Top

Journal of Cryptographic Engineering

Published in:

01-09-2015 | Regular Paper

Security analysis of concurrent error detection against differential fault analysis

Authors: Xiaofei Guo, Debdeep Mukhopadhyay, Chenglu Jin, Ramesh Karri

Published in: Journal of Cryptographic Engineering | Issue 3/2015

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Differential fault analysis (DFA) poses a significant threat to advanced encryption standard (AES). Only a single faulty ciphertext is required to extract the secret key. Concurrent error detection (CED) is widely used to protect AES against DFA. Traditionally, these CEDs are evaluated with uniformly distributed faults, the resulting fault coverage indicates the security of CEDs against DFA. However, DFA-exploitable faults, which are a small subspace of the entire fault space, are not uniformly distributed. Therefore, fault coverage does not accurately measure the security of the CEDs against DFA. We provide a systematic study of DFA of AES and show that an attacker can inject biased faults to improve the success rate of the attacks. We propose fault entropy (FE) and fault differential entropy (FDE) to evaluate CEDs. We show that most CEDs with high fault coverage are not secure when evaluated with FE and FDE. This work challenges the traditional use of fault coverage for uniformly distributed faults as a metric for evaluating the security of CEDs against DFA.

next article Vertical and horizontal correlation attacks on RNS-based exponentiations

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Available only for authorised users

Appendix A describes the AES encryption algorithm.

Classic fault model, such as permanent single bit stuck-at faults, is not relevant for DFA.

Single, stuck-at fault model. The assumption of random fault in DFA is not relevant.

The number of faults is calculated with an assumption that the faults are injected at the input to the round. If the faults can be injected anywhere in the AES round, all these numbers can be proportionally scaled.

In practice, it may be subjected to clock, power, laser, or EM injection attack, but it is relatively feasible and affordable to use multiple countermeasures on the checker. To defend against clock glitch attack, one can use dual rail logic style [50]. To defend against power or EM pulse attack, one can use a power supply noise detector for the checker [40]. To defend against laser, one can use shielding [16].

This is demonstrated using clock glitch in Dutertre et al. [21].

This is demonstrated using laser in Canivet et al. [13].

For more details, we refer to [19].

The evaluation is similar to the attack presented in Lashermes et al. [34].

\(i\) and \(j\) are the row and column indices of the state matrix, respectively. Appendix 7.1 contains the detail of the AES algorithm.

The details of SubBytes are in Appendix A.

This means eight bit binary value in hex.

We compute the difference between the fault-free and the faulty 10th round input.

Agoyan, M., Dutertre, J.M., Mirbaha, A.P., Naccache, D., Ribotta, A.L., Tria, A.: How to Flip a Bit? IOLTS pp. 235–239 (2010)

Agoyan, M., Dutertre, J.M., Naccache, D., Robisson, B., Tria, A.: When clocks fail: on critical paths and clock faults. In: Proc. CARDIS, pp. 182–193 (2010)

Ali, S.S., Mukhopadhyay, D.: A differential fault analysis on AES key schedule using single fault. In: 2011 Workshop on Fault Diagnosis and Tolerance in Cryptography, FDTC 2011, Tokyo, Japan, September 29, 2011, pp. 35–42 (2011)

Ali, S.S., Mukhopadhyay, D.: Differential fault analysis of AES-128 key schedule using a single multi-byte fault. In: Smart Card Research and Advanced Applications - 10th IFIP WG 8.8/11.2 International Conference, CARDIS 2011, Leuven, Belgium, September 14–16, 2011, Revised Selected Papers, pp. 50–64 (2011)

Ali, S.S., Mukhopadhyay, D.: An improved differential fault analysis on AES-256. In: Progress in Cryptology - AFRICACRYPT 2011: 4th International Conference on Cryptology in Africa, Dakar, Senegal, July 5–7, 2011, Proceedings, pp. 332–347 (2011)

Ali, S.S., Mukhopadhyay, D., Tunstall, M.: Differential fault analysis of AES: towards reaching its limits. J. Cryptogr. Eng. 3, 73–97 (2013)

Amiel, F., Clavier, C., Tunstall, M.: Fault analysis of dpa-resistant algorithms. FDTC, pp. 223–236 (2006)

Barenghi, A., Breveglieri, L., Koren, I., Naccache, D.: Fault injection attacks on cryptographic devices: theory, practice, and countermeasures. Proc. IEEE 100(11), 3056–3076 (2012)CrossRef

Barenghi, A., Hocquet, C., Bol, D., Standaert, F.X., Regazzoni, F., Koren, I.: Exploring the Feasibility of low cost fault injection attacks on sub-threshold devices through an example of a 65 nm AES implementation, pp. 48–60 (2011)

10.

Battistello, A., Giraud, C.: Fault analysis of infective AES computations. FDTC, pp. 101–107 (2013)

11.

Bertoni, G., Breveglieri, L., Koren, I., Maistri, P., Piuri, V.: Error analysis and detection procedures for a hardware implementation of the advanced encryption standard. IEEE Trans. Comput. 52(4), 492–505 (2003)CrossRef

12.

Blömer, J., Seifert, J.P.: Fault Based cryptanalysis of the advanced encryption standard. FC, pp. 162–181 (2003)

13.

Boost C++ Libraries. http://www.boost.org/

14.

Breveglieri, L., Koren, I., Maistri, P.: An Operation-centered approach to fault detection in symmetric cryptography ciphers. IEEE Trans. Comput. 56, 635–649 (2007)MathSciNetCrossRef

15.

Briais, S., Cioranesco, J.M., Danger, J.L., Guilley, S., Naccache, D., Porteboeuf, T.: Random active shield. FDTC, pp. 103–113 (2012)

16.

Canivet, G., Clediere, J., Ferron, J., Valette, F., Renaudin, M., Leveugle, R.: Detailed analyses of single laser shot effects in the configuration of a Virtex-II FPGA. IOLTS, pp. 289–294 (2008)

17.

Canivet, G., Maistri, P., Leveugle, R., Clédière, J., Valette, F., Renaudin, M.: Glitch and laser fault attacks onto a secure aes implementation on a sram-based fpga. J. Cryptol. 24 (2011)

18.

Chih-Hsu, Y., Bing-Fei, W.: Simple error detection methods for hardware implementation of advanced encryption standard. IEEE Trans. Comput. 55(6), 730–731 (2006)

19.

Cover, T.M., Thomas, J.A.: Elements of information theory. Wiley (1991)

20.

Dehbaoui, A., Dutertre, J., Robisson, B., Tria, A.: Electromagnetic transient faults injection on a hardware and a software implementations of AES. In: Proc. IEEE FDTC, pp. 7–15 (2012)

21.

Dutertre, J.M., Fournier, J., Mirbaha, A.P., Naccache, D., Rigaud, J.B., Robisson, B., Tria, A.: Review of fault injection mechanisms and consequences on countermeasures design. DTIS, pp. 1–6 (2011)

22.

Giraud, C.: DFA on AES. AES, pp. 27–41 (2005)

23.

Guo, X., Karri, R.: Invariance-based concurrent error detection for advanced encryption standard. In: Design Automation Conference (DAC), 2012 49th ACM/EDAC/IEEE, 3–7 June 2012, San Francisco, CA, 573–578 (2012)

24.

Guo, X., Karri, R.: Recomputing with permuted operands: a concurrent error detection approach. IEEE Trans. CAD 32(10), 1595–1608 (2013)CrossRef

25.

Guo, X., Mukhopadhyay, D., Jin, C., Karri, R.: NREPO: normal basis recomputing with permuted operands. In: IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), 2014, pp. 118–123 (2014)

26.

Jarvinen, K., Blondeau, C., Page, D., Tunstall, M.: Harnessing biased faults in attacks on ECC-based signature schemes. FDTC, pp. 72–82 (2012)

27.

Joye, M., Manet, P., Rigaud, J.: Strengthening hardware AES implementations against fault attack. IET Inf. Sec. 1, 106–110 (2007)CrossRef

28.

Kaminsky, A., Kurdziel, M., Radziszowski, S.: An overview of cryptanalysis research for the advanced encryption standard. MILCOM, pp. 1310–1316 (2010)

29.

Karaklajić, D., Schmidt, J.M., Verbauwhede, I.: Hardware designer’s guide to fault attacks. IEEE Trans. VLSI 21(12), 2295–2306 (2013)CrossRef

30.

Karpovsky, M., Kulikowski, K.J., Taubin, A.: Robust protection against fault-injection attacks of smart cards implementing the advanced encryption standard. DNS, pp. 93–101 (2004)

31.

Karri, R., Wu, K., Mishra, P., Kim, Y.: Concurrent error detection schemes of fault based side-channel cryptanalysis of symmetric block ciphers. IEEE Trans. CAD 21(12), 1509–1517 (2002)CrossRef

32.

Khelil, F., Hamdi, M., Guilley, S., Danger, J.L., Selmane, N.: Fault analysis attack on an aes fpga implementation. In: Proc. New Technologies, Mobility and Security, pp. 1–5 (2008)

33.

Kim, C.H.: Differential fault analysis against AES-192 and AES-256 with minimal faults. FDTC, pp. 3–9 (2010)

34.

Lashermes, R., Reymond, G., Dutertre, J., Fournier, J., Robisson, B., Tria, A.: A DFA on AES based on the entropy of error distributions. FDTC, pp. 34–43 (2012)

35.

Li, Y., Sakiyama, K., Gomisawa, S., Fukunaga, T., Takahashi, J., Ohta, K.: Fault sensitivity analysis. In: Proc. CHES, pp. 320–334 (2010)

36.

Mozaffari-Kermani, M., Reyhani-Masoleh, A.: Concurrent structure-independent fault detection schemes for the advanced encryption standard. IEEE Trans. Comput. 59(5), 608–622 (2010)

37.

Maistri, P.: Countermeasures against fault attacks: the good, the bad, and the ugly. IOLTS, pp. 134–137 (2011)

38.

Maistri, P., Leveugle, R.: Double-data-rate computation as a countermeasure against fault analysis. IEEE Trans. Comput. 57(11), 1528–1539 (2008)MathSciNetCrossRef

39.

Malkin, T., Standaert, F.X., Yung, M.: A comparative cost/security analysis of fault attack countermeasures. FDTC, pp. 109–123 (2005)

40.

Metra, C., Schiano, L., Favalli, M.: Concurrent detection of power supply noise. IEEE Trans. Reliab. 52(4), 469–475 (2003)CrossRef

41.

Moradi, A., Shalmani, M.T.M., Salmasizadeh, M.: A generalized method of differential fault attack against AES cryptosystem. In: Proc. CHES, pp. 91–100 (2006)

42.

Mozaffari-Kermani, M., Reyhani-Masoleh, A.: A lightweight high-performance fault detection scheme for the advanced encryption standard using composite field. IEEE Trans. VLSI 19(1), 85–91 (2011)CrossRef

43.

Mukhopadhyay, D.: An improved fault based attack of the advanced encryption standard. AFRICACRYPT, pp. 421–434 (2009)

44.

National Institute of Standards and Technology (NIST): Advanced Encryption Standard (AES). http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf (2001)

45.

Dusart, P., L, G., Vivolo, O.: Differential fault analysis on AES. Cryptology ePrint Archive (2003)

46.

Piret, G., Quisquater, J.: A differential fault attack technique against spn structures, with application to the AES and Khazad. In: Proc. CHES, pp. 77–88 (2003)

47.

Saha, D., Mukhopadhyay, D., Chowdhury, D.R.: A diagonal fault attack on the advanced encryption standard. IACR Cryptology ePrint Archive, p. 581 (2009)

48.

Sakiyama, K., Li, Y., Ohta, K., Iwamoto, M.: Information-theoretic approach to optimal differential fault analysis. IEEE Trans. Inf. Forensics Secur. 7(1), 109–120 (2012)CrossRef

49.

Satoh, A., Sugawara, T., Homma, N., Aoki, T.: High-performance concurrent error detection scheme for AES hardware. In: Proc. CHES, pp. 100–112 (2008)

50.

Selmane, N., Bhasin, S., Guilley, S., Graba, T., Danger, J.L.: WDDL is protected against setup time violation attacks. FDTC, pp. 73–83 (2009)

51.

Selmane, N., Guilley, S., Danger, J.L.: Practical setup time violation attacks on aes. EDCC, pp. 91–96 (2008)

52.

Takahashi, J., Fukunaga, T., Yamakoshi, K.: DFA mechanism on the AES key schedule. FDTC, pp. 62–74 (2007)

53.

Tunstall, M., Mukhopadhyay, D., Ali, S.: Differential fault analysis of the advanced encryption standard using a single fault. WISTP, pp. 224–233 (2011)

54.

Wu, K., Karri, R., Kuznetsov, G., Goessel, M.: Low cost concurrent error detection for the advanced encryption standard. ITC, pp. 1242–1248 (2004)

55.

Xilinx: ChipScope Pro. http://www.xilinx.com/support/documentation/dt_chipscopepro.htm

56.

Yumbul, K., Erdem, S., Savas, E.: On selection of modulus of quadratic codes for the protection of cryptographic operations against fault attacks. IEEE Trans. Comput. (99), 1 (PP) (2012)

Title: Security analysis of concurrent error detection against differential fault analysis
Authors: Xiaofei Guo
Debdeep Mukhopadhyay
Chenglu Jin
Ramesh Karri
Publication date: 01-09-2015
Publisher: Springer Berlin Heidelberg
Published in: Journal of Cryptographic Engineering / Issue 3/2015
Print ISSN: 2190-8508
Electronic ISSN: 2190-8516
DOI: https://doi.org/10.1007/s13389-014-0092-8

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Other articles of this Issue 3/2015

Multiprecision multiplication on AVR revisited

Vertical and horizontal correlation attacks on RNS-based exponentiations

A new method for enhancing variety and maintaining reliability of PUF responses and its evaluation on ASICs

Fast software implementation of binary elliptic curve cryptography

Premium Partner