The attack in [55], based on the “safe-error” principle, can be extended to the case
of an attack on one byte. In this case all the input bits of an S-Box must be stuck-at-0.
Then, by applying all 256 values at the input of the S-Box, a collision appears: when
the byte has the same value as the key, the result equals the one obtained with the
stuck-at fault.
In [296] the authors propose a generalization of the attack on a single byte,
focusing on three or four bytes in the first State array column. The faults can be injected at
any step of the AES process. For the attack to be successful, it is necessary to know
whether the error affects three or four bytes or not. Furthermore, six and 1,500 error
injections have to be performed for three and four faulty bytes respectively.
In this chapter, we do not discuss the actual capabilities of injecting faults
according to the hypotheses underlying the attacks. Nevertheless, from this overview, the
following can be concluded:
- Errors affecting one byte (or even four in [296]) of the State are easily exploitable.
  Thus it is of prime importance to detect errors located within a byte of the State.
  All error multiplicities (1 to 8) have to be considered.
- According to the variety of reported attacks, all rounds of the AES are prone to
  fault injections. Thus, the data protection mechanism must span the whole AES
  process.
- While errors affecting more than one byte are not typically exploitable, their
  detection is of interest since it helps in detecting an attack (for instance, laser-based
  attacks need in practice many shots before succeeding in flipping bits within a
  single byte). In addition, the ingenuity of hackers may make these attacks efficient in
  the future.
6.4 Error Detection Methods
Online testing methods aim at detecting errors in data processed by a device in mission
mode. These errors are characterized by their multiplicity, i.e. the number of bits in
the erroneous data that differ from the expected data value (e.g. single- or multiple-bit
errors). Error multiplicity is strongly correlated to the hardware implementation of
the device and the faults likely to affect its structure (effect, duration and location in
space and time dimensions).
Error detection exploits different forms of redundancy, namely hardware,
temporal and information redundancies. The methods are generally evaluated in
terms of error detection rate, error detection latency, performance, and area cost,
and less frequently in terms of the capacity to detect the most likely errors. The
following subsections review several error detection mechanisms and evaluate these
mechanisms with regard to classical criteria. A discussion on the error detection rate
is deferred to Sect. 6.5.
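The detection rate per error multiplicity, as an added example that is not part of the original text: it enumerates every non-zero error mask on one State byte and compares a single parity bit per byte (information redundancy) with duplicate-and-compare (hardware redundancy). Both schemes, and the assumption that a fault corrupts only one of the two copies, are illustrative choices and not mechanisms taken from this page.

```python
from collections import defaultdict

def multiplicity(error: int) -> int:
    """Number of bits that differ from the expected value (popcount of the mask)."""
    return bin(error).count("1")

def parity(byte: int) -> int:
    """Even/odd parity of one byte."""
    return bin(byte).count("1") & 1

def parity_detects(data: int, error: int) -> bool:
    """Information redundancy: one parity bit stored per byte (assumed scheme)."""
    stored = parity(data)                  # computed before the fault occurs
    return parity(data ^ error) != stored  # re-checked on the faulty byte

def duplication_detects(data: int, error: int) -> bool:
    """Hardware redundancy: two copies compared; assumes the fault hits one copy only."""
    return (data ^ error) != data

def detection_rates(detector) -> dict:
    """Detection rate per multiplicity over every data byte and non-zero error mask."""
    hits, total = defaultdict(int), defaultdict(int)
    for data in range(256):
        for error in range(1, 256):
            m = multiplicity(error)
            total[m] += 1
            hits[m] += detector(data, error)
    return {m: hits[m] / total[m] for m in sorted(total)}

def missed_masks(detector, data: int = 0x3C) -> int:
    """How many of the 255 non-zero error masks go undetected on one byte."""
    return sum(1 for error in range(1, 256) if not detector(data, error))

if __name__ == "__main__":
    p = detection_rates(parity_detects)
    d = detection_rates(duplication_detects)
    for m in range(1, 9):
        print(f"multiplicity {m}: parity {p[m]:.0%}  duplication {d[m]:.0%}")
    print("masks missed by parity:", missed_masks(parity_detects), "of 255")
```

A single parity bit catches every odd-multiplicity error and none of the even ones, which is why a scheme has to be evaluated against each multiplicity from 1 to 8 rather than by one average figure.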