A Fault Attack Construction Based On Rijmen's Chosen-Text Relations Attack

Alfonso De Gregorio adg at crypto.lo.gy
Tue Jul 20 16:45:59 EDT 2010


Quoting Jonathan Katz <jkatz at cs.umd.edu>:

> On Mon, 14 Jun 2010, Alfonso De Gregorio wrote:
>
>> Last Thursday, Vincent Rijmen announced a new clever attack on
>> AES (and KASUMI) in a report posted to the Cryptology ePrint
>> Archive: Practical-Titled Attack on AES-128 Using Chosen-Text
>> Relations, http://eprint.iacr.org/2010/337
>
> Err...I read that paper by Rijmen as a bit of a joke. I think he was
> poking fun at some of these unrealistic attack models.

Dear Jonathan,

Thanks for your email. It is the only comment received so far and is
greatly appreciated!
I've been off the net for a much-needed holiday and unable to reply
within the time I would have liked to. I'm sorry.

I can't speak for him, of course. Only Rijmen can tell, and I'm adding
his address in cc.
Yet, I believe his emphasis was on the existence of zero-query attacks
on symmetric encryption primitives -- he says the attack is
zero-query because the adversary does not need to observe the ciphertext
the encryption oracle would output.

Now, I expect the unusual nature of the attack model might stir up a  
lively discussion. My post was soliciting comments in this regard.

Still, I would like to respectfully disagree wrt the objectives given
to the paper, as to me the chosen-text relations model of analysis
appears to be interesting and relevant. There are two scenarios worth
investigating:

Zero query
The first one is the plausibility and power of the chosen-text
relations model of analysis as presented in his paper. I believe
there might be applications endangered by zero-query attacks.
I claim this might be the case for white-box implementations; and I
could be wrong.

No roll back
The second scenario arises when we consider the avenues of
analysis provided by chosen-text relations if we revoke the
adversary's ability to roll back the encryption. If we do that, we
restore the analysis model to a variant of the DFA, where the
attacker can query both oracles. So, no zero-query, but still
chosen-text relations to be exploited.

In the fault-attack setting, we expect encryption primitives that are
secure under related-key attacks to resist attempts to recover the
secret key by attackers tampering with the stored secret and observing
the outputs of the cryptographic primitive under the modified key
(interesting in this regard is the paper by Bellare and Cash at the
upcoming Crypto on PRFs and PRPs providing RKA-security).

In a similar way, it would be fascinating to have symmetric encryption
primitives secure under related-plaintext attacks (RPA). They would
provide resistance to attackers tampering with interim data, observing
faulty ciphertexts and querying the decryption oracle, before engaging
in the key extraction step. (Of course, from the implementation side,
fault-tolerance techniques could be employed to protect crypto modules
from attacks exploiting chosen-text relations.)

Thanks again.

Cheers,

alfonso


-- 
   Alfonso De Gregorio,  http://Crypto.lo.gy
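[Editor's added example, not part of the message above and not Rijmen's construction or the poster's own. It illustrates the "no roll back" scenario discussed in the message with the standard last-round bit-fault DFA on AES (Giraud's model): the attacker tampers with the interim state that enters the last round, observes the correct and the faulty ciphertext, and extracts the last round key K10 byte by byte. To keep the script short, rounds 1 to 9 are replaced by a keyed hash of the plaintext (an assumption: the attack only needs that state to be secret and to repeat for the same plaintext); only the last round, SubBytes, ShiftRows, AddRoundKey, is implemented as in AES. The key, the device class, the fault model (one bit of the last-round input flips) and the random seed are all constructed for this example.]

```python
"""Simulated bit-fault DFA on the last AES round (added example)."""
import hashlib
import random


def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r


def _build_sbox():
    """AES S-box from its definition: field inverse, then the affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv, p, e = 1, x, 254          # x^254 is the inverse (0 maps to 0)
        while e:
            if e & 1:
                inv = _gf_mul(inv, p)
            p = _gf_mul(p, p)
            e >>= 1
        s = inv
        for i in range(1, 5):          # s ^= rotl(inv, i) for i = 1..4
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()
INV_SBOX = [0] * 256
for _x, _s in enumerate(SBOX):
    INV_SBOX[_s] = _x


def shift_rows(state):
    """Column-major 16-byte state; output byte 4c+r is input byte 4((c+r)%4)+r."""
    return bytes(state[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4))


def last_round(state, k10):
    """AES round 10: SubBytes, ShiftRows, AddRoundKey (no MixColumns)."""
    sub = bytes(SBOX[b] for b in state)
    return bytes(a ^ b for a, b in zip(shift_rows(sub), k10))


class FaultyDevice:
    """Holds a secret K10; a caller may flip one bit of the interim state
    entering the last round, i.e. the 'tampering with interim data' of the
    message. The first nine rounds are stood in for by a keyed hash
    (constructed simplification, secret to the attacker)."""

    def __init__(self, k10, seed=b"constructed-secret"):
        self._k10 = bytes(k10)
        self._seed = seed

    def encrypt(self, plaintext, fault=None):
        x9 = bytearray(hashlib.sha256(self._seed + plaintext).digest()[:16])
        if fault is not None:
            byte_idx, bit_idx = fault
            x9[byte_idx] ^= 1 << bit_idx
        return last_round(bytes(x9), self._k10)


def k10_candidates(c_byte, f_byte):
    """K10 bytes k for which S^-1(C^k) and S^-1(C'^k) differ in one bit,
    i.e. all k consistent with a single-bit fault before SubBytes."""
    out = set()
    for k in range(256):
        delta = INV_SBOX[c_byte ^ k] ^ INV_SBOX[f_byte ^ k]
        if delta and delta & (delta - 1) == 0:
            out.add(k)
    return out


def recover_k10(device, rng, max_faults=64):
    """Intersect candidate sets over (correct, faulty) pairs until one k is left."""
    recovered = {}
    for target in range(16):           # input byte of round 10 to hit
        cands = set(range(256))
        for n in range(max_faults):
            pt = bytes(rng.getrandbits(8) for _ in range(16))
            good = device.encrypt(pt)
            bad = device.encrypt(pt, fault=(target, n % 8))
            j = next(j for j in range(16) if good[j] != bad[j])  # ShiftRows moved it
            cands &= k10_candidates(good[j], bad[j])
            if len(cands) == 1:
                recovered[j] = cands.pop()
                break
        else:
            raise RuntimeError("no convergence for input byte %d" % target)
    return bytes(recovered[j] for j in range(16))


if __name__ == "__main__":
    rng = random.Random(2010)
    true_k10 = bytes(rng.getrandbits(8) for _ in range(16))
    found = recover_k10(FaultyDevice(true_k10), rng)
    print("recovered K10:", found.hex(), "correct:", found == true_k10)
```

The attacker never needs to know which interim byte was hit or what value it held: a wrong key byte survives each fault with probability about 8/256, so three or four faults per byte normally leave a single candidate, and the true byte is never eliminated. Recovering K10 is the whole game for AES-128, since the key schedule can be run backwards from the last round key. Note that this variant uses only the encryption side; the decryption oracle the message mentions is not needed for the bit-fault model.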



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com