Fan Zhang,Shize Guo,Xinjie Zhao,Tao Wang,Jian Yang,Francois-Xavier Standaert,Dawu Gu

DOI: https://doi.org/10.1109/tifs.2016.2516905

2019-01-01

Abstract:Algebraic fault analysis (AFA), which combines algebraic cryptanalysis with fault attacks, has represented serious threats to the security of lightweight block ciphers. Inspired by an earlier framework for the analysis of side-channel attacks presented at EUROCRYPT 2009, a new generic framework is proposed to analyze and evaluate algebraic fault attacks on lightweight block ciphers. We interpret AFA at three levels: 1) the target; 2) the adversary; and 3) the evaluator. We describe the capability of an adversary in four parts: 1) the fault injector; 2) the fault model describer; 3) the cipher describer; and 4) the machine solver. A formal fault model is provided to cover most of current fault attacks. Different strategies of building optimal equation set are also provided to accelerate the solving process. At the evaluator level, we consider the approximate information metric and the actual security metric. These metrics can be used to guide adversaries, cipher designers, and industrial engineers. To verify the feasibility of the proposed framework, we make a comprehensive study of AFA on an ultra-lightweight block cipher called LBlock. Three scenarios are exploited, which include injecting a fault to encryption, to key scheduling, or modifying the round number or counter. Our best results show that a single fault injection is enough to recover the master key of LBlock within the affordable complexity in each scenario. To verify the generic feature of the proposed framework, we apply AFA to three other block ciphers, i.e., Data Encryption Standard, PRESENT, and Twofish. The results demonstrate that our framework can be used for different ciphers with different structures.

Fan Zhang,Bolin Yang,Shize Guo,Xinjie Zhao,Tao Wang,Francois-Xavier Standaert,Dawu Gu

DOI: https://doi.org/10.1007/978-3-030-11333-9_5

2019-01-01

Abstract:Algebraic fault analysis (AFA), which combines algebraic cryptanalysis with fault attacks, has represented serious threats to the security of lightweight block ciphers. Inspired by an earlier framework for the analysis of side-channel attacks presented at EUROCRYPT 2009, a new generic framework is proposed to analyze and evaluate algebraic fault attacks on lightweight block ciphers. We interpret AFA at three levels: the target, the adversary, and the evaluator. We describe the capability of an adversary in four parts: the fault injector, the fault model describer, the cipher describer, and the machine solver. A formal fault model is provided to cover most of the current fault attacks. Different strategies of building optimal equation set are also provided to accelerate the solving process. At the evaluator level, we consider the approximate information metric and the actual security metric. These metrics can be used to …

Shivam Bhasin,Jingyu Pan,Fan Zhang

2018-01-01

Abstract:This works gives an overview of persistent fault attacks on block ciphers, a recently introduced fault analysis technique based on persistent faults. The fault typically targets stored constant of cryptographic algorithms over several encryption calls with a single injection. The underlying analysis technique statistically recovers the secret key and is capable of defeating several popular countermeasures by design.

Xue Gong,Ao Shen,Tianxiang Feng,Guorui Xu,Shize Guo,Fan Zhang

DOI: https://doi.org/10.1016/j.vlsi.2024.102174

IF: 1.345

2024-01-01

Integration

Abstract:Cryptographic algorithms have been employed in a variety of fields as the primary method to protect information security. The security of a cryptographic algorithm is closely related to its operating environment and physical devices. Algebraic Persistent Fault Analysis (APFA) is a new fault analysis method for block ciphers proposed in CHES 2022, which utilizes the fault that persists in encryptions and introduces algebraic analysis in the fault analysis step. In the fault injection step, as the transistors of the integrated circuit are getting smaller and tighter, even high-precision devices may cause more than one fault per injection. However, more faults may lead to a more efficient attack in the fault analysis step. In this paper, APFA for double faults is proposed, which can deal with the double faults model and reduce the number of required ciphertexts. The practicality of our fault injection is validated by laser fault injection experiments on the SRAM embedded in an ATmega163L microcontroller. The effectiveness of our fault analysis is proven by successfully recovering the key of PRESENT-128 and AES-128. The number of ciphertexts needed for key recovery is reduced by 46% compared to PFA with a single fault.

