Cryptography Reference
In-Depth Information
The results for all AES modules are shown in Fig.
18.5
, and for other block cipher
modules in Fig.
18.6
. Each line in both graphs represents the average of 5,000 samples
in steps of 0.2 ns. Each sample is encrypted with a random plaintext and key.
The results support the idea that the cause of the fault injection is a set-up time
violation as explained in Sect.
18.2
. In particular, both the number of error bytes and
the error starting time show this characteristic. When we gradually shorten
T
g
,the
number of error bytes increases as
T
g
decreases.
The error starting time for each module is somewhat shorter than each of their
respective maximum path delays,
T
d
, and the order of modules sorted by their
error starting time is the same as that sorted by
T
d
. For example, the results of the
AES_SSS1 module, which has the longest
T
d
of 30.884 ns of all evaluated AES mod-
ules, indicates that the error starting time is approximately 26 ns, which is the longest
in all the evaluated AES modules. The results of the AES_TBL module, which has
the shortest
T
d
of 7.409 ns of all evaluated AES modules, indicates that the error
starting time is approximately 3.5 ns in the last round. As is shown in Fig.
18.5
b,
AES_SSS1 module has a very steep slope; then, compared to other AES modules,
it is difficult to set
T
g
in the experiments as only one byte of the intermediate states
is corrupted. As shown in Fig.
18.6
, the results of the MISTY1 module, which has
the longest
T
d
of the evaluated modules, indicate that the error byte starting time is
approximately 13.5 ns, which is the largest in the evaluated modules. The results for
the DES module, which has the shortest
T
d
indicate that the error byte starting time
is approximately 3.0 ns which is the shortest in the evaluated modules. In Fig.
18.6
,
when the faults are injected into the penultimate round (or last round), the number
of error bytes is all (or half) the bytes of the register, caused by the characteristics of
the Feistel structure when we use the shortest
T
g
.
The results in Fig.
18.7
show the probability of the number of error bytes for the
AES_PPRM1 module as an example when the fault is injected into the last round.
Each color of bar in the graph indicates the number of the error bytes. As
T
g
is
decreased, the probability of the number of bytes affected increases and the expected
number of bytes affected increases from one to 16. This figure shows that the one-byte
error starts to appear at approximately
T
g
=
8
.
5 ns, and all 16 bytes are corrupted at
approximately
T
g
=
5 ns. This result also shows that we can inject a one-byte fault
when we set
T
g
to the absolute edge, i.e., 8.5 ns in this example. The fact that we can
inject a one-byte fault is useful because some theoretical fault analyses use this as
a fault model, that is, a model where one byte of an intermediate state is randomly
corrupted. The results also indicate that the position of the error byte is the same
when we change the fault injection round while maintaining the same
T
g
. Therefore,
we can also inject a one-byte fault in an arbitrary round in the same way as we do in
the last round.
From the above fact, a one-byte fault can be injected into only one round at any
time of the encryption. Even when the target device does not output the intermediate
state, we can calculate the value of the faults injected into the intermediate state
from the correct and faulty ciphertexts by computing the inverse operations of AES
to determine how the fault was propagated, given that we know the correct and
faulty ciphertexts and the secret key we set. Specifically, we compute the difference
2
.
