Ni Yewen,Cui Xiaoxin,Wang Tian,Fan Yuanning,Han Qiankun,Liu Kefei,Cui Xiaole

DOI: https://doi.org/10.1109/ASICON.2017.8252468

2017-01-01

Abstract:The traditional random multi-byte fault model in AES fault attack only uses the faulty ciphertexts with diagonal-fault distributions to implement differential fault analysis. When there are not enough exploitable faulty ciphertexts, the round key could not be confirmed directly, and a comparatively large search space is still left for brute-force attack. In this paper, an improved differential fault analysis (DFA) using all-fault ciphertexts on AES was proposed. The all-fault ciphertexts could be used to optimize the selection of the brute-force space, which is helpful to recover the secret key quickly and improves the analysis efficiency. The experiment result demonstrated that by applying the DFA with all-fault ciphertexts, the time consumed on the brute-force attack can be reduced 60.81% on average, which significantly accelerated the process of cracking AES.

Nan Liao,Xiaoxin Cui,Tian Wang,Kai Liao,Dunshan Yu,Xiaole Cui

DOI: https://doi.org/10.1109/cstic.2016.7464078

2016-01-01

Abstract:Random fault attacks against Advanced Encryption Standard (AES) hardware implementation are widely researched. In the previous fault analysis, 6 rounds of attacks are required to recover the correct round-key, which is not efficient enough for extensive analysis. In this paper, a more efficient fault model is proposed. Based on the analysis of theoretical key candidate number, the proposed attack method can complete the analysis as few as 3 rounds. Experiment results shows that nearly 90% of the attacks recover the correct round-key with 3 rounds and in average only 3.125 rounds are required with our proposed attack method.

Nan Liao,Xiaoxin Cui,Tian Wang,Kai Liao,Yewen Ni,Dunshan Yu,Xiaole Cui

DOI: https://doi.org/10.1109/asicon.2015.7517030

2015-01-01

Abstract:Setup time variation fault attacks that aim straightly at the FPGA devices have become hot spots nowadays. A high-efficient and accurate fault model aiming at FPGA-based cryptographic applications is proposed in this paper. Multi-diagonal faults are considered in this paper, thus more exploitable faulty ciphertexts can be gathered compared with the previous model. Multi-fault analysis is introduced due to the existence of multi-fault injection, which guarantees the accuracy of the result. Experiment result shows that the fault model brings a significant increase up to 36.5% of the exploitable faults compared with the previous method. Within 24 pairs of correct and faulty ciphertexts, the complete round key can be retrieved by this model.

Qingyuan Yu,Xiaoyang Dong,Lingyue Qin,Yongze Kang,Keting Jia,Xiaoyun Wang,Guoyan Zhang

DOI: https://doi.org/10.46586/tches.v2023.i4.1-31

2023-01-01

IACR Transactions on Cryptographic Hardware and Embedded Systems

Abstract:Fault analysis is a powerful technique to retrieve secret keys by exploiting side-channel information. Differential fault analysis (DFA) is one of the most powerful threats utilizing differential information between correct and faulty ciphertexts and can recover keys for symmetric-key cryptosystems efficiently. Since DFA usually targets the first or last few rounds of the block ciphers, some countermeasures against DFA only protect the first and last few rounds for efficiency. Therefore, to explore how many rounds DFA can affect is very important to make sure how many rounds to protect in practice. At CHES 2011, Derbez et al. proposed an improved DFA on AES based on MitM approach, which covers one more round than previous DFAs. To perform good (or optimal) MitM DFA on block ciphers, the good (or optimal) attack configurations should be identified, such as the location where the faults inject, the matching point with differential relationship, and the two independent computation paths where two independent subsets of the key are involved. In this paper, we formulate the essential ideas of the construction of the attack, and translate the problem of searching for the best MitM DFA into optimization problems under constraints in Mixed-Integer-Linear-Programming (MILP) models. With the models, we achieve more powerful and practical DFA attacks on SKINNY, CRAFT, QARMA, PRINCE, PRINCEv2, and MIDORI with faults injected in 1 to 9 earlier rounds than the best previous DFAs.

