scispace - formally typeset
Search or ask a question

Showing papers presented at "Workshop on Fault Diagnosis and Tolerance in Cryptography in 2014"


Proceedings ArticleDOI
23 Sep 2014
TL;DR: Differential Fault Intensity Analysis is introduced, which combines the principles of Differential Power Analysis and fault injection and finds that with an average of 7 fault injections, it can reconstruct a full 128-bit AES key.
Abstract: Recent research has demonstrated that there is no sharp distinction between passive attacks based on side-channel leakage and active attacks based on fault injection. Fault behavior can be processed as side-channel information, offering all the benefits of Differential Power Analysis including noise averaging and hypothesis testing by correlation. This paper introduces Differential Fault Intensity Analysis, which combines the principles of Differential Power Analysis and fault injection. We observe that most faults are biased - such as single-bit, two-bit, or three-bit errors in a byte - and that this property can reveal the secret key through a hypothesis test. Unlike Differential Fault Analysis, we do not require precise analysis of the fault propagation. Unlike Fault Sensitivity Analysis, we do not require a fault sensitivity profile for the device under attack. We demonstrate our method on an FPGA implementation of AES with a fault injection model. We find that with an average of 7 fault injections, we can reconstruct a full 128-bit AES key.

103 citations


Proceedings ArticleDOI
23 Sep 2014
TL;DR: In this article, the authors propose two extremely stealthy hardware Trojans that facilitate fault-injection attacks in cryptographic blocks. But they do not describe how they can be used to inject faults into an ASIC implementation of the recently introduced lightweight cipher PRINCE.
Abstract: We propose two extremely stealthy hardware Trojans that facilitate fault-injection attacks in cryptographic blocks. The Trojans are carefully inserted to modify the electrical characteristics of predetermined transistors in a circuit by altering parameters such as doping concentration and do pant area. These Trojans are activated with very low probability under the presence of a slightly reduced supply voltage (0.001 for 20% Vdd reduction). We demonstrate the effectiveness of the Trojans by utilizing them to inject faults into an ASIC implementation of the recently introduced lightweight cipher PRINCE. Full circuit-level simulation followed by differential cryptanalysis demonstrate that the secret key can be reconstructed after around 5 fault-injections.

59 citations


Proceedings ArticleDOI
23 Sep 2014
TL;DR: An in-depth analysis of the vulnerability of two different microcontroller platforms on clock and supply voltage tampering, showing that the fetch stage and the execution stage of the instruction pipeline are mainly affected by clock glitches, leading to skipped or duplicated execution or faulty calculation results.
Abstract: Forcing faulty outputs of devices implementing cryptographic primitives in order to reveal some secret information is a well-known attack strategy. Tampering with the clock signal or the supply voltage are two popular techniques for generating erroneous behaviour. In this work we perform an in-depth analysis of the vulnerability of two different microcontroller platforms on clock and supply voltage tampering. The influence on three different groups of instructions is discussed in detail: arithmetical/logical instructions, branch instructions and memory instructions. A novel approach, combining short-time under powering with clock glitches, is applied in order to increase the reproducibility of the fault and the probability for the fault to occur. Results show that the fetch stage and the execution stage of the instruction pipeline are mainly affected by clock glitches, leading to skipped or duplicated execution or faulty calculation results. One sample per platform is used for the experiments, but for each fault type an interval for the parameters leading to the fault with a probability of 100% is given. The values in the middle of this interval are less sensitive to sample distribution as well as environmental influences. This knowledge allows to efficiently attack software implementations of cryptographic primitives implemented on one of the evaluated platforms.

54 citations


Proceedings ArticleDOI
23 Sep 2014
TL;DR: In this paper, the authors demonstrate two fault attacks on SIMON and one fault attack on SPECK and show that these families of ciphers are vulnerable to differential fault attacks.
Abstract: In 2013, the US National Security Agency proposed two new families of lightweight block ciphers: SIMON and SPECK. Currently, linear and differential cryptanalytic results for SIMON are available in the literature but no fault attacks have been reported so far on these two cipher families. In this paper, we show that these families of ciphers are vulnerable to differential fault attacks. Specifically, we demonstrate two fault attacks on SIMON and one fault attack on SPECK. The first attack on SIMON assumes a bit-flip fault model and recovers the n-bit last round key of SIMON using n/2 bit faults. The second attack on SIMON uses a more practical, random byte fault model and requires n/8 faults on average to retrieve the last round key. The attack presented on SPECK also assumes a bit-flip fault model and recovers the n-bit last round key of SPECK using n/3 bit faults on average.

