Introduction to Fault Attacks

Differential Fault Attack

1
Introduction
Neural Public
Network Key

Cloud Fault Symmetric

Server Attack Key

Automotive PQC
Introduction Laser-FI

Neural Public
Row-Hammer
Network Key
EM-FI

Cloud Fault Symmetric

Server Attack Key

Clock-Glitch
Voltage-Glitch
Automotive PQC
 Fault Attacks on RSA
• Only decryption is subject to attacks Dan Boneh, Richard A. DeMillo, Richard J. Lipton:
On the Importance of Checking Cryptographic
• Assume: Protocols for Faults (Extended
1. Attacker can flip a single bit in key d Abstract). EUROCRYPT 1997: 37-51

2. S and corresponding message M known to attacker

Decryption device generatesM̂ satisfying
Mˆ S 2 di
i
𝑀 = 𝑆 𝑑 𝑚𝑜𝑑 𝑁
= i mod N 𝑡−1 𝑖
M S 2 di = 𝑆 2 𝑑𝑡−1+⋯+2 𝑑𝑖+⋯+𝑑0 𝑚𝑜𝑑 𝑁

෡ = 𝑆 𝑑෠ 𝑚𝑜𝑑 𝑁
𝑀
• If di = 0 then Mˆ M = S 2 mod N
i
𝑡−1 𝑖
= 𝑆 2 𝑑𝑡−1+⋯+2 𝑑𝑖+⋯+𝑑0 𝑚𝑜𝑑 𝑁

• If di = 1 then Mˆ M =1 S 2 mod N
i

Source : Koren and Krishna,

Morgan-Kaufman 2007

4
 Fault Attacks on RSA
• Assume that the attacker flips randomly a bit in d.
• Example: (e,N)=(7,77), d=43 d5d4d3d2d1d0 = 1010112
• Ciphertext=37 producing M=9 if no fault is injected and
Mˆ = 67 if a fault is injected
• Search for i such that 9 = (67  372 ) mod 77 i=3 (d3 = 1) since
i

(67  378 ) mod 77 = (67  53) mod 77 = 9

Source : Koren and Krishna,

Morgan-Kaufman 2007

5
 Differential Fault Analysis (DFA) of AES
PlainText

RoundKey AddRoundKey 1st Round

SubBytes
SubBytes
ShiftRows Repeat
Nr -1 ShiftRows
MixColumns
Round RoundKey AddRoundKey
RoundKey AddRoundKey

CipherText

First 9 Rounds Last Round

7
Plaintext
Block
Secret Key

XOR key
AES-128
Encryption
Byte Substitution
Loop 10 times

Shift Rows

Mix Columns RK1

RK2
(except for the last round) RK3
Ciphertext
Block Add Round Key RK10
Key Expansion
Effect of Error on AES
• Plaintext:
32 43 f6 a8 88 5a 30 8d 31 31 98 a2 e0 37 07 34
• 128-bit key:
2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c
• Ciphertext:
39 25 84 1d 02 dc 09 fb dc 11 85 97 19 6a 0b 32

• A single error in the plaintext:

30 43 f6 a8 88 5a 30 8d 31 31 98 a2 e0 37 07 34
• Results in the ciphertext:
c0 06 27 d1 8b d9 e1 19 d5 17 6d bc ba 73 37 c1
• A single error in the key: Source : Koren and Krishna,
2a 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c Morgan-Kaufman 2007
• Results in the ciphertext:
c4 61 97 9e e4 4d e9 7a ba 52 34 8b 39 9d 7f 84

• A single-bit error results in a totally scrambled output

9
Illustration of a DFA
PLAIN TEXT PLAIN TEXT

FAULT
INDUCTION
ENCRYPTION ENCRYPTION
ALGORITHM ALGORITHM

FAULT FREE FAULTY

CIPHER TEXT CIPHER TEXT

ANALYSIS

10
A Fault Injection Set-Up

• Time redundant AES-128 implemented

in Spartan 3A FPGA
• Fault injection using clock glitches at
various frequencies
• Xilinx DCM to drive fast clock frequency
• Internal state monitoring using
ChipScope Pro 12.3
Types of DFA
• Attack Location:
• Targeting the Data Path: Assume that the fault occurs in the AES data path.
• Targeting the AES Key Schedule: Assume that the fault occurs in the AES Key-
schedule.
• Fault Model:
• Single Byte
• Multiple Byte

