Cryptography Reference
In-Depth Information
fault injection attacks. More details related to robust codes and their application to
the design of cryptographic devices can be found in [9, 10, 155-157, 211, 212, 216,
245].
11.2 Adversarial Fault Model
In order to model the effects of an active fault attack, we need to reflect the effect
of this fault in the circuit parameters. As a result, we model a fault injected into the
circuit as an erroneous result at the output of the device, i.e. the erroneous output
$\tilde{x} = x + e$, where x is the expected output.
Fault injection attacks on hardware implementing different cryptographic algorithms
are discussed in Sect. 16.2. In this chapter, we make the following advanced
attacker assumptions as part of our fault model.
1. The structure/function of the device is public and hence known by the attacker.
2. The attacker does not have to use a particular fault injection methodology. He
can inject faults using any method he prefers.
3. The advanced attacker we assume has high temporal and spatial fault injection
capability.
4. The attacker cannot overwrite the output values of the device by injecting faults.
The errors observed at the output of the device are always additive in nature.
5. The attacker cannot observe any existing data on the circuit at the time of fault
injection, i.e. in the same clock cycle. This means that the attacker will not be
able to adaptively attack the circuit by first reading the existing data and then
choosing the appropriate error vector.
6. The attacker can reflect any specific error vector he desires at the output, i.e. he
can pick the value of e that will be observed at the output of the device.
7. Every error vector (all multiplicities) can be observed at the output of the device.
We assume that the device is disabled or resets the secret information after an
injected fault is detected. Hence, in our detection model, the attacker will not be able
to try many different error vectors until he breaks the device. He has only one chance
to successfully inject a fault.
Obviously, under such an adversarial fault model, protections of cryptographic
devices based on linear error detecting codes will not be sufficient and can be easily
bypassed. For instance, the attacker can break systems protected using double
module redundancy (DMR), which is basically based on linear duplication codes, by
reflecting the same error vectors at the output of both the original and the redundant
devices.
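
The following added example (not taken from the book) counts, for each error vector, how many device outputs let it pass the check under the fault model above. It assumes a toy 4-bit output, takes "additive" to mean XOR (addition over GF(2)), and uses the cubic code x -> x^3 over GF(2^4) as one known robust code for comparison; that construction is not defined on this page.

```python
# Added example: toy model of the adversarial fault model with 4-bit outputs.
# Assumption: "additive" errors are XOR, i.e. addition over GF(2).
K = 4            # output width in bits (constructed toy size)
MOD = 0b10011    # x^4 + x + 1, irreducible over GF(2)

def gf_mul(a, b):
    """Multiply two elements of GF(2^4) modulo x^4 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << K):
            a ^= MOD
    return r

def dmr_encode(x):
    return (x, x)                        # redundant device repeats x (linear)

def dmr_check(y, c):
    return y == c                        # comparator of the two outputs

def cubic_encode(x):
    return (x, gf_mul(x, gf_mul(x, x)))  # nonlinear check symbol x^3

def cubic_check(y, c):
    return c == gf_mul(y, gf_mul(y, y))

def masked_count(encode, check, e1, e2):
    """Number of outputs x for which the error (e1, e2) goes undetected."""
    n = 0
    for x in range(1 << K):
        y, c = encode(x)
        if check(y ^ e1, c ^ e2):
            n += 1
    return n

def worst_case(encode, check):
    """Largest masked_count over all nonzero error vectors (assumption 7)."""
    return max(masked_count(encode, check, e1, e2)
               for e1 in range(1 << K) for e2 in range(1 << K)
               if (e1, e2) != (0, 0))

if __name__ == "__main__":
    print("DMR  :", worst_case(dmr_encode, dmr_check), "of", 1 << K)
    print("cubic:", worst_case(cubic_encode, cubic_check), "of", 1 << K)
```

With duplication, an error of the form (e, e) is masked for every output, so the single allowed attempt succeeds without knowledge of x; with the nonlinear check, the best error vector is masked for only 2 of the 16 outputs, which the attacker cannot observe under assumption 5.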