
Showing papers presented at "Workshop on Fault Diagnosis and Tolerance in Cryptography in 2009"


Proceedings ArticleDOI
06 Sep 2009
TL;DR: Practical fault attack results on six kinds of block ciphers listed in ISO/IEC 18033-3 that are implemented on an LSI: AES, DES, Camellia, CAST-128, SEED, and MISTY1 are presented.
Abstract: This paper presents practical fault attack results on six kinds of block ciphers listed in ISO/IEC 18033-3 that are implemented on an LSI: AES, DES, Camellia, CAST-128, SEED, and MISTY1. We developed an experimental environment that injects faults into any desired round by supplying a clock signal with a glitch. We examined practical attack assumptions and the fault model based on experimental results. We also succeeded in recovering AES keys in the LSI using Piret's attack, which uses only one faulty ciphertext obtained using the proposed experimental environment.

92 citations


Proceedings ArticleDOI
06 Sep 2009
TL;DR: A non-invasive fault model based on the effects of underfeeding the power supply of an ARM general purpose CPU is described and proposed and mount attacks on implementations of the RSA primitives.
Abstract: Fault injection attacks are a powerful tool to exploit implementation weaknesses of robust cryptographic algorithms. The faults induced during the computation of the cryptographic primitives allow extracting pieces of information about the secret parameters stored in the device from the erroneous results. Various fault induction techniques have been researched, both to make practical several theoretical fault models proposed in the open literature and to outline new kinds of vulnerabilities. In this paper we describe a non-invasive fault model based on the effects of underfeeding the power supply of an ARM general purpose CPU. We describe the methodology followed to characterize the fault model on an ARM9 microprocessor and propose and mount attacks on implementations of the RSA primitives.

91 citations


Proceedings ArticleDOI
06 Sep 2009
TL;DR: It is shown that non-resynchronizing gates (hence combinatorial DPL such as WDDL) are natively immune to setup time violation attacks.
Abstract: In order to protect crypto-systems against side channel attacks, various countermeasures have been implemented, such as dual-rail logic or masking. Fault attacks are a powerful tool to break some implementations of robust cryptographic algorithms such as AES and DES. Various kinds of fault attack scenarios have been published. However, very few publications available in the public literature detail the practical realization of such attacks. In this paper we present the result of a practical fault attack on AES in WDDL and its comparison with its non-protected equivalent. The practical faults on an FPGA running an AES encryptor are realized by under-powering it and further exploited using Piret's attack. The results show that WDDL is protected against setup violation attacks by construction because a faulty bit is replaced by a null bit in the ciphertext. Therefore, the fault leaks no exploitable information. We also give a theoretical model for the above results. Other references have already studied the potential of fault protection of the resynchronizing gates (delay-insensitive). In this paper, we show that non-resynchronizing gates (hence combinatorial DPL such as WDDL) are natively immune to setup time violation attacks.

59 citations


Proceedings ArticleDOI
06 Sep 2009
TL;DR: This paper presents a new fault attack on the elliptic curve digital signature algorithm (ECDSA), using a modification of the program flow to retrieve parts of the ephemeral key and proposes a countermeasure to prevent such an attack.
Abstract: An advantage of schemes based on elliptic curve cryptography (ECC) is that they require a smaller key size than other public key schemes to guarantee the same level of security. Thus, ECC algorithms are well suited for systems with constrained resources like smart cards or mobile devices. When evaluating those devices, not only the security from a theoretical point of view, but also implementation attacks, like fault attacks, have to be taken into account. In this paper, we present a new fault attack on the elliptic curve digital signature algorithm (ECDSA). We use a modification of the program flow to retrieve parts of the ephemeral key. The retrieved information allows performing a lattice attack to determine the secret signing key. Furthermore, we propose a countermeasure to prevent such an attack.

