TY - GEN
T1 - Transient-steady effect attack on block ciphers
AU - Ren, Yanting
AU - Wang, An
AU - Wu, Liji
N1 - Publisher Copyright:
© International Association for Cryptologic Research 2015.
PY - 2015
Y1 - 2015
N2 - A new Transient-Steady Effect attack on block ciphers called TSE attack is presented in this paper. The concept of transient-steady effect denotes the phenomenon that the output of a combinational circuit keeps a temporal value for a while before it finally switches to the correct value. Unlike most existing fault attacks, our attack does not need a large amount of encryptions to build a statistical model. By injecting a clock glitch to capture the temporal value caused by transientsteady effect, attackers can obtain the information of key from faulty outputs directly. This work shows that AES implementations, which have transient-steady property, are vulnerable to our attack. Experiments are successfully conducted on two kinds of unmasked S-boxes and one kind of masked S-box implemented in serial with FPGA board. After a moderate pre-computation, we need only 1 encryption to recover a key byte of the unmasked S-boxes, and 20 encryptions to recover a key byte of the masked S-box. Furthermore, we investigate the key recover method for parallel unmasked implementation, and discuss a possible attack scenario which may deem WDDL-AES insecure.
AB - A new Transient-Steady Effect attack on block ciphers called TSE attack is presented in this paper. The concept of transient-steady effect denotes the phenomenon that the output of a combinational circuit keeps a temporal value for a while before it finally switches to the correct value. Unlike most existing fault attacks, our attack does not need a large amount of encryptions to build a statistical model. By injecting a clock glitch to capture the temporal value caused by transientsteady effect, attackers can obtain the information of key from faulty outputs directly. This work shows that AES implementations, which have transient-steady property, are vulnerable to our attack. Experiments are successfully conducted on two kinds of unmasked S-boxes and one kind of masked S-box implemented in serial with FPGA board. After a moderate pre-computation, we need only 1 encryption to recover a key byte of the unmasked S-boxes, and 20 encryptions to recover a key byte of the masked S-box. Furthermore, we investigate the key recover method for parallel unmasked implementation, and discuss a possible attack scenario which may deem WDDL-AES insecure.
UR - http://www.scopus.com/inward/record.url?scp=84946094488&partnerID=8YFLogxK
U2 - 10.1007/978-3-662-48324-4_22
DO - 10.1007/978-3-662-48324-4_22
M3 - Conference contribution
AN - SCOPUS:84946094488
SN - 9783662483237
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 433
EP - 450
BT - Cryptographic Hardware and Embedded Systems - 17th International Workshop, CHES 2015, Proceedings
A2 - Güneysu, Tim
A2 - Handschuh, Helena
PB - Springer Verlag
T2 - International Workshop on Cryptographic Hardware and Embedded Systems, CHES 2015
Y2 - 13 September 2015 through 16 September 2015
ER -