Faulty Clock Detection for Crypto Circuits Against Differential Fault Analysis Attack



Similar documents
Study on the application of the software phase-locked loop in tracking and filtering of pulse signal

Domain 1: Designing a SQL Server Instance and a Database Solution

Modified Line Search Method for Global Optimization

Incremental calculation of weighted mean and variance

Output Analysis (2, Chapters 10 &11 Law)

Implementation of Low Power Scalable Encryption Algorithm

(VCP-310)

COMPARISON OF THE EFFICIENCY OF S-CONTROL CHART AND EWMA-S 2 CONTROL CHART FOR THE CHANGES IN A PROCESS

*The most important feature of MRP as compared with ordinary inventory control analysis is its time phasing feature.

Vladimir N. Burkov, Dmitri A. Novikov MODELS AND METHODS OF MULTIPROJECTS MANAGEMENT

Ekkehart Schlicht: Economic Surplus and Derived Demand

Configuring Additional Active Directory Server Roles

In nite Sequences. Dr. Philippe B. Laval Kennesaw State University. October 9, 2008

Engineering Data Management

ADAPTIVE NETWORKS SAFETY CONTROL ON FUZZY LOGIC

A Secure Implementation of Java Inner Classes

CONTROL CHART BASED ON A MULTIPLICATIVE-BINOMIAL DISTRIBUTION

Evaluating Model for B2C E- commerce Enterprise Development Based on DEA

Systems Design Project: Indoor Location of Wireless Devices

I. Chi-squared Distributions

MTO-MTS Production Systems in Supply Chains

Multiplexers and Demultiplexers

CHAPTER 3 DIGITAL CODING OF SIGNALS

Definition. A variable X that takes on values X 1, X 2, X 3,...X k with respective frequencies f 1, f 2, f 3,...f k has mean

A Combined Continuous/Binary Genetic Algorithm for Microstrip Antenna Design

DAME - Microsoft Excel add-in for solving multicriteria decision problems with scenarios Radomir Perzina 1, Jaroslav Ramik 2

Reliability Analysis in HPC clusters


A probabilistic proof of a binomial identity

Soving Recurrence Relations

Running Time ( 3.1) Analysis of Algorithms. Experimental Studies ( 3.1.1) Limitations of Experiments. Pseudocode ( 3.1.2) Theoretical Analysis

Spam Detection. A Bayesian approach to filtering spam

Chair for Network Architectures and Services Institute of Informatics TU München Prof. Carle. Network Security. Chapter 2 Basics

The analysis of the Cournot oligopoly model considering the subjective motive in the strategy selection

Recovery time guaranteed heuristic routing for improving computation complexity in survivable WDM networks

Evaluation of Different Fitness Functions for the Evolutionary Testing of an Autonomous Parking System

Malicious Node Detection in Wireless Sensor Networks using Weighted Trust Evaluation

QUADRO tech. FSA Migrator 2.6. File Server Migrations - Made Easy

Annuities Under Random Rates of Interest II By Abraham Zaks. Technion I.I.T. Haifa ISRAEL and Haifa University Haifa ISRAEL.

SECTION 1.5 : SUMMATION NOTATION + WORK WITH SEQUENCES

Domain 1 - Describe Cisco VoIP Implementations

INVESTMENT PERFORMANCE COUNCIL (IPC) Guidance Statement on Calculation Methodology

Taking DCOP to the Real World: Efficient Complete Solutions for Distributed Multi-Event Scheduling

The Stable Marriage Problem

Department of Computer Science, University of Otago

Lecture 2: Karger s Min Cut Algorithm

Chapter 7 Methods of Finding Estimators

SYSTEM INFO. MDK - Multifunctional Digital Communications System. Efficient Solutions for Information and Safety

Capacity of Wireless Networks with Heterogeneous Traffic

ODBC. Getting Started With Sage Timberline Office ODBC

Convention Paper 6764

Ranking Irregularities When Evaluating Alternatives by Using Some ELECTRE Methods

