Multi-Stage Fault Attacks

Size: px

Start display at page:

Download "Multi-Stage Fault Attacks"

Phebe Quinn
5 years ago
Views:

1 Multi-Stage Fault Attacks Applications to the Block Cipher PRINCE Philipp Jovanovic Department of Informatics and Mathematics University of Passau March 27, 2013

2 Outline 1. Motivation 2. The PRINCE Block Cipher 3. A Multi-Stage Fault Attack on PRINCE Multi-Stage Fault Attacks Philipp Jovanovic 2 / 33

3 Cryptology Cryptology Cryptography Cryptanalysis Figure: Overview on the field of cryptology. Multi-Stage Fault Attacks Philipp Jovanovic 3 / 33

4 Fields of Cryptanalysis abstract model Cryptanalysis physical device Classic Attacks active Implementation Attacks passive Brute Force Attacks Protocol Attacks Mathematical Analysis Fault Injection Reverse Engineering Side-Channel Analysis Figure: Overview on the different fields of cryptanalysis. Multi-Stage Fault Attacks Philipp Jovanovic 4 / 33

5 Implementation Attacks At a Glance... Multi-Stage Fault Attacks Philipp Jovanovic 5 / 33

6 Implementation Attacks At a Glance... Multi-Stage Fault Attacks Philipp Jovanovic 5 / 33

7 Implementation Attacks At a Glance... Figure: Multi-Stage Fault Attacks Philipp Jovanovic 5 / 33

8 Fields of Cryptanalysis abstract model Cryptanalysis physical device Classic Attacks active Implementation Attacks passive Brute Force Attacks Protocol Attacks Mathematical Analysis Fault Injection Reverse Engineering Side-Channel Analysis Figure: Overview on the different fields of cryptanalysis. Multi-Stage Fault Attacks Philipp Jovanovic 6 / 33

9 Fields of Cryptanalysis abstract model Cryptanalysis physical device Classic Attacks active Implementation Attacks passive Brute Force Attacks Protocol Attacks Mathematical Analysis Fault Injection Reverse Engineering Side-Channel Analysis Figure: Overview on the different fields of cryptanalysis. Multi-Stage Fault Attacks Philipp Jovanovic 6 / 33

10 Fault Attacks Characteristics First appearances in 1998 and By injecting faults into the electronical circuit, the attacker tries to extract secret informations from the latter (e.g. a key). Lead to powerful new attack techniques and chip manufacturers were forced to rethink their designs. E. Biham and A. Shamir, Differential Fault Analysis of Secret Key Cryptosystems, In: Burton S. Kaliski Jr. (ed.) CRYPTO 1997, LNCS, vol. 1294, Springer Heidelberg 1997, pp D. Boneh, R.A. Demillo, R.J. Lipton, On the Importance of Eliminating Errors in Cryptographic Computations, Journal of Cryptology 14 (2001), Multi-Stage Fault Attacks Philipp Jovanovic 7 / 33

11 Fault Attacks Characteristics First appearances in 1998 and By injecting faults into the electronical circuit, the attacker tries to extract secret informations from the latter (e.g. a key). Lead to powerful new attack techniques and chip manufacturers were forced to rethink their designs. E. Biham and A. Shamir, Differential Fault Analysis of Secret Key Cryptosystems, In: Burton S. Kaliski Jr. (ed.) CRYPTO 1997, LNCS, vol. 1294, Springer Heidelberg 1997, pp D. Boneh, R.A. Demillo, R.J. Lipton, On the Importance of Eliminating Errors in Cryptographic Computations, Journal of Cryptology 14 (2001), Multi-Stage Fault Attacks Philipp Jovanovic 7 / 33

Fault Attacks Characteristics First appearances in 1998 and 2001. By injecting faults into the electronical circuit, the attacker tries to extract secret informations from the latter (e.g. a key).

