Fault Sensitivity Analysis

Transcription

1 Fault Sensitivity Analysis Yang Li, Kazuo Sakiyama, Shigeto Gomisawa, Kazuo Ohta The University of Electro-Communications Toshinori Fukunaga, Junko Takahashi NTT Information Sharing Platform Laboratories 19 Aug 2010 CHES Santa Barbara 1

2 Outline Differential Fault Analysis and its countermeasure Power-based Side-Channel Attacks DPA, CPA A New Fault-based Attack Fault Sensitivity Analysis (FSA) Some Case Studies on SASEBO-R FSA attack on PPRM1-AES FSA attack on WDDL-AES FSA attack on Satoh s AES (recent result) Conclusion 19 Aug 2010 CHES Santa Barbara 2

3 Differential Fault Analysis (DFA) Basic idea Make a differential path by fault injection Get correct outputs and faulty outputs Verify the differential path for each key candidate General DFA attack requirements Specific transient fault Pairs of correct output and faulty output for the same input General DFA countermeasures Inherent resistance, prevent specific transient fault e.g. WDDL [1] Redundant calculation for error detection e.g. Satoh s AES [2] 19 Aug 2010 CHES Santa Barbara 3

4 Outline Differential Fault Analysis and its countermeasure Power-based Side-Channel Attacks DPA, CPA A New Fault-based Attack Fault Sensitivity Analysis (FSA) Some Case Studies on SASEBO-R FSA attack on PPRM1-AES FSA attack on WDDL-AES FSA attack on Satoh s AES (recent result) Conclusion 19 Aug 2010 CHES Santa Barbara 4

5 Power-based Side-Channel Attacks Basic idea Power consumption depends on sensitive-data that is calculable with public variables and key guess General attack procedures Have a key guess Calculate sensitive-data Check the calculated data with recorded power consumption Correct key guess matches the power consumption best! Well-kown attacks Correlation Power Analysis (CPA) Differential Power Analysis (DPA) 19 Aug 2010 CHES Santa Barbara 5

6 Outline Differential Fault Analysis and its countermeasure Power-based Side-Channel Attacks DPA, CPA A New Fault-based Attack Fault Sensitivity Analysis (FSA) Some Case Studies on SASEBO-R FSA attack on PPRM1-AES FSA attack on WDDL-AES FSA attack on Satoh s AES (recent result) Conclusion 19 Aug 2010 CHES Santa Barbara 6

7 General Introduction to FSA Fault Sensitivity Analysis (FSA) Fault-based A new side channel leakage Sensitive-data dependency for fault sensitivity Similar Attack procedures to power-based attacks Bypass some DFA countermeasures What is Fault Sensitivity? Sensitivity to the fault injection E.g. Minimal clock frequency with correct output Has data dependency Can be used for key retrieval 19 Aug 2010 CHES Santa Barbara 7

8 Review Fault Injection (The idea of FSA) Input Good Environment Device (Key) Threshold ( Side-channel Leakage) Fault Bad Environment Device (Key) Output C C C Input Faulty Output C Change Fault Intensity Works for different types of fault injection: overclock, low-power, laser 19 Aug 2010 CHES Santa Barbara 8

9 Fault Sensitivity under an over-clock n n D in F/F D out Logic CLK Sensitive Data clk D in illegal_clk1 Critical Delay Timing illegal_clk2 Threshold as Fault Sensitivity 19 Aug 2010 CHES Santa Barbara 9

10 Signal delays for AND gate AND Gate (T X : delay time for signal X) T A Assume T A < T B When signal A=0, T C = T A + T AND (small) When signal A=1, T C = T B + T AND (large) T AND : Delay timing of AND gate A B T AND T B Data Dependency!! C = A B 0 input, small delay. 19 Aug 2010 CHES Santa Barbara 10

11 Signal delays for XOR gate XOR Gate (T X : delay time for signal X) Assume T A < T B When signal A=0, T C = T B + T XOR When signal A=1, T C = T B + T XOR T XOR : Delay timing of XOR gate T A A B T XOR T B No Data Dependency!! C = A B 19 Aug 2010 CHES Santa Barbara 11

12 How about an FSA Attack? FSA For Power-based attacks: Attackers Key Sensitive Data Fault Power Consumption Sensitivity 19 Aug 2010 CHES Santa Barbara 12

13 FSA Attack Procedures Collect pairs of public variables and fault sensitivity Retrieval the key by the data analysis Have a key guess Calculate sensitive-data Check the calculated data with recorded fault sensitivity Directly apply the techniques in power analysis 19 Aug 2010 CHES Santa Barbara 13

