Cryptography Reference
In-Depth Information
Table 6.5 S-Boximplementations
Description
Tool
Area (#cells)
SB1
Truth Table
RTL Compiler©v06.10-s007
553
SB2
Truth table
Design Compiler©D-2010.03-SP5
474
SB3
Inversion truth table, affine
Design Compiler©D-2010.03-SP5
477
transform. as combinational logic
SB4
Mathematical expressions [421]
Design Compiler©D-2010.03-SP5
193
SB5
Mathematical expressions [433]
Design Compiler©D-2010.03-SP5
176
This section presents the results of some experiments conducted to show the error
profiles resulting from the injection of a single transient bit-flip fault (representative
of faults injected by means of a laser beam), and discusses how this information
can be used for choosing an appropriate code-based detection scheme. Bit flips are
injected into the logic gates description of a circuit implementation instead of errors
in the state being considered as before (see Tables 6.3 and 6.4 ).
The ShiftRow module is not a concern for faults attacks since it does not involve
any logic gate.
The AddRoundKey module resumes on a single layer of XOR gates; therefore
only errors of multiplicity 1 may occur at the output module, under the selected
fault model.
The MixColumns transformation operates on 32 input bits (four bytes in the same
column of the State matrix) and it consists of multiplications of each byte by
constant coefficients {02}, {03} and {01} in
2 8
(see before). A possible
implementation of the MixColumns operation is shown in Fig. 6.4 .Inthisimple-
mentation a redundant layer of XOR gates is added to perform the multiplications
by {02} and {03} independently of each other. Conversely, a “classical” imple-
mentation uses the result of the multiplication by {02} and the data to compute the
{03} multiplication. With this slight modification, any single fault propagates to
a single-bit error in the State matrix (possible fault sites are depicted in Fig. 6.9 ).
F (
)
The case of the SubBytes module is far less favorable. Several hardware
implementations can be designed, and the error propagation strongly depends on
the implementation of the S-Box. For ROM-based designs, any fault in the decoder
changes the expected address to another one. Thus the error multiplicity ranges
from 1 to 8 bits at the S-Box output. For standard cell designs, we implemented
different versions of the S-Box using different synthesis parameters and implemen-
tation styles. In particular, we implemented the following designs using the AMS
0.35
m technology library. Table 6.5 reports the characteristics of these designs.
Faults have been exhaustively simulated for each S-Box implementation. All
possible input values (256 values) are considered and the device is fault simulated
for each possible inversion of the logic value at each input and output of each gate by
using an in-house fault simulator [62]. The simulator allows collecting the number
of erroneous bits at the output of the S-Box for each possible pair P composed by
input/fault.
µ
 
Search WWH ::




Custom Search