48 citations


Proceedings ArticleDOI
23 Sep 2014
TL;DR: It is proved that fault attacks against pairing-based cryptography are indeed possible and even practical - thus posing a serious threat - and the first practical fault attack against a complete pairing computation is conducted.
Abstract: Several fault attacks against pairing-based cryptography have been described theoretically in recent years. Interestingly, none of these has been practically evaluated. We accomplish this task and prove that fault attacks against pairing-based cryptography are indeed possible and even practical - thus posing a serious threat. Moreover, we successfully conduct a second-order fault attack against an open source implementation of the eta pairing on an AVR XMEGA A1. We inject the first fault into the computation of the Miller Algorithm and apply the second fault to completely skip the final exponentiation. We introduce a low-cost setup that allows us to generate multiple independent faults in one computation. The setup implements these faults by clock glitches which induce instruction skips. With this setup we conducted the first practical fault attack against a complete pairing computation.

41 citations


Proceedings ArticleDOI
23 Sep 2014
TL;DR: This work investigates combined fault attacks by performing clock-glitch attacks under the impact of heating by performing practical experiments on an 8-bit AVR microcontroller and identifies that the success rate of glitch attacks performed at an ambient temperature of 100°C is higher than under room temperature.
Abstract: Fault attacks have been widely studied in the past but most of the literature describes only individual fault-injection techniques such as power/clock glitches, EM pulses, optical inductions, or heating/cooling. In this work, we investigate combined fault attacks by performing clock-glitch attacks under the impact of heating. We performed practical experiments on an 8-bit AVR microcontroller which resulted in the following findings. First, we identified that the success rate of glitch attacks performed at an ambient temperature of 100°C is higher than under room temperature. We were able to induce more faults and significantly increase the time frame when the device is susceptible to glitches which makes fault attacks easier to perform in practice. Second, and independently of the ambient temperature, we demonstrate that glitches cause individual instructions to repeat, we are able to add new random instructions, and we identified that opcode gets modified such that address registers of individual instructions get changed. Beside these new results, this is the first work that reports results of combined glitch and thermo attacks.

30 citations


Proceedings ArticleDOI
23 Sep 2014
TL;DR: This paper studies the existing CRT-RSA countermeasures against fault-injection attacks, and presents a way to design a provable high-order countermeasure (for a well-defined and reasonable fault model).
Abstract: In this paper we study the existing CRT-RSA countermeasures against fault-injection attacks. In an attempt to classify them we get to achieve deep understanding of how they work. We show that the many countermeasures that we study (and their variations) actually share a number of common features, but optimize them in different ways. We also show that there is no conceptual distinction between test-based and infective countermeasures and how either one can be transformed into the other. Furthermore, we show that faults on the code (skipping instructions) can be captured by considering only faults on the data. These intermediate results allow us to improve the state of the art in several ways: (a) we fix an existing and that was known to be broken countermeasure (namely the one from Shamir), (b) we drastically optimize an existing countermeasure (namely the one from Vigilant) which we reduce to 3 tests instead of 9 in its original version, and prove that it resists not only one fault but also an arbitrary number of randomizing faults, (c) we also show how to upgrade countermeasures to resist any given number of faults: given a correct first-order countermeasure, we present a way to design a provable high-order countermeasure (for a well-defined and reasonable fault model). Finally, we pave the way for a generic approach against fault attacks for any modular arithmetic computations, and thus for the automatic insertion of countermeasures.

23 citations


Proceedings ArticleDOI
23 Sep 2014
TL;DR: A novel fault attack against Substitution Permutation Networks that relies only on the number of faulty cipher texts originated from the same unknown plaintext and can be applied against any round thus any round key can be extracted.
Abstract: This paper presents a novel fault attack against Substitution Permutation Networks. The main advantage of the method is an absence of necessity to know the exact cipher's input and output values. The attack relies only on the number of faulty cipher texts originated from the same unknown plaintext. The underlying model is a multiple bit-set or bit-reset faults injected several times at the same intermediate round state. This method can be applied against any round thus any round key can be extracted. The attack was shown to be efficient by simulation against several SPN block ciphers.

