low complexity differential cryptanalysis and fault
play

Low Complexity Differential Cryptanalysis and Fault Analysis of AES - PowerPoint PPT Presentation

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 48 Introduction We present a survey of low complexity differential cryptanalysis


  1. Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 48

  2. Introduction We present a survey of low complexity differential cryptanalysis and differential fault analysis of AES. We define low complexity to be: ◮ A low number of plaintext-ciphertext pairs. ◮ A feasible amount of computing power. Inspired eprint publication Bouillaguet et al. (2010). Michael Tunstall (University of Bristol) May/June, 2011 2 / 48

  3. Preliminaries The AES is a 10-round block cipher that transforms a plaintext P = ( p 1 , p 2 , . . . , p 16 ) (256) to ciphertext C = ( c 1 , c 2 , . . . , c 16 ) (256) using secret key K = ( k 1 , k 2 , . . . , k 16 ) (256) . Arranged into a 4 × 4 array of bytes.     p 1 p 5 p 9 p 13 c 1 c 5 c 9 c 13 p 2 p 6 p 10 p 14 c 2 c 6 c 10 c 14     →  .     p 3 p 7 p 11 p 15 c 3 c 7 c 11 c 15    p 4 p 8 p 12 p 16 c 4 c 8 c 12 c 16 Michael Tunstall (University of Bristol) May/June, 2011 3 / 48

  4. Preliminaries Each round ofThe AES consists of: ◮ AddRoundkey — An XOR with a subkey. ◮ SubBytes — A bytewise substitution (we will refer to a function S ). ◮ ShiftRows — The bytes in each row are rotated by 0, 1, 2, 3 places respectively. ◮ MixColumns — A matrix multiplication with   2 3 1 1 1 2 3 1     1 1 2 3   3 1 1 2 using polynomial multiplications over F 2 8 modulo the irreducible polynomial x 8 + x 4 + x 3 + x + 1. Where the last round does not include the MixColumns function, but a final XOR with a last subkey. Michael Tunstall (University of Bristol) May/June, 2011 4 / 48

  5. Observation 1 If we consider y 1 ⊕ y 2 = S ( x 1 ) ⊕ S ( x 2 ) For given XOR differences ∆ x = x 1 ⊕ x 2 and ∆ y = y 1 ⊕ y 2 the number of possible values for { x 1 , x 2 , y 1 , y 2 } will be: ◮ Four with probability 1 256 ◮ Two with probability 126 256 ◮ Zero with probability 128 256 Michael Tunstall (University of Bristol) May/June, 2011 5 / 48

  6. Observation 2 We consider a = MixColumns ( b ), where a = ( a 0 , a 1 , a 2 , a 3 ) , b = ( b 0 , b 1 , b 2 , b 3 ) Given any four bytes from ( a 0 , a 1 , a 2 , a 3 , b 0 , b 1 , b 2 , b 3 ) the remaining four can be computed. Trivially, this is also true if we consider the XOR differentials, since, if a ′ = MixColumns ( b ′ ) a = MixColumns ( b ) and then a ⊕ a ′ = MixColumns ( b ⊕ b ′ ). Michael Tunstall (University of Bristol) May/June, 2011 6 / 48

  7. Observation 3 We consider a ⊕ a ′ = MixColumns ( b ⊕ b ′ ). Given the number of input bytes that are different in b , b ′ , the number of bytes that differ in the output will occur with probabilities: # Bytes Out(0) Out(1) Out(2) Out(3) Out(4) In(0) 1 0 0 0 0 In(1) 0 0 0 0 1 255 ≈ 1 4 251 In(2) 0 0 0 2 6 255 2 1 65025 ≈ 1 1004 12803 In(3) 0 0 12675 ≈ 2 13 . 4 2 6 13005 4 1 502 1 3316275 ≈ 1 51212 3264761 In(4) 0 16581375 ≈ 5527125 ≈ 2 22 2 13 . 4 2 6 3316275 Michael Tunstall (University of Bristol) May/June, 2011 7 / 48

  8. Models We consider two models. Chosen Plaintext Model — Standard model for differential cryptanalysis. An attacker is able to encipher arbitrary plaintexts under a fixed unknown secret key and recover the ciphertext. The practicality of an attack is influenced by the number of chosen plaintexts required to conduct a given attack. The time complexity of attacks in this model is considered to the number of enciphering operations, or equivalent, of the algorithm under attack. Michael Tunstall (University of Bristol) May/June, 2011 8 / 48

  9. Models Chosen Difference Model — Proposed to correspond to differential fault analysis. Able to encipher two related but unknown plaintexts. That is, an attacker is able to encipher two plaintexts with a difference of a chosen size. ◮ That is, a difference where the number and position of bytes can be controlled but not the value of the difference. The practicality of the attack is influenced by the number of pairs of ciphertexts required with a difference of a known size. The time complexity of attacks in this model is considered to the number of enciphering operations, or equivalent, of a full 10-round AES. We also assume that the attacker has access to an oracle that can be used to test whether a given key hypothesis is correct. Michael Tunstall (University of Bristol) May/June, 2011 9 / 48

  10. Attacking a Reduced Round AES We define attacks against reduced round implementations of AES using the aforementioned models. In each case the last round does not include the MixColumns function. Michael Tunstall (University of Bristol) May/June, 2011 10 / 48