Yixia Liu,Xiaoxin Cui,Jian Cao,Xing Zhang

DOI: https://doi.org/10.1109/ASICON.2017.8252593

2017-01-01

Abstract:In this paper, a hybrid model is proposed to improve availability of ciphertext for differential fault attack (DFA) against AES. This model combines the fault models of the encryption process with the key schedule process. In the actual attack scenarios, we can use the pairs of correct and fault ciphertexts to match a variety of models, such as single-byte fault model, multi-byte fault model and two-line fault model at the same time. Theoretically, the fault attack based on this hybrid model can improve the attack efficiency by almost 50%. The experiment results show that using 2 pairs of correct and faulty diagonal ciphertext and 4 pairs of correct and faulty two-line ciphertexts can recover the entire AES-128 key, and the computational complexity is only 2(16) x 3+2(8) ML x 12, which is lower than any one type of the fault model.

Xue Gong,Ao Shen,Tianxiang Feng,Guorui Xu,Shize Guo,Fan Zhang

DOI: https://doi.org/10.1016/j.vlsi.2024.102174

IF: 1.345

2024-01-01

Integration

Abstract:Cryptographic algorithms have been employed in a variety of fields as the primary method to protect information security. The security of a cryptographic algorithm is closely related to its operating environment and physical devices. Algebraic Persistent Fault Analysis (APFA) is a new fault analysis method for block ciphers proposed in CHES 2022, which utilizes the fault that persists in encryptions and introduces algebraic analysis in the fault analysis step. In the fault injection step, as the transistors of the integrated circuit are getting smaller and tighter, even high-precision devices may cause more than one fault per injection. However, more faults may lead to a more efficient attack in the fault analysis step. In this paper, APFA for double faults is proposed, which can deal with the double faults model and reduce the number of required ciphertexts. The practicality of our fault injection is validated by laser fault injection experiments on the SRAM embedded in an ATmega163L microcontroller. The effectiveness of our fault analysis is proven by successfully recovering the key of PRESENT-128 and AES-128. The number of ciphertexts needed for key recovery is reduced by 46% compared to PFA with a single fault.

Fan Zhang,Shize Guo,Xinjie Zhao,Tao Wang,Jian Yang,Francois-Xavier Standaert,Dawu Gu

DOI: https://doi.org/10.1109/tifs.2016.2516905

2019-01-01

Abstract:Algebraic fault analysis (AFA), which combines algebraic cryptanalysis with fault attacks, has represented serious threats to the security of lightweight block ciphers. Inspired by an earlier framework for the analysis of side-channel attacks presented at EUROCRYPT 2009, a new generic framework is proposed to analyze and evaluate algebraic fault attacks on lightweight block ciphers. We interpret AFA at three levels: 1) the target; 2) the adversary; and 3) the evaluator. We describe the capability of an adversary in four parts: 1) the fault injector; 2) the fault model describer; 3) the cipher describer; and 4) the machine solver. A formal fault model is provided to cover most of current fault attacks. Different strategies of building optimal equation set are also provided to accelerate the solving process. At the evaluator level, we consider the approximate information metric and the actual security metric. These metrics can be used to guide adversaries, cipher designers, and industrial engineers. To verify the feasibility of the proposed framework, we make a comprehensive study of AFA on an ultra-lightweight block cipher called LBlock. Three scenarios are exploited, which include injecting a fault to encryption, to key scheduling, or modifying the round number or counter. Our best results show that a single fault injection is enough to recover the master key of LBlock within the affordable complexity in each scenario. To verify the generic feature of the proposed framework, we apply AFA to three other block ciphers, i.e., Data Encryption Standard, PRESENT, and Twofish. The results demonstrate that our framework can be used for different ciphers with different structures.

