fault sensitivity analysis
play

Fault Sensitivity Analysis Yang Li, Kazuo Sakiyama, Shigeto - PowerPoint PPT Presentation

Jul 04, 2023 •1.79k likes •2.17k views

Fault Sensitivity Analysis Yang Li, Kazuo Sakiyama, Shigeto Gomisawa, Kazuo Ohta The University of Electro-Communications liyang@ice.uec.ac.jp Toshinori Fukunaga, Junko Takahashi NTT Information Sharing Platform Laboratories 19 Aug 2010 CHES

  1. Fault Sensitivity Analysis Yang Li, Kazuo Sakiyama, Shigeto Gomisawa, Kazuo Ohta The University of Electro-Communications liyang@ice.uec.ac.jp Toshinori Fukunaga, Junko Takahashi NTT Information Sharing Platform Laboratories 19 Aug 2010 CHES 2010 @ Santa Barbara 1

  2. Outline  Differential Fault Analysis and its countermeasure  Power-based Side-Channel Attacks  DPA, CPA  A New Fault-based Attack  Fault Sensitivity Analysis (FSA)  Some Case Studies on SASEBO-R  FSA attack on PPRM1-AES  FSA attack on WDDL-AES  FSA attack on Satoh’s AES (recent result)  Conclusion 19 Aug 2010 CHES 2010 @ Santa Barbara 2

  3. Differential Fault Analysis (DFA)  Basic idea  Make a differential path by fault injection  Get correct outputs and faulty outputs  Verify the differential path for each key candidate  General DFA attack requirements  Specific transient fault  Pairs of correct output and faulty output for the same input  General DFA countermeasures  Inherent resistance, prevent specific transient fault  e.g. WDDL [1]  Redundant calculation for error detection  e.g. Satoh’s AES [2] 19 Aug 2010 CHES 2010 @ Santa Barbara 3

  4. Outline  Differential Fault Analysis and its countermeasure  Power-based Side-Channel Attacks  DPA, CPA  A New Fault-based Attack  Fault Sensitivity Analysis (FSA)  Some Case Studies on SASEBO-R  FSA attack on PPRM1-AES  FSA attack on WDDL-AES  FSA attack on Satoh’s AES (recent result)  Conclusion 19 Aug 2010 CHES 2010 @ Santa Barbara 4

  5. Power-based Side-Channel Attacks  Basic idea  Power consumption depends on sensitive-data that is calculable with public variables and key guess  General attack procedures  Have a key guess  Calculate sensitive-data  Check the calculated data with recorded power consumption  Correct key guess matches the power consumption best!  Well-kown attacks  Correlation Power Analysis (CPA)  Differential Power Analysis (DPA) 19 Aug 2010 CHES 2010 @ Santa Barbara 5

  6. Outline  Differential Fault Analysis and its countermeasure  Power-based Side-Channel Attacks  DPA, CPA  A New Fault-based Attack  Fault Sensitivity Analysis (FSA)  Some Case Studies on SASEBO-R  FSA attack on PPRM1-AES  FSA attack on WDDL-AES  FSA attack on Satoh’s AES (recent result)  Conclusion 19 Aug 2010 CHES 2010 @ Santa Barbara 6

  7. General Introduction to FSA  Fault Sensitivity Analysis (FSA)  Fault-based  A new side channel leakage  Sensitive-data dependency for fault sensitivity  Similar Attack procedures to power-based attacks  Bypass some DFA countermeasures  What is Fault Sensitivity?  Sensitivity to the fault injection  E.g. Minimal clock frequency with correct output  Has data dependency  Can be used for key retrieval 19 Aug 2010 CHES 2010 @ Santa Barbara 7

  8. Review Fault Injection (The idea of FSA) Good Environment Input Output C Device (Key) C Threshold Change ( Side-channel Leakage) Fault Intensity Fault C’ Bad Environment Input Faulty Output C’ Device (Key) Works for different types of fault injection: overclock, low-power, laser 19 Aug 2010 CHES 2010 @ Santa Barbara 8

  9. Fault Sensitivity under an over-clock n n D in D out F/F Logic CLK Sensitive Data clk D in Critical Delay Timing illegal_clk1 illegal_clk2 Threshold as Fault Sensitivity 19 Aug 2010 CHES 2010 @ Santa Barbara 9