12
Single Byte Faults in known DFAs
• Single Byte Fault
• Attacker induces fault at the input of the 8th round in
a single byte
• Fault value should be non-zero but can be arbitrary
• Relaxing the requirements make the attack more
practical
• No knowledge required of the fault value
• Lesser bytes needed to be faulty
• Lesser faulty cipher texts required

13
A Practical Scenario:
An Iterated AES Architecture

STATE REG
PLAINTEXT

STATE REG

CIPHERTEXT
AES Round

Clk line An Attacker can time his attack by counting the

number of clock cycles : Control on Fault Timing

14
Principle: Propagation of Fault Induced
f f’ f’ 2f’
f’
f’
3f’

9th Round Byte 9th round 9th Round

10th Round
Sub ShiftRow MixColumn
ByteSub
• First, consider a single byte arbitrary fault
at the input of the 9th round.
F1 F1
• ISB : Inverse Sub Byte (alternatively, 𝑆 −1 ) F2 F2
F3 F3
• We develop a filter, which takes as input F4 F4
the faulty and fault free ciphertext.
10th Round ShiftRow

15
The Patterns Gives the Following Equations
• ISB(x1+K1)+ISB(x1+F1+K1)=
2[ISB(x2+K2)+ISB(x2+F2+K2)]
• ISB(x2+K2)+ISB(x2+F2+K2)=
ISB(x3+K3)+ISB(x3+F3+K3)
• ISB(x4+K4)+ISB(x4+F4+K4)=
3[ISB(x2+K2)+ISB(x2+F2+K2)]

16
Important Points
• No dependency on the fault value.
• Finds out the key using two faulty encryptions
with a probability of almost one.
• Rest of the cases a third faulty cipher text is
needed
• Time Complexity is 216.
• One byte fault reveals 4 key bytes.
• To obtain the entire key, 4 faulty cipher texts needed.

17
When the Fault is Induced in the 8 th Round…
• Fault is induced at the input of 8th round.
• A one byte disturbance creates a 4 byte fault at
the input of the 9th round.
• Let us trace the disturbance through the last 3
rounds.
• Equations are of similar nature.

18
Propagation of Fault Induced at 8th Round Input
f f’ f’ 2f’
f’
f’
3f’
9th Round
8th Round 8th round 8th Round ByteSub
Byte Sub ShiftRow MixColumnF1
F2
F3
10th Round 10th Round 9th Round F4 9th Round
Shift Row Byte Sub MixColumn ShiftRow
A1 A2 A3 A4 A1 A2 A3 A4 2F1 F4 F3 3F2 F1
A6 A7 A8 A5 A5 A6 A7 A8 F1 F4 3F3 2F2 F2
A11 A12 A9 A10 A9 A10 A11 A12 F1 3F4 2F3 F2 F3
A16 A13 A14 A15 A13 A14 A15 A16 3F1 2F4 F3 F2 F4 19
 The Patterns Gives the
Following Equations
Here, ISB stands for
• ISB(x1+K00)+ISB(x1+A1+K00)= inverse of the SubBytes
2[ISB(x8+K13) +ISB(x8+A5+K13)] operation.
• ISB(x8+K13)+ISB(x8+A5+K13)=
ISB(x11+K22)+ISB(x11+A9+K22)
• ISB(x14+K31)+ISB(x14+A13+K31)=
3[ISB(x8+K13)+ISB(x8+A5+K13)]

20
Similar equations are derived for the other key bytes

For all the equations the worst case

For the Other Key Bytes
complexity is around 28 to 29.

Two faulty cipher text pairs reveal the

exact key with a probability of almost 1.

21
Conclusions

Faults can be catastrophic for cipher implementations

DFA works by combining differential cryptanalysis with faults

A random one byte fault at the input of 8th round of AES can reduce the key size drastically

Two such fault injections can uniquely give the key.

