PARAMETRIC TROJANS FOR FAULT-BASED ATTACKS ON CRYPTOGRAPHIC HARDWARE

Similar documents
Parametric Trojans for Fault-Injection Attacks on Cryptographic Hardware

Multi-Stage Fault Attacks

Precise Fault-Injections using Voltage and Temperature Manipulation for Differential Cryptanalysis

Fault injection attacks on cryptographic devices and countermeasures Part 1

Syrvey on block ciphers

External Encodings Do not Prevent Transient Fault Analysis

A physical level perspective

Attacks on Advanced Encryption Standard: Results and Perspectives

Secret Key Algorithms (DES)

Side channel attack: Power Analysis. Chujiao Ma, Z. Jerry Shi CSE, University of Connecticut

1-7 Attacks on Cryptosystems

Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

EC500. Design of Secure and Reliable Hardware. Lecture 1 & 2

Block Ciphers that are Easier to Mask How Far Can we Go?

Symmetric Key Algorithms. Definition. A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting.

White-Box Cryptography State of the Art. Paul Gorissen

The Davies-Murphy Power Attack. Sébastien Kunz-Jacques Frédéric Muller Frédéric Valette DCSSI Crypto Lab

Advanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50

Weak Keys of the Full MISTY1 Block Cipher for Related-Key Cryptanalysis

Unboxing the whitebox. Jasper van CTO Riscure North America ICMC 16

A Fault Attack Against the FOX Cipher Family

CSCE 813 Internet Security Symmetric Cryptography

A Differential Fault Attack against Early Rounds of (Triple-)DES

Cryptanalysis. Ed Crowley

Report on Present State of CIPHERUNICORN-A Cipher Evaluation (full evaluation)

Cryptography ThreeB. Ed Crowley. Fall 08

HOST Differential Power Attacks ECE 525

Once upon a time... A first-order chosen-plaintext DPA attack on the third round of DES

Fault-Based Attack of RSA Authentication

Breaking Grain-128 with Dynamic Cube Attacks

Cache Timing Analysis of LFSR-based Stream Ciphers

Fault Injection Attacks and Countermeasures

Clock Glitch Fault Injection Attacks on an FPGA AES Implementation

Differential Cryptanalysis

CIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)

Cryptanalysis of Lightweight Block Ciphers

On-Line Self-Test of AES Hardware Implementations

CSC 474/574 Information Systems Security

Introduction to Cryptology Dr. Sugata Gangopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Roorkee

Wenling Wu, Lei Zhang

Lecture 2: Secret Key Cryptography

ECRYPT II Workshop on Physical Attacks November 27 th, Graz, Austria. Stefan Mangard.

ELECTROMAGNETIC GLITCH ON THE AES ROUND COUNTER

Improved differential fault analysis on lightweight block cipher LBlock for wireless sensor networks

Sho Endo1, Naofumi Homma1, Yu-ichi Hayashi1, Junko Takahashi2, Hitoshi Fuji2 and Takafumi Aoki1

Differential Fault Analysis of Trivium

Masking as a Side-Channel Countermeasure in Hardware

International Journal for Research in Applied Science & Engineering Technology (IJRASET) Performance Comparison of Cryptanalysis Techniques over DES

How microprobing can attack encrypted memory

Overview ECE 753: FAULT-TOLERANT COMPUTING 1/21/2014. Recap. Fault Modeling. Fault Modeling (contd.) Fault Modeling (contd.)

