Attaques en fautes globales et locales sur les cryptoprocesseurs AES : mise en œuvre et contremesures (Global and local fault attacks on AES cryptoprocessors: implementation and countermeasures). Defense scheduled for 13 December 2010 before the jury composed of David NACCACHE
2011 IEEE International Symposium on Hardware-Oriented Security and Trust, 2011
Cryptographic implementations are vulnerable to physical attacks. Many countermeasures to resist them have been proposed in the past. However, they are all specific to a given attacker and mitigate the risk only up to a certain level: improved attacks on those countermeasures can most of the time be devised. Therefore, a new trend consists in making cryptographic implementations resilient to physical attacks. This strategy makes it possible to prove the countermeasure against all possible types of attackers captured by a security model. Several resilient schemes for the protection of block ciphers exist. For a given security objective, they all reach the same security level. Therefore, they differ only in their efficiency. We first show that the genuine versions of these protocols achieve different I/O bandwidth and computational performance. Our second contribution is to improve those protocols thanks to message blinding, assuming passive attacks require more than two traces to be successful. Then, as a third contribution, we show that the improved versions of the protocols are very much alike, and that the difference between them depends only on the specific details of their instantiation.
2009 International Conference on Reconfigurable Computing and FPGAs, 2009
The main challenge when implementing cryptographic algorithms in hardware is to protect them against attacks that directly target the device. Two strategies are customarily employed by malevolent adversaries: observation and perturbation attacks, also called SCA and DFA in the abundant scientific literature on this topic. Numerous research efforts have been carried out to defeat either SCA or DFA. However, few publications deal with concomitant protection against both threats. The current consensus is to devise algorithmic countermeasures to DFA and subsequently to synthesize the DFA-protected design thanks to a DPA-resistant CAD flow. In this article, we put to the fore that this approach is the best neither in terms of performance nor of relevance. Notably, the contribution of this paper is to demonstrate that the strongest SCA countermeasure known so far, namely the dual-rail with precharge logic styles that do not evaluate early (EE), surprisingly turn out to be almost natively immune to most DFAs. Therefore, unexpected two-in-one solutions against SCA and DFA indeed exist and deserve closer attention, because they ally simplicity with efficiency. In particular, we illustrate a logic style, called WDDL w/o EE, and a design flow that realizes in practice one possible combined DPA and DFA countermeasure especially suited for reconfigurable hardware.
2008 5th Workshop on Fault Diagnosis and Tolerance in Cryptography, 2008
This article presents a family of cryptographic ASICs, called SecMat, designed in CMOS 130 nanometer technology by the authors with the help of STMicroelectronics. The purpose of these prototype circuits is to experiment with the published "implementation-level" attacks (SPA, DPA, EMA, templates, DFA). We report our conclusions about the practicability of these attacks: which ones are the simplest to mount, and which ones require more skill, time, equipment, etc. The potential of FPGAs as security evaluation commodities at design time is also detailed. Then, we discuss "dual counter-measures", which are meant to resist both passive and active attacks. This study started four years ago with TIMA (Grenoble), in the framework of the project MARS. We highlight some research directions towards dependable and cost-effective dual countermeasures.
2009 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), 2009
In order to protect crypto-systems against side channel attacks, various countermeasures have been implemented such as dual-rail logic or masking. Fault attacks are a powerful tool to break some implementations of robust cryptographic algorithms such as AES and DES. Various kinds of fault attack scenarios have been published. However, very few publications available in the public literature detail the practical realization of such attacks. In this paper we present the results of a practical fault attack on AES in WDDL and its comparison with its non-protected equivalent. The practical faults on an FPGA running an AES encryptor are realized by under-powering it and further exploited using Piret's attack. The results show that WDDL is protected against setup violation attacks by construction, because a faulty bit is replaced by a null bit in the ciphertext. Therefore, the fault leaks no exploitable information. We also give a theoretical model for the above results. Other references have already studied the potential of fault protection of the resynchronizing gates (delay-insensitive). In this paper, we show that non-resynchronizing gates (hence combinatorial DPL such as WDDL) are natively immune to setup time violation attacks.
2008 Seventh European Dependable Computing Conference, 2008
Fault attacks are a powerful tool to break some implementations of robust cryptographic algorithms such as AES and DES. Various methods of fault attack on cryptographic systems have been discovered and researched. However, to the authors' knowledge, all the attacks published so far use a theoretical model of faults. In this paper we prove that we are able to reproduce
2010 Workshop on Fault Diagnosis and Tolerance in Cryptography, 2010
Fault injections constitute a major threat to the security of embedded systems. Errors in cryptographic algorithms have been shown to be extremely dangerous, since powerful attacks can exploit a few of them to recover the full secrets. Most of the resistance techniques to fault attacks have relied so far on the detection of faults. We present in this paper another strategy, based on resilience against fault attacks. The core idea is to allow an erroneous result to be output, but with the assurance that this faulty information conveys no information about the chip's secrets. We first underline the benefits of FIR: false positives are never raised; secrets are not erased uselessly in case of fault injection, which increases the card lifespan if the fault is natural and not malevolent; and there is a high potential of resistance even in the context of multiple faults. Then we illustrate two families of fault injection resilience (FIR) schemes suitable for symmetric encryption. The first family is a protocol-level scheme that can be formally proved resilient. The second family mobilizes a special logic level. We notably detail how a countermeasure of this latter family, namely the dual-rail with precharge logic style, can protect against both active and passive attacks, thereby bringing a combined global protection of the device. The cost of this logic is evaluated as lower than detection schemes. Finally, we also give some ideas about the modalities of adjunction of FIR to some certification schemes.
2008 New Technologies, Mobility and Security, 2008
... In some cases, even the secret enciphering key can be computed without breaking the algorithm. This paper presents and analyzes the execution of the fault injection attack proposed by Piret and Quisquater in [?] against an FPGA implementation of the AES algorithm. ...
... Shivam Bhasin, Sylvain Guilley, Florent Flament, Nidhal Selmane, Jean-Luc Danger. Institut TELECOM / TELECOM ParisTech, CNRS LTCI (UMR 5141), Departement COMELEC ... As shown in figure 2, a WDDL AND gate consists of an AND gate (G) and a complementary OR gate ...
Papers by Nidhal Selmane