 Okay, welcome to the second talk in this session, which is on information combining differential fault attacks on default by Marcel Lagerler, Christoph de Browning, Maria Eiseda, and Marcel is giving the talk. Thank you for the introduction. Today I will be talking about differential fault attacks on the default block cipher. So first of all, I will start with some backward information on what differential fault attacks are and how the default block cipher tries to protect against them. And then with that knowledge, we will show some attacks on the initial version of this block cipher with the simple key schedule. And next up, we will consider what happens if the conditions of the simple key schedule are no longer given and we have independent round keys. And finally, based on this knowledge of equivalent keys that I will get to, we will show some attacks on the strong key schedule as proposed in the final design. So let's start with some background on differential fault attacks. So maybe some of you remember differential crypt analysis, where the idea is that you have two messages with a given difference that lead to a certain internal difference delta t with some probability p. And based on this expected difference, we can then try to recover the key by guessing parts of the final round key and seeing whether we observe this expected difference. When we perform differential fault attacks, we do something different. But this time, we start with the same message twice and we then, in one of the computations, we disturb the computation by physically affecting the operating conditions of the device, for example, by glitching the clock or disturbing the power supply or something like that. And this would induce a fault during computation and we can then use this fault or difference in computation to perform a very similar key recovery attack as in differential crypt analysis. So maybe I want to talk about this fault attack in a bit more detail. So here is a zoomed in version of what we have seen just now. So that would be one aspect of the final round. And in the fault model proposed by the designers of the default block cipher, they said that an attacker can flip one arbitrary bit during one computation. And if the attacker can flip one arbitrary bit, they are able to induce a certain difference delta in and then they will observe a certain difference delta out based on the difference in this cipher text nibble. And with this transition, you can actually limit the number of values for U and V. And with this limited space for U and V, you also limit the space for the key. And this is essentially the idea of differential fault attacks to recover the key using much less complexity than in crypt analysis. And one important observation is that the number of solutions for U and V is actually written down in the differential distribution table, which is an important table for differential crypt analysis. And if this number of solutions is small, so if the DDT entry is small, this benefits the attacker in the sense that for fewer faults, they are able to reduce the key space much more effectively. Next, let's talk about the default block cipher. So this is a new design strategy proposed by Baxi et al at Asia Crypt 2021. And their idea was to use special S-boxes with linear structures to provide intrinsic resistance against differential fault attacks. So without any extra protection, the block cipher should be able to resist these kinds of attacks. And concretely, they proposed the block cipher default, which offers 128 bits of classical security and 64 bits of security against an attacker that is capable of inducing the faults that we have just mentioned. And there are two variants that I will be talking about. The initial one that is available on E-print uses a very simple key schedule where the master key is added after every round. And then the final version uses a much stronger key schedule, where four essentially independent keys are excelled in a rotating fashion. And it is based on the sandwich construction, where they have the cord for classical security and the layer on the outside for DFA security. This is what the block cipher looks like. So it is heavily inspired by the gift block cipher. Uses the same bit permutation, but it does have different S-boxes. So we have 32 S-boxes, and each of them contains four linear structures. And by now you might be wondering what a linear structure actually is. Well, it is best summarized using the differential distribution table. So this table summarizes which input difference along the columns, along the y-axis, leads to which output difference along the x-axis in how many cases. And that input difference of zero always leads to output difference of zero. That makes sense. And the special thing is that an input difference of six will also always lead to an output difference of A. And the same is true for a few other values. So we have four linear structures in total. And now we want to see how these linear structures affect the key recovery in differential fault attacks. So first, let's recall this model that I had earlier with the U and the U prime with a given input difference. And if we now have a linear structure alpha to beta, we can actually find that if we have a certain set of observation where K is a valid key that fits our observation, there is another valid key, Kx with beta, which will also fit all of our observations. Why is that the case? Well, we know that an input difference of alpha will always lead to the same output difference of beta. So we can XOR and alpha onto this unknown internal state. And this will lead to a difference of beta after the S-box due to the linear structure. And this can be canceled by another key, Kx with beta. And therefore, Kx with beta is also a valid key. And these betas are located according to a linear space. So if we perform an attack like this, we actually notice that we will always be left with an affine space of valid keys. And this observation is the basis for future observations that I will be talking about. So we have in the default block surface, we have four linear structures and 32 S-boxes. So in total, we expect to be left with two to the 64 key candidates when performing DFA on the final round. That's their security claim. But with that, we actually, we have seen a simplistic view of the final round. But now we want to build attacks that exploit the fact that we can attack multiple rounds