Multi-Stage Fault Attacks
|
|
- Phebe Quinn
- 5 years ago
- Views:
Transcription
1 Multi-Stage Fault Attacks Applications to the Block Cipher PRINCE Philipp Jovanovic Department of Informatics and Mathematics University of Passau March 27, 2013
2 Outline 1. Motivation 2. The PRINCE Block Cipher 3. A Multi-Stage Fault Attack on PRINCE Multi-Stage Fault Attacks Philipp Jovanovic 2 / 33
3 Cryptology Cryptology Cryptography Cryptanalysis Figure: Overview on the field of cryptology. Multi-Stage Fault Attacks Philipp Jovanovic 3 / 33
4 Fields of Cryptanalysis abstract model Cryptanalysis physical device Classic Attacks active Implementation Attacks passive Brute Force Attacks Protocol Attacks Mathematical Analysis Fault Injection Reverse Engineering Side-Channel Analysis Figure: Overview on the different fields of cryptanalysis. Multi-Stage Fault Attacks Philipp Jovanovic 4 / 33
5 Implementation Attacks At a Glance... Multi-Stage Fault Attacks Philipp Jovanovic 5 / 33
6 Implementation Attacks At a Glance... Multi-Stage Fault Attacks Philipp Jovanovic 5 / 33
7 Implementation Attacks At a Glance... Figure: Multi-Stage Fault Attacks Philipp Jovanovic 5 / 33
8 Fields of Cryptanalysis abstract model Cryptanalysis physical device Classic Attacks active Implementation Attacks passive Brute Force Attacks Protocol Attacks Mathematical Analysis Fault Injection Reverse Engineering Side-Channel Analysis Figure: Overview on the different fields of cryptanalysis. Multi-Stage Fault Attacks Philipp Jovanovic 6 / 33
9 Fields of Cryptanalysis abstract model Cryptanalysis physical device Classic Attacks active Implementation Attacks passive Brute Force Attacks Protocol Attacks Mathematical Analysis Fault Injection Reverse Engineering Side-Channel Analysis Figure: Overview on the different fields of cryptanalysis. Multi-Stage Fault Attacks Philipp Jovanovic 6 / 33
10 Fault Attacks Characteristics First appearances in 1998 and By injecting faults into the electronical circuit, the attacker tries to extract secret informations from the latter (e.g. a key). Lead to powerful new attack techniques and chip manufacturers were forced to rethink their designs. E. Biham and A. Shamir, Differential Fault Analysis of Secret Key Cryptosystems, In: Burton S. Kaliski Jr. (ed.) CRYPTO 1997, LNCS, vol. 1294, Springer Heidelberg 1997, pp D. Boneh, R.A. Demillo, R.J. Lipton, On the Importance of Eliminating Errors in Cryptographic Computations, Journal of Cryptology 14 (2001), Multi-Stage Fault Attacks Philipp Jovanovic 7 / 33
11 Fault Attacks Characteristics First appearances in 1998 and By injecting faults into the electronical circuit, the attacker tries to extract secret informations from the latter (e.g. a key). Lead to powerful new attack techniques and chip manufacturers were forced to rethink their designs. E. Biham and A. Shamir, Differential Fault Analysis of Secret Key Cryptosystems, In: Burton S. Kaliski Jr. (ed.) CRYPTO 1997, LNCS, vol. 1294, Springer Heidelberg 1997, pp D. Boneh, R.A. Demillo, R.J. Lipton, On the Importance of Eliminating Errors in Cryptographic Computations, Journal of Cryptology 14 (2001), Multi-Stage Fault Attacks Philipp Jovanovic 7 / 33
12 Fault Attacks Characteristics First appearances in 1998 and By injecting faults into the electronical circuit, the attacker tries to extract secret informations from the latter (e.g. a key). Lead to powerful new attack techniques and chip manufacturers were forced to rethink their designs. E. Biham and A. Shamir, Differential Fault Analysis of Secret Key Cryptosystems, In: Burton S. Kaliski Jr. (ed.) CRYPTO 1997, LNCS, vol. 1294, Springer Heidelberg 1997, pp D. Boneh, R.A. Demillo, R.J. Lipton, On the Importance of Eliminating Errors in Cryptographic Computations, Journal of Cryptology 14 (2001), Multi-Stage Fault Attacks Philipp Jovanovic 7 / 33
13 Fault Attacks Techniques to Induce Faults Manipulation of the power-supply voltage to cause miscalculations. Manipulation of the circuit s clock. Parasitic charge-carrier generation by a laser beam. Figure: Multi-Stage Fault Attacks Philipp Jovanovic 8 / 33
14 Fault Attacks Some Attacks using Fault Injections C. Aumueller et al. Fault Attacks on RSA With CRT: Concrete Results and Practical Countermeasures, CHES M. Mohamed, S. Bulygin and J. Buchmann, Improved Differential Fault Analysis of Trivium, COSADE M.S. Pedro, M. Soos and S. Guilley, FIRE: Fault Injection for Reverse Engineering, In: C.A. Ardagana and J. Zhou (eds.) Security and Privacy of Mobile Devices in Wireless Communication Multi-Stage Fault Attacks Philipp Jovanovic 9 / 33
15 Overview 1. Motivation 2. The PRINCE Block Cipher 3. A Multi-Stage Fault Attack on PRINCE Multi-Stage Fault Attacks Philipp Jovanovic 10 / 33
16 Overview on Block Ciphers Definition Given a block size of n 1 bits and a key size of n 2 bits a block cipher is specified by an encryption function and a decryption function such that E : {0, 1} n 1 {0, 1} n 2 {0, 1} n 1, (m, k) c D : {0, 1} n 1 {0, 1} n 2 {0, 1} n 1, (c, k) m D k (E k (m)) = m for all plaintext messages m {0, 1} n 1 and all keys k {0, 1} n 2. Multi-Stage Fault Attacks Philipp Jovanovic 11 / 33
17 Overview on Block Ciphers Multi-Stage Fault Attacks Philipp Jovanovic 12 / 33
18 The PRINCE Block Cipher General Features Uses a 64-bit state and a 128-bit key. Based on the so-called FX construction. Core of the cipher is based on a Substitution-Permutation Network (SPN) and has 10 encryption rounds divided by a middle layer. Furthermore the core of PRINCE features the so-called α-reflection property. Due to this it holds that: where α = c0ac29b7c97c50dd. D (k0 k 0 )( ) = E (k 0 k 0 α)( ) This keeps the hardware costs low and produces only small overheads. (Applications: smart cards, sensor networks, "internet-of-things" etc.) J. Borghoff et al., PRINCE A Low-Latency Block Cipher for Pervasive Computing Applications, In: K. Sako and X. Wang (eds.) ASIACRYPT 2012, LNCS, vol. 7658, Springer Heidelberg 2012, pp Multi-Stage Fault Attacks Philipp Jovanovic 13 / 33
