Shivam Bhasin,Jingyu Pan,Fan Zhang

2018-01-01

Abstract:This works gives an overview of persistent fault attacks on block ciphers, a recently introduced fault analysis technique based on persistent faults. The fault typically targets stored constant of cryptographic algorithms over several encryption calls with a single injection. The underlying analysis technique statistically recovers the secret key and is capable of defeating several popular countermeasures by design.

Fan Zhang,Yiran Zhang,Huilong Jiang,Xiang Zhu,Shivam Bhasin,Xinjie Zhao,Zhe Liu,Dawu Gu,Kui Ren

DOI: https://doi.org/10.13154/tches.v2020.i2.172-195

2020-01-01

Abstract:Persistence fault analysis (PFA) is a novel fault analysis technique proposed in CHES 2018 and demonstrated with rowhammer-based fault injections. However, whether such analysis can be applied to traditional fault attack scenario, together with its difficulty in practice, has not been carefully investigated. For the first time, a persistent fault attack is conducted on an unprotected AES implemented on ATmega163L microcontroller in this paper. Several critical challenges are solved with our new improvements, including (1) how to decide whether the fault is injected in SBox; (2) how to use the maximum likelihood estimation to pursue the minimum number of ciphertexts; (3) how to utilize the unknown fault in SBox to extract the key. Our experiments show that: to break AES with physical laser injections despite all these challenges, the minimum and average number of required ciphertexts are 926 and 1641, respectively. It is about 38% and 28% reductions of the ciphertexts required in comparison to 1493 and 2273 in previous work where both fault value and location have to be known. Furthermore, our analysis is extended to the PRESENT cipher. By applying the persistent fault analysis to the penultimate round, the full PRESENT key of 80 bits can be recovered. Eventually, an experimental validation is performed to confirm the accuracy of our attack with more insights. This paper solves the challenges in most aspects of practice and also demonstrates the feasibility and universality of PFA on SPN block ciphers.

Fan Zhang,Xinjie Zhao,Wei He,Shivam Bhasin,Shize Guo

DOI: https://doi.org/10.1007/s11432-016-0233-0

2017-01-01

Science China Information Sciences

Abstract:>Fault analysis is a very powerful technique to break cryptographic implementations.In particular,bitlevel fault analysis(BLFA),where faults are injected by flipping one or a few isolated bits,are among the most efficient of the lot.BLFA requires both precise fault injection capabilities and sophisticated key extraction skills.Algebraic fault analysis(AFA)[1]is a good analysis technique for BLFA.Compared with differential fault analysis(DFA),AFA relies on the automation from machine solvers.Since it fully utilizes the leakages

Fan Zhang,Bolin Yang,Guorui Xu,Xiaoxuan Lou,Shivam Bhasin,Xinjie Zhao,Shize Guo,Kui Ren

2020-01-01

Abstract:Persistence is an intrinsic nature of many errors yet has not been caught enough attractions for years. In this chapter, the feature of persistence is applied to fault attacks (FAs), and the persistent FA is proposed. Different from traditional FAs, adversaries can prepare the fault injection stage before the encryption stage, which relaxes the constraint of the tight-coupled time synchronization. The persistent fault analysis (PFA) is elaborated on different implementations of AES-128, specially fault-hardened implementations based on dual modular redundancy (DMR). Our experimental results show that PFA is quite simple and efficient in breaking these typical implementations. To show the feasibility and practicability of our attack, a case study is illustrated on a few countermeasures of masking. This work puts forward a new direction of FAs and can be extended to attack other implementations under more interesting scenarios.

