ELECTROMAGNETIC GLITCH ON THE AES ROUND COUNTER
|
|
- Nora Atkins
- 5 years ago
- Views:
Transcription
1 ELECTROMAGNETIC GLITCH ON THE AES ROUND COUNTER Amine DEHBAOUI ¹, Amir-Pasha Mirbaha ², Nicolas MORO¹, Jean-Max DUTERTRE ², Assia TRIA ¹ COSADE 2013 Paris, France (1) (2)
2 OUTLINE! Context! Round Modification Analysis on AES! Proposed Round Modification Analysis on AES! Electromagnetic Glitch Injection Technique! Concrete Results with EMG! Conclusion 1 NOVEMBRE 2014 PAGE 2
3 CONTEXT : FAULT INJECTION Plaintext Correct Ciphertext Faulty Ciphertext Fault injection means : Power supply glitch, Clock glitch, EM glitch, Laser shot disturb the encryption/decryption process through unusual environmental conditions in order to : reduce the encryption complexity (e.g. round reduction analysis), differential fault analysis = comparison between correct and faulty ciphertexts. 1 NOVEMBRE 2014 retrieve information on the encryption process (i.e. information leakage) PAGE 3
4 Round Modification Analysis on AES CEA 10 AVRIL 2012 PAGE 4 1 NOVEMBRE 2014
5 ADVANCED ENCRYPTION STANDARD 128 BITS REMINDER M Initial round cipher key K Final round Rounds 1..9 round key K i round key K 10 C PAGE 5
6 STATE-OF-THE-ART OF ROUND MODIFICATIONS ANALYSIS M Round Modification Analysis Initial round cipher key K! Round Reduction Analysis decrease the number of executed rounds Final round Rounds 1..9 round key K i round key K 10! Round Increase Analysis increase the number of executed rounds! Round Alteration Analysis modification of the round order C PAGE 6
7 STATE-OF-THE-ART OF ROUND MODIFICATIONS ANALYSIS M Round Modification Analysis Initial round cipher key K! Round Reduction Analysis H. Choukri et al. [2005] J.H. Park et al. [2011] Final round Rounds 1..9 round key K i RC comp with RCMAX round key K 10 K.S. Bae et al.[2011]! Round Increase Analysis J.M. Dutertre et al. #3 [2012]! Round Alteration Analysis J.M. Dutertre et al. #2 [2012] C PAGE 7
8 STATE-OF-THE-ART OF ROUND MODIFICATIONS ANALYSIS Attack Target Mean Type Encryption sequence Req. texts H. Choukri et al. [FDTC 05] J.H. Park et al. [ETRI 11] K.S. Bae et al. [ICCIT 11] J.M. Dutertre et al. #2 [HOST 12] J.M. Dutertre et al. #3 [HOST 12] PIC16F877 8-bit ATmega128 8-bit ATmega128 8-bit Unknown mcu 0.35µm 8-bit Unknown mcu 0.35µm 8-bit Power Glitch Laser Laser Laser Laser Round Reduction Round Reduction Round Reduction Round Alteration Round Addition Key search average time R 0 -R m 2 1 second R 0 -R 1 -R hours R 0..R 8 -R second R 0..R 8 -R m -R f 3 1 second R 0..R 9 -R m=10 -R f= hour & 30 minutes PAGE 8
9 Proposed Round Modification Analysis on AES CEA 10 AVRIL 2012 PAGE 9 1 NOVEMBRE 2014
10 PROPOSED ROUND MODIFICATIONS ANALYSIS Round 9 K 9! ARK! Alteration of the operation SB! M 9!! CR++ CR=9 CR=10 Round 10 KS! SR! ARK! K 10! C!! C (correct ciphertext) = SR o SB(M 9 ) K 10 C (correct ciphertext) = FR (M 9 ) K 10 PAGE 10 10
11 PROPOSED ROUND MODIFICATIONS ANALYSIS Round 9 K 9! ARK! Alteration of the operation SB! M 9!! CR++ RC=9 RC=10 Round m=9 CR++ RC=9 RC=10 Round f=10 K 9! K 10! Round 10 KS! K 10! SR! C!! MC! ARK! KS! MCoSRoSB(M 9 )% ARK! SB! SR! KS! M 9! SB(M 9 )% SRoSB(M 9 )% ARK! D (faulty ciphertext) = SR o SB [MC o SR o SB(M 9 ) K 9 ] K 10 D (faulty ciphertext) = FR [ MR[M 9 ] K 9 ] K 10 D!! C (correct ciphertext) = SR o SB(M 9 ) K 10 C (correct ciphertext) = FR (M 9 ) K 10 11
12 PROPOSED ROUND MODIFICATIONS ANALYSIS 1 plaintext D (faulty ciphertext) = FR [MR(M 9 ) K 9 ] K 10 C (correct ciphertext) = FR (M 9 ) K 10 2 plaintexts M a M b FR -1 (D a K 10 ) FR -1 (D b K 10 )= MC(C a C b ) 2 hypothese on each K 10 byte Calculation time : < 1 second Alternative solution : 3 plaintexts, instead of 2 thus, 1 hypothesis for each K 10 byte PAGE 12
13 Electromagnetic Glitch injection Technique CEA 10 AVRIL 2012 PAGE 13 1 NOVEMBRE 2014
14 PRACTICAL ELECTROMAGNETIC GLITCH SETUP Control computer The target device Motorized stage Pulse generator Coil antenna. Pulse width : 10 ns Rise and fall transition time : 2ns Pulse amplitude : -200V / +200V The computer controls both the pulse generator (through a rs-232 link) and the target board (through a usb link). PAGE 14
15 PRACTICAL ELECTROMAGNETIC GLITCH SETUP Target Description Up-to-date 32-bit microcontroller Designed in a cmos130nm technology Based on the arm Cortex-M3 processor. Operating frequency is set to 24MHz. PAGE 15
16 Concrete Results with EMG CEA 10 AVRIL 2012 PAGE 16 1 NOVEMBRE 2014
17 EMG PROFILE OF THE TARGET 180V injected EMG during 20ns negative spike of less than 50ns width and 300mV amplitude. Fault Model instruction alteration PAGE 17
18 EXPERIMENTAL OUTLINE PAGE 18
19 TIMING CARTOGRAPHY OF EMG EFFECT PAGE 19