Nan Liao,Xiaoxin Cui,Kai Liao,Tian Wang,Dunshan Yu,Xiaole Cui

DOI: https://doi.org/10.1007/s11432-016-0071-7

2016-01-01

Science China Information Sciences

Abstract:Differential fault analysis(DFA) aiming at the advanced encryption standard(AES) hardware implementations has become a widely research topic. Unlike theoretical model, in real attack scenarios, popular and practical fault injection methods like supply voltage variation will introduce faults with random locations,unknown values and multibyte. For analyzing this kind of faults, the previous fault model needed six pairs of correct and faulty ciphertexts to recover the secret round-key. In this paper, on the premise of accuracy, a more efficient DFA attack with unknown and random faults is proposed. We introduce the concept of theoretical candidate number in the fault analysis. Based on this concept, the correct round-key can be identified in advance, so the proposed attack method can always use the least pairs of correct and faulty ciphertexts to accomplish the DFA attacks. To further support our opinion, random fault attacks based on voltage violation were taken on an FPGA board. Experiment results showed that about 97.3% of the attacks can be completed within 3 pairs of correct and faulty ciphertexts. Moreover, on average only 2.17 pairs of correct and faulty ciphertexts were needed to find out the correct round-key, showing significant advantage of efficiency compared with previous fault models. On the other hand, less amount of computation in the analyses can be realized with a high probability with our model, which also effectively improves the time efficiency in DFA attacks with unknown and random faults.

Fan Zhang,Xinjie Zhao,Wei He,Shivam Bhasin,Shize Guo

DOI: https://doi.org/10.1007/s11432-016-0233-0

2017-01-01

Science China Information Sciences

Abstract:>Fault analysis is a very powerful technique to break cryptographic implementations.In particular,bitlevel fault analysis(BLFA),where faults are injected by flipping one or a few isolated bits,are among the most efficient of the lot.BLFA requires both precise fault injection capabilities and sophisticated key extraction skills.Algebraic fault analysis(AFA)[1]is a good analysis technique for BLFA.Compared with differential fault analysis(DFA),AFA relies on the automation from machine solvers.Since it fully utilizes the leakages

Nan Liao,Xiaoxin Cui,Tian Wang,Kai Liao,Dunshan Yu,Xiaole Cui

DOI: https://doi.org/10.1109/cstic.2016.7464078

2016-01-01

Abstract:Random fault attacks against Advanced Encryption Standard (AES) hardware implementation are widely researched. In the previous fault analysis, 6 rounds of attacks are required to recover the correct round-key, which is not efficient enough for extensive analysis. In this paper, a more efficient fault model is proposed. Based on the analysis of theoretical key candidate number, the proposed attack method can complete the analysis as few as 3 rounds. Experiment results shows that nearly 90% of the attacks recover the correct round-key with 3 rounds and in average only 3.125 rounds are required with our proposed attack method.

Ni Yewen,Cui Xiaoxin,Wang Tian,Fan Yuanning,Han Qiankun,Liu Kefei,Cui Xiaole

DOI: https://doi.org/10.1109/ASICON.2017.8252468

2017-01-01

Abstract:The traditional random multi-byte fault model in AES fault attack only uses the faulty ciphertexts with diagonal-fault distributions to implement differential fault analysis. When there are not enough exploitable faulty ciphertexts, the round key could not be confirmed directly, and a comparatively large search space is still left for brute-force attack. In this paper, an improved differential fault analysis (DFA) using all-fault ciphertexts on AES was proposed. The all-fault ciphertexts could be used to optimize the selection of the brute-force space, which is helpful to recover the secret key quickly and improves the analysis efficiency. The experiment result demonstrated that by applying the DFA with all-fault ciphertexts, the time consumed on the brute-force attack can be reduced 60.81% on average, which significantly accelerated the process of cracking AES.

Yixia Liu,Xiaoxin Cui,Jian Cao,Xing Zhang

DOI: https://doi.org/10.1109/ASICON.2017.8252593

2017-01-01

Abstract:In this paper, a hybrid model is proposed to improve availability of ciphertext for differential fault attack (DFA) against AES. This model combines the fault models of the encryption process with the key schedule process. In the actual attack scenarios, we can use the pairs of correct and fault ciphertexts to match a variety of models, such as single-byte fault model, multi-byte fault model and two-line fault model at the same time. Theoretically, the fault attack based on this hybrid model can improve the attack efficiency by almost 50%. The experiment results show that using 2 pairs of correct and faulty diagonal ciphertext and 4 pairs of correct and faulty two-line ciphertexts can recover the entire AES-128 key, and the computational complexity is only 2(16) x 3+2(8) ML x 12, which is lower than any one type of the fault model.

