IIT KHARAGPUR FDTC September 23, South Korea, Busan. FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, / 67

Similar documents
Differential Fault Analysis on the families of SIMON and SPECK ciphers

Linear Hull Attack on Round-Reduced Simeck with Dynamic Key-guessing Techniques

Linear Cryptanalysis of Reduced-Round Speck

Algebraic Analysis of the Simon Block Cipher Family

A Brief Comparison of Simon and Simeck

Improved Linear Cryptanalysis of reduced-round SIMON-32 and SIMON-48

observations on the simon block cipher family

Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON

Differential Fault Analysis of AES using a Single Multiple-Byte Fault

On the Design Rationale of Simon Block Cipher: Integral Attacks and Impossible Differential Attacks against Simon Variants

Concurrent Error Detection in S-boxes 1

Block Cipher Cryptanalysis: An Overview

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Linear Cryptanalysis Using Low-bias Linear Approximations

Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers

Siwei Sun, Lei Hu, Peng Wang, Kexin Qiao, Xiaoshuang Ma, Ling Song

Differential Cache Trace Attack Against CLEFIA

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent

Structural Evaluation by Generalized Integral Property

Cryptographically Robust Large Boolean Functions. Debdeep Mukhopadhyay CSE, IIT Kharagpur

Cryptanalysis of the Full DES and the Full 3DES Using a New Linear Property

Differential Fault Analysis on DES Middle Rounds

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

Lecture 12: Block ciphers

EME : extending EME to handle arbitrary-length messages with associated data

MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher

A DFA ON AES BASED ON THE ENTROPY OF ERROR DISTRIBUTIONS

Comparison of some mask protections of DES against power analysis Kai Cao1,a, Dawu Gu1,b, Zheng Guo1,2,c and Junrong Liu1,2,d

ECS 189A Final Cryptography Spring 2011

AES side channel attacks protection using random isomorphisms

Complementing Feistel Ciphers

Public Key Perturbation of Randomized RSA Implementations

THEORETICAL SIMPLE POWER ANALYSIS OF THE GRAIN STREAM CIPHER. A. A. Zadeh and Howard M. Heys

A Large Block Cipher using an Iterative Method and the Modular Arithmetic Inverse of a key Matrix

Cryptanalysis of block EnRUPT

Introduction to Cryptology. Lecture 2

Improved Algebraic Fault Analysis: A Case Study on Piccolo and with Applications to other Lightweight Block Ciphers

MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity

A Pseudo-Random Encryption Mode

Bit-Based Division Property and Application to Simon Family

Virtual isomorphisms of ciphers: is AES secure against differential / linear attack?

DPA on n-bit sized Boolean and Arithmetic Operations and its Application to IDEA, RC6 and the HMAC-Construction

A Weak Cipher that Generates the Symmetric Group

Introduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES

Algebraic Techniques in Differential Cryptanalysis

Low Complexity Differential Cryptanalysis and Fault Analysis of AES

A Five-Round Algebraic Property of the Advanced Encryption Standard

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network

«Differential Behavioral Analysis»

Diophantine equations via weighted LLL algorithm

Beijing , China

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

Fault Analysis of the KATAN Family of Block Ciphers

Type 1.x Generalized Feistel Structures

Automatic Search for A Variant of Division Property Using Three Subsets (Full Version)

Impact of Extending Side Channel Attack on Cipher Variants: A Case Study with the HC Series of Stream Ciphers

Security Analysis of the Block Cipher SC2000

Cryptanalysis of a Multistage Encryption System

Investigations of Power Analysis Attacks on Smartcards *

COMS W4995 Introduction to Cryptography October 12, Lecture 12: RSA, and a summary of One Way Function Candidates.

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton

Linear Cryptanalysis of Reduced-Round PRESENT

First-Order DPA Attack Against AES in Counter Mode w/ Unknown Counter. DPA Attack, typical structure

Improved Multiple Impossible Differential Cryptanalysis of Midori128

Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA

On the Security of NOEKEON against Side Channel Cube Attacks

The Invariant Set Attack 26th January 2017

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:

FFT-Based Key Recovery for the Integral Attack

Mixed-integer Programming based Differential and Linear Cryptanalysis

Conversion from Arithmetic to Boolean Masking with Logarithmic Complexity

Revisit and Cryptanalysis of a CAST Cipher

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

Improved Impossible Differential Attack on Reduced Version of Camellia-192/256

An average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and

Affine Masking against Higher-Order Side Channel Analysis

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure

Conversion from Arithmetic to Boolean Masking with Logarithmic Complexity

Pitfalls in public key cryptosystems based on free partially commutative monoids and groups

Cryptanalysis of PRESENT-like ciphers with secret S-boxes

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Improved Slender-set Linear Cryptanalysis

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version

How Fast can be Algebraic Attacks on Block Ciphers?

