Cryptography Reference
In-Depth Information
Table 6.6
Fault versus error multiplicity on S-Boxes output
0
1
2
3
4
5
6
7
8
SB1
201806
36551
6448
2033
953
474
235
62
14
81.2 %
14.7 %/
78.2 %
2.6 %/
13.8 %
0.8 %/
4.4 %
0.4 %/
2.0 %
0.2 %/
1.0 %
0.1 %/
0.5 %
0.0 %/
0.1 %
0.0 %/
0.0 %
SB2
191854
23849
16609
8212
3801
1544
619
145
23
77.8 %
9.7 %/
43.5 %
6.7 %/
30.3 %
3.3 %/
15.0 %
1.5 %/
6.9 %
0.6 %/
2.8 %
0.3 %/
1.1 %
0.1 %/
0.3 %
0.0 %/
0.0 %
SB3
175674
7311
8973
4808
9949
27511
8486
212
20
72.3 %
3.0 %/
10.9 %
3.7 %/
13.3 %
2.0 %/
7.2 %
4.1 %/
14.8 %
11.3 %/
40.9 %
3.5 %/
12.6 %
0.1 %/
0.3 %
0.0 %/
0.0 %
SB4
31632
16289
9688
14484
16418
13639
8641
1517
2252
27.6 %
14.2 %/
19.6 %
8.5 %/
11.7 %
12.6 %/
17.5 %
14.3 %/
19.8 %
11.9 %/
16.5 %
7.5 %/
10.4 %
1.3 %/
1.8 %
2.0 %/
2.7 %
SB5
12323
7060
15431
18079
23306
23705
10120
1868
236
11.0 %
6.3 %/
7.1 %
13.8 %/
15.5 %
16.1 %/
18.1 %
20.8 %/
23.4 %
21.1 %/
23.8 %
9.0 %/
10.1 %
1.7 %/
1.9 %
0.2 %/
0.2 %
A
B%/
C%
A = number of pairs {input/fault}, B % = percentage over the total number of pairs, C % = percentage
without considering pairs leading to 0 errors
in terms of power consumption, performance and area according to the chosen
synthesis parameters. However, the synthesis tool generates also quite different
implementations depending on whether the initial VHDL description is based on
a truth table or a mathematical expression. When starting from a truth table, the
number of errors at the output of the S-Box is concentrated around one or two
erroneous bits. In contrast, mathematical-based architectures (SB3, SB4, SB5) are
composed of several blocks that operate in cascade, and an error in a particular
element is spread over several output bits. Therefore this type of implementation,
first is, more sensitive to faults (72.4 % of pairs generate an error at the output for
SB4 and 89.0 % for SB5, while only 18.8 % do so for SB1), and, second, generates
a higher number of output errors (the highest average is between 4 and 5).
Countermeasures based on the use of single parity bit suffer from a low detection
rate even for multiple errors. A possible solution is presented in [219, 222] where
the authors propose decomposing the SubBytes operation in
2
2
2
, leading to
an implementation of five cascaded blocks. Each block is implemented in such a
way that any single fault propagates to an odd number of bits on the block's output.
A parity prediction block and a parity calculation block are associated with each
block, guaranteeing thus that any single fault will be detected. The synthesis of this
S-Box (without considering the detection scheme) leads to 258 cells by Synopsys
Design Compiler© and high map effort. Compared to other mathematical descrip-
tions of the S-Box (like SB4 and SB5) the extra area cost is justified by the increased
detection capability (all single faults are detected).
To summarize, for protection against single transient faults, a simple parity scheme
(over 32 and 128 bits) is sufficient for the MixColumns and AddRoundKey modules.
For the protection of S-Boxes, the error detection scheme has to be selected conjunctly
with the actual implementation of the S-Box. For instance, a simple parity scheme
would be sufficient for the SB1 or SB2 designs whereas a more sophisticated error
F
((
)
)
