Exp-Fault – CAD for Assurance

By: Sayandeep Saha, Debdeep Mukhopadhyay, and Pallab Dasgupta (IIT Kharagpur)

Stage: Algorithm Level

Summary

Exp-Fault is a tool for automatically constructing fault attack for a given block cipher algorithm. The tool takes a high-level description and an executable of the cipher as input. Internally, it constructs a graphical description of the cipher from the high-level description, and mines the fault simulation data generated from the executable. Linking the properties found from data mining with the graphical description, the tool figures out fault attacks along with their computational and fault complexity.

Contact

Sayandeep Saha

Input/Output Interface

Input: A high-level description in a given input language (Please see the original paper: ExpFault: An Automated Framework for Exploitable Fault Characterization in Block Ciphers), an executable of the cipher
Output: Exploitability status of the fault, number of injections required, the attack description, the attack graph (only supported internally)

Dependencies

Weka package of Java

References

Saha, Sayandeep; Mukhopadhyay, Debdeep; Dasgupta, Pallab

ExpFault: An Automated Framework for Exploitable Fault Characterization in Block Ciphers Journal Article

In: IACR Transactions on Cryptographic Hardware and Embedded Systems, vol. 2018, no. 2, pp. 242-276, 2018.

Abstract | Links | BibTeX

@article{Saha_Mukhopadhyay_Dasgupta_2018,

title = {ExpFault: An Automated Framework for Exploitable Fault Characterization in Block Ciphers},

author = {Sayandeep Saha and Debdeep Mukhopadhyay and Pallab Dasgupta},

url = {https://tches.iacr.org/index.php/TCHES/article/view/882},

doi = {10.13154/tches.v2018.i2.242-276},

year  = {2018},

date = {2018-05-01},

journal = {IACR Transactions on Cryptographic Hardware and Embedded Systems},

volume = {2018},

number = {2},

pages = {242-276},

abstract = {Malicious exploitation of faults for extracting secrets is one of the most practical and potent threats to modern cryptographic primitives. Interestingly, not every possible fault for a cryptosystem is maliciously exploitable, and evaluation of the exploitability of a fault is nontrivial. In order to devise precise defense mechanisms against such rogue faults, a comprehensive knowledge is required about the exploitable part of the fault space of a cryptosystem. Unfortunately, the fault space is diversified and of formidable size even while a single cryptoprimitive is considered and traditional manual fault analysis techniques may often fall short to practically cover such a fault space within reasonable time. An automation for analyzing individual fault instances for their exploitability is thus inevitable. Such an automation is supposed to work as the core engine for analyzing the fault spaces of cryptographic primitives. In this paper, we propose an automation for evaluating the exploitability status of fault instances from block ciphers, mainly in the context of Differential Fault Analysis (DFA) attacks. The proposed framework is generic and scalable, which are perhaps the two most important features for covering diversified fault spaces of formidable size originating from different ciphers. As a proof-of-concept, we reconstruct some known attack examples on AES and PRESENT using the framework and finally analyze a recently proposed cipher GIFT [BPP+17] for the first time. It is found that the secret key of GIFT can be uniquely determined with 1 nibble fault instance injected at the beginning of the 25th round with a reasonable computational complexity of 214.},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

Acknowledgments

Synopsys CAD Lab