CRYPTOGRAPHIC devices are widely used in applications

Improved Linear Sieving Techniques with Applications to Step-Reduced LED-64

Fault Attacks on Embedded Software: Threats, Design, and Mitigation

Breaking Korea Transit Card with Side-Channel Attack

Fault Attacks on Cryptosystems: Novel Threat Models, Countermeasures and Evaluation Metrics

Block Ciphers Introduction

Few Other Cryptanalytic Techniques

Content of this part

Fault Detection of the Camellia Cipher against Single Byte Differential Fault Analysis

Attack on DES. Jing Li

FPGAhammer: Remote Voltage Fault Attacks on Shared FPGAs, suitable for DFA on AES

arxiv: v1 [cs.cr] 27 Feb 2017

A Cache Timing Analysis of HC-256

CHAPTER 1 INTRODUCTION

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers

Fault Sensitivity Analysis

ICT 6541 Applied Cryptography. Hossen Asiful Mustafa

The CS 2 Block Cipher

3 rd SKINNY Breaking Competition

FAULT DETECTION IN THE ADVANCED ENCRYPTION STANDARD. G. Bertoni, L. Breveglieri, I. Koren and V. Piuri

A Parity Code Based Fault Detection for an Implementation of the Advanced Encryption Standard

P2_L6 Symmetric Encryption Page 1

Evaluating Tokenization Systems

Cryptanalysis. Andreas Klappenecker Texas A&M University

Hardware Security Challenges and Solutions. Mike Bartley TVS, Founder and CEO

CHAPTER 2. KEYED NON-SURJECTIVE FUNCTIONS IN STREAM CIPHERS54 All bytes in odd positions of the shift register are XORed and used as an index into a f

Secure Smartcard Design against Laser Fault Injection. FDTC 2007, September 10 th Odile DEROUET

Piret and Quisquater s DFA on AES Revisited

Countermeasures against EM Analysis

AEGIS. A Fast Authenticated Encryption Algorithm. Nanyang Technological University KU Leuven and iminds DIAC 2014 AEGIS 1

CAESAR: Cryptanalysis of the Full AES Using GPU-Like Hardware

Fundamentals of Cryptography

A Reliable Architecture for Substitution Boxes in Integrated Cryptographic Devices

Side-Channel Countermeasures for Hardware: is There a Light at the End of the Tunnel?

Evaluating memory protection of smartcards and similar devices. Wolfgang Killmann, T-Systems GEI GmbH

Cryptographic Concepts

Side-Channel Attacks on RSA with CRT. Weakness of RSA Alexander Kozak Jared Vanderbeck

Trojan-tolerant Hardware

Two Attacks on Reduced IDEA (Extended Abstract)

Using Error Detection Codes to detect fault attacks on Symmetric Key Ciphers

Practical Aspects of Modern Cryptography

Block Ciphers and the Data Encryption Standard (DES) Modified by: Dr. Ramzi Saifan

Embedded System Security. Professor Patrick McDaniel Charles Sestito Fall 2015

(2½ hours) Total Marks: 75

Improved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN

Linear Cryptanalysis of Reduced Round Serpent

NON LINEAR FEEDBACK STREAM CIPHER

Controlled Fault Injection: Wishful Thinking, Thoughtful Engineering,

Trojan-tolerant Hardware & Supply Chain Security in Practice

Transcription:

PARAMETRIC TROJANS FOR FAULT-BASED ATTACKS ON CRYPTOGRAPHIC HARDWARE Raghavan Kumar, University of Massachusetts Amherst Contributions by: Philipp Jovanovic, University of Passau Wayne P. Burleson, University of Massachusetts Amherst Ilia Polian, University of Passau 1

Motivation Hardware Trojans: malicious modifications of circuits by an untrusted (overseas) foundry. Here: Trojan insertion techniques by manufacturing process manipulation ( MAPLE Trojans ). Based on manipulation of V in -V out characteristics. Very low likelihood of detection by any means. Demonstration of a fault-based attack to a recent cryptosystem made possible by MAPLE Trojans. 2

Outline: Questions What are Hardware Trojans? How do MAPLE Trojans work? What are fault-based attacks on ciphers? How do MAPLE Trojans facilitate such attacks? What countermeasures are effective? 3

Hardware Trojans Original circuit design Manipulated fabricated circuit Untrustworthy third-party fab Trojan trigger Trojan payload 4

Hardware Trojans Triggering mechanism: Internal (time-based, physical condition) External (by user or by another component) Payload: Change functionality Leak information Denial of service Detection: Functional testing (like for manufacturing defects) Parametric / side-channel analysis Optical inspection 5

