Professional Documents
Culture Documents
it is possible to efficiently extract the eth root by exploit- 19 b"1 ="2 c, "1 mod "2
ing the following observation. Assuming that e1 > e2 , the 20 3 1 2 mod n
value of 21 return ð2 ; ?Þ
22 end
Vol. 100, No. 11, November 2012 | Proceedings of the IEEE 3067
Barenghi et al.: Fault Injection Attacks on Cryptographic Devices: Theory, Practice, and Countermeasures
3068 Proceedings of the IEEE | Vol. 100, No. 11, November 2012
Barenghi et al.: Fault Injection Attacks on Cryptographic Devices: Theory, Practice, and Countermeasures
constitute a security risk if the above technique is em- encryption or decryption during the normal (fault-free)
ployed in the computation of one of the two halves of the operation of the attacked device.
CRT-based decryption. If the undetected faulty value is An example of these attacks is the differential power
employed in the CRT reconstruction, it leads to the same attack whose goal is to construct a key-dependent model of
scenario as in the Bellcore attack. power consumption that depends on the switching activity
To obtain a protected CRT-based low overhead decryp- of the circuit, and try to find which one fits best the actual
tion algorithm, Boscher et al. [75] combined a checking measurements taken on the device. The most common way
strategy for the CRT recombination with a fully protected to protect against this kind of attacks is to design the device
exponentiation. such that it has a constant power consumption regardless
An alternate strategy to hinder attacks on RSA relies on of the ongoing computation.
propagating the effects of the injected fault on the whole Traditionally, fault attacks and power analysis attacks
computation, leading to a faulty output which is not ex- were considered disjoint attack methodologies. This led to
ploitable by the attacker. This strategy, denominated fault the assumption that protecting the device against each one
infective computation in [76], shifts the focus of the coun- of these two possible attacks individually, the device is
termeasure from detecting the faults, to directly hindering consequently protected against any combination of these
the attacker without altering the computation flow, thus two types of attacks. This assumption, however, proved to
implicitly preventing safe error attacks. A generalization of be false, and it has been shown that it is possible to exploit
this concept, denominated fault resilient computation, has fault attacks in order to enhance the efficiency of power
been presented in [77], focusing on the design of a circuit attacks. The key idea behind the combined attack is that a
which relies on dual-rail logic to implement the same key fault induced during a computation can alter, in addition
concept. to the result of the computation, also the power consumed
by the device due to a change in the switching activity of
D. Protection of ECC the circuit.
Elliptic curve cryptosystems can be protected by ex- The first combined attack technique was reported by
tending some of countermeasures that were developed for Amiel et al. [80]. In this work, the authors showed that it is
RSA and adapting them to the different group operations possible to attack an RSA exponentiation that was pro-
performed during ECC encryption/decryption. In [78], tected against power analysis attacks using a balanced
Ciet and Joye present a list of countermeasures for ECC algorithm with message randomization, by inducing ad hoc
taking into account all the previously proposed attacks. In faults. The technique involves the partial or total blanking
particular, the authors suggest, as a practical defense of the contents of the register holding the base value of the
against safe error and bit flipping attacks on the double- message m, which, in turn, reduces the power consump-
and-add ladder, to compute the kP through splitting k into tion of the multiplication by m. Since this multiplication is
two values. Furthermore, to avoid exploitable determi- performed only when the current bit of the secret expo-
nistic behavior, a random number r (smaller than k) should nent d is 1, the authors were able to obtain the secret key
be selected leading to the computation of ½k mod rP þ simply by observing which operations did consume less
½bk=rcP. A second suggested guideline is to avoid deci- power after the fault injection. The authors have also
sion checks in the same way they are avoided in the pointed out that this kind of attack cannot be prevented by
Montgomery laddering during RSA exponentiation. This simple countermeasures against faults such as checking
way, an error during the double-and-add ladder will yield a the signature at the end of the computation. This is due to
random result avoiding information leakage. Another in- the fact that the information leakage happens during the
formation leakage prevention approach, proposed in [79], computation and a posteriori checks cannot prevent it.
involves randomizing the base point P used in the kP One way to protect against these attacks is to detect the
operation. This countermeasure introduces further ran- injected fault immediately, rather than wait until the
domness into the scheme hindering the recovery of the computation of the signature is completed, and upon de-
value of k regardless of the faults induced during the tection, abort the process and thus avoid generating the
computation. power profile that divulges the secret key. Well-known
examples of this type of countermeasures are the error
detection codes based on either parity or residue checking.
VI . POWER AND FAULT These codes, through adding redundant check bits to the
ATTACKS S YNERGIES data processed, are able to detect on the fly an invalid
Although we have focused in this paper on fault injection alteration of the data. However, the addition of circuitry to
attacks, we must keep in mind that there are other types of process the added check bits may help differential power
side channel attacks that a possible attacker may follow in analysis attacks since the check bits are highly correlated
an attempt to breach the security of a system. A commonly to the data bits being processed.
used approach is through power analysis attacks, which In [81] and [82], Regazzoni et al. reported the results of
measure the amount of power consumed while performing correlation power analysis attacks (that are more powerful
3072 Proceedings of the IEEE | Vol. 100, No. 11, November 2012
Barenghi et al.: Fault Injection Attacks on Cryptographic Devices: Theory, Practice, and Countermeasures
lattice-based operations, which are currently of consider- A further research direction is represented by the ad-
able interest. vent of multicore processors in mobile environments.
Furthermore, the number of known countermeasures Since cryptoprimitives have been mainly designed and
is as large as the number of different fault attacks that have implemented on serial processors, there is an ongoing
been developed, and quite often, a countermeasure has transition to their implementation on multicore platforms.
been finely tuned to a specific attack. There is a need to Currently, it is unclear how to extend the known fault
design more general countermeasures that will be effective attack methodologies and techniques to a parallel algo-
against many fault attacks and yet be inexpensive. Devel- rithm, which may be processing several keys simulta-
oping theoretical generic countermeasures may be too neously or several plaintexts using one key. Another
ambitious, and a more promising approach seems to be related question is whether fault injection attacks (and
that of unifying the existing ones (e.g., [70] and [85]). The more generally, side-channel attacks) on parallel imple-
results in this field are still limited to a couple of primi- mentations will retain their feasibility on these modern
tives, thus a deeper insight is required. platforms. h
REFERENCES [13] ISO/IEC 18033-4:2005 Information AES,[ in Proc. Eur. Dependable Comput.
TechnologyVSecurity TechniquesVEncryption Conf., 2008, pp. 91–96.
[1] A. Menezes, P. C. van Oorschot, and AlgorithmsVPart 4: Stream Ciphers, ISO Std.,
S. A. Vanstone, Handbook of Applied [28] A. Barenghi, C. Hocquet, D. Bol,
2005. F.-X. Standaert, F. Regazzoni, and I. Koren,
Cryptography. Boca Raton, FL:
CRC Press, 1996. [14] Data Encryption Standard (DES), National BExploring the feasibility of low cost
Institute of Standards and Technology fault injection attacks on sub-threshold
[2] R. J. Anderson and M. G. Kuhn, BLow cost (NIST) Std., FIPS-46-3, 1999. devices through an example of a 65 nm
attacks on tamper resistant devices,[ in AES implementation,[ in Proc. Workshop
Proc. Int. Workshop Security Protocols, [15] M. Curtin, Brute Force: Cracking the
Data Encryption Standard. New York: RFID Security Privacy, 2011, pp. 48–60.
1998, pp. 125–136.
Springer-Verlag, 2005. [29] J.-M. Schmidt and C. Herbst, BA practical
[3] D. Boneh, R. DeMillo, and R. Lipton, fault attack on square and multiply,[ in
BOn the importance of eliminating [16] Advanced Encryption Standard, National
Institute of Standards and Technology Proc. Workshop Fault Diagnosis Tolerance
errors in cryptographic computations,[ Cryptogr., 2008, pp. 53–58.
J. Cryptology, vol. 14, no. 2, pp. 101–119, (NIST) Std., FIPS-197, 2001.
Nov. 2001. [17] J. Daemen and V. Rijmen, The Design of [30] M. Hutter, T. Plos, and J.-M. Schmidt,
Rijndael: AESVThe Advanced Encryption BContact-based fault injections and power
[4] E. Biham and A. Shamir, BDifferential fault analysis on RFID tags,[ in Proc. IEEE
analysis of secret key cryptosystems,[ in Standard. New York: Springer-Verlag,
2002. Eur. Conf. Circuit Theory Design, 2009,
Proc. CRYPTO, 1997, pp. 513–525. pp. 409–412.
[5] D. Boneh, R. A. DeMillo, and R. J. Lipton, [18] IEEE P-1619 Standard for Cryptographic
Protection of Data on Block-Oriented [31] F. Amiel, C. Clavier, and M. Tunstall,
BOn the importance of checking BFault analysis of DPA-resistant algorithms,[
cryptographic protocols for faults,[ in Storage Devices, IEEE Std., 2008.
in Proc. Workshop Fault Diagnosis Tolerance
Proc. EUROCRYPT, 1997, pp. 37–51. [19] IEEE Standard for Information
Cryptogr., 2006, vol. 4236, pp. 223–236.
[6] F. Bao, R. H. Deng, Y. Han, A. B. Jeng, Technology-Telecommunications and
Information Exchange Between Systems-Local [32] S. Govindavajhala and A. Appel, BUsing
A. D. Narasimhalu, and T.-H. Ngair, memory errors to attack a virtual machine,[
BBreaking public key cryptosystems and Metropolitan Area Networks-Specific
Requirements-Part 11: Wireless LAN in Proc. IEEE Symp. Security Privacy, 2003,
on tamper resistant devices in the pp. 154–165.
presence of transient faults,[ in Proc. Medium Access Control (MAC) and Physical
Int. Workshop Security Protocols, 1998, Layer (PHY) Specifications, IEEE Std., [33] J.-M. Schmidt and M. Hutter, BOptical
pp. 115–124. 1997. and EM fault-attacks on CRT-based RSA:
[20] I. Koren and C. M. Krishna, Fault Concrete results,[ in Proc. Austrian
[7] A. K. Lenstra, BMemo on RSA signature Workshop Microelectron., 2007, pp. 61–67.
generation in the presence of faults,[ Tolerant Systems. San Francisco,
Sep. 1996. CA: Morgan-Kaufman, 2007. [34] J.-M. Schmidt, M. Hutter, and T. Plos,
[21] R. Rivest, A. Shamir, and L. Adleman, BOptical fault attacks on AES: A threat in
[8] L. Breveglieri, I. Koren, D. Naccache, and violet,[ in Proc. Workshop Fault Diagnosis
J.-P. Seifert, Eds., Proceedings of the Third BMethod for obtaining digital signatures
and public-key cryptosystems,[ Commun. Tolerance Cryptogr., 2009, pp. 13–22.
International Workshop in Fault Diagnosis
and Tolerance in Cryptography, 10 October ACM, vol. 21, pp. 120–126, 1978. [35] S. Skorobogatov, BSemi-invasive attacksVA
2006, vol. 4236. Berlin, Germany: [22] P. Montgomery, BModular multiplication new approach to hardware security analysis,[
Springer-Verlag, 2006. without trial division,[ Math. Comput., Comput. Lab., Univ. Cambridge, Cambridge,
vol. 44, pp. 519–521, 1985. U.K., Tech. Rep. UCAM-CL-TR-630, 2005.
[9] L. Breveglieri, S. Gueron, I. Koren,
D. Naccache, and J.-P. Seifert, Eds., [23] STMicroelectronics, ST23 Highly Secure [36] S. P. Skorobogatov and R. J. Anderson,
Proceedings of the Fourth International Smartcard ICs, Jan. 2010. [Online]. Available: BOptical fault induction attacks,[ in Proc.
Workshop on Fault Diagnosis and http://www.st.com/stonline/products/ Workshop Cryptogr. Hardware Embedded
Tolerance in Cryptography, 10 September families/smartcard/sc_st23.htm. Syst., 2002, pp. 2–12.
2007. Berlin, Germany: Springer-Verlag, [24] D. J. Bernstein, DNSCurve: Usable Security [37] M. Agoyan, J.-M. Dutertre, A.-P. Mirbaha,
2007. for DNS, Jan. 2009. [Online]. Available: D. Naccache, A.-L. Ribotta, and A. Tria,
[10] L. Breveglieri, S. Gueron, I. Koren, http://dnscurve.org/. BHow to flip a bit?[ in Proc. IEEE 16th Int.
D. Naccache, and J.-P. Seifert, Eds., On-Line Testing Symp., 2010, pp. 235–239.
[25] A. Barenghi, G. Bertoni, E. Parrinello, and
Proceedings of the Fifth International G. Pelosi, BLow voltage fault attacks on [38] R. Torrance and D. James, BThe
Workshop on Fault Diagnosis and the RSA cryptosystem,[ in Proc. Workshop state-of-the-art in IC reverse engineering,[ in
Tolerance in Cryptography, 10 August Fault Diagnosis Tolerance Cryptogr., 2009, Proc. Workshop Cryptogr. Hardware Embedded
2008. Berlin, Germany: Springer-Verlag, pp. 23–31. Syst., 2009, pp. 363–381.
2008. [26] A. Barenghi, G. M. Bertoni, L. Breveglieri, [39] B. Debraize and I. M. Corbella, BFault analysis
[11] SNOW 3G Specifications, European M. Pellicioli, and G. Pelosi, BLow voltage of the stream cipher snow 3G,[ in Proc.
Telecommunications Standards Institute fault attacks to AES,[ in Proc. Int. Symp. Workshop Fault Diagnosis Tolerance Cryptogr.,
Std., Sep. 2006. Hardware-Oriented Security Trust, 2010, 2009, pp. 103–110.
[12] P. Ekdahl and T. Johansson, BA new pp. 7–12. [40] F. Armknecht and W. Meier, BFault
version of the stream cipher SNOW,[ in [27] N. Selmane, S. Guilley, and J.-L. Danger, attacks on combiners with memory,[ in
Proc. Sel. Areas Cryptogr., 2003, vol. 2595, BPractical setup time violation attacks on Proc. Sel. Areas Cryptogr., 2006, vol. 3897,
pp. 47–61. pp. 36–50.
3074 Proceedings of the IEEE | Vol. 100, No. 11, November 2012
Barenghi et al.: Fault Injection Attacks on Cryptographic Devices: Theory, Practice, and Countermeasures
[41] J. Bloemer and J.-P. Seifert, BFault based [57] IEEE Standard Specifications for [72] C. Giraud, BAn RSA implementation
cryptanalysis of the Advanced Encryption Password-Based Public-Key Cryptographic resistant to fault attacks and to simple
Standard (AES),[ in Proc. Financial Techniques, IEEE Std., 2009. power analysis,[ IEEE Trans. Comput.,
Cryptogr., 2003, pp. 162–181. [58] A. Barenghi, G. Bertoni, A. Palomba, and vol. 55, no. 9, pp. 1116–1120, Sep. 2006.
[42] C. Giraud, BDFA on AES,[ in Proc. Int. Conf. R. Susella, BA novel fault attack against [73] G. Fumaroli and D. Vigilant, BBlinded fault
Adv. Encryption Standard, 2005, vol. 3373, ECDSA,[ in Proc. IEEE Int. Symp. resistant exponentiation,[ in Proc. Workshop
pp. 27–41. Hardware-Oriented Security Trust, 2011, Fault Diagnosis Tolerance Cryptogr., 2006,
[43] A. Barenghi, G. M. Bertoni, L. Breveglieri, pp. 161–166. pp. 62–70.
M. Pellicioli, and G. Pelosi, BFault attack [59] A. Barenghi, G. M. Bertoni, L. Breveglieri, [74] C. H. Kim and J.-J. Quisquater, BHow can
on AES with single-bit induced faults,[ in G. Pelosi, and A. Palomba, BFault attack we overcome both side channel analysis
Proc. 6th Int. Conf. Inf. Assurance Security, to the elliptic curve digital signature and fault attacks on RSA-CRT?,[ in Proc.
2010, pp. 7–13. algorithm with multiple bit faults,[ in Workshop Fault Diagnosis Tolerance Cryptogr.,
[44] P. Dusart, G. Letourneux, and O. Vivolo, Proc. Int. Conf. Security Inf. Netw., 2011, 2007, pp. 21–29.
BDifferential fault analysis on A.E.S.,[ pp. 63–72. [75] A. Boscher, H. Handschuh, and E. Trichina,
Appl. Cryptogr. Netw. Security, vol. 2846, [60] IBM, Ibm 4764 pci-x Cryptographic Coprocessor BBlinded fault resistant exponentiation
pp. 293–306, 2003. Specifications. [Online]. Available: http:// revisited,[ in Proc. Workshop Fault Diagnosis
[45] A. Moradi, M. T. M. Shalmani, and www.ibm.com/security/cryptocards/pdfs/ Tolerance Cryptogr., 2009, pp. 3–9.
M. Salmasizadeh, BA generalized method bs330.pdf. [76] S.-M. Yen, S. Kim, S. Lim, and S.-J. Moon,
of differential fault attack against AES [61] M. Karpovsky and A. Taubin, BNew class of BRSA speedup with Chinese remainder
cryptosystem,[ in Proc. Int. Workshop nonlinear systematic error detecting codes,[ theorem immune against hardware fault
Cryptogr. Hardware Embedded Syst., 2006, IEEE Trans. Inf. Theory, vol. 50, no. 8, cryptanalysis,[ IEEE Trans. Comput., vol. 52,
pp. 91–100. pp. 1818–1820, Aug. 2004. no. 4, pp. 461–472, Apr. 2003.
[46] C.-N. Chen and S.-M. Yen, BDifferential [62] R. Karri, K. Wu, P. Mishra, and Y. Kim, [77] S. Guilley, L. Sauvage, J.-L. Danger, and
fault analysis on aes key schedule and some BFault-based side-channel cryptanalysis N. Selmane, BFault injection resilience,[
countermeasures,[ in Proc. Inf. Security tolerant Rijndael symmetric block cipher Proc. Workshop Fault Diagnosis Tolerance
Privacy, 2003, pp. 217–217. architecture,[ in Proc. IEEE Int. Symp. Cryptogr., 2010, pp. 51–65.
[47] D. Peacham and B. Thomas, BA DFA attack Defect Fault Tolerance VLSI Syst., 2001, [78] M. Ciet and M. Joye, BElliptic curve
against the AES key schedule,[ SiVenture pp. 427–435. cryptosystems in the presence of permanent
Whitepaper, Oct. 2006. [63] P. Maistri, P. Vanhauwaert, and R. Leveugle, and transient faults,[ Designs Codes Cryptogr.,
[48] C. H. Kim and J.-J. Quisquater, BNew BA novel double-data-rate AES architecture vol. 36, no. 1, pp. 33–43, 2005.
differential fault analysis on AES key resistant against fault injection,[ in Proc. [79] A. Dominguez-Oviedo and M. Hasan,
schedule: Two faults are enough,[ in Workshop Fault Diagnosis Tolerance Cryptogr., BError detection and fault tolerance in
Proc. Int. Conf. Smart Card Res. Adv. 2007, pp. 54–61. ECSM using input randomization,[
Appl., 2008, pp. 48–60. [64] G. Bertoni, L. Breveglieri, I. Koren, P. Maistri, IEEE Trans. Dependable Secure Comput.,
[49] C. Aumüller, P. Bier, W. Fischer, P. Hofreiter, and V. Piuri, BError analysis and detection vol. 6, no. 3, pp. 175–187, Jul.-Sep. 2009.
and J.-P. Seifert, BFault attacks on RSA procedures for a hardware implementation [80] F. Amiel, K. Villegas, B. Feix, and L. Marcel,
with CRT: Concrete results and practical of the advanced encryption standard,[ IEEE BPassive and active combined attacks:
countermeasures,[ in Proc. Workshop Trans. Comput., vol. 52, no. 4, pp. 492–505, Combining fault attacks and side channel
Cryptogr. Hardware Embedded Syst., 2003, Apr. 2003. analysis,[ in Proc. Workshop Fault Diagnosis
pp. 81–95. [65] G. Bertoni, L. Breveglieri, I. Koren, and Tolerance Cryptogr., 2007, pp. 92–102.
[50] S.-M. Yen and M. Joye, BChecking before P. Maistri, BAn efficient hardware-based [81] F. Regazzoni, T. Eisenbarth, J. GroQschädl,
output may not be enough against fault-based fault diagnosis scheme for AES: Performances L. Breveglieri, P. Ienne, I. Koren, and
cryptanalysis,[ IEEE Trans. Comput., vol. 49, and cost,[ in Proc. IEEE Int. Symp. Defect Fault C. Paar, BPower attacks resistance of
no. 9, pp. 967–970, Sep. 2000. Tolerance VLSI Syst., 2004, pp. 130–138. cryptographic s-boxes with added error
[51] G. Hardy, An Introduction to the Theory [66] A. Butter, C. Kao, and J. Kuruts, BDES detection circuits,[ in Proc. IEEE Int.
of Numbers, 5th ed. Oxford, U.K.: encryption and decryption unit with Symp. Defect Fault Tolerance VLSI, 2007,
Oxford Univ. Press, 1979. error checking,[ U.S., Patent 5 432 848, pp. 508–516.
Jul. 1995. [82] F. Regazzoni, T. Eisenbarth, L. Breveglieri,
[52] D. E. Knuth, Art of Computer Programming,
Volume 2: Seminumerical Algorithms, [67] A. Shamir, BMethod and apparatus for P. Ienne, and I. Koren, BCan knowledge
3rd ed. Reading, MA: Addison-Wesley, protecting public key schemes from timing regarding the presence of countermeasures
Nov. 1997. and fault attacks,[ U.S., Patent 5 991 415, against fault attacks simplify power attacks
1999. on cryptographic devices?,[ in Proc. IEEE
[53] J. Blomer, M. Otto, and J. P. Seifert,
[68] M. Ciet and M. Joye, BPractical fault coun- Int. Symp. Defect Fault-Tolerance VLSI Syst.,
BSign change fault attacks on elliptic
termeasures for Chinese remaindering based 2008, pp. 202–210.
curve cryptosystems,[ in Proc. Workshop
Fault Diagnosis Tolerance Cryptogr., 2005, RSA,[ in Proc. Workshop Fault Diagnosis [83] The Transport Layer Security (TLS) Protocol
pp. 25–40. Tolerance Cryptogr., 2005, pp. 124–131. Version 1.2, Internet Engineering Task Force
[69] M. Joye, BProtecting RSA against fault attacks: (IETF) Std., 2008.
[54] I. Biehl, B. Meyer, and V. Müller,
BDifferential fault attacks on elliptic The embedding method,[ in Proc. Workshop [84] D. Coppersmitsh, M. Franklin, J. Patarin, and
curve cryptosystems,[ in Proc. CRYPTO, Fault Diagnosis Tolerance Cryptogr., 2009, M. Reiter, BLow-exponent RSA with related
2000, pp. 131–146. pp. 41–45. messages,[ in Proc. EUROCRYPT, 1996,
[70] A. Boscher, H. Handschuh, and E. Trichina, pp. 1–9.
[55] P.-A. Fouque, R. Lercier, D. Réal, and
F. Valette, BFault attack on elliptic curve BFault resistant RSA signatures: Chinese [85] M. Joye, BOn the security of a unified
montgomery ladder implementation,[ in remaindering in both directions,[ countermeasure,[ in Proc. Workshop
Proc. Workshop Fault Diagnosis Tolerance Cryptology ePrint Archive, Rep. 2010/038, Fault Diagnosis Tolerance Cryptogr., 2008,
Cryptogr., 2008, pp. 92–98. 2010. pp. 87–91.
[56] Digital Signature Standard (DSS), [71] M. Joye and S.-M. Yen, BThe Montgomery
National Institute of Standards and powering ladder,[ in Proc. Workshop
Technology (NIST) Std., FIPS-186-3, Cryptogr. Hardware Embedded Syst., 2003,
2009. pp. 291–302.
Vol. 100, No. 11, November 2012 | Proceedings of the IEEE 3075