Video Converter
Audio Converter
Image Converter
PDF Converter
File Compressor
protecting against statistical ineffective fault attacks

Protecting against Statistical Ineffective Fault Attacks Joan - PowerPoint PPT Presentation

Dec 22, 2022 •311 likes •967 views

Protecting against Statistical Ineffective Fault Attacks Joan Daemen, Christoph Dobraunig, Maria Eichlseder, Hannes Gross, Florian Mendel and Robert Primas CHES 2020 Motivation www.tugraz.at Using crypto in the wild requires:

  1. Protecting against Statistical Ineffective Fault Attacks Joan Daemen, Christoph Dobraunig, Maria Eichlseder, Hannes Gross, Florian Mendel and Robert Primas CHES 2020

  2. Motivation www.tugraz.at Using crypto in the wild requires: • Mathematically secure cryptographic schemes 1 0 1 0 0 1 1 1 Robert Primas — CHES 2020

  3. Motivation www.tugraz.at Using crypto in the wild requires: • Mathematically secure cryptographic schemes • Additional defenses mechanisms against implementation attacks: 1 Robert Primas — CHES 2020

  4. Motivation www.tugraz.at Using crypto in the wild requires: • Mathematically secure cryptographic schemes • Additional defenses mechanisms against implementation attacks: Power Analysis Fault Attacks 1 Robert Primas — CHES 2020

  5. Motivation www.tugraz.at • Statistical Ineffective Fault Attacks (SIFA) were first presented at CHES2018: • Work against block ciphers, AEAD, etc . . . • Circumvent redundancy/infection countermeasures • Only one fault injection per cipher execution 2 Robert Primas — CHES 2020

  6. Motivation www.tugraz.at • Statistical Ineffective Fault Attacks (SIFA) were first presented at CHES2018: • Work against block ciphers, AEAD, etc . . . • Circumvent redundancy/infection countermeasures • Only one fault injection per cipher execution • In a follow-up at ASIACRYPT2018 it was shown that: • SIFA can additionally circumvent (higher-order) masking/TI 2 Robert Primas — CHES 2020

  7. Motivation www.tugraz.at • Statistical Ineffective Fault Attacks (SIFA) were first presented at CHES2018: • Work against block ciphers, AEAD, etc . . . • Circumvent redundancy/infection countermeasures • Only one fault injection per cipher execution • In a follow-up at ASIACRYPT2018 it was shown that: • SIFA can additionally circumvent (higher-order) masking/TI • Proposed countermeasures at the time: • Error correction • Hiding • Self destruction 2 Robert Primas — CHES 2020

  8. Motivation cont. www.tugraz.at • Many proposed SIFA countermeasures so far utilize error correction: • Rather expensive (masking!) • How much error correction is necessary? • What about DFA? 3 Robert Primas — CHES 2020

  9. Motivation cont. www.tugraz.at • Many proposed SIFA countermeasures so far utilize error correction: • Rather expensive (masking!) • How much error correction is necessary? • What about DFA? • We propose efficient SIFA countermeasure strategies: • “Careful” combination of redundancy with masking • Low overhead for lightweight schemes • Moderate overhead for “bulky” schemes like AES 3 Robert Primas — CHES 2020

  10. Statistical Fault Attacks on AES-128 www.tugraz.at P N : SHIFT ROWS ROUND 8 MIX COLUMNS KEY ADD • AES is a PRP: SUB BYTES ROUND 9 • Distribution of ciphertext bytes is SHIFT ROWS MIX COLUMNS uniform KEY ADD • (Also after only 9 rounds) ROUND 10 SUB BYTES SHIFT ROWS KEY ADD C N Fuhr et al. [Fuh+13] 4 Robert Primas — CHES 2020

  11. Statistical Fault Attacks on AES-128 www.tugraz.at P N : SHIFT ROWS ROUND 8 MIX COLUMNS • Assume fault that disturbs distribution KEY ADD of one state byte in round 9 SUB BYTES ROUND 9 • Stuck-at, bitflip, random, etc. SHIFT ROWS MIX COLUMNS • Attacker does not need to know the KEY ADD caused bias ROUND 10 SUB BYTES • 4 ciphertext bytes are affected SHIFT ROWS KEY ADD C N Fuhr et al. [Fuh+13] 4 Robert Primas — CHES 2020

  12. Statistical Fault Attacks on AES-128 www.tugraz.at P N : SHIFT ROWS ROUND 8 MIX COLUMNS KEY ADD • 4 state bytes in round 9 can be SUB BYTES ROUND 9 calculated from: SHIFT ROWS MIX COLUMNS • 4 ciphertext bytes KEY ADD • 4 key bytes ROUND 10 SUB BYTES SHIFT ROWS KEY ADD C N Fuhr et al. [Fuh+13] 4 Robert Primas — CHES 2020

  13. Statistical Fault Attacks on AES-128 www.tugraz.at : SHIFT ROWS ROUND 8 MIX COLUMNS KEY ADD • 4 state bytes in round 9 can be SUB BYTES ROUND 9 calculated from: SHIFT ROWS MIX COLUMNS • 4 ciphertext bytes KEY ADD • 4 key bytes (correct) ROUND 10 SUB BYTES SHIFT ROWS KEY ADD C N Fuhr et al. [Fuh+13] 4 Robert Primas — CHES 2020

  14. Statistical Fault Attacks on AES-128 www.tugraz.at : SHIFT ROWS ROUND 8 MIX COLUMNS KEY ADD • 4 state bytes in round 9 can be SUB BYTES ROUND 9 calculated from: SHIFT ROWS MIX COLUMNS • 4 ciphertext bytes KEY ADD • 4 key bytes (incorrect) ROUND 10 SUB BYTES SHIFT ROWS KEY ADD C N Fuhr et al. [Fuh+13] 4 Robert Primas — CHES 2020

  15. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at P N : : SHIFT ROWS SHIFT ROWS ROUND 8 MIX COLUMNS MIX COLUMNS KEY ADD KEY ADD • Redundant computation fixes the SUB BYTES SUB BYTES ROUND 9 SHIFT ROWS SHIFT ROWS problem! MIX COLUMNS MIX COLUMNS KEY ADD KEY ADD ROUND 10 SUB BYTES SUB BYTES SHIFT ROWS SHIFT ROWS KEY ADD KEY ADD C 1 C N 5 Robert Primas — CHES 2020

  16. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at P N : : SHIFT ROWS SHIFT ROWS ROUND 8 MIX COLUMNS MIX COLUMNS KEY ADD KEY ADD • Redundant computation fixes the SUB BYTES SUB BYTES ROUND 9 SHIFT ROWS SHIFT ROWS problem! MIX COLUMNS MIX COLUMNS • Except it doesn’t KEY ADD KEY ADD ROUND 10 SUB BYTES SUB BYTES SHIFT ROWS SHIFT ROWS KEY ADD KEY ADD C 1 Dobraunig et al. [Dob+18b] C N 5 Robert Primas — CHES 2020

  17. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at : SHIFT ROWS ROUND 8 • For simplicity, assume stuck-at zero MIX COLUMNS KEY ADD fault (others work as well) SUB BYTES • “Effective” faults are filtered out ROUND 9 SHIFT ROWS MIX COLUMNS • Correct ciphertexts still show bias in KEY ADD round 9 ROUND 10 SUB BYTES SHIFT ROWS • Exploitation works same as before KEY ADD C 1 C N Dobraunig et al. [Dob+18b] 5 Robert Primas — CHES 2020

  18. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at : SHIFT ROWS ROUND 8 • For simplicity, assume stuck-at zero MIX COLUMNS KEY ADD fault (others work as well) SUB BYTES • “Effective” faults are filtered out ROUND 9 SHIFT ROWS MIX COLUMNS • Correct ciphertexts still show bias in KEY ADD round 9 ROUND 10 SUB BYTES SHIFT ROWS • Exploitation works same as before KEY ADD C 1 C N Dobraunig et al. [Dob+18b] 5 Robert Primas — CHES 2020

  19. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at P N : : : SHIFT ROWS SHIFT ROWS ROUND 8 MIX COLUMNS MIX COLUMNS KEY ADD KEY ADD SUB BYTES SUB BYTES ROUND 9 • Masking fixes the problem! SHIFT ROWS SHIFT ROWS MIX COLUMNS MIX COLUMNS KEY ADD KEY ADD ROUND 10 SUB BYTES SUB BYTES SHIFT ROWS SHIFT ROWS KEY ADD KEY ADD C 1 Dobraunig et al. [Dob+18b] C N 5 Robert Primas — CHES 2020

  20. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at P N : : : SHIFT ROWS SHIFT ROWS ROUND 8 MIX COLUMNS MIX COLUMNS KEY ADD KEY ADD SUB BYTES SUB BYTES ROUND 9 • Masking fixes the problem! SHIFT ROWS SHIFT ROWS MIX COLUMNS MIX COLUMNS KEY ADD KEY ADD ROUND 10 SUB BYTES SUB BYTES SHIFT ROWS SHIFT ROWS KEY ADD KEY ADD C 1 Dobraunig et al. [Dob+18b] C N 5 Robert Primas — CHES 2020

  21. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at P N : : : SHIFT ROWS SHIFT ROWS ROUND 8 MIX COLUMNS MIX COLUMNS KEY ADD KEY ADD SUB BYTES SUB BYTES ROUND 9 • Masking fixes the problem! SHIFT ROWS SHIFT ROWS MIX COLUMNS MIX COLUMNS • Except it doesn’t KEY ADD KEY ADD ROUND 10 SUB BYTES SUB BYTES SHIFT ROWS SHIFT ROWS KEY ADD KEY ADD C 1 Dobraunig et al. [Dob+18a] C N 5 Robert Primas — CHES 2020

  22. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at P N : : : SHIFT ROWS SHIFT ROWS ROUND 8 MIX COLUMNS MIX COLUMNS x 0 z 0 KEY ADD KEY ADD y 0 R SUB BYTES SUB BYTES y 1 ROUND 9 • Masking fixes the problem! SHIFT ROWS SHIFT ROWS x 1 z 1 MIX COLUMNS MIX COLUMNS • Except it doesn’t KEY ADD KEY ADD ROUND 10 SUB BYTES SUB BYTES SHIFT ROWS SHIFT ROWS KEY ADD KEY ADD C 1 Dobraunig et al. [Dob+18a] C N 5 Robert Primas — CHES 2020

  23. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at x 0 z 0 • Masked AND-gate y 0 ~ • Naturally, when x and y are uniform R z y 1 then z has bias towards 0 0 1 0 1 z 1 x 1 Dobraunig et al. [Dob+18a] 5 Robert Primas — CHES 2020

  24. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at • Assume a fault causes difference in x 0 (to redundant computation) x 0 z 0 y 0 ~ R z y 1 0 1 z 1 x 1 Dobraunig et al. [Dob+18a] 5 Robert Primas — CHES 2020

  25. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at • Assume a fault causes difference in x 0 (to redundant computation) x 0 z 0 • Difference cancels if either: y 0 • y 0 , y 1 are both 0 ~ R z y 1 0 1 z 1 x 1 Dobraunig et al. [Dob+18a] 5 Robert Primas — CHES 2020

  26. Statistical Ineffective Fault Attacks on AES-128 www.tugraz.at • Assume a fault causes difference in x 0 (to redundant computation) x 0 z 0 • Difference cancels if either: y 0 • y 0 , y 1 are both 0 ~ R z • y 0 , y 1 are both 1 y 1 0 1 z 1 x 1 Dobraunig et al. [Dob+18a] 5 Robert Primas — CHES 2020

Recommend

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph

Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures Christoph Dobraunig, Maria Eichlseder, Hannes Gross, Stefan Mangard, Florian Mendel, Robert Primas ASIACRYPT 2018 IAIK - Graz University of Technology www.tugraz.at

1.02k views • 78 slides
SIFA Statistical Ineffective Fault Attacks Rump Session at CHES 2018 Based on work of:

SIFA Statistical Ineffective Fault Attacks Rump Session at CHES 2018 Based on work of:

SIFA Statistical Ineffective Fault Attacks Rump Session at CHES 2018 Based on work of: Christoph Dobraunig, Maria Eichlseder, Hannes Gro, Thomas Korak, Stefan Mangard, Florian Mendel, Robert Primas Are Protected Implementations Hard to

416 views • 17 slides
Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault

Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault

Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault tolerant programming are: Fault Detection - Knowing that a fault exists Fault Recovery - having atomic instructions that can be rolled back in

368 views • 18 slides
Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia

Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia

Introduction to Fault Attacks Josep Balasch KU Leuven ESAT / COSIC IACR Summer School 2015 Chia Laguna, Sardinia (Italy) 19 October 2015 Introduction to Fault Attacks 19 October 2015 What are fault attacks? Active attacks against

576 views • 27 slides
effective ineffective EXTERNAL effective ineffective INTERNAL focus focus

effective ineffective EXTERNAL effective ineffective INTERNAL focus focus

EXTERNAL focus BROAD NARROW INTERNAL effective ineffective EXTERNAL effective ineffective INTERNAL focus focus prepara%on self-talk emotional control emotional control frustra%on disappointment

