
2018 | Book

Fault Tolerant Architectures for Cryptography and Hardware Security

Edited by: Sikhar Patranabis, Debdeep Mukhopadhyay

Publisher: Springer Singapore

Book series: Computer Architecture and Design Methodologies


About this book

This book uses motivating examples and real-life attack scenarios to introduce readers to the general concept of fault attacks in cryptography. It offers insights into how the fault tolerance theories developed in the book can actually be implemented, with a particular focus on a wide spectrum of fault models and practical fault injection techniques, ranging from simple, low-cost techniques to high-end equipment-based methods. It then individually examines fault attack vulnerabilities in symmetric, asymmetric and authenticated encryption systems. This is followed by extensive coverage of countermeasure techniques and fault tolerant architectures that attempt to thwart such vulnerabilities. Lastly, it presents a case study of a comprehensive FPGA-based fault tolerant architecture for AES-128, which brings together a number of the fault tolerance techniques presented. It concludes with a discussion on how fault tolerance can be combined with side channel security to achieve protection against implementation-based attacks. The text is supported by illustrative diagrams, algorithms, tables and figures presenting real-world experimental results.

Table of contents

Frontmatter

Fault Attacks: A Preamble

Frontmatter
Chapter 1. Introduction to Fault Attacks
Abstract
The advent of cloud computing and IoT has heralded an era of unprecedented levels of embedded technology and device connectivity across the globe. However, this raises concerns related to security and privacy. While one way to alleviate such concerns is to resort to the use of cryptographic modules for secure computation, cryptographic implementations themselves can be subjected to implementation attacks such as side-channel and fault injection analysis. In this chapter, we provide the readers with some introductory material on fault attacks, which should be helpful in understanding the subsequent chapters and technical discussions in the book.
Sikhar Patranabis, Debdeep Mukhopadhyay
Chapter 2. Classical Fault Attacks on Public and Symmetric-Key Cryptosystems
Abstract
This chapter presents to the readers some classical fault attacks on both public-key as well as symmetric-key cryptosystems. We begin with the celebrated fault analysis of the decryption algorithm in RSA. This is followed by an ensemble of fault analysis techniques targeting the Advanced Encryption Standard (AES). We end with a more recent fault attack targeting Grain-128, an eSTREAM finalist and popularly used stream cipher. Nearly all the fault attacks described in this chapter can be achieved with low-cost fault injection techniques such as clock/voltage glitches.
Sikhar Patranabis, Abhishek Chakraborty, Debdeep Mukhopadhyay

Side-Channel Inspired and Assisted Fault Analysis Techniques

Frontmatter
Chapter 3. Side-Channel Inspired Fault Analysis Techniques
Abstract
In the previous chapter, we have presented to the reader differential fault attack (DFA) techniques where the adversary analyzes the propagation of an induced fault across the rounds of a block cipher/stream cipher to recover the key. The key recovery process in such attacks usually involves solving a system of equations, tracing the fault propagation characteristics. There exists, in literature, another class of fault attacks that differ from the aforementioned attack strategy in principle. These attacks do not exploit the differential between the fault-free and faulty ciphertexts; rather, they focus on the nature of the fault distribution observed under a variety of fault injection parameters. In many ways, the attack principles are more similar to side-channel analysis in the sense that the observed fault nature serves as a key-dependent leakage, which can then be used to distinguish the correct key guess from the wrong key guesses via a distinguisher. In this chapter, we discuss two such techniques, usually targeting block ciphers - fault sensitivity analysis (FSA) and differential fault intensity analysis (DFIA).
Sikhar Patranabis, Debdeep Mukhopadhyay
Chapter 4. Side-Channel Assisted Fault Analysis
Abstract
In the preceding chapters, we have examined fault attacks as a form of active side-channel analysis, wherein the adversary injects a fault and traces its propagation characteristics to recover the key. Certain classes of fault attacks, such as FSA and DFIA, have attack principles similar to those of side-channel attacks. In this chapter, we introduce to the reader a novel form of fault attack referred to as side-channel assisted fault attack. Such attacks demonstrate the combined power of side-channel and fault attacks working in tandem to recover the secret key from a given block cipher implementation. The attack is demonstrated on the current worldwide standard for lightweight block ciphers, PRESENT, which uses a substitution-permutation network (SPN) spread across 31 rounds and affords 80/128-bit security for a plaintext block of size 64.
Sikhar Patranabis, Jakub Breier, Debdeep Mukhopadhyay, Shivam Bhasin

Advanced Fault Analysis Techniques and Fault Analysis Automation

Frontmatter
Chapter 5. Laser-Based Fault Injection on Microcontrollers
Abstract
Laser fault injection constitutes a powerful tool for the precise injection of faults into a device, allowing an adversary to carefully adjust timing and position on the chip. On the other hand, the cost of such equipment is high and the profiling time is non-negligible. In this chapter, we provide a theoretical background on laser fault injection, followed by a practical evaluation of this technique on an 8-bit microcontroller. We first profile the device to examine what fault models are possible, and then we provide a case study on the ChaCha family of stream ciphers.
Jakub Breier, Dirmanto Jap, Chien-Ning Chen
Chapter 6. Advanced Fault Attacks in Software: Exploiting the Rowhammer Bug
Abstract
In this chapter, we present to the readers a recently reported fault attack technique in the cryptographic literature: attacks exploiting the Rowhammer bug on actual modern-day processors. Rowhammer attacks have exposed a serious vulnerability in modern DRAM chips that allows bit flips to be induced in data stored in memory. We present here a methodology that combines timing analysis with hammering performed in a controlled manner to create bit flips in cryptographic keys stored in memory. The attack requires only user-level privilege for Linux kernel versions before 4.0 and does not need to know the memory location of the key. An intelligent combination of a timing Prime+Probe attack and row-buffer collision is shown to induce bit-flip faults in a 1024-bit RSA key on modern processors using a realistic number of hammering attempts. This demonstrates the feasibility of fault analysis of ciphers using purely software means on commercial x86 architectures. The attack is also relevant for the newest Linux kernel in a cross-VM environment where VMs having root privilege are not denied access to the pagemap.
Sarani Bhattacharya, Debdeep Mukhopadhyay
Chapter 7. Automation of Fault Analysis
Abstract
In the previous chapters, the reader has been acquainted with a number of different fault attack methodologies, including differential fault analysis (DFA), fault sensitivity analysis (FSA) and differential fault intensity analysis (DFIA). It is now amply clear that fault analysis attacks typically follow a common strategy of identifying an efficient key distinguisher, resulting from the diffusion of faults, followed by systematic elimination of wrong key candidates. This approach has been adapted for analyzing different ciphers to date, with certain cipher-specific optimizations requiring significant manual effort. An alternative approach, called Algebraic Fault Analysis (AFA), which combines so-called algebraic cryptanalysis with standard differential fault analysis, has recently been gaining popularity. As a generic automated framework for fault analysis, AFA is found to have a lot of potential. We dedicate this chapter to the study of AFA in detail, mainly in the context of lightweight block ciphers, for which it has been widely studied.
Sayandeep Saha, Debdeep Mukhopadhyay

Countermeasures Against Fault Analysis Techniques

Frontmatter
Chapter 8. Classical Countermeasures Against Differential Fault Analysis
Abstract
In the preceding discussion, we have presented to the readers a variety of fault attacks on a wide range of cryptographic algorithms across hardware and software-based implementations. It is therefore established, by now, that fault attacks are a serious threat to the security of hardware implementations, and consequently, sound countermeasures must be designed to tackle such threats. In this section, we present a classical approach popularly employed to resist such attacks, namely detection. Since most of the fault attacks described so far exploit transient faults during algorithm execution rather than permanent faults in the target device, the countermeasure strategy is to detect any such occurrence of faults during every execution of the cryptographic algorithm.
Sikhar Patranabis, Debdeep Mukhopadhyay
Chapter 9. Fault Space Transformation: Countering Biased Fault Attacks
Abstract
In the previous chapter, we have introduced to the readers several examples of countermeasures against differential fault analysis. These countermeasures are all redundancy-based, and use a concurrent error detection mechanism to infer the presence of a fault. It is important to note here that these classical redundancy-based countermeasures are designed under the assumption that all faults in a given fault space occur with equal probability. In real-life implementations, such fault attacks, wherein an adversary can inject faults uniformly at random, are rare. Rather, practical fault injection attacks are often found to exhibit a characteristic bias in the fault distribution, which may be related to the device/design specifications. In this chapter, we demonstrate to the readers how fault bias acts as a threat to the security of classical countermeasures.
Sikhar Patranabis, Abhishek Chakraborty, Debdeep Mukhopadhyay, P. P. Chakrabarti
Chapter 10. Infective Countermeasures Against Fault Analysis
Abstract
The previous discussion has illustrated to the reader the vulnerabilities of classical redundancy-based countermeasure techniques, and potential workarounds to avoid the same via fault space transformation. In this chapter, we introduce a different flavor of countermeasures against fault analysis: infective countermeasures. Infective countermeasures are superior to detection-based countermeasures in the sense that they avoid the use of explicit comparison steps that are themselves vulnerable to fault attacks. Infective countermeasures can be broadly classified into two categories: deterministic and randomized. Since all deterministic infective countermeasures have been demonstrated to be insecure in principle (Lomné et al., Fault Diagnosis and Tolerance in Cryptography – FDTC 2012, 2012, [114]), we focus on state-of-the-art randomized infective countermeasures in this chapter. We present to the reader an infective countermeasure for AES-128 proposed by Gierlichs et al. (Progress in Cryptology – LATINCRYPT 2012, 2012, [70]), which was the first randomized infective countermeasure to be proposed in the literature. Unfortunately, this countermeasure is found to have certain vulnerabilities against fault attacks (Battistello and Giraud, Fault Diagnosis and Tolerance in Cryptography – FDTC 2013, 2013, [22]), which we subsequently present to the reader. Finally, we present to the reader a second infective countermeasure for AES-128 proposed by Tupsamudre et al. (Cryptographic Hardware and Embedded Systems – CHES 2014, 2014, [173]) that successfully overcomes these vulnerabilities, and is currently the most secure infective countermeasure in the literature.
Sikhar Patranabis, Debdeep Mukhopadhyay
Chapter 11. Reactive Design Strategies Against Fault Injection Attacks
Abstract
In this chapter, we present to the readers two fault injection sensors against powerful fault injection techniques like laser and electromagnetic glitch. The first sensor is built upon a watchdog ring oscillator monitor with a standard Phase Locked Loop (PLL) block. Owing to the scarcity of PLLs in resource-deficient devices, an all-digital alternative is proposed. The sensors are designed to be more reactive to fault injection methods than the sensitive target, in order to raise an alarm with a solid security margin. Both countermeasures are low-cost and can be used to protect any arbitrary target circuit. Practical validation against a near-infrared laser on a Xilinx Virtex-5 FPGA is provided.
Jakub Breier, Wei He, Shivam Bhasin
Backmatter
Metadata
Title
Fault Tolerant Architectures for Cryptography and Hardware Security
Edited by
Sikhar Patranabis
Debdeep Mukhopadhyay
Copyright year
2018
Publisher
Springer Singapore
Electronic ISBN
978-981-10-1387-4
Print ISBN
978-981-10-1386-7
DOI
https://doi.org/10.1007/978-981-10-1387-4