Improving and Evaluating Differential Fault Analysis on LED with Algebraic Techniques

Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock

Key Recovery Attack against 2.5-round π-cipher

DK-2800 Lyngby, Denmark, Mercierlaan 94, B{3001 Heverlee, Belgium,

Akelarre. Akelarre 1

A Block Cipher using an Iterative Method involving a Permutation

A Lower Bound on the Key Length of Information-Theoretic Forward-Secure Storage Schemes

Algebraic Side-Channel Attacks

Towards Provable Security of Substitution-Permutation Encryption Networks

Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers

Correlation Attack to the Block Cipher RC5. and the Simplied Variants of RC6. 3 Fujitsu Laboratories LTD.

3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis

Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly (Full Version)

Optimized Interpolation Attacks on LowMC

Symmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway

Report on Learning with Errors over Rings-based HILA5 and its CCA Security

Transcription:

IIT KHARAGPUR Differential Fault Analysis on the Families of SIMON and SPECK Ciphers Authors: Harshal Tupsamudre, Shikha Bisht, Debdeep Mukhopadhyay (IIT KHARAGPUR) FDTC 2014 South Korea, Busan September 23, 2014 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 1 / 67

Outline 1 Preliminaries 2 Introduction to SIMON and SPECK 3 Fault Attack On SIMON First Attack: A Bit-Flip Fault Attack on SIMON A Random-Byte Fault Attack on SIMON 4 Fault Attack On SPECK A Bit-Flip Fault Attack on SPECK 5 Conclusion FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 2 / 67

Fault Attack Plaintext Fault Plaintext Cipher Process Cipher Process Correct Ciphertext Output Analysis Faulty Ciphertext FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 3 / 67

Fault Attack 1 Fault models to model the strength of adversary 1 Bit flip Fault Model : Affects a bit of the intermediate result 2 Constant Byte Fault Model : Requires control over fault value and position 3 Random Byte Fault Model : No control over fault value and position 2 Attacks that require both the correct and faulty ciphertext are known as differential fault attacks FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 4 / 67

Introduction 1 SIMON and SPECK : Family of lightweight block ciphers FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 5 / 67

Introduction 1 SIMON and SPECK : Family of lightweight block ciphers 2 Proposed by the National Security Agency(NSA) in 2013 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 5 / 67

Introduction 1 SIMON and SPECK : Family of lightweight block ciphers 2 Proposed by the National Security Agency(NSA) in 2013 3 No fault attack reported so far FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 5 / 67

Introduction 1 SIMON and SPECK : Family of lightweight block ciphers 2 Proposed by the National Security Agency(NSA) in 2013 3 No fault attack reported so far 4 Fault models used in the attacks: Bit flip and Random byte fault model FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 5 / 67

Fault Attack on SIMON FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 6 / 67

Round Function of SIMON cipher x i-1 y i-1 Caption FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 7 / 67

Round Function of SIMON cipher x i-1 y i-1 y i Caption FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 8 / 67

Round Function of SIMON cipher x i-1 y i-1 f(x i-1 ) y i Caption FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 9 / 67

Round Function of SIMON cipher x i-1 y i-1 f(x i-1 ) k i-1 x i y i (x i, y i ) = (y i 1 f (x i 1 ) k i 1, x i 1 ), i {1,..., T } FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 10 / 67

Function f: Source of Information Leakage 1 S i x: Circular left shift of x by i bits FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 11 / 67

Function f: Source of Information Leakage 1 S i x: Circular left shift of x by i bits 2 AND operation: A faulty bit in the input leaks information about the non-faulty bit. FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 11 / 67

Equation of the Last Round Key FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 12 / 67

Equation of the Last Round Key x T-1 y T-1 f(x T-1 ) k T-1 x T y T (x T, y T ): Ciphertext FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 13 / 67

Equation of the Last Round Key x T-1 y T-1 f(x T-1 ) k T-1 Known x T y T Known (x T, y T ): Ciphertext FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 14 / 67

