Fault Attacks on XEX Mode with Application to Certain Authenticated Encryption Modes

Abstract

The XOR-Encrypt-XOR (XEX) block cipher mode was introduced by Rogaway in 2004. XEX mode uses nonce-based secret masks (L) that are distinct for each message. The existence of secret masks in XEX mode prevents the application of conventional fault attack techniques, such as differential fault analysis. This work investigates other types of fault attacks against XEX mode that either eliminate the effect of the secret masks or retrieve their values. Either of these outcomes enables existing fault attack techniques to then be applied to recover the secret key. To estimate the success rate and feasibility, we ran simulations for ciphertext-only fault attacks against 128-bit AES in XEX mode. The paper discusses also the relevance of the proposed fault attacks to certain authenticated encryption modes based on XEX, such as OCB2, OTR, COPA, SHELL and ElmD. Finally, we suggest effective countermeasures to provide resistance to these fault attacks.

Appendices

Appendix A: Practical Example for a Fault Attack Using Fault Model B

Retrieving One Byte. We demonstrate the fault attack in Sect. 4.3 with the following example:

Steps [1–2]. We first collect \((2 \times 48 = 96)\) faulty bytes in which 48 bytes share the two mask bytes \(\{L_{32}, (2^{8}L)_{32}\}\), and the other 48 bytes share their consecutive mask bytes \(\{(2L)_{32}, (2^{9}L)_{32}\}\). These 96 bytes can be obtained using three sets: A, B and G, where each set contains 32 consecutive blocks (see Fig. 6). Set A shares the two mask bytes \(\{L_{32}, (2L)_{32}\}\), set B shares \(\{(2^{8}L)_{32}, (2^{9}L)_{32}\}\) and set G shares \(\{(2^{128}L)_{32}, (2^{129}L)_{32}\}\). Remember that the mask bytes \((2^{128}L)_{32}\) and \((2^{129}L)_{32}\) are continued masks of \(\{L_{32}, (2^{8}L)_{32}\}\) and \(\{{2L}_{32}, (2^{9}L)_{32}\}\) respectively.

The targeted block indexes in each set are:

Set A:

$$\begin{aligned} i\in \left\{ \begin{array}{c} 1,9,17,25,33,41,49,57,65,73,81,89,97,105,113,121, \\ 2,10,18,26,34,42,50,58,66,74,82,90,98,106,114,122 \end{array} \right\} \end{aligned}$$

Set B:

$$\begin{aligned} i\in \left\{ \begin{array}{c} 9,17,25,33,41,49,57,65,73,81,89,97,105,113,121,129, \\ 10,18,26,34,42,50,58,66,74,82,90,98,106,114,122,130 \end{array} \right\} \end{aligned}$$

Set G:

$$\begin{aligned} i\in \left\{ \begin{array}{c} 129,137,145,153,161,169,177,185,193,201,209,217,2 25,233,241,249 \\ 130,138,146,154,162,170,178,186,194,202,210,218,226,234,242,250 \end{array} \right\} \end{aligned}$$

The index (jk) of the faulty ciphertext byte corresponds to each block in every row of all sets A, B and G is:

$$\begin{aligned} jk\in \left\{ \begin{array}{c} 32,31,30,23,22,21,20,13,12,11,10,03,02,01,00,33 \end{array} \right\} \end{aligned}$$

However, to target each ciphertext byte, we inject a fault to its corresponding internal state byte \(s^{i,(9),(AK)}_{jk^{'}}\) where \(k^{'} = (k+j)\mod 4\). The faulty ciphertext byte indexes are not the same as the targeted internal byte indexes because of the last ShiftRow operation.

Step 3. XOR-ing two ciphertext bytes of the same index jk from two consecutive blocks will give the following result:

$$\begin{aligned} C[i+1]_{jk}&= \quad s^{i+1,(10),(SR)}_{jk} \quad \oplus K^{10}_{jk} \oplus 2^iL_{jk} \\&= \quad 2^iL_{jk} \quad \oplus K^{10}_{jk} \oplus s^{i+1,(10),(SB)}_{jk^{'}} \\&= \quad 2^iL_{jk} \quad \oplus K^{10}_{jk} \oplus \hbox {sbox}[s^{i+1,(9),(AK)}_{jk^{'}}] \\ C[i+2]_{jk}&= \quad 2^{i+1}L_{jk} \quad \oplus K^{10}_{jk} \oplus \hbox {sbox}[s^{i+2,(9),(AK)}_{jk^{'}}] \\ C[i+1]_{jk} \oplus C[i+2]_{jk}&= \quad (2^i3L)_{jk} \oplus \hbox {sbox}[s^{i+1,(9),(AK)}_{jk^{'}}] \oplus \hbox {sbox}[s^{i+2,(9),(AK)}_{jk^{'}}] \end{aligned}$$

where \(k^{'} = (k+j)\mod 4\). We calculate the value of \((C[i+1]_{jk} \oplus C[i+2]_{jk})\) from every two consecutive blocks in each set. This yields the following equations:

Set A:

$$\begin{aligned} C[i+1]_{jk} \oplus C[i+2]_{jk}&= (3L)_{32} \oplus \hbox {sbox}[s^{i+1,(9),(AK)}_{jk^{'}}] \oplus \hbox {sbox}[s^{i+2,(9),(AK)}_{jk^{'}}] \end{aligned}$$

Set B:

$$\begin{aligned} C[i+1]_{jk} \oplus C[i+2]_{jk}&= (2^83L)_{32} \oplus \hbox {sbox}[s^{i+1,(9),(AK)}_{jk^{'}}] \oplus \hbox {sbox}[s^{i+2,(9),(AK)}_{jk^{'}}] \end{aligned}$$

Set G:

$$\begin{aligned} C[i+1]_{jk} \oplus C[i+2]_{jk}&= (2^{128}3L)_{32} \oplus \hbox {sbox}[s^{i+1,(9),(AK)}_{jk^{'}}] \oplus \hbox {sbox}[s^{i+2,(9),(AK)}_{jk^{'}}] \end{aligned}$$

where the value of \( (2^{128}3L)_{32}\) is uniquely determined by the values of \((3L)_{32}\) and \((2^83L)_{32}\), as discussed previously. Each set gives 16 values for \((C[i+1]_{jk} \oplus C[i+2]_{jk})\), and in total 48 values.

The sbox in AES is resistant against differential analysis. Thus, knowing the XOR of \(\hbox {sbox}[s^{i+1,(9),(AK)}_{jk^{'}}]\) and \(\hbox {sbox}[s^{i+2,(9),(AK)}_{jk^{'}}]\) neither uniquely determines \(s^{i+1,(9),(AK)}_{jk^{'}}\) nor \(s^{i+2,(9),(AK)}_{jk^{'}}\). However, the injected faults will bias the faulty internal bytes to the all-zero byte. We, therefore, proceed by assuming that one of the faulty bytes is zero, namely that \(s^{i+2,(9),(AK)}_{jk^{'}} = 0\). This assumption is valid \(50\%\) of the time only. We then apply our statistical distinguisher to the value of \(s^{i+1,(9),(AK)}_{jk^{'}}\) that is determined by this assumption.

Step 4. For each of the \(2^{16}\) candidates for \((3L)_{32}\) and \((2^83L)_{32}\), compute the value for \(s^{i+1,(9),(AK)}_{jk^{'}}\) in sets A, B and G. By completing this step, we will have 48 values for \(s^{i+1,(9),(AK)}_{jk^{'}}\) for each of the \(2^{16}\) candidates. Use the hamming weight distinguisher to predict the correct value for \((3L)_{32}\) and \((2^83L)_{32}\) and their continued mask \((2^{128}3L)_{32}\).

Retrieving All Bytes. This attack requires a message of at least 3722 full blocks encrypted using 128-bit AES in XEX mode. Note that this attack does not require all the 3722 blocks to be faulted. The steps to retrieve the entire mask L (see Fig. 7 in Appendix C) are as follows:

1. 1.

   For blocks \((1\le i\le 250)\), perform the fault attack, as in Sect. 4.3 and the example at the beginning of this appendix, on certain blocks (shown as orange bytes in Fig. 7) to retrieve the two mask bytes \(\{(3L)_{32}\), \((2^83L)_{32}\}\) and their continued byte \((2^{128}3L)_{32}\).

   Note that the byte \((2^{128}3L)_{32}\) continues to appear as \((2^{136}3L)_{31}\), \(\cdots \), \((2^{240}3L)_{00}\), \((2^{248}3L)_{33}\).