Analyzing Longitudinal Data from Complex Surveys Using SUDAAN

Institute of Actuaries of India Subject CT1 Financial Mathematics

Chapter 6: Variance, the law of large numbers and the Monte-Carlo method

Document Control Solutions

Research Article Sign Data Derivative Recovery

Asymptotic Growth of Functions

CCH Accountants Starter Pack

Overview on S-Box Design Principles

CHAPTER 3 THE TIME VALUE OF MONEY

A Faster Clause-Shortening Algorithm for SAT with No Restriction on Clause Length

Authentication - Access Control Default Security Active Directory Trusted Authentication Guest User or Anonymous (un-authenticated) Logging Out

Automatic Tuning for FOREX Trading System Using Fuzzy Time Series

Domain 1: Configuring Domain Name System (DNS) for Active Directory

HCL Dynamic Spiking Protocol

Determining the sample size

CS100: Introduction to Computer Science

The Role of Latin Square in Cipher Systems: A Matrix Approach to Model Encryption Modes of Operation

Convexity, Inequalities, and Norms

CHAPTER 7: Central Limit Theorem: CLT for Averages (Means)

Security Functions and Purposes of Network Devices and Technologies (SY0-301) Firewalls. Audiobooks

Domain 1 Components of the Cisco Unified Communications Architecture

Designing Incentives for Online Question and Answer Forums

CapNet: A Real-Time Wireless Management Network for Data Center Power Capping

Installment Joint Life Insurance Actuarial Models with the Stochastic Interest Rate

Domain 1: Identifying Cause of and Resolving Desktop Application Issues Identifying and Resolving New Software Installation Issues

>7011AUPS UNINTERRUPTIBLE P O W E R SUPPLIES

1 Computing the Standard Deviation of Sample Means

EUROCONTROL PRISMIL. EUROCONTROL civil-military performance monitoring system

Cantilever Beam Experiment

Week 3 Conditional probabilities, Bayes formula, WEEK 3 page 1 Expected value of a random variable

Floating Codes for Joint Information Storage in Write Asymmetric Memories

Optimize your Network. In the Courier, Express and Parcel market ADDING CREDIBILITY

How to read A Mutual Fund shareholder report

Managing and Implementing the Data Mining Process Using a Truly Stepwise Approach

Bond Valuation I. What is a bond? Cash Flows of A Typical Bond. Bond Valuation. Coupon Rate and Current Yield. Cash Flows of A Typical Bond

Chapter 10 Computer Design Basics

C.Yaashuwanth Department of Electrical and Electronics Engineering, Anna University Chennai, Chennai , India..

Non-life insurance mathematics. Nils F. Haavardsson, University of Oslo and DNB Skadeforsikring

Properties of MLE: consistency, asymptotic normality. Fisher information.

Case Study. Normal and t Distributions. Density Plot. Normal Distributions

Transcription:

