Multiple Persistent Faults Analysis with Unknown Faults

doi:10.3969/j.issn.1671-1122.2023.05.005

Abstract

Abstract:

Persistent Fault Analysis (PFA) is a novel fault analysis technique proposed in 2018, which has attracted widespread attention from home and abroad. Although various analysis methods for different cryptographic systems have been proposed, research on the fault model with unknown fault values is still an open problem, which represents a more practical attack scenario. Particularly when dealing with multiple faults, it is more difficult to control the overlap of the original and faulty values. This paper proposed a multiple persistent fault analysis model under a relatively loose fault model. Attackers did not need to know any information about fault values, locations, or even number. By exploiting the property that persistent faults remained unchanged during all encryption processes, the range of fault values was narrowed down using the results of different bytes of ciphertext, eventually leading to key recovery. Both theoretical proof and simulation experiments were conducted to verify the effectiveness of the analysis model. Taking the AES-128 algorithm as an example, with only 150 ciphertexts under the condition of ciphertext-only, the number of candidate keys can be controlled within a small range. The success rate of the attack is above 99%, effectively reduce the required number of ciphertexts. By increasing the number of rounds, the key can be recovered even after frequent key-update, significantly reducing the difficulty of the attack.

Key words: persistent faults analysis, side-channel attacks, AES algorithm, fault injection attacks

CLC Number:

TP309

MAO Hongjing, CHENG Yukun, HU Honggang. Multiple Persistent Faults Analysis with Unknown Faults[J]. Netinfo Security, 2023, 23(5): 41-49.

Figures/Tables 8

References 16

[1]	JOVE M, TUNSTALL M. Fault Analysis in Cryptography[M]. Berlin: Springer 2012.
[2]	ALDERIGHI M, CASINI F, D’ANGELO S, et al. Evaluation of Single Event Upset Mitigation Schemes for SRAM Based FPGAs Using the FLIPPER Fault Injection Platform[C]// IEEE. 22nd IEEE International Symposium on Defect and Fault-Tolerance in VLSI Systems (DFT 2007). New York: IEEE, 2007: 105-113.
[3]	BAR-EI H, CHOUKRI H, NACCACHE D, et al. The Sorcerer’s Apprentice Guide to Fault Attacks[EB/OL]. (2006-01-23)[2023-02-20]. https://ieeexplore.ieee.org/document/1580506/metrics#metrics.
[4]	TORRANCE R, JAMES D. The State-of-the-Art in IC Reverse Engineering[C]// Springer. Cryptographic Hardware and Embedded Systems-CHES 2009: 11th International Workshop Lausanne. Berlin:Springer, 2009: 363-381.
[5]	ZHANG Fan, LOU Xiaoxuan, ZHAO Xinjie, et al. Persistent Fault Analysis on Block Ciphers[J]. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2018, 3: 150-172.
[6]	ZHANG Fan, ZHANG Yiran, JIANG Huilong, et al. Persistent Fault Attack in Practice[J]. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2020, 2: 172-195.
[7]	XU Guorui, ZHANG Fan, YANG Bolin, et al. Pushing the Limit of PFA: Enhanced Persistent Fault Analysis on Block Ciphers[C]// IEEE. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems. New York: IEEE, 2020: 1102-1116.
[8]	ZHANG Fan, FENG Tianxiang, LI Zhiqi, et al. Free Fault Leakages for Deep Exploitation: Algebraic Persistent Fault Analysis on Lightweight Block Ciphers[J]. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2022, 2: 289-311.
[9]	ENGELS S, SCHELLENBERG F, PAAR C. SPFA: SFA on Multiple Persistent Faults[C]// IEEE. 2020 Workshop on Fault Detection and Tolerance in Cryptography (FDTC). New York: IEEE, 2020: 49-56.
[10]	ZHENG Shihui, LIU Xudong, ZANG Shoujin, et al. A Persistent Fault-Based Collision Analysis Against the Advanced Encryption Standard[J]. IEEE Transactions on Computer Aided Design of Integrated Circuits and Systems, 2021, 40(6): 1117-1129. doi: 10.1109/TCAD.2021.3049687 URL
[11]	SOLEIMANY H, BAGHERI N, HADIPOUR H, et al. Practical Multiple Persistent Faults Analysis[J]. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2022, 1: 367-390.
[12]	BAGHERI N, SADEGHI S, RAVI P, et al. SIPFA: Statistical Ineffective Persistent Faults Analysis on Feistel Ciphers[J]. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2022, 3: 367-390.
[13]	TANG Honghui, LIU Qiang. MPFA: An Efficient Multiple Faults-Based Persistent Fault Analysis Method for Low-Cost FIA[J]. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 2022, 41(9): 2821-2834. doi: 10.1109/TCAD.2021.3117512 URL
[14]	DAEMEN J, RIJMEN V. The Rijndael Block Cipher: AES Proposal[C]// NIST. First AES Candidate Conference (AES1). Gaithersburg: NIST, 1999: 343-348.
[15]	GRUBER M, PROBST M, TEMPELMEIER M. Persistent Fault Analysis of Ocb, Deoxys and Colm[C]// IEEE. 2019 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC). New York: IEEE, 2019: 17-24.
[16]	CARRE S, GUILLEY S, RIOUL O. Persistent Fault Analysis with Few Encryptions[C]// Springer. International Workshop on Constructive Side-Channel Analysis and Secure Design. Berlin:Springer, 2020: 3-24.

符号	说明
$C\left[ j \right]$	密文的第$j$个字节
${{K}_{R}}$	密文的第$j$个字节对应的最后一轮密钥
${{C}_{min}}$	注入故障后，密文某字节的缺失值
${{C}_{max}}$	注入故障后，密文某字节出现最多的值
$D\left[ j \right]$	密文第$j$个字节的缺失密文值集合
$M\left[ j \right]$	密文第$j$个字节出现最多的密文值集合
$v$	S盒中被替换的故障值
$u$	缺失密文值对应的S盒中的值
$\lambda $	注入持续故障的个数
$\lambda '$	$D\left[ j \right]$中元素的个数

故障数量$\lambda $	$2$		4		8		16
密文数量$N$	150	200	150	200	150	200	150	200
理论缺少密文值数量$\lambda '$	142.72	117.57	142.96	117.95	143.2	118.33	143.45	118.72
实际缺少密文值数量$\lambda '$	143	117	143	$118$	143	118	143	119
攻击成功率	99.213%	99.967%	99.269%	99.695%	99.323%	99.972%	99.374%	99.975%
候选故障值集合	${{2}^{7.3}}$	${{2}^{8}}$	${{2}^{8.17}}$	${{2}^{8}}$	${{2}^{8.11}}$	${{2}^{8}}$	${{2}^{8.07}}$	${{2}^{8}}$
候选密钥数量	${{2}^{23.13}}$	${{2}^{23}}$	${{2}^{8.11}}$	${{2}^{8}}$	${{2}^{8.07}}$	${{2}^{8}}$	${{2}^{8.02}}$	${{2}^{8}}$
计算复杂度	${{2}^{18.29}}$	${{2}^{17.73}}$	${{2}^{18.27}}$	${{2}^{17.71}}$	${{2}^{18.26}}$	${{2}^{17.69}}$	${{2}^{18.24}}$	${{2}^{17.68}}$

方案	$\lambda =2$			$\lambda >2$
方案	文献[9]方案	文献[11]方案	本文方案	文献[9]方案	文献[11]方案	本文方案
所需密文数量	7775	1552	146	1643	477	137
候选密钥数量	${{2}^{50}}$	${{2}^{23}}$	${{2}^{23}}$	${{2}^{50}}$	${{2}^{24.52}}$	${{2}^{8}}$
抗密钥更新策略	N	N	Y	N	N	Y
未知故障数量	N	N	Y	N	N	Y