Fault Attack on the Authenticated Cipher ACORN v2

Fault attack is an efficient cryptanalysis method against cipher implementations and has attracted a lot of attention in recent public cryptographic literatures. In this work we introduce a fault attack on the CAESAR candidate ACORN v2. Our attack is done under the assumption of random fault injection into an initial state of ACORN v2 and contains two main steps: fault locating and equation solving. At the first step, we first present a fundamental fault locating method, which uses 99-bit output keystream to determine the fault injected location with probability 97.08%. And then several improvements are provided, which can further increase the probability of fault locating to almost 1. As for the system of equations retrieved at the first step, we give two solving methods at the second step, that is, linearization and guess-and-determine. The time complexity of our attack is not larger than c·2179.19-1.76N at worst, where N is the number of fault injections such that 31≤N≤88 and c is the time complexity of solving linear equations. Our attack provides some insights into the diffusion ability of such compact stream ciphers

Fault Attack on ACORN v3

Fault attack is one of the most efficient side channel attacks and has attracted much attention in recent public cryptographic literatures. In this work we introduce a fault attack on the authenticated cipher ACORN v3. Our attack is done under the assumption that a fault is injected into an initial state of ACORN v3 randomly, and contains two main steps: fault locating and equation solving. At the first step, we introduce concepts of unique set and non-unique set, where differential strings belonging to unique sets can determine the fault location uniquely. For strings belonging to non-unique sets, we use some strategies to increase the probability of determining the fault location uniquely to almost 1. At the second step, we demonstrate several ways of retrieving equations, and then obtain the initial state by solving equations with the guess-and-determine method. With $n$ fault experiments, we can recover the initial state with time complexity $c \cdot2^{146.5-3.52\cdot n}$, where $c$ is the time complexity of solving linear equations and $26<n<43$. We also apply the attack to ACORN v2, which shows that, comparing with ACORN v2, the tweaked version ACORN v3 is more vulnerable against the fault attack

Inapplicability of Differential Fault Attacks against Cellular Automata based Lightweight Authenticated Cipher

Authenticated encryption (AE) schemes are a necessity to secure the physical devices connected to the Internet. Two AE schemes, TinyJambu and Elephant, are finalists of NIST lightweight cryptography competition. Another AE scheme, ACORN v3, a CAESAR competition finalist, has been shown to be particularly vulnerable against Differential Fault Attack (DFA), even more than its previous version ACORN v2. TinyJambu is also susceptible to DFA. An optimized interpolation attack has been proposed against one instance of Elephant, Delirium, recently. We propose methods to strengthen these schemes using the Cellular Automata (CA) and increase their resistance to these attacks. The Programmable Cellular Automata (PCA) 90-150 is effectively deployed to make these ciphers robust against DFA. We also provide mathematical analysis of the invigorated schemes and show that significant improvement is achieved in all the three enhanced schemes

Residual Vulnerabilities to Power side channel attacks of lightweight ciphers cryptography competition Finalists

The protection of communications between Internet of Things (IoT) devices is of great concern because the information exchanged contains vital sensitive data. Malicious agents seek to exploit those data to extract secret information about the owners or the system. Power side channel attacks are of great concern on these devices because their power consumption unintentionally leaks information correlatable to the device\u27s secret data. Several studies have demonstrated the effectiveness of authenticated encryption with advanced data, in protecting communications with these devices. A comprehensive evaluation of the seven (out of 10) algorithm finalists of the National Institute of Standards and Technology (NIST) IoT lightweight cipher competition that do not integrate built‐in countermeasures is proposed. The study shows that, nonetheless, they still present some residual vulnerabilities to power side channel attacks (SCA). For five ciphers, an attack methodology as well as the leakage function needed to perform correlation power analysis (CPA) is proposed. The authors assert that Ascon, Sparkle, and PHOTON‐Beetle security vulnerability can generally be assessed with the security assumptions “Chosen ciphertext attack and leakage in encryption only, with nonce‐misuse resilience adversary (CCAmL1)” and “Chosen ciphertext attack and leakage in encryption only with nonce‐respecting adversary (CCAL1)”, respectively. However, the security vulnerability of GIFT‐COFB, Grain, Romulus, and TinyJambu can be evaluated more straightforwardly with publicly available leakage models and solvers. They can also be assessed simply by increasing the number of traces collected to launch the attack