12 Fault Attacks Characteristics First appearances in 1998 and By injecting faults into the electronical circuit, the attacker tries to extract secret informations from the latter (e.g. a key). Lead to powerful new attack techniques and chip manufacturers were forced to rethink their designs. E. Biham and A. Shamir, Differential Fault Analysis of Secret Key Cryptosystems, In: Burton S. Kaliski Jr. (ed.) CRYPTO 1997, LNCS, vol. 1294, Springer Heidelberg 1997, pp D. Boneh, R.A. Demillo, R.J. Lipton, On the Importance of Eliminating Errors in Cryptographic Computations, Journal of Cryptology 14 (2001), Multi-Stage Fault Attacks Philipp Jovanovic 7 / 33

Fault Attacks Techniques to Induce Faults

Parasitic charge-carrier generation by a

13 Fault Attacks Techniques to Induce Faults Manipulation of the power-supply voltage to cause miscalculations. Manipulation of the circuit s clock. Parasitic charge-carrier generation by a laser beam. Figure: Multi-Stage Fault Attacks Philipp Jovanovic 8 / 33

14 Fault Attacks Some Attacks using Fault Injections C. Aumueller et al. Fault Attacks on RSA With CRT: Concrete Results and Practical Countermeasures, CHES M. Mohamed, S. Bulygin and J. Buchmann, Improved Differential Fault Analysis of Trivium, COSADE M.S. Pedro, M. Soos and S. Guilley, FIRE: Fault Injection for Reverse Engineering, In: C.A. Ardagana and J. Zhou (eds.) Security and Privacy of Mobile Devices in Wireless Communication Multi-Stage Fault Attacks Philipp Jovanovic 9 / 33

15 Overview 1. Motivation 2. The PRINCE Block Cipher 3. A Multi-Stage Fault Attack on PRINCE Multi-Stage Fault Attacks Philipp Jovanovic 10 / 33

16 Overview on Block Ciphers Definition Given a block size of n 1 bits and a key size of n 2 bits a block cipher is specified by an encryption function and a decryption function such that E : {0, 1} n 1 {0, 1} n 2 {0, 1} n 1, (m, k) c D : {0, 1} n 1 {0, 1} n 2 {0, 1} n 1, (c, k) m D k (E k (m)) = m for all plaintext messages m {0, 1} n 1 and all keys k {0, 1} n 2. Multi-Stage Fault Attacks Philipp Jovanovic 11 / 33

17 Overview on Block Ciphers Multi-Stage Fault Attacks Philipp Jovanovic 12 / 33

18 The PRINCE Block Cipher General Features Uses a 64-bit state and a 128-bit key. Based on the so-called FX construction. Core of the cipher is based on a Substitution-Permutation Network (SPN) and has 10 encryption rounds divided by a middle layer. Furthermore the core of PRINCE features the so-called α-reflection property. Due to this it holds that: where α = c0ac29b7c97c50dd. D (k0 k 0 )( ) = E (k 0 k 0 α)( ) This keeps the hardware costs low and produces only small overheads. (Applications: smart cards, sensor networks, "internet-of-things" etc.) J. Borghoff et al., PRINCE A Low-Latency Block Cipher for Pervasive Computing Applications, In: K. Sako and X. Wang (eds.) ASIACRYPT 2012, LNCS, vol. 7658, Springer Heidelberg 2012, pp Multi-Stage Fault Attacks Philipp Jovanovic 13 / 33

19 The PRINCE Block Cipher The 128-bit key k is split into two parts k 0 and of 64 bit each, k = k 0 and extended to 192 bits by the following mapping: (k 0 ) (k 0 k 0 ) := (k 0 (k 0 >>> 1) (k 0 >> 63) ) RC RC 1 0 RC 2 RC 3 RC 4 RC 5 RC 6 RC 7 RC 8 RC 9 RC 10 RC 11 x R 1 R 2 R 3 R 4 R 5 S M S -1 R -1 6 R -1 7 R -1 8 R -1 9 R y k 0 k 0 S M M -1 S -1 RCi k1 k1 RCj Figure: Layout of PRINCE. Multi-Stage Fault Attacks Philipp Jovanovic 14 / 33

