Practical Differential Fault Attack on AES
1 like1,497 views
Marc Witteman discusses practical differential fault analysis (DFA) on the AES encryption algorithm. He summarizes that prior DFA work using single faults is impractical due to unknown fault parameters. Witteman's approach uses multiple faults injected over a short period, selecting those matching a fault model. Key space is reduced through voting and exclusion of candidates using 24-50 faults. The remaining key bits can then be brute forced rapidly. This "single-minute DFA" replaces less practical "single-fault DFA" methods and enables fast extraction of AES keys.
![What’s wrong with single-fault DFA?
Fault model must be known
• Unknown byte hit?
blind byte hit multiplies search space by 4
• Unknown round hit?
blind round hit multiplies search space by 10
• Unknown operation hit?
9
void mix_column( unsigned char* column ) {
unsigned char a = column[0];
unsigned char b = column[1];
unsigned char c = column[2];
unsigned char d = column[3];
column[0] = mul2[ a ] ^ mul3[ b ] ^ c ^ d;
column[1] = mul2[ b ] ^ mul3[ c ] ^ d ^ a;
column[2] = mul2[ c ] ^ mul3[ d ] ^ a ^ b;
column[3] = mul2[ d ] ^ mul3[ a ] ^ b ^ c;
}
Alternative faults change effect](https://image.slidesharecdn.com/practicaldfaonaes-170912150909/85/Practical-Differential-Fault-Attack-on-AES-9-320.jpg)
![2. Fault selection
• Hit ‘Key addition’, ‘Substitute’, Shift row’, or ‘Mix column’
• Check that only 4 output bytes change
• Accept that some faults have alternative fault model
Usable
Too little
Too much
13
void mix_column( unsigned char* column ) {
unsigned char a = column[0];
unsigned char b = column[1];
unsigned char c = column[2];
unsigned char d = column[3];
column[0] = mul2[ a ] ^ mul3[ b ] ^ c ^ d;
column[1] = mul2[ b ] ^ mul3[ c ] ^ d ^ a;
column[2] = mul2[ c ] ^ mul3[ d ] ^ a ^ b;
column[3] = mul2[ d ] ^ mul3[ a ] ^ b ^ c;
}](https://image.slidesharecdn.com/practicaldfaonaes-170912150909/85/Practical-Differential-Fault-Attack-on-AES-13-320.jpg)
Practical Differential Fault Attack on AES
- 1. Practical DFA on AES Marc Witteman – CTO June 13, 2013
- 2. DFA on AES, how hard is that? • 2003 Gilles Piret and Jean-Jacques Quisquater 2 faults • 2013 Christophe Giraud and Adrian Thillard 1 fault • 2013 Riscure up to 50 faults Is Riscure stupid? 2
- 3. Outline • How does single fault DFA on AES work? • What’s wrong with single fault DFA? • So, how does Riscure do DFA? • Demo 3
- 4. Fault impact on AES • Inject fault before ultimate MixColumn Fault randomly changes chosen byte • MixColumn propagates fault in column • ShiftRow propagates fault to 4 cells • One fault affects 4 output bytes 4 AddKey Substitute ShiftRow AddKey Output Substitute ShiftRow MixColumn Fault 9th round 10th round MixColumn ShiftRow
- 5. Finding the fault value • Fault in specific byte propagates to 4 output bytes • Each fault pair of correct and faulty output bytes halves the number of values for the random fault Out0 on fault Out7 on fault Out10 on fault Out13 on fault Outall on fault Group of 4 affected output bytes reduces possible fault values in known byte to about 15
- 6. Finding the key value • A specific fault value matches with two key values • Group key space reduced from 32 bits to ~8 bits Mapping Fault value Key value 2 * 2 * 2 * 2 + 2 * 2 * 2 * 2 + 2 * 2 * 2 * 2 + 2 * 2 * 2 * 2 + 2 * 2 * 2 * 2 + 2 * 2 * 2 * 2 + 2 * 2 * 2 * 2 + 2 * 2 * 2 * 2 + 2 * 2 * 2 * 2 + 2 * 2 * 2 * 2 + 2 * 2 * 2 * 2 + 2 * 2 * 2 * 2 + 2 * 2 * 2 * 2 + 2 * 2 * 2 * 2 + 2 * 2 * 2 * 2 = 240 4 faults can break the key • 4 x 32 reduced to 4 x 8 bits • Remaining entropy is 32 bits • Can be brute forced K0 K10 K13K7
- 7. One fault catches all • Inject fault before in round 8 Fault randomly changes chosen byte • MixColumn propagates fault in column • ShiftRow propagates fault to 4 cells • MixColumn propagates 4 faults in 4 columns • ShiftRow propagates 4 faults to 16 cells, exposing 16 key bytes • So, one correct + fault pair + 32 bit brute force reveals 128 bit key! 7 AddKey Substitute ShiftRow AddKey Output Substitute ShiftRow MixColumn Fault 9th round 10th round MixColumn ShiftRow AddKey MixColumn 8th round 9th round MixColumn ShiftRow
- 8. What’s wrong with single-fault DFA? Fault model must be known • Unknown byte hit? 8 Faults in same column are non-distinguishable
- 9. What’s wrong with single-fault DFA? Fault model must be known • Unknown byte hit? blind byte hit multiplies search space by 4 • Unknown round hit? blind round hit multiplies search space by 10 • Unknown operation hit? 9 void mix_column( unsigned char* column ) { unsigned char a = column[0]; unsigned char b = column[1]; unsigned char c = column[2]; unsigned char d = column[3]; column[0] = mul2[ a ] ^ mul3[ b ] ^ c ^ d; column[1] = mul2[ b ] ^ mul3[ c ] ^ d ^ a; column[2] = mul2[ c ] ^ mul3[ d ] ^ a ^ b; column[3] = mul2[ d ] ^ mul3[ a ] ^ b ^ c; } Alternative faults change effect
- 10. What’s wrong with single-fault DFA? Fault model must be known • Unknown byte hit? blind byte hit multiplies search space by 4 • Unknown round hit? blind round hit multiplies search space by 10 • Unknown operation hit? out-of-model faults mess up the key search Practice • 32 bit AES brute force takes 20 minutes • With unknowns this can grow to days • Brute force key search impossible when input missing • We hate waiting 10
- 11. Our approach Experience If a target is vulnerable to fault injection, it’s relatively easy to collect multiple faults Procedure 1. acquire outputs while injecting faults (almost a minute) 2. select faults that match the fault model (few ms) 3. use voting and exclusion to reduce key space to 0..24 bits using 24..50 faults (few ms) 4. brute force to match input or fault model (few sec) 11 We replace single-fault DFA by single-minute DFA
- 12. 1. Acquisition Glitch parameters response trigger glitch command
- 13. 2. Fault selection • Hit ‘Key addition’, ‘Substitute’, Shift row’, or ‘Mix column’ • Check that only 4 output bytes change • Accept that some faults have alternative fault model Usable Too little Too much 13 void mix_column( unsigned char* column ) { unsigned char a = column[0]; unsigned char b = column[1]; unsigned char c = column[2]; unsigned char d = column[3]; column[0] = mul2[ a ] ^ mul3[ b ] ^ c ^ d; column[1] = mul2[ b ] ^ mul3[ c ] ^ d ^ a; column[2] = mul2[ c ] ^ mul3[ d ] ^ a ^ b; column[3] = mul2[ d ] ^ mul3[ a ] ^ b ^ c; }
- 14. 3. Key space reduction (one fault) • 4 potential fault bytes per group → join possible key values • Almost half of all key bytes match • Frequency = probability 14 Fault in A Fault in B Fault in C Fault in D Fault in ANY A E I M B F J N C G K O D H L P
- 15. 3. Key space reduction (multi fault) 15 1 2 1+2 sum(8) sum(12) 1 2 1*2*(1+2) prodsum(4) prodsum(8) Voting Voting and Exclusion Full key extraction takes 32 up to 50 unique faults
- 16. 4. Brute force When to brute force? • Verify correctness of candidates • Only few faults available • Can be efficient when 24 bits (or less) missing • Too little variation in faults How to brute force? • Match keys with input/output • Reverse last round and detect earlier faults 16
- 17. Conclusion • Prior AES DFA work not practical due to • Unknowns • Out-of-model faults • DFA practical when • Fault selection on format • Candidates selected by voting • Practical DFA on AES can be fast replace ‘single-fault’ by ‘single-minute’ • Remaining research questions • Attack skipped rounds? • Attack without duplicate plaintext? 17
- 18. Riscure North America 71 Stevenson Street, Suite 400 San Francisco, CA 94105 USA Phone: +1 650 646 99 79 inforequest@riscure.com Riscure B.V. Frontier Building, Delftechpark 49 2628 XJ Delft The Netherlands Phone: +31 15 251 40 90 www.riscure.com Contact: Marc Witteman CTO