Nan Liao,Xiaoxin Cui,Tian Wang,Kai Liao,Dunshan Yu,Xiaole Cui

DOI: https://doi.org/10.1109/icist.2016.7483412

2016-01-01

Abstract:A high-efficient fault attack on AES S-box is proposed in this paper. Faults are introduced in the encryption process by changing the mapping relationship of S-box. Based on the round in which the faults are introduced, two fault models are presented. Attack results show that the first model only needs 16 faulty ciphertexts to recover the 128-bit secret key. The second fault model is more efficient. In this model, two rounds of attacks are enough to find out the 4-byte round-key based on DFA on the 9th round S-box. For covering all the possible fault situations, influence of multi-byte faults are considered, which effectively improves the attack accuracy and reduces the attack rounds. Compared with previous fault models, our work in this paper shows significant advantage of efficiency.

Zhang Fan,Zhao Xinjie,Guo Shize,Shen Jizhong,Huang Jing,Hu Zijie

DOI: https://doi.org/10.1109/cc.2015.7188531

2015-01-01

Abstract:PRINCE is a 64-bit lightweight block cipher with a 128-bit key published at ASIACRYPT 2012. Assuming one nibble fault is injected, previous different fault analysis (DFA) on PRINCE adopted the technique from DFA on AES and current results are different. This paper aims to make a comprehensive study of algebraic fault analysis (AFA) on PRINCE. How to build the equations for PRINCE and faults are explained. Extensive experiments are conducted. Under nibble-based fault model, AFA with three or four fault injections can succeed within 300 seconds with a very high probability. Under other fault models such as byte-based, half word-based, word-based fault models, the faults become overlapped in the last round and previous DFAs are difficult to work. Our results show that AFA can still succeed to recover the full master key. To evaluate security of PRINCE against fault attacks, we utilize AFA to calculate the reduced entropy of the secret key for given amount of fault injections. The results can interpret and compare the efficiency of previous work. Under nibble-based fault model, the master key of PRINCE can be reduced to 2 9.69 and 2 36.10 with 3 and 2 fault injections on average, respectively.

Fan Zhang,Bolin Yang,Shize Guo,Xinjie Zhao,Tao Wang,Francois-Xavier Standaert,Dawu Gu

DOI: https://doi.org/10.1007/978-3-030-11333-9_5

2019-01-01

Abstract:Algebraic fault analysis (AFA), which combines algebraic cryptanalysis with fault attacks, has represented serious threats to the security of lightweight block ciphers. Inspired by an earlier framework for the analysis of side-channel attacks presented at EUROCRYPT 2009, a new generic framework is proposed to analyze and evaluate algebraic fault attacks on lightweight block ciphers. We interpret AFA at three levels: the target, the adversary, and the evaluator. We describe the capability of an adversary in four parts: the fault injector, the fault model describer, the cipher describer, and the machine solver. A formal fault model is provided to cover most of the current fault attacks. Different strategies of building optimal equation set are also provided to accelerate the solving process. At the evaluator level, we consider the approximate information metric and the actual security metric. These metrics can be used to …

Zehong (Zephyr) Qiu,Fan Zhang

DOI: https://doi.org/10.46586/tches.v2023.i3.570-596

2023-01-01

Abstract:Algebraic Fault Analysis (AFA) is a cryptanalysis for block ciphers proposed by Courtois et al., which incorporates algebraic cryptanalysis to overcome the complexity of manual analysis within the context of Differential Fault Analysis (DFA). The effectiveness of AFA on lightweight block ciphers has been demonstrated. However, the complexity of the algebraic systems prevents it from attacking heavyweight block ciphers efficiently. In this paper, we propose a novel cryptanalysis called Redundancies-assisted Algebraic Fault Analysis (RAFA) to facilitate the solution of algebraic systems in the setting of heavyweight block ciphers. The core idea of RAFA is to expedite SAT solvers by modifying the algebraic systems, which is accomplished via two methods. The first method introduces redundant constraints, which is proposed for the first time in the context of algebraic cryptanalysis. The second one is a sophisticated linearization of the nonlinear Algebraic Normal Form (ANF). It takes RAFA for about 9.68 hours to attack AES-128. To the best of our knowledge, this is the first work that uses a general SAT solver to attack AES with only a single injection of byte-fault. Moreover, RAFA can attack AES-128 in 50.92 and 27.54 minutes for nibble- and bit-based fault model, respectively. In comparison, the traditional DFA algorithm implemented by pure C takes 4 ~ 5 hours under all three fault models investigated in this work. Moreover, in order to show the generality of RAFA, we also apply it to other heavyweight block ciphers. The best results show that RAFA could recover the key of Serpent-256 and SPEEDY-r-192 in 20.7 and 1.5 hours using only three faults, respectively. In comparison, AFA could not break these two ciphers even when 30 bits and 50 bits of their keys are known, respectively. Furthermore, no DFA work on Serpent or SPEEDY is known using comparable fault models.