Implementasi Algoritme Morus V2 untuk Pengamanan Data Pada Perangkat Bluetooth Low Energy

Pengamanan data merupan bagian penting dalam penerapan jaringan berbasis Internet of things (IoT). Sistem IoT membutuhkan sebuah protokol komunikasi, seperti Bluetooth Low Energy (BLE). BLE dinilai cepat dan hemat energi dalam pengiriman data jarak dekat. BLE digunakan sebagai komunikasi client-server yang menerima data dari sensor. Pengiriman data tidak aman tanpa adanya proses pengaman data. Kriptografi menjadi salah satu pilihan dalam pengaman data. Pada pengembangan diperlukan pertimbangan beberapa aspek seperti, resource yang digunakan, serta waktu untuk proses enkripsi dan dekripsi. Pada penelitian ini algoritme MORUS V2 dipilih untuk mengamankan data dari serangan. Algoritme ini mudah diimplementasikan pada hardware. Kecepatan dari algoritme ini dapat mencapai 0,69 cpb, lebih cepat dari algoritme lain. Proses enkripsi data dari sensor dilakukan pada server hingga menghasilkan ciphertext. Kemudian akan dilakukan dekripsi pada ciphertext ketika diterima oleh client, hingga plaintext ditampilkan. Dari hasil pengujian algoritme MORUS V2 telah berhasil diimplementasikan melalui pengujian test vector dengan nilai keystream yang sama. Pengujian confidentiality telah berhasil dilakukan melalui proses enkripsi dan dekripsi. Pada pengujian serangan pasif berhasil dilakukan dengan hasil nilai plaintext tidak diketahui ketika data dikirim, serta tidak ada perubahan ketika data sampai pada client. Pengujian serangan aktif menggunakan known-plaintext attack (KPA) dinyatakan gagal dalam memperoleh nilai plaintext.AbstractData security is an essential part of implementing an Internet of things (IoT) based network. IoT systems require a communication protocol, such as Bluetooth Low Energy (BLE). BLE is considered fast and energy-efficient in sending data over short distances. BLE is used as a client-server communication that receives data from sensors.  Data transmission will be insecure without a data security process. Cryptography is one of the options for securing data.  The development requires consideration of several aspects, such as the resources used, as well as the time for the encryption and decryption process.  In research, the MORUS V2 algorithm was chosen to secure data from attacks. This algorithm is easy to implement on hardware. The speed of this algorithm can reach 0.69 CPB, faster than other algorithms. The data encryption process from the sensor is carried out on the server to produce ciphertext.  Then decryption will be carried out on the ciphertext when received by the client until the plaintext is displayed.  From the test results, the MORUS V2 algorithm has been successfully implemented through test vector testing with the same keystream value.  Confidentiality testing has been successfully carried out through encryption and decryption processes. The passive attack test was successfully carried out with the result that the plaintext value was unknown when the data was sent, and there was no change when the data arrived at the client. Active attack testing using a known-plaintext attack (KPA) is declared to have failed in obtaining the plaintext value

Fault Attacks on Nonce-based Authenticated Encryption: Application to Keyak and Ketje

In the context of fault attacks on nonce-based authenticated encryption, an attacker faces two restrictions. The first is the uniqueness of the nonce for each new encryption that prevents the attacker from collecting pairs of correct and faulty outputs to perform, e.g., differential fault attacks. The second restriction concerns the verification/decryption, which releases only verified plaintext. While many recent works either exploit misuse scenarios (e.g. nonce-reuse, release of unverified plaintext), we turn the fact that the decryption/verification gives us information on the effect of a fault (whether a fault changed a value or not) against it. In particular, we extend the idea of statistical ineffective fault attacks (SIFA) to target the initialization performed in nonce-based authenticated encryption schemes. By targeting the initialization performed during decryption/verification, most nonce-based authenticated encryption schemes provide the attacker with an oracle whether a fault was ineffective or not. This information is all the attacker needs to mount statistical ineffective fault attacks. To demonstrate the practical threat of the attack, we target software implementations of the authenticated encryption schemes Keyak and Ketje. The presented fault attacks can be carried out without the need of sophisticated equipment. In our practical evaluation the inputs corresponding to 24 ineffective fault inductions were required to reveal large parts of the secret key in both scenarios

Blockcipher-based Authenticated Encryption: How Small Can We Go?

