor S-Boxes Key Key PC2 P Perm Shift Shift Shift (8 patterns) (8 patterns) (4 patterns) 6 Bull & Innovatron Patents

  7. Notation • 16 Rounds, each a transform 2 32- bit variables. • [L0,R0] – plaintext • [L16,R16] – ciphertext • Bitwise permutations are not always considered. 7 Bull & Innovatron Patents

  8. DES-Fifteenth Round 5/18/2006

  9. DES last round structure • Transformation of [L15,R15] to L15 R15 [L16,R16] using K16 K16 K16 = S-Box 16 15 L R = ⊕ ⊕ 16 ( 15 16 ) 15 R S R K L L16 R16 9 Bull & Innovatron Patents

  10. Fault I njection in 15 th round • If R15 is changed to R15’, without changing L15 = 16 15 L R = ⊕ ⊕ 16 ( 15 16 ) 15 R S R K L ′ ′ = then L 1 6 R 1 5 ′ ′ = ⊕ ⊕ R 1 6 S ( R 1 5 K 16 ) L 15 where S(x) is the S-box function ′ ′ ⊕ = ⊕ ⊕ ⊕ ⊕ ⊕ R 16 R 1 6 S ( R 15 K 16 ) L 15 S ( R 1 5 K 16 ) L 15 ′ = ⊕ ⊕ ⊕ S ( R 15 K 16 ) S ( R 1 5 K 16 ) 10 Bull & Innovatron Patents

  11. Differential Fault Analysis L16 L16’ • For each S-box (Si), i Є [1..8] L16 L16’ verify the following relation: K16 K16 K16 K16 _ 6 _ 6 _ 6 _ 6 • Gives a list of possible key values 2 32 Si Si Si Si • Leads to an exhaustive search _ 4 _ 4 _ _ 4 4 R16 R16’ R16 R16’ 11 Bull & Innovatron Patents

  12. Predicting the Key Space • Why 2 32 ? • The number of hypothesis’ given for each six bits of the key can be found using the tables, described in, ”Differential Cryptanalysis of DES-like Cryptosystems” by Biham and Shamir { 64, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }, { 0, 0, 0, 6, 0, 2, 4, 4, 0, 10, 12, 4, 10, 6, 2, 4 }, { 0, 0, 0, 8, 0, 4, 4, 4, 0, 6, 8, 6, 12, 6, 4, 2 }, { 14, 4, 2, 2, 10, 6, 4, 2, 6, 4, 4, 0, 2, 2, 2, 0 }, { 0, 0, 0, 6, 0, 10, 10, 6, 0, 4, 6, 4, 2, 8, 6, 2 }, { 4, 8, 6, 2, 2, 4, 4, 2, 0, 4, 4, 0, 12, 2, 4, 6 }, { 0, 4, 2, 4, 8, 2, 6, 2, 8, 4, 4, 2, 4, 2, 0, 12 }, { 2, 4, 10, 4, 0, 4, 8, 4, 2, 4, 8, 2, 2, 2, 4, 4 }, { 0, 0, 0, 12, 0, 8, 8, 4, 0, 6, 2, 8, 8, 2, 2, 4 }, { 10, 2, 4, 0, 2, 4, 6, 0, 2, 2, 8, 0, 10, 0, 2, 12 }, { 0, 8, 6, 2, 2, 8, 6, 0, 6, 4, 6, 0, 4, 0, 2, 10 }, { 2, 4, 0, 10, 2, 2, 4, 0, 2, 6, 2, 6, 6, 4, 2, 12 }, { 0, 0, 0, 8, 0, 6, 6, 0, 0, 6, 6, 4, 6, 6, 14, 2 }, { 6, 6, 4, 8, 4, 8, 2, 6, 0, 6, 4, 6, 0, 2, 0, 2 }, { 0, 4, 8, 8, 6, 6, 4, 0, 6, 6, 4, 0, 0, 4, 0, 8 }, { 2, 0, 2, 4, 4, 6, 4, 2, 4, 8, 2, 2, 2, 6, 8, 8 }, ... 12 Bull & Innovatron Patents

  13. Predicting the Key Space • For each s-box the expected number of hypotheses can be calculated: • The predicted key space is the product of all the averages = 2 24 . • Eight bits are not included in this key and need to be added = 2 32 . 13 Bull & Innovatron Patents

