IIT KHARAGPUR FDTC September 23, South Korea, Busan. FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67
Size: px
Start display at page:

Download "IIT KHARAGPUR FDTC September 23, South Korea, Busan. FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67"

Transcription

1 IIT KHARAGPUR Differential Fault Analysis on the Families of SIMON and SPECK Ciphers Authors: Harshal Tupsamudre, Shikha Bisht, Debdeep Mukhopadhyay (IIT KHARAGPUR) FDTC 2014 South Korea, Busan September 23, 2014 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

2 Outline 1 Preliminaries 2 Introduction to SIMON and SPECK 3 Fault Attack On SIMON First Attack: A Bit-Flip Fault Attack on SIMON A Random-Byte Fault Attack on SIMON 4 Fault Attack On SPECK A Bit-Flip Fault Attack on SPECK 5 Conclusion FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

3 Fault Attack Plaintext Fault Plaintext Cipher Process Cipher Process Correct Ciphertext Output Analysis Faulty Ciphertext FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

4 Fault Attack 1 Fault models to model the strength of adversary 1 Bit flip Fault Model : Affects a bit of the intermediate result 2 Constant Byte Fault Model : Requires control over fault value and position 3 Random Byte Fault Model : No control over fault value and position 2 Attacks that require both the correct and faulty ciphertext are known as differential fault attacks FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

5 Introduction 1 SIMON and SPECK : Family of lightweight block ciphers FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

6 Introduction 1 SIMON and SPECK : Family of lightweight block ciphers 2 Proposed by the National Security Agency(NSA) in 2013 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

7 Introduction 1 SIMON and SPECK : Family of lightweight block ciphers 2 Proposed by the National Security Agency(NSA) in No fault attack reported so far FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

8 Introduction 1 SIMON and SPECK : Family of lightweight block ciphers 2 Proposed by the National Security Agency(NSA) in No fault attack reported so far 4 Fault models used in the attacks: Bit flip and Random byte fault model FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

9 Fault Attack on SIMON FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

10 Round Function of SIMON cipher x i-1 y i-1 Caption FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

11 Round Function of SIMON cipher x i-1 y i-1 y i Caption FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

12 Round Function of SIMON cipher x i-1 y i-1 f(x i-1 ) y i Caption FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

13 Round Function of SIMON cipher x i-1 y i-1 f(x i-1 ) k i-1 x i y i (x i, y i ) = (y i 1 f (x i 1 ) k i 1, x i 1 ), i {1,..., T } FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

14 Function f: Source of Information Leakage 1 S i x: Circular left shift of x by i bits FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

15 Function f: Source of Information Leakage 1 S i x: Circular left shift of x by i bits 2 AND operation: A faulty bit in the input leaks information about the non-faulty bit. FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

16 Equation of the Last Round Key FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

17 Equation of the Last Round Key x T-1 y T-1 f(x T-1 ) k T-1 x T y T (x T, y T ): Ciphertext FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

18 Equation of the Last Round Key x T-1 y T-1 f(x T-1 ) k T-1 Known x T y T Known (x T, y T ): Ciphertext FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

19 Equation of the Last Round Key Known x T-1 y T-1 Known f(x T-1 ) k T-1 Known x T y T Known (x T, y T ): Ciphertext FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

20 Equation of the Last Round Key Known x T-1 y T-1 Known f(x T-1 ) k T-1 Known x T y T Known x T = y T 1 f (x T 1 ) k T 1 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

21 Equation of the Last Round Key Known x T-1 y T-1 Known f(x T-1 ) k T-1 Known x T y T Known x T = y T 1 f (x T 1 ) k T 1 = y T 1 f (y T ) k T 1 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

22 Equation of the Last Round Key Known x T-1 y T-1 Known f(x T-1 ) k T-1 Known x T y T Known x T = y T 1 f (x T 1 ) k T 1 = y T 1 f (y T ) k T 1 k T 1 = y T 1 f (y T ) x T FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

23 Fault Injection in the Target Round FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

24 Fault Injection in the Target Round Fault e x T-2 y T-2 f(x T-2 ) k T-2 x (T-1)* y (T-1)* f(x T-1 ) k T-1 x T* y T* (x T, y T ): Faulty Ciphertext FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

25 Determining Fault Position and Value Using Correct Ciphertext: k T 1 y T 1 = f (y T ) x T k T 1 x T 2 = f (y T ) x T (1) FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

26 Determining Fault Position and Value Using Correct Ciphertext: k T 1 y T 1 = f (y T ) x T k T 1 x T 2 = f (y T ) x T (1) Using Faulty Ciphertext: k T 1 y (T 1) = f (y T ) x T (2) k T 1 x T 2 e = f (y T ) x T FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

27 Determining Fault Position and Value Using Correct Ciphertext: k T 1 y T 1 = f (y T ) x T k T 1 x T 2 = f (y T ) x T (1) Using Faulty Ciphertext: k T 1 y (T 1) = f (y T ) x T (2) k T 1 x T 2 e = f (y T ) x T Using (1) and (2): e = x T x T f (y T ) f (y T ) Hence, we know the flipped bit(s) of x T 2 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

28 A Bit-Flip Fault Attack on SIMON Fault flips the j th bit x T-2 y T-2 (S 1 x T-2 & S 8 x T-2 ) S 2 x T-2 k T-2 (j+1) % n (j+2) % n (j+8) % n x (T-1)* y (T-1)* (S 1 x T-1 & S 8 x T-1 ) S 2 x T-1 k T-1 x T* y T* FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

29 A Bit-Flip Fault Attack on SIMON Fault flips the j th bit x T-2 y T-2 (S 1 x T-2 & S 8 x T-2 ) S 2 x T-2 k T-2 (j+1) % n (j+2) % n (j+8) % n x (T-1)* y (T-1)* (S 1 x T-1 & S 8 x T-1 ) S 2 x T-1 k T-1 x T* y T* (j+1) % n (j+2) % n (j+8) % n Affected bit - positions FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

30 A Bit-Flip Fault Attack on SIMON (x T-2 ) Bit flip j+7 j+6 j+5 j+4 j+3 j+2 j+1 j j-1 S 1 (x (T-2)* ) j+7 j+6 j+5 j+4 j+3 j+2 j+1 j j-1 j-2 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

31 A Bit-Flip Fault Attack on SIMON (x T-2 ) Bit flip j+7 j+6 j+5 j+4 j+3 j+2 j+1 j j-1 S 1 (x (T-2)* ) j+7 & S 8 (x (T-2)* ) j j+6 j+5 j+4 j+3 j+2 j+1 j j-1 j-2 j-1 j-2 j-3 j-4 j-5 j-6 j-7 j-8 j-9 & & FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

