This is version 20180118:125505 of this paper.

Paper 2018/071

Exploiting Ineffective Fault Inductions on Symmetric Cryptography

Christoph Dobraunig and Maria Eichlseder and Thomas Korak and Stefan Mangard and Florian Mendel and Robert Primas

Abstract

Since the seminal work of Boneh et al., the threat of fault attacks has been widely known, and new techniques for fault attacks and countermeasures have been studied extensively. The vast majority of the literature on fault attacks focuses on the ability of faults to change an intermediate value to a faulty one, as in differential fault analysis (DFA), collision fault analysis, statistical fault attacks (SFA), fault sensitivity analysis, or differential fault intensity analysis. The other aspect of faults, namely that a fault can be induced and yet not change a value, has been far less researched. In the case of symmetric ciphers, this area is covered by ineffective fault attacks (IFA). However, IFA relies on the ability of an attacker to induce reproducible, deterministic faults such as stuck-at faults on a small intermediate structure (e.g., one bit or byte), which is often considered impracticable. As a consequence, most countermeasures against fault attacks focus on the ability of faults to change intermediate values and usually try either to detect such a change (detection-based countermeasures) or to destroy the exploitable information if a fault happens (infective countermeasures). Such countermeasures implicitly assume that releasing "fault-free" ciphertexts in the presence of a fault-inducing attacker does not reveal any exploitable information. In this work, we challenge this assumption and show attacks that exploit the fact that the intermediate values leading to such "fault-free" ciphertexts follow a non-uniform distribution, whereas they should be uniformly distributed. The presented attacks are entirely practical and are demonstrated to work on software implementations of AES and on a hardware co-processor. These practical attacks rely on faults induced by means of clock glitches and hence are achieved using only low-cost equipment. We target two countermeasures as examples: simple time redundancy with comparison, and an infective countermeasure presented at CHES 2014. However, our attacks can be applied to a wider range of countermeasures and are not restricted to these two.
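The central observation of the abstract, that intermediate values which survive a fault unchanged are no longer uniformly distributed once an implementation only releases outputs that pass a redundancy check, can be illustrated with a small simulation. The following Python program is an added example and is not code from the paper or its authors; it uses a constructed toy fault model (each bit of a byte is independently cleared with some probability, i.e. the byte is AND-ed with a random mask, an assumption chosen here for illustration) and a toy time-redundant computation that compares a clean and a faulted copy of a single intermediate byte and suppresses the result on mismatch. It then measures how far the released values deviate from uniform using the squared Euclidean imbalance (SEI) and compares that against the sampling noise of an equally sized uniform sample. An implementer evaluating a detection-based countermeasure can use exactly this kind of model to check whether suppressing faulty outputs is sufficient on its own.

```python
import random
from collections import Counter


def hamming_weight(x: int) -> int:
    """Number of set bits in a byte."""
    return bin(x & 0xFF).count("1")


def random_and_fault(x: int, keep_prob: float, rng: random.Random) -> int:
    """Constructed toy fault model (assumption, not the paper's): every bit of x
    is independently kept with probability keep_prob and cleared otherwise."""
    mask = 0
    for i in range(8):
        if rng.random() < keep_prob:
            mask |= 1 << i
    return x & mask


def time_redundant_byte(x: int, keep_prob: float, rng: random.Random):
    """Toy time redundancy with comparison: compute the intermediate twice,
    the second run being exposed to the fault, and release the value only
    if both copies agree. Returns None when the fault was detected."""
    clean = x
    faulted = random_and_fault(x, keep_prob, rng)
    if clean != faulted:
        return None           # fault was effective -> output suppressed
    return clean              # fault was ineffective -> output released


def collect_released(n_trials: int, keep_prob: float, seed: int = 1) -> Counter:
    """Run n_trials with uniformly random intermediate bytes and collect the
    values that the countermeasure actually released."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(n_trials):
        x = rng.randrange(256)
        out = time_redundant_byte(x, keep_prob, rng)
        if out is not None:
            counts[out] += 1
    return counts


def exact_filtered_distribution(keep_prob: float) -> dict:
    """Closed form of the released-value distribution for the toy model: a
    value x survives the fault with probability keep_prob ** hw(x), so
    conditioning on 'ineffective' weights each value by that factor."""
    weights = {x: keep_prob ** hamming_weight(x) for x in range(256)}
    total = sum(weights.values())
    return {x: w / total for x, w in weights.items()}


def sei(counts: Counter) -> float:
    """Squared Euclidean imbalance of an observed byte histogram against the
    uniform distribution on 256 values; 0 means perfectly uniform."""
    n = sum(counts.values())
    return sum((counts.get(x, 0) / n - 1 / 256) ** 2 for x in range(256))


def uniform_baseline_sei(n_samples: int, seed: int = 2) -> float:
    """SEI of n_samples truly uniform bytes, i.e. the noise floor a detector
    must exceed before the deviation is meaningful."""
    rng = random.Random(seed)
    counts = Counter(rng.randrange(256) for _ in range(n_samples))
    return sei(counts)


def mean_hamming_weight(dist: dict) -> float:
    """Expected Hamming weight under a probability distribution on bytes."""
    return sum(p * hamming_weight(x) for x, p in dist.items())


def counts_to_dist(counts: Counter) -> dict:
    n = sum(counts.values())
    return {x: c / n for x, c in counts.items()}


if __name__ == "__main__":
    released = collect_released(20000, keep_prob=0.5)
    n_rel = sum(released.values())
    print(f"released {n_rel} of 20000 outputs (rest suppressed by comparison)")
    print(f"SEI of released values : {sei(released):.5f}")
    print(f"SEI of {n_rel} uniform samples: {uniform_baseline_sei(n_rel):.5f}")
    print(f"mean Hamming weight of released values: "
          f"{mean_hamming_weight(counts_to_dist(released)):.2f} (uniform: 4.00)")
```

The program releases roughly a tenth of the outputs for keep_prob=0.5, yet the released bytes are strongly skewed towards low Hamming weight, and their SEI sits well above the noise floor of a uniform sample of the same size. The point for a defender is that the comparison step did its job (every changed value was suppressed) and the leak still exists, because which values survive is itself value-dependent; that is the property the paper's attacks exploit.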

Metadata
Available format(s): PDF
Category: Secret-key cryptography
Publication info: Preprint. MINOR revision.
Keywords: fault attack, infective countermeasure, fault detection, countermeasure, statistical ineffective fault attack
Contact author(s): christoph dobraunig @ iaik tugraz at
History:
2018-09-04: revised
2018-01-18: received
Short URL: https://ia.cr/2018/071
License: Creative Commons Attribution (CC BY)