Cryptography Reference
In-Depth Information
9.5 Fault Attacks on Dummy and Validation Operations
9.5.1 Safe-Error Fault Attacks
A common countermeasure against simple power and timing analysis attacks is the
use of dummy operations and variables, e.g., a double-and-add-always algorithm
like Algorithm 9.2. When a fault is injected into a dummy variable or during a
dummy operation, it results in a safe-error, i.e., an error that does not affect the final
result. A safe-error fault attack, as presented in [427, 429], works by injecting a fault
resulting in a potential safe-error during an iteration of the scalar multiplication and
observing the resulting output. A correct output confirms that the targeted operation
or variable was a dummy, while a faulty output indicates the opposite. In both cases,
the corresponding bit of the scalar is exposed. Note that input or output validation
does not help in countering this attack.
9.5.1.1 Countermeasures
To counter a safe-error fault attack, it is essential to eliminate the potential of safe-
errors. In particular, it should be possible to detect errors resulting from any injected
fault even when they do not affect the final result. As an example, Algorithm 9.4,
which employs coherency checking, allows for the detection of safe-error attacks by
validating the dummy intermediate variable.
9.5.2 Double-Fault Attacks
Most countermeasures for fault attacks, e.g., point validation, integrity checking and
coherency checking, are based on invariants that are assumed to hold in an error-free
computation. As such, they are commonly implemented as logical tests that indicate
whether the final output is faulty or not. It is possible, however, for an attacker to
influence the result of such a test by injecting a fault in the testing hardware or the
status register [430]. This leads to these validation tests becoming a single point of
failure.
9.5.2.1 Countermeasures
This can be avoided using infective computation, presented originally in [430] and
adapted for elliptic curves in [124]. In essence, the validation test is replaced by a
computation that allows the correct result to pass through unchanged and masks any
faulty results randomly. For example, instead of testing whether
a
=
b
and returning
a
if the equality holds, the algorithm returns
(
a
−
b
)
r
+
a
for a random
r
,sothe