32 A Bit-Flip Fault Attack on SIMON (x T-2 ) Bit flip j+7 j+6 j+5 j+4 j+3 j+2 j+1 j j-1 S 1 (x (T-2)* ) j+7 & S 8 (x (T-2)* ) j S 2 (x (T-2)* ) j+6 j+6 j+5 j+4 j+3 j+2 j+1 j j-1 j-2 j-1 j-2 j-3 j-4 j-5 j-6 j-7 j-8 j-9 j+5 j+4 j+3 j+2 j+1 j j-1 j-2 j-3 & & FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

33 A Bit-Flip Fault Attack on SIMON (x T-2 ) Bit flip j+7 j+6 j+5 j+4 j+3 j+2 j+1 j j-1 S 1 (x (T-2)* ) j+7 & S 8 (x (T-2)* ) j S 2 (x (T-2)* ) j+6 j+6 j+5 j+4 j+3 j+2 j+1 j j-1 j-2 j-1 j-2 j-3 j-4 j-5 j-6 j-7 j-8 j-9 j+5 j+4 j+3 j+2 j+1 j j-1 j-2 j-3 & & y T* j+8 j+7 j+6 j+5 j+4 j+3 j+2 j+1 j j-1 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

34 A Bit-Flip Fault Attack on SIMON case 1 : x T 2 (j 7)%n = 0 y T j+1 = (x T 2 j y T j+1 = ((x T 2 j & x T 2 (j 7)%n ) RemainingTerms 1) & x T 2 (j 7)%n ) RemainingTerms x T 2 j x T 2 j 1 x T 2 (j 7)%n (y T y T ) (j+1)%n Table: Secret Value x T 2 (j 7)%n obtained from (y T y T ) (j+1)%n FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

35 A Bit-Flip Fault Attack on SIMON case 2 : x T 2 (j 7)%n = 1 y T = (x T 2 j y T = ((x T 2 j & x T 2 (j 7)%n ) RemainingTerms 1) & x T 2 (j 7)%n ) RemainingTerms x T 2 j x T 2 j 1 x T 2 (j 7)%n (y T y T ) (j+1)%n Table: Secret Value x T 2 (j 7)%n obtained from (y T y T ) (j+1)%n FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

36 A Bit-Flip Fault Attack on SIMON k T 1 j 7 = y T 1 j 7 f (y T ) j 7 x T j 7 k T 1 j+7 = y T 1 j+7 f (y T ) j+7 x T j+7 Using a single bit-flip, we can retrieve two bits of last round key. FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

37 Simulation Results n bits k T 1 Avg. No. of Faulty Encryptions 16 0xfa 0x x26 0x53 0xaf x87 0x46 0x09 0x1a x22 0x4d 0xe9 0xcf 0x51 0xdd x19 0x26 0x5a 0xc7 0x4f 0xf2 0x90 0x Table: Bit-flip Fault Attack on SIMON Assuming no Control Over the Fault Position FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

38 A Random-Byte Fault Attack on SIMON: Case 1 (x T-2 ) Bit flip Bit flip j j-1 j-2 j-3 j-4 j-5 j-6 j-7 j-8 S 1 (x (T-2)* ) S 8 (x (T-2)* ) j & j-7 j-1 j-2 j-3 j-4 j-5 j-6 j-7 j-8 j-9 j-8 j-9 j-10 j-11 j-12 j-13 j-14 j-15 j-16 & & S 2 (x (T-2)* ) j-1 j-2 j-3 j-4 j-5 j-6 j-7 j-8 j-9 j-10 y T* j+1 j j-1 j-2 j-3 j-4 j-5 j-6 j-7 j-8 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

39 A Random-Byte Fault Attack on SIMON: Case 1 y T = (x T 2 j y T = ((x T 2 j & x T 2 (j 7)%n ) RemainingTerms 1) & (x T 2 (j 7)%n 1)) RemainingTerms x T 2 j x T 2 j 1 x T 2 (j 7)%n x T 2 (y T y T ) (j+1)%n (j 7)%n Table: Relation between the Secret Values x T 2 T 2 (j)%n and x(j 7)%n FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

40 A Random-Byte Fault Attack on SIMON: Case 2 (x T-2 ) Bit flip j+7 j+6 j+5 j+4 j+3 j+2 j+1 j j-1 Bit flip S 1 (x (T-2)* ) j+7 & S 8 (x (T-2)* ) j S 2 (x (T-2)* ) j+6 j+6 j+5 j+4 j+3 j+2 j+1 j j-1 j-2 & j-1 j-2 j-3 j-4 j-5 j-6 j-7 j-8 j-9 j+5 j+4 j+3 j+2 j+1 j j-1 j-2 j-3 & & & y T* j+8 j+7 j+6 j+5 j+4 j+3 j+2 j+1 j j-1 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

41 A Random-Byte Fault Attack on SIMON: Case 2 y T = (x T 2 j y T = ((x T 2 j & x T 2 (j 7)%n ) RemainingTerms 1) & x T 2 (j 7)%n ) 1 RemainingTerms x T 2 j x T 2 j 1 x T 2 (j 7)%n (y T y T ) (j+1)%n Table: Secret Value x T 2 (j 7)%n obtained from (y T y T ) (j+1)%n FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

42 Attack Complexity FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

43 Attack Complexity If the least and most significant bits of the byte fault having Hamming weight z are 1, then 2z 2 key bits are retrieved. There are 64 such faults. FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

44 Attack Complexity If the least and most significant bits of the byte fault having Hamming weight z are 1, then 2z 2 key bits are retrieved. There are 64 such faults. Otherwise a byte fault of Hamming weight z in x T 2 retrieves 2z bits of the last round key k T 1. The number of possible byte faults having Hamming weight z is ( 8 z). FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

45 Attack Complexity If the least and most significant bits of the byte fault having Hamming weight z are 1, then 2z 2 key bits are retrieved. There are 64 such faults. Otherwise a byte fault of Hamming weight z in x T 2 retrieves 2z bits of the last round key k T 1. The number of possible byte faults having Hamming weight z is ( 8 z). Therefore, the expected number of key bits that can be retrieved by a random byte fault is: (( z z=1 ( )) ) z FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

46 Attack Complexity If the least and most significant bits of the byte fault having Hamming weight z are 1, then 2z 2 key bits are retrieved. There are 64 such faults. Otherwise a byte fault of Hamming weight z in x T 2 retrieves 2z bits of the last round key k T 1. The number of possible byte faults having Hamming weight z is ( 8 z). Therefore, the expected number of key bits that can be retrieved by a random byte fault is: (( z z=1 ( )) ) z Hence (n/8) byte faults required to recover n bit secret key FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

47 Simulation Results n bits k T 1 Avg. No. of Faulty Encryptions 16 0xfa 0x x26 0x53 0xaf x87 0x46 0x09 0x1a x22 0x4d 0xe9 0xcf 0x51 0xdd x19 0x26 0x5a 0xc7 0x4f 0xf2 0x90 0x01 30 Table: Random Byte Fault Attack on SIMON Assuming no Control Over the Fault Position FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

48 Fault Attack on SPECK FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

49 Round Function of SPECK cipher x i y i S dummy x : Circularleftshiftofxbyβbits FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

