The next talk is on persistent fault attacks. The talk is joint work between Zhejiang University, Entity Labs and the Kuai Institute of North Electronic Equipments, and will be given by Fan Zhang from Zhejiang University.

Okay, good afternoon. My name is Fan Zhang, and this work proposes a new fault attack, but mainly focuses on the fault analysis. This work was done by my students, also with Xiwen Wei and the professor from Zhejiang University. I just want to mention that some of the slides are adopted from Joseph's lectures at the IACR summer school in 2015.

A fault attack is an active attack and was first proposed by Boneh in 1996. It has two stages: the online fault injection stage and the offline fault analysis stage. The adversary needs some equipment to perform non-invasive, semi-invasive or invasive injections. This could be done by clock glitching, voltage glitching, EMFI or laser FI. Most fault attacks are non-invasive attacks. When we talk about fault attacks, we need to mention the fault model. It includes fault width, fault type, fault location and timing. Location means in which byte or nibble the fault is injected, and timing means in which round or in which operation the fault is injected. Those who have done physical fault-attack experiments know that it requires very tight and precise timing control. According to the duration, there are normally two types. One is called transient: transient faults last a very short while, normally one operation in one round. The other is called a permanent fault, which damages the circuit. In this paper, we propose a new kind of fault, a persistent fault. Here the fault lasts a little bit longer, so it covers multiple rounds or even multiple encryptions. When we talk about fault attacks, we also need to address countermeasures. Typically there are two categories. One is to harden the hardware.
For example, deploying ring oscillators or other sensors. The other is to harden the computation, for example using redundant encryption or inverse decryption. I summarized some disadvantages of the previous work. First, they require very tight timing synchronization between the encryption and the injection. Second, the analysis is relatively complicated due to the random fault value and the fault propagation. And most of them may not work if there are countermeasures against fault attacks.

Now I introduce the fault model of the persistent fault attack. First, we assume the adversary can inject faults before the encryption of the block cipher. Second, the injected fault persists across multiple rounds and multiple encryptions. Third, the adversary is able to read the ciphertexts; this is quite normal. The watchdog counter is out of our discussion. So the core idea of the persistent fault attack is that instead of the previous tightly coupled fault injection, we separate it into two stages: a loosely coupled fault injection, followed by a subsequent encryption stage. In total we have three stages. The interesting part is that the persistent fault is injected into the lookup tables; however, the faulty element may not be accessed during an encryption. So some of the ciphertexts will be correct and some are incorrect. I want to emphasize, first, that both kinds of ciphertexts can be used for the fault analysis. Another thing is that we do not require the same plaintext to be encrypted twice. Also, one important thing is that this attack is designed to defeat some countermeasures. So how we do the simple persistent fault analysis is just based on statistical analysis of the last round. Suppose the correct element of the S-box has the value v. After the fault injection, the value becomes v*.
In a normal block cipher, in the last round, the output of the S-box is XORed with the key and becomes the ciphertext. So if we check the output of the S-box, you will see that v* appears twice and you will never see the value v. By checking one specific byte of the ciphertext, you will see that some value has a probability of 2/256 and some value has zero probability. Then the adversary has three options to exploit the leakage. Once he sees the maximum value or the zero value, he can directly know the value of the key. Or he can exploit other leakages, which will reduce the key search space.

Here is an illustration of our analysis result. It is quite similar to traditional DPA or CPA. The x-axis is the number of ciphertexts and the y-axis is the probability of appearance of the values. Once you see the red curve, you know you can deduce the key associated with the value v. Once you see the blue curve, you know the key associated with the value v*.

Here are some comparisons. The advantage is that our attack is not differential in nature, and it does not require control of the plaintext. The adversary does not necessarily need very tight synchronization. The fault model here is quite relaxed: it could be a byte, a nibble or a bit. PFA can also be applied to the multiple-fault setting and can bypass some redundancy-based fault countermeasures. The disadvantage is that it may require a higher number of ciphertexts, and it could be detected by some built-in health check.

Let's see how PFA works on AES. We assume most people here know the T-box and S-box implementations. I3 here is another implementation where the last round uses a different T-box, which can be found in the library libgcrypt. Here is the result of PFA on the unprotected S-box; the result is exactly the same as in the slides before.
Our work is quite efficient and robust, and this can be shown from two aspects: one is the theoretical estimation, the other is our code. The theoretical estimation is quite similar to the coupon collector problem, and both results are quite consistent: on average around 2,000 ciphertexts are required to extract all 16 bytes of the key. For the robustness, we ran the experiment 1,000 times, and the required number of plaintexts and ciphertexts ranges from 1,600 to 3,500, on average 2,200.

Now we check how PFA works against some countermeasures. Dual modular redundancy (DMR) is a very well-known countermeasure. It can be done with time redundancy or space redundancy. There are two types. One is called REDMR, redundant encryption based DMR: the two modules do the same encryption and compare the results. The second is called IEDMR, inverse decryption based DMR: the first module does the encryption, the output is sent to the second module, and the decrypted plaintext is compared with the original plaintext to see whether a fault is detected. PFA is by nature effective against REDMR, so we focus more on IEDMR. This is because in IEDMR the encryption S-box is different from the inverse S-box. The countermeasure scheme has three different options depending on its reaction. The first is called NCO: the countermeasure does not output any ciphertext. Or ZVO: it outputs all-zero values. Or RCO: it outputs a random ciphertext. For REDMR, both modules use the same memory, and the persistent fault is injected there; then our PFA can defeat all three types of countermeasures. IEDMR is considered a slightly stronger countermeasure, but the analysis is just slightly different. We check PFA on the S-box with NCO, ZVO and IEDMR first. Compared with REDMR, more ciphertexts are required.
This is because in REDMR all ciphertexts can be used for the analysis, but for IEDMR only a part of them can be used. The ratio is denoted as p, which is 0.56. We did the experiment 1,000 times, and the number of required ciphertexts ranges from 300 to 700, so the average is about 4,200. If we increase the number of ciphertexts to about 7,200, the success rate is around 100%. For PFA on the S-box with RCO, the adversary will not see the zero probability, but the slight probability difference can still be distinguished, as you can see from the figures. In practice we add two thresholds to differentiate the abnormal cases: we set threshold one as 90% of the maximal probability, and threshold two as 1.1 times the minimal probability. Roughly we need around 20,000 ciphertexts to extract the key for both the S-box and T-box implementations. From the figures, using threshold one is better than using threshold two.

Next we go through a case study, which is Rowhammer-based PFA. Rowhammer is a very threatening attack, first proposed by Kim in 2014. The basic idea of Rowhammer is that the adversary repeatedly reads two aggressor rows, and with very high probability there will be some bit flips in the victim rows. The Rowhammer attack is hardware-intrusive and can be triggered from software code. It can also gain root privilege from normal user privilege, so this is very, very powerful. Another concept is the shared library, which is also very common in computer systems: multiple processes and threads share one copy of the library. So the attack scenario is that the adversary writes his own code to do AES encryption. Then, from his user space, he launches the Rowhammer attack and tries to flip one bit of the AES T-box. Then he informs the victim to do the encryption, collects the ciphertexts, and does some offline analysis.
So this is the basic idea. We don't have enough time, so I will not go through the details. But here is the setup of our Rowhammer experiment. We did the experiment on an old laptop. The OS is Ubuntu 12 with an old kernel. The library is libgcrypt 1.6.3, and the implementation is I3, which I just mentioned. Here we show the last-round table, T0', in memory. The target is to inject one bit flip into these 256 elements. I want to mention that there are four tables in this area. Here is the result of the hammering. Roughly we tried 20 times, and five, four, six and five times I injected into the four different tables. Each trial is roughly one hour. Of course we have some techniques to speed it up: we do profiling. And this is the result. We also implemented this with some countermeasures, with IEDMR. Note that one injection can only recover four bytes, so in total we need four injections, and in total we need 8,200 ciphertexts to break this type of AES T-box implementation.

Okay, conclusion. We propose persistent fault analysis, which is a novel attack, and it can defeat some fault countermeasures. We did some implementations and also tried some different analyses. We did a security evaluation and demonstrated Rowhammer-based PFA on libgcrypt. Future work: probably we need to do more formal proofs on the theoretical side, relying on the coupon collector problem. We are interested in revealing the case for the key schedule, because the AES table lookup is also accessed there. And also some countermeasures. Okay, yeah, that's it. Thank you.

So, any questions or comments?

Thank you for your talk. I have two questions. The first is that it seems you require the faulty ciphertexts for your analysis. Requires what? You require the faulty ciphertexts for your analysis. Yes. So what do you think?
Will this attack still work if you have an infective countermeasure? Does it work? If you have an infective countermeasure, will this attack work? Infective countermeasure. Not ineffective, infective countermeasure. I think probably this countermeasure cannot work, because our analysis is based on the two types of ciphertext. No matter whether it is faulty or correct, both ciphertexts can be used for the analysis. So using only part of the ciphertexts just increases the number of ciphertexts. This is what I think. Okay.

And my other question is: when you are injecting the fault, what is the probability? I mean, you are doing a probabilistic analysis, a statistical analysis, as I understand it. So what kind of statistical metric did you use to get your attack done? I mean, what kind of statistical metric? Statistical metric. Yeah, I mean for doing the attack, what kind of statistical metric did you use? For this one, we all know that Rowhammer works with some probability. The key point is that we targeted the AES S-box, which is public. So the simple policy is that we just check whether the fault is injected by comparing with the known values of the S-box, until we see that one specific element in the S-box is flipped. So it's not like we just try, try, try until we find the bit flips. I see. Thank you. Any other questions?

Okay. What kind of countermeasures did you look into while you did PFA on countermeasures? In the presentation I said we explored two countermeasures. One is REDMR, which is just redundant encryption. The second is IEDMR, inverse decryption. Okay.

Yeah, thanks for your talk. I have a question, because basically your criterion for deciding whether the bit is correct or not is according to the distribution of faulty ciphertexts, right? Yeah. So then you performed the last-round decryption. Okay.
So in general, because in the last round the input is the ninth-round output plus key, that last-round input is close to random. However, if you look at the first round, the first round will be the plaintext plus key going into your S-box. So in this way I believe the distribution will be easier to control, and I believe the precision will be better. I don't know, have you already tried this or not? I'm not that clear about it, but the thing is that we wanted to demonstrate the concept of the persistent fault attack. The analysis on the last round seems to us a very simple one. My students and I also did the analysis in the ninth round, and it reduces the number of ciphertexts. But I'm not sure whether we can move to the first round. Not sure. I haven't tried yet. You haven't tried yet? Okay, thank you.

I have one question. You say that you don't need explicit synchronization, right? So you can essentially target any round to do the attack. Is that so? Actually, not this one. In our assumption, the adversary prepares the environment first: he injects the fault at the very beginning, before the first round, and then he informs the victim to start. That's the reason why the fault can cross the 10 rounds. But we cannot say it can be injected in any round, in a middle round. Not this one. And what kind of bit flips did you get when you did the Rowhammer on the T-tables? 0 to 1, 1 to 0 or both? I think we explored, it says 0 to 1. The first element is 0x63, and we tried to make it 0x61. So it's a 1 to 0 bit flip. Yeah. Are there any other questions or comments? If not, then let's thank the speaker once more.
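The single-byte analysis described in the talk (a persistent fault turns one S-box entry v into v*, so in the last round the ciphertext value v* XOR k appears with probability 2/256 and v XOR k never appears), together with the "built-in health check" the speaker names as a way to detect it, as an added simulation. This is constructed example code, not the authors' implementation: it uses a seeded random bijection in place of the AES S-box, models last-round inputs as uniformly random, and the function names (`recover_key_byte`, `table_is_intact`, etc.) are this example's own. The coupon-collector estimate is the equal-probability approximation mentioned in the talk, not the paper's exact formula.

```python
"""Added example: single-byte persistent fault analysis (PFA) on the last
round of an SPN block cipher, plus a table integrity check on the defender
side.  Constructed toy model, not the authors' code: the S-box is a seeded
random bijection (assumption) rather than the AES S-box, and last-round
inputs are drawn uniformly at random (assumption)."""
import hashlib
import random
from collections import Counter


def make_sbox(seed=1):
    """Constructed stand-in for a public, bijective 8-bit S-box."""
    rng = random.Random(seed)
    sbox = list(range(256))
    rng.shuffle(sbox)
    return sbox


def inject_persistent_fault(sbox, index, bitmask):
    """Persistent fault model: one table element is altered (e.g. by a single
    bit flip) and stays altered across all later encryptions."""
    faulty = list(sbox)
    faulty[index] ^= bitmask
    return faulty


def collect_ciphertext_bytes(faulty_sbox, key_byte, n, seed=2):
    """Last round of a typical block cipher: c = S'[x] XOR k.  The analyst
    only sees c; x is modelled as uniform because the last-round input of a
    secure cipher is close to random."""
    rng = random.Random(seed)
    return [faulty_sbox[rng.randrange(256)] ^ key_byte for _ in range(n)]


def recover_key_byte(cipher_bytes, v, v_star):
    """Statistical PFA on one ciphertext byte.  S'[index] == v_star and one
    other (untouched) entry also equals v_star, so v_star ^ k occurs with
    probability 2/256 (the maximum) while v ^ k has probability 0.  Either
    leakage reveals k; both guesses are returned so they can be compared."""
    counts = Counter(cipher_bytes)
    c_max = max(range(256), key=lambda c: counts[c])
    guess_from_max = c_max ^ v_star
    missing = [c for c in range(256) if counts[c] == 0]
    guess_from_zero = missing[0] ^ v if len(missing) == 1 else None
    return guess_from_max, guess_from_zero


def coupon_collector_estimate(m=255):
    """Expected samples until all m equally likely values have been seen
    (m * H_m): a rough estimate of how many ciphertexts the zero-probability
    test needs for one byte position.  Approximation: ignores that one of
    the m values is twice as likely as the others."""
    return m * sum(1.0 / i for i in range(1, m + 1))


def table_digest(table):
    """Defender side: reference digest of the lookup table, computed when
    the table is known to be correct (e.g. at build time)."""
    return hashlib.sha256(bytes(table)).hexdigest()


def table_is_intact(table, reference_digest):
    """Built-in health check: re-hash the live table before use.  A
    persistent fault in any entry changes the digest, so the corrupted
    table can be refused instead of producing exploitable ciphertexts."""
    return table_digest(table) == reference_digest


def simulate(key_byte=0x5A, index=0, bitmask=0x02, n=10000):
    """Run one end-to-end simulation: fault the table, collect n ciphertext
    bytes, recover the key byte two ways, and show that the health check
    flags the faulty table."""
    sbox = make_sbox()
    reference = table_digest(sbox)
    faulty = inject_persistent_fault(sbox, index, bitmask)
    v, v_star = sbox[index], faulty[index]
    cts = collect_ciphertext_bytes(faulty, key_byte, n)
    guess_max, guess_zero = recover_key_byte(cts, v, v_star)
    return {
        "key": key_byte,
        "guess_from_max": guess_max,
        "guess_from_zero": guess_zero,
        "fault_detected": not table_is_intact(faulty, reference),
    }


if __name__ == "__main__":
    print(simulate())
```

With 10,000 samples both the maximum-count and the zero-count tests return the same key byte, and the digest comparison detects the corrupted table regardless of how many encryptions were run with it; the estimate from `coupon_collector_estimate()` is about 1,560 samples per byte for the zero-probability test alone, which is why the talk reports a few thousand ciphertexts for a full 16-byte key.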