Faulty Clock Detectio for Crypto Circuits Agaist Differetial Fault Aalysis Attack Pei uo ad Yusi Fei Email:sileceluo@coe.eu.edu, yfei@ece.eu.edu Departmet of Electrical ad Computer Egieerig Northeaster Uiversity, Bosto, MA 02115 Abstract. Clock glitch based Differetial Fault Aalysis (DFA) attack is a serious threat to cryptographic devices. Previous error detectio schemes for cryptographic devices target improvig the circuit reliability ad caot resist such DFA attacks. I this paper, we propose a ovel faulty clock detectio method which ca be easily implemeted either i FPGAs or itegrated circuits to detect the glitches i system clock. Results show that the proposed method ca detect glitches efficietly while eeds very few system resource. It is also highly recofigurable to tolerat clock iheret jitters, ad will ot ivolve complex desig work for differet processig techologies. Keywords: Clock glitch detectio, AES, differetial fault aalysis, side-chael attacks 1 itroductio Cryptosystems that provide ecryptio, decryptio, ad hashig fuctios have become the security egie of may critical systems ad ifrastructure. owever, their implemetatios, whether i software or hardware, are vulerable to side-chael attacks, which exploit parametric iformatio about cryptographic operatios icludig power cosumptio, timig iformatio, ad electromagetic emaatios to retrieve the secret key. Differetial Fault Aalysis (DFA) is a kid of side-chael attack, which itetioally ijects trasit faults ito a cryptosystem ad aalyzes the differece betwee the correct ad fault outputs to ifer the key. DFA was first iveted by Biham et. al. o the block cipher Data Ecryptio Stadard (DES) [1]. It was later applied to AES ad oly two pairs of correct ad faulty ciphertexts are required to break the cipher [2]. I [3], the fault model is relaxed to be a radom fault aywhere i oe of the four diagoals of the state matrix at the iput of the eighth roud of AES. It is show that eve if the fault iductio corrupts two or three diagoals, two to four faulty ciphertexts are eough to retrieve the correct key. The commoly used physical fault ijectio methods are clock glitchig, supply voltage variatio, ad laser radiatio. Clock glitchig is the most practical ad low-cost fault ijectio method, ad therefore clock glitch based DFA is more cotrollable ad becomes a real security threat. Work i [3] uses clock glitches to iject faults ito cryptographic devices. Work i [4] also demostrates the effectiveess of frequecy ijectio attacks o both a microcotroller ad a FPGA chip. Some high-level protectio methods for cryptographic systems employ error detectio ad correctio codes or redudacy [5,6] to improve the reliability of circuits, but caot resist clock glitch-based DFAs. Other protectio methods try to detect the fault ijectio sources ad therefore prevet DFAs [7]. I [7], a o-logic buffer-based delay chai is iserted, by moitorig the delay alog the delay chai, a possible clock glitch based DFA ca be detected. I [8], the authors desig a circuit with a master couter ad a slave couter clocked by the clock sigal, ad their results are compared to determie whether the differece is at least thus to detect the clock glitch. I this work, we propose a ew clock glitch detectio method which makes good use of the existig modules i ICs ad FPGAs. The proposed method ca be easily implemeted without cosiderig the complex process techology like i [7]. Meawhile, comparig with [8], our method is also highly recofigurable ad ca be easily cofigured accordig to differet requiremets of precisio ad system variatios. What s more, compare with previous methods, our scheme ca make good use of the existig resources i FPGAs ad ca also be implemeted efficietly i ASICs. Sythesis results show that our 1

proposed method has much lower resource overhead comparig with previous protectio schemes like i [5,6,9]. The rest of the paper is orgaized as follows. I Sectio 2, we revisit the basics of DFA attacks ad previous protectio methods. I Sectio 3, we describe the proposed detectio method ad discuss its advatages over the previous schemes. I Sectio 4, we show the sythesis ad simulatio results of the proposed method, ad compare it with previous protectio schemes. Fially we coclude the paper i Sectio 5. 2 Backgroud I this sectio, we briefly itroduce DFAs, ad review the existig work o ru-time error detectio of crypto circuits. 2.1 Differetial Fault Aalysis Attacks As fault aalysis is depedet o the algorithm of cryptosystem, we take AES [10] as example. AES-128 algorithm has te rouds of computatio, with the first ie rouds cosistig of four steps, SubByte, ShiftRow, MixColum, ad AddKey, ad the last roud just three steps - without MixColum. Previous work has demostrated that if faults ca be ijected betwee the MixColum operatio i roud eight ad SubByte operatio i roud te, DFA based o this fault model ca recover the last-roud key with just two pairs of correct ad faulty ciphertexts. Fig. 1 depicts the geeral DFA process. Before itroducig faults, the attacker first gets a pair of plaitext ad correct ciphertext (P, C), where P is a radomly chose plaitext ad C is the correspodig ciphertext with the last roud key as K 10. The attacker the ijects faults ito the cryptographic system ad obtai a faulty ciphertex, C, uder the same plaitext P. A fault caused by clock glitch that falls before the last roud computatio would result i a faulty iput P 10 to the last roud, istead of correct oe P 10. K 10 P 10 P 10 ' Fig. 1. Differetial fault aalysis model 2