  10. Signal delays for AND gate  AND Gate (T X : delay time for signal X)  Assume T A < T B  When signal A=0, T C = T A + T AND (small)  When signal A=1, T C = T B + T AND (large)  T AND : Delay timing of AND gate B T A T B A Data Dependency !! T AND 0 input, small delay. C = A • B 19 Aug 2010 CHES 2010 @ Santa Barbara 10

  11. Signal delays for XOR gate  XOR Gate (T X : delay time for signal X)  Assume T A < T B  When signal A=0, T C = T B + T XOR  When signal A=1, T C = T B + T XOR  T XOR : Delay timing of XOR gate B T A T B A T XOR No Data Dependency !! C = A B 19 Aug 2010 CHES 2010 @ Santa Barbara 11

  12. How about an FSA Attack? FSA For Power-based attacks: Sensitive Data Attackers Key Fault Power Consumption Sensitivity 19 Aug 2010 CHES 2010 @ Santa Barbara 12

  13. FSA Attack Procedures  Collect pairs of public variables and fault sensitivity  Retrieval the key by the data analysis  Have a key guess  Calculate sensitive-data  Check the calculated data with recorded fault sensitivity  Directly apply the techniques in power analysis 19 Aug 2010 CHES 2010 @ Santa Barbara 13

  14. Case studies of FSA attacks FSA attack against PPRM1-AES FSA attack against WDDL-AES FSA attack against Satoh’s AES (recent work) 19 Aug 2010 CHES 2010 @ Santa Barbara 14

  15. CASE 1: FSA attacks against PPRM1-AES  PPRM1-AES: a low power AES implementation with “PPRM1 - Sbox” [4]  PPRM1 S-box PPRM1 S-box AND gate: 0 input, small delay. AND array … … AND array: XOR array More 0 inputs, smaller delay! 19 Aug 2010 CHES 2010 @ Santa Barbara 15

  16. As a result, for PPRM1 S-box More 0 inputs , Smaller delay!! Smaller hamming weight Less sensitive to overclock Fault sensitivity Typical Side Channel Leakage Exploitable by CPA-like analysis Input hamming weight 19 Aug 2010 CHES 2010 @ Santa Barbara 16

  17. Attack results against last round of PPRM1-AES Correlation Key guess All of the 16 key bytes can be identified clearly. 19 Aug 2010 CHES 2010 @ Santa Barbara 17

  18. How much fault sensitivity data is needed? Less than 50 plaintexts (FS data) to obtain a 128-bit key. 19 Aug 2010 CHES 2010 @ Santa Barbara 18

  19. How many times of fault injection?  Which point is the fault sensitivity? Success rate of fault injection 1 0 Fre. of Clock  In our experiment C’ C Fre. of Clock Worst case: 120 times 19 Aug 2010 CHES 2010 @ Santa Barbara 19

  20. CASE 2: FSA attacks against WDDL-AES  Naturally immune to DFA attacks based on the setup-time violation. [2]  Dual-Rail Precharge Logic  Complementary wires: (ture,false)  “transient” fault will erase the secret information at the output.  WDDL is not perfectly immune to FSA attacks based on setup-time violation. 19 Aug 2010 CHES 2010 @ Santa Barbara 20

  21. WDDL’s Vulnerability against FSA (1/2)  First of all, no clear correlation between input data and fault sensitivity.  All types of gates are mixed up  However, we observed a data dependence at the output.  Imbalance of complementary wires leads to imbalance of critical path delays. 19 Aug 2010 CHES 2010 @ Santa Barbara 21

  22. WDDL’s Vulnerability against FSA (2/2)  Assume  Precharge value = 0  Delay_ture > Delay_false  then (1,0)  (0,0) happens easier than (0,1)  (0,0).  1 is more sensitive than 0 true false Vulnerability! WDDL Logic Exploitable by DPA-like analysis Difficult to make perfect matching wires. 19 Aug 2010 CHES 2010 @ Santa Barbara 22

  23. Attack result against WDDL-AES with 1200 plaintexts Correlation 3 of 16 key bytes can be identified. Key guess 19 Aug 2010 CHES 2010 @ Santa Barbara 23

