Chapter

Cryptographic Hardware and Embedded Systems, CHES 2010

Volume 6225 of the series Lecture Notes in Computer Science pp 320-334

Fault Sensitivity Analysis

  • Yang LiAffiliated withDepartment of Informatics, The University of Electro-Communications
  • , Kazuo SakiyamaAffiliated withDepartment of Informatics, The University of Electro-Communications
  • , Shigeto GomisawaAffiliated withDepartment of Informatics, The University of Electro-Communications
  • , Toshinori FukunagaAffiliated withNTT Information Sharing Platform Laboratories, NTT Corporation
  • , Junko TakahashiAffiliated withDepartment of Informatics, The University of Electro-CommunicationsNTT Information Sharing Platform Laboratories, NTT Corporation
  • , Kazuo OhtaAffiliated withDepartment of Informatics, The University of Electro-Communications

Abstract

This paper proposes a new fault-based attack called the Fault Sensitivity Analysis (FSA) attack, which unlike most existing fault-based analyses including Differential Fault Analysis (DFA) does not use values of faulty ciphertexts. Fault sensitivity means the critical condition when a faulty output begins to exhibit some detectable characteristics, e.g., the clock frequency when fault operation begins to occur. We explain that the fault sensitivity exhibits sensitive-data dependency and can be used to retrieve the secret key. This paper presents two practical FSA attacks against two AES hardware implementations on SASEBO-R, PPRM1-AES and WDDL-AES. Different from previous work, we show that WDDL-AES is not perfectly secure against setup-time violation attacks.

We also discuss a masking technique as a potential countermeasure against the proposed fault-based attack.

Keywords

Side-channel attacks Fault Sensitivity Analysis AES WDDL