References:
1. Debdeep Mukhopadhyay:An Improved Fault Based Attack of the Advanced Encryption Standard.
AFRICACRYPT 2009: 421-434
2. Gilles Piret, Jean-Jacques Quisquater:A Differential Fault Attack Technique against SPN Structures, with
Application to the AES and KHAZAD. CHES 2003: 77-88

22
Can the Attack Work with One Faulty
Ciphertext?
• With one faulty cipher text:
• Number of possible values per 4 bytes of the key is
around 28.
• There are 232 possible candidates for 128 bits of the
AES key.
• Brute force key is thus possible!

DebdeepMukhopadhyay, An Improved Fault Based Attack of the Advanced Encryption Standard.

AFRICACRYPT 2009: LNCS 5580, pp 421-434

23
 Improvement of the Attack
• Current research shows that the AES key size can
be reduced from 232 to 28 for a single byte fault.

• The small complexity of the attack makes it

feasible on real life FPGA implementations of AES
using less sophisticated techniques, like clock
glitching.
Michael Tunstall, Debdeep Mukhopadhyay: Differential Fault Analysis of the Advanced Encryption
Standard using a Single Fault. IACR Cryptology ePrint Archive 2009: 575 (2009)

Michael Tunstall, Debdeep Mukhopadhyay, S,Ali, Differential Fault Analysis of the Advanced
Encryption Standard using a Single Fault, Cryptology ePrint Archive: Report 2009/575, WISTP 2011

24
 Reducing the Search space

• Search space reduced in two phases.

• First phase:
➢ Find the 232 candidates of 10th round key.
• Second phase
➢ Deduce four differential equation from differences {2f’,f’,f’,3f’}.
➢ Reduce the 232 candidates to 28 using the four differential equation.

25
Reducing the search space

•Find 232 candidates K10

232 Differential Equation

2F1 = S-1 (x 0  k 0 )  S−1 (x'0 k 0 )

F1 = S-1 (x13  k13 )  S−1 (x'13 k13 )
F1 = S-1 (x10  k10 )  S−1 (x'10 k10 )
3F1 = S-1 (x 7  k 7 )  S−1 (x'7 k 7 )
2128

26
Reducing the Search space
28
▪Find 232 candidates K10
Differential Equation
▪Find 232 Candidates of K9 using keyschedule
▪ Reduce K9 to 28 candidates
keyschedule

232
2f' ' = S9
( 0, 0 )

Differential Equation
f ' = S9
( 0 ,1)

f ' = S9
( 0, 2 )

3f ' = S9
( 0 , 3)

2128

27
Tallying the Differentials
AES key expansion
9th Round Key can be derived as:
The full set of
expanded equations
Reducing the Search space
28
▪Find 232 candidate K10
Differential Equation
▪Find 232 Candidates of K9 using keyschedule
▪ Reduce K9 to 28 candidates
keyschedule ▪Get the master key by 28 brute-force search

232
2f' ' = S9
( 0, 0 )

Differential Equation
f ' = S9
( 0 ,1)

f ' = S9
( 0, 2 )

3f ' = S9
( 0 , 3)

2128

39
 Summary of the DFA of AES
• Requires 28 brute-force search.

• Time complexity 232

40
 Reducing Time Complexity
• Existing DFA required to test 232 candidates of K10 by the 8th round
differential equation.
2f' ' = S9 (1)
( 0, 0 )

f ' = S9 (2)

( 0,1)

f ' = S9
( 0, 2 )
(3)
3f ' = S9
( 0,3)
(4)

• Equations (2) and (3) does not contain key byte k0 and k1

41
 First and the fourth quartets

Second and third quartets

Reducing Time
Complexity (Cont.)
Test by equation (2) and (3)

Test by equation (1) and (4)

42
 Reducing Time Complexity (Cont.)
• From first phase of the attack we have four quartets
{k0 , k13 ,k10 ,k7 }, {k12 ,k9 ,k6 ,k3 },{k8 ,k5 ,k2 ,k15} and
{k4 ,k1 ,k14 , k11 } each of size 28
• Split the first and fourth quartets in to two list of size
27
➢ L1 contains k0
➢ L2 contains k13, k10, k7.
➢ L3 contains k1
➢ L4 contains k4, k14, k11
• The second and third quartet are represented
by two lists L5 and L6 each of size 28

43 43
 Reducing Time Complexity (Cont.)
• Equation (2) and (3)require list L2 ,L4 ,L5 , and L6 .
• Number of possible keys required 27 x 27 x 28 x 28 =230 .
• 222 candidates satisfy the equation (2) and (3).
• Combine each of 222 candidates to four values of k0 and k1 from lists
L1 and L2.
• Number of candidates increased to 224 .
• Reduce 224 candidates to 28 by equation (1) and (4).