320 views • 31 slides
JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK 2018, Kolkata, India 15 Nov 2018 Table of Contents 1. Introduction to Fault Attacks 2. Persistent Fault Analysis (PFA) 3. PFA on Fault

594 views • 19 slides
Protecting Against Fault Injection Attacks: from CRT-RSA to all Asymmetric Cryptography Pablo

Protecting Against Fault Injection Attacks: from CRT-RSA to all Asymmetric Cryptography Pablo

Protecting Against Fault Injection Attacks: from CRT-RSA to all Asymmetric Cryptography Pablo Rauzy Sylvain Guilley rauzy@enst.fr guilley@enst.fr pablo.rauzy.name perso.enst.fr/ guilley TELECOM ParisTech CNRS LTCI / COMELEC / SEN S

901 views • 64 slides
PROTECTING ECC AGAINST FAULT ATTACKS Marc Joye NutMiC 2019 Paris, June 2427, 2019

PROTECTING ECC AGAINST FAULT ATTACKS Marc Joye NutMiC 2019 Paris, June 2427, 2019

Innovation Centre PROTECTING ECC AGAINST FAULT ATTACKS Marc Joye NutMiC 2019 Paris, June 2427, 2019 September 26, 1996 Bellcores Researchers Break Smart Cards BELLCORE ATTACK (1/2) Computation of a signature S = ( m ) d mod N

507 views • 24 slides
Protecting the Control Flow of Embedded Processors against Fault Attacks Mario Werner 1 , Erich

Protecting the Control Flow of Embedded Processors against Fault Attacks Mario Werner 1 , Erich

W I S S E N T E C H N I K L E I D E N S C H A F T Protecting the Control Flow of Embedded Processors against Fault Attacks Mario Werner 1 , Erich Wenger 2 , and Stefan Mangard 1 , 1 Graz University of Technology 2 Infineon

554 views • 32 slides
Distributed Systems 5. Fault Tolerant Systems Fault-Tolerance - 1 Lszl Bszrmnyi

Distributed Systems 5. Fault Tolerant Systems Fault-Tolerance - 1 Lszl Bszrmnyi

Distributed Systems 5. Fault Tolerant Systems Fault-Tolerance - 1 Lszl Bszrmnyi Distributed Systems Fault tolerance A system or a component fails due to a fault Fault tolerance means that the system continues to provide its

431 views • 40 slides
SybilGuard: Defending Against Sybil Attacks SybilGuard: Defending Against Sybil Attacks via

SybilGuard: Defending Against Sybil Attacks SybilGuard: Defending Against Sybil Attacks via

SybilGuard: Defending Against Sybil Attacks SybilGuard: Defending Against Sybil Attacks via Social Networks via Social Networks Intel Research Pittsburgh / CMU Haifeng Yu National University of Singapore Michael Kaminsky Intel Research

508 views • 22 slides
Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms

Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms

Introduction Hash-based MACs State recovery Universal forgery Key-recovery Conclusion Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 1 / 59 Gatan Leurent Inria Rocquencourt,

1.71k views • 102 slides
Reverse Engineering of a Secret AES-like Cipher by Ineffective Fault Analysis Antoine Wurcker

Reverse Engineering of a Secret AES-like Cipher by Ineffective Fault Analysis Antoine Wurcker

Introduction Scope of the Attack Attack Steps Conclusion Reverse Engineering of a Secret AES-like Cipher by Ineffective Fault Analysis Antoine Wurcker Christophe Clavier antoine.wurcker@xlim.fr christophe.clavier@unilim.fr Universit e

536 views • 51 slides
SIFA: Exploiting Ineffective Fault Inductions on Symmetric Cryptography Christoph Dobraunig 1 ,

SIFA: Exploiting Ineffective Fault Inductions on Symmetric Cryptography Christoph Dobraunig 1 ,

SIFA: Exploiting Ineffective Fault Inductions on Symmetric Cryptography Christoph Dobraunig 1 , Maria Eichlseder 1 , Thomas Korak 2 , Stefan Mangard 1 , Florian Mendel 2 , Robert Primas 1 1 Graz University of Technology, Austria

733 views • 54 slides
blood, but against the rulers, against the authorities, against the powers of this dark world and

blood, but against the rulers, against the authorities, against the powers of this dark world and

For our struggle is not against flesh and blood, but against the rulers, against the authorities, against the powers of this dark world and against the spiritual forces of evil in the heavenly realms . Eph. 6:12 NIV But there are some Jews

665 views • 14 slides
REFUGE CONTAINER FIRE PREVENTION PREVENTING PROTECTING RESPONDING [etc] PREVENTING PROTECTING

REFUGE CONTAINER FIRE PREVENTION PREVENTING PROTECTING RESPONDING [etc] PREVENTING PROTECTING

REFUGE CONTAINER FIRE PREVENTION PREVENTING PROTECTING RESPONDING [etc] PREVENTING PROTECTING RESPONDING FIRE KILLS BIN FIRE RISKS DELIBERATE ACCIDENTAL PREVENTING PROTECTING RESPONDING BIN FIRE RISKS PREVENTING PROTECTING RESPONDING BIN

142 views • 10 slides
Redundant Booting with U-Boot Welcome to the Redundancy Theater Playhouse Thomas Rini 1 2

Redundant Booting with U-Boot Welcome to the Redundancy Theater Playhouse Thomas Rini 1 2

Redundant Booting with U-Boot Welcome to the Redundancy Theater Playhouse Thomas Rini 1 2 Overview Historically how redundancy has been developed and implemented What we have today And have had for a while What we'll have soon

358 views • 9 slides
Database Management Limitations of Relational Database Designs Systems Provides a set of

Database Management Limitations of Relational Database Designs Systems Provides a set of

Lecture 2 Database Management Limitations of Relational Database Designs Systems Provides a set of guidelines, does not result in a unique database schema Winter 2004 Does not provide a way of evaluating alternative schemas CMPUT

389 views • 17 slides
Automated Software Testing with Inferred Program Properties Tao Xie Dept. of Computer Science

Automated Software Testing with Inferred Program Properties Tao Xie Dept. of Computer Science

Automated Software Testing with Inferred Program Properties Tao Xie Dept. of Computer Science & Engineering University of Washington Joint work with David Notkin July 2004 Motivation Existing automated test generation tools are

640 views • 43 slides
Motivation Some expressions in a program may cause redundant recomputation of values. If such

Motivation Some expressions in a program may cause redundant recomputation of values. If such

Motivation Some expressions in a program may cause redundant recomputation of values. If such recomputation is safely eliminated, the program will usually become faster. There exist several redundancy elimination optimisations which attempt to

676 views • 37 slides
TRECVID-2006: Rushes Exploitation Task Alan Smeaton Dublin City University & Tzveta Ianeva

TRECVID-2006: Rushes Exploitation Task Alan Smeaton Dublin City University & Tzveta Ianeva

TRECVID-2006: Rushes Exploitation Task Alan Smeaton Dublin City University & Tzveta Ianeva NIST Rushes Exploitation Task Definition Goal: research about the feasibility of shifting to work on unproduced video; Develop a

394 views • 15 slides
Using Component Redundancy for adaptive, self-optimising and self-healing Component-Based Systems

Using Component Redundancy for adaptive, self-optimising and self-healing Component-Based Systems

Performance Engineering Laboratory Using Component Redundancy for adaptive, self-optimising and self-healing Component-Based Systems Ada Diaconescu, John Murphy Performance Engineering Laboratory Dublin City University Ada Diaconescu

354 views • 11 slides
Learning objectives Understand the basic principles undelying A&T techniques Grasp

Learning objectives Understand the basic principles undelying A&T techniques Grasp

Learning objectives Understand the basic principles undelying A&T techniques Grasp the motivations and applicability of the Basic Principles main principles (c) 2007 Mauro Pezz & Michal Young Ch 3, slide 1 (c) 2007 Mauro

304 views • 3 slides
Information theory " Information content of a message a boolean value

Information theory " Information content of a message a boolean value

Information theory " Information content of a message a boolean value "true"/"false" can be encoded as one bit without losing information: 1/0 a direction up/down/right/left: 2 bits the strings

446 views • 10 slides

More recommend

Explore More Topics

Stay informed with curated content and fresh updates.

animals pets art culture automotive transportation business finance computer internet construction architecture education-career electronics communication

Logo Sambuz

Unleash a World of Digital Possibilities—Browse, Share, and Explore Content Without Boundaries

Useful Links

About Us Privacy Services FAQ's Contact

Newsletter

Stay Informed & Inspired—Subscribe for the Latest Updates, Tips, and Exclusive Content Directly to Your Inbox.

Mail Us

mail@sambuz.com

2026 SAMBUZ, All right reserved.