Cryptography Reference
In-Depth Information
Table 6.3
Detection capability for errors in a single byte
Error
multi-
# Errors
Percentage of the undetected errors
plicity
Parity for
State
Parity for
State +
parity for
S-Box
Parity
per
byte
Parity per
byte +
double
parity
CRC for
State
for
S-Box
1
5120
13.01
0
0
0
0
2
17920
86.31
86.31
94.38
81.84
0
3
35840
12.23
0
0
0
0
4
44800
86.01
86.01
88.75
76.10
0
5
35840
12.77
0
0
0
0
6
17920
86.22
86.22
83.13
70.5
0
7
5120
12.01
0
0
0
0
8
640
86.88
86.88
77.5
26.72
0
instances for two erroneous bits among eight bits), affecting one byte over 16 in the
State array, after one of the 4
40 operations executed during the encryption),
and the percentage of the undetected errors for each technique under evaluation.
As expected, errors with odd multiplicity are more easily detected with detection
schemes based on parity codes. Only solution “Parity for State” does not guarantee
a high error detection level since it uses a single parity bit for the whole 128-bit
State matrix. In contrast, the CRC-based scheme outperforms other techniques by
detecting even-multiplicity errors too, but at the cost of large penalties in terms of
area overhead, power consumption, and performance degradation (see Table
6.2
).
We also injected random errors affecting not only a single byte but bytes of any
subset of the state matrix with error multiplicity ranging from 1 to 64 faulty bits.
Note that even if errors affecting several bytes are not easily exploitable during
DFA (only one laser-based fault injection over 10,000 leads to an exploitable error),
their detection is of prime interest for detecting the attack itself. For each error
multiplicity, 1,000 randomly chosen injection positions in the State matrix have
been randomly selected, and this after every encryption operation (four operations
per round, for ten rounds). Finally, a total of 40,000 injections have been performed
for each error multiplicity, except for the case of multiplicity 1, where only 128
positions are available, and then 128
×
10
=
40 injections have been performed. A sample
of simulation results showing the number of undetected errors is reported in Table
6.4
.
Techniques “Parity per byte” [34] and “CRC for State” [425] detect all simulated
errors with multiplicity larger than six bits (and therefore solutions based on “Parity
per byte + double parity for S-Box" [34, 120]). In contrast, a large percentage of even
multiplicity errors are not detected by the “Parity for State" solution [424], mainly
due to errors occurring before the ShiftRows, MixColumns and AddRoundKey
operations, since a single parity bit over the 128-bit State is used for error detec-
tion. However, the use of a double parity bit for each S-Box (“Parity for State +
×
