
Showing papers presented at "Workshop on Fault Diagnosis and Tolerance in Cryptography in 2011"


Proceedings ArticleDOI
29 Sep 2011
TL;DR: Fault injection methods are developed to show experimentally that protected smart cards are still vulnerable and the use of jitter-free diode lasers shows current countermeasures may be inadequate for the near future.
Abstract: In this paper we detail the latest developments regarding optical fault injection on secure micro controllers. On these targets, a combination of countermeasures makes fault injection less than trivial. We develop fault injection methods to show experimentally that protected smart cards are still vulnerable. We perform power signal guided fault injection, using a triggering mechanism based on real-time pattern recognition. Furthermore, the use of jitter-free diode lasers shows current countermeasures may be inadequate for the near future.

167 citations


Proceedings ArticleDOI
29 Sep 2011
TL;DR: This work thoroughly analyses how clock glitches affect a commercial low-cost processor by performing a large number of experiments on five devices, explains how typical fault attacks can be mounted on this device, and describes a new attack for which the fault injection is easy and the cryptanalysis trivial.
Abstract: The literature about fault analysis typically describes fault injection mechanisms, e.g. glitches and lasers, and cryptanalytic techniques to exploit faults based on some assumed fault model. Our work narrows the gap between both topics. We thoroughly analyse how clock glitches affect a commercial low-cost processor by performing a large number of experiments on five devices. We observe that the effects of fault injection on two-stage pipeline devices are more complex than commonly reported in the literature. While injecting a fault is relatively easy, injecting an exploitable fault is hard. We further observe that the easiest to inject and reliable fault is to replace instructions, and that random faults do not occur. Finally we explain how typical fault attacks can be mounted on this device, and describe a new attack for which the fault injection is easy and the cryptanalysis trivial.

161 citations


Proceedings ArticleDOI
29 Sep 2011
TL;DR: This paper classifies the existing fault attacks on implementations of cryptographic algorithms on embedded devices according to different criteria, exposes the possible security threats caused by fault attacks, and proposes different classes of countermeasures capable of preventing them.
Abstract: For a secure hardware designer, the vast array of fault attacks and countermeasures looks like a jungle. This paper aims at providing a guide through this jungle and at helping a designer of secure embedded devices to protect a design in the most efficient way. We classify the existing fault attacks on implementations of cryptographic algorithms on embedded devices according to different criteria. By doing so, we expose possible security threats caused by fault attacks and propose different classes of countermeasures capable of preventing them.

77 citations


Proceedings ArticleDOI
29 Sep 2011
TL;DR: Experimental results show that such electrical couplings are sufficient to disturb, with and without removing the IC package, the behavior of 90nm CMOS Ring Oscillators, a representative structure of CMOS logic but also a constituting element of some True Random Number Generators (TRNGs) or clock generators.
Abstract: The paper aims at demonstrating experimentally that the tiny Electro Magnetic (EM) coupling between the tip end of a micro-antenna and the chip is sufficient to locally and directly inject power into CMOS Integrated Circuits (IC). More precisely, experimental results show that such electrical couplings are sufficient to disturb, with and without removing the IC package, the behavior of 90nm CMOS Ring Oscillators, a representative structure of CMOS logic but also a constituting element of some True Random Number Generators (TRNGs) or clock generators.

46 citations


Proceedings ArticleDOI
29 Sep 2011
TL;DR: This paper proposes a DFA on the AES-128 key schedule which requires only one single-byte fault and a brute-force search of $2^8$ keys, showing that a DFA on the AES key schedule is equally dangerous as a fault analysis where the fault is injected in the intermediate state of AES.
Abstract: Literature on Differential Fault Analysis (DFA) on AES-128 shows that it is more difficult to attack AES when the fault is induced in the key schedule than when it is injected in the intermediate states. Recent research shows that DFA on the AES key schedule still requires two faulty ciphertexts, while it requires only one faulty ciphertext and a brute-force search of $2^8$ AES-128 keys when the fault is injected inside a round of AES. The present paper proposes a DFA on the AES-128 key schedule which requires only one single-byte fault and a brute-force search of $2^8$ keys, showing that a DFA on the AES key schedule is equally dangerous as a fault analysis where the fault is injected in the intermediate state of AES. Further, the fault model of the present attack is a single-byte fault. This is more realistic than the existing fault model of injecting three byte faults in a column of the AES key, which has a lower chance of success. To the best of our knowledge the proposed attack is the best known DFA on the AES key schedule and requires the minimum number of faulty ciphertexts. The simulated attack, running on a 3GHz Intel Core 2 Duo desktop machine with 2GB RAM, takes around 35 minutes to reveal the secret key.

43 citations


Proceedings ArticleDOI
29 Sep 2011
TL;DR: This paper extends the attack of Li et al. in order to overcome the problem of the final addition and to extract the secret inputs of the SHA1 compression function by analysing faulty outputs.
Abstract: In FDTC 2009, Li et al. published a DFA attack [20] against the symmetric block cipher SHACAL1 [11]. This block cipher substantially consists of the compression function of the hash function SHA1 [16] except for the final addition operation. When using the SHA1 compression function as a primitive in a keyed hash function like HMAC-SHA1 [17] or in a key derivation function it might be of some interest if the attack of Li et al. also applies to the SHA1 compression function. However, the final addition operation turns out to completely prevent this direct application. In this paper we extend the attack of Li et al. in order to overcome the problem of the final addition and to extract the secret inputs of the SHA1 compression function by analysing faulty outputs. Our implementation of the new attack needs about 1000 faulty outputs and a computation time of three hours on a normal PC to fully extract the secret inputs with high probability.

32 citations


Proceedings ArticleDOI
29 Sep 2011
TL;DR: This paper adapts DFA techniques originally used on AES-128 in order to retrieve the whole keys of AES-192 and AES-256, targeting the Key Expansion, and highlights the different fault diffusion problems that have to be solved to exploit the differential faults.
Abstract: Since its announcement, AES has been subject to different DFA attacks. Most of these attacks target AES with a 128-bit key. However, the two other variants are nowadays deployed in various applications and are also subject to the same attack path. In this paper, we adapt DFA techniques originally used on AES-128 in order to retrieve the whole keys of AES-192 and AES-256. The two main kinds of injection localization have been analyzed: faults during the cipher and during the Key Expansion computations. Analysis of this last case highlights different fault diffusion problems that have to be solved to exploit the differential faults. Finally, we propose the first attack on AES-192 and AES-256 on the Key Expansion. This attack leads to finding the whole initial key with 16 fault injections in both cases.

31 citations


Proceedings ArticleDOI
29 Sep 2011
TL;DR: This paper presents a high-speed architecture for the S-boxes constructed using mixed bases to counteract these internal/malicious faults, and shows that with comparable hardware complexity, the efficiency of the presented reliable architecture reaches around $5.02$ $\frac{Mbps}{\mu m^{2}}$, outperforming other fault detection schemes for composite field architectures.
Abstract: SubBytes (the S-boxes) is the only non-linear transformation in the encryption of the Advanced Encryption Standard (AES), occupying more than half of its hardware implementation resources. One important required aspect of the hardware architectures of the S-boxes is the reliability of their implementations. This can be compromised by the occurrence of internal faults or the intrusion of attackers. In this paper, we present a high-speed architecture for the S-boxes constructed using mixed bases to counteract these internal/malicious faults. Although using polynomial and normal bases for the S-boxes has been studied extensively, using mixed bases has only been considered very recently, in CHES 2010. In the proposed fault detection scheme of this paper, we present formulations for multi-bit parities for the S-boxes using mixed bases. Then, these formulations are utilized in our error simulations and it is shown that the presented architecture reaches very high error coverage. Through our ASIC syntheses utilizing a 65-nm CMOS technology, we show that with comparable hardware complexity, the efficiency of the presented reliable architecture (without sub-pipelining) reaches around $5.02$ $\frac{Mbps}{\mu m^{2}}$, outperforming other fault detection schemes for composite field architectures.

28 citations


Proceedings ArticleDOI
29 Sep 2011
TL;DR: An FPGA-based simulation environment for fault attacks on cryptographic hardware designs that can handle designs in VHDL as well as in Verilog language and does not require modifications to the design's source code is presented.
Abstract: In this contribution, we present an FPGA-based simulation environment for fault attacks on cryptographic hardware designs. With our methodology, we are able to simulate the effects of global fault attacks from e.g., spikes and local attacks from e.g., focused laser beams. The environment simulates transient bit-flip faults in sequential elements of a digital design. In this way it is tailored to the simulation of fault attacks on cryptographic designs. It is a tool to verify the design's behaviour in case of fault attacks and to verify implemented countermeasures. The environment is script-based for fully automated modification of the digital design and simulation. It can handle designs in VHDL as well as in Verilog language and does not require modifications to the design's source code. We used our environment in a case study and successfully tested the effectiveness of a fault detection countermeasure in an elliptic curve cryptography design.

