Jacques J. A. Fournier

A side-channel and fault-attack resistant AES circuit working on duplicated complemented values

Cryptographic circuits can be subjected to several kinds of side-channel and fault attacks in order to extract the secret key. Side-channel attacks can be carried by measuring either the power consumed or the EM waves emitted by the cryptographic module and trying to find a correlation between the given side-channel and the data manipulated [1]. Concerning fault attacks, in the case of differential fault attacks (DFA) [2], a cryptographic calculation is corrupted in such a way as to retrieve information about the secret key. Faults can be induced by different means such as lasers, voltage glitches, electromagnetic perturbations or clock skews. Several counter-measures, like in [3], have been separately proposed to tackle either kind of attack. In this paper, we describe the implementation of an AES chip where duplicated and complemented data paths provide resistance against both side-channel and fault attacks.

Adjusting Laser Injections for Fully Controlled Faults

Hardware characterizations of integrated circuits have been evolving rapidly with the advent of more precise, sophisticated and cost-efficient tools. In this paper we describe how the fine tuning of a laser source has been used to characterize, set and reset the state of registers in a 90 nm chip. By adjusting the incident laser beam’s location, it is possible to choose to switch any register value from ‘\(0\)’ to ‘\(1\)’ or vice-versa by targeting the PMOS side or the NMOS side. Plus, we show how to clear a register by selecting a laser beam’s power. With the help of imaging techniques, we are able to explain the underlying phenomenon and provide a direct link between the laser mapping and the physical gate structure. Thus, we correlate the localization of laser fault injections with implementations of the PMOS and NMOS areas in the silicon substrate. This illustrates to what extent laser beams can be used to monitor the bits stored within registers, with adverse consequences in terms of security evaluation of integrated circuits.

A DFA on AES Based on the Entropy of Error Distributions

Differential fault analysis (DFA) techniques have been widely studied during the past decade. To our best knowledge, most DFA techniques on the Advanced Encryption Standard (AES) either impose strong constraints on the fault injection process or require numerous faults in order to recover the secret key. This article presents a simple methodology based on information theory which allows to adapt the number of required faults for the analysis to the fault injection process. With this technique, the constraints on the fault model to recover the last round key are considerably lowered. Additionally, entropy is proposed as a tool to apprehend the most complex fault models in DFA. A practical realization and simulations are presented to illustrate our methodology.

Practical measurements of data path delays for IP authentication & integrity verification

This paper describes the results of the practical measurements done to determine the path delay associated with each bit of a hardware AES FPGA implementation using a clock glitch injection tool. We illustrate how the measured path delays can constitute a characteristic fingerprint of an Intellectuel Property (IP) and can be used to detect the insertion of hardware trojans. The influence of synthesis options and inter die variations on the measurements is also studied. Compared to trojan detection schemes based on path delay characterisations already proposed in the literature, our approach does not require any additional test circuit to be inserted in the IP. Moreover our results are based on practical measurements.

Design and characterisation of an AES chip embedding countermeasures

In critical communication infrastructures, hardware accelerators are often used to speed up cryptographic calculations. Their resistance to physical attacks determines how secure the overall infrastructure is. In this paper, we describe the implementation and characterisation of an AES accelerator embedding security features against physical attacks. This AES chip is implemented in HCMOS9gp 130 nm STM technology. The countermeasure is based on duplication and works on complemented values in parallel. The chip was tested against side channel attacks showing the efficiency of the proposed countermeasure against such attacks. Fault injection tests based on the use of local laser shoots showed that the fault detection mechanism did indeed react as expected. However, using clock set-up time violations, 80% of the secret key were retrieved in less than 40 hours, thus illustrating the limits of the duplication countermeasure against a global fault attack which was published after the chip was designed.

Increasing the efficiency of laser fault injections using fast gate level reverse engineering

Laser fault injections have been evolving rapidly with the advent of more precise, sophisticated and cost-efficient sources, optics and control circuits. In this paper, we show a methodology to improve the test coverage and to speed up analysis based on laser fault injections by only targeting standard cells of interest. We describe how to identify interesting spatial positions thanks to the use of some chemicals along with an automated Scanning Electron Microscope image acquisition, alignment and processing. Using the latter information, fault injections with a high success rate have been obtained against a hardware implemented AES module using a laser beam. With such tools and methodology, we show that attacks become much faster.

Review of fault injection mechanisms and consequences on countermeasures design

The secret keys handled by cryptographic devices can be extracted using fault attacks associated with cryptanalysis techniques. These faults can be induced by different means such as laser exposure, voltage or clock glitches, electromagnetic perturbation, etc. This paper provides a detailed insight into the physics and mechanisms involved in several fault injection processes. The paper also highlights the difficulty to design countermeasures while even hardware duplication, usually considered as secure, has proved to show flaws against low cost fault injection means.

ElectroMagnetic analysis (EMA) of software AES on Java mobile phones

Smartphones, whose market share has increased by 54% between 2009 and 2010, is one of the favored platform for “Convergence Computing”. Convergence Computing is a technology in which a single device can provide various services without any restrictions from external devices or networks. Today, smartphones as convergent single device have diverse functions and features such as calling, Internet surfing, game playing, banking, storage of personal and professional data, etc. Some of these use encryption algorithms such as AES (Advanced Encryption Standard). For example, this algorithm is used to authenticate server protocols or to encrypt confidential information. This paper shows that an Electromagnetic Analysis (EMA) on AES is possible on a Java mobile phone to extract secret keys. The latter can then be used for forensic purposes or to recover encrypted data stored in the device. Experiments involving two successful approaches are described and compared: Spectral Density based Approach (SDA) and Template based Resynchronisation Approach (TRA).

A survey of fault attacks in pairing based cryptography

The latest implementations of pairings allow efficient schemes for Pairing Based Cryptography. These make the use of pairings suitable for small and constrained devices (smart phones, smart cards…) in addition to more powerful platforms. As for any cryptographic algorithm which may be deployed in insecure locations, these implementations must be secure against physical attacks, and in particular fault attacks. In this paper, we present the state-of-the-art of fault attacks against pairing algorithms, more precisely fault attacks against the Miller algorithm and the final exponentiation which are the two parts of a pairing calculation.

Combining Image Processing and Laser Fault Injections for Characterizing a Hardware AES

Nowadays, the security level of secure integrated circuits makes simple attacks less efficient. The combination of invasive approaches and fault attacks can be seen as more and more pertinent to retrieve secrets from integrated circuits. This paper includes a practical methodology and its application. We first describe how to retrieve the physical areas of interest for the attack. Then, we perform a deep fault injection characterization of the area of found. For the former, a methodology based on circuit preparation, scanning electron microscope acquisitions, image registration and processing is given allowing to perform a controlled and localized laser fault attack with a state-of-the-art injection platform. The laser fault injection presented here allows the attacker to perform a “bit-set,” a “bit-reset” or a full register “reset”. Controlling the value stored in a flip-flop is critical for security. To illustrate this methodology, an encryption algorithm is targeted. We see that efficient methods that take advantage of the comparison between faulty and correct cipher texts, such as differential fault analysis or “safe error”, are particularly relevant with the proposed methodology. The overall methodology can efficiently be used to speed up an attack and to improve the test coverage.