This paper presents a lightweight blockcipher based authenticated encryption mode mainly focusing on minimizing the implementation size, i.e., hardware gates or working memory on software. The mode is called COFB, for COmbined FeedBack. COFB uses an $n$-bit blockcipher as the underlying primitive and relies on the use of a nonce for security. In addition to the state required for executing the underlying blockcipher, COFB needs only $n/2$ bits state as a mask. To date, for all existing constructions in which masks have been applied, at least $n$ bit masks have been used. Thus, we have shown the possibility of reducing the size of a mask without degrading the security level much. Moreover, it requires one blockcipher call to process one input block. We show COFB is provably secure up to $O(2^{n/2}/n)$ queries which are almost up to the standard birthday bound. We first present an idealized mode iCOFB along with the details of its provable security analysis. Next, we extend the construction to the practical mode COFB. We instantiate COFB with two 128-bit blockciphers, AES-128 and GIFT-128, and present their implementation results on FPGAs. We present two implementations, with and without CAESAR hardware API. When instantiated with AES-128 and implemented without CAESAR hardware API, COFB achieves only a few more than $1000$ Look-Up-Tables (LUTs) while maintaining almost the same level of provable security as standard AES-based AE, such as GCM. When instantiated with GIFT-128, COFB performs much better in hardware area. It consumes less than $1000$ LUTs while maintaining the same security level. However, when implemented with CAESAR hardware API, there are significant overheads both in the hardware area and throughput. COFB with AES-128 achieves about $1475$ LUTs. COFB with GIFT-128 achieves a few more than $1000$ LUTs. Though there are overheads, still both these figures show competitive implementation results compared to other authenticated encryption constructions

Analyse et Conception d'Algorithmes de Chiffrement Légers

The work presented in this thesis has been completed as part of the FUI Paclido project, whose aim is to provide new security protocols and algorithms for the Internet of Things, and more specifically wireless sensor networks. As a result, this thesis investigates so-called lightweight authenticated encryption algorithms, which are designed to fit into the limited resources of constrained environments. The first main contribution focuses on the design of a lightweight cipher called Lilliput-AE, which is based on the extended generalized Feistel network (EGFN) structure and was submitted to the Lightweight Cryptography (LWC) standardization project initiated by NIST (National Institute of Standards and Technology). Another part of the work concerns theoretical attacks against existing solutions, including some candidates of the nist lwc standardization process. Therefore, some specific analyses of the Skinny and Spook algorithms are presented, along with a more general study of boomerang attacks against ciphers following a Feistel construction.Les travaux présentés dans cette thèse s’inscrivent dans le cadre du projet FUI Paclido, qui a pour but de définir de nouveaux protocoles et algorithmes de sécurité pour l’Internet des Objets, et plus particulièrement les réseaux de capteurs sans fil. Cette thèse s’intéresse donc aux algorithmes de chiffrements authentifiés dits à bas coût ou également, légers, pouvant être implémentés sur des systèmes très limités en ressources. Une première partie des contributions porte sur la conception de l’algorithme léger Lilliput-AE, basé sur un schéma de Feistel généralisé étendu (EGFN) et soumis au projet de standardisation international Lightweight Cryptography (LWC) organisé par le NIST (National Institute of Standards and Technology). Une autre partie des travaux se concentre sur des attaques théoriques menées contre des solutions déjà existantes, notamment un certain nombre de candidats à la compétition LWC du NIST. Elle présente donc des analyses spécifiques des algorithmes Skinny et Spook ainsi qu’une étude plus générale des attaques de type boomerang contre les schémas de Feistel

