Network virtualization has become a promising paradigm for supporting diverse vertical services in Software Defined Networks (SDNs). Each vertical service is carried by a virtual network (VN), which normally has a chaining structure. In this way, a Service Function Chain (SFC) is composed by an ordered set of virtual network functions (VNFs) to provide tailored network services. Such new programmable flexibilities for future networks also bring new network management challenges: how to collect and analyze network measurement data, and further predict and diagnose the performance of SFCs? This is a fundamental problem for the management of SFCs, because the VNFs could be migrated in case of SFC performance degradation to avoid Service Level Agreement (SLA) violation. Despite the importance of the problem, SFC performance analysis has not attracted much research attention in the literature. In this current paper, enabled by a novel detailed network debugging technology, In-band Network Telemetry (INT), we propose a learning based framework for early SFC fault prediction and diagnosis. Based on the SFC traffic flow measurement data provided by INT, the framework firstly extracts SFC performance features. Then, Long Short-Term Memory (LSTM) networks are utilized to predict the upcoming values for these features in the next time slot. Finally, Support Vector Machine (SVM) is utilized as network fault classifier to predict possible SFC faults. We also discuss the practical utilization relevance of the proposed framework, and conduct a set of network emulations to validate the performance of the proposed framework.

With the rising importance of information security, the necessity of implementing better security measures in the physical layer as well as the upper layers is becoming increasing apparent. Given the development of more accurate and less expensive measurement devices, high-performance computers, and larger storage devices, the threat of advanced attacks at the physical level has expanded from the military and governmental spheres to commercial products. In this paper, we review the issue of information security degradation through electromagnetic (EM)-based compromising of security measures in the physical layer (i.e., EM information security). Owing to the invisibility of EM radiation, such attacks can be serious threats. We first introduce the mechanism of information leakage through EM radiation and interference and then present possible countermeasures. Finally, we explain the latest research and standardization trends related to EM information security.

The differential fault analysis of SOSEMNAUK was presented in Africacrypt in 2011. In this paper, we improve previous work with algebraic techniques which can result in a considerable reduction not only in the number of fault injections but also in time complexity. First, we propose an enhanced method to determine the fault position with a success rate up to 99% based on the single-word fault model. Then, instead of following the design of SOSEMANUK at word levels, we view SOSEMANUK at bit levels during the fault analysis and calculate most components of SOSEMANUK as bit-oriented. We show how to build algebraic equations for SOSEMANUK and how to represent the injected faults in bit-level. Finally, an SAT solver is exploited to solve the combined equations to recover the secret inner state. The results of simulations on a PC show that the full 384 bits initial inner state of SOSEMANUK can be recovered with only 15 fault injections in 3.97h.

A practical model-checking (MC) approach for fault analysis, that is one of the most cost-effective tasks in software development, is proposed. The proposed approach is based on a technique, named “Program-oriented Modeling” (POM) for extracting a model from source code. The framework of model extraction by POM provides configurable abstraction based on user-defined transformation rules, and it supports trial-and-error model extraction. An environment for MC called POM/MC was also built. POM/MC analyzes C source code to extract Promela models used for the SPIN model checker. It was applied to an industrial software system to evaluate the efficiency of the configurable model extraction by POM for fault analysis. Moreover, it was shown that the proposed MC approach can reduce the effort involved in analyzing software faults by MC.

This paper presents an efficient method for differential fault analysis (DFA) on substitution-permutation network (SPN)-based block ciphers. A combination of a permutation cancellation and an algebraic key filtering technique makes it possible to reduce the computational cost of key filtering significantly and therefore perform DFAs with new fault models injected at an earlier round, which defeats conventional countermeasures duplicating or recalculating the rounds of interest. In this paper, we apply the proposed DFA to the LED block cipher. Whereas existing DFAs employ fault models injected at the 30th round, the proposed DFA first employs a fault model injected at the 29th round. We demonstrate that the proposed DFA can obtain the key candidates with only one pair of correct and faulty ciphertexts in about 2.1h even from the 29th round fault model and the resulting key space is reduced to 24.04

A method of round addition attack on substitution-permutation network (SPN) block ciphers using differential fault analysis (DFA) is presented. For the 128-bit advanced encryption standard (AES), we show that secret keys can be extracted using one correct ciphertext and two faulty ciphertexts. Furthermore, we evaluate the success rate of a round addition DFA attack, experimentally. The proposed method can also be applied to lightweight SPN block cipher such as KLEIN and LED.

We present a round addition differential fault analysis (DFA) for some lightweight 80-bit block ciphers. It is shown that only one correct ciphertext and two faulty ciphertexts are required to reconstruct secret keys in 80-bit Piccolo and TWINE, and the reconstructions are easier than 128-bit CLEFIA.

This article presents a differential fault analysis (DFA) technique using round addition for a generalized Feistel network (GFN) including CLEFIA and RC6. Here the term “round addition” means that the round operation executes twice using the same round key. The proposed DFA needs bypassing of an operation to count the number of rounds such as increment or decrement. To verify the feasibility of our proposal, we implement several operations, including increment and decrement, on a microcontroller and experimentally confirm the operation bypassing. The proposed round addition technique works effectively for the generalized Feistel network with a partial whitening operation after the last round. In the case of a 128-bit CLEFIA, we show a procedure to reconstruct the round keys or a secret key using one correct ciphertext and two faulty ciphertexts. Our DFA also works for DES and RC6.

This paper proposes a differential fault analysis on the stream cipher MUGI, which uses two kinds of update functions of an intermediate state. MUGI was proposed by Hitachi, Ltd. in 2002 and is specified as ISO/IEC 18033-4 for keystream generation. Differential fault analysis (DFA) is a type of fault analysis, which is considered to be a serious threat against secure devices such as smart cards. DFA on MUGI was first proposed at ICISC 2010 [25]; however, the attack condition for the successful attack such as the position into which the fault is injected was restricted. In this paper, we extend the attack methods which are more practical, based on a one-byte and a multi-byte fault models using the relationship between two kinds of update functions that are mutually dependent. In the proposed attack, the attacker can know the position affected by the fault injection even if he has no control of the timing of the fault injection. As a result, a 128-bit secret key can be recovered using 13 pairs of correct and faulty outputs on average.

In this paper, we present a fault analysis of the original NTRU public key cryptosystem. The fault model in which we analyze the cipher is the one in which the attacker is assumed to be able to fault a small number of coefficients of the polynomial input to (or output from) the second step of the decryption process but cannot control the exact location of injected faults. For this specific original instantiation of the NTRU encryption system with parameters (N,p,q), our attack succeeds with probability≈ and when the number of faulted coefficients is upper bounded by t, it requires O((pN)t) polynomial inversions in Z/p Z[x]/(xN-1).

The search for lightweight authentication protocols suitable for low-cost RFID tags constitutes an active and challenging research area. In this context, a family of protocols based on the LPN problem has been proposed: the so-called HB-family. Despite the rich literature regarding the cryptanalysis of these protocols, there are no published results about the impact of fault analysis over them. The purpose of this paper is to fill this gap by presenting fault analytic methods against a prominent member of the HB-family: HB+ protocol. We demonstrate that the fault analysis model can lead to a flexible and effective attack against HB-like protocols, posing a serious threat over them.

This paper describes a differential fault analysis (DFA) attack against CLEFIA. The proposed attack can be applied to CLEFIA with all supported keys: 128, 192, and 256-bit keys. DFA is a type of side-channel attack. This attack enables the recovery of secret keys by injecting faults into a secure device during its computation of the cryptographic algorithm and comparing the correct ciphertext with the faulty one. CLEFIA is a 128-bit blockcipher with 128, 192, and 256-bit keys developed by the Sony Corporation in 2007. CLEFIA employs a generalized Feistel structure with four data lines. We developed a new attack method that uses this characteristic structure of the CLEFIA algorithm. On the basis of the proposed attack, only 2 pairs of correct and faulty ciphertexts are needed to retrieve the 128-bit key, and 10.78 pairs on average are needed to retrieve the 192 and 256-bit keys. The proposed attack is more efficient than any previously reported. In order to verify the proposed attack and estimate the calculation time to recover the secret key, we conducted an attack simulation using a PC. The simulation results show that we can obtain each secret key within three minutes on average. This result shows that we can obtain the entire key within a feasible computational time.

As one of the logic-level countermeasures against DPA (Differential Power Analysis) attacks, Random Switching Logic (RSL) was proposed by Suzuki, Saeki and Ichikawa in 2004 . The RSL technique was applied to AES hardware and a prototype chip was implement with a 0.13-µm standard CMOS library for evaluating the DPA resistance . Although the main purpose of using RSL is to resist the DPA attacks, our experimental results of Clock-based Fault Analysis (CFA) show that one can reveal the secret information from the prototype chip. This paper explains the mechanism of the CFA attack and discusses the reason for the success of the attack against a prototype implementation of AES with RSL (RSL-AES). Furthermore, we consider an ideal RSL-AES implementation that counteracts the CFA attacks.

In this paper, we analyze behaviors of bridging faults in CMOS synchronous sequential circuits based on transient analysis. From analysis results, we expose dynamic and analog behaviors of the circuit caused by the bridging faults, which are oscillation, asynchronous sequential behavior, IDDT failure and IDDQ failure as well as logic error. In order to detect this kind of fault, we show that not only IDDQ testing but also IDDT testing and logic testing which guarantees correct state transitions are required.

This work presents an analysis of IDDQ dependency on the primary current that flows through the bridging fault and driven gates current. A maximum primary current depends only on the test vectors which minimize channel resistances of transistors. The driven gates current generates when intermediate voltage occurs on the faulty node with creation current path between VDD and GND through the driven gates, and its value depends on circuit parameters such as transistor sizes and fan-in number of driven gates.

The relationship between the change in transistor operation regions and the fault behavior of a mixed-signal circuit having a bridging fault was investigated. We also discussed determination of transistors to be observed for estimating the fault behavior. These results will be useful for modeling faulty behaviors and analyzing and diagnosing faults in mixed-signal circuits.

This paper describes IDDQ testability for bridging faults in a variety of flip-flops. The flip-flop is a basic element of the sequential circuit and there are various structures even for the same type. In this paper, we use five kinds of master-slave D-type flip-flops as the circuit under test. Target faults are two-line resistive bridging faults extracted from a circuit layout. A flip-flop with a deliberately introduced bridging fault is simulated by the SPICE simulator. Simulation results show that IDDQ testing cannot detect faults existing at specific points in some flip-flops, and this problem depends on the flip-flop structure. However, IDDQ testing has high fault coverage ( 98%) compared with traditional logic testing. We also examine performances of fully IDDQ testable flip-flops.

In order to ensure the reliability and safety of equipment installed in process lines, it is important that maintenance and management should make efficient use of machine diagnosis techniques. Machine diagnosis by means of acoustic signals has hitherto been beset with difficulty, but there is now a strong demand that new acoustic type diagnosis equipment (utilizing acoustic signals) be developed. In response to this demand, the authors recently conducted research on diagnosis of machine faults by means of the processing of acoustic signals. In this research they were able to develop new acoustic type machine diagnosis techniques, and, using these techniques, to develop acoustic diagnosis equipment for practical use.

An automatic tracing algorithm of the transistor-level performance faults in the waveform-based approach with CAD-linked electron beam test system which utilizes a transistor-level circuit data in CAD database is proposed. Performance faults mean some performance measure such as the temporal parameters (rise time, fall time and so on) lies outside of the specified range in a VLSI. Problems on automatic fault tracing in the transistor level are modeled by using graphs. Combinational circuits which consist of MOS transistors are considered. A single fault is assumed to be in a circuit. The algorithm utilizes Depth-First Search algorithm where faulty upstream interconnections are searched as deeply as possible. Treatment of the faults on downstream interconnections and on unmeasurable interconnections is given. Application of this algorithm to the 2k-transistor block of a CMOS circuit showed its validity in the simulation.

Experimental evidence of a two-step enhancement in electromigration lifetime is presented through pulsed testing that extends over a wide frequency range from 7 mHz to 50 MHz. It is also found, through an accompanying failure analysis, that the failure mechanism is not affected by current pulsing. Test samples were the lowew metal lines and the through-holes in double-level interconnects. The same results were obtained for both samples. The testing temperature of the test conductor was determined considering the Joule heating to eliminate errors in lifetime estimation due to temperature errors. A two-step enhancement in lifetime is extracted by normalizing the pulsed electromigration lifetime by the continuous one. The first step occurs in the frequency range from 0.1 to 10 kHz where the lifetime increases with (duty ratio)-2 and the second step occurs above 100 kHz with (duty ratio)-3. The transition frequency in the first-step enhancement shifts to the higher frequency region with a decrease in stress temperature or an increase in current density, whereas the transition frequency in the second step is not affected by these stress conditions. The lifetime enhancement is analyzed in relation to the relaxation process during the current pulsing. According to the two-step behavior, two distinct relaxation times are assumed as opposed to the single relaxation time in other proposed models. The results of the analysis agree with the experimental results for the dependence on the frequency and duty ratio of pulses. The two experimentally derived relaxation times are about 5 s and 1 µs.