44
 Results

• Time complexity of the attack reduced to 230 from 232

• Attack is four times faster.

Ali, Mukhopadhyay 2011 (eprint):Time Complexity: 230

45
Countermeasures and
Improved Attacks
Differential Fault Intensity Attack (DFIA)

47
Countering Fault Attacks

Whose fault is It?

• Is the flaw in the algorithm?
• Is the flaw in the implementation?
How can Countermeasures be built?
• Does Classical Fault Tolerance work?

13 February 2024 Technion, Haifa 48

Detection Based Countermeasures

• Also known as Concurrent Error Detection (CED) techniques

• Use various kinds of redundancy to detect faults
• Vulnerable to attacks in the comparison step itself
• Vulnerable to biased fault attacks

13 February 2024 Technion, Haifa 49

The Basic Principle of CEDs

50
 Hardware Redundancy

To prevent bypassing, by injecting

the same fault twice, a better idea
Hardware redundancy duplicates hardware and detects would be to mix the state bytes in
faults by comparing the outputs of the two copies. the two datapaths in different ways!
Naturally, there is a 200% area over-head.

51
 Time Redundancy As number of cycles
are halved, the extra
Double-Data-Rate (DDR) is an alternative strategy
cycles can be used for
suitable for pipelined datapaths, targeting operations
redundancy.
which are not the critical path of the design.

Pipelined
32-bit D1 D2 D3 D4
Time redundancy SBox
computes the same
function twice, but
using the same
hardware. Naturally,
there is negligible area D1,D2 D3,D4 D1,D2 D3,D4 Rows of State
overhead, but Matrix of AES
throughput is affected. D1,D2 D3,D4 D1,D2 D3,D4

Paulo Maistri and Regis Leveugle, IEEE TC 2008

52
Hybrid Redundancy
Recomputing with Permuted Operands (REPO): Redundant rounds
are inserted in the encryption. In each redundant round, the input
data are permuted and AES computes the permuted data. Then, the
round output is inverse permuted and compared with the original
output. Any mismatch shows that faults are detected. REPO provides
close to 100% fault coverage to both permanent and transient faults.
A Useful Permutation for AES Rounds:
x01 x02 x03 x00 x00 x01 x02 x03
P x10 x11 x12 x13
x11 x12 x13 x10
x21 x22 x23 x20 x20 x21 x22 x23

x31 x32 x33 x30 x30 x31 x32 x33

Overhead P(AESRound(S))=AESRound(P(S))
around 20%

Xiaofei Guo and Ramesh Karri, DAC 2012.

53
Information Redundancy and Error Detecting Codes (EDCs)
• First generate check bits
• For each operation within
encryption predict check bits
• Periodically compare predicted
check bits to generated ones
• Predicting check bits for each
operation - most complex step
• Should be compared to
duplication
• Examples of EDC – parity based and
residue checks Source : Koren and Krishna,
Morgan-Kaufman 2007
• Can be applied at different levels –
word, byte, nibble

54
 Parity-based Code for AES
• Operations operate on bytes so byte-level parity is natural
• ShiftRows: Rotating the parity bits
• AddRoundKey: Add parity bits of state to those of key
• SubBytes: Expand Sbox to 2569 – add output parity bit; to propagate
incoming errors (rather than having to check) expand to 5129 – put Transformation Input
incorrect parity bit for inputs with incorrect parity Parity Bit(s) (input state matrix)
• MixColumns: The expressions are:
p 0, j = p 0, j  p 2, j  p 3, j  S 0( ,7j)  S1(,7j)
Parity Prediction Transformation
p1, j = p 0, j  p1, j  p 3, j  S (7)
1, j S (7)
2, j

p 2, j = p 0, j  p1, j  p 2, j  S 2( 7, j)  S3(,7j)
Predicted Transformation Result
p 3, j = p1, j  p 2, j  p 3, j  S3(,7j)  S 0( ,7j)
Parity Bit(s) (output state matrix)
(7)
where si , j is the msb of the state byte in position i,j Source : Koren and Krishna,
Morgan-Kaufman 2007

