Fault Analysis of the ARIA and uBlock Block Ciphers

Author(s):  
Qinglin Wang ◽  
Jiqiang Lu
Keyword(s):  
10.29007/fmzl ◽  
2018 ◽  
Author(s):  
Sayandeep Saha ◽  
Ujjawal Kumar ◽  
Debdeep Mukhopadhyay ◽  
Pallab Dasgupta

Characterization of all possible faults in a cryptosystem exploitable for fault attacks is a problem which is of both theoretical and practical interest for the cryptographic community. The complete knowledge of the exploitable fault space is desirable while designing optimal countermeasures for any given crypto-implementation. In this paper, we address the exploitable fault characterization problem in the context of Differential Fault Analysis (DFA) attacks on block ciphers. The formidable size of the fault spaces demands an automated albeit fast mechanism for verifying each individual fault instance, and neither the traditional, cipher-specific, manual DFA techniques nor the generic and automated Algebraic Fault Attacks (AFA) [10] fulfill these criteria. Further, the diversified structures of different block ciphers suggest that such an automation should be equally applicable to any block cipher. This work presents an automated framework for DFA identification, fulfilling all aforementioned criteria, which, instead of performing the attack, just estimates the attack complexity for each individual fault instance. A generic and extendable data-mining assisted dynamic analysis framework capable of capturing a large class of DFA distinguishers is devised, along with a graph-based complexity analysis scheme. The framework significantly outperforms another recently proposed one [6], in terms of attack class coverage and automation effort. Experimental evaluation on AES and PRESENT establishes the effectiveness of the proposed framework in detecting most of the known DFAs, which eventually enables the characterization of the exploitable fault space.


Author(s):  
Xiaolu Hou ◽  
Jakub Breier ◽  
Fuyuan Zhang ◽  
Yang Liu

Differential Fault Analysis (DFA) is considered the most popular fault analysis method. While there are techniques that provide fault analysis automation on the cipher level to some degree, it can be shown that when it comes to software implementations, there are new vulnerabilities which cannot be found by observing the cipher design specification. This work bridges the gap by providing a fully automated way to carry out DFA on assembly implementations of symmetric block ciphers. We use a customized data flow graph to represent the program and develop a novel fault analysis methodology to capture the program behavior under faults. We establish an effective description of DFA as constraints that are passed to an SMT solver. We create a tool that takes assembly code as input, analyzes the dependencies among instructions, automatically attacks vulnerable instructions using the SMT solver, and outputs the attack details that recover the last round key (and possibly the earlier keys). We support our design with evaluations on the lightweight ciphers SIMON, SPECK, and PRIDE, and a current NIST standard, AES. By automated assembly analysis, we were able to find new efficient DFA attacks on SPECK and PRIDE, exploiting implementation-specific vulnerabilities, as well as previously published DFAs on SIMON and AES. Moreover, we present a novel DFA on the multiplication operation that has never been shown for symmetric block ciphers before. Our experimental evaluation also shows reasonable execution times that scale to current cipher designs and can easily outclass manual analysis. Moreover, we present a method to check countermeasure-protected implementations in a way that helps implementers decide how many rounds should be protected. We note that this is the first work that automatically carries out DFA on cipher implementations without any plaintext or ciphertext information and therefore can be generally applied to any input data to the cipher.


2020 ◽  
Vol 15 ◽  
pp. 1905-1919 ◽  
Author(s):  
Sayandeep Saha ◽  
Dirmanto Jap ◽  
Debapriya Basu Roy ◽  
Avik Chakraborty ◽  
Shivam Bhasin ◽  
...  

Electronics ◽  
2019 ◽  
Vol 8 (1) ◽  
pp. 93 ◽  
Author(s):  
Jinbao Zhang ◽  
Ning Wu ◽  
Fang Zhou ◽  
Muhammad Yahya ◽  
Jianhua Li

As a family of lightweight block ciphers, SIMON has attracted lots of research attention since its publication in 2013. Recent works show that SIMON is vulnerable to differential fault analysis (DFA), and existing DFAs on SIMON assume that the induced faults are located on the cipher states. In this paper, a novel DFA on SIMON is proposed where the key schedule is selected as the location of induced faults. Firstly, we assume a random one-bit fault is induced in the fourth round key from the last, K_{T-4}. Then, by utilizing the key schedule propagation properties of SIMON, we determine the exact position of the induced fault and demonstrate that the proposed DFA can retrieve 4 bits of the last round key K_{T-1} on average using a one-bit fault. Till now this is the largest number of bits that can be cracked as compared to DFAs based on the random bit fault model. Furthermore, by reusing the induced fault, we prove that 2 bits of the penultimate round key K_{T-2} can be retrieved. To the best of our knowledge, the proposed attack is the first one which extracts a key from SIMON based upon DFA on the key schedule. Finally, the correctness and validity of our proposed attack are verified through detailed simulation and analysis.


Author(s):  
Guorui Xu ◽  
Fan Zhang ◽  
Bolin Yang ◽  
Xinjie Zhao ◽  
Wei He ◽  
...  
Keyword(s):  

Author(s):  
Sayandeep Saha ◽  
Debdeep Mukhopadhyay ◽  
Pallab Dasgupta

Malicious exploitation of faults for extracting secrets is one of the most practical and potent threats to modern cryptographic primitives. Interestingly, not every possible fault for a cryptosystem is maliciously exploitable, and evaluation of the exploitability of a fault is nontrivial. In order to devise precise defense mechanisms against such rogue faults, comprehensive knowledge is required about the exploitable part of the fault space of a cryptosystem. Unfortunately, the fault space is diversified and of formidable size even when a single cryptoprimitive is considered, and traditional manual fault analysis techniques may often fall short of practically covering such a fault space within reasonable time. An automation for analyzing individual fault instances for their exploitability is thus inevitable. Such an automation is supposed to work as the core engine for analyzing the fault spaces of cryptographic primitives. In this paper, we propose an automation for evaluating the exploitability status of fault instances from block ciphers, mainly in the context of Differential Fault Analysis (DFA) attacks. The proposed framework is generic and scalable, which are perhaps the two most important features for covering diversified fault spaces of formidable size originating from different ciphers. As a proof-of-concept, we reconstruct some known attack examples on AES and PRESENT using the framework and finally analyze a recently proposed cipher, GIFT [BPP+17], for the first time. It is found that the secret key of GIFT can be uniquely determined with 1 nibble fault instance injected at the beginning of the 25th round with a reasonable computational complexity of 2^14.

