Electromagnetic Transient Fault Injection on AES Amine DEHBAOUI ¹, Jean-Max DUTERTRE ², Bruno ROBISSON ¹, Assia TRIA ¹ Fault Diagnosis and Tolerance in Cryptography Leuven, Belgium Sunday, September 9, 2012 (1) (2)
Outline Context Electromagnetic pulse injection Bench Transient electromagnetic fault on a software implementation of the AES Transient electromagnetic fault on a hardware implementation of the AES Transient electromagnetic fault on a hardware implementation of the AES with countermeasure Conclusion 17 septembre 2012 PAGE 2
Context : Synchronous Digital IC Timing Constraints n m data Logic 1 1 1 1 D pmax D Q D Q Dff i Dff i+1 clk D clk->q T clk + T skew - T setup data arrival time = D clk->q + D pmax data required time = T clk + T skew - T setup T clk > D clk->q + D pmax - T skew + T setup F(Vdd) Violating this timing constraint results in fault injection. Usually IC are designed to tolerate : Vdrops < 0.1 x Vdd PAGE 3
CONTEXT : Fault Injection Plaintext 11001010101010101010 Correct Ciphertext 00001010101010101010 00001010101010100010 Faulty Ciphertext Modifying the behavior of the chip and recovering sensitive data Various experimental setups are used Underpowering / overclocking a device A rise in temperature may also induce faults The use of optical radiations : flash bulb, laser beam 17 septembre 2012 PAGE 4 The use of EM radiations : harmonic, pulse
CONTEXT : Fault Injection and the EM Channel EM Channel : main strengths Does not require depackaging the target. Does target the upper metal Layer (Power/Ground or Clock networks). May bypass some countermeasures (light sensors, global power filtering ). Low cost and no specific countermeasures. Our objectives : Report actual fault injections on two typical targets (HW/SW). Explain the behavior of the faults induced by a very short EM pulse (EMP). Analyze whether the effect of the EMP on the target is global or local. Find out the mechanism involved in the injection of a fault by an EMP. 17 septembre 2012 PAGE 5
Electromagnetic pulse injection Bench CEA 10 AVRIL 2012 PAGE 6 17 septembre 2012
Electromagnetic pulse injection Bench Platform built of : I/O Pulse generator Rohde & Schwartz magnetic antenna (500µm diameter) X-Y-Z motorized stage Control PC (GPIB + RS232 ) GPIB Pulse generator characteristics Amplitude : 1-100 V Pulse width : 9 ns 1 ms Rising / Falling times : 5 ns Low jitter : < 45 ps Target Motorized stage Trigger signal Pulse gen. MCU FPGA 17 septembre 2012 PAGE 7
Transient electromagnetic faults on a software implementation of the AES CEA 10 AVRIL 2012 PAGE 8 17 septembre 2012
Transient electromagnetic faults on a software implementation of the AES Smartcard emulation board 8-bits AVR Atmega 128 MCU (techno 0,35µm) Harvard architecture 128 KB Flash program memory 4 KB SRAM Operating voltage : 4.5 5.5 V Operating frequency : 3.57 MHz => Tclk = 280 ns Software AES implementation Power supply trace during EMP injection Is this voltage drop induces faults??? EMP parameters Z position EMP EMP Clk Rise/fall amplitude width period times < 500 µm 100V 50ns 280ns 5ns Voltage drop of about 200 mv 17 septembre 2012 PAGE 9
Transient electromagnetic faults on a software implementation of the AES AES state S0,0 S0,1 S0,2 S0,3 Powered chip : 5V Execution of the AES-128 Trigger signal at the beginning of the 10th round We swept the instant of the EMP by steps of 100ns At each step => 1000 encryptions with and without EMP The faulty byte is determined S1,0 S1,1 S1,2 S1,3 S2,0 S2,1 S2,2 S2,3 S3,0 S3,1 S3,2 S3,3 AES encryption : Round 10 (90µs) S0,2 S1,0 S2,0 S3,0 S0,1 S3,1 S2,2 S1,3 S0,0 S0,3 S1,1 S2,3 S2,1 S1,2 S3,2 S3,3 PAGE 10 0,28 5,53 6,53 9,78 12,4 19,3 25,5 33,7 55,7 63,4 65,9 69,5 74,5 75 87,5 87,9 µs
