FIMA: Fault Intensity Map Analysis
We present a new statistical fault analysis technique called fault intensity map analysis (FIMA) that evaluates the responses of cryptographic implementations to biased-fault injections with varying intensities. FIMA exploits information from fault bias, as well as the correlation between fault distribution and intensity, to retrieve the secret key with fewer fault injections than existing techniques. FIMA generalizes several existing statistical fault analysis techniques, such as fault sensitivity analysis (FSA), differential fault intensity analysis (DFIA), ciphertext-only fault analysis (CFA), and statistical ineffective fault analysis (SIFA). FIMA has the flexibility of using different observables, e.g., faulty ciphertexts, correct ciphertexts under ineffective fault inductions, and data-dependent intensity profiles, and is successful against a wide range of countermeasures. In this paper, we use FIMA to retrieve the entire 128-bit secret key of the Ascon authenticated cipher, a CAESAR finalist for lightweight applications. On a software implementation of Ascon, simulations show that FIMA recovers the secret key with fewer than 50% of the fault injections required by previous techniques that rely on fault bias alone; furthermore, in the presence of error-detection and infective countermeasures, FIMA is \(6\times \) more efficient than previous bias-based techniques.
KeywordsAuthenticated encryption Fault bias Fault image Fault intensity FIMA SIFA Statistical fault analysis
This work was supported by NIST award 70NANB18H219 for Lightweight Cryptography in Hardware and Embedded Systems.
- 3.Bernstein, D.: Cryptographic competitions (2016). https://competitions.cr.yp.to/caesar.html
- 6.Dobraunig, C., Eichlseder, M., Korak, T., Lomné, V., Mendel, F.: Statistical fault attacks on nonce-based authenticated encryption schemes. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 369–395. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_14CrossRefGoogle Scholar
- 7.Dobraunig, C., Eichlseder, M., Korak, T., Mangard, S., Mendel, F., Primas, R.: SIFA: exploiting ineffective fault inductions on symmetric cryptography. IACR Trans. Cryptogr. Hardw. Embedded Syst. 2018, 547–572 (2018)Google Scholar
- 8.Fuhr, T., Jaulmes, E., Lomné, V., Thillard, A.: Fault attacks on AES with faulty ciphertexts only. In: 2013 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp. 108–118. IEEE (2013)Google Scholar
- 11.Ghalaty, N.F., Yuce, B., Taha, M., Schaumont, P.: Differential fault intensity analysis. In: 2014 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp. 49–58. IEEE (2014)Google Scholar
- 13.Lashermes, R., Reymond, G., Dutertre, J.M., Fournier, J., Robisson, B., Tria, A.: A DFA on AES based on the entropy of error distributions. In: 2012 Workshop on Fault Diagnosis and Tolerance in Cryptography, pp. 34–43. IEEE (2012)Google Scholar
- 14.Li, W., et al.: Ciphertext-only fault analysis on the led lightweight cryptosystem in the internet of things. IEEE Trans. Dependable Secure Comput. (2018)Google Scholar
- 19.Patranabis, S., Chakraborty, A., Mukhopadhyay, D., Chakrabarti, P.P.: Fault space transformation: a generic approach to counter differential fault analysis and differential fault intensity analysis on AES-like block ciphers. IEEE Trans. Inf. Forensics Secur. 12(5), 1092–1102 (2017)CrossRefGoogle Scholar
- 20.Patranabis, S., et al.: Lightweight design-for-security strategies for combined countermeasures against side channel and fault analysis in IoT applications. J. Hardw. Syst. Secur., 1–29 (2018)Google Scholar
- 21.Potestad-Ordóñez, F., Jiménez-Fernández, C., Valencia-Barrero, M.: Experimental and timing analysis comparison of FPGA trivium implementations and their vulnerability to clock fault injection. In: 2016 Conference on Design of Circuits and Integrated Systems (DCIS), pp. 1–6. IEEE (2016)Google Scholar