55
Does Detection Always Guarantee Security?
The Time Redundancy Countermeasure

S.Patranabis, A.Chakraborty, P.H.Nguyen and D.Mukhopadhyay. A Biased Fault Attack on

the Time Redundancy Countermeasure for AES. In Proceedings of Constructive Side Channel
Analysis and Secure Design 2015 (COSADE 2015), Berlin, Germany, April 2015

February 13, 2024 Technion, Haifa 57

Against Double Fault Attacks : Detection

February 13, 2024 Technion, Haifa 58

Against Double Fault Attacks: Misses

February 13, 2024 Technion, Haifa 59

 Beating The Countermeasure
• Improving fault collision probability
• Enhancing the probability of identical faults in original and redundant rounds
• Two major aspects
• The size of the fault space
• The probability distribution of faults in the fault space
• A smaller fault space enhances the fault collision probability
• A non-uniform probability distribution of faults in the fault space also enhances
the fault collision probability

February 13, 2024 Technion, Haifa 60

Uniform Fault Model
• All faults are equally likely

February 13, 2024 Technion, Haifa 61

Biased Fault Model
• A total of n faults possible under a fault model F
• Each fault fi has a probability of occurrence Pr[fi]
• Let V be the variance of the fault probability distribution
• Degree of Bias of a fault model increases with increase in V
Fault Pr[f1] Pr[f2] Pr[f3] Pr[f4] Pr[f5] Pr[f6] Pr[f7] Pr[f8] V
Mod
el
1 0.125 0.125 0.125 0.125 0.125 0.125 0.125 0.125 0
2 0.225 0.200 0.175 0.125 0.100 0.075 0.050 0.050 0.004
3 0.500 0.250 0.125 0.050 0.050 0.025 0 0 0.026

February 13, 2024 Technion, Haifa 62

The Fault Collision Probability
• With increase in bias, collision probability increases

February 13, 2024 Technion, Haifa 63

The Adversarial Perspective But what
about How can
we exploit
practical
feasibility? the bias?

February 13, 2024 Technion, Haifa 64

 Fault Intensity
The impact of fault varies with the tuning of the parameters of the fault inducing process.
More true for low cost equipment.

Insertion of Fault through Clock Glitches:

With increase of clock frequency more bits start getting affected.
We say the fault intensity increases!
Nahid Farhady Ghalaty, Bilgiday Yuce, Mostafa M. I. Taha, Patrick Schaumont:
Differential Fault Intensity Analysis. FDTC 2014: 49-58

February 13, 2024 Technion, Haifa 65

Differential Fault Intensity Analysis
(DFIA)
• Combines fault injection and DPA principles
• Induces biased faults by varying the fault intensity
• Applies a hypothesis test with biased faults
• Uses biased faults as the source of leakage

February 13, 2024 Technion, Haifa 66

Steps of a DFIA

The extraction of the key is like a side channel

analysis:
Guessing the key correctly helps in
observing the bias in the fault distribution

February 13, 2024 Technion, Haifa 67

Attack on the Time redundancy
Countermeasure
• All faults are restricted to a single byte Suitable

• Two kinds of fault models

• Situation-1: Attacker has control over
target byte
• Situation-2: Attacker has no
control over target byte
• Control over target byte makes fault
model more precise but is costly to
achieve
The Attack Procedure

Fault Distribution

Distinguishers used :
Hamming Distance (HD)
Squared Euclidean Imbalance (SEI)
Make a key hypothesis k and evaluate the
distinguishers
Correct hypothesis gives minimum
and maximum values respectively

