Showing papers presented at "Workshop on Fault Diagnosis and Tolerance in Cryptography in 2018"


Proceedings Article
13 Sep 2018
TL;DR: An assessment of the validity of the single-bit fault model is reported through experimental results obtained from circuits designed at the 28 nm CMOS technology node, including the main properties of the corresponding fault model obtained from both static and dynamic experiments.
Abstract: S. Skorobogatov and R. Anderson identified laser illumination as an effective technique to conduct fault attacks in 2002. In these early days of laser-induced fault injection, it was proven to be possible to inject single-bit faults into integrated circuits. This corresponds to the more restrictive fault model found in the fault attack bibliography. The target area under laser illumination (a few micrometers, down to ~1 µm) broadly matched that of a single transistor. It was consistent with a single-bit fault model. However, since then the technology of secure devices has evolved. In current circuits even the smallest laser spots may illuminate several logic cells. This raises the question of the validity of the single-bit fault model: does it still hold? In this work, we report an assessment of its validity through experimental results obtained from circuits designed at the 28 nm CMOS technology node. We also describe the main properties of the corresponding fault model obtained from both static and dynamic experiments.

34 citations


Proceedings Article
01 Dec 2018
TL;DR: This work establishes that even without the knowledge of the faulty ciphertexts, one can still perform differential fault analysis attacks, given the availability of side-channel information.
Abstract: Redundancy-based countermeasures against fault attacks are a popular choice in security-critical commercial products, owing to their high fault coverage and applications to safety/reliability. In this paper, we propose a combined attack on such countermeasures. The attack assumes a random byte/nibble fault model with existence of side-channel leakage of the final comparison, and no knowledge of the faulty ciphertext. Unlike the previously proposed biased/multiple fault attack, we just need to corrupt one computation branch. Both analytical and experimental evaluation of this attack strategy is presented on software implementations of two state-of-the-art block ciphers, AES and PRESENT, on an ATmega328P microcontroller, via side-channel measurements and a laser-based fault injection. Moreover, this work establishes that even without the knowledge of the faulty ciphertexts, one can still perform differential fault analysis attacks, given the availability of side-channel information.

18 citations


Proceedings Article
01 Sep 2018
TL;DR: This work presents a novel evolutionary algorithm for optimizing the parameters for EM fault injection, which out-performs previous search methods for EMFI.
Abstract: Electromagnetic fault injection (EMFI) is a powerful active attack, requiring minimal modifications of the device under attack while having excellent penetration capabilities. The number of possible parameter combinations when characterizing an attack is usually huge, rendering exhaustive search impossible. In this work we present a novel evolutionary algorithm for optimizing the parameters for EM fault injection, which out-performs previous search methods for EMFI. The cryptographic device under attack is treated as a black box, with only a few very general assumptions on its inner workings. We test our evolutionary algorithm by attacking SHA-3 where we are able to obtain 40 times more faulty measurements and 20 times more distinct fault measurements than the random search. When coupled with the algebraic fault attack, we get 25% more exploitable faults per individual measurement.

14 citations


Proceedings Article
13 Sep 2018
TL;DR: This paper investigates the robustness of TRNGs based on Ring Oscillators (focusing on the delay chain TRNG) against pulsed electromagnetic fault injection and develops general guidelines to harden them.
Abstract: Random number generation is a key function of today's secure devices. Commonly used for key generation, random number streams are more and more frequently used as the anchor of trust of several countermeasures such as masking. True Random Number Generators (TRNGs) thus become a relevant entry point for attacks that aim at lowering the security of integrated systems. Within this context, this paper investigates the robustness of TRNGs based on Ring Oscillators (focusing on the delay chain TRNG) against pulsed electromagnetic fault injection. Indeed, weaknesses in generating random bits for a masking scheme degenerate the side-channel resistance. Finally, by exploiting fault results on the delay chain TRNG, some general guidelines to harden them are derived.

10 citations


Proceedings Article
01 Sep 2018
TL;DR: This work investigates LFI in four Cortex-M microcontrollers from different manufacturers (ST Microelectronics, NXP and Infineon), noting that those controllers differ from the ones used in high-security smartcard devices but arguing that they are possibly built in similar process technologies, making the results relevant for security evaluations.
Abstract: Laser-based fault injection (LFI) is considered as one of the most powerful tools for active attacks against integrated circuits. However, only few empirical results are published for LFI into modern low-power microcontrollers with current process technologies. To fill this gap, we investigate LFI in four Cortex-M microcontrollers from different manufacturers: ST Microelectronics, NXP and Infineon. We note that those controllers differ from the ones used in high-security smartcard devices but argue that they are possibly built in similar process technologies making our results relevant for security evaluations. We were able to successfully inject precise faults into either the SRAM or the register file in all tested devices. We report our settings and fault maps in order to facilitate further fault attack investigations on these microcontrollers. As another contribution, we would like to emphasize the significant difficulties we encountered in some measurements due to the occurrence of latch-up effects. In many cases, the latch-up behavior of the integrated circuit prevented successful fault injections. This observation is largely underrepresented in scientific publications, which leads to an overestimation of the effectiveness of laser-based fault injection attacks under realistic circumstances.

5 citations


Proceedings Article
01 Sep 2018
TL;DR: This paper evaluates the effectiveness of exfiltrating a key from an AES primitive by injecting double transient faults into the digital circuit using two laser lights, and shows a few experimental results supporting the reasoning.
Abstract: This paper evaluates the effectiveness of exfiltrating a key from an AES primitive by injecting double transient faults into the digital circuit using two laser lights. We present some theoretical consideration on the effectiveness of this approach and show a few experimental results supporting our reasoning.

2 citations


Proceedings Article
01 Sep 2018
TL;DR: It is shown that implementations protected with glitch-resistant masking schemes provide Fault Sensitivity Analysis resistance by design; the claim is argued through a theoretical elaboration, and further evidence is provided through simulations for both ASIC and FPGA platforms.
Abstract: Fault Sensitivity Analysis is an attack on cryptographic implementations that exploits dependencies between the sensitive data and the intensity of an injected fault. Masking, an established Side-Channel Analysis countermeasure, was originally believed to resist Fault Sensitivity Analysis, until Moradi et al. presented a successful attack on several masked AES ASIC cores by leveraging Fault Sensitivity Analysis. However, the attacked masked implementations are known to be vulnerable to power analysis through glitches occurring from non-ideal gates in CMOS. This means that glitch-resistant masking schemes specifically have not been assessed against Fault Sensitivity Analysis. In this work we give a response to this matter and show that implementations protected with these glitch-resistant masking schemes provide Fault Sensitivity Analysis resistance by design. We argue our claims through a theoretical elaboration and provide further evidence through simulations for both ASIC and FPGA platforms. In our setup we give the attackers numerous, often unrealistic, advantages, only to see the attacks fail against glitch-resistant masking schemes.

2 citations


Proceedings Article
01 Sep 2018
TL;DR: A new kind of metric to assess the quality of random sequences of bits is suggested, and a plausible interpretation is revealed of the behavior of circuits based on the analysis of long-term noise, e.g., TRNGs based on ring oscillators.
Abstract: The generation of random numbers is a keystone function in any cryptographic protocol. Indeed, in a security context, the random numbers generation shall withstand assaults from adversaries. It is thus paramount to validate both its functionality and its robustness in front of attacks, including fault injection attacks. The verification implies tests, which shall thus be carried out in nominal but also in perturbed operational environments. In this paper, we review standard tests already existing and still under development. As a first contribution, we suggest a new kind of metrics to assess the quality of the random sequences of bits. As a second contribution, we analyse fault injections in true random number generators and explore whether such faulted behavior can be self-induced within the circuit itself. This analysis reveals a plausible interpretation of the behavior of circuits based on the analysis of long term noise, e.g., TRNGs based on ring oscillators.

2 citations