Fault Sensitivity Analysis Yang Li, Kazuo Sakiyama, Shigeto - - PowerPoint PPT Presentation

fault sensitivity analysis
SMART_READER_LITE
LIVE PREVIEW

Fault Sensitivity Analysis Yang Li, Kazuo Sakiyama, Shigeto - - PowerPoint PPT Presentation

Jul 04, 2023 1.79k likes •2.17k views

Fault Sensitivity Analysis Yang Li, Kazuo Sakiyama, Shigeto Gomisawa, Kazuo Ohta The University of Electro-Communications liyang@ice.uec.ac.jp Toshinori Fukunaga, Junko Takahashi NTT Information Sharing Platform Laboratories 19 Aug 2010 CHES

slide-1
SLIDE 1

19 Aug 2010 CHES 2010 @ Santa Barbara 1

Fault Sensitivity Analysis

Yang Li, Kazuo Sakiyama, Shigeto Gomisawa, Kazuo Ohta The University of Electro-Communications liyang@ice.uec.ac.jp Toshinori Fukunaga, Junko Takahashi NTT Information Sharing Platform Laboratories

slide-2
SLIDE 2

19 Aug 2010 CHES 2010 @ Santa Barbara 2

Outline

 Differential Fault Analysis and its countermeasure  Power-based Side-Channel Attacks

 DPA, CPA

 A New Fault-based Attack

 Fault Sensitivity Analysis (FSA)  Some Case Studies on SASEBO-R

 FSA attack on PPRM1-AES  FSA attack on WDDL-AES  FSA attack on Satoh’s AES (recent result)

 Conclusion

slide-3
SLIDE 3

19 Aug 2010 CHES 2010 @ Santa Barbara 3

Differential Fault Analysis (DFA)

 Basic idea

 Make a differential path by fault injection  Get correct outputs and faulty outputs  Verify the differential path for each key candidate

 General DFA attack requirements

 Specific transient fault  Pairs of correct output and faulty output for the same input

 General DFA countermeasures

 Inherent resistance, prevent specific transient fault  e.g. WDDL [1]  Redundant calculation for error detection  e.g. Satoh’s AES [2]

slide-4
SLIDE 4

19 Aug 2010 CHES 2010 @ Santa Barbara 4

Outline

 Differential Fault Analysis and its countermeasure  Power-based Side-Channel Attacks

 DPA, CPA

 A New Fault-based Attack

 Fault Sensitivity Analysis (FSA)  Some Case Studies on SASEBO-R

 FSA attack on PPRM1-AES  FSA attack on WDDL-AES  FSA attack on Satoh’s AES (recent result)

 Conclusion

slide-5
SLIDE 5

19 Aug 2010 CHES 2010 @ Santa Barbara 5

Power-based Side-Channel Attacks

 Basic idea

 Power consumption depends on sensitive-data that is calculable

with public variables and key guess

 General attack procedures

 Have a key guess  Calculate sensitive-data  Check the calculated data with recorded power consumption

 Correct key guess matches the power consumption best!  Well-kown attacks

 Correlation Power Analysis (CPA)  Differential Power Analysis (DPA)

slide-6
SLIDE 6

19 Aug 2010 CHES 2010 @ Santa Barbara 6

Outline

 Differential Fault Analysis and its countermeasure  Power-based Side-Channel Attacks

 DPA, CPA

 A New Fault-based Attack

 Fault Sensitivity Analysis (FSA)  Some Case Studies on SASEBO-R

 FSA attack on PPRM1-AES  FSA attack on WDDL-AES  FSA attack on Satoh’s AES (recent result)

 Conclusion

slide-7
SLIDE 7

19 Aug 2010 CHES 2010 @ Santa Barbara 7

General Introduction to FSA

 Fault Sensitivity Analysis (FSA)

 Fault-based  A new side channel leakage

 Sensitive-data dependency for fault sensitivity  Similar Attack procedures to power-based attacks

 Bypass some DFA countermeasures

 What is Fault Sensitivity?

 Sensitivity to the fault injection  E.g. Minimal clock frequency with correct output  Has data dependency

 Can be used for key retrieval

slide-8
SLIDE 8

19 Aug 2010 CHES 2010 @ Santa Barbara 8

C’ C Review Fault Injection (The idea of FSA)

Good Environment Device (Key)

Input Output C

Bad Environment Device (Key)

Input Faulty Output C’ Fault Threshold ( Side-channel Leakage) Works for different types of fault injection: overclock, low-power, laser Change Fault Intensity

slide-9
SLIDE 9

19 Aug 2010 CHES 2010 @ Santa Barbara 9

Fault Sensitivity under an over-clock

Logic F/F CLK Din Dout n n

clk illegal_clk1 Din

Critical Delay Timing Threshold as Fault Sensitivity

illegal_clk2

Sensitive Data

slide-10
SLIDE 10

19 Aug 2010 CHES 2010 @ Santa Barbara 10

Signal delays for AND gate

 AND Gate (TX: delay time for signal X)

 Assume TA < TB  When signal A=0, TC= TA + TAND (small)  When signal A=1, TC= TB + TAND (large)  TAND: Delay timing of AND gate

A B C = A • B

TA TAND TB Data Dependency !! 0 input, small delay.

slide-11
SLIDE 11

19 Aug 2010 CHES 2010 @ Santa Barbara 11

Signal delays for XOR gate

 XOR Gate (TX: delay time for signal X)

 Assume TA < TB  When signal A=0, TC= TB + TXOR  When signal A=1, TC= TB + TXOR  TXOR: Delay timing of XOR gate

A B C = A B

TA TXOR TB No Data Dependency !!

slide-12
SLIDE 12

19 Aug 2010 CHES 2010 @ Santa Barbara 12

How about an FSA Attack?

Sensitive Data Attackers

For Power-based attacks:

Power Consumption Key

FSA

Fault Sensitivity

slide-13
SLIDE 13

19 Aug 2010 CHES 2010 @ Santa Barbara 13

FSA Attack Procedures

 Collect pairs of public variables and fault

sensitivity

 Retrieval the key by the data analysis

 Have a key guess  Calculate sensitive-data  Check the calculated data with recorded fault

sensitivity

 Directly apply the techniques in power

analysis

slide-14
SLIDE 14

19 Aug 2010 CHES 2010 @ Santa Barbara 14

Case studies of FSA attacks

FSA attack against PPRM1-AES FSA attack against WDDL-AES FSA attack against Satoh’s AES (recent work)

slide-15
SLIDE 15

19 Aug 2010 CHES 2010 @ Santa Barbara 15

CASE 1: FSA attacks against PPRM1-AES

 PPRM1-AES: a low power AES

implementation with “PPRM1-Sbox” [4]

 PPRM1 S-box

PPRM1 S-box

AND array XOR array

… … AND gate: 0 input, small delay. AND array: More 0 inputs, smaller delay!

slide-16
SLIDE 16

19 Aug 2010 CHES 2010 @ Santa Barbara 16

As a result, for PPRM1 S-box More 0 inputs , Smaller delay!! Smaller hamming weight Less sensitive to overclock

Fault sensitivity Input hamming weight Typical Side Channel Leakage Exploitable by CPA-like analysis

slide-17
SLIDE 17

19 Aug 2010 CHES 2010 @ Santa Barbara 17

Attack results against last round of PPRM1-AES

Key guess Correlation All of the 16 key bytes can be identified clearly.

slide-18
SLIDE 18

19 Aug 2010 CHES 2010 @ Santa Barbara 18

How much fault sensitivity data is needed?

Less than 50 plaintexts (FS data) to obtain a 128-bit key.

slide-19
SLIDE 19

19 Aug 2010 CHES 2010 @ Santa Barbara 19

How many times of fault injection?

 Which point is the fault sensitivity?  In our experiment

  • Fre. of Clock

Success rate of fault injection 1

  • Fre. of Clock

C C’

Worst case: 120 times

slide-20
SLIDE 20

19 Aug 2010 CHES 2010 @ Santa Barbara 20

CASE 2: FSA attacks against WDDL-AES

 Naturally immune to DFA attacks based on

the setup-time violation. [2]

 Dual-Rail Precharge Logic  Complementary wires: (ture,false)  “transient” fault will erase the secret information

at the output.

 WDDL is not perfectly immune to FSA

attacks based on setup-time violation.

slide-21
SLIDE 21

19 Aug 2010 CHES 2010 @ Santa Barbara 21

WDDL’s Vulnerability against FSA (1/2)

 First of all, no clear correlation between input

data and fault sensitivity.

 All types of gates are mixed up

 However, we observed a data dependence at

the output.

 Imbalance of complementary wires leads to

imbalance of critical path delays.

slide-22
SLIDE 22

19 Aug 2010 CHES 2010 @ Santa Barbara 22

WDDL’s Vulnerability against FSA (2/2)

 Assume

 Precharge value = 0  Delay_ture > Delay_false

 then (1,0)  (0,0) happens easier than (0,1)  (0,0).

 1 is more sensitive than 0

WDDL Logic

true false Difficult to make perfect matching wires.

Vulnerability!

Exploitable by DPA-like analysis

slide-23
SLIDE 23

19 Aug 2010 CHES 2010 @ Santa Barbara 23

Attack result against WDDL-AES with 1200 plaintexts

Key guess Correlation 3 of 16 key bytes can be identified.

slide-24
SLIDE 24

19 Aug 2010 CHES 2010 @ Santa Barbara 24

CASE 3: FSA attacks against Satoh’s AES

 Satoh’s AES (CHES2008)

 High performance AES with Error-detection

Scheme

 Successful FSA attack

 Self-Template FSA

 To be continued in the rump section.

slide-25
SLIDE 25

19 Aug 2010 CHES 2010 @ Santa Barbara 25

Outline

 Differential Fault Analysis and its countermeasure  Power-based Side-Channel Attacks

 DPA, CPA

 A New Fault-based Attack

 Fault Sensitivity Analysis (FSA)  Some Case Studies on SASEBO-R

 FSA attack on PPRM1-AES  FSA attack on WDDL-AES  FSA attack on Satoh’s AES (recent result)

 Conclusion

slide-26
SLIDE 26

19 Aug 2010 CHES 2010 @ Santa Barbara 26

Conclusion

 A new side channel leakage: fault sensitivity  FSA has a potential to bypass some fault

attack countermeasures.

 Future work:

 FSA countermeasures (mask technique?)  Stronger FSA attacks  Try other types of FSA under other fault injection

methods

slide-27
SLIDE 27

19 Aug 2010 CHES 2010 @ Santa Barbara 27

References

 [1]G. Piret and J.-J. Quisquater. A Differential Fault Attack

Technique against SPN Structures, with Application to the AES and KHAZAD. CHES 2003

 [2] S. Guilley T. Graba N. Selmane, S. Bhasin and J.-L.

  • Danger. WDDL is Protected Against Setup Time Violation
  • Attacks. FDTC 2009

 [3] Akashi Satoh, Takeshi Sugawara, Naofumi

Homma, Takafumi Aoki: High-Performance Concurrent Error Detection Scheme for AES Hardware. CHES 2008

 [4] S. Morioka and A. Satoh. An Optimized S-Box Circuit

Architecture for Low Power AES Design. CHES2002

slide-28
SLIDE 28

19 Aug 2010 CHES 2010 @ Santa Barbara 28

Thank you for your attentions!

Questions?