International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Automatic Search of Meet-in-the-Middle Differential Fault Analysis on AES-like Ciphers

Authors:
Qingyuan Yu , School of Cyber Science and Technology, Shandong University, Qingdao, China; Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China
Xiaoyang Dong , Institute for Advanced Study, BNRist, Tsinghua University, Beijing, China; Zhongguancun Laboratory, Beijing, China; Shandong Institute of Blockchain, Jinan, China
Lingyue Qin , BNRist, Tsinghua University, Beijing, China; Zhongguancun Laboratory, Beijing, China
Yongze Kang , School of Cyber Science and Technology, Shandong University, Qingdao, China; Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China
Keting Jia , Institute for Network Sciences and Cyberspace, BNRist, Tsinghua University, Beijing, China; Zhongguancun Laboratory, Beijing, China
Xiaoyun Wang , Institute for Advanced Study, BNRist, Tsinghua University, Beijing, China; Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China; Zhongguancun Laboratory, Beijing, China
Guoyan Zhang , School of Cyber Science and Technology, Shandong University, Qingdao, China; Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China; Shandong Institute of Blockchain, Jinan, China
Download:
DOI: 10.46586/tches.v2023.i4.1-31
URL: https://tches.iacr.org/index.php/TCHES/article/view/11156
Search ePrint
Search Google
Abstract: Fault analysis is a powerful technique to retrieve secret keys by exploiting side-channel information. Differential fault analysis (DFA) is one of the most powerful threats utilizing differential information between correct and faulty ciphertexts and can recover keys for symmetric-key cryptosystems efficiently. Since DFA usually targets the first or last few rounds of the block ciphers, some countermeasures against DFA only protect the first and last few rounds for efficiency. Therefore, to explore how many rounds DFA can affect is very important to make sure how many rounds to protect in practice. At CHES 2011, Derbez et al. proposed an improved DFA on AES based on MitM approach, which covers one more round than previous DFAs. To perform good (or optimal) MitM DFA on block ciphers, the good (or optimal) attack configurations should be identified, such as the location where the faults inject, the matching point with differential relationship, and the two independent computation paths where two independent subsets of the key are involved. In this paper, we formulate the essential ideas of the construction of the attack, and translate the problem of searching for the best MitM DFA into optimization problems under constraints in Mixed-Integer-Linear-Programming (MILP) models. With the models, we achieve more powerful and practical DFA attacks on SKINNY, CRAFT, QARMA, PRINCE, PRINCEv2, and MIDORI with faults injected in 1 to 9 earlier rounds than the best previous DFAs.
BibTeX
@article{tches-2023-33338,
  title={Automatic Search of Meet-in-the-Middle Differential Fault Analysis on AES-like Ciphers},
  journal={IACR Transactions on Cryptographic Hardware and Embedded Systems},
  publisher={Ruhr-Universität Bochum},
  volume={2023, Issue 4},
  pages={1-31},
  url={https://tches.iacr.org/index.php/TCHES/article/view/11156},
  doi={10.46586/tches.v2023.i4.1-31},
  author={Qingyuan Yu and Xiaoyang Dong and Lingyue Qin and Yongze Kang and Keting Jia and Xiaoyun Wang and Guoyan Zhang},
  year=2023
}