Implementação em software de cifradores autenticados para processadores ARM

Orientador: Julio César López HernándezDissertação (mestrado) - Universidade Estadual de Campinas, Instituto de ComputaçãoResumo: Algoritmos de cifração autenticada são ferramentas usadas para proteger dados, de forma a garantir tanto sigilo quanto autenticidade e integridade. Implementações criptográficas não possuem apenas exatidão e eficiência como seus principais objetivos: sistemas computacionais podem vazar informação sobre seu com- portamento interno, de forma que uma má implementação pode comprometer a segu- rança de um bom algoritmo. Dessa forma, esta dissertação tem o objetivo de estudar as formas de implementar corretamente algoritmos criptográficos e os métodos para optimizá-los sem que percam suas características de segurança. Um aspecto impor- tante a ser levado em consideração quando implementando algoritmos é a arquitetura alvo. Nesta dissertação concentra-se na família de processadores ARM. ARM é uma das arquiteturas mais utilizadas no mundo, com mais de 100 bilhões de chips vendidos. Esta dissertação foca em estudar e implementar duas famílias de cifradores auten- ticados: NORX e Ascon, especificamente para processadores ARM Cortex-A de 32 e 64 bits. Descrevemos uma técnica de optimização orientada a pipeline para NORX que possui desempenho melhor que o atual estado da arte, e discutimos técnicas utilizadas em uma implementação vetorial do NORX. Também analisamos as características de uma implementação vetorial do Ascon, assim como uma implementação vetorial de múltiplas mensagensAbstract: Authenticated encryption algorithms are tools used to protect data, in a way that guar- antees both its secrecy, authenticity, and integrity. Cryptographic implementations do not have only correctness and efficiency as its main goals: computer systems can leak information about their internal behavior, and a bad implementation can compromise the security of a good algorithm. Therefore, this dissertation aims to study the forms of correctly and efficiently implementing crypto- graphic algorithms and the methods of optimizing them without losing security char- acteristics. One important aspect to take into account during implementation and opti- mization is the target architecture. In this dissertation, the focus is on the ARM family of processors. ARM is one of the most widespread architectures in the world, with more than 100 billion chips deployed. This dissertation focus on studying and implementing two different families of au- thenticated encryption algorithms: NORX and Ascon, targeting 32-bits and 64-bits ARM Cortex-A processors. We show a pipeline oriented technique to implement NORX that¿s faster than the current state-of-art; and we also discuss the techniques used on a vectorial implementation of NORX. We also describe and analyze the characteristics of a vectorial implementation of Ascon, as well as a multiple message vectorial imple- mentationMestradoCiência da ComputaçãoMestre em Ciência da Computaçã

Electromagnetic Side-Channel Resilience against Lightweight Cryptography

Side-channel attacks are an unpredictable risk factor in cryptography. Therefore, observations of leakages through physical parameters, i.e., power and electromagnetic (EM) radiation, etc., of digital devices are essential to minimise vulnerabilities associated with cryptographic functions. Compared to costs in the past, performing side-channel attacks using inexpensive test equipment is becoming a reality. Internet-of-Things (IoT) devices are resource-constrained, and lightweight cryptography is a novel approach in progress towards IoT security. Thus, it would provide sufficient data and privacy protection in such a constrained ecosystem. Therefore, cryptanalysis of physical leakages regarding these emerging ciphers is crucial. EM side-channel attacks seem to cause a significant impact on digital forensics nowadays. Within existing literature, power analysis seems to have considerable attention in research whereas other phenomena, such as EM, should continue to be appropriately evaluated in playing a role in forensic analysis.The emphasis of this thesis is on lightweight cryptanalysis. The preliminary investigations showed no Correlation EManalysis (CEMA) of PRESENT lightweight algorithm. The PRESENT is a block cipher that promises to be adequate for IoT devices, and is expected to be used commercially in the future. In an effort to fill in this research gap, this work examines the capabilities of a correlation EM side-channel attack against the PRESENT. For that, Substitution box (S-box) of the PRESENT was targeted for its 1st round with the use of a minimum number of EM waveforms compared to other work in literature, which was 256. The attack indicates the possibility of retrieving 8 bytes of the secret key out of 10 bytes. The experimental process started from a Simple EMA (SEMA) and gradually enhanced up to a CEMA. The thesis presents the methodology of the attack modelling and the observations followed by a critical analysis. Also, a technical review of the IoT technology and a comprehensive literature review on lightweight cryptology are included