19 The PRINCE Block Cipher The 128-bit key k is split into two parts k 0 and of 64 bit each, k = k 0 and extended to 192 bits by the following mapping: (k 0 ) (k 0 k 0 ) := (k 0 (k 0 >>> 1) (k 0 >> 63) ) RC RC 1 0 RC 2 RC 3 RC 4 RC 5 RC 6 RC 7 RC 8 RC 9 RC 10 RC 11 x R 1 R 2 R 3 R 4 R 5 S M S -1 R -1 6 R -1 7 R -1 8 R -1 9 R y k 0 k 0 S M M -1 S -1 RCi k1 k1 RCj Figure: Layout of PRINCE. Multi-Stage Fault Attacks Philipp Jovanovic 14 / 33
20 Components of PRINCE RC RC 1 0 RC 2 RC 3 RC 4 RC 5 RC 6 RC 7 RC 8 RC 9 RC 10 RC 11 x R 1 R 2 R 3 R 4 R 5 S M S -1 R -1 6 R -1 7 R -1 8 R -1 9 R y k 0 k 0 S M M -1 S -1 RCi k1 k1 RCj k i -add: The 64-bit subkey k i is XORed to the state. S-Layer: All state nibbles are substituted using the 4-bit SBox below. x A B C D E F S[x] B F 3 2 A C E 5 D 4 Multi-Stage Fault Attacks Philipp Jovanovic 15 / 33
21 Components of PRINCE RC RC 1 0 RC 2 RC 3 RC 4 RC 5 RC 6 RC 7 RC 8 RC 9 RC 10 RC 11 x R 1 R 2 R 3 R 4 R 5 S M S -1 R -1 6 R -1 7 R -1 8 R -1 9 R y k 0 k 0 S M M -1 S -1 RCi k1 k1 RCj M / M -Layer: The 64-bit state is multiplied with a matrix M resp. M, where M = SR M and SR shifts row i of the state matrix cyclically to the left by i 1 nibbles. RC i -add: A 64-bit round constant is XORed to the state. i RC i , 13198a2e , a f31d efa98ec4e6c89, e638d01377, be5466cf34e90c6c 6 8 7ef84f78fd955cb1, f1ac43aa, c882d32f25323c a51195e0e3610d, d3b5a399ca0c2399, c0ac29b7c97c50dd Multi-Stage Fault Attacks Philipp Jovanovic 15 / 33
22 Overview 1. Motivation 2. The PRINCE Block Cipher 3. A Multi-Stage Fault Attack on PRINCE Multi-Stage Fault Attacks Philipp Jovanovic 16 / 33
23 What s a Multi-Stage Fault Attack? Outline Obtain one (or more) pair(s) of correct and faulty ciphertexts c and c. Use Differential Fault Analysis to examine the ciphertext pairs (c, c ) and obtain informations about the secret key k. Repeat the above scheme if the attacked block cipher uses multiple independent subkeys, i.e. if k = k 0 k n and the k i are not connected through a key schedule. Recall: PRINCE uses two independent subkeys. Multi-Stage Fault Attacks Philipp Jovanovic 17 / 33
24 What s a Multi-Stage Fault Attack? Outline Obtain one (or more) pair(s) of correct and faulty ciphertexts c and c. Use Differential Fault Analysis to examine the ciphertext pairs (c, c ) and obtain informations about the secret key k. Repeat the above scheme if the attacked block cipher uses multiple independent subkeys, i.e. if k = k 0 k n and the k i are not connected through a key schedule. Recall: PRINCE uses two independent subkeys. Multi-Stage Fault Attacks Philipp Jovanovic 17 / 33
25 What s a Multi-Stage Fault Attack? Outline Obtain one (or more) pair(s) of correct and faulty ciphertexts c and c. Use Differential Fault Analysis to examine the ciphertext pairs (c, c ) and obtain informations about the secret key k. Repeat the above scheme if the attacked block cipher uses multiple independent subkeys, i.e. if k = k 0 k n and the k i are not connected through a key schedule. Recall: PRINCE uses two independent subkeys. Multi-Stage Fault Attacks Philipp Jovanovic 17 / 33
26 What s a Multi-Stage Fault Attack? Outline Obtain one (or more) pair(s) of correct and faulty ciphertexts c and c. Use Differential Fault Analysis to examine the ciphertext pairs (c, c ) and obtain informations about the secret key k. Repeat the above scheme if the attacked block cipher uses multiple independent subkeys, i.e. if k = k 0 k n and the k i are not connected through a key schedule. Recall: PRINCE uses two independent subkeys. Multi-Stage Fault Attacks Philipp Jovanovic 17 / 33
27 Multi-Stage Fault Attacks More Questions How good does a fault injection need to be controllable by an attacker such that informations about the secret key can be derived? In other words: Can we use ciphertexts obtained from arbitrary faults or are there any requirements in order to produce useful faulty ciphertexts? What exactly is Differential Fault Analysis and how does it work in the case of PRINCE? Multi-Stage Fault Attacks Philipp Jovanovic 18 / 33
28 Multi-Stage Fault Attacks More Questions How good does a fault injection need to be controllable by an attacker such that informations about the secret key can be derived? In other words: Can we use ciphertexts obtained from arbitrary faults or are there any requirements in order to produce useful faulty ciphertexts? What exactly is Differential Fault Analysis and how does it work in the case of PRINCE? Multi-Stage Fault Attacks Philipp Jovanovic 18 / 33
29 Multi-Stage Fault Attacks More Questions How good does a fault injection need to be controllable by an attacker such that informations about the secret key can be derived? In other words: Can we use ciphertexts obtained from arbitrary faults or are there any requirements in order to produce useful faulty ciphertexts? What exactly is Differential Fault Analysis and how does it work in the case of PRINCE? Multi-Stage Fault Attacks Philipp Jovanovic 18 / 33
30 Requirements Capabilities of an Attacker Known Plaintext Attack: We assume that the attacker is able to generate an arbitrary number of plaintext, (faulty) ciphertext triples (m, c, c ). Kerckhoffs Principle or The enemy knows the system : The design of the cipher is known to the adversary. (No security by obscurity) Fault Models Temporal Resolution: Fault injection timing is controllable very precisely, i.e. injection after a specific operation of the cipher. Spatial Resolution: Injection effects a single nibble (4-bit value) of the whole state. The affected nibble itself is either known (model: RKF) or unknown (model: RUF). Effects: Injection changes the state nibble to a random and unknown 4-bit value. Multi-Stage Fault Attacks Philipp Jovanovic 19 / 33
31 Requirements Capabilities of an Attacker Known Plaintext Attack: We assume that the attacker is able to generate an arbitrary number of plaintext, (faulty) ciphertext triples (m, c, c ). Kerckhoffs Principle or The enemy knows the system : The design of the cipher is known to the adversary. (No security by obscurity) Fault Models Temporal Resolution: Fault injection timing is controllable very precisely, i.e. injection after a specific operation of the cipher. Spatial Resolution: Injection effects a single nibble (4-bit value) of the whole state. The affected nibble itself is either known (model: RKF) or unknown (model: RUF). Effects: Injection changes the state nibble to a random and unknown 4-bit value. Multi-Stage Fault Attacks Philipp Jovanovic 19 / 33
32 A Multi-Stage Fault Attack on PRINCE Where to Inject Faults? RC RC 1 0 RC 2 RC 3 RC 4 RC 5 RC 6 RC 7 RC 8 RC 9 RC 10 RC 11 x R 1 R 2 R 3 R 4 R 5 S M S -1 R -1 6 R -1 7 R -1 8 R -1 9 R y k 0 k 0 S M M -1 S -1 RCi k1 k1 RCj Multi-Stage Fault Attacks Philipp Jovanovic 20 / 33
33 A Multi-Stage Fault Attack on PRINCE Attack Stage 0 RC RC 1 0 RC 2 RC 3 RC 4 RC 5 RC 6 RC 7 RC 8 RC 9 RC 10 RC 11 x R 1 R 2 R 3 R 4 R 5 S M S -1 R -1 6 R -1 7 R -1 8 R -1 9 R y k 0 k 0 S M M -1 S -1 RCi k1 k1 RCj Inject fault in R 1 9. Analyse fault propagation and ciphertext pairs. Obtain informations on k 0. Multi-Stage Fault Attacks Philipp Jovanovic 21 / 33
34 A Multi-Stage Fault Attack on PRINCE Attack Stage 1 RC RC 1 0 RC 2 RC 3 RC 4 RC 5 RC 6 RC 7 RC 8 RC 9 RC 10 RC 11 x R 1 R 2 R 3 R 4 R 5 S M S -1 R -1 6 R -1 7 R -1 8 R -1 9 R y k 0 k 0 S M M -1 S -1 RCi k1 k1 RCj Inject fault in R 1 8. Analyse fault propagation and ciphertext pairs. Obtain informations on. Multi-Stage Fault Attacks Philipp Jovanovic 22 / 33
35 Requirements Definition Let a = b 0 b 1 b 2 b 3 be a 4-bit value and let j {0,..., 3}. Then we define the map: ϕ : B 4 {0,..., 3} B 4, (a, j) ϕ j (a) where ϕ j (a) is equal to a but with the j-th bit b j set to 0. Bit Pattern j ϕ j (a) 0 0 b 1 b 2 b 3 1 b 0 0 b 2 b 3 2 b 0 b 1 0 b 3 3 b 0 b 1 b 2 0 Multi-Stage Fault Attacks Philipp Jovanovic 23 / 33
36 Requirements Definition Let a = b 0 b 1 b 2 b 3 be a 4-bit value and let j {0,..., 3}. Then we define the map: ϕ : B 4 {0,..., 3} B 4, (a, j) ϕ j (a) where ϕ j (a) is equal to a but with the j-th bit b j set to 0. Bit Pattern j ϕ j (a) 0 0 b 1 b 2 b 3 1 b 0 0 b 2 b 3 2 b 0 b 1 0 b 3 3 b 0 b 1 b 2 0 Multi-Stage Fault Attacks Philipp Jovanovic 23 / 33
37 A Multi-Stage Fault Attack on PRINCE Fault Propagation over 2 Rounds RC i r f f ϕ(f) 0 ϕ(f) 2 ϕ(f) 3 RC i+1 r + 1 SR -1 M ϕ(f) S -1, 1 x w y z w ϕ(w) ϕ(x) ϕ(y) ϕ(z) SR -1 x M ϕ(w) ϕ(x) ϕ(y) ϕ(z) S -1, y ϕ(w) ϕ(x) ϕ(y) ϕ(z) RC i+2 z ϕ(w) ϕ(x) ϕ(y) ϕ(z) Multi-Stage Fault Attacks Philipp Jovanovic 24 / 33
38 Differential Fault Analysis Fault Equations Let v i, v i, k i and q i be variables. We substitute the nibbles of correct and faulty ciphertexts (intermediate states) for v i and v i, key nibbles for k i and round constant nibbles for q i. E i : SBox(v i k i q i ) SBox(v i k i q i ) = ϕ ji (w), i {0,..., 3} ϕ ji (x), i {4,..., 7} ϕ ji (y), i {8,..., 11} ϕ ji (z), i {12,..., 15} (0, 1, 2, 3, 2, 3, 0, 1, 3, 0, 1, 2, 3, 0, 1, 2), l {0, 7, 10, 13} (3, 0, 1, 2, 1, 2, 3, 0, 2, 3, 0, 1, 2, 3, 0, 1), l {1, 4, 11, 14} (j i ) i=0,...,15 = (2, 3, 0, 1, 0, 1, 2, 3, 1, 2, 3, 0, 1, 2, 3, 0), l {2, 5, 8, 15} (1, 2, 3, 0, 3, 0, 1, 2, 0, 1, 2, 3, 0, 1, 2, 3), l {3, 6, 8, 12} Multi-Stage Fault Attacks Philipp Jovanovic 25 / 33
39 Differential Fault Analysis Definition For every fault eqaution E i we introduce a key nibble candidate set S i with S i = {(t, u) t, u B 4 } for i {0,..., 15}. Furthermore let S = (S i ) i=0,...,15. DFA Algorithm: Input: (c, c ) (intermediate state (v, v ) for the 2nd stage) Output: Set S containing candidates for k 0 (or for the 2nd stage) return outer_filtering(inner_filtering(evaluation(c, c ))) Multi-Stage Fault Attacks Philipp Jovanovic 26 / 33
40 Differential Fault Analysis RC i r f f ϕ(f) 0 ϕ(f) 2 ϕ(f) 3 RC i+1 r + 1 SR -1 M ϕ(f) S -1, 1 x w y z w ϕ(w) ϕ(x) ϕ(y) ϕ(z) SR -1 x M ϕ(w) ϕ(x) ϕ(y) ϕ(z) S -1, y ϕ(w) ϕ(x) ϕ(y) ϕ(z) RC i+2 z ϕ(w) ϕ(x) ϕ(y) ϕ(z) Overview on the Single Steps evaluation: Compute E i (u) = t for all u B 4 and save the result (u, t) to the set S i. inner_filtering: Discard all tuples (u, t) from S i where t doesn t match the pattern ϕ ji associated with E i. outer_filtering: Exploit the fact that the elements of the sets S 4 m,..., S 4 m+3 are derived from a commen preimage to discard even more invalid tuples (u, t). Multi-Stage Fault Attacks Philipp Jovanovic 27 / 33
41 Differential Fault Analysis RC i r f f ϕ(f) 0 ϕ(f) 2 ϕ(f) 3 RC i+1 r + 1 SR -1 M ϕ(f) S -1, 1 x w y z w ϕ(w) ϕ(x) ϕ(y) ϕ(z) SR -1 x M ϕ(w) ϕ(x) ϕ(y) ϕ(z) S -1, y ϕ(w) ϕ(x) ϕ(y) ϕ(z) RC i+2 z ϕ(w) ϕ(x) ϕ(y) ϕ(z) Overview on the Single Steps evaluation: Compute E i (u) = t for all u B 4 and save the result (u, t) to the set S i. inner_filtering: Discard all tuples (u, t) from S i where t doesn t match the pattern ϕ ji associated with E i. outer_filtering: Exploit the fact that the elements of the sets S 4 m,..., S 4 m+3 are derived from a commen preimage to discard even more invalid tuples (u, t). Multi-Stage Fault Attacks Philipp Jovanovic 27 / 33
42 Differential Fault Analysis RC i r f f ϕ(f) 0 ϕ(f) 2 ϕ(f) 3 RC i+1 r + 1 SR -1 M ϕ(f) S -1, 1 x w y z w ϕ(w) ϕ(x) ϕ(y) ϕ(z) SR -1 x M ϕ(w) ϕ(x) ϕ(y) ϕ(z) S -1, y ϕ(w) ϕ(x) ϕ(y) ϕ(z) RC i+2 z ϕ(w) ϕ(x) ϕ(y) ϕ(z) Overview on the Single Steps evaluation: Compute E i (u) = t for all u B 4 and save the result (u, t) to the set S i. inner_filtering: Discard all tuples (u, t) from S i where t doesn t match the pattern ϕ ji associated with E i. outer_filtering: Exploit the fact that the elements of the sets S 4 m,..., S 4 m+3 are derived from a commen preimage to discard even more invalid tuples (u, t). Multi-Stage Fault Attacks Philipp Jovanovic 27 / 33
43 A Fault Attack on PRINCE Example Assume we have the following setup: k = ABCDEF ABCDEF m = ABCDEF c = 0A72342A c = 21A19DCD 25D7433C The faulty ciphertext c was obtained by injecting the error value e = 0xC into nibble s 0 of the state at the beginning of round R 1 9. Multi-Stage Fault Attacks Philipp Jovanovic 28 / 33
44 A Fault Attack on PRINCE As a reminder we list again the possible index pattern below. j ϕ j (a) 0 0 b 1 b 2 b 3 1 b 0 0 b 2 b 3 2 b 0 b 1 0 b 3 3 b 0 b 1 b 2 0 Table: Distribution of key nibbles after evaluation (1st column)... S i A B C D E F #S #S #S #S Apply the same technique to the other sets S 4,..., S 15. As a result there remain only 2 20 = from the initial 2 64 candidates for k 0. Multi-Stage Fault Attacks Philipp Jovanovic 29 / 33
45 A Fault Attack on PRINCE As a reminder we list again the possible index pattern below. j ϕ j (a) 0 0 b 1 b 2 b 3 1 b 0 0 b 2 b 3 2 b 0 b 1 0 b 3 3 b 0 b 1 b 2 0 Table:... after inner_filtering... S i A B C D E F #S #S #S #S Apply the same technique to the other sets S 4,..., S 15. As a result there remain only 2 20 = from the initial 2 64 candidates for k 0. Multi-Stage Fault Attacks Philipp Jovanovic 29 / 33
46 A Fault Attack on PRINCE As a reminder we list again the possible index pattern below. j ϕ j (a) 0 0 b 1 b 2 b 3 1 b 0 0 b 2 b 3 2 b 0 b 1 0 b 3 3 b 0 b 1 b 2 0 Table:... and after outer_filtering. S i A B C D E F #S #S #S #S Apply the same technique to the other sets S 4,..., S 15. As a result there remain only 2 20 = from the initial 2 64 candidates for k 0. Multi-Stage Fault Attacks Philipp Jovanovic 29 / 33
47 A Fault Attack on PRINCE Fault 2 Faults 3 Faults 4 Faults Fault 2 Faults 3 Faults 4 Faults Size of keyspace: 2 n Size of keyspace: 2 n Figure: Experimental results for stage 0 (left) and stage 1 (right). The data was obtained through runs of the attack using fault model RUF. Multi-Stage Fault Attacks Philipp Jovanovic 30 / 33
48 A Fault Attack on PRINCE Table: Statistics for k 0 and candidates after stage 0 and 1. stage 0 stage 1 # keys / # faults min max avg median Summary: In order to reconstruct the complete 128-bit key k 0 it is sufficient to inject approximately 3 4 faults. Multi-Stage Fault Attacks Philipp Jovanovic 31 / 33
49 Outlook Q: Can we apply Multi-Stage Fault Attacks to other ciphers? A: Yes, indeed we can! We constructed an algorithm that can be used to analyse (SPN) block ciphers having independent subkeys using Multi-Stage Fault Attacks. Showed applications to PRINCE (this talk) and LED-128. To appear soon. (hopefully :-) Multi-Stage Fault Attacks Philipp Jovanovic 32 / 33
50 Outlook Q: Can we apply Multi-Stage Fault Attacks to other ciphers? A: Yes, indeed we can! We constructed an algorithm that can be used to analyse (SPN) block ciphers having independent subkeys using Multi-Stage Fault Attacks. Showed applications to PRINCE (this talk) and LED-128. To appear soon. (hopefully :-) Multi-Stage Fault Attacks Philipp Jovanovic 32 / 33
51 Outlook Q: Can we apply Multi-Stage Fault Attacks to other ciphers? A: Yes, indeed we can! We constructed an algorithm that can be used to analyse (SPN) block ciphers having independent subkeys using Multi-Stage Fault Attacks. Showed applications to PRINCE (this talk) and LED-128. To appear soon. (hopefully :-) Multi-Stage Fault Attacks Philipp Jovanovic 32 / 33
52 Outlook Q: Can we apply Multi-Stage Fault Attacks to other ciphers? A: Yes, indeed we can! We constructed an algorithm that can be used to analyse (SPN) block ciphers having independent subkeys using Multi-Stage Fault Attacks. Showed applications to PRINCE (this talk) and LED-128. To appear soon. (hopefully :-) Multi-Stage Fault Attacks Philipp Jovanovic 32 / 33
53 Outlook Q: Can we apply Multi-Stage Fault Attacks to other ciphers? A: Yes, indeed we can! We constructed an algorithm that can be used to analyse (SPN) block ciphers having independent subkeys using Multi-Stage Fault Attacks. Showed applications to PRINCE (this talk) and LED-128. To appear soon. (hopefully :-) Multi-Stage Fault Attacks Philipp Jovanovic 32 / 33
54 Fin Thank you for your attention! Multi-Stage Fault Attacks Philipp Jovanovic 33 / 33
Parametric Trojans for Fault-Injection Attacks on Cryptographic Hardware
Parametric Trojans for Fault-Injection Attacks on Cryptographic Hardware Raghavan Kumar $, Philipp Jovanovic e, Wayne Burleson $ and Ilia Polian e $ University of Massachusetts Amherst, 2, USA e University
More informationPARAMETRIC TROJANS FOR FAULT-BASED ATTACKS ON CRYPTOGRAPHIC HARDWARE
PARAMETRIC TROJANS FOR FAULT-BASED ATTACKS ON CRYPTOGRAPHIC HARDWARE Raghavan Kumar, University of Massachusetts Amherst Contributions by: Philipp Jovanovic, University of Passau Wayne P. Burleson, University
More informationPrecise Fault-Injections using Voltage and Temperature Manipulation for Differential Cryptanalysis
Precise Fault-Injections using Voltage and Temperature Manipulation for Differential Cryptanalysis Raghavan Kumar $, Philipp Jovanovic e and Ilia Polian e $ University of Massachusetts, 12 USA e University
More informationExternal Encodings Do not Prevent Transient Fault Analysis
External Encodings Do not Prevent Transient Fault Analysis Christophe Clavier Gemalto, Security Labs CHES 2007 Vienna - September 12, 2007 Christophe Clavier CHES 2007 Vienna September 12, 2007 1 / 20
More informationDifferential Fault Analysis of Trivium
Differential Fault Analysis of Trivium Michal Hojsík 1, 3 and Bohuslav Rudolf 2, 3 1 The Selmer Center, University of Bergen, Norway 2 National Security Authority, Czech Republic 3 Department of Algebra,
More informationDifferential Fault Analysis on the AES Key Schedule
ifferential Fault Analysis on the AES Key Schedule Junko TAKAHASHI and Toshinori FUKUNAGA NTT Information Sharing Platform Laboratories, Nippon Telegraph and Telephone Corporation, {takahashi.junko, fukunaga.toshinori}@lab.ntt.co.jp
More informationDFA on AES. Christophe Giraud. Oberthur Card Systems, 25, rue Auguste Blanche, Puteaux, France.
