Motivation Description of CLOC and SILC Fault Based Almost Universal Forgery on CLOC Fault Based Almost Universal Forgery on SILC Implementation of Fault Conclusion Fault Based Almost Universal Forgeries on CLOC and SILC Avik Chakraborti (ISI, Kolkata) Joint Work With Debapriya Basu Roy (IIT Kharagpur) Donghoon Chang (IIIT, Delhi) S V Dilip Kumar (IIT Kharagpur) Debdeep Mukhopadhyay (IIT Kharagpur) and Mridul Nandi (ISI, Kolkata) September, 2016 Fault Analysis on CLOC and SILC
Motivation Description of CLOC and SILC Fault Based Almost Universal Forgery on CLOC Fault Based Almost Universal Forgery on SILC Implementation of Fault Conclusion Motivation 1 Description of CLOC and SILC 2 Fault Based Almost Universal Forgery on CLOC 3 Fault Based Almost Universal Forgery on SILC 4 Implementation of Fault 5 Conclusion 6 Fault Analysis on CLOC and SILC
Motivation Description of CLOC and SILC Fault Based Almost Universal Forgery on CLOC Fault Based Almost Universal Forgery on SILC Implementation of Fault Conclusion Generic Fault Based Existential Forgery on AE Schemes Make a fault injected encryption query ( N , A , M ) and receive ( C , T ). Fault is injected at known bit positions N and A to result in N ′ and A ′ respectively. Make a valid forge with ( N ′ , A ′ , C , T ). Non-Trivial k ( k ≫ 1) forgery using one or very few faults Fault Analysis on CLOC and SILC
Motivation Description of CLOC and SILC Fault Based Almost Universal Forgery on CLOC Fault Based Almost Universal Forgery on SILC Implementation of Fault Conclusion Motivation 1 Description of CLOC and SILC 2 Fault Based Almost Universal Forgery on CLOC 3 Fault Based Almost Universal Forgery on SILC 4 Implementation of Fault 5 Conclusion 6 Fault Analysis on CLOC and SILC
Motivation Description of CLOC and SILC Fault Based Almost Universal Forgery on CLOC Fault Based Almost Universal Forgery on SILC Implementation of Fault Conclusion Description of CLOC Hash Encrypt A 1 A 2 A a ozp ( N ) V M 1 M 2 M m − 1 M m fix 1 fix 1 fix 1 fix 0 ⊕ ⊕ ⊕ E k E k E k E k f 1 E k E k E k ⊕ ⊕ ⊕ ⊕ i V C 1 C 2 C m − 1 C m V ← Hash K ( N , A ) , C ← Enc K ( V , M ) , T ← PRF K ( V , C ) Fault Analysis on CLOC and SILC
Motivation Description of CLOC and SILC Fault Based Almost Universal Forgery on CLOC Fault Based Almost Universal Forgery on SILC Implementation of Fault Conclusion Description of SILC Differes with CLOC in Hash K . Enc K and PRF K are same. Hash Encrypt A 1 A a len ( A ) M 1 M 2 M m − 1 M m N V fix 1 fix 1 fix 1 zpp ⊕ ⊕ ⊕ E k E k E k E k E k E k E k g ⊕ ⊕ ⊕ ⊕ i V C 1 C 2 C m − 1 C m V ← Hash K ( N , A ) , C ← Enc K ( V , M ) , T ← PRF K ( V , C ) Fault Analysis on CLOC and SILC
Motivation Description of CLOC and SILC Fault Based Almost Universal Forgery on CLOC Single Bit Fault Based Forgery on CLOC Fault Based Almost Universal Forgery on SILC Almost Universal Fault Based Forgery on CLOC Implementation of Fault Conclusion Motivation 1 Description of CLOC and SILC 2 Fault Based Almost Universal Forgery on CLOC 3 Single Bit Fault Based Forgery on CLOC Almost Universal Fault Based Forgery on CLOC Fault Based Almost Universal Forgery on SILC 4 Implementation of Fault 5 Conclusion 6 Fault Analysis on CLOC and SILC
Motivation Description of CLOC and SILC Fault Based Almost Universal Forgery on CLOC Single Bit Fault Based Forgery on CLOC Fault Based Almost Universal Forgery on SILC Almost Universal Fault Based Forgery on CLOC Implementation of Fault Conclusion Fault Model Fault e injected at the first bit of the n -bit input state of the second block cipher call in Enc K . Fault e M 1 M 2 M 3 M 4 V r fix 1 fix 1 fix 1 X 1 X 2 X E k E k E k E k Y Y 1 Y 2 ⊕ ⊕ ⊕ ⊕ C 1 C 2 C 3 C 4 Fault Analysis on CLOC and SILC
Motivation Description of CLOC and SILC Fault Based Almost Universal Forgery on CLOC Single Bit Fault Based Forgery on CLOC Fault Based Almost Universal Forgery on SILC Almost Universal Fault Based Forgery on CLOC Implementation of Fault Conclusion Phase 1 of the Forgery Construct a faulty ip/op pair and 2 valid ip/op pairs corresponding to E K by one enc query. 1 enc query ( N r , A r , M = ( M 1 , M 2 , M 3 , M 4 )) Receives ( C = ( C 1 , C 2 , C 3 , C 4 ) , T ) Computes ( X , Y ) , ( X 1 , Y 1 ) , ( X 2 , Y 2 ) Fault Analysis on CLOC and SILC
