Publications

Featured research published by Jörn-Marc Schmidt.


workshop on fault diagnosis and tolerance in cryptography | 2008

A Practical Fault Attack on Square and Multiply

Jörn-Marc Schmidt; Christoph Herbst

To provide security for a device, cryptographic algorithms are implemented on it. Even a device that uses a cryptographically secure algorithm may be vulnerable to implementation attacks such as side-channel analysis or fault attacks. Most fault attacks on RSA concentrate on the vulnerability of the Chinese Remainder Theorem (CRT) speed-up to fault injection. A few attacks on RSA implementations that do not use this speed-up have been published. Nevertheless, these attacks either require a quite precise fault injection, such as a single bit flip, or target a specific operation without any possibility of checking whether the fault was injected as intended, as in safe-error attacks. In this paper we propose a new attack on square-and-multiply based on a manipulation of the control flow. Furthermore, we show how to realize this attack in practice using non-invasive spike attacks and discuss the impact of different side-channel countermeasures on our attack. The attack was performed using low-cost equipment.
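
The control-flow manipulation in the abstract above can be modelled in software: if the spike makes the device skip the conditional multiplication of one square-and-multiply iteration, the resulting faulty signature reveals the exponent bit of that iteration. The following Python is an added example written for this page, not code from the paper; the toy RSA parameters, the assumption that the fault skips exactly the multiplication of a known iteration, and all function names are constructed for the demonstration.

```python
# Added example (not the paper's code): a software model of an instruction-skip
# fault on left-to-right square-and-multiply and the bit-recovery step that
# follows.  The RSA parameters are toy values constructed for the demo.

P = 2**31 - 1            # Mersenne prime (toy size; real keys are >= 2048 bits)
Q = 2**61 - 1            # Mersenne prime
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python >= 3.8)


def square_and_multiply(base, exp, mod, skip_multiply_at=None):
    """Left-to-right square-and-multiply: R = R^2, then R = R*base if the bit is 1.

    skip_multiply_at models the injected fault (assumption): the conditional
    multiplication belonging to exponent bit i (weight 2**i) is skipped, as if
    the spike made the device jump over that instruction.  Nothing else changes.
    """
    r = 1
    for i in range(exp.bit_length() - 1, -1, -1):
        r = (r * r) % mod
        if (exp >> i) & 1 and i != skip_multiply_at:
            r = (r * base) % mod
    return r


def device_sign(m, skip_multiply_at=None):
    """The victim device: computes m^D mod N; the attacker only sees the output."""
    return square_and_multiply(m, D, N, skip_multiply_at)


def recover_bit(n, m, s, s_faulty, i):
    """Derive exponent bit i from a correct signature s and a signature s_faulty
    produced while the multiplication of iteration i was skipped.

    bit i = 0: the skipped multiply never executes anyway, so s_faulty == s.
    bit i = 1: the exponent is effectively d - 2**i, so s_faulty * m^(2**i) == s.
    Anything else means the fault did not land as a clean multiply skip.
    """
    if s_faulty == s:
        return 0
    if (s_faulty * pow(m, 1 << i, n)) % n == s:
        return 1
    return None


def recover_private_exponent(n, m, sign, bit_length):
    """Attacker loop: one faulty signature per exponent bit position.

    sign(m, i) stands for "sign m while spiking iteration i"; which iteration
    is hit is taken to be known from the timing of the spike (assumption).
    Positions above the true top bit of d read as 0, because no multiplication
    exists there to skip and the signature comes back unchanged.
    """
    s = sign(m, None)
    d = 0
    for i in range(bit_length):
        bit = recover_bit(n, m, s, sign(m, i), i)
        if bit is None:
            raise RuntimeError(f"fault at iteration {i} did not land cleanly")
        d |= bit << i
    return d


if __name__ == "__main__":
    m = 0x1234567890ABCDEF                      # constructed message
    d_rec = recover_private_exponent(N, m, device_sign, N.bit_length())
    print("recovered exponent matches D:", d_rec == D)
```

Run stand-alone, the script recovers the whole private exponent from one correct signature and one faulty signature per bit position. The practical caveat is asymmetric: a reading of 1 is confirmed by the m^(2^i) check, so the attacker knows the spike landed, whereas a reading of 0 is indistinguishable from a spike that missed, so those positions are the ones to repeat. Countermeasures such as exponent or message blinding change what a single comparison against s reveals, which is why the abstract treats their impact on the attack separately.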


cryptographic hardware and embedded systems | 2008

RFID and Its Vulnerability to Faults

Michael Hutter; Jörn-Marc Schmidt; Thomas Plos

Radio Frequency Identification (RFID) is a rapidly emerging technology that has become increasingly important in security-related applications as well. In this article, we discuss the impact of faults on such devices. We have analyzed conventional passive RFID tags from different vendors operating in the High Frequency (HF) and Ultra-High Frequency (UHF) bands. First, we consider faults that are induced globally and affect the entire RFID chip: we induced faults by temporarily tearing the antenna, by electromagnetic interference, and by optical induction. Second, we consider faults caused locally using a focused laser beam. Our experiments show that RFID tags are exceedingly vulnerable to faults during the writing of data into their internal memory. We show that it is possible to prevent the writing of this data as well as to cause faulty values to be written. In both cases, the tags confirm the operation as successful. We conclude that fault analysis poses a serious threat in this context and has to be considered if cryptographic primitives are embedded into low-cost RFID tags.


workshop on fault diagnosis and tolerance in cryptography | 2009

A Fault Attack on ECDSA

Jörn-Marc Schmidt

An advantage of schemes based on elliptic curve cryptography (ECC) is that they require a smaller key size than other public-key schemes to guarantee the same level of security. Thus, ECC algorithms are well suited for systems with constrained resources such as smart cards or mobile devices. When evaluating those devices, not only the security from a theoretical point of view but also implementation attacks, such as fault attacks, have to be taken into account. In this paper, we present a new fault attack on the elliptic curve digital signature algorithm (ECDSA). We use a modification of the program flow to retrieve parts of the ephemeral key. The retrieved information allows performing a lattice attack to determine the secret signing key. Furthermore, we propose a countermeasure to prevent such an attack.


international conference on progress in cryptology | 2012

Infective computation and dummy rounds: fault protection for block ciphers without check-before-output

Benedikt Gierlichs; Jörn-Marc Schmidt; Michael Tunstall

Implementation attacks pose a serious threat for the security of cryptographic devices and there are a multitude of countermeasures that are used to prevent them. Two countermeasures used in implementations of block ciphers to increase the complexity of such attacks are the use of dummy rounds and redundant computation with consistency checks to prevent fault attacks. In this paper we present several countermeasures based on the idea of infective computation. Our countermeasures ensure that a fault injected into a cipher, dummy, or redundant round will infect the ciphertext such that an attacker cannot derive any information on the secret key being used. This has one clear advantage: the propagation of faults prevents an attacker from being able to conduct any fault analysis on any corrupted ciphertexts. As a consequence, there is no need for any test at the end of an implementation to determine if a fault has been injected and a ciphertext can always be returned.


smart card research and advanced application conference | 2013

The Temperature Side Channel and Heating Fault Attacks

Michael Hutter; Jörn-Marc Schmidt

In this paper, we present practical results on data leakage of CMOS devices via the temperature side channel, a side channel that has been widely cited in the literature but not well characterized yet. We investigate the leakage of processed data by passively measuring the heat dissipated by the devices. The temperature leakage is linearly correlated with the power leakage model but is limited by the physical properties of thermal conductivity and capacitance. We further present heating faults induced by operating the devices beyond their specified temperature ratings. The efficiency of this kind of attack is shown by a practical attack on an RSA implementation. Finally, we introduce data remanence attacks on AVR microcontrollers that exploit the Negative Bias Temperature Instability (NBTI) property of internal SRAM cells. We show how to recover parts of the internal memory and present first results on an ATmega162. The work encourages awareness of temperature-based attacks, which have been known for years but are not well described in the literature. It also serves as a starting point for further research.


workshop on fault diagnosis and tolerance in cryptography | 2009

Optical Fault Attacks on AES: A Threat in Violet

Jörn-Marc Schmidt; Michael Hutter; Thomas Plos

Microprocessors are at the heart of the devices we rely on every day. However, their non-volatile memory, which often contains sensitive information, can be manipulated by ultraviolet (UV) irradiation. This paper gives practical results demonstrating that non-volatile memory can be erased with UV light, by investigating the effects of UV-C light with a wavelength of 254 nm on four different depackaged microcontrollers. We demonstrate that an adversary can use this effect to attack an AES software implementation by manipulating the 256-entry S-box table. We show that if only a single byte of the table is changed, 2,500 pairs of correct and faulty ciphertexts are sufficient to recover the key with a probability of 90%, provided the key schedule is not modified by the attack. Furthermore, we underline this by presenting a practical attack on an AES implementation running on an 8-bit microcontroller. Our attack involves only a standard decapsulation procedure and the use of a low-cost UV lamp.


international conference on progress in cryptology | 2010

Combined implementation attack resistant exponentiation

Jörn-Marc Schmidt; Michael Tunstall; Roberto Maria Avanzi; Ilya Kizhvatov; Timo Kasper; David Oswald

Different types of implementation attacks, like those based on side channel leakage and active fault injection, are often considered as separate threats. Countermeasures are, therefore, often developed and implemented accordingly. However, Amiel et al. showed that an adversary can successfully combine two attack methods to overcome such countermeasures. In this paper, we consider instances of these combined attacks applied to RSA and elliptic curve-based cryptosystems. We show how previously proposed countermeasures may fail to thwart these attacks, and propose a countermeasure that protects the variables in a generic exponentiation algorithm in the same scenario.


Journal of Cryptographic Engineering | 2014

Towards Fresh Re-Keying with Leakage-Resilient PRFs: Cipher Design Principles and Analysis

Sonia Belaïd; Fabrizio De Santis; Johann Heyszl; Stefan Mangard; Marcel Medwed; Jörn-Marc Schmidt; François-Xavier Standaert; Stefan Tillich

Leakage-resilient cryptography aims at developing new algorithms for which physical security against side-channel attacks can be formally analyzed. Following the work of Dziembowski and Pietrzak at FOCS 2008, several symmetric cryptographic primitives have been investigated in this setting. Most of them can be instantiated with a block cipher as underlying component. Such an approach naturally raises the question whether certain block ciphers are better suited for this purpose. In order to answer this question, we consider a leakage-resilient re-keying function, and evaluate its security at different abstraction levels. That is, we study possible attacks exploiting specific features of the algorithmic description, hardware architecture and physical implementation of this construction. These evaluations lead to two main outcomes. First, we complement previous works on leakage-resilient cryptography and further specify the conditions under which they actually provide physical security. Second, we take advantage of our analysis to extract new design principles for block ciphers to be used in leakage-resilient primitives. While our investigations focus on side-channel attacks in the first place, we hope these new design principles will trigger the interest of symmetric cryptographers to design new block ciphers combining good properties for secure implementations and security against black box (mathematical) cryptanalysis.


workshop on fault diagnosis and tolerance in cryptography | 2010

A Continuous Fault Countermeasure for AES Providing a Constant Error Detection Rate

Jörn-Marc Schmidt

Many implementations of cryptographic algorithms have been shown to be susceptible to fault attacks. To detect manipulations, countermeasures have been proposed. In the case of AES, most countermeasures deal with the non-linear and the linear part separately, which either leaves vulnerable points at the interconnections or causes different error detection rates across the algorithm. In this paper, we present a way to achieve a constant error detection rate throughout the whole algorithm. The use of extended AN+B codes together with redundant table lookups allows constructing a countermeasure that provides complete protection against adversaries who are able to inject faults of byte size or less. The same holds for adversaries who skip an instruction. Other adversaries are detected with a probability of more than 99%.


workshop on fault diagnosis and tolerance in cryptography | 2008

A Generic Fault Countermeasure Providing Data and Program Flow Integrity

Jörn-Marc Schmidt
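
The AN+B-code idea behind the AES countermeasure abstract above ("A Continuous Fault Countermeasure for AES Providing a Constant Error Detection Rate") can be illustrated on plain data bytes: a value x is stored as A*x + B, every operation re-checks that the word is still a code word, and the choice of A decides which faults can never pass. The Python below is an added example for this page, not the paper's extended code or its AES table-lookup construction; the parameters A and B, the three-byte word and the function names are chosen here for the demonstration.

```python
# Added example (not the paper's construction): a plain AN+B code on 8-bit
# values, with an exhaustive check that every fault confined to a single byte
# of the code word is detected.  All parameters are chosen for this demo.
import random

A = 0x10001        # odd and larger than 255; see undetected_single_byte_faults()
B = 0x5A           # non-zero offset: the all-zero and all-one words are not code words
WORD_BYTES = 3     # A*255 + B < 2**24, so a code word fits in three bytes


class FaultDetected(Exception):
    """Raised when a word fails the code check (the countermeasure's alarm)."""


def encode(x):
    """Map a data byte x (0..255) to its AN+B code word A*x + B."""
    if not 0 <= x <= 255:
        raise ValueError("x must be a byte")
    return A * x + B


def is_valid(c):
    """Code check: c is a code word iff c - B is a multiple of A and the
    quotient is a byte.  Every operation on encoded data re-runs this check."""
    q, r = divmod(c - B, A)
    return r == 0 and 0 <= q <= 255


def decode(c):
    """Strip the code; raise instead of ever returning data from a faulty word."""
    if not is_valid(c):
        raise FaultDetected(f"word {c:#08x} is not a code word")
    return (c - B) // A


def inject_byte_fault(c, byte_index, mask):
    """Model a fault that flips the bits in `mask` of byte `byte_index` of c."""
    return c ^ (mask << (8 * byte_index))


def undetected_single_byte_faults():
    """Count (data, byte, mask) combinations whose fault passes the check.

    A byte fault changes the word by d * 2**(8*byte_index) with 0 < |d| <= 255.
    It escapes detection only if A divides that difference; with A odd and
    A > 255 that is impossible, so the expected count is 0.
    """
    undetected = 0
    for x in range(256):
        c = encode(x)
        for byte_index in range(WORD_BYTES):
            for mask in range(1, 256):
                if is_valid(inject_byte_fault(c, byte_index, mask)):
                    undetected += 1
    return undetected


def undetected_random_word_faults(trials=20000, seed=1):
    """Faults spanning the whole word are not all caught: only 256 of the 2**24
    possible words are code words, so a random corruption passes with
    probability about 256 / 2**24, i.e. roughly 1/A.  Returns the sampled rate."""
    rng = random.Random(seed)
    undetected = 0
    for _ in range(trials):
        c = encode(rng.randrange(256))
        mask = rng.randrange(1, 1 << (8 * WORD_BYTES))   # constructed fault
        if is_valid(c ^ mask):
            undetected += 1
    return undetected / trials


if __name__ == "__main__":
    print("single-byte faults undetected:", undetected_single_byte_faults())
    print("random word faults undetected (rate):", undetected_random_word_faults())
    print("zeroed word accepted:", is_valid(0))
```

The exhaustive loop is the check a practitioner should actually run before trusting a parameter choice: the "byte size or less" guarantee rests on A being odd and larger than 255, not on A being large in general. Two limits are worth keeping in mind. AN+B codes commute with integer addition (encode(x) + encode(y) - B equals encode(x + y)) but not with XOR, which is one reason the linear and non-linear parts of AES are usually handled separately, as the abstract notes. And the check itself is an instruction an adversary can try to skip, which is why the paper pairs the code with redundant table lookups rather than relying on a single test before output.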

Collaboration

Top co-authors of Jörn-Marc Schmidt:

Michael Hutter (Graz University of Technology)
Thomas Plos (Graz University of Technology)
Mario Kirschbaum (Graz University of Technology)
Stefan Tillich (Graz University of Technology)
Alexander Szekely (Graz University of Technology)
Christoph Herbst (Graz University of Technology)
Martin Feldhofer (Graz University of Technology)
Benedikt Gierlichs (Katholieke Universiteit Leuven)
Raphael Spreitzer (Graz University of Technology)