DFA on AES Christophe Giraud Oberthur Card Systems, 25, rue Auguste Blanche, 92800 Puteaux, France. c.giraud@oberthurcs.com Abstract. In this paper we describe two different DFA attacks on the AES. The
More informationPiret and Quisquater s DFA on AES Revisited
Piret and Quisquater s DFA on AES Revisited Christophe Giraud 1 and Adrian Thillard 1,2 1 Oberthur Technologies, 4, allée du doyen Georges Brus, 33 600 Pessac, France. c.giraud@oberthur.com 2 Université
More informationFault injection attacks on cryptographic devices and countermeasures Part 1
Fault injection attacks on cryptographic devices and countermeasures Part 1 Israel Koren Department of Electrical and Computer Engineering University of Massachusetts Amherst, MA Outline Introduction -
More informationA Fault Attack Against the FOX Cipher Family
A Fault Attack Against the FOX Cipher Family L. Breveglieri 1,I.Koren 2,andP.Maistri 1 1 Department of Electronics and Information Technology, Politecnico di Milano, Milano, Italy {brevegli, maistri}@elet.polimi.it
More informationFundamentals of Cryptography
Fundamentals of Cryptography Topics in Quantum-Safe Cryptography June 23, 2016 Part III Data Encryption Standard The Feistel network design m m 0 m 1 f k 1 1 m m 1 2 f k 2 2 DES uses a Feistel network
More informationClock Glitch Fault Injection Attacks on an FPGA AES Implementation
Journal of Electrotechnology, Electrical Engineering and Management (2017) Vol. 1, Number 1 Clausius Scientific Press, Canada Clock Glitch Fault Injection Attacks on an FPGA AES Implementation Yifei Qiao1,a,
More informationImproved differential fault analysis on lightweight block cipher LBlock for wireless sensor networks
Jeong et al. EURASIP Journal on Wireless Communications and Networking 2013, 2013:151 RESEARCH Improved differential fault analysis on lightweight block cipher LBlock for wireless sensor networks Kitae
More informationInternational Journal for Research in Applied Science & Engineering Technology (IJRASET) Performance Comparison of Cryptanalysis Techniques over DES
Performance Comparison of Cryptanalysis Techniques over DES Anupam Kumar 1, Aman Kumar 2, Sahil Jain 3, P Kiranmai 4 1,2,3,4 Dept. of Computer Science, MAIT, GGSIP University, Delhi, INDIA Abstract--The
More informationA Cautionary Note on Weak Implementations of Block Ciphers
A Cautionary Note on Weak Implementations of Block Ciphers Tim Kerins and Klaus Kursawe Information and System Security Group, Philips Research Europe Prof. Holstlaan 4, 5656 AA, Eindhoven, The Netherlands.
More informationMulti-Stage Fault Attacks on Block Ciphers
Multi-Stage Fault Attacks on Block Ciphers Philipp Jovanovic, Martin Kreuer, Ilia Polian Fakultät für Informatik und Mathematik Universität Passau 94032 Passau, German {Philipp.Jovanovic, Martin.Kreuer,
More informationRelated-key Attacks on Triple-DES and DESX Variants
Related-key Attacks on Triple-DES and DESX Variants Raphael C.-W. han Department of Engineering, Swinburne Sarawak Institute of Technology, 1st Floor, State Complex, 93576 Kuching, Malaysia rphan@swinburne.edu.my
More informationMeet-in-the-middle Attack on the 6-round Variant of the Block Cipher PRINCE
Vol.5 (ITCS 204), pp.250-255 http://d.doi.org/0.4257/astl.204.5.57 Meet-in-the-middle Attack on the 6-round Variant of the Block Cipher PRINCE Yasutaka Igarashi, Toshinobu Kaneko 2, Satoshi Setoguchi,
More informationA Differential Fault Attack against Early Rounds of (Triple-)DES
A Differential Fault Attack against Early Rounds of (Triple-)DES Ludger Hemme Giesecke & Devrient GmbH Prinzregentenstr. 159, 81677 Munich, Germany ludger.hemme@de.gi-de.com Abstract. Previously proposed
More informationComputer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08. Cryptography Part II Paul Krzyzanowski Rutgers University Spring 2018 March 23, 2018 CS 419 2018 Paul Krzyzanowski 1 Block ciphers Block ciphers encrypt a block of plaintext at a
More informationSecret Key Algorithms (DES)
Secret Key Algorithms (DES) G. Bertoni L. Breveglieri Foundations of Cryptography - Secret Key pp. 1 / 34 Definition a symmetric key cryptographic algorithm is characterized by having the same key used
More informationComputer Security 3/23/18
s s encrypt a block of plaintext at a time and produce ciphertext Computer Security 08. Cryptography Part II Paul Krzyzanowski DES & AES are two popular block ciphers DES: 64 bit blocks AES: 128 bit blocks
More informationP2_L6 Symmetric Encryption Page 1
P2_L6 Symmetric Encryption Page 1 Reference: Computer Security by Stallings and Brown, Chapter 20 Symmetric encryption algorithms are typically block ciphers that take thick size input. In this lesson,
More information7. Symmetric encryption. symmetric cryptography 1
CIS 5371 Cryptography 7. Symmetric encryption symmetric cryptography 1 Cryptographic systems Cryptosystem: t (MCKK GED) (M,C,K,K,G,E,D) M, plaintext message space C, ciphertext message space K, K, encryption
More informationSymmetric Key Algorithms. Definition. A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting.
