The most commonly used fault detection technique is concurrent error detection
(CED), which employs circuit-level coding techniques, e.g. parity schemes, modular
redundancy, etc., to produce and verify check digits after each computation. In [34], a
secure AES architecture based on linear parity codes was proposed. The method can
detect all errors of odd multiplicities with reasonable hardware overhead. In [155],
an approach to fault-tolerant public key cryptography based on redundant arithmetic
in finite rings was presented. The method is closely related to cyclic binary and
arithmetic codes. In [218], the authors proposed a CED technique that exploits the
inverse relationships existing between encryption and decryption at various levels.
A decryption is immediately conducted to verify the correctness of the encryption
operation. A lightweight concurrent fault detection scheme for the S-Box of AES was
proposed in [221]. The structure of the S-Box is divided into blocks and the predicted
parities for these blocks are obtained and used for the fault detection. Various fault
attack countermeasures were compared in terms of the hardware overhead and the
fault detection capabilities in [266].
Error detecting codes [260] are often used in cryptographic devices to detect
errors caused by injected faults and prevent the leakage of useful information to
attackers. Most of the proposed error detecting codes are linear codes like parity
codes, Hamming codes and AN codes [335]. Protection architectures based on linear
codes concentrate their error detecting abilities on errors with small multiplicities or
errors of particular types, e.g. errors with odd multiplicities or byte errors. However, in
the presence of unanticipated types of errors, linear codes can provide little protection.
Linear parity codes, for example, can detect no errors with even multiplicities.
In [63], the author compared several concurrent fault detection schemes for the
Advanced Encryption Standard based on linear codes. As expected, the simulation
results showed that the error detecting capabilities of systems protected by linear
codes largely depend on the error profiles at the output of the device due to the
injected faults. The spectrum of available fault injection methods and the adaptive
nature of an attacker suggest that it would be possible to bypass such protection by
injecting a class of faults or errors which the cryptographic device does not anticipate.
Even considering only inexpensive noninvasive or semi-invasive fault attacks, an
attacker has a wide spectrum of fault types and injection methods at his disposal [21].
Robust codes have been proposed as a solution to the limitation of linear error
detecting codes for detection of fault injection attacks [212]. These nonlinear codes
are designed to provide equal protection against all errors, thereby eliminating possible
weak areas in the protection that can be exploited by an attacker. Several variants
of robust codes have been used to protect both private and public cryptographic
algorithms. These variants allow several trade-offs between robustness and hardware
overhead for many architectures. Robust and partially robust codes have been used
for the protection of both private [211, 212] and public key cryptosystems [156].
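The two preceding paragraphs make a quantitative claim that is easy to check exhaustively: for a linear code the set of undetected errors is fixed and independent of the data (a parity code misses every even-multiplicity error and catches every odd one), whereas a nonlinear code makes detection depend on the codeword, so no error pattern is missed for all data. The script below is an added illustration, not code from the chapter or its cited works. It enumerates every nonzero error pattern e on 8-bit words and computes Q(e), the fraction of codewords for which c XOR e still passes the checker. The linear example is an even-parity code (7 data bits + 1 check bit). The nonlinear example, the code (x, x^3) over GF(2^4), is an assumption chosen here for illustration; the chapter does not specify which robust construction it has in mind.

```python
"""Added example (not from the chapter): exhaustive comparison of the
error-masking probability Q(e) of a linear parity code and of a small
nonlinear code.  The (x, x^3) code over GF(2^4) is an assumed
construction for illustration only."""

K_PARITY, N_PARITY = 7, 8   # 7 data bits + 1 parity bit
K_CUBIC, N_CUBIC = 4, 8     # 4 data bits + 4 redundant bits (x^3)


def popcount(v):
    return bin(v).count("1")


def parity_encode(x):
    """Even-parity codeword: 7 data bits followed by one parity bit."""
    return (x << 1) | (popcount(x) & 1)


def parity_check(c):
    """Accept iff the 8-bit word has even weight."""
    return popcount(c) % 2 == 0


def gf16_mul(a, b):
    """Multiply in GF(2^4) modulo x^4 + x + 1 (0x13)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= 0x13
    return r & 0xF


def gf16_cube(x):
    return gf16_mul(gf16_mul(x, x), x)


def cubic_encode(x):
    """Codeword (x, x^3): 4 data bits, 4 redundant bits."""
    return (x << 4) | gf16_cube(x)


def cubic_check(c):
    """Accept iff the redundant nibble equals the cube of the data nibble."""
    return gf16_cube(c >> 4) == (c & 0xF)


def masking_probabilities(encode, check, k, n):
    """Return {e: Q(e)} for every nonzero n-bit error pattern e, where Q(e)
    is the fraction of the 2^k codewords c for which c XOR e is accepted,
    i.e. the probability that error e goes undetected."""
    codewords = [encode(x) for x in range(1 << k)]
    q = {}
    for e in range(1, 1 << n):
        missed = sum(1 for c in codewords if check(c ^ e))
        q[e] = missed / len(codewords)
    return q


def summarize(q):
    """Worst-case masking probability and number of never-detected patterns."""
    return {
        "worst_q": max(q.values()),
        "always_missed": sum(1 for v in q.values() if v == 1.0),
        "patterns": len(q),
    }


def parity_summary():
    return summarize(masking_probabilities(parity_encode, parity_check,
                                           K_PARITY, N_PARITY))


def cubic_summary():
    return summarize(masking_probabilities(cubic_encode, cubic_check,
                                           K_CUBIC, N_CUBIC))


def parity_detection_by_weight():
    """Average detection rate of the parity code per error multiplicity."""
    q = masking_probabilities(parity_encode, parity_check, K_PARITY, N_PARITY)
    by_w = {}
    for e, v in q.items():
        by_w.setdefault(popcount(e), []).append(1.0 - v)
    return {w: sum(vs) / len(vs) for w, vs in sorted(by_w.items())}


if __name__ == "__main__":
    print("parity :", parity_summary())
    print("by weight:", parity_detection_by_weight())
    print("cubic  :", cubic_summary())
```

For the parity code, 127 of the 255 error patterns (all the even-weight ones) have Q(e) = 1: an attacker who can induce such an error pattern is never detected, regardless of the data being processed. For the cubic code no pattern is always missed; the worst case is Q(e) = 2/16, because an undetected error requires the data x to satisfy a quadratic over GF(2^4), which has at most two roots. This data-dependence is the property the chapter refers to as robustness.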
In this chapter we will present the basic constructions of robust codes and their
application to the design of secure cryptographic devices. As case studies, we dis-
cuss secure AES, secure Elliptic Curve Cryptography (ECC) and secure Finite State
Machine (FSM) architectures based on robust codes, which are resilient to strong