
    Floating Fault Analysis of Trivium under Weaker Assumptions

    Trivium is a hardware-oriented stream cipher and one of the ciphers finally selected for the eSTREAM portfolio. Michal Hojsik and Bohuslav Rudolf presented an effective attack on Trivium, named floating fault analysis, at INDOCRYPT 2008. Their attack makes use of fault injection and of the fault float. In this paper we present an improvement of this attack that works under the following weaker and more practical assumptions: the fault can be injected into the state at a random time, and the fault bits lie in one of the three NFSRs chosen at random, within a random area of 8 neighboring bits. We present a checking method by which either the injection time and the fault positions, or the state differential at a known time, can be determined; either determination is enough for the floating attack. After the determination the attacker obtains, on average, 67.167 additional linear equations from the 82 original quadratic equations and 66 additional quadratic equations from the 66 original cubic equations.

    Fault Attack on FPGA implementations of Trivium Stream Cipher

    This article presents an experimental system for introducing faults into Trivium stream ciphers implemented on FPGA. The system makes it possible to analyze the vulnerability of these implementations to fault attacks. It consists of a mechanism that injects short pulses into the clock signal, and elements that determine whether a fault has been introduced, how many faults were introduced and their positions in the inner state. The results obtained demonstrate the vulnerability of these implementations to fault attacks. As far as we know, this is the first time that experimental results of a fault attack on Trivium are presented.
    Funding: Ministerio de Economía y Competitividad TEC2010-16870, TEC2013-45523-R and CSIC 201550E039

    Fault Injection on FPGA implementations of Trivium Stream Cipher using Clock Attacks

    Funding: Ministerio de Economía y Competitividad TEC2010-16870, TEC2013-45523-R and CSIC 201550E03

    A Security Analysis of IoT Encryption: Side-channel Cube Attack on Simeck32/64

    Simeck is a lightweight block cipher proposed as one of the encryption algorithms that can be employed in Internet of Things (IoT) applications. This paper therefore analyzes the security of the Simeck32/64 block cipher against the side-channel cube attack. We mount our attack on Simeck32/64 under the Hamming weight leakage assumption to extract linearly independent equations in the key bits. We were able to find 32 linearly independent equations in 32 key variables by considering only the second bit from the LSB of the Hamming weight leakage of the internal state in the fourth round of the cipher. This improves on previous attacks on Simeck32/64 in the side-channel attack model, with better time and data complexities of 2^35 and 2^11.29 respectively.
    Comment: 12 pages, 6 figures, 4 tables, International Journal of Computer Networks & Communication

    Integrated circuit design and security of cryptographic circuits against attacks (Diseño de circuitos integrados y seguridad de circuitos criptográficos frente a ataques)

    Many electronic systems include devices that implement cryptographic algorithms to encrypt stored information. But even if the algorithms are very secure, these devices can reveal some information because of their physical implementation, through so-called side-channel attacks. These attacks use information obtained during the operation of the circuit to learn about the key in use. The physical implementation of cryptographic devices must therefore be designed with care, to minimize the possibility of leaking information through such attacks. In our research we analyze the vulnerability of implementations of cryptographic circuits, mainly private-key ciphers, to passive and active side-channel attacks. Passive attacks obtain information about the stored key by measuring physical quantities such as power consumption or electromagnetic radiation during the operation of the circuit; active attacks alter the operating conditions to introduce faults and compare the outputs with and without faults. In this paper we present a brief summary of the state of the art in side-channel attacks on hardware implementations of ciphers, some of the topics we are working on and some results obtained by our research group.
    Funding: Junta de Andalucía CRIPTO-BIO (Diseño Microelectrónico para Autenticación Cripto-Biométrica); Ministerio de Ciencia y Tecnología (España) P08-TIC3674, CITIES (Circuitos Integrados para transmisión de información especialmente segura); Ministerio de Economía y Competitividad (España) TEC2010-16870 and CESAR (Circuitos microelectrónicos seguros frente a ataques laterales) and TEC2013-45523-

    Floorplanning as a practical countermeasure against clock fault attack in Trivium stream cipher

    Fault injection into the operation of a cipher is a very successful way to attack it, and including protection against this kind of attack is increasingly necessary. Such protection is usually based on introducing redundancy, which leads to greater resource consumption or longer processing time. This article shows how placement restrictions on a cipher can make it harder to inject faults by altering the clock signal; it is therefore a countermeasure that increases neither resource consumption nor processing time. The mechanism has been tested on FPGA implementations of the Trivium cipher. Several tests were performed on a Xilinx Spartan 3E device and the experimental measurements were carried out with ChipScope Pro. The tests showed that adequate floorplanning is a good countermeasure against this kind of attack.
    Funding: Ministerio de Economía y Competitividad TEC2013-45523-R, TEC2016-80549-R and CSIC 201550E03

    Encryption AXI Transaction Core for Enhanced FPGA Security

    The current hot topics in cyber-security are not confined to the software layers. As attacks on electronic circuits have become more common and more dangerous, hardening digital Systems-on-Chip has become crucial. This article presents a novel electronic core to encrypt and decrypt data between two digital modules over an Advanced eXtensible Interface (AXI) connection. The core is AXI-compatible and is based on the Trivium stream cipher. Its implementation has been tested on a Zynq platform. The core prevents unauthorized data extraction by encrypting data on the fly. In addition, it occupies a small area, 242 LUTs, and, since the core's AXI-to-AXI path is fully combinational, it does not affect the system's overall performance, supporting a maximum AXI clock frequency of 175 MHz.
    Funding: This work has been supported within the fund for research groups of the Basque university system IT1440-22 by the Department of Education and within the PILAR ZE-2020/00022 and COMMUTE ZE-2021/00931 projects by the Hazitek program, both of the Basque Government, the latter also by the Ministerio de Ciencia e Innovación of Spain through the Centro para el Desarrollo Tecnológico Industrial (CDTI) within the projects IDI-20201264 and IDI-20220543 and through the Fondo Europeo de Desarrollo Regional 2014-2020 (FEDER funds)

    Fault Analysis of the KATAN Family of Block Ciphers

    In this paper we investigate the security of the KATAN family of block ciphers against differential fault attacks. KATAN consists of three variants with 32, 48 and 64-bit block sizes, called KATAN32, KATAN48 and KATAN64, respectively. All three variants have the same key length of 80 bits. We assume a single-bit fault injection model in which the adversary is assumed to be able to corrupt a single random bit of the internal state of the cipher, and this fault injection process can be repeated (by resetting the cipher); i.e., the faults are transient rather than permanent. First, we determine suitable rounds for effective fault injection by analyzing the distributions of low-degree (mainly linear and quadratic) polynomial equations obtainable using the cube and extended cube attack techniques. Then we show how to identify the exact position of the faulty bits within the internal state by precomputing difference characteristics for each bit position at a given round and comparing these characteristics with the ciphertext differences (XOR of faulty and non-faulty ciphertexts) during the online phase of the attack. The complexity of our attack on KATAN32 is 2^59 computations and about 115 fault injections. For KATAN48 and KATAN64 the attack requires 2^55 computations (for both variants), while the required number of fault injections is 211 and 278, respectively.
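The localisation step described in the KATAN abstract above (precompute the output difference each single-bit fault would cause at a given position, then match it against the observed difference) carried out on Trivium, the cipher targeted by the fault-injection entries earlier on this page; the white-box state comparison at the end models what the FPGA test rig of those entries reports. This is an added example written for this page, not code from any of the listed papers. It assumes the attacker can reset the cipher and run it twice from the same key and IV, once clean and once with a single state bit flipped just before keystream bit `t_inject`, and that `t_inject` is known (the random-time setting of the first entry is not handled). The key, IV, fault position and injection time in `demo()` are constructed values.

```python
"""Single-bit fault injection on Trivium and fault localisation from keystream differences.

Added example; not code from any of the listed papers.  Assumed attack model:
the cipher can be reset and run twice from the same key/IV, once clean and once
with a single state bit flipped just before output number t_inject, and the
attacker knows t_inject.  Key/IV are bit lists (key bit i -> s_{i+1}, IV bit i -> s_{94+i}).
"""
import random

STATE_BITS = 288
# A difference produced by an AND gate needs at least 66 clocks to reach an
# output tap (t2's AND feeds s178, 65 clocks from s243; t3's AND feeds s1,
# 65 clocks from s66).  Until then only shifts and XORs move the fault, so the
# first 66 differential keystream bits depend on the fault position alone.
SIGNATURE_WINDOW = 66


def clock(s):
    """One Trivium clock on the 288-bit state list s (s[i] is s_{i+1}); returns z."""
    t1 = s[65] ^ s[92]
    t2 = s[161] ^ s[176]
    t3 = s[242] ^ s[287]
    z = t1 ^ t2 ^ t3
    t1 ^= (s[90] & s[91]) ^ s[170]
    t2 ^= (s[174] & s[175]) ^ s[263]
    t3 ^= (s[285] & s[286]) ^ s[68]
    s[0:93] = [t3] + s[0:92]
    s[93:177] = [t1] + s[93:176]
    s[177:288] = [t2] + s[177:287]
    return z


def trivium_state(key_bits, iv_bits):
    """Load an 80-bit key and 80-bit IV and run the 4*288 warm-up clocks."""
    assert len(key_bits) == 80 and len(iv_bits) == 80
    s = list(key_bits) + [0] * 13 + list(iv_bits) + [0] * 4 + [0] * 108 + [1, 1, 1]
    for _ in range(4 * STATE_BITS):
        clock(s)
    return s


def keystream(s, n):
    """Emit n keystream bits, advancing state s in place."""
    return [clock(s) for _ in range(n)]


def diff_signature(state, pos, n=SIGNATURE_WINDOW):
    """XOR of the next n keystream bits with and without bit `pos` flipped now."""
    clean, faulty = list(state), list(state)
    faulty[pos] ^= 1
    return tuple(a ^ b for a, b in zip(keystream(clean, n), keystream(faulty, n)))


def build_signature_table(seed=0):
    """Signature -> list of fault positions that produce it.  The state is an
    arbitrary seeded random one: inside the window the signature does not
    depend on the state, so any state gives the same table."""
    rng = random.Random(seed)
    state = [rng.randrange(2) for _ in range(STATE_BITS)]
    table = {}
    for pos in range(STATE_BITS):
        table.setdefault(diff_signature(state, pos), []).append(pos)
    return table


def locate_fault(table, clean_ks, faulty_ks, t_inject):
    """Candidate positions (0-based) of a single-bit fault injected just before
    output t_inject, from the clean and faulty keystreams.  An all-zero window
    maps to s94..s96, whose fault cannot reach an output tap within 66 clocks,
    so that answer also covers 'no fault was injected'."""
    w = slice(t_inject, t_inject + SIGNATURE_WINDOW)
    sig = tuple(a ^ b for a, b in zip(clean_ks[w], faulty_ks[w]))
    return sorted(table.get(sig, []))


def faulted_keystream(key_bits, iv_bits, n, t_inject, pos):
    """Model of the lab rig: emit t_inject bits, flip one state bit, carry on."""
    s = trivium_state(key_bits, iv_bits)
    ks = keystream(s, t_inject)
    s[pos] ^= 1
    return ks + keystream(s, n - t_inject)


def diagnose_state(clean_state, faulty_state):
    """White-box check available on a test rig: which state bits differ."""
    return [i for i, (a, b) in enumerate(zip(clean_state, faulty_state)) if a != b]


def demo(pos=200, t_inject=40, n=200):
    """Constructed scenario: random key/IV, fault in s201 before output 40."""
    rng = random.Random(2024)                       # constructed key/IV, not a test vector
    key = [rng.randrange(2) for _ in range(80)]
    iv = [rng.randrange(2) for _ in range(80)]
    table = build_signature_table()
    clean = keystream(trivium_state(key, iv), n)
    faulty = faulted_keystream(key, iv, n, t_inject, pos)
    cands = locate_fault(table, clean, faulty, t_inject)
    print(f"true fault position s{pos + 1}; candidates from the "
          f"{SIGNATURE_WINDOW}-bit key-independent window: {[c + 1 for c in cands]}")
    return cands


if __name__ == "__main__":
    demo()
```

Because the first 66 differential bits involve only shifts and XORs, the signature table can be built from any state and needs no knowledge of the key; the price is that several positions share a signature (a fault in s1..s39, for instance, shows up in the window only once, at a time that other registers can also produce), so `locate_fault` returns a candidate set rather than a single position. Narrowing that set further needs the key-dependent bits after the window, which is where the equation systems of the fault-analysis papers on this page begin.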

    Vulnerability and differential analysis by fault insertion of Trivium ciphers in FPGA and ASIC (Vulnerabilidad y análisis diferencial mediante inserción de fallos de cifradores Trivium en FPGA y ASIC)

    Communication between devices grows day by day, and a prime example is the growth of the Internet of Things (IoT). Part of all this traffic consists of sensitive information that could be intercepted by third parties with malicious intent. To avoid this major problem, the scientific community has focused on the constant search for and development of cryptographic algorithms, or cryptosystems, oriented to both software and hardware, that make it possible to secure communications over transmission channels that are potentially insecure. In order to establish new security standards, the security offered by new algorithms must be studied from the point of view of their vulnerability, with the aim of reducing it. The vulnerabilities of these so-called cryptosystems can be studied by taking the role of a third party that tries to obtain the secret information of the device and thereby learn where its weak points lie. This is the setting of this doctoral thesis. Throughout the text, the state of the art of cryptography is reviewed, together with the most important techniques for compromising the security of current cryptosystems; the object of study is the Trivium stream cipher, both the original design presented in the eSTREAM project portfolio and different variants of it. To study the vulnerability of these cryptosystems and recover their secret information, different fault-insertion systems have been designed in both FPGA and ASIC technology. These attack systems were implemented to attack the cipher by manipulating its clock signal and its control signals.
    Thanks to these experimental attack systems it is possible to determine the weak points of these cryptosystems and, by means of differential analysis, recover their secret information, the key and the initialization vector. This study therefore presents the first experimental break of this cipher, recovering its secret key in 100% of cases and proving that this cryptosystem is vulnerable to fault-insertion attacks.