Symmetric Key Algorithms Definition A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting. 1 Block cipher and stream cipher There are two main families
More informationComputer and Data Security. Lecture 3 Block cipher and DES
Computer and Data Security Lecture 3 Block cipher and DES Stream Ciphers l Encrypts a digital data stream one bit or one byte at a time l One time pad is example; but practical limitations l Typical approach
More informationSecret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34
Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34 Definition a symmetric key cryptographic algorithm is characterized by having the same key used for both encryption and decryption.
More informationParity-based Concurrent Error Detection of Substitution-Permutation Network Block Ciphers
Parity-based Concurrent Error Detection of Substitution-Permutation Network Block Ciphers Ramesh Karri 1, Grigori Kuznetsov 2 and Michael Goessel 2 1 Department of Electrical and Computer Engineering Polytechnic
More informationRECTIFIED DIFFERENTIAL CRYPTANALYSIS OF 16 ROUND PRESENT
RECTIFIED DIFFERENTIAL CRYPTANALYSIS OF 16 ROUND PRESENT Manoj Kumar 1, Pratibha Yadav, Meena Kumari SAG, DRDO, Metcalfe House, Delhi-110054, India mktalyan@yahoo.com 1 ABSTRACT In this paper, we have
More informationDr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Secret Key Cryptography Block cipher DES 3DES
More informationGoals of Modern Cryptography
Goals of Modern Cryptography Providing information security: Data Privacy Data Integrity and Authenticity in various computational settings. Data Privacy M Alice Bob The goal is to ensure that the adversary
More informationLecture 3: Symmetric Key Encryption
Lecture 3: Symmetric Key Encryption CS996: Modern Cryptography Spring 2007 Nitesh Saxena Outline Symmetric Key Encryption Continued Discussion of Potential Project Topics Project proposal due 02/22/07
More informationCSCE 813 Internet Security Symmetric Cryptography
CSCE 813 Internet Security Symmetric Cryptography Professor Lisa Luo Fall 2017 Previous Class Essential Internet Security Requirements Confidentiality Integrity Authenticity Availability Accountability
More information3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some
3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some popular block ciphers Triple DES Advanced Encryption
More informationpage 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas
Introduction to Cryptography Lecture 3 Benny Pinkas page 1 1 Pseudo-random generator Pseudo-random generator seed output s G G(s) (random, s =n) Deterministic function of s, publicly known G(s) = 2n Distinguisher
More informationData Encryption Standard (DES)
Data Encryption Standard (DES) Best-known symmetric cryptography method: DES 1973: Call for a public cryptographic algorithm standard for commercial purposes by the National Bureau of Standards Goals:
More informationICT 6541 Applied Cryptography. Hossen Asiful Mustafa
ICT 6541 Applied Cryptography Hossen Asiful Mustafa Encryption & Decryption Key (K) Plaintext (P) Encrypt (E) Ciphertext (C) C = E K (P) Same Key (K) Ciphertext (C) Decrypt (D) Plaintext (P) P = D K (C)
More informationFault Injection Attacks and Countermeasures
Fault Injection Attacks and Countermeasures Brněnské bezpečnostní setkávání, FEKT VUT Brno Jakub Breier 28 March 2018 Physical Analysis and Cryptographic Engineering Nanyang Technological University Singapore
More informationCryptanalysis. Ed Crowley
Cryptanalysis Ed Crowley 1 Topics Cryptanalysis History Modern Cryptanalysis Characterization of Cryptanalysis Attacks Attack Types 2 Cryptanalysis Science of cracking ciphers and codes, decoding secrets,
More informationDifferential-Linear Cryptanalysis of Serpent
Differential-Linear Cryptanalysis of Serpent Eli Biham 1, Orr Dunkelman 1, and Nathan Keller 2 1 Computer Science Department, Technion, Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics
More informationCryptography ThreeB. Ed Crowley. Fall 08
Cryptography ThreeB Ed Crowley Fall 08 Cryptanalysis History Modern Cryptanalysis Characterization of Cryptanalysis Attacks Attack Types Cryptanalysis. Science of cracking ciphers and codes, decoding secrets,
More informationA Simple Power Analysis Attack Against the Key Schedule of the Camellia Block Cipher
A Simple Power Analysis Attack Against the Key Schedule of the Camellia Block Cipher Lu Xiao and Howard M. Heys 2 QUALCOMM Incorporated, lxiao@qualcomm.com 2 Electrical and Computer Engineering, Faculty
More informationProtecting Last Four Rounds of CLEFIA is Not Enough Against Differential Fault Analysis
Protecting Last Four Rounds of CLEFIA is Not Enough Against Differential Fault Analysis Sk Subidh Ali and Debdeep Mukhopadhyay Dept. of Computer Science and Engineering Indian Institute of Technology Kharagpur,
More informationDifferential Cryptanalysis
Differential Cryptanalysis See: Biham and Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer Verlag, 1993. c Eli Biham - March, 28 th, 2012 1 Differential Cryptanalysis The Data
More informationA Related Key Attack on the Feistel Type Block Ciphers
International Journal of Network Security, Vol.8, No.3, PP.221 226, May 2009 221 A Related Key Attack on the Feistel Type Block Ciphers Ali Bagherzandi 1,2, Mahmoud Salmasizadeh 2, and Javad Mohajeri 2
More informationFault-propagation Pattern Based DFA on SPN Structure Block Ciphers using Bitwise Permutation, with Application to PRESENT and PRINTcipher
Fault-propagation Pattern Based DFA on SPN Structure Block Ciphers using Bitwise Permutation, with Application to PRESENT and PRINTcipher XinJie Zhao 1, Tao Wang 1, ShiZe Guo 2,3 1 (Department of Computer
More informationCSc 466/566. Computer Security. 6 : Cryptography Symmetric Key
1/56 CSc 466/566 Computer Security 6 : Cryptography Symmetric Key Version: 2012/02/22 16:14:16 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian Collberg
More informationCSC 474/574 Information Systems Security
CSC 474/574 Information Systems Security Topic 2.2 Secret Key Cryptography CSC 474/574 Dr. Peng Ning 1 Agenda Generic block cipher Feistel cipher DES Modes of block ciphers Multiple encryptions Message
More informationFault Analysis Study of the Block Cipher FOX64
Fault Analysis Study of the Block Cipher FOX64 Ruilin Li 1, Jianxiong You 1, Bing Sun 1,, and Chao Li 1,3 1 Department of Mathematics and System Science, Science College, National University of Defense
More informationA Framework for the Analysis and Evaluation of Algebraic Fault Attacks on Lightweight Block Ciphers
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY 1 A Framework for the Analysis and Evaluation of Algebraic Fault Attacks on Lightweight Block Ciphers Fan Zhang, Shize Guo, Xinjie Zhao, Tao Wang,
More informationEncryption Details COMP620
Encryption Details COMP620 Encryption is a powerful defensive weapon for free people. It offers a technical guarantee of privacy, regardless of who is running the government It s hard to think of a more