Underlying Attack Model Most Hardware Trojans, including MAPLE Trojans presented here, require two co-operating attackers. Attacker 1: Malicious fab (or individual employees) who plants the Trojan trigger/payload into the circuit. Attacker 2: User of the manufactured circuit who knows the triggering condition. Attacker 1 and 2 are in general not identical. Users of the circuit who are not attackers are interested in detecting the presence of a Trojan. 6

Are Hardware Trojans Real? Not known with certainty! No fully documented, published case. Strong indirect indications found. Large interest in academia, government / military, industry; significant research funding. Many assumptions in literature don t seem realistic. What is for sure: they are an interesting scientific problem with strong relationship to test. 7

Outline: Questions What are Hardware Trojans? How do MAPLE Trojans work? What are fault-based attacks on ciphers? How do MAPLE Trojans facilitate such attacks? What countermeasures are effective? 8

MAPLE Trojans Manipulate the V in -V out characteristic of a logic gate (here: inverter). TrojanArea: reduce the dopant area within a transistor s active area. TrojanConc: significantly reduce doping concentration. Both techniques can be applied to individual gate instances. 9

TrojanArea (view from above) Simple modification of mask layout 10

TrojanConc (cross-sectional view) Requires an extra mask and 2 extra process steps 11

Outline: Questions What are Hardware Trojans? How do MAPLE Trojans work? What are fault-based attacks on ciphers? How do MAPLE Trojans facilitate such attacks? What countermeasures are effective? 12

Fault-based Attacks Cryptographic systems (ciphers) restrict access to secret information to authorized persons. Traditional cryptanalysis obtains secret information without authorization by utilizing mathematical weaknesses of the cipher ( breaking the code ). Fault-based attacks target the hardware implementation of the cipher. Perform encoding / decoding with a fault injected into the circuit by a physical disturbance. Derive secret information by differential cryptanalysis. 13

Fault-based Attacks: Fault Injection A variety of techniques: Vary the supply voltage (generate a spike). Vary the clock frequency (generate a glitch). Overheat the device. Expose to intense light (laser). State-of-the-art attacks require very accurate fault injection (time and location). Use Trojan-infected gates for precise fault inj. Source: www.riscure.com 14

Fault-based Attacks: Post-processing round 1 round N C P K K fault injection K C C round 1 round N C A cipher E encrypts plaintext P into ciphertext C using secret key K. Solving C = E(P, K) breaks the cipher but is (should be) mathematically infeasible. Repeated encryption with fault injection f yields a faultaffected ciphertext C with C = E f (P, K). This information can assist in solving C = E(P, K). 15

Case Study: Lightweight Block Cipher PRINCE 2 64 bit key k = k 0 k 1 Key expansion into 192 bits: k 2 := (k 0 >>> 1) (k 0 >> 63). 10 rounds with 4 operations Nonlinear SBox S; multiplication with matrix M; addition of round constant RC j ; subkey addition k i. 16

Fault-based Cryptanalysis of PRINCE Stage 0: inject fault in round 9, derive a small set of candidates (~ 2 13 ) for expression (k 1 k 2 ). 17

Fault-based Cryptanalysis of PRINCE Stage 0: inject fault in round 9, derive a small set of candidates (~ 2 13 ) for expression (k 1 k 2 ). Stage 1: for each candidate from stage 1 compute value after round 10; inject fault in round 8; derive a small set of candidates (~ 2 16 ) for k 1. 18

Requirements on Fault Injection The state of PRINCE is organized in 4-bit nibbles. Stage-0 faults must be restricted to one nibble in round 9. No faults may be simultaneously present in other nibbles or in other rounds, otherwise post-processing won t work. Stage-1 faults: restricted to one nibble in round 8. We call faults according to this requirement exploitable for stage 0 / stage 1. 19

Cryptanalysis Details (Stage 0) Forward-propagate fault effect (Boolean difference) from round 9 to SBox in round 10. Backward-propagate the fault-free and the faulty ciphertext observed at the outputs to same location. Construct equations, use them for excluding key candidates (filtering). 20