  24. CASE 3: FSA attacks against Satoh’s AES  Satoh’s AES (CHES2008)  High performance AES with Error-detection Scheme  Successful FSA attack  Self-Template FSA  To be continued in the rump section. 19 Aug 2010 CHES 2010 @ Santa Barbara 24

  25. Outline  Differential Fault Analysis and its countermeasure  Power-based Side-Channel Attacks  DPA, CPA  A New Fault-based Attack  Fault Sensitivity Analysis (FSA)  Some Case Studies on SASEBO-R  FSA attack on PPRM1-AES  FSA attack on WDDL-AES  FSA attack on Satoh’s AES (recent result)  Conclusion 19 Aug 2010 CHES 2010 @ Santa Barbara 25

  26. Conclusion  A new side channel leakage: fault sensitivity  FSA has a potential to bypass some fault attack countermeasures.  Future work:  FSA countermeasures (mask technique?)  Stronger FSA attacks  Try other types of FSA under other fault injection methods 19 Aug 2010 CHES 2010 @ Santa Barbara 26

  27. References  [1]G. Piret and J.-J. Quisquater. A Differential Fault Attack Technique against SPN Structures, with Application to the AES and KHAZAD. CHES 2003  [2] S. Guilley T. Graba N. Selmane, S. Bhasin and J.-L. Danger. WDDL is Protected Against Setup Time Violation Attacks. FDTC 2009  [3] Akashi Satoh, Takeshi Sugawara, Naofumi Homma, Takafumi Aoki: High-Performance Concurrent Error Detection Scheme for AES Hardware. CHES 2008  [4] S. Morioka and A. Satoh. An Optimized S-Box Circuit Architecture for Low Power AES Design. CHES2002 19 Aug 2010 CHES 2010 @ Santa Barbara 27

  28. Thank you for your attentions! Questions? 19 Aug 2010 CHES 2010 @ Santa Barbara 28

Recommend

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK 2018, Kolkata, India 15 Nov 2018 Table of Contents 1. Introduction to Fault Attacks 2. Persistent Fault Analysis (PFA) 3. PFA on Fault

588 views • 19 slides
Bootstrapping Sensitivity analysis Qingyuan Zhao Statistical Laboratory, University of Cambridge

Bootstrapping Sensitivity analysis Qingyuan Zhao Statistical Laboratory, University of Cambridge

Bootstrapping Sensitivity analysis Qingyuan Zhao Statistical Laboratory, University of Cambridge August 3, 2020 @ JSM Sensitivity analysis The broader concept [Saltelli et al., 2004] Sensitivity analysis is the study of how the

477 views • 19 slides
Optimizing Fault Injection in FMI Co-Simulation through Sensitivity Partitioning Mehrdad Moradi,

Optimizing Fault Injection in FMI Co-Simulation through Sensitivity Partitioning Mehrdad Moradi,

Optimizing Fault Injection in FMI Co-Simulation through Sensitivity Partitioning Mehrdad Moradi, Cludio Gomes, Bentley James Oakes and Joachim Denil Summersim 2019 July 22, 2019 Berlin, Germany Outline Introduction Context and

404 views • 28 slides
Assessing Fault Sensitivity in MPI Applications Charng-Da Lu Daniel A. Reed Center for

Assessing Fault Sensitivity in MPI Applications Charng-Da Lu Daniel A. Reed Center for

Assessing Fault Sensitivity in MPI Applications Charng-Da Lu Daniel A. Reed Center for Computational Microsoft Research Research SUNY at Buffalo Outline Introduction background and motivations reliability challenges of large PC

336 views • 33 slides
Decision Aid Methodologies In Transportation Lecture 3: Duality and sensitivity analysis Duality

Decision Aid Methodologies In Transportation Lecture 3: Duality and sensitivity analysis Duality

Decision Aid Methodologies In Transportation Lecture 3: Duality and sensitivity analysis Duality Sensitivity Analysis Shadi SHARIF AZADEH Transport and Mobility Laboratory TRANSP-OR cole Polytechnique Fdrale de Lausanne EPFL Motivation

394 views • 26 slides
Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010

Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010

Differential Fault Analysis of HC-128 Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010 May 03-06, 2010, Stellenbosch, South Africa Differential Fault Analysis of HC-128 Outline Fault analysis

