On Fault Injections in Generalized Feistel Networks

Similar documents
Block Ciphers and Data Encryption Standard. CSS Security and Cryptography

Piret and Quisquater s DFA on AES Revisited

Cryptography and Network Security. Sixth Edition by William Stallings

Computer and Data Security. Lecture 3 Block cipher and DES

Cryptography and Network Security Block Ciphers + DES. Lectured by Nguyễn Đức Thái

Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34

ICT 6541 Applied Cryptography. Hossen Asiful Mustafa

CSCE 813 Internet Security Symmetric Cryptography

Cryptographic Algorithms - AES

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General Considerations:

Introduction to Modern Symmetric-Key Ciphers

External Encodings Do not Prevent Transient Fault Analysis

Fault Detection of the Camellia Cipher against Single Byte Differential Fault Analysis

Symmetric Cryptography. Chapter 6

CPS2323. Block Ciphers: The Data Encryption Standard (DES)

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Jordan University of Science and Technology

Chapter 3 Block Ciphers and the Data Encryption Standard

Fundamentals of Cryptography

Wenling Wu, Lei Zhang

Linear Cryptanalysis of Reduced Round Serpent

CIS 6930/4930 Computer and Network Security. Project requirements

A Chosen-key Distinguishing Attack on Phelix

A SIMPLIFIED IDEA ALGORITHM

ELECTROMAGNETIC FAULT INJECTION ON MICROCONTROLLERS

Cryptography MIS

Secret Key Algorithms (DES)

Introduction to Network Security Missouri S&T University CPE 5420 Data Encryption Standard

BLIND FAULT ATTACK AGAINST SPN CIPHERS FDTC 2014

CSc 466/566. Computer Security. 6 : Cryptography Symmetric Key

6 Block Ciphers. 6.1 Block Ciphers CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Modern Block Ciphers

A Simple Power Analysis Attack Against the Key Schedule of the Camellia Block Cipher

Lecture 3: Symmetric Key Encryption

Differential Cryptanalysis

Block Ciphers Tutorial. c Eli Biham - May 3, Block Ciphers Tutorial (5)

Truncated Differential Analysis of Round-Reduced RoadRunneR Block Cipher

Secret Key Cryptography

A Related Key Attack on the Feistel Type Block Ciphers

S-DES Encryption template. Input:

On the Design of Secure Block Ciphers

Improved Linear Sieving Techniques with Applications to Step-Reduced LED-64

Elastic Block Ciphers: The Feistel Cipher Case

Block Ciphers and the Data Encryption Standard (DES) Modified by: Dr. Ramzi Saifan

Network Security. Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar

Using Error Detection Codes to detect fault attacks on Symmetric Key Ciphers

Lecture 4: Symmetric Key Encryption

Complementing Feistel Ciphers

CSCI 454/554 Computer and Network Security. Topic 3.1 Secret Key Cryptography Algorithms

AIT 682: Network and Systems Security

Key Separation in Twofish

Block Ciphers. Lucifer, DES, RC5, AES. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk Block Ciphers 1

Computational Security, Stream and Block Cipher Functions

P2_L6 Symmetric Encryption Page 1

CSC 474/574 Information Systems Security

New Attacks on Feistel Structures with Improved Memory Complexities

Symmetric Key Algorithms. Definition. A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting.

Symmetric Encryption. Thierry Sans

Chapter 7 Advanced Encryption Standard (AES) 7.1

Avalanche Analysis of Extended Feistel Network

Modern Symmetric Block cipher

Symmetric Key Cryptosystems. Definition

Cryptography and Network Security. Sixth Edition by William Stallings

A Methodology for Differential-Linear Cryptanalysis and Its Applications

Few Other Cryptanalytic Techniques

Elastic Block Ciphers: The Feistel Cipher Case

Cryptography and Network Security Chapter 3. Modern Block Ciphers. Block vs Stream Ciphers. Block Cipher Principles

Selected Areas in Cryptography 04 University of Waterloo (Canada), August 9, 2004

Attack on DES. Jing Li

Chapter 6: Contemporary Symmetric Ciphers

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Conventional Encryption: Modern Technologies

Computer Security 3/23/18

Software Performance Characterization of Block Cipher Structures Using S-boxes and Linear Mappings

L3. An Introduction to Block Ciphers. Rocky K. C. Chang, 29 January 2015

Protecting Last Four Rounds of CLEFIA is Not Enough Against Differential Fault Analysis

ENEE 459-C Computer Security. Symmetric key encryption in practice: DES and AES algorithms

Block Ciphers Introduction

Jaap van Ginkel Security of Systems and Networks

Data Encryption Standard (DES)

Fault Attacks on AES with Faulty Ciphertexts Only

Block Cipher Involving Key Based Random Interlacing and Key Based Random Decomposition

PRNGs & DES. Luke Anderson. 16 th March University Of Sydney.

New Kid on the Block Practical Construction of Block Ciphers. Table of contents

Meet-in-the-middle fault analysis on word-oriented substitution-permutation network block ciphers

Automatic Search for Related-Key Differential Characteristics in Byte-Oriented Block Ciphers

Attacks on Advanced Encryption Standard: Results and Perspectives

3 Symmetric Cryptography

Improved differential fault analysis on lightweight block cipher LBlock for wireless sensor networks

Implementation and Performance analysis of Skipjack & Rijndael Algorithms. by Viswnadham Sanku ECE646 Project Fall-2001

Lecture 2: Secret Key Cryptography

A Differential Fault Attack against Early Rounds of (Triple-)DES

Symmetric Cryptography

Cryptography Functions

Multi-Stage Fault Attacks

CIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)

Fault injection attacks on cryptographic devices and countermeasures Part 1

A General Analysis of the Security of Elastic Block Ciphers

ELECTROMAGNETIC GLITCH ON THE AES ROUND COUNTER

Transcription:

On Fault Injections in Generalized Feistel Networks Hélène Le Bouder 1, Gaël Thomas 2, Yanis Linge 3, Assia Tria 4 1 École Nationale Supérieure des Mines de Saint-Étienne 2 XLIM Université de Limoges 3 STMicroelectronics 4 CEA-Tech Fault Diagnosis and Tolerance in Cryptography 2014 On Fault Injections on GFNs Le Bouder, Thomas, Linge, Tria 2014-09-23 FDTC 2014 1/21

Introduction Security is a key component for information technologies and communication Even securely designed algorithm may be vulnerable to physical attacks Fault injection attacks (FIA): disrupt and exploit the circuit behaviour But FIA can damage the circuit The number of fault injections is a critical aspect of FIA On Fault Injections on GFNs Le Bouder, Thomas, Linge, Tria 2014-09-23 FDTC 2014 2/21

This Paper FIA on Generalized Feistel Networks Single-bit fault model Find the most critical locations for FIA Assess the number of faults needed Generic Approach On Fault Injections on GFNs Le Bouder, Thomas, Linge, Tria 2014-09-23 FDTC 2014 3/21

Plan 1 Introduction 2 Context Generalized Feistel Networks Differential Fault Analysis 3 Our methodology At the Feistel network level At the Feistel function level Algorithm 4 Results on examples DES MIBS TWINE CLEFIA 5 Conclusion On Fault Injections on GFNs Le Bouder, Thomas, Linge, Tria 2014-09-23 FDTC 2014 4/21

Generalized Feistel Networks The Original Feistel Structure Designed by Horst Feistel at IBM in the 1970 s Used in DES, Camellia, MIBS, Simon,... L r R r Build 2n-bit permutation from n-bit to n-bit (Feistel) functions Similar encryption and decryption up to subkeys order F L r+1 R r+1 On Fault Injections on GFNs Le Bouder, Thomas, Linge, Tria 2014-09-23 FDTC 2014 5/21

Generalized Feistel Networks Generalized Feistel Networks Introduced by Zheng, Matsumoto, and Imai at CRYPTO 89 Splits the message into b 2 n-bit-long blocks B 0 r B 1 r B 2 r B 3 r B 4 r B 5 r B 6 r B 7 r non-linear functions block permutation B 0 r+1 B 1 r+1 B 2 r+1 B 3 r+1 B 4 r+1 B 5 r+1 B 6 r+1 B 7 r+1 On Fault Injections on GFNs Le Bouder, Thomas, Linge, Tria 2014-09-23 FDTC 2014 6/21

Differential Fault Analysis Differential Fault Analysis (DFA) on GFNs DFA is a powerful cryptanalytic technique that exploits differences between the correct ciphertext and erroneous results due to fault injections. B o r = F ( ) ( ) Br 1, i Kr λ F Br 1, i Kr λ B j r 1 B j r 1, Bj r 1 B i r 1, B i r 1 F K λ r B o r, B o r On Fault Injections on GFNs Le Bouder, Thomas, Linge, Tria 2014-09-23 FDTC 2014 7/21

At the Feistel network level Diffusion Full Diffusion Delay: minimum number of rounds d for every inputs to influence every outputs On Fault Injections on GFNs Le Bouder, Thomas, Linge, Tria 2014-09-23 FDTC 2014 8/21

At the Feistel network level Diffusion Full Diffusion Delay: minimum number of rounds d for every inputs to influence every outputs A matrix M to represent the diffusion in the network: On Fault Injections on GFNs Le Bouder, Thomas, Linge, Tria 2014-09-23 FDTC 2014 8/21

At the Feistel network level Diffusion Full Diffusion Delay: minimum number of rounds d for every inputs to influence every outputs A matrix M to represent the diffusion in the network: 0: Br+1 i is influenced by Bj r directly 1: Br+1 i is influenced by Bj r via the Feistel function F : not influenced (noted. ) M = 1 0........ 0....... 1 0........ 0....... 1 0........ 0....... 1 0 0....... On Fault Injections on GFNs Le Bouder, Thomas, Linge, Tria 2014-09-23 FDTC 2014 8/21

At the Feistel function level Feistel function Xor with the subkey S-boxes: non linear Layers of linear functions Diffusion in the Feistel function A divide-and-conquer approach at the S-box level Influence of the fault on B j Goals: B o r = F ( B i r 1, K λ r r 1 ) F ( B i r 1, K λ r 1 Number of pieces of subkey attacked 2 Number of possible differences 3 Number of faults required ) B j r 1 On Fault Injections on GFNs Le Bouder, Thomas, Linge, Tria 2014-09-23 FDTC 2014 9/21

Algorithm For each block and each round where the fault can be injected: On Fault Injections on GFNs Le Bouder, Thomas, Linge, Tria 2014-09-23 FDTC 2014 10/21

Algorithm For each block and each round where the fault can be injected: 1 Use M to compute: On Fault Injections on GFNs Le Bouder, Thomas, Linge, Tria 2014-09-23 FDTC 2014 10/21

Algorithm For each block and each round where the fault can be injected: 1 Use M to compute: V F vector of the number of passages of the fault in the Feistel function on the penultimate round On Fault Injections on GFNs Le Bouder, Thomas, Linge, Tria 2014-09-23 FDTC 2014 10/21

Algorithm For each block and each round where the fault can be injected: 1 Use M to compute: V F vector of the number of passages of the fault in the Feistel function on the penultimate round W F = M V F vector of the number of passages of the fault in the Feistel function on the last round On Fault Injections on GFNs Le Bouder, Thomas, Linge, Tria 2014-09-23 FDTC 2014 10/21

Algorithm For each block and each round where the fault can be injected: 1 Use M to compute: V F vector of the number of passages of the fault in the Feistel function on the penultimate round W F = M V F vector of the number of passages of the fault in the Feistel function on the last round 2 Deduce the number n λ of blocks K λ r that can be attacked On Fault Injections on GFNs Le Bouder, Thomas, Linge, Tria 2014-09-23 FDTC 2014 10/21

Algorithm For each block and each round where the fault can be injected: 1 Use M to compute: V F vector of the number of passages of the fault in the Feistel function on the penultimate round W F = M V F vector of the number of passages of the fault in the Feistel function on the last round 2 Deduce the number n λ of blocks K λ r that can be attacked 3 Use F to find the number of possible differential B j r 1 On Fault Injections on GFNs Le Bouder, Thomas, Linge, Tria 2014-09-23 FDTC 2014 10/21

Algorithm For each block and each round where the fault can be injected: 1 Use M to compute: V F vector of the number of passages of the fault in the Feistel function on the penultimate round W F = M V F vector of the number of passages of the fault in the Feistel function on the last round 2 Deduce the number n λ of blocks K λ r that can be attacked 3 Use F to find the number of possible differential B j r 1 4 Deduce the number n l of pieces K λ,l r attacked On Fault Injections on GFNs Le Bouder, Thomas, Linge, Tria 2014-09-23 FDTC 2014 10/21

Algorithm For each block and each round where the fault can be injected: 1 Use M to compute: V F vector of the number of passages of the fault in the Feistel function on the penultimate round W F = M V F vector of the number of passages of the fault in the Feistel function on the last round 2 Deduce the number n λ of blocks K λ r that can be attacked 3 Use F to find the number of possible differential B j r 1 4 Deduce the number n l of pieces K λ,l r attacked 5 Estimate the number n J of faults required to attack that subkey block On Fault Injections on GFNs Le Bouder, Thomas, Linge, Tria 2014-09-23 FDTC 2014 10/21

DES Description NIST standard from 1977 to 2001 A 16-round Feistel cipher Lr Rr Starts by a 64-bit permutation IP and finishes by its inverse IP 1 E Kr Feistel function consists in 4 steps: Expansion E which maps 32 bits in 48 bits by duplicating half of the bits S1 S2 S3 S4 S5 P S6 S7 S 8 Xor with the 48 bits of subkey K r 8 S-boxes 6 4 Lr+1 Rr+1 Bit permutation P of 32 bits On Fault Injections on GFNs Le Bouder, Thomas, Linge, Tria 2014-09-23 FDTC 2014 11/21

DES Results Full diffusion delay: d = 2 ( ). 0 M = 0 1 Number of subkey blocks: Λ = 1 Number of pieces in subkey blocks: L = 8 Number of faults required to retrieve a piece of subkey: n = 3 Table: Results of our analysis on the DES Blocks B V F W F n l R 15 (., 0) (1, 0) 1 n l 2 1 R 14 (0, 1) (2, 1) 2 n l 8 2 R 13 (1, 2) (3, 2) 2 n l 8 32 247 On Fault Injections on GFNs Le Bouder, Thomas, Linge, Tria 2014-09-23 FDTC 2014 12/21

MIBS Description Presented at CANS 09 Lr Rr A 32-round Feistel cipher Kr Key of 64 or 80 bits Feistel function operates in 3 steps: Xor with the subkey S0 S1 S2 S3 S4 MC S5 S6 S 7 8 S-boxes 4 4 A linear mixing layer MC acting at nibble level Lr+1 On Fault Injections on GFNs Le Bouder, Thomas, Linge, Tria 2014-09-23 FDTC 2014 13/21

MIBS Results Full diffusion delay: d = 2 ( ) 1 0 M = 0. Number of subkey blocks: Λ = 1 Number of pieces in subkey blocks: L = 8 Number of faults required to retrieve a piece of subkey: n = 2 Table: Results of our analysis on MIBS Blocks B V F W F n l L 31 (0,.) (0, 1) 1 1 L 30 (1, 0) (1, 2) 5 n l 6 4 L 29 (2, 1) (2, 3) 8 112 On Fault Injections on GFNs Le Bouder, Thomas, Linge, Tria 2014-09-23 FDTC 2014 14/21

TWINE Description 64-bit block cipher presented at SAC 12 GFN with 16 blocks, 4 bits each, and with 80 or 128-bit keys 36 rounds for both key lengths Feistel function used 8 times per round and consecutively made of: 4-bit Xor with a subkey block A single S-box 4 4 Br 0 Br 1 Br 2 Br 3 Br 4 Br 5 Br 6 Br 7 Br 8 Br 9 Br 10 Br 11 Br 12 Br 13 Br 14 Br 15 B 0 r+1 B 1 r+1 B 2 r+1 B 3 r+1 B 4 r+1 B 5 r+1 B 6 r+1 B 7 r+1 B 8 r+1 B 9 r+1 B 10 r+1 B 11 r+1 B 12 r+1 B 13 r+1 B 14 r+1 B 15 r+1 On Fault Injections on GFNs Le Bouder, Thomas, Linge, Tria 2014-09-23 FDTC 2014 15/21

TWINE Results Full diffusion delay: d = 8 1 0................ 0....................... 1 0.......... 0........... 1 0............ 0....................... 1 0...... M =.... 0................. 1 0.................. 0................. 1 0................ 0..... 1 0.................. 0..................... 1 0............ 0... Number of subkey blocks: Λ = 8 Number of pieces in subkey blocks: L = 1 Number of faults required to retrieve a piece of subkey: n = 2 On Fault Injections on GFNs Le Bouder, Thomas, Linge, Tria 2014-09-23 FDTC 2014 16/21

TWINE Results Full diffusion delay: d = 8 Number of subkey blocks: Λ = 8 Number of pieces in subkey blocks: L = 1 Number of faults required to retrieve a piece of subkey: n = 2 Summary of Results Best case achievable: inject a fault at round 31 Attack n λ = 5 functions (4 with non faulted B j r 1 with #{B j r 1 } = 7) If injected earlier at most 4 functions If injected after only up to 3 functions and one On Fault Injections on GFNs Le Bouder, Thomas, Linge, Tria 2014-09-23 FDTC 2014 16/21

CLEFIA Description 128-bit block cipher presented at FSE 07 Key sizes: 128, 192 or 256 bits Part of standard ISO/IEC 29192-2 B 0 r B 1 r GFN with 4 blocks, 32 bits each 2 slightly different Feistel functions: Xor with the subkey 4 S-boxes 8 8 2 linear diffusion layers, MC 0 and MC 1 K 1 r S1 S0 S1 MC0 S0 B 0 r B 1 r B 2 r B 3 r F0 F1 B 0 r+1 B 0 r B 1 r+1 B 2 r+1 B 3 r+1 On Fault Injections on GFNs Le Bouder, Thomas, Linge, Tria 2014-09-23 FDTC 2014 17/21

CLEFIA Results Full diffusion delay d = 4 1 0.. M =.. 0... 1 0 0... Number of subkey blocks: Λ = 2 Number of pieces in subkey blocks: L = 4 Number of faults required to retrieve a piece of subkey: n = 2 On Fault Injections on GFNs Le Bouder, Thomas, Linge, Tria 2014-09-23 FDTC 2014 18/21

CLEFIA Results Full diffusion delay d = 4 Number of subkey blocks: Λ = 2 Number of pieces in subkey blocks: L = 4 Number of faults required to retrieve a piece of subkey: n = 2 Table: Results of our analysis on CLEFIA Blocks B V F W F n λ n l B17 0 (0,.,.,.) (0, 1,.,.) 1 (1, 0) (1, ) B16 0 (1,.,., 0) (1, 2,., 0) 1 (4, 0) (1, ) B15 0 (2,., 0, 1) (2, 3, 0, 1) 2 (4, 1) (1, 127) B14 0 (3, 0, 1, 2) (3, 4, 1, 2) 2 (4, 4) (4, huge) B13 0 (4, 1, 2, 3) (4, 5, 2, 3) 2 (4, 4) (946, huge) On Fault Injections on GFNs Le Bouder, Thomas, Linge, Tria 2014-09-23 FDTC 2014 18/21

Conclusion It has been shown that some blocks are more vulnerable to DFA than others in GFNs A method has been proposed to identify these blocks allowing attackers to minimize single-bit fault injections The vulnerability evaluation is not optimal but is generic and a method to assess the vulnerabilities automatically is possible Further work will include multi-bit faults injection On Fault Injections on GFNs Le Bouder, Thomas, Linge, Tria 2014-09-23 FDTC 2014 19/21

Acknowledgements The authors would like to thank Ronan Lashermes and Thierry P. Berger for their valuable contributions to the development and understanding of the issues discussed in the paper. This work was partially funded by the French DGCIS (Direction Générale de la Compétitivité de l Industrie et des Services) through the CALISSON 2 project; and partially supported by the French National Agency of Research: ANR-11-INS-011. On Fault Injections on GFNs Le Bouder, Thomas, Linge, Tria 2014-09-23 FDTC 2014 20/21

Thank you for your attention Do you have any questions? On Fault Injections on GFNs Le Bouder, Thomas, Linge, Tria 2014-09-23 FDTC 2014 21/21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback