attack on dfa protected aes by simultaneous laser fault injections · 2 aes instances, one clock...

Attack on DFA protected AES by Simultaneous LaserFault Injections

Bodo Selmkea, Johann Heyszla, Georg Siglb, 08 / 16 / 2016

aFraunhofer Institue AISECbTechnische Universität München

� Laser Fault Injection

� Protected Hardware Implementation

� Symmetric algorithm (AES)

2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 1

© Fraunhofer

FA Countermeasures

1. Direct detection by specialized sensors

2. Handling of faults with various forms of redundancy (Time, Space)

Detection Raise an alarm (interrupt signal)→ Discard output of faulty ciphertext

Infection Transform ("infect") ciphertext→ Render analysis of output by DFA impossible

2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 2

© Fraunhofer

Our practical Investigation

Demonstrate successful attack against AES with duplication-basedcountermeasure using two simultaneous laser shots

� AES on FPGA

� Protection by a countermeasure based on hardware duplication

� Determine locations for Laser Fault Injection→ AES state registers

� Carry out Fault Injections into AES

� Apply DFA on record of output data→ Determine if attack is feasible (We used the DFA by Saha et al.)

2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 3

© Fraunhofer

Redundant AES DesignFeatures

AES core

� 2 AES instances, one clock cycle per round

� Infection Countermeasure based on the design by Lomné et al.

� 48 MHz clock frequency

2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 4

© Fraunhofer

Redundant AES DesignInfection Scheme

state 0

Δ state

outputstate 0

state 1

I state

mask

state 1

2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 5

© Fraunhofer

Redundant AES DesignInfection Scheme

state 0

Δ state

outputstate 0

I state

mask

state 1 outputstate 1

2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 6

© Fraunhofer

Redundant AES DesignInfection Scheme

state 0

Δ state

outputstate 0

state 1

I state

mask

state 1

2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 7

© Fraunhofer

Redundant AES DesignFeatures cont’d

AES core

� 2 AES instances, one clock cycle per round

� Infection Countermeasure based on the design by Lomné et al.

� 48 MHz clock frequency

Generation of Trigger Signal

� Implemented on FPGA

� Adjustable delay counters, initiated with the start-signal of the AES

Device Under Test

� Xilinx Spartan-6 FPGA

� 45 nm feature size

2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 8

© Fraunhofer

Used Laser System

� 2× infrared (1064 nm) laserwith 800 ps pulse length

� Beams independentlypositionable by laser scanners

� Combination of both beamsby beam splitter

� 4 µm spot size

2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 9

© Fraunhofer

Preliminary InvestigationLocating the AES State Registers

� Attack requires knowledge of register location

� Use of dedicated FPGA-design to locate individual flip-flops

� Precision of the Laser sufficient to inject matching fault?

� 3-Step Approach to find the flip-flops of interest:1. Locate a BRAM near the area where the relevant slices are assumed2. Evaluate optimal focal plane for maximum precision3. Scan area to locate the specific flip-flops

2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 10

© Fraunhofer

Preliminary InvestigationFF-Verification Design

Slice n

D5FF DFF

C5FF CFF

B5FF BFF

A5FF AFF

Slice n +1

D5FF DFF

C5FF CFF

B5FF BFF

A5FF AFF

2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 11

© Fraunhofer

Preliminary InvestigationFF-Verification Design

Slice #527

-30.0 -25.0 -20.0 -15.0 -10.0 -5.0 0.0 5.0 10.0 15.0 20.0 25.0 30.0x [µm]

-15.0

-10.0

-5.0

0.0

5.0

10.0

15.0

y [µ

m]

no faultslogic errordifferent slicebit 0bit 1bit 2bit 3bit 4bit 5bit 6bit 7

� scan field 60 µm×30 µm

� step size 200 nm

� 2 laser shots per location:flip-flops initialized to 0 and 1

2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 12

© Fraunhofer

Preliminary InvestigationFF-Verification Design

Slice #526

-30.0 -25.0 -20.0 -15.0 -10.0 -5.0 0.0 5.0 10.0 15.0 20.0 25.0 30.0x [µm]

-15.0

-10.0

-5.0

0.0

5.0

10.0

15.0

y [µ

m]

no faultslogic errordifferent slicebit 0bit 1bit 2bit 3bit 4bit 5bit 6bit 7

� scan field 60 µm×30 µm

� step size 200 nm

� 2 laser shots per location:flip-flops initialized to 0 and 1

2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 13

© Fraunhofer

Preliminary InvestigationFF-Verification Design

Set (0→ 1) and Reset (1→ 0) sensitive areas

-30.0 -25.0 -20.0 -15.0 -10.0 -5.0 0.0 5.0 10.0 15.0 20.0 25.0 30.0x [µm]

-15.0

-10.0

-5.0

0.0

5.0

10.0

15.0

y [µ

m]

no faults

logic error

set

rst

flip

� scan field 60 µm×30 µm

� step size 200 nm

� 2 laser shots per location:flip-flops initialized to 0 and 1

2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 14

© Fraunhofer

Performing the attack on the AESProcedure

Preparation

� Positioning of both lasers according to the previous results

� Evaluation of correct timing for the fault injection

Attack

� Start AES computation

� Inject fault into state registers during round 7

� Record output

� Test if attack was successful (Perform DFA based on ciphertext pair)

