Liu Leibo,Wang Bo,Zhu Min,Zhou Zhuoquan,Yin Shouyi,Wei Shaojun

2015-01-01

Abstract:The invention relates to a design method of randomized anti-fault-attack measures for reconfigurable array architecture. The method comprises the steps that firstly, the reconfigurable array architecture is provided, and a specific mapped data flow diagram of an encryption algorithm is obtained; secondly, expense ratio constraint conditions and anti-fault-attack capacity are preset; thirdly, expense generated in executing the encryption algorithm is calculated; fourthly, the sensitive point distribution, time search range and space search range of the encryption algorithm are determined; fifthly, time randomness and space randomness are preset, and corresponding sensitive point distribution, a corresponding time search range and a corresponding space search range are determined; sixthly, anti-fault-attack capacity is calculated and matched with the preset anti-fault-attack capacity; seventhly, an actual extra expense ratio is determined, and the preset time randomness and space randomness are adjusted to be matched with the preset expense ratio constraint conditions. The method can provide the basis for designing the randomized anti-fault-attack measures and effectively improve security.

Bo Wang,Leibo Liu,Chenchen Deng,Min Zhu,Shouyi Yin,Shaojun Wei

DOI: https://doi.org/10.1109/tifs.2016.2518130

IF: 7.231

2016-01-01

IEEE Transactions on Information Forensics and Security

Abstract:With the increasing accuracy of fault injections, it has become possible to inject two faults into specific circuit regions precisely at a certain time. Unfortunately, most existing fault attack countermeasures are based on the single fault assumption, and it is, therefore, very difficult to resist double fault attacks. Reconfigurable array architecture (RAA) has the ability to introduce spatial and time randomness by dynamic reconfiguration, which can alleviate the threat of double fault attacks. This paper, for the first time, analyzes the double fault attack issues in the fault injection phase systematically. An evaluation model, named injection effort model (IEM), is proposed to quantify the efforts of a successful fault injection. In IEM, the real injection process is described mathematically using the probability method, so that a theoretical basis can be provided for the corresponding countermeasure design. Based on the concept of spatial and time randomization, three countermeasures are implemented on RAA for the purpose of decreasing the implementation overhead under the premise of ensuring the security. When these countermeasures are adopted, tradeoffs can be made between the double fault resistance and the extra overhead through changing the degree of randomness. Experiments are carried out to analyze the relationship between the resistance and the overhead using Advanced Encryption Standard (AES), Data Encryption Standard (DES), and Camellia. When the overhead constraints in terms of throughput, hardware resources, and energy are 5%, 35%, and 10% respectively, the double fault resistance can increase by two to four orders of magnitude (ranging from 824 to 10 149 for different algorithms).

Kang Sun,Lingdi Ping,Jiebing Wang,Zugen Liu,Xuezeng Pan

DOI: https://doi.org/10.1109/imsccs.2006.208

2006-01-01

Abstract:Cryptographic algorithms are usually compute-intensive and more efficiently implemented in hardware than in software. By taking advantage of FPGA technology, some work offers high performance and flexible solutions for cryptographic algorithms. But FPGAs still have some drawbacks. To overcome inherent shortages of FPGA, a novel asynchronous reconfigurable cryptographic engine (ARCEN) is introduced. In this architecture, reconfigurable cryptographic array is the kernel. It routes signals asynchronously between adjacent cells through Neighbor-to-Neighbor wires with 4-phase handshaking protocol. Computation circuit for reconfigurable cell is developed with modified DSDCVS logic. Experiment results show that the architecture has a better performance than FPGA.

Fan Zhang,Shize Guo,Xinjie Zhao,Tao Wang,Jian Yang,Francois-Xavier Standaert,Dawu Gu