2. 2.

   For blocks \((1+248j)\le i\le (250+248j)\) where \(j \in \{1,\dots , 15\}\), perform the same attack in step 1. Each iteration is shown in Fig. 7 as successive coloured bytes as yellow, blue, pink, \(\dots \), lime.

   Each iteration retrieves extra bytes and starts just after the previous one.

3. 3.

   Work backwards to calculate the mask bytes and begin with the last faulty block (shown as lime in Fig. 7). Use Eq. (1) during the transition from one iteration of faults to the previous iteration. For example, we can calculate \((2^{3464}3L)_{33}\) (grey byte) from \((2^{3464}3L)_{00}\) (pink byte) and \((2^{3472}3L)_{32}\) (lime byte). That is, the byte retrieved in the last iteration is not lost.

4. 4.

   Repeat this approach working backward every 250-block iteration until we retrieve the entire \(2^{128}3L\). Note that any internal state contains at most two faulty bytes.

5. 5.

   Compute the original mask L from \(2^{128}3L\) using the primitive polynomial.

Appendix B: Experimental Results

We ran a simulated experiment to retrieve one byte of a secret mask given faulty ciphertexts only and using the attack method in Sect. 4.3 cis extended to retrieve the entire L mask. The experiment uses 128-bit AES as the underlying block cipher. We implemented this using the C language and the GNU GCC compiler run on a desktop computer.

To simulate fault model B, we used the pseudo-random C function rand() and the AES with different input messages to determine when the fault should occur. In either case, we used one bit of the output to determine when the stuck-at-zero action occurs. These generated faults are injected to AES in XEX mode.

Retrieving One Byte. As a preliminary step, we performed several sub-experiments with different numbers of faulty bytes to determine how many faulty bytes are needed to obtain a high success rate. We started with 2 faulty bytes that share one mask byte and increase by 2 for every following iteration till the number of faulty bytes is 32 such that every targeted block has only one faulty byte. For each iteration, we computed the success rate over 1000 simulations using different plaintext messages and nonces. We performed these experiments twice: one run uses faults generated from the rand() function and the second uses faults from the output of AES in XEX mode.

Secondly, we computed the success rate for the attack using 96 faulty bytes, as described in Sect. 4.3 and Appendix A. This approach provides the hamming weight distinguisher with 48 faulty bytes that share only two mask bytes.

The results of this experiment are presented in Table 2 for the number of faulty bytes ranging from 2 to 32 and lastly 96. Note that the success rates in both columns are close to each other. Note also that only the last row provides a high success rate of at least \(99.9\%\).

Table 2. Success rate of fault attacks using fault model B at round 9.

Fig. 2.

Success rate to determine one mask byte for different probabilities.

Finally, we evaluated the success rate to retrieve one mask byte considering a more relaxed injection probabilities (p) to bias the faulty byte towards zero. Figure 2 compares the success rate and data complexity for \(p \in \{0.5,0.375,0.25\}\). Note that the success rate is about 0.96 when \(p = 0.5\) and about 0.87 when \(p = 0.375\) in case of (1 faulty byte/block), and these probabilities increase to 0.999 and 0.975 respectively in case of (2 faulty bytes/block). That is, for low injection probabilities, if an attacker is able to fault more bytes per block, the success rate will increase.

Retrieve the Whole Mask. We performed an experiment to demonstrate the success rate of retrieving the entire secret mask \(2^{128}3L\) as discussed in Sect. 4.3 and Appendix A. Each byte is retrieved using 96 faulty bytes. The success rate is also computed over 1000 different plaintext messages each of length 3722 blocks and each with a different nonce. We found that the success rate to retrieve every bit in the mask \(2^{2144}3L\) is \(99.2\%\) when using AES as the pseudo-random function, and \(99.3\%\) when using the rand() function.

Appendix C: Figures

Fig. 3.

Masks containing the byte \(L_{32}\).

Fig. 4.

Graphical representation of round 9 attack to retrieve the value of \((3L)_{00}\).

Fig. 5.

Graphical representation of round 8 attack to retrieve four bytes in L.

Fig. 6.

Mask bytes targeted according to the position of faulty bytes.

Fig. 7.

Technique to retrieve all bytes of \(2^{128}3L\). (Color figure online)