201 research outputs found
Template-based Fault Injection Analysis of Block Ciphers
We present the first template-based fault injection analysis of FPGA-based block cipher implementations. While template attacks have been a popular form of side-channel analysis in the cryptographic literature, the use of templates in the context of fault attacks has not yet been explored to the best of our knowledge. Our approach involves two phases. The first phase is a profiling phase where we build templates of the fault behavior of a cryptographic device for different secret key segments under different fault injection intensities. This is followed by a matching phase where we match the observed fault behavior of an identical but black-box device with the pre-built templates to retrieve the secret key. We present a generic treatment of our template-based fault attack approach for SPN block ciphers, and illustrate the same with case studies on a Xilinx Spartan-6 FPGA-based implementation of AES-128
Vulnerability Assessment of Ciphers To Fault Attacks Using Reinforcement Learning
A fault attack (FA) is one of the most potent threats to cryptographic applications. Implementing an FA-protected block cipher requires knowledge of the exploitable fault space of the underlying crypto algorithm. The discovery of exploitable faults is a challenging problem that demands human expertise and time. Current practice is to rely on certain predefined fault models. However, the applicability of such fault models varies among ciphers. Prior work discovers such exploitable fault models individually for each cipher at the expense of a large amount of human effort. Our work completely replaces human effort by using reinforcement learning (RL) over the huge fault space of a block cipher to discover the effective fault models automatically. Validation on an AES block cipher demonstrates that our approach can automatically discover the effective fault models within a few hours, outperforming prior work, which requires days of manual analysis. The proposed approach also reveals vulnerabilities in the existing FA-protected block ciphers and initiates an end-to-end vulnerability assessment flow
Unleashing the Power of Differential Fault Attacks on QARMAv2
QARMAv2 represents a family of lightweight block ciphers introduced in ToSC 2023. This new iteration, QARMAv2, is an evolution of the original QARMA design, specifically constructed to accommodate more extended tweak values while simultaneously enhancing security measures. This family of ciphers is available in two distinct versions, referred to as QARMAv2--, where ββ signifies the block length, with options for both 64-bit and 128-bit blocks, and ββ signifies the key length. In this paper, for the first time, we present differential fault analysis (DFA) of all the QARMAv2 variants, QARMAv2-64 and QARMAv2-128, by introducing an approach to utilize the fault propagation patterns at the nibble level, with the goal of identifying relevant faulty ciphertexts and vulnerable fault positions. This technique highlights a substantial security risk for the practical implementation of QARMAv2. By strategically introducing six random nibble faults into the input of the -th and -th backward rounds within the -round QARMAv2-64, our attack achieves a significant reduction in the secret key space, diminishing it from the expansive to a significantly smaller set of size . Additionally, when targeting QARMAv2-128-128, it demands the introduction of six random nibble faults to effectively reduce the secret key space from to a remarkably reduced . To conclude, we also explore the potential extension of our methods to conduct DFA on various other iterations and adaptations of the QARMAv2 cryptographic scheme. To the best of our knowledge, this marks the first instance of a differential fault attack targeting the QARMAv2 tweakable block cipher family, signifying an important direction in cryptographic analysis
SDFA: Statistical-Differential Fault Attack on Linear Structured SBox-Based Ciphers
At Asiacrypt 2021, Baksi et al. proposed DEFAULT, the first block cipher which provides differential fault attack (DFA) resistance at the algorithm level, with 64-bit DFA security. Initially, the cipher employed a simple key schedule where a single key was XORed throughout the rounds, and the key schedule was updated by incorporating round-independent keys in a rotating fashion. However, at Eurocrypt 2022, Nageler et al. presented a DFA that compromised the claimed DFA security of DEFAULT, reducing it by up to 20 bits for the simple key schedule and allowing for unique key recovery in the case of rotating keys. In this work, we present an enhanced differential fault attack (DFA) on the DEFAULT cipher, showcasing its effectiveness in uniquely recovering the encryption key. We commence by determining the deterministic computation of differential trails for up to five rounds. Leveraging these computed trails, we apply the DFA to the simple key schedule, injecting faults at different rounds and estimating the minimum number of faults required for successful key retrieval. Our attack achieves key recovery with minimal faults compared to previous approaches. Additionally, we extend the DFA to rotating keys, first recovering equivalent keys with fewer faults in the DEFAULT-LAYER, and subsequently applying the DFA separately to the DEFAULT-CORE. Furthermore, we propose a generic DFA approach for round-independent keys in the DEFAULT cipher. Lastly, we introduce a new paradigm of fault attack that combines SFA and DFA for any linear structured SBOX-based cipher, enabling more efficient key recovery in the presence of both rotating and round-independent key configurations. We call this technique Statistical-Differential Fault Attack (SDFA). Our results shed light on the vulnerabilities of the DEFAULT cipher and highlight the challenges in achieving robust DFA protection for linear structured SBOX-based ciphers