14 Case studies of FSA attacks FSA attack against PPRM1-AES FSA attack against WDDL-AES FSA attack against Satoh s AES (recent work) 19 Aug 2010 CHES Santa Barbara 14

15 CASE 1: FSA attacks against PPRM1-AES PPRM1-AES: a low power AES implementation with PPRM1-Sbox [4] PPRM1 S-box PPRM1 S-box AND array XOR array AND gate: 0 input, small delay. AND array: More 0 inputs, smaller delay! 19 Aug 2010 CHES Santa Barbara 15

16 As a result, for PPRM1 S-box More 0 inputs, Smaller delay!! Smaller hamming weight Less sensitive to overclock Fault sensitivity Typical Side Channel Leakage Exploitable by CPA-like analysis Input hamming weight 19 Aug 2010 CHES Santa Barbara 16

17 Attack results against last round of PPRM1-AES Correlation All of the 16 key bytes can be identified clearly. Key guess 19 Aug 2010 CHES Santa Barbara 17

18 How much fault sensitivity data is needed? Less than 50 plaintexts (FS data) to obtain a 128-bit key. 19 Aug 2010 CHES Santa Barbara 18

19 How many times of fault injection? Which point is the fault sensitivity? 1 Success rate of fault injection 0 In our experiment Fre. of Clock C C Worst case: 120 times Fre. of Clock 19 Aug 2010 CHES Santa Barbara 19

20 CASE 2: FSA attacks against WDDL-AES Naturally immune to DFA attacks based on the setup-time violation. [2] Dual-Rail Precharge Logic Complementary wires: (ture,false) transient fault will erase the secret information at the output. WDDL is not perfectly immune to FSA attacks based on setup-time violation. 19 Aug 2010 CHES Santa Barbara 20

21 WDDL s Vulnerability against FSA (1/2) First of all, no clear correlation between input data and fault sensitivity. All types of gates are mixed up However, we observed a data dependence at the output. Imbalance of complementary wires leads to imbalance of critical path delays. 19 Aug 2010 CHES Santa Barbara 21

22 WDDL s Vulnerability against FSA (2/2) Assume Precharge value = 0 Delay_ture > Delay_false then (1,0) (0,0) happens easier than (0,1) (0,0). 1 is more sensitive than 0 WDDL Logic true false Vulnerability! Exploitable by DPA-like analysis Difficult to make perfect matching wires. 19 Aug 2010 CHES Santa Barbara 22

23 Attack result against WDDL-AES with 1200 plaintexts Correlation 3 of 16 key bytes can be identified. Key guess 19 Aug 2010 CHES Santa Barbara 23

24 CASE 3: FSA attacks against Satoh s AES Satoh s AES (CHES2008) High performance AES with Error-detection Scheme Successful FSA attack Self-Template FSA To be continued in the rump section. 19 Aug 2010 CHES Santa Barbara 24

25 Outline Differential Fault Analysis and its countermeasure Power-based Side-Channel Attacks DPA, CPA A New Fault-based Attack Fault Sensitivity Analysis (FSA) Some Case Studies on SASEBO-R FSA attack on PPRM1-AES FSA attack on WDDL-AES FSA attack on Satoh s AES (recent result) Conclusion 19 Aug 2010 CHES Santa Barbara 25

26 Conclusion A new side channel leakage: fault sensitivity FSA has a potential to bypass some fault attack countermeasures. Future work: FSA countermeasures (mask technique?) Stronger FSA attacks Try other types of FSA under other fault injection methods 19 Aug 2010 CHES Santa Barbara 26

27 References [1]G. Piret and J.-J. Quisquater. A Differential Fault Attack Technique against SPN Structures, with Application to the AES and KHAZAD. CHES 2003 [2] S. Guilley T. Graba N. Selmane, S. Bhasin and J.-L. Danger. WDDL is Protected Against Setup Time Violation Attacks. FDTC 2009 [3] Akashi Satoh, Takeshi Sugawara, Naofumi Homma, Takafumi Aoki: High-Performance Concurrent Error Detection Scheme for AES Hardware. CHES 2008 [4] S. Morioka and A. Satoh. An Optimized S-Box Circuit Architecture for Low Power AES Design. CHES Aug 2010 CHES Santa Barbara 27

28 Thank you for your attentions! Questions? 19 Aug 2010 CHES Santa Barbara 28