Fault attack on AES with single-bit induced faults
Guido Bertoni2010, 2010 6th International Conference on Information Assurance and Security, IAS 2010
Sign up for access to the world's latest research
checkGet notified about relevant papers
checkSave papers to use in your research
checkJoin the discussion with peers
checkTrack your impact
Abstract
This work presents a differential fault attack against AES employing any key size, regardless of the key scheduling strategy. The presented attack relies on the injection of a single bit flip, and is able to check for the correctness of the injection of the fault a posteriori. This fault model nicely fits the one obtained through underfeeding a computing device employing a low cost tunable power supply unit. This fault injection technique, which has been successfully applied to hardware implementations of AES, receives a further validation in this paper where the target computing device is a system-on-chip based on the widely adopted ARM926EJ-S CPU core. The attack is successfully carried out against two different devices, etched in two different technologies (a generic 130nm and a low-power oriented 90nm library), running a software implementation of AES-192 and AES-256 and has been reproduced on multiple instances of the same chip.
Related papers
Exploring the feasibility of low cost fault injection attacks on sub-threshold devices through an example of a 65nm AES implementation
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2012
The continuous scaling of VLSI technology and the aggressive use of low power strategies (such as subthreshold voltage) make it possible to implement standard cryptographic primitives within the very limited circuit and power budget of RFID devices. On the other hand, such cryptographic implementations raise concerns regarding their vulnerability to both active and passive side channel attacks. In particular, when focusing on RFID targeted designs, it is important to evaluate their resistance to low cost physical attacks. A common low cost fault injection attack is the one which is induced by insufficient supply voltage of the chip with the goal of causing setup time violations. This kind of fault attack relies on the possibility of gracefully degrading the performance of the chip. It is however, unclear whether this kind of low cost attack is feasible in the case of low voltage design since a reduction of the voltage may result in a catastrophic failure of the device rather than an isolated setup violation. Furthermore, the effect that process variations may have on the fault model used by the attacker and consequently the success probability of the attack, are unknown. In this paper, we investigate these issues by evaluating the resistance to low cost fault injection attacks of chips implementing the AES cipher that were manufactured using a 65nm low power library and operate at subthreshold voltage. We show that it is possible to successfully breach the security of a custom implementation of the AES cipher. Our experiments have taken into account the expected process variations through testing of multiple samples of the chip. To the best of our knowledge, this work is the first attempt to explore the resistance against low cost fault injection attacks on devices that operate at subthreshold voltage and are very susceptible to process variations.
Low voltage fault attacks to AES and RSA on general purpose processors.” Cryptology ePrint Archive, Report 2010/130
2010
Abstract—Fault injection attacks have proven in recent times a powerful tool to exploit implementative weaknesses of robust cryptographic algorithms. A number of different techniques aimed at disturbing the computation of a cryptographic primitive have been devised, and have been successfully employed to leak secret information inferring it from the erroneous results. In particular, many of these techniques involve directly tampering with the computing device to alter the content of the embedded memory, e.g. through irradiating it with laser beams. In this contribution we present a low-cost, non-invasive and effective technique to inject faults in an ARM9 general purpose CPU through lowering its feeding voltage. This is the first result available in fault attacks literature to attack a software implementation of a cryptosystem running on a full fledged CPU with a complete operating system. The platform under
Low voltage fault attacks to AES
Proceedings of the 2010 IEEE International Symposium on Hardware-Oriented Security and Trust, HOST 2010, 2010
This paper presents a new fault based attack on the Advanced Encryption Standard (AES) with any key length, together with its practical validation through the use of low voltage induced faults. The CPU running the attacked algorithm is the ARM926EJ-S: a 32-bit processor widely deployed in computer peripherals, telecommunication appliances and low power portable devices. We prove the practical feasibility of this attack through inducing faults in the computation of the AES algorithm running on a full fledged Linux 2.6 operating system targeted to two implementations of the ARM926EJ-S on commercial development boards.
Low voltage fault attacks to AES and RSA on general purpose processors
2010
Fault injection attacks have proven in recent times a powerful tool to exploit implementative weaknesses of robust cryptographic algorithms. A number of different techniques aimed at disturbing the computation of a cryptographic primitive have been devised, and have been successfully employed to leak secret information inferring it from the erroneous results. In particular, many of these techniques involve directly tampering with the computing device to alter the content of the embedded memory, e.g. through irradiating it with laser beams.
Differential fault analysis of AES using a single multiple-byte fault
2010
In this paper we present an improved fault attack on the Advanced Encryption Standard (AES). This paper presents an improvement on a recently published differential fault analysis of AES that requires one fault to recover the secret key being used. This attack requires that one byte entering into the eighth round is corrupted. We show that the attack is possible where more than one byte has been affected. Experimental results are described where a fault is injected using a glitch in the clock, demonstrating that this attack is practical.