consecutively if we have the same key in every round. So how do we do this? First of all, I want to reiterate the intuition behind this simple key schedule. And the idea is that you can learn the same information in each round as the same key is used in each round. However, we can abuse the strong and non-linearity of the extra S-boxes. So we might have two or three S-boxes in sequence and thus combine information across rounds. And in our attack, we do a three-step attack where we first attack only the final round to reduce the key space as much as possible to two to the 64 keys. Then we attack two rounds consecutively. And we only need to consider the smaller key space from before. And then we can reduce the key space even more to two to the 32 keys. And finally, we attack three consecutive rounds to reduce the key space to a very practical two to the 16 remaining keys. So let's see that in detail. First of all, we start with the final round. So for each S-box, we perform two-folded computations, which allows us to restrict the key to the far possible values that remain due to the linear structures. And then we repeat that whole process for all the S-boxes in the final round. And then we can actually start with the more important stuff of the attack. We can fold S-boxes earlier. And the crucial part is that we always have some overlapping keys. So the keys here and down here will be overlapping. And here and down here will be overlapping. And with these overlapping keys, we are able to reduce the combinations of different keys. And then only two to the 32 keys remain after we fold all the S-boxes in the penultimate round. And finally, we also perform a few, we also perform folded computations with a few of the suitable S-boxes in the third to last round. And if we do that for that S-box, we also see that there are a few overlapping keys. And then we repeat that for the other suitable S-boxes. And we're left with two to the 16 possible keys. Crucially, all of these attacks are possible because we have the same key in each round. So to summarize, we can combine information across rounds to attack a simple key schedule where the same key is used in every round. And in a naive attack, we need 112 for the computations. While in an optimized attack, we can reduce that down to 16 to get a similar reduction in key space. But what happens if we do not have this property of equal round keys? What if all the round keys are independently chosen? Well, first recall the slide of the effect of linear structures. You can see that here we only modeled the key after the S-box. But we can also expand our model to include an independent key addition before the S-box. And this is where the interesting stuff happens. If we have a key addition before and after the S-box, this linear structure actually leads to equivalent keys. So instead of having this unknown difference at the value at the unknown value, instead of having the alpha difference of the linear structure at the unknown value u, it actually can become part of this key before the S-box. So if we exit a key before the S-box with alpha and the key after the S-box with beta, these two differences will be canceled by the linear structure in the S-box. And then these keys will perform the exact same computation. So for the same input, they will always deliver the same output. And therefore, we no longer need to distinguish between them as they map the same input to the same output anyway. So this is what happens for a single S-box. You might want to consider what happens for multiple S-boxes in sequence. In that case, we can apply these linear structures to each of the S-boxes. So we can start with the leftmost in that case, and then the middle one, and then the rightmost. And for each of them, we can pick one of the four linear structures to excel onto. And actually, we can even choose a linear combination of all of these linear structures. And that way, we can define what we call equivalence classes. So we can define huge spaces of keys that all correspond to the same identical behavior, mapping the same plaintext to the same ciphertext. And because working with these equivalence classes is kind of tedious, we want to pick a representative from each equivalence class such that we have something easier to deal with. So how do we pick the representatives? Well, we want to pick them in such a way that our attack becomes easier. If, for example, if we start the attack at the ciphertext C, we want to pick the representatives in such a way that the candidates for K3 are very little. So we might only have four candidates for K3, and we can then push the uncertainty into the previous key, K2. And here, we do the same thing. We push the uncertainty into K1, and so on. And if we do that for n independent keys, we can push the uncertainty of n minus 1 keys into the previous one. And because this is all comes directly from the linear structures, we can actually use DFA to recover the normalized variant, so this representative. We can recover these representatives for n minus 1 keys uniquely and only for the final round key we are left with a little bit of uncertainty due to the linear structures in the S-boxes. So in the default block cipher, we can then apply this idea. So we have four linear structures in each S-box, in total, 2 to the 64 linear structures per round. And now we want to consider what happens if we have n independent round keys. So each round key has 128 bits, so we expect 2 to the 128n. Oh, so we have 2 to the 128n independent keys. But actually, we get a much smaller set of 2 to the 64n plus 64 equivalence classes due to the linear structures. And each equivalence class corresponds to a distinct key permutation. So as an example, you can see this key up here. So the top one in blue is one of one key generated by the default key schedule. And it actually performs the exact same computation as the green one down below. But you can clearly see that the green key contains much less entropy. So we were able to restrict the first three sub-keys to only a much smaller space where all the nibbles are 0 to 3. And based on this observation, oh, yes, there's one more thing. This whole idea of taking a key and getting it normalized representative can be represented as a linear operation. So we can define a matrix that takes some key k. We multiply that matrix onto this key, and we then get its normalized equivalent. And with that matrix, we will now show how to