IIT KHARAGPUR
Destroying Fault Invariant with Randomization - A Countermeasure for AES against Differential Fault Attacks
Authors: Harshal Tupsamudre, Shikha Bisht, Debdeep Mukhopadhyay (IIT KHARAGPUR)
CHES 2014
South Korea, Busan
September 24, 2014
CHES 2014 (South Korea, Busan) IIT KHARAGPUR September 24, 2014 1 / 48
Outline
1 Preliminaries
2 LatinCrypt 2012 Infection Countermeasure
3 FDTC 2013 Attack
4 A Major Loop Hole in LatinCrypt 2012 Countermeasure
5 Piret and Quisquater’s Attack on Infection Countermeasure
    Attack Without Random Dummy Rounds
    Complexity Analysis
    Attack in Presence of Random Dummy Rounds
6 Improved Countermeasure
7 Summary & Conclusion
Preliminaries
AES128
[Figure: AES128 structure. Plaintext ⊕ Key, Round 1, ..., Round i, ..., Round 10, Ciphertext. Round i: SubByte, ShiftRow, MixColumn, Add Round Key]
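AES128: Round Function
$$
\begin{pmatrix} I_0 & I_4 & I_8 & I_{12} \\ I_1 & I_5 & I_9 & I_{13} \\ I_2 & I_6 & I_{10} & I_{14} \\ I_3 & I_7 & I_{11} & I_{15} \end{pmatrix}
$$
—S—
$$
\begin{pmatrix} S[I_0] & S[I_4] & S[I_8] & S[I_{12}] \\ S[I_1] & S[I_5] & S[I_9] & S[I_{13}] \\ S[I_2] & S[I_6] & S[I_{10}] & S[I_{14}] \\ S[I_3] & S[I_7] & S[I_{11}] & S[I_{15}] \end{pmatrix}
$$
—SR—
$$
\begin{pmatrix} S[I_0] & S[I_4] & S[I_8] & S[I_{12}] \\ S[I_5] & S[I_9] & S[I_{13}] & S[I_1] \\ S[I_{10}] & S[I_{14}] & S[I_2] & S[I_6] \\ S[I_{15}] & S[I_3] & S[I_7] & S[I_{11}] \end{pmatrix}
$$
—MC—
$$
\begin{pmatrix} 2 & 3 & 1 & 1 \\ 1 & 2 & 3 & 1 \\ 1 & 1 & 2 & 3 \\ 3 & 1 & 1 & 2 \end{pmatrix}
\begin{pmatrix} S[I_0] & S[I_4] & S[I_8] & S[I_{12}] \\ S[I_5] & S[I_9] & S[I_{13}] & S[I_1] \\ S[I_{10}] & S[I_{14}] & S[I_2] & S[I_6] \\ S[I_{15}] & S[I_3] & S[I_7] & S[I_{11}] \end{pmatrix}
$$
—Add key—
$$
\begin{pmatrix} I'_0 \oplus k_0 & I'_4 \oplus k_4 & I'_8 \oplus k_8 & I'_{12} \oplus k_{12} \\ I'_1 \oplus k_1 & I'_5 \oplus k_5 & I'_9 \oplus k_9 & I'_{13} \oplus k_{13} \\ I'_2 \oplus k_2 & I'_6 \oplus k_6 & I'_{10} \oplus k_{10} & I'_{14} \oplus k_{14} \\ I'_3 \oplus k_3 & I'_7 \oplus k_7 & I'_{11} \oplus k_{11} & I'_{15} \oplus k_{15} \end{pmatrix}
$$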
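Fault Attack
[Figure: the same Plaintext goes through the Cipher Process twice, once without and once with a Fault, giving the Correct Ciphertext and the Faulty Ciphertext; Output Analysis works on Correct Ciphertext ⊕ Faulty Ciphertext]
Only one fault sufficient to retrieve the entire secret key of AES.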
Fault Attack
1 Fault models to model the strength of adversary
    1 Bit flip Fault Model: Affects a bit of the intermediate result
    2 Constant Byte Fault Model: Requires control over fault value and position
    3 Random Byte Fault Model: No control over fault value and position
2 Attacks that require both the correct and faulty ciphertext are known as differential fault attacks
Countermeasures Against Fault Attacks
Detection Countermeasure
[Figure: detection countermeasure. Labels: PT, PT*, CT, CT*; comparisons "CT = CT* ?" and "PT = PT* ?"]
Infection Countermeasure
[Figure: infection countermeasure. Labels: Cipher Round, Redundant Round, Diffusion]
LatinCrypt 2012 Infection Countermeasure
LatinCrypt 2012 Infection Countermeasure
SNLF operates on a byte and SNLF(0) = 0
[Figure: countermeasure structure. Labels: Redundant, Cipher, SNLF]
LatinCrypt 2012 Infection Countermeasure
Dummy rounds occur randomly
[Figure: countermeasure structure with dummy rounds. Labels: Redundant, Cipher, Dummy, SNLF]
LatinCrypt 2012 Infection Countermeasure
RoundFunction(β, k^0) = β
[Figure: round sequence. Labels: Redundant, Dummy, Cipher, β]
FDTC 2013 Attack
FDTC 2013 Attack
Fault f in $I^{10}_1$, i.e., first byte of the second row in the input of 10th cipher round of AES128
Countermeasure infects the faulty computation twice
    - After the execution of 10th cipher round
    - After the execution of compulsory dummy round
FDTC 2013 Attack
[Figure: propagation of the fault f through the countermeasure. Labels: R0, R1, R2, β, f, ε, SNLF[ε], ∆1, ∆2, ∆3, ∆4, C, C*; Step 6, Step 7, Step 10, Step 11, Step 14]
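FDTC 2013 Attack: Infection Caused by the 10th Cipher Round
1 The difference between correct (R1) and faulty computation (R0) is:
$$
\begin{pmatrix} 0 & 0 & 0 & 0 \\ f & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \end{pmatrix}
\xrightarrow{S}
\begin{pmatrix} 0 & 0 & 0 & 0 \\ \varepsilon & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \end{pmatrix}
\xrightarrow{SR}
\begin{pmatrix} 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & \varepsilon \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \end{pmatrix}
$$
2 After Infection Step, the difference is:
$$
R_0 \oplus R_1 =
\begin{pmatrix} 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & \varepsilon \oplus SNLF[\varepsilon] \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \end{pmatrix}
$$
where $\varepsilon = S[I^{10}_1 \oplus f] \oplus S[I^{10}_1]$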
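FDTC 2013 Attack: Infection Caused by the Compulsory Dummy Round
3 The differential of R2 and β is:
$$
R_2 \oplus \beta =
\begin{pmatrix} 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & SNLF[\varepsilon] \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \end{pmatrix}
$$
4 When $R_2 = \beta$, $RoundFunction(R_2, k^0) \oplus \beta = 0$
5 When $R_2 \neq \beta$, $RoundFunction(R_2, k^0) \oplus \beta \neq 0$
6 ∴
$$
RoundFunction(R_2, k^0) \oplus \beta =
\begin{pmatrix} 0 & 0 & \Delta_1 & 0 \\ 0 & 0 & \Delta_2 & 0 \\ 0 & 0 & \Delta_3 & 0 \\ 0 & 0 & \Delta_4 & 0 \end{pmatrix}
$$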
FDTC 2013 Attack: Final Difference
7 Infection caused by compulsory dummy round does not affect ε.
$$
C \oplus C^* =
\begin{pmatrix} 0 & 0 & \Delta_1 & 0 \\ 0 & 0 & \Delta_2 & \varepsilon \oplus SNLF[\varepsilon] \\ 0 & 0 & \Delta_3 & 0 \\ 0 & 0 & \Delta_4 & 0 \end{pmatrix}
$$
8 Infection SNLF[ε] caused by 10th cipher round is ineffective.
9 Attacker uses the value of $\varepsilon = S[I^{10}_1 \oplus f] \oplus S[I^{10}_1]$ to make hypotheses on $I^{10}_1$ and key byte $k^{11}_{13}$.
10 Repeat this process with two more pairs of faulty and correct ciphertexts, using constant byte fault model.
11 The attack targets last three rows of the 10th round input.
12 Recover remaining 4 bytes of top row using brute force search.
Flaws Exploited by FDTC 2013 attack
1 The last cipher round is always the penultimate round: The attacker can verify target round using side channel.
2 A fault in last three rows of 10th round ⟹ Infection caused by compulsory dummy round does not affect the erroneous byte.
Remark
What happens if the infection caused by compulsory dummy round affects the erroneous byte of 10th round??
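Flaw 2 and the Remark above can be checked position by position when evaluating a countermeasure of this shape. The following is an added example, not code from the slides or from the LatinCrypt 2012 authors: it tracks only which state bytes carry a non-zero difference, and it assumes that SNLF maps a non-zero byte to a non-zero byte and that ε ⊕ SNLF[ε] is non-zero. The function names are hypothetical.

```python
# Added example: activity-pattern tracking for the infection countermeasure
# as described on the slides. A cell is (row, col); AES byte index i sits at
# row i % 4, column i // 4 (column-major state, as in the round-function slide).
# Assumptions (not from the slides): SNLF(x) != 0 for x != 0, and
# eps ^ SNLF[eps] != 0, so "active" cells stay active.

N = 4  # the AES state is 4 x 4 bytes


def shift_rows(active):
    """ShiftRows on a set of active cells: row r rotates left by r positions."""
    return {(r, (c - r) % N) for r, c in active}


def mix_columns_single(active):
    """MixColumns for exactly one active byte: every coefficient of the
    MixColumns matrix is non-zero, so the whole column becomes active."""
    if len(active) != 1:
        raise ValueError("this helper models a single active byte only")
    (cell,) = active
    return {(r, cell[1]) for r in range(N)}


def analyse(byte_index):
    """Track a one-byte fault injected at the input of the 10th cipher round."""
    if not 0 <= byte_index < 16:
        raise ValueError("byte_index must be in 0..15")
    fault = {(byte_index % N, byte_index // N)}
    # 10th cipher round: SubBytes keeps the position (f becomes eps),
    # ShiftRows moves it, and the last AES round has no MixColumns.
    # After the infection step this cell holds eps ^ SNLF[eps].
    error = shift_rows(fault)
    # R2 ^ beta carries SNLF[eps] in that same cell. The compulsory dummy
    # round applies the full round function: SubBytes, ShiftRows, MixColumns.
    dummy = mix_columns_single(shift_rows(error))
    (err_cell,) = error
    return {
        "error_cell": err_cell,                 # where eps ^ SNLF[eps] ends up
        "dummy_column": next(iter(dummy))[1],   # column holding D1..D4
        "overlap": err_cell in dummy,           # does the dummy infection hit it?
    }


def pattern(byte_index):
    """Render C ^ C* as four strings: E = error byte only, D = dummy-round
    infection only, X = both on the same byte, . = zero difference."""
    info = analyse(byte_index)
    rows = []
    for r in range(N):
        line = ""
        for c in range(N):
            is_err = (r, c) == info["error_cell"]
            is_dummy = c == info["dummy_column"]
            line += "X" if is_err and is_dummy else "E" if is_err else "D" if is_dummy else "."
        rows.append(line)
    return rows


def rows_with_untouched_error():
    """State rows for which the dummy-round infection never lands on the error byte."""
    return sorted({i % N for i in range(16) if not analyse(i)["overlap"]})


if __name__ == "__main__":
    for idx in (1, 0):  # I^10_1 (second row) and I^10_0 (top row)
        print(f"fault in byte {idx}:", analyse(idx))
        print("\n".join(pattern(idx)))
    print("rows where the error byte is left untouched:", rows_with_untouched_error())
```

For byte 1 the rendered pattern matches the final-difference matrix on the slides; for byte 0 the two infections fall on the same byte, which is the case the Remark asks about.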
Further Loop Holes in LatinCrypt 2012 Countermeasure
Extending FDTC 2013 Attack to the Top Row
Fault $f$ in $I^{10}_0$, i.e., first byte of the top row in the input of 10th cipher round
Countermeasure infects the faulty computation twice
- After the execution of 10th cipher round
- After the execution of compulsory dummy round
[Figure: diagram of the countermeasure's Steps 6, 7, 10, 11 and 14 for a fault in the top row, with labels f, ε, SNLF[ε], R0, R1, R2, β, α1 to α4, ∆1 to ∆4, C and C*.]
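Extending FDTC 2013 Attack to the Top Row
1 The differential between correct ($R_1$) and faulty computation ($R_0$) is:
$$
\begin{pmatrix} f & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \end{pmatrix}
\xrightarrow{\;S\;}
\begin{pmatrix} \varepsilon & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \end{pmatrix}
\xrightarrow{\;SR\;}
\begin{pmatrix} \varepsilon & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \end{pmatrix}
$$
2 After Infection Step, the differential is:
$$
R_0 \oplus R_1 =
\begin{pmatrix} \varepsilon \oplus SNLF[\varepsilon] & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \end{pmatrix}
$$
where $\varepsilon = S[I^{10}_0 \oplus f] \oplus S[I^{10}_0]$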
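Extending FDTC 2013 Attack to the Top Row
3 The differential of $R_2$ and $\beta$ is:
$$
R_2 \oplus \beta =
\begin{pmatrix} SNLF[\varepsilon] & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \end{pmatrix}
$$
4 The differential after the compulsory dummy round is:
$$
\mathrm{RoundFunction}(R_2, k^0) \oplus \beta =
\begin{pmatrix} \alpha_1 & 0 & 0 & 0 \\ \alpha_2 & 0 & 0 & 0 \\ \alpha_3 & 0 & 0 & 0 \\ \alpha_4 & 0 & 0 & 0 \end{pmatrix}
$$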
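Extending FDTC 2013 Attack to the Top Row
5 Infection caused by compulsory dummy round affects $\varepsilon$.
$$
C \oplus C^{*} =
\begin{pmatrix} \alpha_1 \oplus \varepsilon \oplus SNLF[\varepsilon] & 0 & 0 & 0 \\ \alpha_2 & 0 & 0 & 0 \\ \alpha_3 & 0 & 0 & 0 \\ \alpha_4 & 0 & 0 & 0 \end{pmatrix}
$$
6 Attack of FDTC 2013 will not work.
7 $\alpha_1$ has to be unmasked.
We show that the $\alpha_i$ are interrelated and infection caused by compulsory dummy round is ineffective.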
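A Major Flaw in the Infection Scheme
Since $\mathrm{RoundFunction}(\beta, k^0) = \beta$ we can write:
$$
\begin{aligned}
\mathrm{RoundFunction}(R_2, k^0) \oplus \beta
&= \mathrm{RoundFunction}(R_2, k^0) \oplus \mathrm{RoundFunction}(\beta, k^0) \\
&= MC(SR(S(R_2))) \oplus k^0 \oplus MC(SR(S(\beta))) \oplus k^0 \\
&= MC(SR(S(R_2))) \oplus MC(SR(S(\beta))) \\
&= MC(SR(S(R_2) \oplus S(\beta)))
\end{aligned}
$$
1 When $R_2 = \beta$, $\mathrm{RoundFunction}(R_2, k^0) \oplus \beta = 0$
2 When $R_2 \neq \beta$, $\mathrm{RoundFunction}(R_2, k^0) \oplus \beta \neq 0$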
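Infection Removal of Compulsory Dummy Round
3 The differential of $R_2$ and $\beta$ is:
$$
R_2 \oplus \beta =
\begin{pmatrix} SNLF[\varepsilon] & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \end{pmatrix}
$$
4 $\mathrm{RoundFunction}(R_2, k^0) \oplus \beta = MC(SR(S(R_2) \oplus S(\beta)))$
$$
\begin{pmatrix} SNLF[\varepsilon] & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \end{pmatrix}
\xrightarrow{\;S\ \&\ SR\;}
\begin{pmatrix} y & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \end{pmatrix}
\xrightarrow{\;MC\;}
\begin{pmatrix} 2y & 0 & 0 & 0 \\ 1y & 0 & 0 & 0 \\ 1y & 0 & 0 & 0 \\ 3y & 0 & 0 & 0 \end{pmatrix}
$$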
Infection Removal of Compulsory Dummy Round
5 Therefore we can write the difference between correct and faulty computation as:
$$
C \oplus C^{*} =
\begin{pmatrix} 2y \oplus \varepsilon \oplus SNLF[\varepsilon] & 0 & 0 & 0 \\ 1y & 0 & 0 & 0 \\ 1y & 0 & 0 & 0 \\ 3y & 0 & 0 & 0 \end{pmatrix}
$$
6 $y$ can be deduced from the above matrix.
7 $2y$ can be unmasked.
8 And the attack of FDTC 2013 can be mounted.
9 Now, this attack can target any 12 bytes of 10th round input.
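The following Python sketch is an added illustration, not code from the slides or from the countermeasure's authors. It checks the invariant derived above, RoundFunction(R2, k0) ⊕ β = MC(SR(S(R2) ⊕ S(β))), and shows that the dummy-round infection of the top byte is a fixed multiple of y and can be stripped. The value of β, the derivation of k0 from β, the use of GF(2^8) inversion as a stand-in for SNLF, and all function names are assumptions of the example.

```python
def gmul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial 0x11B."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x11B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return r

def ginv(x):
    """x^254, the multiplicative inverse in GF(2^8); maps 0 to 0."""
    r = 1
    for _ in range(254):
        r = gmul(r, x)
    return r

def _affine(b):
    s = b
    for i in range(1, 5):
        s ^= ((b << i) | (b >> (8 - i))) & 0xFF
    return s ^ 0x63

INV = [ginv(x) for x in range(256)]
SBOX = [_affine(v) for v in INV]  # AES S-box, generated instead of typed in
SNLF = INV  # ASSUMPTION: stand-in nonlinear byte map with SNLF[0] = 0

def xor(a, b):
    return [[x ^ y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def sub_bytes(s):
    return [[SBOX[b] for b in row] for row in s]

def shift_rows(s):
    return [row[r:] + row[:r] for r, row in enumerate(s)]

def mix_columns(s):
    out = [[0] * 4 for _ in range(4)]
    for c in range(4):
        a = [s[r][c] for r in range(4)]
        out[0][c] = gmul(a[0], 2) ^ gmul(a[1], 3) ^ a[2] ^ a[3]
        out[1][c] = a[0] ^ gmul(a[1], 2) ^ gmul(a[2], 3) ^ a[3]
        out[2][c] = a[0] ^ a[1] ^ gmul(a[2], 2) ^ gmul(a[3], 3)
        out[3][c] = gmul(a[0], 3) ^ a[1] ^ a[2] ^ gmul(a[3], 2)
    return out

def round_function(s, k):
    return xor(mix_columns(shift_rows(sub_bytes(s))), k)

# Constructed sample values: an arbitrary beta, and k0 chosen so that
# RoundFunction(beta, k0) = beta, the property the slide relies on.
BETA = [[(0x3C + 0x1D * (4 * c + r)) & 0xFF for c in range(4)] for r in range(4)]
K0 = xor(mix_columns(shift_rows(sub_bytes(BETA))), BETA)

def dummy_round_difference(beta, k0, delta):
    """RoundFunction(R2, k0) XOR beta, where R2 = beta with delta in byte (0,0)."""
    r2 = [row[:] for row in beta]
    r2[0][0] ^= delta
    return xor(round_function(r2, k0), beta)

def remove_dummy_infection(column):
    """Check that rows 1..3 of the first column of C XOR C* have the form
    (y, y, 3y); if so return (y, top byte with 2y removed), else None."""
    top, a2, a3, a4 = column
    if a3 != a2 or a4 != gmul(a2, 3):
        return None
    return a2, top ^ gmul(a2, 2)

def demo(i10_0=0x5A, f=0x21):
    """Constructed run: fault f on byte I^10_0, then strip the dummy infection."""
    eps = SBOX[i10_0 ^ f] ^ SBOX[i10_0]
    d = SNLF[eps]                      # difference R2 XOR beta in byte (0,0)
    alpha = dummy_round_difference(BETA, K0, d)
    column = [alpha[r][0] for r in range(4)]
    column[0] ^= eps ^ d               # top byte of C XOR C* as in item 5
    y, unmasked = remove_dummy_infection(column)
    return y, unmasked, eps ^ d

if __name__ == "__main__":
    y, unmasked, expected = demo()
    print(f"y={y:#04x} unmasked={unmasked:#04x} expected={expected:#04x}")
```

Because the relation between the four column bytes is fixed by MixColumns and does not depend on k0 or β, adding the compulsory dummy round leaves the first infection ε ⊕ SNLF[ε] exposed.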
FDTC 2013 Attack Extended to the Top Row
[Figure: diagram of the countermeasure's Steps 6, 7, 10, 11 and 14 for a fault in the top row, with labels f, ε, SNLF[ε], R0, R1, R2, β, 2y, 1y, 1y, 3y, ∆1 to ∆4, C and C*.]
Piret and Quisquater’s Attack
Relaxing the Restrictions of FDTC 2013 Attack
1 The attack assumes constant byte fault model which requires precise control over fault position and value.
2 The attack can retrieve only last 3 rows of $k^{11}$ using 12*3 = 36 faults.
3 The top row of $k^{11}$ has to be recovered using brute force search.
Piret and Quisquater’s Attack in absence of Random Dummy Rounds
The attack targets the penultimate round of AES, e.g., in case of AES128, input of 9th round is the target.
Fault $f$ in $I^{9}_0$, i.e., first byte of the top row in the input of 9th cipher round
Countermeasure infects faulty computation thrice
- After the execution of 9th cipher round
- After the execution of 10th cipher round
- After the execution of compulsory dummy round
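Differential after 9th round
1 Without Countermeasure
$$
R_0 \oplus R_1 =
\begin{pmatrix} 2f' & 0 & 0 & 0 \\ f' & 0 & 0 & 0 \\ f' & 0 & 0 & 0 \\ 3f' & 0 & 0 & 0 \end{pmatrix}
$$
2 With Countermeasure
$$
R_0 \oplus R_1 =
\begin{pmatrix} 2f' \oplus SNLF[2f'] & 0 & 0 & 0 \\ f' \oplus SNLF[f'] & 0 & 0 & 0 \\ f' \oplus SNLF[f'] & 0 & 0 & 0 \\ 3f' \oplus SNLF[3f'] & 0 & 0 & 0 \end{pmatrix}
$$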
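Differential after 10th round
1 Without Countermeasure
$$
R_0 \oplus R_1 =
\begin{pmatrix}
S[I^{10}_{0}] \oplus S[I^{10}_{0} \oplus P_0] & 0 & 0 & 0 \\
0 & 0 & 0 & S[I^{10}_{1}] \oplus S[I^{10}_{1} \oplus P_1] \\
0 & 0 & S[I^{10}_{2}] \oplus S[I^{10}_{2} \oplus P_2] & 0 \\
0 & S[I^{10}_{3}] \oplus S[I^{10}_{3} \oplus P_3] & 0 & 0
\end{pmatrix}
$$
2 With Countermeasure
$$
R_0 \oplus R_1 =
\begin{pmatrix}
z_0 \oplus \mathrm{SNLF}[z_0] & 0 & 0 & 0 \\
0 & 0 & 0 & z_1 \oplus \mathrm{SNLF}[z_1] \\
0 & 0 & z_2 \oplus \mathrm{SNLF}[z_2] & 0 \\
0 & z_3 \oplus \mathrm{SNLF}[z_3] & 0 & 0
\end{pmatrix}
$$
where $z_i = S[I^{10}_{i}] \oplus S[I^{10}_{i} \oplus P_i \oplus \mathrm{SNLF}[P_i]]$, $i \in \{0, \dots, 3\}$.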
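Equations for the keys
1 Without Countermeasure
$$
\begin{aligned}
2 \cdot f' &= S^{-1}[T_0 \oplus k^{11}_{0}] \oplus S^{-1}[T^*_0 \oplus k^{11}_{0}] \\
1 \cdot f' &= S^{-1}[T_{13} \oplus k^{11}_{13}] \oplus S^{-1}[T^*_{13} \oplus k^{11}_{13}] \\
1 \cdot f' &= S^{-1}[T_{10} \oplus k^{11}_{10}] \oplus S^{-1}[T^*_{10} \oplus k^{11}_{10}] \\
3 \cdot f' &= S^{-1}[T_7 \oplus k^{11}_{7}] \oplus S^{-1}[T^*_7 \oplus k^{11}_{7}]
\end{aligned}
$$
where $T$ and $T^*$ are the correct and faulty ciphertext, respectively.
2 With Countermeasure
$$
\begin{aligned}
2 \cdot f' \oplus \mathrm{SNLF}[2 \cdot f'] &= S^{-1}[T_0 \oplus k^{11}_{0}] \oplus S^{-1}[T^*_0 \oplus k^{11}_{0}] \\
1 \cdot f' \oplus \mathrm{SNLF}[1 \cdot f'] &= S^{-1}[T_{13} \oplus k^{11}_{13}] \oplus S^{-1}[T^*_{13} \oplus k^{11}_{13}] \\
1 \cdot f' \oplus \mathrm{SNLF}[1 \cdot f'] &= S^{-1}[T_{10} \oplus k^{11}_{10}] \oplus S^{-1}[T^*_{10} \oplus k^{11}_{10}] \\
3 \cdot f' \oplus \mathrm{SNLF}[3 \cdot f'] &= S^{-1}[T_7 \oplus k^{11}_{7}] \oplus S^{-1}[T^*_7 \oplus k^{11}_{7}]
\end{aligned}
$$
where $T$ and $T^*$ are the correct and faulty ciphertext, respectively.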
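Infection of Compulsory dummy round
1 Due to the presence of compulsory dummy round, the difference between the final faulty and correct ciphertext:
$$
T \oplus T^* =
\begin{pmatrix}
m_0 \oplus \mathrm{cdr}_0 & \mathrm{cdr}_4 & \mathrm{cdr}_8 & \mathrm{cdr}_{12} \\
\mathrm{cdr}_1 & \mathrm{cdr}_5 & \mathrm{cdr}_9 & m_1 \oplus \mathrm{cdr}_{13} \\
\mathrm{cdr}_2 & \mathrm{cdr}_6 & m_2 \oplus \mathrm{cdr}_{10} & \mathrm{cdr}_{14} \\
\mathrm{cdr}_3 & m_3 \oplus \mathrm{cdr}_7 & \mathrm{cdr}_{11} & \mathrm{cdr}_{15}
\end{pmatrix}
$$
$m_j = z_j \oplus \mathrm{SNLF}[z_j]$, $j \in \{0, \dots, 3\}$.
2 Using the relation $\mathrm{RoundFunction}(R_2, k^0) \oplus \beta = MC(SR(S(R_2) \oplus S(\beta)))$ we have:
$$
T \oplus T^* =
\begin{pmatrix}
m_0 \oplus g_1(F_1, F_2) & 1F_3 & h_1(F_4, F_5, F_6) & 3F_7 \\
g_2(F_1, F_2) & 1F_3 & h_2(F_4, F_5, F_6) & m_1 \oplus 2F_7 \\
g_3(F_1, F_2) & 3F_3 & m_2 \oplus h_3(F_4, F_5, F_6) & 1F_7 \\
g_4(F_1, F_2) & m_3 \oplus 2F_3 & h_4(F_4, F_5, F_6) & 1F_7
\end{pmatrix}
$$
$F_i$, $i \in \{1, \dots, 7\}$ is infection caused by compulsory dummy round and $g_j$ and $h_j$, $j \in \{1, \dots, 4\}$ are linear functions.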
P&Q's Attack on LatinCrypt 2012 Countermeasure: Infection Removal
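1 After removing infection caused by compulsory dummy round we obtain:
$$
T \oplus T^* =
\begin{pmatrix}
m_0 & 0 & 0 & 0 \\
0 & 0 & 0 & m_1 \\
0 & 0 & m_2 & 0 \\
0 & m_3 & 0 & 0
\end{pmatrix}
$$
where $m_j = z_j \oplus \mathrm{SNLF}[z_j]$, $j \in \{0, \dots, 3\}$.
2 We can deduce $z_j$ (two possibilities) from $m_j$ which gives $2^4$ possibilities for $T^*$.
3 Now, we can make hypotheses on 4 bytes of last round key $k^{11}$.
$$
\begin{aligned}
2 \cdot f' \oplus \mathrm{SNLF}[2 \cdot f'] &= S^{-1}[T_0 \oplus k^{11}_{0}] \oplus S^{-1}[T^*_0 \oplus k^{11}_{0}] \\
1 \cdot f' \oplus \mathrm{SNLF}[1 \cdot f'] &= S^{-1}[T_{13} \oplus k^{11}_{13}] \oplus S^{-1}[T^*_{13} \oplus k^{11}_{13}] \\
1 \cdot f' \oplus \mathrm{SNLF}[1 \cdot f'] &= S^{-1}[T_{10} \oplus k^{11}_{10}] \oplus S^{-1}[T^*_{10} \oplus k^{11}_{10}] \\
3 \cdot f' \oplus \mathrm{SNLF}[3 \cdot f'] &= S^{-1}[T_7 \oplus k^{11}_{7}] \oplus S^{-1}[T^*_7 \oplus k^{11}_{7}]
\end{aligned}
$$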
Complexity Analysis
1 $2^4$ values of $T^*$ gives $2^4 \cdot 1036$ candidate values for 4 bytes of $k^{11}$.
2 Repeating the attack with another pair of faulty and correct ciphertext gives at most 2 candidate values.
3 Total 8 faulty ciphertexts required to retrieve all 16 bytes of $k^{11}$.
Attack in Presence of Random Dummy Rounds
[Figure: orderings of the final RoundFunctions. Favourable Case: 9th Cipher Round, 10th Redundant Round, 10th Cipher Round, Compulsory dummy round. Case 2: 10th Red Round, Random Dummy. Case 3: Random Dummy, 10th Red Round. Case 4: Random Dummy, Random Dummy.]
Attack in Presence of Random Dummy Rounds
1 Number of random dummy rounds: $d$
2 Total number of rounds: $22 + d + 1$
3 Target round of fault injection: $(22 + d - 2)$th RoundFunction.
4 $(22 + d)$th RoundFunction: 10th cipher round.
5 ∴ The probability of $(22 + d - 2)$th RoundFunction being a 9th cipher round:
$$
\frac{(19+d)!/((19)! \cdot (d)!)}{(21+d)!/((21)! \cdot (d)!)}
$$
6 If $d = 20$ then the probability that 40th RoundFunction is a 9th cipher round is nearly 0.26.
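The probability in item 5 can be checked numerically. The following Python sketch is an added example, not code from the slides or their authors: it evaluates the binomial ratio exactly, confirms that it reduces to (21·20)/((21+d)(20+d)), and compares it with a Monte Carlo run over random round schedules. The function names and the uniform placement of the d dummy rounds among the first 21 + d positions are assumptions made for the illustration.

```python
from fractions import Fraction
from math import comb
import random

# 11 redundant + 11 cipher RoundFunctions for AES-128 (the "22" on the slide).
REAL_ROUNDS = 22


def p_target_is_round9(d):
    """Exact probability from the slide: C(19+d, d) / C(21+d, d)."""
    return Fraction(comb(19 + d, d), comb(21 + d, d))


def p_closed_form(d):
    """The same ratio after cancelling factorials."""
    return Fraction(21 * 20, (21 + d) * (20 + d))


def random_schedule(d, rng):
    """One schedule of 22+d RoundFunctions: 1 = real round, 0 = random dummy.

    Assumption for this illustration: the d dummies fall uniformly among the
    first 21+d positions, because the slide fixes position 22+d as the
    10th cipher round.
    """
    head = [1] * (REAL_ROUNDS - 1) + [0] * d
    rng.shuffle(head)
    return head + [1]


def target_is_round9(schedule):
    """True if RoundFunction number 22+d-2 is the 20th real round.

    Real rounds alternate redundant/cipher starting from round 0, so the
    9th cipher round is the 20th real RoundFunction executed.
    """
    d = len(schedule) - REAL_ROUNDS
    pos = REAL_ROUNDS + d - 2          # 1-based index of the targeted call
    return schedule[pos - 1] == 1 and sum(schedule[:pos]) == 20


def simulate(d, trials=200_000, seed=1):
    """Monte Carlo estimate of the same probability."""
    rng = random.Random(seed)
    hits = sum(target_is_round9(random_schedule(d, rng)) for _ in range(trials))
    return hits / trials


def table(ds=(0, 5, 10, 20, 30)):
    """(d, exact probability, simulated probability) for a few values of d."""
    return [(d, float(p_target_is_round9(d)), simulate(d, 50_000)) for d in ds]


if __name__ == "__main__":
    for d, exact, sim in table():
        print(f"d={d:2d}  exact={exact:.4f}  simulated={sim:.4f}")
```

For d = 20 the exact value is 21/82, so twenty random dummy rounds lower the chance that a fixed-position fault lands in the 9th cipher round only to roughly one in four.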
Simulation Results
[Figure: Piret & Quisquater's Attack on Algorithm 1. x-axis: Number of Random Dummy Rounds d (0 to 30); y-axis: Average Number of Faulty Encryptions (0 to 400).]
Flaws in LatinCrypt 2012 Countermeasure
1 The last cipher round is always the penultimate round: The attacker can verify target round using side channel.
2 A fault in last three rows of 10th round ⟹ Infection caused by compulsory dummy round does not affect the erroneous byte.
3 Countermeasure uses same value to infect erroneous as well as non-erroneous byte.
4 The effect of infection varies for different rounds.
Improved Countermeasure
[Figure: block diagram of the improved countermeasure. Labels: Redundant, Cipher, Dummy, β, BLFN (twice), OR (twice), γ, δ, x, ~x. Case γ=0, δ=0: Cipher Matrix and Zero Matrix. Case γ=1: Zero Matrix and Random Matrix.]
1 Fault injection in any of the cipher, redundant or dummy round ⟹ Every byte in the resulting ciphertext is infected with a different value.
2 The resulting infected faulty ciphertext is completely random.
3 More than one random dummy round after the last cipher round.
4 The improved countermeasure protects both SPN ciphers and Feistel ciphers.
Summary & Conclusion
1 The infection mechanism of LatinCrypt 2012 countermeasure is shown to be ineffective.
2 An improved countermeasure is developed, which outputs a completely random value in case of fault injection so that fault attack is impossible.
Thank You !
References
1 D. Boneh, R.A. DeMillo, and R.J. Lipton. On the Importance of Checking Cryptographic Protocols for Faults (Extended Abstract). In W. Fumy, editor, Advances in Cryptology - EUROCRYPT 97, volume 1233 of Lecture Notes in Computer Science, pages 37-51. Springer, 1997.
2 E. Biham and A. Shamir. Differential cryptanalysis of DES-like cryptosystems. In B.S. Kaliski (ed.) Advances in Cryptology - CRYPTO 97, LNCS, vol. 1294, pp. 513-525. Springer (1997).
3 C. Giraud. DFA on AES. In H. Dobbertin, V. Rijmen, A. Sowa (eds.) AES Conference, Lecture Notes in Computer Science, vol. 3373, pp. 27-41. Springer (2004).
4 J. Blomer and J-P. Seifert. Fault based cryptanalysis of the Advanced Encryption Standard. In R.N. Wright (ed.) Financial Cryptography, Lecture Notes in Computer Science, vol. 2742, pp. 162-181. Springer (2003).
5 G. Piret and J.J. Quisquater. A Differential Fault Attack Technique against SPN Structures, with Application to the AES and KHAZAD. In Cryptographic Hardware and Embedded Systems - CHES 2003, volume 2779 of Lecture Notes in Computer Science, pp. 77-88. Springer, 2003.
6 D. Mukhopadhyay. An Improved Fault Based Attack of the Advanced Encryption Standard. In B. Preneel, editor, AFRICACRYPT 2009, volume 5580 of Lecture Notes in Computer Science, pages 421-434. Springer, 2009.
7 Thomas Fuhr, Eliane Jaulmes, Victor Lomne, Adrian Thillard. Fault Attacks on AES with Faulty Ciphertexts Only, fdtc, pp. 108-118, 2013. In Fault Diagnosis and Tolerance in Cryptography, 2013.
8 D. Mukhopadhyay, M. Tunstall, S. Ali. Differential Fault Analysis of the Advanced Encryption Standard Using a Single Fault. In Information Security Theory and Practice. Security and Privacy of Mobile Devices in Wireless Communication 2011, volume 6633 of Lecture Notes in Computer Science, pages 224-233. Springer, 2011.
9 R. Beaulieu, D. Shors, J. Smith, S. Treatman-Clark, B. Weeks, and L. Wingers. The SIMON and SPECK Families of Lightweight Block Ciphers. Cryptology ePrint Archive, Report 2013/404, 2013. Available at http://eprint.iacr.org/.
10 L. Genelle, C. Giraud, and E. Prouff. Securing AES Implementation Against Fault Attacks. In L. Breveglieri, I. Koren, D. Naccache, E. Oswald, and J.-P. Seifert, editors, Fault Diagnosis and Tolerance in Cryptography FDTC 2009. IEEE Computer Society, 2009.
11 M. Medwed and Jorn-Marc Schmidt. A Continuous Fault Countermeasure for AES Providing a Constant Error Detection Rate. In L. Breveglieri, M. Joye, I. Koren, D. Naccache, and I. Verbauwhede, editors, FDTC. IEEE Computer Society, 2010.
12 M. Joye, P. Manet, and J.-B. Rigaud. Strengthening Hardware AES Implementations against Fault Attacks. IET Information Security, 1:106-110, 2007.
13 J. Fournier, J.-B. Rigaud, S. Bouquet, B. Robisson, A. Tria, J.-M. Dutertre, and M. Agoyan. Design and Characterisation of an AES Chip Embedding Countermeasures. International Journal of Intelligent Engineering Informatics 2011, 1:328-347, 2011.
14 T. Malkin, F.-X. Standaert, and M. Yung. A Comparative Cost/Security Analysis of Fault Attack Countermeasures. Fault Diagnosis and Tolerance in Cryptography (FDTC), 2006.
15 Lomne, V., Roche, T., Thillard, A. On The Need of Randomness in Fault Attack Countermeasures - Application to AES. Fault Diagnosis and Tolerance in Cryptography (FDTC), 2012.
16 A. Battistello and C. Giraud. Fault Analysis of Infective AES Computations. In Fault Diagnosis and Tolerance in Cryptography (FDTC), pp. 101-107, 2013. Also available at http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=06623560.
17 Benedikt Gierlichs, Jorn-Marc Schmidt, Michael Tunstall. Infective Computation and Dummy Rounds: Fault Protection for Block Ciphers without Check-before-Output. In A. Hevia and G. Neven, editors, LATINCRYPT 2012, volume 7533 of LNCS, pages 305-321. Springer, 2012.
18 Daemen, J., Rijmen, V.: AES proposal: Rijndael (1999).
19 FIPS PUB 197: Advanced Encryption Standard (AES). Federal Information Processing Standards Publication 197, National Institute of Standards and Technology (NIST), Gaithersburg (2001).
20 R. Beaulieu, D. Shors, J. Smith, S. Treatman-Clark, B. Weeks, and L. Wingers. The SIMON and SPECK Families of Lightweight Block Ciphers. Cryptology ePrint Archive, Report 2013/404, 2013. Available at http://eprint.iacr.org/.
21 H. A. Alkhzaimi and M. M. Lauridsen. Cryptanalysis of the SIMON Family of Block Ciphers. Cryptology ePrint Archive, Report 2013/543, 2013. Available at http://eprint.iacr.org/.
22 F. Abed, E. List, S. Lucks, and J. Wenzel. Differential Cryptanalysis of Reduced-Round Simon. Cryptology ePrint Archive, Report 2013/526, 2013. Available at http://eprint.iacr.org/.
23 Javad Alizadeh, Nasour Bagheri, Praveen Gauravaram, Abhishek Kumar and Somitra Kumar Sanadhya. Linear Cryptanalysis of Round Reduced SIMON. IACR Cryptology ePrint Archive, Report 2013/663, 2013. Available at http://eprint.iacr.org/2013/663.