50 Round Function of SPECK cipher x i y i S -α S α x: Circular right shift of x by α bits FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

51 Round Function of SPECK cipher x i y i S -α + S dummy x : Circularleftshiftofxbyβbits FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

52 Round Function of SPECK cipher x i y i S -α k i+1 + x i+1 S dummy x : Circularleftshiftofxbyβbits FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

53 Round Function of SPECK cipher x i y i k i+1 S -α + S β x i+1 y i+1 S β y: Circular left shift of y by β bits FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

54 Round Function of SPECK cipher x i y i k i+1 S -α + S β x i+1 y i+1 (x i+1, y i+1 ) = ((S α x i + y i ) k i+1, S β y i x i+1 ), i {0,..., T 1} FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

55 Equation of Last Round Key x T-1 y T-1 S -α k T + S β x T y T (x T, y T ) : CorrectCiphertext FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

56 Equation of Last Round Key x T-1 y T-1 S -α + k T S β Known x T y T Known (x T, y T ): Correct Ciphertext FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

57 Equation of Last Round Key x T-1 y T-1 Known S -α + k T S β Known x T y T Known y T 1 = x T S β (y T ) FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

58 Equation of Last Round Key x T-1 y T-1 Known S -α + k T S β Known x T y T Known k T = (S α x T 1 + S β (y T x T )) x T FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

59 Equation of Last Round Key x T-1 y T-1 Known S -α + k T S β Known x T y T Known k T j = (x T 1 j+α (y T x T ) j c j ) x T j FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

60 Fault Injection in the Target Round Fault e x T-1 y T-1 S -α k T + S β x T* y T* (x T, y T ): Faulty Ciphertext FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

61 Determining Fault Position and Value Using Correct Ciphertext: y T 1 = S β (y T x T ) (3) FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

62 Determining Fault Position and Value Using Correct Ciphertext: Using Faulty Ciphertext: y T 1 = S β (y T x T ) (3) y (T 1) = S β (y T x T ) y (T 1) e = S β (y T x T ) (4) FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

63 Determining Fault Position and Value Using Correct Ciphertext: Using Faulty Ciphertext: y T 1 = S β (y T x T ) (3) y (T 1) = S β (y T x T ) y (T 1) e = S β (y T x T ) (4) Using (3) and (4): e = S β (y T y T x T x T ) Hence, we know the flipped bit(s) of y T 1 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

64 First Bit-Flip Fault Attack on SPECK (y T-1 ) Bit flip j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 (y (T-1)* ) S -7 (x T-1 ) j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 + j+11 j+10 j+9 j+8 j+7 j+6 j+5 j+4 j+3 (x T* ) j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

65 A Bit-Flip Fault Attack on SPECK (y T-1 ) (y (T-1)* ) S -7 (x T-1 ) Bit flip j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 c j+1 Flipped j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 + j+11 j+10 j+9 j+8 j+7 j+6 j+5 j+4 j+3 (x T* ) j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

66 A Bit-Flip Fault Attack on SPECK (y T-1 ) (y (T-1)* ) S -7 (x T-1 ) Bit flip j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 Flipped carry bits j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 + j+11 j+10 j+9 j+8 j+7 j+6 j+5 j+4 j+3 (x T* ) j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

67 A Bit-Flip Fault Attack on SPECK (y T-1 ) (y (T-1)* ) S -7 (x T-1 ) Bit flip j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 Flipped carry bits j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 + j+11 j+10 j+9 j+8 j+7 j+6 j+5 j+4 j+3 (x T* ) j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

68 A Bit-Flip Fault Attack on SPECK case 1 : x j+α = c j c j 0 0 x j+α 0 0 y j 0 1 c j + x j+α + y j Table: Determining value of x j+α FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

69 A Bit-Flip Fault Attack on SPECK case 1 : x j+α = c j c j 1 1 x j+α 1 1 y j 0 1 c j + x j+α + y j Table: Determining value of x j+α FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

70 A Bit-Flip Fault Attack on SPECK case 1 : x j+α = c j c j x j+α y j c j + x j+α + y j Table: Determining value of x j+α FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

71 A Bit-Flip Fault Attack on SPECK case 2 : x j+α c j c j 1 1 x j+α 0 0 y j 0 1 c j + x j+α + y j Table: Determining value of x j+α FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

72 A Bit-Flip Fault Attack on SPECK case 2 : x j+α c j c j 0 0 x j+α 1 1 y j 0 1 c j + x j+α + y j Table: Determining value of x j+α FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

73 A Bit-Flip Fault Attack on SPECK case 2 : x j+α c j c j x j+α y j c j + x j+α + y j Table: Determining value of x j+α FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

74 A Bit-Flip Fault Attack on SPECK (y T-1 ) (y (T-1)* ) S -7 (x T-1 ) Bit flip j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 Flipped carry bits j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 + j+11 j+10 j+9 j+8 j+7 j+6 j+5 j+4 j+3 (x T* ) j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

75 A Bit-Flip Fault Attack on SPECK (y T-1 ) (y (T-1)* ) S -7 (x T-1 ) Bit flip j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 Flipped carry bits j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 + j+11 j+10 j+9 j+8 j+7 j+6 j+5 j+4 j+3 (x T* ) j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

76 Attack Complexity FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

77 Attack Complexity The probability of obtaining l more bits of x T 1 is equal to the probability of l carry bits getting flipped due to a single bit flip in y T 1. FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

78 Attack Complexity The probability of obtaining l more bits of x T 1 is equal to the probability of l carry bits getting flipped due to a single bit flip in y T 1. For l th carry bit to be flipped all the lower (l 1) carry bits should also be flipped. The probability of this event is 1/2 l. FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

79 Attack Complexity The probability of obtaining l more bits of x T 1 is equal to the probability of l carry bits getting flipped due to a single bit flip in y T 1. For l th carry bit to be flipped all the lower (l 1) carry bits should also be flipped. The probability of this event is 1/2 l. Therefore the expected number of bits of last round key that can be retrieved using a single bit-flip is: 1 + l t Pr[t] = 1 + t=1 l t 1 2 t 3 t=1 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

80 Attack Complexity The probability of obtaining l more bits of x T 1 is equal to the probability of l carry bits getting flipped due to a single bit flip in y T 1. For l th carry bit to be flipped all the lower (l 1) carry bits should also be flipped. The probability of this event is 1/2 l. Therefore the expected number of bits of last round key that can be retrieved using a single bit-flip is: 1 + l t Pr[t] = 1 + t=1 l t 1 2 t 3 Hence the number of bit faults required to recover all the n bits of last round key k T is (n/3). t=1 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

81 Simulation Results n bits k T 1 Avg. No. of Faulty Encryptions 16 0xfa 0x x26 0x53 0xaf x87 0x46 0x09 0x1a x22 0x4d 0xe9 0xcf 0x51 0xdd x19 0x26 0x5a 0xc7 0x4f 0xf2 0x90 0x Table: Bit-flip Fault Attack on SPECK Assuming no Control Over the Fault Position FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

