protecting against statistical ineffective fault attacks
play

Protecting against Statistical Ineffective Fault Attacks Joan - PowerPoint PPT Presentation

Dec 22, 2022 •311 likes •964 views

Protecting against Statistical Ineffective Fault Attacks Joan Daemen, Christoph Dobraunig, Maria Eichlseder, Hannes Gross, Florian Mendel and Robert Primas CHES 2020 Motivation www.tugraz.at Using crypto in the wild requires:

  1. Protecting against Statistical Ineffective Fault Attacks Joan Daemen, Christoph Dobraunig, Maria Eichlseder, Hannes Gross, Florian Mendel and Robert Primas CHES 2020

  2. Motivation www.tugraz.at Using crypto in the wild requires: • Mathematically secure cryptographic schemes 1 0 1 0 0 1 1 1 Robert Primas — CHES 2020

  3. Motivation www.tugraz.at Using crypto in the wild requires: • Mathematically secure cryptographic schemes • Additional defenses mechanisms against implementation attacks: 1 Robert Primas — CHES 2020

  4. Motivation www.tugraz.at Using crypto in the wild requires: • Mathematically secure cryptographic schemes • Additional defenses mechanisms against implementation attacks: Power Analysis Fault Attacks 1 Robert Primas — CHES 2020

  5. Motivation www.tugraz.at • Statistical Ineffective Fault Attacks (SIFA) were first presented at CHES2018: • Work against block ciphers, AEAD, etc . . . • Circumvent redundancy/infection countermeasures • Only one fault injection per cipher execution 2 Robert Primas — CHES 2020

  6. Motivation www.tugraz.at • Statistical Ineffective Fault Attacks (SIFA) were first presented at CHES2018: • Work against block ciphers, AEAD, etc . . . • Circumvent redundancy/infection countermeasures • Only one fault injection per cipher execution • In a follow-up at ASIACRYPT2018 it was shown that: • SIFA can additionally circumvent (higher-order) masking/TI 2 Robert Primas — CHES 2020

  7. Motivation www.tugraz.at • Statistical Ineffective Fault Attacks (SIFA) were first presented at CHES2018: • Work against block ciphers, AEAD, etc . . . • Circumvent redundancy/infection countermeasures • Only one fault injection per cipher execution • In a follow-up at ASIACRYPT2018 it was shown that: • SIFA can additionally circumvent (higher-order) masking/TI • Proposed countermeasures at the time: • Error correction • Hiding • Self destruction 2 Robert Primas — CHES 2020

  8. Motivation cont. www.tugraz.at • Many proposed SIFA countermeasures so far utilize error correction: • Rather expensive (masking!) • How much error correction is necessary? • What about DFA? 3 Robert Primas — CHES 2020

  9. Motivation cont. www.tugraz.at • Many proposed SIFA countermeasures so far utilize error correction: • Rather expensive (masking!) • How much error correction is necessary? • What about DFA? • We propose efficient SIFA countermeasure strategies: • “Careful” combination of redundancy with masking • Low overhead for lightweight schemes • Moderate overhead for “bulky” schemes like AES 3 Robert Primas — CHES 2020

  10. Statistical Fault Attacks on AES-128 www.tugraz.at P N : SHIFT ROWS ROUND 8 MIX COLUMNS KEY ADD • AES is a PRP: SUB BYTES ROUND 9 • Distribution of ciphertext bytes is SHIFT ROWS MIX COLUMNS uniform KEY ADD • (Also after only 9 rounds) ROUND 10 SUB BYTES SHIFT ROWS KEY ADD C N Fuhr et al. [Fuh+13] 4 Robert Primas — CHES 2020

  11. Statistical Fault Attacks on AES-128 www.tugraz.at P N : SHIFT ROWS ROUND 8 MIX COLUMNS • Assume fault that disturbs distribution KEY ADD of one state byte in round 9 SUB BYTES ROUND 9 • Stuck-at, bitflip, random, etc. SHIFT ROWS MIX COLUMNS • Attacker does not need to know the KEY ADD caused bias ROUND 10 SUB BYTES • 4 ciphertext bytes are affected SHIFT ROWS KEY ADD C N Fuhr et al. [Fuh+13] 4 Robert Primas — CHES 2020

  12. Statistical Fault Attacks on AES-128 www.tugraz.at P N : SHIFT ROWS ROUND 8 MIX COLUMNS KEY ADD • 4 state bytes in round 9 can be SUB BYTES ROUND 9 calculated from: SHIFT ROWS MIX COLUMNS • 4 ciphertext bytes KEY ADD • 4 key bytes ROUND 10 SUB BYTES SHIFT ROWS KEY ADD C N Fuhr et al. [Fuh+13] 4 Robert Primas — CHES 2020

  13. Statistical Fault Attacks on AES-128 www.tugraz.at : SHIFT ROWS ROUND 8 MIX COLUMNS KEY ADD • 4 state bytes in round 9 can be SUB BYTES ROUND 9 calculated from: SHIFT ROWS MIX COLUMNS • 4 ciphertext bytes KEY ADD • 4 key bytes (correct) ROUND 10 SUB BYTES SHIFT ROWS KEY ADD C N Fuhr et al. [Fuh+13] 4 Robert Primas — CHES 2020

  14. Statistical Fault Attacks on AES-128 www.tugraz.at : SHIFT ROWS ROUND 8 MIX COLUMNS KEY ADD • 4 state bytes in round 9 can be SUB BYTES ROUND 9 calculated from: SHIFT ROWS MIX COLUMNS • 4 ciphertext bytes KEY ADD • 4 key bytes (incorrect) ROUND 10 SUB BYTES SHIFT ROWS KEY ADD C N Fuhr et al. [Fuh+13] 4 Robert Primas — CHES 2020

  15. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at P N : : SHIFT ROWS SHIFT ROWS ROUND 8 MIX COLUMNS MIX COLUMNS KEY ADD KEY ADD • Redundant computation fixes the SUB BYTES SUB BYTES ROUND 9 SHIFT ROWS SHIFT ROWS problem! MIX COLUMNS MIX COLUMNS KEY ADD KEY ADD ROUND 10 SUB BYTES SUB BYTES SHIFT ROWS SHIFT ROWS KEY ADD KEY ADD C 1 C N 5 Robert Primas — CHES 2020

  16. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at P N : : SHIFT ROWS SHIFT ROWS ROUND 8 MIX COLUMNS MIX COLUMNS KEY ADD KEY ADD • Redundant computation fixes the SUB BYTES SUB BYTES ROUND 9 SHIFT ROWS SHIFT ROWS problem! MIX COLUMNS MIX COLUMNS • Except it doesn’t KEY ADD KEY ADD ROUND 10 SUB BYTES SUB BYTES SHIFT ROWS SHIFT ROWS KEY ADD KEY ADD C 1 Dobraunig et al. [Dob+18b] C N 5 Robert Primas — CHES 2020

  17. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at : SHIFT ROWS ROUND 8 • For simplicity, assume stuck-at zero MIX COLUMNS KEY ADD fault (others work as well) SUB BYTES • “Effective” faults are filtered out ROUND 9 SHIFT ROWS MIX COLUMNS • Correct ciphertexts still show bias in KEY ADD round 9 ROUND 10 SUB BYTES SHIFT ROWS • Exploitation works same as before KEY ADD C 1 C N Dobraunig et al. [Dob+18b] 5 Robert Primas — CHES 2020

  18. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at : SHIFT ROWS ROUND 8 • For simplicity, assume stuck-at zero MIX COLUMNS KEY ADD fault (others work as well) SUB BYTES • “Effective” faults are filtered out ROUND 9 SHIFT ROWS MIX COLUMNS • Correct ciphertexts still show bias in KEY ADD round 9 ROUND 10 SUB BYTES SHIFT ROWS • Exploitation works same as before KEY ADD C 1 C N Dobraunig et al. [Dob+18b] 5 Robert Primas — CHES 2020

  19. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at P N : : : SHIFT ROWS SHIFT ROWS ROUND 8 MIX COLUMNS MIX COLUMNS KEY ADD KEY ADD SUB BYTES SUB BYTES ROUND 9 • Masking fixes the problem! SHIFT ROWS SHIFT ROWS MIX COLUMNS MIX COLUMNS KEY ADD KEY ADD ROUND 10 SUB BYTES SUB BYTES SHIFT ROWS SHIFT ROWS KEY ADD KEY ADD C 1 Dobraunig et al. [Dob+18b] C N 5 Robert Primas — CHES 2020

  20. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at P N : : : SHIFT ROWS SHIFT ROWS ROUND 8 MIX COLUMNS MIX COLUMNS KEY ADD KEY ADD SUB BYTES SUB BYTES ROUND 9 • Masking fixes the problem! SHIFT ROWS SHIFT ROWS MIX COLUMNS MIX COLUMNS KEY ADD KEY ADD ROUND 10 SUB BYTES SUB BYTES SHIFT ROWS SHIFT ROWS KEY ADD KEY ADD C 1 Dobraunig et al. [Dob+18b] C N 5 Robert Primas — CHES 2020

  21. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at P N : : : SHIFT ROWS SHIFT ROWS ROUND 8 MIX COLUMNS MIX COLUMNS KEY ADD KEY ADD SUB BYTES SUB BYTES ROUND 9 • Masking fixes the problem! SHIFT ROWS SHIFT ROWS MIX COLUMNS MIX COLUMNS • Except it doesn’t KEY ADD KEY ADD ROUND 10 SUB BYTES SUB BYTES SHIFT ROWS SHIFT ROWS KEY ADD KEY ADD C 1 Dobraunig et al. [Dob+18a] C N 5 Robert Primas — CHES 2020

  22. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at P N : : : SHIFT ROWS SHIFT ROWS ROUND 8 MIX COLUMNS MIX COLUMNS x 0 z 0 KEY ADD KEY ADD y 0 R SUB BYTES SUB BYTES y 1 ROUND 9 • Masking fixes the problem! SHIFT ROWS SHIFT ROWS x 1 z 1 MIX COLUMNS MIX COLUMNS • Except it doesn’t KEY ADD KEY ADD ROUND 10 SUB BYTES SUB BYTES SHIFT ROWS SHIFT ROWS KEY ADD KEY ADD C 1 Dobraunig et al. [Dob+18a] C N 5 Robert Primas — CHES 2020

  23. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at x 0 z 0 • Masked AND-gate y 0 ~ • Naturally, when x and y are uniform R z y 1 then z has bias towards 0 0 1 0 1 z 1 x 1 Dobraunig et al. [Dob+18a] 5 Robert Primas — CHES 2020

  24. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at • Assume a fault causes difference in x 0 (to redundant computation) x 0 z 0 y 0 ~ R z y 1 0 1 z 1 x 1 Dobraunig et al. [Dob+18a] 5 Robert Primas — CHES 2020

  25. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at • Assume a fault causes difference in x 0 (to redundant computation) x 0 z 0 • Difference cancels if either: y 0 • y 0 , y 1 are both 0 ~ R z y 1 0 1 z 1 x 1 Dobraunig et al. [Dob+18a] 5 Robert Primas — CHES 2020

  26. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at • Assume a fault causes difference in x 0 (to redundant computation) x 0 z 0 • Difference cancels if either: y 0 • y 0 , y 1 are both 0 ~ R z • y 0 , y 1 are both 1 y 1 0 1 z 1 x 1 Dobraunig et al. [Dob+18a] 5 Robert Primas — CHES 2020

Recommend

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph Dobraunig, Maria Eichlseder, Hannes Gross, Stefan Mangard, Florian Mendel, Robert Primas ASIACRYPT 2018 IAIK - Graz University of Technology www.tugraz.at

1.01k views • 78 slides
SIFA Statistical Ineffective Fault Attacks Rump Session at CHES 2018 Based on work of:

SIFA Statistical Ineffective Fault Attacks Rump Session at CHES 2018 Based on work of:

SIFA Statistical Ineffective Fault Attacks Rump Session at CHES 2018 Based on work of: Christoph Dobraunig, Maria Eichlseder, Hannes Gro, Thomas Korak, Stefan Mangard, Florian Mendel, Robert Primas Are Protected Implementations Hard to

415 views • 17 slides
Statistical Fault Attacks Revisited Application to Authenticated Encryption C. Dobraunig, M.

Statistical Fault Attacks Revisited Application to Authenticated Encryption C. Dobraunig, M.

Statistical Fault Attacks Revisited Application to Authenticated Encryption C. Dobraunig, M. Eichlseder, T. Korak, V. Lomn e, F. Mendel ASK 2016 The research leading to these results has received funding from the European Unions Horizon

551 views • 26 slides
Protecting the Control Flow of Embedded Processors against Fault Attacks Mario Werner 1 , Erich

Protecting the Control Flow of Embedded Processors against Fault Attacks Mario Werner 1 , Erich

W I S S E N T E C H N I K L E I D E N S C H A F T Protecting the Control Flow of Embedded Processors against Fault Attacks Mario Werner 1 , Erich Wenger 2 , and Stefan Mangard 1 , 1 Graz University of Technology 2 Infineon

552 views • 32 slides
PROTECTING ECC AGAINST FAULT ATTACKS Marc Joye NutMiC 2019 Paris, June 2427, 2019

PROTECTING ECC AGAINST FAULT ATTACKS Marc Joye NutMiC 2019 Paris, June 2427, 2019

Innovation Centre PROTECTING ECC AGAINST FAULT ATTACKS Marc Joye NutMiC 2019 Paris, June 2427, 2019 September 26, 1996 Bellcores Researchers Break Smart Cards BELLCORE ATTACK (1/2) Computation of a signature S = ( m ) d mod N

503 views • 24 slides
Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M.

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M.

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M. Eichlseder 1 , T. Korak 1 , V. Lomn e 2 , F. Mendel 1 AsiaCrypt 2016 1 Graz University of Technology, Austria 2 ANSSI, Paris, France

602 views • 27 slides
Protecting Against Fault Injection Attacks: from CRT-RSA to all Asymmetric Cryptography Pablo

Protecting Against Fault Injection Attacks: from CRT-RSA to all Asymmetric Cryptography Pablo

Protecting Against Fault Injection Attacks: from CRT-RSA to all Asymmetric Cryptography Pablo Rauzy Sylvain Guilley rauzy@enst.fr guilley@enst.fr pablo.rauzy.name perso.enst.fr/ guilley TELECOM ParisTech CNRS LTCI / COMELEC / SEN S

896 views • 64 slides
SIFA: Exploiting Ineffective Fault Inductions on Symmetric Cryptography Christoph Dobraunig 1 ,

SIFA: Exploiting Ineffective Fault Inductions on Symmetric Cryptography Christoph Dobraunig 1 ,

SIFA: Exploiting Ineffective Fault Inductions on Symmetric Cryptography Christoph Dobraunig 1 , Maria Eichlseder 1 , Thomas Korak 2 , Stefan Mangard 1 , Florian Mendel 2 , Robert Primas 1 1 Graz University of Technology, Austria

730 views • 54 slides
Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia

Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia

Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia Laguna, Sardinia (Italy) 19 October 2015 Introduction to Fault Attacks 19 October 2015 What are fault attacks? Active attacks against

571 views • 27 slides
Findings Port Security is ineffective at preventing 3 different MAC Spoofing attacks in

Findings Port Security is ineffective at preventing 3 different MAC Spoofing attacks in

M EDIA A CCESS C ONTROL (MAC) A DDRESS S POOFING A TTACKS AGAINST P ORT S ECURITY Andrew Buhr, Dale Lindskog, Pavol Zavarsky, Ron Ruhl Concordia University College of Alberta Findings Port Security is ineffective at preventing 3 different

455 views • 24 slides
Reverse Engineering of a Secret AES-like Cipher by Ineffective Fault Analysis Antoine Wurcker

Reverse Engineering of a Secret AES-like Cipher by Ineffective Fault Analysis Antoine Wurcker

Introduction Scope of the Attack Attack Steps Conclusion Reverse Engineering of a Secret AES-like Cipher by Ineffective Fault Analysis Antoine Wurcker Christophe Clavier antoine.wurcker@xlim.fr christophe.clavier@unilim.fr Universit e

535 views • 51 slides
Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France

Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France

Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France November 16, 2017 Cryptacus Workshop, Nijmegen, Netherlands the attacker only needs unprivileged execution on the victims machine

1.99k views • 164 slides
Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics, University of Auckland PQCrypto 2017, 26th of June 1/15 Outline 1 Preliminaries Introduction Supersingular isogenies SSI cryptosystems 2 Fault attack

378 views • 33 slides
Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier, Xiaolu Hou and Yang Liu 10 September 2018 1 / 25 Table of Contents Background and Motivation 1 Overview of DATAC DFA Automation Tool for

727 views • 25 slides
Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Introduction Threats Setups Attacks Countermeasures Conclusion 1 / 31 Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of Cryptographic Algorithms and Devices for Real-World Applications Sibenik,

849 views • 31 slides
Defeating TLS client authentication using fault attacks Who are we ? R&D dept. @