Equation of the Last Round Key Known x T-1 y T-1 Known f(x T-1 ) k T-1 Known x T y T Known (x T, y T ): Ciphertext FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 15 / 67

Equation of the Last Round Key Known x T-1 y T-1 Known f(x T-1 ) k T-1 Known x T y T Known x T = y T 1 f (x T 1 ) k T 1 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 16 / 67

Equation of the Last Round Key Known x T-1 y T-1 Known f(x T-1 ) k T-1 Known x T y T Known x T = y T 1 f (x T 1 ) k T 1 = y T 1 f (y T ) k T 1 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 16 / 67

Equation of the Last Round Key Known x T-1 y T-1 Known f(x T-1 ) k T-1 Known x T y T Known x T = y T 1 f (x T 1 ) k T 1 = y T 1 f (y T ) k T 1 k T 1 = y T 1 f (y T ) x T FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 16 / 67

Fault Injection in the Target Round FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 17 / 67

Fault Injection in the Target Round Fault e x T-2 y T-2 f(x T-2 ) k T-2 x (T-1)* y (T-1)* f(x T-1 ) k T-1 x T* y T* (x T, y T ): Faulty Ciphertext FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 18 / 67

Determining Fault Position and Value Using Correct Ciphertext: k T 1 y T 1 = f (y T ) x T k T 1 x T 2 = f (y T ) x T (1) FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 19 / 67

Determining Fault Position and Value Using Correct Ciphertext: k T 1 y T 1 = f (y T ) x T k T 1 x T 2 = f (y T ) x T (1) Using Faulty Ciphertext: k T 1 y (T 1) = f (y T ) x T (2) k T 1 x T 2 e = f (y T ) x T FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 19 / 67

Determining Fault Position and Value Using Correct Ciphertext: k T 1 y T 1 = f (y T ) x T k T 1 x T 2 = f (y T ) x T (1) Using Faulty Ciphertext: k T 1 y (T 1) = f (y T ) x T (2) k T 1 x T 2 e = f (y T ) x T Using (1) and (2): e = x T x T f (y T ) f (y T ) Hence, we know the flipped bit(s) of x T 2 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 19 / 67

A Bit-Flip Fault Attack on SIMON Fault flips the j th bit x T-2 y T-2 (S 1 x T-2 & S 8 x T-2 ) S 2 x T-2 k T-2 (j+1) % n (j+2) % n (j+8) % n x (T-1)* y (T-1)* (S 1 x T-1 & S 8 x T-1 ) S 2 x T-1 k T-1 x T* y T* FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 20 / 67

A Bit-Flip Fault Attack on SIMON Fault flips the j th bit x T-2 y T-2 (S 1 x T-2 & S 8 x T-2 ) S 2 x T-2 k T-2 (j+1) % n (j+2) % n (j+8) % n x (T-1)* y (T-1)* (S 1 x T-1 & S 8 x T-1 ) S 2 x T-1 k T-1 x T* y T* (j+1) % n (j+2) % n (j+8) % n Affected bit - positions FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 21 / 67

A Bit-Flip Fault Attack on SIMON (x T-2 ) Bit flip j+7 j+6 j+5 j+4 j+3 j+2 j+1 j j-1 S 1 (x (T-2)* ) j+7 j+6 j+5 j+4 j+3 j+2 j+1 j j-1 j-2 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 22 / 67

A Bit-Flip Fault Attack on SIMON (x T-2 ) Bit flip j+7 j+6 j+5 j+4 j+3 j+2 j+1 j j-1 S 1 (x (T-2)* ) j+7 & S 8 (x (T-2)* ) j j+6 j+5 j+4 j+3 j+2 j+1 j j-1 j-2 j-1 j-2 j-3 j-4 j-5 j-6 j-7 j-8 j-9 & & FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 23 / 67

A Bit-Flip Fault Attack on SIMON (x T-2 ) Bit flip j+7 j+6 j+5 j+4 j+3 j+2 j+1 j j-1 S 1 (x (T-2)* ) j+7 & S 8 (x (T-2)* ) j S 2 (x (T-2)* ) j+6 j+6 j+5 j+4 j+3 j+2 j+1 j j-1 j-2 j-1 j-2 j-3 j-4 j-5 j-6 j-7 j-8 j-9 j+5 j+4 j+3 j+2 j+1 j j-1 j-2 j-3 & & FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 24 / 67

A Bit-Flip Fault Attack on SIMON (x T-2 ) Bit flip j+7 j+6 j+5 j+4 j+3 j+2 j+1 j j-1 S 1 (x (T-2)* ) j+7 & S 8 (x (T-2)* ) j S 2 (x (T-2)* ) j+6 j+6 j+5 j+4 j+3 j+2 j+1 j j-1 j-2 j-1 j-2 j-3 j-4 j-5 j-6 j-7 j-8 j-9 j+5 j+4 j+3 j+2 j+1 j j-1 j-2 j-3 & & y T* j+8 j+7 j+6 j+5 j+4 j+3 j+2 j+1 j j-1 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 25 / 67

A Bit-Flip Fault Attack on SIMON case 1 : x T 2 (j 7)%n = 0 y T j+1 = (x T 2 j y T j+1 = ((x T 2 j & x T 2 (j 7)%n ) RemainingTerms 1) & x T 2 (j 7)%n ) RemainingTerms x T 2 j x T 2 j 1 x T 2 (j 7)%n (y T y T ) (j+1)%n 0 1 0 0 1 0 0 0 Table: Secret Value x T 2 (j 7)%n obtained from (y T y T ) (j+1)%n FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 26 / 67

A Bit-Flip Fault Attack on SIMON case 2 : x T 2 (j 7)%n = 1 y T = (x T 2 j y T = ((x T 2 j & x T 2 (j 7)%n ) RemainingTerms 1) & x T 2 (j 7)%n ) RemainingTerms x T 2 j x T 2 j 1 x T 2 (j 7)%n (y T y T ) (j+1)%n 0 1 1 1 1 0 1 1 Table: Secret Value x T 2 (j 7)%n obtained from (y T y T ) (j+1)%n FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 27 / 67

A Bit-Flip Fault Attack on SIMON k T 1 j 7 = y T 1 j 7 f (y T ) j 7 x T j 7 k T 1 j+7 = y T 1 j+7 f (y T ) j+7 x T j+7 Using a single bit-flip, we can retrieve two bits of last round key. FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 28 / 67

Simulation Results n bits k T 1 Avg. No. of Faulty Encryptions 16 0xfa 0x24 25 24 0x26 0x53 0xaf 43 32 0x87 0x46 0x09 0x1a 62 48 0x22 0x4d 0xe9 0xcf 0x51 0xdd 104 64 0x19 0x26 0x5a 0xc7 0x4f 0xf2 0x90 0x01 150 Table: Bit-flip Fault Attack on SIMON Assuming no Control Over the Fault Position FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 29 / 67

A Random-Byte Fault Attack on SIMON: Case 1 (x T-2 ) Bit flip Bit flip j j-1 j-2 j-3 j-4 j-5 j-6 j-7 j-8 S 1 (x (T-2)* ) S 8 (x (T-2)* ) j & j-7 j-1 j-2 j-3 j-4 j-5 j-6 j-7 j-8 j-9 j-8 j-9 j-10 j-11 j-12 j-13 j-14 j-15 j-16 & & S 2 (x (T-2)* ) j-1 j-2 j-3 j-4 j-5 j-6 j-7 j-8 j-9 j-10 y T* j+1 j j-1 j-2 j-3 j-4 j-5 j-6 j-7 j-8 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 30 / 67

A Random-Byte Fault Attack on SIMON: Case 1 y T = (x T 2 j y T = ((x T 2 j & x T 2 (j 7)%n ) RemainingTerms 1) & (x T 2 (j 7)%n 1)) RemainingTerms x T 2 j x T 2 j 1 x T 2 (j 7)%n x T 2 (y T y T ) (j+1)%n (j 7)%n 1 0 1 1 0 0 1 0 0 1 0 0 1 0 1 1 1 0 1 0 1 Table: Relation between the Secret Values x T 2 T 2 (j)%n and x(j 7)%n FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 31 / 67

A Random-Byte Fault Attack on SIMON: Case 2 (x T-2 ) Bit flip j+7 j+6 j+5 j+4 j+3 j+2 j+1 j j-1 Bit flip S 1 (x (T-2)* ) j+7 & S 8 (x (T-2)* ) j S 2 (x (T-2)* ) j+6 j+6 j+5 j+4 j+3 j+2 j+1 j j-1 j-2 & j-1 j-2 j-3 j-4 j-5 j-6 j-7 j-8 j-9 j+5 j+4 j+3 j+2 j+1 j j-1 j-2 j-3 & & & y T* j+8 j+7 j+6 j+5 j+4 j+3 j+2 j+1 j j-1 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 32 / 67