2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 15

© Fraunhofer

Performing the attack on the AESResults

Shots Non-ExploitableFaults

Exploitable Faults Attack SuccessRatio

80000 21845 229 0.29 %

� Low success rate

� Single successful FI is sufficient

� Time to success: ≈ 5min

Problems:

� Jitter of laser shot

� Drift of laser spot location

2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 16

© Fraunhofer

Performing the attack on the AESFeasibility of the Attack in practice

� The attack required knowledge of the location of the state registers� Activity-Analysis can reveal location of the AES cores

� Reverse-Engineering Methods can identify locations of registers

� Matching flip-flops can be found by exhaustive search(128 combinations)

� Stress on the device is low enough (All FI on single DUT)

2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 17

© Fraunhofer

DiscussionCountermeasures

Prevent this attack on state registers:� Fault Space Transformation (Patranabis et al.a)

� Add an additional MixColumns / InvMixColumns Operation to one branch� The associated state register stores MixColumns-transformed version of

state� FI in the combinatorial path might be feasible

� Parity Check for altered register contents

Raising attack complexity:

� Scrambling of the flip-flop locations

� Varying timing between both AES cores

aUsing State Space Encoding To Counter Biased Fault Attacks on AES Countermeasures,2015

2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 18

© Fraunhofer

Conclusion

� We successfully show how two lasers can be used in an attack

� As example, broke duplication-based infective countermeasures

� Results principally affect most hardware duplication-basedcountermeasures!

2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 19

© Fraunhofer

Thank your for your attentionQuestions?

2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 20

© Fraunhofer

Contact Information

Dipl.-Ing. Bodo Selmke

Department Hardware Security (HWS)

Fraunhofer-Institute forApplied and Integrated Security (AISEC)

Address: Parkring 485748 Garching (near Munich)Germany

Internet: http://www.aisec.fraunhofer.de

Phone: +49 89 3229986-132Fax: +49 89 3229986-222E-Mail: bodo.selmke@aisec.fraunhofer.de

2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 21

© Fraunhofer

Backup Slides

-100.0 -80.0 -60.0 -40.0 -20.0 0.0 20.0 40.0 60.0 80.0 100.0x [µm]

-30.0

-10.0

10.0

30.0

y [µ

m]

no data

no faults

logic error

#562

other flipflop

-100.0 -80.0 -60.0 -40.0 -20.0 0.0 20.0 40.0 60.0 80.0 100.0x [µm]

-30.0

-10.0

10.0

30.0

y [µ

m]

no data

no faults

logic error

#527

other flipflop

2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 22

© Fraunhofer

Backup Slides

Slice #562

-30.0 -25.0 -20.0 -15.0 -10.0 -5.0 0.0 5.0 10.0 15.0 20.0 25.0 30.0x [µm]

-15.0

-10.0

-5.0

0.0

5.0

10.0

15.0

y [µ

m]

no faultslogic errordifferent slicebit 0bit 1bit 2bit 3bit 4bit 5bit 6bit 7

2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 23

© Fraunhofer

Backup Slides

Total number of bit faults

-30.0 -25.0 -20.0 -15.0 -10.0 -5.0 0.0 5.0 10.0 15.0 20.0 25.0 30.0x [µm]

-15.0

-10.0

-5.0

0.0

5.0

10.0

15.0

y [µ

m]

no faults

logic error

1 flip-flop

2 flip-flops

2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 24

© Fraunhofer

Backup Slides

state

key

plaintext

ciphertext

'0'

SubBytes ShiftRows MixColumns

roundkey

Key-Schedule

2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 25

© Fraunhofer

Backup Slides

2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 26

© Fraunhofer

Backup Slides

-4.0 -3.0 -2.0 -1.0 0.0 1.0 2.0 3.0 4.0x in µm

-4.0

-3.0

-2.0

-1.0

0.0

1.0

2.0

3.0

4.0

y in

µm

Address = 0, Bit = 0

set

set + other bit(s)

rst

rst + other bit(s)

toggle

toggle + other bit(s)

other bit(s)

no faults

-4.0 -3.0 -2.0 -1.0 0.0 1.0 2.0 3.0 4.0x in µm

-4.0

-3.0

-2.0

-1.0

0.0

1.0

2.0

3.0

4.0

y in

µm

Address = 4, Bit = 0

set

set + other bit(s)

rst

rst + other bit(s)

toggle

toggle + other bit(s)

other bit(s)

no faults

-4.0 -3.0 -2.0 -1.0 0.0 1.0 2.0 3.0 4.0x in µm

-4.0

-3.0

-2.0

-1.0

0.0

1.0

2.0

3.0

4.0

y in

µm

Address = 4, Bit = 0

set

set + other bit(s)

rst

rst + other bit(s)

toggle

toggle + other bit(s)

other bit(s)

no faults

Pulse energy 1.0 nJ

2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 27

© Fraunhofer