Zehong (Zephyr) Qiu,Fan Zhang

DOI: https://doi.org/10.46586/tches.v2023.i3.570-596

2023-01-01

Abstract:Algebraic Fault Analysis (AFA) is a cryptanalysis for block ciphers proposed by Courtois et al., which incorporates algebraic cryptanalysis to overcome the complexity of manual analysis within the context of Differential Fault Analysis (DFA). The effectiveness of AFA on lightweight block ciphers has been demonstrated. However, the complexity of the algebraic systems prevents it from attacking heavyweight block ciphers efficiently. In this paper, we propose a novel cryptanalysis called Redundancies-assisted Algebraic Fault Analysis (RAFA) to facilitate the solution of algebraic systems in the setting of heavyweight block ciphers. The core idea of RAFA is to expedite SAT solvers by modifying the algebraic systems, which is accomplished via two methods. The first method introduces redundant constraints, which is proposed for the first time in the context of algebraic cryptanalysis. The second one is a sophisticated linearization of the nonlinear Algebraic Normal Form (ANF). It takes RAFA for about 9.68 hours to attack AES-128. To the best of our knowledge, this is the first work that uses a general SAT solver to attack AES with only a single injection of byte-fault. Moreover, RAFA can attack AES-128 in 50.92 and 27.54 minutes for nibble- and bit-based fault model, respectively. In comparison, the traditional DFA algorithm implemented by pure C takes 4 ~ 5 hours under all three fault models investigated in this work. Moreover, in order to show the generality of RAFA, we also apply it to other heavyweight block ciphers. The best results show that RAFA could recover the key of Serpent-256 and SPEEDY-r-192 in 20.7 and 1.5 hours using only three faults, respectively. In comparison, AFA could not break these two ciphers even when 30 bits and 50 bits of their keys are known, respectively. Furthermore, no DFA work on Serpent or SPEEDY is known using comparable fault models.

Fan Zhang,Xinjie Zhao,Shize Guo,Tao Wang,Zhijie Shi

DOI: https://doi.org/10.1007/978-3-642-40026-1_5

2013-01-01

Abstract:This paper proposes some techniques to improve algebraic fault analysis (AFA). First, we show that building the equation set for the decryption of a cipher can accelerate the solving procedure. Second, we propose a method to represent the injected faults with algebraic equations when the accurate fault location is unknown. We take Piccolo as an example to illustrate our AFA and compare it with differential fault analysis (DFA). Only one fault injection is required to break Piccolo with the improved AFA. Finally, we extend the proposed AFA to other lightweight block ciphers, such as MIBS, LED, and DES. For the first time, the full secret key of DES can be recovered with only a single fault injection.

孙维东,俞军,沈磊

DOI: https://doi.org/10.15943/j.cnki.fdxb-jns.2013.03.003

2013-01-01

Abstract:The ability of symmetric encryption algorithm AES and DES against the differential fault analysis is examined.Two kinds of differential fault analysis on AES are described,and the initial key is recovered by software emulation.The result shows that the attack on AES can be realized by 20 times of fault-inductions.Then a new differential fault analysis on DES is described.The principle of this attack is analogous to differential fault analysis on AES.Result shows that attack on DES needs more fault-inductions.Therefore symmetric encryption algorithm AES and DES without any protection are vulnerable to differential fault analysis.It is presented that such attacks can be resisted by fault-detection.

Qingyuan Yu,Xiaoyang Dong,Lingyue Qin,Yongze Kang,Keting Jia,Xiaoyun Wang,Guoyan Zhang

DOI: https://doi.org/10.46586/tches.v2023.i4.1-31

2023-01-01

IACR Transactions on Cryptographic Hardware and Embedded Systems

Abstract:Fault analysis is a powerful technique to retrieve secret keys by exploiting side-channel information. Differential fault analysis (DFA) is one of the most powerful threats utilizing differential information between correct and faulty ciphertexts and can recover keys for symmetric-key cryptosystems efficiently. Since DFA usually targets the first or last few rounds of the block ciphers, some countermeasures against DFA only protect the first and last few rounds for efficiency. Therefore, to explore how many rounds DFA can affect is very important to make sure how many rounds to protect in practice. At CHES 2011, Derbez et al. proposed an improved DFA on AES based on MitM approach, which covers one more round than previous DFAs. To perform good (or optimal) MitM DFA on block ciphers, the good (or optimal) attack configurations should be identified, such as the location where the faults inject, the matching point with differential relationship, and the two independent computation paths where two independent subsets of the key are involved. In this paper, we formulate the essential ideas of the construction of the attack, and translate the problem of searching for the best MitM DFA into optimization problems under constraints in Mixed-Integer-Linear-Programming (MILP) models. With the models, we achieve more powerful and practical DFA attacks on SKINNY, CRAFT, QARMA, PRINCE, PRINCEv2, and MIDORI with faults injected in 1 to 9 earlier rounds than the best previous DFAs.

