## **Recent works on Fault and Cache Attacks**

### Debdeep Mukhopadhyay Dept of CSE, IIT Kharagpur

4/6/2010

## **Topics**

#### Multiple Byte Fault Attacks on AES

#### Differential Cache Trace Attacks on CLEFIA

## Multi-byte Fault Attacks on AES




### Fault Model Used

- Multi Byte Faults (more practical)
  - Attacker induces fault at the input of the 8<sup>th</sup> round in some bytes
  - Fault value should be non-zero but can be arbitrary
- Improves the fault coverage.

### Diagonal of AES State Matrix

Definition 1. Diagonal: A diagonal is a set of four bytes of the state matrix, where the  $i^{th}$  diagonal is defined as follows:

$$D_i = \{ b_{j,(j+i) \bmod 4} \quad ; \quad 0 \le j < 4 \} \tag{1}$$

According to the above definition and with reference to the state matrix of AES (refer figure 2) we obtain the following four diagonals.

$$D_0 = (b_{00}, b_{11}, b_{22}, b_{33})$$

$$D_1 = (b_{01}, b_{12}, b_{23}, b_{30})$$

$$D_2 = (b_{02}, b_{13}, b_{20}, b_{31})$$

$$D_3 = (b_{03}, b_{10}, b_{21}, b_{32})$$

### Fault Models



- M0: One Diagonal affected.
- M1: Two Diagonals affected.
- M2: Three Diagonals affected.
- M3: Four Diagonals affected.

NTT Labs, Japan

## Fault Injection Set Up



#### Tools Used:

- AES Core Implemented on Xilinx Spartan 3E.
- Agilent Waveform Generator (80 MHz)
- Xilinx Chipscope Pro Embedded Logic Analyzer.


### Equivalence of Faults according to M0



Faults induced in diagonal D<sub>0</sub> at the input of the 8<sup>th</sup> round of AES are all equivalent.


## Inter-relationships depending on the Diagonals affected



## Equations if Diagonal D<sub>0</sub> is affected

$$\mathbf{CT} = \begin{pmatrix} x_1 & x_2 & x_3 & x_4 \\ x_5 & x_6 & x_7 & x_8 \\ x_9 & x_{10} & x_{11} & x_{12} \\ x_{13} & x_{14} & x_{15} & x_{16} \end{pmatrix} \quad \mathbf{CT}' = \begin{pmatrix} x_1' & x_2' & x_3' & x_4' \\ x_5' & x_6' & x_7' & x_8' \\ x_9' & x_{10}' & x_{11}' & x_{12}' \\ x_{13}' & x_{14}' & x_{15}' & x_{16}' \end{pmatrix} \quad \mathbf{K_{10}} = \begin{pmatrix} k_1 & k_2 & k_3 & k_4 \\ k_5 & k_6 & k_7 & k_8 \\ k_9 & k_{10} & k_{11} & k_{12} \\ k_{13} & k_{14} & k_{15} & k_{16} \end{pmatrix}$$

$$ISB(x_1 + k_1) + ISB(x'_1 + k_1) = 2[ISB(x_8 + k_8) + ISB(x'_8 + k_8)]$$

$$ISB(x_8 + k_8) + ISB(x'_8 + k_8) = ISB(x_{11} + k_{11}) + ISB(x'_{11} + k_{11})$$

$$ISB(x_{14} + k_{14}) + ISB(x'_{14} + k_{14}) = 3[ISB(x_8 + k_8) + ISB(x'_8 + k_8)]$$

- There are in total 4 such systems of equations for the diagonal D<sub>0</sub>.
- Each system of equations gives 2<sup>8</sup> keys on average.
- The AES key space is reduced to 2<sup>32</sup>.
- If the attacker does not know which diagonal is affected, the key space is 4 × 2<sup>32</sup> = 2<sup>34</sup>.

## Fault Injected across 2 Diagonals (Fault Model M<sub>1</sub>)





## Equations if Diagonals $D_0$ and $D_1$ are affected

$$a_{0} = ISB(x_{1} + k_{1}) + ISB(x'_{1} + k_{1})$$
  

$$a_{1} = ISB(x_{8} + k_{8}) + ISB(x'_{8} + k_{8})$$
  

$$a_{2} = ISB(x_{11} + k_{11}) + ISB(x'_{11} + k_{11})$$
  

$$a_{3} = ISB(x_{14} + k_{14}) + ISB(x'_{14} + k_{14})$$

- The equation reduces the space of the 4 key bytes of AES to 2<sup>16</sup>
- Two faulty ciphertexts reduce it to a unique value on an average (experimental result).


## Fault Injected across 3 Diagonals (Fault Model M<sub>2</sub>)

Figure: fault propagation through the 8<sup>th</sup> round (round input, after Byte Sub, after Shift Row, after Mix Column) and the 9<sup>th</sup> round. The 9<sup>th</sup> round state is listed below; "–" marks a byte that carries no fault.

| Row | After Byte Sub | After Shift Row | After Mix Column |
|-----|----------------|-----------------|------------------|
| 0 | F1, F5, F9, – | F1, F5, F9, – | 2F1 + 3F6 + F11, 2F5 + 3F10 + F4, 2F9 + F3 + F8, 3F2 + F7 + F12 |
| 1 | F2, F6, F10, – | F6, F10, –, F2 | F1 + 2F6 + 3F11, F5 + 2F10 + F4, F9 + 3F3 + F8, 2F2 + 3F7 + F12 |
| 2 | F3, F7, F11, – | F11, –, F3, F7 | F1 + F6 + 2F11, F5 + F10 + 3F4, F9 + 2F3 + 3F8, F2 + 2F7 + 3F12 |
| 3 | F4, F8, F12, – | –, F4, F8, F12 | 3F1 + F6 + F11, 3F5 + F10 + 2F4, 3F9 + F3 + 2F8, F2 + F7 + 2F12 |

Annotation on the first Mix Column column: invariant for any fault injected within diagonals D<sub>0</sub>, D<sub>1</sub> and D<sub>2</sub>.

$$a_{0} = 2F_{1} + 3F_{6} + F_{11}$$

$$a_{1} = F_{1} + 2F_{6} + 3F_{11}$$

$$a_{2} = F_{1} + F_{6} + 2F_{11}$$

$$a_{3} = 3F_{1} + F_{6} + F_{11}$$

$$11a_{0} + 13a_{1} = 9a_{2} + 14a_{3}$$
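The relations above can be checked mechanically in GF(2<sup>8</sup>). The following is an added example, not code from the talk: it applies the AES Mix Column matrix to a column of fault differences, verifies the M0 relations (a<sub>0</sub> = 2a<sub>1</sub>, a<sub>1</sub> = a<sub>2</sub>, a<sub>3</sub> = 3a<sub>1</sub>) and the M2 invariant, and counts the admissible (a<sub>0</sub>, …, a<sub>3</sub>) tuples, which come out as 2<sup>8</sup> and 2<sup>16</sup> for one and two faulty bytes per column. The function names and the sample fault bytes are assumptions made for the illustration.

```python
# Added example: checks the slide relations over GF(2^8) with the AES polynomial.
import itertools

def gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]  # AES MixColumns matrix

def mix_column(col):
    """MixColumns on one column of fault differences; returns [a0, a1, a2, a3]."""
    out = []
    for row in MIX:
        acc = 0
        for coeff, byte in zip(row, col):
            acc ^= gmul(coeff, byte)
        out.append(acc)
    return out

def m0_relations_hold(a):
    """a0 = 2*a1, a1 = a2, a3 = 3*a1 (one faulty byte at the top of the column, M0)."""
    return a[0] == gmul(2, a[1]) and a[1] == a[2] and a[3] == gmul(3, a[1])

def m2_invariant_holds(a):
    """11*a0 + 13*a1 = 9*a2 + 14*a3 (column (F1, F6, F11, 0), model M2)."""
    return (gmul(11, a[0]) ^ gmul(13, a[1])) == (gmul(9, a[2]) ^ gmul(14, a[3]))

def reachable(n_faulty):
    """Distinct (a0..a3) tuples when the first n_faulty bytes of the column are faulty."""
    pad = [0] * (4 - n_faulty)
    return len({tuple(mix_column(list(f) + pad))
                for f in itertools.product(range(256), repeat=n_faulty)})

if __name__ == "__main__":
    print(all(m0_relations_hold(mix_column([f, 0, 0, 0])) for f in range(256)))
    print(m2_invariant_holds(mix_column([0x3C, 0xA7, 0x51, 0])))  # constructed fault bytes
    print(reachable(1), reachable(2))  # 256 65536
```

The coefficients 11, 13, 9 and 14 are one row of the inverse Mix Column matrix, so the M2 invariant states that the fourth input byte of the column carried no fault.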


### Equations if $D_0$ , $D_1$ and $D_2$ are affected

$$a_{0} = ISB(x_{1} + k_{1}) + ISB(x'_{1} + k_{1})$$
  

$$a_{1} = ISB(x_{8} + k_{8}) + ISB(x'_{8} + k_{8})$$
  

$$a_{2} = ISB(x_{11} + k_{11}) + ISB(x'_{11} + k_{11})$$
  

$$a_{3} = ISB(x_{14} + k_{14}) + ISB(x'_{14} + k_{14})$$

- The equation reduces the space of the 4 key bytes of AES to 2<sup>24</sup>
- Four faulty ciphertexts reduce it to a unique value on an average (experimental result).


## **Experimental Results**

| Clock Frequency (MHz) | No Fault | Model 0 (M0) | Model 1 (M1) | Model 2 (M2) | Model 3 (M3) |
|-----------------------|----------|--------------|--------------|--------------|--------------|
| 36.0 | 512 | 0 | 0 | 0 | 0 |
| 36.1 | 512 | 0 | 0 | 0 | 0 |
| 36.2 | 512 | 0 | 0 | 0 | 0 |
| 36.3 | 510 | 2 | 0 | 0 | 0 |
| 36.4 | 511 | 1 | 0 | 0 | 0 |
| 36.5 | 508 | 4 | 0 | 0 | 0 |
| 36.6 | 504 | 8 | 0 | 0 | 0 |
| 36.7 | 507 | 5 | 0 | 0 | 0 |
| 36.8 | 490 | 22 | 0 | 0 | 0 |
| 36.9 | 489 | 23 | 0 | 0 | 0 |
| 37.0 | 419 | 79 | 14 | 0 | 0 |
| 37.1 | 448 | 60 | 4 | 0 | 0 |
| 37.2 | 434 | 64 | 13 | 1 | 0 |
| 37.3 | 408 | 94 | ? | 0 | 0 |
| 37.4 | 408 | 99 | 5 | 0 | 0 |
| 37.5 | 248 | 226 | 38 | 0 | 0 |
| 37.6 | 214 | 205 | 84 | 9 | 0 |
| 37.7 | 128 | 205 | 122 | 57 | 0 |
| 37.8 | 76 | 180 | 133 | 123 | 0 |
| 37.9 | 20 | 122 | 145 | 225 | 0 |
| 38.0 | 158 | 191 | 129 | 34 | 0 |
| 38.1 | 27 | 116 | 185 | 185 | 0 |
| 38.2 | 40 | 127 | 198 | 147 | 0 |
| 38.3 | 26 | 69 | 155 | 257 | 5 |
| 38.4 | 17 | 62 | 137 | 254 | 42 |
| 38.5 | 0 | 20 | 68 | 361 | 63 |
| 38.6 | 0 | 0 | 16 | 319 | 177 |
| 38.7 | 0 | 2 | 20 | 293 | 197 |
| 38.8 | ? | 1 | 8 | 200 | 213 |
| 38.9 | ? | ? | ? | ? | ? |
| 39.0 | ? | ? | ? | ? | ? |
| 39.1 | 0 | 2 | 12 | 197 | 301 |
| 39.2 | 0 | 5 | 26 | 339 | 142 |
| 39.3 | 0 | 3 | 11 | 285 | 213 |
| 39.4 | 0 | 0 | 0 | 134 | 378 |
| 39.5 | 0 | 0 | 6 | 138 | 368 |
| 39.6 | 0 | 0 | 0 | 150 | 362 |
| 39.7 | 0 | 0 | 0 | 21 | 491 |
| 39.8 | 0 | 0 | 0 | 18 | 494 |
| 39.9 | 0 | 0 | 0 | 14 | ? |
| 40.0 | 0 | 0 | 0 | 0 | 512 |

Cells marked "?" are illegible in the source.


#### ATTACK REGION

## Conclusions

- The work investigates the effect of multiple byte faults on AES.
- The fault modeling is based on diagonals being affected by random faults.
- The work extends the coverage of the attack compared to previous works.
- Shows experimentally that multiple byte faults attacks are feasible.
- Future scope of work: Efficient Countermeasures against these attacks.

# Differential Trace Attacks on CLEFIA


#### Cache Attacks : The Principle



#### **Classes of Cache Attacks**

#### Three ways to identify cache behavior

- Cache Trace Attacks
- Cache Access Attacks
- Cache Timing Attacks



#### **Bernstein's Cache Timing Experiment**



#### Bernstein's Cache Timing Attack



#### Clefia Structure





- 128 bit block cipher from Sony.
- Generalized Feistel Structure
- Number of rounds : 18
- Whitening Keys added at the beginning and end.
- Attacking Clefia requires finding any set of 4 round keys.
  - RK0, RK1, RK2, RK3

## Timing Attack Results

In around 2<sup>26</sup> Clefia encryptions the cipher can be shown to break in the face of cache timing attacks.

- 3 GHz Intel Core 2 Duo
- 32 kB L1 Cache
- 1 GB RAM
- Linux (Ubuntu 8.04)
- gcc-4.2.4 with -O3 optimization

Attack Time:

- First Phase (with known key): 1300 sec
- Second Phase (with unknown key): 312.5 sec

Chester Rebeiro, Debdeep Mukhopadhyay, Junko Takahashi and Toshinori Fukunaga, "Cache Timing Attacks on Clefia", In the Proceedings of Indocrypt 2009.

### Trace Attacks

- The attacker has knowledge of the hits and miss patterns of the cache.
- It is a very powerful side channel.
- But the problem is how to obtain this information?
- We observed power consumptions of the device to identify the hit miss pattern.

## Power profiles and hit-miss patterns



Power Consumptions of 4 accesses to the CLEFIA S-Box, S<sub>0</sub>.
 But the correspondence is not so obvious for the complete cipher.


### Concept of Differential Trace Attack



$$\langle in_0 \oplus k_0 \rangle = \langle S[in_0 \oplus k_0] \oplus in_1 \oplus k_1 \rangle$$

Reduces the key space from  $2^{2n}$  to  $2^{n+\delta}$ 

In order to reduce the key space further, we take another plaintext, resulting in a hit.

The corresponding equation is:

$$\langle in'_0 \oplus k_0 \rangle = \langle S[in'_0 \oplus k_0] \oplus in'_1 \oplus k_1 \rangle$$

Combining these equations we have the following differential equation:

 $\langle in_0 \oplus in_1 \oplus in'_0 \oplus in'_1 \rangle = \langle S[in_0 \oplus k_0] \oplus S[in'_0 \oplus k_0] \rangle$ 

The uncertainty of the key now depends on the differential property of the S-Box.

Thus, if  $f_{avg}$  is the number of keys on an average that would satisfy the above equation, then the key is reduced to:

## Adapting the Attack for CLEFIA



#### Some interesting observations:

- Matrices M<sub>0</sub> and M<sub>1</sub> in the F functions do not attain complete diffusion (they are not diffusion optimal).
- If 5 MSBs of the output of each S-Box are known, then 3 bits of F0 and 2 bits of F1 are computable.
- For a differential pair, the CLEFIA S-Boxes cause 60% in S0 and 50% in S1 input output differentials to be invalid.
- For a valid input output differential, on an average 1.28 actual values are possible for S0, while it is 1.007 for S1.

## **Attack on CLEFIA**

- We have developed an algorithm using the above facts to obtain the key in less than 2<sup>14</sup> encryptions.
- The attack employs the above properties, and the differential Cache Trace technique.
- The cache trace patterns are vital for the working of the attack.

## Obtaining Cache Trace Patterns from the Power Profiles

#### Test Platform:

- Xilinx XC2VP30 FPGA on the SASEBO side channel attack evaluation board.
- 300 MHz PowerPC-405 core
- 16 kB two way set associative data cache.
- 32 kB of the FPGA's block RAM configured as the processor memory.
- CLEFIA's reference code from SONY was run on PowerPC (http://www.sony.net/clefia)

## Power Profiles for two first round access patterns



- The difference is not so obvious as for the single S-Box seen earlier.
- However correlation analysis seems to pick up the small difference.


## Correlation Analysis with no. of measurements



#### The power profiles for the same Hit Miss patterns show a strong correlation:

- It increases from 0.997 to 1 with the number of measurements (as shown above)
- For two different patterns it is around 0.8


## Classification of Hit Miss Patterns

- This helps us to classify the Hit Miss patterns based on their power consumption:
  - for example the first round has 64 Hit Miss patterns.
  - We were able to create 64 different power profiles, corresponding to each Hit Miss pattern
  - This classification helps to identify an unknown Hit Miss pattern from an observed power profile

### **Present Activities**

- We have developed a counter-measure for CLEFIA to prevent the cache attacks:
  - idea: the entire table fits in one cache line.
- We are presently working on Formal Models for cache attacks.
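
Why the one-cache-line idea works can be seen on the collision relation ⟨in<sub>0</sub> ⊕ k<sub>0</sub>⟩ = ⟨S[in<sub>0</sub> ⊕ k<sub>0</sub>] ⊕ in<sub>1</sub> ⊕ k<sub>1</sub>⟩ from the differential trace slides. The following is an added example, not the authors' code: a toy two-lookup model that counts the key pairs consistent with observed hits, once with 2<sup>δ</sup> = 8 table entries per cache line and once with the whole table in a single line. The 8-bit table, δ = 3, the seeded random S-box (not CLEFIA's S0 or S1) and the secret key are assumptions made for the illustration.

```python
# Added example: toy two-lookup model of the collision relation; S-box is constructed.
import random

N = 8                                        # table index width in bits (2^N entries)
_rng = random.Random(2010)                   # fixed seed so the run is repeatable
SBOX = list(range(1 << N))
_rng.shuffle(SBOX)                           # constructed permutation, NOT CLEFIA's S0/S1

def line(index, delta):
    """Cache line of table entry `index` when one line holds 2**delta entries."""
    return index >> delta

def second_access_hits(in0, in1, k0, k1, delta):
    """True when <in0^k0> == <S[in0^k0]^in1^k1>, i.e. the 2nd lookup is a cache hit."""
    first = in0 ^ k0
    second = SBOX[first] ^ in1 ^ k1
    return line(first, delta) == line(second, delta)

def hit_inputs(k0, k1, delta, count):
    """Constructed trace: random (in0, in1) pairs for which the device shows a hit."""
    found = []
    while len(found) < count:
        in0, in1 = _rng.randrange(1 << N), _rng.randrange(1 << N)
        if second_access_hits(in0, in1, k0, k1, delta):
            found.append((in0, in1))
    return found

def surviving_keys(hits, delta):
    """All (k0, k1) pairs consistent with every observed hit."""
    return {(k0, k1)
            for k0 in range(1 << N) for k1 in range(1 << N)
            if all(second_access_hits(i0, i1, k0, k1, delta) for i0, i1 in hits)}

if __name__ == "__main__":
    key = (0x5A, 0xC3)                       # constructed secret
    for delta in (3, N):                     # 8 entries per line vs. whole table in one line
        hits = hit_inputs(*key, delta, 2)
        one, two = surviving_keys(hits[:1], delta), surviving_keys(hits, delta)
        print(delta, len(one), len(two))
```

With δ = 3 a single hit leaves exactly 2<sup>n+δ</sup> = 2048 of the 2<sup>2n</sup> = 65536 key pairs and a second hit narrows the set further; with the table in one line every access is a hit and all 65536 pairs survive, so the trace carries no key information.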

## Thank You