A Note on the Security of CHES 2014 Symmetric Infective Countermeasure

Over the years, fault injection has become one of the most dangerous threats to embedded devices such as smartcards. It is thus mandatory for any embedded system to implement efficient protections against this hazard. Among the various countermeasures suggested so far, the idea of infective computation seems fascinating, probably due to its aggressive strategy. Originally conceived to protect asymmetric cryptosystems, infective computation has recently been adapted to symmetric systems. This paper investigates the security of a new symmetric infective countermeasure suggested at CHES 2014. By noticing that the number of executed rounds is not protected, we develop four different attacks that exploit the infection algorithm to disturb the round counter and related variables. Our attacks allow one to efficiently recover the secret key of the underlying cryptosystem using any of the three most popular fault models in the literature.
