Synthesis of Fault Attacks on Cryptographic Implementations

Fault attacks are attacks in which an adversary with physical access to a cryptographic device, say a smartcard, tampers with the execution of an algorithm to retrieve secret material. Since the seminal Bellcore attack on modular exponentiation, there has been extensive work to discover new fault attacks against cryptographic schemes and to develop countermeasures against such attacks. Originally focused on high-level algorithmic descriptions, these efforts increasingly focus on concrete implementations. While lowering the abstraction level leads to new fault attacks, it also makes their discovery significantly more challenging. To keep pace with this trend, it is therefore desirable to develop principled, tool-supported approaches that allow a systematic analysis of the security of cryptographic implementations against fault attacks. We propose, implement, and evaluate a new approach for finding fault attacks against cryptographic implementations. Our approach is based on identifying implementation-independent mathematical properties, called fault conditions. We choose fault conditions so that it is possible to recover secret data purely by computing on sufficiently many data points that satisfy them. Fault conditions capture the essence of a large number of attacks from the literature, including lattice-based attacks on RSA. Moreover, they provide a basis for automatically discovering new attacks: using fault conditions, we specify the problem of finding faulted implementations as a program synthesis problem. Using a specialized form of program synthesis, we discover multiple fault attacks on RSA and ECDSA. Several of the attacks found by our tool are new and of independent interest.
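To make the notion of a fault condition concrete, here is the implementation-independent condition behind the Bellcore attack on RSA-CRT named above, together with the standard verify-before-output countermeasure that stops a device from releasing any signature satisfying it. This is an added example, not the paper's own code or tool; the toy primes, the single-half fault model and the function names are constructed for illustration.

```python
from math import gcd

# Constructed toy key (real keys use primes of 1024 bits or more).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def crt_sign(m, fault_in_q=False):
    """Textbook RSA-CRT signing of an integer m < N.

    fault_in_q simulates a transient fault corrupting the half of the
    computation done modulo Q. Any corruption of sq satisfies the condition
    below; adding 1 is just the constructed instance used here."""
    sp = pow(m, D % (P - 1), P)
    sq = pow(m, D % (Q - 1), Q)
    if fault_in_q:
        sq = (sq + 1) % Q
    h = ((sp - sq) * pow(Q, -1, P)) % P   # Garner recombination
    return sq + Q * h


def factor_from_fault_condition(m, s_faulty):
    """Bellcore fault condition for RSA-CRT, stated without reference to
    any particular implementation: if s_faulty is correct modulo P but
    wrong modulo Q, then s_faulty**E - m is divisible by P and not by Q,
    so its gcd with N is a nontrivial factor. Returns that factor when the
    condition holds and None otherwise (a defender's test oracle)."""
    g = gcd(pow(s_faulty, E, N) - m, N)
    return g if 1 < g < N else None


def sign_with_check(m, fault_in_q=False):
    """Countermeasure: verify with the public exponent before release, so
    no output satisfying the fault condition ever leaves the device."""
    s = crt_sign(m, fault_in_q)
    return s if pow(s, E, N) == m else None


if __name__ == "__main__":
    m = 42
    faulty = crt_sign(m, fault_in_q=True)
    print("unchecked faulty output reveals factor:",
          factor_from_fault_condition(m, faulty))
    print("checked signer releases:", sign_with_check(m, fault_in_q=True))
```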