Outline: Questions What are Hardware Trojans? How do MAPLE Trojans work? What are fault-based attacks on ciphers? How do MAPLE Trojans facilitate such attacks? What countermeasures are effective? 21

Fault Injection by MAPLE Trojan Manipulate some gates to make them weaker. Under nominal Vdd, the circuit will work normally. Under slightly reduced (~ 10%) Vdd, the manipulated gates will fail first (with certain probability). Select gates such as to inject exploitable faults. Example: 3 inverters belonging to the same state nibble in round constant addition. 22

Probability of Exploitable Faults Faults in one nibble in either round 8 or 9. TrojanConc (similar results for TrojanArea). ~10 5 for 10% Vdd reduction. 23

Results 10,000 executions of the attack with random plaintext. 4 5 fault injections sufficient for key reconstruction. stage 0 stage 1 24

Outline: Questions What are Hardware Trojans? How do MAPLE Trojans work? What are fault-based attacks on ciphers? How do MAPLE Trojans facilitate such attacks? What countermeasures are effective? 25

Detection of MAPLE Trojans Functional testing No fault effect under nominal Vdd. Too low probability of activation for slightly reduced Vdd. Not distinguishable from random fails under low Vdd. Side-channel analysis Only very few gates affected; impact minimal compared with circuit-global variability. Visual inspection No layout modification; changes in doping concentration or dopant area are nearly impossible to see. 26

Other Countermeasures On-chip voltage detectors Very moderate Vdd reduction to values that are routinely observed in regular operation due to power-supply noise. Limiting the number of encryptions Effective but does not tell whether circuit is manipulated. Frequent key exchange If a key is determined, only data protected by that key (before exchange) is compromised. Key distribution may not work if the attacker has physical access to the chip. 27

Conclusions New, extremely stealthy Trojans. Based on manufacturing process manipulation. Alter electrical characteristics of selected gates. Application to fault-based analysis shows feasibility (4-5 exploitable faults required for key recovery, 10,000 fault injections per exploitable fault). Future work: silicon experiments (with ETH Zurich), better understanding of countermeasures. 28

BACKUP SLIDES 29

Forward-propagation Effect propagation of fault f in nibble 0. M 1 = M SR round 9 RC 9 f SR 1 f M ϕ 0 (f) ϕ 1 (f) ϕ 2 (f) ϕ 3 (f) S 1 w x y z k 1 w x y z RC 10 round 10 ϕ 0 (b 0 b 1 b 2 b 3 ) = 0 b 1 b 2 b 3 RC 10 w x y z SR 1 w x y z M ϕ 0 (w) ϕ 2 (x) ϕ 3 (y) ϕ 3 (z) ϕ 1 (w) ϕ 3 (x) ϕ 0 (y) ϕ 0 (z) ϕ 2 (w) ϕ 0 (x) ϕ 1 (y) ϕ 1 (z) ϕ 3 (w) ϕ 1 (x) ϕ 2 (y) ϕ 2 (z) S 1, RC 11, k 1, k 2 30

Backward-propagation and Filtering RC 10 M 1 S 1 RC 11 C : faulty ciphertext k 1 k 2 ϕ 0 (w) ϕ 2 (x) ϕ 3 (y) ϕ 3 (z) ϕ 1 (w) ϕ 3 (x) ϕ 0 (y) ϕ 0 (z) ϕ 2 (w) ϕ 0 (x) ϕ 1 (y) ϕ 1 (z) ϕ 3 (w) ϕ 1 (x) ϕ 2 (y) ϕ 2 (z) RC 10 M 1 S 1 RC 11 round 10 C: fault-free ciphertext = S(C (k 1 k 2 ) RC 11 ) S(C (k 1 k 2 ) RC 11 ) System of equations over GF(16) with indeterminates k 1, k 16 (secret key), w, x, y, z. Exclude key candidates that violate these equations. 31

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback