SNOW 3G is one of the core algorithms for confidentiality and integrity in several 3GPP wireless communication standards, including the new Next Generation (NG) 5G. It is believed to be resistant to classical cryptanalysis. In this paper, we show that SNOW 3G can be broken by a fault attack based on bitstream modification. By changing the content of some look-up tables in the bitstream, we reduce the non-linear state updating function of SNOW 3G to a linear one. As a result, it becomes possible to recover the key from a known plaintext-ciphertext pair. To our best knowledge, this is the first successful bitstream modification attack on SNOW 3G.

Assuring the security of the Internet of Things (IoT) is much more challenging than assuring the security of centralized environments, like the cloud. A reason for this is that IoT devices are often deployed in domains that are remotely managed and monitored. Thus, they cannot be protected from physical attacks as reliably as data centers. Up till now, implementations of many established, standardized algorithms including AES and SNOW 3G have been broken by physical attacks. In this paper, we show that even the most recently designed algorithms are also vulnerable. We attack an SRAM-based FPGA implementation of ACORN v3 stream cipher, a finalist of CAESAR cryptographic competition for authenticated encryption. By modifying the content of several look-up tables directly in the bitstream, we inject faults which reduce the nonlinear feedback function of ACORN to a linear one. As a result, it becomes possible to extract the full key from 2(15.34) bits of faulty keystream by an algebraic attack using 2(35.46) operations. Our results, once again confirm the necessity to rethink the way cryptographic algorithms are implemented in FPGAs.

In this paper, we present a bitstream modification attack on the Trivium stream cipher, an international standard under ISO/IEC 29192-3. By changing the content of three LUTs in the bitstream, we reduce the non-linear state updating function of Trivium to a linear one. This makes it possible to recover the key from 288 keystream bits using at most 219.41 operations. We also propose a countermeasure against bitstream modification attacks which obfuscates the bitstream using dummy and camouflaged LUTs which look legitimate to the attacker. We present an algorithm for injecting dummy LUTs directly into the bitstream without causing any performance or power penalty.

Bitstream reverse engineering is traditionally associated with Intellectual Property (IP) theft. Another, less known, threat deriving from that is bitstream modification attacks. It has been shown that the secret key can be extracted from FPGA implementations of cryptographic algorithms by injecting faults directly into the bitstream. Such bitstream modification attacks rely on changing the content of Look Up Tables (LUTs). Therefore, related countermeasures aim to make the task of identifying a LUT more difficult (e.g. by masking LUT content). However, recent advances in FPGA reverse engineering revealed information on how interconnects are encoded in the bitstream of Xilinx 7 series FPGAs. In this paper, we show that this knowledge can be used to break or weaken existing countermeasures, as well as improve existing attacks. Furthermore, a straightforward attack that re-routes the key to an output pin becomes possible. We demonstrate our claims on an FPGA implementation of SNOW 3G stream cipher, a core algorithm for confidentiality and integrity used in several 3GPP wireless communication standards, including the new Next Generation 5G.

With the growth of popularity of Field-Programmable Gate Arrays (FPGAs) in cloud environments, new paradigms such as FPGA-as-a-Service (FaaS) emerge. This challenges the conventional FPGA security models which assume trust between the user and the hardware owner. In an FaaS scenario, the user may want to keep data or FPGA configuration bitstream confidential in order to protect privacy or intellectual property. However, securing FaaS use cases is hard due to the difficulty of protecting encryption keys and other secrets from the hardware owner. In this paper we demonstrate that even advanced key provisioning and remote attestation methods based on Physical Unclonable Functions (PUFs) can be broken by profiling side-channel attacks employing deep learning. Using power traces from two profiling FPGA boards implementing an arbiter PUF, we train a Convolutional Neural Network (CNN) model to learn features corresponding to “0” and “1” PUF’s responses. Then, we use the resulting model to classify responses of PUFs implemented in FPGA boards under attack (different from the profiling boards). We show that the presented attack can overcome countermeasures based on encrypting challenges and responses of a PUF.

True Random Number Generators (TRNGs) create a hardware-based, non-deterministic noise that is used for generating keys, initialization vectors, and nonces in a variety of applications requiring cryptographic protection. A compromised TRNG may lead to a system-wide loss of security. In this brief, we show that an attack combining power analysis with bitstream modification is capable of classifying the output bits of a TRNG implemented in FPGAs from a single power measurement. We demonstrate the attack on the example of an open source AIS-20/31 compliant ring oscillator-based TRNG implemented in Xilinx Artix-7 28nm FPGAs. The combined attack opens a new attack vector which makes possible what is not achievable with pure bitstream modification or side-channel analysis.

Hardware obfuscation is a well-known countermeasure against reverse engineering. For FPGA designs, obfuscation can be implemented with a small overhead by using underutilised logic cells; however, its effectiveness depends on the stealthiness of the added redundancy. In this paper, we show that it is possible to deobfuscate an SRAM FPGA design by ensuring the full controllability of each instantiated look-up table input via iterative bitstream modification. The presented algorithm works directly on bitstream and does not require the possession of a flattened netlist. The feasibility of our approach is verified on the example of an obfuscated SNOW 3G design implemented on a Xilinx 7-series FPGA.

Clock randomization is one of the oldest countermeasures against side-channel attacks. Various implementations have been presented in the past, along with positive security evaluations. However, in this paper we show that it is possible to break countermeasures based on a randomized clock by sampling side-channel measurements at a frequency much higher than the encryption clock, synchronizing the traces with pre-processing, and targeting the beginning of the encryption. We demonstrate a deep learning-based side-channel attack on a protected FPGA implementation of AES which can recover a subkey from less than 500 power traces. In contrast to previous attacks on FPGA implementations of AES which targeted the last round, the presented attack uses the first round as the attack point. Any randomized clock countermeasure is significantly weakened by an attack on the first round because the effect of randomness accumulated over multiple encryption rounds is lost.

Deep learning transformed side-channel analysis and made many conventional countermeasures obsolete. This brings the need for more effective, deep learning-resistant defense mechanisms. We propose a method for protecting hardware implementations of cryptographic algorithms that combines clock randomization with duplication. The presented method ensures that the duplicated block generates algorithmic noise that is dependent on the input of the primary block and has a similar power profile. In addition, the duplicated block does not create any secret key-related leakage. We evaluate the presented method on the example of the Advanced Encryption Standard (AES) algorithm implemented in FPGA. Our experimental results show that the protected AES implementation is resistant to deep learning-based power analysis.

CRYSTALS-Kyber has been selected by the NIST as a post-quantum public-key encryption and key establishment algorithm to be standardized. This makes it important to develop side-channel attack resistant implementations of CRYSTALS-Kyber. In this paper, we propose utilizing duplication combined with clock randomization as a means of protecting CRYSTALS-Kyber FPGA implementations from side-channel attacks. Such a countermeasure has been proven effective in ensuring side-channel resistance of AES FPGA implementations. It has the benefits of universal coverage, glitch immunity, and zero clock cycle overhead. We present a protected version of CRYSTALS-Kyber built on the top of the lightweight unprotected implementation by Xing el al. Our security evaluation shows that the protected implementation is resistant to deep learning-based side-channel attacks.

Advances in Field-Programmable Gate Array (FPGA) technology in recent years have resulted in an expansion of its usage in a very wide spectrum of applications. Apart from serving the traditional prototyping purposes, FPGAs are currently regarded as an integral part of embedded systems used in many industries, including communication, medical, aerospace, automotive, and military. Moreover, the emerging trend of AI has found FPGAs to be at the technological forefront with their use as deep learning acceleration platforms. The demand for FPGAs has grown to the point that major companies (e.g. Amazon) are offering cloud-based access to FPGAs, known as FPGA-as-a-Service. In many applications, FPGAs handle sensitive data and/or host cryptographic algorithm implementations. These FPGAs are not always located in a tamper-resistant environment, which makes their security a major concern, especially in light of the ever-growing number of publications demonstrating effective attacks specifically tailored to exploit the physical traits of FPGA implementations. In this survey, we cover the subset of those attacks that involve tampering with the FPGA configuration bitstream. We start by discussing how the FPGA vendors attempt to protect their products and how malicious parties try to overcome this protection. We then proceed to present the different bitstream modification attacks that can be found in the literature organized according to their targets. Finally, we present various countermeasures that can be deployed, drawing on bibliographic references from works specifically focused on FPGA bitstream protection, as well as those initially proposed for different purposes or devices that can be adapted for bitstream protection.

The emergence of deep learning has revolutionized side-channel attacks, making them a serious threat to cryptographic systems. Clock randomization is a well-established mitigation technique against side-channel attacks that, when combined with duplication, has been shown to effectively protect FPGA implementations of block ciphers and post-quantum KEMs. In this paper, we present two deep-learning-based side-channel attacks on an FPGA implementation of AES protected with the clock randomization and duplication countermeasure. The attacks are based on identifying sporadic synchronicity in the execution of the encryption rounds of the two AES cores. We remedy this vulnerability by presenting three modular additions to the original design of the countermeasure that restores its security and increases its robustness.