Divided We Stand, United We Fall: Security Analysis of Some SCA+SIFA Countermeasures Against SCA-Enhanced Fault Template Attacks
Protection against Side-Channel Attacks (SCA) and Fault Attacks (FA) requires two classes of countermeasures to be simultaneously embedded in a cryptographic implementation. It has already been shown that a straightforward combination of SCA and FA countermeasures is vulnerable to FAs such as Statistical Ineffective Fault Analysis (SIFA) and Fault Template Attacks (FTA). Consequently, new classes of countermeasures have been proposed which protect against SIFA and also include masking for SCA protection. While they are secure against SIFA and SCA individually, one important question is whether the security claim still holds in the presence of a combined SCA and FA adversary. Security against combined attacks is, however, desired, as countermeasures for both threats are included in such implementations. In this paper, we show that some of the recently proposed combined SIFA and SCA countermeasures fall prey to combined attacks. To this end, we enhance the FTA attacks by considering side-channel information during fault injection. The success of the proposed attacks stems from some non-trivial fault propagation properties of S-Boxes, which remain unexplored in the original FTA proposal. The proposed attacks are validated on an open-source software implementation of Keccak with a SIFA-protected χ5 S-Box using laser fault injection and power measurement, and on a hardware implementation of a SIFA-protected χ3 S-Box through gate-level power trace simulation. Finally, we discuss some mitigation strategies to strengthen existing countermeasures
How Practical are Fault Injection Attacks, Really?
Fault injection attacks (FIA) are a class of active physical attacks, mostly used for malicious purposes such as extraction of cryptographic keys, privilege escalation, and attacks on neural network implementations. There are many techniques that can be used to cause faults in integrated circuits, many of them coming from the area of failure analysis.
In this paper we tackle the topic of the practicality of FIA. We analyze the most commonly used techniques that can be found in the literature, such as voltage/clock glitching, electromagnetic pulses, lasers, and Rowhammer attacks. To summarize, FIA can be mounted on the most commonly used architectures from ARM, Intel, and AMD by utilizing injection devices that are often below the thousand dollar mark. Therefore, we believe these attacks can be considered practical in many scenarios, especially when the attacker can physically access the target device
Fault Analysis Attack on the HMAC and NMAC Message Authentication Code Algorithms
One of the important problems arising in the design and practical implementation of cryptosystems is providing countermeasures against side-channel attacks. When implemented on a specific physical device, algorithms whose strength is beyond serious doubt from a purely mathematical point of view often turn out to be vulnerable to such attacks. A fault analysis attack is one variant of a side-channel attack on a cryptosystem. Its essence is that the attacker actively influences a physical device that performs the computation (for example, a smart card). The faults caused by this influence are then analysed in order to recover the secret information stored inside the device. These attacks are often significantly more efficient than passive side-channel attacks. Fault analysis attacks were proposed over 20 years ago. Since then, attacks have been successfully built against implementations of a number of symmetric and asymmetric crypto-algorithms. A number of different methods for actively influencing the computation have also been proposed, using specific physical effects and characteristics of the computing environment. Approaches to counteracting such attacks are also actively developing; both physical and purely mathematical methods are used for this. However, it should be noted that cryptographic hash functions, and the more complex crypto-schemes containing them as components (for example, some message authentication codes and digital signatures), are only marginally represented in these works. It is important to note that the practical implementation of a specific attack requires a combination of the following factors: the possibility of a specific physical impact on the computation, an adequate mathematical model of that physical impact, and the purely mathematical component of the attack, that is, specific algorithms for introducing faults and for the further analysis of the results.
At the same time, the solution of each of these problems separately is of independent theoretical value. The results of this paper do not involve the physical component of the attack, addressing only the mathematics. In other words, specific algorithms for introducing faults and for the further analysis of the results are proposed. A specific fault model is considered known and given. Several such models have been considered, based on similar ones previously proposed for other algorithms. As objects of study, two standards for forming message authentication codes have been selected: HMAC and NMAC. These standards can be based on any cryptographic hash function that provides the required level of security. The paper examines four examples of widely used hash functions: MD5, MD4, SHA-1, SHA-0. The main results of the paper are as follows:
- specific algorithms have been built for introducing faults into the computation and for their further analysis, allowing secret information (secret keys) to be recovered;
- estimates of the complexity of such attacks (in terms of the number of introduced faults and the work factor of the further analysis) have been found and validated for various combinations of parameters (algorithms and fault models);
- it is shown that the attacks can be carried out in reasonable time
Linked Fault Analysis
Numerous fault models have been developed, each with distinct characteristics and effects. These models should be evaluated in light of their costs, repeatability, and practicability. Moreover, there must be effective ways to use the injected fault to retrieve the secret key, especially if there are some countermeasures in the implementation. In this paper, we introduce a new fault analysis technique called "linked fault analysis" (LFA), which can be viewed as a more powerful version of well-known fault attacks against implementations of symmetric primitives in various circumstances, especially software implementations. For known fault analyses, the bias over the faulty value or the relationship between the correct value and the faulty one, both produced by the fault injection, serve as the foundations for the fault model. In LFA, however, a single fault involves two intermediate values. The faulty target variable, , is linked to a second variable, , such that a particular relation holds: . We show that LFA lets the attacker perform fault attacks without input control, with much less data than previously introduced fault attacks in the same class. We also present two approaches, called LDFA and LIFA, that show how LFA can be utilized in the presence or absence of typical redundancy-based countermeasures. Finally, we demonstrate that LFA is still effective, under specific circumstances, even when masking protections are in place. We performed our attacks against the public implementation of AES on the ATMEGA328p to show how LFA works in the real world. The practical results and simulations validate our theoretical models as well
Leakage Assessment in Fault Attacks: A Deep Learning Perspective
Generic vulnerability assessment of cipher implementations against fault attacks (FA) is a largely unexplored research area to date. Security assessment against FA is particularly important in the context of FA countermeasures because, on several occasions, countermeasures fail to fulfil their sole purpose of preventing FA due to flawed design or implementation. In this paper, we propose a generic, simulation-based, statistical yes/no experiment for evaluating fault-assisted information leakage based on the principle of non-interference. The proposed experiment is oblivious to the structure of the countermeasure/cipher under test and detects fault-induced leakage solely by observing the ciphertext distributions. Unlike a recently proposed approach that utilizes the t-test and its higher-order variants for detecting leakage at different moments of ciphertext distributions, in this work we present a Deep Learning (DL) based leakage detection test. Our DL-based detection test is not specific to only moment-based leakages and thus can expose leakages in several cases where the t-test based technique demands a prohibitively large number of ciphertexts. We also present a systematic approach to interpret the leakages from DL models. Apart from improving the leakage detection test, we explore two generalizations of the leakage assessment experiment itself: one for evaluating against the Statistical Ineffective Fault Analysis (SIFA) fault model, and another for assessing fault-induced leakages originating from "non-cryptographic" peripheral components of a security module. Finally, we present techniques for efficiently covering the fault space of a block cipher by exploiting logic-level and cipher-level fault equivalences. The efficacy of DL-based leakage detection, as well as the proposed generalizations, has been evaluated on a rich test-suite of hardened implementations from several countermeasure classes, including open-source SIFA countermeasures and a hardware security module called Secured-Hardware-Extension (SHE)