  14. I ntersecting Keyspaces • e.g. two faulty ciphertext leading to 2 14 • With numerous faulty ciphertexts the key will be in the intersection of all the key spaces. 14 Bull & Innovatron Patents

  15. A Real Example • Plaintext file • Ciphertext file Correct Ciphertext Faulty Ciphertexts 15 Bull & Innovatron Patents

  16. A Real Example 16 Bull & Innovatron Patents

  17. A Real Example • Searches of 2 48 and 2 25 for the different faulty ciphertexts. • The intersection can be taken giving a search of around 2 20 for the entire DES key. 17 Bull & Innovatron Patents

  18. DES – Other Rounds 5/18/2006

  19. Differential Fault Analysis L15 R15 • Why does this work? � Because for each s-box K16 K16 • For two unrelated ciphertexts then with S-Box probability 1/16, for each s-box. � Hypotheses are uniformly distributed • If a fault in a round towards the L16 R16 end of a DES then with probability p . 19 Bull & Innovatron Patents

  20. 1 Bit Faults: Round 15 • 1 bit fault in R15 L15 R15 • Gives differentials over 1 or 2 s- boxes. K16 K16 • Several samples will allow the key to be derived as before. S-Box L16 R16 20 Bull & Innovatron Patents

  21. 1 Bit Faults: Round 14 L14 R14 • 1 bit fault in R14, will also change one bit in L15. K15 K15 • For 7 of the 8 s-boxes, S-Box • For each s-box: L15 R15 P( ) = 7/8 K16 K16 • This probability will approach 1/16 the further into the S-Box algorithm the fault is injected. L16 R16 21 Bull & Innovatron Patents

  22. Differential Fault Analysis • Keyspace generated in exactly C’ 1 Keyspace C’ 2 Keyspace the same way as for fifteenth round fault. C’ 4 Keyspace • There is no intersection of all C’ 3 Keyspace keyspaces generated, a system of votes is conducted. C’ 5 Keyspace • The red area has the highest C’ 6 Keyspace chance of being the key. 22 Bull & Innovatron Patents

  23. Differential Fault Analysis • The amount of faulty ciphertexts required increases the further away from the end of the DES the fault is, and the amount of bits modified. • Theoretical results with 1 bit faults. � Easy until round 11 (less than 1000) ciphertexts � Round 10 requires several million ciphertexts � Round 9 ? • Attempt with 10’s of millions failed … 23 Bull & Innovatron Patents

  24. A Simulated Example • Ciphertex file • Faulty Ciphertext file 24 Bull & Innovatron Patents

  25. A Simulated Example 00 : 7 5 8 4 7 4 6 7 • Actual subkey: 01 : 7 3 7 4 7 4 5 7 02 : 7 5 8 4 6 5 6 6 03 : 7 4 8 5 7 5 6 8 0D 0C 09 34 10 38 3A 0D 04 : 6 5 7 5 7 5 5 7 05 : 5 5 8 4 7 4 6 5 06 : 6 5 8 4 7 6 5 6 07 : 6 5 8 4 7 5 6 8 08 : 7 4 7 5 7 4 5 8 09 : 6 5 2 5 7 4 5 6 0a : 7 5 8 5 7 6 5 6 0b : 6 5 7 5 7 6 6 8 0c : 6 0 6 5 7 5 6 8 0d : 0 3 7 5 7 5 6 2 0e : 6 3 7 4 7 4 6 7 0f : 6 3 8 2 7 5 6 7 10 : 6 5 8 5 2 6 5 7 11 : 7 4 8 5 6 5 6 8 12 : 7 5 8 5 4 5 5 8 13 : 7 5 8 5 6 3 6 7 14 : 7 5 7 4 5 6 6 8 ... 25 Bull & Innovatron Patents

  26. Gaining Extra Rounds L n-2 R n-2 • Any fault in R n will have an equivalent fault in L n-1 . K n K n- -1 1 S-Box • L n-1 is static, therefore need to target the copying of R n-2 . � Implementation Specific. � Several millions faults in 8 th round. L n-1 R n-1 � Less than a thousand in the 9 th . K n K n • Advanced Simple Power Analysis S-Box L n R n 26 Bull & Innovatron Patents