69
 Simulations-1 Number of
ciphertexts required
to guess the AES key
with 99% accuracy
• Identical faults introduced into both
original and redundant rounds
• Target byte chosen at random
Simulation results
• Same fault for original and redundant
computations
• Each fault injection yields a useful
ciphertext
• Attacks simulated on rounds 8 and 9
• Performed separately for each fault
model
Simulations-2
• Vary the degree of bias in the fault model
• Control the variance of the fault probability distribution
• Observe the number of fault injections to get a faulty ciphertext
• Two adversarial models:
• Type 1: Perfect control over target byte
• Type 2: No control over target byte

71
Simulations-2 (contd.)
Perfect Control on Byte
Faulted

No Control on Byte Faulted

72
Experimental Results
Useful Total Fault
ciphertexts Injections

73
Comments on Detection Schemes
• Bias of a fault model can be quantified in terms of the variance of
fault probability distribution
• Detection based countermeasures are vulnerable against biased fault
attacks that are practically achievable

February 13, 2024 Technion, Haifa 74

Modern Times
SIFA and FTA

75
 Ineffective Faults P

• Corruption depends upon the value

of the target intermediate. Round 1

• Example:
Round 2
• Consider a stuck-at-0 fault.
• No corruption happens if the
value of the target bit is 0.
• Ciphertext is faulty if the value Round n-1
of the target bit is 1.
• In the former case, we call the Round n
fault as ineffective fault.

C
 Statistical Ineffective Fault Analysis
A “not so intuitive” intuition
• The correct state space under the influence of
faults is biased for biased faults.
• Example:
• Consider the stuck-at-0 fault at the MSB of
a 4-bit state. State distribution w/o faults
• If value of the faulted state belongs to the
first 8 table entries the ciphertext is correct.
• The distribution of the state for correct
values only assumes 8 possible values
among 16.
Correct State distribution with faults
• Works for many other biased fault models.
 Statistical Ineffective Fault Analysis
A “not so intuitive” intuition
• The correct state space under the influence of
faults is biased for biased faults.
• Example:
• Consider the stuck-at-0 fault at the MSB of
a 4-bit state. State distribution w/o faults
• If value of the faulted state belongs to the
first 8 table entries the ciphertext is correct.
• The distribution of the state for correct
values only assumes 8 possible values
among 16.
Correct State distribution with faults
• Works for many other biased fault models.
SIFA analyzes correct ciphertexts instead of
faulty ones
 Statistical Ineffective Fault Analysis
A “not so intuitive” intuition
• The correct state space under the influence of
faults is biased for biased faults.
• Example:
• Consider the stuck-at-0 fault at the MSB of
a 4-bit state. State distribution w/o faults
• If value of the faulted state belongs to the
first 8 table entries the ciphertext is correct.
• The distribution of the state for correct
values only assumes 8 possible values
among 16.
Correct State distribution with faults
• Works for many other biased fault models.
SIFA analyzes correct ciphertexts instead of
faulty ones
C. Dobraunig, M. Eichlseder, T. Korak, S. Mangard, F. Mendel,
R. Primas, “SIFA: Exploiting Ineffective Fault Inductions on
Symmetric Cryptography”. TCHES 2018
 FA Templates: Exploiting Fault Propagation?
• Fault propagation through combinational net is data dependent.
• In the case of masking, fault propagation is dependent on actual unmasked values.
• What is the consequence?? Can we do powerful attacks??

Fault propagation through AND gate depends on We can get the values of all
the value of the unfaulted inputs unfaulted inputs just by knowing if
the output is correct or faulty.

Fault Template attacks

• Bypasses all combined
countermeasures.
• Can attack middle rounds.
S. Saha , A. Bag , D. B. Roy , S. Patranabis, and D. • Works without plaintext
Mukhopadhyay, “Fault Template Attacks on Block Ciphers ciphertext access.
Exploiting Fault Propagation”. EUROCRYPT 2020
 Fault Template Attack
Template Matching
Two Phases:
• Template Building (Offline):
[F, NF, F F] 0
• Attacker has full access to a device similar to the
[F, F, NF F] 1
target
• Knows the key and the mask. [F, NF, F NF] 4

…
…
• Constructs a template .
• : Set containing the outcome of some
function over attacker observables and fault
locations.
• : Part of the secret
• Template Matching (Online):
• Attacker injects faults at some predefined locations
and extract secret by using the template.
Fault Template Attack Template Matching
Two Phases:
• Template Building (Offline):
• Attacker has full access to a device similar to
[F, NF, F F] 0
the target
[F, F, NF F] 1
• Knows the key and the mask.
[F, NF, F NF] 4
• Constructs a template .

