sifa exploiting ineffective fault inductions on symmetric
play

SIFA: Exploiting Ineffective Fault Inductions on Symmetric - PowerPoint PPT Presentation

Oct 23, 2023 •173 likes •730 views

SIFA: Exploiting Ineffective Fault Inductions on Symmetric Cryptography Christoph Dobraunig 1 , Maria Eichlseder 1 , Thomas Korak 2 , Stefan Mangard 1 , Florian Mendel 2 , Robert Primas 1 1 Graz University of Technology, Austria

  1. SIFA: Exploiting Ineffective Fault Inductions on Symmetric Cryptography Christoph Dobraunig 1 , Maria Eichlseder 1 , Thomas Korak 2 , Stefan Mangard 1 , Florian Mendel 2 , Robert Primas 1 1 Graz University of Technology, Austria first.last@iaik.tugraz.at 2 Infineon Technologies AG, Germany first.last@infineon.com

  2. Outlook We present fault attacks that are ... • Hard to prevent • Defy detection, any degree of redundancy • Defy infection • (Defy masking) • Versatile • Many possible fault locations/effects • Applicable to many symmetric schemes • Evaluated on various platforms 1

  3. Outlook We present fault attacks that are ... • Hard to prevent • Defy detection, any degree of redundancy • Defy infection • (Defy masking) • Versatile • Many possible fault locations/effects • Applicable to many symmetric schemes • Evaluated on various platforms 1

  4. Outlook We present fault attacks that are ... • Hard to prevent • Defy detection, any degree of redundancy • Defy infection • (Defy masking) • Versatile • Many possible fault locations/effects • Applicable to many symmetric schemes • Evaluated on various platforms 1

  5. Fault Attacks • Get device access: PT • Set plaintexts • Observe ciphertexts • Cause (partially) erroneous computation ENC • Observe faulty and correct ciphertext • Determine correct sub key guesses by verifying output pairs ⇒ Differential Fault Attack (DFA) CT 2

  6. Fault Attacks • Get device access: PT • Set plaintexts • Observe ciphertexts • Cause (partially) erroneous computation ENC • Observe faulty and correct ciphertext • Determine correct sub key guesses by verifying output pairs ⇒ Differential Fault Attack (DFA) CT* 2

  7. Fault Attacks • Get device access: PT • Set plaintexts • Observe ciphertexts • Cause (partially) erroneous computation ENC ENC • Observe faulty and correct ciphertext • Determine correct sub key guesses by verifying output pairs ⇒ Differential Fault Attack (DFA) CT* CT 2

  8. Fault Attacks • Get device access: • Set plaintexts • Observe ciphertexts CT* CT • Cause (partially) erroneous computation • Observe faulty and correct ciphertext • Determine correct sub key guesses by SUB KEY VERIFY verifying output pairs ⇒ Differential Fault Attack (DFA) 2

  9. Fault Attacks • Get device access: • Set plaintexts • Observe ciphertexts CT* CT • Cause (partially) erroneous computation • Observe faulty and correct ciphertext • Determine correct sub key guesses by SUB KEY VERIFY verifying output pairs ⇒ Differential Fault Attack (DFA) 2

  10. Fault Countermeasures - Detection PT • Use redundancy to detect faults ENC-DETECT ENC ENC • Fault detected → No ciphertext • 2 identical faults necessary for attack → More redundancy, Enc-Dec, masking, etc... CT CT CT 3

  11. Fault Countermeasures - Detection PT • Use redundancy to detect faults ENC-DETECT ENC ENC • Fault detected → No ciphertext • 2 identical faults necessary for attack → More redundancy, Enc-Dec, masking, etc... CT* CT ... 3

  12. Fault Countermeasures - Detection PT • Use redundancy to detect faults ENC-DETECT ENC ENC • Fault detected → No ciphertext • 2 identical faults necessary for attack → More redundancy, Enc-Dec, masking, etc... CT* CT* CT* 3

