Authors: |
- Qingyuan Yu , School of Cyber Science and Technology, Shandong University, Qingdao, China; Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China
- Xiaoyang Dong , Institute for Advanced Study, BNRist, Tsinghua University, Beijing, China; Zhongguancun Laboratory, Beijing, China; Shandong Institute of Blockchain, Jinan, China
- Lingyue Qin , BNRist, Tsinghua University, Beijing, China; Zhongguancun Laboratory, Beijing, China
- Yongze Kang , School of Cyber Science and Technology, Shandong University, Qingdao, China; Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China
- Keting Jia , Institute for Network Sciences and Cyberspace, BNRist, Tsinghua University, Beijing, China; Zhongguancun Laboratory, Beijing, China
- Xiaoyun Wang , Institute for Advanced Study, BNRist, Tsinghua University, Beijing, China; Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China; Zhongguancun Laboratory, Beijing, China
- Guoyan Zhang , School of Cyber Science and Technology, Shandong University, Qingdao, China; Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China; Shandong Institute of Blockchain, Jinan, China
|
Abstract: |
Fault analysis is a powerful technique to retrieve secret keys by exploiting side-channel information. Differential fault analysis (DFA) is one of the most powerful threats utilizing differential information between correct and faulty ciphertexts and can recover keys for symmetric-key cryptosystems efficiently. Since DFA usually targets the first or last few rounds of the block ciphers, some countermeasures against DFA only protect the first and last few rounds for efficiency. Therefore, to explore how many rounds DFA can affect is very important to make sure how many rounds to protect in practice. At CHES 2011, Derbez et al. proposed an improved DFA on AES based on MitM approach, which covers one more round than previous DFAs. To perform good (or optimal) MitM DFA on block ciphers, the good (or optimal) attack configurations should be identified, such as the location where the faults inject, the matching point with differential relationship, and the two independent computation paths where two independent subsets of the key are involved. In this paper, we formulate the essential ideas of the construction of the attack, and translate the problem of searching for the best MitM DFA into optimization problems under constraints in Mixed-Integer-Linear-Programming (MILP) models. With the models, we achieve more powerful and practical DFA attacks on SKINNY, CRAFT, QARMA, PRINCE, PRINCEv2, and MIDORI with faults injected in 1 to 9 earlier rounds than the best previous DFAs. |