build some attacks on the strong key schedule. So to review the strong key schedule, we have four keys, key 0 to key 3, which are used in a rotating fashion. So they rotate throughout every round of the cipher. And each of the keys is calculated. So key 1 is calculated from key 0 using four rounds of the un-keyed block cipher. Because they use four rounds, actually, because four rounds provide full diffusion, it's actually hard to use partial knowledge about k1 to derive something about k0. But we don't really need that. We just assume that these keys are independent for our attack. So how do we build our attack? Well, the main idea that we had is that we first of all pretend that there are six independent keys and consider them completely independent. And only afterwards do we want to add the condition that key 0 and key 4 are equal, and key 1 and key 5 are equal. But let's start with performing DFA to get some information. So we start by performing differential fault attacks to get key 0 to key 4 in a normalized way. So we can recover the normalized candidates for the five outermost keys based on this idea of the representatives. And for the key 5, the inner key, we will be left with 2 to the 64 candidates. 2 to the 64 candidates is quite a bit. But luckily, we can express this information that we have about the keys as a system of linear equations. And the system of linear equations is very compact and can be efficiently manipulated using any kind of programming language that you would desire. With that efficient representation of this key space, we can then apply the matrix that we have defined earlier that can be used to normalize a key. We can also use it to map all of these restricted normalized keys to the much larger set. So we have to the much larger set of the 2 to the 384 non-normalized keys. So we essentially take the 2 to the 64 representatives we have and expand them into the 2 to the 64 equivalence classes. With this much larger space, we can now actually add the condition that key 0 and key 4 are equal and key 1 and key 5 are equal because now we consider the whole set. And also just to repeat it, we don't need to store this large number of solutions. It's just the dimension of the space that I mentioned of the solution space of the system of equations. So if we add this condition that wrote it in key schedule is met, we can actually reduce the space by a huge factor to 2 to the 192. And this actually exactly corresponds to one equivalence class of the final of four keys, essentially. And now we can add the condition. Yeah, I do not care about the whole equivalence class. I only care about getting one representative. And if we add this condition that we have a normalized key, we are left with a single key for that performs exactly the operations that matches exactly the behavior of the cipher. So with that normalized key, there's still one little caveat that we need to consider. In particular, we have this, if you remember this sandwich construction of the layer, then the core and then the layer again, we can use this normalized, this equivalent key for the default layer, but we cannot use it for the default core because the default car has strong S boxes. But we can use the key to unwrap this default layer. And then we are only left with the default core and there we can actually do easy DFA. So this is a classical block cipher with classical S boxes. We can use any method in the literature to attack this and then we get the actual key. And so to summarize, we can attack the proposed version of the default block ciphers by using this idea of normalized keys to combine information across six rounds of the block cipher, which was thought to be impossible by the designers. And this works under the assumption that we have this strong key schedule with the repeating keys. And we need in a naive attack, 384 reported computations, but in an optimized attack, we can reduce that to about 84. And I think there might be even be more optimization potentially if more engineering effort is invested. And to summarize like the ideas in this paper, first of all, we have seen the classical interpretation of only attacking the last round, which is very slow. And then we have proposed a few attacks on the simple key schedule. So we have the multi-round attack that I've shown in the beginning. And we also have an idea of combining fault information from encryption and decryption at the same time, which can also lead to a reduction in key space. And to combat the idea of this stronger key schedule, we also have, first of all, the generic differential fault attacks using normalized keys. This is essentially just assuming all keys are independent and then just using the idea of normalized keys until you add the plain text, which is very slow, but it's very generic. So it's a noteworthy result. We have the idea of a similar idea of using combining encryption and decryption knowledge to reduce the key space even more. But I think the most powerful attack is the one I've shown just now. So the final one, where we combine information across many rounds are using the idea of normalized keys and information combining. To conclude, we have seen an interesting concept to provide cypher-level fault resistance. Unfortunately, this idea of cypher-level fault resistance remains an open problem and it seems substantial ideas beyond linear structures are necessary. If you're interested in this work, I invite you to read the paper, which is available on ePrint and also via Springer. And you can also find the implementations of all these attacks that were implemented in Python on our GitLab server. Thanks all and feel free to ask some questions. Thanks for the talk. Do you have any questions? What I talk, did you actually execute this fault attack on a real device? No, we did not. We only did it on software simulation. So what are you assuming then, which kind of fault types? Are you then assuming glitching attacks or somehow power consumption or what type do you assume? So we have used the fault model as specified by the designers of the block server that specify an attacker can flip in one arbitrary bit during computation. Okay, thank you. I guess this is a very strong fault model, but I think weaker fault models would also be possible but the analysis would look a bit different. But the idea of equivalent keys would remain, of course. Okay, if there are no more questions, then it's time to speak again. Thank you.