  13. Fault Countermeasures - Detection PT • Use redundancy to detect faults ENC-DETECT ENC ENC • Fault detected → No ciphertext • 2 identical faults necessary for attack → More redundancy, Enc-Dec, masking, etc... CT* CT* CT* 3

  14. Fault Countermeasures - Infection PT • Use redundancy, interleaved computation and dummy rounds ENC-INFECT • Faults are amplified s.t. ciphertext is not ENC ENC ENC related to the key anymore • Key recovery not possible • Attacks still possible but hard... CT 4

  15. Fault Countermeasures - Infection PT • Use redundancy, interleaved computation and dummy rounds ENC-INFECT • Faults are amplified s.t. ciphertext is not ENC ENC ENC related to the key anymore • Key recovery not possible • Attacks still possible but hard... %&$ 4

  16. Fault Countermeasures - Infection • Use redundancy, interleaved computation and %&$ CT dummy rounds • Faults are amplified s.t. ciphertext is not related to the key anymore SUB KEY • Key recovery not possible VERIFY • Attacks still possible but hard... 4

  17. Fault Countermeasures - Infection • Use redundancy, interleaved computation and %&$ CT dummy rounds • Faults are amplified s.t. ciphertext is not related to the key anymore SUB KEY • Key recovery not possible VERIFY • Attacks still possible but hard... 4

  18. Statistical Ineffective Fault Attacks (SIFA) Combines ... • Ineffective Fault Attacks (IFA) by Clavier et al. [Cla07] + Exploits only correct ciphertexts (similar to safe error attacks) − Requires precise faults with known effect • Statistical Fault Analysis (SFA) by Fuhr et al. [FJLT13] + Any fault, even if effect is unknown − Mitigated by detection/infection ⇒ Statistical Ineffective Fault Attacks (SIFA) + Exploits only correct ciphertexts + Any fault, even if effect is unknown 5

  19. Statistical Ineffective Fault Attacks (SIFA) Combines ... • Ineffective Fault Attacks (IFA) by Clavier et al. [Cla07] + Exploits only correct ciphertexts (similar to safe error attacks) − Requires precise faults with known effect • Statistical Fault Analysis (SFA) by Fuhr et al. [FJLT13] + Any fault, even if effect is unknown − Mitigated by detection/infection ⇒ Statistical Ineffective Fault Attacks (SIFA) + Exploits only correct ciphertexts + Any fault, even if effect is unknown 5

  20. Statistical Ineffective Fault Attacks (SIFA) Combines ... • Ineffective Fault Attacks (IFA) by Clavier et al. [Cla07] + Exploits only correct ciphertexts (similar to safe error attacks) − Requires precise faults with known effect • Statistical Fault Analysis (SFA) by Fuhr et al. [FJLT13] + Any fault, even if effect is unknown − Mitigated by detection/infection ⇒ Statistical Ineffective Fault Attacks (SIFA) + Exploits only correct ciphertexts + Any fault, even if effect is unknown 5

  21. SIFA on AES - Fault Injection Phase Example for AES... • Over multiple encryptions, state bytes are : ROUND 10 ROUND 9 ROUND 8 SHIFT ROWS uniformly distributed MIX COLUMNS • Fault somewhere between MC in round 8-9 KEY ADD 8 SUB BYTES • Goal is some non-uniform distribution SHIFT ROWS • Stuck-at fault, random fault, skips, flips... MIX COLUMNS • Fault Granularity: 1 bit → a few bytes KEY ADD 9 • Works even for ineffective faults SUB BYTES SHIFT ROWS • i.e. a fault was injected but the computation KEY ADD 10 is still correct • Attacker gets “access to subset of ciphertexts” Ciphertext 6

  22. SIFA on AES - Fault Injection Phase Example for AES... • Over multiple encryptions, state bytes are : ROUND 10 ROUND 9 ROUND 8 SHIFT ROWS uniformly distributed MIX COLUMNS • Fault somewhere between MC in round 8-9 KEY ADD 8 SUB BYTES • Goal is some non-uniform distribution SHIFT ROWS • Stuck-at fault, random fault, skips, flips... MIX COLUMNS • Fault Granularity: 1 bit → a few bytes KEY ADD 9 • Works even for ineffective faults SUB BYTES SHIFT ROWS • i.e. a fault was injected but the computation KEY ADD 10 is still correct • Attacker gets “access to subset of ciphertexts” Ciphertext Ciphertext Ciphertext Ciphertext Ciphertext 6

