Design of Cryptographic Devices Resilient to Fault Injection Attacks Using Nonlinear Robust Codes - Fault Analysis in Cryptography

Cryptography Reference

In-Depth Information

start=0

start=1

Idle

Init

Load1

Load2

count 0

≥

count < 0

Result

Square

Multiply

count 0

≥

Fig. 11.10 Fault injection example on the control unit of the Montgomery ladder Algorithm with

Point of Attack indicated by the dashed transition [157]

states in an FSM to conveniently gain access to secret information. Similarly, in a

cryptographic authorization protocol the state which checks the validation of login

information can be skipped with minimal effort. Thereby, the adversary can directly

impersonate a valid user. Such attacks are indeed practical since states in an FSM are

implemented using flip-flops, which can be easily attacked using bit-flips realized

through fault injections. For example, Fig. 11.10 shows an example attack scenario

on the FSM of the Montgomery ladder algorithm [157]. In their paper, Gaubatz et

al. show that the attacker can recover the secret exponent using this attack with mild

effort. As a result, secure FSM design becomes an important problem.

11.7.1 The Error Detection Technique

In this section, we describe how to use the nonlinear error detection codes for securing

the next-state logics of FSMs. In order to achieve this, we first provide the details of

a specific nonlinear coding structure which we propose to use as the main building

block of our security scheme.

The initial version of the robust codes defined in [216] does not preserve arithmetic

and hence cannot be applied to protect arithmetic structures against fault attacks. As

a solution to this problem, Gaubatz et al. proposed a new type of nonlinear arithmetic

codes called “robust quadratic codes” in [156]. The following definition from [156]

rigorously defines this particular class of binary codes.

Definition 11.6

[156] Let C be an arithmetic single residue

(

n

,

k

)

code with

x 2 mod p

r

=

n

−

k redundant bits. Then C p ={ (

x

,

w

) |

x

∈ Z 2 k

,

w

= (

) ∈

GF

(

p

) }

where 2 k

−

p

<

and r

=

k .

In this definition,

is used to represent a relatively small number. As will be explained

in Theorem 11.3,

ε

determines how secure the coding scheme is. As

ε

gets smaller,

the utilized code becomes more secure. In addition, in this definition,

Z 2 k is used

Fault Analysis in Cryptography

Search WWH ::

Custom Search

Home