Paper 2023/1129

All You Need Is Fault: Zero-Value Attacks on AES and a New $\lambda$-Detection M&M

Haruka Hirata, University of Electro-Communications
Daiki Miyahara, University of Electro-Communications
Victor Arribas, KU Leuven, Rambus (United States)
Yang Li, University of Electro-Communications
Noriyuki Miura, Osaka University
Svetla Nikova, KU Leuven, University of Bergen
Kazuo Sakiyama, University of Electro-Communications
Abstract

Deploying cryptography on embedded systems requires security against physical attacks. At CHES 2019, M&M was proposed as a combined countermeasure applying masking against SCAs and information-theoretic MAC tags against FAs. In this paper, we show that one of the protected AES implementations in the M&M paper is vulnerable to a zero-value SIFA2-like attack. A practical attack is demonstrated on an ASIC board. We propose two versions of the attack: the first follows the SIFA approach to inject faults in the last round, while the second one is an extension of SIFA and FTA but applied to the first round with chosen plaintext. The two versions work at the byte level, but the latter version considerably improves the efficiency of the attack. Moreover, we show that this zero-value SIFA2 attack is specific to the AES tower-field decomposed S-box design. Hence, such attacks are applicable to any implementation featuring this AES S-box architecture. Then, we propose a countermeasure that prevents these attacks. We extend M&M with a fine-grained detection-based feature capable of detecting the zero-value glitch attacks. In this effort, we also solve the problem of a combined attack on the ciphertext output check of the M&M scheme by using Kronecker's delta function. We deploy the countermeasure on FPGA and verify its security against both fault and side-channel analysis with practical experiments.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
A minor revision of an IACR publication in TCHES 2024
Keywords
AES, fault attacks, zero-value attacks, SIFA2, FTA, masking, detection, M&M
Contact author(s)
h haruka @ uec ac jp
miyahara @ uec ac jp
varribas @ rambus com
liyang @ uec ac jp
nmiura @ ist osaka-u ac jp
svetla nikova @ esat kuleuven be
sakiyama @ uec ac jp
History
2023-11-20: revised
2023-07-19: received
Short URL
https://ia.cr/2023/1129
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/1129,
      author = {Haruka Hirata and Daiki Miyahara and Victor Arribas and Yang Li and Noriyuki Miura and Svetla Nikova and Kazuo Sakiyama},
      title = {All You Need Is Fault: Zero-Value Attacks on AES and a New $\lambda$-Detection M\&M},
      howpublished = {Cryptology ePrint Archive, Paper 2023/1129},
      year = {2023},
      note = {\url{https://eprint.iacr.org/2023/1129}},
      url = {https://eprint.iacr.org/2023/1129}
}