Destroying Fault Invariant with Randomization

Researchers have demonstrated the ineffectiveness of deterministic countermeasures and emphasized on the use of randomness for protecting cryptosystems against fault attacks. One such countermeasure for AES was proposed in LatinCrypt 2012, which masks the faulty output with secret values. However this countermeasure does not affect the erroneous byte in the faulty computation of the last AES round and is thus shown to be flawed in FDTC 2013. In this paper, we examine the LatinCrypt 2012 countermeasure in detail and identify its additional flaws in order to develop a robust countermeasure. We bring out the major weakness in the infection mechanism of the LatinCrypt 2012 countermeasure which not only makes the attack of FDTC 2013 much more flexible, but also enables us to break this seemingly complex countermeasure using Piret & Quisquater’s attack that requires only 8 pairs of correct and faulty ciphertexts. Finally, we combine all our observations and propose a countermeasure that employs randomness much more effectively to prevent state-of-the-art differential fault attacks against AES.