By examiig the differece betwee C ad C, the attack ca idetify the locatio of the faulty byte i the 16-byte AES state, deoted as i. The attacker the makes a assumptio of the last roud key byte Ki 10. For ay key guess Ki 10, the attacker ca iversely compute the last roud iput P 10 ad P 10 from the ciphertext outputs. { P10 = AES10 1 (C, K10 i ) P 10 = AES10 1 (C, Ki 10 ). (1) Certai characteristics of the differece betwee P 10 ad P 10 ca be used to extract the correct Ki 10. For clock glitch fault ijectio, illegal clock will cause a setup-time violatio sice flip-flops are triggered before the output sigals are fixed to a correct value. I [3], the authors show that faults may happe i either sigle bytes or multiple bytes, or eve i multiple diagoals. They also demostrate that relatioship amog faulty bytes ca be used to recover the last roud key bytes. Other fault ijectio methods would icur more complex fault models ad there will be differet characteristics amog faulty bytes ad such characteristics ca be used for attacks [2,11]. 2.2 DFA Coutermeasures Previous works agaist DFAs use redudacy or error detectio codes to capture faults at ru-time [5,6,9]. This kid of protectio schemes ca detect ay ijected faults iside the circuits whe the results of the predictor based o the codes (or a redudat copy) ad the compressor of the origial copy do ot match. The methods are useful whe the faults fall o either the origial circuit or the protectio circuit, or the faults ijected i both parts result i differet errors. owever, faults ijected by clock glitches fall o the commo iput of these two parts ad would affect the two circuits simultaeously to geerate the same outputs. It is highly possible that the faults caused by clock glitches will escape these high-level error detectio methods. For the scheme proposed i [7], a o-logic buffer-based delay chai is iserted ito the origial desig with propagatio delay (T d ) predefied durig desig phase ad 1/T d idicates the upper boud of the clock frequecy of the crypto circuit. If the circuit rus too fast (i.e. the applied clock frequecy is faster tha/t d ), timig errors might occur. Thus by moitorig the result o this delay chai, a possible clock glitch based fault attack might be detected. For this desig, the problem is that it ivolves complex desig work for differet process techology ad crypto circuits, ad the system frequecy caot be chaged after productio. 3 Proposed Clock Glitch Detectio Method I this sectio, we propose a ew clock glitch detectio method to resist glitch based DFAs. The mai idea is that glitches make the clock irregular, ad we desig a circuit to moitor the clock pulses ad detect such irregularity at ru-time. Deote the system clock used i the cryptographic circuit as clock. To measure the width of clock pulses, we itroduce aother higher-frequecy clock source clk. The structure of the proposed scheme is show i Fig. 2. The Width Couters take clock as the iput sigal ad clk as the triggerig clock. The couters measure the width of the high pulse ad low pulse of clock i umber of clk cycles ad store the results i two Width Registers, oe for high ad the other for low. Cosiderig two cosecutive cycles of clock, deote the Width Couters result as 0 for the first logic 1, which meas the umber of cycles of clk while clock = 1, ad defie 0 the umber of cycles of clk for clock = 0 i the first cycle. Similarly, use 1 ad 1 to deote the width of the logic 1 ad logic 0 of the followig cycle, show as i Fig. 3. If the target clock ad the referece clk are both stable, the: { 0 = 1 0 =. (2) 1 3

ow Pulse Width Couter igh Pulse Width Couter Width Registers Crypto module Crypto output Fig. 2. The block diagram of the clock glitch detectio circuit Number of cycles: Fig. 3. Couter of the clock glitch detectio circuit For clock with 50% duty cycle, we have: 0 = 1 = 0 = 1. (3) If the clock is ot costat, the width of logic 0 or logic 1 of clock is varyig. Such differece betwee two cosecutive clocks ca be used to detect glitches i the system clock. If there is a glitch i clock show as i Fig. 4. The it s obvious that: { 0 1, 1 2 0 1, 1, (4) 2 thus the glitch is detected ad Alarm triggered. Number of cycles: 2 2 Fig. 4. Whe glitch happes i clock 4

3.1 Implemetatio of the Proposed Scheme Oe key poit of the desig is to have a stable high frequecy referece clock source clk. For FPGA ad other embedded systems, clock geerator ad phase-locked loop (P) ca be desiged iside the devices i the desig phase. A alterative method is to use existig resources. Take FPGA for example, a digital clock maager (DCM) or a P ca be used to geerate higher frequecy with clock as the iput clock. The Digital Clock Maager (DCM) primitive i Xilix FPGA is used to implemet delay locked loop, digital frequecy sythesizer, digital phase shifter, or a digital spread spectrum [12]. The P i FPGA is used to geerate multiple clocks with defied phase ad frequecy relatioships to a give iput clock [13,14]. For example, there are up to 12 DCM modules i Virtex 5 FPGAs ad each ca be used to geerate utmost 32 higher frequecy, ad cascaded DCMs ca be used to geerate eve higher frequecy output [15]. Assume oe DCM module is used to geerate 32 frequecy clk, the for stable clock, 0 = 1 = 0 = 1 = 16. For P ad DCM, if there is a glitch i clock, the glitch will be detected ad meawhile the frequecy geeratio module will lose OCK ad some operatios are eeded to reset the module [12,13,14]. The details will be explaied ad simulated i Sectio 4. 3.2 Advatage of the Proposed Scheme Compared to the previous faulty clock detectio schemes, our proposed scheme has several advatages. Firstly, it has a low resource requiremet. It ca be easily implemeted i FPGAs ad ICs, oly aother higher frequecy clock source or a clock maagemet module (P, etc) is eeded. Secodly, the proposed scheme is easily cofigurable accordig to the precisio requiremet of the system. The method i [7] requires to isert a o-logic buffer-based delay chai to the circuits ad the delay caot be chaged after productio. The delay ad the delay chai desig are also techology depedet ad therefore it icreases the desig difficulty ad complexity. Thirdly, it is easy to cotrol the frequecy of referece clock clk, ad higher precisio ca be achieved by usig higher frequecy clk. What s more, our scheme also has cofigurable threshold of clock jitter by cotrollig the comparator. Assume that the clock has slight variatios ad the width of clock is ot costat, we set the comparator to tolerat differet betwee 0 ad 1 (ad the differece betwee 0 ad 1 ) below λ, i.e., the variatio is ot caused by clock glitchig ad therefore is acceptable: { 0 1 < λ 0 1 < λ. (5) For istace, assume the frequecy of clk is 32 of clock, we ca set λ = 2 such that the variatio of clock ca be at most the width of 2 clk. igher precisio ca be achieved by usig higher frequecy clk ad λ ca be chose accordig to the sesitivity level requiremet ad clock jitter. 4 Implemetatio ad simulatio results To verify the fuctioality of the proposed scheme, we use Virtex-5 FPGA ad its iteral DCM [12,13] to implemet the proposed scheme. The target clock is ruig at 5 Mz ad its duty cycle is 75%. We use DCM to geerate the higher frequecy clock clk with the frequecy 160 Mz. The simulatio result is show as i Fig. 5, with a glitch added i clock. The results show that the proposed scheme ca detect glitches efficietly, with a alarm triggered whe the glitch is detected. Meawhile, the proposed scheme is very robust, which ca recover the moitorig higher frequecy clock rapidly after losig OCK of the target clock. Details of the simulatio result are show as i Fig. 6. For the above simulatio settigs, 0 = 1 = 24 ad 0 = 1 = 8 whe there is o glitch. The register pre high ct( 0 ) holds value 24 ad the value of pre low ct( 0 ) is 8 if the system clock is stable. Whe clock glitch happes, the register of the curret result of 1 is 17 which is smaller tha 24, ad thus the glitch is detected. 5

Fig. 5. Simulatio result of the proposed scheme Fig. 6. Detailed results of the couter registers To evaluate the implemetatio overheads of the proposed glitch detectio scheme, we implemet a glitch detectio scheme based o the origial AES usig P i Verilog ad sythesize it i Cadece Ecouter RT Compiler with the Nagate 45m Opecell library versio v2009 07. The desigs were placed ad routed usig Cadece Ecouter. The latecy, the area overhead of the protectio schemes were estimated usig Cocurret Curret Source (CCS) model uder typical operatio coditio assumig a supply voltage of 1.1V ad a temperature of 25 Celsius degree. The sythesis results are show i Table 1. Table 1. Overhead Evaluatio of the Proposed Detectio Method Circuit Area (um 2 ) Power (mw ) OrigialAES 13987.9 20.4 P roposed 14392.5 22.8 The results show that the proposed glitch detectio scheme icurs 2.9% area overhead ad cosumes 12% more power tha the origial AES implemetatio. Comparig with the scheme proposed i [7] with oly about 0.47% area overhead, our proposed method cosumes a little more area. But for FPGAs, our scheme ca make good use of iteral DCM ad P modules. What s more, our method ca be very easy to implemet while the scheme i [7] ivolves complex desig work for differet FPGA families ad IC process techologies. 5 Coclusio I this paper, we propose a simple method to detect clock glitches ad the results show that the proposed scheme ca detect glitches i clock efficietly while eeds much fewer resource overhead tha the previous 6

protectio schemes. Compared with previous schemes, the proposed scheme is desiged specifically for clock glitch detectio ad it is highly recofigurable. The proposed scheme ivolves o complex work i desig phase for differet process techology. Refereces 1. E. Biham ad A. Shamir, Differetial fault aalysis of secret key cryptosystems, i Advaces i CryptologyCRYPTO 97. Spriger, 1997, pp. 513 525. 2. G. Piret ad J.-J. Quisquater, A differetial fault attack techique agaist SPN structures, with applicatio to the AES ad KAZAD, i Cryptographic ardware ad Embedded Systems-CES 2003. Spriger, 2003, pp. 77 88. 3. D. Saha, D. Mukhopadhyay, ad D. R. Chowdhury, A diagoal fault attack o the Advaced Ecryptio Stadard, IACR Cryptology eprit Archive, vol. 2009, p. 581, 2009. 4. S. Skorobogatov, Sychroizatio method for SCA ad fault attacks, Joural of Cryptographic Egieerig, vol. 1, o. 1, pp. 71 77, 2011. 5. M. Karpovsky, K. J. Kulikowski, ad A. Taubi, Differetial fault aalysis attack resistat architectures for the advaced ecryptio stadard, i Smart Card Research ad Advaced Applicatios VI. Spriger, 2004, pp. 177 192. 6. C.-. Ye ad B.-F. Wu, Simple error detectio methods for hardware implemetatio of advaced ecryptio stadard, Computers, IEEE Trasactios o, vol. 55, o. 6, pp. 720 731, 2006. 7.. Igarashi, Y. Shi, M. Yaagisawa, ad N. Togawa, Cocurret faulty clock detectio for crypto circuits agaist clock glitch based DFA, i Circuits ad Systems (ISCAS), 2013 IEEE Iteratioal Symposium o. IEEE, 2013, pp. 1432 1435. 8. M. Rohleder, T. Koch, V. itovtcheko, ad T. uedeke, Clock glitch detectio circuit, Dec. 29 2011, us Patet App. 13/131,349. [Olie]. Available: http://www.google.com/patets/us20110317802 9. M. Karpovsky, K. J. Kulikowski, ad A. Taubi, Robust protectio agaist fault-ijectio attacks o smart cards implemetig the advaced ecryptio stadard, i Depedable Systems ad Networks, 2004 Iteratioal Coferece o. IEEE, 2004, pp. 93 101. 10. P. FIPS, 197, Advaced Ecryptio Stadard (AES), vol. 26, 2001. 11. Y. i, K. Sakiyama, S. Gomisawa, T. Fukuaga, J. Takahashi, ad K. Ohta, Fault sesitivity aalysis, i Cryptographic ardware ad Embedded Systems, CES 2010. Spriger, 2010, pp. 320 334. 12. DS485: Digital Clock Maager (DCM) Module. 13. DS622: Phase ocked oop (P) Module (v2.00a). 14. Altera Phase-ocked oop (Altera P) Megafuctio User Guide. 15. UG190: Virtex-5 FPGA User Guide. 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information