Defeating TLS client authentication using fault attacks Who are we ? R&D dept. @

Defeating TLS client authentication using fault attacks Who are we ? R&D dept. @ Security Evaluation Kudelski Security Lab @ Kudelski IoT Embedded systems Hardware attacks security research Glitch / EM Reverse

889 views • 51 slides
Fault Attacks on Elliptic Curve Cryptosystems Marc Joye Thomson Security Labs

Fault Attacks on Elliptic Curve Cryptosystems Marc Joye Thomson Security Labs

Fault Attacks on Elliptic Curve Cryptosystems Marc Joye Thomson Security Labs marc.joye@thomson.net CryptoPuces 2009 Porquerolles, June 26, 2009 Outline Elliptic Curve Cryptography Inducing Faults Fault Attacks Countermeasures

363 views • 24 slides
Its Not My Fault 1915: rotor machines: (electro-)mechanical - On Fault Attacks on

Its Not My Fault 1915: rotor machines: (electro-)mechanical - On Fault Attacks on

Its Not My Fault Bart Preneel FDTC12 9 September 2011 Symmetric crypto history 101 http://www.ecrypt.eu.org pre-1915: manual encryption or simple devices Its Not My Fault 1915: rotor machines: (electro-)mechanical - On

296 views • 6 slides
Protecting Free and Open Communications on the Internet Against Man-in-the-Middle Attacks on

Protecting Free and Open Communications on the Internet Against Man-in-the-Middle Attacks on

Protecting Free and Open Communications on the Internet Against Man-in-the-Middle Attacks on Third-Party Software Jeffrey Knockel, Jedidiah Crandall Computer Science Department University of New Mexico Recent News Iran: forged SSL

569 views • 27 slides
JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK 2018, Kolkata, India 15 Nov 2018 Table of Contents 1. Introduction to Fault Attacks 2. Persistent Fault Analysis (PFA) 3. PFA on Fault

588 views • 19 slides
Practical validation of several fault attacks against the Miller algorithm Nadia El Mrabet 1 ,

Practical validation of several fault attacks against the Miller algorithm Nadia El Mrabet 1 ,

Practical validation of several fault attacks against the Miller algorithm Nadia El Mrabet 1 , Jacques Fournier 2 , Louis Goubin 3 , Ronan Lashermes 2 , 3 , Marie Paindavoine 4 , 5 . 1 - LIASD, Paris 8, France. 2 - CEA Tech, DPACA/LSAS, Gardanne,

446 views • 22 slides
EXPERIMENTAL EVALUATION OF TWO SOFTWARE COUNTERMEASURES AGAINST FAULT ATTACKS Nicolas Moro 1,3 ,

EXPERIMENTAL EVALUATION OF TWO SOFTWARE COUNTERMEASURES AGAINST FAULT ATTACKS Nicolas Moro 1,3 ,

EXPERIMENTAL EVALUATION OF TWO SOFTWARE COUNTERMEASURES AGAINST FAULT ATTACKS Nicolas Moro 1,3 , Karine Heydemann 3 , Amine Dehbaoui 2 , Bruno Robisson 1 , Emmanuelle Encrenaz 3 1 CEA Commissariat lEnergie Atomique et aux Energies

679 views • 22 slides
Microarchitectural Attacks: Protecting Cloud Accelerators By Ahmad Daniel Moghimi PhD

Microarchitectural Attacks: Protecting Cloud Accelerators By Ahmad Daniel Moghimi PhD

Microarchitectural Attacks: Protecting Cloud Accelerators By Ahmad Daniel Moghimi PhD Candidate Worcester Polytechnic Institute (WPI) @danielmgmi OUTLINE Summary of Recent Contributions: Microarchiture MemJam Intel SGX

950 views • 52 slides
FAULT ATTACKS ON TWO SOFTWARE COUNTERMEASURES Nicolas Moro 1,3 , Karine Heydemann 3 , Amine

FAULT ATTACKS ON TWO SOFTWARE COUNTERMEASURES Nicolas Moro 1,3 , Karine Heydemann 3 , Amine

FAULT ATTACKS ON TWO SOFTWARE COUNTERMEASURES Nicolas Moro 1,3 , Karine Heydemann 3 , Amine Dehbaoui 2 , Bruno Robisson 1 , Emmanuelle Encrenaz 3 1 CEA Commissariat lEnergie Atomique et aux Energies Alternatives 2 ENSM.SE Ecole Nationale

456 views • 22 slides

More recommend