  23. SIFA on AES - Fault Injection Phase Example for AES... • Over multiple encryptions, state bytes are : ROUND 10 ROUND 9 ROUND 8 SHIFT ROWS uniformly distributed MIX COLUMNS • Fault somewhere between MC in round 8-9 KEY ADD 8 SUB BYTES • Goal is some non-uniform distribution SHIFT ROWS • Stuck-at fault, random fault, skips, flips... MIX COLUMNS • Fault Granularity: 1 bit → a few bytes KEY ADD 9 • Works even for ineffective faults SUB BYTES SHIFT ROWS • i.e. a fault was injected but the computation KEY ADD 10 is still correct • Attacker gets “access to subset of ciphertexts” Ciphertext Ciphertext Ciphertext Ciphertext Ciphertext 6

  24. SIFA on AES - Fault Injection Phase Example for AES... • Over multiple encryptions, state bytes are : ROUND 10 ROUND 9 ROUND 8 SHIFT ROWS uniformly distributed MIX COLUMNS • Fault somewhere between MC in round 8-9 KEY ADD 8 SUB BYTES • Goal is some non-uniform distribution SHIFT ROWS • Stuck-at fault, random fault, skips, flips... MIX COLUMNS • Fault Granularity: 1 bit → a few bytes KEY ADD 9 • Works even for ineffective faults SUB BYTES SHIFT ROWS • i.e. a fault was injected but the computation KEY ADD 10 is still correct • Attacker gets “access to subset of ciphertexts” Ciphertext Ciphertext Ciphertext Ciphertext Ciphertext 6

  25. SIFA on AES - Fault Injection Phase Example for AES... • Over multiple encryptions, state bytes are : ROUND 10 ROUND 9 ROUND 8 SHIFT ROWS uniformly distributed MIX COLUMNS • Fault somewhere between MC in round 8-9 KEY ADD 8 SUB BYTES • Goal is some non-uniform distribution SHIFT ROWS • Stuck-at fault, random fault, skips, flips... MIX COLUMNS • Fault Granularity: 1 bit → a few bytes KEY ADD 9 • Works even for ineffective faults SUB BYTES SHIFT ROWS • i.e. a fault was injected but the computation KEY ADD 10 is still correct • Attacker gets “access to subset of ciphertexts” Ciphertext Ciphertext Ciphertext Ciphertext Ciphertext 6

Recommend

SIFA Statistical Ineffective Fault Attacks Rump Session at CHES 2018 Based on work of:

SIFA Statistical Ineffective Fault Attacks Rump Session at CHES 2018 Based on work of:

SIFA Statistical Ineffective Fault Attacks Rump Session at CHES 2018 Based on work of: Christoph Dobraunig, Maria Eichlseder, Hannes Gro, Thomas Korak, Stefan Mangard, Florian Mendel, Robert Primas Are Protected Implementations Hard to

415 views • 17 slides
Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph Dobraunig, Maria Eichlseder, Hannes Gross, Stefan Mangard, Florian Mendel, Robert Primas ASIACRYPT 2018 IAIK - Graz University of Technology www.tugraz.at

1.01k views • 78 slides
Protecting against Statistical Ineffective Fault Attacks Joan Daemen, Christoph Dobraunig, Maria

Protecting against Statistical Ineffective Fault Attacks Joan Daemen, Christoph Dobraunig, Maria

Protecting against Statistical Ineffective Fault Attacks Joan Daemen, Christoph Dobraunig, Maria Eichlseder, Hannes Gross, Florian Mendel and Robert Primas CHES 2020 Motivation www.tugraz.at Using crypto in the wild requires:

964 views • 64 slides
Reverse Engineering of a Secret AES-like Cipher by Ineffective Fault Analysis Antoine Wurcker