…
…
• : Set containing the outcome of some
function over attacker observables and
fault locations.
• : Part of the secret
• Template Matching (Online):
• Attacker injects faults at some predefined
locations and extract secret by using the
template.
 Fault Template Attack
Attacker capabilities:
• No ciphertext access.
• Only knows if the output is faulty or not.
• Works for all FA countermeasures using
detection
• Can fix the plaintext to some (unknown)
value.
• Inject one fault per encryption at a specific
location.
• Access to plaintext leads to similar attacks
• Maybe little easier
 Fault Template Attack
Attacker capabilities:
• No ciphertext access.
1
• Only knows if the output is faulty or not.
• Works for all FA countermeasures using
detection
• Can fix the plaintext to some (unknown)
value.
• Inject one fault per encryption at a specific
location.
• Access to plaintext leads to similar attacks
• Maybe little easier
 Fault Template Attack
Attacker capabilities: F, if
• No ciphertext access. C, if
1
• Only knows if the output is faulty or not.
• Works for all FA countermeasures using
detection
• Can fix the plaintext to some (unknown)
value.
• Inject one fault per encryption at a specific
location.
• Access to plaintext leads to similar attacks
• Maybe little easier
 Fault Template Attack
Attacker capabilities: F, if
• No ciphertext access. C, if 1
• Only knows if the output is faulty or not.
• Works for all FA countermeasures using
detection
• Can fix the plaintext to some (unknown)
value.
• Inject one fault per encryption at a specific
location.
• Access to plaintext leads to similar attacks
• Maybe little easier
 Fault Template Attack
Attacker capabilities: F, if
• No ciphertext access. C, if 1
• Only knows if the output is faulty or not.
• Works for all FA countermeasures using
detection
• Can fix the plaintext to some (unknown)
value.
• Inject one fault per encryption at a specific
location.
• Access to plaintext leads to similar attacks
• Maybe little easier
 Fault Template Attack
Attacker capabilities:
• No ciphertext access.
• Only knows if the output is faulty or not.
• Works for all FA countermeasures using
detection
• Can fix the plaintext to some (unknown)
value.
• Inject one fault per encryption at a specific
location. 1
• Access to plaintext leads to similar attacks
• Maybe little easier
F, if
C, if
 Fault Template Attack
Attacker capabilities:
• No ciphertext access.
• Only knows if the output is faulty
or not.
• Works for all FA
countermeasures using 1
detection State
• Can fix the plaintext to some F/C F/C F/C F/C
F, if
(unknown) value.
C, if
• Inject one fault per encryption at a
specific location.
• Access to plaintext leads to similar
attacks
• Maybe little easier
 Fault Template Attack
Attacker capabilities: Fault Correct
• No ciphertext access.
• Only knows if the output is faulty or
not.
• Works for all FA countermeasures
using detection
• Can fix the plaintext to some
(unknown) value.
• Access to plaintext leads to similar
attacks • Extracts an intermediate state (for fixed plaintext).
• Maybe little easier • Recovery of two consecutive intermediate states leads to
a middle round attack.
 Fault Template Attack
Masking:
• SCA countermeasure.
• Also effective against some classes of FAs
• BFA/Safe Error
• Makes power consumption independent of processed
data
• Requires fresh randomness at every execution.
• Split a value into multiple shares
such that .
• Function is split into functions
such that .
• Splitting is trivial for linear functions.
• Nonlinear functions require special attention.
 Fault Template Attack
FTA on Masking:
• Faulting linear terms (XORs) in the logic
does not work.
• Mask changes at each execution
• Attack is only possible if all shares are
faulted together
• Multi-bit faults
• For non-linear functions we exploit the
effect of fault propagation.
• Fault only propagates through AND
gates if one input is faulted and other
inputs are 1.
 Fault Template Attack
stuck-at/ flip
FTA on Masking:
• Faulting linear terms (XORs) in the logic
does not work.
• Mask changes at each execution
• Attack is only possible if all shares are
faulted together
Actual output:
• Multi-bit faults
: Faulted
• For non-linear functions we exploit the
: Correct
effect of fault propagation.
• Fault only propagates through AND
gates if one input is faulted and other
inputs are 1.
 Automatic Leakage
Assessment for Faults

