Advanced Encryption Standard (AES) Differential Fault Analysis Overview


Learn about the Differential Fault Analysis (DFA) on AES variants, including AES-128, AES-192, and AES-256. The discussion covers physical attacks, cryptanalytic approaches, AES encryption, key scheduling, and more, providing insights into the vulnerabilities and challenges in cryptographic systems.

  • Cryptography
  • AES
  • Differential Analysis
  • Security
  • Encryption


Presentation Transcript


  1. Differential Fault Analysis on AES Variants
     Kazuo Sakiyama, Yang Li
     The University of Electro-Communications
     2012-8-29 @ Nagoya, Japan

  2. Contents
     • Background
       • Physical Attacks and Differential Fault Analysis
       • Advanced Encryption Standard
     • Fault Model in this discussion
       • 1-byte random fault in known byte position
     • DFA Attack on AES Variants
       • DFA on AES-128 with 1 fault injection
       • DFA on AES-192 with 3/2 fault injections
       • DFA on AES-256 with 3/2 fault injections
     • Challenge to be practically feasible
     • Conclusion

  3. Cryptanalytic Attacks
     [Figure: the mathematical approach works from the input and output only; the physical approach works from the input, the output and the physical information channels of a cryptographic device (secret key inside).]
     Keep the proposed attack feasible

  4. Classification of Physical Attacks
     Classified by the direction of the information channel around a cryptographic device (secret key inside) whose input and output are known.
     • Passive attacks: non-invasive passive attacks (side-channel analysis) using time, power consumption, electromagnetic radiation
     • Active attacks: non-invasive active attacks (fault analysis), which inject computational faults

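  5. Differential Fault Analysis (DFA) on AES Encryption
     DFA is the most discussed fault analysis.
     [Figure: AES encrypts plaintext P to the correct ciphertext C; a fault in the intermediate value I gives a faulty ciphertext.]
     Attack procedure:
     • Make a key guess Kg.
     • AES decryption of the correct ciphertext under Kg gives the Kg-based correct intermediate value Ig.
     • AES decryption of the faulty ciphertext under Kg gives the Kg-based faulty intermediate value.
     • Check whether the two values match the fault model.
     Fault model: the space of the intermediate-value difference, e.g. a 1-byte random fault at a known byte position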

  6. Advanced Encryption Standard
     AES round operation: AK, SB, SR, MC
     • Substitution permutation network
     • Symmetric algorithm
     • 128-bit input block
     • 3 versions
       • 128-bit key (10 rounds)
       • 192-bit key (12 rounds)
       • 256-bit key (14 rounds)

  7. AES Key Schedule
     [Figure: key schedules of AES-128 (round keys K0 to K10) and AES-192 (round keys K0 to K12), each built with the function F.]

  8. AES Key Schedule
     [Figure: key schedule of AES-256 (round keys K0 to K14), built with the function F and Sub Word.]

  9. Fault Model in this presentation
     • Fault model: 1-byte random fault model
       • Random faulty value at a known byte position
       • 1 S-box calculation has a faulty result
     • Fault injection based on setup-time violation
       • Clock glitch
       • Less time for a certain clock cycle (round operation)

  10. DFA attacks on AES Variants
     The goal is the minimal number of fault injections that still keeps key recovery within a practical complexity.
     • DFA on AES-128 with 1 fault injection: CHES03, Africa09, WISTP11
     • DFA on AES-192 with 3 fault injections: FDTC11
     • DFA on AES-256 with 3 fault injections: FDTC11
     • DFA on AES-192 with 2 fault injections: improved a little from FDTC11
     • DFA on AES-256 with 2 fault injections: IEEE Trans. on Info. F&S

  11. DFA on AES-128
     [Figure: fault propagation through SB8, SR8, MC8, AK8, SB9, SR9, MC9, AK9, SB10, SR10 and AK10 to the ciphertext pair, annotated with 2^-8, 2^32, 2^8 and 2^128.]
     Without considering K9, we can reduce K10 space to 2^32

  12. DFA Attacks on AES-192 (simple attack, 3 faults)
     [Figure: three fault injections, each propagating through SB9, SR9, MC9, AK9, SB10, SR10, MC10, AK10, SB11, SR11, MC11, AK11, SB12, SR12 and AK12 to the ciphertext pairs for C1, C2 and C3.]
     Identify K12 first using (C1,C1 ) and (C1,C2 ), then recover K11

  13. DFA Attacks on AES-256 (simple attack, 3 faults)
     [Figure: three fault injections, each propagating through SB11, SR11, MC11, AK11, SB12, SR12, MC12, AK12, SB13, SR13, MC13, AK13, SB14, SR14 and AK14 to the ciphertext pairs for C1, C2 and C3.]
     Identify K14 first using (C1,C1 ) and (C1,C2 ), then recover K13

  14. Maybe 2 faults are enough for AES-192 and AES-256
     [Figure: the key-guess procedure again. A key guess Kg gives the Kg-based correct and faulty intermediate values by AES decryption, which are checked for a match against the space of the intermediate-value difference.]
     Satisfy zero-difference bytes in intermediate status
     Space of Kg:
     • AES 128: 128-bit → 8-bit
     • AES 192: 192-bit → 72-bit → 0 bit
     • AES 256: 256-bit → 136-bit → 16-bit
     Keep the proposed attack feasible!

  15. DFA Attacks on AES-192 (2 faults)
     [Figure: two fault injections, each propagating through SB9, SR9, MC9, AK9, SB10, SR10, MC10, AK10, SB11, SR11, MC11, AK11, SB12, SR12 and AK12 to the ciphertext pairs for C1 and C2.]
     1. Restrict K12 to 2^32

  16. Some property for AES-192 key Schedule
     [Figure: AES-192 key schedule around K10, K11 and K12, with the function F.]
     For AES-192:
     • K12 → left 2 columns of K11
     • K12 → right 1 column of K10

  17. DFA Attacks on AES-192 (2 faults)
     [Figure: two fault injections, each propagating through SB9, SR9, MC9, AK9, SB10, SR10, MC10, AK10, SB11, SR11, MC11, AK11, SB12, SR12 and AK12 to the ciphertext pairs for C1 and C2, with the path AK11, MC11, SR11, SB11, AK10, MC10 highlighted.]
     1. Restrict K12 to 2^32
     2. Given a K12 candidate, the leftmost 2 columns of K11 are fixed, and we have 5 more 2^-8 conditions to satisfy. So we can identify K12
     3. Identify the rest of K11

  18. DFA Attacks on AES-256 (2 faults)
     [Figure: two fault injections, each propagating through SB11, SR11, MC11, AK11, SB12, SR12, MC12, AK12, SB13, SR13, MC13, AK13, SB14, SR14 and AK14 to the ciphertext pairs for C1 and C2.]
     1. Restrict K14 to 2^32

  19. AES S-box Differential Table
     • For an AES S-box, given a pair of input/output difference, this difference exists with probability of about . If this difference pair exists, one can find 2 pairs of solutions.
     • Given N pairs of input/output difference, we can expect N real value solutions
     • Used in the inbound of Rebound Attack
     [Figure: Outbound, Inbound, Outbound.]

  20. Some property for AES-256 key Schedule
     [Figure: AES-256 key schedule around K12, K13 and K14, with the function F.]
     For AES-256: K12 right 3 columns of K12

  21. DFA Attacks on AES-256 (2 faults)
     [Figure: two fault injections, each propagating through SB11, SR11, MC11, AK11, SB12, SR12, MC12, AK12, SB13, SR13, MC13, AK13, SB14, SR14 and AK14 to the ciphertext pairs for C1 and C2, with the path SR13, SB13, AK12, MC12, SR12, SB12, AK11, MC11 highlighted.]
     1. Restrict K14 to 2^32
     2. Pick a K14, calculate the difference at SB13out, and restrict real values in each column to 2^8
     3. Then we know the rightmost 3 columns of K12, calculate the blue bytes in SB12in, and check 2 conditions of 2^-8. Space of SB13out is reduced to 2^16. Then K13 is reduced to 2^16
     (Complexity about 2^48, key recovery using FPGA takes 8 days to finish)

  22. Conclusion
     • In side-channel attacks, especially fault analysis, cryptanalysis techniques can help.
     • For AES-256, a DFA attack with two 1-byte random faults at known positions is feasible for strong attackers
     • Can we make DFA with faults at unknown positions feasible?

  23. Thank you for your attention!
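
The S-box differential table from slide 19, as an added example that is not part of the original presentation: it rebuilds the AES S-box from its definition and counts, for every input difference, how many inputs produce each output difference. All function names are this example's own.

```python
def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial 0x11B."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def build_sbox():
    """AES S-box: field inverse (0 maps to 0) followed by the affine map."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0)
        s = 0x63
        for shift in range(5):  # inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        sbox.append(s)
    return sbox


SBOX = build_sbox()


def ddt_row(din):
    """Table row: row[dout] = number of x with S(x) ^ S(x ^ din) == dout."""
    row = [0] * 256
    for x in range(256):
        row[SBOX[x] ^ SBOX[x ^ din]] += 1
    return row


def solutions(din, dout):
    """All inputs x whose pair (x, x ^ din) gives output difference dout."""
    return [x for x in range(256) if SBOX[x] ^ SBOX[x ^ din] == dout]


def summarize():
    """Return (fraction of possible pairs, mean solutions per nonzero pair)."""
    possible = total = 0
    for din in range(1, 256):
        row = ddt_row(din)
        possible += sum(1 for c in row[1:] if c)
        total += sum(row[1:])
    return possible / (255 * 255), total / (255 * 255)


if __name__ == "__main__":
    print("possible fraction, mean solutions:", summarize())
```

For every nonzero input difference, 127 of the 255 nonzero output differences are possible (126 with 2 solutions and one with 4), so a random difference pair has 256/255, about 1, solution on average.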
