Low Complexity Differential Cryptanalysis and Fault Analysis of AES

Transcription

1 Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, / 34

2 Introduction We present a survey of low complexity differential cryptanalysis and differential fault analysis of AES. We define low complexity to be: A low number of plaintext-ciphertext pairs. A feasible amount of computing power. Inspired eprint publication Bouillaguet et al. (2010). Michael Tunstall (University of Bristol) May/June, / 34

3 Preliminaries The AES is a 10-round block cipher that transforms a plaintext P = (p 1,p 2,...,p 16 ) (256) to ciphertext C = (c 1,c 2,...,c 16 ) (256) using secret key K = (k 1,k 2,...,k 16 ) (256). Arranged into a 4 4 array of bytes. p 1 p 5 p 9 p 13 p 2 p 6 p 10 p 14 p 3 p 7 p 11 p 15 p 4 p 8 p 12 p 16 c 1 c 5 c 9 c 13 c 2 c 6 c 10 c 14 c 3 c 7 c 11 c 15. c 4 c 8 c 12 c 16 Michael Tunstall (University of Bristol) May/June, / 34

4 Preliminaries Each round ofthe AES consists of: AddRoundkey An XOR with a subkey. SubBytes A bytewise substitution (we will refer to a function S). ShiftRows The bytes in each row are rotated by 0, 1, 2, 3 places respectively. MixColumns A matrix multiplication with using polynomial multiplications over F 2 8 modulo the irreducible polynomial x 8 +x 4 +x 3 +x +1. Where the last round does not include the MixColumns function, but a final XOR with a last subkey. Michael Tunstall (University of Bristol) May/June, / 34

5 Observation 1 If we consider y 1 y 2 = S(x 1 ) S(x 2 ) For given XOR differences x = x 1 x 2 and y = y 1 y 2 the number of possible values for {x 1,x 2,y 1,y 2 } will be: Four with probability Two with probability Zero with probability Michael Tunstall (University of Bristol) May/June, / 34

6 Observation 2 We consider a = MixColumns(b), where a = (a 0,a 1,a 2,a 3 ), b = (b 0,b 1,b 2,b 3 ) Given any four bytes from (a 0,a 1,a 2,a 3,b 0,b 1,b 2,b 3 ) the remaining four can be computed. Trivially, this is also true if we consider the XOR differentials, since, if a = MixColumns(b) and a = MixColumns(b ) then a a = MixColumns(b b ). Michael Tunstall (University of Bristol) May/June, / 34

7 Observation 3 We consider a a = MixColumns(b b ). Given the number of input bytes that are different in b,b, the number of bytes that differ in the output will occur with probabilities: # Bytes Out(0) Out(1) Out(2) Out(3) Out(4) In(0) In(1) In(2) In(3) In(4) Michael Tunstall (University of Bristol) May/June, / 34

8 Models We consider two models. Chosen Plaintext Model Standard model for differential cryptanalysis. An attacker is able to encipher arbitrary plaintexts under a fixed unknown secret key and recover the ciphertext. The practicality of an attack is influenced by the number of chosen plaintexts required to conduct a given attack. The time complexity of attacks in this model is considered to the number of enciphering operations, or equivalent, of the algorithm under attack. Michael Tunstall (University of Bristol) May/June, / 34

9 Models Chosen Difference Model Proposed to correspond to differential fault analysis. Able to encipher two related but unknown plaintexts. That is, an attacker is able to encipher two plaintexts with a difference of a chosen size. That is, a difference where the number and position of bytes can be controlled but not the value of the difference. The practicality of the attack is influenced by the number of pairs of ciphertexts required with a difference of a known size. The time complexity of attacks in this model is considered to the number of enciphering operations, or equivalent, of a full 10-round AES. We also assume that the attacker has access to an oracle that can be used to test whether a given key hypothesis is correct. Michael Tunstall (University of Bristol) May/June, / 34

10 Attacking a Reduced Round AES We define attacks against reduced round implementations of AES using the aforementioned models. In each case the last round does not include the MixColumns function. Michael Tunstall (University of Bristol) May/June, / 34

11 One-Round AES: Chosen Plaintext Model There is a widely known attack on one-round AES in the chosen plaintext model. For two arbitrary plaintexts P,P producing ciphertexts C,C then we have c i c i = S(p i k i ) S(p i k i ) for i {1,...,16}. From Observation 1 we know each equation will produce approximately two possible values for each k i, leading to 2 16 hypotheses. Bouillaguet et al. (2010) note that two subkeys can be evaluated independently and have an intersection of 2 12 hypotheses. This attack does not work on the chosen difference model as the difference is itself unknown. Michael Tunstall (University of Bristol) May/June, / 34

