Cryptography Reference
In-Depth Information
provides an attacker with the same information as whether or not the fault corrupted
the ciphertext.
Finally, note that IFA relies on the fact that the attacker can safely decide that a
fault attempt has been ineffective because of the natural value of the targeted data
rather than because the fault did not occur. When performing IFA, it is thus very
important that the fault injection tool be considered highly reliable.
2.2.1.3 Safe-Error Analysis
A third fault analysis method which exploits the identity of outputs of cryptographic
algorithms is the analysis of so-called safe-errors, which we refer to as safe-error
Analysis (SEA). This method was first introduced to break a private exponentiation
of the RSA cryptosystem [204, 427, 429]. The basic principle consists of modifying
some internal data and inferring the value of a private exponent bit from whether
this modification resulted in an identical or a different output. Two examples of such
analysis on a binary square and multiply exponentiation are: (i) the perturbation of
a multiplication in an always multiply version of the left-to-right binary exponenti-
ation algorithm, and (ii) including a dummy register in a right-to-left version of the
algorithm. In both cases, depending on the particular value of the current exponent
bit, the modified data may or may not be used in the sequel of the computation.
The latter case corresponds to a safe-error which results in no modification of the
algorithm output.
At first, ineffective fault analysis and safe-error analysis look quite similar. Indeed,
they both infer information about a secret from whether an induced fault affected
the output or not. Actually, there is a conceptual difference between IFA and SEA.
In safe-error analysis the data that is targeted by the fault is actually modified, and
the output is not modified simply because the modified data is not used. In contrast,
an ineffective fault targets data involved in the computation of the algorithm, but
because of the fault model and the data value, this data is not modified. In summary,
IFA probes a data value while SEA probes a data usage.
A consequence of the difference between these two techniques is that IFA is highly
dependent on the effect a fault has on the data being processed while SEA is not. A
safe-error will be safe whatever the resulting value of the targeted data, so SEA is
applicable in the general random error model. In contrast, ineffective fault analysis
usually requires a more restrictive stuck-at fault model.
In the remainder of this section, we describe a series of research papers which
consider CFA and IFA techniques to recover secret keys of block ciphers. We present
them in the chronological order, which roughly corresponds to a trend of increasing
ability to defeat countermeasures.
Search WWH ::




Custom Search