Doctoral Thesis Defense - June 14, 2016 - Application of Fault Analysis to Some Cryptographic Standards

June 9, 2016

Onur Duman

Tuesday, June 14, 2016 at 2:00 p.m.
Room EV003.309

You are invited to attend the following M.A.Sc. (Information Systems Security) thesis examination.

Examining Committee

Dr. C. Assi, Chair
Dr. A. Youssef, Supervisor
Dr. C. Assi, CIISE Examiner
Dr. W. Hamouda, External Examiner (ECE)

Abstract

Cryptanalysis methods can be classified as pure mathematical attacks, such as linear and differential cryptanalysis, and implementation-dependent attacks, such as power analysis and fault analysis. Pure mathematical attacks exploit the mathematical structure of the cipher to reveal the secret key inside the cipher. On the other hand, implementation-dependent attacks assume that the attacker has access to the cryptographic device in order to launch the attack. Fault analysis is an example of a side-channel attack in which the attacker is assumed to be able to induce faults in the cryptographic device and observe the faulty output. The attacker then tries to recover the secret key by combining the information obtained from the faulty and the correct outputs. Even though fault analysis attacks may require access to specialized equipment in order to insert faults at specific locations or at specific times during the computation, the resulting attacks usually have time and memory complexities that are far more practical than those of pure mathematical attacks.

Recently, several AES-based primitives were approved as new cryptographic standards around the world. For example, Kuznyechik was approved as the standard block cipher in the Russian Federation, and Kalyna and Kupyna were approved as the standard block cipher and hash function, respectively, in Ukraine. Given the importance of these three new primitives, in this thesis we analyze their resistance against fault analysis attacks.

Firstly, we modified a differential fault analysis (DFA) attack that was originally applied to AES and applied it to Kuznyechik. Applying DFA to Kuznyechik was not a trivial task because of the linear transformation layer used in the last round of Kuznyechik. In order to bypass the effect of this linear transformation, we had to use an equivalent representation of the last round, which allowed us to recover the last two round keys using a total of four faults and break the cipher.

Secondly, we modified the attack we applied to Kuznyechik and applied it to Kalyna. Kalyna has a complicated key schedule and uses modulo 2^64 addition for applying the first and last round keys. This makes Kalyna more resistant to DFA than AES and Kuznyechik, but it is still practically breakable because the number of key candidates recovered by DFA can be brute-forced in a reasonable time. We also considered the case where the SBox entries of Kalyna are not known and showed how to recover a set of candidates for the SBox entries.

Lastly, we applied two fault analysis attacks to the Kupyna hash function. In the first case, we assumed that the SBoxes and all the other function parameters are known; in the second case, we assumed that the SBoxes were kept secret and attacked the hash function accordingly. Kupyna can be used as the underlying hash function in the construction of MAC schemes such as secret IV, secret prefix, NMAC or HMAC. In our analysis, we showed that the secret inputs of Kupyna can be recovered using fault analysis.

To conclude, we analyzed two newly accepted standard ciphers (Kuznyechik, Kalyna) and one newly approved standard hash function (Kupyna) for their resistance against fault attacks. We also analyzed Kalyna and Kupyna with the assumption that these ciphers can be deployed with secret user defined SBoxes in order to increase their security.
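As an added illustration of the principle the abstract describes, that combining a correct output with a faulty one shrinks the set of key candidates consistent with the fault model, the Python below simulates DFA on a one-byte toy last round (AES S-box followed by key XOR); it is example code written for this notice, not code from the thesis or from any of the ciphers it analyzes. It assumes a single-bit-flip fault on the S-box input and an attacker who sees only ciphertext pairs; the names `SINGLE_BIT`, `candidates` and `recover_key_byte` are this example's own.

```python
import random
# Generate the AES S-box from its definition (GF(2^8) inverse, then the
# affine map) so that the example needs no 256-entry lookup table.
def _gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)  # reduce mod x^8+x^4+x^3+x+1
        b >>= 1
    return r

def _gf_inv(a):  # a^254 is the inverse in GF(2^8); 0 maps to 0, as in AES
    r = 1
    for _ in range(254):
        r = _gf_mul(r, a)
    return r

def _affine(b):  # XOR of five left rotations of b, plus the constant 0x63
    r = 0x63
    for i in range(5):
        r ^= ((b << i) | (b >> (8 - i))) & 0xFF
    return r

SBOX = [_affine(_gf_inv(x)) for x in range(256)]
INV_SBOX = [SBOX.index(y) for y in range(256)]
SINGLE_BIT = {1 << i for i in range(8)}  # assumed fault model: one input bit flipped

def last_round(x, k):
    """Toy last round of an AES-like cipher on one byte: S-box, then key XOR."""
    return SBOX[x] ^ k

def candidates(c, c_faulty, deltas=SINGLE_BIT):
    """Key bytes for which a (correct, faulty) pair is consistent with the fault model."""
    return {k for k in range(256)
            if INV_SBOX[c ^ k] ^ INV_SBOX[c_faulty ^ k] in deltas}

def recover_key_byte(k_true, seed=0, max_faults=20):
    """Attacker view: intersect candidates over faulty encryptions; returns (keys, faults used)."""
    rng = random.Random(seed)
    surviving = set(range(256))
    for n in range(1, max_faults + 1):
        x = rng.randrange(256)           # S-box input, unknown to the attacker
        e = 1 << rng.randrange(8)        # induced fault: one bit of x flipped
        c, c_faulty = last_round(x, k_true), last_round(x ^ e, k_true)
        surviving &= candidates(c, c_faulty)  # the true key always survives
        if len(surviving) == 1:
            return surviving, n
    return surviving, max_faults
```

The fault count returned shows how few pairs typically suffice on one byte, which is why redundancy and fault-detection countermeasures matter for implementations of ciphers like the ones studied here.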

Graduate Program Coordinators

For more information, contact Silvie Pasquarelli or Mireille Wahba.


© Concordia University