Differential fault analysis: Difference between revisions

Content deleted Content added

Inline

Revision as of 21:33, 19 March 2023

Differential fault analysis (DFA) is a type of active side-channel attack in the field of cryptography, specifically cryptanalysis. The principle is to induce faults—unexpected environmental conditions—into cryptographic operations to reveal their internal states.

Principles

Taking a smartcard containing an embedded processor as an example, some unexpected environmental conditions it could experience include being subjected to high temperature, receiving unsupported supply voltage or current, being excessively overclocked, experiencing strong electric or magnetic fields, or even receiving ionizing radiation to influence the operation of the processor. When stressed like this, the processor may begin to output incorrect results due to physical data corruption, which may help a cryptanalyst deduce the instructions that the processor is running, or what the internal state of its data is.^[1]^[2]

For DES and Triple DES, about 200 single-flipped bits are necessary to obtain a secret key.^[3] DFA has also been applied successfully to the AES cipher.^[4]

Many countermeasures have been proposed to defend from these kinds of attacks. Most of them are based on error detection schemes.^[5]^[6]

Fault injection

A fault injection attack involves stressing the transistors responsible for encryption tasks to generate faults that will then be used as input for analysis. The stress can be an electromagnetic pulse (EM pulse or laser pulse).

Practical fault injection consists of using an electromagnetic probe connected to a pulser or a laser generating a disturbance of a similar length to the processor's cycle time (of the order of a nanosecond). The energy transferred to the chip may be sufficient to burn out certain components of the chip, so the voltage of the pulser (a few hundred volts) and the positioning of the probe must be finely calibrated. For greater precision, the chips are often decapsulated (chemically eroded to expose the bare silicon).^[7]

References

^ Eli Biham, Adi Shamir: The next Stage of Differential Fault Analysis: How to break completely unknown cryptosystems (1996)
^ Dan Boneh and Richard A. DeMillo and Richard J. Lipton: On the Importance of Checking Cryptographic Protocols for Faults, Eurocrypt (1997)
^ Ramesh Karri, et al.: Fault-Based Side-Channel Cryptanalysis Tolerant Rijndael Symmetric Block Cipher Architecture (2002)
^ Christophe Giraud: DFA on AES (2005)
^ Xiaofei Guo, et al.: Invariance-based Concurrent Error Detection for Advanced Encryption Standard (2012)
^ Rauzy and Guilley: Countermeasures against High-Order Fault-Injection Attacks on CRT-RSA (2014) (Open Access version)
^ "Fault Injection". eshard.com. 2021-11-01. Retrieved 2021-11-23.

This cryptography-related article is a stub. You can help Wikipedia by expanding it.

[1] Eli Biham, Adi Shamir: The next Stage of Differential Fault Analysis: How to break completely unknown cryptosystems (1996)

[2] Dan Boneh and Richard A. DeMillo and Richard J. Lipton: On the Importance of Checking Cryptographic Protocols for Faults, Eurocrypt (1997)

[3] Ramesh Karri, et al.: Fault-Based Side-Channel Cryptanalysis Tolerant Rijndael Symmetric Block Cipher Architecture (2002)

[4] Christophe Giraud: DFA on AES (2005)

[5] Xiaofei Guo, et al.: Invariance-based Concurrent Error Detection for Advanced Encryption Standard (2012)

[6] Rauzy and Guilley: Countermeasures against High-Order Fault-Injection Attacks on CRT-RSA (2014) (Open Access version)

[7] "Fault Injection". eshard.com. 2021-11-01. Retrieved 2021-11-23.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

@@ Line 1: / Line 1: @@
 {{Short description|Type of active side channel attack}}
-'''Differential fault analysis''' (DFA) is a type of active [[side-channel attack]] in the field of [[cryptography]], specifically [[cryptanalysis]]. The principle is to induce ''faults''—unexpected environmental conditions—into cryptographic operations, to reveal their internal states.
+'''Differential fault analysis''' (DFA) is a type of active [[side-channel attack]] in the field of [[cryptography]], specifically [[cryptanalysis]]. The principle is to induce ''faults''—unexpected environmental conditions—into cryptographic operations to reveal their internal states.
 == Principles ==
-If we take a [[smartcard]] containing an embedded [[secure cryptoprocessor|processor]] as an example, we can think it might be subjected to high temperature, unsupported [[power supply|supply voltage or current]], excessively high [[overclocking]], strong [[electric field|electric]] or [[magnetic field]]s, or even [[ionizing radiation]] to influence the operation of the processor. When stressed like this, the processor may begin to output incorrect results due to physical [[data corruption]], which may help a [[cryptanalyst]] deduce the instructions that the processor is running, or what its internal data state is.<ref>Eli Biham, Adi Shamir: The next Stage of Differential Fault Analysis: How to break completely unknown cryptosystems (1996)</ref><ref>Dan Boneh and Richard A. DeMillo and Richard J. Lipton: On the Importance of Checking Cryptographic Protocols for Faults, Eurocrypt (1997)</ref>
+Taking a [[smartcard]] containing an embedded [[secure cryptoprocessor|processor]] as an example, some unexpected environmental conditions it could experience include being subjected to high temperature, receiving unsupported [[power supply|supply voltage or current]], being excessively [[overclocking|overclocked]], experiencing strong [[electric field|electric]] or [[magnetic field]]s, or even receiving [[ionizing radiation]] to influence the operation of the processor. When stressed like this, the processor may begin to output incorrect results due to physical [[data corruption]], which may help a [[cryptanalyst]] deduce the instructions that the processor is running, or what the internal state of its data is.<ref>Eli Biham, Adi Shamir: The next Stage of Differential Fault Analysis: How to break completely unknown cryptosystems (1996)</ref><ref>Dan Boneh and Richard A. DeMillo and Richard J. Lipton: On the Importance of Checking Cryptographic Protocols for Faults, Eurocrypt (1997)</ref>
-For [[Data Encryption Standard|DES]] and [[Triple DES]], about 200 single-flipped bits are necessary to obtain a secret [[key (cryptography)|key]].<ref>Ramesh Karri, et al.: Fault-Based Side-Channel Cryptanalysis Tolerant Rijndael Symmetric Block Cipher Architecture (2002)</ref> DFA was also applied successfully to the [[Advanced Encryption Standard|AES]] cipher.<ref>Christophe Giraud: DFA on AES (2005)</ref>
+For [[Data Encryption Standard|DES]] and [[Triple DES]], about 200 single-flipped bits are necessary to obtain a secret [[key (cryptography)|key]].<ref>Ramesh Karri, et al.: Fault-Based Side-Channel Cryptanalysis Tolerant Rijndael Symmetric Block Cipher Architecture (2002)</ref> DFA has also been applied successfully to the [[Advanced Encryption Standard|AES]] cipher.<ref>Christophe Giraud: DFA on AES (2005)</ref>
-Many countermeasures have been proposed to defend from this kind of attacks. Most of them are based on error detection schemes.<ref>Xiaofei Guo, et al.: [http://dl.acm.org/citation.cfm?id=2228463 Invariance-based Concurrent Error Detection for Advanced Encryption Standard] (2012)</ref><ref>Rauzy and Guilley: [http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=6976633 Countermeasures against High-Order Fault-Injection Attacks on CRT-RSA] (2014) ([https://eprint.iacr.org/2014/559 Open Access version])</ref>
+Many countermeasures have been proposed to defend from these kinds of attacks. Most of them are based on error detection schemes.<ref>Xiaofei Guo, et al.: [http://dl.acm.org/citation.cfm?id=2228463 Invariance-based Concurrent Error Detection for Advanced Encryption Standard] (2012)</ref><ref>Rauzy and Guilley: [http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=6976633 Countermeasures against High-Order Fault-Injection Attacks on CRT-RSA] (2014) ([https://eprint.iacr.org/2014/559 Open Access version])</ref>
 == Fault injection ==
-The fault injection attack consists of stressing the transistors responsible for encryption tasks, to generate a fault that will then be used as DFA input. The perturbation element can be an electromagnetic pulse (EM pulse or laser pulse).
+A fault injection attack involves stressing the [[Transistor|transistors]] responsible for [[encryption]] tasks to generate faults that will then be used as input for analysis. The stress can be an electromagnetic pulse (EM pulse or [[laser]] pulse).
-So the fault injection consists of using an electromagnetic probe connected to a pulser or a laser generating a disturbance of the order of the processor cycle time (of the order of a nanosecond). The energy transferred to the chip may be sufficient to burn out certain components of the chip, so the voltage of the pulser (a few hundred volts) and the positioning of the probe must be finely calibrated. For greater precision, the chips are often decapsulated (chemically eroded to expose the bare silicon).<ref> {{cite web |url=https://eshard.com/fault-injection |title=Fault Injection |date=2021-11-01 |website=eshard.com |access-date=2021-11-23}} </ref>
+Practical fault injection consists of using an electromagnetic probe connected to a pulser or a laser generating a disturbance of a similar length to the processor's [[Clock rate|cycle time]] (of the order of a nanosecond). The energy transferred to the chip may be sufficient to burn out certain components of the chip, so the voltage of the pulser (a few hundred volts) and the positioning of the probe must be finely calibrated. For greater precision, the chips are often decapsulated (chemically eroded to expose the bare silicon).<ref> {{cite web |url=https://eshard.com/fault-injection |title=Fault Injection |date=2021-11-01 |website=eshard.com |access-date=2021-11-23}} </ref>
 ==References==