57 citations


Proceedings ArticleDOI
06 Sep 2009
TL;DR: It is demonstrated that if only a single byte of the table is changed, 2 500 pairs of correct and faulty encrypted inputs are sufficient to recover the key with a probability of 90%, in case the key schedule is not modified by the attack.
Abstract: Microprocessors are the heart of the devices we rely on every day. However, their non-volatile memory, which often contains sensitive information, can be manipulated by ultraviolet (UV) irradiation. This paper gives practical results demonstrating that the non-volatile memory can be erased with UV light by investigating the effects of UV-C light with a wavelength of 254 nm on four different depackaged microcontrollers. We demonstrate that an adversary can use this effect to attack an AES software implementation by manipulating the 256-bit S-box table. We show that if only a single byte of the table is changed, 2 500 pairs of correct and faulty encrypted inputs are sufficient to recover the key with a probability of 90%, in case the key schedule is not modified by the attack. Furthermore, we emphasize this by presenting a practical attack on an AES implementation running on an 8-bit microcontroller. Our attack involves only a standard decapsulation procedure and the use of a low-cost UV lamp.

55 citations


Proceedings ArticleDOI
06 Sep 2009
TL;DR: It is shown that optical emissions from an operating chip have a good correlation with power traces and can therefore be used to estimate the contribution of different areas within the chip, thereby saving the time otherwise required for exhaustive search.
Abstract: This paper shows that optical emissions from an operating chip have a good correlation with power traces and can therefore be used to estimate the contribution of different areas within the chip. I present a low-cost approach using inexpensive CCD cameras. The technique was used to recover data stored in SRAM, EEPROM and Flash of a 0.9 µm microcontroller. The result of a backside approach in analysing a 0.13 µm chip is also presented. Practical limits for this analysis in terms of sample preparation, operating conditions and chip technology are also discussed. Optical emission analysis can be used for partial reverse engineering of the chip structure by spotting the active areas. This can assist in carrying out optical fault injection attacks later, thereby saving the time otherwise required for exhaustive search.

53 citations


Proceedings ArticleDOI
06 Sep 2009
TL;DR: A fault attack against Snow 3G is proposed, which recovers the secret key with only 22 fault injections, and aims to improve the security of this backup encryption algorithm.
Abstract: Snow 3G is the backup encryption algorithm used in the mobile phone UMTS technology to ensure data confidentiality. Its design - a combiner with memory - is derived from the stream cipher Snow 2.0, with improvements against algebraic cryptanalysis and distinguishing attacks. No attack is known against Snow 3G today. In this paper, a fault attack against Snow 3G is proposed. Our attack recovers the secret key with only 22 fault injections.

47 citations


Proceedings ArticleDOI
06 Sep 2009
TL;DR: The evolution of the KeeLoq attack is described and it is found that an SPA (simple power analysis) attack allows recovering the manufacturer key with one measurement, applicable to any symmetric cipher with an implementation that is not side-channel resistant.
Abstract: Last year we were able to break KeeLoq, which is a 64 bit block cipher that is popular for remote keyless entry (RKE) systems. KeeLoq RKEs are widely used for access control purposes such as garage openers or car door systems. Even though the attack seems almost straightforward in hindsight, there were many practical and theoretical problems to overcome. In this talk I want to describe the evolution of the attack over about two years. Also, some possible future improvements using fault-injection will be mentioned. During the first phase of breaking KeeLoq, a surprisingly long time was spent on analyzing the target hardware, taking measurements and wondering why we did not succeed. In the second phase, we were able to use differential power analysis attacks successfully on numerous commercially available products employing KeeLoq code hopping. Our techniques allow for efficiently revealing both the secret key of a remote transmitter and the manufacturer key stored in a receiver. As a result, a remote control can be cloned from only ten power traces, allowing for a practical key recovery in a few minutes. With similar techniques but with considerably more measurements (typically on the order of 10,000) we can extract the manufacturer key which is stored in every receiver device, e.g., a garage door opener unit. In the third and most recent phase, we were able to come up with several improvements. Most notably, we found that an SPA (simple power analysis) attack allows recovering the manufacturer key with one measurement. In the talk, we will also speculate about extensions to fault-injection and timing attacks. It is important to note that most of our findings are not specific to KeeLoq but are - in principle - applicable to any symmetric cipher with an implementation that is not side-channel resistant.

32 citations


Proceedings ArticleDOI
06 Sep 2009
TL;DR: A completely different approach is proposed by embedding the public exponent into [the description of] the private key, resulting in a very efficient countermeasure with a 100% fault detection.
Abstract: Fault attacks constitute a major threat toward cryptographic products supporting RSA-based technologies. Most often, the public exponent is unknown, turning resistance to fault attacks into an intricate problem. Over the past few years, several techniques for secure implementations have been published, but none of them is fully satisfactory. We propose a completely different approach by embedding the public exponent into [the description of] the private key. As a result, we obtain a very efficient countermeasure with a 100% fault detection.

30 citations


Proceedings ArticleDOI
06 Sep 2009
TL;DR: A new exponentiation method without this drawback is proposed and a security proof of resistance to fault attacks is given and an RSA algorithm implemented using the Chinese Remainder Theorem protected against side channel attacks is proposed.
Abstract: Cryptographic algorithm implementations are subject to specific attacks, called side channel attacks, focusing on the analysis of their power consumption or execution time or on the analysis of faulty computations. At FDTC06, Fumaroli and Vigilant presented a generic method to compute an exponentiation resistant against different side channel attacks. However, even if this algorithm does not reveal information on the secrets in case of a fault attack, it cannot be used to safely implement a crypto-system involving an exponentiation. In this paper, we propose a new exponentiation method without this drawback and give a security proof of resistance to fault attacks. As an application, we propose an RSA algorithm implemented using the Chinese Remainder Theorem protected against side channel attacks. The exponentiation algorithm is also 33% faster than the previous method.

30 citations


Proceedings ArticleDOI
06 Sep 2009
TL;DR: This paper presents a fault attack detection scheme for the AES using digest values, deduced from the mathematical description of each AES individual transformation, that can be combined with data masking to thwart efficiently both FA and DPA.
Abstract: In smart card environments, speed and memory optimization of cryptographic algorithms are an ongoing preoccupation. In addition, there is the necessity to protect the device against various attacks. In this paper we present a fault attack detection scheme for the AES using digest values. They are deduced from the mathematical description of each individual AES transformation. The security of our countermeasure is proved in a realistic fault model. Moreover, we show that it can be combined with data masking to efficiently thwart both FA and DPA. Eventually, implementations of our method are presented, showing that it can be an interesting alternative to the traditional doubling countermeasure method.

Proceedings ArticleDOI
06 Sep 2009
TL;DR: This paper applies differential fault analysis on SHACAL-1 to introduce the random word fault model, presents some theoretical arguments, and gives an efficient fault attack based on the characteristic of the cipher.
Abstract: SHACAL-1, known as one of the finalists of the NESSIE project, originates from the compression component of the widely used hash function SHA-1. The requirements of confusion and diffusion are implemented through mixing operations and rotations rather than substitution and permutation, thus there exists little literature on its immunity against fault attacks. In this paper, we apply differential fault analysis on SHACAL-1 in a synthetic approach. We introduce the random word fault model, present some theoretical arguments, and give an efficient fault attack based on the characteristic of the cipher. Both theoretical predictions and experimental results demonstrate that 72 random faults are needed to obtain the 512-bit key with success probability of more than 60%, while 120 random faults are enough to obtain the 512-bit key with success probability of more than 99%.

Proceedings ArticleDOI
06 Sep 2009
TL;DR: An efficient countermeasure is presented that renders the Montgomery ladder algorithm resistant to this attack as well as to other known fault attacks.
Abstract: The Montgomery ladder method of computing elliptic curve scalar multiplication is esteemed as an efficient algorithm, inherently resistant to simple side-channel attacks as well as to various fault attacks. In FDTC 08, Fouque et al. present an attack on the Montgomery ladder in the presence of a point validation countermeasure, when the y-coordinate is not used. In this paper, we present an efficient countermeasure that renders the algorithm resistant to this attack as well as to other known fault attacks.

Proceedings ArticleDOI
06 Sep 2009
TL;DR: This paper exploits the carry knowledge from fault attacks on other public-key schemes like DSA and ECDSA signature schemes, and Schnorr and GPS authentication and signature schemes, and presents techniques to learn the carry leakage using fault analysis.
Abstract: In this paper, we study the security of Schnorr-based identification and signature schemes. Like the carry attack of Fouque et al. at CHES last year, we exploit the carry knowledge from fault attacks on other public-key schemes like the DSA and ECDSA signature schemes and the Schnorr and GPS authentication and signature schemes. These attacks can be used to recover the secret key very efficiently, and it is worth noticing that the complexity of the attack depends on the equation involving the secret key. We also present different techniques to learn the carry leakage using fault analysis.