[145283] in cryptography@c2.net mail archive
A Fault Attack Construction Based On Rijmen's Chosen-Text
daemon@ATHENA.MIT.EDU (Alfonso De Gregorio)
Fri Jul 9 12:51:41 2010
Date: Mon, 14 Jun 2010 16:40:03 +0200
From: Alfonso De Gregorio <adg@crypto.lo.gy>
To: cryptography@metzdowd.com
Cc: vincent.rijmen@esat.kuleuven.be
Last Thursday, Vincent Rijmen announced a new clever attack on AES
(and KASUMI) in a report posted to the Cryptology ePrint Archive:
Practical-Titled Attack on AES-128 Using Chosen-Text Relations,
http://eprint.iacr.org/2010/337
I believe the related-subkey model is an interesting model to look at
and, with this email, I would like to solicit comments from the
community about chosen-text relations attacks and their implications.
For example, this model might be pretty relevant while attacking
white-box implementations of the target encryption algorithm with
embedded secret key, assuming the ability to tamper with at least 1 bit
of the round output (debugging...).
A Fault Attack
In order to further solicit comments, I would like to contribute a
fault attack construction based on the chosen-text relations attack.
First, it is worth noting how the zero-query attack provided by
chosen-text-relations-in-the-middle can be transformed into an attack
with a single query to both the encryption and decryption oracles. It
is possible to do so by resuming the interrupted encryption after
applying the specific difference delta to the state (i.e., no rollback
anymore) and querying the decryption oracle.
More specifically:
- halt the computer in the middle of execution of an encryption routine;
- apply the specific difference delta to the state;
- resume the encryption and output the ciphertext c*;
- query the decryption oracle with c* and retrieve the modified plaintext p*