I recently attended two of the largest workshops about hardware security: FDTC and CHES in Busan, South Korea. As usual, lots of new results were presented there.
During the Fault Diagnosis and Tolerance in Cryptography workshop (FDTC), three presentations, including the invited speaker, were about different ways to attack Pairing Cryptography algorithms with fault and side-channel attacks. This indicates that focus has moved to this cryptographic primitive and the security of its hardware implementations. Two papers presented fault attacks against the Miller algorithm which is used to compute pairings. One of these paper showed that combining an initial fault in the Miller algorithm with a second fault to bypass the final exponentiation of a pairing was possible on their target device, a AVR XMEGA-A1 microcontroller.
Two different glitch attacks were presented against microcontrollers. One of them showed that heating the microcontroller helped to induce further effects when clock glitching. In the second paper, a combination of clock glitching and underpowering were applied on both ARM Cortex-M0 and a Atmel ATxmega 256 microcontrollers. The faults obtained were skipped or duplicate instruction executions as well as wrong calculations.
New fault attacks were presented against GOST, SIMON, SPECK, Feistel and Substitution-Permutation networks. Aside from attacks, a new countermeasure was presented to protect RSA implementations against multiple fault injections. The authors made a large effort to formalize fault injections as well as showing equivalence of some fault models. They then showed how to build provable secure countermeasure against high-order fault attacks (multiple faults) with a generic fault model. This may provide a good tool for hardware designers.
During the Workshop on Cryptographic Hardware and Embedded Systems (CHES), the best paper award was given to a team from Tohoku and Kobe. They showed that it is possible to build a detector inside a circuit with standard cells that detects if an electromagnetic (EM) probe is near the die. Usually, we use EM probes to either perform leakage acquisitions for side channel analysis or to inject localized faults using local electromagnetic radiations. If a chipset is equipped with such detector it may hinder such attacks. Their detector was implemented and tested within an AES processor. A video of their experiment was shown during the rump session.
Another team showed that a hardware Trojan construction presented last year which consists in modifying the dopant level of a gate into a circuit, can be detected when the circuit is analyzed with a FIB or a SEM.
A presentation leading to a nice demo (picture on the right) was given by people from Tel-Aviv University and Technion. Their idea was to extract the secret key used during GnuPG encryption only by touching the chassis of a laptop. They successfully demonstrated proof of their attack on stage.
New fault attacks were also presented. A team demonstrated that the countermeasure for AES which was defeated last year has other weaknesses and they proposed a different countermeasure. Another team combined fault attacks with side channel information to attack the AES key scheduler. Meanwhile, they solved an interesting previous open question about the Hamming weight of the key scheduler. They showed that two different keys can have the same key expansion Hamming weight. They provided an algorithm to construct such keys. A side channel analysis of prime number generation was presented by ANSSI. They attacked the prime sieving algorithm before the Miller-Rabin’s tests during the prime number generation. They applied their attack on a smartcard implementation.
An interesting presentation was made about Photonic Emission Analysis (PEA). A team from Berlin performed an analysis of an arbiter-based Physically Unclonable Function (PUF), which is a common construction of timing-based PUFs. The photonic emission principle is simple. Each CMOS transistor can emit photons during a switch of its state. These photons can be observed from the backside of the chips and thus give information about the physical location of the active part of the die. This team implemented its PUF on an Altera MAX V board. For the photonic emission analysis they used a Si-CCD camera and an InGaAs avalanche diode to provide both spatial and timing resolution. With their setup they obtained the timing of some reference challenges and then these timings were used to predict further PUF outputs of given challenges and finally clone the PUF.
To sum up, more and more complex and combined attacks are being realized and the theory behind them is becoming more fully understood. This progression is resulting in hardware attacks which are practical and sometimes devastating to the security of certain products. Links are are being made between previously separate domains to achieve practical attacks. I saw lot of amazing presentations and I had really nice discussions there. I hope to see you next year in Saint-Malo.
Kudelski Security Research 