20 Components of PRINCE RC RC 1 0 RC 2 RC 3 RC 4 RC 5 RC 6 RC 7 RC 8 RC 9 RC 10 RC 11 x R 1 R 2 R 3 R 4 R 5 S M S -1 R -1 6 R -1 7 R -1 8 R -1 9 R y k 0 k 0 S M M -1 S -1 RCi k1 k1 RCj k i -add: The 64-bit subkey k i is XORed to the state. S-Layer: All state nibbles are substituted using the 4-bit SBox below. x A B C D E F S[x] B F 3 2 A C E 5 D 4 Multi-Stage Fault Attacks Philipp Jovanovic 15 / 33

21 Components of PRINCE RC RC 1 0 RC 2 RC 3 RC 4 RC 5 RC 6 RC 7 RC 8 RC 9 RC 10 RC 11 x R 1 R 2 R 3 R 4 R 5 S M S -1 R -1 6 R -1 7 R -1 8 R -1 9 R y k 0 k 0 S M M -1 S -1 RCi k1 k1 RCj M / M -Layer: The 64-bit state is multiplied with a matrix M resp. M, where M = SR M and SR shifts row i of the state matrix cyclically to the left by i 1 nibbles. RC i -add: A 64-bit round constant is XORed to the state. i RC i , 13198a2e , a f31d efa98ec4e6c89, e638d01377, be5466cf34e90c6c 6 8 7ef84f78fd955cb1, f1ac43aa, c882d32f25323c a51195e0e3610d, d3b5a399ca0c2399, c0ac29b7c97c50dd Multi-Stage Fault Attacks Philipp Jovanovic 15 / 33

22 Overview 1. Motivation 2. The PRINCE Block Cipher 3. A Multi-Stage Fault Attack on PRINCE Multi-Stage Fault Attacks Philipp Jovanovic 16 / 33

23 What s a Multi-Stage Fault Attack? Outline Obtain one (or more) pair(s) of correct and faulty ciphertexts c and c. Use Differential Fault Analysis to examine the ciphertext pairs (c, c ) and obtain informations about the secret key k. Repeat the above scheme if the attacked block cipher uses multiple independent subkeys, i.e. if k = k 0 k n and the k i are not connected through a key schedule. Recall: PRINCE uses two independent subkeys. Multi-Stage Fault Attacks Philipp Jovanovic 17 / 33

24 What s a Multi-Stage Fault Attack? Outline Obtain one (or more) pair(s) of correct and faulty ciphertexts c and c. Use Differential Fault Analysis to examine the ciphertext pairs (c, c ) and obtain informations about the secret key k. Repeat the above scheme if the attacked block cipher uses multiple independent subkeys, i.e. if k = k 0 k n and the k i are not connected through a key schedule. Recall: PRINCE uses two independent subkeys. Multi-Stage Fault Attacks Philipp Jovanovic 17 / 33

25 What s a Multi-Stage Fault Attack? Outline Obtain one (or more) pair(s) of correct and faulty ciphertexts c and c. Use Differential Fault Analysis to examine the ciphertext pairs (c, c ) and obtain informations about the secret key k. Repeat the above scheme if the attacked block cipher uses multiple independent subkeys, i.e. if k = k 0 k n and the k i are not connected through a key schedule. Recall: PRINCE uses two independent subkeys. Multi-Stage Fault Attacks Philipp Jovanovic 17 / 33

26 What s a Multi-Stage Fault Attack? Outline Obtain one (or more) pair(s) of correct and faulty ciphertexts c and c. Use Differential Fault Analysis to examine the ciphertext pairs (c, c ) and obtain informations about the secret key k. Repeat the above scheme if the attacked block cipher uses multiple independent subkeys, i.e. if k = k 0 k n and the k i are not connected through a key schedule. Recall: PRINCE uses two independent subkeys. Multi-Stage Fault Attacks Philipp Jovanovic 17 / 33

27 Multi-Stage Fault Attacks More Questions How good does a fault injection need to be controllable by an attacker such that informations about the secret key can be derived? In other words: Can we use ciphertexts obtained from arbitrary faults or are there any requirements in order to produce useful faulty ciphertexts? What exactly is Differential Fault Analysis and how does it work in the case of PRINCE? Multi-Stage Fault Attacks Philipp Jovanovic 18 / 33

