Linear Fault Analysis of Block Ciphers Zhiqiang Liu1, Dawu Gu1, Ya Liu1, Wei Li2 1. Shanghai Jiao Tong University 2. Donghua University ACNS 2012 June 28 , 2012 Shanghai Jiao Tong University Outline Brief Introduction of Fault Attack A New Extension to Fault Attack: Linear Fault Analysis (LFA) A Key Recovery Attack on SERPENT by Using LFA Conclusion and Discussion http://LoCCS.sjtu.edu.cn Brief Introduction of Fault Attack (1/5) Shanghai Jiao Tong University Fault analysis is a class of implementation attacks that disturb cryptographic computations so as to recover secret keys. In Eurocrypt 1996, Boneh et al. firstly proposed the idea of fault attack. In Crypto 1997, Biham et al. presented an extension to the above approach, i.e., Differential Fault Analysis (DFA). http://LoCCS.sjtu.edu.cn Brief Introduction of Fault Attack (2/5) Shanghai Jiao Tong University About fault injection: An attacker is able to deliberately interfere the normal operation of the device with voltage variations, clock glitches and lasers so as to induce faults. A laser with certain energy and wavelength could interfere fixed parts of the memory/registers without damaging them, resulting in single bit/byte error at some internal state accurately. http://LoCCS.sjtu.edu.cn Brief Introduction of Fault Attack (3/5) Shanghai Jiao Tong University Basic idea of differential fault analysis (DFA): Cryptographic Device X=1|1|0|0|1|0|1|0 Y=0|1|0|0|0|0|1|1 Cryptographic Procedures △Y=Y⊕Y*=1|0|0|1|1|1|1|0 X=1|1|0|0|1|0|1|0 Internal Round 1|0|0|0|1|0|1|1 1|0|0|0|0|0|1|1 http://LoCCS.sjtu.edu.cn Radiation X-Ray Micro-Probe Y*=1|1|0|1|1|1|0|1 Brief Introduction of Fault Attack (4/5) Shanghai Jiao Tong University Research work with respect to DFA: DFA has been used as an effective cryptanalytic tool to evaluate the security of various block ciphers such as DES, AES, IDEA, CLEFIA, SMS4, ARIA, Camellia, and so on. Some extensions to DFA have been presented in order to make fault attack more efficient. http://LoCCS.sjtu.edu.cn Brief Introduction of Fault Attack (5/5) Shanghai Jiao Tong University General countermeasure against DFA: Basically, DFA techniques target the last few rounds of a block cipher, i.e., faults will be triggered at the last few rounds of the cipher so as to induce information leakage. The general countermeasure against DFA is to protect the last few rounds of the cipher by means of redundancy. For a block cipher, the practical implementations used to thwart DFA will cover as less protected rounds as possible. http://LoCCS.sjtu.edu.cn Shanghai Jiao Tong University A New Extension to Fault Attack: Linear Fault Analysis (LFA) (1/8) We first apply the idea of linear cryptanalysis in fault attack and present a new fault attack on block ciphers called linear fault analysis (LFA). Fault Model and Assumption in LFA: Random single-bit/single-byte fault model induced at some certain round. The values and positions (within the impacted round) of the faults injected by the attacker are unknown and randomly distributed. http://LoCCS.sjtu.edu.cn Shanghai Jiao Tong University A New Extension to Fault Attack: Linear Fault Analysis (LFA) (2/8) Basic idea of LFA: http://LoCCS.sjtu.edu.cn Shanghai Jiao Tong University A New Extension to Fault Attack: Linear Fault Analysis (LFA) (3/8) How LFA works? Let E be a block cipher and decompose the cipher into E = E1 ◦ E0. Let ΓP · P ⊕ΓC · C = ΓK ·K (also denoted as ΓP → ΓC) be a linear approximation for E1 with probability ½ +ε. Let SΓP→ΓC be a set consisting of all bits of P involving in the item ΓP · P. Suppose that an attacker has the ability to induce single-bit faults at the input of E1 repeatedly and the error bits don’t belong to the set SΓP→ΓC , then an effective distinguisher ΓC · C1 ⊕ ΓC · C2 = 0 for the cipher E with probability ½ + 2ε2 can be derived by the attacker. http://LoCCS.sjtu.edu.cn Shanghai Jiao Tong University A New Extension to Fault Attack: Linear Fault Analysis (LFA) (4/8) How LFA works? (to continue) Based on the above distinguisher, we can mount a key recovery attack on E′= E2 ◦E = E2 ◦E1 ◦E0 by guessing part of the subkey information used in E2. Attack procedure: Step 1. Given the linear characteristic ΓP → ΓC for E1, collect N pairs of ciphertexts, each pair consisting of a right ciphertext C1i under E′and the corresponding faulty ciphertext C2i derived by injecting single-bit fault at any position of the input of E1, where 1 ≤ i ≤ N. http://LoCCS.sjtu.edu.cn Shanghai Jiao Tong University A New Extension to Fault Attack: Linear Fault Analysis (LFA) (5/8) How LFA works? (to continue) Step 2. Let Kg denote the subkey information which is related to the item ΓC · E2-1(Cji). Then for each possible value of Kg, do as below: Initialize a counter TKg firstly. For each ciphertext pair (C1i, C2i), implement the partial decryptions of C1i and C2i respectively and compute the parity of ΓC · E2-1(C1i)⊕ΓC · E2-1(C2i). If the parity is 0, increase the relevant counter TKg by 1, and decrease by 1 otherwise. Store the value of Kg as well as the absolute value of the corresponding TKg. Step 3. For all possible values of Kg, compare the stored values and take the value of Kg as the correct key information if the absolute value of the corresponding TKg is maximal. http://LoCCS.sjtu.edu.cn Shanghai Jiao Tong University A New Extension