fault sensitivity analysis
play

Fault Sensitivity Analysis Yang Li, Kazuo Sakiyama, Shigeto - PowerPoint PPT Presentation

Jul 04, 2023 •1.79k likes •2.17k views

Fault Sensitivity Analysis Yang Li, Kazuo Sakiyama, Shigeto Gomisawa, Kazuo Ohta The University of Electro-Communications liyang@ice.uec.ac.jp Toshinori Fukunaga, Junko Takahashi NTT Information Sharing Platform Laboratories 19 Aug 2010 CHES

  1. Fault Sensitivity Analysis Yang Li, Kazuo Sakiyama, Shigeto Gomisawa, Kazuo Ohta The University of Electro-Communications liyang@ice.uec.ac.jp Toshinori Fukunaga, Junko Takahashi NTT Information Sharing Platform Laboratories 19 Aug 2010 CHES 2010 @ Santa Barbara 1

  2. Outline  Differential Fault Analysis and its countermeasure  Power-based Side-Channel Attacks  DPA, CPA  A New Fault-based Attack  Fault Sensitivity Analysis (FSA)  Some Case Studies on SASEBO-R  FSA attack on PPRM1-AES  FSA attack on WDDL-AES  FSA attack on Satoh’s AES (recent result)  Conclusion 19 Aug 2010 CHES 2010 @ Santa Barbara 2

  3. Differential Fault Analysis (DFA)  Basic idea  Make a differential path by fault injection  Get correct outputs and faulty outputs  Verify the differential path for each key candidate  General DFA attack requirements  Specific transient fault  Pairs of correct output and faulty output for the same input  General DFA countermeasures  Inherent resistance, prevent specific transient fault  e.g. WDDL [1]  Redundant calculation for error detection  e.g. Satoh’s AES [2] 19 Aug 2010 CHES 2010 @ Santa Barbara 3

  4. Outline  Differential Fault Analysis and its countermeasure  Power-based Side-Channel Attacks  DPA, CPA  A New Fault-based Attack  Fault Sensitivity Analysis (FSA)  Some Case Studies on SASEBO-R  FSA attack on PPRM1-AES  FSA attack on WDDL-AES  FSA attack on Satoh’s AES (recent result)  Conclusion 19 Aug 2010 CHES 2010 @ Santa Barbara 4

  5. Power-based Side-Channel Attacks  Basic idea  Power consumption depends on sensitive-data that is calculable with public variables and key guess  General attack procedures  Have a key guess  Calculate sensitive-data  Check the calculated data with recorded power consumption  Correct key guess matches the power consumption best!  Well-kown attacks  Correlation Power Analysis (CPA)  Differential Power Analysis (DPA) 19 Aug 2010 CHES 2010 @ Santa Barbara 5

  6. Outline  Differential Fault Analysis and its countermeasure  Power-based Side-Channel Attacks  DPA, CPA  A New Fault-based Attack  Fault Sensitivity Analysis (FSA)  Some Case Studies on SASEBO-R  FSA attack on PPRM1-AES  FSA attack on WDDL-AES  FSA attack on Satoh’s AES (recent result)  Conclusion 19 Aug 2010 CHES 2010 @ Santa Barbara 6

  7. General Introduction to FSA  Fault Sensitivity Analysis (FSA)  Fault-based  A new side channel leakage  Sensitive-data dependency for fault sensitivity  Similar Attack procedures to power-based attacks  Bypass some DFA countermeasures  What is Fault Sensitivity?  Sensitivity to the fault injection  E.g. Minimal clock frequency with correct output  Has data dependency  Can be used for key retrieval 19 Aug 2010 CHES 2010 @ Santa Barbara 7

  8. Review Fault Injection (The idea of FSA) Good Environment Input Output C Device (Key) C Threshold Change ( Side-channel Leakage) Fault Intensity Fault C’ Bad Environment Input Faulty Output C’ Device (Key) Works for different types of fault injection: overclock, low-power, laser 19 Aug 2010 CHES 2010 @ Santa Barbara 8

  9. Fault Sensitivity under an over-clock n n D in D out F/F Logic CLK Sensitive Data clk D in Critical Delay Timing illegal_clk1 illegal_clk2 Threshold as Fault Sensitivity 19 Aug 2010 CHES 2010 @ Santa Barbara 9

