Fault Sensitivity Analysis

Similar documents
Fault Sensitivity Analysis

Fault Sensitivity Analysis

On the Power of Fault Sensitivity Analysis and Collision Side-Channel Attacks in a Combined Setting

Sho Endo1, Naofumi Homma1, Yu-ichi Hayashi1, Junko Takahashi2, Hitoshi Fuji2 and Takafumi Aoki1

Synthesis of Fault-Attack Countermeasures for Cryptographic Circuits

Fault injection attacks on cryptographic devices and countermeasures Part 1

Side-Channel Countermeasures for Hardware: is There a Light at the End of the Tunnel?

Fault Sensitivity Analysis Meets Zero-Value Attack

FDTC 2010 Fault Diagnosis and Tolerance in Cryptography. PACA on AES Passive and Active Combined Attacks

Hardware Security. Debdeep Mukhopadhyay

Differential Fault Analysis on the AES Key Schedule

HOST Differential Power Attacks ECE 525

Masking as a Side-Channel Countermeasure in Hardware

Chosen-IV Correlation Power Analysis on KCipher-2 and a Countermeasure

FPGAhammer: Remote Voltage Fault Attacks on Shared FPGAs, suitable for DFA on AES

Side-channel Power Analysis of Different Protection Schemes Against Fault Attacks on AES

A physical level perspective

External Encodings Do not Prevent Transient Fault Analysis

The Davies-Murphy Power Attack. Sébastien Kunz-Jacques Frédéric Muller Frédéric Valette DCSSI Crypto Lab

The Design and Evaluation Methodology of Dependable VLSI for Tamper Resistance

Side channel attack: Power Analysis. Chujiao Ma, Z. Jerry Shi CSE, University of Connecticut

Fault Analysis Study of the Block Cipher FOX64

Power Analysis Attacks

High-performance Concurrent Error Detection Scheme for AES Hardware

Fault Attacks on Cryptosystems: Novel Threat Models, Countermeasures and Evaluation Metrics

A Fault Attack Against the FOX Cipher Family

When Clocks Fail On Critical Paths And Clock Faults

The embedded security challenge: Protecting bits at rest

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers

Outline. Embedded Security. Black-box Security. B. Gierlichs CryptArchi, Trégastel, June 2008

Countermeasures against EM Analysis

Piret and Quisquater s DFA on AES Revisited

PRACTICAL DPA ATTACKS ON MDPL. Elke De Mulder, Benedikt Gierlichs, Bart Preneel, Ingrid Verbauwhede

Side Channel Attacks: A Primer

Fault Injection Resilience

Prototype IC with WDDL and Differential Routing DPA Resistance Assessment

Fault Tolerant Infective Countermeasure for AES

Introduction to Software Countermeasures For Embedded Cryptography

Keynote: White-Box Cryptography

«Safe (hardware) design methodologies against fault attacks»

Breaking the Bitstream Decryption of FPGAs

Investigation of DPA Resistance of Block RAMs in Cryptographic Implementations on FPGAs

@ 2014 SEMAR GROUPS TECHNICAL SOCIETY.

Software Protection Against Fault and Side Channel Attacks

ECRYPT II Workshop on Physical Attacks November 27 th, Graz, Austria. Stefan Mangard.

Once upon a time... A first-order chosen-plaintext DPA attack on the third round of DES

Block Ciphers that are Easier to Mask How Far Can we Go?

Evaluating the Duplication of Dual-Rail Logics on FPGAs

Fault Injection Attacks and Countermeasures

Security against Timing Analysis Attack

On the Simplicity of Converting Leakages from Multivariate to Univariate

Correlation-Enhanced Power Analysis Collision Attack

COSADE Conference Series

A Simple Power Analysis Attack Against the Key Schedule of the Camellia Block Cipher

From AES-128 to AES-192 and AES-256, How to Adapt Differential Fault Analysis Attacks

Protecting Last Four Rounds of CLEFIA is Not Enough Against Differential Fault Analysis

