
Showing papers presented at "Workshop on Fault Diagnosis and Tolerance in Cryptography in 2012"


Proceedings ArticleDOI
09 Sep 2012
TL;DR: Reports actual fault injection induced by EMPs in the targets, describes the faults' main properties, and explains the coupling mechanism between the antenna used to produce the EMP and the targeted circuit that causes the faults.
Abstract: This paper considers the use of electromagnetic pulses (EMP) to inject transient faults into the calculations of a hardware and a software AES. A pulse generator and a 500 µm-diameter magnetic coil were used to inject the localized EMP disturbances without any physical contact with the target. EMP injections were performed against a software AES running on a CPU, and a hardware AES (with and without countermeasure) embedded in an FPGA. The purpose of this work was twofold: (a) reporting actual fault injection induced by EMPs in our targets and describing their main properties, (b) explaining the coupling mechanism between the antenna used to produce the EMP and the targeted circuit, which causes the faults. The obtained results revealed a localized effect of the EMP since the injected faults were found to depend on the spatial position of the antenna on top of the circuit's surface. The assumption that EMP faults are related to the violation of the target's timing constraints was also studied and ascertained thanks to the use of a countermeasure based on monitoring such timing violations.

190 citations


Proceedings ArticleDOI
09 Sep 2012
TL;DR: A new way to classify fault attacks against block ciphers is proposed, exhibiting their capacity to be combined with observation attacks, together with a set of common protections against side-channel and fault attacks (higher-order masking schemes, detection and infection countermeasures) and how they can be combined.
Abstract: Recent works show that a combination of perturbation and observation attacks on symmetric ciphers thwarts state-of-the-art countermeasures. In this paper, we first propose a new way - to our knowledge - to classify fault attacks against block ciphers, allowing us to exhibit their capacity to be combined with observation attacks. We then present a set of common protections against side-channel and fault attacks, namely higher-order masking schemes, detection and infection countermeasures, and how they can be combined. We show that the combination of a higher-order masking scheme and a detection countermeasure can actually be defeated by a slight variant of the combined attack of Roche et al., even if one applies their patch. Furthermore, we also demonstrate that none of the published infection countermeasures is robust against fault attacks. Finally, using randomness, we propose a set of enhanced countermeasures that thwart the considered threats.

85 citations


Proceedings ArticleDOI
09 Sep 2012
TL;DR: A simple methodology based on information theory that adapts the number of faults required for the analysis to the fault injection process is proposed, and entropy is put forward as a tool for apprehending the most complex fault models in DFA.
Abstract: Differential fault analysis (DFA) techniques have been widely studied during the past decade. To the best of our knowledge, most DFA techniques on the Advanced Encryption Standard (AES) either impose strong constraints on the fault injection process or require numerous faults in order to recover the secret key. This article presents a simple methodology based on information theory which allows one to adapt the number of required faults for the analysis to the fault injection process. With this technique, the constraints on the fault model to recover the last round key are considerably lowered. Additionally, entropy is proposed as a tool to apprehend the most complex fault models in DFA. A practical realization and simulations are presented to illustrate our methodology.

50 citations


Proceedings ArticleDOI
09 Sep 2012
TL;DR: This paper defines the objectives of shielding and proposes an innovative solution based on random shielding, making the geometry of the shield difficult to recognize and thereby making the "identification" phase of the attack harder than in previous schemes.
Abstract: Recently, some active shielding techniques have been broken (e.g. by FlyLogic). The caveat is that their geometry is easy to guess, and thus they can be bypassed at an affordable price. This paper has two contributions. First of all, it provides a definition of the objectives of shielding, which is seldom found in publicly available sources. Notably, we specify the expected functionality, but also the constraints it must meet to be both manufacturable and secure. Second, we propose an innovative solution based on random shielding. The goal of this shielding is to make the geometry of the shield difficult to recognize, thereby making the "identification" phase of the attack harder than in previous schemes. Also, a proof of the existence of the shielding for two layers of metal is provided, which guarantees that the generation of the layout will succeed. Finally, we provide real tests of the shield generation algorithm, which show it is computationally tractable even for large areas to protect.

43 citations


Proceedings ArticleDOI
09 Sep 2012
TL;DR: This paper shows that EM backside injection (the case of flip-chip BGA packages) has little or no interest, and that a new fault injection technique, called Forward Body Biasing Injection (FBBI), must be preferred to EM injection to produce transient faults, especially when laser shots are detected by the target.
Abstract: In recent years, the advances made by technologists and circuit designers have been particularly important. Alongside these advances, the demand for secure objects has broadened from smartcards towards high-performance integrated products. These Systems on Chip, which will ultimately have to offer robustness guarantees against physical attacks, have characteristics radically different from those of smartcards. Indeed, a comparison of SoCs with smartcards highlights that SoCs:
- operate at several hundred MHz, against a few tens of MHz for smartcards,
- feature several million CMOS gates, against roughly one hundred thousand for modern smartcards,
- are designed with advanced CMOS technologies (45 nm, 32 nm) on a bulk or silicon-on-insulator substrate, while smartcards are currently designed with the 90 nm process,
- have a large number of IO and supply/ground pins and are often encapsulated in a ball grid array package.
These observations raise questions about the vulnerabilities of tomorrow's embedded systems to physical attacks. Will an adversary be able to analyze the power consumption of such systems? Will he be able to inject transient faults and exploit them in such systems? If the issue of the physical vulnerabilities of SoCs remains, as designers of secure circuits we can only wonder about the means an adversary could use to inject transient faults into a SoC running at several hundred MHz and encapsulated in a BGA package. Considering that adversaries can access only the front side of such systems, the above questions lead us to consider electromagnetic waves as the main medium for injecting faults. Within this context, two EM platforms for injecting faults into circuits will be described during the presentation. The first platform is a harmonic injection platform, developed in order to be able to disturb analogue blocks such as on-chip clock generators or TRNGs. The challenges related to this kind of injection will be discussed before presenting some experimental results. The second platform is dedicated to the injection of EM pulses. This type of injection platform has been developed to inject transient faults into sensitive operations performed by cryptomodules or any processing element. Two types of platform can be designed: a medium-voltage platform (0-100 V) built around a commercially available pulse generator, and a high-voltage platform (50 V-1 kV) based on a homemade pulse generator. Experimental results obtained when applying the Piret-Quisquater attack will be analyzed to identify one of the electrical behaviors that could explain the occurrence of transient faults. Finally, we will show that EM backside injection (the case of flip-chip BGA packages) has little or no interest. Indeed, a new fault injection technique, called Forward Body Biasing Injection (FBBI), must be preferred to EM injection to produce transient faults, especially when laser shots are detected by the target. The equipment required to apply FBBI is low cost and very similar to that used to produce an EM pulse. The main difference is the replacement of the coil producing the magnetic field by a thin tungsten rod, in order to establish a direct electrical contact with the substrate. With such a direct contact (instead of magnetic coupling), the fault can be produced with a low-amplitude pulse generator. Additionally, the spatial resolution is expected to be better than with an EM pulse. The two electrical behaviors underlying this simple technique will be described before giving some experimental results obtained on a CRT-based RSA running on a secure device featuring a modular arithmetic co-processor.

42 citations


Proceedings ArticleDOI
09 Sep 2012
TL;DR: Combined attacks on the AES key schedule based on the work of Roche et al. are presented, which defeat most AES implementations secure against both high-order side-channel attacks and fault attacks.
Abstract: We present combined attacks on the AES key schedule based on the work of Roche et al. The main drawbacks of the original attack are: the need for high repeatability of the fault, a very particular fault model and a very high complexity of the key recovery algorithm. We consider more practical fault models, we obtain improved key recovery algorithms and we present more attack paths for combined attacks on AES. We propose to inject faults on the different operations of the key schedule instead of the key state of round 9 or the corresponding data state. We also consider fault injections in AES constants such as the RCon or the affine transformation of the SubWord. By corrupting these constants, the attacker can easily deduce the value of the error. The key recovery complexity can then be greatly improved. Notably, we can obtain a complexity identical to a classical differential side-channel attack. Our attacks defeat most AES implementations secure against both high-order side-channel attacks and fault attacks.

31 citations


Proceedings ArticleDOI
09 Sep 2012
TL;DR: A DFA on Grøstl-256, a hash algorithm that imitates the main structures of AES, is presented, able to completely recover the whole input message using a one-bit and a random-byte fault model.
Abstract: This paper presents a DFA on Grøstl-256, a hash algorithm that imitates the main structures of AES. Although our attack is inspired by the classical fault attacks on AES, these could not be adapted directly. The attack is able to completely recover the whole input message using a one-bit and a random-byte fault model. It needs 16 errors to invert the output transformation Ω_n and on average 280 errors for each compression step. When Grøstl is used in a keyed hash function like HMAC, this attack is able to retrieve the secret key from about 300 faulty outputs in less than three minutes.

24 citations


Proceedings ArticleDOI
Sho Endo1, Yang Li, Naofumi Homma1, Kazuo Sakiyama, Kazuo Ohta, Takafumi Aoki1 
09 Sep 2012
TL;DR: The proposed countermeasure, based on configurable delay blocks, detects both DFA and FSA attacks that rely on setup-time violation faults; its hardware overhead is evaluated in ASIC for an AES module and its validity demonstrated through an experiment using a prototype FPGA implementation.
Abstract: In this paper, we present an efficient countermeasure against Fault Sensitivity Analysis (FSA) based on configurable delay blocks (CDBs). FSA is a new type of fault attack which exploits the relationship between fault sensitivity and secret information. Previous studies reported that it could break cryptographic modules equipped with conventional countermeasures against Differential Fault Analysis (DFA) such as redundancy calculation, Masked AND-OR and Wave Dynamic Differential Logic (WDDL). The proposed countermeasure can detect both DFA and FSA attacks based on setup time violation faults. The proposed ideas are to use a CDB as a time base for detection and to combine the technique with Li's countermeasure concept, which removes the dependency between fault sensitivities and secret data. Post-manufacture configuration of the delay blocks allows minimization of the overhead in operating frequency which comes from manufacturing variability. In this paper, we present an implementation of the proposed countermeasure, and describe its configuration method. We also investigate the hardware overhead of the proposed countermeasure implemented in ASIC for an AES module and demonstrate its validity through an experiment using a prototype FPGA implementation.

24 citations


Proceedings ArticleDOI
09 Sep 2012
TL;DR: This work extends the byte-fault attack of Giraud et al. on signature schemes in a number of ways, with a main focus on an alternative fault model motivated by existing fault injection results: injecting biased faults lets an attacker reveal security-critical data with significantly fewer faults and/or a significantly faster search through the remaining candidates.
Abstract: This paper presents an extension of the byte-fault attack on signature schemes presented by Giraud et al. Our work extends their attack in a number of ways, but the main focus is an alternative fault model motivated by existing fault injection results. Instead of assuming faults are uniformly distributed (i.e., a given bit is flipped with probability 1/2), we consider the case where faults are biased (i.e., the probability differs from 1/2). Our results show that injecting biased faults allows an attacker to reveal security-critical data with significantly fewer faults and/or a significantly faster search through the remaining candidates.

10 citations
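As an added illustration, not part of either paper, of two ideas on this page (entropy as a way to quantify a fault model, from the information-theoretic DFA paper above, and the biased fault model of the Giraud-extension paper just above), the Python below assumes a constructed single-byte fault model in which every bit of the byte flips independently with probability p. The papers' own fault models are more specific than this; the point shown is only how the entropy of the error distribution, and the number of error candidates an attacker must search to cover most of the probability mass, fall as the flips become biased away from p = 1/2.

```python
import math


def bit_flip_error_distribution(p, width=8):
    """Probability of each error value e (0 <= e < 2**width) when every bit of a
    width-bit word flips independently with probability p.  Constructed toy
    fault model for illustration, not the fault model of either paper."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("flip probability must lie in [0, 1]")
    dist = {}
    for e in range(1 << width):
        k = bin(e).count("1")                       # number of flipped bits in e
        dist[e] = (p ** k) * ((1.0 - p) ** (width - k))
    return dist


def entropy_bits(dist):
    """Shannon entropy (bits) of the error distribution: how much information
    about the injected error the attacker still has to recover."""
    return -sum(q * math.log2(q) for q in dist.values() if q > 0.0)


def candidates_for_coverage(dist, coverage=0.99):
    """Smallest number of most-likely error values whose probabilities sum to at
    least `coverage`: the candidate list an attacker has to search through."""
    total, n = 0.0, 0
    for q in sorted(dist.values(), reverse=True):
        total += q
        n += 1
        if total >= coverage:
            return n
    return n


def compare_fault_models(ps=(0.5, 0.25, 0.1), coverage=0.99):
    """Map each bit-flip probability to (entropy in bits, candidates needed to
    reach `coverage`), so uniform and biased models can be compared."""
    result = {}
    for p in ps:
        dist = bit_flip_error_distribution(p)
        result[p] = (entropy_bits(dist), candidates_for_coverage(dist, coverage))
    return result


if __name__ == "__main__":
    # Uniform flips (p = 0.5) give the full 8 bits and nearly all 256 candidates;
    # a bias towards few flips shrinks both.
    for p, (h, n) in compare_fault_models().items():
        print(f"p={p:<5} entropy={h:5.2f} bits  candidates for 99% coverage={n:3d}")
```

With p = 0.5 every error value is equally likely (entropy 8.0 bits, 254 of the 256 values needed for 99% coverage); with p = 0.1 the entropy drops to about 3.75 bits and the same coverage is reached after 85 candidates, which is the effect the biased-fault paper exploits to cut the number of faults and the search time.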


Proceedings ArticleDOI
09 Sep 2012
TL;DR: The proposed circuit simulation method for Fault Sensitivity Analysis (FSA) extracts fault sensitivity data from post place-and-route logic simulation results, so it can easily be integrated with a conventional LSI design flow.
Abstract: A circuit simulation method for Fault Sensitivity Analysis (FSA) is proposed. The simulation can be used both for (i) security evaluation before fabrication and (ii) investigation of the leakage mechanism. The proposed method extracts fault sensitivity data from post place-and-route logic simulation results, thus it can easily be integrated with a conventional LSI design flow. As a proof of concept, the proposed method is applied to the netlist of an AES implementation on the 130-nm SASEBO LSI. In the experiment, a key recovery attack is successfully recreated using simulated data of a standard implementation (AES_Comp). In addition, to bridge the gap between simulation and real measurement, we model the effect of induced timing jitter (measurement noise) on the resulting correlation.

9 citations


Proceedings ArticleDOI
Dawu Gu1, Juanru Li1, Sheng Li1, Zhouqian Ma1, Zheng Guo1, Junrong Liu1 
09 Sep 2012
TL;DR: The analysis makes use of statistical cryptanalysis techniques in practice rather than theoretically, and exploits the weakness of bit-permutation adopted by many lightweight block ciphers under fault attack.
Abstract: Differential fault analysis is one of the most efficient side channel attack techniques that threaten the security of block ciphers. However, it often requires a penultimate or antepenultimate round faulty encryption and is not suitable for middle-round faults. This paper presents attacks combining differential fault analysis with statistical cryptanalysis techniques against lightweight ciphers. The analysis makes use of statistical cryptanalysis techniques in practice rather than theoretically, and exploits the weakness of the bit-permutation adopted by many lightweight block ciphers under fault attack. Specific attacks against PRESENT and PRINTcipher are given to prove the validity. The result shows that about one fifth of the iterative rounds need to be protected for these lightweight ciphers with bit-permutation.

Proceedings ArticleDOI
09 Sep 2012
TL;DR: This paper discusses the generations of these algorithms and how these generations are affected by fault attacks, and offers a perspective on approaches that could offer increased resistance against fault attacks and other implementation attacks.
Abstract: Symmetric cryptographic algorithms include stream ciphers, block ciphers, MAC algorithms, and hash functions. This paper discusses the generations of these algorithms and how these generations are affected by fault attacks. It also offers a perspective on approaches that could offer increased resistance against fault attacks and other implementation attacks.