Fault Injection Attacks on Cryptographic Devices: Theory, Practice, and Countermeasures
Proceedings of the IEEE, 2000
Implementations of cryptographic algorithms continue to proliferate in consumer products due to the increasing demand for secure transmission of confidential information. Although the current standard cryptographic algorithms proved to withstand exhaustive attacks, their hardware and software implementations have exhibited vulnerabilities to side channel attacks, e.g., power analysis and fault injection attacks. This paper focuses on fault injection attacks that have been shown to require inexpensive equipment and a short amount of time. The paper provides a comprehensive description of these attacks on cryptographic devices and the countermeasures that have been developed against them. After a brief review of the widely used cryptographic algorithms, we classify the currently known fault injection attacks into low cost ones (which a single attacker with a modest budget can mount) and high cost ones (requiring highly skilled attackers with a large budget). We then list the attacks that have been developed for the important and commonly used ciphers and indicate which ones have been successfully used in practice. The known countermeasures against the previously described fault injection attacks are then presented, including intrusion detection and fault detection. We conclude the survey with a discussion on the interaction between fault injection attacks (and the corresponding countermeasures) and power analysis attacks.
Differential Fault Attacks against AES Tampering with the Instruction Flow
Proceedings of the 11th International Conference on Security and Cryptography, 2014
Most of the attacks against the Advanced Encryption Standard based on faults mainly aim at either altering the temporary value of the message or key during the computation. Few other attacks tamper the instruction flow in order to reduce the number of round iterations to one or two. In this work, we extend this idea and present fault attacks against the AES algorithm that exploit the misbehavior of the instruction flow during the last round. In particular, we consider faults that cause the algorithm to skip, repeat or corrupt one of the four AES round functions. In principle, these attacks are applicable against both software and hardware implementations, by targeting the execution of instructions or the control logic. As conclusion countermeasures against fault attacks must also cover the instruction flow and not only the processed data. a a A shorter version of this paper has been published in the Proceedings of SECRYPT 2014
Fault-based attacks on cryptographic hardware
2013 IEEE 16th International Symposium on Design and Diagnostics of Electronic Circuits & Systems (DDECS), 2013
Mobile and embedded systems increasingly process sensitive data, ranging from personal information including health records or financial transactions to parameters of technical systems such as car engines. Cryptographic circuits are employed to protect these data from unauthorized access and manipulation. Fault-based attacks are a relatively new threat to system integrity. They circumvent the protection by inducing faults into the hardware implementation of cryptographic functions, thus affecting encryption and/or decryption in a controlled way. By doing so, the attacker obtains supplementary information that she can utilize during cryptanalysis to derive protected data, such as secret keys. In the recent years, a large number of fault-based attacks and countermeasures to protect cryptographic circuits against them have been developed. However, isolated techniques for each individual attack are no longer sufficient, and a generic protective strategy is lacking.
Breaking Redundancy-Based Countermeasures with Random Faults and Power Side Channel
2018 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC)
Redundancy based countermeasures against fault attacks are a popular choice in security-critical commercial products, owing to its high fault coverage and applications to safety/reliability. In this paper, we propose a combined attack on such countermeasures. The attack assumes a random byte/nibble fault model with existence of side-channel leakage of the final comparison, and no knowledge of the faulty ciphertext. Unlike the previously proposed biased/multiple fault attack, we just need to corrupt one computation branch. Both analytical and experimental evaluation of this attack strategy is presented on software implementations of two state-of-the-art block ciphers, AES and PRESENT, on an ATmega328P microcontroller, via side-channel measurements and a laser-based fault injection. Moreover, this work establishes that even without the knowledge of the faulty ciphertexts, one can still perform differential fault analysis attacks, given the availability of side-channel information.
Stratification of Hardware Attacks: Side Channel Attacks and Fault Injection Techniques
SN Computer Science
Cryptographic devices have many encrypted and secured solutions to protect them against hardware attacks. Hardware designers spent huge amount of time and effort in implementing cryptographic algorithms, keeping the analysis of design constraints into consideration. Engineers face a challenge for building resistant-free embedded system against attacks called as side channel attacks. Therefore, there is a strong need to address issues related to side channel attacks. This paper is a review into the field of hardware security that will provide a deep investigation of types of side channel attacks and fault injection techniques with some real life examples further enhancing the researcher's vision to build efficient and secure systems to thwart attacks. Researchers will also be acquainted with some countermeasures against various attacks. Lastly, we have also discussed some future perspective that can give upcoming researchers a new domain to work on.
Design and characterisation of an AES chip embedding countermeasures
International Journal of Intelligent Engineering Informatics, 2011
In critical communication infrastructures, hardware accelerators are often used to speed up cryptographic calculations. Their resistance to physical attacks determines how secure the overall infrastructure is. In this paper, we describe the implementation and characterisation of an AES accelerator embedding security features against physical attacks. This AES chip is implemented in HCMOS9gp 130nm STM technology. The countermeasure is based on duplication and works on complemented values in parallel. The chip was tested against side channel attacks showing the efficiency of the proposed countermeasure against such attacks. Fault injection tests based on the use of local laser shoots showed that the fault detection mechanism did indeed react as expected. However, using clock set-up time violations, 80% of the secret key were retrieved in less than 40 hours, thus illustrating the limits of the duplication counter-measure against a global fault attack which was published after the chip was designed.
A Generalized Method of Differential Fault Attack Against AES Cryptosystem
Cryptographic Hardware and Embedded Systems, 2006
In this paper we describe two differential fault attack techniques against Advanced Encryption Standard (AES). We propose two models for fault occurrence; we could find all 128 bits of key using one of them and only 6 faulty ciphertexts. We need approximately 1500 faulty ciphertexts to discover the key with the other fault model. Union of these models covers all faults that can occur in the 9th round of encryption algorithm of AES-128 cryptosystem. One of main advantage of proposed fault models is that any fault in the AES encryption from start (AddRoundKey with the main key before the first round) to MixColumns function of 9th round can be modeled with one of our fault models. These models cover all states, so generated differences caused by diverse plaintexts or ciphertexts can be supposed as faults and modeled with our models. It establishes a novel technique to cryptanalysis AES without side channel information. The major difference between these methods and previous ones is on the assumption of fault models. Our proposed fault models use very common and general assumption for locations and values of occurred faults.
Differential Fault Analysis of AES-128 Key Schedule Using a Single Multi-byte Fault
Lecture Notes in Computer Science, 2011
In this paper we propose an improved multi-byte differential fault analysis of AES-128 key schedule using a single pair of fault-free and faulty ciphertexts. We propose a four byte fault model where the fault is induced at ninth round key. The induced fault corrupts all the four bytes of the first column of the ninth round key which subsequently propagates to the entire tenth round key. The elegance of the proposed attack is that it requires only a single faulty ciphertext and reduce the search space of the key to 2 32 possible choices. Using two faulty ciphertexts the attack uniquely determines the key. The attack improves the existing DFA of AES-128 key schedule, which requires two faulty ciphertexts to reduce the key space of AES-128 to 2 32 , and four faulty ciphertexts to uniquely retrieve the key. Therefore, the proposed attack is more lethal than the existing attack as it requires lesser number of faulty ciphertexts. The simulated attack takes less than 20 minutes to reveal 128-bit secret key; running on a 8 core Intel Xeon E5606 processor at 2.13 GHz speed.
Can knowledge regarding the presence of countermeasures against fault attacks simplify power attacks on cryptographic devices?
2008
Side-channel attacks are nowadays a serious concern when implementing cryptographic algorithms. Powerful ways for gaining information about the secret key as well as various countermeasures against such attacks have been recently developed. Although it is well known that such attacks can exploit information leaked from different sources, most prior works have only addressed the problem of protecting a cryptographic device against a single type of attack. Consequently, there is very little knowledge on how a scheme for protecting a device against one type of side-channel attack may affect its vulnerability to other types of side-channel attacks. In this paper we focus on devices that include protection against fault injection attacks (using different error detection schemes) and explore whether the presence of such fault detection circuits affects the resistance against attacks based on power analysis. Using the AES S-Box as an example, we performed attacks on the unprotected implementation as well as modified implementations with parity check circuits or residue check circuits (mod3 and mod7). In particular, we focus on the question whether the knowledge of the presence of error detection circuitry in the cryptographic device can help an attacker who attempts to mount a power attack on the device. Our results show that the presence of error detection circuitry helps the attacker even if he is unaware of this circuitry, and that the benefit to the attacker increases with the number of check bits used for the purpose of error detection.
A fault-resistant implementation of AES using differential bytes between input and output
The Journal of Supercomputing, 2014
Pervasive computing environments focus on integrating computing and communications with the surrounding physical environment. As a potential threat in the physical environment, fault attacks using the injection of practical faults have been introduced for extracting secret keys stored in low-cost devices. In particular, the advanced encryption standard (AES) has been broken by various fault attacks, and satisfactory countermeasures have yet to be introduced. This paper proposes a new countermeasure that can prevent fault attacks by verifying differential bytes of input and output in the encryption process and the key expansion process, respectively. The results of computer simulations and fault injection experiments verify that the proposed countermeasure against fault attacks outperforms existing countermeasures in terms of fault detection and efficiency.
Power-based Side Channel Analysis and Fault Injection: Hacking Techniques and Combined Countermeasure
International Journal of Advanced Computer Science and Applications, 2021
Over the last years, physical attacks have been massively researched due to their capability to extract secret information from cryptographic engine. These hacking techniques are based on exploiting information from physical implementations instead of cryptographic algorithm flaws. Faultinjection attacks (FA) and Side-channel analysis (SCA) are the most popular techniques of implementation attacks. Aiming to secure cryptographic devices against such attacks, many studies have proposed a variety of developed and sophisticated countermeasures. Hence, the majority of these secured approaches are used for precise and single attack and it is difficult to thwart hybrid attack, such as combined power and fault attacks. In this work, the Advanced Encryption Standard is used as a case study in order to analyse the most well-known physical-based Hacking techniques: Differential Fault Analysis (DFA) and Correlation Power Analysis (CPA). Consequently, with the knowledge of such contemporary hac...
Countermeasures against fault attacks on software implemented AES: Effectiveness and cost
2010
In this paper we present software countermeasures specifically designed to counteract fault injection attacks during the execution of a software implementation of a cryptographic algorithm and analyze the efficiency of these countermeasures. We propose two approaches based on the insertion of redundant computations and checks, which in their general form are suitable for any cryptographic algorithm. In particular, we focus on selective instruction duplication to detect single errors, instruction triplication to support error correction, and parity checking to detect corruption of a stored value. We developed a framework to automatically add the desired countermeasure, and we support the possibility to apply the selected redundancy to either all the instructions of the cryptographic routine or restrict it to the most sensitive ones, such as table lookups and key fetching. Considering an ARM processor as a target platform and AES as a target algorithm, we evaluate the overhead of the proposed countermeasures while keeping the robustness of the implementation high enough to thwart most or all of the known fault attacks. Experimental results show that in the considered architecture, the solution with the smallest overhead is per-instruction selective doubling and checking, and that the instruction triplication scheme is a viable alternative if very high levels of injected fault resistance are required.
Security Analysis of Aes Using Functionality Fault Model
Journal of Circuits, Systems and Computers, 2007
Security of cryptographic circuits is a major concern. Smartcards are targeted by sophisticated attacks like fault attacks that combine physical disturbance and cryptanalysis. We propose a methodology and a tool (PAFI) to analyze the robustness of circuits under fault attacks using fault injection in simulation. The number of injections is reduced by taking into account the function of the latches in the whole circuit. We tested a circuit implementing the cryptosystem AES and showed that our approach reduces the number of fault injections to be performed (- 80%). Moreover, most of the selected injection points are the ones that lead to known fault attacks (95%).
Fault analysis attack on an FPGA AES implementation
New Technologies, Mobility and Security Conference and Workshops, NTMS 2008, 2008
Hardware implementation of cryptographic algorithms are widely used to secure wireless networks. They guarantee good security performance at low processing and energy costs. However, unlike traditional implementations, they are vulnerable to side channel attacks. Particularly, fault attacks have proved their efficiency in cracking hardware implementation of some robust symmetric and asymmetric encryption algorithms. In this paper, we develop an FPGA version of the attack proposed by Piret and Quisquater in [?] against the AES (Advanced Encryption Standard) algorithm. Through temporal and spatial analyses of the rounds that have been affected by the fault injection process, we adapt the aforementioned attack to our context. The results obtained in this paper can serve to design a more secure FPGA implementation of AES. http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=4689099
Meet-in-the-Middle and Impossible Differential Fault Analysis on AES
Lecture Notes in Computer Science, 2011
Since the early work of Piret and Quisquater on fault attacks against AES at CHES 2003, many works have been devoted to reduce the number of faults and to improve the time complexity of this attack. This attack is very efficient as a single fault is injected on the third round before the end, and then it allows to recover the whole secret key in 2 32 in time and memory. However, since this attack, it is an open problem to know if provoking a fault at a former round of the cipher allows to recover the key. Indeed, since two rounds of AES achieve a full diffusion and adding protections against fault attack decreases the performance, some countermeasures propose to protect only the three first and last rounds. In this paper, we give an answer to this problem by showing two practical cryptographic attacks on one round earlier of AES-128 and for all keysize variants. The first attack requires 10 faults and its complexity is around 2 40 in time and memory, an improvement allows only 5 faults and its complexity in memory is reduced to 2 24 while the second one requires either 1000 or 45 faults depending on fault model and recovers the secret key in around 2 40 in time and memory.
Loading Preview
Sorry, preview is currently unavailable. You can download the paper by clicking the button above.