DOI: https://doi.org/10.1109/tifs.2016.2516905

2019-01-01

Abstract:Algebraic fault analysis (AFA), which combines algebraic cryptanalysis with fault attacks, has represented serious threats to the security of lightweight block ciphers. Inspired by an earlier framework for the analysis of side-channel attacks presented at EUROCRYPT 2009, a new generic framework is proposed to analyze and evaluate algebraic fault attacks on lightweight block ciphers. We interpret AFA at three levels: 1) the target; 2) the adversary; and 3) the evaluator. We describe the capability of an adversary in four parts: 1) the fault injector; 2) the fault model describer; 3) the cipher describer; and 4) the machine solver. A formal fault model is provided to cover most of current fault attacks. Different strategies of building optimal equation set are also provided to accelerate the solving process. At the evaluator level, we consider the approximate information metric and the actual security metric. These metrics can be used to guide adversaries, cipher designers, and industrial engineers. To verify the feasibility of the proposed framework, we make a comprehensive study of AFA on an ultra-lightweight block cipher called LBlock. Three scenarios are exploited, which include injecting a fault to encryption, to key scheduling, or modifying the round number or counter. Our best results show that a single fault injection is enough to recover the master key of LBlock within the affordable complexity in each scenario. To verify the generic feature of the proposed framework, we apply AFA to three other block ciphers, i.e., Data Encryption Standard, PRESENT, and Twofish. The results demonstrate that our framework can be used for different ciphers with different structures.

Xue Gong,Ao Shen,Tianxiang Feng,Guorui Xu,Shize Guo,Fan Zhang

DOI: https://doi.org/10.1016/j.vlsi.2024.102174

IF: 1.345

2024-01-01

Integration

Abstract:Cryptographic algorithms have been employed in a variety of fields as the primary method to protect information security. The security of a cryptographic algorithm is closely related to its operating environment and physical devices. Algebraic Persistent Fault Analysis (APFA) is a new fault analysis method for block ciphers proposed in CHES 2022, which utilizes the fault that persists in encryptions and introduces algebraic analysis in the fault analysis step. In the fault injection step, as the transistors of the integrated circuit are getting smaller and tighter, even high-precision devices may cause more than one fault per injection. However, more faults may lead to a more efficient attack in the fault analysis step. In this paper, APFA for double faults is proposed, which can deal with the double faults model and reduce the number of required ciphertexts. The practicality of our fault injection is validated by laser fault injection experiments on the SRAM embedded in an ATmega163L microcontroller. The effectiveness of our fault analysis is proven by successfully recovering the key of PRESENT-128 and AES-128. The number of ciphertexts needed for key recovery is reduced by 46% compared to PFA with a single fault.

Fan Zhang,Xinjie Zhao,Wei He,Shivam Bhasin,Shize Guo

DOI: https://doi.org/10.1007/s11432-016-0233-0

2017-01-01

Science China Information Sciences

Abstract:>Fault analysis is a very powerful technique to break cryptographic implementations.In particular,bitlevel fault analysis(BLFA),where faults are injected by flipping one or a few isolated bits,are among the most efficient of the lot.BLFA requires both precise fault injection capabilities and sophisticated key extraction skills.Algebraic fault analysis(AFA)[1]is a good analysis technique for BLFA.Compared with differential fault analysis(DFA),AFA relies on the automation from machine solvers.Since it fully utilizes the leakages

Hao Chen,Tao Wang,Xinjie Zhao,Fan Zhang,Yunfei Ma,Xiaohan Wang

DOI: https://doi.org/10.13232/j.cnki.jnju.2017.06.016

2017-01-01

Abstract:HIGHT is built by using ARX(addition modulo 2n,bit rotation and XOR)structure,which is suitable for resource-constrained environment such as Radio Frequency Identification(RFID)tag or ubiquitous computing system and it has been adopted as a standard block cipher by Telecommunications Technology Association(TTA)of Korea and ISO/IEC 18033-3.Since the accurate location of the injected fault cannot be successfully determined when fault failures are occurred,the success rate of the existing algebraic fault attack on HIGHT is always less than 100%.To improve the success rate and efficiency,a fault tolerant algebraic fault attack is proposed in this paper.Firstly,fault failures and its properties are studied and a complete distinguisher based on fault failures,fault locations and cipher differences for determining the accurate fault locations in all different scenarios is built.Then,HIGHT is described as a set of algebraic equations.The faulty ciphertext is generated via fault injections and fault differences are represented with algebraic equations.To make maximum use of the injected faults,fault failures are also described as a set of algebraic equations.In the meantime,the procedure of constructing algebraic equations for the inj ected faults is optimized to perform automatically to further make the attack easy to launch.Finally,the CryptoMiniSAT solver is applied to solve the equations for the key and the number of fault injections that required and success rate of the proposed attack are analyzed in theory.The simulation experiments show that compared with the existing algebraic fault attack on HIGHT,the success rate of the proposed attack has been improved to 100% and the method of con-structing algebraic equations for the injected faults is easier and can be performed automatically,the entire mater key bytes can be fully recovered in a rather smaller time by solving the algebraic equations with the CryptoMiniSAT solver,and the proposed attack can be easily extended to other cipher which has the similar structure.

Fan Zhang,Bolin Yang,Shize Guo,Xinjie Zhao,Tao Wang,Francois-Xavier Standaert,Dawu Gu

DOI: https://doi.org/10.1007/978-3-030-11333-9_5

2019-01-01

Abstract:Algebraic fault analysis (AFA), which combines algebraic cryptanalysis with fault attacks, has represented serious threats to the security of lightweight block ciphers. Inspired by an earlier framework for the analysis of side-channel attacks presented at EUROCRYPT 2009, a new generic framework is proposed to analyze and evaluate algebraic fault attacks on lightweight block ciphers. We interpret AFA at three levels: the target, the adversary, and the evaluator. We describe the capability of an adversary in four parts: the fault injector, the fault model describer, the cipher describer, and the machine solver. A formal fault model is provided to cover most of the current fault attacks. Different strategies of building optimal equation set are also provided to accelerate the solving process. At the evaluator level, we consider the approximate information metric and the actual security metric. These metrics can be used to …

Jianwei Yang,Jun Han,Fan Dai,Weizhen Wang,Xiaoyang Zeng

DOI: https://doi.org/10.1109/tvlsi.2020.2971636

2020-01-01

IEEE Transactions on Very Large Scale Integration (VLSI) Systems

Abstract:Aimed at improving the resistance against power analysis attacks, a systematic and architectural design approach for multicore processors is proposed in this article and is demonstrated in an eight-core prototype platform with low performance overhead and hardware cost. In order to introduce randomness in both the time dimension and the amplitude dimension and make realignment extremely difficult, the proposed multicore platform leverages several methods together, such as random task scheduling (RTS), random insertion of operations (RIO), and frequency and phase randomization (FPR). Moreover, a power state monitoring and control (PSMC) scheme is proposed to defend against power analysis attacks by keeping enough background noises. A test chip of the proposed multicore processor is fabricated in Taiwan Semiconductor Manufacturing Company (TSMC) 65-nm CMOS LP technology and can operate at up to 800 MHz with a 1.2-V supply. The Advanced Encryption Standard (AES) algorithm with these randomization methods is implemented on the processor. Measurement results show that the correlation power analysis (CPA) attacks and the power analysis attacks based on convolutional neural networks (CNNs) are unsuccessful even with 2 000 000 power traces when all the countermeasures are used.

Leibo Liu,Bo Wang,Shaojun Wei

DOI: https://doi.org/10.1007/978-981-10-8899-5_6

2018-01-01

Abstract:The physical attack countermeasures for reconfigurable cryptographic processors are mainly achieved in two ways. One way is to implement all the universal countermeasures to the reconfigurable architecture. Another way is to develop new countermeasures by using the characteristics of the reconfigurable computing. Traditional universal countermeasures do not take full advantage of the characteristics of reconfigurable computing and result in significant performance, area, and power overhead. In addition, new threatening attack methods such as the local electromagnetic attack with the attack precision of gate level, multiple fault attack which can introduce more than one fault in a single execution, and attacks based on ultra-low frequency (kHz level for instance) acoustic or electromagnetic signal continue to emerge. Various existing traditional countermeasures cannot be used to effectively resist these …

Shivam Bhasin,Jingyu Pan,Fan Zhang

2018-01-01

Abstract:This works gives an overview of persistent fault attacks on block ciphers, a recently introduced fault analysis technique based on persistent faults. The fault typically targets stored constant of cryptographic algorithms over several encryption calls with a single injection. The underlying analysis technique statistically recovers the secret key and is capable of defeating several popular countermeasures by design.

Lifeng Hu,Fan Zhang,Ziyuan Liang,Ruyi Ding,Xingyu Cai,Zonghui Wang,Wenguang Jin

DOI: https://doi.org/10.1016/j.cose.2022.103003

IF: 5.105

2023-01-01

Computers & Security

Abstract:With the rise of the concept of Trusted Execution Environments (TEEs), such as Intel Software Guard Extensions (SGX), researchers are prompted to constantly verify its effectiveness. Controlled-channel attacks are proposed to construct side channels against the shielding systems by intentionally provoking page faults. So far, various powerful and noise-free controlled-channel attacks have been introduced. However, there are some challenges encountered in the actual practice of these attacks, e.g., extensive manual effort is always required to analyze the target binary and identify conditional control-flow patterns. In this paper, we present FaultMorse, an automated controlled-channel attack. We adopt a global perspective to analyze the page fault sequence and find a specific recurring pattern that corresponds to some specific instructions in the program. Most of the secret bits can be automatically deduced by analyzing the locations of the recurring pattern in the page fault sequence. Compared to previous works, FaultMorse can reduce the complexity of analysis. We propose a method to control page fault counts to improve the attack performance. We implement our FaultMorse attack on a physical machine and evaluate its effectiveness, universality, and page-fault rate. The experimental results show that for some known vulnerable algorithms, FaultMorse can automatically deduce more than 99% of the secret bits. (C) 2022 Elsevier Ltd. All rights reserved.