96
Testing Block Ciphers for Fault Attacks

Securing cryptographic devices against fault

attacks

➢ Several countermeasures exist :

o Either extremely resource hungry
o Or not robust against all possible
faults
o Broken!!!
➢ Malicious faults are highly repeatable.
➢ Different fault models.
➢ How do we know what is secure and
what is not?
 ALAFA: Automatic Leakage Assessment
• Formalization of leakage due to faults
• General test for leakage assessment:
• Simple
• Statistical
• Similar to well-accepted Side-
Channel Leakage assessment
method TVLA
• Simulation-based
• Algorithm-agnostic
Sayandeep Saha, S. Nishok Kumar, Sikhar Patranabis, Debdeep Mukhopadhyay, Pallab
Dasgupta:
ALAFA: Automatic Leakage Assessment for Fault Attack
Countermeasures. DAC 2019: 136
ALAFA: Automatic Leakage Assessment
Information Leakage in Fault Attacks

• Ciphertext under the influence of

faults is the leakage source
• Several different ways of leakage
exploitation:
• Analytical (DFA)
• Statistical (SFA/SIFA)
• How to detect the leakage in a
general way?
• Formally:
ALAFA: Automatic Leakage Assessment
Information Leakage in Fault Attacks

Fault value under a specific Key • Leakage is algorithm

model dependent
• Depends on:
• Fault model and value
• Plaintext
• Key
Observable Leakage Plaintext
• Leakage function is complex
function
• Some of the leakage
component are secret
• What are the secrets here?
ALAFA: Automatic Leakage Assessment
An Interesting Observation

Fault value under a specific

model Key
• What are the secrets here?
• Key
• Fault value
• Leaking the exact value of the
Leakage Plaintext fault has the same effect as
Observable
function leaking the key.
ALAFA: Automatic Leakage Assessment
Condition for “No Leakage”

• General idea:
• Mutual Information (MI)
https://www.barnesandnoble.com/w/the-perfect-
between the secrets and the secret-rob-buyea/1127870628
observables should be zero
• Plaintext variable must be kept fixed
• Violating of any of these two
conditions indicates leakage
• We use the first one in this work.
 ALAFA
• Formalization of leakage due to faults
• General test for leakage assessment
based on non-interference
o Simple
o Statistical
o Similar to well-accepted Side-
Channel Leakage assessment
method TVLA
• Simulation-based
• Algorithm-agnostic

S. Saha, S. Nishok Kumar, S. Patranabis, D. Mukhopadhyay, P. Dasgupta

“ALAFA: Automatic Leakage Assessment for Fault Attack
Countermeasures.”, DAC 2019.
ALAFA
Non-Interference: Equivalent Definition
ALAFA: Automatic Leakage Assessment
Non-Interference: Equivalent Definition

• Easy to verify
• Equality of distributions can be justified in
many ways.
ALAFA: Automatic Leakage Assessment
The t-test

• Two Sample t-test:

o Check if
• Also used in Side-Channel (TVLA).
• Higher order extension exists.
• We test with 99.99% confidence.
o Leak: if |t| > 4.5
o No leak: if |t| < -4.5
Conclusions

• Faults can be catastrophic for cipher implementations

• DFA (Differential Fault Analysis) works by combining differential cryptanalysis with faults

• A random one byte fault at the input of 8th round of AES can reduce the key size drastically:

Two such fault injections can uniquely give the key.

• Biased Faults can be utilized in Differential fault Intensity (DFIA) Attacks

• There are exciting prospects on fault analysis research, counter-measure design,

validation/testing.

108