28 Multi-Stage Fault Attacks More Questions How good does a fault injection need to be controllable by an attacker such that informations about the secret key can be derived? In other words: Can we use ciphertexts obtained from arbitrary faults or are there any requirements in order to produce useful faulty ciphertexts? What exactly is Differential Fault Analysis and how does it work in the case of PRINCE? Multi-Stage Fault Attacks Philipp Jovanovic 18 / 33

29 Multi-Stage Fault Attacks More Questions How good does a fault injection need to be controllable by an attacker such that informations about the secret key can be derived? In other words: Can we use ciphertexts obtained from arbitrary faults or are there any requirements in order to produce useful faulty ciphertexts? What exactly is Differential Fault Analysis and how does it work in the case of PRINCE? Multi-Stage Fault Attacks Philipp Jovanovic 18 / 33

30 Requirements Capabilities of an Attacker Known Plaintext Attack: We assume that the attacker is able to generate an arbitrary number of plaintext, (faulty) ciphertext triples (m, c, c ). Kerckhoffs Principle or The enemy knows the system : The design of the cipher is known to the adversary. (No security by obscurity) Fault Models Temporal Resolution: Fault injection timing is controllable very precisely, i.e. injection after a specific operation of the cipher. Spatial Resolution: Injection effects a single nibble (4-bit value) of the whole state. The affected nibble itself is either known (model: RKF) or unknown (model: RUF). Effects: Injection changes the state nibble to a random and unknown 4-bit value. Multi-Stage Fault Attacks Philipp Jovanovic 19 / 33

31 Requirements Capabilities of an Attacker Known Plaintext Attack: We assume that the attacker is able to generate an arbitrary number of plaintext, (faulty) ciphertext triples (m, c, c ). Kerckhoffs Principle or The enemy knows the system : The design of the cipher is known to the adversary. (No security by obscurity) Fault Models Temporal Resolution: Fault injection timing is controllable very precisely, i.e. injection after a specific operation of the cipher. Spatial Resolution: Injection effects a single nibble (4-bit value) of the whole state. The affected nibble itself is either known (model: RKF) or unknown (model: RUF). Effects: Injection changes the state nibble to a random and unknown 4-bit value. Multi-Stage Fault Attacks Philipp Jovanovic 19 / 33

32 A Multi-Stage Fault Attack on PRINCE Where to Inject Faults? RC RC 1 0 RC 2 RC 3 RC 4 RC 5 RC 6 RC 7 RC 8 RC 9 RC 10 RC 11 x R 1 R 2 R 3 R 4 R 5 S M S -1 R -1 6 R -1 7 R -1 8 R -1 9 R y k 0 k 0 S M M -1 S -1 RCi k1 k1 RCj Multi-Stage Fault Attacks Philipp Jovanovic 20 / 33

33 A Multi-Stage Fault Attack on PRINCE Attack Stage 0 RC RC 1 0 RC 2 RC 3 RC 4 RC 5 RC 6 RC 7 RC 8 RC 9 RC 10 RC 11 x R 1 R 2 R 3 R 4 R 5 S M S -1 R -1 6 R -1 7 R -1 8 R -1 9 R y k 0 k 0 S M M -1 S -1 RCi k1 k1 RCj Inject fault in R 1 9. Analyse fault propagation and ciphertext pairs. Obtain informations on k 0. Multi-Stage Fault Attacks Philipp Jovanovic 21 / 33

34 A Multi-Stage Fault Attack on PRINCE Attack Stage 1 RC RC 1 0 RC 2 RC 3 RC 4 RC 5 RC 6 RC 7 RC 8 RC 9 RC 10 RC 11 x R 1 R 2 R 3 R 4 R 5 S M S -1 R -1 6 R -1 7 R -1 8 R -1 9 R y k 0 k 0 S M M -1 S -1 RCi k1 k1 RCj Inject fault in R 1 8. Analyse fault propagation and ciphertext pairs. Obtain informations on. Multi-Stage Fault Attacks Philipp Jovanovic 22 / 33