Fan Zhang,Xiaofei Dong,Xinjie Zhao,Yidi Wang,Samiya Qureshi,Yiran Zhang,Xiaoxuan Lou,Yongkang Tang

DOI: https://doi.org/10.1109/MASS.2018.00056

2018-01-01

Abstract:This paper proposed an advanced round modification fault analysis (RMFA) at the theoretical level on AEGIS-128, which is one of seven finalists in CAESAR competition. First, we clarify our assumptions and simplifications on the attack model, focusing on the encryption security. Then, we emphasize the difficulty of applying vanilla RMFA to AEGIS-128 in the practical case. Finally we demonstrate our advanced fault analysis on AEGIS-128 using machine-solver based algebraic techniques. Our enhancement can be used to conquer the practical scenario which is difficult for vanilla RMFA. Simulation results show that when the fault is injected to the initialization phase and the number of rounds is reduced to one, two samples of injections can extract the whole 128 key bits within less than two hours. This work can also be extended to other versions such as AEGIS-256.

Xun Zhan,Tao Zheng,Shixiang Gao

DOI: https://doi.org/10.1109/sere-c.2014.28

2014-01-01

Abstract:Code reuse attacks such as return-oriented programming, one of the most powerful threats to software system, rely on the absolute address of instructions. Therefore, address space randomization should be an effective defending method. However, current randomization techniques either are lack of enough entropy or have significant time or space overhead. In this paper, we present a novel fine-grained randomization technique at basic block level. In contrast to previous work, our technique dealt with critical technical challenges including indirect branches, callbacks and position independent codes properly at least cost. We implement an efficient prototype randomization system which supports Linux ELF file format and x86 architecture. Our evaluation demonstrated that it can defend ROP attacks with tiny performance overhead (4% on average) successfully.

Liu Leibo,Wang Bo,Zhu Min,Zhou Zhuoquan,Yin Shouyi,Wei Shaojun

2015-01-01

Abstract:The invention discloses an anti-failure injection attacking method and device for the interchange of the input and the output of registers. The anti-failure injection attacking method for the interchange of the input and output of registers comprises the following steps: S1, obtaining a first maximum data width required when an encryption algorithm is operated on the target integrated circuit; S2, obtaining a second maximum data width required when an encryption algorithm is operated on the target integrated circuit according to the first maximum data width; S3, grouping a plurality of registers required to be subjected to the interchange of input and output according to the second maximum data width; S4, modifying a plurality of circuits at the registers in each group; S5, confirming the control number of circuits subjected to data selection at the register circuits of each group; S6, confirming the data selecting rules of the circuits at the registers in each group according to the control number. Through the adoption of the anti-failure injection attacking method, the registers for storing the data of the encryption algorithm are not fixed, so that the possibility of successfully injecting failures into circuits is lowered, and the safety of the circuits is improved.

Leibo Liu,Bo Wang,Shaojun Wei

DOI: https://doi.org/10.1007/978-981-10-8899-5

2018-01-01

Abstract:The present invention discloses a reconfigurable cryptographic processor. The reconfigurable cryptographic processor is characterized by comprising: a configuration module, for acquiring and assigning a configuration parameter; a transmission module, for transmitting to-be-processed data according to the assigned configuration parameter; a processing module, for obtaining processed data and transmitting the processed data to the transmission module to output, wherein the processing module comprises an array operation cache for storing intermediate data and interaction data; a reconfigurable array, for realizing the operation, wherein each reconfigurable unit has a token driver enabling end for token enabling; and an asynchronous driver enabling network, for obtaining a token enabling network according to the assigned configuration parameter to provide a data jumping and transmission mode of the operation and to complete driving of the reconfigurable array, so as to control the reconfigurable cryptographic processor to enter into a corresponding working mode. According to the reconfigurable cryptographic processor provided by the embodiment of the present invention, the driver execution process is enabled by using the token, so that flexibility and execution performance are improved, power consumption is reduced, and security and reliability are better ensured.

