Département SAS Équipe mixte CEA-LETI/ENSMSE Site Georges Charpak Centre Microélectronique de Provence 880, route de Mimet 13541 Gardanne
ReCoSoC’2010
Jean-Baptiste Rigaud, Jean-Max Dutertre, Michel Agoyan, Bruno Robisson, Assia Tria
Experimental Fault Injection based on the Prototyping of an AES Cryptosystem
5th International Workshop on Reconfigurable Communication-centric Systems on Chip
Outline
• Introduction.
  • Course Overview
• Attacked Circuit : AES Cryptosystem.
  • Algorithm and design
  • Prototyping of AES on SPARTAN-3
• Design and use of an FPGA-based attack platform.
  • Fault Injection Principle (digital IC timing constraints)
  • Experimental Results
• Conclusion.

Course overview
Master students in Microelectronics Design
• Cryptography
• Secured Circuits
Application of academic courses
• VHDL
• Design Methodology
• FPGA Prototyping
Two parts
• 128 bit AES design : Spartan 3
• Fault injection platform : Virtex 5
• Cryptography
• Security of IC

Cryptography
Why Cryptography?
• Confidentiality
• Authentication
• Integrity
• Non repudiation
Tools for cryptography
• Secret key scheme
• Public/private keys scheme
• Hash function
[Figure: Plain text, Ciphering, Cipher text, Deciphering, Plain text]
Applications
• Credit card, mobile phone, pay TV, secured internet, etc.

AES cryptosystem
Advanced Encryption Standard
• NIST 2001
• Key length : 128 bits
A good example for teaching IC design
• Data path and key expander synchronization
• Sbox modeling

AES Block diagram
• Hash functions
Area
• 20 S-boxes
Timing constraints
• Nominal clock frequency : 100 MHz
• 11 clock cycles / ciphering
External control
• Clock pin
• Start signal

AES Test environment
Xilinx Spartan 3 evaluation board
• Serial Link
• Simple control commands
• Automatic Test Generation (Perl)
• On the fly comparison with the expected result (OpenSSL AES library)
Why FPGA target ?
• Education purposes
• Faster integration
• Easier fault injection due to long interconnection delays

Design and Use of an FPGA-based Attack Platform
• Theoretical work.
  • Short overview of Differential Fault Attacks.
  • Digital IC timing constraints (as a fault injection means).
  • A Delay Locked Loop based attack platform.
• Laboratory work.
  • Synthesis of the attack platform.
  • Experimental results.

Differential Fault Attack
Disturb the ciphering process through unusual environmental conditions.
→ retrieve information on the encryption process (i.e. information leakage)
[Figure: key K, message M, ciphertext C; correct and faulty cipher text]
Differential Fault Attack = comparison between correct and faulty cipher texts
Strong requirements :
• control of the fault size (bit or byte level),
• target a given round (and only it).

Digital IC timing constraint
Synchronous IC principle (reminder)
Data are captured on the clock’s rising edge
Time between two rising edges (i.e. clock period) depends on the propagation delay
[Figure: two D flip-flop stages, Dffi and Dffi+1, separated by combinational logic and sharing clk; data bus labels n-1 and m-1; propagation delay marked]

Digital IC timing constraint
[Figure: two D flip-flop stages, Dffi and Dffi+1, separated by combinational logic and sharing clk; data bus labels n and m; Dclk→Q, DpMax and Tclk + Tskew - δsu marked]
data required time = Tclk + Tskew - δsu
data arrival time = Dclk→Q + DpMax
Tclk > Dclk→Q + DpMax - Tskew + δsu
Violating this timing constraint results in fault injection.

Digital IC timing constraint
Fault location - Propagation delay
outputs = f (inputs), f logical function
each Di has its own propagation delay
Propagation times depend on :
• the logical states ( 0 / 1 ) → the propagation delay changes with the inputs
• the power supply voltage
• the temperature
→ allows the fault location to be changed
Fault location : where delay Di > Tclk – setup time
[Figure: combinational logic with n inputs and m outputs D0, D1, ..., Dm-1, each with its own delay]

Fault injection by setup time violation
Fault injection - Over clocking
A well known approach: decreasing the clock period until faults appear by setup time violation
[Figure: clk with period Tclk and over-clocked clk’; labels: propagation delay + setup time, fault]
drawback : faults are injected at each clock cycle, no timing control

Fault injection by setup time violation
Fault injection – Local over clocking
Setup time violation by modifying one clock cycle
fault injection cycle choice
fault-nature fine tuning through Δ fine control (one-bit, two-bits faults)
Experiment : Tclk = 10 ns, δt variation step = 35 ps (≈ 300 steps @ 100 MHz)
[Figure: clk with period Tclk and clk’ with one cycle shortened to Tclk - Δ, compared with DpMax + δsu]

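The timing constraint and the 35 ps local over-clocking sweep described above, as an added example that is not part of the original slides: a toy Python model that reports which output bits miss the setup window as one clock cycle is shortened. The per-bit delays and the clock-to-Q, setup and skew values are constructed, not measurements of the Spartan-3 design.

```python
# Added example (not from the slides): toy model of the setup-time constraint.
STEP_PS = 35        # delta-t variation step quoted on the slide
TCLK_PS = 10_000    # nominal clock period at 100 MHz

# Constructed per-output-bit propagation delays Di (ps) for one 8-bit slice.
DELAYS_PS = [6200, 6900, 5400, 7000, 6600, 5000, 6950, 5800]
D_CLK2Q_PS, SETUP_PS, SKEW_PS = 150, 100, 0   # constructed values


def min_period(delays, clk2q=D_CLK2Q_PS, setup=SETUP_PS, skew=SKEW_PS):
    """Bound of the constraint: Tclk > Dclk->Q + DpMax - Tskew + setup."""
    return clk2q + max(delays) - skew + setup


def violating_bits(delays, period, clk2q=D_CLK2Q_PS, setup=SETUP_PS, skew=SKEW_PS):
    """Indices of bits whose data arrival time reaches the data required time."""
    required = period + skew - setup            # Tclk + Tskew - setup
    return [i for i, d in enumerate(delays) if clk2q + d >= required]


def sweep(delays, max_steps=200):
    """Shorten one cycle to Tclk - n*35 ps; log each change of the violated set."""
    events, previous = [], []
    for n in range(max_steps + 1):
        period = TCLK_PS - n * STEP_PS
        bits = violating_bits(delays, period)
        if bits != previous:
            events.append((n, period, bits))
            previous = bits
    return events


if __name__ == "__main__":
    print("constraint bound:", min_period(DELAYS_PS), "ps")
    for n, period, bits in sweep(DELAYS_PS)[:4]:
        print(f"step {n:3d}  Tclk-delta={period} ps  late bits={bits}")
```

In this model the bit with the longest delay is the first to be captured late, and further 35 ps steps add the next-slowest bits one at a time.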
A DLL-based Attack Platform
Fault injection – Local over clocking (cont’d)
clk’ generation : use of an on chip Delay Locked Loop (Xilinx Virtex-5).
All digital, easy to implement.
[Figure: timing diagram of clk and clk’ with periods Tclk and Tclk - Δ; labels: clk ↑, clk ↓, Δ, Δ/2]

Synthesis of the attack platform
[Figure, shown for Δ = 0, 20 x 35 ps, 40 x 35 ps, 60 x 35 ps, 80 x 35 ps and 100 x 35 ps]

Fault injection experiments
Experimental setup
[Figure: experimental setup with a clock generation board and an AES board; labels: clock, trigger, COM serial, COM serial]

Fault injection experiments
Controllability of faults’ nature and location.
Targeting the final round of the AES
direct reading of the injected faults (by XORing a correct and faulty ciphertext)
Test campaign pseudo-code :
send the key K and the plaintext T to the test chip
Δ ← 0
Note that faults are located in the encryption data path (longest propagation delay).

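The direct reading of faults by XORing a correct and a faulty ciphertext, as an added example that is not part of the original slides: a Python classifier that returns the fault class used in the results legend and the affected byte indices. The reference block, the faulty variants, the periods and the helper names are constructed for illustration, and deciding the class from the total number of flipped bits in the block is an assumption.

```python
# Added example (not from the slides): classify one fault from C xor C'.
def classify_fault(correct: bytes, faulty: bytes):
    """Return (label, [(byte_index, flipped_bits), ...]) for one AES-128 block."""
    if len(correct) != 16 or len(faulty) != 16:
        raise ValueError("expected two 16-byte ciphertext blocks")
    diff = bytes(a ^ b for a, b in zip(correct, faulty))
    hits = [(i, bin(d).count("1")) for i, d in enumerate(diff) if d]
    total = sum(count for _, count in hits)
    # Assumption: the class is decided by the number of flipped bits in the block.
    labels = {0: "no fault", 1: "one-bit fault", 2: "two-bits fault"}
    return labels.get(total, "other fault"), hits


def flip(block: bytes, byte_index: int, mask: int) -> bytes:
    """Build a constructed 'faulty' block by XORing mask into one byte."""
    out = bytearray(block)
    out[byte_index] ^= mask
    return bytes(out)


def first_fault_period(campaign):
    """campaign: [(period_ps, correct, faulty)]; largest period showing a fault."""
    faulty = [p for p, c, f in campaign if classify_fault(c, f)[0] != "no fault"]
    return max(faulty) if faulty else None


# Constructed sample data: a reference block and hand-made faulty variants.
REF = bytes.fromhex("3925841d02dc09fbdc118597196a0b32")
CAMPAIGN = [
    (7400, REF, REF),
    (7300, REF, flip(REF, 6, 0x01)),
    (6500, REF, flip(REF, 6, 0x03)),
    (5300, REF, flip(flip(REF, 6, 0x07), 3, 0x10)),
]

if __name__ == "__main__":
    for period, c, f in CAMPAIGN:
        print(period, *classify_fault(c, f))
    print("first fault at", first_fault_period(CAMPAIGN), "ps")
```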
Experimental results
Target : final round (fclk, nom = 100 MHz)
Step by step Tclk decrease (δt = 35 ps)
[Figure: fault type per byte index (0 to 15) as Tclk - Δ decreases; legend: No fault, One-bit fault, Two-bits fault, Other fault; labels: Byte nb. 6, D0 to D7, Single bit fault, 2 faulted bits, 3 faulted bits; marked values: Tclk = 10000 ps (No fault), 7340 ps, 5240 ps, 350 ps]

Experimental results
Location control : plaintext variation
Same key, different plaintext
[Figure: two panels, Byte nb. 3 and Byte nb. 13, showing fault type per byte index (0 to 15); legend: No fault, One-bit fault, Two-bits fault, Other fault; marked values: 7585 ps, 7340 ps, 5485 ps, 5240 ps, 350 ps]

Experimental results
Fault injection based on power supply decrease.
VDD DpMax (Dclk→Q, δsu, Tskew)
Tclk < Dclk→Q + DpMax - Tskew + δsu (at nominal frequency)
[Figure: combinational logic with n inputs and m outputs D0, D1, ..., Dm-1; Tclk compared with DpMax + δsu + slack and with DpMax + δsu]

Experimental results
Fault injection based on power supply decrease.
[Figure: critical time (picoseconds) as a function of VDD, with Tclk marked]
1st fault at 1,07 V

Experimental results
Temperature increase (at nominal frequency)
DpMax (Dclk→Q, δsu, Tskew)
1st fault at 210 °C

Conclusion
An ambitious two in one course (Master or PhD students).
FPGA : a well suited target.
Achievements:
• Design methodology on a concrete programmable device,
• Development of a complete test environment (serial interface, command scripts),
• Implementation of the AES standard,
• Review of timing constraints and critical path issues,
• Design of a DLL-based attack platform,
• Practice of fault attacks,
• Awareness of hardware security.