82 Conclusion & Summary 1 Fault Attack Susceptibility: Latest ciphers such as SIMON and SPECK vulnerable to fault attacks. FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

83 Conclusion & Summary 1 Fault Attack Susceptibility: Latest ciphers such as SIMON and SPECK vulnerable to fault attacks. 2 SIMON can be broken using (n/2) faults using a bit-flip fault model and (n/8) faulty ciphertexts using a random byte fault model. FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

84 Conclusion & Summary 1 Fault Attack Susceptibility: Latest ciphers such as SIMON and SPECK vulnerable to fault attacks. 2 SIMON can be broken using (n/2) faults using a bit-flip fault model and (n/8) faulty ciphertexts using a random byte fault model. 3 Using a bit-flip fault model, SPECK can be broken using (n/3) bit faults. FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

85 Thank You! FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

86 References 1 R. Beaulieu, D. Shors, J. Smith, S. Treatman-Clark, B. Weeks, and L. Wingers. The SIMON and SPECK Families of Lightweight Block Ciphers. Cryptology eprint Archive, Report 2013/404, Available at 2 H. A. Alkhzaimi and M. M. Lauridsen. Cryptanalysis of the SIMON Family of Block Ciphers. Cryptology eprint Archive, Report 2013/543, Avaliable at 3 F. Abed, E. List, S. Lucks, and J. Wenzel. Differential Cryptanalysis of Reduced-Round Simon. Cryptology eprint Archive, Report 2013/526, Available at 4 Javad Alizadeh, Nasour Bagheri, Praveen Gauravaram, Abhishek Kumar and Somitra Kumar Sanadhya. Linear Cryptanalysis of Round Reduced SIMON. IACR Cryptology eprint Archive, Report 2013/663, Available at FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

87 References 5 D.Boneh, R.A.DeMillo, and R.J.Lipton. On the Importance of Checking Cryptographic Protocols for Faults (ExtendedAbstract). In W. Fumy, editor, Advances in Cryptology - EUROCRYPT 97, volume 1233 of Lecture Notes in Computer Science, pages Springer, FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

Similar documents

Differential Fault Analysis on the families of SIMON and SPECK ciphers

Differential Fault Analysis on the families of SIMON and SPECK ciphers Differential Fault Analysis on the families of SIMON and SPECK ciphers Harshal Tupsamudre, Shikha Bisht, Debdeep Mukhopadhyay Indian Institute of Technology, Kharagpur Abstract. In 2013, the US National

More information

Linear Hull Attack on Round-Reduced Simeck with Dynamic Key-guessing Techniques

Linear Hull Attack on Round-Reduced Simeck with Dynamic Key-guessing Techniques Linear Hull Attack on Round-Reduced Simeck with Dynamic Key-guessing Techniques Lingyue Qin 1, Huaifeng Chen 3, Xiaoyun Wang 2,3 1 Department of Computer Science and Technology, Tsinghua University, Beijing

More information

Linear Cryptanalysis of Reduced-Round Speck

Linear Cryptanalysis of Reduced-Round Speck Linear Cryptanalysis of Reduced-Round Speck Tomer Ashur Daniël Bodden KU Leuven and iminds Dept. ESAT, Group COSIC Address Kasteelpark Arenberg 10 bus 45, B-3001 Leuven-Heverlee, Belgium tomer.ashur-@-esat.kuleuven.be

More information

Algebraic Analysis of the Simon Block Cipher Family

Algebraic Analysis of the Simon Block Cipher Family Algebraic Analysis of the Simon Block Cipher amily Håvard Raddum Simula Research Laboratory, Norway Abstract. This paper focuses on algebraic attacks on the Simon family of block ciphers. We construct

More information

A Brief Comparison of Simon and Simeck

A Brief Comparison of Simon and Simeck A Brief Comparison of Simon and Simeck Stefan Kölbl, Arnab Roy {stek,arroy}@dtu.dk DTU Compute, Technical University of Denmark, Denmark Abstract. Simeck is a new lightweight block cipher design based

More information

Improved Linear Cryptanalysis of reduced-round SIMON-32 and SIMON-48

Improved Linear Cryptanalysis of reduced-round SIMON-32 and SIMON-48 Improved inear Cryptanalysis of reduced-round SIMON-32 and SIMON-48 Mohamed Ahmed Abdelraheem, Javad Alizadeh 2, Hoda A. Alkhzaimi 3, Mohammad eza Aref 2, Nasour Bagheri 4, and Praveen Gauravaram 5 SICS

More information

observations on the simon block cipher family

observations on the simon block cipher family observations on the simon block cipher family Stefan Kölbl 1 Gregor Leander 2 Tyge Tiessen 1 August 17, 2015 1 DTU Compute, Technical University of Denmark, Denmark 2 Horst Görtz Institute for IT Security,

More information

Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON

Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON Danping Shi 1,2, Lei Hu 1,2, Siwei Sun 1,2, Ling Song 1,2, Kexin Qiao 1,2, Xiaoshuang Ma 1,2 1 State Key Laboratory of Information

More information

Differential Fault Analysis of AES using a Single Multiple-Byte Fault

Differential Fault Analysis of AES using a Single Multiple-Byte Fault Differential Fault Analysis of AES using a Single Multiple-Byte Fault Subidh Ali 1, Debdeep Mukhopadhyay 1, and Michael Tunstall 2 1 Department of Computer Sc. and Engg, IIT Kharagpur, West Bengal, India.

More information

On the Design Rationale of Simon Block Cipher: Integral Attacks and Impossible Differential Attacks against Simon Variants

On the Design Rationale of Simon Block Cipher: Integral Attacks and Impossible Differential Attacks against Simon Variants On the Design Rationale of Simon Block Cipher: Integral Attacks and Impossible Differential Attacks against Simon Variants Kota Kondo 1, Yu Sasaki 2, and Tetsu Iwata 3 1 Nagoya University, Japan, k kondo@echo.nuee.nagoya-u.ac.jp

More information

Concurrent Error Detection in S-boxes 1

Concurrent Error Detection in S-boxes 1 International Journal of Computer Science & Applications Vol. 4, No. 1, pp. 27 32 2007 Technomathematics Research Foundation Concurrent Error Detection in S-boxes 1 Ewa Idzikowska, Krzysztof Bucholc Poznan

More information

Block Cipher Cryptanalysis: An Overview

Block Cipher Cryptanalysis: An Overview 0/52 Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Outline Iterated Block Cipher 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution

More information

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern

More information

Linear Cryptanalysis Using Low-bias Linear Approximations

Linear Cryptanalysis Using Low-bias Linear Approximations Linear Cryptanalysis Using Low-bias Linear Approximations Tomer Ashur 1, Daniël Bodden 1, and Orr Dunkelman 2 1 Dept. Electrical Engineering, COSIC-imec, KU Leuven, Belgium [tashur,dbodden]@esat.kuleuven.be

More information

Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers

Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers Sarani Bhattacharya and Debdeep Mukhopadhyay Indian Institute of Technology Kharagpur PROOFS 2016 August

More information

Siwei Sun, Lei Hu, Peng Wang, Kexin Qiao, Xiaoshuang Ma, Ling Song

Siwei Sun, Lei Hu, Peng Wang, Kexin Qiao, Xiaoshuang Ma, Ling Song Automatic Security Evaluation and (Related-key) Differential Characteristic Search: Application to SIMON, PRESENT, LBlock, DES(L) and Other Bit-oriented Block Ciphers Siwei Sun, Lei Hu, Peng Wang, Kexin

More information

Differential Cache Trace Attack Against CLEFIA

Differential Cache Trace Attack Against CLEFIA Differential Cache Trace Attack Against CLEFIA Chester Rebeiro and Debdeep Mukhopadhyay Dept. of Computer Science and Engineering Indian Institute of Technology Kharagpur, India {chester,debdeep}@cse.iitkgp.ernet.in

More information

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent B. Collard, F.-X. Standaert, J.-J. Quisquater UCL Crypto Group Microelectronics Laboratory Catholic University of Louvain - UCL

More information

Structural Evaluation by Generalized Integral Property

Structural Evaluation by Generalized Integral Property Structural Evaluation by Generalized Integral Property Yosue Todo NTT Secure Platform Laboratories, Toyo, Japan todo.yosue@lab.ntt.co.jp Abstract. In this paper, we show structural cryptanalyses against

More information

Cryptographically Robust Large Boolean Functions. Debdeep Mukhopadhyay CSE, IIT Kharagpur

Cryptographically Robust Large Boolean Functions. Debdeep Mukhopadhyay CSE, IIT Kharagpur Cryptographically Robust Large Boolean Functions Debdeep Mukhopadhyay CSE, IIT Kharagpur Outline of the Talk Importance of Boolean functions in Cryptography Important Cryptographic properties Proposed

More information

Cryptanalysis of the Full DES and the Full 3DES Using a New Linear Property

Cryptanalysis of the Full DES and the Full 3DES Using a New Linear Property Cryptanalysis of the ull DES and the ull 3DES Using a New Linear Property Tomer Ashur 1 and Raluca Posteuca 1 imec-cosic, KU Leuven, Leuven, Belgium [tomer.ashur, raluca.posteuca]@esat.kuleuven.be Abstract.

More information

Differential Fault Analysis on DES Middle Rounds

Differential Fault Analysis on DES Middle Rounds Differential Fault Analysis on DES Middle Rounds Matthieu Rivain Speaker: Christophe Giraud Oberthur Technologies Agenda 1 Introduction Data Encryption Standard DFA on DES Last & Middle Rounds 2 Our Attack

More information

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen. Yoyo Game with AES Navid Ghaedi Bardeh University of Bergen May 8, 2018 1 / 33 Outline 1 Introduction on Block cipher 2 Yoyo Game 3 Application on AES 4 Conclusion 2 / 33 Classical Model of Symmetric Cryptography

More information

Lecture 12: Block ciphers

Lecture 12: Block ciphers Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is

More information

EME : extending EME to handle arbitrary-length messages with associated data

EME : extending EME to handle arbitrary-length messages with associated data EME : extending EME to handle arbitrary-length messages with associated data (Preliminiary Draft) Shai Halevi May 18, 2004 Abstract We describe a mode of oepration EME that turns a regular block cipher

More information

MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher

MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher Raghvendra Rohit, Riham AlTawy, & Guang Gong Department of Electrical and Computer Engineering, University of Waterloo Waterloo,

More information

A DFA ON AES BASED ON THE ENTROPY OF ERROR DISTRIBUTIONS

A DFA ON AES BASED ON THE ENTROPY OF ERROR DISTRIBUTIONS A DFA ON AES BASED ON THE ENTROPY OF ERROR DISTRIBUTIONS FDTC2012 Ronan Lashermes, Guillaume Reymond, Jean-Max Dutertre, Jacques Fournier, Bruno Robisson and Assia Tria 9 SEPTEMBER 2012 INTRODUCTION Introduction

More information

Comparison of some mask protections of DES against power analysis Kai Cao1,a, Dawu Gu1,b, Zheng Guo1,2,c and Junrong Liu1,2,d

Comparison of some mask protections of DES against power analysis Kai Cao1,a, Dawu Gu1,b, Zheng Guo1,2,c and Junrong Liu1,2,d International Conference on Manufacturing Science and Engineering (ICMSE 2015) Comparison of some mask protections of DES against power analysis Kai Cao1,a, Dawu Gu1,b, Zheng Guo1,2,c and Junrong Liu1,2,d

More information

ECS 189A Final Cryptography Spring 2011

ECS 189A Final Cryptography Spring 2011 ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I

More information

AES side channel attacks protection using random isomorphisms

AES side channel attacks protection using random isomorphisms Rostovtsev A.G., Shemyakina O.V., St. Petersburg State Polytechnic University AES side channel attacks protection using random isomorphisms General method of side-channel attacks protection, based on random

More information

Complementing Feistel Ciphers

Complementing Feistel Ciphers Complementing Feistel Ciphers Alex Biryukov 1 and Ivica Nikolić 2 1 University of Luxembourg 2 Nanyang Technological University, Singapore alex.biryukov@uni.lu inikolic@ntu.edu.sg Abstract. In this paper,

More information

Public Key Perturbation of Randomized RSA Implementations

Public Key Perturbation of Randomized RSA Implementations Public Key Perturbation of Randomized RSA Implementations A. Berzati, C. Dumas & L. Goubin CEA-LETI Minatec & Versailles St Quentin University Outline 1 Introduction 2 Public Key Perturbation Against R2L

More information

THEORETICAL SIMPLE POWER ANALYSIS OF THE GRAIN STREAM CIPHER. A. A. Zadeh and Howard M. Heys

THEORETICAL SIMPLE POWER ANALYSIS OF THE GRAIN STREAM CIPHER. A. A. Zadeh and Howard M. Heys THEORETICAL SIMPLE POWER ANALYSIS OF THE GRAIN STREAM CIPHER A. A. Zadeh and Howard M. Heys Electrical and Computer Engineering Faculty of Engineering and Applied Science Memorial University of Newfoundland

More information

A Large Block Cipher using an Iterative Method and the Modular Arithmetic Inverse of a key Matrix

A Large Block Cipher using an Iterative Method and the Modular Arithmetic Inverse of a key Matrix A Large Block Cipher using an Iterative Method and the Modular Arithmetic Inverse of a key Matrix S. Udaya Kumar V. U. K. Sastry A. Vinaya babu Abstract In this paper, we have developed a block cipher