20 Conclusion CEA 10 AVRIL 2012 PAGE 20 1 NOVEMBRE 2014
21 Conclusion! Round Modification Analysis by targeting the round counter! Fault induced at the end of the penultimate round! Execution of a second penultimate round! EMG Fault model : instruction alteration! High occurrence rate / without triggering hardware interrupts 1 NOVEMBRE 2014 PAGE 21
22 Attack Target Mean Type Encryption sequence Req. texts H. Choukri et al. [FDTC 05] J.H. Park et al. [ETRI 11] PIC16F877 8-bit ATmega128 8-bit Power Glitch Laser Round Reduction Round Reduction Key search average time R 0 -R m 2 1 second R 0 -R 1 -R hours K.S. Bae et al. [ICCIT 11] ATmega128 8-bit Laser Round Reduction R 0..R 8 -R second J.M. Dutertre et al. #2 [HOST 12] Unknown mcu 0.35µm 8-bit Laser Round Alteration R 0..R 8 -R m -R f 3 1 second J.M. Dutertre et al. #3 [HOST 12] Unknown mcu 0.35µm 8-bit Laser Round Addition R 0..R 9 -R m=10 -R f= hour & 30 minutes Our experiment [COSADE 13] ARM Cortex-M3 based 130nm 32-bit EM Glitch Round Addition R 0..R 9 -R m=9 -R f= second
23 Any questions? PAGE 23 CEA 10 AVRIL NOVEMBRE 2014 Direction de la Recherche Technologique DSIS / LCS Systèmes et Architectures Sécurisés Commissariat à l énergie atomique et aux énergies alternatives Centre de Microélectronique de Provence Gardanne T. +33 (0) F. +33 (0) Etablissement public à caractère industriel et commercial RCS Paris B
24 Annexe : RMA Exceptionnel case CEA 10 AVRIL 2012 PAGE 24 1 NOVEMBRE 2014
25 RMA!!AN!EXCEPTIONAL!CASE! Round 9 K 9! ARK! An exceptional case may happen when a byte value in D a is equal to the corresponding byte on the second encryption; i.e. D a [byte i] = D b [byte i] EMG SB! M 9!! CR++ CR=9 CR=1 Round m=9 0 CR++ CR=9 CR=1 0 Round f=10 K 9! K 10! Round 10 KS! SR! KS! MC! ARK! MCoSRoSB(M 9 )% ARK! KS! SB! SR! M 9! SB(M 9 )% SRoSB(M 9 )% ARK! D!! K 10! C!! D"(faulty(ciphertext)(=(SRoSB[MCoSRoSB(M 9 )" (K 9 ]( (K 10" C"(correct(ciphertext)(="SRoSB(M 9 )" (K 10 ( 25
26 RMA!!AN!EXCEPTIONAL!CASE! An exceptional case may happen when a byte value in D a is equal to the corresponding byte on the second encryption; i.e. D a [byte i] = D b [byte i] 34% 5E% 32%43%F6%A8%88%5A%30%8D%31%31%98%A2%E0%37%07% 19%84%B0%92%95%C8%B1%D9%C4%4E%4D%1E%F2%C0%36% Round f=10 K 10! 39%25%84%1D%02%DC%09%FB%DC%11%85%97%19%6A%0B%32% 13%AB%D8%4B%7B%EA%FA%58%47%58%48%A5%50%B3%B2%DC% 49%4a%b5%1f%3b%08%83%e0%d1%21%34%6b%32%cd%31%cb% 8c%fc%54%6b%3a%46%9e%e0%b7%65%6d%0a%92%7b%a0%e1% SR! SRoSB(M 9 )% ARK! D!! 26
27 RMA!!AN!EXCEPTIONAL!CASE! Ronde 9 SB +1 osr +1 (D a " (K 10 ) SB +1 osr +1 (D b " (K 10 )=(MC(C a " (C b )! 2 8!hypotheses!! on(k 10" [7]"(byte([7](of(K 10 )( and(2!hypotheses!! on(each(other(k 10" byte( 2 8!x!2 15!=!2 23! hypotheses!! on(the(whole4k 10 " to(be(examined(by(using(c a (and(d a,(( and(by(calcula=ng(k 9 (and(k 10 " calculadon!dme!:!sdll!less!than!1!second! 27
28 RMA!!AN!EXCEPTIONAL!CASE! Ronde 9 Probability(of(this(excep=onal(case(=( 255( 1" (( 1@((((((((((((((x((((((((((((((x((((((((((((((((((((((=((1@((((((((((((((((((( ((%6.070( 256( 1" (( )( )( 255( 1" (( 256( 1" (( )( )( 255( 1" (( 256( 1" (( )( )( 255( 256( (( )( 16( with(1,(2(or(even(3(equal(byte(values(on(d a" (and( D b,(the(cryptanalysis(has(an(answer(in(a(short( calcula=on(=me( In(any(case,(there(is(a(faster(solu=on(:( using(3(plaintexts,(instead(of(2( 28
29 Annexe : Digital IC CEA 10 AVRIL 2012 PAGE 29 1 NOVEMBRE 2014
30 Synchronous Digital IC Timing Constraints n m data Logic D Q D pmax D Q Dff i Dff i+1 clk D clk->q T clk + T skew - T setup data arrival time = D clk->q + D pmax data required time = T clk + T skew - T setup T clk > D clk->q + D pmax - T skew + T setup F(Vdd) Violating this timing constraint results in fault injection. Usually IC are designed to tolerate : Vdrops < 0.1 x Vdd PAGE 30
Electromagnetic Transient Fault Injection on AES
Electromagnetic Transient Fault Injection on AES Amine DEHBAOUI ¹, Jean-Max DUTERTRE ², Bruno ROBISSON ¹, Assia TRIA ¹ Fault Diagnosis and Tolerance in Cryptography Leuven, Belgium Sunday, September 9,
More informationElectromagnetic glitch on the AES round counter
Electromagnetic glitch on the AES round counter Amine Dehbaoui, Amir-Pasha Mirbaha, Nicolas Moro, Jean-Max Dutertre, Assia Tria To cite this version: Amine Dehbaoui, Amir-Pasha Mirbaha, Nicolas Moro, Jean-Max
More informationELECTROMAGNETIC FAULT INJECTION ON MICROCONTROLLERS
ELECTROMAGNETIC FAULT INJECTION ON MICROCONTROLLERS Nicolas Moro 1,3, Amine Dehbaoui 2, Karine Heydemann 3, Bruno Robisson 1, Emmanuelle Encrenaz 3 1 CEA Commissariat à l Energie Atomique et aux Energies
More informationFAULT ATTACKS ON TWO SOFTWARE COUNTERMEASURES
