Quantitative Fault Injection Analysis

Abstract

Active fault injection is a credible threat to real-world digital systems computing on sensitive data. Arguing about security in the presence of faults is non-trivial, and state-of-the-art criteria are overly conservative and lack the ability of fine-grained comparison. However, comparing two alternative implementations for their security is required to find a satisfying compromise between security and performance. In addition, the comparison of alternative fault scenarios can help optimize the implementation of effective countermeasures.

In this work, we use quantitative information flow analysis to establish a vulnerability metric for hardware circuits under fault injection that measures the severity of an attack in terms of information leakage. Potential use cases range from comparing implementations with respect to their vulnerability to specific fault scenarios to optimizing countermeasures. We automate the computation of our metric by integrating it into a state-of-the-art evaluation tool for physical attacks and provide new insights into the security under an active fault attacker.

A Probabilistic Computation

1.1 A.1 Methodology

The isolated computation of \(V[S\mid Y, Y'=y']\) for each \(y'\in \mathcal {Y}\) allows not only the parallel computation of the vulnerability but also a probabilistic computation. Here, instead of computing the exact value of \(V[S\mid Y, Y']\), we can approximate it using a subset of \(\mathcal {Y}\). Specifically, we use the Monte-Carlo method [32], where the mean of a set of samples is used to estimate the mean of a probability distribution. This is a good approximation if the sample set is large enough and each sample is chosen independently. The quality of the approximation is given by the Confidence Interval (CI), which provides a range in which the true distribution mean lies with a certain probability (given by the confidence level).

Fig. 13.

Leakage over the number of runs for probabilistic computation with a set fault injected to the first input (i.e., \(x_0\) or \(x_{0,0}\)) Leakage is given in blue while upper and lower bounds of the confidence range (\(95\%\)) are given in black. Lighter colors represent different executions. The precise leakage is marked in red. (Color figure online)

To compute the FIA vulnerability probabilistically, we randomly select N faulty output values \(y'\in \mathcal {Y}\) and compute \(V[S\mid Y, Y'=y']\) (as done in Algorithm 1). We then estimate the overall vulnerability by scaling the mean of the samples by the number of existing faulty outputs \(y'\):

$$\begin{aligned} V[S\mid Y, Y'] \approx |\mathcal {Y}| \frac{\sum _{i=0}^N V[S\mid Y, Y'=y'_i]}{N} \end{aligned}$$

(2)

Then the CI can be calculated using the Central Limit Theorem as \((\mu - z \frac{\sigma }{\sqrt{N}}, \mu + z \frac{\sigma }{\sqrt{N}})\), where \(\mu \) is the sample mean, \(\sigma \) is the sample standard deviation, and z is the z-score of the confidence level. The z-score of common confidence levels is 1.64 for a \(90\%\) confidence level, 1.96 for a \(95\%\) confidence level, and 2.57 for a \(99\%\) confidence level. For efficient computation, an iterative formula for mean and variance can be used. The CI is defined for the mean vulnerability and therefore must be scaled up for the overall vulnerability, similar to Eq. 2. This results in a CI that grows with the number of possible output values.

1.2 A.2 Evaluation

In Fig. 13, we show the convergence of the estimated leakage to the real leakage over the number of executions for four different circuits. While the estimation improves with an increasing number of executions, several thousand executions are required to obtain a high-confidence result. Thus, this only becomes interesting for circuits with a high number of output bits, and for most of the designs we analyzed, the exact computation is faster than running the probabilistic algorithm so often. Interestingly, however, there are some cases where the probabilistic algorithm yields the exact leakage after only one iteration (cf. Fig. 13b and 13d). This is the case when the vulnerability is the same for all possible output values, i.e., the expression \(\max _{s}(\sum _{x} \textsf{Pr}[s] \textsf{Pr}[x]\textsf{Pr}[y \mid x,s]\sum _{f} \textsf{Pr}[f]\textsf{Pr}[y' \mid x,s])\) is the same for all \((y, y')\). Further investigation is required to determine the set of circuits for which this holds. If this can be easily determined, the computation can be accelerated significantly, e.g., running 10 iterations for the \(4\times \) PRESENT S-box & KeyAdd takes only 3.87 s instead of about 3.5 h to get the exact leakage for four faults.