Abstract
We present an algebraic fault attack (AFA) solver for recovering secret bits from hardware implementations of the SHA family of hash functions. The crucial insight in our method is the use of SHA-specific propagation and conflict-analysis methods in the inner loop of a Boolean conflict-driven clause-learning (CDCL) SAT solver, à la the DPLL(T) paradigm. In our method the fault-injected part of the hash function is translated into a Boolean formula (which is then fed as input to the SAT solver), while the rest is encoded via a programmatic interface as part of the SAT solver's propagation and conflict-analysis routines. Such an approach enables learnt clauses to be added to the SAT solver in an on-demand, lazy fashion. We evaluated our tool under a variety of fault models and showed that we can recover the secret bits faster and with far fewer injected faults than the previous best work. AFA is a powerful way of empirically verifying the strength of a cryptographic function's implementation.
Notes
1. There are two basic approaches to implementation attacks, namely passive and active implementation attacks. In passive attacks, the attacker measures some aspect of the computation on a target implementation via a side channel such as power consumption or timing, to find patterns that can be exploited. By contrast, in active attacks the target implementation is manipulated as part of the attack. In this paper, we consider only active attacks.
2. Additional resources can be found at https://sites.google.com/view/crypto-sat/algebraic-fault-analysis.
3. A brief description of this encoding and our adaptation can be found at https://sites.google.com/view/crypto-sat/algebraic-fault-analysis.
4. GAC refers to Generalized Arc-Consistency as defined in Definition 1.
5. Addition-Rotation-XOR.
Acknowledgments
The authors would like to thank Jia Hui Liang for his support with MapleSAT. The second author was financially supported by the DFG project “Algebraische Fehlerangriffe” [KR 1907/6-2].
Copyright information
© 2018 Springer Nature Switzerland AG
Cite this paper
Nejati, S., Horáček, J., Gebotys, C., Ganesh, V. (2018). Algebraic Fault Attack on SHA Hash Functions Using Programmatic SAT Solvers. In: Hooker, J. (ed.) Principles and Practice of Constraint Programming. CP 2018. Lecture Notes in Computer Science, vol. 11008. Springer, Cham. https://doi.org/10.1007/978-3-319-98334-9_47
DOI: https://doi.org/10.1007/978-3-319-98334-9_47
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-98333-2
Online ISBN: 978-3-319-98334-9