Probabilistic Signature Based Framework for Differential Fault Analysis of Stream Ciphers
Differential Fault Attack (DFA) has received serious attention in the cryptographic literature, and very recently such attacks have been mounted against several popular stream ciphers, for example Grain v1, MICKEY 2.0 and Trivium, which are part of the eSTREAM hardware profile. The basic idea of a fault attack is the injection of faults, and the most general set-up considers faults at a random location and a random time. One then has to identify the exact location and the exact timing of the fault (as well as multi-bit faults) with the help of fault signatures. In this paper we consider this most general set-up and solve the fault-attack problem under a general framework in which probabilistic signatures are exploited. Our ideas subsume all the existing DFAs against the Grain family, MICKEY 2.0 and Trivium. In the process we provide improved fault attacks for all versions of the Grain family and also for MICKEY 2.0 (the attacks against Trivium are already quite optimal, so there is not much scope for improvement). Our generalized method can also handle the cases where certain keystream bits are missing because they are consumed for authentication. In particular, we show that the unsolved problem of identifying faults at random time for Grain-128a can be solved in this manner. Our techniques can easily be applied to mount a fault attack on any stream cipher of similar kind.
Fault-Analysis Attack on the HMAC and NMAC Message Authentication Code Algorithms
One of the important problems arising in the design and practical implementation of cryptosystems is providing countermeasures against side-channel attacks. Algorithms whose strength is beyond serious doubt from a purely mathematical point of view often turn out to be vulnerable to such attacks when implemented on a specific physical device. A fault-analysis attack is one variant of side-channel attack on a cryptosystem. Its essence is that the attacker actively influences the physical device that performs the computation (for example, a smart card). The faults caused by this influence are then analysed in order to recover the secret information stored inside the device. Such attacks are often significantly more efficient than passive side-channel attacks. Fault-analysis attacks were proposed more than 20 years ago. Since then, attacks have been successfully built on implementations of a number of symmetric and asymmetric cryptographic algorithms. A number of different methods of actively influencing the computation have also been proposed, exploiting specific physical effects and characteristics of the computing environment. Approaches to countering this kind of attack are also actively developing; both physical and purely mathematical methods are used for this. It should be noted, however, that cryptographic hash functions, and the more complex schemes that contain them as components (for example, some message authentication codes and digital signatures), are only marginally represented in this literature. It is important to note that the practical implementation of a specific attack requires a combination of the following factors: the possibility of a specific physical impact on the computation, an adequate mathematical model of that physical impact, and the purely mathematical component of the attack, that is, specific algorithms for introducing faults and analysing the results.
At the same time, the solution of each of these problems separately is of independent theoretical value. The results of this paper do not touch the physical component of the attack and are confined to the mathematics. In other words, specific algorithms for introducing faults and analysing the results are proposed, with a specific fault model considered known and given. Several such models are considered, based on analogous models previously proposed for other algorithms. Two standards for forming message authentication codes were chosen as the object of study: HMAC and NMAC. These standards can be based on any cryptographic hash function that provides the required level of security. The paper examines four examples of widely used hashes: MD5, MD4, SHA-1 and SHA-0. The main results of the paper are as follows:
- specific algorithms for introducing faults into the computation and for their subsequent analysis have been built, allowing the secret information (secret keys) to be recovered;
- estimates of the complexity of such attacks (in terms of the number of injected faults and the work factor of the subsequent analysis) have been found and justified for various combinations of parameters (algorithms and fault models);
- it has been shown that the attacks can be carried out in reasonable time.
Phase-shift Fault Analysis of Grain v1
This paper deals with the phase-shift fault analysis of the stream cipher Grain v1. We assume that the attacker is able to desynchronize the linear and nonlinear registers of the cipher during the keystream generation phase, either by forcing one of the registers to clock one more time while the other register is not clocked, or by preventing one of the registers from clocking while the other register is clocked. Using this technique, we are able to obtain the full inner state of the cipher in reasonable time (under 12 hours on a single PC) using 150 bits of unfaulted keystream, 600 bits of faulted keystreams and by correctly guessing 28 bits of the linear register.
Differential Fault Attack on Rasta and FiLIP-DSM
In this paper we propose a Differential Fault Attack (DFA) on two Fully Homomorphic Encryption (FHE) friendly stream ciphers, Rasta and FiLIP-DSM. The design of Rasta relies on affine layers and nonlinear layers, whereas FiLIP-DSM relies on permutations and a nonlinear filter function. Here we show that the secret key of these two ciphers can be recovered by injecting only a 1-bit fault in the initial state. Our DFA on full-round (6-round) Rasta with block size 219 requires only one block (i.e., 219 bits) of normal and faulty keystream bits. For our DFA on FiLIP-430 (one instance of FiLIP-DSM), we need 30000 normal and faulty keystream bits.
A Practical Attack on the Fixed RC4 in the WEP Mode
In this paper we revisit a known but ignored weakness of the RC4 keystream generator, where secret state information leaks into the generated keystream, and show that this leakage, also known as Jenkins' correlation or the RC4 glimpse, can be used to attack RC4 in several modes. Our main result is a practical key recovery attack on RC4 when an IV modifier is concatenated to the beginning of a secret root key to generate a session key. As opposed to the WEP attack from [FMS01], the new attack is applicable even when the first 256 bytes of the keystream are discarded, and its complexity grows only linearly with the length of the key. In an exemplifying parameter setting the attack recovers a 16-byte key in 2^48 steps using 2^17 short keystreams generated from different chosen IVs. A second attacked mode is when the IV follows the secret root key. We mount a key recovery attack that recovers the secret root key by analyzing a single word from each of 2^22 keystreams generated from different IVs, improving the attack from [FMS01] on this mode. A third result is an attack on RC4 that is applicable when the attacker can inject faults into the execution of RC4. The attacker derives the internal state and the secret key by analyzing 2^14 faulted keystreams generated from this key.
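The leakage the abstract calls the RC4 glimpse is easy to observe directly. The block below is an added example, not code from the paper: it implements RC4's KSA and PRGA, then measures over random 16-byte keys (constructed here) how often the two glimpse relations S[j] = i - z and S[i] = j - z hold after each PRGA step, next to an arbitrary control relation (S[j] = i + 7 - z, chosen here for comparison) that has no such structure. The glimpse relations land near 2/256, the control near 1/256.

```python
"""Added example: measuring the RC4 'glimpse' (Jenkins' correlation) in the PRGA."""
import random


def ksa(key):
    """RC4 key-scheduling algorithm: key bytes -> initial permutation S."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def prga(S, n):
    """Run n PRGA steps on S in place and yield (i, j, z) after each step's swap.

    S is mutated, so the consumer sees S[i] and S[j] exactly as they were
    when the output byte z was produced."""
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield i, j, S[(S[i] + S[j]) & 0xFF]


def glimpse_rates(n_keys=200, n_bytes=1024, key_len=16, seed=0):
    """Estimate, over random keys, P[S[j] == i - z], P[S[i] == j - z] and a control relation.

    Why the glimpse is ~2/256: z = S[S[i] + S[j]]. Whenever S[i] + S[j] == i
    (probability ~1/256) we get z = S[i], so S[j] == i - z holds for certain;
    otherwise it holds by chance with probability ~1/256. The same argument
    with S[i] + S[j] == j gives S[i] == j - z. The control relation
    S[j] == i + 7 - z has no such mechanism and stays near 1/256."""
    rng = random.Random(seed)
    hits_j = hits_i = control = total = 0
    for _ in range(n_keys):
        key = bytes(rng.getrandbits(8) for _ in range(key_len))  # constructed random key
        S = ksa(key)
        for i, j, z in prga(S, n_bytes):
            hits_j += S[j] == (i - z) & 0xFF
            hits_i += S[i] == (j - z) & 0xFF
            control += S[j] == (i + 7 - z) & 0xFF
            total += 1
    return hits_j / total, hits_i / total, control / total


if __name__ == "__main__":
    pj, pi, pc = glimpse_rates()
    print(f"P[S[j] = i - z] = {pj:.4f}  P[S[i] = j - z] = {pi:.4f}  "
          f"control = {pc:.4f}  (2/256 = {2 / 256:.4f}, 1/256 = {1 / 256:.4f})")
```

With 200 keys and 1024 bytes each the estimates have a standard error of roughly 0.0002, so the gap between the glimpse relations (about 0.0078) and the control (about 0.0039) is unmistakable. The attacks in the abstract turn this per-step leak into key recovery by collecting it over many keystreams with related keys; this block only shows the leak itself.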
A New Version of Grain-128 with Authentication
A new version of the stream cipher Grain-128 is proposed. The new version, Grain-128a, is strengthened against all known attacks and observations on the original Grain-128, and has built-in support for authentication. The changes are modest, keeping the basic structure of Grain-128. This gives high confidence in Grain-128a and allows for easy updating of existing implementations.
Fault Analysis of the KATAN Family of Block Ciphers
In this paper, we investigate the security of the KATAN family of block ciphers against differential fault attacks. KATAN consists of three variants with 32, 48 and 64-bit block sizes, called KATAN32, KATAN48 and KATAN64, respectively. All three variants have the same key length of 80 bits. We assume a single-bit fault injection model where the adversary is supposed to be able to corrupt a single random bit of the internal state of the cipher and this fault injection process can be repeated (by resetting the cipher); i.e., the faults are transient rather than permanent. First, we determine suitable rounds for effective fault injections by analyzing distributions of low-degree (mainly, linear and quadratic) polynomial equations obtainable using the cube and extended cube attack techniques. Then, we show how to identify the exact position of faulty bits within the internal state by precomputing difference characteristics for each bit position at a given round and comparing these characteristics with ciphertext differences (XOR of faulty and non-faulty ciphertexts) during the online phase of the attack. The complexity of our attack on KATAN32 is 2^59 computations and about 115 fault injections. For KATAN48 and KATAN64, the attack requires 2^55 computations (for both variants), while the required number of fault injections is 211 and 278, respectively.
Fault Location Identification By Machine Learning
As fault-based analysis techniques become more and more powerful, there is a need to streamline the existing tools for better accuracy and ease of use. In this regard, we propose a machine-learning-assisted tool that can be used in the context of a differential fault analysis. In particular, finding the exact fault location by analyzing the XOR of the fault-free and faulty output of a stream cipher, or of a stream-cipher-based design, is somewhat non-trivial. Traditionally, Pearson's correlation coefficient is used for this purpose. We show that a machine learning method is more powerful than the existing correlation coefficient, aside from being simpler to implement. As a proof of concept, we take two variants of Grain-128a (namely a stream cipher, and a stream cipher with authentication), and demonstrate that machine learning can outperform correlation with the same training/testing data. Our analysis shows that machine learning can be considered a replacement for correlation in future research.
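Both the probabilistic-signature framework described in the first abstract and the correlation baseline this abstract compares against rest on the same step: build, offline, a signature for every candidate fault location (the probability that each keystream-difference bit is 1 for a fault there), then match one observed difference against all signatures. The block below is an added example of that step and is not code from either paper. It uses a hypothetical 2x16-bit Grain-shaped toy cipher (autonomous LFSR, NFSR masked by the LFSR, nonlinear output filter; its taps, register size, keystream length and trial count are assumptions chosen here, and it is not Grain v1 or Grain-128a), single-bit faults at a known injection time, signatures estimated from random states, and two online matchers: a log-likelihood over the probabilistic signature and the classical Pearson correlation. The machine-learning classifier of the abstract is not reproduced; the general set-up in which the fault time is also unknown would add time-shifted copies of each signature to the candidate set.

```python
"""Added example: probabilistic fault signatures and fault-location identification
for a hypothetical 2x16-bit Grain-shaped toy cipher (not Grain v1 and not any paper's code)."""
import functools
import math
import random

N = 16              # register length (assumption; Grain v1 uses 80-bit registers)
KEYSTREAM_LEN = 40  # keystream bits observed after the fault (assumption)
TRIALS = 400        # random states sampled per location when building a signature


def clock(lfsr, nfsr):
    """Advance both registers one step in place and return the keystream bit."""
    z = nfsr[0] ^ lfsr[1] ^ lfsr[4] ^ (lfsr[6] & nfsr[9])          # linear taps plus one AND
    l_new = lfsr[0] ^ lfsr[2] ^ lfsr[3] ^ lfsr[5]                  # autonomous LFSR
    n_new = (lfsr[0] ^ nfsr[0] ^ nfsr[3] ^ nfsr[5]                 # NFSR masked by l0
             ^ (nfsr[1] & nfsr[2]) ^ (nfsr[4] & nfsr[6]))
    lfsr.append(l_new); lfsr.pop(0)
    nfsr.append(n_new); nfsr.pop(0)
    return z


def keystream(lfsr, nfsr, n=KEYSTREAM_LEN):
    """Keystream from a copy of the state, so the caller's state is untouched."""
    l, s = list(lfsr), list(nfsr)
    return [clock(l, s) for _ in range(n)]


def fault_difference(lfsr, nfsr, loc):
    """XOR of fault-free keystream and keystream after a single-bit fault at
    loc = (register, position), injected into the state at time 0."""
    reg, pos = loc
    fl, fs = list(lfsr), list(nfsr)
    (fl if reg == "lfsr" else fs)[pos] ^= 1
    return [a ^ b for a, b in zip(keystream(lfsr, nfsr), keystream(fl, fs))]


LOCATIONS = [("lfsr", i) for i in range(N)] + [("nfsr", j) for j in range(N)]


def random_state(rng):
    return [rng.getrandbits(1) for _ in range(N)], [rng.getrandbits(1) for _ in range(N)]


def fault_signature(loc, trials=TRIALS, seed=1):
    """Probabilistic signature of loc: for each keystream index t, the estimated
    Pr[difference bit t = 1] over random internal states. Bits that are 0.0 or 1.0
    are reached only through linear taps; fractional values come from the AND terms."""
    rng = random.Random(f"{seed}:{loc}")
    counts = [0] * KEYSTREAM_LEN
    for _ in range(trials):
        lfsr, nfsr = random_state(rng)
        for t, d in enumerate(fault_difference(lfsr, nfsr, loc)):
            counts[t] += d
    return [c / trials for c in counts]


@functools.lru_cache(maxsize=None)
def signatures():
    """Offline phase: one signature per candidate location (computed once, cached)."""
    return {loc: fault_signature(loc) for loc in LOCATIONS}


def log_likelihood(signature, observed, trials=TRIALS):
    """log Pr[observed difference | fault at the location with this signature].
    Laplace smoothing keeps an event unseen in sampling rare rather than impossible."""
    ll = 0.0
    for p, d in zip(signature, observed):
        p = (p * trials + 1) / (trials + 2)
        ll += math.log(p if d else 1.0 - p)
    return ll


def locate_fault(observed, sigs=None):
    """Online phase, probabilistic-signature version: the most likely location."""
    sigs = sigs if sigs is not None else signatures()
    return max(sigs, key=lambda loc: log_likelihood(sigs[loc], observed))


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy) if vx and vy else 0.0


def locate_fault_correlation(observed, sigs=None):
    """Online phase, classical version: the signature with the highest Pearson correlation."""
    sigs = sigs if sigs is not None else signatures()
    return max(sigs, key=lambda loc: pearson(sigs[loc], observed))


def identification_accuracy(locator=locate_fault, n_faults=16, seed=7):
    """Fraction of random (state, location) faults whose location the locator recovers."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(n_faults):
        lfsr, nfsr = random_state(rng)
        true_loc = rng.choice(LOCATIONS)
        hits += locator(fault_difference(lfsr, nfsr, true_loc)) == true_loc
    return hits / n_faults


if __name__ == "__main__":
    sig = signatures()[("nfsr", 5)]
    print("NFSR[5] signature:", " ".join(f"{p:.2f}" for p in sig[:16]))
    print("likelihood  accuracy:", identification_accuracy(locate_fault))
    print("correlation accuracy:", identification_accuracy(locate_fault_correlation))
```

Two things to read off the signatures: a fault in NFSR position j shows up deterministically at keystream index j (the faulted bit reaches the linear n0 tap) and nowhere earlier for small j, while an LFSR fault at position i shows up deterministically at indices i-4 and i-1 (the l4 and l1 taps); the fractional entries in between are the AND terms, which is exactly the part the likelihood uses and a plain correlation flattens. The signature-building phase dominates the run time (32 locations times 400 trials), and it is the part a real attack precomputes once per cipher.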
Fault Analysis on the Stream Ciphers LILI-128 and Achterbahn
LILI-128 is a clock-controlled stream cipher based on two LFSRs with one clock-control function and one non-linear filter function. The clocking of the second LFSR is controlled by the first LFSR. In this paper we propose a fault algebraic attack on the LILI-128 stream cipher. We first recover the state bits of the first LFSR by injecting a single-bit fault into the first LFSR. After that we recover the state bits of the second LFSR using algebraic cryptanalysis. We also propose a fault attack on the Achterbahn stream cipher, which is based on 8 NLFSRs, 8 LFSRs and one non-linear combining function. We first inject a single-bit fault into NLFSR-A, then observe the normal and faulty keystream bits to recover almost all the state bits of NLFSR-A after the key initialization phase. One can apply our technique to the other NLFSRs (B, C, D) to recover their state bits as well.