to Fault Attack: Linear Fault Analysis (LFA) (6/8) Why the above attack works? Case 1: the guessed value of Kg is correct For any ciphertext pair (C1i, C2i) in which C2i is derived by inducing single-bit fault at the input of E1 such that the error bit is not in the set SΓP→ΓC: the equation ΓC · E2-1(C1i)⊕ΓC · E2-1(C2i) = 0 holds with probability ½ + 2ε2; For any ciphertext pair (C1i, C2i) where C2i is obtained by injecting single-bit fault at the input of E1 such that the error bit belongs to the set SΓP→ΓC: the equation ΓC · E2-1(C1i)⊕ΓC · E2-1(C2i) = 1 holds with probability ½ + 2ε2; Thus in this case, we can estimate |TKg| by the following formula: | TK g | N | 1 2 (# SP C ) / m | 4 2 http://LoCCS.sjtu.edu.cn Shanghai Jiao Tong University A New Extension to Fault Attack: Linear Fault Analysis (LFA) (7/8) Why the above attack works? (to continue) Case 2: the guessed value of Kg is wrong According to the Wrong-Key Randomization Hypothesis, it’s assumed that the wrong guess of Kg results in a random-looking parity of ΓC · E21(C i)⊕Γ · E -1(C i). 1 C 2 2 Thus in this case the value of |TKg| approximates to 0. Therefore, it is feasible to distinguish the correct value of Kg from all wrong guesses of Kg by applying the above key recovery attack if given sufficient ciphertext pairs (C1i, C2i) . http://LoCCS.sjtu.edu.cn Shanghai Jiao Tong University A New Extension to Fault Attack: Linear Fault Analysis (LFA) (8/8) The number of ciphertext pairs required in our key recovery attack can be estimated by the following formula: cN 1 1 4 | 1 2 (# SP C ) / m | 4 Moreover, similar result can be derived regarding the linear fault analysis under the condition of single-byte fault model. http://LoCCS.sjtu.edu.cn A Key Recovery Attack on SERPENT by Using LFA (1/7) SERPENT block cipher: Shanghai Jiao Tong University proposed by Anderson et al in 1998 As a candidate of AES contest, it was rated just behind the AES Rijndael classical SPN structure with 32 rounds block size: 128 bits key size: 128, 192 or 256 bits Schematic description of SERPENT at the right side http://LoCCS.sjtu.edu.cn Shanghai Jiao Tong University A Key Recovery Attack on SERPENT by Using LFA (2/7) Current status of fault analysis for SERPENT: So far there isn't any known fault attack on SERPENT which can be done by inducing faults at the round earlier than the penultimate round of the cipher. Countermeasure against fault attack on SERPENT: It could be implemented by protecting the last two rounds of the cipher if taking into account the cost and efficiency of the implementation. However, our effective attack shows that LFA could be a threat to the protected implementation of SERPENT. http://LoCCS.sjtu.edu.cn Shanghai Jiao Tong University A Key Recovery Attack on SERPENT by Using LFA (3/7) Assume that single-bit faults can be injected at the input of the round 29 (that is, third from the last round) of SERPENT repeatedly and randomly. We construct twelve 2-round linear characteristics ΓPi → ΓCi (1 ≤ i ≤ 12) for the rounds from round 29 to round 30 of SERPENT. We could derive twelve distinguishers for the 31 rounds from round 0 to round 30 of SERPENT as below: Ci SERPENTlr1 (C1 ) Ci SERPENTlr1 (C2 ) 0, 1 i 12 http://LoCCS.sjtu.edu.cn Shanghai Jiao Tong University A Key Recovery Attack on SERPENT by Using LFA (4/7) Linear characteristics used in our attack: http://LoCCS.sjtu.edu.cn Shanghai Jiao Tong University A Key Recovery Attack on SERPENT by Using LFA (5/7) Linear characteristics used in our attack (to continue): http://LoCCS.sjtu.edu.cn Shanghai Jiao Tong University A Key Recovery Attack on SERPENT by Using LFA (6/7) Linear characteristics used in our attack (to continue): http://LoCCS.sjtu.edu.cn Shanghai Jiao Tong University A Key Recovery Attack on SERPENT by Using LFA (7/7) By applying the above twelve distinguishers sequentially, we can recover all the 128 bits of K32. Strip the last round by decrypting with K32, and mount an attack on the reduced-round cipher similarly so as to get the 128 bits of K31. Attack complexity: data complexity: 223.14 correct/faulty ciphertext pairs time complexity: 231.73 SERPENT encryptions memory complexity: 226.14 bytes http://LoCCS.sjtu.edu.cn Shanghai Jiao Tong University Conclusion and Discussion (1/2) We have proposed a new extension to fault attack on block ciphers, i.e., linear fault analysis (LFA), in which linear cryptanalysis is combined with fault attack delicately. In order to illustrate the effectiveness of LFA, we have applied it to analyze the security of SERPENT and achieved the currently best cryptanalytic result on SERPENT with respect to fault attack. http://LoCCS.sjtu.edu.cn Shanghai Jiao Tong University Conclusion and Discussion (2/2) Note that our key recovery attack on SERPENT has a data complexity which seems impractical for real cryptographic devices, but it does show that LFA could be a potential threat to the previously protected implementations (against fault attack) of block ciphers. For a block cipher, the number of protected rounds must be chosen very carefully in order to prevent security flaws as well as keep the corresponding implementation economical and efficient. We hope that LFA could be beneficial to determining this number. http://LoCCS.sjtu.edu.cn Shanghai Jiao Tong University Q&A Thanks! http://LoCCS.sjtu.edu.cn