12 Two-Round AES: Chosen Difference Model The first differential fault analysis of AES was proposed by Piret and Quisquater (2003). If, for example, there is an XOR difference in four bytes it will propagate as follows. θ 1 θ 2 θ 3 θ 4 2α β γ 3δ x 1 x 5 x 9 x α 2β γ δ α 3β 2γ δ x 2 x 6 x 10 x 14 x 3 x 7 x 11 x α β 3γ 2δ x 4 x 8 x 12 x 16 Michael Tunstall (University of Bristol) May/June, / 34

13 Two-Round AES: Chosen Difference Model If the last subkey is K = (k 1,k 2,...,k 16 ) (256) and chiphertexts C = (c 1,c 2,...,c 16 ) (256), C = (c 1,c 2,...,c 16 ) (256). We can construct four sets of equations of the form 2θ = S 1 (c 1 k 1 ) S 1 (c 1 k 1) θ = S 1 (c 8 k 8 ) S 1 (c 8 k 8 ) θ = S 1 (c 11 k 11 ) S 1 (c 11 k 11 ) 3θ = S 1 (c 14 k 14 ) S 1 (c 14 k 14), which will give 2 8 hypotheses for {k 1,k 8,k 11,k 14 }. Leading to 2 32 hypotheses for K. (Time complexity) Michael Tunstall (University of Bristol) May/June, / 34

14 Two-Round AES: Chosen Plaintext Model Bouillaguet et al. (2010) note that if the plaintext if known then there are 127 possible vales for each θ i for i {1,2,3,4} (Observation 1). Then, given 2θ = S 1 (c 1 k 1 ) S 1 (c 1 k 1) θ = S 1 (c 8 k 8 ) S 1 (c 8 k 8 ) θ = S 1 (c 11 k 11 ) S 1 (c 11 k 11 ) 3θ = S 1 (c 14 k 14 ) S 1 (c 14 k 14), will give 2 7 hypotheses for {k 1,k 8,k 11,k 14 }. Leading to 2 28 hypotheses. (Time complexity) Michael Tunstall (University of Bristol) May/June, / 34

15 Three-Round AES: Chosen Difference Model The same attack as previously can be constructed if we consider a difference in one bye. ζ θ θ θ θ α β γ 3δ x 1 x 5 x 9 x 13 3α 2β γ δ α 3β 2γ δ x 2 x 6 x 10 x 14 x 3 x 7 x 11 x 15 α β 3γ 2δ x 4 x 8 x 12 x 16 Using the same technique as presented previously we can generate 2 32 key hypotheses. One can then generate 2 8 hypotheses with a time complexity of 2 32 / Michael Tunstall (University of Bristol) May/June, / 34

16 Three-Round AES: Chosen Plaintext Model Given Observation 1 we can note that θ will have 2 7 possible values rather than the 2 8 considered in the previous attack. Producing 2 7 hypotheses with a time complexity of 2 32 / Michael Tunstall (University of Bristol) May/June, / 34

17 Four-Round AES: Chosen Plaintext Model Meet-in-the-Middle Attack Bouillaguet et al. (2010) describe an attack that requires ten plaintext-ciphertext pairs. Where the plaintexts differ in four bytes. Guessing four bytes of the last subkey (K 5 ) and one byte of the penultimate key (K 4 ), we can predict X i for i {1,2,...,10}. X i ShiftRows SubBytes MixColumns 1 (K 4 ) c 1 c 5 c 9 c 13 MixColumns ShiftRows SubBytes K 5 c 2 c 6 c 10 c 14 c 3 c 7 c 11 c 15 c 4 c 8 c 12 c 16 Michael Tunstall (University of Bristol) May/June, / 34

18 Four-Round AES: Chosen Plaintext Model Meet-in-the-Middle Attack We can then compute X 1 X 2, X 2 X 3,..., X 9 X 10. This gives us the XOR differences before the XOR with the third subkey K 3. The values X 1 X 2, X 2 X 3,..., X 9 X 10 are then put in a hash table. Time complexity of / Michael Tunstall (University of Bristol) May/June, / 34

19 Four-Round AES: Chosen Plaintext Model Meet-in-the-Middle Attack Guessing four bytes of the first subkey (K 1 ) and one byte of the second key (K 2 ), we can predict Y i for i {1,2,...,10}. p 1 p 5 p 9 p 13 p 2 p 6 p 10 p 14 p 3 p 7 p 11 p 15 K 0 ShiftRows SubBytes MixColumns p 4 p 8 p 12 p 16 Y i K 1 ShiftRows SubBytes Also has a Time complexity of / Michael Tunstall (University of Bristol) May/June, / 34

20 Four-Round AES: Chosen Plaintext Model Meet-in-the-Middle Attack Again we can compute Y 1 Y 2, Y 2 Y 3,..., Y 9 Y 10. Given that this gives the difference before, and therefore after, the MixColumns function in the second round. For each i {1,2,...,9} and j = i +1. Y i Y j 2(Y i Y j ) 0 0 MixColumns 3(Y i Y j ) Y i Y j 0 Y i Y j Collisions on all 2(Y i Y j ) and X i X j give 2 8 hypotheses for four bytes of K0 and K 5 and one bytes K 1 and K 4. Michael Tunstall (University of Bristol) May/June, / 34

21 Four-Round AES: Chosen Plaintext/Difference Model Meet-in-the-Middle Attack This process can be repeated four times to produce 2 32 hypotheses for the last subkey. These hypotheses can be tested by exhaustive search, or checking the coherence with hypotheses on other subkeys. However, this attack cannot be used in the chosen difference model since the plaintexts need to be known. Michael Tunstall (University of Bristol) May/June, / 34

22 Four-Round AES: Chosen Difference Model Differential Attack For a difference in four bytes: ζ θ γ 1 γ 2 γ 3 3γ 4 0 ζ ζ 3 0 θ θ γ 1 2γ 2 γ 3 γ 4 γ 1 3γ 2 2γ 3 γ ζ 4 θ γ 1 γ 2 3γ 3 2γ 4 ǫ 1 ǫ 5 ǫ 9 ǫ 13 x 1 x 5 x 9 x 13 ǫ 2 ǫ 6 ǫ 10 ǫ 14 ǫ 3 ǫ 7 ǫ 11 ǫ 15 x 2 x 6 x 10 x 14 x 3 x 7 x 11 x 15 ǫ 4 ǫ 8 ǫ 12 ǫ 16 x 4 x 8 x 12 x 16 There does not appear to be a method of deriving the secret key that would be significantly quicker than an exhaustive key search. Michael Tunstall (University of Bristol) May/June, / 34

23 Four-Round AES: Chosen Difference Model Differential Attack However, if we assume that θ 4 = 0 then: ζ θ γ 1 γ 2 γ ζ ζ 3 0 θ θ γ 1 2γ 2 γ 3 0 γ 1 3γ 2 2γ ζ 4 θ γ 1 γ 2 3γ 3 0 2a 1 3a 2 a 3 2b 1 3b 2 b 3 2c 1 c 2 c 3 3d 1 d 2 d 3 a 1 2a 2 3a 3 b 1 2b 2 b 3 c 1 3c 2 c 3 2d 1 3d 2 d 3 a 1 a 2 2a 3 b 1 b 2 3b 3 c 1 2c 2 3c 3 d 1 2d 2 3d 3 3a 1 a 2 a 3 3b 1 b 2 2b 3 3c 1 c 2 2c 3 d 1 d 2 2d 3 x 1 x 5 x 9 x 13 x 2 x 6 x 10 x 14 x 3 x 7 x 11 x 15 x 4 x 8 x 12 x 16 Michael Tunstall (University of Bristol) May/June, / 34

24 Four-Round AES: Chosen Difference Model Differential Attack At the end of the third round there is a difference that is a combination of three unknown bytes. Can reduce the four sets of 2 32 key hypotheses to four sets of 2 24 hypotheses. That is a total reduction from hypotheses. More pairs of ciphertexts can then be used to reduce the number of hypotheses. Four such observations would be expected to reduce hypotheses. Any remaining hypotheses can be checked by verifying the existence of the structure in the round before. Michael Tunstall (University of Bristol) May/June, / 34

25 Four-Round AES: Chosen Difference Model Differential Attack We have know way of knowing of one of θ i for i {1,2,3,4}. However, The probability of one of θ i for i {1,2,3,4} being equal to one is 1/2 6 (Observation 3). We would therefore expect to have 4 such occurrences within 256 observations. One can then search through the 4 4( 256) possible combinations. Evaluating a set of equations is approximately equivalent to 2 9 executions of AES. Overall time complexity Michael Tunstall (University of Bristol) May/June, / 34

26 Four-Round AES: Chosen Plaintext Model Differential Attack As previously, there is more information if we consider a chosen plaintext model. If we have 24 distinct plaintexts there are ( 24 2) = 276 possible ways of comparing two plaintexts. One can then conduct an attack with time complexity Michael Tunstall (University of Bristol) May/June, / 34

27 Four-Round AES: Chosen Plaintext Model Square Attack An attack described in the original specification of AES. If we consider 256 distinct plaintexts that differ in only one byte. The XOR sum of the state matrix after three rounds will sum to zero. This property persists until the SubBytes function in the subsequent round. With 256 chosen plaintexts and a four-round AES one can verify that this property holds, leaving 2 16 key hypotheses. Repeating this will another set of 256 distinct plaintexts will reduce the number of key hypotheses to one. Michael Tunstall (University of Bristol) May/June, / 34

28 Four-Round AES: Chosen Difference Model Square Attack Phan and Yen (2006) proposed that this attack would work in the same manner for differential fault analysis. In our chosen difference model we cannot chose the values so one has to collect all 256 possible ciphertexts. An instance of the Coupon Collector s problem as described by Knuth. One would expect to need some for one set of 256 distinct ciphertexts. Requires an exhaustive search of Michael Tunstall (University of Bristol) May/June, / 34

29 Four-Round AES: Chosen Plaintext Model Impossible Differential Attack Biham and Keller (1999). If we have a XOR difference on one byte on entry to the MixColumns function, all four bytes will be different on output (Observation 3). ζ θ γ 1 γ 2 γ 3 3γ θ θ γ 1 2γ 2 γ 3 γ 4 γ 1 3γ 2 2γ 3 γ θ γ 1 γ 2 3γ 3 2γ 4 ǫ 1 ǫ 5 ǫ 9 ǫ 13 x 1 x 5 x 9 x 13 ǫ 2 ǫ 6 ǫ 10 ǫ 14 ǫ 3 ǫ 7 ǫ 11 ǫ 15 x 2 x 6 x 10 x 14 x 3 x 7 x 11 x 15 ǫ 4 ǫ 8 ǫ 12 ǫ 16 x 4 x 8 x 12 x 16 This property persists until the beginning of the MixColumns in the following round. Michael Tunstall (University of Bristol) May/June, / 34

30 Four-Round AES: Chosen Plaintext Model Impossible Differential Attack Hypotheses can be verified in sets of 32 bits by conducting a partial decryption and assuring that the difference before the MixColumns operation in the penultimate round contains no bytes equal to zero. MixColumns 1 (k 9 ) MixColumns ShiftRows x 1 x 5 x 9 x 13 SubBytes k 10 x 2 x 6 x 10 x 14 x 3 x 7 x 11 x 15 x 4 x 8 x 12 x 16 Michael Tunstall (University of Bristol) May/June, / 34

31 Four-Round AES: Chosen Plaintext/Difference Model Impossible Differential Attack Conducting this analysis 2 11 times allows the last subkey to be determined. The time complexity of this attack is 2 32 single round decryptions per ciphertext, i.e. 2 11( 2 32 /4 ) Phan and Yen (2006) proposed that this attack would work in the same manner for differential fault analysis. The number of acquisitions remains the same The time complexity of this attack is 2 32 single round decryptions per ciphertext, i.e. 2 11( 2 32 /10 ) Michael Tunstall (University of Bristol) May/June, / 34

32 Five-Round AES: Chosen Plaintext Model Square Attack Again, an attack described in the original specification of AES. SubBytes MixColumns 1 (k 9 ) MixColumns ShiftRows x 1 x 5 x 9 x 13 SubBytes k 10 x 2 x 6 x 10 x 14 x 3 x 7 x 11 x 15 x 4 x 8 x 12 x 16 One can make hypotheses on individual byes of MixColumns 1 (k 9 ) by verifying the property that 256 states have an XOR sum of zero. Requires 32-bits of k 10 to be guessed for groups of four bytes. Requires five sets of 256 plaintext-ciphertext pairs, and a time complexity of Michael Tunstall (University of Bristol) May/June, / 34

33 Five-Round AES: Chosen Difference Model Square Attack As with the four round Square attack, one requires 5 sets of 256 ciphertexts. Leading to Time complexity Michael Tunstall (University of Bristol) May/June, / 34

34 Conclusion An survey of low complexity differential cryptanalysis and fault analysis of AES. Some minor improvements are included for 1 3 round AES. A new differential cryptanalysis of four-round AES. Applicable to both the Chosen Plaintext and Chosen Difference Models. Re-evaluate the Square and Impossible Differential attacks in terms of a model corresponding to differential fault analysis. Michael Tunstall (University of Bristol) May/June, / 34