PARAMETRIC TROJANS FOR FAULT-BASED ATTACKS ON CRYPTOGRAPHIC HARDWARE

Practical Electromagnetic Template Attack on HMAC

Multi-Stage Fault Attacks

Combined SCA and DFA Countermeasures Integrable in a FPGA Design Flow

Implementing Virtual Secure Circuit Using A Custom-Instruction Approach

Practical DFA on AES. Marc Witteman CTO June 13, 2013

Non-Profiled Deep Learning-Based Side-Channel Attacks

Destroying Fault Invariant with Randomization

Energy Evaluation of AES based Authenticated Encryption Algorithms (Online + NMR)

On the Easiness of Turning Higher-Order Leakages into First-Order

Clock Glitch Fault Injection Attacks on an FPGA AES Implementation

Hardware-Focused Performance Comparison for the Standard Block Ciphers AES, Camellia, and Triple-DES

Fault Attacks on Embedded Software: Threats, Design, and Mitigation

BLIND FAULT ATTACK AGAINST SPN CIPHERS FDTC 2014

ASIC Performance Comparison for the ISO Standard Block Ciphers

A Defense Mechanism for Differential Power Analysis Attack in AES

SIDE CHANNEL RISK EVALUATION AND MEASUREMENT (SCREAM)

A Countermeasure Circuit for Secure AES Engine against Differential Power Analysis

Principal Component Analysis and Side-Channel Attacks - Master Thesis

Power Analysis of MAC-Keccak: A Side Channel Attack. Advanced Cryptography Kyle McGlynn 4/12/18

Fault-based Cryptanalysis on Block Ciphers

Analysis and Design of Clock-glitch Fault Injection within an FPGA

EC500. Design of Secure and Reliable Hardware. Lecture 1 & 2

Silent SIMON: A Threshold Implementation under 100 Slices

A Power Attack Method Based on Clustering Ruo-nan ZHANG, Qi-ming ZHANG and Ji-hua CHEN

Physical Security Evaluation at an Early Design-Phase: A Side-Channel Aware Simulation Methodology

One Plus One is More than Two: A Practical Combination of Power and Fault Analysis Attacks on PRESENT and PRESENT-like Block Ciphers

Combined Fault and Side-Channel Attack on Protected Implementations of AES

On the Optimality of Mutual Information Analysis for Discrete Leakages Cryptarchi June 29-30, 2015 Leuven

On Analyzing Program Behavior Under Fault Injection Attacks

Fault Detection of the Camellia Cipher against Single Byte Differential Fault Analysis

Countering power analysis attacks by exploiting characteristics of multicore processors

Flash Memory Bumping Attacks

Improved Leakage Model Based on Genetic Algorithm

Fault Attack on AES with Single-Bit Induced Faults

Information Leakage Attacks Against Smart Card Implementations of Cryptographic Algorithms and Countermeasures A Survey

WhoamI. Attacking WBC Implementations No con Name 2017

DPA CONTEST 08/09 A SIMPLE IMPROVEMENT OF CLASSICAL CORRELATION POWER ANALYSIS ATTACK ON DES

Second-Order Power Analysis Attacks against Precomputation based Masking Countermeasure

Correlated Power Noise Generator as a Low Cost DPA Countermeasures to Secure Hardware AES Cipher

Fault Attacks on AES with Faulty Ciphertexts Only

Efficient DPA Attacks on AES Hardware Implementations

Test Vector Leakage Assessment (TVLA) Derived Test Requirements (DTR) with AES

POWER ANALYSIS RESISTANT SRAM

Transcription:

Fault Sensitivity Analysis Yang Li, Kazuo Sakiyama, Shigeto Gomisawa, Kazuo Ohta The University of Electro-Communications liyang@ice.uec.ac.jp Toshinori Fukunaga, Junko Takahashi NTT Information Sharing Platform Laboratories 19 Aug 2010 CHES 2010 @ Santa Barbara 1

Outline Differential Fault Analysis and its countermeasure Power-based Side-Channel Attacks DPA, CPA A New Fault-based Attack Fault Sensitivity Analysis (FSA) Some Case Studies on SASEBO-R FSA attack on PPRM1-AES FSA attack on WDDL-AES FSA attack on Satoh s AES (recent result) Conclusion 19 Aug 2010 CHES 2010 @ Santa Barbara 2

Differential Fault Analysis (DFA) Basic idea Make a differential path by fault injection Get correct outputs and faulty outputs Verify the differential path for each key candidate General DFA attack requirements Specific transient fault Pairs of correct output and faulty output for the same input General DFA countermeasures Inherent resistance, prevent specific transient fault e.g. WDDL [1] Redundant calculation for error detection e.g. Satoh s AES [2] 19 Aug 2010 CHES 2010 @ Santa Barbara 3

Outline Differential Fault Analysis and its countermeasure Power-based Side-Channel Attacks DPA, CPA A New Fault-based Attack Fault Sensitivity Analysis (FSA) Some Case Studies on SASEBO-R FSA attack on PPRM1-AES FSA attack on WDDL-AES FSA attack on Satoh s AES (recent result) Conclusion 19 Aug 2010 CHES 2010 @ Santa Barbara 4

Power-based Side-Channel Attacks Basic idea Power consumption depends on sensitive-data that is calculable with public variables and key guess General attack procedures Have a key guess Calculate sensitive-data Check the calculated data with recorded power consumption Correct key guess matches the power consumption best! Well-kown attacks Correlation Power Analysis (CPA) Differential Power Analysis (DPA) 19 Aug 2010 CHES 2010 @ Santa Barbara 5

Outline Differential Fault Analysis and its countermeasure Power-based Side-Channel Attacks DPA, CPA A New Fault-based Attack Fault Sensitivity Analysis (FSA) Some Case Studies on SASEBO-R FSA attack on PPRM1-AES FSA attack on WDDL-AES FSA attack on Satoh s AES (recent result) Conclusion 19 Aug 2010 CHES 2010 @ Santa Barbara 6

General Introduction to FSA Fault Sensitivity Analysis (FSA) Fault-based A new side channel leakage Sensitive-data dependency for fault sensitivity Similar Attack procedures to power-based attacks Bypass some DFA countermeasures What is Fault Sensitivity? Sensitivity to the fault injection E.g. Minimal clock frequency with correct output Has data dependency Can be used for key retrieval 19 Aug 2010 CHES 2010 @ Santa Barbara 7

Review Fault Injection (The idea of FSA) Input Good Environment Device (Key) Threshold ( Side-channel Leakage) Fault Bad Environment Device (Key) Output C C C Input Faulty Output C Change Fault Intensity Works for different types of fault injection: overclock, low-power, laser 19 Aug 2010 CHES 2010 @ Santa Barbara 8

Fault Sensitivity under an over-clock n n D in F/F D out Logic CLK Sensitive Data clk D in illegal_clk1 Critical Delay Timing illegal_clk2 Threshold as Fault Sensitivity 19 Aug 2010 CHES 2010 @ Santa Barbara 9

Signal delays for AND gate AND Gate (T X : delay time for signal X) T A Assume T A < T B When signal A=0, T C = T A + T AND (small) When signal A=1, T C = T B + T AND (large) T AND : Delay timing of AND gate A B T AND T B Data Dependency!! C = A B 0 input, small delay. 19 Aug 2010 CHES 2010 @ Santa Barbara 10

Signal delays for XOR gate XOR Gate (T X : delay time for signal X) Assume T A < T B When signal A=0, T C = T B + T XOR When signal A=1, T C = T B + T XOR T XOR : Delay timing of XOR gate T A A B T XOR T B No Data Dependency!! C = A B 19 Aug 2010 CHES 2010 @ Santa Barbara 11

How about an FSA Attack? FSA For Power-based attacks: Attackers Key Sensitive Data Fault Power Consumption Sensitivity 19 Aug 2010 CHES 2010 @ Santa Barbara 12

FSA Attack Procedures Collect pairs of public variables and fault sensitivity Retrieval the key by the data analysis Have a key guess Calculate sensitive-data Check the calculated data with recorded fault sensitivity Directly apply the techniques in power analysis 19 Aug 2010 CHES 2010 @ Santa Barbara 13

Case studies of FSA attacks FSA attack against PPRM1-AES FSA attack against WDDL-AES FSA attack against Satoh s AES (recent work) 19 Aug 2010 CHES 2010 @ Santa Barbara 14

CASE 1: FSA attacks against PPRM1-AES PPRM1-AES: a low power AES implementation with PPRM1-Sbox [4] PPRM1 S-box PPRM1 S-box AND array XOR array AND gate: 0 input, small delay. AND array: More 0 inputs, smaller delay! 19 Aug 2010 CHES 2010 @ Santa Barbara 15

As a result, for PPRM1 S-box More 0 inputs, Smaller delay!! Smaller hamming weight Less sensitive to overclock Fault sensitivity Typical Side Channel Leakage Exploitable by CPA-like analysis Input hamming weight 19 Aug 2010 CHES 2010 @ Santa Barbara 16

Attack results against last round of PPRM1-AES Correlation All of the 16 key bytes can be identified clearly. Key guess 19 Aug 2010 CHES 2010 @ Santa Barbara 17

How much fault sensitivity data is needed? Less than 50 plaintexts (FS data) to obtain a 128-bit key. 19 Aug 2010 CHES 2010 @ Santa Barbara 18

How many times of fault injection? Which point is the fault sensitivity? 1 Success rate of fault injection 0 In our experiment Fre. of Clock C C Worst case: 120 times Fre. of Clock 19 Aug 2010 CHES 2010 @ Santa Barbara 19

CASE 2: FSA attacks against WDDL-AES Naturally immune to DFA attacks based on the setup-time violation. [2] Dual-Rail Precharge Logic Complementary wires: (ture,false) transient fault will erase the secret information at the output. WDDL is not perfectly immune to FSA attacks based on setup-time violation. 19 Aug 2010 CHES 2010 @ Santa Barbara 20

WDDL s Vulnerability against FSA (1/2) First of all, no clear correlation between input data and fault sensitivity. All types of gates are mixed up However, we observed a data dependence at the output. Imbalance of complementary wires leads to imbalance of critical path delays. 19 Aug 2010 CHES 2010 @ Santa Barbara 21

WDDL s Vulnerability against FSA (2/2) Assume Precharge value = 0 Delay_ture > Delay_false then (1,0) (0,0) happens easier than (0,1) (0,0). 1 is more sensitive than 0 WDDL Logic true false Vulnerability! Exploitable by DPA-like analysis Difficult to make perfect matching wires. 19 Aug 2010 CHES 2010 @ Santa Barbara 22

Attack result against WDDL-AES with 1200 plaintexts Correlation 3 of 16 key bytes can be identified. Key guess 19 Aug 2010 CHES 2010 @ Santa Barbara 23

CASE 3: FSA attacks against Satoh s AES Satoh s AES (CHES2008) High performance AES with Error-detection Scheme Successful FSA attack Self-Template FSA To be continued in the rump section. 19 Aug 2010 CHES 2010 @ Santa Barbara 24

Outline Differential Fault Analysis and its countermeasure Power-based Side-Channel Attacks DPA, CPA A New Fault-based Attack Fault Sensitivity Analysis (FSA) Some Case Studies on SASEBO-R FSA attack on PPRM1-AES FSA attack on WDDL-AES FSA attack on Satoh s AES (recent result) Conclusion 19 Aug 2010 CHES 2010 @ Santa Barbara 25

Conclusion A new side channel leakage: fault sensitivity FSA has a potential to bypass some fault attack countermeasures. Future work: FSA countermeasures (mask technique?) Stronger FSA attacks Try other types of FSA under other fault injection methods 19 Aug 2010 CHES 2010 @ Santa Barbara 26

References [1]G. Piret and J.-J. Quisquater. A Differential Fault Attack Technique against SPN Structures, with Application to the AES and KHAZAD. CHES 2003 [2] S. Guilley T. Graba N. Selmane, S. Bhasin and J.-L. Danger. WDDL is Protected Against Setup Time Violation Attacks. FDTC 2009 [3] Akashi Satoh, Takeshi Sugawara, Naofumi Homma, Takafumi Aoki: High-Performance Concurrent Error Detection Scheme for AES Hardware. CHES 2008 [4] S. Morioka and A. Satoh. An Optimized S-Box Circuit Architecture for Low Power AES Design. CHES2002 19 Aug 2010 CHES 2010 @ Santa Barbara 27

Thank you for your attentions! Questions? 19 Aug 2010 CHES 2010 @ Santa Barbara 28

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback