Showing papers presented at "Workshop on Fault Diagnosis and Tolerance in Cryptography in 2008"


Proceedings ArticleDOI
10 Aug 2008
TL;DR: This paper proposes a new attack on square and multiply, based on a manipulation of the control flow, and shows how to realize this attack in practice using non-invasive spike attacks and discusses impacts of different side channel analysis countermeasures on the attack.
Abstract: In order to provide security for a device, cryptographic algorithms are implemented on them. Even devices using a cryptographically secure algorithm may be vulnerable to implementation attacks like side channel analysis or fault attacks. Most fault attacks on RSA concentrate on the vulnerability of the Chinese Remainder Theorem to fault injections. A few other attacks on RSA which do not use this speed-up technique have been published. Nevertheless, these attacks require a quite precise fault injection like a bit flip or target a special operation without any possibility to check if the fault was injected in the intended way, like in safe-error attacks. In this paper we propose a new attack on square and multiply, based on a manipulation of the control flow. Furthermore, we show how to realize this attack in practice using non-invasive spike attacks and discuss impacts of different side channel analysis countermeasures on our attack. The attack was performed using low cost equipment.

118 citations


Proceedings ArticleDOI
10 Aug 2008
TL;DR: It is shown how, with few faults, one can retrieve the full secret exponent even if classical countermeasures are employed to prevent fault attacks on elliptic curve scalar product algorithms.
Abstract: In this paper, we present a new fault attack on elliptic curve scalar product algorithms. This attack is tailored to work on the classical Montgomery ladder method when the y-coordinate is not used. No weakness has been reported so far on such implementations, which are very efficient and were promoted by several authors. But taking into account the twist of the elliptic curves, we show how, with few faults (around one or two faults), we can retrieve the full secret exponent even if classical countermeasures are employed to prevent fault attacks. It turns out that this attack has not been anticipated as the security of the elliptic curve parameters in most standards can be strongly reduced. Especially, the attack is meaningful on some NIST or SECG parameters.

110 citations


Proceedings ArticleDOI
10 Aug 2008
TL;DR: This work introduces the usage of hardware performance counters (HPCs) as a new method that allows very precise access to known side channels and also allows access to many new side channels, and first implementation results, which confirm that HPCs can be used to profile relatively short sequences of instructions with high precision.
Abstract: We introduce the usage of hardware performance counters (HPCs) as a new method that allows very precise access to known side channels and also allows access to many new side channels. Many current architectures provide hardware performance counters, which allow the profiling of software during runtime. Though they allow detailed profiling, they are noisy by their very nature; HPC hardware is not validated along with the rest of the microprocessor. They are meant to serve as a relative measure and are most commonly used for profiling software projects or operating systems. Furthermore, they are only accessible in restricted mode and can only be accessed by the operating system. We discuss this security model and we show first implementation results, which confirm that HPCs can be used to profile relatively short sequences of instructions with high precision. We focus on cache profiling and confirm our results by rerunning a recently published time-based cache attack in which we replaced the time profiling function by HPCs.

78 citations


Proceedings ArticleDOI
10 Aug 2008
TL;DR: A new attack method is developed and it is shown that only 2 pairs of correct and faulty ciphertexts are needed to retrieve the 128-bit key.
Abstract: We propose a more efficient differential fault analysis (DFA) attack on CLEFIA, the 128-bit block cipher developed by Sony Corporation in 2007. In the previous study, the most efficient DFA attack on CLEFIA with a 128-bit key uses approximately 18 pairs of correct and faulty ciphertexts. We develop a new attack method and show that only 2 pairs of correct and faulty ciphertexts are needed to retrieve the 128-bit key. The proposed attack uses a characteristic of the CLEFIA algorithm, a four-branch generalized Feistel structure with four 32-bit data lines. The simulation results of the proposed attack show that it takes less than 1 minute for 74.1% of the total simulation runs, and less than 1 hour for 98.1%, when using a PC.

51 citations


Proceedings ArticleDOI
10 Aug 2008
TL;DR: This article presents a family of cryptographic ASICs, called SecMat, designed in CMOS 130 nanometer technology by the authors with the help of STMicroelectronics, to experiment with the published "implementation-level" attacks.
Abstract: This article presents a family of cryptographic ASICs, called SecMat, designed in CMOS 130 nanometer technology by the authors with the help of STMicroelectronics. The purpose of these prototype circuits is to experiment with the published "implementation-level" attacks (SPA, DPA, EMA, templates, DFA). We report our conclusions about the practicability of these attacks: which ones are the most simple to mount, and which ones require more skill, time, equipment, etc. The potential of FPGAs as security evaluation commodities at design time is also detailed. Then, we discuss "dual counter-measures", which are meant to resist both passive and active attacks. This study started four years ago with TIMA (Grenoble), in the framework of the project MARS. We highlight some research directions towards dependable and cost-effective dual counter-measures.

45 citations


Proceedings ArticleDOI
10 Aug 2008
TL;DR: This paper evaluates and compares the error detection properties and hardware overheads of architectures based on robust, partially robust, and minimum distance robust codes for both public and private key cryptosystems.
Abstract: The adaptive and active nature of fault based side-channel attacks, along with the large arsenal of fault injection methods, complicates the design of effective countermeasures. To overcome the unpredictability of fault attackers, protection methods based on robust codes were proposed which can provide uniform error detection against all errors, eliminating possible weaknesses in the protection. In this paper we evaluate and compare the error detection properties and hardware overheads of architectures based on robust, partially robust, and minimum distance robust codes for both public and private key cryptosystems.

40 citations


Proceedings ArticleDOI
10 Aug 2008
TL;DR: This paper shows that the Ciet-Joye method proposed in FDTC'2005 does not completely prevent fault injection attacks: for a CRT-RSA with a 1024-bit modulus, it is shown that 13 faulty signatures are enough to recover the secret exponent with a probability greater than 50%, which can be improved to 99% with 83 faulty signatures.
Abstract: Since its invention in 1977, the celebrated RSA primitive has remained unbroken from a mathematical point of view, and has been widely used to build provably secure encryption or signature protocols. However, the introduction in 1996 of a new model of attacks - based on fault injections - by Boneh, deMillo and Lipton suggests the use of specific countermeasures to obtain a secure RSA implementation. In the special case of CRT implementations, many protections have been proposed and most of them have been proven insufficient to ensure resistance against DFA. In the present paper, we show that the Ciet-Joye method proposed in FDTC'2005 [10] does not completely prevent fault injection attacks: for a CRT-RSA with a 1024-bit modulus, we show that 13 faulty signatures are enough to recover the secret exponent with a probability greater than 50%, which can be improved to 99% with 83 faulty signatures.

26 citations


Proceedings ArticleDOI
10 Aug 2008
TL;DR: This paper demonstrates that traditional countermeasures such as masking methods for symmetric cryptosystems are completely inefficient against fault attacks and shows how to recover secret keys from two masked AES implementations using a basic differential fault attack.
Abstract: Over the past ten years, cryptographic algorithms have been found to be vulnerable to side-channel attacks such as power analysis attacks, timing attacks, electromagnetic radiation attacks and fault attacks. These attacks capture leaking information from an implementation of the algorithm in software or in hardware and apply cryptanalytical and statistical tools to recover the secret keys. A very well-known countermeasure against these attacks is to randomize every execution of the algorithm and every intermediate piece of data with a so-called masking method. In this paper we demonstrate that traditional countermeasures such as masking methods for symmetric cryptosystems are completely inefficient against fault attacks. In other words, differential fault attacks still apply on masked data. As an example we show how to recover secret keys from two masked AES implementations using a basic differential fault attack.

20 citations


Proceedings ArticleDOI
10 Aug 2008
TL;DR: This work presents a generic and elegant approach by using a highly fault secure algebraic structure that is compatible with finite fields and rings and preserves its error detection property throughout addition and multiplication.
Abstract: So far many software countermeasures against fault attacks have been proposed. However, most of them are tailored to a specific cryptographic algorithm or focus on securing the processed data only. In this work we present a generic and elegant approach by using a highly fault secure algebraic structure. This structure is compatible with finite fields and rings and preserves its error detection property throughout addition and multiplication. Additionally, we introduce a method to generate a fingerprint of the instruction sequence. Thus, it is possible to check the result for data corruption as well as for modifications in the program flow. This is even possible if the order of the instructions is randomized. Furthermore, the properties of the countermeasure allow the deployment of error detection as well as error diffusion. We point out that the overhead for the calculations and for the error checking within this structure is reasonable and that the transformations are efficient. In addition we discuss how our approach increases the security in various kinds of fault scenarios.

20 citations


Proceedings ArticleDOI
10 Aug 2008
TL;DR: The security of this unified countermeasure for protecting elliptic curve implementations against a variety of implementation attacks is studied, showing that the fault coverage is less than what was anticipated.
Abstract: Implementation attacks are a major threat for cryptographic applications. Recently, Baek and Vasyltsov (ISPEC 2007) proposed a unified countermeasure for protecting elliptic curve implementations against a variety of implementation attacks, including differential power attacks and fault attacks. This paper studies the security of this countermeasure. In particular, it shows that the fault coverage is less than what was anticipated. Further security weaknesses are also pointed out.

18 citations


Proceedings ArticleDOI
10 Aug 2008
TL;DR: An elliptic curve cryptoprocessor unit resistant against fault injection is described, provided by the use of parity preserving logic gates in the operating structure of the ECC unit, which is based on borrow-save adders.
Abstract: Differential Fault Analysis (DFA) is a real threat for elliptic curve cryptosystems. This paper describes an elliptic curve cryptoprocessor unit resistant against fault injection. This resistance is provided by the use of parity preserving logic gates in the operating structure of the ECC unit, which is based on borrow-save adders. The proposed countermeasure provides a high coverage fault detection and induces an acceptable area overhead (+38%).

Proceedings ArticleDOI
10 Aug 2008
TL;DR: This work proposes to use the same kind of technique to attack other asymmetric cryptographic schemes by induction of faults in the public modulus n, attacking an elliptic-curve-based signature protocol, and uses a different idea to attack the Guillou-Quisquater authentication scheme.
Abstract: Brier et al (2006) showed how to attack RSA by induction of faults in the public modulus n. We propose to use the same kind of technique to attack other asymmetric cryptographic schemes. The most interesting case, in which we use a somewhat different approach, is the attack on an elliptic-curve-based signature protocol (namely ECDSA). Here we also take advantage of the short keys to offer a nontrivial practical attack that enables us to fully recover the private key. A different idea is used to attack the Guillou-Quisquater authentication scheme (GQ). This demonstrates how the difference between schemes influences the details of the modulus corruption attacks. Special efforts were devoted to calculating the amount of corrupted data needed to perform the attack on each scheme. Various ways of protection against fault injection attacks on public key elements are discussed.

Proceedings ArticleDOI
10 Aug 2008
TL;DR: The difficulties that the designer of "secure hardware" like a chip card controller is confronted with are pointed out, to give the scientific community some impression of the problems that would be interesting to solve.
Abstract: Designing "secure hardware" like a chip card controller is a challenging task for hardware manufacturers: more and more attacks, which are also more and more sophisticated, generate a need for more and more countermeasures. Developers of these devices have to live with certain additional constraints, and this does not make their life easier. The difficulties that the designer of such a system is confronted with are pointed out. This might give the scientific community some impression of the problems that would be interesting to solve.