Alberto Battistello

Fault Analysis of Infective AES Computations

Fault attacks are a common threat for embedded secure implementations. Among the various kinds of countermeasures proposed so far, the principle of infective computation seems to be one of the most efficient ways to counteract this threat. However, each and every original infective countermeasure suggested for asymmetric cryptosystems has been broken. Nowadays only two propositions for symmetric ciphers are still believed to be secure. Our paper presents the first attacks on both infective symmetric implementations, thus proving that these propositions rely on incomplete security analyses. By breaking the two last surviving infective methods, this paper shows once again that it is very difficult to design a secure infective countermeasure.

Horizontal Side-Channel Attacks and Countermeasures on the ISW Masking Scheme

A common countermeasure against side-channel attacks consists in using the masking scheme originally introduced by Ishai, Sahai and Wagner (ISW) at Crypto 2003, and further generalized by Rivain and Prouff at CHES 2010. The countermeasure is provably secure in the probing model, and it was showed by Duc, Dziembowski and Faust at Eurocrypt 2014 that the proof can be extended to the more realistic noisy leakage model. However the extension only applies if the leakage noise \(\sigma \) increases at least linearly with the masking order \(n\), which is not necessarily possible in practice.

A Note on the Security of CHES 2014 Symmetric Infective Countermeasure

Over the years, fault injection has become one of the most dangerous threats for embedded devices such as smartcards. It is thus mandatory for any embedded system to implement efficient protections against this hazard. Among the various countermeasures suggested so far, the idea of infective computation seems fascinating, probably due to its aggressive strategy. Originally conceived to protect asymmetric cryptosystems, infective computation has been recently adapted to symmetric systems. This paper investigates the security of a new symmetric infective countermeasure suggested at CHES 2014. By noticing that the number of executed rounds is not protected, we develop four different attacks that exploit the infection algorithm to disturb the round counter and related variables. Our attacks allow one to efficiently recover the secret key of the underlying cryptosystem by using any of the three most popular fault models used in literature.

Common Points on Elliptic Curves: The Achilles’ Heel of Fault Attack Countermeasures

Elliptic curve cryptosystems offer many advantages over RSA-like cryptography, such as speed and memory saving. Nonetheless the advent of side-channel and fault-injection attacks mined the security of such implementations. Several countermeasures have been devised to thwart these threats, so that simple attacks on state-of-the-art secured implementations seem unlikely. We took up the challenge and show that a simple fault attack using a very relaxed fault model can defeat well known countermeasures. After introducing the notion of common points, we exhibit a new fault-injection attack that breaks state-of-the-art secured implementations. Our new attack is particularly dangerous since no control on the injected error is required and only one fault is sufficient to retrieve the secret.

Lost in Translation: Fault Analysis of Infective Security Proofs

At FDTC 2014, two new infective countermeasures were suggested to efficiently protect the CRT-RSA against FA. The security of these countermeasures has been translated from the security of their detective counterparts, the latter being proved secure thanks to a formal analysis tool. In this article, we reveal a flaw in the proof of security of the translation. Furthermore, we exhibit several attacks on both infective countermeasures with respect to the very same fault model originally considered. We thus prove that such a methodology does not provide secure results and must not be used to design effective countermeasures.

Combined Attack on CRT-RSA Why Public Verification Must Not Be Public?

This article introduces a new Combined Attack on a CRT-RSA implementation resistant against Side-Channel Analysis and Fault Injection attacks. Such implementations prevent the attacker from obtaining the signature when a fault has been induced during the computation. Indeed, such a value would allow the attacker to recover the RSA private key by computing the

Analysis of a Code-Based Countermeasure Against Side-Channel and Fault Attacks

gcd

Fault Cryptanalysis of CHES 2014 Symmetric Infective Countermeasure

of the public modulus and the faulty signature. The principle of our attack is to inject a fault during the signature computation and to perform a Side-Channel Analysis targeting a sensitive value processed during the Fault Injection countermeasure execution. The resulting information is then used to factorize the public modulus, leading to the disclosure of the whole RSA private key. After presenting a detailed account of our attack, we explain how its complexity can be significantly reduced by using lattice reduction techniques. We also provide simulations that confirm the efficiency of our attack as well as two different countermeasures having a very small impact on the performance of the algorithm. As it performs a Side-Channel Analysis during a Fault Injection countermeasure to retrieve the secret value, this article recalls the need for Fault Injection and Side-Channel Analysis countermeasures as monolithic implementations.

INTEGRITY VERIFICATION OF CRYPTOGRAPHIC KEY PAIRS

The design of robust countermeasures against Side-Channel Analysis or Fault Attacks is always a challenging task. At WISTP’14, a single countermeasure designed to thwart in the same effort both kinds of attacks was presented. This countermeasure is based on coding theory and consists in a specific encoding of the manipulated data acting in the same time as a random masking and an error detector. In this paper, we prove that this countermeasure does not meet the ambitious objectives claimed by its authors. Indeed, we exhibit a bias in the distribution of the masked values that can be exploited to retrieve the sensitive data from the observed side-channel leakage. Going further, we show that this bias is inherent to the nature of the encoding and that randomizing the code itself can be useful to reduce the bias but cannot completely fix the scheme.