On the Need of Randomness in Fault Attack Countermeasures - Application to AES

Recent works show that a combination of perturbation and observation attacks on symmetric ciphers thwarts state-of-the-art countermeasures. In this paper, we first propose a way, new to our knowledge, to classify fault attacks against block ciphers, allowing us to exhibit their capacity to be combined with observation attacks. We then present a set of common protections against side-channel and fault attacks, namely higher-order masking schemes, detection and infection countermeasures, and how they can be combined. We show that the combination of a higher-order masking scheme and a detection countermeasure can actually be defeated by a slight variant of the combined attack of Roche et al., even if one applies their patch. Furthermore, we also demonstrate that none of the published infection countermeasures is robust against fault attacks. Finally, using randomness, we propose a set of enhanced countermeasures that thwart the considered threats.

[1] Emmanuel Prouff. Smart Card Research and Advanced Applications - 10th IFIP WG 8.8/11.2 International Conference, CARDIS 2011, Leuven, Belgium, September 14-16, 2011, Revised Selected Papers, 2011, CARDIS.

[2] Christophe Giraud, et al. DFA on AES, 2004, AES Conference.

[3] Christophe Giraud, et al. On Second-Order Fault Analysis Resistance for CRT-RSA Implementations, 2009, WISTP.

[4] Junko Takahashi, et al. DFA Mechanism on the AES Key Schedule, 2007.

[5] I. Koren, et al. Fault Diagnosis and Tolerance in Cryptography, 2006.

[6] Pankaj Rohatgi, et al. Towards Sound Approaches to Counteract Power-Analysis Attacks, 1999, CRYPTO.

[7] Jörn-Marc Schmidt, et al. A Continuous Fault Countermeasure for AES Providing a Constant Error Detection Rate, 2010, 2010 Workshop on Fault Diagnosis and Tolerance in Cryptography.

[8] Jean-Jacques Quisquater, et al. A Differential Fault Attack Technique against SPN Structures, with Application to the AES and KHAZAD, 2003, CHES.

[9] Debdeep Mukhopadhyay, et al. Differential Fault Analysis of AES-128 Key Schedule Using a Single Multi-byte Fault, 2011, CARDIS.

[10] Junko Takahashi, et al. Differential Fault Analysis on AES with 192 and 256-Bit Keys, 2010, IACR Cryptol. ePrint Arch.

[11] Pierre-Alain Fouque, et al. Meet-in-the-Middle and Impossible Differential Fault Analysis on AES, 2011, CHES.

[12] Jean-Pierre Seifert, et al. Fault Based Cryptanalysis of the Advanced Encryption Standard (AES), 2003, Financial Cryptography.

[13] Matthieu Rivain, et al. Differential Fault Analysis on DES Middle Rounds, 2009, CHES.

[14] Louis Goubin, et al. DES and Differential Power Analysis (The "Duplication" Method), 1999, CHES.

[15] Thomas S. Messerges, et al. Using Second-Order Power Analysis to Attack DPA Resistant Software, 2000, CHES.

[16] Yuval Ishai, et al. Private Circuits: Securing Hardware against Probing Attacks, 2003, CRYPTO.

[17] Christophe Giraud, et al. An Implementation of DES and AES, Secure against Some Attacks, 2001, CHES.

[18] Debdeep Mukhopadhyay, et al. A Differential Fault Analysis on AES Key Schedule Using Single Fault, 2011, 2011 Workshop on Fault Diagnosis and Tolerance in Cryptography.

[19] Christophe Giraud, et al. Securing AES Implementation against Fault Attacks, 2009, 2009 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC).

[20] Michaël Quisquater, et al. Secure Multiplicative Masking of Power Functions, 2010, ACNS.

[21] Noémie Floissac, et al. From AES-128 to AES-192 and AES-256, How to Adapt Differential Fault Analysis Attacks on Key Expansion, 2011, 2011 Workshop on Fault Diagnosis and Tolerance in Cryptography.

[22] Chong Hee Kim, et al. Improved Differential Fault Analysis on AES Key Schedule, 2012, IEEE Transactions on Information Forensics and Security.

[23] Debdeep Mukhopadhyay, et al. A Diagonal Fault Attack on the Advanced Encryption Standard, 2009, IACR Cryptol. ePrint Arch.

[24] Debdeep Mukhopadhyay, et al. An Improved Differential Fault Analysis on AES-256, 2011, AFRICACRYPT.

[25] Marc Joye, et al. Strengthening hardware AES implementations against fault attacks, 2007, IET Inf. Secur.

[26] Lars R. Knudsen, et al. Truncated and Higher Order Differentials, 1994, FSE.

[27] Debdeep Mukhopadhyay, et al. Differential Fault Analysis of the Advanced Encryption Standard Using a Single Fault, 2011, WISTP.

[28] Yang Li, et al. On the Power of Fault Sensitivity Analysis and Collision Side-Channel Attacks in a Combined Setting, 2011, CHES.

[29] Christophe Clavier, et al. Passive and Active Combined Attacks on AES Combining Fault Attacks and Side Channel Analysis, 2007.

[30] Marc Joye, et al. Checking Before Output May Not Be Enough Against Fault-Based Cryptanalysis, 2000, IEEE Trans. Computers.

[31] Bruno Robisson, et al. Design and characterisation of an AES chip embedding countermeasures, 2011, Int. J. Intell. Eng. Informatics.

[32] Tsuyoshi Takagi, et al. Cryptographic Hardware and Embedded Systems - CHES 2011 - 13th International Workshop, Nara, Japan, September 28 - October 1, 2011. Proceedings, 2011, CHES.

[33] Amir Moradi, et al. A Generalized Method of Differential Fault Attack Against AES Cryptosystem, 2006, CHES.

[34] Máire O'Neill, et al. Differential Power Analysis of CAST-128, 2010, 2010 IEEE Computer Society Annual Symposium on VLSI.

[35] Vincent Rijmen, et al. A Side-Channel Analysis Resistant Description of the AES S-Box, 2005, FSE.

[36] Yang Li, et al. Fault Sensitivity Analysis, 2010, CHES.

[37] Yong Wang, et al. An Extension of Differential Fault Analysis on AES, 2009, 2009 Third International Conference on Network and System Security.

[38] Emmanuel Prouff, et al. Provably Secure Higher-Order Masking of AES, 2010, IACR Cryptol. ePrint Arch.

[39] Christof Paar, et al. Higher Order Masking of the AES, 2006, CT-RSA.

[40] Alexandre Venelli, et al. Combined Attacks on the AES Key Schedule, 2012, IACR Cryptol. ePrint Arch.

[41] Bart Preneel, et al. Mutual Information Analysis, 2008, CHES.

[42] Pierre Dusart, et al. Differential Fault Analysis on A.E.S, 2003, ACNS.

[43] Jovan Dj. Golic, et al. Multiplicative Masking and Power Analysis of AES, 2002, CHES.

[44] Sung-Ming Yen, et al. Differential Fault Analysis on AES Key Schedule and Some Countermeasures, 2003, ACISP.

[45] Helena Handschuh, et al. Masking Does Not Protect Against Differential Fault Attacks, 2008, 2008 5th Workshop on Fault Diagnosis and Tolerance in Cryptography.

[46] Jean-Jacques Quisquater, et al. New Differential Fault Analysis on AES Key Schedule: Two Faults Are Enough, 2008, CARDIS.

[47] Moti Yung, et al. A Comparative Cost/Security Analysis of Fault Attack Countermeasures, 2006, FDTC.

[48] Jean-Jacques Quisquater, et al. Fault Attacks for CRT Based RSA: New Attacks, New Results, and New Countermeasures, 2007, WISTP.

[49] Chong Hee Kim, et al. Differential Fault Analysis against AES-192 and AES-256 with Minimal Faults, 2010, 2010 Workshop on Fault Diagnosis and Tolerance in Cryptography.

[50] Johannes Blömer, et al. Fault Based Collision Attacks on AES, 2006, FDTC.

[51] Christophe Clavier, et al. Correlation Power Analysis with a Leakage Model, 2004, CHES.

[52] Thomas Roche, et al. Combined Fault and Side-Channel Attack on Protected Implementations of AES, 2011, CARDIS.