Protecting block ciphers against differential fault attacks without re-keying

In this article, we propose a new method to protect block cipher implementations against Differential Fault Attacks (DFA). Our strategy, called "Tweak-in-Plaintext", ensures that an uncontrolled value (the 'tweak-in') is inserted into some part of the block cipher plaintext, which makes DFA much harder to perform. Our method is extremely simple yet presents many advantages over the previous solutions proposed at AFRICACRYPT 2010 and CARDIS 2015. Firstly, we need neither a tweakable block cipher nor any related-key security assumption (we do not perform any re-keying). Moreover, performance for lightweight applications is improved, and we do not need to send any extra data. Finally, our scheme can be used directly with standard block ciphers such as AES or PRESENT. Experimental results show that the throughput overheads of incorporating our scheme into AES-128 range from approximately 5% to 26.9% for software implementations and from approximately 3.1% to 25% for hardware implementations, depending on the tweak-in size.
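The construction sketched above, as an added illustration that is not the paper's own code: a standard AES-128 block (Go's `crypto/aes`, unmodified key schedule, no tweakable cipher) encrypts the message payload concatenated with a fresh, unpredictable tweak-in, and the receiver simply discards the tweak-in field after decryption, so no extra data is transmitted. The 32-bit tweak-in size, the demo key and the message are assumptions of this example; the property a defender cares about is visible at the end, where two encryptions of the same message yield different ciphertexts because the device never processes an attacker-chosen full plaintext block twice.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Tweak-in width is a parameter of the scheme; 4 bytes (32 bits) is an
// assumption for this example. Payload capacity shrinks by the same amount.
const (
	TweakInSize = 4
	BlockSize   = aes.BlockSize
	MsgSize     = BlockSize - TweakInSize // 12 payload bytes per 16-byte block
)

// EncryptBlockWithTweak places the payload in the first 12 bytes and the
// tweak-in in the last 4, then runs one ordinary AES-128 block encryption.
func EncryptBlockWithTweak(bc cipher.Block, msg, tweakIn []byte) ([]byte, error) {
	if len(msg) != MsgSize || len(tweakIn) != TweakInSize {
		return nil, errors.New("bad message or tweak-in length")
	}
	pt := append(append([]byte{}, msg...), tweakIn...)
	ct := make([]byte, BlockSize)
	bc.Encrypt(ct, pt)
	return ct, nil
}

// EncryptBlock draws a fresh tweak-in per block, so the full plaintext seen
// by the cipher is never under an attacker's control and never repeats.
func EncryptBlock(bc cipher.Block, msg []byte) ([]byte, error) {
	tweakIn := make([]byte, TweakInSize)
	if _, err := rand.Read(tweakIn); err != nil {
		return nil, err
	}
	return EncryptBlockWithTweak(bc, msg, tweakIn)
}

// DecryptBlock inverts one block and drops the tweak-in field; the receiver
// needs nothing beyond the ciphertext block itself.
func DecryptBlock(bc cipher.Block, ct []byte) ([]byte, error) {
	if len(ct) != BlockSize {
		return nil, errors.New("bad ciphertext length")
	}
	pt := make([]byte, BlockSize)
	bc.Decrypt(pt, ct)
	return pt[:MsgSize], nil
}

func main() {
	bc, _ := aes.NewCipher([]byte("0123456789abcdef")) // constructed demo key
	msg := []byte("twelve bytes")                      // constructed payload
	c1, _ := EncryptBlock(bc, msg)
	c2, _ := EncryptBlock(bc, msg)
	m, _ := DecryptBlock(bc, c1)
	fmt.Printf("ct1=%x\nct2=%x\nsame ciphertext: %v\nrecovered: %q\n", c1, c2, bytes.Equal(c1, c2), m)
}
```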