FAULT ATTACKS ON TWO SOFTWARE COUNTERMEASURES Nicolas Moro 1,3, Karine Heydemann 3, Amine Dehbaoui 2, Bruno Robisson 1, Emmanuelle Encrenaz 3 1 CEA Commissariat à l Energie Atomique et aux Energies Alternatives
More informationFaults are often modeled according two fault models: Bit-set (resp. Bit-reset) Bit-flip
FDTC 2013 Fault Model Analysis of Laser-Induced Faults in SRAM Memory Cells Cyril Roscian, Alexandre Sarafianos, Jean-Max Dutertre, Assia Tria Secured Architecture and System Laboratory Centre Microélectronique
More informationCountermeasures against EM Analysis
Countermeasures against EM Analysis Paolo Maistri 1, SebastienTiran 2, Amine Dehbaoui 3, Philippe Maurine 2, Jean-Max Dutertre 4 (1) (2) (3) (4) Context Side channel analysis is a major threat against
More informationBLIND FAULT ATTACK AGAINST SPN CIPHERS FDTC 2014
BLIND FAULT ATTACK AGAINST SPN CIPHERS FDTC 2014 Roman Korkikian, Sylvain Pelissier, David Naccache September 23, 2014 IN BRIEF Substitution Permutation Networks (SPN) Fault attacks Blind fault attack
More informationSIDE CHANNEL ANALYSIS : LOW COST PLATFORM. ETSI SECURITY WEEK Driss ABOULKASSIM Jacques FOURNIERI
SIDE CHANNEL ANALYSIS : LOW COST PLATFORM ETSI SECURITY WEEK Driss ABOULKASSIM Jacques FOURNIERI THE CEA Military Applications Division (DAM) Nuclear Energy Division (DEN) Technological Research Division
More informationFault-based Cryptanalysis on Block Ciphers
LIRMM / university of Montpellier COSADE 2017, Thursday April 13 2017, Paris, France 1/ 62 Outline 1 2 Fault Model Safe Error Attack DFA Statistical Fault Attack 3 Analog Level Digital Level Application
More informationSho Endo1, Naofumi Homma1, Yu-ichi Hayashi1, Junko Takahashi2, Hitoshi Fuji2 and Takafumi Aoki1
April 15, 2014 COSADE2014 A Multiple-fault Injection Attack by Adaptiv e Timing Control under Black-box Conditi ons and a Countermeasure Sho Endo1, Naofumi Homma1, Yu-ichi Hayashi1, Junko Takahashi2, Hitoshi
More information«Safe (hardware) design methodologies against fault attacks»
«Safe (hardware) design methodologies against fault attacks» Bruno ROBISSON Assia TRIA SESAM Laboratory (joint R&D team CEA-LETI/EMSE), Centre Microélectronique de Provence Avenue des Anémones, 13541 Gardanne,
More informationPARAMETRIC TROJANS FOR FAULT-BASED ATTACKS ON CRYPTOGRAPHIC HARDWARE
PARAMETRIC TROJANS FOR FAULT-BASED ATTACKS ON CRYPTOGRAPHIC HARDWARE Raghavan Kumar, University of Massachusetts Amherst Contributions by: Philipp Jovanovic, University of Passau Wayne P. Burleson, University
More informationFault injection attacks on cryptographic devices and countermeasures Part 1
Fault injection attacks on cryptographic devices and countermeasures Part 1 Israel Koren Department of Electrical and Computer Engineering University of Massachusetts Amherst, MA Outline Introduction -
More informationWhen Clocks Fail On Critical Paths And Clock Faults
When Clocks Fail On Critical Paths And Clock Faults Michel Agoyan 1, Jean-Max Dutertre 2, David Naccache 1,3, Bruno Robisson 1, and Assia Tria 1 1 cea-leti {michel.agoyan, bruno.robisson, assia.tria}@cea.fr
More informationFault Attacks on AES with Faulty Ciphertexts Only
Fault Attacks on AES with Faulty Ciphertexts Only Thomas Fuhr, Eliane Jaulmes, Victor Lomné and Adrian Thillard ANSSI 51, Bd de la Tour-Maubourg, 75700 Paris 07 SP, France firstname.lastname@ssi.gouv.fr
More informationClock Glitch Fault Injection Attacks on an FPGA AES Implementation
Journal of Electrotechnology, Electrical Engineering and Management (2017) Vol. 1, Number 1 Clausius Scientific Press, Canada Clock Glitch Fault Injection Attacks on an FPGA AES Implementation Yifei Qiao1,a,
More informationPiret and Quisquater s DFA on AES Revisited
Piret and Quisquater s DFA on AES Revisited Christophe Giraud 1 and Adrian Thillard 1,2 1 Oberthur Technologies, 4, allée du doyen Georges Brus, 33 600 Pessac, France. c.giraud@oberthur.com 2 Université
More informationFault Injection Attacks and Countermeasures
Fault Injection Attacks and Countermeasures Brněnské bezpečnostní setkávání, FEKT VUT Brno Jakub Breier 28 March 2018 Physical Analysis and Cryptographic Engineering Nanyang Technological University Singapore
More informationTHE MULTIPLE WAYS TO AUTOMATE THE APPLICATION OF SOFTWARE COUNTERMEASURES AGAINST PHYSICAL ATTACKS: PITFALLS AND GUIDELINES
Belleville Nicolas 1 Barry Thierno 1 Seriai Abderrahmane 1 Couroussé Damien 1 Heydemann Karine 2 Robisson Bruno 3 Charles Henri-Pierre 1 1 Univ Grenoble Alpes, CEA, List, F- 38000 Grenoble, France firstname.lastname@cea.fr
More informationOn Fault Injections in Generalized Feistel Networks
On Fault Injections in Generalized Feistel Networks Hélène Le Bouder 1, Gaël Thomas 2, Yanis Linge 3, Assia Tria 4 1 École Nationale Supérieure des Mines de Saint-Étienne 2 XLIM Université de Limoges 3