Transient electromagnetic faults on a software implementation of the AES Occurrence rate of the induced faults versus EMP amplitude Deterministic and reproducible effect EMP injection prevents the CPU from executing some instructions by violating the timing constraints AddRoundKey opcodes 1 LDD R24, Y+ i load subkey 2 LD R25, X load state 3 EOR R24, R25 Exclusive OR 4 STD Z+i, R24 store result Slack > 0 SubBytes ans ShiftRows opcodes 1 LDD R26, Y+ i load state address 2 LDI R27, 0x00 3 SUBI R26, 0x00 4 SBCI R27, 0xF5 5 LD R24, X load state i 6 STD Y+k, R24 store state i 7 LDI R31, 0x00 8 SUBI R30, 0x00 9 SBCI R31, 0xF5 10 LD R24, Z load state i+1 11 STD Y+i, R24 store state i+1 Slack = 0 (+/-) ξ PAGE 11 Slack < 0
Transient electromagnetic faults on a hardware implementation of the AES CEA 10 AVRIL 2012 PAGE 12 17 septembre 2012
Transient electromagnetic faults on a hardware implementation of the AES Round Exe FPGA Spartan 3 Techno 130nm Operating voltage : 1.2 volts Operating frequency : 100 MHz Hardware AES implementation FSM Key Exp EMP parameters Z position < 500 µm EMP EMP Clk Rise/fall amplitude width period times 100V 10ns 10ns 5ns PAGE 13
Transient electromagnetic faults on a hardware implementation of the AES At each position, an EMP is injected 100V-10ns The corresponding faulted ciphertext is retrieved 1,000 encryptions of the same plaintext 30x30 different locations Antenna diameter : 500 µm Displacement step : 500 µm Faults cartography 0 7 mm 8 7 5 6 Round Exe 10 7 mm 5 15 FSM 4 3 20 2 Key Exp 25 1 30 0 5 10 15 20 25 0 30 Faulted bytes Localized effect of the EMP Good correlation between the Floorplan and the cartography 17 septembre 2012 Deterministic and reproducible effect PAGE 14
Transient electromagnetic faults on a hardware implementation of the AES byte 15 byte 14 byte 13 Y 0 Faults cartography byte 12 byte 11 byte 10 byte 9 byte 8 byte 7 byte 6 byte 5 Position 1 (X1, Y1, Z) 5 10 15 20 byte 4 25 byte 3 byte 2 byte 1 byte 0 byte 15 byte 14 30 0 5 10 15 20 25 30 Ability to inject single-bit and multi-bits faults into AES calculations Induced faults are timing faults occurrence May fault any paths (even subcritical paths) 0% 10% 20% 30% 40% 50% 60% Position 2 byte 15 (X2, Y2, Z) byte 14 Position 3 (X3, Y3, Z) X byte 13 byte 12 byte 11 byte 10 byte 9 byte 8 byte 7 byte 6 single-bit faults multi-bit faults byte 13 byte 12 byte 11 byte 10 byte 9 byte 8 byte 7 byte 6 byte 5 byte 4 byte 3 byte 2 byte 1 byte 0 0% 10% 20% 30% 40% 50% 60% occurrence byte 5 byte 4 byte 3 byte 2 byte 1 byte 0 PAGE 15 0% 10% 20% 30% 40% 50% 60%
Transient electromagnetic faults on a hardware implementation of the AES with countermeasure CEA 10 AVRIL 2012 PAGE 16 17 septembre 2012
Transient electromagnetic faults on a hardware implementation of the AES with countermeasure FPGA Spartan 3 Techno 130nm Operating voltage : 1.2 volts Operating frequency : 100 MHz Hardware AES implementation Countermeasure (detection of timing violations) CLK 1 Programmable monitoring delay CLK 1 delayed comp alarm PAGE 17
Transient electromagnetic faults on a hardware implementation of the AES with countermeasure At each position, an EMP is injected The corresponding faulted ciphertext (if any) is retrieved The value of the alarm flag is stored 1,000 encryptions of the same plaintext 30x30 different locations of the injection probe (step 500 µm) 0 0 8 5 5 7 6 alarm no alarm 10 15 20 10 15 20 5 4 3 2 25 25 1 30 0 5 10 15 20 25 30 Alarms cartography 30 0 0 5 10 15 20 25 30 Faults cartography Localized effect of the EMP The EMP is detected only in some positions Possibility to induce faults without triggering the alarm PAGE 18
Conclusion CEA 10 AVRIL 2012 PAGE 19 17 septembre 2012
Conclusion Ability to inject single-bit and multi-bits faults into AES calculations Induced faults are timing faults due to voltage drops Localized effect : the coupling depends of the IC Layout May bypass power supply low-pass filtering May fault any paths (even subcritical paths) 17 septembre 2012 PAGE 20
Any questions? PAGE 21 CEA 10 AVRIL 2012 17 septembre 2012 Email : amine.dehbaoui@cea.fr Direction de la Recherche Technologique DSIS / LCS Systèmes et Architectures Sécurisés Commissariat à l énergie atomique et aux énergies alternatives Centre de Microélectronique de Provence 13541 Gardanne T. +33 (0) 4.42.61.67.31 F. +33 (0) 4.42.61.65.92 Etablissement public à caractère industriel et commercial RCS Paris B 775 685 019