have been added. Considered are the basic parity check, double parity, residue checks
modulo 3 and 7, complementary parity and a Hamming error correcting code. For
all the considered error detection or correction circuits, we analyze the effects that
the redundant check bits may have on power analysis attacks using different metrics.
These include an information theory-based metric, the success rate of power analysis
attacks based on correlation, and the effectiveness of the most common attacks based
on difference of means and Hamming weights.
The effects that a specific countermeasure against fault attacks can have on the
resistance to power analysis attacks were studied in very few previous publications.
Maingot and Leveugle [261, 262] analyzed the impact of four different error detection
and correction schemes on power analysis resistance. Their study focused on
a register storing the state of the AES encryption, which was enlarged to support
the information redundancy necessary for each considered scheme. Using gate-level
simulations, they showed how the correlation between the value guessed by the adversary
and the value of the register varies depending on the particular error detection
code employed. They compared four different error detection codes in search of
the best code for secure chips and, based on the correlation, concluded that a
complementary parity scheme can improve the circuit's robustness against power-based
side-channel attacks as well.
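
The dependence of this correlation on the chosen code can be reproduced in a few lines. The following is an added example, not code from the cited studies: it assumes a noiseless Hamming-weight leakage model and a register holding the data byte with its check bits appended, covers only even parity and the residue codes modulo 3 and 7, and all function names are hypothetical.

```python
import math

# Check-bit functions for three of the codes named in the text (assumed layout:
# check bits are stored above the 8 data bits of the register).
CODES = {
    "none":      lambda v: 0,
    "parity":    lambda v: bin(v).count("1") & 1,   # even parity bit
    "residue-3": lambda v: v % 3,                   # 2 check bits
    "residue-7": lambda v: v % 7,                   # 3 check bits
}

def hw(x):
    """Hamming weight of an integer."""
    return bin(x).count("1")

def encode(value, code):
    """Register contents: data byte plus the check bits of the chosen code."""
    return (CODES[code](value) << 8) | value

def pearson(xs, ys):
    """Pearson correlation coefficient of two equally long sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy)

def model_correlation(code):
    """Correlation between HW(data byte), the model of an evaluator who ignores
    the code, and HW(stored codeword), the assumed noiseless leakage."""
    values = range(256)  # S-box outputs are a permutation of all byte values
    model = [hw(v) for v in values]
    leak = [hw(encode(v, code)) for v in values]
    return pearson(model, leak)

def leakage_levels(code):
    """Distinct Hamming weights the protected register can take."""
    return sorted({hw(encode(v, code)) for v in range(256)})

if __name__ == "__main__":
    for name in CODES:
        print(f"{name:10s} r={model_correlation(name):.4f} "
              f"levels={leakage_levels(name)}")
```

Under these assumptions the check bits lower the correlation seen by a model that ignores them, and even parity restricts the register to even Hamming weights only.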
Transistor-level simulations were performed by Regazzoni et al. [339, 338] to
compare different error detection codes, including parity codes and residue codes
(e.g., mod 3 and 7) using a 180 nm technology. As was done in [261], the authors
focused on the output register of the S-box transformation in AES, and they analyzed
the impact that the considered codes could have on the resistance against power-based
attacks and the role played by measurement noise. Furthermore, they discussed the
questions of whether the knowledge of the particular error detection code used in the
circuit affects the resistance against power-based side-channel attacks and whether
the redundancy helps the attacker even if he is unaware of its presence.
Dual studies concerning the interaction between countermeasures against power
analysis attacks and vulnerability to fault attacks were also carried out. Boscher and
Handschuh [60] discussed the resistance of masking (randomizing the computation)
against fault injection attacks, and concluded that masking does not reduce the
effectiveness of differential fault attacks. Selemane et al. [368] and Guilley et al. [171]
showed, on the other hand, that WDDL (a dual-rail circuit implementation that
attempts to make the power consumption uniform and independent of the secret key
bits) is intrinsically immune to setup violation fault attacks.
15.2 Considered Error Detection and Correction Circuits
Although we focus in this chapter on the Rijndael [112] block cipher (selected to be
the Advanced Encryption Standard [142]), our conclusions are general and applicable
to other block ciphers. We concentrate on the S-box step because the output of this
non-linear transformation is where the difference between the correct key hypothesis