More informationAttacks on Advanced Encryption Standard: Results and Perspectives
Attacks on Advanced Encryption Standard: Results and Perspectives Dmitry Microsoft Research 29 February 2012 Design Cryptanalysis history Advanced Encryption Standard Design Cryptanalysis history AES 2
More informationJUST ONE FAULT Persistent Fault Analysis on Block Ciphers
JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK 2018, Kolkata, India 15 Nov 2018 Table of Contents 1. 2. 3. 4. Introduction to Fault Attacks Persistent Fault
More informationChosen-IV Correlation Power Analysis on KCipher-2 and a Countermeasure
Fourth International Workshop on Constructive Side-Channel Analysis and Secure Design (COSADE 2013) Chosen-IV Correlation Power Analysis on KCipher-2 and a Countermeasure Takafumi Hibiki*, Naofumi Homma*,
More informationMulti-Stage Fault Attacks
Multi-Stage Fault Attacks Applications to the Block Cipher PRINCE Philipp Jovanovic Department of Informatics and Mathematics University of Passau March 27, 2013 Outline 1. Motivation 2. The PRINCE Block
More informationFault Attacks on Embedded Software: Threats, Design, and Mitigation
Fault Attacks on Embedded Software: Threats, Design, and Mitigation Patrick Schaumont Professor Bradley Department of ECE Virginia Tech Acknowledgements FAME Project Team https://sites.google.com/view/famechip
More informationLow-cost Setup for Localized Semi-invasive Optical Fault Injection Attacks
Low-cost Setup for Localized Semi-invasive Optical Fault Injection Attacks Oscar M. Guillen 1 Michael Gruber 2 Fabrizio De Santis 2 1 Giesecke & Devrient 2 Technische Universität München COSADE 2017 Guillen,
More informationFault Sensitivity Analysis
Fault Sensitivity Analysis Yang Li 1, Kazuo Sakiyama 1, Shigeto Gomisawa 1, Toshinori Fukunaga 2, Junko Takahashi 1,2, and Kazuo Ohta 1 1 Department of Informatics, The University of Electro-Communications
More informationHigh Precision Fault Injections on the Instruction Cache of ARMv7-M Architectures
1 High Precision Fault Injections on the Instruction Cache of ARMv7-M Architectures Lionel Rivière 1,2,4, Zakaria Najm 1, Pablo Rauzy 1, Jean-Luc Danger 1,3, Julien Bringer 2, Laurent Sauvage 1,3 1 Institut
More informationLecture 2B. RTL Design Methodology. Transition from Pseudocode & Interface to a Corresponding Block Diagram
Lecture 2B RTL Design Methodology Transition from Pseudocode & Interface to a Corresponding Block Diagram Structure of a Typical Digital Data Inputs Datapath (Execution Unit) Data Outputs System Control
More informationREAL-TIME ADAPTIVE IMAGING FOR ULTRASONIC NONDESTRUCTIVE TESTING OF STRUCTURES WITH IRREGULAR SHAPES
REAL-TIME ADATIVE IMAGING FOR ULTRASONIC NONDESTRUCTIVE TESTING OF STRUCTURES WITH IRREGULAR SHAES Sébastien Robert, Léonard Le Jeune, Vincent Saint-Martin CEA-LIST, 91191 Gif-sur-Yvette Cedex, France
More informationStatistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes
Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes Christoph Dobraunig 1, Maria Eichlseder 1, Thomas Korak 1, Victor Lomné 2, and Florian Mendel 1 1 Graz University of Technology,
More informationOne Plus One is More than Two: A Practical Combination of Power and Fault Analysis Attacks on PRESENT and PRESENT-like Block Ciphers
One Plus One is More than Two: A Practical Combination of Power and Fault Analysis Attacks on PREENT and PREENT-like Block Ciphers ikhar Patranabis, Debdeep Mukhopadhyay Department of CE, IIT Kharagpur,
More informationFPGAhammer: Remote Voltage Fault Attacks on Shared FPGAs, suitable for DFA on AES
, suitable for DFA on AES Jonas Krautter, Dennis R.E. Gnad, Mehdi B. Tahoori 10.09.2018 INSTITUTE OF COMPUTER ENGINEERING CHAIR OF DEPENDABLE NANO COMPUTING KIT Die Forschungsuniversität in der Helmholtz-Gemeinschaft
More informationStream Ciphers: A Practical Solution for Efficient Homomorphic-Ciphertext Compression
Stream Ciphers: A Practical Solution for Efficient Homomorphic-Ciphertext Compression Anne Canteaut, Sergiu Carpov, Caroline Fontaine, Tancrède Lepoint, María Naya-Plasencia, Pascal Paillier, Renaud Sirdey
More informationCODE ANALYSES FOR NUMERICAL ACCURACY WITH AFFINE FORMS: FROM DIAGNOSIS TO THE ORIGIN OF THE NUMERICAL ERRORS. Teratec 2017 Forum Védrine Franck
CODE ANALYSES FOR NUMERICAL ACCURACY WITH AFFINE FORMS: FROM DIAGNOSIS TO THE ORIGIN OF THE NUMERICAL ERRORS NUMERICAL CODE ACCURACY WITH FLUCTUAT Compare floating point with ideal computation Use interval
More informationFault Sensitivity Analysis
Fault Sensitivity Analysis Yang Li, Kazuo Sakiyama, Shigeto Gomisawa, Kazuo Ohta The University of Electro-Communications liyang@ice.uec.ac.jp Toshinori Fukunaga, Junko Takahashi NTT Information Sharing