35 Requirements Definition Let a = b 0 b 1 b 2 b 3 be a 4-bit value and let j {0,..., 3}. Then we define the map: ϕ : B 4 {0,..., 3} B 4, (a, j) ϕ j (a) where ϕ j (a) is equal to a but with the j-th bit b j set to 0. Bit Pattern j ϕ j (a) 0 0 b 1 b 2 b 3 1 b 0 0 b 2 b 3 2 b 0 b 1 0 b 3 3 b 0 b 1 b 2 0 Multi-Stage Fault Attacks Philipp Jovanovic 23 / 33

36 Requirements Definition Let a = b 0 b 1 b 2 b 3 be a 4-bit value and let j {0,..., 3}. Then we define the map: ϕ : B 4 {0,..., 3} B 4, (a, j) ϕ j (a) where ϕ j (a) is equal to a but with the j-th bit b j set to 0. Bit Pattern j ϕ j (a) 0 0 b 1 b 2 b 3 1 b 0 0 b 2 b 3 2 b 0 b 1 0 b 3 3 b 0 b 1 b 2 0 Multi-Stage Fault Attacks Philipp Jovanovic 23 / 33

37 A Multi-Stage Fault Attack on PRINCE Fault Propagation over 2 Rounds RC i r f f ϕ(f) 0 ϕ(f) 2 ϕ(f) 3 RC i+1 r + 1 SR -1 M ϕ(f) S -1, 1 x w y z w ϕ(w) ϕ(x) ϕ(y) ϕ(z) SR -1 x M ϕ(w) ϕ(x) ϕ(y) ϕ(z) S -1, y ϕ(w) ϕ(x) ϕ(y) ϕ(z) RC i+2 z ϕ(w) ϕ(x) ϕ(y) ϕ(z) Multi-Stage Fault Attacks Philipp Jovanovic 24 / 33

38 Differential Fault Analysis Fault Equations Let v i, v i, k i and q i be variables. We substitute the nibbles of correct and faulty ciphertexts (intermediate states) for v i and v i, key nibbles for k i and round constant nibbles for q i. E i : SBox(v i k i q i ) SBox(v i k i q i ) = ϕ ji (w), i {0,..., 3} ϕ ji (x), i {4,..., 7} ϕ ji (y), i {8,..., 11} ϕ ji (z), i {12,..., 15} (0, 1, 2, 3, 2, 3, 0, 1, 3, 0, 1, 2, 3, 0, 1, 2), l {0, 7, 10, 13} (3, 0, 1, 2, 1, 2, 3, 0, 2, 3, 0, 1, 2, 3, 0, 1), l {1, 4, 11, 14} (j i ) i=0,...,15 = (2, 3, 0, 1, 0, 1, 2, 3, 1, 2, 3, 0, 1, 2, 3, 0), l {2, 5, 8, 15} (1, 2, 3, 0, 3, 0, 1, 2, 0, 1, 2, 3, 0, 1, 2, 3), l {3, 6, 8, 12} Multi-Stage Fault Attacks Philipp Jovanovic 25 / 33

39 Differential Fault Analysis Definition For every fault eqaution E i we introduce a key nibble candidate set S i with S i = {(t, u) t, u B 4 } for i {0,..., 15}. Furthermore let S = (S i ) i=0,...,15. DFA Algorithm: Input: (c, c ) (intermediate state (v, v ) for the 2nd stage) Output: Set S containing candidates for k 0 (or for the 2nd stage) return outer_filtering(inner_filtering(evaluation(c, c ))) Multi-Stage Fault Attacks Philipp Jovanovic 26 / 33