374 views • 24 slides
Sensitivity Analysis and Farkas Lemma Marco Chiarandini Department of Mathematics &amp; Computer

Sensitivity Analysis and Farkas Lemma Marco Chiarandini Department of Mathematics &amp; Computer

DM545 Linear and Integer Programming Lecture 6 Sensitivity Analysis and Farkas Lemma Marco Chiarandini Department of Mathematics &amp; Computer Science University of Southern Denmark Geometric Interpretation Sensitivity Analysis Outline

456 views • 28 slides
Sensitivity analysis for the outages of nuclear power plants Kengy Barty , Fr eric Bonnans

Sensitivity analysis for the outages of nuclear power plants Kengy Barty , Fr eric Bonnans

Introduction Study of the reference problem Sensitivity analysis Sensitivity analysis for the outages of nuclear power plants Kengy Barty , Fr eric Bonnans , and Laurent Pfeiffer ed INRIA Saclay and CMAP, Ecole

831 views • 32 slides
Data-driven sensitivity analysis for Matching estimators Giovanni Cerulli 1 1 IRCrES-CNR, Research

Data-driven sensitivity analysis for Matching estimators Giovanni Cerulli 1 1 IRCrES-CNR, Research

Sensitivity analysis for Matching Data-driven sensitivity analysis for Matching estimators Giovanni Cerulli 1 1 IRCrES-CNR, Research Institute on Sustainable Economic Growth London Stata Conference 2018 Cass Business School September 6-7 1 /

665 views • 25 slides
Can Fault Tree Analysis Technique Resolve Fault Isolation Ambiguity? Alpana Gangopadhyaya

Can Fault Tree Analysis Technique Resolve Fault Isolation Ambiguity? Alpana Gangopadhyaya

Reliability Maintenance and Managing Risk Conference 2019 Can Fault Tree Analysis Technique Resolve Fault Isolation Ambiguity? Alpana Gangopadhyaya Supportability Systems Engineer Northrop Grumman Alpana.Gangopadhyaya@ngc.com Phone Number

466 views • 18 slides
RTNS: Scheduling Analysis under Fault Bursts Florian Many, Frdric Boniol, David Doose 5

RTNS: Scheduling Analysis under Fault Bursts Florian Many, Frdric Boniol, David Doose 5

Introduction Fault Model Strategies Scheduling Analysis Performance Conclusions RTNS: Scheduling Analysis under Fault Bursts Florian Many, Frdric Boniol, David Doose 5 November 2010 RTNS: Scheduling Analysis under Fault Bursts 1 / 25

259 views • 21 slides
Global Sensitivity Analysis in Stochastic Systems Olivier Le Matre, Omar Knio LIMSI CNRS,

Global Sensitivity Analysis in Stochastic Systems Olivier Le Matre, Omar Knio LIMSI CNRS,

Variance-Based Sensitivity Analysis for SODEs Stochastic Simulators Conclusions Global Sensitivity Analysis in Stochastic Systems Olivier Le Matre, Omar Knio LIMSI CNRS, Orsay, France KAUST, Saudi-Arabia Duke University, Durham, North

981 views • 49 slides
Uncertainty, Stochastics &amp; Sensitivity Analysis Nathaniel Osgood Agent-Based Modeling

Uncertainty, Stochastics &amp; Sensitivity Analysis Nathaniel Osgood Agent-Based Modeling

Uncertainty, Stochastics &amp; Sensitivity Analysis Nathaniel Osgood Agent-Based Modeling Bootcamp for Health Researchers August 23, 2011 Types of Sensitivity Analyses Variables involved Type of variation One-way Single

375 views • 16 slides
Gaussian process regression for Sensitivity analysis GPSS Workshop on UQ, Sheffield, September

Gaussian process regression for Sensitivity analysis GPSS Workshop on UQ, Sheffield, September

Introduction FANOVA Pol. Chaos GPR Sensitivity Analysis Conclusion Gaussian process regression for Sensitivity analysis GPSS Workshop on UQ, Sheffield, September 2016 Nicolas Durrande, Mines St-tienne, durrande@emse.fr GPSS workshop on

