ReCoSoC 2010, 5th International Workshop on Reconfigurable Communication-centric Systems on Chip

Experimental Fault Injection based on the Prototyping of an AES Cryptosystem

Jean-Baptiste Rigaud, Jean-Max Dutertre, Michel Agoyan, Bruno Robisson, Assia Tria

Département SAS, Équipe mixte CEA-LETI/ENSMSE
Site Georges Charpak, Centre Microélectronique de Provence
880, route de Mimet, 13541 Gardanne

Outline
  - Introduction
      - Course overview
  - Attacked circuit: AES cryptosystem
      - Algorithm and design
      - Prototyping of AES on SPARTAN-3
  - Design and use of an FPGA-based attack platform
      - Fault injection principle (digital IC timing constraints)
      - Experimental results
  - Conclusion

Course overview
  - Master students in Microelectronics Design
      - Cryptography
      - Secured Circuits
  - Application of academic courses
      - VHDL
      - Design methodology
      - FPGA prototyping
  - Two parts
      - 128-bit AES design: Spartan 3 (cryptography)
      - Fault injection platform: Virtex 5 (security of IC)

Cryptography
  - Why cryptography?
      - Confidentiality
      - Authentication
      - Integrity
      - Non-repudiation
  - Tools for cryptography
      - Secret-key scheme
      - Public/private-key scheme
      - Hash function
  [Figure: plain text, ciphering, cipher text, deciphering, plain text]
  - Applications: credit card, mobile phone, pay TV, secured internet, etc.

AES cryptosystem
  - Advanced Encryption Standard (NIST, 2001)
  - Key length: 128 bits
  - A good example for teaching IC design
      - Data path and key expander synchronization
      - S-box modeling

AES block diagram
  - Timing constraints
      - Nominal clock frequency: 100 MHz
      - 11 clock cycles per ciphering
  - Area
      - Hash functions
      - 20 S-boxes
  - External control
      - Clock pin
      - Start signal

AES test environment
  - Xilinx Spartan 3 evaluation board
  - Serial link
  - Simple control commands
  - Automatic test generation (Perl)
  - On-the-fly comparison with the expected result (OpenSSL's AES library)
  - Why an FPGA target?
      - Education purposes
      - Faster integration
      - Easier fault injection due to long interconnection delays

Design and Use of an FPGA-based Attack Platform
  - Theoretical work
      - Short overview of Differential Fault Attacks
      - Digital IC timing constraints (as a fault injection means)
      - A Delay Locked Loop based attack platform
  - Laboratory work
      - Synthesis of the attack platform
      - Experimental results

Differential Fault Attack
  [Figure: encryption with inputs M and K, output C, and a faulty ciphertext]
  - Disturb the ciphering process through unusual environmental conditions.
  - Differential Fault Attack = comparison between correct and faulty ciphertexts to retrieve information on the encryption process (i.e. information leakage).
  - Strong requirements:
      - control of the fault size (bit or byte level),
      - target a given round (and only it).

Digital IC timing constraint
  - Synchronous IC principle (reminder)
  [Figure: two D flip-flops (Dff i and Dff i+1) clocked by clk, separated by combinational logic with its propagation delay]
  - Data are captured on the clock's rising edge.
  - The time between two rising edges (i.e. the clock period) depends on the propagation delay.

Digital IC timing constraint
  [Figure: Dff i and Dff i+1 around the combinational logic (n inputs, m outputs), annotated with D_clk→q, D_pmax and T_clk + T_skew - δ_su]
  - data arrival time = $D_{clk \to q} + D_{pmax}$
  - data required time = $T_{clk} + T_{skew} - \delta_{su}$
  - Timing constraint: $T_{clk} > D_{clk \to q} + D_{pmax} - T_{skew} + \delta_{su}$
  - Violating this timing constraint results in fault injection.

Digital IC timing constraint: fault location and propagation delay
  [Figure: combinational logic with n inputs and m outputs, outputs = f(inputs) where f is a logical function, one delay D_0, D_1, ..., D_{m-1} per output]
  - Each $D_i$ has its own propagation delay.
  - Fault location: where delay $D_i > T_{clk} - \text{setup time}$.
  - Propagation times depend on:
      - the logical states (0/1): the propagation delay changes with the inputs, which allows the fault location to be changed,
      - the power supply voltage,
      - the temperature.

Fault injection by setup time violation
  - Fault injection: overclocking
      - A well-known approach: decreasing the clock period until faults appear by setup time violation.
      - Drawback: faults are injected at each clock cycle, no timing control.
  [Figure: clk waveforms, T_clk compared with propagation delay + setup time, with and without fault]

Fault injection by setup time violation
  - Fault injection: local overclocking
      - Setup time violation by modifying one clock cycle.
      - Fault injection cycle choice.
      - Fault-nature fine tuning through Δ: fine control (one-bit, two-bit faults).
      - δt variation step = 35 ps.
      - Experiment: T_clk = 10 ns, 300 steps @ 100 MHz.
  [Figure: clk with period T_clk, and faulted clk with one cycle of T_clk - Δ compared with D_pmax + δ_su]

A DLL-based Attack Platform
  - Fault injection: local overclocking (cont'd)
      - clk generation: use of an on-chip Delay Locked Loop (Xilinx Virtex-5).
      - All digital, easy to implement.
  [Figure: clk (period T_clk), delayed copies of clk shifted by Δ/2 and Δ, and the resulting faulted clk with one cycle of T_clk - Δ]

Synthesis of the attack platform
  [Figures: one capture per setting, for Δ = 0, 20 x 35 ps, 40 x 35 ps, 60 x 35 ps, 80 x 35 ps and 100 x 35 ps]

Fault injection experiments
  - Experimental setup
  [Figure: clock generation board and AES board, each with a COM serial link; trigger and clock signals between the two boards]

Fault injection experiments
  - Controllability of the faults' nature and location
      - Targeting the final round of the AES: direct reading of the injected faults (by XORing a correct and a faulty ciphertext).
      - Test campaign pseudo-code:
          send the key K and the plaintext T to the test chip
          Δ 0
      - Note that faults are located in the encryption data path (longest propagation delay).

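Added example (not part of the original slides): a small Python model linking the timing constraint $T_{clk} > D_{clk \to q} + D_{pmax} - T_{skew} + \delta_{su}$ to the direct reading of faults by XOR described above. Only the 10 ns period and the 35 ps step come from the slides; the per-bit delays, flip-flop parameters, register values, byte numbering and all function names are constructed for illustration.

```python
# Added example: toy model of the shortened clock cycle (all values constructed).
T_CLK_PS, STEP_PS = 10_000, 35                   # from the slides: 100 MHz, 35 ps step
D_CLK_Q_PS, SETUP_PS, T_SKEW_PS = 300, 200, 0    # assumed flip-flop parameters

def make_delays():
    """Constructed propagation delays D_i (ps) for the 128 register inputs."""
    delays = [5000] * 128
    delays[51], delays[53], delays[105] = 7300, 7100, 6900   # three slow paths
    return delays

def violating_bits(steps, delays):
    """Bits whose data arrival time exceeds the data required time."""
    required = (T_CLK_PS - steps * STEP_PS) + T_SKEW_PS - SETUP_PS
    return [i for i, d in enumerate(delays) if D_CLK_Q_PS + d > required]

def capture(prev, new, steps, delays):
    """Register content after the short cycle; late bits keep their old value
    (a modelling assumption: real flip-flops may resolve either way)."""
    out = new
    for i in violating_bits(steps, delays):
        out = (out & ~(1 << i)) | (prev & (1 << i))
    return out

def classify(correct, faulty):
    """Direct reading: XOR both values, then count flipped bits per byte."""
    diff, kinds = correct ^ faulty, {}
    for byte in range(16):
        n = bin((diff >> (8 * byte)) & 0xFF).count("1")
        if n:
            kinds[byte] = {1: "one-bit", 2: "two-bit"}.get(n, "other")
    return kinds            # an empty dict means "no fault"

def sweep(prev, new, delays, max_steps=100):
    """Decrease the faulted period step by step; log each change of fault class."""
    log, seen = [], None
    for k in range(max_steps + 1):
        kinds = classify(new, capture(prev, new, k, delays))
        if kinds != seen:
            log.append((k, T_CLK_PS - k * STEP_PS, kinds))
            seen = kinds
    return log

PREV = 1 << 105            # constructed: bit 105 does not toggle, so its
NEW = (1 << 128) - 1       # timing violation stays invisible in the XOR

if __name__ == "__main__":
    for k, period, kinds in sweep(PREV, NEW, make_delays()):
        print(f"step {k:3d}  Tclk-delta = {period} ps  {kinds or 'no fault'}")
```

The model shows two effects the slides rely on: the fault class follows the slack of each path as Δ grows, and a violated path only produces a visible fault when the captured bit actually toggles, which is why changing the plaintext moves the fault location.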
Experimental results
  - Target: final round (f_clk,nom = 100 MHz)
  - Step-by-step T_clk decrease (δt = 35 ps)
  [Figure: fault type per byte index (15 to 0) as a function of T_clk - Δ, starting from T_clk = 10000 ps; legend: no fault, one-bit fault, two-bit fault, other fault; annotated values 7340 ps, 5240 ps and 350 ps; detail of byte no. 6 with bits D_0 to D_7]

Experimental results
  - Location control: plaintext variation (same key, different plaintext)
  [Figure: two fault maps, fault type per byte index (15 to 0); legend: no fault, one-bit fault, two-bit fault, other fault; first map: byte no. 13, annotated values 7340 ps, 5240 ps and 350 ps; second map: byte no. 3, annotated values 7585 ps and 5485 ps]

Experimental results
  - Fault injection based on power supply decrease (at nominal frequency)
  - $V_{DD}$, $D_{pmax}$ ($D_{clk \to q}$, $\delta_{su}$, $T_{skew}$)
  - $T_{clk} < D_{clk \to q} + D_{pmax} - T_{skew} + \delta_{su}$
  [Figure: combinational logic with n inputs and m outputs (delays D_0, D_1, ..., D_{m-1}); D_pmax + δ_su plus slack compared with T_clk]

Experimental results
  - Fault injection based on power supply decrease
  [Figure: critical time (picoseconds) as a function of V_DD, compared with T_clk]
  - 1st fault at 1.07 V

Experimental results
  - Temperature increase (at nominal frequency)
  - $D_{pmax}$ ($D_{clk \to q}$, $\delta_{su}$, $T_{skew}$)
  - 1st fault at 210 °C

Conclusion
  - An ambitious two-in-one course (Master or PhD students).
  - Achievements:
      - Design methodology on a concrete programmable device,
      - Development of a complete test environment (serial interface, command scripts),
      - Implementation of the AES standard,
      - Review of timing constraints and critical path issues,
      - Design of a DLL-based attack platform,
      - Practice of fault attacks,
      - Awareness of hardware security.
  - FPGA: a well-suited target.