#### FROM RESEARCH TO INDUSTRY





# ROUND MODIFICATION ANALYSIS ON AES USING ELECTROMAGNETIC GLITCH

<u>Amine DEHBAOUI</u><sup>1</sup>, Amir-Pasha MIRBAHA<sup>2</sup>, Nicolas MORO<sup>1</sup>, Jean-Max DUTERTRE<sup>2</sup>, Assia TRIA<sup>1</sup>

COSADE 2013

Paris, France



www.cea.fr



# OUTLINE

- Context
- Round Modification Analysis on AES
- Proposed Round Modification Analysis on AES
- Electromagnetic Glitch Injection Technique
- Concrete Results with EMG
- Conclusion



Fault injection means: power supply glitch, clock glitch, EM glitch, laser shot, ...

These disturb the encryption/decryption process through unusual environmental conditions in order to:

- reduce the encryption complexity (e.g. round reduction analysis),
- differential fault analysis = comparison between correct and faulty ciphertexts,
- safe errors, HW/SW reverse engineering, ...
- retrieve information on the encryption process (i.e. information leakage)

# **Round Modification Analysis on AES**



# ADVANCED ENCRYPTION STANDARD 128 BITS REMINDER





# STATE-OF-THE-ART OF ROUND MODIFICATIONS ANALYSIS



**R**ound **M**odification Analysis

- **Round Reduction Analysis**: decrease the number of executed rounds
- **Round Addition Analysis**: increase the number of executed rounds
- **Round Alteration Analysis**: modification of the round order

# STATE-OF-THE-ART OF ROUND MODIFICATIONS ANALYSIS



**R**ound **M**odification Analysis

- **Round Reduction Analysis**: H. Choukri et al. [2005]; J.H. Park et al. [2011]; K.S. Bae et al. [2011]
- **Round Addition Analysis**: J.M. Dutertre et al. #3 [2012]
- **Round Alteration Analysis**: J.M. Dutertre et al. #2 [2012]

# STATE-OF-THE-ART OF ROUND MODIFICATIONS ANALYSIS


| Attack | Target | Means | Type | Encryption sequence | Req. texts | Key search average time |
|--------|--------|-------|------|---------------------|------------|-------------------------|
| H. Choukri et al. [FDTC'05] | PIC16F877 8-bit | Power glitch | Round Reduction | $R_0 - R_m$ | 2 | ≈ 1 second |
| J.H. Park et al. [ETRI'11] | ATmega128 8-bit | Laser | Round Reduction | $R_0 - R_1 - R_{10}$ | 10 | ≈ 10 hours |
| K.S. Bae et al. [ICCIT'11] | ATmega128 8-bit | Laser | Round Reduction | $R_0 R_8 - R_{10}$ | 2 | ≈ 1 second |
| J.M. Dutertre et al. #2 [HOST'12] | Unknown mcu 0.35µm 8-bit | Laser | Round Alteration | $R_0 R_8 - R_m - R_f$ | 3 | ≈ 1 second |
| J.M. Dutertre et al. #3 [HOST'12] | Unknown mcu 0.35µm 8-bit | Laser | Round Addition | $R_0 R_9 - R_{m=10} - R_{f=11}$ | 3 | ≈ 1 hour & 30 minutes |

# Proposed Round Modification Analysis on AES



# PROPOSED ROUND MODIFICATIONS ANALYSIS

www.emse.fr



$$C \text{ (correct ciphertext)} = \operatorname{FR}(M_9) \oplus K_{10}$$



## PROPOSED ROUND MODIFICATIONS ANALYSIS







1 plaintext:

$$\begin{cases} D \text{ (faulty ciphertext)} = \operatorname{FR}[\operatorname{MR}(M_9) \oplus K'_9] \oplus K'_{10} \\ C \text{ (correct ciphertext)} = \operatorname{FR}(M_9) \oplus K_{10} \end{cases}$$

2 plaintexts $M^a$, $M^b$:

$$\operatorname{FR}^{-1}(D^a \oplus K'_{10}) \oplus \operatorname{FR}^{-1}(D^b \oplus K'_{10}) = \operatorname{MC}(C^a \oplus C^b)$$

The unknowns $K_{10}$ and $K'_9$ cancel because $\operatorname{MR}(M_9) = \operatorname{MC}(\operatorname{FR}(M_9)) = \operatorname{MC}(C \oplus K_{10})$ and MC is linear.

- 2 hypotheses on each $K'_{10}$ byte ($2^{16}$ for a 128-bit AES key)
- Calculation time: < 1 second
- Alternative solution: 3 plaintexts instead of 2, thus 1 hypothesis for each $K'_{10}$ byte

# **Electromagnetic Glitch injection Technique**

# PRACTICAL ELECTROMAGNETIC GLITCH SETUP





- Pulse amplitude: -200V / +200V

The computer controls both the pulse generator (through an RS-232 link) and the target board (through a USB link).

# PRACTICAL ELECTROMAGNETIC GLITCH SETUP

#### **Target Description**

- Up-to-date 32-bit microcontroller
- Designed in a CMOS 130nm technology
- Based on the ARM Cortex-M3 processor
- Operating frequency is set to 24MHz
- Can detect several types of hardware faults

When a specific type of hardware fault is detected, the processor raises its associated interrupt.

| Exception | Description |
|-----------|-------------|
| Hard fault | Error during exception processing. Has the highest priority |
| Bus fault | Memory related fault, for an instruction or data memory transaction |
| Memory Management Fault | Triggered by the memory protection unit. Possible access to a restricted memory area |
| Usage Fault | Fault related to instruction execution: undefined instruction, illegal unaligned access, etc. |
| Clock Security System | Error on the high speed external clock |
| Programmable Voltage Detect | The power supply is under a user-defined threshold |

# **Concrete Results with EMG**



## **EMG PROFILE OF THE TARGET**



#### **EM Channel : main strengths**

- Does **not require depackaging** the target.
- Targets the upper metal layer (power/ground or clock networks).



#### **Logical Effect:** instruction alteration



# EXPERIMENTAL OUTLINE



#### Algorithm 2 Experimental process

```
Set the relative position of the antenna on top of the surface of the package
Define a time interval [t_min; t_max] to inject the EMG
Initialize the pulse generator
Define a time step Δt
Initialize a random fixed key and plaintext
for t = t_min step Δt to t_max do
    microcontroller_reset()
    launch AES()
    send_pulse_with_delay(t)
    sleep(100ms)
    microcontroller_stop()
    results = microcontroller_get_status()
    print_and_store(results)
end for
```

Status output shown on the slide (terminal capture):

```
Execution normale pour calibration
[ OK ] Debut de l'execution du programme
[ OK ] 1 seconde de pause
[ OK ] Arret de la carte
[ OK ] Recuperation des registres
[ OK ] Recuperation du registre xPSR
[ OK ] Recuperation du Fault Status Register
[ OK ] Reset de la carte pour l'execution suivante
Registres:
R0=0x200003F0
R1=0x200003E8
R2=0x00010000
R3=0x00010800
R4=0x00000008
R5=0x0800088C
R6=0x00000000
R7=0x00000000
R8=0x00000000
R9=0x20000160
R10=0x00000000
R11=0x0000000
R12=0x00000100
Registres particuliers:
R13 Stack Pointer = 0x200003C8
R14 Link Register = 0xFFFFFF9
R15 Program Counter = 0x08006F6
xPSR Program Status Register = 0x21000006
Flags:
N - Negative = 0
Z - Zero = 0
C - Carry = 1
Q - Saturation = 0
Interruption:
Execution : UsageFault
UNDEFINSTR — Undefined instruction UsageFault
```





Fig. 3. Timing cartography of the EMG effect on the microcontroller

# Conclusion






- Round Modification Analysis by targeting the round counter
- Fault induced at the end of the penultimate round
- Execution of a second penultimate round
- EMG Fault model : **instruction alteration**
- High occurrence rate / without triggering hardware interrupts





| Attack | Target | Means | Type | Encryption sequence | Req. texts | Key search average time |
|--------|--------|-------|------|---------------------|------------|-------------------------|
| H. Choukri et al. [FDTC'05] | PIC16F877 8-bit | Power glitch | Round Reduction | $R_0 - R_m$ | 2 | ≈ 1 second |
| J.H. Park et al. [ETRI'11] | ATmega128 8-bit | Laser | Round Reduction | $R_0 - R_1 - R_{10}$ | 10 | ≈ 10 hours |
| K.S. Bae et al. [ICCIT'11] | ATmega128 8-bit | Laser | Round Reduction | $R_0 R_8 - R_{10}$ | 2 | ≈ 1 second |
| J.M. Dutertre et al. #2 [HOST'12] | Unknown mcu 0.35µm 8-bit | Laser | Round Alteration | $R_0 R_8 - R_m - R_f$ | 3 | ≈ 1 second |
| J.M. Dutertre et al. #3 [HOST'12] | Unknown mcu 0.35µm 8-bit | Laser | Round Addition | $R_0 R_9 - R_{m=10} - R_{f=11}$ | 3 | ≈ 1 hour & 30 minutes |
| Our experiment [COSADE'13] | ARM Cortex-M3 based 130nm 32-bit | EM glitch | Round Addition | $R_0 R_9 - R_{m=9'} - R_{f=10'}$ | 2 | ≈ 1 second |

# Annex: RMA Exceptional Case



# **RMA – An Exceptional Case**





An exceptional case may happen when a byte value in $D^a$ is equal to the corresponding byte on the second encryption, i.e. $D^a[\text{byte } i] = D^b[\text{byte } i]$.

Example:

| Text | Bytes |
|------|-------|
| $M^a$ | 32 43 F6 A8 88 5A 30 8D 31 31 98 A2 E0 37 07 34 |
| $M^b$ | 19 84 B0 92 95 C8 B1 D9 C4 4E 4D 1E F2 C0 36 5E |
| $C^a$ | 39 25 84 1D 02 DC 09 FB DC 11 85 97 19 6A 0B 32 |
| $C^b$ | 13 AB D8 4B 7B EA FA 58 47 58 48 A5 50 B3 B2 DC |
| $D^a$ | 49 4a b5 1f 3b 08 83 **e0** d1 21 34 6b 32 cd 31 cb |
| $D^b$ | 8c fc 54 6b 3a 46 9e **e0** b7 65 6d 0a 92 7b a0 e1 |

Diagram labels: Round f=10', $\operatorname{SR} \circ \operatorname{SB}(M_{9'})$, $K'_{10}$, $D$.



# **RMA – An Exceptional Case**

$D^a$: 49 4a b5 1f 3b 08 83 e0 d1 21 34 6b 32 cd 31 cb

$D^b$: 8c fc 54 6b 3a 46 9e e0 b7 65 6d 0a 92 7b a0 e1

$$\operatorname{SB}^{-1} \circ \operatorname{SR}^{-1}(D^a \oplus K'_{10}) \oplus \operatorname{SB}^{-1} \circ \operatorname{SR}^{-1}(D^b \oplus K'_{10}) = \operatorname{MC}(C^a \oplus C^b)$$



**$2^8$ hypotheses** on $K'_{10}[7]$ (byte [7] of $K'_{10}$) and **2 hypotheses** on each other $K'_{10}$ byte







Calculation time: still less than 1 second

Probability of this exceptional case:

$$1-\frac{\binom{255}{1}}{\binom{256}{1}}\times\frac{\binom{255}{1}}{\binom{256}{1}}\times\dots\times\frac{\binom{255}{1}}{\binom{256}{1}}=1-\left(\frac{255}{256}\right)^{16}\approx 6.070\,\%$$

With 1, 2 or even 3 equal byte values in $D^a$ and $D^b$, the cryptanalysis has an answer in a short calculation time.

In any case, there is a faster solution: using 3 plaintexts instead of 2.
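Added example (not from the slides): a Python simulation of the two-round model, checking the hypothesis counts stated on the key-search slide (2 per $K'_{10}$ byte, fewer with 3 plaintexts) and in this exceptional case ($2^8$ when the $D^a$ and $D^b$ bytes are equal). The states and round keys are randomly constructed, the function names are hypothetical, and MR is taken as MC∘SR∘SB, which is the assumption under which the slides' relation holds.

```python
import random

def gmul(a, b):  # multiply in GF(2^8) modulo the AES polynomial 0x11B
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = ((a << 1) ^ (0x11B if a & 0x80 else 0)) & 0xFF
        b >>= 1
    return r

def _sbox(x):  # field inverse (0 maps to 0) followed by the AES affine map
    inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
    rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63

SBOX = [_sbox(x) for x in range(256)]
INV_SBOX = [SBOX.index(v) for v in range(256)]
xor = lambda a, b: [x ^ y for x, y in zip(a, b)]

def sr(s):  # ShiftRows on a 16-byte column-major state (index = 4*col + row)
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def mc(s):  # MixColumns: out[r] = 2*a[r] ^ 3*a[r+1] ^ a[r+2] ^ a[r+3] per column
    return [gmul(2, s[4*c + r]) ^ gmul(3, s[4*c + (r+1) % 4]) ^ s[4*c + (r+2) % 4]
            ^ s[4*c + (r+3) % 4] for c in range(4) for r in range(4)]

def fr(s):  # FR without its key addition: SubBytes then ShiftRows
    return sr([SBOX[b] for b in s])

def simulate(m9, k10, k9p, k10p):  # C = FR(M9)^K10, D = FR[MR(M9)^K'9]^K'10
    return xor(fr(m9), k10), xor(fr(xor(mc(fr(m9)), k9p)), k10p)

def byte_hypotheses(da, db, delta):
    """Values k of one K'10 byte with SB^-1(da^k) ^ SB^-1(db^k) == delta."""
    return {k for k in range(256) if INV_SBOX[da ^ k] ^ INV_SBOX[db ^ k] == delta}

def k10p_hypotheses(pairs):
    """pairs = [(C, D), ...] under one key; returns 16 candidate sets for K'10."""
    (ca, da), cands = pairs[0], [set(range(256)) for _ in range(16)]
    for cb, db in pairs[1:]:
        delta = sr(mc(xor(ca, cb)))  # SR on both sides makes the relation bytewise
        for i in range(16):
            cands[i] &= byte_hypotheses(da[i], db[i], delta[i])
    return cands

rng = random.Random(2013)  # constructed sample data, not device output
K10, K9P, K10P, *M9S = ([rng.randrange(256) for _ in range(16)] for _ in range(6))
PAIRS = [simulate(m9, K10, K9P, K10P) for m9 in M9S]
print({n: [len(c) for c in k10p_hypotheses(PAIRS[:n])] for n in (2, 3)})
```

The printed dictionary gives the number of surviving hypotheses per $K'_{10}$ byte for 2 and for 3 correct/faulty pairs.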



Direction de la Recherche Technologique DSIS / LCS Systèmes et Architectures Sécurisés

Commissariat à l'énergie atomique et aux énergies alternatives Centre de Microélectronique de Provence | 13541 Gardanne T. +33 (0) 4.42.61.67.31 | F. +33 (0) 4.42.61.65.92

Public establishment of an industrial and commercial nature | RCS Paris B 775 685 019

# **Annex: Digital IC**

# Synchronous Digital IC Timing Constraints