Nan Liao,Xiaoxin Cui,Tian Wang,Kai Liao,Yewen Ni,Dunshan Yu,Xiaole Cui

DOI: https://doi.org/10.1109/asicon.2015.7517030

2015-01-01

Abstract:Setup time variation fault attacks that aim straightly at the FPGA devices have become hot spots nowadays. A high-efficient and accurate fault model aiming at FPGA-based cryptographic applications is proposed in this paper. Multi-diagonal faults are considered in this paper, thus more exploitable faulty ciphertexts can be gathered compared with the previous model. Multi-fault analysis is introduced due to the existence of multi-fault injection, which guarantees the accuracy of the result. Experiment result shows that the fault model brings a significant increase up to 36.5% of the exploitable faults compared with the previous method. Within 24 pairs of correct and faulty ciphertexts, the complete round key can be retrieved by this model.

Fan Zhang,Tianxiang Feng,Zhiqi Li,Kui Ren,Xinjie Zhao

DOI: https://doi.org/10.46586/tches.v2022.i2.289-311

2022-01-01

IACR Transactions on Cryptographic Hardware and Embedded Systems

Abstract:Persistent Fault Analysis (PFA) is a new fault analysis method for block ciphers proposed in CHES 2018, which utilizes those faults that persist in encryptions. However, one fact that has not been raised enough attention is that: while the fault itself does persist in the entire encryption, the corresponding statistical analysis merely leverages fault leakages in the last one or two rounds, which ignores the valuable leakages in deeper rounds. In this paper, we propose Algebraic Persistent Fault Analysis (APFA), which introduces algebraic analysis to facilitate PFA. APFA tries to make full usage of the free fault leakages in the deeper rounds without incurring additional fault injections. The core idea of APFA is to build similar algebraic constraints for the output of substitution layers and apply the constraints to as many rounds as possible. APFA has many advantages compared to PFA. First, APFA can bypass the manual deductions of round key dependencies along the fault propagation path and transfer the burdens to the computing power of machine solvers such as Crypto-MiniSAT. Second, thanks to the free leakages in the deeper round, APFA requires a much less number of ciphertexts than previous PFA methods, especially for those lightweight block ciphers such as PRESENT, LED, SKINNY, etc. Only 10 faulty ciphertexts are required to recover the master key of SKINNY-64-64, which is about 155 times of reduction as compared to the state-of-the-art result. Third, APFA can be applied to the block ciphers that cannot be analyzed by PFA due to the key size, such as PRESENT-128. Most importantly, APFA replaces statistical analysis with algebraic analysis, which opens a new direction for persistent-fault related researches.

MAO Hongjing,CHENG Yukun,HU Honggang

DOI: https://doi.org/10.3969/j.issn.1671-1122.2023.05.005

2023-01-01

Abstract:Persistent Fault Analysis（PFA）is a novel fault analysis technique proposed in 2018, which has attracted widespread attention from home and abroad. Although various analysis methods for different cryptographic systems have been proposed, research on the fault model with unknown fault values is still an open problem, which represents a more practical attack scenario. Particularly when dealing with multiple faults, it is more difficult to control the overlap of the original and faulty values. This paper proposed a multiple persistent fault analysis model under a relatively loose fault model. Attackers did not need to know any information about fault values, locations, or even number. By exploiting the property that persistent faults remained unchanged during all encryption processes, the range of fault values was narrowed down using the results of different bytes of ciphertext, eventually leading to key recovery. Both theoretical proof and simulation experiments were conducted to verify the effectiveness of the analysis model. Taking the AES-128 algorithm as an example, with only 150 ciphertexts under the condition of ciphertext-only, the number of candidate keys can be controlled within a small range. The success rate of the attack is above 99%, effectively reduce the required number of ciphertexts. By increasing the number of rounds, the key can be recovered even after frequent key-update, significantly reducing the difficulty of the attack.

