Département SAS Équipe mixte CEA-LETI/ENSMSE Site Georges Charpak Centre Microélectronique de Provence 880, route de Mimet 13541 Gardanne

ReCoSoC’2010

Jean- Baptiste Rigaud Jean-Max Dutertre Michel Agoyan Bruno Robisson Assia Tria

Experimental Fault Injection based on the Prototyping of an AES Cryptosystem

5th International Workshop on Reconfigurable Communication-centric Systems on Chip

!  Introduction. "  Course Overview

!  Design and use of an FPGA-based attack platform. "  Fault Injection Principle (digital IC timing constraints)

"  Experimental Results

!  Conclusion.

1 / 24

!  Attacked Circuit : AES Cryptosystem. "  Algorithm and design "  Prototyping of AES on SPARTAN-3

Outline

Master students in Microelectronics Design •  Cryptography

•  Secured Circuits

Application of academics courses •  VHDL

•  Design Methodology

•  FPGA Prototyping

Two parts •  128 bit AES design : Spartan 3

•  Injection fault platform : Virtex 5

•  Cryptography

•  Security of IC

Course overview

2 / 24

Why Cryptography? •  Confidentiality

•  Authentification

Tools for cryptography •  Secret key scheme

•  Public/private keys scheme

•  Hash function

•  Integrity

•  Non repudiation

Plain text

Cyphering Decyphering

Cyper text Plain text

Cryptography

Applications •  Credit card, mobile phone, pay TV, secured internet, etc.

3 / 24

Advanced Encryption Standard

•  NIST 2001

•  Key length : 128 bits

A good example for teaching IC design

•  Data path and keyexpander synchronization

•  Sbox modeling

AES cryptosystem

4 / 24

•  Hash functions Area

•  20 S-boxes

Timing constraints

•  Nominal clock frequency : 100 MHz

•  11 clock cycles / ciphering

External control

•  Clock pin

•  Start signal

AES Block diagram

5 / 24

Xilinx Spartan 3 evaluation board •  Serial Link

•  Simple control commands

•  Automatic Test Generation (Perl)

•  On the fly comparison of expected result (Open ssl' AES library)

Why FPGA target ? •  Education purposes

•  Faster integration •  Easier fault injection due to long interconnection delays

AES Test environment

6 / 24

Design and Use of an FPGA-based Attack Platform

"  Digital IC timing constraints (as a fault injection means).

"  A Delay Locked Loop based attack platform.

!  Theoretical work.

"  Short overview of Differential Fault Attacks.

"  Experimental results.

!  Laboratory work.

"  Synthesis of the attack platform.

7 / 24

Differential Fault Attack

K M C

0110010101100001 010110000110011

110101000101101

Faulty cipher text

Disturb the ciphering process through unusual environmental conditions.

retrieve information on the encryption process (i.e. information leakage)

Differential Fault Attack = comparison between correct and faulty cipher texts

Strong requirements : •  control of the fault size (bit or byte level),

•  target a given round (and only it).

8 / 24

"  Synchronous IC principle (reminder)

Data are captured on the clock’s rising edge

Time between two rising edges (i.e. clock period) depends on the propagation delay

D Q D Q

Combinational logic

clk

data 1 1 1 1

propagation delay

Dffi Dffi+1

n-1 m-1

Digital IC timing constraint

9 / 24

D Q D Q

Logique

conbinatoire

clk

data 1 1 1 1

Dffi Dffi+1

n m

Dclk#Q

DpMax

Tclk + Tskew - δsu

data required time = Tclk + Tskew - δsu

data arrival time = Dclk#Q + DpMax

Tclk > Dclk!Q + DpMax - Tskew + δsu

Digital IC timing constraint

Violating this timing constraint results in fault injection.

10 / 24

outputs = f (inputs)

each Di had its own propagation delay

f logical function

•  the logical states ( 0 / 1 ) → the propagation delay changes with the inputs

Propagation times depend on :

•  the power supply voltage

•  the temperature

Fault location - Propagation delay

n

delay

m

D0

D1

Dm-1

Combinational logic

inputs outputs

allow to change the fault location

Fault location : where delayDi > Tclk – setup time

Digital IC timing constraint

11 / 24

"  Fault injection - Over clocking A well known approach decreasing the clock period until faults appear by setup time violation

clk

Tclk

Tclk fault

clk’

drawback : faults are injected at each clock cycle

Fault injection by setup time violation

propagation delay + setup time

drawback : faults are injected at each clock cycle

no timing control

12 / 24

"  Fault injection – Local over clocking

clk

Tclk

Tclk - Δ

Setup time violation by modifying one clock cycle

fault injection cycle choice

fault-nature fine tuning through Δ fine control

δt variation step = 35 ps Experiment Tclk = 10 ns

clk’

(one-bit, two-bits faults)

Fault injection by setup time violation

≈ 300 steps @ 100 MHz

DpMax + δsu

13 / 24

clk’ generation : use of an on chip Delay Locked Loop (Xilinx Virtex-5).

"  Fault injection – Local over clocking (cont’d)

A DLL-based Attack Platform

clk

clk’

Tclk - Δ

Tclk

14 / 24

clk’ generation : use of an on chip Delay Locked Loop (Xilinx Virtex-5).

"  Fault injection – Local over clocking (cont’d)

clk

clk’

Tclk - Δ

clk ↓

Tclk

Δ/2

A DLL-based Attack Platform

14 / 24

clk’ generation : use of an on chip Delay Locked Loop (Xilinx Virtex-5).

clk

clk’

Tclk - Δ

Tclk

clk ↑

clk ↓

"  Fault injection – Local over clocking (cont’d)

All digital, easy to implement.

Δ

A DLL-based Attack Platform

14 / 24

Δ = 0

Synthesis of the attack platform

15 / 24

Δ = 20 x 35 ps

Synthesis of the attack platform

15 / 24

Δ = 40 x 35 ps

Synthesis of the attack platform

15 / 24

Δ = 60 x 35 ps

Synthesis of the attack platform

15 / 24

Δ = 80 x 35 ps

Synthesis of the attack platform

15 / 24

Δ = 100 x 35 ps

Synthesis of the attack platform

15 / 24

"  Experimental setup

Fault injection experiments

clock

trigger

COM serial

COM serial

board AES

board

Clock generation

16 / 24

"  Controllability of faults’ nature and location.

send the key K and the plaintext T to the test chip Δ ← 0

Targeting the final round of the AES

direct reading of the injected faults (by XORing a correct and faulty ciphertext)

Test campaign pseudo-code :

Fault injection experiments

Note that faults are located in the encryption data path (longest propagation delay).

17 / 24

Experimental results

No fault One-bit fault Two-bits fault Other fault

Target : final round (fclk, nom = 100 MHz)

Step by step Tclk decrease (δt = 35 ps)

D0 D1

D2

D3

Tclk = 10000 ps

No fault D4

D5

D6

D7

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

350ps

Byte

ind

ex

Byte

nb.

6

Single bit fault 2 faulted bits 3 faulted bits

Tclk-Δ Tclk-Δ

0

7340ps 5240ps Tclk - Δ

18 / 24

14

Experimental results

Location control : plaintext variation

5485ps

7340ps 5240ps 350ps

7585ps

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

No fault One-bit fault Two-bits fault Other fault

Same key Different plaintext

Byte nb. 3

Byte nb. 13

1 2 3 4 5 6 7 8 9 10 11 12 13

15

Byte

ind

ex

0

0

Byte

ind

ex

19 / 24

"  Fault injection based on power supply decrease.

VDD DpMax ( Dclk!Q, δsu, &Tskew & )

Tclk < Dclk!Q + DpMax - Tskew + δsu

(at nominal frequency)

n m

D0

D1

Dm-1

Tclk

Logique

inputs

DpMax + δsu + slack

n m

D0

D1

Dm-1

m

D0

D1

Dm-1 outputs m

D0

D1

Dm-1 logic Combinational

DpMax + δsu

outputs

Experimental results

logic Combinational

20 / 24

pico

seco

nds

Critical time as a function of VDD

Tclk

1st fault at 1,07 V

Experimental results

"  Fault injection based on power supply decrease.

21 / 24

"  Temperature increase (at nominal frequency)

Experimental results

22 / 24

DpMax ( Dclk!Q, δsu, &Tskew & )

1st fault at 210 °C

Experimental results

"  Temperature increase (at nominal frequency)

23 / 24

Conclusion

An ambitious two in one course (Master or PhD students).

"  Conclusion

Achievements: •  Design methodology on a concrete programmable device,

•  Development of a complete test environment (serial interface, command scripts),

•  Implementation of the AES standard,

•  Review of timing constraints and critical path issues,

•  Design of a DLL-based attack platform,

•  Practice of fault attacks,

•  Awareness of hardware security.

24 / 24

FPGA : a well suited target.