Fan Zhang,Xinjie Zhao,Wei He,Shivam Bhasin,Shize Guo

DOI: https://doi.org/10.1007/s11432-016-0233-0

2017-01-01

Science China Information Sciences

Abstract:>Fault analysis is a very powerful technique to break cryptographic implementations.In particular,bitlevel fault analysis(BLFA),where faults are injected by flipping one or a few isolated bits,are among the most efficient of the lot.BLFA requires both precise fault injection capabilities and sophisticated key extraction skills.Algebraic fault analysis(AFA)[1]is a good analysis technique for BLFA.Compared with differential fault analysis(DFA),AFA relies on the automation from machine solvers.Since it fully utilizes the leakages

Fan Zhang,Yiran Zhang,Xinjie Zhao,Shize Guo,Ziyuan Liang,Samiya Qureshi

DOI: https://doi.org/10.1109/PADSW.2018.8645010

2018-01-01

Abstract:The block cipher LED is well suited for resource-constrained scenarios. However, it is vulnerable to the recent fault attacks and different results have been achieved even under the same fault model. In this paper, a comprehensive investigation is conducted on the fault analysis on LED. A novel differential fault analysis is proposed, which is based on the so-called constraint equations. The proposed attack can combine constraint equations at different levels, pushing the differential fault analysis on LED towards its limit in terms of the time complexity, the data complexity and the remained key search space. Under random nibble fault model, SINGLE fault injection can reduce the key search space of LED-64 to 2 <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">7.90</sup> within 1.89s, compared to 2 <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">17.65</sup> within 7 minutes in prior finest contributions. As to DFA on LED-128, TWO fault injections can reduce the key search space to 2 <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">15.82</sup> within 247.88s, compared to 2 <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">21.96</sup> within 16 minutes in previous work. To the best of our knowledge, the scheme that we proposed is the most efficient fault attack on LED cryptosystems.

Xinjie Zhao,Shize Guo,Fan Zhang,Zhijie Shi,Chujiao Ma,Tao Wang

DOI: https://doi.org/10.1109/FDTC.2013.14

2013-01-01

Abstract:This paper proposes a fault analysis technique on LED by combining algebraic cryptanalysis and differential fault analysis (DFA). The technique is called algebraic differential fault analysis (ADFA). In ADFA on LED, we use DFA to deduce the possible fault differences of the correct and faulty S-Box input in the last round, and convert them into algebraic equations. We then combine the equation set of LED with the injected fault and use the CryptoMiniSat solver to recover the secret key. Our experiments show that, on a common PC, ADFA can succeed on LED under the nibble-based fault model within three minutes and with only one fault injection, which is more efficient than previous DFA work. To evaluate DFA on LED, we first propose an improved evaluation algorithm of DFA, then provide a modified ADFA approach to compute the solutions for the secret key. The results are more accurate than previous work. We also successfully extend ADFA on LED to other fault models using a single fault injection, where traditional DFAs are difficult to launch.