830 views • 43 slides
Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier,

Fault Attacks Made Easy: Differential Fault Analysis Automation on Assembly Code Jakub Breier, Xiaolu Hou and Yang Liu 10 September 2018 1 / 25 Table of Contents Background and Motivation 1 Overview of DATAC DFA Automation Tool for

727 views • 25 slides
Estimating the Accuracy of Dynamic Change-impact Analysis using Sensitivity Analysis Haipeng Cai

Estimating the Accuracy of Dynamic Change-impact Analysis using Sensitivity Analysis Haipeng Cai

Estimating the Accuracy of Dynamic Change-impact Analysis using Sensitivity Analysis Haipeng Cai Raul Santelices Tianyu Xu* University of Notre Dame, USA * Fudan University, China Supported by ONR Award N000141410037 SERE 2014

483 views • 29 slides
San Andreas The Influence of Temperature, Sliding Velocity, and Rock Fault Analysis Composition

San Andreas The Influence of Temperature, Sliding Velocity, and Rock Fault Analysis Composition

San Andreas The Influence of Temperature, Sliding Velocity, and Rock Fault Analysis Composition at Depth On Fault Mechanics Background San Andreas Fault Observatory at Depth (SAFOD) Sample recovery of cores containing the two

410 views • 8 slides
Generalised Co-variation for Sensitivity Analysis in Bayesian Networks Silja Renooij

Generalised Co-variation for Sensitivity Analysis in Bayesian Networks Silja Renooij

Generalised Co-variation for Sensitivity Analysis in Bayesian Networks Silja Renooij Presentation for PGM 2012 Contents Sensitivity analysis in general in Bayesian networks Co-variation what, why and how? Examples

377 views • 18 slides
Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault

Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault

Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault tolerant programming are: Fault Detection - Knowing that a fault exists Fault Recovery - having atomic instructions that can be rolled back in

361 views • 18 slides
Securing RSA against Fault Analysis by Double Addition Chain Exponentiation Matthieu Rivain

Securing RSA against Fault Analysis by Double Addition Chain Exponentiation Matthieu Rivain

Securing RSA against Fault Analysis by Double Addition Chain Exponentiation Matthieu Rivain Oberthur Technologies &amp; Univ. of Luxembourg 04/24/09 | Session ID: CRYP-403 Session Classification: Agenda RSA and Fault Analysis A New

421 views • 27 slides
Sensitivity Analysis for Fuzzy- Sensitivity Analysis for Fuzzy- Logic-Based Life-Cycle Analysis

Sensitivity Analysis for Fuzzy- Sensitivity Analysis for Fuzzy- Logic-Based Life-Cycle Analysis

Sensitivity Analysis for Fuzzy- Sensitivity Analysis for Fuzzy- Logic-Based Life-Cycle Analysis Logic-Based Life-Cycle Analysis Approach Approach Chen Chen Chen and Gerardo W. Flintsch Chen and Gerardo W. Flintsch Roadway Infrastructure

722 views • 54 slides
Sensitivity Analysis in Real-Time Systems Enrico Bini Scuola Superiore Sant'Anna Why

Sensitivity Analysis in Real-Time Systems Enrico Bini Scuola Superiore Sant'Anna Why

ReTiS Lab Real Time Systems Laboratory Sensitivity Analysis in Real-Time Systems Enrico Bini Scuola Superiore Sant'Anna Why Sensitivity Analysis The scenario in Real-Time System design: stringent constraints from the hardware (energy

228 views • 6 slides
Model Validation, Sensitivity Analysis and Policy Analysis Jayendran Venkateswaran Model

Model Validation, Sensitivity Analysis and Policy Analysis Jayendran Venkateswaran Model

Model Validation, Sensitivity Analysis and Policy Analysis Jayendran Venkateswaran Model Validation Did we build the right model? Corresponds largely with testing if the model can replicate past behavior/ historical patterns

440 views • 13 slides
TreeAge Software Guide Sensitivity Analysis Antie-Eater Open the file Antie-Eater-0.trex OR

TreeAge Software Guide Sensitivity Analysis Antie-Eater Open the file Antie-Eater-0.trex OR

TreeAge Software Guide Sensitivity Analysis Antie-Eater Open the file Antie-Eater-0.trex OR build the following tree from scratch. To make the probability a variable, to be able to do sensitivity analysis on a variable: Double click on a

269 views • 10 slides

More recommend