Fault Attacks on AES with Faulty Ciphertexts Only

Fuhr, Thomas; Jaulmes, Éliane; Lomné, Victor; Thillard, Adrian

doi:10.1109/fdtc.2013.18

Cited by 138 publications

(92 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It uses the knowledge of the localization bias of the fault model to recover the secret key [3,20]. DFIA is similar to side-channel analysis techniques in its use of distinguishers to distinguish the correct key hypothesis from the incorrect ones.…”

Section: Differential Fault Intensity Analysis (Dfia)mentioning

confidence: 99%

Fault Tolerant Infective Countermeasure for AES

2017

View full text Add to dashboard Cite

Infective countermeasures have been a promising class of fault attack countermeasures. However, they have been subjected to several attacks owing to lack of formal proofs of security and improper implementations. In this paper, we first provide a formal information theoretic proof of security for one of the most recently proposed state of the art infective countermeasures against DFA, under the assumption that the adversary does not change the flow sequence or skip any instruction. Subsequently, we identify weaknesses in the infection mechanism of the countermeasure that could be exploited by attacks which change the flow sequence. Furthermore, we propose an augmented infective countermeasure scheme obtained by introducing suitable randomizations that reduce the success probabilities of such attacks. Finally, we develop a fault tolerant implementation of the countermeasure using the x86 instruction set to make any attacks which attempt to change the control flow of the algorithm via instruction skips practically infeasible. All the claims have been validated by supporting simulations and real-life experiments on a SASEBO-W platform. We also compare the fault tolerance provided by our proposed countermeasure scheme against that provided by the existing scheme.

show abstract

Section: Differential Fault Intensity Analysis (Dfia)mentioning

confidence: 99%

Fault Tolerant Infective Countermeasure for AES

2017

View full text Add to dashboard Cite

show abstract

“…We discuss and compare several recently proposed biasedfault attacks, including Fault Sensitivity Analysis (FSA, [1]), Non-Uniform Error Value Analysis (NUEVA, [2]), Non-Uniform Faulty Value Analysis (NUFVA, [3]) and Differential Fault Intensity Analysis (DFIA, [4]). We show that these attacks share common ideas, and hence, their efficiency can be compared.…”

Section: Introductionmentioning

confidence: 99%

Analyzing the Efficiency of Biased-Fault Based Attacks

Ghalaty

Yuce

Schaumont

2016

IEEE Embedded Syst. Lett.

View full text Add to dashboard Cite

In this paper, we analyze a class of recently proposed fault analysis techniques, which adopt a biased fault model. The purpose of our analysis is to evaluate the relative efficiency of several recently proposed biased-fault attacks. We compare the relative performance of each technique in a common framework, using a common circuit and a common fault injection method. We show that, for an identical circuit and fault injection method (setup time violation through clock glitching), the number of faults per attack greatly varies according to the analysis technique. In particular, DFIA is more efficient than FSA, and FSA is more efficient than both NUEVA and NUFVA. In terms of number of fault injections until full key disclosure, for a typical case, FSA uses 8x more faults than DFIA, and NUEVA uses 33x more faults than DFIA. Hence, the post-processing technique selected in a biased-fault attack has a significant impact on the success of the attack.

show abstract

“…In [24] the authors propose to use Maximum likelihood, the mean Hamming weight or the Squared Euclidean Imbalance(SEI) as distinguishers. The Maximum likelihood approach requires an exact knowledge of the bias and is therefore discarded as an identifier.…”

Section: Attack For the Biased Fault Modelmentioning

confidence: 99%

“…This key addition (XOR) results in an exploitable relationship between the faulted output and the key. ChaCha and Salsa, however, have a different structure and use a hash function and not a block cipher as their source of randomness making the attacks proposed in [22][23][24] not applicable.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Fault Analysis of the ChaCha and Salsa Families of Stream Ciphers

Beckers

Gierlichs

Verbauwhede

2018

Smart Card Research and Advanced Applications

View full text Add to dashboard Cite

Abstract. We present a fault analysis study of the ChaCha and Salsa families of stream ciphers. We first show that attacks like differential fault analysis that are common in the block cipher setting are not applicable against these families of stream ciphers. Then we propose two novel fault attacks that can be used against any variant of the ciphers. We base our attacks on two different fault models: the stuck-at fault model and the biased fault model. Each of them is exploited differently by the attacker. If the attacker knows the plaintexts and the ciphertexts both fault models can be successfully exploited. If the ciphers operate on fixed yet unknown plaintexts only the biased fault model can be successfully exploited. We evaluate exemplary attacks using both models in simulation. Their low complexity confirms that they are practical. To the best of our knowledge these are the first fault attacks against ChaCha and Salsa that do not require faults in the control flow (e.g. instruction skip).

show abstract

Fault Attacks on AES with Faulty Ciphertexts Only

Cited by 138 publications

References 8 publications

Fault Tolerant Infective Countermeasure for AES

Fault Tolerant Infective Countermeasure for AES

Analyzing the Efficiency of Biased-Fault Based Attacks

Fault Analysis of the ChaCha and Salsa Families of Stream Ciphers

Contact Info

Product

Resources

About