Provably Secure Concurrent Error Detection for Advanced Encryption Standard

Differential fault analysis (DFA) poses a significant threat to the Advanced Encryption Standard (AES). Only a single faulty ciphertext is required for contemporary DFA to extract the secret key of AES using an average of 2 computations. Concurrent error detection (CED) is widely used to protect AES against DFA. Traditionally, these CEDs are evaluated with uniformly distributed faults, and the resulting fault coverage is taken as the security strength of the CED. However, DFA-exploitable faults are not uniformly distributed; they form a small subspace of the entire fault space. We provide a systematic study of various DFAs of AES and show experimentally that, in the context of DFA, the attacker is capable of biasing the induced faults to improve the success rate of the attack. We then show that the fault coverage of most CED techniques drops significantly against the fault model actually used by the attacker. This work challenges the traditional use of fault coverage under uniformly distributed faults as a metric for evaluating security against DFA. Good cryptographic designs always consider the worst-case scenario. Because a single carefully injected fault can leak the secret key, we propose a DFA-aware design flow for CEDs. We point out that CEDs should provide 100% fault coverage for DFA-exploitable faults. We show that cryptographic algorithm-specific CEDs have higher fault coverage against DFA faults and lower area overhead compared to general CEDs.
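To make the abstract's central point concrete, the following added example (not code from the paper) measures the fault coverage of one illustrative CED, a per-byte parity check over the 128-bit AES state, first under uniformly distributed faults and then under the single-byte fault model that contemporary DFA relies on. The parity scheme and the two fault models are assumptions chosen for illustration; the coverage figures are computed exhaustively or exactly, not sampled.

```python
"""Fault coverage of a per-byte parity CED on the AES state under two fault
models: uniformly distributed faults vs. the single-byte faults a DFA exploits.
Added illustration; the parity CED here is an assumed, simplified scheme."""
from fractions import Fraction
import random

STATE_BYTES = 16  # AES state is 4x4 bytes = 128 bits


def parity(x: int) -> int:
    """Parity (Hamming weight mod 2) of an integer."""
    return bin(x).count("1") & 1


def parity_ced_detects(fault: int) -> bool:
    """Per-byte parity CED: the XOR difference 'fault' is flagged if at least
    one byte of it has odd weight (the predicted parity bit then mismatches)."""
    return any(parity((fault >> (8 * i)) & 0xFF) for i in range(STATE_BYTES))


def single_byte_faults():
    """Assumed DFA fault model: exactly one state byte corrupted to any nonzero
    difference. Exhaustive: 16 positions x 255 differences = 4080 masks."""
    for i in range(STATE_BYTES):
        for diff in range(1, 256):
            yield diff << (8 * i)


def fault_coverage(faults) -> Fraction:
    """Fraction of the given fault masks that the CED detects."""
    detected = total = 0
    for f in faults:
        total += 1
        detected += parity_ced_detects(f)
    return Fraction(detected, total)


def uniform_fault_coverage_exact() -> Fraction:
    """Exact coverage over all 2^128 - 1 nonzero masks. A mask escapes only if
    every byte difference has even weight; 128 of 256 byte values are even."""
    undetected = 128 ** STATE_BYTES - 1        # subtract the all-zero mask
    total = 2 ** (8 * STATE_BYTES) - 1
    return Fraction(total - undetected, total)


def uniform_fault_coverage_sampled(n: int = 20000, seed: int = 1) -> Fraction:
    """Monte-Carlo cross-check of the exact figure using n random nonzero masks."""
    rng = random.Random(seed)
    return fault_coverage(rng.getrandbits(128) or 1 for _ in range(n))


if __name__ == "__main__":
    # Uniform faults: coverage is essentially 1 - 2^-16, i.e. "99.998%".
    # DFA single-byte faults: coverage collapses to 128/255, about 50%.
    print("uniform (exact):  ", float(uniform_fault_coverage_exact()))
    print("uniform (sampled):", float(uniform_fault_coverage_sampled()))
    print("DFA single-byte:  ", float(fault_coverage(single_byte_faults())))
```

The same CED that looks near-perfect under the traditional uniform metric leaves roughly half of the DFA-exploitable single-byte faults undetected, which is exactly the gap between the two evaluation methodologies the abstract describes.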