More informationFDTC 2010 Fault Diagnosis and Tolerance in Cryptography. PACA on AES Passive and Active Combined Attacks
FDTC 21 Fault Diagnosis and Tolerance in Cryptography PACA on AES Passive and Active Combined Attacks Christophe Clavier Benoît Feix Georges Gagnerot Mylène Roussellet Limoges University Inside Contactless
More informationLinear Cryptanalysis of Reduced Round Serpent
Linear Cryptanalysis of Reduced Round Serpent Eli Biham 1, Orr Dunkelman 1, and Nathan Keller 2 1 Computer Science Department, Technion Israel Institute of Technology, Haifa 32000, Israel, {biham,orrd}@cs.technion.ac.il,
More informationFAULT DETECTION IN THE ADVANCED ENCRYPTION STANDARD. G. Bertoni, L. Breveglieri, I. Koren and V. Piuri
FAULT DETECTION IN THE ADVANCED ENCRYPTION STANDARD G. Bertoni, L. Breveglieri, I. Koren and V. Piuri Abstract. The AES (Advanced Encryption Standard) is an emerging private-key cryptographic system. Performance
More informationCSCI 454/554 Computer and Network Security. Topic 3.1 Secret Key Cryptography Algorithms
CSCI 454/554 Computer and Network Security Topic 3.1 Secret Key Cryptography Algorithms Outline Introductory Remarks Feistel Cipher DES AES 2 Introduction Secret Keys or Secret Algorithms? Security by
More informationAttack on DES. Jing Li
Attack on DES Jing Li Major cryptanalytic attacks against DES 1976: For a very small class of weak keys, DES can be broken with complexity 1 1977: Exhaustive search will become possible within 20 years,
More informationHOST Differential Power Attacks ECE 525
Side-Channel Attacks Cryptographic algorithms assume that secret keys are utilized by implementations of the algorithm in a secure fashion, with access only allowed through the I/Os Unfortunately, cryptographic
More informationLecture 2: Secret Key Cryptography
T-79.159 Cryptography and Data Security Lecture 2: Secret Key Cryptography Helger Lipmaa Helsinki University of Technology helger@tcs.hut.fi 1 Reminder: Communication Model Adversary Eve Cipher, Encryption
More informationA Weight Based Attack on the CIKS-1 Block Cipher
A Weight Based Attack on the CIKS-1 Block Cipher Brian J. Kidney, Howard M. Heys, Theodore S. Norvell Electrical and Computer Engineering Memorial University of Newfoundland {bkidney, howard, theo}@engr.mun.ca
More informationCSC 580 Cryptography and Computer Security
CSC 580 Cryptography and Computer Security Encryption Concepts, Classical Crypto, and Binary Operations January 30, 2018 Overview Today: Cryptography concepts and classical crypto Textbook sections 3.1,
More informationComputer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS
More informationIntegral Cryptanalysis of the BSPN Block Cipher
Integral Cryptanalysis of the BSPN Block Cipher Howard Heys Department of Electrical and Computer Engineering Memorial University hheys@mun.ca Abstract In this paper, we investigate the application of
More informationDifferential Fault Analysis on AES Key Schedule and Some Countermeasures
Differential Fault Analysis on AES Key Schedule and Some Countermeasures Chien-Ning Chen and Sung-Ming Yen Laboratory of Cryptography and Information Security (LCIS) Dept of Computer Science and Information
More informationUsing Error Detection Codes to detect fault attacks on Symmetric Key Ciphers
Using Error Detection Codes to detect fault attacks on Symmetric Key Ciphers Israel Koren Department of Electrical and Computer Engineering Univ. of Massachusetts, Amherst, MA collaborating with Luca Breveglieri,
More informationOn the Design of Secure Block Ciphers
On the Design of Secure Block Ciphers Howard M. Heys and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University Kingston, Ontario K7L 3N6 email: tavares@ee.queensu.ca
More informationPUFFIN: A Novel Compact Block Cipher Targeted to Embedded Digital Systems
PUFFIN: A Novel Compact Block Cipher Targeted to Embedded Digital Systems Huiju Cheng, Howard M. Heys, and Cheng Wang Electrical and Computer Engineering Memorial University of Newfoundland St. John's,
More informationOn Analyzing Program Behavior Under Fault Injection Attacks
On Analyzing Program Behavior Under Fault Injection Attacks Jakub Breier Physical Analysis and Cryptographic Engineering Nanyang Technological University, Singapore jbreier@ntuedusg Abstract Fault attacks
More informationFrom AES-128 to AES-192 and AES-256, How to Adapt Differential Fault Analysis Attacks
From AES-128 to AES-192 and AES-256, How to Adapt Differential Fault Analysis Attacks Noémie Floissac and Yann L Hyver SERMA TECHNOLOGIES ITSEF 30, avenue Gustave Eiffel, 33608 Pessac, France Email: {n.floissac;y.lhyver}@serma.com
More informationCryptography MIS
Cryptography MIS-5903 http://community.mis.temple.edu/mis5903sec011s17/ Cryptography History Substitution Monoalphabetic Polyalphabetic (uses multiple alphabets) uses Vigenere Table Scytale cipher (message
More informationA SIMPLIFIED IDEA ALGORITHM
A SIMPLIFIED IDEA ALGORITHM NICK HOFFMAN Abstract. In this paper, a simplified version of the International Data Encryption Algorithm (IDEA) is described. This simplified version, like simplified versions
More informationImproved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN
Improved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN Shahram Rasoolzadeh and Håvard Raddum Simula Research Laboratory {shahram,haavardr}@simula.no Abstract. We study multidimensional meet-in-the-middle
More informationLecture 4: Symmetric Key Encryption
Lecture 4: Symmetric ey Encryption CS6903: Modern Cryptography Spring 2009 Nitesh Saxena Let s use the board, please take notes 2/20/2009 Lecture 1 - Introduction 2 Data Encryption Standard Encrypts by
More informationCryptographic Algorithms - AES
Areas for Discussion Cryptographic Algorithms - AES CNPA - Network Security Joseph Spring Department of Computer Science Advanced Encryption Standard 1 Motivation Contenders Finalists AES Design Feistel
More informationImproved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN
Improved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN Shahram Rasoolzadeh and Håvard Raddum Simula Research Laboratory Abstract. We study multidimensional meet-in-the-middle attacks on the
More informationin a 4 4 matrix of bytes. Every round except for the last consists of 4 transformations: 1. ByteSubstitution - a single non-linear transformation is a
Cryptanalysis of Reduced Variants of Rijndael Eli Biham Λ Nathan Keller y Abstract Rijndael was submitted to the AES selection process, and was later selected as one of the five finalists from which one
More informationImproved Truncated Differential Attacks on SAFER
Improved Truncated Differential Attacks on SAFER Hongjun Wu * Feng Bao ** Robert H. Deng ** Qin-Zhong Ye * * Department of Electrical Engineering National University of Singapore Singapore 960 ** Information
More informationAIT 682: Network and Systems Security
AIT 682: Network and Systems Security Topic 3.1 Secret Key Cryptography Algorithms Instructor: Dr. Kun Sun Outline Introductory Remarks Feistel Cipher DES AES 2 Introduction Secret Keys or Secret Algorithms?