Fan Zhang,Xiaofei Dong,Xinjie Zhao,Yidi Wang,Samiya Qureshi,Yiran Zhang,Xiaoxuan Lou,Yongkang Tang

DOI: https://doi.org/10.1109/MASS.2018.00056

2018-01-01

Abstract:This paper proposed an advanced round modification fault analysis (RMFA) at the theoretical level on AEGIS-128, which is one of seven finalists in CAESAR competition. First, we clarify our assumptions and simplifications on the attack model, focusing on the encryption security. Then, we emphasize the difficulty of applying vanilla RMFA to AEGIS-128 in the practical case. Finally we demonstrate our advanced fault analysis on AEGIS-128 using machine-solver based algebraic techniques. Our enhancement can be used to conquer the practical scenario which is difficult for vanilla RMFA. Simulation results show that when the fault is injected to the initialization phase and the number of rounds is reduced to one, two samples of injections can extract the whole 128 key bits within less than two hours. This work can also be extended to other versions such as AEGIS-256.

Hao Chen,Tao Wang,Xinjie Zhao,Fan Zhang,Yunfei Ma,Xiaohan Wang

DOI: https://doi.org/10.13232/j.cnki.jnju.2017.06.016

2017-01-01

Abstract:HIGHT is built by using ARX(addition modulo 2n,bit rotation and XOR)structure,which is suitable for resource-constrained environment such as Radio Frequency Identification(RFID)tag or ubiquitous computing system and it has been adopted as a standard block cipher by Telecommunications Technology Association(TTA)of Korea and ISO/IEC 18033-3.Since the accurate location of the injected fault cannot be successfully determined when fault failures are occurred,the success rate of the existing algebraic fault attack on HIGHT is always less than 100%.To improve the success rate and efficiency,a fault tolerant algebraic fault attack is proposed in this paper.Firstly,fault failures and its properties are studied and a complete distinguisher based on fault failures,fault locations and cipher differences for determining the accurate fault locations in all different scenarios is built.Then,HIGHT is described as a set of algebraic equations.The faulty ciphertext is generated via fault injections and fault differences are represented with algebraic equations.To make maximum use of the injected faults,fault failures are also described as a set of algebraic equations.In the meantime,the procedure of constructing algebraic equations for the inj ected faults is optimized to perform automatically to further make the attack easy to launch.Finally,the CryptoMiniSAT solver is applied to solve the equations for the key and the number of fault injections that required and success rate of the proposed attack are analyzed in theory.The simulation experiments show that compared with the existing algebraic fault attack on HIGHT,the success rate of the proposed attack has been improved to 100% and the method of con-structing algebraic equations for the injected faults is easier and can be performed automatically,the entire mater key bytes can be fully recovered in a rather smaller time by solving the algebraic equations with the CryptoMiniSAT solver,and the proposed attack can be easily extended to other cipher which has the similar structure.

Xue Gong,Fan Zhang,Xinjie Zhao,Jie Xiao,Shize Guo

DOI: https://doi.org/10.1109/tifs.2024.3495234

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Persistent Fault Analysis (PFA) is a powerful analysis technique proposed in CHES 2018, which utilizes those faults that are injected before execution and persist throughout the encryption. However, when it is applied to the block cipher which has multiple S-boxes, the key can not be recovered in just one attack. The adversary has to conduct the fault attack several times and inject faults into all the distinct S-boxes. In this paper, we propose Key Schedule Guided Persistent Fault Attack (KGPFA), which utilizes the key schedule to guide the fault injection and fault analysis. By analyzing the key schedule, KGPFA exploits the relations between the key leakages caused by the same faulty S-box in various rounds. It can reduce the number of attacks and the number of faults required to recover the key. Our major contributions are twofold. Firstly, in the fault injection step, we provide Key Schedule Guided Persistent Fault Injection (KGPFI) strategies to reduce the number of attacks and the number of faults under the assumption of both ciphertext-only and known-plaintext attacks. Secondly, in the fault analysis step, as our target ciphers are Feistel-based, we propose the Ineffective Algebraic Persistent Fault Analysis (IAPFA) to extend the usage of Algebraic Persistent Fault Analysis (APFA) in the ineffective persistent fault setting. To demonstrate the effectiveness of our technique, we apply KGPFA to four widely used block ciphers with multiple S-boxes, DES, 3DES, LBlock, and Camellia. In our experiment, in the ciphertext-only attack, the key of DES can be recovered with 300 ineffective ciphertexts (coresponding to 827 ciphertexts) and four faulty S-boxes within 12.18min. Under the assumption of known-plaintext, the key of DES is recovered within two faulty S-boxes in 2.34h. For LBlock, the key is recovered with two faulty S-boxes and 100 ineffective ciphertexts (coresponding to 6211 ciphertexts) in 1.16min.

