At the most recent CHES workshop, Hossein Hadipour of the Graz University of Technology presented an important step forward in exploiting persistent faults in crypto.
Differential Fault Analysis (DFA) is a well-known attack class that can lead to the compromise of a secret key when faults are injected during the execution of a cryptographic implementation. However, injecting transient faults at the right time can be challenging. Persistent faults are a category of faults that may be easier applied than transient faults since they do not require precise timing and stay active for a longer period. Persistent faults may, for instance, be applied by corrupting an S-box when its data is moved in memory, or by altering the apparent value of a memory location through a probe needle or a continuous laser beam.
Previous research into DFA showed that persistent faults can be exploited, but this research had multiple limitations. The original attack required knowledge of the exact fault model, i.e., the location of the faults in the algorithm. Further, it resulted in a very high remaining key space to be explored, namely 50 bits in the case of AES-128. And finally, it required at least one input-output pair for a brute-force analysis of the remaining key space. These disadvantages did largely undo the advantage of persistent fault attacks over transient fault attacks. As a result, there were hardly any practical results in the field reported.
The Graz team developed several new attack algorithms to improve persistent fault attacks. These were both simulated and tested on an implementation of the AES-128 algorithm. Through an analysis of all the AES rounds, rather than just the final ones, they were able to extract more information. This allowed faster extraction of the key under more complex conditions, such as a lack of knowledge of fault locations, occurrence of multiple faults, and absence of a plaintext.
The first part of the attack works with little more than 1000 faulty ciphertexts resulting from multiple and unknown persistent faults. The attack reduces the remaining key space to a mere 9 bits. The second part of the attack uses only the faulty ciphertexts to select the correct key from the remaining key space.
These improvements have significant practical implications. For instance, when AES is used for encryption, an attacker should never have access to the plaintext, which would prevent all DFA applications that require a plaintext-ciphertext pair to identify the correct key. With this new method, attackers may be able to extract a key when only corrupted ciphertext is available. Additionally, the lack of known fault locations, or long brute force methods make this new attack attractive.
With these new improvements we can expect more enthusiasm for persistent fault injection amongst attackers, and we should anticipate practical application in the field. Fortunately, many countermeasures against transient fault injection also work against persistent fault injection. Riscure is happy to advise device makers on how to make their products more robust against this and other threats.
If you have any questions, contact us at inforequest@riscure.com.