So also hello from my side to the audience, and since this is the first time I've been recorded and streamed to the internet, also hello to the internet. My name is Christoph, as already mentioned in the nice introduction, and this is joint work with Maria, Thomas, Victor and Florian. For the people who might know what we usually do: I usually do cryptanalysis, so they might wonder why this guy is doing fault attacks now. This is the first thing I want to talk about, our intention, why we did this work, and give a short overview of this work. So what you will see in this work are the first practical published fault attacks on a broad range of authenticated encryption schemes which work in a nonce-respecting scenario. Back then when we started with our work, pretty much every published attack on authenticated encryption schemes happened in nonce-misuse scenarios, since in the case of the most prominent fault attacks the attacker must have the ability to process the same input or related inputs to a scheme more than once, in order to get faulty or correct ciphertexts for instance, and in the case of authenticated encryption this is pretty much precluded due to the existence of the nonce. So we did this work to counteract the impression that the sole existence and correct use of the nonce is a sufficient countermeasure against fault attacks. This work is not intended to compare algorithms or make certain authenticated encryption algorithms look bad just because one explicit fault attack works on unprotected implementations of these algorithms. So to all designers of the authenticated encryption schemes we discuss: please don't be offended by the work we did. Our intention was not to show weaknesses of algorithms, it's just to point out that fault protection is also necessary in the case of authenticated encryption.

The reason why we just look at block cipher based modes of operation which either use AES or some block cipher which uses the AES round function is, first of all, that there exist a lot of such modes, and second, that due to the nice and elegant structure of AES it's quite easy to demonstrate how the attacks work. Our attacks are based on the work of Fuhr et al., which has been presented at FDTC in 2013, and for the attack we assume that an attacker is able to change the distribution of intermediate values with the help of faults. To show that our assumptions about the faults are somehow reasonable, we, and with we I mean Thomas and Victor, did fault experiments on several different hardware platforms to show the practical feasibility of these fault attacks.

So first of all, how do our fault attacks work in the case of an attack on plain AES? As you can see here, I've pictured the last two rounds of AES, where the big squares symbolize the whole state of AES, separated by the single round functions, so we have MixColumns, SubBytes, ShiftRows and AddRoundKey, and the small squares represent the single byte values of the state. In the case of AES, if we encrypt different plaintexts under the same secret key and look at the distribution of the single byte values we get, we will get a uniform distribution, as far as we know, and this is also true if the inputs are not distributed uniformly. In the case of AES we can also quite safely assume that the single byte values in the second to last round are uniformly distributed. What the attacker now tries to do is to influence the distribution of one single byte value just before the last application of MixColumns, so that this byte value is now non-uniformly distributed. For instance, an attacker can do this by faulting the processing of this S-box here. All an attacker now has to do is encrypt several plaintexts, trying to fault the encryption, collect the ciphertexts, guess the four key bytes of the last round which are needed to encrypt the bytes marked in gray, decrypt one round backwards, and check the distribution for each key guess made here. We expect the distribution of this byte to be closer to uniform for wrong key guesses than for the right key.

What we also tried to do in this attack is to reduce the assumptions we make on the capabilities of an attacker, and on what an attacker can do, as much as possible. So for instance we do not assume anything about the distribution we get here due to the faults, besides that it has to be non-uniform, and also we do not assume anything about the amount of faults an attacker makes or the exact position where he faults; we just rely on the effects of the faults. It is also not a big problem if a fault shows no effect at all, or if what it does is that it changes the distribution here in a way which is overall then close to uniform.

In the case of authenticated encryption schemes, to check if the attack is in principle applicable, we need the scheme to fulfill two requirements. The first requirement is that the block cipher core which should be attacked should process different inputs for each fault, and the inputs do not have to be known. The second requirement we have is that we need to know the output of the block cipher which is faulted.

So first of all let's have a look at the ISO/IEC standards CCM, EAX, GCM and OCB. We look at the encryption of the schemes, and since CCM, EAX and GCM all use a counter mode for encryption, I will just show how the attack works on CCM; for OCB it's a bit different, which we will see later. Here you can see CCM, and as the name implies it's counter mode with CBC-MAC. For instance, in a fault attack we can try to attack the first block of the encryption, as you can see here. In a nonce-respecting mode the nonce changes for every encryption, so we will always get different inputs, and also, if the plaintext is known, we know the output of the block cipher, and the attack I have shown before works in a similar way on CCM. If we now look at OCB the situation changes a bit, especially if we look at the encryption of complete blocks. As you can see, OCB uses secret mask values which mask the input and output of the block cipher. While this is not a big problem if the input is masked, since we do not require the input of the block cipher to be known at all, it's quite tricky if the output of the block cipher is masked. Luckily, in the case of OCB we have the way an incomplete last block is processed, which differs from the complete blocks: here, as before, if you know the plaintext you know the output of the block cipher and you can do the simple AES attack.

So far we have only dealt with schemes which we call in the paper basic constructions, because basically the AES attack applies. But as we have seen with OCB, we also have the case where the inputs and outputs of block ciphers are masked, which we call XEX-like constructions, and also we have tweakable block ciphers. First we are going to deal with the XEX-like constructions. As I've mentioned, the masks that are used are secret, and this is the problem why we cannot access the output of the block cipher. This value always depends on the secret key, independent of how a concrete scheme implements it, but in addition to the case where it only depends on the secret key, we also have the case where it additionally depends on the nonce and therefore changes for every invocation of the authenticated encryption scheme. But first we will focus on the case where it just depends on the secret key, and as an example of a scheme which is, according to us, such an XEX-like construction we give COPA, which is a CAESAR candidate, but it's not the only scheme where the attack works; for instance it also works on ELmD. Here you can see the encryption of COPA. We have this value V here which just depends on the nonce and associated data, and we also have the value L here which is the encryption of zero. This value L is also used to mask the inputs and the outputs of the block cipher calls, as you can see here; however, this value is not nonce dependent. So if we again focus on this first block which gives us ciphertext, the masking value does not change over multiple invocations of the scheme, so we can basically do the following: we can treat this 2L part as part of the last round key which is used in AES and apply the statistic for the attack to recover this last round key. Then, if this key is recovered, we can either repeat the attack to recover the round key of round nine, or we can recover the equivalent round key of the upcoming block cipher call and then solve this linear system of equations, but in both cases the attack complexity, meaning the number of needed faults, is doubled.

Now we also have the two cases where the value Δ depends on the nonce and therefore changes. In the first case we assume that the value Δ, which depends on the key and on the nonce, can be calculated independently, which means that we can remove the influence of the nonce on the ciphertext and then perform the attack which we have seen before in a quite straightforward manner. However, if the masking value changes for every invocation of the block cipher in an unpredictable way, there's no way to apply the attack in a straightforward way, and someone has to look at the concrete scheme to make any assumptions on how this fault attack carries over.

Last but not least we will have a look at the tweakable block ciphers, and there we have picked the CAESAR candidates Deoxys and Kiasu, which both use the AES round function. As you can see here, with tweakable block ciphers you can design authenticated encryption schemes in a quite elegant way, from my perspective. All you have to do in this ΘCB-like mode is to encrypt the plaintext blocks and the sum of the plaintext blocks under different tweaks. Now we can again focus on the first block, and as you can see here we have access to the input and access to the output, but of course we have to see how the tweakable block cipher works to check if the attack is applicable. In the case of Deoxys, Deoxys-BC-256 is used as the tweakable block cipher, and it is just because of the reason that we can calculate the influence of the tweak of each round separately from the influence of the key. So the attacker knows the round tweak values here and the key part stays constant, so we do not have any problems in the key recovery attack and can do the fault attack in the same way as on AES.

Now let's come to the summary. Those are all the schemes where we have concluded that the attack works, but keep in mind this is not a complete list; we have had a quite restricted look at schemes, just AES-based schemes, and also I want to point out again that we do not show weaknesses of algorithms, we just want to point out that protection against fault attacks is needed.

Now let's come to the verification, or the implementation, of the fault attacks. In principle, what Victor and Thomas did was to execute two different ways to insert the faults. The first way was by using clock glitches, and the second way was using a laser to fault intermediate values. With the clock glitches they attacked a general purpose microcontroller, where either AES was running as a software implementation or an AES hardware co-processor was used, and with the laser they attacked a smart card microcontroller, or more concretely the AES co-processor of the smart card microcontroller. In short, the results show that key recovery is possible with a small number of faulty ciphertexts. To get more insight, here is the attack on an ATxmega256A3. This microcontroller was running a software implementation of AES, and we tried to influence the distribution of a single byte before the last MixColumns application with the help of a single clock glitch. What I have pictured here in the diagram is the squared Euclidean imbalance, which we have used as a measure for the non-uniformity of this byte. The red line shows the non-uniformity, or the squared Euclidean imbalance, which we get if we guess the correct key, and the blue line here shows the highest value we get for any wrong key, so all wrong keys are in the blue area below here. What you can see in this diagram is that we need about 30 or 40 faulty ciphertexts to reliably distinguish the correct four key bytes from the wrong four key bytes. As I've promised before, the attack is quite robust. To show this, and out of curiosity, we have run another experiment: namely, instead of inserting a single clock glitch, we have inserted 50 clock glitches in consecutive cycles, and the results show that the attack even works better now, so we only need 25 faulty ciphertexts to reliably recover the correct key. If you're curious how many faults you need if you attack the smart card microcontroller via laser, I can tell you it's around 15.

To conclude, we have shown that statistical fault attacks are a powerful tool in practice if you attack unprotected implementations. We have also pointed out that in general the nonce is not enough to protect authenticated encryption schemes against fault attacks, and at last I still want to emphasize that the attacks do not have anything to do with weaknesses of the shown algorithms or weaknesses of AES; they work on a wider range of modes and schemes, but of course to say anything about the vulnerability one has to evaluate and look at this. So thank you for your attention.

As I've mentioned, you have to look at the concrete scheme to say anything, so I don't want to say anything, without having a picture, about the capability of

That's a good question. So if you skip an instruction, then you will most surely not see a uniform distribution, right? But if you shoot with a laser on it, then yeah. And yeah, exactly. And with a clock glitch you also have, I'm not an expert in this, but I imagine that you have different delays of the signals which are rolling, and also some differences on the chip in the quality of the single transistors, so that if you glitch shortly, some value is sampled not before but at some intermediate point during the calculation, and obviously, as we've tried out, this value has some bias, or luckily.

Yes, exactly, that's why we did the practical experiments, to somehow verify our assumption.

Yeah, in the case of, so I didn't do the attacks, so I can tell you what others have told me. In the case of the laser fault attacks it was quite tricky, since it was an AES co-processor which has its own operating system and runs on its own clock, and the only thing which is kind of observable in an attack is when the microcontroller sends the command to start an encryption. So what they did is wait for this command and add a little delay for the laser and then shoot at a certain point and see
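The last-round statistic from the talk, as an added simulation that is not the authors' code: the bias is injected in software rather than by a clock glitch or laser, the round keys and mask are constructed sample values, and the search is cut to 256 candidates by assuming the other three k10 bytes are known (the real attack enumerates all 2^32 four-byte guesses). The mask parameter illustrates the COPA observation that a constant output mask simply becomes part of the recovered key.

```python
import random
from functools import reduce
from operator import xor

def _gmul(a, b):  # multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1
    r = 0
    for _ in range(8):
        r ^= a if b & 1 else 0
        a, b = (a << 1) ^ (0x11B if a & 0x80 else 0), b >> 1
    return r
def _make_sbox():  # AES S-box: field inverse followed by the affine map
    box = []
    for x in range(256):
        inv = next(y for y in range(256) if _gmul(x, y) == 1) if x else 0
        box.append(reduce(xor, (((inv << i) | (inv >> (8 - i))) & 0xFF for i in range(5))) ^ 0x63)
    return box
SBOX = _make_sbox()
INV_SBOX = {s: i for i, s in enumerate(SBOX)}
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX_ROW0 = [[14, 11, 13, 9]]  # the attack only needs row 0 of InvMixColumns
def _mix(col, rows):  # multiply a 4-byte column by each given matrix row over GF(2^8)
    return [reduce(xor, (_gmul(r[i], col[i]) for i in range(4))) for r in rows]

def faulty_ciphertexts(n, k9, k10, rng, p_fault=0.5, stuck=0x00, mask=(0, 0, 0, 0)):
    """Constructed model of n faulted encryptions of one column through the last two AES rounds
    with fresh inputs: with probability p_fault the row-0 byte before MixColumns becomes `stuck`."""
    cts = []  # ShiftRows is omitted: it only moves these bytes to ciphertext positions 0, 13, 10, 7
    for _ in range(n):
        col = [rng.randrange(256) for _ in range(4)]
        if rng.random() < p_fault:
            col[0] = stuck
        col = [SBOX[c ^ k] for c, k in zip(_mix(col, MIX), k9)]  # MixColumns, +k9, SubBytes
        cts.append(tuple(c ^ k ^ m for c, k, m in zip(col, k10, mask)))  # +k10, XEX-style mask
    return cts
def sei(values):  # squared Euclidean imbalance: 0 when uniform, larger the more biased
    return 256 * sum((values.count(v) / len(values) - 1 / 256) ** 2 for v in range(256))

def recover_k10_byte(cts, other_k10):
    """Per guess, undo AddRoundKey, SubBytes and MixColumns (row 0); keep the most biased result.
    k9 is not guessed (it only XORs a constant in); the other three k10 bytes are assumed known."""
    def score(g):
        k = (g,) + tuple(other_k10)
        return sei([_mix([INV_SBOX[c ^ kk] for c, kk in zip(ct, k)], INV_MIX_ROW0)[0] for ct in cts])
    return max(range(256), key=score)
def demo(seed=1, n=150, mask=(0, 0, 0, 0)):  # returns (expected byte, recovered byte)
    k9, k10 = (0x2B, 0x7E, 0x15, 0x16), (0xD0, 0x14, 0xF9, 0xA8)  # constructed sample round keys
    known = tuple(k ^ m for k, m in zip(k10, mask))  # a constant output mask folds into the key
    cts = faulty_ciphertexts(n, k9, k10, random.Random(seed), mask=mask)
    return known[0], recover_k10_byte(cts, known[1:])
```

demo() returns the expected and the recovered key byte; with a non-zero mask the recovered value is the key byte XOR the mask byte, exactly as in the 2L case discussed for COPA.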