  27. 3DES 5/18/2006

  28. Differential Fault Analysis • If injecting faults in the last and middle DES (the fifteenth round of each). � C correct ciphertext. � C 1 ciphertext with fault in fifteenth round of the last DES. � C 2 ciphertext with fault in fifteenth round of the middle DES. • For each key hypothesis generated for K1, a keyspace can be generated and search for K2 (DES -1 (kh 1 ,C)), DES -1 (kh 1 ,C 2 )) K2 Keyspace (C,C 1 ) K1 Keyspace K2 Keyspace (DES -1 (kh 2 ,C)), DES -1 (kh 2 ,C 2 )) 28 Bull & Innovatron Patents

  29. Differential Fault Analysis • Each hypothesis for K1 produces 2 32 hypotheses for K2, the total number of keys (K1, K2) that need to be searched is: 2 32 × 2 32 = 2 64 • This can be improved upon with more acquisitions, with two faulty ciphertexts from each DES: 2 14 × 2 14 = 2 28 • This can still be improved upon … 29 Bull & Innovatron Patents

  30. Differential Fault Analysis • If a given key hypothesis (kh i ) contains K1 then (DES -1 (kh i ,C)), DES -1 (kh i ,C 2 )) Will contain K2, and the differentials generated across each s-box in the last round will be distributed on: 30 Bull & Innovatron Patents

  31. I mpossible Differentials • Again using the table described in, ”Differential Cryptanalysis of DES-like Cryptosystems” by Biham and Shamir { 64, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }, { 0, 0, 0, 6, 0, 2, 4, 4, 0, 10, 12, 4, 10, 6, 2, 4 }, { 0, 0, 0, 8, 0, 4, 4, 4, 0, 6, 8, 6, 12, 6, 4, 2 }, { 14, 4, 2, 2, 10, 6, 4, 2, 6, 4, 4, 0, 2, 2, 2, 0 }, { 0, 0, 0, 6, 0, 10, 10, 6, 0, 4, 6, 4, 2, 8, 6, 2 }, { 4, 8, 6, 2, 2, 4, 4, 2, 0, 4, 4, 0, 12, 2, 4, 6 }, { 0, 4, 2, 4, 8, 2, 6, 2, 8, 4, 4, 2, 4, 2, 0, 12 }, { 2, 4, 10, 4, 0, 4, 8, 4, 2, 4, 8, 2, 2, 2, 4, 4 }, { 0, 0, 0, 12, 0, 8, 8, 4, 0, 6, 2, 8, 8, 2, 2, 4 }, { 10, 2, 4, 0, 2, 4, 6, 0, 2, 2, 8, 0, 10, 0, 2, 12 }, { 0, 8, 6, 2, 2, 8, 6, 0, 6, 4, 6, 0, 4, 0, 2, 10 }, { 2, 4, 0, 10, 2, 2, 4, 0, 2, 6, 2, 6, 6, 4, 2, 12 }, { 0, 0, 0, 8, 0, 6, 6, 0, 0, 6, 6, 4, 6, 6, 14, 2 }, { 6, 6, 4, 8, 4, 8, 2, 6, 0, 6, 4, 6, 0, 2, 0, 2 }, { 0, 4, 8, 8, 6, 6, 4, 0, 6, 6, 4, 0, 0, 4, 0, 8 }, { 2, 0, 2, 4, 4, 6, 4, 2, 4, 8, 2, 2, 2, 6, 8, 8 }, ... 31 Bull & Innovatron Patents

Recommend

Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010

Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010

Differential Fault Analysis of HC-128 Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010 May 03-06, 2010, Stellenbosch, South Africa Differential Fault Analysis of HC-128 Outline Fault analysis

374 views • 24 slides
Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier, Xiaolu Hou and Yang Liu 10 September 2018 1 / 25 Table of Contents Background and Motivation 1 Overview of DATAC DFA Automation Tool for

727 views • 25 slides
Differential Fault Analysis against AES-192 and AES-256 with Minimal Faults Chong Hee KIM

Differential Fault Analysis against AES-192 and AES-256 with Minimal Faults Chong Hee KIM

Outline Differential Fault Analysis against AES-192 and AES-256 with Minimal Faults Chong Hee KIM Information Security Group Universit e Catholique de Louvain, Belgium August 21, 2010 Chong Hee KIM, Universit e Catholique de Louvain

797 views • 76 slides
Fully Automated Differential Fault Analysis on Software Implementations of Block Ciphers Xiaolu

Fully Automated Differential Fault Analysis on Software Implementations of Block Ciphers Xiaolu

Fully Automated Differential Fault Analysis on Software Implementations of Block Ciphers Xiaolu Hou 1 , Jakub Breier 2 , Fuyuan Zhang 3 , and Yang Liu 2 1 National University of Singapore, Singapore 2 HP-NTU Digital Manufacturing Corporate Lab,

513 views • 26 slides
Differential Fault Analysis of Trivium Michal Hojsk 1 , 3 and Bohuslav Rudolf 2 , 3 1The Selmer

Differential Fault Analysis of Trivium Michal Hojsk 1 , 3 and Bohuslav Rudolf 2 , 3 1The Selmer

Differential Fault Analysis of Trivium Michal Hojsk 1 , 3 and Bohuslav Rudolf 2 , 3 1The Selmer Center, University of Bergen, Norway 2National Security Authority, Czech Republic 3Department of Algebra, Charles University in Prague, Czech

390 views • 19 slides
Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 34 Introduction We present a survey of low complexity differential cryptanalysis

844 views • 34 slides
Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June,

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 48 Introduction We present a survey of low complexity differential cryptanalysis

716 views • 48 slides
JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK 2018, Kolkata, India 15 Nov 2018 Table of Contents 1. Introduction to Fault Attacks 2. Persistent Fault Analysis (PFA) 3. PFA on Fault

588 views • 19 slides
Explaining Inconsistent Code Muhammad Numair Mansur Introduction 50% of the time in

Explaining Inconsistent Code Muhammad Numair Mansur Introduction 50% of the time in

Explaining Inconsistent Code Muhammad Numair Mansur Introduction 50% of the time in debugging Fault localization. Becomes more tedious as the program size increase. Automatically explaining and localizing inconsistent code .

1.04k views • 63 slides
Can Fault Tree Analysis Technique Resolve Fault Isolation Ambiguity? Alpana Gangopadhyaya

Can Fault Tree Analysis Technique Resolve Fault Isolation Ambiguity? Alpana Gangopadhyaya

Reliability Maintenance and Managing Risk Conference 2019 Can Fault Tree Analysis Technique Resolve Fault Isolation Ambiguity? Alpana Gangopadhyaya Supportability Systems Engineer Northrop Grumman Alpana.Gangopadhyaya@ngc.com Phone Number

466 views • 18 slides
RTNS: Scheduling Analysis under Fault Bursts Florian Many, Frdric Boniol, David Doose 5

RTNS: Scheduling Analysis under Fault Bursts Florian Many, Frdric Boniol, David Doose 5

Introduction Fault Model Strategies Scheduling Analysis Performance Conclusions RTNS: Scheduling Analysis under Fault Bursts Florian Many, Frdric Boniol, David Doose 5 November 2010 RTNS: Scheduling Analysis under Fault Bursts 1 / 25

259 views • 21 slides
San Andreas The Influence of Temperature, Sliding Velocity, and Rock Fault Analysis Composition

San Andreas The Influence of Temperature, Sliding Velocity, and Rock Fault Analysis Composition

San Andreas The Influence of Temperature, Sliding Velocity, and Rock Fault Analysis Composition at Depth On Fault Mechanics Background San Andreas Fault Observatory at Depth (SAFOD) Sample recovery of cores containing the two

410 views • 8 slides
Differential propagation analysis of Keccak Joan Daemen and Gilles Van Assche STMicroelectronics

Differential propagation analysis of Keccak Joan Daemen and Gilles Van Assche STMicroelectronics

Differential propagation analysis of Keccak Differential propagation analysis of Keccak Joan Daemen and Gilles Van Assche STMicroelectronics Fast Software Encryption, March 19-21, 2012 1 / 28 Differential propagation analysis of Keccak Outline

409 views • 36 slides
Explaining Local Government Transparency: An Analysis of Information Disclosed in Official

Explaining Local Government Transparency: An Analysis of Information Disclosed in Official

University of Minho School of Economics and Management Research Center in Political Science UNU-EGOV Seminar Guimares, October 15, 2015 Explaining Local Government Transparency: An Analysis of Information Disclosed in Official Websites

346 views • 30 slides
Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault

Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault

Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault tolerant programming are: Fault Detection - Knowing that a fault exists Fault Recovery - having atomic instructions that can be rolled back in

361 views • 18 slides
Securing RSA against Fault Analysis by Double Addition Chain Exponentiation Matthieu Rivain

