SpringerLink
Log in

A Study of Persistent Fault Analysis

  • Conference paper
  • First Online:
Security, Privacy, and Applied Cryptography Engineering (SPACE 2019)

Part of the book series: Lecture Notes in Computer Science ((LNTCS,volume 11947))

Abstract

Persistent faults mark a new class of injections that perturb lookup tables within block ciphers with the overall goal of recovering the encryption key. Unlike earlier fault types persistent faults remain intact over many encryptions until the affected device is rebooted, thus allowing an adversary to collect a multitude of correct and faulty ciphertexts. It was shown to be an efficient and effective attack against substitution-permutation networks. In this paper, the scope of persistent faults is further broadened and explored. More specifically, we show how to construct a key-recovery attack on generic Feistel schemes in the presence of persistent faults. In a second step, we leverage these faults to reverse-engineer AES- and PRESENT-like ciphers in a chosen-key setting, in which some of the computational layers, like substitution tables, are kept secret. Finally, we propose a novel, dedicated, and low-overhead countermeasure that provides adequate protection for hardware implementations against persistent fault injections.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
EUR 32.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or Ebook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free ship** worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Banik, S., Bogdanov, A., Regazzoni, F.: Exploring energy efficiency of lightweight block ciphers. In: Dunkelman, O., Keliher, L. (eds.) SAC 2015. LNCS, vol. 9566, pp. 178–194. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31301-6_10

    Chapter  Google Scholar 

  2. Banik, S., Bogdanov, A., Regazzoni, F.: Compact circuits for combined AES encryption/decryption. J. Cryptogr. Eng. 9(1), 69–83 (2019). https://doi.org/10.1007/s13389-017-0176-3

    Article  Google Scholar 

  3. Biham, E., Shamir, A.: Differential fault analysis of secret key cryptosystems. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 513–525. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052259

    Chapter  Google Scholar 

  4. Bogdanov, A., et al.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74735-2_31

    Chapter  Google Scholar 

  5. Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of checking cryptographic protocols for faults. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 37–51. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_4

    Chapter  Google Scholar 

  6. Clavier, C., Isorez, Q., Marion, D., Wurcker, A.: Complete reverse-engineering of AES-like block ciphers by SCARE and FIRE attacks. Cryptogr. Commun. Discrete Struct. Boolean Funct. Seq. 7(1), 121 (2015)

    MathSciNet  MATH  Google Scholar 

  7. Daemen, J., Rijmen, V.: The block cipher Rijndael. In: Quisquater, J.-J., Schneier, B. (eds.) CARDIS 1998. LNCS, vol. 1820, pp. 277–284. Springer, Heidelberg (2000). https://doi.org/10.1007/10721064_26

    Chapter  Google Scholar 

  8. Des: Data Encryption Standard. In: FIPS PUB 46, Federal Information Processing Standards Publication 46–2 (1977)

    Google Scholar 

  9. Dutta, A., Paul, G.: Deterministic hard fault attack on trivium. In: Yoshida, M., Mouri, K. (eds.) IWSEC 2014. LNCS, vol. 8639, pp. 134–145. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-09843-2_11

    Chapter  Google Scholar 

  10. Gruss, D., Maurice, C., Mangard, S.: Rowhammer.js: a remote software-induced fault attack in JavaScript. In: Caballero, J., Zurutuza, U., Rodríguez, R.J. (eds.) DIMVA 2016. LNCS, vol. 9721, pp. 300–321. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-40667-1_15

    Chapter  Google Scholar 

  11. Hernandez-Castro, J.C., Peris-Lopez, P., Aumasson, J.-P.: On the key schedule strength of PRESENT. In: Garcia-Alfaro, J., Navarro-Arribas, G., Cuppens-Boulahia, N., de Capitani di Vimercati, S. (eds.) DPM/SETOP 2011. LNCS, vol. 7122, pp. 253–263. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28879-1_17

    Chapter  Google Scholar 

  12. Le Bouder, H., Guilley, S., Robisson, B., Tria, A.: Fault injection to reverse engineer DES-like cryptosystems. In: Danger, J.-L., Debbabi, M., Marion, J.-Y., Garcia-Alfaro, J., Zincir Heywood, N. (eds.) FPS -2013. LNCS, vol. 8352, pp. 105–121. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-05302-8_7

    Chapter  Google Scholar 

  13. Pan, J., Bhasin, S., Zhang, F., Ren, K.: One Fault is All it Needs: Breaking Higher-Order Masking with Persistent Fault Analysis. Cryptology ePrint Archive, Report 2019/008 (2019). https://eprint.iacr.org/2019/008

  14. San Pedro, M., Soos, M., Guilley, S.: FIRE: fault injection for reverse engineering. In: Ardagna, C.A., Zhou, J. (eds.) WISTP 2011. LNCS, vol. 6633, pp. 280–293. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21040-2_20

    Chapter  Google Scholar 

  15. Tiessen, T., Knudsen, L.R., Kölbl, S., Lauridsen, M.M.: Security of the AES with a secret S-Box. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 175–189. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48116-5_9

    Chapter  Google Scholar 

  16. Zhang, F., et al.: Persistent fault analysis on block ciphers. IACR Transactions on Cryptographic Hardware and Embedded Systems, pp. 150–172 (2018)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. LASEC, École Polytechnique Fédérale de Lausanne, Lausanne, Switzerland

    Andrea Caforio & Subhadeep Banik

Authors
  1. Andrea Caforio
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Subhadeep Banik
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Subhadeep Banik .

