Journal ArticleDOI

FaultDroid: An Algorithmic Approach for Fault-Induced Information Leakage Analysis

TL;DR: A framework for automated vulnerability analysis of fault attacks, referred to as FaultDroid, that enables a designer to automatically evaluate the fault attack vulnerabilities of a block cipher implementation and then incorporate efficient countermeasures.
Abstract: Fault attacks belong to a potent class of implementation-based attacks that can compromise a crypto-device within a few milliseconds. Out of the large numbers of faults that can occur in the device, only a very few are exploitable in terms of leaking the secret key. Ignorance of this fact has resulted in countermeasures that have either significant overhead or inadequate protection. This article presents a framework, referred to as FaultDroid, for automated vulnerability analysis of fault attacks. It explores the entire fault attack space, identifies the single/multiple fault scenarios that can be exploited by a differential fault attack, rank-orders them in terms of criticality, and provides design guidance to mitigate the vulnerabilities at low cost. The framework enables a designer to automatically evaluate the fault attack vulnerabilities of a block cipher implementation and then incorporate efficient countermeasures. FaultDroid uses a formal model of fault attacks on a high-level specification of a block cipher and hence is equally applicable to both software and hardware implementation of the cipher. As case studies, we employ FaultDroid to comprehensively evaluate the fault scenarios in several common ciphers—AES, CLEFIA, CAMELLIA, SMS4, SIMON, PRESENT, and GIFT—and assess their vulnerability.
Citations
01 Jan 2003
TL;DR: A parity-code-based concurrent error detection (CED) approach against fault injection attacks on substitution-permutation network (SPN) symmetric block ciphers is described.
Abstract: Deliberate injection of faults into cryptographic devices is an effective cryptanalysis technique against symmetric and asymmetric encryption algorithms. In this paper we will describe a parity-code-based concurrent error detection (CED) approach against such attacks in substitution-permutation network (SPN) symmetric block ciphers [22]. The basic idea compares a carefully modified parity of the input plain text with that of the output cipher text resulting in a simple CED circuitry. An analysis of the SPN symmetric block ciphers reveals that on one hand, permutation of the round outputs does not alter the parity from its input to its output. On the other hand, exclusive-or with the round key and the non-linear substitution function (s-box) modify the parity from their inputs to their outputs. In order to change the parity of the inputs into the parity of outputs of an SPN encryption, we exclusive-or the parity of the SPN round function output with the parity of the round key. We also add to all s-boxes an additional 1-bit binary function that implements the combined parity of the inputs and outputs to the s-box for all its (input, output) pairs. These two modifications are used only by the CED circuitry and do not impact the SPN encryption or decryption. The proposed CED approach is demonstrated on a 16-input, 16-output SPN symmetric block cipher from [1].

123 citations

Posted Content
TL;DR: Differential Fault Intensity Analysis (DFIA) combines the principles of differential power analysis and fault injection, treating the biased fault behavior of a device as side-channel information that reveals the key through a hypothesis test.
Abstract: Recent research has demonstrated that there is no sharp distinction between passive attacks based on side-channel leakage and active attacks based on fault injection. Fault behavior can be processed as side-channel information, offering all the benefits of Differential Power Analysis including noise averaging and hypothesis testing by correlation. This paper introduces Differential Fault Intensity Analysis, which combines the principles of Differential Power Analysis and fault injection. We observe that most faults are biased - such as single-bit, two-bit, or three-bit errors in a byte - and that this property can reveal the secret key through a hypothesis test. Unlike Differential Fault Analysis, we do not require precise analysis of the fault propagation. Unlike Fault Sensitivity Analysis, we do not require a fault sensitivity profile for the device under attack. We demonstrate our method on an FPGA implementation of AES with a fault injection model. We find that with an average of 7 fault injections, we can reconstruct a full 128-bit AES key.

87 citations

Journal ArticleDOI
TL;DR: In this paper, the role of IoT security in the management of enterprise human resource information leakage is investigated, in order to use IoT security technology to reduce the possibility of information leakage.
Abstract: In recent years, the Internet of Things technology, which is an important part of the new generation of information technology, has developed rapidly. The Internet provides more comprehensive conditions for resource sharing at all levels of society. However, while the Internet provides convenience to the society and users, corporate human resource information security has been increasingly impacted, and the channels for personal information leakage on the Internet are also emerging endlessly and in various ways. This article studies the role of Internet of Things security in the management of enterprise human resource information leakage, in order to use Internet of Things security technology to reduce the possibility of information leakage and play the role of efficient and safe management of enterprise human resource information. Therefore, in the experiment, aiming at the problem of personnel information privacy, a privacy protection method based on secure network coding is proposed. This method uses the hybrid coding mechanism of network coding to effectively resist traffic analysis attacks, thereby protecting the information privacy of nodes. Aiming at the threat of data pollution and malicious attacks in the network coding process, GPU host is introduced, and a network coding method based on the CUDA parallel algorithm is proposed to improve the throughput of the network. Theoretical analysis and simulation experiments show that the method has good performance in privacy protection, computational overhead, and communication delay. In the final experimental results, it is concluded that with the support of IoT security technology, the average accuracy and recall rate of information privacy leakage detection results are not less than 85%.

2 citations

Journal ArticleDOI
TL;DR: FaultMeter as discussed by the authors is a framework that takes into account the cryptographic properties of the cipher, structure of the implementation, and the underlying Instruction Set Architecture's susceptibility to faults.
Abstract: Fault attacks are a potent class of physical attacks that exploit a fault injected during device operation to steal secret keys from a cryptographic device. The success of a fault attack depends intricately on (a) the cryptographic properties of the cipher, (b) the program structure, and (c) the underlying hardware architecture. While there are several tools that automate the process of fault attack evaluation, none of them consider all three influencing aspects. This paper proposes a framework called FaultMeter that builds on the state of the art by not just identifying fault vulnerable locations in a block cipher software, but also providing a quantification for each vulnerable location. The quantification provides a probability that an injected fault can be successfully exploited. It takes into consideration the cryptographic properties of the cipher, structure of the implementation, and the underlying Instruction Set Architecture's (ISA) susceptibility to faults. We demonstrate an application of FaultMeter to automatically insert optimal amounts of countermeasures in a program to meet the user's security requirements while minimizing overheads. We demonstrate the versatility of the FaultMeter framework by evaluating five cipher implementations on multiple hardware platforms, namely, ARM (32 and 64 bit), RISC-V (32 and 64 bit), TI MSP-430 (16-bit) and Intel x86 (64-bit).

2 citations

References
Book
14 Feb 2002
TL;DR: The underlying mathematics and the wide trail strategy as the basic design idea are explained in detail and the basics of differential and linear cryptanalysis are reworked.
Abstract (table of contents): 1. The Advanced Encryption Standard Process. 2. Preliminaries. 3. Specification of Rijndael. 4. Implementation Aspects. 5. Design Philosophy. 6. The Data Encryption Standard. 7. Correlation Matrices. 8. Difference Propagation. 9. The Wide Trail Strategy. 10. Cryptanalysis. 11. Related Block Ciphers. Appendices: A. Propagation Analysis in Galois Fields (A.1.1 Difference Propagation; A.1.2 Correlation; A.1.4 Functions that are Linear over GF(2); A.2.1 Difference Propagation; A.2.2 Correlation; A.2.4 Functions that are Linear over GF(2); A.3.3 Dual Bases; A.4.2 Relationship Between Trace Patterns and Selection Patterns; A.4.4 Illustration; A.5 Rijndael-GF). B. Trail Clustering (B.1 Transformations with Maximum Branch Number; B.2 Bounds for Two Rounds; B.2.1 Difference Propagation; B.2.2 Correlation; B.3 Bounds for Four Rounds; B.4 Two Case Studies; B.4.1 Differential Trails; B.4.2 Linear Trails). C. Substitution Tables (C.1 SRD; C.2 Other Tables; C.2.1 xtime; C.2.2 Round Constants). D. Test Vectors (D.1 KeyExpansion; D.2 Rijndael(128,128); D.3 Other Block Lengths and Key Lengths). E. Reference Code.

3,444 citations


"FaultDroid: An Algorithmic Approach..." refers background in this paper

  • ...FaultDroid can be used for a large variety of ciphers ranging from the standard block ciphers, such as AES [18], CLEFIA [47], and CAMELLIA [5], to light-weight ciphers with S-boxes, such as PRESENT [12] and GIFT [6], to light-weight ciphers without S-box, such as SIMON [8]....

  • ...For example, if the branch number [18] of the diffusion function is decreased, a greater number of exploitable faults can be...

  • ...(cipher, followed by the three numeric columns of the table as extracted, then structure)
    AES [18]: 40, 16, 160, SPN
    CAMELLIA [5]: 98, 16, 464, Feistel
    SMS4 [19]: 128, 16, 388, Unbalanced Feistel
    CLEFIA [47]: 148, 8, 440, Generalized Type II Feistel
    PRESENT [12]: 94, 16, 512, SPN
    GIFT [6]: 84, 16, 464, SPN
    SIMON [8]: 192, 32, 1,024, Balanced Feistel...

Journal Article
TL;DR: In this paper, the authors describe an ultra-lightweight block cipher, PRESENT, suitable for extremely constrained environments such as RFID tags and sensor networks, where the AES is not a practical choice.
Abstract: With the establishment of the AES the need for new block ciphers has been greatly diminished; for almost all block cipher applications the AES is an excellent and preferred choice. However, despite recent implementation advances, the AES is not suitable for extremely constrained environments such as RFID tags and sensor networks. In this paper we describe an ultra-lightweight block cipher, PRESENT. Both security and hardware efficiency have been equally important during the design of the cipher and at 1570 GE, the hardware requirements for PRESENT are competitive with today's leading compact stream ciphers.

1,750 citations

Book ChapterDOI
17 Aug 1997
TL;DR: The Bellcore attack of Boneh, DeMillo, and Lipton exploits computational errors through algebraic properties of modular arithmetic, and is therefore applicable only to public key cryptosystems such as RSA, not to secret key algorithms such as the Data Encryption Standard (DES).
Abstract: In September 1996 Boneh, DeMillo, and Lipton from Bellcore announced a new type of cryptanalytic attack which exploits computational errors to find cryptographic keys. Their attack is based on algebraic properties of modular arithmetic, and thus it is applicable only to public key cryptosystems such as RSA, and not to secret key algorithms such as the Data Encryption Standard (DES).

1,662 citations


"FaultDroid: An Algorithmic Approach..." refers background in this paper

  • ...Crypto-systems are highly vulnerable to a variety of physical attacks targeting key leakage [20]....

Journal ArticleDOI
TL;DR: A model for attacking various cryptographic schemes by taking advantage of random hardware faults shows that for many digital signature and identification schemes these incorrect outputs completely expose the secrets stored in the box.
Abstract: We present a model for attacking various cryptographic schemes by taking advantage of random hardware faults. The model consists of a black-box containing some cryptographic secret. The box interacts with the outside world by following a cryptographic protocol. The model supposes that from time to time the box is affected by a random hardware fault causing it to output incorrect values. For example, the hardware fault flips an internal register bit at some point during the computation. We show that for many digital signature and identification schemes these incorrect outputs completely expose the secrets stored in the box. We present the following results: (1) The secret signing key used in an implementation of RSA based on the Chinese Remainder Theorem (CRT) is completely exposed from a single erroneous RSA signature, (2) for non-CRT implementations of RSA the secret key is exposed given a large number (e.g. 1000) of erroneous signatures, (3) the secret key used in Fiat-Shamir identification is exposed after a small number (e.g. 10) of faulty executions of the protocol, and (4) the secret key used in Schnorr's identification protocol is exposed after a much larger number (e.g. 10,000) of faulty executions. Our estimates for the number of necessary faults are based on standard security parameters such as a 1024-bit modulus, and a 2^-40 identification error probability. Our results demonstrate the importance of preventing errors in cryptographic computations. We conclude the paper with various methods for preventing these attacks.

528 citations


"FaultDroid: An Algorithmic Approach..." refers methods in this paper

  • ...For example, the fault layout {F31[1],F32[14],F33[2],F34[7]}, represents four faults of AES—two in the eighth round (1st byte after ShiftRows and 14th byte after MixColumns) and two in the ninth round (2nd byte after AddRoundKeys and 7th byte after SubBytes) respectively....

  • ...It has been used to recover the secret key from various encryption schemes, such as AES [50], RSA [13], and ECC [11]....

  • ...For instance, Moro et al. [36] provide a formally proven countermeasure against instruction skip attacks, whereas Christofi et al. [16] and Rauzy and Guilley [38] independently prove the security of several CRT-RSA implementations....

  • ...Equivalent sets (Equivalent Set, size: Function Elements):
    Eq1 (size = 64): F28[1] to F28[16]; F29[1] to F29[16]; F30[1] to F30[16]; F31[1] to F31[16]
    Eq2 (size = 16): F32[1], F32[6], F32[11], F32[16]; F33[1], F33[6], F33[11], F33[16]; F34[1], F34[6], F34[11], F34[16]; F35[1], F35[2], F35[3], F35[4]
    Eq3 (size = 16): F32[2], F32[7], F32[12], F32[13]; F33[2], F33[7], F33[12], F33[13]; F34[2], F34[7], F34[12], F34[13]; F35[13], F35[14], F35[15], F35[16]
    Eq4 (size = 16): F32[3], F32[8], F32[9], F32[14]; F33[3], F33[8], F33[9], F33[14]; F34[3], F34[8], F34[9], F34[14]; F35[9], F35[10], F35[11], F35[12]
    Eq5 (size = 16): F32[4], F32[5], F32[10], F32[15]; F33[4], F33[5], F33[10], F33[15]; F34[4], F34[5], F34[10], F34[15]; F35[5], F35[6], F35[7], F35[8]...

Proceedings ArticleDOI
07 Jun 2015
TL;DR: Simplicity, security, and flexibility are ever-present yet conflicting goals in cryptographic design and these goals were balanced in the design of Simon and Speck.
Abstract: The Simon and Speck families of block ciphers were designed specifically to offer security on constrained devices, where simplicity of design is crucial. However, the intended use cases are diverse and demand flexibility in implementation. Simplicity, security, and flexibility are ever-present yet conflicting goals in cryptographic design. This paper outlines how these goals were balanced in the design of Simon and Speck.

504 citations


"FaultDroid: An Algorithmic Approach..." refers methods in this paper

  • ...To test FaultDroid, we selected three standard block ciphers: AES, CAMELLIA, and SMS4; three light-weight ciphers: CLEFIA, PRESENT, and GIFT; and the cipher SIMON, which does not use S-boxes (Table 5)....

  • ...FaultDroid is the first framework that can evaluate fault attack vulnerabilities in ciphers like SIMON, which rely on Boolean AND instead of S-boxes for non-linearity....

  • ...Equivalent sets (Equivalent Set, size: Function Elements):
    Eq1 (size = 64): F28[1] to F28[16]; F29[1] to F29[16]; F30[1] to F30[16]; F31[1] to F31[16]
    Eq2 (size = 16): F32[1], F32[6], F32[11], F32[16]; F33[1], F33[6], F33[11], F33[16]; F34[1], F34[6], F34[11], F34[16]; F35[1], F35[2], F35[3], F35[4]
    Eq3 (size = 16): F32[2], F32[7], F32[12], F32[13]; F33[2], F33[7], F33[12], F33[13]; F34[2], F34[7], F34[12], F34[13]; F35[13], F35[14], F35[15], F35[16]
    Eq4 (size = 16): F32[3], F32[8], F32[9], F32[14]; F33[3], F33[8], F33[9], F33[14]; F34[3], F34[8], F34[9], F34[14]; F35[9], F35[10], F35[11], F35[12]
    Eq5 (size = 16): F32[4], F32[5], F32[10], F32[15]; F33[4], F33[5], F33[10], F33[15]; F34[4], F34[5], F34[10], F34[15]; F35[5], F35[6], F35[7], F35[8]...

  • ...Such ciphers (e.g., SIMON [8]) are becoming popular due to their implementation-friendly structures....

  • ...We use FaultDroid to make an extensive evaluation of various fault scenarios in a variety of block cipher algorithms, namely AES, CLEFIA, CAMELLIA, SMS4, SIMON, PRESENT, and GIFT....