Xue Gong,Fan Zhang,Xinjie Zhao,Jie Xiao,Shize Guo

DOI: https://doi.org/10.1109/tifs.2024.3495234

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Persistent Fault Analysis (PFA) is a powerful analysis technique proposed in CHES 2018, which utilizes those faults that are injected before execution and persist throughout the encryption. However, when it is applied to the block cipher which has multiple S-boxes, the key can not be recovered in just one attack. The adversary has to conduct the fault attack several times and inject faults into all the distinct S-boxes. In this paper, we propose Key Schedule Guided Persistent Fault Attack (KGPFA), which utilizes the key schedule to guide the fault injection and fault analysis. By analyzing the key schedule, KGPFA exploits the relations between the key leakages caused by the same faulty S-box in various rounds. It can reduce the number of attacks and the number of faults required to recover the key. Our major contributions are twofold. Firstly, in the fault injection step, we provide Key Schedule Guided Persistent Fault Injection (KGPFI) strategies to reduce the number of attacks and the number of faults under the assumption of both ciphertext-only and known-plaintext attacks. Secondly, in the fault analysis step, as our target ciphers are Feistel-based, we propose the Ineffective Algebraic Persistent Fault Analysis (IAPFA) to extend the usage of Algebraic Persistent Fault Analysis (APFA) in the ineffective persistent fault setting. To demonstrate the effectiveness of our technique, we apply KGPFA to four widely used block ciphers with multiple S-boxes, DES, 3DES, LBlock, and Camellia. In our experiment, in the ciphertext-only attack, the key of DES can be recovered with 300 ineffective ciphertexts (coresponding to 827 ciphertexts) and four faulty S-boxes within 12.18min. Under the assumption of known-plaintext, the key of DES is recovered within two faulty S-boxes in 2.34h. For LBlock, the key is recovered with two faulty S-boxes and 100 ineffective ciphertexts (coresponding to 6211 ciphertexts) in 1.16min.

Xue Gong,Ao Shen,Tianxiang Feng,Guorui Xu,Shize Guo,Fan Zhang

DOI: https://doi.org/10.1016/j.vlsi.2024.102174

IF: 1.345

2024-01-01

Integration

Abstract:Cryptographic algorithms have been employed in a variety of fields as the primary method to protect information security. The security of a cryptographic algorithm is closely related to its operating environment and physical devices. Algebraic Persistent Fault Analysis (APFA) is a new fault analysis method for block ciphers proposed in CHES 2022, which utilizes the fault that persists in encryptions and introduces algebraic analysis in the fault analysis step. In the fault injection step, as the transistors of the integrated circuit are getting smaller and tighter, even high-precision devices may cause more than one fault per injection. However, more faults may lead to a more efficient attack in the fault analysis step. In this paper, APFA for double faults is proposed, which can deal with the double faults model and reduce the number of required ciphertexts. The practicality of our fault injection is validated by laser fault injection experiments on the SRAM embedded in an ATmega163L microcontroller. The effectiveness of our fault analysis is proven by successfully recovering the key of PRESENT-128 and AES-128. The number of ciphertexts needed for key recovery is reduced by 46% compared to PFA with a single fault.

Fan Zhang,Shize Guo,Xinjie Zhao,Tao Wang,Jian Yang,Francois-Xavier Standaert,Dawu Gu

DOI: https://doi.org/10.1109/tifs.2016.2516905

2019-01-01

Abstract:Algebraic fault analysis (AFA), which combines algebraic cryptanalysis with fault attacks, has represented serious threats to the security of lightweight block ciphers. Inspired by an earlier framework for the analysis of side-channel attacks presented at EUROCRYPT 2009, a new generic framework is proposed to analyze and evaluate algebraic fault attacks on lightweight block ciphers. We interpret AFA at three levels: 1) the target; 2) the adversary; and 3) the evaluator. We describe the capability of an adversary in four parts: 1) the fault injector; 2) the fault model describer; 3) the cipher describer; and 4) the machine solver. A formal fault model is provided to cover most of current fault attacks. Different strategies of building optimal equation set are also provided to accelerate the solving process. At the evaluator level, we consider the approximate information metric and the actual security metric. These metrics can be used to guide adversaries, cipher designers, and industrial engineers. To verify the feasibility of the proposed framework, we make a comprehensive study of AFA on an ultra-lightweight block cipher called LBlock. Three scenarios are exploited, which include injecting a fault to encryption, to key scheduling, or modifying the round number or counter. Our best results show that a single fault injection is enough to recover the master key of LBlock within the affordable complexity in each scenario. To verify the generic feature of the proposed framework, we apply AFA to three other block ciphers, i.e., Data Encryption Standard, PRESENT, and Twofish. The results demonstrate that our framework can be used for different ciphers with different structures.

