1 Introduction
-
An efficient correction procedure for single nibble/byte errors using RK codes is presented. The procedure, based on a compact Error Coefficient and Location Table (ECLT) is a substantial improvement compared with the regular syndrome analysis.
-
Inner–Outer code-based architecture is presented. A robust inner code is employed to detect and correct errors. An outer robust code detects critical events of undetected and miscorrected errors.
-
Induced error statistics. We report experiments using a clock glitch-based fault injector on cryptographic circuits (full- and small-scale AES [5], LED, PRESENT) on the SAKURA FPGA board. The experimental results confirm the long-standing assumption that an injected error can be modeled as an additive symmetric error.
-
The effectiveness of the RK code in detecting faults causing an arbitrary number of bit-flips is confirmed. The experiments show that the proposed architectures are capable of detecting errors of arbitrary multiplicity and correcting single errors, reliably recognizing erroneous corrections. The architectures are especially effective when they combine codes with a distance larger than 3 and an additional system-level validation by an outer code.
-
The experimental results indicate that a system level fault manager that employs a Compact Protection Code (CPC) [28] as an outer code is able to detect erroneous RK corrections with high probability. It can decrease the probability that a malicious fault will not be detected (at the first cycle it effects that computation), exponentially with the number of the CPC’s redundant bits.
2 Preliminaries
2.1 Natural and malicious faults
2.2 Security-oriented codes
3 Detection and correction architecture for Rabii–Keren codes
3.1 Construction algorithm of systematic Rabii–Keren codes
3.2 Detection and correction architecture for RK codes of distance \(d=3\)
\(\hat{h}_i\) | i | \(g_i\) | \(\hat{h}_i\) | i | \(g_i\) |
---|---|---|---|---|---|
1 10 12 | 0 | 7 | 1 5 8 | 11 | 12 |
1 9 1 | 1 | 9 | 1 1 13 | 12 | 13 |
1 13 6 | 2 | 10 | 1 5 3 | 13 | 7 |
1 12 4 | 3 | 9 | 1 6 5 | 14 | 2 |
1 15 5 | 4 | 11 | 1 14 7 | 15 | 8 |
1 14 5 | 5 | 10 | 1 0 0 | 16 | 1 |
1 14 1 | 6 | 14 | 0 1 0 | 17 | 1 |
1 13 0 | 7 | 12 | 0 0 1 | 18 | 1 |
0 1 13 | 8 | 12 | |||
1 10 3 | 9 | 8 | |||
1 6 13 | 10 | 10 |
3.3 Detection and correction architecture for RK codes of distance \(d>3\)
\(\hat{h}_i\) | i | \(g_i\) | \(\hat{h}_i\) | i | \(g_i\) |
---|---|---|---|---|---|
1 11 5 | 0 | 1 | 1 15 10 | 10 | 14 |
1 1 7 | 1 | 10 | 1 13 1 | 11 | 2 |
0 1 1 | 2 | 10 | 1 15 4 | 12 | 8 |
1 11 15 | 3 | 8 | 1 3 4 | 13 | 12 |
0 1 11 | 4 | 8 | 0 1 3 | 14 | 12 |
1 11 7 | 5 | 3 | 1 11 10 | 15 | 8 |
1 6 3 | 6 | 4 | 1 0 0 | 16 | 1 |
1 14 8 | 7 | 7 | 0 1 0 | 17 | 1 |
1 14 6 | 8 | 8 | 0 0 1 | 18 | 1 |
1 7 1 | 9 | 10 |
4 Inner–outer code-based architecture
-
Class C1: Undetected by the RK code Faults which were undetected, i.e., resulted in the all-zero syndrome. Fault events of class C1 occur when an error maps a codeword onto another codeword.
-
Class C2: Single errors Faults which affected only one symbol and could be corrected to the original codeword. Note that our experimental setup keeps the fault-unaffected ciphertext for reference and thus can attribute the fault precisely; an actual device under attack would not know the multiplicity of the injected attack. Fault events of class C2 occur when the error shifts a codeword to a word within a Hamming ball of radius t around it where t is the maximal number of erroneous symbols that the decoder is allowed to change, \(t\le (d-1)/2\).
-
Class C3: Recognized as suspicious Faults which resulted in multi-symbol errors and where the correction procedure stopped since it did not find a fitting entry in the ECLT.
-
Class C4: Erroneous correction Faults which were corrected but into a different codeword than the original one. This can happen if, e.g., for distance-3 code, an error of multiplicity 2 transforms a codeword into a non-codeword with distance 1 to a different codeword. Fault events of class C4 happen when the error shifts a codeword into any Hamming ball whose center is a different codeword.
Architecture | Symbols | Bits | Fault events | |||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
Circuit | d | #Dec | \(k_q\) | \(r_q\) | k | r | Nonlinear checker | System-level fault manager | ||||
Class C1 | Class C2 | Class C3 | Class C4 | Class S1 | Class S2 | |||||||
Undetected by the RK code | Single errors (corrected by RK code) | Recognized as suspicious (by RK code) | Erroneous corrections by RK code | Recognized as erroneous by CPC outer code | Unrecognised as erroneous by CPC outer code | |||||||
Small-sc. | 3 | 1 | 16 | 3 | 64 | 12 | 0.0179 | 5.9337 | 87.4101 | 6.6383 | 62463 (93.8%) | 4099 (6.2%) |
AES | 5 | 1 | 16 | 7 | 64 | 28 | 0 | 5.9337 | 94.0662 | 0.0001 | 1 (100%) | 0 (0%) |
AES | 3 | 1 | 32 | 3 | 128 | 12 | 0.0239 | 0.0033 | 86.7272 | 13.2456 | 124347 (93.7%) | 8348 (6.3%) |
3 | 2 | 32 | 6 | 128 | 24 | 0.0067 | 0.0033 | 88.1006 | 11.8894 | 117540 (98.8%) | 1421 (1.2%) | |
5 | 2 | 32 | 14 | 128 | 56 | 0 | 0.0033 | 99.9956 | 0.0011 | 11 (100%) | 0 (0%) | |
LED-64 | 3 | 1 | 16 | 3 | 64 | 12 | 0.0234 | 0.0015 | 92.6682 | 7.3069 | 68923 (94.0%) | 4380 (6.0%) |
5 | 1 | 16 | 7 | 64 | 28 | 0 | 0.0015 | 99.9985 | 0 | 0 | 0 | |
Present | 3 | 1 | 16 | 3 | 64 | 12 | 0.0229 | 0 | 92.7018 | 7.2753 | 68427 (93.8%) | 4555 (6.2%) |
5 | 1 | 16 | 7 | 64 | 28 | 0 | 0 | 100 | 0 | 0 | 0 |
-
Class S1: Recognized by the outer code Seemingly successful but erroneous corrections which created an inconsistency when recalculating the outer code.
-
Class S2: Unrecognized by the outer code Seemingly successful but erroneous corrections not noticed by the system.
5 Experimental results
5.1 Fault injection methodology
5.2 Induced error statistics
Circuit | d | #Dec | \(k_q\) | \(r_q\) | k | r | \(r_o=4\) | \(r_o=8\) | \(r_o=12\) | \(r_o=16\) |
---|---|---|---|---|---|---|---|---|---|---|
Small-sc. | 3 | 1 | 16 | 3 | 64 | 12 | 0.4099% | 0.0246% | 0.0017% | 0.0001% |
AES | 5 | 1 | 16 | 7 | 64 | 28 | 0% | 0% | 0% | 0% |
AES | 3 | 1 | 32 | 3 | 128 | 12 | 0.8348% | 0.0539% | 0.0035% | 0.0002% |
3 | 2 | 32 | 6 | 128 | 24 | 0.1421% | 0.0085% | 0.0004% | 0.0001% | |
5 | 2 | 32 | 14 | 128 | 56 | 0% | 0% | 0% | 0% | |
LED-64 | 3 | 1 | 16 | 3 | 64 | 12 | 0.4380% | 0.0288% | 0.0024% | 0.0001% |
5 | 1 | 16 | 7 | 64 | 28 | 0% | 0% | 0% | 0% | |
Present | 3 | 1 | 16 | 3 | 64 | 12 | 0.4555% | 0.0290% | 0.0021% | 0.0001% |
5 | 1 | 16 | 7 | 64 | 28 | 0% | 0% | 0% | 0% |
Cipher | Unprot. round | RK (\(d=3\)) | BCH (\(d=3\)) | RK (\(d=5\)) | BCH (\(d=5\)) | TMR |
---|---|---|---|---|---|---|
Small-scale AES | 37 | 202 | 169 | 328 | 267 | 108 |
AES (1 decoder) | 173 | 388 | 392 | \({-}{-}\) | \({-}{-}\) | 421 |
AES (2 decoders) | 173 | 465 | 419 | 572 | 462 | 421 |
LED-64 | 39 | 221 | 213 | 257 | 248 | 133 |
Present | 23 | 165 | 148 | 240 | 243 | 57 |
5.3 Classification of fault events
Cipher | Code | #Bits | Undetected faults | ||
---|---|---|---|---|---|
Distance | k | r | Linear | RK | |
Small scale | 3 | 64 | 12 | 176 | 179 |
AES | 5 | 64 | 28 | 0 | 0 |
Full scale | 3 | 128 | 12 | 234 | 239 |
AES | 5 | 128 | 28 | 0 | 0 |
LED 64 | 3 | 64 | 12 | 239 | 234 |
5 | 64 | 28 | 0 | 0 | |
Present | 3 | 64 | 12 | 231 | 229 |
5 | 64 | 28 | 0 | 0 |