Editor information

Editors and Affiliations

  1. Temasek Laboratories, Nanyang Technological University, Singapore, Singapore

    Shivam Bhasin

  2. Computer Science Department, Technion, Haifa, Israel

    Avi Mendelson

  3. Indian Statistical Institute, Kolkata, India

    Mridul Nandi

Appendices

Appendix

A Calculation of Low-Diffusion Keys

Algorithm 7 depicts the routine that calculates all 16 low-diffusion keys for PRESENT.

figure g

B Proof of Lemma 1

Proof

The access pattern follows from a simple calculation of the intermediate round key words. Set \(K_0 = \mathtt {0x01000000}\), \(K_1 = \mathtt {0x02000000}\), \(K_2 = \mathtt {0x02000000}\), \(K_3 = |a,a,a,a|\) and \(S(a) = 0\).

$$\begin{aligned} W_0&= K_0 = \mathtt {0x01000000} \\ W_1&= K_1 = \mathtt {0x02000000} \\ W_2&= K_2 = \mathtt {0x02000000} \\ W_3&= K_3 = |a, a, a, a| \\ W_4&= W_0 \oplus S(R(W_3)) \oplus rc_1 = \mathtt {0x00000000} \\ W_5&= W_1 \oplus W_4 = \mathtt {0x02000000} \\ W_6&= W_2 \oplus W_5 = \mathtt {0x00000000} \\ W_7&= W_3 \oplus W_6 = |a, a, a, a| \\ W_8&= W_4 \oplus S(R(W_7)) \oplus rc_2 = \mathtt {0x02000000} \\ W_9&= W_5 \oplus W_8 = \mathtt {0x00000000} \\ W_{10}&= W_6 \oplus W_9 = \mathtt {0x00000000} \\ W_{11}&= W_7 \oplus W_{10} = |a, a, a, a| \\ W_{12}&= W_8 \oplus S(R(W_{11})) \oplus rc_3 = \mathtt {0x06000000} \\ W_{13}&= W_9 \oplus W_{12} = \mathtt {0x06000000} \\ W_{14}&= W_{10} \oplus W_{13} = \mathtt {0x06000000} \\ W_{15}&= W_{11} \oplus W_{14} = |a \oplus \mathtt {0x06}, a, a, a| \\ W_{16}&= W_{12} \oplus S(R(W_{15})) \oplus rc_4 = |\mathtt {0x0e}, 0, 0, S(a \oplus \mathtt {0x06})| \\ W_{17}&= W_{13} \oplus W_{16} = |a \oplus \mathtt {0x08}, 0, 0, S(a \oplus \mathtt {0x06})| \\ W_{18}&= W_{14} \oplus W_{17} = |a \oplus \mathtt {0x0e}, 0, 0, S(a \oplus \mathtt {0x06})| \\ W_{19}&= W_{15} \oplus W_{18} = |a \oplus \mathtt {0x08}, a, a, a \oplus S(a \oplus \mathtt {0x06})| \\ W_{20}&= W_{16} \oplus S(R(W_{19})) \oplus rc_5 = |\mathtt {0x1e}, 0, S(a \oplus S(a \oplus \mathtt {0x06})), S(\mathtt {0x0b})| \\ W_{21}&= W_{17} \oplus W_{20} = |\mathtt {0x16}, 0, S(a \oplus S(a \oplus \mathtt {0x06})), S(\mathtt {0x0b}) \oplus S(a \oplus \mathtt {0x06})| \\ W_{22}&= W_{18} \oplus W_{21} = |\mathtt {0x18}, 0, S(a \oplus S(a \oplus \mathtt {0x06})), S(\mathtt {0x0b})| \\ W_{23}&= W_{19} \oplus W_{22} = |\mathtt {0x1a}, a, a \oplus S(a \oplus S(a \oplus \mathtt {0x06})), a \oplus S(a \oplus \mathtt {0x06}) \oplus S(\mathtt {0x0b})| \end{aligned}$$

Rights and permissions

Reprints and permissions

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Caforio, A., Banik, S. (2019). A Study of Persistent Fault Analysis. In: Bhasin, S., Mendelson, A., Nandi, M. (eds) Security, Privacy, and Applied Cryptography Engineering. SPACE 2019. Lecture Notes in Computer Science(), vol 11947. Springer, Cham. https://doi.org/10.1007/978-3-030-35869-3_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-35869-3_4

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-35868-6

  • Online ISBN: 978-3-030-35869-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation