## Effective Attacks from Ineffective Faults

## Maria Eichlseder

Includes results of joint works with Joan Daemen, Christoph Dobraunig, Hannes Groß, Thomas Korak, Stefan Mangard, Florian Mendel, Robert Primas

ISCwsISC, 22 February 2021

## Outline

- Introduction to Fault Attacks
  - Flipping Bits in Symmetric Crypto
  - A Detour to Differential Cryptanalysis
- Countermeasures
  - Error Detection \& Infection
  - Fault Attack Variants
  - Side-Channel Countermeasures
- Statistical Ineffective Fault Attacks
  - Why \& how SIFA works
  - SIFA against masked, redundant implementations
- Defending against SIFA
  - Criterion for SIFA resistance
  - A combined countermeasure


## Introduction to Fault Attacks


## Causing Faulty Computations

Extreme environmental conditions or targeted manipulations can cause errors in a processor's operation due to physical corruption. Examples:

- Very high temperature
- Unsupported supply voltage or current, voltage glitches
- Overclocking, clock glitches
- Excessive memory accesses
- Strong electric or magnetic fields
- Ionizing radiation
- Laser

## Possible Fault Effects

Fault effects in electronic devices have been studied at least since the 1950s, for example for radiation from nuclear testing:

- Long-term effects, e.g., cumulative effect of "Total Ionization Dose (TID)"
- Sudden effects, e.g., charged particle hits the circuit: "Single-Event Effects (SEE)"
  - Causing permanent damage (hard error), e.g., shorts between ground and power: "Single-Event Latch-ups (SEL)"
  - Causing temporary damage (soft error), e.g., transient pulse flips a bit in memory cell: "Single-Event Upsets (SEU)"

Some possible effects in processors:

- Flip a data bit
- Reset a data bit to 0
- Skip an instruction


## Scenario: Faulting a Block Cipher


- Multiple executions
- Get correct ciphertext $C$ and faulty ciphertext $C'$

## Differential Fault Attacks [BS97]

1. Obtain correct $C$ and faulty $C'$
2. Compute the difference $\Delta C = C \oplus C'$ and derive the output difference of S-box $\mathcal{S}$
3. For each possible guess of (parts of) the key $K$:
   - Partially decrypt $C, C'$ and check if the observed difference at the input of $\mathcal{S}$ matches the fault model
   - If not, reject key candidate
4. Repeat to further narrow down the keys


## A Detour to Differential Cryptanalysis

- One of the two most important cryptanalytic attacks for secret-key crypto (Biham and Shamir [BS90])
- Chosen-plaintext attack (no cheating with the implementation!)
- Main idea:
  1. Predict effect of plaintext difference $\Delta M = M \oplus M^{*}$ on ciphertext difference $\Delta C = C \oplus C^{*}$ without knowing the key $K$
  2. Use prediction as distinguisher to recover the key

## Differential Properties of S-boxes

$$
\Delta \mathrm{in}=8 \quad \rightarrow \quad \Delta \mathrm{out} \in\{3, \mathrm{a}, \mathrm{c}, \mathrm{d}\}
$$

| $x$ | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | a | b | c | d | e | f |
| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
| $\mathcal{S}(x)$ | 2 | 0 | 4 | 3 | 9 | 5 | 6 | 7 | 1 | d | e | f | a | 8 | c | b |

- Knowing the value tells us the difference
- Knowing the difference tells us (something about) the value:

$$
\text { solutions }(\Delta \mathrm{in}, \Delta \mathrm{out}):=\{x: \mathcal{S}(x \oplus \Delta \mathrm{in}) \oplus \mathcal{S}(x)=\Delta \mathrm{out}\}
$$

## Differential Distribution Table (DDT)

| $\mathrm{I} \backslash \mathrm{O}$ | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | a | b | c | d | e | f |
| :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: |
| 0 | 16 | - | - | - | - | - | - | - | - | - | - | - | - | - | - | - |
| 1 | - | 4 | 4 | - | - | - | - | 4 | - | - | - | - | 4 | - | - | - |
| 2 | - | - | 4 | 4 | - | - | 4 | - | - | - | - | - | - | - | - | 4 |
| 3 | - | 4 | - | 4 | 4 | - | - | - | - | - | - | - | - | - | 4 | - |
| 4 | - | - | 4 | - | 4 | 4 | - | - | - | - | - | 4 | - | - | - | - |
| 5 | - | - | - | 4 | - | 4 | - | 4 | - | 4 | - | - | - | - | - | - |
| 6 | - | - | - | - | 4 | - | 4 | 4 | - | - | - | - | - | 4 | - | - |
| 7 | - | 4 | - | - | - | 4 | 4 | - | - | - | 4 | - | - | - | - | - |
| 8 | - | - | - | 4 | - | - | - | - | - | - | 4 | - | 4 | 4 | - | - |
| 9 | - | 4 | - | - | - | - | - | - | - | - | - | 4 | - | 4 | - | 4 |
| a | - | - | - | - | - | 4 | - | - | - | - | - | - | 4 | - | 4 | 4 |
| b | - | - | 4 | - | - | - | - | - | - | 4 | - | - | - | 4 | 4 | - |
| c | - | - | - | - | - | - | - | - | 16 | - | - | - | - | - | - | - |
| d | - | - | - | - | 4 | - | - | - | - | 4 | 4 | - | - | - | - | 4 |
| e | - | - | - | - | - | - | - | 4 | - | - | 4 | 4 | - | - | 4 | - |
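
The DDT above and the key-filtering step of the DFA procedure can be reproduced directly from the S-box table. The following is an added example, not part of the talk: the one-S-box "last round" $C = \mathcal{S}(x) \oplus K$, the key `0x6` and the chosen inputs are constructed for illustration.

```python
# Added example (not from the slides): DDT of the slides' 4-bit S-box and
# DFA-style key filtering on a constructed one-S-box "last round".

SBOX = [0x2, 0x0, 0x4, 0x3, 0x9, 0x5, 0x6, 0x7,
        0x1, 0xD, 0xE, 0xF, 0xA, 0x8, 0xC, 0xB]   # S(x) table from the slides
INV_SBOX = [SBOX.index(y) for y in range(16)]


def ddt(sbox):
    """ddt[din][dout] = number of x with S(x ^ din) ^ S(x) == dout."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for din in range(n):
        for x in range(n):
            table[din][sbox[x ^ din] ^ sbox[x]] += 1
    return table


def solutions(din, dout, sbox=SBOX):
    """The set solutions(din, dout) as defined on the slide."""
    return {x for x in range(len(sbox)) if sbox[x ^ din] ^ sbox[x] == dout}


def toy_last_round(x, key, fault_delta=0):
    """Hypothetical last round C = S(x ^ fault) ^ K (assumption of this example)."""
    return SBOX[x ^ fault_delta] ^ key


def surviving_keys(pairs, fault_delta):
    """DFA step 3: keep the key guesses whose partial decryption of (C, C')
    shows exactly the S-box input difference predicted by the fault model."""
    keys = set(range(16))
    for c, c_faulty in pairs:
        keys = {k for k in keys
                if INV_SBOX[c ^ k] ^ INV_SBOX[c_faulty ^ k] == fault_delta}
    return keys


def demo(secret_key=0x6, fault_delta=0x8, inputs=(0x0, 0x1, 0x2)):
    """Return the sorted candidate set after each (C, C') pair (constructed values)."""
    pairs, history = [], []
    for x in inputs:
        pairs.append((toy_last_round(x, secret_key),
                      toy_last_round(x, secret_key, fault_delta)))
        history.append(sorted(surviving_keys(pairs, fault_delta)))
    return history


if __name__ == "__main__":
    table = ddt(SBOX)
    print("DDT row 8:", table[0x8])
    print("solutions(8, 3):", sorted(solutions(0x8, 0x3)))
    for i, keys in enumerate(demo(), 1):
        print(f"after {i} pair(s):", [hex(k) for k in keys])
    # The first pair leaves DDT[8][dC] = 4 candidates. The guesses k and k ^ 8
    # always survive together: DDT[c][8] = 16 means S(x ^ c) = S(x) ^ 8 for
    # every x, so this difference test cannot tell them apart.
```
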

## Design of AES [DR02] - Round Function (10 or 12 or 14 Rounds)



1. SubBytes (SB)
2. ShiftRows (SR)
3. MixColumns (MC)
4. AddRoundKey (AK)

$$
\begin{pmatrix}
a_{00} & a_{01} & a_{02} & a_{03} \\
a_{10} & a_{11} & a_{12} & a_{13} \\
a_{20} & a_{21} & a_{22} & a_{23} \\
a_{30} & a_{31} & a_{32} & a_{33}
\end{pmatrix}
+
\begin{pmatrix}
k_{00} & k_{01} & k_{02} & k_{03} \\
k_{10} & k_{11} & k_{12} & k_{13} \\
k_{20} & k_{21} & k_{22} & k_{23} \\
k_{30} & k_{31} & k_{32} & k_{33}
\end{pmatrix}
=
\begin{pmatrix}
b_{00} & b_{01} & b_{02} & b_{03} \\
b_{10} & b_{11} & b_{12} & b_{13} \\
b_{20} & b_{21} & b_{22} & b_{23} \\
b_{30} & b_{31} & b_{32} & b_{33}
\end{pmatrix}
$$

## AES - Simple DFA

- Assume the attacker can cause precise 1-bit flips in Round 9 of AES, before S-box
- For each of $2^{8}$ key guesses, test if the partial decryption produces the expected 1-bit flip.



## AES - Piret and Quisquater's DFA [PQ03]

- Assume the attacker can cause imprecise 1-byte errors
- For each of $2^{32}$ key guesses, test if the partial decryption produces the expected 1-byte error. (This can be optimized to require only 2 faulty encryptions to recover the full key.)

Figure legend: SB = SubBytes, SR = ShiftRows, MC = MixColumns



## Countermeasures


and Countermeasures against Countermeasures :-)

## Types of Countermeasures

- Physical level
  - Shielding of the circuit so that it's harder to access
  - Sensors that detect tampering
- Implementation level
  - Detect or correct errors
  - Randomize the execution details
- Protocol level
  - Prevent an attacker from collecting useful data by limiting key usage, randomizing inputs, ...


## Error Detection

- For DFA, the attacker requires the faulty ciphertext $C'$ and the correct ciphertext $C$ for the same plaintext $M$
- Countermeasure 1: Error Detection
  - Check the correctness of each encryption
  - For example by evaluating it twice
  - Only return result if correct



## Error Detection

- For DFA, the attacker requires the faulty ciphertext $C'$ and the correct ciphertext $C$ for the same plaintext $M$
- Countermeasure 2: Authenticated Encryption (AEAD). AEAD typically prevents DFA by design:
  - During AEAD encryption, a random nonce is used to "randomize" the inputs $M$ $\rightarrow$ cannot get $C, C'$ for the same $M$
  - During AEAD decryption, results are only returned if the authentication tag was verified correctly, so we usually don't get $C'$

## Infection-based Countermeasures

- For DFA, the attacker requires the faulty ciphertext $C'$ and the correct ciphertext $C$ for the same plaintext $M$
- Countermeasure 3: Infection
  - Do 2 encryptions + many dummy rounds
  - If error detected, return dummy garbage
  - Can perform checks after every round
  - Example for AES: [TBM14]


## Ineffective Fault Attacks (IFA) [Cla07] and Friends

- Observation: In practice, it's often easier to cause biased errors than bitflips
- Example: Stuck-at-0 error sets bit (or byte) to 0
- If the attacker can reliably cause such errors, there are very simple attacks:




## Statistical Fault Attacks (SFA) [FJLT13]

- Assume the attacker can cause a biased error (e.g., reset to 0 with prob. $\frac{1}{2}$).
- For each of $2^{32}$ key guesses, test if the partial decryption produces a non-uniform distribution, with a metric such as the Squared Euclidean Imbalance (SEI) or Pearson's $\chi^{2}$:

$$
\operatorname{SEI}(\hat{p})=\sum_{x \in \mathcal{X}}\left|\hat{p}(x)-\frac{1}{\# \mathcal{X}}\right|^{2}
$$



## Side-Channel Countermeasures

IFA allows the attacker to "peek" at intermediate values, similar to side-channel attacks.
Many side-channel countermeasures help against IFA and friends:

- Hiding: Randomize the order of instructions, insert dummy instructions, etc., to make it harder for the attacker to hit the right bit
- Masking: Replace each data bit $x$ by $d+1$ random bits $x_{0}, x_{1}, \ldots, x_{d}$ with

$$
x=x_{0} \oplus x_{1} \oplus \ldots \oplus x_{d}
$$

Then learning up to $d$ bits $x_{i}$ is useless for the attacker.

## Statistical Ineffective Fault Attacks

## Statistical Ineffective Fault Attacks (SIFA) [DEK+18; DEG+18]

So far, we inserted faults right before / after S-boxes. When the attacker can only place 1 fault, error detection and/or masking prevent these attacks.

- SIFA idea 1: Use only faulty encryptions where no fault was detected: This condition may lead to a bias in some intermediate variables!
- SIFA idea 2: Place fault inside the S-box circuit, but measure before/after S-box with SFA methods!

This approach can attack implementations with masking and error detection. It may, however, require more data (1000s of messages).

## SIFA Idea 1: Ineffective Faults \& Fault Distribution Tables

How are values distributed if we consider only ineffective faults $X' = X$?

Fault distribution tables for a 2-bit value (rows: correct value $x$, columns: faulty value $x'$):

(a) Stuck-at-0

| $x \backslash x'$ | 00 | 01 | 10 | 11 |
| :---: | :---: | :---: | :---: | :---: |
| 00 | 1 | 0 | 0 | 0 |
| 01 | 1 | 0 | 0 | 0 |
| 10 | 1 | 0 | 0 | 0 |
| 11 | 1 | 0 | 0 | 0 |

(b) Random-And

| $x \backslash x'$ | 00 | 01 | 10 | 11 |
| :---: | :---: | :---: | :---: | :---: |
| 00 | 1 | 0 | 0 | 0 |
| 01 | $\frac{1}{2}$ | $\frac{1}{2}$ | 0 | 0 |
| 10 | $\frac{1}{2}$ | 0 | $\frac{1}{2}$ | 0 |
| 11 | $\frac{1}{4}$ | $\frac{1}{4}$ | $\frac{1}{4}$ | $\frac{1}{4}$ |

(c) Bit-flip

| $x \backslash x'$ | 00 | 01 | 10 | 11 |
| :---: | :---: | :---: | :---: | :---: |
| 00 | 0 | 0 | 0 | 1 |
| 01 | 0 | 0 | 1 | 0 |
| 10 | 0 | 1 | 0 | 0 |
| 11 | 1 | 0 | 0 | 0 |

[Figure: histograms of $x$ over the values 0 to 3 for ineffective faults, one per fault model; slide annotation: "$x$ non-uniform"]


## SIFA Idea 1: Ineffective Faults \& Fault Distribution Tables

1. Inject fault with non-uniform distribution $p_{\mathrm{eq}}(x') = \mathbb{P}[X' = x' \mid X' = X]$
2. Keep only samples where no error was detected (ineffective fault, like IFA)
   - Fault Ineffectivity Rate $\pi_{\mathrm{eq}} = \mathbb{P}[X' = X]$ is the ratio of these samples
3. Guess part of key and compute backwards as before
4. Statistically test distribution $p_{\mathrm{eq}}(x')$ like SFA: is it non-uniform?
   - CHI (Pearson's $\chi^{2}$) or SEI (Squared Euclidean Imbalance)
   - LLR (log-likelihood ratio) if ineffective distribution $p_{\mathrm{eq}}(\cdot)$ is known
5. If it looks uniform, reject key candidate; if non-uniform, keep it

This also works if the fault induction method is noisy (only works sometimes, with probability $\sigma$ )

## Example: Bytewise Random-AND and Infection Countermeasure

- Fault model: Bytewise fault that flips each 1 to 0 with probability $\frac{1}{2}$
  - Fault ineffectivity rate: $\pi_{\mathrm{eq}}=(3 / 4)^{8} \approx 10 \%$
- Implementation: AES + infection countermeasure, target round 40 of 22+22=44
  - Hit a suitable round with prob. $\sigma \approx 0.315$ among ineffective samples.
  - Distribution $p_{\mathrm{eq}}(x)$ for correct key and uniform distribution $\theta$:

$$
p_{\mathrm{eq}}(x)=\sigma \cdot 2^{8-\mathrm{hw}(x)} / 3^{8}+(1-\sigma) \cdot 2^{-8} .
$$
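
The fault distribution tables, the ineffectivity rate $(3/4)^8$ and the formula for $p_{\mathrm{eq}}(x)$ can all be derived by exact enumeration, which is also how one can evaluate how much bias an error-detection filter leaks under a given fault model. This is an added example, not part of the talk; it assumes a uniformly distributed target value and uses the bit-flip model of the 2-bit table (all bits flipped).

```python
# Added example (not from the slides): exact ineffective-fault distributions
# for the three fault models, and the SEI of the resulting distribution.
from fractions import Fraction


def hw(x):
    """Hamming weight."""
    return bin(x).count("1")


# Fault models as transition probabilities P[X' = xf | X = x] on n-bit values.
def stuck_at_0(x, xf, n):
    return Fraction(int(xf == 0))


def random_and(x, xf, n):
    # Every 1-bit is independently reset to 0 with probability 1/2.
    if xf & ~x:                      # a 0-bit can never become 1
        return Fraction(0)
    return Fraction(1, 2 ** hw(x))


def bit_flip(x, xf, n):
    # All n bits are flipped, as in the 2-bit bit-flip table.
    return Fraction(int(xf == x ^ (2 ** n - 1)))


def fault_table(model, n):
    """Fault distribution table: rows x, columns x'."""
    size = 2 ** n
    return [[model(x, xf, n) for xf in range(size)] for x in range(size)]


def ineffective_distribution(model, n):
    """For uniform X return (pi_eq, p_eq) with pi_eq = P[X' = X] and
    p_eq(x) = P[X = x | X' = X]; p_eq is None if no fault is ever ineffective."""
    size = 2 ** n
    joint = [Fraction(1, size) * model(x, x, n) for x in range(size)]
    pi_eq = sum(joint)
    return pi_eq, ([j / pi_eq for j in joint] if pi_eq else None)


def with_noise(p_eq, sigma):
    """Mix with the uniform distribution: only a fraction sigma of the
    ineffective samples comes from a fault at a suitable location."""
    u = Fraction(1, len(p_eq))
    return [sigma * p + (1 - sigma) * u for p in p_eq]


def sei(p):
    """Squared Euclidean Imbalance: sum over x of |p(x) - 1/#X|^2."""
    u = Fraction(1, len(p))
    return sum((px - u) ** 2 for px in p)


if __name__ == "__main__":
    for name, model in [("stuck-at-0", stuck_at_0),
                        ("random-AND", random_and),
                        ("bit-flip", bit_flip)]:
        pi_eq, p_eq = ineffective_distribution(model, 2)
        shown = [str(p) for p in p_eq] if p_eq else None
        print(f"{name:11s} pi_eq={pi_eq}  p_eq={shown}")

    # Bytewise random-AND with sigma = 0.315, the values used on the slide.
    pi_eq, p_eq = ineffective_distribution(random_and, 8)
    sigma = Fraction(315, 1000)
    print("pi_eq     =", float(pi_eq))
    print("SEI ideal =", float(sei(p_eq)))
    print("SEI noisy =", float(sei(with_noise(p_eq, sigma))))
```

The noise term scales the SEI by $\sigma^2$, so a lower hit rate does not remove the bias, it only raises the number of samples needed to see it.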



## Example: Bytewise Random-AND and Infection Countermeasure


(a) $\operatorname{LLR}(\hat{p})$ statistic

(b) $\mathrm{CHI}(\hat{p})$ statistic (similar to SEI)

## SIFA Idea 2: Faulting Inside an S-box

- So far, we placed the fault before the S-box and tested at the same position
- We can also place the fault inside the S-box and test at the input or output

- Can turn bitflip faults into nice non-uniform ineffective distributions
- Can work even for implementations protected with masking


## SIFA on Masked Implementations with Detection Countermeasures



## SIFA Example: Inside a Masked S-box Circuit

- Example S-box: A smaller version of SHA-3's S-box $(\chi)$
- 3-bit input $a, b, c$, masked as
  - $a=a_{0} \oplus a_{1}$
  - $b=b_{0} \oplus b_{1}$
  - $c=c_{0} \oplus c_{1}$
- 3-bit output $r, s, t$, masked as
  - $r=r_{0} \oplus r_{1}$
  - $s=s_{0} \oplus s_{1}$
  - $t=t_{0} \oplus t_{1}$
- Implemented as circuit of instructions / gates: XOR $\oplus$, AND $\odot$, NOT $\ominus$


## SIFA Example: Inside a Masked S-box Circuit

Input: $\left\{a_{0}, a_{1}, b_{0}, b_{1}, c_{0}, c_{1}\right\}$

$$
\begin{array}{ll}
\mathrm{T}_{0} \leftarrow \overline{b_{0}} \odot c_{1} ; & \mathrm{T}_{2} \leftarrow a_{1} \odot b_{1} \\
\mathrm{T}_{1} \leftarrow \overline{b_{0}} \odot c_{0} ; & \mathrm{T}_{3} \leftarrow a_{1} \odot b_{0} \\
\mathrm{T}_{0} \leftarrow \mathrm{T}_{0} \oplus a_{0} ; & \mathrm{T}_{2} \leftarrow \mathrm{T}_{2} \oplus c_{1} \\
r_{0} \leftarrow \mathrm{T}_{0} \oplus \mathrm{T}_{1} ; & t_{1} \leftarrow \mathrm{T}_{2} \oplus \mathrm{T}_{3}
\end{array}
$$

$$
\begin{array}{ll}
\mathrm{T}_{0} \leftarrow \overline{c_{0}} \odot a_{1} ; & \mathrm{T}_{2} \leftarrow b_{1} \odot c_{1} \\
\mathrm{T}_{1} \leftarrow \overline{c_{0}} \odot a_{0} ; & \mathrm{T}_{3} \leftarrow b_{1} \odot c_{0} \\
\mathrm{T}_{0} \leftarrow \mathrm{T}_{0} \oplus b_{0} ; & \mathrm{T}_{2} \leftarrow \mathrm{T}_{2} \oplus a_{1} \\
s_{0} \leftarrow \mathrm{T}_{0} \oplus \mathrm{T}_{1} ; & r_{1} \leftarrow \mathrm{T}_{2} \oplus \mathrm{T}_{3}
\end{array}
$$

Fault marker at this point: $a_{0}$

$$
\begin{array}{ll}
\mathrm{T}_{0} \leftarrow \overline{a_{0}} \odot b_{1} ; & \mathrm{T}_{2} \leftarrow c_{1} \odot a_{1} \\
\mathrm{T}_{1} \leftarrow \overline{a_{0}} \odot b_{0} ; & \mathrm{T}_{3} \leftarrow c_{1} \odot a_{0} \\
\mathrm{T}_{0} \leftarrow \mathrm{T}_{0} \oplus c_{0} ; & \mathrm{T}_{2} \leftarrow \mathrm{T}_{2} \oplus b_{1} \\
t_{0} \leftarrow \mathrm{T}_{0} \oplus \mathrm{T}_{1} ; & s_{1} \leftarrow \mathrm{T}_{2} \oplus \mathrm{T}_{3}
\end{array}
$$

Output: $\left\{r_{0}, r_{1}, s_{0}, s_{1}, t_{0}, t_{1}\right\}$


## SIFA Example: Inside a Masked S-box Circuit

- Cause a bitflip fault in $a_{0}$ at the indicated moment
- The faulty value goes into 3 $\odot$s
- Correctness of the $\odot$-output depends on the other input
  - if the other input is 0, the $\odot$-output is correct
  - if the other input is 1, the $\odot$-output is faulty



## SIFA Example: Inside a Masked S-box Circuit

- The S-box output is correct if $\odot$ with $c_{1}$ is correct and
  - both $\odot$s with $b_{0}, b_{1}$ are correct: $b_{0}=b_{1}=0$, or
  - both $\odot$s with $b_{0}, b_{1}$ are faulty: $b_{0}=b_{1}=1$
- Either way, $b=b_{0} \oplus b_{1}=0$
- If the cipher output is correct, learn $b=0$ (bias)
- Use as before to recover the key!
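
The argument above can be checked exhaustively over all 64 share assignments of the masked $\chi_3$ circuit. This is an added example, not part of the talk: it models the detection countermeasure as a comparison of the output shares against a fault-free redundant run (an assumption of this example) and places the bit flip on $a_0$ before the third block of the circuit.

```python
# Added example (not from the slides): exhaustive simulation of the 2-share
# chi3 circuit with a bit flip on a0 before the third block.
from itertools import product


def chi3(a, b, c):
    """Unmasked reference: r = a ^ (~b & c), s = b ^ (~c & a), t = c ^ (~a & b)."""
    return a ^ ((b ^ 1) & c), b ^ ((c ^ 1) & a), c ^ ((a ^ 1) & b)


def masked_chi3(a0, a1, b0, b1, c0, c1, fault=False):
    """Functional model of the circuit from the slides.
    fault=True flips a0 at the marked position (before block 3)."""
    # Block 1: r0 and t1
    r0 = (((b0 ^ 1) & c1) ^ a0) ^ ((b0 ^ 1) & c0)
    t1 = ((a1 & b1) ^ c1) ^ (a1 & b0)
    # Block 2: s0 and r1
    s0 = (((c0 ^ 1) & a1) ^ b0) ^ ((c0 ^ 1) & a0)
    r1 = ((b1 & c1) ^ a1) ^ (b1 & c0)
    if fault:
        a0 ^= 1
    # Block 3: t0 and s1; a0 feeds three AND gates here
    t0 = (((a0 ^ 1) & b1) ^ c0) ^ ((a0 ^ 1) & b0)
    s1 = ((c1 & a1) ^ b1) ^ (c1 & a0)
    return r0, r1, s0, s1, t0, t1


def analyse():
    """Count the ineffective faults and how often each unmasked input bit
    (and the single share b0) equals 1 among them."""
    ineffective = []
    all_shares = list(product((0, 1), repeat=6))
    for shares in all_shares:
        a0, a1, b0, b1, c0, c1 = shares
        good = masked_chi3(*shares)
        unmasked = (good[0] ^ good[1], good[2] ^ good[3], good[4] ^ good[5])
        assert unmasked == chi3(a0 ^ a1, b0 ^ b1, c0 ^ c1)  # circuit computes chi3
        if masked_chi3(*shares, fault=True) == good:         # detection sees no error
            ineffective.append(shares)
    return {
        "total": len(all_shares),
        "ineffective": len(ineffective),
        "a_is_1": sum(a0 ^ a1 for a0, a1, *_ in ineffective),
        "b_is_1": sum(b0 ^ b1 for _, _, b0, b1, *_ in ineffective),
        "c_is_1": sum(c0 ^ c1 for *_, c0, c1 in ineffective),
        "b0_is_1": sum(b0 for _, _, b0, *_ in ineffective),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key:12s} {value}")
```

Among the ineffective faults the share $b_0$ stays balanced while the unmasked $b$ is always 0: the single fault reaches three nonlinear gates, so its effectivity depends on both shares of $b$.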



## SIFA Example: Application to AES


(a) Correct key guess

(b) Wrong key guess

Figure: Results for bitsliced AES implementation on 32-bit platform (ARM Cortex M4) with masking (1st order) and error detection (temporal redundancy). Simulated byte-stuck-at-0 faults. Recovered distribution after S-box in round 9. [DEG+18]

## Statistical (Ineffective) Fault Attacks - Summary

- Differential cryptanalysis: DC [BS90]
- Differential fault attack: DFA [BS97]
- Statistical fault attack: SFA [FJLT13; DEK+16]
- Ineffective fault attack: IFA [Cla07]
- Statistical Ineffective Fault Attack: SIFA [DEK+18; DEG+18]

## Defending against SIFA

## SIFA Resistance

In a masked implementation, the gates are all incomplete operations: learning all inputs of one gate is not sufficient to learn all shares of one variable.

SIFA on masked implementations works because the fault can

1. propagate to several nonlinear gates and then
2. disappear depending on the other inputs of all these gates.

This way, the effectivity of the fault can depend on all shares of a variable and "reveal" this variable as a non-uniform distribution in the unmasked variables.

An implementation is single-fault SIFA-resistant if each possible single fault

- is either detected by error detection
- or activates (propagates to) at most one nonlinear gate.

## Building SIFA-Resistant Implementations [DDE+20]

Two variants for error detection between 2 redundant computations:

- Local checks: Compare relevant intermediate variables during computation
  - One approach: Analyze circuit graph to identify critical variables
  - Easier to develop, but may require many checks
- Global checks: Compare only the final unmasked cipher output
  - Need to ensure that all relevant faults propagate to the output
  - One approach: Use only invertible gates like the Toffoli gate
  - More elegant and flexible, but sometimes hard/impossible to develop

Example: Single-fault SIFA-resistant $\chi_{3}, 2$ shares, local checks


Example: Single-fault SIFA-resistant $\chi_{3}, 2$ shares, global checks


## Conclusion

- Statistical Ineffective Fault Attacks are a very powerful type of fault attack
- Effective against state-of-the-art countermeasures including error detection and side-channel countermeasures (hiding, masking)
- New countermeasures needed
  - Proposal by Daemen et al. [DDE+20]: combine masking \& detection with special circuit structure (local checks and/or Toffoli gates)
  - Several other approaches with varying effectivity and efficiency have been published
- With enough effort (money, time, data), attackers may be able to defeat countermeasures - make sure this effort is higher than it's worth!


## Questions

## Bibliography

[BS90] Eli Biham and Adi Shamir. Differential Cryptanalysis of DES-like Cryptosystems. Advances in Cryptology - CRYPTO 1990. Vol. 537. LNCS. Springer, 1990, pp. 2-21. DOI: 10.1007/3-540-38424-3_1.

[BS97] Eli Biham and Adi Shamir. Differential Fault Analysis of Secret Key Cryptosystems. Advances in Cryptology - CRYPTO '97. Vol. 1294. LNCS. Springer, 1997, pp. 513-525. DOI: 10.1007/BFb0052259.

[Cla07] Christophe Clavier. Secret External Encodings Do Not Prevent Transient Fault Analysis. Cryptographic Hardware and Embedded Systems - CHES 2007. Vol. 4727. LNCS. Springer, 2007, pp. 181-194. DOI: 10.1007/978-3-540-74735-2_13.

[DDE+20] Joan Daemen, Christoph Dobraunig, Maria Eichlseder, Hannes Groß, Florian Mendel, and Robert Primas. Protecting against Statistical Ineffective Fault Attacks. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2020.3 (2020), pp. 508-543. DOI: 10.13154/tches.v2020.i3.508-543.

[DEG+18] Christoph Dobraunig, Maria Eichlseder, Hannes Groß, Stefan Mangard, Florian Mendel, and Robert Primas. Statistical Ineffective Fault Attacks on Masked AES with Fault Countermeasures. Advances in Cryptology - ASIACRYPT 2018. Vol. 11273. LNCS. Springer, 2018, pp. 315-342. DOI: 10.1007/978-3-030-03329-3_11.

[DEK+16] Christoph Dobraunig, Maria Eichlseder, Thomas Korak, Victor Lomné, and Florian Mendel. Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes. Advances in Cryptology - ASIACRYPT 2016. Vol. 10031. LNCS. Springer, 2016, pp. 369-395. DOI: 10.1007/978-3-662-53887-6_14.

[DEK+18] Christoph Dobraunig, Maria Eichlseder, Thomas Korak, Stefan Mangard, Florian Mendel, and Robert Primas. SIFA: Exploiting Ineffective Fault Inductions on Symmetric Cryptography. IACR Transactions on Cryptographic Hardware and Embedded Systems 2018.3 (2018), pp. 547-572. DOI: 10.13154/tches.v2018.i3.547-572.

[DR02] Joan Daemen and Vincent Rijmen. The Design of Rijndael: AES - The Advanced Encryption Standard. Information Security and Cryptography. Springer, 2002. ISBN: 3-540-42580-2. DOI: 10.1007/978-3-662-04722-4.

[FJLT13] Thomas Fuhr, Éliane Jaulmes, Victor Lomné, and Adrian Thillard. Fault Attacks on AES with Faulty Ciphertexts Only. Fault Diagnosis and Tolerance in Cryptography - FDTC 2013. IEEE Computer Society, 2013, pp. 108-118. DOI: 10.1109/FDTC.2013.18.

[PQ03] Gilles Piret and Jean-Jacques Quisquater. A Differential Fault Attack Technique against SPN Structures, with Application to the AES and KHAZAD. Cryptographic Hardware and Embedded Systems - CHES 2003. Vol. 2779. LNCS. Springer, 2003, pp. 77-88. DOI: 10.1007/978-3-540-45238-6_7.

[TBM14] Harshal Tupsamudre, Shikha Bisht, and Debdeep Mukhopadhyay. Destroying Fault Invariant with Randomization - A Countermeasure for AES Against Differential Fault Attacks. Cryptographic Hardware and Embedded Systems - CHES 2014. Vol. 8731. LNCS. Springer, 2014, pp. 93-111.