Motivation Description of CLOC and SILC Fault Based Almost Universal Forgery on CLOC Single Bit Fault Based Forgery on CLOC Fault Based Almost Universal Forgery on SILC Almost Universal Fault Based Forgery on CLOC Implementation of Fault Conclusion Phase 2 ′ ), that produces Construct two colliding associated data ( A , A same V under same N A 1 A 2 A 3 ozp ( N ) A 1 A ′ A ′ ozp ( N ) 2 3 Y + X 1 Y 1 + X 2 Y + X 2 Y 2 + X 2 fix 0 ⊕ ⊕ ⊕ fix 0 ⊕ ⊕ ⊕ X 1 X 2 X 2 X 2 X X E k E k E k E k E k E k f 1 f 1 Y 1 Y 2 Y 2 Y 2 Y Y V V Fault Analysis on CLOC and SILC
Motivation Description of CLOC and SILC Fault Based Almost Universal Forgery on CLOC Single Bit Fault Based Forgery on CLOC Fault Based Almost Universal Forgery on SILC Almost Universal Fault Based Forgery on CLOC Implementation of Fault Conclusion Phase 3 and Phase 4 Phase 3 Construct ( C ∗ , T ∗ ) under N , A and M ∗ by a single encryption query Phase 4 ′ , C ∗ , T ∗ ) Forge ( N , A Fault Analysis on CLOC and SILC
Motivation Description of CLOC and SILC Fault Based Almost Universal Forgery on CLOC Single Bit Fault Based Forgery on CLOC Fault Based Almost Universal Forgery on SILC Almost Universal Fault Based Forgery on CLOC Implementation of Fault Conclusion Motivation 1 Description of CLOC and SILC 2 Fault Based Almost Universal Forgery on CLOC 3 Single Bit Fault Based Forgery on CLOC Almost Universal Fault Based Forgery on CLOC Fault Based Almost Universal Forgery on SILC 4 Implementation of Fault 5 Conclusion 6 Fault Analysis on CLOC and SILC
Motivation Description of CLOC and SILC Fault Based Almost Universal Forgery on CLOC Single Bit Fault Based Forgery on CLOC Fault Based Almost Universal Forgery on SILC Almost Universal Fault Based Forgery on CLOC Implementation of Fault Conclusion Different Steps for the Almost Universal Forgery on CLOC Any ( N , A = ( A 1 , · · · , A a ) , M = ( M 1 , · · · , M m )), except A 1 fixed Obtain faulty ip-op pair X and Y (like Phase 1) A 1 = X Compute all BC ip-op pairs during A processing Requires a enc queries ′ colliding with A at V Find A Enc query: ( N , A ′ , M ) → ( C , T ) Forge with ( N , A , C , T ) Fault Analysis on CLOC and SILC
Motivation Description of CLOC and SILC Fault Based Almost Universal Forgery on CLOC Single Bit Fault Based Forgery on CLOC Fault Based Almost Universal Forgery on SILC Almost Universal Fault Based Forgery on CLOC Implementation of Fault Conclusion What does Almost Mean? I 1 = A 1 = X , O 1 = Y = E k ( I 1 ) X 1 = A 2 ⊕ O 1 , Y 1 = E k ( X 1 ) X a − 1 = A a ⊕ Y a − 2 , Y a − 1 = E k ( X a − 1 ) Restriction Only A 1 = X No restrictions on N and M Fault Analysis on CLOC and SILC
Motivation Description of CLOC and SILC Fault Based Almost Universal Forgery on CLOC Single Bit Fault Based Forgery on CLOC Fault Based Almost Universal Forgery on SILC Almost Universal Fault Based Forgery on CLOC Implementation of Fault Conclusion First Encrytion Query Query with N , A and any a single block message M r = M r 1 . Receive ( C r 1 , T r ) Compute E k ( V ) = M r 1 ⊕ C r 1 Fault Analysis on CLOC and SILC
Motivation Description of CLOC and SILC Fault Based Almost Universal Forgery on CLOC Single Bit Fault Based Forgery on CLOC Fault Based Almost Universal Forgery on SILC Almost Universal Fault Based Forgery on CLOC Implementation of Fault Conclusion Next a-2 Encrytion Queries For i=1 to a-2 Make an encryption query ( N , A , M = ( M ′ 1 = E k ( V ) ⊕ X i , M ′ 2 ) and receive ( C ′ = ( C ′ 1 , C ′ 2 ) , T ′ ). Compute Y i = M ′ 2 ⊕ C ′ 2 . Compute X i +1 = A i +2 ⊕ Y i . Fault Analysis on CLOC and SILC
Motivation Description of CLOC and SILC Fault Based Almost Universal Forgery on CLOC Single Bit Fault Based Forgery on CLOC Fault Based Almost Universal Forgery on SILC Almost Universal Fault Based Forgery on CLOC Implementation of Fault Conclusion Last 2 Encrytion Queries Make an encryption query ( N , A , M = ( M ′ 1 = E k ( V ) ⊕ X a − 1 , M ′ 2 ) and receive ( C ′ = ( C ′ 1 , C ′ 2 ) , T ′ ) Compute Y a − 1 = M ′ 2 ⊕ C ′ 2 Find a colliding associated data A ′ for A (colliding at V ) (Same as Phase 2) Make an encryption query ( N , A ′ , M ) and receive ( C , T ) Fault Analysis on CLOC and SILC
Motivation Description of CLOC and SILC Fault Based Almost Universal Forgery on CLOC Single Bit Fault Based Forgery on CLOC Fault Based Almost Universal Forgery on SILC Almost Universal Fault Based Forgery on CLOC Implementation of Fault Conclusion Valid Forge ( N , A , C , T ) is a Valid forge Fault Analysis on CLOC and SILC
Recommend
More recommend