Wei Xiong,Yanze Li,Changpeng Sun,Huanlin Luo,Jiafeng Liu,Jian Wang,Jinmei Lai,Gang Qu

DOI: https://doi.org/10.1145/3526241.3530317

2022-01-01

Abstract:Block RAMs (BRAMs) play an important role in modern heterogenous FPGAs, hence how to test them comprehensively and effectively becomes a major concern. On-chip Partial Bitstream Relocation (PBR) technique based on FPGA Dynamic Partial Reconfiguration (DPR) can decrease the time spent on configuring modules in FPGA while reducing the memory resources overhead for storing partial bitstreams of the reconfigurable modules. The previous PBR technique is difficult to be combined with BRAM test directly, because they are somehow tedious, unsuitable for large-scale design or limited to specific devices. Besides, the problem exists for BRAM testing is that fault model is still incomplete and testing algorithms need to be improved to achieve higher fault coverage. An Effective BRAM test method based on a novel PBR technique is proposed in this paper. Our test method establishes a complete fault model for BRAM and improves the testing algorithms for faults in BRAM ECC circuits and intra-word coupling faults in SRAM cells. On-board experiments are carried out with Xilinx xc7vx690t device, and 14 BRAM configurations are used to fully test BRAMs. In conjunction with the proposed PBR technique, the number of configurations can be reduced to 10, which leads to a 35.7% time saving.

Fan Zhang,Xiaofei Dong,Xinjie Zhao,Yidi Wang,Samiya Qureshi,Yiran Zhang,Xiaoxuan Lou,Yongkang Tang

DOI: https://doi.org/10.1109/MASS.2018.00056

2018-01-01

Abstract:This paper proposed an advanced round modification fault analysis (RMFA) at the theoretical level on AEGIS-128, which is one of seven finalists in CAESAR competition. First, we clarify our assumptions and simplifications on the attack model, focusing on the encryption security. Then, we emphasize the difficulty of applying vanilla RMFA to AEGIS-128 in the practical case. Finally we demonstrate our advanced fault analysis on AEGIS-128 using machine-solver based algebraic techniques. Our enhancement can be used to conquer the practical scenario which is difficult for vanilla RMFA. Simulation results show that when the fault is injected to the initialization phase and the number of rounds is reduced to one, two samples of injections can extract the whole 128 key bits within less than two hours. This work can also be extended to other versions such as AEGIS-256.

Fan Zhang,Bolin Yang,Shize Guo,Xinjie Zhao,Tao Wang,Francois-Xavier Standaert,Dawu Gu

DOI: https://doi.org/10.1007/978-3-030-11333-9_5

2019-01-01

Abstract:Algebraic fault analysis (AFA), which combines algebraic cryptanalysis with fault attacks, has represented serious threats to the security of lightweight block ciphers. Inspired by an earlier framework for the analysis of side-channel attacks presented at EUROCRYPT 2009, a new generic framework is proposed to analyze and evaluate algebraic fault attacks on lightweight block ciphers. We interpret AFA at three levels: the target, the adversary, and the evaluator. We describe the capability of an adversary in four parts: the fault injector, the fault model describer, the cipher describer, and the machine solver. A formal fault model is provided to cover most of the current fault attacks. Different strategies of building optimal equation set are also provided to accelerate the solving process. At the evaluator level, we consider the approximate information metric and the actual security metric. These metrics can be used to …

Nan Liao,Xiaoxin Cui,Tian Wang,Kai Liao,Yewen Ni,Dunshan Yu,Xiaole Cui

DOI: https://doi.org/10.1109/asicon.2015.7517030

2015-01-01

Abstract:Setup time variation fault attacks that aim straightly at the FPGA devices have become hot spots nowadays. A high-efficient and accurate fault model aiming at FPGA-based cryptographic applications is proposed in this paper. Multi-diagonal faults are considered in this paper, thus more exploitable faulty ciphertexts can be gathered compared with the previous model. Multi-fault analysis is introduced due to the existence of multi-fault injection, which guarantees the accuracy of the result. Experiment result shows that the fault model brings a significant increase up to 36.5% of the exploitable faults compared with the previous method. Within 24 pairs of correct and faulty ciphertexts, the complete round key can be retrieved by this model.

Zehong (Zephyr) Qiu,Fan Zhang

DOI: https://doi.org/10.46586/tches.v2023.i3.570-596

2023-01-01

Abstract:Algebraic Fault Analysis (AFA) is a cryptanalysis for block ciphers proposed by Courtois et al., which incorporates algebraic cryptanalysis to overcome the complexity of manual analysis within the context of Differential Fault Analysis (DFA). The effectiveness of AFA on lightweight block ciphers has been demonstrated. However, the complexity of the algebraic systems prevents it from attacking heavyweight block ciphers efficiently. In this paper, we propose a novel cryptanalysis called Redundancies-assisted Algebraic Fault Analysis (RAFA) to facilitate the solution of algebraic systems in the setting of heavyweight block ciphers. The core idea of RAFA is to expedite SAT solvers by modifying the algebraic systems, which is accomplished via two methods. The first method introduces redundant constraints, which is proposed for the first time in the context of algebraic cryptanalysis. The second one is a sophisticated linearization of the nonlinear Algebraic Normal Form (ANF). It takes RAFA for about 9.68 hours to attack AES-128. To the best of our knowledge, this is the first work that uses a general SAT solver to attack AES with only a single injection of byte-fault. Moreover, RAFA can attack AES-128 in 50.92 and 27.54 minutes for nibble- and bit-based fault model, respectively. In comparison, the traditional DFA algorithm implemented by pure C takes 4 ~ 5 hours under all three fault models investigated in this work. Moreover, in order to show the generality of RAFA, we also apply it to other heavyweight block ciphers. The best results show that RAFA could recover the key of Serpent-256 and SPEEDY-r-192 in 20.7 and 1.5 hours using only three faults, respectively. In comparison, AFA could not break these two ciphers even when 30 bits and 50 bits of their keys are known, respectively. Furthermore, no DFA work on Serpent or SPEEDY is known using comparable fault models.

Nan Liao,Xiaoxin Cui,Kai Liao,Tian Wang,Dunshan Yu,Xiaole Cui

DOI: https://doi.org/10.1007/s11432-016-0071-7

2016-01-01

Science China Information Sciences

Abstract:Differential fault analysis(DFA) aiming at the advanced encryption standard(AES) hardware implementations has become a widely research topic. Unlike theoretical model, in real attack scenarios, popular and practical fault injection methods like supply voltage variation will introduce faults with random locations,unknown values and multibyte. For analyzing this kind of faults, the previous fault model needed six pairs of correct and faulty ciphertexts to recover the secret round-key. In this paper, on the premise of accuracy, a more efficient DFA attack with unknown and random faults is proposed. We introduce the concept of theoretical candidate number in the fault analysis. Based on this concept, the correct round-key can be identified in advance, so the proposed attack method can always use the least pairs of correct and faulty ciphertexts to accomplish the DFA attacks. To further support our opinion, random fault attacks based on voltage violation were taken on an FPGA board. Experiment results showed that about 97.3% of the attacks can be completed within 3 pairs of correct and faulty ciphertexts. Moreover, on average only 2.17 pairs of correct and faulty ciphertexts were needed to find out the correct round-key, showing significant advantage of efficiency compared with previous fault models. On the other hand, less amount of computation in the analyses can be realized with a high probability with our model, which also effectively improves the time efficiency in DFA attacks with unknown and random faults.

