Differential Fault Attack on SIMON with Very Few Faults Ravi Anand 1 , Akhilesh Siddhanti 2 , Subhamoy Maitra 3 , Sourav Mukhopadhyay 4 . Indian Institute of Technology Kharagpur, Kharagpur BITS Pilani, Goa Campus, Goa Applied Statistics Unit, Indian Statistical Institute, Kolkata Indian Institute of Technology Kharagpur, Kharagpur INDOCRYPT 2018 Ravi, Akhilesh, Subhamoy, Sourav INDOCRYPT 2018 1 / 26
26
Embed
Differential Fault Attack on SIMON with Very Few Faultsindocrypt/slides18/indocrypt18Ravi.pdf · Outline 1 Introduction 2 Proposed Di erential Fault Attack 3 Identifying fault locations
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Differential Fault Attack on SIMONwith Very Few Faults
Ravi Anand1, Akhilesh Siddhanti2,Subhamoy Maitra3, Sourav Mukhopadhyay4.
Indian Institute of Technology Kharagpur, Kharagpur
BITS Pilani, Goa Campus, Goa
Applied Statistics Unit, Indian Statistical Institute, Kolkata
Indian Institute of Technology Kharagpur, Kharagpur
• Consider we encrypt a plaintext P = {p0, p1, · · · , p(2n−1)} using keyK and obtain ciphertext C = {c0, c1, · · · , c(2n−1)}.• Repeat the experiment, where P is encrypted with K , but a 1-bit
fault is injected in the r th round, and a faulty ciphertext
C (γ) = {c(γ)0 , c
(γ)1 , · · · , c(γ)
(2n−1)}, is obtained.
• Determine the location of the injected fault, i.e., γ.
The process of determining γ is same for all the three variants, andconsists of two phases, the offline phase and the online phase.
Figure: The plot of s ji on index (i) and fault location (j) for faults injected in(T − 5)th roundRavi, Akhilesh, Subhamoy, Sourav INDOCRYPT 2018 11 / 26
Online Phase
• A fault free ciphertext C is obtained for P using key K
• Obtain faulty ciphertext C (γ) from P and K by injecting a fault atlocation γ, 0 ≤ γ ≤ 2n − 1, in the internal state Sr .
• After having λ faulty ciphertexts, calculate trail for each C (γ)
• For each τ (γ), the adversary calculates the correlation µ(S (j), τ (γ))and α(S (γ)) = |{j : (µ(S (j), τ (γ))) > µ(S (γ), τ (γ))}|.• For every γ, a table T(γ) is prepared, in which each fault location j is
arranged in the decreasing order of the correlation coefficientµ(S (j), τ (γ)).
• Consider all possible set S (γ) of fault locations, whereS (γ) = {j : (µ(S (j), τγ)) ≥ µ(Sγ , τγ)} and α(S (γ)) = |S (γ)|.• For λ faults injected, (α(Sγ))λ many possible combinations of fault
locations are needed.
Table: Expected number of times the SAT solver needs to be run to arrive at acorrect set of fault locations.
SIMON2n/4n Round Number of α(Sγ) Number of times SATVariant injected Faults (λ) solver is run (=(α(Sγ))λ)
These experiments were conducted on a consumer grade laptop HP-15D103TXwith CPU specifications Intel(R) Core(TM) i5-4200M CPU @ 2.50GHz runningSageMath version 8.1 along with Cryptominisat package on Ubuntu BionicBeaver (development branch).