Securing RSA against Fault Analysis by Double Addition Chain Exponentiation Matthieu Rivain

Securing RSA against Fault Analysis by Double Addition Chain Exponentiation Matthieu Rivain Oberthur Technologies & Univ. of Luxembourg 04/24/09 | Session ID: CRYP-403 Session Classification: Agenda RSA and Fault Analysis A New

421 views • 27 slides
GPU-ENABLED DIFFERENTIAL DEPENDENCY NETWORK ANALYSIS OF LARGE DATASETS Gil Speyer May 9, 2017

GPU-ENABLED DIFFERENTIAL DEPENDENCY NETWORK ANALYSIS OF LARGE DATASETS Gil Speyer May 9, 2017

GPU-ENABLED DIFFERENTIAL DEPENDENCY NETWORK ANALYSIS OF LARGE DATASETS Gil Speyer May 9, 2017 Nvidia GTC S7254 Transcriptomic Data Personome.com Biological Pathways Nature.org Differential expression analysis Class labels C1 C2

414 views • 30 slides
A Differential Fault Attack on the Grain Family of Stream Ciphers Subhadeep Banik , Subhamoy

A Differential Fault Attack on the Grain Family of Stream Ciphers Subhadeep Banik , Subhamoy

A Differential Fault Attack on the Grain Family of Stream Ciphers Subhadeep Banik , Subhamoy Maitra, Santanu Sarkar Indian Statistical Institute Kolkata September 10, 2012 CHES 2012, Leuven Belgium GRAIN family of Stream Ciphers 2 of 32

506 views • 32 slides
Hi-C Differential Analysis: A new method using tree representation based on Contiguity

Hi-C Differential Analysis: A new method using tree representation based on Contiguity

Pratical case and Data State of the art Differential Analysis method based on CCHAC Conclusion Hi-C Differential Analysis: A new method using tree representation based on Contiguity Constrained Hierarchical Agglomerative Clustering (CCHAC)

644 views • 28 slides
Explaining Program Failures via Postmortem Static Analysis Manu Sridharan Roman Manevich UC

Explaining Program Failures via Postmortem Static Analysis Manu Sridharan Roman Manevich UC

Explaining Program Failures via Postmortem Static Analysis Manu Sridharan Roman Manevich UC Berkeley Tel Aviv University Stephen Adams, Manuvir Das, Zhe Yang Center for Software Excellence Microsoft Corporation Motivation Programs are

221 views • 19 slides
Fault lt Tre ree An Analysis lysis (F (FTA) A) Kim R. Fowler KSU ECE February 2013 Pu

Fault lt Tre ree An Analysis lysis (F (FTA) A) Kim R. Fowler KSU ECE February 2013 Pu

Fault lt Tre ree An Analysis lysis (F (FTA) A) Kim R. Fowler KSU ECE February 2013 Pu Purp rpose se for r FTA A In the face of potential failures, determine if design must change to improve: Reliability Safety

1.41k views • 59 slides
INOSSEM i nsti tut de recherche Guillaume Bouffard (SSD) Vulnerability Analysis on Smart Cards

INOSSEM i nsti tut de recherche Guillaume Bouffard (SSD) Vulnerability Analysis on Smart Cards

Introduction Fault Tree Analysis An API to Mitigate the Undesirable Events Conclusion Vulnerability Analysis on Smart Cards using Fault Tree Guillaume Bouffard Bhagyalekshmy N Thampi Jean-Louis Lanet Smart Secure Devices (SSD) Team

705 views • 39 slides
Confirming Differential Gene Expression in Honeybee flight muscles RNA seq analysis

Confirming Differential Gene Expression in Honeybee flight muscles RNA seq analysis

Confirming Differential Gene Expression in Honeybee flight muscles RNA seq analysis From raw RNAseq data to transcriptome and differential expression analysis. Software for analysis TopHat alignment TopHat alignment in IGV

468 views • 11 slides
Mobile Data Collection and Analysis with Local Differential Privacy - Part 1 Ninghui Li (Purdue

Mobile Data Collection and Analysis with Local Differential Privacy - Part 1 Ninghui Li (Purdue

Mobile Data Collection and Analysis with Local Differential Privacy - Part 1 Ninghui Li (Purdue University) 1 Outline Motivation of Differential Privacy and Local Differential Privacy (LDP) Frequency Oracles in LDP Tradeoff between

821 views • 53 slides

More recommend