Explaining Differential Fault Analysis on DES. Christophe Clavier Michael Tunstall

Explaining Differential Fault Analysis on DES
Christophe Clavier, Michael Tunstall
5/18/2006

References 2 Bull & Innovatron Patents

Fault Injection Equipment: Laser

Fault Injection Equipment: CLIO Glitch Injector

Where to inject a fault?

Looking Closer

[Figure: 2nd round and 3rd round, annotated with Key Shift, PC2 (8 patterns), E Perm & Xor (8 patterns), S-Boxes, P Perm (4 patterns), Key Shift, Key Shift.]

Notation

16 rounds, each transforming two 32-bit variables.
$[L_0, R_0]$: plaintext
$[L_{16}, R_{16}]$: ciphertext
Bitwise permutations are not always considered.

DES-Fifteenth Round

DES last round structure

Transformation of $[L_{15}, R_{15}]$ to $[L_{16}, R_{16}]$ using $K_{16}$:

$L_{16} = R_{15}$
$R_{16} = S(R_{15} \oplus K_{16}) \oplus L_{15}$

[Diagram: last round, with L15, R15, K16, S-Box, L16 and R16.]

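Fault Injection in 15th round

If $R_{15}$ is changed to $R_{15}'$, without changing $L_{15}$,

$L_{16} = R_{15}$
$R_{16} = S(R_{15} \oplus K_{16}) \oplus L_{15}$

then

$L_{16}' = R_{15}'$
$R_{16}' = S(R_{15}' \oplus K_{16}) \oplus L_{15}$

where $S(x)$ is the S-box function.

$R_{16} \oplus R_{16}' = S(R_{15} \oplus K_{16}) \oplus L_{15} \oplus S(R_{15}' \oplus K_{16}) \oplus L_{15} = S(R_{15} \oplus K_{16}) \oplus S(R_{15}' \oplus K_{16})$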

Differential Fault Analysis

For each S-box ($S_i$), $i \in [1..8]$, verify the following relation:

Gives a list of possible key values: $2^{32}$.
Leads to an exhaustive search.

[Diagram: K16 with L16 and L16' entering two copies of Si (6 bits in, 4 bits out), compared against R16 and R16'.]

Predicting the Key Space

Why $2^{32}$?

The number of hypotheses given for each six bits of the key can be found using the tables described in "Differential Cryptanalysis of DES-like Cryptosystems" by Biham and Shamir.

{ 64, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 },
{ 0, 0, 0, 6, 0, 2, 4, 4, 0, 10, 12, 4, 10, 6, 2, 4 },
{ 0, 0, 0, 8, 0, 4, 4, 4, 0, 6, 8, 6, 12, 6, 4, 2 },
{ 14, 4, 2, 2, 10, 6, 4, 2, 6, 4, 4, 0, 2, 2, 2, 0 },
{ 0, 0, 0, 6, 0, 10, 10, 6, 0, 4, 6, 4, 2, 8, 6, 2 },
{ 4, 8, 6, 2, 2, 4, 4, 2, 0, 4, 4, 0, 12, 2, 4, 6 },
{ 0, 4, 2, 4, 8, 2, 6, 2, 8, 4, 4, 2, 4, 2, 0, 12 },
{ 2, 4, 10, 4, 0, 4, 8, 4, 2, 4, 8, 2, 2, 2, 4, 4 },
{ 0, 0, 0, 12, 0, 8, 8, 4, 0, 6, 2, 8, 8, 2, 2, 4 },
{ 10, 2, 4, 0, 2, 4, 6, 0, 2, 2, 8, 0, 10, 0, 2, 12 },
{ 0, 8, 6, 2, 2, 8, 6, 0, 6, 4, 6, 0, 4, 0, 2, 10 },
{ 2, 4, 0, 10, 2, 2, 4, 0, 2, 6, 2, 6, 6, 4, 2, 12 },
{ 0, 0, 0, 8, 0, 6, 6, 0, 0, 6, 6, 4, 6, 6, 14, 2 },
{ 6, 6, 4, 8, 4, 8, 2, 6, 0, 6, 4, 6, 0, 2, 0, 2 },
{ 0, 4, 8, 8, 6, 6, 4, 0, 6, 6, 4, 0, 0, 4, 0, 8 },
{ 2, 0, 2, 4, 4, 6, 4, 2, 4, 8, 2, 2, 2, 6, 8, 8 },
...

Predicting the Key Space

For each s-box the expected number of hypotheses can be calculated:

The predicted key space is the product of all the averages = $2^{24}$.
Eight bits are not included in this key and need to be added = $2^{32}$.

Intersecting Keyspaces

With numerous faulty ciphertexts the key will be in the intersection of all the key spaces, e.g. two faulty ciphertexts leading to $2^{14}$.

A Real Example

[Screenshot: plaintext file and ciphertext file, showing the correct ciphertext and the faulty ciphertexts.]


A Real Example

Searches of $2^{48}$ and $2^{25}$ for the different faulty ciphertexts.
The intersection can be taken, giving a search of around $2^{20}$ for the entire DES key.

DES Other Rounds

Differential Fault Analysis

Why does this work?

Because for each s-box
For two unrelated ciphertexts then with probability 1/16, for each s-box. Hypotheses are uniformly distributed.
If a fault in a round towards the end of a DES then with probability p.

[Diagram: last round, with L15, R15, K16, S-Box, L16 and R16.]

1 Bit Faults: Round 15

A 1 bit fault in R15 gives differentials over 1 or 2 s-boxes.
Several samples will allow the key to be derived as before.

[Diagram: last round, with L15, R15, K16, S-Box, L16 and R16.]

1 Bit Faults: Round 14

A 1 bit fault in R14 will also change one bit in L15.
For 7 of the 8 s-boxes,
For each s-box: P( ) = 7/8
This probability will approach 1/16 the further into the algorithm the fault is injected.

[Diagram: rounds 15 and 16, with L14, R14, K15, S-Box, L15, R15, K16, S-Box, L16 and R16.]

Differential Fault Analysis

The keyspace is generated in exactly the same way as for a fifteenth round fault.
There is no intersection of all the keyspaces generated, so a system of votes is conducted.
The red area has the highest chance of being the key.

[Diagram: overlapping keyspaces for C1, C2, C3, C4, C5 and C6, with the region of greatest overlap in red.]

Differential Fault Analysis

The number of faulty ciphertexts required increases the further away from the end of the DES the fault is, and with the number of bits modified.

Theoretical results with 1 bit faults:
Easy until round 11 (less than 1000 ciphertexts).
Round 10 requires several million ciphertexts.
Round 9? Attempt with tens of millions failed.

A Simulated Example

[Screenshot: ciphertext file and faulty ciphertext file.]

A Simulated Example

00 : 7 5 8 4 7 4 6 7
01 : 7 3 7 4 7 4 5 7
02 : 7 5 8 4 6 5 6 6
03 : 7 4 8 5 7 5 6 8
04 : 6 5 7 5 7 5 5 7
05 : 5 5 8 4 7 4 6 5
06 : 6 5 8 4 7 6 5 6
07 : 6 5 8 4 7 5 6 8
08 : 7 4 7 5 7 4 5 8
09 : 6 5 2 5 7 4 5 6
0a : 7 5 8 5 7 6 5 6
0b : 6 5 7 5 7 6 6 8
0c : 6 0 6 5 7 5 6 8
0d : 0 3 7 5 7 5 6 2
0e : 6 3 7 4 7 4 6 7
0f : 6 3 8 2 7 5 6 7
10 : 6 5 8 5 2 6 5 7
11 : 7 4 8 5 6 5 6 8
12 : 7 5 8 5 4 5 5 8
13 : 7 5 8 5 6 3 6 7
14 : 7 5 7 4 5 6 6 8
...

Actual subkey: 0D 0C 09 34 10 38 3A 0D

Gaining Extra Rounds

Any fault in $R_n$ will have an equivalent fault in $L_{n-1}$.
$L_{n-1}$ is static, therefore need to target the copying of $R_{n-2}$.
Implementation specific.
Several million faults in 8th round.
Less than a thousand in the 9th.
Advanced Simple Power Analysis.

[Diagram: last two rounds, with L n-2, R n-2, K n-1, S-Box, L n-1, R n-1, K n, S-Box, L n and R n.]

3DES

Differential Fault Analysis

If injecting faults in the last and middle DES (the fifteenth round of each):
$C$: correct ciphertext.
$C_1$: ciphertext with fault in fifteenth round of the last DES.
$C_2$: ciphertext with fault in fifteenth round of the middle DES.

For each key hypothesis generated for K1, a keyspace can be generated and searched for K2.

[Diagram: $(C, C_1)$ gives the K1 keyspace; each hypothesis $kh_1$, $kh_2$, ... in it gives a pair $(DES^{-1}(kh_1, C), DES^{-1}(kh_1, C_2))$, $(DES^{-1}(kh_2, C), DES^{-1}(kh_2, C_2))$, ... and each pair gives a K2 keyspace.]

Differential Fault Analysis

Each hypothesis for K1 produces $2^{32}$ hypotheses for K2, so the total number of keys (K1, K2) that need to be searched is:

$2^{32} \times 2^{32} = 2^{64}$

This can be improved upon with more acquisitions. With two faulty ciphertexts from each DES:

$2^{14} \times 2^{14} = 2^{28}$

This can still be improved upon.

Differential Fault Analysis

If a given key hypothesis ($kh_i$) contains K1 then

$(DES^{-1}(kh_i, C), DES^{-1}(kh_i, C_2))$

will contain K2, and the differentials generated across each s-box in the last round will be distributed on:

Impossible Differentials

Again using the table described in "Differential Cryptanalysis of DES-like Cryptosystems" by Biham and Shamir:

{ 64, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 },
{ 0, 0, 0, 6, 0, 2, 4, 4, 0, 10, 12, 4, 10, 6, 2, 4 },
{ 0, 0, 0, 8, 0, 4, 4, 4, 0, 6, 8, 6, 12, 6, 4, 2 },
{ 14, 4, 2, 2, 10, 6, 4, 2, 6, 4, 4, 0, 2, 2, 2, 0 },
{ 0, 0, 0, 6, 0, 10, 10, 6, 0, 4, 6, 4, 2, 8, 6, 2 },
{ 4, 8, 6, 2, 2, 4, 4, 2, 0, 4, 4, 0, 12, 2, 4, 6 },
{ 0, 4, 2, 4, 8, 2, 6, 2, 8, 4, 4, 2, 4, 2, 0, 12 },
{ 2, 4, 10, 4, 0, 4, 8, 4, 2, 4, 8, 2, 2, 2, 4, 4 },
{ 0, 0, 0, 12, 0, 8, 8, 4, 0, 6, 2, 8, 8, 2, 2, 4 },
{ 10, 2, 4, 0, 2, 4, 6, 0, 2, 2, 8, 0, 10, 0, 2, 12 },
{ 0, 8, 6, 2, 2, 8, 6, 0, 6, 4, 6, 0, 4, 0, 2, 10 },
{ 2, 4, 0, 10, 2, 2, 4, 0, 2, 6, 2, 6, 6, 4, 2, 12 },
{ 0, 0, 0, 8, 0, 6, 6, 0, 0, 6, 6, 4, 6, 6, 14, 2 },
{ 6, 6, 4, 8, 4, 8, 2, 6, 0, 6, 4, 6, 0, 2, 0, 2 },
{ 0, 4, 8, 8, 6, 6, 4, 0, 6, 6, 4, 0, 0, 4, 0, 8 },
{ 2, 0, 2, 4, 4, 6, 4, 2, 4, 8, 2, 2, 2, 6, 8, 8 },
...

Impossible Differentials

If a given key hypothesis ($kh_i$) does not contain K1 then

$(DES^{-1}(kh_i, C), DES^{-1}(kh_i, C_2))$

will not contain K2, and the differentials generated across each s-box will be uniformly distributed over, i.e. they will be random values:


Impossible Differentials

If, for a given s-box, a differential is produced that has a frequency of zero, it is an impossible differential.

If an impossible differential occurs then the pair

$(DES^{-1}(kh_i, C), DES^{-1}(kh_i, C_2))$

is invalid (i.e. K1 is wrong) and can be discarded, avoiding a search of $2^{32}$ keys.

Predicting the Key Space

Looking at the fraction of zeros in the differentials:

S-box 0 : Fraction non-zero = 0.79
S-box 1 : Fraction non-zero = 0.78
S-box 2 : Fraction non-zero = 0.79
S-box 3 : Fraction non-zero = 0.68
S-box 4 : Fraction non-zero = 0.76
S-box 5 : Fraction non-zero = 0.80
S-box 6 : Fraction non-zero = 0.77
S-box 7 : Fraction non-zero = 0.77

P(all differentials are non-zero | K1 is false) = 0.119
P(can discard hypotheses | K1 is false) = 1 - 0.119 = 0.8806

Differential Fault Analysis

As each hypothesis for K1 produces $2^{32}$ hypotheses for K2, the total number of keys (K1, K2) that need to be searched is:

$2^{32} \times (2^{32} \times 0.119) = 2^{32} \times 2^{29} = 2^{61}$

This can be improved upon with more acquisitions. With two faulty ciphertexts from each DES:

$2^{14} \times (2^{14} \times 0.119^2) = 2^{14} \times 2^{8} = 2^{22}$

The same argument can be applied to a 3DES using three different keys.
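
The per-S-box bookkeeping behind "Predicting the Key Space", "Intersecting Keyspaces" and "Impossible Differentials", as an added example that is not part of the original slides. It works on S-box S1 alone: it rebuilds the distribution table, lists the 6-bit subkey hypotheses consistent with one correct/faulty pair, intersects the lists from several pairs, and tests for a zero-frequency differential. K_TRUE, PAIRS and all function names are constructed for illustration.

```python
# Added illustration, not code from the slides. K_TRUE and PAIRS are constructed values.
S1 = [  # DES S-box S1
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]
K_TRUE = 0x0D                                        # constructed 6-bit subkey chunk
PAIRS = [(0x21, 0x25), (0x12, 0x32), (0x07, 0x3A)]   # constructed (correct, faulty) inputs


def sbox(x):
    """6-bit input to 4-bit output: outer bits select the row, inner four the column."""
    return S1[((x >> 4) & 2) | (x & 1)][(x >> 1) & 0xF]


def ddt():
    """t[din][dout] = number of inputs x with S(x) ^ S(x ^ din) == dout."""
    t = [[0] * 16 for _ in range(64)]
    for din in range(64):
        for x in range(64):
            t[din][sbox(x) ^ sbox(x ^ din)] += 1
    return t


def key_hypotheses(e, e_faulty, dout):
    """Subkey chunks k for which the pair (e, e_faulty) yields output difference dout."""
    return {k for k in range(64) if sbox(e ^ k) ^ sbox(e_faulty ^ k) == dout}


def is_impossible(din, dout, table):
    """A differential with frequency zero can never come from a correct key guess."""
    return table[din][dout] == 0


def fraction_possible(table):
    """Share of non-zero entries over the non-zero input differences."""
    cells = [c for row in table[1:] for c in row]
    return sum(1 for c in cells if c) / len(cells)


def intersect_keyspaces(pairs=PAIRS, k=K_TRUE):
    """Simulate the observed differences under k, then intersect the hypothesis sets."""
    spaces = [key_hypotheses(e, ef, sbox(e ^ k) ^ sbox(ef ^ k)) for e, ef in pairs]
    return spaces, set.intersection(*spaces)


if __name__ == "__main__":
    table = ddt()
    spaces, common = intersect_keyspaces()
    print("hypotheses per pair:", [len(s) for s in spaces])
    print("intersection:", sorted(hex(k) for k in common))
    print("fraction possible (S1):", round(fraction_possible(table), 2))
```

The size of each hypothesis list equals the table entry for that pair's input and output difference, which is why the slides can predict the keyspace from the table alone.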

Conclusion

Conclusions

Differential Fault Analysis could be expected to be as powerful as Differential Cryptanalysis.
However, less data is generally available, i.e. it takes a certain effort to inject a fault.
Lack of control of the message (fault) can be problematic.

Countermeasures are well known:
Round/Algorithm Redundancy.
Variable Redundancy.
Random Delays.

Questions?