Differential Fault Analysis on AES Variants Kazuo Sakiyama

Contents • Background – Physical Attacks and Differential Fault Analysis – Advanced Encryption Standard

Cryptanalytic Attacks =? • Mathematical Approach Input Output Input Cryptographic device (Secret key inside)

Classification of Physical Attacks =? • Direction of information channel Passive Attacks Non-Invasive Passive

Differential Fault Analysis (DFA) on AES Encryption • DFA (Most discussed fault analysis) P

Advanced Encryption Standard SB SR MC AES Round Operation • • Substitution permutation network

AES Key Schedule AES-128 AES-192 K 1 K 0 F K 1 …… F

AES Key Schedule AES-256 F K 0 K 1 K 2 K 3 Sub

Fault Model in this presentation • Fault model: – 1 -byte random fault model

DFA attacks on AES Variants • The minimal times of fault injections but still

DFA on AES-128 SB 8 AK 8 MC 8 SR 8 2 -8 SB

DFA Attacks on AES-192 (simple attack, 3 faults) SB 9 SR 9 MC 9

DFA Attacks on AES-256 (simple attack, 3 faults) SB 11 SR 11 MC 11

Maybe 2 faults are enough for AES-192 and AES-256 ΔI Match? Kg-based Correct AES

DFA Attacks on AES-192 (2 faults) SB 9 SR 9 MC 9 AK 9

Some property for AES-192 key Schedule K 10 F AES-192 K 11 K 12

DFA Attacks on AES-192 (2 faults) MC 10 AK 10 SB 11 SR 11

DFA Attacks on AES-256 (2 faults) SB 11 SR 11 MC 11 AK 11

AES S-box Differential Table • For an AES S-box, given a pair of input/output

Some property for AES-256 key Schedule K 12 F AES-256 K 14 For AES-256:

DFA Attacks on AES-256 (2 faults) SB 11 SB 12 11 SR 11 AK

Conclusion • In side-channel attacks especially fault analysis, cryptanalysis techniques can help. • For

Slides: 23

Download presentation

Differential Fault Analysis on AES Variants Kazuo Sakiyama, Yang Li The University of Electro-Communications 2012 -8 -29 @ Nagoya, Japan

Contents • Background – Physical Attacks and Differential Fault Analysis – Advanced Encryption Standard – Fault Model in this discussion • 1 -byte random fault in known byte position • DFA Attack on AES Variants – DFA on AES-128 with 1 fault injection – DFA on AES-192 with 3/2 fault injections – DFA on AES-256 with 3/2 fault injections • Challenge to be practically feasible • Conclusion

Cryptanalytic Attacks =? • Mathematical Approach Input Output Input Cryptographic device (Secret key inside) Output Input Physical Information Channels =? • Physical Approach – Keep the proposed attack feasible 3

Classification of Physical Attacks =? • Direction of information channel Passive Attacks Non-Invasive Passive Attacks (Side-Channel Analysis) Time, Power Consumption, Electromagnetic Radiation Input, Output Known Active Attacks Non-Invasive Active Attacks (Fault Analysis) Inject computational faults Cryptographic device (Secret key inside) Output 4

Differential Fault Analysis (DFA) on AES Encryption • DFA (Most discussed fault analysis) P AES I I I’ ΔI = I I’ C C’ • Attack Procedures ΔI Match? Kg-based Correct AES Decryption Intermediate Value: Ig ΔIg Fault Model: Space of ΔI e. g. 1 -byte random fault at a known byte position C Key Guess: Kg Kg-based Faulty Intermediate Value: I’g AES Decryption C’ 5

Advanced Encryption Standard SB SR MC AES Round Operation • • Substitution permutation network Symmetric algorithm 128 -bit input block 3 versions – 128 -bit key (10 Rounds) – 192 -bit key (12 Rounds) – 256 -bit key (14 Rounds) AK

AES Key Schedule AES-128 AES-192 K 1 K 0 F K 1 …… F K 2 …… K 10 K 12

AES Key Schedule AES-256 F K 0 K 1 K 2 K 3 Sub Word …… K 13 K 14

Fault Model in this presentation • Fault model: – 1 -byte random fault model – Random faulty value at a known byte position – 1 S-box calculation has a faulty result • Fault injection based on setup-time violation – Clock glitch – Less time for a certain clock cycle (round operation)

DFA attacks on AES Variants • The minimal times of fault injections but still within a practical key recovery complexity • DFA on AES-128 with 1 fault injection – CHES 03, Africa 09, WISTP 11 • DFA on AES-192 with 3 fault injections – FDTC 11 • DFA on AES-256 with 3 fault injections – FDTC 11 • DFA on AES-192 with 2 fault injections – Improved a little from FDTC 11 • DFA on AES-256 with 2 fault injections – IEEE Trans. on Info. F&S

DFA on AES-128 SB 8 AK 8 MC 8 SR 8 2 -8 SB 9 1 1 2128 4 4 3 3 2 2 1 2 3 4 1 SB 10 1 1 1 232 28 SR 9 1 4 4 4 3 3 28 2 2 1 SR 10 4 3 2 20 4 3 2 1 3 3 2 1 4 2 MC 9 2 1 4 3 AK 10 1 1 4 4 3 3 2 2 AK 9 C C’ Without considering K 9, we can reduce K 10 space to 232

DFA Attacks on AES-192 (simple attack, 3 faults) SB 9 SR 9 MC 9 AK 9 SB 10 SR 10 MC 10 AK 10 SB 11 SR 11 MC 11 AK 11 SB 12 SR 12 AK 12 C 1’ SB 9 SR 9 MC 9 AK 9 SB 10 SR 10 MC 10 AK 10 SB 11 SR 11 MC 11 AK 11 SB 12 SR 12 AK 12 C 2’ SB 9 SR 9 MC 9 AK 9 SB 10 SR 10 MC 10 AK 10 SB 11 SR 11 MC 11 AK 11 SB 12 SR 12 AK 12 C 3’ Identify K 12 first using (C 1, C 1’) and (C 1, C 2’), then recover K 11

DFA Attacks on AES-256 (simple attack, 3 faults) SB 11 SR 11 MC 11 AK 11 SB 12 SR 12 MC 12 AK 12 SB 13 SR 13 MC 13 AK 13 SB 14 SR 14 AK 14 C 1’ SB 14 SR 14 AK 14 C 2’ SB 11 SR 11 MC 11 AK 11 SB 12 SR 12 MC 12 AK 12 SB 13 SR 13 MC 13 AK 13 SB 14 SR 14 AK 14 C 3’ Identify K 14 first using (C 1, C 1’) and (C 1, C 2’), then recover K 13

Maybe 2 faults are enough for AES-192 and AES-256 ΔI Match? Kg-based Correct AES Decryption Intermediate Value: Ig ΔIg C Key Guess: Kg Kg-based Faulty Intermediate Value: I’g AES Decryption C’ Space of ΔI Satisfy zero-difference bytes in intermediate status Space of Kg AES 128: 128 -bit AES 192: 192 -bit 72 -bit 0 bit AES 256: 256 -bit 136 -bit 16 -bit Keep the proposed attack feasible!

DFA Attacks on AES-192 (2 faults) SB 9 SR 9 MC 9 AK 9 SB 10 SR 10 MC 10 AK 10 SB 11 SR 11 MC 11 AK 11 SB 12 SR 12 AK 12 C 1’ SB 9 SR 9 MC 9 AK 9 SB 10 SR 10 MC 10 AK 10 SB 11 SR 11 MC 11 AK 11 SB 12 SR 12 AK 12 C 2’ 1. Restrict K 12 to 232

Some property for AES-192 key Schedule K 10 F AES-192 K 11 K 12 For AES-192: K 12 left 2 columns of K 11 K 12 right 1 column of K 10

DFA Attacks on AES-192 (2 faults) MC 10 AK 10 SB 11 SR 11 AK 11 MC 11 SB 9 SR 9 MC 9 AK 9 SB 10 SR 10 MC 10 AK 10 SB 11 SR 11 MC 11 AK 11 SB 12 SR 12 AK 12 C 1’ SB 9 SR 9 MC 9 AK 9 SB 10 SR 10 MC 10 AK 10 SB 11 SR 11 MC 11 AK 11 SB 12 SR 12 AK 12 C 2’ 1. Restrict K 12 10 to 232 AK 11 MC 11 SB 11 SR 11 MC 2. Given a K 12 candidate, leftmost 2 columns of K 11 is fixed, we AK 10 have 5 more 2 -8 conditions to satisfy. So we can identify K 12 3. Identify the rest of K 11

DFA Attacks on AES-256 (2 faults) SB 11 SR 11 MC 11 AK 11 1. Restrict K 14 to 232 SB 12 SR 12 MC 12 AK 12 SB 13 SR 13 MC 13 AK 13 SB 14 SR 14 AK 14 C 1’ SB 14 SR 14 AK 14 C 2’

AES S-box Differential Table • For an AES S-box, given a pair of input/output difference, this difference exists with probability of about ½. If this difference pair exist, one can find 2 pairs of solution. • Given N pairs of input/output difference, we can expect N real value solutions • Used in the inbound of Rebound Attack Outbound Inbound Outbound

Some property for AES-256 key Schedule K 12 F AES-256 K 14 For AES-256: K 12 right 3 columns of K 12 K 13

DFA Attacks on AES-256 (2 faults) SB 11 SB 12 11 SR 11 AK SR 12 MC 11 AK 11 SB 11 SR 11 MC 11 AK 11 MC 11 SB 12 MC 12 SR 12 MC 12 AK 12 SB 12 SR 12 MC 12 AK 12 13 SBAK 12 13 SR MC 13 AK 13 SB 13 SR 13 MC 13 AK 13 14 SB 13 SB 14 SR AK 14 C 1’ SB 14 SR 14 AK 14 C 2’ SR 13 1. Restrict K 14 to 232 13 13 12 MC 12 2. Pick up a K 14, calculate the difference at. AK SB 13 out, and. SBrestrict real. SR values in each column to 28 3. Then we know the rightmost 3 columns of K 12, calculate the blue bytes in SB 12 in, check 2 conditions of 2 -8. Space of SB 13 out is reduced to 216. Then K 13 is reduced to 216 (Complexity about 248, key recovery using FPGA takes 8 days to finish)

Conclusion • In side-channel attacks especially fault analysis, cryptanalysis techniques can help. • For AES-256, DFA attack with two 1 -byte random faults at known position are feasible for strong attackers • Can we make DFA with unknown positions faults feasible?

Thank you for your attentions!