14 citations


Proceedings ArticleDOI
29 Sep 2011
TL;DR: A fault-based security evaluation for an Elliptic Curve Cryptography (ECC) implementation using the Montgomery Powering Ladder (MPL) finds a vulnerability to FSA for the ECC implementation employing the López-Dahab algorithm.
Abstract: In this paper, we present a fault-based security evaluation for an Elliptic Curve Cryptography (ECC) implementation using the Montgomery Powering Ladder (MPL). We focus in particular on the López-Dahab algorithm, which is used to calculate a point on an elliptic curve efficiently without using the y-coordinate. Several previous fault analysis attacks cannot be applied to the ECC implementation employing the López-Dahab algorithm in a straightforward manner. In this paper, we evaluate the security of the López-Dahab algorithm using Fault Sensitivity Analysis (FSA). Although the initial work on FSA was applied only to an Advanced Encryption Standard (AES) implementation, we apply the technique to the ECC implementation. Consequently, we found a vulnerability to FSA for the ECC implementation using the López-Dahab algorithm.

11 citations


Proceedings ArticleDOI
29 Sep 2011
TL;DR: It is demonstrated that quadratic dual residue codes provide a much better protection under this powerful adversary model compared to similar codes previously proposed for the same purpose in the literature.
Abstract: We propose a new class of error detection codes, quadratic dual residue codes, to protect cryptographic computations running on general-purpose processor cores against fault attacks. The assumed adversary model is a powerful one, whereby the attacker can inject errors anywhere in the data path of a general-purpose microprocessor by bit flipping. We demonstrate that quadratic dual residue codes provide a much better protection under this powerful adversary model compared to similar codes previously proposed for the same purpose in the literature. The adopted strategy aims to protect the single-precision arithmetic operations, such as addition and multiplication, which usually dominate the execution time of many public key cryptography algorithms on general-purpose microprocessors. Two so-called robust units for addition and multiplication operations, which provide protection against fault attacks, are designed and tightly integrated into the data path of a simple, embedded re-configurable processor. We report implementation results that compare the proposed error detection codes favorably with previous proposals of similar type in the literature. In addition, we present performance evaluations of software implementations of the Montgomery multiplication algorithm using the robust execution units. Implementation results clearly show that it is feasible to implement robust arithmetic units with relatively low overhead even for a simple embedded processor.

Proceedings ArticleDOI
29 Sep 2011
TL;DR: Differential Fault Analysis has been known since 1996; while countermeasures against perturbation attacks were being developed, attack techniques also evolved, and the countermeasures developed against these second-generation attacks raised the security of secure microcontroller chips to a high level, especially compared to products of ten years ago.
Abstract: Differential Fault Analysis has been known since 1996 (Dan Boneh, Richard A. DeMillo and Richard J. Lipton, "The Bellcore Attack") [1]. Before that, the implementations of cryptographic functions were developed without awareness of fault analysis attacks. The first fault injection set-ups produced single voltage glitches or single light flashes at a single location on the silicon. A range of countermeasures has been developed and applied in cryptographic devices since. But while the countermeasures against perturbation attacks were being developed, attack techniques also evolved. The accuracy of the timing was improved, multiple light flashes were used to circumvent double checks, perturbation attacks were combined with side channels such as power consumption, and detection methods were developed to prevent chips from blocking after they detected the perturbation attempt. Against all these second generation attack methods new countermeasures were developed. This raised the level of security of secure microcontroller chips to a high level, especially compared to products of ten years ago. The certification schemes are mandating more and more advanced tests to keep secure systems secure in the future. One of the latest requirements is a light manipulation test using power consumption waveform based triggering with multiple light flashes at multiple locations on the silicon. If attack scenarios that are as complicated as this one are in scope, where will it end? The equipment necessary for the attack is expensive and special software is required. The perturbation attacks that are performed outside security labs and universities are of a different level. The security laboratories need to improve their attack techniques to match the findings of academic research, attacks in the field and attacks developed by other laboratories.
The level of required security is increasing, also increasing the price of the products because of the extra countermeasures that need to be implemented. These extra countermeasures result in significantly more complicated hardware designs, software implementations, higher power consumption and performance loss. Evaluation costs also increase with every extra penetration test that is added by the schemes because test set-ups have to be enhanced and more