Ying Li,Lan Chen,Jian Wang,Guanfei Gong

DOI: https://doi.org/10.1109/host54066.2022.9840090

2022-01-01

Abstract:Embedded memory are important components in system-on-chip, which may be crippled by aging and wear faults or Hardware Trojan attacks to compromise run-time security. The current built-in self-test and pre-silicon verification lack efficiency and flexibility to solve this problem. To this end, we address such vulnerabilities by proposing a run-time memory security detecting framework in this paper. The solution builds mainly upon a centralized security detection controller for partially reconfigurable inspection content, and a static memory wrapper to handle access conflicts and buffering testing cells. We show that a field programmable gate array prototype of the proposed framework can pursue 16 memory faults and 3 types Hardware Trojans detection with one reconfigurable partition, whereas saves 12.7% area and 2.9% power overhead compared to a static implementation. This architecture has more scalable capability with little impact on the memory accessing throughput of the original chip system in run-time detection.

Nan Liao,Xiaoxin Cui,Tian Wang,Kai Liao,Dunshan Yu,Xiaole Cui

DOI: https://doi.org/10.1109/cstic.2016.7464078

2016-01-01

Abstract:Random fault attacks against Advanced Encryption Standard (AES) hardware implementation are widely researched. In the previous fault analysis, 6 rounds of attacks are required to recover the correct round-key, which is not efficient enough for extensive analysis. In this paper, a more efficient fault model is proposed. Based on the analysis of theoretical key candidate number, the proposed attack method can complete the analysis as few as 3 rounds. Experiment results shows that nearly 90% of the attacks recover the correct round-key with 3 rounds and in average only 3.125 rounds are required with our proposed attack method.

Jiyuan Bai,Xiang Wang,Zifeng Zhao,Zikang Zhang,Chang Cai,Gengsheng Chen

DOI: https://doi.org/10.1016/j.microrel.2023.115311

IF: 1.6

2024-01-01

Microelectronics Reliability

Abstract:Fault tolerance is crucial for mission-critical FPGA-based systems in radiation environments. Soft-core processors in these systems, performing both control and computational tasks, require efficient soft error mitigation techniques to enhance their fault tolerance. In this paper, we investigate the variation trends in the fault tolerance of various processor components as the software workload changes. Based on our investigation, we propose a reconfigurable soft error mitigation framework that dynamically switches the hardening strategies for the processor according to the running workloads. The innovative application of dynamic partial reconfiguration technique in FPGAs enables time-multiplexing of the same circuit region to accommodate various hardening schemes, consequently achieving high area efficiency. We apply the framework to an open-source dual-issue superscalar RISC-V processor on a Xilinx ZCU102 FPGA board. Compared to traditional spatial redundancy-based hardening techniques, the proposed framework achieves a 20.84 % reduction in LUT utilization and a 20.53 % reduction in flip-flop utilization. The effectiveness of our framework has been evaluated through fault injection campaigns. The results indicate that, on average, only 0.05 % of faults would lead to system failure after hardening. Therefore, our work offers a new perspective on dynamic soft error mitigation in reconfigurable systems.

Bo Wang,Leibo Liu,Chenchen Deng,Min Zhu,Shouyi Yin,Zhuoquan Zhou,Shaojun Wei

DOI: https://doi.org/10.1109/tifs.2016.2612638

IF: 7.231

2017-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Traditional detection countermeasures against fault attacks have been criticized as insecure because of the fragile comparison operation that can be maliciously bypassed. In order to avoid the comparison, infection countermeasures have been designed to confuse the faulty ciphertexts so that the output cannot be further explored. This paper presents an infection method that resists fault attacks using the existing Benes network module in high-performance crypto processors. The Benes network is originally used to accelerate permutation operations in block ciphers. The hamming weight of the differential results is balanced by modifying specific network switches, without changing the network topology. A further confusion is performed to destroy the determinacy by configuring part of the network with a random bit-stream. Furthermore, a statistical evaluation method is presented to quantitatively verify the proposed countermeasure in addition to a formal proof of security. This also provides a new concept for the evaluation of future random-enhanced infection methods. Experiments are carried out using Advanced Encryption Standard (AES), triple Data Encryption Standard (DES), and Camellia as examples. Under statistical evaluation, the results show that the proposed countermeasure improves the fault resistance by over four orders of magnitude compared with the unprotected case. Also, the performance and the area overhead are within 10% compared with the original Benes network.