More information

Cryptanalysis of block EnRUPT

Cryptanalysis of block EnRUPT Cryptanalysis of block EnRUPT Elias Yarrkov 2010-10-08 (revised 2010-10-12) Abstract EnRUPT is a cryptographic primitive with a variable block and key length. We show several attacks on it that stem from

More information

Introduction to Cryptology. Lecture 2

Introduction to Cryptology. Lecture 2 Introduction to Cryptology Lecture 2 Announcements 2 nd vs. 1 st edition of textbook HW1 due Tuesday 2/9 Readings/quizzes (on Canvas) due Friday 2/12 Agenda Last time Historical ciphers and their cryptanalysis

More information

Improved Algebraic Fault Analysis: A Case Study on Piccolo and with Applications to other Lightweight Block Ciphers

Improved Algebraic Fault Analysis: A Case Study on Piccolo and with Applications to other Lightweight Block Ciphers Improved Algebraic Fault Analysis: A Case tudy on Piccolo and with Applications to other Lightweight Block Ciphers Fan ZHANG 1, Xinjie ZHAO 2,3, hize GUO 3, Tao WANG 2, and Zhijie HI 1 1 University of

More information

MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity

MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity. Arnab Roy 1 (joint work with Martin Albrecht 2, Lorenzo Grassi 3, Christian Rechberger 1,3 and Tyge Tiessen

More information

A Pseudo-Random Encryption Mode

A Pseudo-Random Encryption Mode A Pseudo-Random Encryption Mode Moni Naor Omer Reingold Block ciphers are length-preserving private-key encryption schemes. I.e., the private key of a block-cipher determines a permutation on strings of

More information

Bit-Based Division Property and Application to Simon Family

Bit-Based Division Property and Application to Simon Family Bit-Based Division Property and Application to Simon Family Yosuke Todo 1,2 and Masakatu Morii 2 1 NTT Secure Platform Laboratories, Tokyo, Japan todo.yosuke@lab.ntt.co.jp 2 Kobe University, Kobe, Japan

More information

Virtual isomorphisms of ciphers: is AES secure against differential / linear attack?

Virtual isomorphisms of ciphers: is AES secure against differential / linear attack? Alexander Rostovtsev alexander. rostovtsev@ibks.ftk.spbstu.ru St. Petersburg State Polytechnic University Virtual isomorphisms of ciphers: is AES secure against differential / linear attack? In [eprint.iacr.org/2009/117]

More information

DPA on n-bit sized Boolean and Arithmetic Operations and its Application to IDEA, RC6 and the HMAC-Construction

DPA on n-bit sized Boolean and Arithmetic Operations and its Application to IDEA, RC6 and the HMAC-Construction DPA on n-bit sized Boolean and Arithmetic Operations and its Application to IDEA, RC6 and the HMAC-Construction Kerstin Lemke, Kai Schramm and Christof Paar Communication Security Group (COSY) Department

More information

A Weak Cipher that Generates the Symmetric Group

A Weak Cipher that Generates the Symmetric Group A Weak Cipher that Generates the Symmetric Group Sean Murphy Kenneth Paterson Peter Wild Information Security Group, Royal Holloway and Bedford New College, University of London, Egham, Surrey TW20 0EX,

More information

Introduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES

Introduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES CSC/ECE 574 Computer and Network Security Topic 3.1 Secret Key Cryptography Algorithms CSC/ECE 574 Dr. Peng Ning 1 Outline Introductory Remarks Feistel Cipher DES AES CSC/ECE 574 Dr. Peng Ning 2 Introduction

More information

Algebraic Techniques in Differential Cryptanalysis

Algebraic Techniques in Differential Cryptanalysis Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London FSE 2009, Leuven, 24.02.2009 Martin Albrecht and Carlos

More information

Low Complexity Differential Cryptanalysis and Fault Analysis of AES

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 34 Introduction We present a survey of low

More information

A Five-Round Algebraic Property of the Advanced Encryption Standard

A Five-Round Algebraic Property of the Advanced Encryption Standard A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science

More information

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Ruilin Li, Bing Sun, and Chao Li Department of Mathematics and System Science, Science College, National University of Defense

More information

«Differential Behavioral Analysis»

«Differential Behavioral Analysis» «Differential Behavioral Analysis» Bruno ROBISSON Pascal MANET CEA-LETI SESAM Laboratory (joint R&D team CEA-LETI/EMSE), Centre Microélectronique de Provence Avenue des Anémones, 13541 Gardanne, France

More information

Diophantine equations via weighted LLL algorithm

Diophantine equations via weighted LLL algorithm Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL algorithm Momonari Kudo Graduate School of Mathematics, Kyushu University, JAPAN Kyushu University Number Theory

More information

Beijing , China

Beijing , China Automatic ecurity Evaluation and (Related-key) Differential Characteristic earch: Application to IMON, PREENT, LBlock, DE(L) and Other Bit-oriented Block Ciphers iwei un 1,2, Lei Hu 1,2, Peng Wang 1,2,

More information

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/

More information

Fault Analysis of the KATAN Family of Block Ciphers

Fault Analysis of the KATAN Family of Block Ciphers Fault Analysis of the KATAN Family of Block Ciphers Shekh Faisal Abdul-Latip 1,2, Mohammad Reza Reyhanitabar 1, Willy Susilo 1, and Jennifer Seberry 1 1 Centre for Computer and Information Security Research,

More information

Type 1.x Generalized Feistel Structures

Type 1.x Generalized Feistel Structures Noname manuscript No. (will be inserted by the editor) Type 1.x Generalized eistel Structures Shingo Yanagihara Tetsu Iwata Received: date / Accepted: date Abstract We formalize the Type 1.x Generalized

More information

Automatic Search for A Variant of Division Property Using Three Subsets (Full Version)

Automatic Search for A Variant of Division Property Using Three Subsets (Full Version) Automatic Search for A Variant of Division Property Using Three Subsets (Full Version) Kai Hu, Meiqin Wang Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong

More information

Impact of Extending Side Channel Attack on Cipher Variants: A Case Study with the HC Series of Stream Ciphers

Impact of Extending Side Channel Attack on Cipher Variants: A Case Study with the HC Series of Stream Ciphers Impact of Extending Side Channel Attack on Cipher Variants: A Case Study with the HC Series of Stream Ciphers Goutam Paul and Shashwat Raizada Jadavpur University, Kolkata and Indian Statistical Institute,

More information

Security Analysis of the Block Cipher SC2000

Security Analysis of the Block Cipher SC2000 Security Analysis of the Block Cipher SC2000 VERSION 1.1 FINAL REPORT Alex Biryukov University of Luxembourg, Luxembourg Ivica Nikolić Nanyang Technological University, Singapore Contents 1 Introduction

More information

Cryptanalysis of a Multistage Encryption System

Cryptanalysis of a Multistage Encryption System Cryptanalysis of a Multistage Encryption System Chengqing Li, Xinxiao Li, Shujun Li and Guanrong Chen Department of Mathematics, Zhejiang University, Hangzhou, Zhejiang 310027, China Software Engineering

More information

Investigations of Power Analysis Attacks on Smartcards *

Investigations of Power Analysis Attacks on Smartcards * Investigations of Power Analysis Attacks on Smartcards * Thomas S. Messerges Ezzy A. Dabbish Robert H. Sloan 1 Dept. of EE and Computer Science Motorola Motorola University of Illinois at Chicago tomas@ccrl.mot.com

More information

COMS W4995 Introduction to Cryptography October 12, Lecture 12: RSA, and a summary of One Way Function Candidates.

COMS W4995 Introduction to Cryptography October 12, Lecture 12: RSA, and a summary of One Way Function Candidates. COMS W4995 Introduction to Cryptography October 12, 2005 Lecture 12: RSA, and a summary of One Way Function Candidates. Lecturer: Tal Malkin Scribes: Justin Cranshaw and Mike Verbalis 1 Introduction In

More information

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Improved Impossible Differential Cryptanalysis of Rijndael and Crypton Jung Hee Cheon 1, MunJu Kim 2, Kwangjo Kim 1, Jung-Yeun Lee 1, and SungWoo Kang 3 1 IRIS, Information and Communications University,

More information

Linear Cryptanalysis of Reduced-Round PRESENT

Linear Cryptanalysis of Reduced-Round PRESENT Linear Cryptanalysis of Reduced-Round PRESENT Joo Yeon Cho 1 Helsinki University of Technology, Finland 2 Nokia A/S, Denmark joo.cho@tkk.fi Abstract. PRESENT is a hardware-oriented block cipher suitable

More information

First-Order DPA Attack Against AES in Counter Mode w/ Unknown Counter. DPA Attack, typical structure

First-Order DPA Attack Against AES in Counter Mode w/ Unknown Counter. DPA Attack, typical structure Josh Jaffe CHES 2007 Cryptography Research, Inc. www.cryptography.com 575 Market St., 21 st Floor, San Francisco, CA 94105 1998-2007 Cryptography Research, Inc. Protected under issued and/or pending US

More information

Improved Multiple Impossible Differential Cryptanalysis of Midori128

Improved Multiple Impossible Differential Cryptanalysis of Midori128 Improved Multiple Impossible Differential Cryptanalysis of Midori128 Mohamed Tolba, Ahmed Abdelkhalek, and Amr M. Youssef Concordia Institute for Information Systems Engineering, Concordia University,

More information

Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA

Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Sourav Sen Gupta 1 Subhamoy Maitra 1 Willi Meier 2 Goutam Paul 1 Santanu Sarkar 3 Indian Statistical Institute, India FHNW, Windisch,

More information

On the Security of NOEKEON against Side Channel Cube Attacks

On the Security of NOEKEON against Side Channel Cube Attacks On the Security of NOEKEON against Side Channel Cube Attacks Shekh Faisal Abdul-Latip 1,2, Mohammad Reza Reyhanitabar 1, Willy Susilo 1, and Jennifer Seberry 1 1 Center for Computer and Information Security

More information

The Invariant Set Attack 26th January 2017

The Invariant Set Attack 26th January 2017 The Invariant Set Attack 26th January 2017 Workgroup Symmetric Cryptography Ruhr University Bochum Friedrich Wiemer Friedrich Wiemer The Invariant Set Attack 26th January 2017 1 Nonlinear Invariant Attack

More information

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design: Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design: Secret Key Systems Encrypting a small block of text (say 64 bits) General considerations

More information

FFT-Based Key Recovery for the Integral Attack

FFT-Based Key Recovery for the Integral Attack FFT-Based Key Recovery for the Integral Attack Yosuke Todo NTT Secure Platform Laboratories Abstract. The integral attack is one of the most powerful attack against block ciphers. In this paper, we propose

More information

Mixed-integer Programming based Differential and Linear Cryptanalysis

Mixed-integer Programming based Differential and Linear Cryptanalysis Mixed-integer Programming based Differential and Linear Cryptanalysis Siwei Sun State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences Data Assurance

More information

Conversion from Arithmetic to Boolean Masking with Logarithmic Complexity

Conversion from Arithmetic to Boolean Masking with Logarithmic Complexity Conversion from Arithmetic to Boolean Masking with Logarithmic Complexity Jean-Sébastien Coron 1, Johann Großschädl 1, Mehdi Tibouchi 2, and Praveen Kumar Vadnala 1 1 University of Luxembourg, jean-sebastien.coron,johann.groszschaedl,praveen.vadnala}@uni.lu

More information

Revisit and Cryptanalysis of a CAST Cipher

Revisit and Cryptanalysis of a CAST Cipher 2017 3rd International Conference on Electronic Information Technology and Intellectualization (ICEITI 2017) ISBN: 978-1-60595-512-4 Revisit and Cryptanalysis of a CAST Cipher Xiao Zhou, Jingwei Li, Xuejia

More information

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128 Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com

More information

Improved Impossible Differential Attack on Reduced Version of Camellia-192/256

Improved Impossible Differential Attack on Reduced Version of Camellia-192/256 Improved Impossible Differential ttack on educed Version of Camellia-92/256 Ya iu, Dawu Gu, Zhiqiang iu, Wei i 2,3 Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai

More information

An average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and

An average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and An average case analysis of a dierential attack on a class of SP-networks Luke O'Connor Distributed Systems Technology Centre, and Information Security Research Center, QUT Brisbane, Australia Abstract

More information

Affine Masking against Higher-Order Side Channel Analysis

Affine Masking against Higher-Order Side Channel Analysis Affine Masking against Higher-Order Side Channel Analysis Guillaume Fumaroli 1, Ange Martinelli 1, Emmanuel Prouff 2, and Matthieu Rivain 3 1 Thales Communications {guillaume.fumaroli, jean.martinelli}@fr.thalesgroup.com

More information

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Cryptanalysis of a Generalized Unbalanced Feistel Network Structure Ruilin Li 1, Bing Sun 1, Chao Li 1,2, and Longjiang Qu 1,3 1 Department of Mathematics and System Science, Science College, National

More information

Conversion from Arithmetic to Boolean Masking with Logarithmic Complexity

Conversion from Arithmetic to Boolean Masking with Logarithmic Complexity Conversion from Arithmetic to Boolean Masking with Logarithmic Complexity Jean-Sébastien Coron 1, Johann Großschädl 1, Mehdi Tibouchi 2, and Praveen Kumar Vadnala 1 1 University of Luxembourg, jean-sebastien.coron,johann.groszschaedl,praveen.vadnala}@uni.lu

More information

Pitfalls in public key cryptosystems based on free partially commutative monoids and groups

Pitfalls in public key cryptosystems based on free partially commutative monoids and groups Pitfalls in public key cryptosystems based on free partially commutative monoids and groups María Isabel González Vasco 1 and Rainer Steinwandt 2 1 Área de Matemática Aplicada, Universidad Rey Juan Carlos

More information

Cryptanalysis of PRESENT-like ciphers with secret S-boxes

Cryptanalysis of PRESENT-like ciphers with secret S-boxes Cryptanalysis of PRESENT-like ciphers with secret S-boxes Julia Borghoff Lars Knudsen Gregor Leander Søren S. Thomsen DTU, Denmark FSE 2011 Cryptanalysis of Maya Julia Borghoff Lars Knudsen Gregor Leander

More information

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 7 Cryptanalysis Cryptanalysis Attacks such as exhaustive key-search do not exploit any properties of the encryption algorithm or implementation. Structural attacks

More information

Improved Slender-set Linear Cryptanalysis

Improved Slender-set Linear Cryptanalysis 1 / 37 Improved Slender-set Linear Cryptanalysis Guo-Qiang Liu 1 Chen-Hui Jin 1 Chuan-Da Qi 2 1 Information Science Technology Institute Zhengzhou, Henan, China 2 Xinyang Normal University Xinyang, Henan,

More information

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version Mohamed Ahmed Abdelraheem, Julia Borghoff, Erik Zenner Technical University of Denmark, DK-2800 Kgs. Lyngby, Denmark {M.A.Abdelraheem,J.Borghoff,E.Zenner}@mat.dtu.dk

More information

How Fast can be Algebraic Attacks on Block Ciphers?

How Fast can be Algebraic Attacks on Block Ciphers? How Fast can be Algebraic Attacks on Block Ciphers? Nicolas T. Courtois Axalto mart Cards, 36-38 rue de la Princesse BP 45, 78430 Louveciennes Cedex, France http://www.nicolascourtois.net courtois@minrank.org

More information

Improving and Evaluating Differential Fault Analysis on LED with Algebraic Techniques

Improving and Evaluating Differential Fault Analysis on LED with Algebraic Techniques Improving and Evaluating Differential Fault Analysis on LED with Algebraic Techniques Xinjie Zhao,, hize Guo, Fan Zhang, Zhijie hi, Chujiao Ma and Tao Wang Department of Information Engineering Ordnance

More information

Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock

Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock Hadi Soleimany and Kaisa Nyberg Department of Information and Computer Science, Aalto University School of Science, Finland WCC 2013 1/53 Outline

More information

Key Recovery Attack against 2.5-round π-cipher

Key Recovery Attack against 2.5-round π-cipher Key Recovery Attack against 2.5-round -Cipher Christina Boura 1, Avik Chakraborti 2, Gaëtan Leurent 3, Goutam Paul 2, Dhiman Saha 4, Hadi Soleimany 5,6 and Valentin Suder 7 1 University of Versailles,

More information

DK-2800 Lyngby, Denmark, Mercierlaan 94, B{3001 Heverlee, Belgium,

DK-2800 Lyngby, Denmark, Mercierlaan 94, B{3001 Heverlee, Belgium, The Interpolation Attack on Block Ciphers? Thomas Jakobsen 1 and Lars R. Knudsen 2 1 Department of Mathematics, Building 303, Technical University of Denmark, DK-2800 Lyngby, Denmark, email:jakobsen@mat.dtu.dk.

More information

Akelarre. Akelarre 1

Akelarre. Akelarre 1 Akelarre Akelarre 1 Akelarre Block cipher Combines features of 2 strong ciphers o IDEA mixed mode arithmetic o RC5 keyed rotations Goal is a more efficient strong cipher Proposed in 1996, broken within

More information

A Block Cipher using an Iterative Method involving a Permutation

A Block Cipher using an Iterative Method involving a Permutation Journal of Discrete Mathematical Sciences & Cryptography Vol. 18 (015), No. 3, pp. 75 9 DOI : 10.1080/097059.014.96853 A Block Cipher using an Iterative Method involving a Permutation Lakshmi Bhavani Madhuri

More information

A Lower Bound on the Key Length of Information-Theoretic Forward-Secure Storage Schemes

A Lower Bound on the Key Length of Information-Theoretic Forward-Secure Storage Schemes A Lower Bound on the Key Length of Information-Theoretic Forward-Secure Storage Schemes Stefan Dziembowski Department of Computer Science University of Rome, La Sapienza Abstract. Forward-Secure Storage

More information

Algebraic Side-Channel Attacks

Algebraic Side-Channel Attacks Algebraic Side-Channel Attacks Mathieu Renauld, François-Xavier Standaert UCL Crypto Group, Université catholique de Louvain, B-1348 Louvain-la-Neuve. e-mails: mathieu.renauld,fstandae@uclouvain.be Abstract.

More information

Towards Provable Security of Substitution-Permutation Encryption Networks

Towards Provable Security of Substitution-Permutation Encryption Networks Towards Provable Security of Substitution-Permutation Encryption Networks Zhi-Guo Chen and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University at Kingston, Ontario,

More information

Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers

Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers Muxiang Zhang 1 and Agnes Chan 2 1 GTE Laboratories Inc., 40 Sylvan Road LA0MS59, Waltham, MA 02451 mzhang@gte.com 2 College of Computer

More information

Correlation Attack to the Block Cipher RC5. and the Simplied Variants of RC6. 3 Fujitsu Laboratories LTD.

Correlation Attack to the Block Cipher RC5. and the Simplied Variants of RC6. 3 Fujitsu Laboratories LTD. Correlation Attack to the Block Cipher RC5 and the Simplied Variants of RC6 Takeshi Shimoyama 3, Kiyofumi Takeuchi y, Juri Hayakawa y 3 Fujitsu Laboratories LTD. 4-1-1 Kamikodanaka, Nakahara-ku, Kawasaki

More information

3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis

3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis 3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis TANAKA Hidema, TONOMURA Yuji, and KANEKO Toshinobu A multi rounds elimination method for higher order differential cryptanalysis

More information

Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly (Full Version)

Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly (Full Version) Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly (Full Version) Qingju Wang 1,2,3, Yonglin Hao 4, Yosuke Todo 5, Chaoyun Li 6, Takanori Isobe 7, and Willi Meier

More information

Optimized Interpolation Attacks on LowMC

Optimized Interpolation Attacks on LowMC Optimized Interpolation Attacks on LowMC Itai Dinur 1, Yunwen Liu 2, Willi Meier 3, and Qingju Wang 2,4 1 Département d Informatique, École Normale Supérieure, Paris, France 2 Dept. Electrical Engineering

More information

Symmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway

Symmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway Symmetric Cryptanalytic Techniques Sean Murphy ショーン マーフィー Royal Holloway Block Ciphers Encrypt blocks of data using a key Iterative process ( rounds ) Modified by Modes of Operation Data Encryption Standard

More information

Report on Learning with Errors over Rings-based HILA5 and its CCA Security

Report on Learning with Errors over Rings-based HILA5 and its CCA Security Report on Learning with Errors over Rings-based HILA5 and its CCA Security Jesús Antonio Soto Velázquez January 24, 2018 Abstract HILA5 is a cryptographic primitive based on lattices that was submitted

More information
2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback