SoK: On DFA Vulnerabilities of Substitution-Permutation Networks
Recently, NIST launched a competition for lightweight cryptography, and a large number of ciphers are expected to be studied and analyzed under this competition. Apart from classical security, the candidates are expected to be analyzed against physical attacks. Differential Fault Analysis (DFA) is an invasive physical attack method for recovering key information from cipher implementations. To date, almost all block ciphers have been shown to be vulnerable to DFA, and the attacks follow similar patterns. However, so far researchers have mostly focused on particular ciphers rather than cipher families, resulting in works that reuse the same idea for different ciphers.
In this article, we aim at bridging this gap, by providing a generic DFA attack method targeting Substitution-Permutation Network (SPN) based families of symmetric block ciphers. We provide an overview of the state-of-the-art of the fault attacks on SPNs, followed by generalized conditions that hold on all the ciphers of this design family. We show that for any SPN, as long as the fault mask injected before a non-linear layer in the last round follows a non-uniform distribution, the key search space can always be reduced. This shows that it is not possible to design an SPN-based cipher that is completely secure against DFA, without randomization.
Furthermore, we propose a novel approach to find good fault masks that can leak the key with a small number of instances. We then developed a tool, called Joint Difference Distribution Table (JDDT) for pre-computing the solutions for the fault equations, which allows us to recover the last round key with a very small number of pairs of faulty and non-faulty ciphertexts.
We evaluate our methodology on various block ciphers, including PRESENT-80, PRESENT-128, GIFT-64, GIFT-128, AES-128, LED-64, LED-128, Skinny-64-64, Skinny-128-128, PRIDE and PRINCE. The developed technique would allow automated DFA analysis of several candidates in the NIST competition.
Residual Vulnerabilities to Power Side-Channel Attacks of Lightweight Cipher Cryptography Competition Finalists
The protection of communications between Internet of Things (IoT) devices is of great concern because the information exchanged contains vital sensitive data. Malicious agents seek to exploit those data to extract secret information about the owners or the system. Power side-channel attacks are of great concern on these devices because their power consumption unintentionally leaks information correlatable to the device's secret data. Several studies have demonstrated the effectiveness of authenticated encryption with associated data in protecting communications with these devices. A comprehensive evaluation of the seven (out of 10) algorithm finalists of the National Institute of Standards and Technology (NIST) IoT lightweight cipher competition that do not integrate built-in countermeasures is proposed. The study shows that, nonetheless, they still present some residual vulnerabilities to power side-channel attacks (SCA). For five ciphers, an attack methodology as well as the leakage function needed to perform correlation power analysis (CPA) is proposed. The authors assert that the security vulnerability of Ascon, Sparkle, and PHOTON-Beetle can generally be assessed under the security assumptions "Chosen ciphertext attack and leakage in encryption only, with nonce-misuse-resilience adversary (CCAmL1)" and "Chosen ciphertext attack and leakage in encryption only, with nonce-respecting adversary (CCAL1)", respectively. However, the security vulnerability of GIFT-COFB, Grain, Romulus, and TinyJambu can be evaluated more straightforwardly with publicly available leakage models and solvers. They can also be assessed simply by increasing the number of traces collected to launch the attack.
Automatic Characterization of Exploitable Faults: A Machine Learning Approach
Characterization of the fault space of a cipher to filter out a set of faults potentially exploitable for fault attacks (FA) is a problem with immense practical value. A quantitative knowledge of the exploitable fault space is desirable in several applications, like security evaluation, cipher construction and implementation, design and testing of countermeasures, etc. In this work, we investigate this problem in the context of block ciphers. The formidable size of the fault space of a block cipher mandates the use of automation to solve this problem, which should be able to characterize each individual fault instance quickly. On the other hand, the automation is expected to be applicable to most block cipher constructions. Existing techniques for automated fault attacks do not satisfy both of these goals simultaneously and hence are not directly applicable in the context of exploitable fault characterization. In this paper, we present a supervised machine learning (ML) assisted automated framework, which successfully addresses both of the criteria mentioned. The key idea is to extrapolate the knowledge of some existing FAs on a cipher to rapidly figure out new attack instances on the same cipher. Experimental validation of the proposed framework on two state-of-the-art block ciphers, PRESENT and LED, establishes that our approach is able to provide fairly good accuracy in identifying exploitable fault instances at a reasonable cost. Finally, the effect of different S-Boxes on the fault space of a cipher is evaluated utilizing the framework.
CRAFT: Lightweight Tweakable Block Cipher with Efficient Protection Against DFA Attacks
Traditionally, countermeasures against physical attacks are integrated into the implementation of cryptographic primitives after the algorithms have been designed to achieve a certain level of cryptanalytic security. This picture has been changed by the introduction of PICARO, ZORRO, and FIDES, where efficient protection against Side-Channel Analysis (SCA) attacks was considered in their design. In this work we present the tweakable block cipher CRAFT: the efficient protection of its implementations against Differential Fault Analysis (DFA) attacks has been one of the main design criteria, while we provide strong bounds for its security in the related-tweak model. Considering the area footprint of round-based hardware implementations, CRAFT outperforms the other lightweight ciphers with the same state and key size. This holds not only for unprotected implementations but also when fault-detection facilities, side-channel protection, and their combination are integrated into the implementation. In addition to supporting a 64-bit tweak, CRAFT has the additional property that the circuit realizing the encryption can support the decryption functionality as well with very little area overhead.
Analyse et Conception d'Algorithmes de Chiffrement Légers (Analysis and Design of Lightweight Encryption Algorithms)
The work presented in this thesis has been completed as part of the FUI Paclido project, whose aim is to provide new security protocols and algorithms for the Internet of Things, and more specifically wireless sensor networks. As a result, this thesis investigates so-called lightweight authenticated encryption algorithms, which are designed to fit into the limited resources of constrained environments. The first main contribution focuses on the design of a lightweight cipher called Lilliput-AE, which is based on the extended generalized Feistel network (EGFN) structure and was submitted to the Lightweight Cryptography (LWC) standardization project initiated by NIST (National Institute of Standards and Technology). Another part of the work concerns theoretical attacks against existing solutions, including some candidates of the NIST LWC standardization process. Therefore, some specific analyses of the Skinny and Spook algorithms are presented, along with a more general study of boomerang attacks against ciphers following a Feistel construction.
The work presented in this thesis was carried out within the FUI Paclido project, whose goal is to define new security protocols and algorithms for the Internet of Things, and more particularly wireless sensor networks. This thesis therefore focuses on authenticated encryption algorithms said to be low-cost or, equivalently, lightweight, which can be implemented on systems with very limited resources. A first part of the contributions concerns the design of the lightweight algorithm Lilliput-AE, based on an extended generalized Feistel network (EGFN) and submitted to the international Lightweight Cryptography (LWC) standardization project organized by NIST (National Institute of Standards and Technology).
Another part of the work concentrates on theoretical attacks carried out against already existing solutions, notably a number of candidates to the NIST LWC competition. It thus presents specific analyses of the Skinny and Spook algorithms as well as a more general study of boomerang-type attacks against Feistel schemes.
DEFAULT: Cipher-Level Resistance Against Differential Fault Attack
Differential Fault Analysis (DFA) is a well-known cryptanalytic technique that exploits faulty outputs of an encryption device. Despite its popularity and similarity with classical Differential Analysis (DA), a thorough analysis explaining DFA from a designer's point of view is missing in the literature. To the best of our knowledge, no block cipher immune to DFA at the algorithmic level has been proposed so far. Furthermore, all known DFA countermeasures depend in some way on the device/protocol or on the implementation, such as duplication/comparison. As all of these are outside the scope of the cipher designer, we focus on designing a primitive which can protect against DFA on its own. We present the first concept of cipher-level DFA resistance which neither relies on any device/protocol related assumption nor depends on any form of duplication. Our construction is simple, software/hardware friendly, and its DFA security scales up with the state size. It can be plugged before and/or after (almost) any symmetric key cipher and will ensure a non-trivial search complexity against DFA. One key component in our DFA protection layer is an SBox with linear structures. Such SBoxes have never been used in cipher design as they generally perform poorly against differential attacks. We argue that they in fact represent an interesting trade-off between good cryptographic properties and DFA resistance. As a proof of concept, we construct a DFA protecting layer, named DEFAULT-LAYER, as well as a full-fledged block cipher, DEFAULT. Our solutions compare favorably to the state of the art, offering advantages over sophisticated duplication-based solutions like impeccable circuits/CRAFT or infective countermeasures.
A Countermeasure Against Statistical Ineffective Fault Analysis
When considering practical attacks against cryptographic implementations, Fault Injection Attacks (FIA) are a powerful tool that can recover the secret key within a few encryptions. Over the past few decades they have become a well-studied topic among both academic and industry practitioners. Current state-of-the-art countermeasures against FIA provide good protection against analysis methods that require the difference between the correct and faulty ciphertext to derive the secret information, such as Differential Fault Analysis (DFA) or collision fault analysis. However, recent progress in Ineffective Fault Analysis (IFA) and Statistical IFA (SIFA) constitutes a real threat to cryptographic implementations: such methods cannot be thwarted by standard FIA countermeasures, which focus on detecting a change in the intermediate data. In this paper, we present a novel method based on error-correcting codes that protects implementations against SIFA. We design a set of universal error-correcting gates that can be used for block cipher implementations. We analyze a hardware implementation of protected GIFT-64 and show that our method provides 100% protection against SIFA.