Reverse Engineering of a Secret AES-like Cipher by Ineffective Fault Analysis Antoine Wurcker

Introduction Scope of the Attack Attack Steps Conclusion Reverse Engineering of a Secret AES-like Cipher by Ineffective Fault Analysis Antoine Wurcker Christophe Clavier antoine.wurcker@xlim.fr christophe.clavier@unilim.fr Universit e

535 views • 51 slides
Its Not My Fault 1915: rotor machines: (electro-)mechanical - On Fault Attacks on

Its Not My Fault 1915: rotor machines: (electro-)mechanical - On Fault Attacks on

Its Not My Fault Bart Preneel FDTC12 9 September 2011 Symmetric crypto history 101 http://www.ecrypt.eu.org pre-1915: manual encryption or simple devices Its Not My Fault 1915: rotor machines: (electro-)mechanical - On

296 views • 6 slides
Exploiting Hidden Layer Modular Redundancy for Fault-Tolerance in Neural Network Accelerators

Exploiting Hidden Layer Modular Redundancy for Fault-Tolerance in Neural Network Accelerators

Exploiting Hidden Layer Modular Redundancy for Fault-Tolerance in Neural Network Accelerators Schuyler Eldridge Ajay Joshi Department of Electrical and Computer Engineering, Boston University schuye@bu.edu January 30, 2015 This work was

679 views • 19 slides
Exploiting Redundant Test Cases in Fault Localisation: Good or Bad? Alexandre Perez

Exploiting Redundant Test Cases in Fault Localisation: Good or Bad? Alexandre Perez

Exploiting Redundant Test Cases in Fault Localisation: Good or Bad? Alexandre Perez alexandre.perez@fe.up.pt Nuno Cardoso, Jos e Campos, Rui Abreu nunopcardoso@gmail.com, jose.carlos.campos@fe.up.pt, rui@computer.com Department of

508 views • 32 slides
Fault-Tolerance, Fast and Slow: Exploiting Failure Asynchrony in Distributed Systems Ramnatthan

Fault-Tolerance, Fast and Slow: Exploiting Failure Asynchrony in Distributed Systems Ramnatthan

Fault-Tolerance, Fast and Slow: Exploiting Failure Asynchrony in Distributed Systems Ramnatthan Alagappan, Aishwarya Ganesan, Jing Liu, Andrea Arpaci-Dusseau, and Remzi Arpaci-Dusseau Replication Protocols Viewstamped Paxos Raft replication

1.83k views • 144 slides
effective ineffective EXTERNAL effective ineffective INTERNAL focus focus

effective ineffective EXTERNAL effective ineffective INTERNAL focus focus

EXTERNAL focus BROAD NARROW INTERNAL effective ineffective EXTERNAL effective ineffective INTERNAL focus focus prepara%on self-talk emotional control emotional control frustra%on disappointment

317 views • 31 slides
Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault

Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault

Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault tolerant programming are: Fault Detection - Knowing that a fault exists Fault Recovery - having atomic instructions that can be rolled back in

361 views • 18 slides
WHY YOU Speakers notes for new staff inductions SHOULD These speakers notes can be BE A

WHY YOU Speakers notes for new staff inductions SHOULD These speakers notes can be BE A

WHY YOU Speakers notes for new staff inductions SHOULD These speakers notes can be BE A UCU used alongside UCUs MEMBER Powerpoint presentation Why you should be a UCU member Slide 1 Title slideWhy you should become a UCU

695 views • 3 slides
Appendix E Presentation for Inductions 46 47 48

Appendix E Presentation for Inductions 46 47 48

Appendix E Presentation for Inductions 46 47 48

408 views • 3 slides
Findings Port Security is ineffective at preventing 3 different MAC Spoofing attacks in

Findings Port Security is ineffective at preventing 3 different MAC Spoofing attacks in

M EDIA A CCESS C ONTROL (MAC) A DDRESS S POOFING A TTACKS AGAINST P ORT S ECURITY Andrew Buhr, Dale Lindskog, Pavol Zavarsky, Ron Ruhl Concordia University College of Alberta Findings Port Security is ineffective at preventing 3 different

