Fault Attacks on Nonce-based Authenticated Encryption: Application to Keyak and Ketje

Christoph Erwin Dobraunig, Stefan Mangard, Florian Mendel, Robert Primas

Publication: Contribution to book/report/conference proceedings; Contribution to conference proceedings; Research; Peer-reviewed

Abstract

In the context of fault attacks on nonce-based authenticated encryption, an attacker faces two restrictions. The first is the uniqueness of the nonce for each new encryption that prevents the attacker from collecting pairs of correct and faulty outputs to perform, e.g., differential fault attacks. The second restriction concerns the verification/decryption, which releases only verified plaintext. While many recent works either exploit misuse scenarios (e.g. nonce-reuse, release of unverified plaintext), we turn the fact that the decryption/verification gives us information on the effect of a fault (whether a fault changed a value or not) against it. In particular, we extend the idea of statistical ineffective fault attacks (SIFA) to target the initialization performed in nonce-based authenticated encryption schemes. By targeting the initialization performed during decryption/verification, most nonce-based authenticated encryption schemes provide the attacker with an oracle whether a fault was ineffective or not. This information is all the attacker needs to mount statistical ineffective fault attacks. To demonstrate the practical threat of the attack, we target software implementations of the authenticated encryption schemes Keyak and Ketje. The presented fault attacks can be carried out without the need of sophisticated equipment. In our practical evaluation the inputs corresponding to 24 ineffective fault inductions were required to reveal large parts of the secret key in both scenarios.

Original language: English
Title: Selected Areas in Cryptography – SAC 2018
Editors: Carlos Cid, Michael J. Jacobson
Publisher: Springer
Pages: 257-277
Number of pages: 21
ISBN (electronic): 978-3-030-10970-7
ISBN (print): 978-3-030-10969-1
DOIs: https://doi.org/10.1007/978-3-030-10970-7_12
Publication status: Published - 2019
Event: The 33rd ACM/SIGAPP Symposium On Applied Computing - Pau, France
Duration: 9 Apr 2018 to 13 Apr 2018
https://www.sigapp.org/sac/sac2018/

Publication series

Name: Lecture Notes in Computer Science
Volume: 11349

Conference

Conference: The 33rd ACM/SIGAPP Symposium On Applied Computing
Short title: ACM SAC 2018
Country: France
City: Pau
Period: 9/04/18 to 13/04/18
Internet address: https://www.sigapp.org/sac/sac2018/

Fingerprint

Authenticated Encryption
Fault Attacks
Cryptography
Fault
Initialization
Restriction
Scenarios
Target
Encryption
Reuse
Proof by induction
Uniqueness
Attack
Side channel attack
Software
Output
Evaluation
Demonstrate

Keywords

    ASJC Scopus subject areas

    • Theoretical Computer Science
    • Computer Science (all)

    Cite this

    Dobraunig, C. E., Mangard, S., Mendel, F., & Primas, R. (2019). Fault Attacks on Nonce-based Authenticated Encryption: Application to Keyak and Ketje. In C. Cid, & M. J. Jacobson (Eds.), Selected Areas in Cryptography – SAC 2018 (pp. 257-277). (Lecture Notes in Computer Science; Vol. 11349). Springer. https://doi.org/10.1007/978-3-030-10970-7_12

    @inproceedings{11fafea96ec0490c8dc3538d4c0ba3d4,
    title = "Fault Attacks on Nonce-based Authenticated Encryption: Application to Keyak and Ketje",
    keywords = "Fault Attack, Statistical Ineffective Fault Attack, SIFA, Authenticated Encryption, Keyak, Ketje, Statistical ineffective fault attack, Authenticated encryption, Fault attack",
    author = "Dobraunig, {Christoph Erwin} and Stefan Mangard and Florian Mendel and Robert Primas",
    year = "2019",
    doi = "10.1007/978-3-030-10970-7_12",
    language = "English",
    isbn = "978-3-030-10969-1",
    series = "Lecture Notes in Computer Science",
    publisher = "Springer",
    pages = "257--277",
    editor = "Carlos Cid and Jacobson, {Michael J.}",
    booktitle = "Selected Areas in Cryptography – SAC 2018",

    }

    TY - GEN

    T1 - Fault Attacks on Nonce-based Authenticated Encryption: Application to Keyak and Ketje

    AU - Dobraunig, Christoph Erwin

    AU - Mangard, Stefan

    AU - Mendel, Florian

    AU - Primas, Robert

    PY - 2019

    Y1 - 2019

    KW - Fault Attack

    KW - Statistical Ineffective Fault Attack

    KW - SIFA

    KW - Authenticated Encryption

    KW - Keyak

    KW - Ketje

    KW - Statistical ineffective fault attack

    KW - Authenticated encryption

    KW - Fault attack

    UR - http://www.scopus.com/inward/record.url?scp=85060712165&partnerID=8YFLogxK

    U2 - 10.1007/978-3-030-10970-7_12

    DO - 10.1007/978-3-030-10970-7_12

    M3 - Conference contribution

    SN - 978-3-030-10969-1

    T3 - Lecture Notes in Computer Science

    SP - 257

    EP - 277

    BT - Selected Areas in Cryptography – SAC 2018

    A2 - Cid, Carlos

    A2 - Jacobson, Michael J.

    PB - Springer

    ER -