Thwarting Fault Attacks against Lightweight Cryptography using SIMD Instructions

Lac, Benjamin; Canteaut, Anne; Fournier, Jacques; Sirdey, Renaud

doi:10.1109/iscas.2018.8351693

Cited by 11 publications

(10 citation statements)

References 43 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Conditionals in a Boolean program are implemented through data-multiplexing: both results are sequentially computed and the relevant output is obtained by demultiplexing these intermediary results based on the conditional. Finally, the massively parallel nature of a bitsliced implementation can be exploited to provide intra-instruction redundancy (encrypting the same data in redundant slices) as well as various forms of temporal redundancy (processing data at distinct rounds in distinct, randomly-chosen slices) [37,32]. In a bitsliced setting, these techniques translate into end-to-end protection, protecting a cipher from the moment the plaintext is introduced to the moment the ciphertext is produced.…”

Section: Preliminariesmentioning

confidence: 99%

See 1 more Smart Citation

Custom Instruction Support for Modular Defense Against Side-Channel and Fault Attacks

Kiaei

Mercadier

Dagand

et al. 2021

Constructive Side-Channel Analysis and Secure Design

View full text Add to dashboard Cite

The design of software countermeasures against active and passive adversaries is a challenging problem that has been addressed by many authors in recent years. The proposed solutions adopt a theoretical foundation (such as a leakage model) but often do not offer concrete reference implementations to validate the foundation. Contributing to the experimental dimension of this body of work, we propose a customized processor called SKIVA that supports experiments with the design of countermeasures against a broad range of implementation attacks. Based on bitslice programming and recent advances in the literature, SKIVA offers a flexible and modular combination of countermeasures against power-based and timing-based side-channel leakage and fault injection. Multiple configurations of side-channel protection and fault protection enable the programmer to select the desired number of shares and the desired redundancy level for each slice. Recurring and security-sensitive operations are supported in hardware through custom instruction-set extensions. The new instructions support bitslicing, secret-share generation, redundant logic computation, and fault detection. We demonstrate and analyze multiple versions of AES from a side-channel analysis and a fault-injection perspective, in addition to providing a detailed performance evaluation of the protected designs. To our knowledge, this is the first validated end-to-end implementation of a modular bitslice-oriented countermeasure.

show abstract

Section: Preliminariesmentioning

confidence: 99%

“…We protect our implementation against data faults using intra-instruction redundancy (IIR) [37,32,15]. We support either a direct redundant implementation, in which the duplicated slices contain the same value, or a complementary redundant implementation, in which the duplicated slices are complemented pairwise.…”

Section: Data-redundant Computationmentioning

confidence: 99%

Custom Instruction Support for Modular Defense Against Side-Channel and Fault Attacks

Kiaei

Mercadier

Dagand

et al. 2021

Constructive Side-Channel Analysis and Secure Design

View full text Add to dashboard Cite

show abstract

“…This paper states that depending on the floorplanning used during the implementation process, it is possible to difficult fault injections, but does not constitute a countermeasure as such. In [23], a software countermeasure is presented where the so-called Single Instruction Multiple Data instructions are used, where redundancies are implemented in data processing to avoid injection of faults. The paper [24] presents two algorithm-level countermeasures focused on preventing DPA attacks on the Trivium cipher, but not against fault injections.…”

Section: Comparative With Other Schemesmentioning

confidence: 99%

“…The frequency costs of the different proposed designs range from 0.72 to 0.96. Regarding [23], we can see that it is a software-oriented scheme and therefore resource consumption is not applicable. In this proposal, no fault coverage is provided and the frequency degradation is below the schemes proposed in this paper.…”

Section: Comparative With Other Schemesmentioning

confidence: 99%

Trivium Stream Cipher Countermeasures Against Fault Injection Attacks and DFA

et al. 2021

View full text Add to dashboard Cite

Attacks on cryptocircuits are becoming increasingly sophisticated, requiring designers to include more and more countermeasures in the design to protect it against malicious attacks. Fault Injection Attacks and Differential Fault Analysis have proven to be very dangerous as they are able to retrieve the secret information contained in cryptocircuits. In this sense, Trivium cipher has been shown to be vulnerable to this type of attack. This paper presents four different fault detection schemes to protect Trivium stream cipher implementations against fault injection attacks and differential fault analysis. These countermeasures are based on the introduction of hardware redundancy and signature analysis to detect fault injections during encryption or decryption operations. This prevents the attacker from having access to the faulty key stream and performing differential fault analysis. In order to verify the correct operation and the effectiveness of the presented schemes, an experimental system of non-invasive active attacks using the clock signal in FPGA has been designed. This system allows to know the fault coverage for both multiple and single faults. In addition, the results of area consumption, frequency degradation, and fault detection latency for FPGA and ASIC implementations are presented. The results show that all proposed countermeasures are able to provide a fault coverage above 79% and one of them reaches a coverage of 99.99%. It has been tested that the number of cycles for fault detection is always lower than the number of cycles needed to apply the differential fault analysis reported in the literature for the Trivium cipher.

show abstract

“…Software countermeasures can be based for example on coding theory [BH16, BCC + 14], instruction redundancy [PYGS16,LCFS17], or infection [GST12]. We note that TADA is capable of analyzing single bit flip vulnerabilities and therefore, it can check whether the countermeasure was implemented sufficiently.…”

Section: Tada Usagementioning

confidence: 99%

Fully Automated Differential Fault Analysis on Software Implementations of Block Ciphers

Hou

Breier

Zhang

et al. 2019

TCHES

View full text Add to dashboard Cite

Differential Fault Analysis (DFA) is considered as the most popular fault analysis method. While there are techniques that provide a fault analysis automation on the cipher level to some degree, it can be shown that when it comes to software implementations, there are new vulnerabilities, which cannot be found by observing the cipher design specification.This work bridges the gap by providing a fully automated way to carry out DFA on assembly implementations of symmetric block ciphers. We use a customized data flow graph to represent the program and develop a novel fault analysis methodology to capture the program behavior under faults. We establish an effective description of DFA as constraints that are passed to an SMT solver. We create a tool that takes assembly code as input, analyzes the dependencies among instructions, automatically attacks vulnerable instructions using SMT solver and outputs the attack details that recover the last round key (and possibly the earlier keys). We support our design with evaluations on lightweight ciphers SIMON, SPECK, and PRIDE, and a current NIST standard, AES. By automated assembly analysis, we were able to find new efficient DFA attacks on SPECK and PRIDE, exploiting implementation specific vulnerabilities, and previously published DFA on SIMON and AES. Moreover, we present a novel DFA on multiplication operation that has never been shown for symmetric block ciphers before. Our experimental evaluation also shows reasonable execution times that are scalable to current cipher designs and can easily outclass the manual analysis. Moreover, we present a method to check the countermeasure-protected implementations in a way that helps implementers to decide how many rounds should be protected. We note that this is the first work that automatically carries out DFA on cipher implementations without any plaintext or ciphertext information and therefore, can be generally applied to any input data to the cipher.

show abstract

Thwarting Fault Attacks against Lightweight Cryptography using SIMD Instructions

Cited by 11 publications

References 43 publications

Custom Instruction Support for Modular Defense Against Side-Channel and Fault Attacks

Custom Instruction Support for Modular Defense Against Side-Channel and Fault Attacks

Trivium Stream Cipher Countermeasures Against Fault Injection Attacks and DFA

Fully Automated Differential Fault Analysis on Software Implementations of Block Ciphers

Contact Info

Product

Resources

About