455 views • 24 slides
2 Fault Isolation & Restoration Manual Fault Isolation & Restoration The

2 Fault Isolation & Restoration Manual Fault Isolation & Restoration The

1 Self Healing Network (Centralized Restoration Gateway) IEEE PES 2015 General Meeting 2 Fault Isolation & Restoration Manual Fault Isolation & Restoration The operator makes switching decisions Automatic Fault Location

724 views • 22 slides
Overview Introduction and basic concept ECE 753: FAULT-TOLERANT Fault model and fault

Overview Introduction and basic concept ECE 753: FAULT-TOLERANT Fault model and fault

4/1/2014 Overview Introduction and basic concept ECE 753: FAULT-TOLERANT Fault model and fault coverage COMPUTING Checkpointing and backward error recovery (rollback) Kewal K.Saluja General principles General principles

259 views • 3 slides
Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data

Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data

Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data Gerome Miklau University of Massachusetts, Amherst DIMACS Workshop on Recent Work on Di ff erential Privacy across Computer Science October 2012

1.39k views • 136 slides
Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do?

Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do?

PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Stefan Klbl June 20th, 2017 DTU Compute, Technical University of Denmark Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do? Authentication

711 views • 47 slides
Fault Modeling 1 Why Fault Models? Actual number of physical defects in a circuit are too

Fault Modeling 1 Why Fault Models? Actual number of physical defects in a circuit are too

8/1/2012 Fault Modeling 1 Why Fault Models? Actual number of physical defects in a circuit are too many. Not possible to consider individually. Difficult to count and analyze. Some logical fault models are considered. A fault

493 views • 15 slides
0 4 1 3 2 No deterministic symmetric dining solution [RL81] Probabilistic symmetric

0 4 1 3 2 No deterministic symmetric dining solution [RL81] Probabilistic symmetric

Once up on a time ... [Dij71] 0 4 1 3 2 No deterministic symmetric dining solution [RL81] Probabilistic symmetric solution T raditional non-symmetric: Left-Righ t solution Generalized dining philosophers [Lyn81] . . .

625 views • 20 slides
Difficulties In Evolving the Cybersecurity Workforce: As Clear As A.I.R (Archaic Ineffective

Difficulties In Evolving the Cybersecurity Workforce: As Clear As A.I.R (Archaic Ineffective

Difficulties In Evolving the Cybersecurity Workforce: As Clear As A.I.R (Archaic Ineffective Requirements) Corey T. Jackson, MBA, CISSP, CSSLP, NET+ Senior Enterprise Knowledge Architect US Department of Justice- Federal Bureau of

341 views • 9 slides
Active fault level management Introducing the Fault Current Limiting service 1 Fluctuating

Active fault level management Introducing the Fault Current Limiting service 1 Fluctuating

Active fault level management Introducing the Fault Current Limiting service 1 Fluctuating fault level Fault level reinforcement is disruptive, lengthy and expensive which can discourage connection of new demand/ generation NETWORK

447 views • 16 slides
JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK 2018, Kolkata, India 15 Nov 2018 Table of Contents 1. Introduction to Fault Attacks 2. Persistent Fault Analysis (PFA) 3. PFA on Fault

588 views • 19 slides
BSc Project What kinds of fault we may confront in a control loop? Fault Detection &

BSc Project What kinds of fault we may confront in a control loop? Fault Detection &

13/12/2016 2 of 23 Content What is fault? Why we detect fault in a control loop? BSc Project What kinds of fault we may confront in a control loop? Fault Detection & Diagnosis What is stiction? in Control Valves

406 views • 6 slides
Three approaches to promote de-implementation of ineffective treatments David H. Howard

Three approaches to promote de-implementation of ineffective treatments David H. Howard

Three approaches to promote de-implementation of ineffective treatments David H. Howard Department of Health Policy and Management Emory University How to promote abandonment of unproven technologies Test them Pay less for them

661 views • 20 slides

More recommend