22 citations


Proceedings ArticleDOI
23 Sep 2014
TL;DR: Practical implementations of fault attacks against the Miller Algorithm validating common fault models used against pairings are described and it is shown that some blinding techniques proposed to protect the algorithm against Side-Channels Analyses cannot be used as countermeasures against the implemented fault attacks.
Abstract: Pairing based cryptography (PBC) is touted as an efficient approach to address usability and privacy issues in the cyberspace. Like most cryptographic algorithms, PBC must be robust not only against theoretical cryptanalysis but also against practical physical attacks such as fault injections. The computation of the Tate pairing can be divided into two parts, the Miller Algorithm and the Final Exponentiation. In this paper, we describe practical implementations of fault attacks against the Miller Algorithm validating common fault models used against pairings. In the light of the implemented fault attacks, we show that some blinding techniques proposed to protect the algorithm against Side-Channels Analyses cannot be used as countermeasures against the implemented fault attacks.

17 citations


Proceedings ArticleDOI
23 Sep 2014
TL;DR: A new attack is presented which is based on the fact that, because of the zero-to-zero mapping of the AES Sbox inversion circuit, the critical path when processing the zero input is notably shorter than for all other inputs.
Abstract: Previous works have shown that the combinatorial path delay of a cryptographic function, e.g., The AES S-box, depends on its input value. Since the relation between critical path delay and input value seems to be relatively random and highly dependent on the routing of the circuit, up to now only template or some collision attacks could reliably extract the used secret key of implementations not protected against fault attacks. Here we present a new attack which is based on the fact that, because of the zero-to-zero mapping of the AES Sbox inversion circuit, the critical path when processing the zero input is notably shorter than for all other inputs. Applying the attack to an AES design protected by an state-of-the-art fault detection scheme, we are able to fully recover the secret key in less than eight hours. Note that we neither require a known key measurement step (template case) nor a high similarity between different S-box instances (collision case). The only information gathered from the device is whether a fault occurred when processing a chosen plaintext.

15 citations


Proceedings ArticleDOI
23 Sep 2014
TL;DR: The security of GOST against side-channel attacks is examined with algebraic fault analysis (AFA), which combines the algebraic cryptanalysis with the fault attack and proves that keeping some components in a cipher secret cannot guarantee its security against fault attacks.
Abstract: GOST is a well-known block cipher as the official encryption standard for the Russian Federation. A special feature of GOST is that its eight S-boxes can be secret. However, most of the researches on GOST assume that the design of these S-boxes is known. In this paper, the security of GOST against side-channel attacks is examined with algebraic fault analysis (AFA), which combines the algebraic cryptanalysis with the fault attack. Three AFAs on GOST, which have different attack goals in different scenarios, are investigated. The results show that 8 fault injections are required to recover the secret key when the full design of GOST is known, which is less than 64 fault injections required in previous work. 64 fault injections are required to recover the eight unknown S-boxes assuming the key is known. 270 fault injections are required to recover the key and the eight S-boxes when both are unknown. The results prove that AFA is very effective and keeping some components in a cipher secret cannot guarantee its security against fault attacks.

Proceedings ArticleDOI
23 Sep 2014
TL;DR: This method is based on an in-depth analysis of the GFN properties and examines the diffusion of faults, both at the block level and at the S-box level, in order to find the number of S-boxes impacted by a fault.
Abstract: In this paper, we propose a generic method to assess the vulnerability to Differential Fault Analysis of generalized Feistel networks (GFN). This method is based on an in-depth analysis of the GFN properties. First the diffusion of faults is studied, both at the block level and at the S-box level, in order to have a fault which maximizes the number of S-boxes impacted by a fault. Then the number of faults in an S-box required to find the key is evaluated. By combining these results, a precise assessment of the vulnerability to fault attacks of GFN can be made. This method is then used on several examples of Feistel ciphers.

Proceedings ArticleDOI
23 Sep 2014
TL;DR: The applicability of timing, power, or fault attacks to implementations of pairings is an important research topic and some of the known results in this area are reviewed.
Abstract: In the last decade pairings have become an important, and often indispensable, ingredient in the construction of identity-based and attribute-based cryptosystems, as well as group signatures and credential systems. Consequently, the applicability of timing, power, or fault attacks to implementations of pairings is an important research topic. We will review some of the known results in this area.