40 Differential Fault Analysis RC i r f f ϕ(f) 0 ϕ(f) 2 ϕ(f) 3 RC i+1 r + 1 SR -1 M ϕ(f) S -1, 1 x w y z w ϕ(w) ϕ(x) ϕ(y) ϕ(z) SR -1 x M ϕ(w) ϕ(x) ϕ(y) ϕ(z) S -1, y ϕ(w) ϕ(x) ϕ(y) ϕ(z) RC i+2 z ϕ(w) ϕ(x) ϕ(y) ϕ(z) Overview on the Single Steps evaluation: Compute E i (u) = t for all u B 4 and save the result (u, t) to the set S i. inner_filtering: Discard all tuples (u, t) from S i where t doesn t match the pattern ϕ ji associated with E i. outer_filtering: Exploit the fact that the elements of the sets S 4 m,..., S 4 m+3 are derived from a commen preimage to discard even more invalid tuples (u, t). Multi-Stage Fault Attacks Philipp Jovanovic 27 / 33

41 Differential Fault Analysis RC i r f f ϕ(f) 0 ϕ(f) 2 ϕ(f) 3 RC i+1 r + 1 SR -1 M ϕ(f) S -1, 1 x w y z w ϕ(w) ϕ(x) ϕ(y) ϕ(z) SR -1 x M ϕ(w) ϕ(x) ϕ(y) ϕ(z) S -1, y ϕ(w) ϕ(x) ϕ(y) ϕ(z) RC i+2 z ϕ(w) ϕ(x) ϕ(y) ϕ(z) Overview on the Single Steps evaluation: Compute E i (u) = t for all u B 4 and save the result (u, t) to the set S i. inner_filtering: Discard all tuples (u, t) from S i where t doesn t match the pattern ϕ ji associated with E i. outer_filtering: Exploit the fact that the elements of the sets S 4 m,..., S 4 m+3 are derived from a commen preimage to discard even more invalid tuples (u, t). Multi-Stage Fault Attacks Philipp Jovanovic 27 / 33

42 Differential Fault Analysis RC i r f f ϕ(f) 0 ϕ(f) 2 ϕ(f) 3 RC i+1 r + 1 SR -1 M ϕ(f) S -1, 1 x w y z w ϕ(w) ϕ(x) ϕ(y) ϕ(z) SR -1 x M ϕ(w) ϕ(x) ϕ(y) ϕ(z) S -1, y ϕ(w) ϕ(x) ϕ(y) ϕ(z) RC i+2 z ϕ(w) ϕ(x) ϕ(y) ϕ(z) Overview on the Single Steps evaluation: Compute E i (u) = t for all u B 4 and save the result (u, t) to the set S i. inner_filtering: Discard all tuples (u, t) from S i where t doesn t match the pattern ϕ ji associated with E i. outer_filtering: Exploit the fact that the elements of the sets S 4 m,..., S 4 m+3 are derived from a commen preimage to discard even more invalid tuples (u, t). Multi-Stage Fault Attacks Philipp Jovanovic 27 / 33

43 A Fault Attack on PRINCE Example Assume we have the following setup: k = ABCDEF ABCDEF m = ABCDEF c = 0A72342A c = 21A19DCD 25D7433C The faulty ciphertext c was obtained by injecting the error value e = 0xC into nibble s 0 of the state at the beginning of round R 1 9. Multi-Stage Fault Attacks Philipp Jovanovic 28 / 33

44 A Fault Attack on PRINCE As a reminder we list again the possible index pattern below. j ϕ j (a) 0 0 b 1 b 2 b 3 1 b 0 0 b 2 b 3 2 b 0 b 1 0 b 3 3 b 0 b 1 b 2 0 Table: Distribution of key nibbles after evaluation (1st column)... S i A B C D E F #S #S #S #S Apply the same technique to the other sets S 4,..., S 15. As a result there remain only 2 20 = from the initial 2 64 candidates for k 0. Multi-Stage Fault Attacks Philipp Jovanovic 29 / 33

45 A Fault Attack on PRINCE As a reminder we list again the possible index pattern below. j ϕ j (a) 0 0 b 1 b 2 b 3 1 b 0 0 b 2 b 3 2 b 0 b 1 0 b 3 3 b 0 b 1 b 2 0 Table:... after inner_filtering... S i A B C D E F #S #S #S #S Apply the same technique to the other sets S 4,..., S 15. As a result there remain only 2 20 = from the initial 2 64 candidates for k 0. Multi-Stage Fault Attacks Philipp Jovanovic 29 / 33