Xiaojie Dai,Xingxin Wang,Xue Qu,Baolei Mao,Wei Hu

DOI: https://doi.org/10.26599/tst.2023.9010035

2024-04-01

Abstract:Fault analysis is a frequently used side-channel attack for cryptanalysis. However, existing fault attack methods usually involve complex fault fusion analysis or computation-intensive statistical analysis of massive fault traces. In this work, we take a property-based formal verification approach to fault analysis. We derive fine-grained formal models for automatic fault propagation and fusion, which establish a mathematical foundation for precise measurement and formal reasoning of fault effects. We extract the correlations in fault effects in order to create properties for fault verification. We further propose a method for key recovery, by formally checking when the extracted properties can be satisfied with partial keys as the search variables. Experimental results using both unprotected and masked advanced encryption standard (AES) implementations show that our method has a key search complexity of 216, which only requires two correct and faulty ciphertext pairs to determine the secret key, and does not assume knowledge about fault location or pattern.

computer science, information systems,engineering, electrical & electronic, software engineering

Xinjie Zhao,Shize Guo,Tao Wang,Fan Zhang,Zhijie Shi

DOI: https://doi.org/10.1007/s11859-012-0875-7

2012-01-01

Abstract:This article proposes an enhanced differential fault analysis (DFA) method named as fault-propagation pattern-based DFA (FPP-DFA). The main idea of FPP-DFA is using the FPP of the ciphertext difference to predict the fault location and the fault-propagation path. It shows that FPP-DFA is very effective on SPN structure block ciphers using bitwise permutation, which is applied to two block ciphers. The first is PRESENT with the substitution-permutation sequence. With the fault model of injecting one nibble fault into the r -2nd round, on average 8 and 16 faults can reduce the key search space of PRESENT-80/128 to 2 14.7 and 2 21.1 , respectively. The second is PRINTcipher with the permutation-substitution sequence. For the first time, it shows that although the permutation of PRINTcipher is secret key dependent, FPP-DFA still works well on it. With the fault model of injecting one nibble fault into the r -2nd round, 12 and 24 effective faults can reduce the key search space of PRINTcipher-48/96 to 2 13.7 and 2 22.8 , respectively.

Bo Wang,Leibo Liu,Chenchen Deng,Min Zhu,Shouyi Yin,Shaojun Wei

DOI: https://doi.org/10.1109/tifs.2016.2518130

IF: 7.231

2016-01-01

IEEE Transactions on Information Forensics and Security

Abstract:With the increasing accuracy of fault injections, it has become possible to inject two faults into specific circuit regions precisely at a certain time. Unfortunately, most existing fault attack countermeasures are based on the single fault assumption, and it is, therefore, very difficult to resist double fault attacks. Reconfigurable array architecture (RAA) has the ability to introduce spatial and time randomness by dynamic reconfiguration, which can alleviate the threat of double fault attacks. This paper, for the first time, analyzes the double fault attack issues in the fault injection phase systematically. An evaluation model, named injection effort model (IEM), is proposed to quantify the efforts of a successful fault injection. In IEM, the real injection process is described mathematically using the probability method, so that a theoretical basis can be provided for the corresponding countermeasure design. Based on the concept of spatial and time randomization, three countermeasures are implemented on RAA for the purpose of decreasing the implementation overhead under the premise of ensuring the security. When these countermeasures are adopted, tradeoffs can be made between the double fault resistance and the extra overhead through changing the degree of randomness. Experiments are carried out to analyze the relationship between the resistance and the overhead using Advanced Encryption Standard (AES), Data Encryption Standard (DES), and Camellia. When the overhead constraints in terms of throughput, hardware resources, and energy are 5%, 35%, and 10% respectively, the double fault resistance can increase by two to four orders of magnitude (ranging from 824 to 10 149 for different algorithms).