Implementations of cryptographic algorithms continue to proliferate in consumer products due to the increasing demand for secure transmission of confidential information. Although the current standard cryptographic algorithms proved to withstand exhaustive attacks, their hardware and software implementations have exhibited vulnerabilities to side channel attacks, e.g., power analysis and fault injection attacks. This paper focuses on fault injection attacks that have been shown to require inexpensive equipment and a short amount of time. The paper provides a comprehensive description of these attacks on cryptographic devices and the countermeasures that have been developed against them. After a brief review of the widely used cryptographic algorithms, we classify the currently known fault injection attacks into low-cost ones (which a single attacker with a modest budget can mount) and high-cost ones (requiring highly skilled attackers with a large budget). We then list the attacks that have been developed for the important and commonly used ciphers and indicate which ones have been successfully used in practice. The known countermeasures against the previously described fault injection attacks are then presented, including intrusion detection and fault detection. We conclude the survey with a discussion on the interaction between fault injection attacks (and the corresponding countermeasures) and power analysis attacks.

/pdf/fault-injection-attacks-on-cryptographic-devices-theory-12qo1dda0z.pdf

Fault Injection Attacks on Cryptographic Devices: Theory, Practice, and Countermeasures

Delay locked loops (320, 350) for generating a predetermined phase relationship between a pair of clocks (300, 310). A first delay-locked loop (320) includes delay elements arranged in a chain, the chain receiving an input clock (300) and generating, from each delay element, a set of phase vectors (330), each shifted a unit delay from the adjacent vector. The first delay-locked loop (320) adjusts the unit delays in the delay chain using a delay adjustment signal so that the phase vectors (330) span a predetermined phase shift of the input clock (300). A second delay-locked loop (350) selects, from the first delay-locked loop (320), a pair of phase vectors which brackets the phase of an input clock (300). A phase interpolator (560) receives the selected pair of vectors and generates an output clock and a delayed output clock, the amount of the delay being controlled by the delay adjustment signal of the first delay-locked loop circuitry. A phase detector (590) compares the delayed output clock with the input clock and adjusts the phase interpolator (560), based on the phase comparison, so that the phase of the delayed output clock is in phase with the input clock (410). As a result, there is a predetermined phase relationship being the amount of delay between the output clock (640) and the delayed output clock (360).

Delay locked loop circuitry for clock delay adjustment

This paper proposes a new fault-based attack called the Fault Sensitivity Analysis (FSA) attack, which unlike most existing fault-based analyses including Differential Fault Analysis (DFA) does not use values of faulty ciphertexts. Fault sensitivity means the critical condition when a faulty output begins to exhibit some detectable characteristics, e.g., the clock frequency when fault operation begins to occur. We explain that the fault sensitivity exhibits sensitive-data dependency and can be used to retrieve the secret key. This paper presents two practical FSA attacks against two AES hardware implementations on SASEBO-R, PPRM1-AES and WDDL-AES. Different from previous work, we show that WDDL-AES is not perfectly secure against setup-time violation attacks. We also discuss a masking technique as a potential countermeasure against the proposed fault-based attack.

/pdf/fault-sensitivity-analysis-1o9l3x9y6e.pdf

Fault sensitivity analysis

Evoked by the increasing need to integrate side-channel countermeasures into security-enabled commercial devices, evaluation labs are seeking a standard approach that enables a fast, reliable and robust evaluation of the side-channel vulnerability of the given products. To this end, standardization bodies such as NIST intend to establish a leakage assessment methodology fulfilling these demands. One of such proposals is the Welch’s t-test, which is being put forward by Cryptography Research Inc., and is able to relax the dependency between the evaluations and the device’s underlying architecture. In this work, we deeply study the theoretical background of the test’s different flavors, and present a roadmap which can be followed by the evaluation labs to efficiently and correctly conduct the tests. More precisely, we express a stable, robust and efficient way to perform the tests at higher orders. Further, we extend the test to multivariate settings, and provide details on how to efficiently and rapidly carry out such a multivariate higher-order test. Including a suggested methodology to collect the traces for these tests, we point out practical case studies where different types of t-tests can exhibit the leakage of supposedly secure designs.

/pdf/leakage-assessment-methodology-f0yjbgp6i4.pdf

Leakage Assessment Methodology

Rapid generation of high quality Gaussian random numbers is a key capability for simulations across a wide range of disciplines. Advances in computing have brought the power to conduct simulations with very large numbers of random numbers and with it, the challenge of meeting increasingly stringent requirements on the quality of Gaussian random number generators (GRNG). This article describes the algorithms underlying various GRNGs, compares their computational requirements, and examines the quality of the random numbers with emphasis on the behaviour in the tail region of the Gaussian probability density function.

Gaussian random number generators

Amongst the many existing countermeasures against Side Channel Attacks (SCA) on symmetrical cryptographic algorithms, masking is one of the most widespread, thanks to its relatively low overhead, its low performance loss and its robustness against first-order attacks. However, several articles have recently pinpointed the limitations of this countermeasure when matched with variance-based and other high-order analyses. In this article, we present a new form of Boolean masking for the Advanced Encryption Standard (AES) called "RSM", which shows the same level in performances as the state-of-the-art, while being less area consuming, and secure against Variance-based Power Analysis (VPA) and second-order zero-offset CPA. Our theoretical security evaluation is then validated with simulations as well as real-life CPA and VPA on an AES 256 implemented on FPGA.

https://hal.archives-ouvertes.fr/hal-00666337/document

RSM: a small and fast countermeasure for AES, secure against 1st and 2nd-order zero-offset SCAs

Faults attacks are a powerful tool to break some implementations of robust cryptographic algorithms such as AES and DES. Various methods of faults attack on cryptographic systems have been discovered and researched. However, to the authors' knowledge, all the attacks published so far use a theoretical model of faults. In this paper we prove that we are able to reproduce experimentally the random errors model used by G. Piret and J.J. Quisquater (2003) to realize practical fault attack on a smart card embedding an AES encryptor by under-powering it. In spite of the fact that this method is a convenient fault injection technique to set up, it does not often appear in the open literature. We argue that the fault model is consistent with a setup violation: errors appear at the end of combinatorial logic cones, caused by an early sampling in the downwards registers. We also carry out an extensive characterization of the faults, in terms of spatial and temporal localization.

Practical Setup Time Violation Attacks on AES

Detecting hardware trojans is a difficult task in general. In this article we study hardware trojan horses insertion and detection in cryptographic intellectual property (IP) blocks. The context is that of a fabless design house that sells IP blocks as GDSII hard macros, and wants to check that final products have not been infected by trojans during the foundry stage. First, we show the efficiency of a medium cost hardware trojans detection method if the placement or the routing have been redone by the foundry. It consists in the comparison between optical microscopic pictures of the silicon product and the original view from a GDSII layout database reader. Second, we analyze the ability of an attacker to introduce a hardware trojan horse without changing neither the placement nor the routing of the cryptographic IP logic. On the example of an AES engine, we show that if the placement density is beyond 80%, the insertion is basically impossible. Therefore, this settles a simple design guidance to avoid trojan horses insertion in cryptographic IP blocks: have the design be compact enough, so that any functionally discreet trojan necessarily requires a complete replace and re-route, which is detected by mere optical imaging (and not complete chip reverse-engineering).

/pdf/hardware-trojan-horses-in-cryptographic-ip-cores-1vjxhjfw1u.pdf

Hardware Trojan Horses in Cryptographic IP Cores

High speed true random number generator based on open loop structures in FPGAs

This paper presents an easy to design Physically Unclonable Function (PUF). The proposed PUF implementation is a loop composed of $N$ identical and controllable delay chains which are serially assembled in a loop to create a single ring oscillator. The frequency discrepancies resulting from the oscillator driven by complementary combinations of the delay chains allows to characterize one device. The presented PUF, nicknamed the Loop PUF (LPUF), returns a frequency comparison of loops made of $N$ delay chains ($N\geq2$). The comparisons are done sequentially on the same structure. Unlike others PUFs based on delays, there is no specific routing constraints. Hence the LPUF is particularly flexible and easy to design. The basic use of the Loop PUF is to generate intrinsic device keys for cryptographic algorithms. It can also be used to generate challenge response pairs for simple authentication. Experiments have been carried out on CYCLONE II FPGAs to assess the performance of the LPUF, such as randomness, uniqueness and steadiness. They clearly show both the easiness of design and the quality level of the LPUF. The measurement time \emph{vs} steadiness, as well as resistance against side-channel and modeling attacks are discussed.

/pdf/an-easy-to-design-puf-based-on-a-single-oscillator-the-loop-2hsbdjryx9.pdf

Jean-Luc Danger

Papers

RSM: a small and fast countermeasure for AES, secure against 1st and 2nd-order zero-offset SCAs

Practical Setup Time Violation Attacks on AES

Hardware Trojan Horses in Cryptographic IP Cores

High speed true random number generator based on open loop structures in FPGAs

An Easy-to-Design PUF Based on a Single Oscillator: The Loop PUF