  11. One-Round AES: Chosen Plaintext Model There is a widely known attack on one-round AES in the chosen plaintext model. For two arbitrary plaintexts P , P ′ producing ciphertexts C , C ′ then we have c i ⊕ c ′ i = S ( p i ⊕ k i ) ⊕ S ( p ′ i ⊕ k i ) for i ∈ { 1 , . . . , 16 } . From Observation 1 we know each equation will produce approximately two possible values for each k i , leading to 2 16 hypotheses. Bouillaguet et al. (2010) note that two subkeys can be evaluated independently and have an intersection of 2 12 hypotheses. This attack does not work on the chosen difference model as the difference is itself unknown. Michael Tunstall (University of Bristol) May/June, 2011 11 / 48

  12. Two-Round AES: Chosen Difference Model The first differential fault analysis of AES was proposed by Piret and Quisquater (2003). If, for example, there is an XOR difference in four bytes it will propagate as follows.  θ 1 θ 2 θ 3 θ 4   2 α β γ 3 δ    x 1 x 5 x 9 x 13 0 0 0 0 3 α 2 β γ δ x 2 x 6 x 10 x 14        →  →       0 0 0 0 α 3 β 2 γ δ x 3 x 7 x 11 x 15     0 0 0 0 α β 3 γ 2 δ x 4 x 8 x 12 x 16 Michael Tunstall (University of Bristol) May/June, 2011 12 / 48

  13. Two-Round AES: Chosen Difference Model If the last subkey is K = ( k 1 , k 2 , . . . , k 16 ) (256) and chiphertexts C = ( c 1 , c 2 , . . . , c 16 ) (256) , C ′ = ( c ′ 1 , c ′ 2 , . . . , c ′ 16 ) (256) . We can construct four sets of equations of the form 2 θ = S − 1 ( c 1 ⊕ k 1 ) ⊕ S − 1 ( c ′ 1 ⊕ k 1 ) θ = S − 1 ( c 8 ⊕ k 8 ) ⊕ S − 1 ( c ′ 8 ⊕ k 8 ) θ = S − 1 ( c 11 ⊕ k 11 ) ⊕ S − 1 ( c ′ 11 ⊕ k 11 ) 3 θ = S − 1 ( c 14 ⊕ k 14 ) ⊕ S − 1 ( c ′ 14 ⊕ k 14 ) , which will give 2 8 hypotheses for { k 1 , k 8 , k 11 , k 14 } . Leading to 2 32 hypotheses for K . ◮ (Time complexity) Michael Tunstall (University of Bristol) May/June, 2011 13 / 48

  14. Two-Round AES: Chosen Plaintext Model Bouillaguet et al. (2010) note that if the plaintext if known then there are 127 possible vales for each θ i for i ∈ { 1 , 2 , 3 , 4 } (Observation 1). Then, given 2 θ = S − 1 ( c 1 ⊕ k 1 ) ⊕ S − 1 ( c ′ 1 ⊕ k 1 ) θ = S − 1 ( c 8 ⊕ k 8 ) ⊕ S − 1 ( c ′ 8 ⊕ k 8 ) θ = S − 1 ( c 11 ⊕ k 11 ) ⊕ S − 1 ( c ′ 11 ⊕ k 11 ) 3 θ = S − 1 ( c 14 ⊕ k 14 ) ⊕ S − 1 ( c ′ 14 ⊕ k 14 ) , will give 2 7 hypotheses for { k 1 , k 8 , k 11 , k 14 } . Leading to 2 28 hypotheses. ◮ (Time complexity) Michael Tunstall (University of Bristol) May/June, 2011 14 / 48

  15. Three-Round AES: Chosen Difference Model The same attack as previously can be constructed if we consider a difference in one bye.  ζ 0 0 0   2 θ 0 0 0  0 0 0 0 3 θ 0 0 0      →  →     0 0 0 0 θ 0 0 0   0 0 0 0 θ 0 0 0  2 α β γ 3 δ    x 1 x 5 x 9 x 13 3 α 2 β γ δ x 2 x 6 x 10 x 14      →     α 3 β 2 γ δ x 3 x 7 x 11 x 15    α β 3 γ 2 δ x 4 x 8 x 12 x 16 Using the same technique as presented previously we can generate 2 32 key hypotheses. One can then generate 2 8 hypotheses with a time complexity of 2 32 / 10 ≈ 2 28 . 5 . Michael Tunstall (University of Bristol) May/June, 2011 15 / 48

  16. Three-Round AES: Chosen Plaintext Model Given Observation 1 we can note that θ will have 2 7 possible values rather than the 2 8 considered in the previous attack. Producing 2 7 hypotheses with a time complexity of 2 32 / 3 ≈ 2 30 . 5 . Michael Tunstall (University of Bristol) May/June, 2011 16 / 48

  17. Four-Round AES: Chosen Plaintext Model — Meet-in-the-Middle Attack — Bouillaguet et al. (2010) describe an attack that requires ten plaintext-ciphertext pairs. Where the plaintexts differ in four bytes. Guessing four bytes of the last subkey ( K 5 ) and one byte of the penultimate key ( K 4 ), we can predict X i for i ∈ { 1 , 2 , . . . , 10 } .   X i 0 0 0 0 0 0 0   → ShiftRows → SubBytes → ⊕ MixColumns − 1 ( K 4 ) →    0 0 0 0  0 0 0 0   c 1 c 5 c 9 c 13 c 2 c 6 c 10 c 14   MixColumns → ShiftRows → SubBytes → ⊕ K 5 →   c 3 c 7 c 11 c 15   c 4 c 8 c 12 c 16 Michael Tunstall (University of Bristol) May/June, 2011 17 / 48

Recommend


More recommend