More informationOn Analyzing Program Behavior Under Fault Injection Attacks
On Analyzing Program Behavior Under Fault Injection Attacks Jakub Breier Physical Analysis and Cryptographic Engineering Nanyang Technological University, Singapore jbreier@ntuedusg Abstract Fault attacks
More informationProduct Specification. 10Gbps 2KM XFP Transceiver PLXFP1310GLR02
Product Specification 10Gbps 2KM XFP Transceiver PLXFP1310GLR02 Product Features 9.95Gbps to 11.1Gbps data links 2km with 9/125µm SMF V20140818 1310nm FP laser Duplex LC Connector Hot-pluggable XFP footprint
More information2-Oct-13. the world s most energy friendly microcontrollers and radios
1 2 3 EFM32 4 5 LESENSE Low Energy Sensor Interface Autonomous sensing in Deep Sleep LESENSE with central control logic ACMP for sensor input DAC for reference generation Measure up to 16 sensors Inductive
More informationExternal Encodings Do not Prevent Transient Fault Analysis
External Encodings Do not Prevent Transient Fault Analysis Christophe Clavier Gemalto, Security Labs CHES 2007 Vienna - September 12, 2007 Christophe Clavier CHES 2007 Vienna September 12, 2007 1 / 20
More informationA Framework for the Analysis and Evaluation of Algebraic Fault Attacks on Lightweight Block Ciphers
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY 1 A Framework for the Analysis and Evaluation of Algebraic Fault Attacks on Lightweight Block Ciphers Fan Zhang, Shize Guo, Xinjie Zhao, Tao Wang,
More informationFlash Memory Bumping Attacks
Flash Memory Bumping Attacks Sergei Skorobogatov http://www.cl.cam.ac.uk/~sps32 email: sps32@cam.ac.uk Introduction Data protection with integrity check verifying memory integrity without compromising
More informationSide channel attack: Power Analysis. Chujiao Ma, Z. Jerry Shi CSE, University of Connecticut
Side channel attack: Power Analysis Chujiao Ma, Z. Jerry Shi CSE, University of Connecticut Conventional Cryptanalysis Conventional cryptanalysis considers crypto systems as mathematical objects Assumptions:
More informationPrecise Fault-Injections using Voltage and Temperature Manipulation for Differential Cryptanalysis
Precise Fault-Injections using Voltage and Temperature Manipulation for Differential Cryptanalysis Raghavan Kumar $, Philipp Jovanovic e and Ilia Polian e $ University of Massachusetts, 12 USA e University
More informationTektronix DPO Demo 1 Board Instruction Manual
xx ZZZ Tektronix DPO Demo 1 Board Instruction Manual www.tektronix.com *P071253900* 071-2539-00 Copyright Tektronix. All rights reserved. Licensed software products are owned by Tektronix or its subsidiaries
More informationETSI TS V7.0.1 ( )
TS 101 116 V7.0.1 (1999-07) Technical Specification Digital cellular telecommunications system (Phase 2+); Specification of the 1.8 Volt Subscriber Identity Module - Mobile Equipment (SIM - ME) interface
More informationSIDE CHANNEL ATTACKS AGAINST IOS CRYPTO LIBRARIES AND MORE DR. NAJWA AARAJ HACK IN THE BOX 13 APRIL 2017
SIDE CHANNEL ATTACKS AGAINST IOS CRYPTO LIBRARIES AND MORE DR. NAJWA AARAJ HACK IN THE BOX 13 APRIL 2017 WHAT WE DO What we do Robust and Efficient Cryptographic Protocols Research in Cryptography and
More informationRear Distance Detection with Ultrasonic Sensors Project Report
Rear Distance Detection with Ultrasonic Sensors Project Report 11.29.2017 Group #6 Farnaz Behnia Kimia Zamiri Azar Osaze Shears ECE 511: Microprocessors Fall 2017 1 Table of Contents 1. Abstract 3 2. Motivation
More informationFrom AES-128 to AES-192 and AES-256, How to Adapt Differential Fault Analysis Attacks
From AES-128 to AES-192 and AES-256, How to Adapt Differential Fault Analysis Attacks Noémie Floissac and Yann L Hyver SERMA TECHNOLOGIES ITSEF 30, avenue Gustave Eiffel, 33608 Pessac, France Email: {n.floissac;y.lhyver}@serma.com
More informationDifferential Fault Analysis of Trivium
Differential Fault Analysis of Trivium Michal Hojsík 1, 3 and Bohuslav Rudolf 2, 3 1 The Selmer Center, University of Bergen, Norway 2 National Security Authority, Czech Republic 3 Department of Algebra,
More informationEM Analysis in the IoT Context: Lessons Learned from an Attack on Thread
EM Analysis in the IoT Context: Lessons Learned from an Attack on Thread Daniel Dinu 1, Ilya Kizhvatov 2 1 Virginia Tech 2 Radboud University Nijmegen CHES 2018 Outline 1 Introduction 2 Side-Channel Vulnerability
More informationDFA on LS-Designs with a Practical Implementation on SCREAM
DFA on LS-Designs with a Practical Implementation on SCREAM Benjamin Lac, Anne Canteaut, Jacques Fournier, Renaud Sirdey To cite this version: Benjamin Lac, Anne Canteaut, Jacques Fournier, Renaud Sirdey.
More informationHardware Security. Debdeep Mukhopadhyay
Hardware Security Debdeep Mukhopadhyay Secured Embedded Architecture Laboratory (SEAL) Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Kharagpur, West Bengal, INDIA
More informationOn-Line Self-Test of AES Hardware Implementations
On-Line Self-Test of AES Hardware Implementations G. Di Natale, M. L. Flottes, B. Rouzeyre Laboratoire d Informatique, de Robotique et de Microélectronique de Montpellier Université Montpellier II / CNRS
More informationPractical DFA on AES. Marc Witteman CTO June 13, 2013
Practical DFA on AES Marc Witteman CTO June 13, 2013 DFA on AES, how hard is that? 2003 Gilles Piret and Jean-Jacques Quisquater 2 faults 2013 Christophe Giraud and Adrian Thillard 1 fault 2013 Riscure
More informationAES Advanced Encryption Standard
AES Advanced Encryption Standard AES is iterated block cipher that supports block sizes of 128-bits and key sizes of 128, 192, and 256 bits. The AES finalist candidate algorithms were MARS, RC6, Rijndael,
More informationBlock Ciphers Introduction
Technicalities Block Models Block Ciphers Introduction Orr Dunkelman Computer Science Department University of Haifa, Israel March 10th, 2013 Orr Dunkelman Cryptanalysis of Block Ciphers Seminar Introduction
More informationClock and Fuses. Prof. Prabhat Ranjan Dhirubhai Ambani Institute of Information and Communication Technology, Gandhinagar
Clock and Fuses Prof. Prabhat Ranjan Dhirubhai Ambani Institute of Information and Communication Technology, Gandhinagar Reference WHY YOU NEED A CLOCK SOURCE - COLIN O FLYNN avrfreaks.net http://en.wikibooks.org/wiki/atmel_avr
More informationBlock Ciphers Tutorial. c Eli Biham - May 3, Block Ciphers Tutorial (5)
Block Ciphers Tutorial c Eli Biham - May 3, 2005 146 Block Ciphers Tutorial (5) A Known Plaintext Attack on 1-Round DES After removing the permutations IP and FP we get: L R 48 K=? F L R c Eli Biham -
More informationFault Sensitivity Analysis
Fault Sensitivity Analysis Yang Li 1, Kazuo Sakiyama 1, Shigeto Gomisawa 1, Toshinori Fukunaga 2, Junko Takahashi 1,2,andKazuoOhta 1 1 Department of Informatics, The University of Electro-Communications
More informationUsing Error Detection Codes to detect fault attacks on Symmetric Key Ciphers
Using Error Detection Codes to detect fault attacks on Symmetric Key Ciphers Israel Koren Department of Electrical and Computer Engineering Univ. of Massachusetts, Amherst, MA collaborating with Luca Breveglieri,
More informationMeet-in-the-middle fault analysis on word-oriented substitution-permutation network block ciphers
SECURITY AND COUNICATION NETWORKS Security Comm. Networks 215; 8:672 681 Published online 5 ay 214 in Wiley Online Library (wileyonlinelibrary.com). DOI: 1.12/sec.115 RESEARCH ARTICLE eet-in-the-middle
More informationHIGH PERFORMANCE LARGE EDDY SIMULATION OF TURBULENT FLOWS AROUND PWR MIXING GRIDS
HIGH PERFORMANCE LARGE EDDY SIMULATION OF TURBULENT FLOWS AROUND PWR MIXING GRIDS U. Bieder, C. Calvin, G. Fauchet CEA Saclay, CEA/DEN/DANS/DM2S P. Ledac CS-SI HPCC 2014 - First International Workshop
More informationCSCE 813 Internet Security Symmetric Cryptography
CSCE 813 Internet Security Symmetric Cryptography Professor Lisa Luo Fall 2017 Previous Class Essential Internet Security Requirements Confidentiality Integrity Authenticity Availability Accountability
More informationCHAPTER 6 CONCLUSION AND SCOPE FOR FUTURE WORK
134 CHAPTER 6 CONCLUSION AND SCOPE FOR FUTURE WORK 6.1 CONCLUSION Many industrial processes such as assembly lines have to operate at different speeds for different products. Process control may demand
More informationFault Attacks on Cryptosystems: Novel Threat Models, Countermeasures and Evaluation Metrics
Fault Attacks on Cryptosystems: Novel Threat Models, Countermeasures and Evaluation Metrics Nahid Farhady Ghalaty Dissertation submitted to the Faculty of the Virginia Polytechnic Institute and State University
More information24C08/24C16. Two-Wire Serial EEPROM. Preliminary datasheet 8K (1024 X 8)/16K (2048 X 8) General Description. Pin Configuration
Two-Wire Serial EEPROM Preliminary datasheet 8K (1024 X 8)/16K (2048 X 8) Low-voltage Operation 1.8 (VCC = 1.8V to 5.5V) Operating Ambient Temperature: -40 C to +85 C Internally Organized 1024 X 8 (8K),
More informationpage 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas
Introduction to Cryptography Lecture 3 Benny Pinkas page 1 1 Pseudo-random generator Pseudo-random generator seed output s G G(s) (random, s =n) Deterministic function of s, publicly known G(s) = 2n Distinguisher
More informationModules v4. Pushing forward user environment management. Xavier Delaruelle FOSDEM 2018 February 4th 2018, ULB, Bruxelles
Modules v4 Pushing forward user environment management Xavier Delaruelle FOSDEM 2018 February 4th 2018, ULB, Bruxelles whoami I am Xavier Delaruelle Work at CEA, a large research
More informationMPC55xx Highlighted Features
MPC55xx Highlighted Features Why Do I Need an etpu? Number one constraint of microcontrollers is their limited ability to perform high speed time related tasks. Limited by CPU interrupt overhead in servicing
More informationCryptography and Network Security Block Ciphers + DES. Lectured by Nguyễn Đức Thái
Cryptography and Network Security Block Ciphers + DES Lectured by Nguyễn Đức Thái Outline Block Cipher Principles Feistel Ciphers The Data Encryption Standard (DES) (Contents can be found in Chapter 3,
More informationSpecifications PMD-1208FS
Document Revision 1.1, May, 2005 Copyright 2005, Measurement Computing Corporation Typical for 25 C unless otherwise specified. Specifications in italic text are guaranteed by design. Analog input section
More informationBreaking the Bitstream Decryption of FPGAs
Breaking the Bitstream Decryption of FPGAs 05. Sep. 2012 Amir Moradi Embedded Security Group, Ruhr University Bochum, Germany Acknowledgment Christof Paar Markus Kasper Timo Kasper Alessandro Barenghi
More informationA Fault-Resistant AES Implementation Using Differential Characteristic of Input and Output
A Fault-Resistant AES Implementation Using Differential Characteristic of Input and Output JeongSoo Park Hoseo University Asan, ChungNam, Korea sizeplay@nate.com KiSeok Bae Kyungpook National University
More informationA Reliable Architecture for Substitution Boxes in Integrated Cryptographic Devices
Author manuscript, published in "DCIS'08: Conference on Design of Circuits and Integrated Systems, (2008)" A Reliable Architecture for Substitution Boxes in Integrated Cryptographic Devices G. Di Natale,
More informationImproved Linear Sieving Techniques with Applications to Step-Reduced LED-64
Improved Linear Sieving Techniques with Applications to Step-Reduced LED-64 Itai Dinur 1, Orr Dunkelman 2,4, Nathan eller 3 and Adi Shamir 4 1 École normale supérieure, France 2 University of Haifa, Israel
More informationDFA on AES. Christophe Giraud. Oberthur Card Systems, 25, rue Auguste Blanche, Puteaux, France.
DFA on AES Christophe Giraud Oberthur Card Systems, 25, rue Auguste Blanche, 92800 Puteaux, France. c.giraud@oberthurcs.com Abstract. In this paper we describe two different DFA attacks on the AES. The
More informationAn In-depth and Black-box Characterization of the Effects of Clock Glitches on 8-bit MCUs
2011 Workshop on Fault Diagnosis and Tolerance in Cryptography An In-depth and Black-box Characterization of the Effects of Clock es on 8-bit MCUs Josep Balasch, Benedikt Gierlichs, and Ingrid Verbauwhede
More informationModule Introduction. PURPOSE: The intent of this module is to explain MCU processing of reset and interrupt exception events.
Module Introduction PURPOSE: The intent of this module is to explain MCU processing of reset and interrupt exception events. OBJECTIVES: - Describe the difference between resets and interrupts. - Identify
More informationST Enables The Wireless Charging World
ST Enables The Wireless Charging World Wearable Consumer & Industrial Dual Mode TRx Wearable Solution Wireless Charging Reference Design 1 Watt wireless delivery Transmitter STWBC-WA 1W STEVAL-ISB038V1T
More informationTesting Gated Mode on Hybrid 4.1
Testing Gated Mode on Hybrid 4.1 1 Injection Scheme of SuperKEKB RF frequency 508 MHz 2503 bunches noisy bunches 100ns apart 20 µs frame ~ cooling: 4ms noisy / ~ 400 packets ~ 16 ms clean continuous injection
More informationHello, and welcome to this presentation of the STM32 I²C interface. It covers the main features of this communication interface, which is widely used
Hello, and welcome to this presentation of the STM32 I²C interface. It covers the main features of this communication interface, which is widely used to connect devices such as microcontrollers, sensors,
More informationPower Analysis Attacks against FPGA Implementations of the DES
Power Analysis Attacks against FPGA Implementations of the DES François-Xavier Standaert 1, Sıddıka Berna Örs2, Jean-Jacques Quisquater 1, Bart Preneel 2 1 UCL Crypto Group Laboratoire de Microélectronique
More informationHT1628 RAM Mapping LCD Driver
RAM Mapping 116 2 LCD Driver Features Logic voltage 2.4V~5.5V LCD operating voltage (VLCD) 2.4V~5.5V LCD display 2 commons, 116 segments Support a maximum of 58 4 bit Display RAM Duty Static, 1/2; Bias
More informationECRYPT II Workshop on Physical Attacks November 27 th, Graz, Austria. Stefan Mangard.
Building Secure Hardware ECRYPT II Workshop on Physical Attacks November 27 th, Graz, Austria Stefan Mangard Infineon Technologies, Munich, Germany Stefan.Mangard@infineon.com Outline Assets and Requirements
More informationSpecifications
Specifications 18200-10 Cole-Parmer Instrument Company 625 East Bunker Court Vernon Hills, Illinois 60061-1844 (847) 549-7600 (847) 247-2929 (Fax) 800-323-4340 www.coleparmer.com e-mail: techinfo@coleparmer.com
More informationFault Analysis of the ChaCha and Salsa Families of Stream Ciphers
Fault Analysis of the ChaCha and Salsa Families of Stream Ciphers Arthur Beckers, Benedikt Gierlichs, and Ingrid Verbauwhede imec-cosic KU Leuven Kasteelpark Arenberg 10, 3001 Leuven-Heverlee, Belgium
More informationAVR XMEGA Product Line Introduction AVR XMEGA TM. Product Introduction.
AVR XMEGA TM Product Introduction 32-bit AVR UC3 AVR Flash Microcontrollers The highest performance AVR in the world 8/16-bit AVR XMEGA Peripheral Performance 8-bit megaavr The world s most successful
More informationNext Generation CEA Computing Centres
Next Generation IO @ CEA Computing Centres J-Ch Lafoucriere ORAP Forum #39 2017-03-28 A long History of Storage Architectures Last Century Compute Systems Few Cray Supercomputers (vectors and MPP) Few
More informationChapter 15. ARM MCUs Architecture, Programming and Development Tools
Chapter 15 ARM MCUs Architecture, Programming and Development Tools Lesson 2 ARM Microcontrollers 2 ARM CPUs/MCUs CPUs ARM-7 and ARM-9 CPUs PowerPC 750,ColdFire, TigerSHARC MCUs ST72x, LPC21xx, ARM Cortex
More informationPAPYRUS FUTURE. CEA Papyrus Team
PAPYRUS FUTURE CEA ABSTRACT SYNTAX The definition of a DSML abstract syntax in Papyrus is done with the profile editor. It lets define abstract syntax constraints in OCL and Java. Ongoing: Façade [1] lets
More informationLGR-5325 Specifications
s Revision 1.0, April, 2010 Copyright 2010, Measurement Computing Corporation s All specifications are subject to change without notice. Typical for 25 C unless otherwise specified. s in italic text are
More informationON PRACTICAL RESULTS OF THE DIFFERENTIAL POWER ANALYSIS
Journal of ELECTRICAL ENGINEERING, VOL. 63, NO. 2, 212, 125 129 COMMUNICATIONS ON PRACTICAL RESULTS OF THE DIFFERENTIAL POWER ANALYSIS Jakub Breier Marcel Kleja This paper describes practical differential
More informationHCTL-2017 Quadrature Decoder/Counter Interface ICs
Products > Motion Control Encoder Solutions > Integrated Circuits > Decoder > HCTL-2017 HCTL-2017 Quadrature Decoder/Counter Interface ICs Description HCTL-2xxx series is a direct drop-in replacement for
More informationAlain MERLE, PhD Strategic Marketing Manager CYBERSECURITY OF MEDICAL DEVICES
Alain MERLE, PhD Strategic Marketing Manager Alain.merle@cea.fr CYBERSECURITY OF MEDICAL DEVICES SECURITY OF MD: A BRIEF HISTORY 2 THE LAST PUBLICATIONS Security evaluation analysis Black box testing Covering
More informationCombined Fault and Side-Channel Attack on Protected Implementations of AES
Combined Fault and Side-Channel Attack on Protected Implementations of AES Thomas Roche, Victor Lomné, and Karim Khalfallah ANSSI, 51, Bd de la Tour-Maubourg, 75700 Paris 07 SP, France firstname.lastname@ssi.gouv.fr
More informationIntroduction to Software Countermeasures For Embedded Cryptography
Introduction to Software Countermeasures For Embedded Cryptography David Vigilant UMPC Master, 1 st December, 2017 Outline 1 Context and Motivations 2 Basic Rules and Countermeasures Examples Regarding
More informationUSB-1602HS-2AO Specifications
s Revision 1.0, March, 2009 Copyright 2009, Measurement Computing Corporation s All specifications are subject to change without notice. Typical for 25 C unless otherwise specified. All signal names refer
More informationTitle Laser testing and analysis of SEE in DDR3 memory components
Title Laser testing and analysis of SEE in DDR3 memory components Name P. Kohler, V. Pouget, F. Wrobel, F. Saigné, P.-X. Wang, M.-C. Vassal pkohler@3d-plus.com 1 Context & Motivation Dynamic memories (DRAMs)
More informationDesign and development of embedded systems for the Internet of Things (IoT) Fabio Angeletti Fabrizio Gattuso
Design and development of embedded systems for the Internet of Things (IoT) Fabio Angeletti Fabrizio Gattuso Microcontroller It is essentially a small computer on a chip Like any computer, it has memory,
More information