More informationSyrvey on block ciphers
Syrvey on block ciphers Anna Rimoldi Department of Mathematics - University of Trento BunnyTn 2012 A. Rimoldi (Univ. Trento) Survey on block ciphers 12 March 2012 1 / 21 Symmetric Key Cryptosystem M-Source
More informationBlock Ciphers Introduction
Technicalities Block Models Block Ciphers Introduction Orr Dunkelman Computer Science Department University of Haifa, Israel March 10th, 2013 Orr Dunkelman Cryptanalysis of Block Ciphers Seminar Introduction
More informationSide channel attack: Power Analysis. Chujiao Ma, Z. Jerry Shi CSE, University of Connecticut
Side channel attack: Power Analysis Chujiao Ma, Z. Jerry Shi CSE, University of Connecticut Conventional Cryptanalysis Conventional cryptanalysis considers crypto systems as mathematical objects Assumptions:
More informationAdvanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50
Advanced Encryption Standard and Modes of Operation Foundations of Cryptography - AES pp. 1 / 50 AES Advanced Encryption Standard (AES) is a symmetric cryptographic algorithm AES has been originally requested
More informationPRNGs & DES. Luke Anderson. 16 th March University Of Sydney.
PRNGs & DES Luke Anderson luke@lukeanderson.com.au 16 th March 2018 University Of Sydney Overview 1. Pseudo Random Number Generators 1.1 Sources of Entropy 1.2 Desirable PRNG Properties 1.3 Real PRNGs
More informationOn-Line Self-Test of AES Hardware Implementations
On-Line Self-Test of AES Hardware Implementations G. Di Natale, M. L. Flottes, B. Rouzeyre Laboratoire d Informatique, de Robotique et de Microélectronique de Montpellier Université Montpellier II / CNRS
More informationA Fault-Resistant AES Implementation Using Differential Characteristic of Input and Output
A Fault-Resistant AES Implementation Using Differential Characteristic of Input and Output JeongSoo Park Hoseo University Asan, ChungNam, Korea sizeplay@nate.com KiSeok Bae Kyungpook National University
More informationFault Sensitivity Analysis
Fault Sensitivity Analysis Yang Li 1, Kazuo Sakiyama 1, Shigeto Gomisawa 1, Toshinori Fukunaga 2, Junko Takahashi 1,2, and Kazuo Ohta 1 1 Department of Informatics, The University of Electro-Communications
More informationInfective Computation and Dummy Rounds: Fault Protection for Block Ciphers without Check-before-Output
Infective Computation and Dummy Rounds: Fault Protection for Block Ciphers without Check-before-Output Benedikt Gierlichs 1, Jörn-Marc Schmidt 2, and Michael Tunstall 3 1 KU Leuven Dept. Electrical Engineering-ESAT/SCD-COSIC
More informationSymmetric Encryption. Thierry Sans
Symmetric Encryption Thierry Sans Design principles (reminder) 1. Kerkoff Principle The security of a cryptosystem must not rely on keeping the algorithm secret 2. Diffusion Mixing-up symbols 3. Confusion
More informationFault Sensitivity Analysis
Fault Sensitivity Analysis Yang Li 1, Kazuo Sakiyama 1, Shigeto Gomisawa 1, Toshinori Fukunaga 2, Junko Takahashi 1,2,andKazuoOhta 1 1 Department of Informatics, The University of Electro-Communications
More informationFault Detection of the Camellia Cipher against Single Byte Differential Fault Analysis
Appl. Math. Inf. Sci. 6-3S, No. 3, 951-957 (2012) 951 Applied Mathematics & Information Sciences An International Journal Fault Detection of the Camellia Cipher against Single Byte Differential Fault Analysis
More informationImproved Meet-in-the-Middle Attacks on AES-192 and PRINCE
Improved Meet-in-the-Middle Attacks on AES-92 and PRINCE Leibo Li,2, Keting Jia 2 and Xiaoyun Wang,2,3 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong
More informationA Chosen-Plaintext Linear Attack on DES
A Chosen-Plaintext Linear Attack on DES Lars R. Knudsen and John Erik Mathiassen Department of Informatics, University of Bergen, N-5020 Bergen, Norway {lars.knudsen,johnm}@ii.uib.no Abstract. In this
More informationNew Cryptanalytic Results on IDEA
New Cryptanalytic Results on IDEA Eli Biham, Orr Dunkelman, Nathan Keller Computer Science Dept., Technion Dept. of Electrical Engineering ESAT SCD/COSIC, KUL Einstein Institute of Mathematics, Hebrew
More informationDierential-Linear Cryptanalysis of Serpent? Haifa 32000, Israel. Haifa 32000, Israel
Dierential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel fbiham,orrdg@cs.technion.ac.il 2 Mathematics Department,
More informationCryptography Introduction to Computer Security. Chapter 8
Cryptography Introduction to Computer Security Chapter 8 Introduction Cryptology: science of encryption; combines cryptography and cryptanalysis Cryptography: process of making and using codes to secure
More informationPlaintext (P) + F. Ciphertext (T)
Applying Dierential Cryptanalysis to DES Reduced to 5 Rounds Terence Tay 18 October 1997 Abstract Dierential cryptanalysis is a powerful attack developed by Eli Biham and Adi Shamir. It has been successfully
More informationTwo Attacks on Reduced IDEA (Extended Abstract)
1 Two Attacks on Reduced IDEA (Extended Abstract) Johan Borst 1, Lars R. Knudsen 2, Vincent Rijmen 2 1 T.U. Eindhoven, Discr. Math., P.O. Box 513, NL-5600 MB Eindhoven, borst@win.tue.nl 2 K.U. Leuven,
More informationOn the Security of the 128-Bit Block Cipher DEAL
On the Security of the 128-Bit Block Cipher DAL Stefan Lucks Theoretische Informatik University of Mannheim, 68131 Mannheim A5, Germany lucks@th.informatik.uni-mannheim.de Abstract. DAL is a DS-based block
More informationA New Technique for Sub-Key Generation in Block Ciphers
World Applied Sciences Journal 19 (11): 1630-1639, 2012 ISSN 1818-4952 IDOSI Publications, 2012 DOI: 10.5829/idosi.wasj.2012.19.11.1871 A New Technique for Sub-Key Generation in Block Ciphers Jamal N.
More informationNew Cryptanalytic Results on IDEA
New Cryptanalytic Results on IDEA Eli Biham, Orr Dunkelman, Nathan Keller Computer Science Dept., Technion Dept. of Electrical Engineering ESAT SCD/COSIC, KUL Einstein Institute of Mathematics, Hebrew
More informationEncryption / decryption system. Fig.1. Block diagram of Hummingbird
801 Lightweight VLSI Design of Hybrid Hummingbird Cryptographic Algorithm NIKITA ARORA 1, YOGITA GIGRAS 2 12 Department of Computer Science, ITM University, Gurgaon, INDIA 1 nikita.0012@gmail.com, 2 gigras.yogita@gmail.com
More information