  10. Signal delays for AND gate  AND Gate (T X : delay time for signal X)  Assume T A < T B  When signal A=0, T C = T A + T AND (small)  When signal A=1, T C = T B + T AND (large)  T AND : Delay timing of AND gate B T A T B A Data Dependency !! T AND 0 input, small delay. C = A • B 19 Aug 2010 CHES 2010 @ Santa Barbara 10

  11. Signal delays for XOR gate  XOR Gate (T X : delay time for signal X)  Assume T A < T B  When signal A=0, T C = T B + T XOR  When signal A=1, T C = T B + T XOR  T XOR : Delay timing of XOR gate B T A T B A T XOR No Data Dependency !! C = A B 19 Aug 2010 CHES 2010 @ Santa Barbara 11

  12. How about an FSA Attack? FSA For Power-based attacks: Sensitive Data Attackers Key Fault Power Consumption Sensitivity 19 Aug 2010 CHES 2010 @ Santa Barbara 12

  13. FSA Attack Procedures  Collect pairs of public variables and fault sensitivity  Retrieval the key by the data analysis  Have a key guess  Calculate sensitive-data  Check the calculated data with recorded fault sensitivity  Directly apply the techniques in power analysis 19 Aug 2010 CHES 2010 @ Santa Barbara 13

  14. Case studies of FSA attacks FSA attack against PPRM1-AES FSA attack against WDDL-AES FSA attack against Satoh’s AES (recent work) 19 Aug 2010 CHES 2010 @ Santa Barbara 14

  15. CASE 1: FSA attacks against PPRM1-AES  PPRM1-AES: a low power AES implementation with “PPRM1 - Sbox” [4]  PPRM1 S-box PPRM1 S-box AND gate: 0 input, small delay. AND array … … AND array: XOR array More 0 inputs, smaller delay! 19 Aug 2010 CHES 2010 @ Santa Barbara 15

  16. As a result, for PPRM1 S-box More 0 inputs , Smaller delay!! Smaller hamming weight Less sensitive to overclock Fault sensitivity Typical Side Channel Leakage Exploitable by CPA-like analysis Input hamming weight 19 Aug 2010 CHES 2010 @ Santa Barbara 16

  17. Attack results against last round of PPRM1-AES Correlation Key guess All of the 16 key bytes can be identified clearly. 19 Aug 2010 CHES 2010 @ Santa Barbara 17

  18. How much fault sensitivity data is needed? Less than 50 plaintexts (FS data) to obtain a 128-bit key. 19 Aug 2010 CHES 2010 @ Santa Barbara 18

  19. How many times of fault injection?  Which point is the fault sensitivity? Success rate of fault injection 1 0 Fre. of Clock  In our experiment C’ C Fre. of Clock Worst case: 120 times 19 Aug 2010 CHES 2010 @ Santa Barbara 19

  20. CASE 2: FSA attacks against WDDL-AES  Naturally immune to DFA attacks based on the setup-time violation. [2]  Dual-Rail Precharge Logic  Complementary wires: (ture,false)  “transient” fault will erase the secret information at the output.  WDDL is not perfectly immune to FSA attacks based on setup-time violation. 19 Aug 2010 CHES 2010 @ Santa Barbara 20

  21. WDDL’s Vulnerability against FSA (1/2)  First of all, no clear correlation between input data and fault sensitivity.  All types of gates are mixed up  However, we observed a data dependence at the output.  Imbalance of complementary wires leads to imbalance of critical path delays. 19 Aug 2010 CHES 2010 @ Santa Barbara 21

  22. WDDL’s Vulnerability against FSA (2/2)  Assume  Precharge value = 0  Delay_ture > Delay_false  then (1,0)  (0,0) happens easier than (0,1)  (0,0).  1 is more sensitive than 0 true false Vulnerability! WDDL Logic Exploitable by DPA-like analysis Difficult to make perfect matching wires. 19 Aug 2010 CHES 2010 @ Santa Barbara 22

  23. Attack result against WDDL-AES with 1200 plaintexts Correlation 3 of 16 key bytes can be identified. Key guess 19 Aug 2010 CHES 2010 @ Santa Barbara 23

  24. CASE 3: FSA attacks against Satoh’s AES  Satoh’s AES (CHES2008)  High performance AES with Error-detection Scheme  Successful FSA attack  Self-Template FSA  To be continued in the rump section. 19 Aug 2010 CHES 2010 @ Santa Barbara 24

  25. Outline  Differential Fault Analysis and its countermeasure  Power-based Side-Channel Attacks  DPA, CPA  A New Fault-based Attack  Fault Sensitivity Analysis (FSA)  Some Case Studies on SASEBO-R  FSA attack on PPRM1-AES  FSA attack on WDDL-AES  FSA attack on Satoh’s AES (recent result)  Conclusion 19 Aug 2010 CHES 2010 @ Santa Barbara 25

  26. Conclusion  A new side channel leakage: fault sensitivity  FSA has a potential to bypass some fault attack countermeasures.  Future work:  FSA countermeasures (mask technique?)  Stronger FSA attacks  Try other types of FSA under other fault injection methods 19 Aug 2010 CHES 2010 @ Santa Barbara 26

  27. References  [1]G. Piret and J.-J. Quisquater. A Differential Fault Attack Technique against SPN Structures, with Application to the AES and KHAZAD. CHES 2003  [2] S. Guilley T. Graba N. Selmane, S. Bhasin and J.-L. Danger. WDDL is Protected Against Setup Time Violation Attacks. FDTC 2009  [3] Akashi Satoh, Takeshi Sugawara, Naofumi Homma, Takafumi Aoki: High-Performance Concurrent Error Detection Scheme for AES Hardware. CHES 2008  [4] S. Morioka and A. Satoh. An Optimized S-Box Circuit Architecture for Low Power AES Design. CHES2002 19 Aug 2010 CHES 2010 @ Santa Barbara 27

  28. Thank you for your attentions! Questions? 19 Aug 2010 CHES 2010 @ Santa Barbara 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK 2018, Kolkata, India 15 Nov 2018 Table of Contents 1. Introduction to Fault Attacks 2. Persistent Fault Analysis (PFA) 3. PFA on Fault

588 views • 19 slides
Bootstrapping Sensitivity analysis Qingyuan Zhao Statistical Laboratory, University of Cambridge

Bootstrapping Sensitivity analysis Qingyuan Zhao Statistical Laboratory, University of Cambridge

Bootstrapping Sensitivity analysis Qingyuan Zhao Statistical Laboratory, University of Cambridge August 3, 2020 @ JSM Sensitivity analysis The broader concept [Saltelli et al., 2004] Sensitivity analysis is the study of how the

477 views • 19 slides
Optimizing Fault Injection in FMI Co-Simulation through Sensitivity Partitioning Mehrdad Moradi,

Optimizing Fault Injection in FMI Co-Simulation through Sensitivity Partitioning Mehrdad Moradi,

Optimizing Fault Injection in FMI Co-Simulation through Sensitivity Partitioning Mehrdad Moradi, Cludio Gomes, Bentley James Oakes and Joachim Denil Summersim 2019 July 22, 2019 Berlin, Germany Outline Introduction Context and

404 views • 28 slides
Assessing Fault Sensitivity in MPI Applications Charng-Da Lu Daniel A. Reed Center for

Assessing Fault Sensitivity in MPI Applications Charng-Da Lu Daniel A. Reed Center for

Assessing Fault Sensitivity in MPI Applications Charng-Da Lu Daniel A. Reed Center for Computational Microsoft Research Research SUNY at Buffalo Outline Introduction background and motivations reliability challenges of large PC

336 views • 33 slides
Decision Aid Methodologies In Transportation Lecture 3: Duality and sensitivity analysis Duality

Decision Aid Methodologies In Transportation Lecture 3: Duality and sensitivity analysis Duality

Decision Aid Methodologies In Transportation Lecture 3: Duality and sensitivity analysis Duality Sensitivity Analysis Shadi SHARIF AZADEH Transport and Mobility Laboratory TRANSP-OR cole Polytechnique Fdrale de Lausanne EPFL Motivation

394 views • 26 slides
Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010

Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010

Differential Fault Analysis of HC-128 Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010 May 03-06, 2010, Stellenbosch, South Africa Differential Fault Analysis of HC-128 Outline Fault analysis

374 views • 24 slides
Sensitivity Analysis and Farkas Lemma Marco Chiarandini Department of Mathematics &amp; Computer

Sensitivity Analysis and Farkas Lemma Marco Chiarandini Department of Mathematics &amp; Computer

DM545 Linear and Integer Programming Lecture 6 Sensitivity Analysis and Farkas Lemma Marco Chiarandini Department of Mathematics &amp; Computer Science University of Southern Denmark Geometric Interpretation Sensitivity Analysis Outline

456 views • 28 slides
Sensitivity analysis for the outages of nuclear power plants Kengy Barty , Fr eric Bonnans

Sensitivity analysis for the outages of nuclear power plants Kengy Barty , Fr eric Bonnans

Introduction Study of the reference problem Sensitivity analysis Sensitivity analysis for the outages of nuclear power plants Kengy Barty , Fr eric Bonnans , and Laurent Pfeiffer ed INRIA Saclay and CMAP, Ecole

831 views • 32 slides
Data-driven sensitivity analysis for Matching estimators Giovanni Cerulli 1 1 IRCrES-CNR, Research

Data-driven sensitivity analysis for Matching estimators Giovanni Cerulli 1 1 IRCrES-CNR, Research

Sensitivity analysis for Matching Data-driven sensitivity analysis for Matching estimators Giovanni Cerulli 1 1 IRCrES-CNR, Research Institute on Sustainable Economic Growth London Stata Conference 2018 Cass Business School September 6-7 1 /

665 views • 25 slides
Can Fault Tree Analysis Technique Resolve Fault Isolation Ambiguity? Alpana Gangopadhyaya

Can Fault Tree Analysis Technique Resolve Fault Isolation Ambiguity? Alpana Gangopadhyaya

Reliability Maintenance and Managing Risk Conference 2019 Can Fault Tree Analysis Technique Resolve Fault Isolation Ambiguity? Alpana Gangopadhyaya Supportability Systems Engineer Northrop Grumman Alpana.Gangopadhyaya@ngc.com Phone Number

466 views • 18 slides
RTNS: Scheduling Analysis under Fault Bursts Florian Many, Frdric Boniol, David Doose 5

RTNS: Scheduling Analysis under Fault Bursts Florian Many, Frdric Boniol, David Doose 5

Introduction Fault Model Strategies Scheduling Analysis Performance Conclusions RTNS: Scheduling Analysis under Fault Bursts Florian Many, Frdric Boniol, David Doose 5 November 2010 RTNS: Scheduling Analysis under Fault Bursts 1 / 25

259 views • 21 slides
Global Sensitivity Analysis in Stochastic Systems Olivier Le Matre, Omar Knio LIMSI CNRS,

Global Sensitivity Analysis in Stochastic Systems Olivier Le Matre, Omar Knio LIMSI CNRS,

Variance-Based Sensitivity Analysis for SODEs Stochastic Simulators Conclusions Global Sensitivity Analysis in Stochastic Systems Olivier Le Matre, Omar Knio LIMSI CNRS, Orsay, France KAUST, Saudi-Arabia Duke University, Durham, North

981 views • 49 slides
Uncertainty, Stochastics &amp; Sensitivity Analysis Nathaniel Osgood Agent-Based Modeling

Uncertainty, Stochastics &amp; Sensitivity Analysis Nathaniel Osgood Agent-Based Modeling

Uncertainty, Stochastics &amp; Sensitivity Analysis Nathaniel Osgood Agent-Based Modeling Bootcamp for Health Researchers August 23, 2011 Types of Sensitivity Analyses Variables involved Type of variation One-way Single

375 views • 16 slides
Gaussian process regression for Sensitivity analysis GPSS Workshop on UQ, Sheffield, September

Gaussian process regression for Sensitivity analysis GPSS Workshop on UQ, Sheffield, September

Introduction FANOVA Pol. Chaos GPR Sensitivity Analysis Conclusion Gaussian process regression for Sensitivity analysis GPSS Workshop on UQ, Sheffield, September 2016 Nicolas Durrande, Mines St-tienne, durrande@emse.fr GPSS workshop on

830 views • 43 slides
Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier, Xiaolu Hou and Yang Liu 10 September 2018 1 / 25 Table of Contents Background and Motivation 1 Overview of DATAC DFA Automation Tool for

727 views • 25 slides
Estimating the Accuracy of Dynamic Change-impact Analysis using Sensitivity Analysis Haipeng Cai

Estimating the Accuracy of Dynamic Change-impact Analysis using Sensitivity Analysis Haipeng Cai

Estimating the Accuracy of Dynamic Change-impact Analysis using Sensitivity Analysis Haipeng Cai Raul Santelices Tianyu Xu* University of Notre Dame, USA * Fudan University, China Supported by ONR Award N000141410037 SERE 2014

483 views • 29 slides
Differential Fault Analysis of Trivium Michal Hojsk 1 , 3 and Bohuslav Rudolf 2 , 3 1The Selmer

Differential Fault Analysis of Trivium Michal Hojsk 1 , 3 and Bohuslav Rudolf 2 , 3 1The Selmer

Differential Fault Analysis of Trivium Michal Hojsk 1 , 3 and Bohuslav Rudolf 2 , 3 1The Selmer Center, University of Bergen, Norway 2National Security Authority, Czech Republic 3Department of Algebra, Charles University in Prague, Czech

390 views • 19 slides
A study of microjets Fr ed eric Dreyer work in progress with Gavin Salam, Matteo Cacciari,

A study of microjets Fr ed eric Dreyer work in progress with Gavin Salam, Matteo Cacciari,

A study of microjets Fr ed eric Dreyer work in progress with Gavin Salam, Matteo Cacciari, Mrinal Dasgupta &amp; Gregory Soyez eorique et Hautes Laboratoire de Physique Th Energies LHCPhenoNet Paris, June 2014 Outline Introduction

565 views • 45 slides
Contents: 1. Introduction 1.1 Hybrid Video Coding 1.2 Object Oriented Coding 1.3 Advanced

Contents: 1. Introduction 1.1 Hybrid Video Coding 1.2 Object Oriented Coding 1.3 Advanced

The Hong Kong Polytechnic University Department of Electronic and Information Engineering, Centre for Multimedia Signal Processing Prof. W.C. Siu, Chair Professor and Centre Director 8 June, 2008 ICNNSP2008: IEEE International Conference on

685 views • 40 slides
STRUCTURE INTO MACHINE LEARNING TRINITY OF AI ALGORITHMS COMPUTE DATA 2 DEEP LEARNING IS

STRUCTURE INTO MACHINE LEARNING TRINITY OF AI ALGORITHMS COMPUTE DATA 2 DEEP LEARNING IS

Anima Anandkumar BEYOND BLACK BOXES: INFUSING STRUCTURE INTO MACHINE LEARNING TRINITY OF AI ALGORITHMS COMPUTE DATA 2 DEEP LEARNING IS DATA-HUNGRY STRUCTURE-INFUSED LEARNING Learning Data Priors = + Learning Data Priors = + How

579 views • 44 slides
Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max

Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max

DFT 2013 Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max Dutertre Assia Tria Outline Introduction State-of-the-art of the Round Reduction Analysis Theory of our attacks and the realizations

591 views • 14 slides
Explaining Differential Fault Analysis on DES Christophe Clavier Michael Tunstall 5/18/2006

Explaining Differential Fault Analysis on DES Christophe Clavier Michael Tunstall 5/18/2006

Explaining Differential Fault Analysis on DES Christophe Clavier Michael Tunstall 5/18/2006 References Bull &amp; Innovatron Patents 2 Fault I njection Equipment: Laser 3 Bull &amp; Innovatron Patents Fault I njection Equipment: CLI O

423 views • 39 slides
Automatic Search for Linear Trails of the SPECK Family Yuan Yao 1 , 2 Bin Zhang 2 Wenling Wu 2 1

Automatic Search for Linear Trails of the SPECK Family Yuan Yao 1 , 2 Bin Zhang 2 Wenling Wu 2 1

Introduction Linear Cryptanalysis Against SPECK An Implementation of Wallns Algorithm Summary Automatic Search for Linear Trails of the SPECK Family Yuan Yao 1 , 2 Bin Zhang 2 Wenling Wu 2 1 TCA Laboratory, Institute of Software, Chinese

531 views • 41 slides
Differential Power Analysis (DPA) With Key Ranking and Enumeration Martijn Stam COINS

Differential Power Analysis (DPA) With Key Ranking and Enumeration Martijn Stam COINS

Differential Power Analysis (DPA) With Key Ranking and Enumeration Martijn Stam COINS Winterschool in Finse, May 2019 The Rise of Side-Channels The Ideal World 2 Modern Cryptology From Katz and Lindells Classic Textbook Three Principles

913 views • 46 slides

More recommend