46 A Fault Attack on PRINCE As a reminder we list again the possible index pattern below. j ϕ j (a) 0 0 b 1 b 2 b 3 1 b 0 0 b 2 b 3 2 b 0 b 1 0 b 3 3 b 0 b 1 b 2 0 Table:... and after outer_filtering. S i A B C D E F #S #S #S #S Apply the same technique to the other sets S 4,..., S 15. As a result there remain only 2 20 = from the initial 2 64 candidates for k 0. Multi-Stage Fault Attacks Philipp Jovanovic 29 / 33

47 A Fault Attack on PRINCE Fault 2 Faults 3 Faults 4 Faults Fault 2 Faults 3 Faults 4 Faults Size of keyspace: 2 n Size of keyspace: 2 n Figure: Experimental results for stage 0 (left) and stage 1 (right). The data was obtained through runs of the attack using fault model RUF. Multi-Stage Fault Attacks Philipp Jovanovic 30 / 33

48 A Fault Attack on PRINCE Table: Statistics for k 0 and candidates after stage 0 and 1. stage 0 stage 1 # keys / # faults min max avg median Summary: In order to reconstruct the complete 128-bit key k 0 it is sufficient to inject approximately 3 4 faults. Multi-Stage Fault Attacks Philipp Jovanovic 31 / 33

49 Outlook Q: Can we apply Multi-Stage Fault Attacks to other ciphers? A: Yes, indeed we can! We constructed an algorithm that can be used to analyse (SPN) block ciphers having independent subkeys using Multi-Stage Fault Attacks. Showed applications to PRINCE (this talk) and LED-128. To appear soon. (hopefully :-) Multi-Stage Fault Attacks Philipp Jovanovic 32 / 33

50 Outlook Q: Can we apply Multi-Stage Fault Attacks to other ciphers? A: Yes, indeed we can! We constructed an algorithm that can be used to analyse (SPN) block ciphers having independent subkeys using Multi-Stage Fault Attacks. Showed applications to PRINCE (this talk) and LED-128. To appear soon. (hopefully :-) Multi-Stage Fault Attacks Philipp Jovanovic 32 / 33

51 Outlook Q: Can we apply Multi-Stage Fault Attacks to other ciphers? A: Yes, indeed we can! We constructed an algorithm that can be used to analyse (SPN) block ciphers having independent subkeys using Multi-Stage Fault Attacks. Showed applications to PRINCE (this talk) and LED-128. To appear soon. (hopefully :-) Multi-Stage Fault Attacks Philipp Jovanovic 32 / 33

52 Outlook Q: Can we apply Multi-Stage Fault Attacks to other ciphers? A: Yes, indeed we can! We constructed an algorithm that can be used to analyse (SPN) block ciphers having independent subkeys using Multi-Stage Fault Attacks. Showed applications to PRINCE (this talk) and LED-128. To appear soon. (hopefully :-) Multi-Stage Fault Attacks Philipp Jovanovic 32 / 33

53 Outlook Q: Can we apply Multi-Stage Fault Attacks to other ciphers? A: Yes, indeed we can! We constructed an algorithm that can be used to analyse (SPN) block ciphers having independent subkeys using Multi-Stage Fault Attacks. Showed applications to PRINCE (this talk) and LED-128. To appear soon. (hopefully :-) Multi-Stage Fault Attacks Philipp Jovanovic 32 / 33

54 Fin Thank you for your attention! Multi-Stage Fault Attacks Philipp Jovanovic 33 / 33

Parametric Trojans for Fault-Injection Attacks on Cryptographic Hardware

Parametric Trojans for Fault-Injection Attacks on Cryptographic Hardware Raghavan Kumar $, Philipp Jovanovic e, Wayne Burleson $ and Ilia Polian e $ University of Massachusetts Amherst, 2, USA e University