Paper 2010/130
Low Voltage Fault Attacks to AES and RSA on General Purpose Processors
Alessandro Barenghi, Guido Bertoni, Luca Breveglieri, Mauro Pellicioli, and Gerardo Pelosi
Abstract
Fault injection attacks have recently proven to be a powerful tool for exploiting implementation weaknesses of robust cryptographic algorithms. A number of different techniques aimed at disturbing the computation of a cryptographic primitive have been devised and successfully employed to leak secret information by inferring it from the erroneous results. In particular, many of these techniques involve directly tampering with the computing device to alter the content of the embedded memory, e.g. by irradiating it with laser beams. In this contribution we present a low-cost, non-invasive and effective technique to inject faults in an ARM9 general purpose CPU by lowering its supply voltage. This is the first result available in the fault attack literature to attack a software implementation of a cryptosystem running on a full-fledged CPU with a complete operating system. The platform under consideration (an ARM9 CPU running a full Linux 2.6 kernel) is widely used in mobile computing devices such as smartphones, gaming platforms and network appliances. We fully characterise both the fault model and the errors induced in the computation, in terms of both how frequently they occur and the corruption patterns on the computed results. First, we validate the effectiveness of the proposed fault model for mounting practical attacks on implementations of the RSA and AES cryptosystems, using techniques known in the open literature. Then we devise two new attack techniques, one for each cryptosystem. The attack on AES is able to retrieve all the round keys regardless of both their derivation strategy and the number of rounds. A known ciphertext attack on RSA encryption has been devised: the plaintext is retrieved knowing the result of a correct and a faulty encryption of the same plaintext, and assuming the fault corrupts the public key exponent.
Through experimental validation, we show that we can break any AES with roughly 4 kb of ciphertext, RSA encryption with 3 to 5 faults and RSA signature with 1 to 2 faults.
Note: The updated version can be found at: http://dx.doi.org/10.1016/j.jss.2013.02.021
Metadata
- Publication info
- Published elsewhere. An updated and extended version of this paper has been published in the Journal of Systems and Software
- Keywords
- RSA AES Cryptanalysis Fault Attacks
- Contact author(s)
- barenghi @ elet polimi it
- History
- 2013-03-21: last of 2 revisions
- 2010-03-08: received
- Short URL
- https://ia.cr/2010/130
- License
- CC BY
BibTeX
@misc{cryptoeprint:2010/130,
  author = {Alessandro Barenghi and Guido Bertoni and Luca Breveglieri and Mauro Pellicioli and Gerardo Pelosi},
  title = {Low Voltage Fault Attacks to {AES} and {RSA} on General Purpose Processors},
  howpublished = {Cryptology {ePrint} Archive, Paper 2010/130},
  year = {2010},
  url = {https://eprint.iacr.org/2010/130}
}