
FAULT TOLERANCE OF

CRYPTOGRAPHIC SYSTEMS
Debdeep Mukhopadhyay
CSE, IIT Kharagpur
debdeep@cse.iitkgp.ernet.in
What have faults to do with
Information Leakage?
Taken from "The Sorcerer's Apprentice Guide to Fault Attacks", FDTC 2006
Background on
Cryptographic Algorithms
Techniques: Cryptographic Algorithms
[Figure: the SENDER encrypts the plaintext message "retreat at dawn" under key (e) into the ciphertext "sb%6x*cmf"; the RECEIVER decrypts it under key (d) back to the plaintext message; the ATTACKER sees only the ciphertext on the channel.]
Types of Cryptographic Algorithms
Symmetric Key Ciphers: The sender and
the receiver share the same key for
their message exchange.
Asymmetric Key Ciphers: The sender
encrypts the message using a public key
and the receiver decrypts using a secret
(or private) key.
Symmetric Key Setting
Assumptions
$K_a$ is the encryption key, $K_b$ is the decryption key.
For symmetric key ciphers, $K_a = K_b$.
- Only Alice and Bob know $K_a$ (or $K_b$)
- Eve has access to E, D and the communication channel but does not know the key $K_a$ (or $K_b$)
[Figure: Alice applies $E_{K_a}$ to the message and sends it over the communication channel; Bob applies $D_{K_b}$ to recover the message; Eve taps the channel for leaked information.]
Types of symmetric key ciphers
Block Ciphers: Symmetric key ciphers
where a block of data is encrypted at a time

Stream Ciphers: Symmetric key ciphers
where the block size is 1, i.e. the data is encrypted one bit (or byte) at a time
Block Cipher
A modern symmetric key cipher encrypts
an n-bit block of plaintext or decrypts an n-bit
block of ciphertext.
Padding:
If the message has fewer than n bits, padding
must be done to make it n bits.
If the message size is not a multiple of n, then
it should be divided into n-bit blocks and the
last block should be padded.
Components of a Modern Block
Cipher
Most important components:
P-Box: a key-less, fixed transposition (permutation of bit positions)
S-Box: a key-less, fixed substitution (lookup of bit patterns)
They are used to provide:
Diffusion: hides the relationship between
the ciphertext and the plaintext
Confusion: hides the relationship between
the ciphertext and the key
Principle of Confusion and
Diffusion
The design of a block cipher
depends on these two properties.
The S-Box is used to provide confusion:
the key is mixed into the state before it, and the
S-Box's non-linearity makes the ciphertext's dependence
on the unknown key complex.
The P-Box is fixed, and there is no
confusion due to it,
but it provides diffusion.
Properly combining these is necessary.
Diffusion (P) Boxes
Straight Boxes
Expansion Boxes
Compression Boxes
Example: 24x24 (straight) Box
01 15 02 13 06 17 03 19 09 04 21 11
14 05 12 16 18 07 24 10 23 08 22 20
Example: 12x24 (expansion) Box
01 03 02 01 06 17 03 07 09 04 09 11
02 05 12 04 06 07 12 10 11 08 10 08
Example: 24x12 (compression) Box
01 15 02 13 06 17 03 19 09 04 21 11
SBox
$y_1 = f_1(x_1, x_2, \ldots, x_n)$
$y_2 = f_2(x_1, x_2, \ldots, x_n)$
...
$y_m = f_m(x_1, x_2, \ldots, x_n)$
An S-Box (substitution box) is an m×n
substitution box, where m and n are not
necessarily the same: n input bits $x_1, \ldots, x_n$ and m output bits $y_1, \ldots, y_m$.
Each output bit is a Boolean function of the
inputs.
Non-linear SBox
A linear S-Box is one whose output bits can be written as ($\oplus$ is addition mod 2)
$y_1 = a_{11}x_1 \oplus a_{12}x_2 \oplus \cdots \oplus a_{1n}x_n$
$y_2 = a_{21}x_1 \oplus a_{22}x_2 \oplus \cdots \oplus a_{2n}x_n$
...
$y_m = a_{m1}x_1 \oplus a_{m2}x_2 \oplus \cdots \oplus a_{mn}x_n$
In a non-linear S-Box, the output bits
cannot all be expressed as above.
E.g. $y_1 = x_1^3 \oplus x_2,\quad y_2 = x_1^2 \oplus x_1 x_2 \oplus x_3$
Application of Ex-or
The key is known to both the encryptor and the
decryptor: XORing it in during encryption and again during decryption cancels it out and recovers the plaintext.
[Figure: Encryption = plaintext ⊕ Key; Decryption = ciphertext ⊕ Key.]
A product cipher made of 2 rounds
Diffusion and Confusion
[Figure: a two-round product cipher on an 8-bit plaintext, built from S-boxes, bit transpositions and XOR of key bits $K_1$ and $K_2$.]
Practical Ciphers
Large data blocks
More S-Boxes
More rounds
These help to improve the diffusion and
confusion in the cipher.
Two classes of product ciphers
Feistel Ciphers, example DES (Data
Encryption Standard)
Non-Feistel Ciphers (Substitution
Permutation Networks), example AES
(Advanced Encryption Standard)
Feistel Cipher
Feistel cipher refers to a type of block cipher
design, not a specific cipher
Split the plaintext block into left and right halves:
Plaintext = $(L_0, R_0)$
For each round $i = 1, 2, \ldots, n$, compute
$L_i = R_{i-1}$
$R_i = L_{i-1} \oplus F(R_{i-1}, K_i)$
where F is the round function and $K_i$ is the round subkey
Ciphertext = $(L_n, R_n)$
Feistel Permutation
Decryption: Ciphertext = $(L_n, R_n)$
For each round $i = n, n-1, \ldots, 1$, compute
$R_{i-1} = L_i$
$L_{i-1} = R_i \oplus F(R_{i-1}, K_i)$
where F is the round function and $K_i$ is the subkey
Plaintext = $(L_0, R_0)$
The formula works for any function F (F need not be invertible)
But the cipher is only secure for certain functions F
Encryption
Repeating (iterating) this transformation we obtain the
Feistel Cipher
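The encryption and decryption loops above in working code, as an added example that is not from the original slides: a toy 64-bit Feistel network. The round function F (a truncated SHA-256 of $R_{i-1} \| K_i$) and the key schedule (a truncated SHA-256 of key || i) are assumptions made for this example, not a standard cipher. F is deliberately not invertible, yet decryption inverts encryption exactly; passing the constant-zero `weak_f` shows that the structure still inverts but the "cipher" degenerates to the identity, which is the "only secure for certain F" point.

```python
import hashlib

HALF = 4                                  # 64-bit block = two 32-bit halves

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def round_function(right: bytes, subkey: bytes) -> bytes:
    """Toy F (assumption for this example): truncated SHA-256 of R_{i-1} || K_i.
    It is NOT invertible; the Feistel structure never needs F^-1."""
    return hashlib.sha256(right + subkey).digest()[:HALF]

def subkeys(key: bytes, rounds: int) -> list:
    """Toy key schedule (assumption): K_i = SHA-256(key || i), truncated to a half-block."""
    return [hashlib.sha256(key + bytes([i])).digest()[:HALF] for i in range(1, rounds + 1)]

def feistel_encrypt(block: bytes, key: bytes, rounds: int = 16, f=round_function) -> bytes:
    """L_i = R_{i-1};  R_i = L_{i-1} xor F(R_{i-1}, K_i)   for i = 1..n"""
    assert len(block) == 2 * HALF
    left, right = block[:HALF], block[HALF:]
    for k in subkeys(key, rounds):
        left, right = right, xor(left, f(right, k))
    return left + right

def feistel_decrypt(block: bytes, key: bytes, rounds: int = 16, f=round_function) -> bytes:
    """R_{i-1} = L_i;  L_{i-1} = R_i xor F(R_{i-1}, K_i)   for i = n..1 (same F, subkeys reversed)"""
    assert len(block) == 2 * HALF
    left, right = block[:HALF], block[HALF:]
    for k in reversed(subkeys(key, rounds)):
        left, right = xor(right, f(left, k)), left
    return left + right

def weak_f(right: bytes, subkey: bytes) -> bytes:
    """A legal but useless F: every round is then just a swap of the halves."""
    return bytes(HALF)

if __name__ == "__main__":
    key, msg = b"0123456789abcdef", b"retreat!"          # constructed sample inputs
    ct = feistel_encrypt(msg, key)
    print(ct.hex(), feistel_decrypt(ct, key))
    print(feistel_encrypt(msg, key, f=weak_f) == msg)   # 16 swaps: the identity
```

With `weak_f` an odd number of rounds yields a bare swap of the halves and an even number the identity, so the inversion property of the structure says nothing about security; all of it rests on F.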
Non-Feistel Ciphers
Composed of only invertible components.
Input to round function consists of key and
the output of previous round
These functions are obtained by the
repeated application of Substitution
(invertible SBoxes) and Permutation.
Thus they are called Substitution
Permutation Networks (SPN).
RSA Cipher
A generates keys:
Select p, q large prime numbers (at least a hundred
digits) and denote $N = pq$; compute $\phi(N) = (p-1)(q-1)$
Select a small odd integer e relatively prime
(only common factor is 1) to $\phi(N)$
Find an integer d so that $de \equiv 1 \pmod{\phi(N)}$
(e, N) public key; (d, N) private key
B wants to send A a message M
B encrypts M using A's public key: $S = M^e \bmod N$
M is restricted to $0 \le M \le N-1$
A decrypts using the private key d: $S^d \bmod N = M^{de} \bmod N = M$
RSA Cipher - Example
p = 7; q = 11; N = 77; $\phi(N) = 6 \cdot 10 = 60$
Select e = 7 (relatively prime to 60)
d = 43 since $7 \cdot 43 = 301 \equiv 1 \pmod{60}$
B wants to send M = 9
B encrypts using the public key (e, N) = (7, 77):
$S = 9^7 \bmod 77 = 4782969 \bmod 77 = 37$
A decrypts using the private key (d, N) = (43, 77):
$37^{43} \bmod 77 = 9$
Side-Channel Attacks
Information obtained from the physical
implementation:
Timing: the time needed to encrypt may depend
on bits of the key
Power: the power profile may depend on bits of
the key
The attacker narrows the range of values to be
attempted
Fault Attacks
Another attack, by injecting faults:
Vary the supply voltage: generate a spike
Vary the clock frequency: generate a glitch
Overheat the device
Expose to intense light: camera flash or
precise laser beam
Faults are injected into a byte or a few bits
Fault Attacks on RSA
Only decryption (the private-key exponentiation) is subject to this attack
Assume:
1. Attacker can flip a single bit $d_i$ in the key d
2. S and the corresponding message M are known
to the attacker
The decryption device generates $\tilde{M}$ satisfying
$\tilde{M} = S^{\tilde{d}} \bmod N$, where $\tilde{d}$ is d with bit i flipped
If $\tilde{M} = M \cdot S^{-2^i} \bmod N$ then $d_i = 1$ (the flip removed the term $2^i$ from the exponent)
If $\tilde{M} = M \cdot S^{2^i} \bmod N$ then $d_i = 0$ (the flip added $2^i$ to the exponent)
Fault Attacks on RSA
Assume that the attacker flips a random bit
of d.
Example: (e, N) = (7, 77), d = 43 = $(d_5 d_4 d_3 d_2 d_1 d_0)_2 = 101011_2$
Ciphertext S = 37, producing M = 9 if no fault is
injected and $\tilde{M} = 67$ if a fault is injected
Search for i such that $9 = (67 \cdot 37^{2^i}) \bmod 77$: i = 3,
since $(67 \cdot 37^{8}) \bmod 77 = (67 \cdot 53) \bmod 77 = 9$
Hence $\tilde{M} = M \cdot S^{-2^3} \bmod 77$, so $d_3 = 1$.
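The key generation, the p = 7, q = 11 example and the single-bit-flip attack above, as an added Python example that is not code from the slides. `faulty_decrypt` models the attacked device by flipping bit i of d before the exponentiation; `recover_bit` is the attacker's search over i using only M, $\tilde{M}$ and S. All numbers are the slides' own (N = 77, e = 7, d = 43, M = 9, S = 37, $\tilde{M}$ = 67).

```python
import math

def rsa_keygen(p: int, q: int, e: int):
    """Textbook RSA key generation as on the slide: N = pq, phi = (p-1)(q-1), d = e^-1 mod phi."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(N)")
    d = pow(e, -1, phi)                   # modular inverse (Python 3.8+)
    return (e, n), (d, n)

def encrypt(m: int, pub) -> int:
    e, n = pub
    assert 0 <= m <= n - 1
    return pow(m, e, n)                   # S = M^e mod N

def decrypt(s: int, priv) -> int:
    d, n = priv
    return pow(s, d, n)                   # M = S^d mod N

def faulty_decrypt(s: int, priv, i: int) -> int:
    """Model of the attacked device: bit i of d is flipped before S^d mod N is computed."""
    d, n = priv
    return pow(s, d ^ (1 << i), n)

def recover_bit(m: int, m_faulty: int, s: int, n: int, nbits: int):
    """Attacker's search over i (M, M~ and S known, d unknown):
    M~ == M * S^(-2^i) mod N  =>  the flipped bit d_i was 1;
    M~ == M * S^( 2^i) mod N  =>  the flipped bit d_i was 0.
    Returns (i, d_i), or None if no position explains M~."""
    for i in range(nbits):
        t = pow(s, 1 << i, n)             # S^(2^i) mod N
        if (m_faulty * t) % n == m:
            return i, 1
        if (m * t) % n == m_faulty:
            return i, 0
    return None

if __name__ == "__main__":
    pub, priv = rsa_keygen(7, 11, 7)      # (7, 77), (43, 77)
    s = encrypt(9, pub)                   # 37
    m_bad = faulty_decrypt(s, priv, 3)    # d_3 cleared: exponent 35, output 67
    print(priv, s, decrypt(s, priv), m_bad, recover_bit(9, m_bad, s, 77, 6))
```

A caveat that only shows at toy size: modulo 77 the ciphertext 37 has multiplicative order 15, so $S^{2^4} = S^{2^0}$ and $S^{2^5} = S^{2^1}$, and a flip of bit 4 is reported as bit 0 (and bit 5 as bit 1). With real-size moduli such coincidences have negligible probability; the attacker repeats the procedure over many faulty decryptions to collect the bits of d.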
Fault Attack on Symmetric
Ciphers: The Tale of AES
Fault Attacks on Symmetric
Cryptosystems:
The AES Case Study
Fault Attacks on Block Ciphers
Attacks based on the induction of faults,
both accidental and intentional
First conceived in 1996 by Boneh,
DeMillo and Lipton
E. Biham and A. Shamir developed Differential Fault
Analysis (DFA), attacking DES
Optical fault induction attacks: S. Skorobogatov and R.
Anderson, Cambridge University,
CHES 2002
Illustration of a Fault Attack
[Figure: the same plaintext is run through the encryption algorithm twice, once fault-free and once with a fault induced during the computation; the fault-free ciphertext and the faulty ciphertext are fed to the analysis.]
Fault Model Used
Single Byte Fault
Attacker induces a fault at the input of the 8th round
in a single byte
Fault value should be non-zero but can be
arbitrary
Relaxing the requirements makes the attack
more practical:
No knowledge of the fault value required
Fewer bytes need to be faulty
Fewer faulty ciphertexts required
A Practical Scenario:
An Iterated AES Architecture
[Figure: an iterated AES datapath: plaintext → state register → AES round → state register (fed back for the next round) → ciphertext, driven by a clock line.]
An attacker can time his attack by counting the
number of clock cycles: control on fault timing
Principle of the Attack
First, consider a single-byte arbitrary
fault at the input of the 9th round.
ISB: Inverse SubByte
We develop a filter which takes as
input the faulty and the fault-free
ciphertext.
Propagation of Fault Induced
9th-round ByteSub: a single-byte fault at the input of the 9th round becomes an (unknown) single-byte difference f after the S-box
9th-round ShiftRow: the faulty byte is moved within its row
9th-round MixColumn: the faulty byte spreads to its whole column, with differences (2f, f, f, 3f)
10th-round ByteSub: the four bytes acquire unknown differences $F_1, F_2, F_3, F_4$
10th-round ShiftRow: the four faulty bytes are moved to four different columns of the ciphertext
The Patterns Give the
Following Equations
(here $x_i$ are the four affected bytes of the fault-free ciphertext, $x_i \oplus F_i$ the same bytes of the faulty ciphertext, $K_i$ the corresponding 10th-round key bytes, and the factors 2 and 3 are multiplications in $GF(2^8)$)
$ISB(x_1 \oplus K_1) \oplus ISB(x_1 \oplus F_1 \oplus K_1) = 2\,[ISB(x_2 \oplus K_2) \oplus ISB(x_2 \oplus F_2 \oplus K_2)]$
$ISB(x_2 \oplus K_2) \oplus ISB(x_2 \oplus F_2 \oplus K_2) = ISB(x_3 \oplus K_3) \oplus ISB(x_3 \oplus F_3 \oplus K_3)$
$ISB(x_4 \oplus K_4) \oplus ISB(x_4 \oplus F_4 \oplus K_4) = 3\,[ISB(x_2 \oplus K_2) \oplus ISB(x_2 \oplus F_2 \oplus K_2)]$
Important Points
No dependency on the fault value.
Finds the key using two faulty
encryptions with a probability of around
0.99
In the remaining cases a third faulty ciphertext is
needed
Time complexity is $2^{16}$.
One byte fault reveals 4 key bytes.
To obtain the entire key, 4 faulty ciphertexts are
needed.
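The 9th-round filter above in working Python, as an added example that is not code from the slides or from the cited papers. It models only AES-128 rounds 9 and 10 on a state given at the input of round 9, with $K_9$ and $K_{10}$ drawn independently at random (an assumption that costs nothing here, since the filter depends on nothing earlier); the fault is a random non-zero XOR on byte 0 of the round-9 input. Bytes are indexed column-major as in FIPS-197, so the slide's $x_1, x_8, x_{11}, x_{14}$ (row-major) are ciphertext bytes 0, 13, 10, 7 here. ISB is the inverse S-box, computed rather than tabulated; keys, states and faults are constructed sample data.

```python
import random

def gmul(a: int, b: int) -> int:
    """Multiplication in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x1b) & 0xff if a & 0x80 else a << 1
        b >>= 1
    return r

def _build_sbox():
    """Rijndael S-box computed, not tabulated: walk p = 3^k and q = 3^-k over GF(2^8)*, then the affine map."""
    sbox = [0] * 256
    p = q = 1
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xff
    while True:
        p = (p ^ (p << 1) ^ (0x1b if p & 0x80 else 0)) & 0xff   # p *= 3
        q ^= q << 1
        q ^= q << 2
        q ^= q << 4
        q &= 0xff                                                 # q /= 3, so p * q == 1
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _build_sbox()
INV_SBOX = [0] * 256                      # ISB on the slides
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i

def shift_rows(s):
    """State = 16 bytes, column-major (index = row + 4*col) as in FIPS-197; row r rotates left by r."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        out += [gmul(2, a[0]) ^ gmul(3, a[1]) ^ a[2] ^ a[3],
                a[0] ^ gmul(2, a[1]) ^ gmul(3, a[2]) ^ a[3],
                a[0] ^ a[1] ^ gmul(2, a[2]) ^ gmul(3, a[3]),
                gmul(3, a[0]) ^ a[1] ^ a[2] ^ gmul(2, a[3])]
    return out

def last_two_rounds(state9, k9, k10):
    """AES-128 rounds 9 and 10 applied to the state at the input of round 9 (round 10 has no MixColumns)."""
    s = mix_columns(shift_rows([SBOX[b] for b in state9]))
    s = [SBOX[x ^ k] for x, k in zip(s, k9)]
    return [x ^ k for x, k in zip(shift_rows(s), k10)]

# A fault on byte 0 of the round-9 input reaches column 0 of MixColumns as (2f', f', f', 3f');
# the 10th-round ShiftRows moves those four bytes to ciphertext positions 0, 13, 10, 7.
POS = (0, 13, 10, 7)
INV2 = 0x8d                               # 2^-1 in GF(2^8)

def candidates(c, c_f):
    """All 4-tuples (K10[0], K10[13], K10[10], K10[7]) consistent with one (fault-free, faulty) pair."""
    d = [[INV_SBOX[c[p] ^ k] ^ INV_SBOX[c_f[p] ^ k] for k in range(256)] for p in POS]
    by_val = [{} for _ in POS]
    for i in range(1, 4):
        for k, v in enumerate(d[i]):
            by_val[i].setdefault(v, []).append(k)
    cands = set()
    for k0 in range(256):
        fp = gmul(d[0][k0], INV2)         # position 0 carries 2f', so this is the implied f'
        for k13 in by_val[1].get(fp, ()):
            for k10 in by_val[2].get(fp, ()):
                for k7 in by_val[3].get(gmul(3, fp), ()):
                    cands.add((k0, k13, k10, k7))
    return cands

def recover_key_bytes(pairs):
    """Intersect the candidate sets of several pairs (all under the same key)."""
    result = None
    for c, c_f in pairs:
        s = candidates(c, c_f)
        result = s if result is None else result & s
    return result

def simulate(n_pairs=2, seed=2009):
    """Constructed scenario: random K9/K10, random round-9 input states, random non-zero fault on byte 0.
    Returns (candidate set, true (K10[0], K10[13], K10[10], K10[7]))."""
    rng = random.Random(seed)
    k9 = [rng.randrange(256) for _ in range(16)]
    k10 = [rng.randrange(256) for _ in range(16)]
    pairs = []
    for _ in range(n_pairs):
        st = [rng.randrange(256) for _ in range(16)]
        faulty = st[:]
        faulty[0] ^= rng.randrange(1, 256)
        pairs.append((last_two_rounds(st, k9, k10), last_two_rounds(faulty, k9, k10)))
    return recover_key_bytes(pairs), tuple(k10[p] for p in POS)

if __name__ == "__main__":
    found, truth = simulate()
    print(len(found), "candidate(s); true key bytes recovered:", truth in found)
```

One pair leaves on the order of $2^8$ candidate 4-tuples, and every candidate comes with its "twins" $K_i \oplus F_i$, because the filter equation is unchanged when $K_i$ is shifted by $F_i$. A second pair with different $F_i$ removes the twins, which is why two faulty ciphertexts normally suffice and why the roughly 1% of failures are the cases where an $F_i$ repeats. The loop costs about $4 \cdot 2^8$ inverse S-box evaluations per pair, well below the $2^{16}$ bound quoted above.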

When the Fault is Induced in the
8th Round
Fault is induced at the input of the 8th round
A one-byte disturbance creates a 4-byte fault at the input of the 9th round
Let us trace the disturbance through
the last 3 rounds
Equations of a similar nature result

Propagation of Fault Induced
8th-round ByteSub: the single-byte fault becomes an unknown single-byte difference f
8th-round ShiftRow: the faulty byte is moved within its row
8th-round MixColumn: the faulty byte spreads to its column as (2f, f, f, 3f)
9th-round ByteSub: the four bytes acquire unknown differences $F_1, F_2, F_3, F_4$
9th-round ShiftRow: $F_1, F_2, F_3, F_4$ are moved into four different columns
9th-round MixColumn: every byte of the state is now faulty; row by row the differences are
$2F_1 \quad F_4 \quad F_3 \quad 3F_2$
$F_1 \quad F_4 \quad 3F_3 \quad 2F_2$
$F_1 \quad 3F_4 \quad 2F_3 \quad F_2$
$3F_1 \quad 2F_4 \quad F_3 \quad F_2$
10th-round ByteSub: each byte acquires an unknown difference $A_1, \ldots, A_{16}$ (numbered row by row)
10th-round ShiftRow: the $A_i$ are permuted across the columns of the ciphertext
The Patterns Give the
Following Equations
(ciphertext bytes $x_i$ and differences $A_i$ are numbered row by row; $K_{rc}$ is the 10th-round key byte in row r, column c; these are the equations for column 0, whose 9th-round MixColumn differences are $2F_1, F_1, F_1, 3F_1$)
$ISB(x_1 \oplus K_{00}) \oplus ISB(x_1 \oplus A_1 \oplus K_{00}) = 2\,[ISB(x_8 \oplus K_{13}) \oplus ISB(x_8 \oplus A_5 \oplus K_{13})]$
$ISB(x_8 \oplus K_{13}) \oplus ISB(x_8 \oplus A_5 \oplus K_{13}) = ISB(x_{11} \oplus K_{22}) \oplus ISB(x_{11} \oplus A_9 \oplus K_{22})$
$ISB(x_{14} \oplus K_{31}) \oplus ISB(x_{14} \oplus A_{13} \oplus K_{31}) = 3\,[ISB(x_8 \oplus K_{13}) \oplus ISB(x_8 \oplus A_5 \oplus K_{13})]$

For the Other Key Bytes
Similar equations are derived for the
other key bytes.
For all the equations the worst-case
complexity is around $2^8$ to $2^9$.
Two faulty ciphertext pairs reveal the
exact key with high probability.

Can the Attack Work with One
Faulty Ciphertext?
With one faulty ciphertext:
Number of possible values per 4 bytes of
the key is around $2^8$.
There are $2^{32}$ possible candidates for the 128
bits of the AES key.
Brute-forcing the key is thus possible:
Taking around 30 minutes on an Intel Core-2
Duo platform
Taking seconds on 8-core machines.
Why $2^{32}$?
On average there is one solution K to an equation of the form
$S^{-1}(x \oplus K) \oplus S^{-1}(x \oplus A \oplus K) = F$
for fixed x, A and F.
Thus for one value of $F_1$ there is (on average) 1 value for each of $k_1$, $k_8$, $k_{11}$, $k_{14}$ which
satisfies the equations.
Thus for all the $2^8$ values of $F_1$, there are $2^8$ values for $(k_1, k_8, k_{11}, k_{14})$.
Thus the total size of the AES key space is $(2^8)^4 = 2^{32}$.
Improvement of the Attack
Our current research shows that the AES key
space can be reduced from $2^{32}$ to $2^8$ for a
single byte fault, with a time complexity of $2^{30}$.

The small complexity of the attack makes it
feasible on real-life FPGA implementations of
AES using less sophisticated techniques, like
clock glitching.
Effect of clock glitches on Faults
MULTI-BYTE FAULT
ATTACKS ON AES
Fault Model Used
Multi-byte faults (more practical)
Attacker induces a fault at the input of the
8th round in some bytes
Fault value should be non-zero but can be
arbitrary
Improves the fault coverage.
Diagonal of AES State Matrix
Fault Models
M0: One Diagonal affected.
M1: Two Diagonals affected.
M2: Three Diagonals affected.
M3: Four Diagonals affected.
Fault Injection Setup
Tools used:
AES core implemented on a Xilinx Spartan 3E.
Agilent waveform generator (80 MHz)
Xilinx ChipScope Pro embedded logic analyzer.
Equivalence of Faults according to M0
Faults induced in diagonal $D_0$ at the input of the 8th
round of AES are all equivalent.
Inter-relationships depending on the
Diagonals affected
Equations if Diagonal $D_0$ is affected
There are in total 4 such systems of equations for a diagonal $D_0$.
Each system of equations gives $2^8$ keys on average.
The AES key space gets reduced to $2^{32}$.
If the attacker does not know which diagonal is affected, then the key space is
$4 \cdot 2^{32} = 2^{34}$.
Fault Injected across 2 Diagonals
(Fault Model $M_1$)
Equations if Diagonals $D_0$ and $D_1$ are affected
The equations reduce the space of 4
key bytes of AES to $2^{16}$
Two faulty ciphertexts reduce it to a
unique value on average
(experimental result).
Fault Injected across 3 Diagonals
(Fault Model $M_2$)
Equations if $D_0$, $D_1$ and $D_2$ are affected
The equations reduce the space of 4 key
bytes of AES to $2^{24}$
Four faulty ciphertexts reduce it to a unique
value on average (experimental result).
Experimental Results
[Figure: plot of the experimental results, with the region labelled ATTACK REGION.]
Fault Tolerance:
Countermeasures
Block the Faulty Output
Must first detect the injected fault, then
prevent the attacker from observing the
erroneous output:
Block the output (e.g., generate an all-zeroes
output)
Produce a random output, misleading the
attacker
Fault Detection Required
Two approaches:
1. Duplicate the encryption (decryption) process
(hardware or time redundancy) and compare the results;
injected faults are transient and will manifest differently in the two computations
Spatial duplication: a redundant encryption unit, or use the
decryption unit and compare to the original plaintext
Temporal duplication: reuse the hardware or re-execute the
software
2. Use error-detection codes: they require smaller
overhead but possibly give lower coverage.
Error Detecting Codes (EDCs)
First generate check bits
For each operation within the encryption, predict the check bits
Periodically compare the predicted check bits to the generated
ones
Predicting the check bits for each operation is the most complex
step; its cost should be compared to duplication
Examples of EDCs: parity-based and residue checks
Can be applied at different
levels: word, byte,
nibble
Parity-based Code for AES
Operations operate on bytes, so byte-level
parity is natural
The tricky part is to predict the parity bits.
ShiftRows: rotate the parity bits along with the bytes
AddRoundKey: add (XOR) the parity bits of the state to those
of the round key
[Table columns: Transformation | Transformation input (input state matrix) | Transformation result (output state matrix) | Parity bit(s) | Parity prediction | Predicted parity bit(s)]
Parity Bits for Sboxes
SubBytes:
Expand the S-box to 256×9 to add an output parity bit;
to propagate incoming errors (rather than
having to check for them) expand it to 512×9 and
store an incorrect output parity bit for inputs with incorrect
parity
Parity Bits for MixColumns
MixColumns: with $p_{i,j}$ the parity of the input byte in position i,j and $p'_{i,j}$ the predicted parity of the output byte, the expressions for column j are:
$p'_{0,j} = p_{0,j} \oplus p_{2,j} \oplus p_{3,j} \oplus s^{(7)}_{0,j} \oplus s^{(7)}_{1,j}$
$p'_{1,j} = p_{0,j} \oplus p_{1,j} \oplus p_{3,j} \oplus s^{(7)}_{1,j} \oplus s^{(7)}_{2,j}$
$p'_{2,j} = p_{0,j} \oplus p_{1,j} \oplus p_{2,j} \oplus s^{(7)}_{2,j} \oplus s^{(7)}_{3,j}$
$p'_{3,j} = p_{1,j} \oplus p_{2,j} \oplus p_{3,j} \oplus s^{(7)}_{3,j} \oplus s^{(7)}_{0,j}$
where $s^{(7)}_{i,j}$ is the msb of the state byte in
position i,j
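The MixColumns parity prediction above, checked in Python against the actual transformation; this is an added example and not code from the slides. `predict_parity` uses only the four input parities and the four msbs, exactly as the equations do, and `check_column` compares that prediction with the parities of the produced output, which is the concurrent check a hardware implementation would make. The column values are constructed (the first is the FIPS-197 MixColumns test vector db 13 53 45 → 8e 4d a1 bc); `xtime` is the standard multiply-by-x in $GF(2^8)$.

```python
import random

def xtime(a: int) -> int:
    """Multiply by x (i.e. by 2) in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    return ((a << 1) ^ 0x1b) & 0xff if a & 0x80 else a << 1

def parity(b: int) -> int:
    return bin(b).count("1") & 1

def mix_column(a):
    """AES MixColumns on one column [a0, a1, a2, a3]; 3*a = xtime(a) ^ a."""
    m3 = lambda x: xtime(x) ^ x
    return [xtime(a[0]) ^ m3(a[1]) ^ a[2] ^ a[3],
            a[0] ^ xtime(a[1]) ^ m3(a[2]) ^ a[3],
            a[0] ^ a[1] ^ xtime(a[2]) ^ m3(a[3]),
            m3(a[0]) ^ a[1] ^ a[2] ^ xtime(a[3])]

def predict_parity(a):
    """The slide's prediction: output parities from the input parities p_i and msbs s_i^(7) alone.
    It holds because parity(2*a) = parity(a) ^ msb(a) (0x1b has even weight) and parity(3*a) = msb(a)."""
    p = [parity(x) for x in a]
    s7 = [x >> 7 for x in a]
    return [p[0] ^ p[2] ^ p[3] ^ s7[0] ^ s7[1],
            p[0] ^ p[1] ^ p[3] ^ s7[1] ^ s7[2],
            p[0] ^ p[1] ^ p[2] ^ s7[2] ^ s7[3],
            p[1] ^ p[2] ^ p[3] ^ s7[3] ^ s7[0]]

def check_column(a, produced):
    """Concurrent check: byte positions whose produced parity disagrees with the prediction."""
    pred = predict_parity(a)
    return [i for i in range(4) if parity(produced[i]) != pred[i]]

def flip_bits(col, byte_idx, *bits):
    """Inject a fault: flip the given bit positions of one output byte."""
    out = list(col)
    for b in bits:
        out[byte_idx] ^= 1 << b
    return out

def coverage(trials=200, seed=7):
    """Constructed experiment over random columns: every single-bit fault on an output byte is caught
    (odd weight), every two-bit fault inside one byte is missed (even weight).
    Returns (single_bit_faults_caught, double_bit_faults_missed), or None if a fault-free column alarmed."""
    rng = random.Random(seed)
    single_caught = double_missed = 0
    for _ in range(trials):
        a = [rng.randrange(256) for _ in range(4)]
        out = mix_column(a)
        if check_column(a, out):              # a correct output must never raise an alarm
            return None
        for i in range(4):
            for bit in range(8):
                single_caught += check_column(a, flip_bits(out, i, bit)) == [i]
            double_missed += check_column(a, flip_bits(out, i, 0, 7)) == []
    return single_caught, double_missed

if __name__ == "__main__":
    col = [0xdb, 0x13, 0x53, 0x45]                 # FIPS-197 test column
    print([hex(x) for x in mix_column(col)], predict_parity(col), coverage())
```

The last function makes the coverage trade-off of the EDC approach concrete: byte parity detects every odd-weight error in a byte at the cost of one bit per byte, but any even-weight error in one byte passes, which is the "possibly lower coverage" that duplication does not have.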
Conclusions
Cryptosystems are vulnerable to faults.
Revealing faulty computations may end up
giving away the key.
AES-128 (the present-day world standard)
can be reduced to 8 bits of security with a
single well-formed byte fault.
It is not so difficult to obtain these faults in
ciphering hardware.
Need fault tolerance for security!
More so when we move to unreliable platforms like
nano-technology, where wrong computations are
more to be expected.
References
G. Piret, J. J. Quisquater: A Differential Fault Attack Technique against SPN Structures, with Application to the AES and Khazad. CHES 2003.

Debdeep Mukhopadhyay: An Improved Fault Based Attack of the Advanced Encryption Standard. AFRICACRYPT 2009, LNCS 5580, pp. 421-434.

Michael Tunstall, Debdeep Mukhopadhyay, and Sk. Subidh Ali: Differential Fault Analysis of the Advanced Encryption Standard using a Single Fault. To appear in the Proceedings of WISTP, Greece; Cryptology ePrint Archive, Report 2009/575.

Dhiman Saha, Debdeep Mukhopadhyay, Dipanwita Roy Chowdhury: A Diagonal Fault Attack on the Advanced Encryption Standard. Cryptology ePrint Archive, Report 2009/581.

Toshinori Fukunaga, Junko Takahashi: Practical Fault Attack on a Cryptographic LSI with ISO/IEC 18033-3 Block Ciphers. FDTC 2009.

Subidh Ali and Debdeep Mukhopadhyay: Acceleration of Differential Fault Analysis of the Advanced Encryption Standard Using Single Fault. Cryptology ePrint Archive, Report 2010/451.

I. Koren and C. M. Krishna: Fault-Tolerant Systems. Morgan Kaufmann, San Francisco, CA, 2007.