A Random-Byte Fault Attack on SIMON: Case 2 y T = (x T 2 j y T = ((x T 2 j & x T 2 (j 7)%n ) RemainingTerms 1) & x T 2 (j 7)%n ) 1 RemainingTerms x T 2 j x T 2 j 1 x T 2 (j 7)%n (y T y T ) (j+1)%n 0 1 0 1 1 0 0 1 0 1 1 0 1 0 1 0 Table: Secret Value x T 2 (j 7)%n obtained from (y T y T ) (j+1)%n FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 33 / 67

Attack Complexity FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 34 / 67

Attack Complexity If the least and most significant bits of the byte fault having Hamming weight z are 1, then 2z 2 key bits are retrieved. There are 64 such faults. FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 34 / 67

Attack Complexity If the least and most significant bits of the byte fault having Hamming weight z are 1, then 2z 2 key bits are retrieved. There are 64 such faults. Otherwise a byte fault of Hamming weight z in x T 2 retrieves 2z bits of the last round key k T 1. The number of possible byte faults having Hamming weight z is ( 8 z). FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 34 / 67

Attack Complexity If the least and most significant bits of the byte fault having Hamming weight z are 1, then 2z 2 key bits are retrieved. There are 64 such faults. Otherwise a byte fault of Hamming weight z in x T 2 retrieves 2z bits of the last round key k T 1. The number of possible byte faults having Hamming weight z is ( 8 z). Therefore, the expected number of key bits that can be retrieved by a random byte fault is: (( 8 1 255 2z z=1 ( )) ) 8 128 8 z FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 34 / 67

Attack Complexity If the least and most significant bits of the byte fault having Hamming weight z are 1, then 2z 2 key bits are retrieved. There are 64 such faults. Otherwise a byte fault of Hamming weight z in x T 2 retrieves 2z bits of the last round key k T 1. The number of possible byte faults having Hamming weight z is ( 8 z). Therefore, the expected number of key bits that can be retrieved by a random byte fault is: (( 8 1 255 2z z=1 ( )) ) 8 128 8 z Hence (n/8) byte faults required to recover n bit secret key FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 34 / 67

Simulation Results n bits k T 1 Avg. No. of Faulty Encryptions 16 0xfa 0x24 6 24 0x26 0x53 0xaf 9 32 0x87 0x46 0x09 0x1a 13 48 0x22 0x4d 0xe9 0xcf 0x51 0xdd 21 64 0x19 0x26 0x5a 0xc7 0x4f 0xf2 0x90 0x01 30 Table: Random Byte Fault Attack on SIMON Assuming no Control Over the Fault Position FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 35 / 67

Fault Attack on SPECK FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 36 / 67

Round Function of SPECK cipher x i y i S dummy x : Circularleftshiftofxbyβbits FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 37 / 67

Round Function of SPECK cipher x i y i S -α S α x: Circular right shift of x by α bits FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 38 / 67

Round Function of SPECK cipher x i y i S -α + S dummy x : Circularleftshiftofxbyβbits FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 39 / 67

Round Function of SPECK cipher x i y i S -α k i+1 + x i+1 S dummy x : Circularleftshiftofxbyβbits FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 40 / 67

Round Function of SPECK cipher x i y i k i+1 S -α + S β x i+1 y i+1 S β y: Circular left shift of y by β bits FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 41 / 67

Round Function of SPECK cipher x i y i k i+1 S -α + S β x i+1 y i+1 (x i+1, y i+1 ) = ((S α x i + y i ) k i+1, S β y i x i+1 ), i {0,..., T 1} FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 42 / 67

Equation of Last Round Key x T-1 y T-1 S -α k T + S β x T y T (x T, y T ) : CorrectCiphertext FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 43 / 67

Equation of Last Round Key x T-1 y T-1 S -α + k T S β Known x T y T Known (x T, y T ): Correct Ciphertext FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 44 / 67

Equation of Last Round Key x T-1 y T-1 Known S -α + k T S β Known x T y T Known y T 1 = x T S β (y T ) FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 45 / 67

Equation of Last Round Key x T-1 y T-1 Known S -α + k T S β Known x T y T Known k T = (S α x T 1 + S β (y T x T )) x T FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 46 / 67

Equation of Last Round Key x T-1 y T-1 Known S -α + k T S β Known x T y T Known k T j = (x T 1 j+α (y T x T ) j c j ) x T j FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 47 / 67

Fault Injection in the Target Round Fault e x T-1 y T-1 S -α k T + S β x T* y T* (x T, y T ): Faulty Ciphertext FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 48 / 67

Determining Fault Position and Value Using Correct Ciphertext: y T 1 = S β (y T x T ) (3) FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 49 / 67

Determining Fault Position and Value Using Correct Ciphertext: Using Faulty Ciphertext: y T 1 = S β (y T x T ) (3) y (T 1) = S β (y T x T ) y (T 1) e = S β (y T x T ) (4) FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 49 / 67

Determining Fault Position and Value Using Correct Ciphertext: Using Faulty Ciphertext: y T 1 = S β (y T x T ) (3) y (T 1) = S β (y T x T ) y (T 1) e = S β (y T x T ) (4) Using (3) and (4): e = S β (y T y T x T x T ) Hence, we know the flipped bit(s) of y T 1 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 49 / 67

First Bit-Flip Fault Attack on SPECK (y T-1 ) Bit flip j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 (y (T-1)* ) S -7 (x T-1 ) j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 + j+11 j+10 j+9 j+8 j+7 j+6 j+5 j+4 j+3 (x T* ) j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 50 / 67

A Bit-Flip Fault Attack on SPECK (y T-1 ) (y (T-1)* ) S -7 (x T-1 ) Bit flip j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 c j+1 Flipped j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 + j+11 j+10 j+9 j+8 j+7 j+6 j+5 j+4 j+3 (x T* ) j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 51 / 67

A Bit-Flip Fault Attack on SPECK (y T-1 ) (y (T-1)* ) S -7 (x T-1 ) Bit flip j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 Flipped carry bits j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 + j+11 j+10 j+9 j+8 j+7 j+6 j+5 j+4 j+3 (x T* ) j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 52 / 67

A Bit-Flip Fault Attack on SPECK (y T-1 ) (y (T-1)* ) S -7 (x T-1 ) Bit flip j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 Flipped carry bits j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 + j+11 j+10 j+9 j+8 j+7 j+6 j+5 j+4 j+3 (x T* ) j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 53 / 67

A Bit-Flip Fault Attack on SPECK case 1 : x j+α = c j c j 0 0 x j+α 0 0 y j 0 1 c j + x j+α + y j 00 01 Table: Determining value of x j+α FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 54 / 67

A Bit-Flip Fault Attack on SPECK case 1 : x j+α = c j c j 1 1 x j+α 1 1 y j 0 1 c j + x j+α + y j 10 11 Table: Determining value of x j+α FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 55 / 67

A Bit-Flip Fault Attack on SPECK case 1 : x j+α = c j c j 0 0 1 1 x j+α 0 0 1 1 y j 0 1 0 1 c j + x j+α + y j 00 01 10 11 Table: Determining value of x j+α FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 56 / 67

A Bit-Flip Fault Attack on SPECK case 2 : x j+α c j c j 1 1 x j+α 0 0 y j 0 1 c j + x j+α + y j 01 10 Table: Determining value of x j+α FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 57 / 67

A Bit-Flip Fault Attack on SPECK case 2 : x j+α c j c j 0 0 x j+α 1 1 y j 0 1 c j + x j+α + y j 01 10 Table: Determining value of x j+α FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 58 / 67

A Bit-Flip Fault Attack on SPECK case 2 : x j+α c j c j 1 1 0 0 x j+α 0 0 1 1 y j 0 1 0 1 c j + x j+α + y j 01 10 01 10 Table: Determining value of x j+α FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 59 / 67

A Bit-Flip Fault Attack on SPECK (y T-1 ) (y (T-1)* ) S -7 (x T-1 ) Bit flip j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 Flipped carry bits j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 + j+11 j+10 j+9 j+8 j+7 j+6 j+5 j+4 j+3 (x T* ) j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 60 / 67

A Bit-Flip Fault Attack on SPECK (y T-1 ) (y (T-1)* ) S -7 (x T-1 ) Bit flip j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 Flipped carry bits j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 + j+11 j+10 j+9 j+8 j+7 j+6 j+5 j+4 j+3 (x T* ) j+4 j+3 j+2 j+1 j j-1 j-2 j-3 j-4 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 61 / 67

