Martin Kreuzer

A fault attack on the LED block cipher

A fault-based attack on the new low-cost LED block cipher is reported. Parameterized sets of key candidates called fault tuples are generated, and filtering techniques are employed to quickly eliminate fault tuples not containing the correct key. Experiments for LED-64 show that the number of remaining key candidates is practical for performing brute-force evaluation even for a single fault injection. The extension of the attack to LED-128 is also discussed.

Algebraic attacks using SAT-solvers

Abstract Algebraic attacks lead to the task of solving polynomial systems over 𝔽2. We study recent suggestions of using SAT-solvers for this task. In particular, we develop several strategies for converting the polynomial system to a set of CNF clauses. This generalizes the approach in [Bard, Courtois, Jefferson, Cryptology ePrint Archive 2007, 2007]. Moreover, we provide a novel way of transforming a system over 𝔽2 e to a (larger) system over 𝔽2. Finally, the efficiency of these methods is examined using standard examples such as CTC, DES, and Small Scale AES.

Towards mixed structural-functional models for algebraic fault attacks on ciphers

Fault attacks are a major threat for hardware-implemented security primitives, and algebraic techniques (equation-solving) are one of the most powerful building blocks for such attacks. We show that structural models obtained from a circuit implementation of the analyzed cipher can lead to more efficient attacks than the functional models used in literature. We also discuss possible synergies of the traditional functional and the proposed structural models and show first results on mixed models that combine structural and functional information. The overspecification provided by the mixed models creates an optimization potential through a partial mixed model with different filter rules for the combination of the two models.

Integrating Algebraic and SAT Solvers

For solving systems of Boolean polynomials whose zeros are known to be contained in \(\mathbb {F}_2^n\), algebraic solvers such as the Boolean Border Basis Algorithm (BBBA) and SAT solvers use very different and possibly complementary methods to create new information. Based on suitable implementations of these solvers and conversion methods from Boolean polynomials to SAT clauses and back, we describe an automatic framework integrating the two solving techniques and exchanging newly found information between them. Using examples derived from cryptographic attacks, we present some initial experiments indicating the efficiency of this combination.

Computing Boolean Border Bases

Given a 0-dimensional polynomial system in a polynomial ring over F_2 having only F_2-rational solutions, we optimize the Border Basis Algorithm (BBA) for solving this system by introducing a Boolean BBA. This algorithm is further improved by optimizing the linear algebra steps. We discuss ways to combine it with SAT solvers, optimized methods for performing the combinatorial steps involved in the algorithm, and various approaches to implement the linear algebra steps. Based on our C++ implementation, we provide some timings to compare sparse and dense representations of the coefficient matrices and to Gröebner basis methods.

Estimating Photo-Voltaic Power Supply without Smart Metering Infrastructure

Due to the lack of appropriate grid communication infrastructure, many energy providers can only measure a very limited subset of their PV plants and therefore have only limited knowledge of the power flow inside their grid. Existing approaches to estimate the total amount of PV energy produced at present time (“nowcasting”) require external data such as sun radiation or temperature that are often not available on-line. Using approximate computational algebra, we construct polynomial models to derive grid-specific formulae estimating the PV power provisioning without the need of additional data. We evaluate our approach based on real data from a German energy provider and demonstrate the accuracy of the derived models. Besides nowcasting, two additional application scenarios, snapshot provisioning and simulation of power flow, are discussed.

Fault-based attacks on cryptographic hardware

Mobile and embedded systems increasingly process sensitive data, ranging from personal information including health records or financial transactions to parameters of technical systems such as car engines. Cryptographic circuits are employed to protect these data from unauthorized access and manipulation. Fault-based attacks are a relatively new threat to system integrity. They circumvent the protection by inducing faults into the hardware implementation of cryptographic functions, thus affecting encryption and/or decryption in a controlled way. By doing so, the attacker obtains supplementary information that she can utilize during cryptanalysis to derive protected data, such as secret keys. In the recent years, a large number of fault-based attacks and countermeasures to protect cryptographic circuits against them have been developed. However, isolated techniques for each individual attack are no longer sufficient, and a generic protective strategy is lacking.

3BA: A Border Bases Solver with a SAT Extension

Many search problems over Boolean variables can be formulated in terms of satisfiability of a set of clauses or solving a system of Boolean polynomials. On one hand, there exists a great variety of software coming from different areas such as commutative algebra, SAT or SMT, that can be used to tackle these instances. On the other hand, their approaches to inferring new constraints vary and seem to be complementary to each other. For instance, compare the handling of XOR constraints in SAT solvers to that in computer algebra systems. We present a C++ implementation of a platform that combines the power of the Boolean Border Basis Algorithm (BBBA) with a CDCL SAT solver in a portfolio-based fashion. Instead of building a complete fusion or a theory solver for a particular problem, both solvers work independently and interact through a communication interface. Hence a greater degree of flexibility is achieved. The SAT solver antom, which is currently used in the integration, can be easily replaced by any other CDCL solver. Altogether, this is the first open-source implementation of the BBBA and its combination with a SAT solver.