Département SAS Équipe mixte CEA-LETI/ENSMSE Site Georges Charpak Centre Microélectronique de Provence 880, route de Mimet 13541 Gardanne

DTIS 2011

Bruno Robisson Jean-Baptiste Rigaud Assia Tria

Review of Fault Injection Mechanisms and Consequences on Countermeasures Design

6th International Conference on Design & Technology of Integrated Systems in Nanoscale Era

David Naccache Jean-Max Dutertre Jacques J.A. Fournier Amir-Pasha Mirbaha Ecole normale supérieure

Département d’Informatique Équipe de cryptographie 45, rue d’Ulm 75230 Paris

Outline

■  Outline
▪  Fault attacks on cryptosystems.
▪  Introduction

■  Focus
▪  Fault injection means
   •  Laser
   •  Timing constraints violation (clock, voltage, temperature)
▪  Countermeasures
▪  Security evaluation of hardware duplication
▪  Conclusion

2 / 22

Introduction

▪  Fault attacks on physical implementation of cryptosystems

[Figure: cipher with key K, message M and cipher text C as bit strings; the disturbed run outputs a faulty cipher text]

Disturb the ciphering process through unusual environmental conditions in order to:
•  reduce the ciphering complexity (e.g. reducing the number of rounds)
•  retrieve information on the encryption process (i.e. information leakage)
   Differential Fault Attack = comparison between correct and faulty cipher texts

3 / 22

Introduction

▪  DFA's requirements (strong)

Fine control on:
•  location,
•  timing (choice of the injection cycle),
•  focalization (i.e. number of faulted bits).

C. Giraud: DFA on AES, Lecture Notes in Computer Science, 2005, Springer Berlin / Heidelberg, Volume 3373

G. Piret, J.-J. Quisquater: A Differential Fault Attack Technique Against SPN Structures, with Application to the AES, CHES 2003, LNCS 2779, Springer-Verlag

4 / 22

Fault injection means

■  Laser as a fault injection means

Semi-invasive: chemical/mechanical opening while preserving functionality

[Figure: front side and rear side]

Fault injection mechanism:
•  photoelectric effect (hν > Ebandgap)
•  reverse-biased PN junction

data dependent sensitive areas

5 / 22

Fault injection means

▪  Photoelectric effect

[Figure: laser on an n+ diffusion (drain, VDD) in a P substrate (Gnd); labels: depletion region, electric field E, + and - charges]

Current transient
beam energy, pulse duration
voltage transient

[Plot: current (mA) versus time (ns), with an instant response and a delayed response]

6 / 22

Fault injection means

▪  Voltage transient:
•  propagates through combinational logic without memorization
•  propagates through combinational logic with memorization
•  memory flip (SRAM, register)

Single Event Transient - SET
Single Event Upset - SEU
fault injection

▪  Experimental results
•  single-bit and single-byte fault injection
•  control of the injection time (~ 10 ns)
•  focalization: ∅ 1 µm

M. Agoyan, J.-M. Dutertre, A.-P. Mirbaha, D. Naccache, A.-L. Ribotta, A. Tria: How to flip a bit?, 16th International On-Line Testing Symposium, 2010

7 / 22

Fault injection means

■  Timing constraints violation

Non-invasive

▪  Synchronous IC principle (reminder)
•  data are captured on the clock's rising edge
•  time between two rising edges (i.e. clock period) depends on the propagation delay

[Figure: flip-flop Dffi feeding flip-flop Dffi+1 through combinational logic, common clock clk, bus labels n-1 and m-1; label: propagation delay]

8 / 22

Fault injection means

[Figure: flip-flop Dffi feeding flip-flop Dffi+1 through combinational logic, common clock clk, bus labels n-1 and m-1; annotated with Dclk→Q, DpMax and Tclk + Tskew - δsu]

Timing constraint:

Tclk > Dclk→Q + DpMax - Tskew + δsu

Violating this timing constraint results in fault injection

9 / 22

Fault injection means

▪  Clock glitches
•  over clocking

A well-known approach: decreasing the clock period until faults appear by setup time violation

[Figure: nominal clock clk with period Tclk and faster clock clk' whose period is compared with propagation delay + setup time; label: fault]

drawback: faults are injected at each clock cycle, no timing control

10 / 22

Fault injection means

•  local over clocking (or clock glitching)

timing constraint violation by modifying one clock cycle

[Figure: nominal clock clk with period Tclk and glitched clock clk' with one cycle shortened to Tclk - Δ]

fault injection cycle choice
fault-nature fine tuning through Δ fine control (one-bit, two-bits faults)

11 / 22

Fault injection means

•  Experimental results on an AES cryptosystem

Test campaign pseudo-code:
   send random key K and plaintext T to the test chip
   Δ ← 0

⇒ first reported fault → Tclk - Δ = critical time (K, T)
single bit fault > 90%

M. Agoyan, J.-M. Dutertre, D. Naccache, B. Robisson, A. Tria: When Clocks Fail: On Critical Paths and Clock Faults, CARDIS 2010

12 / 22

Fault injection means

Fault injection mechanism

Step by step Tclk decrease (δt = 35 ps), Tclk = 10000 ps

[Figure, shown in successive builds: fault type (no fault, one-bit fault, two-bits fault, other fault) for bits D0 to D7 of byte nb. 6 and for byte indexes 0 to 15, plotted against Tclk - Δ from 9140 ps to 7940 ps (scale label: 200 ps). The builds are annotated in turn: no fault, single bit fault, 2 faulted bits, 3 faulted bits.]
13 / 22
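
The glitch sweep of the last slides, as an added Python model that is not from the original deck: each bit D0..D7 of one byte gets an assumed path delay, the glitched cycle Tclk - Δ shrinks from 10000 ps in 35 ps steps, and a bit that misses setup keeps its previous value. The per-bit delays, the flip-flop parameters and the 7900 ps floor are constructed for illustration, not measurements from the chip.

```python
# Constructed timing model of one register byte; delays are assumed, not measured.
T_CLK = 10_000                       # nominal clock period, ps (from the slide)
STEP = 35                            # glitch step δt, ps (from the slide)
FLOOR = 7_900                        # assumed lower bound of the sweep, ps
D_CLK_Q, D_SU, T_SKEW = 120, 80, 0   # assumed flip-flop parameters, ps
# Assumed worst-case propagation delay to each bit D0..D7, ps.
DP = [8100, 8940, 8400, 7700, 8650, 8200, 7900, 8300]

def required_period(dp):
    """Right-hand side of the timing constraint for one path."""
    return D_CLK_Q + dp - T_SKEW + D_SU

def capture(old, new, period):
    """Byte latched at the end of a cycle lasting `period` ps.

    A bit whose path violates the constraint keeps its previous value, so the
    fault is only visible where the old and new bit differ (data dependence).
    """
    out = 0
    for bit, dp in enumerate(DP):
        src = new if period > required_period(dp) else old
        out |= src & (1 << bit)
    return out

def classify(old, new, period):
    """Fault class as named in the slide legend."""
    flipped = bin(capture(old, new, period) ^ new).count("1")
    names = ["no fault", "one-bit fault", "two-bits fault"]
    return names[flipped] if flipped < 3 else "other fault"

def sweep(old, new):
    """Shrink Tclk - Δ step by step; return (critical_time, {period: class})."""
    critical, log = None, {}
    for period in range(T_CLK, FLOOR - 1, -STEP):
        log[period] = classify(old, new, period)
        if critical is None and log[period] != "no fault":
            critical = period
    return critical, log

if __name__ == "__main__":
    for old in (0x00, 0x02):          # constructed register contents
        crit, log = sweep(old, 0xFF)
        print(f"old={old:#04x}: critical time {crit} ps, {log[crit]}")
```

In this model the first fault is a single-bit fault on the longest path, and the critical time moves when the data change, which is why the slide writes it as a function of (K, T).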

Fault injection means

▪  Voltage deprivation

VDD DpMax ( Dclk→Q, δsu, |Tskew| )

Tclk < Dclk→Q + DpMax - Tskew + δsu

at nominal frequency

[Figure: combinational logic with n inputs and m outputs (D0, D1, ..., Dm-1); within Tclk, the budget DpMax + δsu + slack]

14 / 22

Fault injection means

▪  Voltage deprivation: experimental results

[Plot: critical time in picoseconds, with the clock period Tclk marked]

critical time increases as VDD decreases

1st fault (VDD = 1.07V)

15 / 22

Fault injection means

▪  Temperature increase at nominal frequency

DpMax ( Dclk→Q, δsu, |Tskew| )

16 / 22

Fault injection means

▪  Temperature increase: experimental results

[Plot label: Tclk]

1st fault (210°C)

17 / 22

Countermeasures

■  Countermeasures against fault attacks

▪  Cutting the access point
   •  Power lines filtering
   •  Metallic shielding
   •  Glue logic
   •  Internal clock

▪  Environment monitoring
   •  Voltage sensor
   •  Light sensor
   •  Temperature sensor
   •  Frequency sensor

▪  Fault detection/correction
   •  Hardware redundancy
   •  Timing redundancy
   •  Duplication, triplication with vote
   •  ECC, parity bits

18 / 22

Security evaluation of hardware duplication

■  Security evaluation of hardware duplication

▪  Laser attacks against hardware duplication

[Figure: one input feeds two AES RoundExe blocks; a comparator (comp.) compares the two outputAES values and drives an alarm; a laser spot is drawn on the circuit]

faulty outputAES ≠ faulty outputAES

high fault nb. inconsistent with DFA's requirements

M. Doulcier, J.-M. Dutertre, J. J.-A. Fournier, J.-B. Rigaud, B. Robisson, A. Tria: A Side-Channel and Fault-Attack Resistant AES Circuit Working on Duplicated Complemented Values, In Solid State Circuits Conference (ISSCC 2011)

19 / 22

Security evaluation of hardware duplication

▪  Timing constraint violation attacks on hardware duplication

[Figure: one input feeds two AES RoundExe blocks; a comparator (comp.) compares the two outputs and drives an alarm]

Clock alteration ⇒ fault location = critical paths

single bit fault

faulty outputAES = faulty outputAES

Probability of CM dismiss:

Hardware duplication is broken: DFA's schemes apply

M. Agoyan, S. Bouquet, M. Doulcier, J.-M. Dutertre, J. J.-A. Fournier, J.-B. Rigaud, B. Robisson, and A. Tria: Design of a duplicated fault detecting AES chip and yet using clock set-up time violations to extract 13 out of 16 bytes of the secret key, SMART SYSTEMS INTEGRATION to be published, 2011

20 / 22
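
Why a comparator between two identical AES rounds reacts so differently to the two fault sources, as an added Python model that is not from the original deck or the cited papers. The per-bit required periods, the output byte 0xA5, the bit-flip fault model and the ± mismatch between the two copies are assumptions made for illustration.

```python
import random

# Assumed minimum clock period (ps) at which each output bit of copy A still
# meets the timing constraint. Constructed values, not measurements.
REQ_A = [8300, 9140, 8600, 7900, 8850, 8400, 8100, 8500]
CORRECT = 0xA5                        # constructed fault-free output byte

def faulted_bits(req, period):
    """Mask of output bits that miss setup when the cycle lasts `period` ps."""
    return sum(1 << bit for bit, r in enumerate(req) if period <= r)

def comparator(out_a, out_b):
    """Duplication check: (alarm, released output); nothing leaves on alarm."""
    return (True, None) if out_a != out_b else (False, out_a)

def local_fault(mask_a, mask_b=0):
    """Spot disturbance (laser-like): each copy gets its own error mask."""
    return comparator(CORRECT ^ mask_a, CORRECT ^ mask_b)

def clock_glitch(period, req_b=REQ_A):
    """Shortened cycle: the clock is shared, so both copies are hit at once.
    Simplification: a bit that misses setup is modelled as flipped."""
    return comparator(CORRECT ^ faulted_bits(REQ_A, period),
                      CORRECT ^ faulted_bits(req_b, period))

def undetected_fraction(mismatch_ps, trials=2000, seed=1):
    """Share of faulty glitched cycles that pass the comparator when copy B's
    paths deviate from copy A's by up to ±mismatch_ps (uniform, assumed)."""
    rng = random.Random(seed)
    faulty = missed = 0
    for _ in range(trials):
        req_b = [r + rng.randint(-mismatch_ps, mismatch_ps) for r in REQ_A]
        alarm, out = clock_glitch(rng.randint(7900, 9200), req_b)
        if alarm or out != CORRECT:
            faulty += 1
            missed += not alarm
    return missed / faulty

if __name__ == "__main__":
    print("spot fault, copy A:", local_fault(0x02))
    print("glitch, 9125 ps   :", clock_glitch(9125))
    for mm in (0, 20, 100):
        print(f"mismatch ±{mm} ps: undetected {undetected_fraction(mm):.2f}")
```

With identical copies every glitch-induced fault is the same in both outputs and the alarm never fires; the fraction computed here is the model's own figure, not the probability the slide left blank.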

Conclusion

■  Overview of fault attacks on cryptosystems
▪  Strong requirements regarding the injected faults
▪  Laser as a fault injection means
▪  Fault injection through timing constraint violation

■  Overview of countermeasures against fault attacks

■  Security evaluation of hardware duplication: broken by clock alteration

■  General conclusion:
▪  Take care of properties of fault injection means
▪  CM design is still research work

21 / 22

Fault injection means

•  Experimental results on an AES cryptosystem (cont'd)

critical time distribution (10,000 tries)

22 / 22