Attack Complexity FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 62 / 67

Attack Complexity The probability of obtaining l more bits of x T 1 is equal to the probability of l carry bits getting flipped due to a single bit flip in y T 1. FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 62 / 67

Attack Complexity The probability of obtaining l more bits of x T 1 is equal to the probability of l carry bits getting flipped due to a single bit flip in y T 1. For l th carry bit to be flipped all the lower (l 1) carry bits should also be flipped. The probability of this event is 1/2 l. FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 62 / 67

Attack Complexity The probability of obtaining l more bits of x T 1 is equal to the probability of l carry bits getting flipped due to a single bit flip in y T 1. For l th carry bit to be flipped all the lower (l 1) carry bits should also be flipped. The probability of this event is 1/2 l. Therefore the expected number of bits of last round key that can be retrieved using a single bit-flip is: 1 + l t Pr[t] = 1 + t=1 l t 1 2 t 3 t=1 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 62 / 67

Attack Complexity The probability of obtaining l more bits of x T 1 is equal to the probability of l carry bits getting flipped due to a single bit flip in y T 1. For l th carry bit to be flipped all the lower (l 1) carry bits should also be flipped. The probability of this event is 1/2 l. Therefore the expected number of bits of last round key that can be retrieved using a single bit-flip is: 1 + l t Pr[t] = 1 + t=1 l t 1 2 t 3 Hence the number of bit faults required to recover all the n bits of last round key k T is (n/3). t=1 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 62 / 67

Simulation Results n bits k T 1 Avg. No. of Faulty Encryptions 16 0xfa 0x24 18 24 0x26 0x53 0xaf 25 32 0x87 0x46 0x09 0x1a 44 48 0x22 0x4d 0xe9 0xcf 0x51 0xdd 85 64 0x19 0x26 0x5a 0xc7 0x4f 0xf2 0x90 0x01 114 Table: Bit-flip Fault Attack on SPECK Assuming no Control Over the Fault Position FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 63 / 67

Conclusion & Summary 1 Fault Attack Susceptibility: Latest ciphers such as SIMON and SPECK vulnerable to fault attacks. FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 64 / 67

Conclusion & Summary 1 Fault Attack Susceptibility: Latest ciphers such as SIMON and SPECK vulnerable to fault attacks. 2 SIMON can be broken using (n/2) faults using a bit-flip fault model and (n/8) faulty ciphertexts using a random byte fault model. FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 64 / 67

Conclusion & Summary 1 Fault Attack Susceptibility: Latest ciphers such as SIMON and SPECK vulnerable to fault attacks. 2 SIMON can be broken using (n/2) faults using a bit-flip fault model and (n/8) faulty ciphertexts using a random byte fault model. 3 Using a bit-flip fault model, SPECK can be broken using (n/3) bit faults. FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 64 / 67

Thank You! FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 65 / 67

References 1 R. Beaulieu, D. Shors, J. Smith, S. Treatman-Clark, B. Weeks, and L. Wingers. The SIMON and SPECK Families of Lightweight Block Ciphers. Cryptology eprint Archive, Report 2013/404, 2013. Available at http://eprint.iacr.org/ 2 H. A. Alkhzaimi and M. M. Lauridsen. Cryptanalysis of the SIMON Family of Block Ciphers. Cryptology eprint Archive, Report 2013/543, 2013. Avaliable at http://eprint.iacr.org/ 3 F. Abed, E. List, S. Lucks, and J. Wenzel. Differential Cryptanalysis of Reduced-Round Simon. Cryptology eprint Archive, Report 2013/526, 2013. Available at http://eprint.iacr.org/. 4 Javad Alizadeh, Nasour Bagheri, Praveen Gauravaram, Abhishek Kumar and Somitra Kumar Sanadhya. Linear Cryptanalysis of Round Reduced SIMON. IACR Cryptology eprint Archive, Report 2013/663, 2013. Available at http://eprint.iacr.org/2013/663 FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 66 / 67

References 5 D.Boneh, R.A.DeMillo, and R.J.Lipton. On the Importance of Checking Cryptographic Protocols for Faults (ExtendedAbstract). In W. Fumy, editor, Advances in Cryptology - EUROCRYPT 97, volume 1233 of Lecture Notes in Computer Science, pages 37-51. Springer, 1997. FDTC 2014 (South Korea, Busan) IIT KHARAGPUR September 23, 2014 67 / 67

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback