Fault injection attacks on cryptographic devices: Theory, practice, and countermeasures
- Proceedings of the IEEE, 2012
Cited by 17 (0 self)
Abstract—Implementations of cryptographic algorithms continue to proliferate in consumer products due to the increasing demand for secure transmission of confidential information. Although the current standard cryptographic algorithms proved to withstand exhaustive attacks, their hardware and software implementations have exhibited vulnerabilities to side channel attacks, e.g., power analysis and fault injection attacks. This paper focuses on fault injection attacks that have been shown to require inexpensive equipment and a short amount of time. The paper provides a comprehensive description of these attacks on cryptographic devices and the countermeasures that have been developed against them. After a brief review of the widely used cryptographic algorithms, we classify the currently known fault injection attacks into low cost ones (which a single attacker with a modest budget can mount) and high cost ones (requiring highly skilled attackers with a large budget). We then list the attacks that have been developed for the important and commonly used ciphers and indicate which ones have been successfully used in practice. The known countermeasures against the previously described fault injection attacks are then presented, including intrusion detection and fault detection. We conclude the survey with a discussion on the interaction between fault injection attacks (and the corresponding countermeasures) and power analysis attacks.
Exploring the feasibility of low cost fault injection attacks on sub-threshold devices through an example of a 65nm AES implementation
- In RFID. Security and Privacy, 2012
Cited by 7 (3 self)
Abstract. The continuous scaling of VLSI technology and the aggressive use of low power strategies (such as subthreshold voltage) make it possible to implement standard cryptographic primitives within the very limited circuit and power budget of RFID devices. On the other hand, such cryptographic implementations raise concerns regarding their vulnerability to both active and passive side channel attacks. In particular, when focusing on RFID targeted designs, it is important to evaluate their resistance to low cost physical attacks. A common low cost fault injection attack is the one which is induced by insufficient supply voltage of the chip with the goal of causing setup time violations. This kind of fault attack relies on the possibility of gracefully degrading the performance of the chip. It is however, unclear whether this kind of low cost attack is feasible in the case of low voltage design since a reduction of the voltage may result in a catastrophic failure of the device rather than an isolated setup violation. Furthermore, the effect that process variations may have on the fault model used by the attacker and consequently the success probability of the attack, are
Differential Fault Analysis of AES: Towards Reaching its Limits
Cited by 5 (3 self)
Abstract. In this paper we present a theoretical analysis of the limits of the Differential Fault Analysis (DFA) of AES by developing an interrelationship between conventional cryptanalysis of AES and DFAs. We show that the existing attacks have not reached these limits and present techniques to reach these. More specifically, we propose optimal DFA on states of AES-128 and AES-256. We also propose attacks on the key schedule of the three versions of AES, and demonstrate that these are some of the most efficient attacks on AES to date. Our attack on AES-128 key schedule is optimal, and the attacks on AES-192 and AES-256 key schedule are very close to optimal. Detailed experimental results have been provided for the developed attacks. The work has been compared to other works and also the optimal limits of Differential Fault Analysis of AES.
Meet-in-the-Middle and Impossible Differential Fault Analysis on AES
Cited by 5 (2 self)
Abstract. Since the early work of Piret and Quisquater on fault attacks against AES at CHES 2003, many works have been devoted to reduce the number of faults and to improve the time complexity of this attack. This attack is very efficient as a single fault is injected on the third round before the end, and then it allows to recover the whole secret key in $2^{32}$ in time and memory. However, since this attack, it is an open problem to know if provoking a fault at a former round of the cipher allows to recover the key. Indeed, since two rounds of AES achieve a full diffusion and adding protections against fault attack decreases the performance, some countermeasures propose to protect only the three first and last rounds. In this paper, we give an answer to this problem by showing two practical cryptographic attacks on one round earlier of AES-128 and for all keysize variants. The first attack requires 10 faults and its complexity is around $2^{40}$ in time and memory, an improvement allows only 5 faults and its complexity in memory is reduced to $2^{24}$ while the second one requires either 1000 or 45 faults depending on fault model and recovers the secret key in around $2^{40}$ in time and memory.
Differential Fault Analysis on the AES Key Schedule
- Cryptology ePrint Archive, 2007
Cited by 4 (0 self)
This letter proposes a differential fault analysis on the AES key schedule and shows how an entire 128-bit AES key can be retrieved. In the workshop at FDTC 2007, we presented the DFA mechanism on the AES key schedule and proposed general attack rules. Using our proposed rules, we showed an efficient attack that can retrieve 80 bits of the 128-bit key. Recently, we have found a new attack that can obtain an additional 8 bits compared with our previous attack. As a result, we present most efficient attack for retrieving 88 bits of the 128-bit key using approximately two pairs of correct and faulty ciphertexts.
Differential fault analysis on AES with 192 and 256-bit key
- Cryptology ePrint Archive, Report 2010/023, 2010
Cited by 3 (0 self)
This paper describes a differential fault analysis (DFA) on AES with 192 and 256-bit keys. We show a new attack in which both 192 and 256-bit keys are retrieved within a feasible computational time. In order to verify the proposed attack and estimate the calculation time, we implement the proposed attack using C code on a PC. As a result, we successfully recover the original 192-bit key using 3 pairs of correct and faulty ciphertexts within 5 minutes, and 256-bit key using 2 pairs of correct and faulty ciphertexts and 2 pairs of correct and faulty plaintexts within 10 minutes.
DFA Mechanism on the AES Key Schedule
Cited by 3 (1 self)
This paper describes a DFA (Differential Fault Analysis) mechanism on the AES key scheduling process and shows how an entire 128-bit AES key can be retrieved. We make a detailed analysis of the DFA mechanism on the AES key schedule and propose general attack rules. As a result of reconsidering the best attack approach on the basis of analysis, we present a more efficient attack than the previous one. We show that we can retrieve an entire 128-bit AES key using 2-pairs of correct and faulty ciphertexts with a 48-bit brute-force search, 4-pairs of them with a 16-bit brute-force search and 7-pairs of them without brute-force search. These steps are enough to calculate the key with feasible computation resources.
Silicon-level Solutions to Counteract Passive and Active Attacks
Cited by 2 (1 self)
This article presents a family of cryptographic ASICs, called SecMat, designed in CMOS 130 nanometer technology by the authors with the help of STMicroelectronics. The purpose of these prototype circuits is to experience with the published “implementation-level” attacks (SPA, DPA, EMA, templates, DFA). We report our conclusions about the practicability of these attacks: which ones are the most simple to mount, and which ones require more skill, time, equipments, etc. The potential of FPGAs as security evaluation commodities at design time is also detailed. Then, we discuss about “dual counter-measures”, that are meant to resist both passive and active attacks. This study started four years ago with TIMA (Grenoble), in the framework of the project MARS [31]. We highlight some research directions towards dependable and cost-effective dual counter-measures.
A-SOFT-AES: Self-adaptive software-implemented fault-tolerance for AES
- In: 2013 IEEE 19th International On-Line Testing Symposium (IOLTS). IEEE, 2013
Cited by 2 (0 self)
Abstract—The Advanced Encryption Standard (AES) is one of the most widespread encryption techniques used by millions of users worldwide. Although AES was designed to withstand linear or differential attacks, the security of encrypted messages is not guaranteed. Bit flips occurring during the encryption due to runtime failures or purposely invoked by an attacker are a major security concern and can significantly jeopardize integrity, privacy, and confidentiality and hence the security of the system. Therefore, techniques to increase the reliability (fault-tolerance) and with it the security of cryptographic systems are necessary. This work proposes a self-adaptive software-implemented fault-tolerance methodology for AES (A-SOFT-AES) to enhance its fault-tolerance. This technique is based on a pool of software-implemented fault-tolerance techniques out of which it dynamically chooses the best one in terms of performance, cost, and fault-tolerance for a wide range of fault rates. Therefore, it provides superior flexibility over classic hardware-based implementations.
A New Bulk Built-in Current Sensor-Based Strategy for Dealing with Long-Duration Transient Faults in Deep-Submicron Technologies
Cited by 1 (1 self)
Abstract—Today’s deeply-scaled technology-based integrated circuits are highly sensitive to soft error, tending to be even more in the future. In fact, emerging critical issues are related to transient faults that now can be as long as circuits’ clock periods. This work presents a novel improved strategy based on bulk built-in current sensors that is able to cope with long-duration transient faults. Our cost-effective approach is a concurrent error detection scheme with recovery procedure, and rather than existing similar strategy, it has faster correction latency and uses less recovery resources. Keywords: concurrent error detection schemes, fault attacks, long-duration transient faults, soft errors