Di Wang,Liji Wu,Xiangmin Zhang

DOI: https://doi.org/10.1049/el.2018.1153

2018-01-01

Electronics Letters

Abstract:In the security system, there is a lot of sensitive information, and the leakage of the secret key will cause security failure. In this Letter, combining the fault injection analysis of SM4 (Chinese block cipher algorithm standard), a key leakage Trojan payload circuit that requires only 4 XOR gates was designed and verified. By estimation, the area and power consumption is <1% of that in popular solutions. The scheme was successfully verified using FPGA. This Letter makes contribution to the defence for key-leakage type Trojan.

Yukun Cheng,Mengce Zheng,Fan Huang,Jiajia Zhang,Honggang Hu,Nenghai Yu

DOI: https://doi.org/10.1109/trustcom53373.2021.00086

2021-01-01

Abstract:Persistent Fault Attack (PFA) is a recently proposed Fault Attack (FA) method in CHES 2018. It is able to recover full AES secret key in the Single-Byte-Fault scenario. It is demonstrated that classical FA countermeasures, such as Dual Modular Redundancy (DMR) and mask protection, are unable to thwart PFA. In this paper, we propose a fast-detection and faultcorrection algorithm to prevent PFA. We construct a fixed input and output pair to detect faults rapidly. Then we build two extra redundant tables to store the relationship between the adjacent elements in the S-box, by which the algorithm can correct the faulty elements in the S-box. Our experimental results show that our algorithm can effectively prevent PFA in both Single-ByteFault and Multiple-Bytes-Faults scenarios. Compared with the classical FA countermeasures, our algorithm has a much better effect against PFA. Further, the time cost of our algorithm is 40% lower than the classical FA countermeasures.

Jun-Sheng Ng,Juncheng Chen,Si Wu,Nay Aung Kyaw,Kwen-Siong Chong,Zhiping Lin,Bah-Hwee Gwee

DOI: https://doi.org/10.1109/ISCAS46773.2023.10181344

2023-01-01

Abstract:We present a side-channel attack (SCA) resistant asynchronous-logic (async-logic) AES accelerator that integrates synchronous-logic (sync-logic) Block RAMs (BRAMs) in FPGA as the Substitution-Box. We successfully identify the timing requirements to integrate sync-logic BRAMs in our async-logic AES accelerator and validate our proposed AES accelerator on the Sakura-X FPGA board. With the integration of BRAMs, we improve the resource utilization on FPGA by 1.6x when compared to the state-of-the-art async-logic AES accelerator, while reducing the power overhead by 1.4x. We comprehensively evaluate the SCA resistance of our proposed async-logic AES accelerator with 11 attacking models in both time and frequency domains. Based on our evaluations, we show that our proposed async-logic AES accelerator is highly secure against SCA with 30 million EM traces. This is more than 6000x improvement when compared to the benchmark sync-logic AES accelerator and 1.5x improvement when compared to the state-of-the-art async-logic AES accelerator.

Hao Chen,Tao Wang,Fan Zhang,Xinjie Zhao,Wei He,Lumin Xu,Yunfei Ma

DOI: https://doi.org/10.1155/2017/8051728

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:HIGHT is a lightweight block cipher which has been adopted as a standard block cipher. In this paper, we present a bit-level algebraic fault analysis (AFA) of HIGHT, where the faults are perturbed by a stealthy HT. The fault model in our attack assumes that the adversary is able to insert a HT that flips a specific bit of a certain intermediate word of the cipher once the HT is activated. The HT is realized by merely 4 registers and with an extremely low activation rate of about 0.000025. We show that the optimal location for inserting the designed HT can be efficiently determined by AFA in advance. Finally, a method is proposed to represent the cipher and the injected faults with a merged set of algebraic equations and the master key can be recovered by solving the merged equation system with an SAT solver. Our attack, which fully recovers the secret master key of the cipher in 12572.26 seconds, requires three times of activation on the designed HT. To the best of our knowledge, this is the first Trojan attack on HIGHT.

Jayeeta Chaudhuri,Hassan Nassar,Dennis R.E. Gnad,Jorg Henkel,Mehdi B. Tahoori,Krishnendu Chakrabarty

2024-10-22

Abstract:FPGAs are now ubiquitous in cloud computing infrastructures and reconfigurable system-on-chip, particularly for AI acceleration. Major cloud service providers such as Amazon and Microsoft are increasingly incorporating FPGAs for specialized compute-intensive tasks within their data centers. The availability of FPGAs in cloud data centers has opened up new opportunities for users to improve application performance by implementing customizable hardware accelerators directly on the FPGA fabric. However, the virtualization and sharing of FPGA resources among multiple users open up new security risks and threats. We present a novel fault attack methodology capable of causing persistent fault injections in partial bitstreams during the process of FPGA reconfiguration. This attack leverages power-wasters and is timed to inject faults into bitstreams as they are being loaded onto the FPGA through the reconfiguration manager, without needing to remain active throughout the entire reconfiguration process. Our experiments, conducted on a Pynq FPGA setup, demonstrate the feasibility of this attack on various partial application bitstreams, such as a neural network accelerator unit and a signal processing accelerator unit.

Cryptography and Security

Zhang Fan,Zhao Xinjie,Guo Shize,Shen Jizhong,Huang Jing,Hu Zijie

DOI: https://doi.org/10.1109/cc.2015.7188531

2015-01-01

Abstract:PRINCE is a 64-bit lightweight block cipher with a 128-bit key published at ASIACRYPT 2012. Assuming one nibble fault is injected, previous different fault analysis (DFA) on PRINCE adopted the technique from DFA on AES and current results are different. This paper aims to make a comprehensive study of algebraic fault analysis (AFA) on PRINCE. How to build the equations for PRINCE and faults are explained. Extensive experiments are conducted. Under nibble-based fault model, AFA with three or four fault injections can succeed within 300 seconds with a very high probability. Under other fault models such as byte-based, half word-based, word-based fault models, the faults become overlapped in the last round and previous DFAs are difficult to work. Our results show that AFA can still succeed to recover the full master key. To evaluate security of PRINCE against fault attacks, we utilize AFA to calculate the reduced entropy of the secret key for given amount of fault injections. The results can interpret and compare the efficiency of previous work. Under nibble-based fault model, the master key of PRINCE can be reduced to 2 9.69 and 2 36.10 with 3 and 2 fault injections on average, respectively.

Xinjie Zhao,Fan Zhang,Shize Guo,Zheng Gong

DOI: https://doi.org/10.1007/s11432-017-9179-4

2018-01-01

Science China Information Sciences

Abstract:Dear editor, Fault analysis is a very powerful technique used to break cryptographic inplementations.In particular,bit-level fault attacks (BLFAs),where one or a few isolated bits are flipped to inject faults,are among the imost efficient of the lot.Because it requires both precise fault injection and sophisticated key extraction,a BLFA is very difficult to conduct in practice.However,if the underlying cryptographic hardware is maliciously modified,a BLFA can be easily achieved.This recent security threat is popularly known as a hardware Trojan horse (HTH) [1].An HTH is a byproduct of the very popular and economically necessary outsourcing trend in the semiconductor industry.A well-designed HTH can precisely inject any type of bit-level fault.The corresponding attack is called a hardware-Trojan-based bit-level fault attack (HTH-BLFA).