Shize Guo,Xinjie Zhao,Fan Zhang,Tao Wang,Zhijie Jerry Shi,Francois-Xavier Standaert,Chujiao Ma

DOI: https://doi.org/10.1109/tifs.2014.2315534

IF: 7.231

2014-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Algebraic side-channel attack (ASCA) is a typical technique that relies on a general solver to solve the equations of a cipher and its side-channel leaks. It falls under analytical side-channel attack and can recover the entire key at once. Many ASCAs are proposed against the AES, and they utilize the Grobner basis-based, SAT-based, or optimizer-based solver. The advantage of the general solver approach is its generic feature, which can be easily applied to different cryptographic algorithms. The disadvantage is that it is difficult to take into account the specialized properties of the targeted cryptographic algorithms. The results vary depending on what type of solver is used, and the time complexity is quite high when considering the error-tolerant attack scenarios. Thus, we were motivated to find a new approach that would lessen the influence of the general solver and reduce the time complexity of ASCA. This paper proposes a new analytical side-channel attack on AES by exploiting the incomplete diffusion feature in one AES round. We named our technique incomplete diffusion analytical side-channel analysis (IDASCA). Different from previous ASCAs, IDASCA adopts a specialized approach to recover the secret key of AES instead of the general solver. Extensive attacks are performed against the software implementation of AES on an 8-bit microcontroller. Experimental results show that: 1) IDASCA can exploit the side-channel leaks in all AES rounds using a single power trace; 2) it has less time complexity and more robustness than previous ASCAs, especially when considering the error-tolerant attack scenarios; and 3) it can calculate the reduced key search space of AES for the given amount of side-channel leaks. IDASCA can also interpret the mechanism behind previous ASCAs on AES from a quantitative perspective, such as why ASCA can work under unknown plaintext/ciphertext scenarios and what are the extreme cases in ASCAs.

Xinjie Zhao,Shize Guo,Fan Zhang,Tao Wang,Zhijie Jerry Shi,Chujiao Ma,Dawu Gu

DOI: https://doi.org/10.1109/FDTC.2014.13

2014-01-01

Abstract:GOST is a well-known block cipher as the official encryption standard for the Russian Federation. A special feature of GOST is that its eight S-boxes can be secret. However, most of the researches on GOST assume that the design of these S-boxes is known. In this paper, the security of GOST against side-channel attacks is examined with algebraic fault analysis (AFA), which combines the algebraic cryptanalysis with the fault attack. Three AFAs on GOST, which have different attack goals in different scenarios, are investigated. The results show that 8 fault injections are required to recover the secret key when the full design of GOST is known, which is less than 64 fault injections required in previous work. 64 fault injections are required to recover the eight unknown S-boxes assuming the key is known. 270 fault injections are required to recover the key and the eight S-boxes when both are unknown. The results prove that AFA is very effective and keeping some components in a cipher secret cannot guarantee its security against fault attacks.

Nan Liao,Xiaoxin Cui,Tian Wang,Kai Liao,Dunshan Yu,Xiaole Cui

DOI: https://doi.org/10.1109/icist.2016.7483412

2016-01-01

Abstract:A high-efficient fault attack on AES S-box is proposed in this paper. Faults are introduced in the encryption process by changing the mapping relationship of S-box. Based on the round in which the faults are introduced, two fault models are presented. Attack results show that the first model only needs 16 faulty ciphertexts to recover the 128-bit secret key. The second fault model is more efficient. In this model, two rounds of attacks are enough to find out the 4-byte round-key based on DFA on the 9th round S-box. For covering all the possible fault situations, influence of multi-byte faults are considered, which effectively improves the attack accuracy and reduces the attack rounds. Compared with previous fault models, our work in this paper shows significant advantage of efficiency.

Zhang Fan,Zhao Xinjie,Guo Shize,Shen Jizhong,Huang Jing,Hu Zijie

DOI: https://doi.org/10.1109/cc.2015.7188531

2015-01-01

Abstract:PRINCE is a 64-bit lightweight block cipher with a 128-bit key published at ASIACRYPT 2012. Assuming one nibble fault is injected, previous different fault analysis (DFA) on PRINCE adopted the technique from DFA on AES and current results are different. This paper aims to make a comprehensive study of algebraic fault analysis (AFA) on PRINCE. How to build the equations for PRINCE and faults are explained. Extensive experiments are conducted. Under nibble-based fault model, AFA with three or four fault injections can succeed within 300 seconds with a very high probability. Under other fault models such as byte-based, half word-based, word-based fault models, the faults become overlapped in the last round and previous DFAs are difficult to work. Our results show that AFA can still succeed to recover the full master key. To evaluate security of PRINCE against fault attacks, we utilize AFA to calculate the reduced entropy of the secret key for given amount of fault injections. The results can interpret and compare the efficiency of previous work. Under nibble-based fault model, the master key of PRINCE can be reduced to 2 9.69 and 2 36.10 with 3 and 2 fault injections on average, respectively.