Linear Fault Analysis of Block Ciphers

Zhiqiang Liu (1), Dawu Gu (1), Ya Liu (1), Wei Li (2)

1. Shanghai Jiao Tong University   2. Donghua University

ACNS 2012, June 28, 2012

Shanghai Jiao Tong University

http://LoCCS.sjtu.edu.cn

Outline

Brief Introduction of Fault Attack

A New Extension to Fault Attack: Linear Fault Analysis (LFA)

A Key Recovery Attack on SERPENT by Using LFA

Conclusion and Discussion


Brief Introduction of Fault Attack (1/5)

Fault analysis is a class of implementation attacks that disturb cryptographic computations so as to recover secret keys.

In 1996, Boneh, DeMillo and Lipton first proposed the idea of fault attacks (the full paper appeared at Eurocrypt 1997).

In Crypto 1997, Biham and Shamir presented an extension of the above approach, Differential Fault Analysis (DFA).


Brief Introduction of Fault Attack (2/5)

About fault injection: an attacker can deliberately interfere with the normal operation of a device (voltage variations, clock glitches, laser illumination) so as to induce faults.

A laser of suitable energy and wavelength can target fixed parts of memory or registers without damaging them, inducing a single-bit or single-byte error at a chosen point of the internal state with good precision.


Brief Introduction of Fault Attack (3/5)

Basic idea of differential fault analysis (DFA):

[Figure: a cryptographic device runs its cryptographic procedure on the input X = 1|1|0|0|1|0|1|0. Without a fault the output is Y = 0|1|0|0|0|0|1|1. A fault injected into an internal round (the figure lists radiation, X-ray and micro-probing as means) alters the internal state (1|0|0|0|0|0|1|1 versus 1|0|0|0|1|0|1|1 in the figure) and the output becomes Y* = 1|1|0|1|1|1|0|1. The attacker works with the difference ΔY = Y ⊕ Y* = 1|0|0|1|1|1|1|0.]


Brief Introduction of Fault Attack (4/5)

Research work with respect to DFA: DFA has been used as an effective cryptanalytic tool to evaluate the security of various block ciphers such as DES, AES, IDEA, CLEFIA, SMS4, ARIA, Camellia, and so on.

Some extensions to DFA have been presented in order to make fault attacks more efficient.


Brief Introduction of Fault Attack (5/5)

General countermeasure against DFA: DFA techniques basically target the last few rounds of a block cipher, i.e., faults are triggered in the last few rounds of the cipher so as to induce information leakage.

The general countermeasure against DFA is therefore to protect the last few rounds of the cipher by means of redundancy.

For cost reasons, practical implementations that thwart DFA protect as few rounds as possible.


A New Extension to Fault Attack: Linear Fault Analysis (LFA) (1/8)

We first apply the idea of linear cryptanalysis to fault attacks and present a new fault attack on block ciphers called linear fault analysis (LFA).

Fault model and assumption in LFA: a random single-bit/single-byte fault model, with the fault induced at some fixed round. The values and positions (within the affected round) of the faults injected by the attacker are unknown and randomly distributed.


A New Extension to Fault Attack: Linear Fault Analysis (LFA) (2/8)

Basic idea of LFA: [figure not reproduced]


A New Extension to Fault Attack: Linear Fault Analysis (LFA) (3/8)

How LFA works?

Let E be a block cipher and decompose it as $E = E_1 \circ E_0$.

Let $\Gamma_P \cdot P \oplus \Gamma_C \cdot C = \Gamma_K \cdot K$ (also denoted $\Gamma_P \to \Gamma_C$) be a linear approximation for $E_1$ with probability $\tfrac{1}{2} + \varepsilon$.

Let $S_{\Gamma_P \to \Gamma_C}$ be the set of all bits of $P$ involved in the term $\Gamma_P \cdot P$.

Suppose that an attacker can induce single-bit faults at the input of $E_1$ repeatedly and that the error bits do not belong to $S_{\Gamma_P \to \Gamma_C}$. Then the attacker can derive an effective distinguisher for the cipher $E$: with $C_1$ the right and $C_2$ the faulty output, $\Gamma_C \cdot C_1 \oplus \Gamma_C \cdot C_2 = 0$ holds with probability $\tfrac{1}{2} + 2\varepsilon^2$.
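Derivation of the distinguisher probability (added here; the slides state the result without proof). Write the linear approximation for the right and for the faulty computation, with $P^* = P \oplus \Delta$ the faulty input of $E_1$ and error terms $e_1, e_2$ such that $\Pr[e_j = 0] = \tfrac{1}{2} + \varepsilon$:
$$\Gamma_P \cdot P \oplus \Gamma_C \cdot C_1 = \Gamma_K \cdot K \oplus e_1, \qquad \Gamma_P \cdot P^* \oplus \Gamma_C \cdot C_2 = \Gamma_K \cdot K \oplus e_2 .$$
XORing the two equations removes the unknown key bit:
$$\Gamma_C \cdot C_1 \oplus \Gamma_C \cdot C_2 = \Gamma_P \cdot \Delta \oplus e_1 \oplus e_2 .$$
If the single faulty bit is not in $S_{\Gamma_P \to \Gamma_C}$ then $\Gamma_P \cdot \Delta = 0$, and by the piling-up lemma (treating $e_1$ and $e_2$ as independent)
$$\Pr[e_1 \oplus e_2 = 0] = \bigl(\tfrac{1}{2} + \varepsilon\bigr)^2 + \bigl(\tfrac{1}{2} - \varepsilon\bigr)^2 = \tfrac{1}{2} + 2\varepsilon^2 .$$
If the faulty bit lies in $S_{\Gamma_P \to \Gamma_C}$ then $\Gamma_P \cdot \Delta = 1$ and the parity equals 1 with the same probability, which is the second case used on slide 6/8.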


A New Extension to Fault Attack: Linear Fault Analysis (LFA) (4/8)

How LFA works? (continued)

Based on the above distinguisher, we can mount a key recovery attack on $E' = E_2 \circ E = E_2 \circ E_1 \circ E_0$ by guessing part of the subkey information used in $E_2$.

Attack procedure:

Step 1. Given the linear characteristic $\Gamma_P \to \Gamma_C$ for $E_1$, collect $N$ pairs of ciphertexts, the $i$-th pair consisting of a right ciphertext $C_1^i$ under $E'$ and the corresponding faulty ciphertext $C_2^i$ obtained by injecting a single-bit fault at any position of the input of $E_1$, where $1 \le i \le N$.


A New Extension to Fault Attack: Linear Fault Analysis (LFA) (5/8)

How LFA works? (continued)

Step 2. Let $K_g$ denote the subkey information involved in the term $\Gamma_C \cdot E_2^{-1}(C_j^i)$. Then for each possible value of $K_g$:

Initialize a counter $T_{K_g}$ to 0.

For each ciphertext pair $(C_1^i, C_2^i)$, partially decrypt $C_1^i$ and $C_2^i$ and compute the parity of $\Gamma_C \cdot E_2^{-1}(C_1^i) \oplus \Gamma_C \cdot E_2^{-1}(C_2^i)$. If the parity is 0, increase $T_{K_g}$ by 1; otherwise decrease it by 1.

Store the value of $K_g$ together with $|T_{K_g}|$.

Step 3. Compare the stored values over all possible $K_g$ and take as the correct key information the value of $K_g$ whose $|T_{K_g}|$ is maximal.


A New Extension to Fault Attack: Linear Fault Analysis (LFA) (6/8)

Why does the above attack work?

Case 1: the guessed value of $K_g$ is correct.

For any ciphertext pair $(C_1^i, C_2^i)$ in which $C_2^i$ is derived by inducing a single-bit fault at the input of $E_1$ such that the error bit is not in the set $S_{\Gamma_P \to \Gamma_C}$, the equation $\Gamma_C \cdot E_2^{-1}(C_1^i) \oplus \Gamma_C \cdot E_2^{-1}(C_2^i) = 0$ holds with probability $\tfrac{1}{2} + 2\varepsilon^2$.

For any ciphertext pair $(C_1^i, C_2^i)$ in which $C_2^i$ is obtained by injecting a single-bit fault at the input of $E_1$ such that the error bit belongs to the set $S_{\Gamma_P \to \Gamma_C}$, the equation $\Gamma_C \cdot E_2^{-1}(C_1^i) \oplus \Gamma_C \cdot E_2^{-1}(C_2^i) = 1$ holds with probability $\tfrac{1}{2} + 2\varepsilon^2$.

Thus in this case $|T_{K_g}|$ can be estimated as
$$|T_{K_g}| \approx 4\varepsilon^2 N \,\Bigl| 1 - 2\,\#(S_{\Gamma_P \to \Gamma_C})/m \Bigr|,$$
where $m$ is the number of bit positions at the input of $E_1$ over which the fault is uniformly distributed and $\#(S_{\Gamma_P \to \Gamma_C})$ is the size of the set: a pair contributes $+1$ with probability $\tfrac{1}{2} + 2\varepsilon^2$ and $-1$ otherwise (mean $4\varepsilon^2$) when the fault misses the set, and the opposite when it hits it.


A New Extension to Fault Attack: Linear Fault Analysis (LFA) (7/8)

Why does the above attack work? (continued)

Case 2: the guessed value of $K_g$ is wrong.

According to the wrong-key randomization hypothesis, a wrong guess of $K_g$ results in a random-looking parity of $\Gamma_C \cdot E_2^{-1}(C_1^i) \oplus \Gamma_C \cdot E_2^{-1}(C_2^i)$.

Thus in this case $|T_{K_g}|$ is close to 0.

Therefore, given sufficiently many ciphertext pairs $(C_1^i, C_2^i)$, the above key recovery attack distinguishes the correct value of $K_g$ from all wrong guesses.


A New Extension to Fault Attack: Linear Fault Analysis (LFA) (8/8)

The number of ciphertext pairs required in our key recovery attack can be estimated by
$$N \approx \frac{c}{4\varepsilon^4 \,\bigl| 1 - 2\,\#(S_{\Gamma_P \to \Gamma_C})/m \bigr|^2},$$
where $c$ is a small constant: the counter of the correct key has expectation $4\varepsilon^2 N \,|1 - 2\,\#(S_{\Gamma_P \to \Gamma_C})/m|$ and standard deviation about $\sqrt{N}$, and the former must exceed the latter by a constant factor.

Moreover, a similar result can be derived for linear fault analysis under the single-byte fault model.
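The following Python program is an added example (not code from the paper or its authors) that runs Steps 1 to 3 above against a 16-bit toy SPN built for the purpose. $E_1$ is three rounds of a 4-bit S-box layer, a bit permutation and a key addition; $E_2$ is a Serpent-style last round, an S-box layer (here two 8-bit S-boxes) followed by a key addition. The S-boxes, the permutation, the round keys, the sample sizes and every function name are constructed for this example; $E_0$ is not modelled, its output $x$ is simply drawn at random. The 4-bit S-box is chosen so that "output bit 1 = input bit 1" holds on 12 of its 16 inputs, which gives a three-round single-bit trail whose bias is exactly $\varepsilon = 1/16$ (the program verifies this over all $2^{16}$ inputs). It then collects $N$ right/faulty ciphertext pairs with a random single-bit fault at the input of $E_1$, computes $T_{K_g}$ for all 256 guesses of the key byte that $\Gamma_C \cdot E_2^{-1}(C)$ depends on, and prints the ranking next to the slides' estimates $\tfrac{1}{2} + 2\varepsilon^2$ and $N \approx c/(4\varepsilon^4 |1 - 2\,\#S/m|^2)$. Two caveats the output makes visible: in a cipher this small a fault often never reaches the S-box whose output $\Gamma_C$ selects, so the measured parity bias of the correct key is well above the generic $\tfrac{1}{2} + 2\varepsilon^2$ and far fewer pairs than the formula suggests already suffice; and the one fault position inside $S_{\Gamma_P \to \Gamma_C}$ does not show the parity-1 bias of Case 1, because the near-linear S-box bit makes the faulty approximation error depend on the original one instead of being independent of it.

```python
"""LFA (Steps 1-3 of the slides) against a 16-bit toy SPN.  Added example: the
cipher, S-boxes, permutation, keys and sample sizes are constructed, not the paper's."""
import random
from collections import Counter

# 4-bit S-box built so that output bit 1 equals input bit 1 on 12 of the 16
# inputs (it fails exactly on {0, 3, 5, 6}): "bit 1 -> bit 1" has bias 1/4.
SBOX = [0xE, 0xC, 0x3, 0x1, 0x9, 0xB, 0x5, 0x7,
        0xD, 0x4, 0xF, 0x6, 0x0, 0x8, 0x2, 0xA]
# 8-bit S-box for the last round: inversion modulo 257 (0 -> 0), a bijection on
# 0..255 with no XOR-linear structure; any good 8-bit S-box would do here.
S8 = [0] + [pow(x, 255, 257) for x in range(1, 256)]
S8_INV = [S8.index(v) for v in range(256)]
# P-layer: bit i of nibble j moves to bit i of nibble (j+i) mod 4, so bit 1 hops
# along nibbles 0 -> 1 -> 2 -> 3 (the trail) while the other bits spread out.
PERM = [4 * ((p // 4 + p % 4) % 4) + p % 4 for p in range(16)]
SL = [SBOX[x & 0xF] | SBOX[x >> 4 & 0xF] << 4 | SBOX[x >> 8 & 0xF] << 8
      | SBOX[x >> 12] << 12 for x in range(1 << 16)]      # 4-bit S-box layer
ROUND = [sum(1 << PERM[p] for p in range(16) if y >> p & 1) for y in SL]
_keys = random.Random(2012)                    # constructed round keys
K1, K2, K3, K4 = (_keys.getrandbits(16) for _ in range(4))
KG_TRUE = K4 >> 8                              # the key byte the attack recovers

def E1(x):
    """Three rounds of (S-layer, P-layer, key addition); the fault hits x."""
    return ROUND[ROUND[ROUND[x] ^ K1] ^ K2] ^ K3

def E2(y):
    """Last round, Serpent-style: S-box layer (two 8-bit S-boxes), then key."""
    return (S8[y & 0xFF] | S8[y >> 8] << 8) ^ K4

def encrypt(x):
    """E' = E2 o E1 o E0; E0 is not modelled, its output x is drawn uniformly."""
    return E2(E1(x))

# Approximation of E1: Gamma_P.P = input bit 1, Gamma_C.C = output bit 13, which
# is bit 5 of the byte that the upper S-box of E2 transforms.
GAMMA_P_BIT, GAMMA_C_BIT, M = 1, 13, 16
S_SET = {GAMMA_P_BIT}                          # S_{Gamma_P -> Gamma_C}
EPS = 2 ** 2 * (1 / 4) ** 3                    # piling-up lemma: 1/16

def bias_of_e1():
    """Exact bias of Gamma_P.P xor Gamma_C.C over all 2^16 inputs of E1."""
    zeros = sum((x >> GAMMA_P_BIT & 1) == (E1(x) >> GAMMA_C_BIT & 1)
                for x in range(1 << 16))
    return abs(zeros / (1 << 16) - 0.5)

def guess_parity(c, kg):
    """Gamma_C . E2^{-1}(C) under a guess kg for the upper byte of K4."""
    return S8_INV[(c >> 8) ^ kg] >> 5 & 1

def collect_pairs(n, rng):
    """Step 1: n (right ciphertext, faulty ciphertext, fault bit) records; the
    fault bit is random and unknown to the attacker (kept for statistics)."""
    out = []
    for _ in range(n):
        x, pos = rng.getrandbits(16), rng.randrange(M)
        out.append((encrypt(x), encrypt(x ^ 1 << pos), pos))
    return out

def key_recovery(pairs):
    """Steps 2-3: T_kg for all 256 guesses; only the upper ciphertext bytes
    matter, so equal (C1, C2) byte pairs are binned and counted once."""
    bins = Counter((c1 >> 8, c2 >> 8) for c1, c2, _ in pairs)
    counters = {}
    for kg in range(256):
        par = [S8_INV[b ^ kg] >> 5 & 1 for b in range(256)]
        counters[kg] = sum(n if par[a] == par[b] else -n
                           for (a, b), n in bins.items())
    return counters

def parity_zero_rates(pairs, kg):
    """Share of pairs with parity 0 under kg: (faults in S, faults outside S)."""
    hit = {True: [0, 0], False: [0, 0]}
    for c1, c2, pos in pairs:
        h = hit[pos in S_SET]
        h[0] += guess_parity(c1, kg) == guess_parity(c2, kg)
        h[1] += 1
    return hit[True][0] / hit[True][1], hit[False][0] / hit[False][1]

def pairs_needed(eps, s_size, m, c=8.0):
    """Slides' estimate N ~ c / (4 eps^4 |1 - 2 #S/m|^2), c a small constant."""
    return c / (4 * eps ** 4 * abs(1 - 2 * s_size / m) ** 2)

def run_attack(n=1 << 13, seed=1):
    pairs = collect_pairs(n, random.Random(seed))
    counters = key_recovery(pairs)
    ranking = sorted(range(256), key=lambda kg: -abs(counters[kg]))
    in_s, out_s = parity_zero_rates(pairs, KG_TRUE)
    return {"n": n, "counters": counters, "ranking": ranking,
            "rate_in_S": in_s, "rate_out_S": out_s}

if __name__ == "__main__":
    eps, r = bias_of_e1(), run_attack()
    print(f"trail bias {eps} (piling-up {EPS}); generic Pr[parity=0] = {0.5 + 2 * eps**2:.4f}")
    print(f"slides' N for c=8: {pairs_needed(eps, len(S_SET), M):.0f}; pairs used: {r['n']}")
    print(f"measured, right key: fault in S {r['rate_in_S']:.3f}, outside S {r['rate_out_S']:.3f}")
    print("largest |T|:", [(hex(k), r['counters'][k]) for k in r['ranking'][:3]], "true:", hex(KG_TRUE))
```

Two design choices are worth noting. $E_2$ uses an 8-bit S-box so that a wrong key byte really does randomize the parity as Case 2 assumes; with the 4-bit S-box of $E_1$ the sixteen wrong guesses are too structured for that hypothesis to hold well. And `key_recovery` first bins the pairs by the two ciphertext bytes that the partial decryption touches, so the 256 guesses cost 256 passes over at most $2^{16}$ bins rather than over $N$ pairs, the same bookkeeping used in practice when $\Gamma_C \cdot E_2^{-1}(C)$ depends on only a few ciphertext bits.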


A Key Recovery Attack on SERPENT by Using LFA (1/7)

SERPENT block cipher:

proposed by Anderson, Biham and Knudsen in 1998

as a candidate in the AES contest, it was rated just behind the winner Rijndael

classical SPN structure with 32 rounds

block size: 128 bits

key size: 128, 192 or 256 bits

[Schematic description of SERPENT: figure not reproduced]


A Key Recovery Attack on SERPENT by Using LFA (2/7)

Current status of fault analysis of SERPENT: so far there is no known fault attack on SERPENT that works by inducing faults at a round earlier than the penultimate round of the cipher.

Countermeasure against fault attacks on SERPENT: taking the cost and efficiency of the implementation into account, it could be implemented by protecting only the last two rounds of the cipher.

However, our attack shows that LFA can be a threat to such a protected implementation of SERPENT.


A Key Recovery Attack on SERPENT by Using LFA (3/7)

Assume that single-bit faults can be injected repeatedly, at random positions, at the input of round 29 (the third round from the last) of SERPENT.

We construct twelve 2-round linear characteristics $\Gamma_{P_i} \to \Gamma_{C_i}$ ($1 \le i \le 12$) covering rounds 29 and 30 of SERPENT.

From them we derive twelve distinguishers for the 31 rounds from round 0 to round 30 of SERPENT:
$$\Gamma_{C_i} \cdot \mathrm{SERPENT}_{lr}^{-1}(C_1) \oplus \Gamma_{C_i} \cdot \mathrm{SERPENT}_{lr}^{-1}(C_2) = 0, \qquad 1 \le i \le 12,$$
where $C_1$ and $C_2$ are a right and the corresponding faulty ciphertext and $\mathrm{SERPENT}_{lr}^{-1}$ denotes decryption of the last round (round 31) under a guess of its subkey.


A Key Recovery Attack on SERPENT by Using LFA (4/7)

Linear characteristics used in our attack:


A Key Recovery Attack on SERPENT by Using LFA (5/7)

Linear characteristics used in our attack (to continue):


A Key Recovery Attack on SERPENT by Using LFA (6/7)

Linear characteristics used in our attack (to continue):


A Key Recovery Attack on SERPENT by Using LFA (7/7)

By applying the above twelve distinguishers sequentially, we can recover all 128 bits of $K_{32}$.

Strip the last round by decrypting with $K_{32}$, and mount the same kind of attack on the reduced-round cipher so as to get the 128 bits of $K_{31}$.

Attack complexity:

data complexity: $2^{23.14}$ correct/faulty ciphertext pairs

time complexity: $2^{31.73}$ SERPENT encryptions

memory complexity: $2^{26.14}$ bytes


Conclusion and Discussion (1/2)

We have proposed a new extension to fault attacks on block ciphers, linear fault analysis (LFA), in which linear cryptanalysis is combined with fault attacks.

To illustrate the effectiveness of LFA, we have applied it to SERPENT and obtained the best fault-attack result on SERPENT known at the time of writing.


Conclusion and Discussion (2/2)

Note that our key recovery attack on SERPENT has a data complexity that seems impractical for real cryptographic devices, but it does show that LFA can be a potential threat to implementations of block ciphers that were previously considered protected against fault attacks.

For a block cipher, the number of protected rounds must be chosen very carefully in order to prevent security flaws while keeping the implementation economical and efficient. We hope that LFA can help in determining this number.


Q&A

Thanks!