Cryptography Reference
In-Depth Information
Table 11.2 Comparison of protection architectures of the linear block of AES based on different alternatives

| Code | Predictor (2-input gates) | EDN (2-input gates) | Overhead (%) | $\lvert K_d \rvert$ | $Q_m$ |
|---|---|---|---|---|---|
| Linear parity | 31 | 32 | 30 | $2^{32}$ | 0 |
| Robust parity | 185 | 32 | 100 | 0 | 0.5 |
| Min. dist. robust [245] | 196 | 64 | 120 | 0 | 0.5 |
| Hamming | 253 | 80 | 153 | $2^{32}$ | 0 |
| Gen. Vasil'ev [245] | 292 | 116 | 188 | $2^{6}$ | 0.5 |
| $(x,(Px)^3)$ [245] | 432 | 266 | 322 | $2^{26}$ | $2^{-5}$ |

All codes have 32 information bits.
$|K_d|$ is the number of undetectable errors.
$Q_m$ is the maximum error masking probability of detectable errors.
11.6.2.1 Protection of the Linear Block of AES Based on Minimum Distance Robust and Partially Robust Codes
Protection architectures for the linear block of AES based on minimum distance robust and partially robust codes can be found in [245]. It was shown that for slow fault injection mechanisms, where the attacker cannot change the injected faults at every clock cycle, minimum distance robust and partially robust codes can provide better fault detection capabilities than linear codes and traditional robust codes. The hardware overhead, in terms of the number of two-input gates required to implement the predictor and the EDN, is compared for the different alternatives in Table 11.2. Compared to architectures based on linear codes, architectures based on robust or partially robust codes have better protection against strong fault injection attacks at the cost of higher hardware overhead. The architecture based on $(x,(Px)^3)$ partially robust codes requires more than 300 % hardware overhead for the protection of a linear block. Since the nonlinear block of AES is much larger than its linear block, the overall percentage hardware overhead of architectures based on robust or partially robust codes is much smaller than that in the data presented in Table 11.2. In [335], it was shown that architectures based on $(x,(Px)^3)$ partially robust codes require less than 80 % overhead to protect the whole AES device. For more information about minimum distance robust codes and their applications, please refer to [245, 414, 415].
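The two code-quality columns of Table 11.2 can be reproduced by brute force on toy-sized codes. The following is an added example, not code from the book: it uses 6 information bits instead of 32, counts only nonzero undetectable errors, and assumes a quadratic bent function for the robust parity bit and a P that selects the low 3 bits of x for the $(x,(Px)^3)$ code, since the page does not give the constructions.

```python
K = 6  # information bits (toy size; the table's codes use 32)

def linear_parity(x):
    """Linear check bit: XOR of all information bits."""
    return bin(x).count("1") & 1

def robust_parity(x):
    """Nonlinear check bit x0x1 ^ x2x3 ^ x4x5 (assumed quadratic bent function)."""
    return bin(x & (x >> 1) & 0b010101).count("1") & 1

def gf8_mul(a, b):
    """Multiply two elements of GF(2^3), reducing modulo x^3 + x + 1."""
    r = 0
    for _ in range(3):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0b1000:
            a ^= 0b1011
    return r

def cubic_check(x):
    """(x, (Px)^3) with P selecting the low 3 bits of x (assumed); cube in GF(2^3)."""
    y = x & 0b111
    return gf8_mul(gf8_mul(y, y), y)

def analyse(check, r):
    """Exhaustively return (nonzero undetectable errors, Q_m) for {(x, check(x))}.

    An error e = (ex, ec) is masked for codeword (x, check(x)) when the
    corrupted word (x ^ ex, check(x) ^ ec) is again a codeword.
    """
    n_cw = 1 << K
    undetectable, q_max = 0, 0.0
    for e in range(1, 1 << (K + r)):
        ex, ec = e >> r, e & ((1 << r) - 1)
        masked = sum(check(x ^ ex) == check(x) ^ ec for x in range(n_cw))
        if masked == n_cw:
            undetectable += 1          # masked for every codeword
        else:
            q_max = max(q_max, masked / n_cw)
    return undetectable, q_max

if __name__ == "__main__":
    for name, check, r in [("linear parity", linear_parity, 1),
                           ("robust parity", robust_parity, 1),
                           ("(x,(Px)^3)", cubic_check, 3)]:
        print(name, analyse(check, r))
```

At this size the three codes give (63, 0.0), (0, 0.5) and (7, 0.25): every nonzero codeword of the linear code is an undetectable error, the nonlinear check bit leaves none but masks a detectable error for half of the codewords in the worst case, and the cubic code sits in between.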
11.7 Secure FSM Design Based on Nonlinear Codes
Protecting the data path of cryptographic algorithms is the focus of existing countermeasures against active fault attacks. However, even if the data path is protected with the most secure scheme, the unprotected control unit may create a serious vulnerability in the system. For instance, by injecting specifically chosen errors into the part of the IC that implements the control units, the adversary may bypass the encryption
 