Page 1: Reverse Engineering of a Secret AES-like Cipher by Ineffective …conferenze.dei.polimi.it/FDTC13/shared/FDTC-2013-session... · 2013-10-11 · Introduction Scope of the Attack Attack

Introduction Scope of the Attack Attack Steps Conclusion

Reverse Engineering of a Secret AES-like Cipher by Ineffective Fault Analysis

Antoine Wurcker, Christophe Clavier

Université de Limoges

FDTC 2013

20-08-2013

Antoine Wurcker (Université de Limoges) Reverse AES by IFA FDTC 2013 1 / 33

Outline

1 Introduction
  Advanced Encryption Standard
  Ineffective Fault Analysis

2 Scope of the Attack
  Modifications on AES
  Constraints on Attacker

3 Attack Steps

4 Conclusion
  Global Results
  Future Works

AES

AES Datapath

r = 0: M → AddRoundKey(K0) → S0
r = 1, …, 9: S(r−1) → SubBytes → ShiftRows → MixColumns → AddRoundKey(Kr) → Sr
r = 10: S9 → SubBytes → ShiftRows → AddRoundKey(K10) → C

Figure: The AES encryption path.

AES KeySchedule

Kr−1 → RotWord → SubWord ⊕ Rcon(r) → ⊕ ⊕ ⊕ ⊕ → Kr
(the transformed last word of Kr−1 is XORed into its first word to give the first word of Kr; each following word of Kr is the previous new word XORed with the corresponding word of Kr−1)

Figure: The AES key schedule.

IFA

Ineffective Fault Analysis

Fault model: a chosen byte is stuck at 0.

Fault effect:

Ciphertext not modified ⇒ the value was already 0.

Ciphertext modified ⇒ the value was not 0.

Remark:

IFA bypasses the dual-execution countermeasure: when the fault is ineffective both executions agree and the comparison raises no alarm, yet the attacker has still learnt that the byte was 0.

Figure: Example of no-occurrence of IFA. The plaintext M is encrypted twice; the second run forces the targeted intermediate byte (45 in the state E5 23 AF 75 77 13 98 1A 08 9C 34 EE B6 59 44 45) to 00. Since the byte was not 0, the faulted ciphertext differs from the correct one: C′ ≠ C.

Figure: Example of occurrence of IFA. Same experiment on the state AB 5F 31 45 4C DE C6 11 58 90 67 6F 78 58 34 00, where the targeted byte is already 00: forcing it to 00 changes nothing, the faulted ciphertext equals the correct one (C′ = C), and the attacker learns that the byte was 0.

Notations

mi: byte number i of the input plaintext M.

ci: byte number i of the output ciphertext C.

Kr: 128-bit key of round number r.

kr,i: byte number i of the round key Kr.

S(): the SubBytes function (S-box).

S−1(0): preimage of the value 0 by the S-box table.

µi = k0,i ⊕ S−1(0).

Xr = {xr,0, …, xr,15}: input state of the SubBytes step of round r.
Yr = {yr,0, …, yr,15}: input state of the ShiftRows step of round r (S-box output).
Zr = {zr,0, …, zr,15}: input state of the MixColumns step of round r.
Tr = {tr,0, …, tr,15}: input state of the AddRoundKey step of round r.

Modifications on AES

The modifications allowed have to respect the constraints of the NIST document describing the AES:

1 The SBOX operation is a permutation table. ⇒ 256! possible SBOX (≈ 2^1684).

2 The ShiftRows operation keeps shifting rows (one shift amount per row). ⇒ 2^8 possible ShiftRows.

3 The MixColumns matrix stays circulant with four parameters (≠ 0). ⇒ 255^4 possible MixColumns (≈ 2^32).

4 The RotWord operation keeps shifting the word. ⇒ 2^2 possible RotWord.

5 The Rcon vectors keep the form [ρ^(r−1), 0, 0, 0]. ⇒ 2^8 possible sets of Rcon vectors.

Figure: ShiftRows parameters. Row r of the state is rotated by σr positions (σ0, σ1, σ2, σ3).

Figure: MixColumns matrix. Circulant matrix with the four parameters α0, α1, α2, α3:
  [α0 α1 α2 α3]
  [α3 α0 α1 α2]
  [α2 α3 α0 α1]
  [α1 α2 α3 α0]

Figure: RotWord parameter. The word is rotated by η positions.

Figure: Rcon[r] parameter. Rcon[r] = [ρ^(r−1), 0, 0, 0] is XORed into the first word.

Constraints

Constraints on Attacker

We place the following constraints on the attacker:

1 The SBOX table is unknown.

2 The MixColumns coefficients are unknown.

3 The ShiftRows coefficients are unknown.

4 The fault can only be applied on an SBOX output.

5 The key K is unknown.

The key schedule is also constrained:

1 The RotWord coefficient is unknown.

2 The Rcon parameter is unknown.

3 It is unavailable to fault injection (e.g. the round keys are pre-computed).

Retrieving K0 up to a Constant Byte

We obtain µi = k0,i ⊕ S−1(0) by exhausting the 256 values of mi (other plaintext bytes fixed) while faulting the output of the i-th S-box of the first round.

Eventually an IFA occurs (for exactly one value of mi, since S is a permutation) and we obtain the equations:

S(mi ⊕ k0,i) = 0

mi ⊕ k0,i = S−1(0)

mi = k0,i ⊕ S−1(0)

mi = µi

We retrieve every µi value by applying this method on each position.
⇒ The set of candidates for K0 is reduced from 2^128 to 2^8: K0 = (µ0 ⊕ c, …, µ15 ⊕ c) for the single unknown byte c = S−1(0).

Lemma: "Choosing" S-Box Input

Lemma. The knowledge of the µi values allows us to choose any value x1,i up to the constant value S−1(0).

Proof. Playing the value mi = v ⊕ µi implies that:

x1,i = mi ⊕ k0,i

x1,i = v ⊕ µi ⊕ k0,i

x1,i = v ⊕ S−1(0) ⊕ k0,i ⊕ k0,i

x1,i = v ⊕ S−1(0)

Remark: if v = 0 then x1,i = S−1(0) ⇒ y1,i = 0, i.e. the attacker can force any first-round S-box output to 0 without knowing the S-box.

Reversing ShiftRows Operation

Fault position: first S-box of the second round (output y2,0).

First step: play random messages until an IFA occurs (probability 1/256 per message).

Second step: play the previous message with only one byte modified each time. The byte x2,0 depends only on the four bytes that ShiftRows moves into column 0, one per row, and any change of such a byte propagates through the bijective S-box and a non-zero MixColumns coefficient. So on each row 1 position will break the IFA while the 3 others will not.

We play the second step until we get the 4 positions that break the IFA, revealing the 4 ShiftRows parameters.

⇒ The ShiftRows operation is reversed.
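The µi recovery of slide 14 and the ShiftRows recovery of slide 16, run end to end against a simulated target. This is an added example and not the authors' code: the target is a hypothetical two-round AES-like cipher with a random S-box, random ShiftRows shifts, random non-zero circulant MixColumns coefficients over the AES field GF(2^8), and round keys drawn at random instead of a key schedule (the key schedule plays no role in these two steps). The IFA oracle is modelled exactly as on slide 6: encrypt once normally, once with one S-box output byte stuck at 0, and compare the ciphertexts. Class, function and parameter names are the example's own.

```python
import random


def gf_mul(a, b):
    """Multiplication in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


class SecretCipher:
    """Hypothetical two-round AES-like target with hidden parameters.

    State byte i sits at row i % 4, column i // 4 (AES column-major order).
    The key schedule is not modelled: K1 and K2 are random, which is enough
    for the mu_i and ShiftRows steps demonstrated here.
    """

    def __init__(self, seed=2013):
        rng = random.Random(seed)
        self.sbox = list(range(256))
        rng.shuffle(self.sbox)                                  # secret permutation
        self.sigma = [rng.randrange(4) for _ in range(4)]       # secret ShiftRows shifts
        self.alpha = [rng.randrange(1, 256) for _ in range(4)]  # secret circulant MixColumns
        self.keys = [[rng.randrange(256) for _ in range(16)] for _ in range(3)]
        # multiplication tables for the four coefficients, so encryption is cheap
        self.mul = [[gf_mul(a, x) for x in range(256)] for a in self.alpha]

    def shift_rows(self, s):
        # output column c of row r receives input column (c + sigma_r) mod 4
        return [s[r + 4 * ((c + self.sigma[r]) % 4)] for c in range(4) for r in range(4)]

    def mix_columns(self, s):
        out = []
        for c in range(4):
            col = s[4 * c:4 * c + 4]
            for r in range(4):          # circulant row r holds alpha_{(j - r) mod 4} at column j
                v = 0
                for j in range(4):
                    v ^= self.mul[(j - r) % 4][col[j]]
                out.append(v)
        return out

    def encrypt(self, m, fault=None):
        """fault=(round, index): stuck-at-0 on that S-box output byte."""
        s = [a ^ b for a, b in zip(m, self.keys[0])]
        for rnd in (1, 2):
            s = [self.sbox[x] for x in s]
            if fault is not None and fault[0] == rnd:
                s[fault[1]] = 0
            s = self.mix_columns(self.shift_rows(s))
            s = [a ^ b for a, b in zip(s, self.keys[rnd])]
        return s

    def ifa(self, m, rnd, idx):
        """IFA oracle: True iff the fault is ineffective (ciphertext unchanged)."""
        return self.encrypt(m) == self.encrypt(m, fault=(rnd, idx))


def recover_mu(cipher):
    """Slide 14: for each i, exhaust m_i under a fault on S-box i of round 1.
    The single ineffective value is mu_i = k0_i ^ S^-1(0)."""
    mu = []
    for i in range(16):
        hits = [v for v in range(256)
                if cipher.ifa([v if p == i else 0 for p in range(16)], 1, i)]
        assert len(hits) == 1, "S is a permutation, so exactly one value works"
        mu.append(hits[0])
    return mu


def choose_sbox_input(mu, i, v):
    """Slide 15 lemma: plaintext byte giving x1,i = v ^ S^-1(0); v = 0 forces y1,i = 0."""
    return v ^ mu[i]


def recover_shift_rows(cipher, seed=7):
    """Slide 16: fault S-box 0 of round 2, find a message with an ineffective
    fault, then locate the one plaintext byte per row whose change breaks it."""
    rng = random.Random(seed)
    while True:
        m = [rng.randrange(256) for _ in range(16)]
        if cipher.ifa(m, 2, 0):
            break
    sigma = [None] * 4
    for p in range(16):
        m2 = m[:]
        m2[p] ^= 1                   # any change works: S is bijective and alpha_j != 0
        if not cipher.ifa(m2, 2, 0):
            sigma[p % 4] = p // 4    # row p%4 of column 0 came from column p//4
    return sigma


if __name__ == "__main__":
    c = SecretCipher()
    print("mu =", recover_mu(c))
    print("sigma =", recover_shift_rows(c), "secret =", c.sigma)
```

The µ search costs 16 × 256 oracle queries (each query is two encryptions) and the ShiftRows step about 256 random messages plus 16 single-byte variants, in line with the fault counts of the simulation table at the end of the deck.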

Figure: Position of IFA. Round 1: ⊕K0 → SB → SR → MC → ⊕K1; the fault is injected on the first S-box output (SB) of round 2. Only the four bytes that SR moves into column 0 reach the faulted byte.

Figure: Proof for the shift parameter of the second row. Modifying one byte of the second row at a time: the byte at column 0 leaves the IFA intact (the shift parameter is not 0), the byte at column 1 breaks it (the shift parameter is 1), the bytes at columns 2 and 3 leave it intact (the shift parameter is not 2, not 3).

Lemma: Retrieving mki,j Values

Definition. mki,j are the particular values that verify: αj ∗ S(mki,j) = k1,i ⊕ S−1(0).

Lemma. The knowledge of the µi values and of the ShiftRows parameters allows us to calculate any value mki,j up to S−1(0).

Proof. We can play a full-0 state as input of the first-round MixColumns (every y1 byte forced to 0 with v = 0), except at the position t = ⌊i/4⌋ + 4 ∗ j. This induces, with a chosen v:

x2,i = αj ∗ S(v ⊕ S−1(0)) ⊕ k1,i

When v provokes an IFA on y2,i, x2,i = S−1(0), hence: v = mki,j ⊕ S−1(0)

Reducing MixColumns by Retrieving Cycles Orders (1/3)

Goal: find the multiplicative order (in GF(2^8)) of βi,j = αi / αj.

Remark. We place ourselves in the case where at least one of the 6 orders of the values βi,j (i < j) equals 255. This concerns 95.28% of cases.

Example: recovery of the order of β1,2.

Equations given by an IFA on the first S-box of the second round:

x2,0 = α0 ∗ z1,0 ⊕ α1 ∗ z1,1 ⊕ α2 ∗ z1,2 ⊕ α3 ∗ z1,3 ⊕ k1,0

x2,0 = S−1(0)

⇒ α0 ∗ z1,0 ⊕ α1 ∗ z1,1 ⊕ α2 ∗ z1,2 ⊕ α3 ∗ z1,3 ⊕ k1,0 = S−1(0)

Reducing MixColumns by Retrieving Cycles Orders (2/3)

Knowledge of mk0,0 allows us to play a plaintext byte value inducing:

z1,0 = S(mk0,0) ⇒ α0 ∗ z1,0 = k1,0 ⊕ S−1(0)

That removes k1,0 and S−1(0) from the previous equation:

α0 ∗ z1,0 ⊕ α1 ∗ z1,1 ⊕ α2 ∗ z1,2 ⊕ α3 ∗ z1,3 ⊕ k1,0 = S−1(0)

k1,0 ⊕ S−1(0) ⊕ α1 ∗ z1,1 ⊕ α2 ∗ z1,2 ⊕ α3 ∗ z1,3 ⊕ k1,0 = S−1(0)

α1 ∗ z1,1 ⊕ α2 ∗ z1,2 ⊕ α3 ∗ z1,3 = 0

Knowledge of the µi values allows us to play a plaintext byte value inducing:

z1,3 = S(S−1(0)) = 0 ⇒ α3 ∗ z1,3 = 0

That removes the α3 term from the previous equation:

α1 ∗ z1,1 ⊕ α2 ∗ z1,2 ⊕ α3 ∗ z1,3 = 0

α1 ∗ z1,1 ⊕ α2 ∗ z1,2 = 0

Reducing MixColumns by Retrieving Cycles Orders (3/3)

We use a random value θ^(0)_{1,2}:

z1,1 = τ^(0)_{1,2} = S(θ^(0)_{1,2} ⊕ k0,0)

We exhaust z1,2 until an IFA occurs, revealing the value θ^(1)_{1,2} such that:

z1,2 = τ^(1)_{1,2} = S(θ^(1)_{1,2} ⊕ k0,0)

We then reveal the sequence of θ^(k)_{1,2} values that verify:

α1 ∗ τ^(k)_{1,2} ⊕ α2 ∗ τ^(k+1)_{1,2} = 0

τ^(k+1)_{1,2} = β1,2 ∗ τ^(k)_{1,2}

⇒ τ^(k)_{1,2} = (β1,2)^k ∗ τ^(0)_{1,2}

Eventually τ^(n)_{1,2} = τ^(0)_{1,2}, revealing that (β1,2)^n = 1. n1,2 = n is the order of β1,2.

Exploiting Data from Orders Retrieval

For each candidate for {α0, α1, α2, α3} we are now able to test the order of every βi,j and drop the solutions that do not verify the found orders ni,j.

We imposed that at least one order equals 255; it induces that during the orders recovery we produced a sequence of 255 distinct values {θ^(0)_{i,j}, …, θ^(254)_{i,j}} (with θ^(255)_{i,j} = θ^(0)_{i,j}). That particular sequence is set as the reference for the further steps and noted {θ^(0), …, θ^(254)}. The concerned βi,j is noted β.

Then we know that:

τ^(i) = S(θ^(i) ⊕ k0,0)

τ^(i) = β ∗ τ^(i−1)
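The order recovery of the preceding slides in code, as an added example that is not the authors' own. The GF(2^8) log/antilog tables assume the secret cipher keeps the AES field (polynomial 0x11B, generator 0x03); order() gives the multiplicative order of any β = αi/αj directly, and beta_orders() checks the six ratios for the standard AES coefficients (2, 3, 1, 1), where β1,2 = 3/1 has order 255, so standard AES falls in the favourable case. ReducedOracle is a hypothetical stand-in for the device: it answers the IFA question only after the cleaning of the (2/3) slide, i.e. it reports whether α1 ∗ S(θprev ⊕ k) ⊕ α2 ∗ S(θ ⊕ k) = 0, with S, α and the key byte k hidden and µ = k ⊕ S−1(0) known from the first attack step. recover_order() walks the θ chain exactly as on the (3/3) slide until it closes.

```python
import random
from math import gcd

# GF(2^8) log/antilog tables over the AES field (polynomial 0x11B), built by
# repeated multiplication by the generator 0x03. Assumption: the secret cipher
# keeps the AES field and only changes the coefficients.
EXP = [0] * 255
LOG = [0] * 256
_x = 1
for _i in range(255):
    EXP[_i] = _x
    LOG[_x] = _i
    _x ^= (_x << 1) ^ (0x11B if _x & 0x80 else 0)   # _x *= 0x03 (= x + 1), reduced


def gf_mul(a, b):
    return 0 if a == 0 or b == 0 else EXP[(LOG[a] + LOG[b]) % 255]


def gf_div(a, b):
    """a / b for b != 0."""
    return 0 if a == 0 else EXP[(LOG[a] - LOG[b]) % 255]


def order(beta):
    """Multiplicative order of a non-zero element: 255 / gcd(log beta, 255)."""
    return 255 // gcd(LOG[beta], 255)


def beta_orders(alpha):
    """Orders of the six ratios beta_{i,j} = alpha_i / alpha_j (i < j)."""
    return {(i, j): order(gf_div(alpha[i], alpha[j]))
            for i in range(4) for j in range(i + 1, 4)}


class ReducedOracle:
    """Hypothetical model of the IFA test once z1,0 and z1,3 have been
    neutralised: the fault on the first S-box of round 2 is ineffective iff
    alpha_1 * S(theta_prev ^ k) ^ alpha_2 * S(theta ^ k) == 0.
    S, alpha and the key byte k are hidden; mu = k ^ S^-1(0) is known."""

    def __init__(self, seed=1):
        rng = random.Random(seed)
        self.sbox = list(range(256))
        rng.shuffle(self.sbox)
        self.alpha = [rng.randrange(1, 256) for _ in range(4)]
        self.k = rng.randrange(256)
        self.mu = self.k ^ self.sbox.index(0)
        self.queries = 0

    def ifa(self, theta_prev, theta):
        self.queries += 1
        tau_prev = self.sbox[theta_prev ^ self.k]
        tau = self.sbox[theta ^ self.k]
        return gf_mul(self.alpha[1], tau_prev) ^ gf_mul(self.alpha[2], tau) == 0


def recover_order(oracle, seed=7):
    """From theta^(0) find theta^(1), theta^(2), ... with one exhaustive
    search each; the chain closes after ord(beta_{1,2}) steps because
    tau^(k) = beta^k * tau^(0). Returns (order, chain of theta values)."""
    rng = random.Random(seed)
    theta0 = rng.choice([v for v in range(256) if v != oracle.mu])  # keep tau^(0) != 0
    chain = [theta0]
    while True:
        # alpha_2 * tau = alpha_1 * tau_prev has one solution and S is bijective
        nxt = next(v for v in range(256) if oracle.ifa(chain[-1], v))
        if nxt == theta0:
            return len(chain), chain
        chain.append(nxt)


if __name__ == "__main__":
    print("AES (2,3,1,1) beta orders:", beta_orders([2, 3, 1, 1]))
    o = ReducedOracle()
    n, chain = recover_order(o)
    print("recovered order", n, "expected", order(gf_div(o.alpha[1], o.alpha[2])),
          "after", o.queries, "oracle queries")
```

θ^(0) is chosen different from µ so that τ^(0) ≠ 0; starting from the zero value would make the chain a fixed point and reveal nothing about β.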

Lemma: Relation K1-K0

This reduction of the MixColumns candidates uses particular properties brought by the KeySchedule scheme:

Lemma. For i ∈ {0, …, 7}, we have k1,i ⊕ k1,i+8 = µi+4 ⊕ µi+8.

Proof.

k1,i+4 = k1,i ⊕ k0,i+4

k1,i+8 = k1,i+4 ⊕ k0,i+8

⇒ k1,i ⊕ k1,i+8 = k0,i+4 ⊕ k0,i+8 = µi+4 ⊕ µi+8 (the two S−1(0) terms cancel).

Reducing MixColumns Using K1 Relations (1/2)

We will force the K0-K1 relation to appear in the IFA equations. As in the previous step we use the knowledge of mk0,0 to remove k1,0 and S−1(0):

α0 ∗ z1,0 ⊕ α1 ∗ z1,1 ⊕ α2 ∗ z1,2 ⊕ α3 ∗ z1,3 ⊕ k1,0 = S−1(0)

k1,0 ⊕ S−1(0) ⊕ α1 ∗ z1,1 ⊕ α2 ∗ z1,2 ⊕ α3 ∗ z1,3 ⊕ k1,0 = S−1(0)

α1 ∗ z1,1 ⊕ α2 ∗ z1,2 ⊕ α3 ∗ z1,3 = 0

Then we use the knowledge of mki,1 and mki+8,2 to have z1,1 = S(mki,1) and z1,2 = S(mki+8,2), so that α1 ∗ z1,1 = k1,i ⊕ S−1(0) and α2 ∗ z1,2 = k1,i+8 ⊕ S−1(0):

α1 ∗ z1,1 ⊕ α2 ∗ z1,2 ⊕ α3 ∗ z1,3 = 0

k1,i ⊕ S−1(0) ⊕ k1,i+8 ⊕ S−1(0) ⊕ α3 ∗ z1,3 = 0

k1,i ⊕ k1,i+8 ⊕ α3 ∗ z1,3 = 0

µi+4 ⊕ µi+8 ⊕ α3 ∗ z1,3 = 0

Then we exhaust the value of z1,3 until we get an IFA.

Reducing MixColumns Using K1 Relations (2/2)

We recognise the message byte inducing the colliding z1,3 as a value θ^(p) of the reference sequence, then we know that z1,3 = τ^(p):

µi+4 ⊕ µi+8 ⊕ α3 ∗ τ^(p) = 0

µi+4 ⊕ µi+8 ⊕ α3 ∗ β^p ∗ τ^(0) = 0

τ^(0) = (µi+4 ⊕ µi+8) / (α3 ∗ β^p)

This type of relation constrains the MixColumns parameters.

Lemma. Two equations of the previous step allow us to reduce the set of candidates for the MixColumns parameters to 255 elements.

Retrieving MixColumns and RotWord parameters

In this step we combine two types of equations:

k1,0 = k0,0 ⊕ S(k0,12+η) ⊕ ρ^0

k1,0 = αj ∗ S(mk0,j ⊕ k0,0) ⊕ S−1(0)

⇒ S(k0,12+η) = k0,0 ⊕ S−1(0) ⊕ 1 ⊕ αj ∗ S(mk0,j ⊕ k0,0)

⇒ S(k0,12+η) = µ0 ⊕ 1 ⊕ αj ∗ S(θ^(q1) ⊕ k0,0)

⇒ S(k0,12+η) = µ0 ⊕ 1 ⊕ αj ∗ τ^(q1)

For each MixColumns parameter candidate we are able to calculate S(k0,12+η) and recognise it as a known τ^(q2) value:

⇒ S(k0,12+η) = τ^(q2) = S(θ^(q2) ⊕ k0,0)

⇒ k0,12+η = θ^(q2) ⊕ k0,0

⇒ θ^(q2) = µ0 ⊕ µ12+η

Then only 4 valid solutions remain; a second equation leaves only 1.

Retrieving S−1(0)

We are now able to calculate k1,4, due to the equations of the KeySchedule:

k1,0 = k0,0 ⊕ τ^(q2) ⊕ 1

k1,4 = k1,0 ⊕ k0,4

⇒ k1,4 = k0,0 ⊕ τ^(q2) ⊕ 1 ⊕ k0,4

⇒ k1,4 = µ0 ⊕ S−1(0) ⊕ τ^(q2) ⊕ 1 ⊕ µ4 ⊕ S−1(0)

⇒ k1,4 = τ^(q2) ⊕ 1 ⊕ µ0 ⊕ µ4

We then use k1,4 to derive S−1(0) from an mki,j equation:

k1,4 = αj ∗ S(mk4,j ⊕ k0,0) ⊕ S−1(0)

S−1(0) = αj ∗ S(θ^(q3) ⊕ k0,0) ⊕ k1,4

S−1(0) = αj ∗ τ^(q3) ⊕ k1,4

Remark. We are now able to infer the values of the S-box, K0 and K1: K0 = (µi ⊕ S−1(0)), K1 follows from the key schedule, and the reference sequence gives S(θ^(i) ⊕ k0,0) = τ^(i) on 255 inputs while S(S−1(0)) = 0 fixes the last one.

Retrieving Rcon parameter

We know all AES parameters except ρ, which allows us to control the state T2 (input of the second AddRoundKey). We exhaust the t2,0 values until an IFA occurs on the first S-box of the third round:

y3,0 = 0

S(x3,0) = 0

S(t2,0 ⊕ k2,0) = 0

k2,0 = t2,0 ⊕ S−1(0)

We learn k2,0 and can then simply calculate ρ (Rcon[2] = ρ^1):

k2,0 = k1,0 ⊕ S(k1,12+η) ⊕ ρ

ρ = k1,0 ⊕ S(k1,12+η) ⊕ k2,0
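The key-schedule facts used on the K1-K0 lemma slide, the MixColumns/RotWord slide, the S−1(0) slide and the Rcon slide above (k1,i ⊕ k1,i+8 = µi+4 ⊕ µi+8, k1,0 = k0,0 ⊕ S(k0,12+η) ⊕ 1, and ρ = k1,0 ⊕ S(k1,12+η) ⊕ k2,0), exercised on a hypothetical generalised AES-128 key schedule. This is an added example, not the authors' code. Assumptions: a random secret S-box, RotWord rotates the last word left by η bytes, Rcon[r] = [ρ^(r−1), 0, 0, 0] with only rounds 1 and 2 generated (Rcon[1] = 1, Rcon[2] = ρ, so no field exponentiation is needed), and the recovery helpers receive K0, K1, K2 and S as already known from the earlier attack steps. All names are the example's own.

```python
import random


def key_schedule_round(k_prev, sbox, eta, rcon):
    """One round of the generalised AES-128 key schedule on a 16-byte round key
    (column-major: word j = bytes 4j..4j+3). RotWord rotates the last word by
    eta bytes, SubWord uses the secret S-box, [rcon,0,0,0] is XORed into word 0."""
    w = [k_prev[4 * j:4 * j + 4] for j in range(4)]
    t = [sbox[w[3][(b + eta) % 4]] for b in range(4)]     # SubWord(RotWord_eta(w3))
    t[0] ^= rcon
    new = [[a ^ b for a, b in zip(w[0], t)]]
    for j in range(1, 4):
        new.append([a ^ b for a, b in zip(new[j - 1], w[j])])
    return [x for word in new for x in word]


def expand(k0, sbox, eta, rho):
    """K0, K1, K2 with Rcon[1] = rho^0 = 1 and Rcon[2] = rho^1 = rho (assumed form)."""
    k1 = key_schedule_round(k0, sbox, eta, 1)
    k2 = key_schedule_round(k1, sbox, eta, rho)
    return k0, k1, k2


def mu_values(k0, sbox):
    """What step 1 of the attack yields: mu_i = k0_i ^ S^-1(0)."""
    s_inv_0 = sbox.index(0)
    return [k ^ s_inv_0 for k in k0]


def k1_k0_relation_holds(k1, mu):
    """K1-K0 lemma: k1,i ^ k1,i+8 == mu_{i+4} ^ mu_{i+8} for i in 0..7
    (the two S^-1(0) terms cancel)."""
    return all(k1[i] ^ k1[i + 8] == mu[i + 4] ^ mu[i + 8] for i in range(8))


def eta_candidates(k0, k1, sbox):
    """RotWord shifts compatible with k1,0 = k0,0 ^ S(k0,12+eta) ^ 1."""
    return [eta for eta in range(4) if k1[0] == k0[0] ^ sbox[k0[12 + eta]] ^ 1]


def recover_rho(k1, k2, sbox, eta):
    """Rcon step: rho = k1,0 ^ S(k1,12+eta) ^ k2,0 once k2,0 is learnt by IFA."""
    return k1[0] ^ sbox[k1[12 + eta]] ^ k2[0]


def demo(seed=2013):
    """Random secret parameters; checks that each recovery rule holds."""
    rng = random.Random(seed)
    sbox = list(range(256))
    rng.shuffle(sbox)
    eta, rho = rng.randrange(4), rng.randrange(1, 256)
    k0 = [rng.randrange(256) for _ in range(16)]
    k0, k1, k2 = expand(k0, sbox, eta, rho)
    mu = mu_values(k0, sbox)
    return {
        "relation": k1_k0_relation_holds(k1, mu),
        "eta_ok": eta in eta_candidates(k0, k1, sbox),
        "rho_ok": recover_rho(k1, k2, sbox, eta) == rho,
    }


if __name__ == "__main__":
    print(demo())
```

eta_candidates() can return more than one shift when two bytes of the last word happen to have the same S-box image XORed with the same constant; the deck resolves that ambiguity with a second equation, which is why it reports 4 candidates first and 1 afterwards.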

Simulations Results

Step                                   # of faults (average)
Retrieving µi values                   2055.96
Retrieving ShiftRows                   138.50
Retrieving βi,j orders                 22339.80
Retrieving cross-orders relations      0
Retrieving K1 relations                915.77
Retrieving MixColumns and RotWord      64.30
Retrieving S−1(0)                      0
Retrieving Rcon                        127.5
Total                                  25641.83

Figure: Experimental results on an unprotected implementation.


Outline

1 Introduction
    Advanced Encryption Standard
    Ineffective Fault Analysis

2 Scope of the Attack
    Modifications on AES
    Constraints on Attacker

3 Attack Steps

4 Conclusion
    Global Results
    Future Works

Antoine Wurcker (Universite de Limoges) Reverse AES by IFA FDTC 2013 30 / 33


Global Results

We bypass the dual-execution countermeasure.

In 95.28% of cases we retrieve the whole algorithm specification, with an average of ∼25k required faults.

With reasonable extra cost, we are able to extend our attack to two harder configurations:

1 Full-entropy MixColumns matrix: the MixColumns matrix is no longer circulant and is composed of 16 independent parameters. This new attack is valid in 99.99% of cases (instead of 95.28%).

2 Extended Rcon parameters: Rcon no longer depends on a single value ρ; each round has its own independent value.

Antoine Wurcker (Universite de Limoges) Reverse AES by IFA FDTC 2013 31 / 33


Future Works

Search for tricks to reduce the number of faults.

Extend the attack to the remaining 5% of cases.

Adapt the attack to the case where the fault is injected on exclusive-or (⊕) operations instead of table lookups.

Study the adaptability of this attack in the presence of different types of countermeasures.

Study how knowledge of the key facilitates the attack (a decryption function available on the device gives the ability to find the key).

Antoine Wurcker (Universite de Limoges) Reverse AES by IFA FDTC 2013 32 / 33


Questions

Thank you for your attention.

Any questions?

Antoine Wurcker (Universite de Limoges) Reverse AES by IFA FDTC 2013 33 / 33


Proof: Only 255 MixColumns Candidates Remain

Proof.

$$
\left.
\begin{aligned}
\tau(0) &= \frac{\mu_{1,i+4} \oplus \mu_{1,i+8}}{\alpha_3 \cdot \beta^{p_1}} \\
\tau(0) &= \frac{\mu_{1,i+8} \oplus \mu_{1,i+12}}{\alpha_3 \cdot \beta^{p_2}}
\end{aligned}
\right\}
\Rightarrow \beta^{p_1 - p_2} = \frac{\mu_{1,i+4} \oplus \mu_{1,i+8}}{\mu_{1,i+8} \oplus \mu_{1,i+12}}
$$

$$
\Rightarrow \left( \frac{\alpha_{i^\star}}{\alpha_{j^\star}} \right)^{p_1 - p_2} = \frac{\mu_{1,i+4} \oplus \mu_{1,i+8}}{\mu_{1,i+8} \oplus \mu_{1,i+12}}
\Rightarrow \alpha_{i^\star}^{\,p_1 - p_2} = \frac{\mu_{1,i+4} \oplus \mu_{1,i+8}}{\mu_{1,i+8} \oplus \mu_{1,i+12}} \cdot \alpha_{j^\star}^{\,p_1 - p_2}
$$

255 valid pairs (α_{i⋆}, α_{j⋆}) remain. The relations already acquired extend this property to the other MixColumns parameters.

Remark: for each of the 255 candidates for the MixColumns parameters we are able to calculate τ(0) and β, and then the whole sequence (τ(k))k=0,...,254.

Antoine Wurcker (Universite de Limoges) Reverse AES by IFA FDTC 2013 34 / 33


Simulation's Oracle

We ran simulations using an oracle that takes as input:

the parameters of the modified AES

the round and S-Box position considered as faulted

the message we decide to play

and gives back a boolean value indicating whether the fault was ineffective.

Antoine Wurcker (Universite de Limoges) Reverse AES by IFA FDTC 2013 35 / 33
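The Rcon-retrieval step (slide 28) replayed against a software stand-in for the simulation oracle just described, as an added Python example that is not the authors' code. It assumes the standard AES S-box in place of the secret one recovered earlier, a constructed round-1 key K1 and rotation η, and an oracle that, like the authors', only answers whether the stuck-at-0 fault on the first S-Box of round 3 was ineffective.

```python
# Added example, not the authors' code: AES S-box and constructed K1/eta are assumed.

def aes_sbox():
    """AES S-box: GF(2^8) inversion followed by the affine map."""
    def gf_mul(a, b):
        r = 0
        for _ in range(8):
            if b & 1:
                r ^= a
            carry = a & 0x80
            a = (a << 1) & 0xFF
            if carry:
                a ^= 0x1B  # reduce modulo x^8 + x^4 + x^3 + x + 1
            b >>= 1
        return r
    sbox = []
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if gf_mul(x, y) == 1)
        s = inv
        for i in range(1, 5):  # inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4), then ^ 0x63
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

class IfaOracle:
    """Holds the secret rho, derives k2,0 = k1,0 ^ S(k1,12+eta) ^ rho (the
    slides' key-schedule relation) and reports whether a stuck-at-0 fault on
    S-box (round 3, byte 0) is ineffective for the chosen state byte t2,0."""
    def __init__(self, sbox, k1, eta, rho):
        self.sbox, self.faults = sbox, 0
        self.k2_0 = k1[0] ^ sbox[k1[12 + eta]] ^ rho
    def ineffective(self, t2_0):
        self.faults += 1
        return self.sbox[t2_0 ^ self.k2_0] == 0  # y3,0 is already 0: no effect

def recover_rho(oracle, sbox, k1, eta):
    """Exhaust t2,0; the first ineffective fault yields k2,0 and hence rho."""
    s_inv_0 = sbox.index(0)  # S^-1(0), known from an earlier attack step
    for t2_0 in range(256):
        if oracle.ineffective(t2_0):
            return k1[0] ^ sbox[k1[12 + eta]] ^ (t2_0 ^ s_inv_0)
    raise RuntimeError("no ineffective fault: S-box or key relation is wrong")

def mean_effective_faults(sbox, k1, eta):
    """Effective faults spent before the ineffective one, averaged over rho."""
    oracles = [IfaOracle(sbox, k1, eta, rho) for rho in range(256)]
    for o in oracles:
        recover_rho(o, sbox, k1, eta)
    return sum(o.faults - 1 for o in oracles) / 256
```

Averaged over all 256 values of ρ, the search spends 127.5 effective faults before the ineffective one, the figure the results table reports for the Rcon step.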