Differential Fault Analysis

Authors

  • Eltayeb Salih Abuelyaman
  • Balasubramanian Devadoss
Abstract

Commercial ventures and financial institutions have proposed and are relying upon smartcards and other security processors as a method for storing and transacting electronic currency. As users begin to accept electronic wallets as a viable option for storing their assets, the security community has placed these devices under closer scrutiny. The idea of using computational faults to break tamper-resistant cryptographic devices has recently been highlighted in a lot of research. Biham and Shamir named this form of attack Differential Fault Analysis (DFA). This paper summarizes the existing research on DFA, and describes and analyzes differential attacks on various algorithms such as DES, RSA, IDEA, RC5, DSA and other vulnerable ciphers. This paper also discusses some of the ways to prevent Differential Fault Analysis.

0. Introduction

Side-channel attacks occur when an attacker is able to use some additional information leaked from the implementation of a cryptographic function to cryptanalyze the function. Given enough side-channel information, it is trivial to break a cipher. An attacker who can, for example, learn every input into every S-box in every one of DES's rounds can trivially calculate the key. Differential Fault Analysis (DFA) falls under side-channel attacks.

The purpose of this paper is to outline the Differential Fault Analysis (DFA) method of attacking cryptographic algorithms. This paper is intended to provide a survey of DFA in terms of how the attack is accomplished and which algorithms are vulnerable to this form of attack. The document is divided into four parts. The first part provides an introduction to fault analysis. The second deals with the differential fault analysis technique. The third part outlines the attacks on various algorithms. The fourth part looks at the ways that this attack can be avoided.

1. Overview of Fault Analysis

Fault Analysis relates to the ability to investigate ciphers and extract keys by generating faults in a system that is in the possession of the attacker, or by natural faults that occur. Faults are most often caused by changing the voltage, tampering with the clock, or by applying radiation of various types. The attacks are based on encrypting the same piece of data (which is not necessarily known to the attacker) twice and comparing the results. A one-bit difference indicates a fault in one of the operations. A short computation can then be applied, for DES for example, to identify the round in which the error has occurred. A whole set of operations can then be carried out to recover the DES sub-key of the last round. When this sub-key is known, the attacker can either guess the missing 8 bits or simply peel off the last round, for which he knows the sub-key, and perform the attack on a reduced DES.

Another type of fault analysis is non-differential fault analysis, which is based on causing permanent damage to devices for the purpose of extracting symmetric keys. It must be mentioned that a trait of such attacks is that they do not require correct ciphertexts. This leads to the attacker being able to make use of natural faulty units, without himself tampering with them. [1]

Types of Faults

Transient faults

Consider a certification authority (CA) that is constantly generating certificates and sending them out to clients. Due to random transient hardware faults the CA might generate faulty certificates on rare occasions. If a faulty certificate is ever sent to a client, that client will be able to break the CA's system and generate fake certificates. Note that on various systems, a client is alerted when a faulty certificate is received.

Latent faults

Latent faults are hardware or software bugs that are difficult to catch. As an example, consider the Intel floating point division bug.
Such bugs may also cause a CA to generate faulty certificates from time to time.

Induced faults

When an adversary has physical access to a device she may try to purposely induce hardware faults. For instance, one may attempt to attack a tamper-resistant device by deliberately causing it to malfunction. The erroneous values computed by the device enable the adversary to extract the secret stored on it. [2]

2. Differential Fault Analysis (DFA)

In 1996, a new attack on cryptographic devices was proposed by researchers at Bellcore. This attack depends on introducing errors into key-dependent cryptographic operations through physical intrusion. Soon after, the initial Bellcore work, which focused on public-key techniques, was extended and applied to secret-key encryption techniques. It also motivated a series of discussions on the capabilities of secure hardware as a means of keeping the details of certain cryptographic algorithms confidential, and a variety of different threat models have now been considered as a result of their work.

The reliance of many security systems on the use of secure hardware or secure processing makes a full evaluation of the potential of fault analysis very important. For developers and users alike, an increased awareness of the threat posed by new and novel methods of cryptanalysis allows the development of more secure cryptographic implementations. In this note we will summarize these recent results and in particular we will assess their practical significance when applied to RSA and DES. [3]

3. Differential Fault Analysis on Various Algorithms

In the next subsection we will discuss the Differential Fault Attack (DFA) on DES.

3.1. DFA on DES

The attack follows the Bellcore fundamental assumption that by exposing a sealed tamperproof device such as a smart card to certain physical effects (e.g., ionizing or microwave radiation), one can induce with reasonable probability a fault at a random bit location in one of the registers at some random intermediate stage in the cryptographic computation. Both the bit location and the round number are unknown to the attacker. It is further assumed that the attacker is in physical possession of the tamperproof device, so that he can repeat the experiment with the same cleartext and key but without applying the external physical effects. As a result, he obtains two ciphertexts derived from the same (unknown) cleartext and key, where one of the ciphertexts is correct and the other is the result of a computation corrupted by a single bit error during the computation.

For the sake of simplicity, we assume that one bit of the right half of the data in one of the 16 rounds of DES is flipped from 0 to 1 or vice versa, and that both the bit position and the round number are uniformly distributed.

In the first step of the attack the round in which the fault occurred is identified. If the fault occurred in the right half of round 16, then only one bit in the right half of the ciphertext differs between the two ciphertexts. The left half of the ciphertext can differ only in output bits of the S box (or two S boxes) to which this single bit enters, and the difference must be related to non-zero entries in the difference distribution tables of these S boxes. In such a case, the six key bits of each such S box in the last round can be guessed, and any value which disagrees with the expected differences of these S boxes is discarded (as in differential cryptanalysis).

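
The discard step for a round-16 fault, shown for S box S1 only, as an added example that is not code from the paper. It assumes the 6-bit S1 inputs (after the expansion E) and the 4-bit S1 output difference (after undoing the permutation P) have already been extracted from the two ciphertexts; all function names and sample values are hypothetical.

```python
# Standard DES S box S1; the row is chosen by the two outer input bits.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox1(x):
    """Apply S1 to a 6-bit value (bit 5 and bit 0 pick the row)."""
    row = ((x >> 4) & 2) | (x & 1)
    col = (x >> 1) & 0xF
    return S1[row][col]


def consistent_keys(e_good, e_bad, out_diff):
    """Six-bit sub-key values that reproduce the observed output difference."""
    return {k for k in range(64)
            if sbox1(e_good ^ k) ^ sbox1(e_bad ^ k) == out_diff}


def surviving_keys(pairs):
    """Discard every sub-key value that disagrees with any observed pair."""
    survivors = set(range(64))
    for e_good, e_bad, out_diff in pairs:
        survivors &= consistent_keys(e_good, e_bad, out_diff)
    return survivors


def simulate_pairs(secret_k, samples):
    """Constructed observations: (input, flipped bit) -> (good, bad, diff)."""
    pairs = []
    for x, bit in samples:
        x_bad = x ^ (1 << bit)          # single-bit fault in the S1 input
        diff = sbox1(x ^ secret_k) ^ sbox1(x_bad ^ secret_k)
        pairs.append((x, x_bad, diff))
    return pairs
```

A single pair can never separate a sub-key value k from k XOR (input difference), because both give the same two S box inputs in swapped order; pairs with different fault positions are needed to narrow the set further.
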
If the faults occur in round 15, we can gain information on the key bits entering more than two S boxes in the last round: the difference of the right half of the ciphertext equals the output difference of the F function of round 15. We guess the single bit fault in round 15, and verify whether it can cause the expected output difference, and also verify whether the difference of the right half of the ciphertext can cause the expected difference in the output of the F function in the last round (i.e., the difference of the left half of the ciphertext XOR the fault). If successful, we can discard possible key values in the last round, according to the expected differences. We can also analyze the faults in round 14 in a similar way.

We use counting methods in order to find the key. In this case, we count for each S box separately, and increase the counter by one for any pair which suggests the six-bit key value by at least one of its possible faults in either round 14, 15, or 16.

This attack finds the last sub-key. Once this sub-key is known, we can proceed in two ways. We can use the fact that this sub-key contains 48 out of the 56 key bits in order to guess the missing 8 bits in all the possible $2^8 = 256$ ways. Alternatively, we can use our knowledge of the last sub-key to peel off the last round (and remove faults that we already identified), and analyze the preceding rounds with the same data using the same attack. This latter approach makes it possible to attack triple DES (with 168 bit keys), or DES with independent subkeys (with 768 bit keys). [5]

3.2. Differential Fault Analysis on RSA

Direct attacks on the famous RSA cryptosystem seem to require factoring the modulus. The attack on the RSA algorithm is as follows. Let n be the product of two primes p and q in RSA, e the public exponent, which is publicly known, and d the private exponent stored inside the tamperproof device. Let M be a plaintext; then the corresponding ciphertext is $C = M^e \bmod n$.
Denote the binary representation of the private exponent as

$d = d(t-1) \,|\, d(t-2) \,|\, \ldots \,|\, d(i) \,|\, \ldots \,|\, d(1) \,|\, d(0)$,

where d(i), which takes the value 1 or 0, is the i-th bit, t is the number of bits of d, and x|y denotes the concatenation of x and y. Further, we denote

$C(0) = C,\quad C(1) = C^{2} \bmod n,\quad C(2) = C^{2^2} \bmod n,\quad \ldots,\quad C(t-1) = C^{2^{t-1}} \bmod n.$

Given C and d, the corresponding plaintext M can be expressed as

$M = C(t-1)^{d(t-1)} \, C(t-2)^{d(t-2)} \cdots C(i)^{d(i)} \cdots C(1)^{d(1)} \, C(0)^{d(0)} \bmod n.$

Attack 1: Suppose that one bit in the binary representation of d is changed from 1 to 0 or vice versa, and that the faulty bit position is randomly located. An attacker arbitrarily chooses a plaintext M and computes the ciphertext C. He then applies external physical effects to the tamperproof device and at the same time asks the device to decrypt C. Assuming that d(i) is changed to its complement d(i)', the output of the device will be

$M' = C(t-1)^{d(t-1)} \, C(t-2)^{d(t-2)} \cdots C(i)^{d(i)'} \cdots C(1)^{d(1)} \, C(0)^{d(0)} \bmod n.$

Since he now possesses both M and M', he can compute

$M'/M = C(i)^{d(i)'} / C(i)^{d(i)} \bmod n.$

If $M'/M = 1/C(i) \bmod n$, then d(i) = 1, and if $M'/M = C(i) \bmod n$, then d(i) = 0. The attacker can pre-compute C(i) and 1/C(i) mod n for i = 0, 1, ..., t-1, and compare M'/M mod n to these values in order to determine one bit of d. He repeats the above process, using either the same plaintext/ciphertext pair or different plaintext/ciphertext pairs, until he finds enough information to obtain d.
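
The relation in Attack 1, simulated in software on a constructed toy key, as an added example that is not code from the paper. The fault is modelled by flipping one bit of d inside a hypothetical `device_decrypt`; `checked_decrypt` adds a re-encryption check before release, a standard countermeasure that this excerpt does not itself describe.

```python
# Constructed toy key from two small safe primes; far too small for real use.
P, Q, E = 1019, 1187, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent held by the "device"
T = D.bit_length()                    # t, the number of bits of d


def device_decrypt(c, flip_bit=None):
    """Simulated device: c^d mod n, optionally with one bit of d flipped."""
    d = D if flip_bit is None else D ^ (1 << flip_bit)
    return pow(c, d, N)


def analyse(c, m, m_faulty):
    """Return (i, d(i)) implied by one correct/faulty pair, or None."""
    ratio = m_faulty * pow(m, -1, N) % N      # M'/M mod n
    for i in range(T):
        c_i = pow(c, 1 << i, N)               # C(i) = C^(2^i) mod n
        if ratio == c_i:                      # bit was flipped 0 -> 1
            return i, 0
        if ratio == pow(c_i, -1, N):          # bit was flipped 1 -> 0
            return i, 1
    return None


def recover_exponent(c):
    """Rebuild d from faulty outputs covering every bit position."""
    m = device_decrypt(c)
    bits = {}
    for pos in range(T):      # stands in for random faults hitting each bit
        hit = analyse(c, m, device_decrypt(c, flip_bit=pos))
        if hit is not None:
            bits[hit[0]] = hit[1]
    return sum(bit << i for i, bit in bits.items())


def checked_decrypt(c, flip_bit=None):
    """Release the result only if re-encrypting it gives back c."""
    m = device_decrypt(c, flip_bit)
    return m if pow(m, E, N) == c else None
```

With the check in place every faulty result in this simulation is withheld, so no M' is available to compare against M.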



Publication date: 2005