Defeating with Fault Injection a Combined Attack Resistant Exponentiation. Algorithm of Schmidt et al. Invariant. Idempotent element.
INVESTORS CORPORATE PRESENTATION PRESENTATION –– aSEPTEMBER DATE – Confidentiality 2012 Resistant level Exponentiation Defeating with Fault Injection Combined Attack
What is a combined attack? General principle
• Combines a fault attack with a leakage analysis
• Main goal: attack implementations resistant against fault and leakage analysis
• New implementations and new countermeasures often required
What is a combined attack? Example on L2R exponentiation
Add: classical fault checking mechanism
- inverse operation calculation or
- doubling the calculation to verify equality of both
What is a combined attack? Example on L2R exponentiation
[Figure: sequence of operations for 𝑑 = (101)₂, each one a multiplication M, with the steps for 𝑑𝑖 = 0 and 𝑑𝑖 = 1 marked]
No SPA leakage, only multiplications
What is a combined attack? Example on L2R exponentiation
Skip instruction
Suppose 𝑅[1] = 0
[Figure: multiplications M of a 𝑑𝑖 = 1 step]
What is a combined attack? Example on L2R exponentiation
[Figure: sequence of multiplications M for 𝑑 = (101)₂, with the steps for 𝑑𝑖 = 0 and 𝑑𝑖 = 1 marked]
The use of the faulted register 𝑅[1] is visible by SPA
What is a combined attack? History on asymmetric
• 2007: Attack on atomic left-to-right exponentiation ─ Amiel et al. (FDTC)
• 2010: Resistant algorithms for RSA and ECC ─ Schmidt et al. (LATINCRYPT)
• 2011: Attack on scalar multiplication ─ Fan et al. (CHES)
• 2012: Attack on prime generation ─ Vuillaume et al. (COSADE)
• 2013: Attack on RSA-CRT ─ Barbu et al. (PKC)
Agenda 1. What is a combined attack? 2. Algorithm of Schmidt et al. 3. Fault attack 1.
Fault attack On complete algorithm
• MSB part of 𝒅
[Figure: bit layout of $d + r_1 N$ and $d + r_1 \varphi(N)$ up to bit $t+\lambda-1$, with the positions $t$ and $t/2 + \lambda$ and the parts $r_1 N$, $d[u]$, $u$ and $d$ marked]
• Let $u \in [\,t/2 + \lambda,\ t\,]$
• Let $d[u] = \sum_{i=t-u}^{t+\lambda-1} 2^i \cdot d_i$ and $d = \sum_{i=0}^{t-u-1} 2^i \cdot d_i\, H(i \bmod W)$
• Approximation of 𝒅[𝒖]:
$$d[u] \approx \sum_{i=t-u}^{t+\lambda-1} 2^i \cdot (d + r_1 N)_i \approx d_{\text{known}} + \sum_{i=t-v-u}^{t-v-1} 2^i \cdot d_i + \sum_{i=t-v-u}^{t+\lambda-1} 2^i \cdot (r_1 N)_i + \text{carry}$$
Fault attack On complete algorithm
• MSB part of 𝒅
• Guesses on 𝒖 bits of 𝒅, 𝑾 bits of 𝑯 and 𝝀 bits of 𝒓𝟏
• Complete guessed exponent
• Validate guess by checking: $S_u \stackrel{?}{=} m^{d[u] + d} \bmod N$
Fault attack On complete algorithm
• LSB part of 𝒅
[Figure: bit layout of $d + r_1 N$ and $d + r_1 \varphi(N)$ up to bit $t+\lambda-1$, with the positions $t$ and $t/2 + \lambda$ and the parts $r_1 N$, $d[u]$, $u$ and $d$ marked]
• Let $u \in [\,0,\ t/2 + \lambda\,]$
• As previously, $d = \sum_{i=0}^{t/2+\lambda-u-1} 2^i \cdot H(i \bmod W)$
• Approximation of 𝒅[𝒖]:
$$d[u] \approx \sum_{i=t/2+\lambda-u}^{t+\lambda-1} 2^i \cdot (d + r_1 \varphi(N))_i \approx d_{\text{known}} + \sum_{i=t/2+\lambda-v-u}^{t/2+\lambda-v-1} 2^i \cdot \delta_i + \sum_{i=t/2+\lambda-v-u}^{t+\lambda-1} 2^i \cdot (r_1 N)_i + \text{carry}$$
with $\delta_i = (d - r_1 (p + q - 1))_i$
Fault attack On complete algorithm
• LSB part of 𝒅
• Guesses on 𝒖 bits of 𝒅, 𝑾 bits of 𝑯 and 𝝀 bits of 𝒓𝟏
• Complete guessed exponent
• Validate guess by checking: $S_u \stackrel{?}{=} m^{d[u] + d} \bmod N$
• Here, we recover 𝒖 bits of 𝜹 and not of 𝒅
• As 𝒅 and 𝒑 + 𝒒 − 𝟏 are fixed values between exponentiations
• We can retrieve 𝒅 by faulting multiple times at the instant 𝒖
Fault attack On complete algorithm
• Computational complexity: $\mathcal{C} = \mathcal{O}\left(\frac{2^{(u+W+\lambda)} \cdot t}{u}\right)$
• Number of faults: $\mathcal{F} = \mathcal{O}\left(\frac{t}{u}\right)$
• Size of 𝒓𝟐 does not impact the attack, only the size 𝑾
• Applicability of the attack depends on the size 𝝀 of 𝒓𝟏
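The decomposition behind the MSB and LSB approximations above, $d + r_1\varphi(N) = \delta + r_1 N$ with $\delta = d - r_1(p+q-1)$, checked numerically as an added example that is not part of the original slides. The 32-bit primes, the exponent e = 65537 and all function names are constructed for illustration.

```python
# Added illustration; all parameters below are constructed toy values.
import random

P = 4294967291            # 2**32 - 5, prime (toy size, constructed)
Q = 4294967279            # 2**32 - 17, prime (toy size, constructed)
N = P * Q
PHI = (P - 1) * (Q - 1)
T = N.bit_length()        # t: modulus bit length (64 here)
D = pow(65537, -1, PHI)   # private exponent d for e = 65537


def blind(d, r1):
    """Exponent blinding as on the slides: d + r1 * phi(N)."""
    return d + r1 * PHI


def delta(d, r1):
    """delta = d - r1 * (p + q - 1); may be negative."""
    return d - r1 * (P + Q - 1)


def high_part_gap(d, r1, lam):
    """Difference between the high bits of d + r1*N and of d + r1*phi(N).

    r1 * (p + q - 1) < 2**k with k = t/2 + lam + 1, so above bit k the two
    values differ by at most a borrow: the "+ carry" term of the slides.
    """
    k = T // 2 + lam + 1
    return ((d + r1 * N) >> k) - (blind(d, r1) >> k)


def survey(lam, runs=200, seed=1):
    """Check the decomposition for `runs` random lam-bit masks r1."""
    rng = random.Random(seed)
    gaps = set()
    for _ in range(runs):
        r1 = rng.getrandbits(lam) | 1
        # d + r1*phi(N) = delta + r1*N, exactly.
        assert blind(D, r1) == delta(D, r1) + r1 * N
        gaps.add(high_part_gap(D, r1, lam))
    return gaps


if __name__ == "__main__":
    for lam in (8, 16, 32):
        print(f"lambda={lam:2d}  high-part gaps seen: {sorted(survey(lam))}")
```

The high part of the blinded exponent is fixed by $d + r_1 N$ up to one borrow, so only the $\lambda$ bits of $r_1$ mask it, while the low part carries $\delta$, which changes with every $r_1$.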
Combined attack Fault injection and differential side-channel
Fault
Remove the exponent blinding:
- bypass (NOP) the call to this function or
- bypass the multiplication by 𝑟1
Combined attack Fault injection and differential side-channel
• Execute the calculation many times (𝒌) on the attacked device
─ At each execution 𝒊
  • Fault the execution of step 6
  • Acquire and store the side-channel trace 𝐶𝑖 of the exponentiation
─ Apply to these 𝒌 curves the differential analysis from Amiel et al.
  • Distinguishing multiplications from squaring operations – SAC 2008.
─ This allows recovery of the secret exponent 𝒅
• Attack success depends essentially on the feasibility of the fault injection on the attacked hardware
Combined attack Fault injection and template analysis
• Template pre-processing phase required on the attack device
─ Need to store many curves of
  • The squaring operation 𝑅0 × 𝑅0 with random values 𝑅0
  • The multiplication operation 𝑅0 × 𝑅1 with random values 𝑅0 and 𝑅1
• Execute the calculation many times (𝒖) on the attacked device
─ At each execution 𝒊
  • Fault the execution of step 6
  • Acquire and store the side-channel trace 𝐶𝑖 of the exponentiation
─ Apply to these 𝒖 curves the template analysis from Hanley et al.
  • Using templates to distinguish multiplications from squaring operations, International Journal of Information Security, 10, 2011.
─ This allows recovery of the secret exponent 𝒅
• Attack success depends essentially on the feasibility of the fault injection on the attacked hardware