Cryptography Reference
In-Depth Information
2.3.1.2 A Case Study of Fault Attacks on Asynchronous DES
Cryptoprocessors
Asynchronous circuits represent a class of circuits which are controlled not by a
global clock but by the data. The class of circuit described by Monnet et al. [292]
use so-called Quasi-Delay-Insensitive technology and multi-rail encoding, which are
often thought to offer native resistance against faults. The authors designed two DES
hardware implementations, a reference one and a hardened one, and studied their
susceptibility to fault attacks using round reduction.
The round counter of the reference version is an asynchronous state machine
that uses a 1-out-of-17 code: each round number is coded using one wire. Sixteen
wires are used to encode the 16 rounds. The hardened version implements the same
counter but protected with alarm cells. These cells are able to detect any wrong code
generated in the counter module, i.e. any state using two or more wires is detected.
Alarms inform the environment when a wrong code is detected.
Faults were induced using a laser beam, which offers the advantage of its direc-
tionality that allows the precise targeting of a small circuit area (e.g. 5
m
2
). In a
time and space scan of the counter block which represented over 5
3
shots for each
circuit, about 40 % of the shoots revealed errors. Some of them were identified as
having modified the sequence of rounds.
From the properties of the DES key scheduling, the authors analyzed how a
modification of the sequence of rounds alters the corresponding sequence of round
keys actually used during the encryption. They give an example of the exploitation
of a pair of faulty executions which led to close sequences of round keys. A detailed
analysis of how to exploit these faults is given in [92], where how to recover the
DES key is described for each possible case where the two sequences of round keys
differ from each other by suffixes of length of at most 2. A significant number of
the faulty pairs obtained fell into these exploitable cases. While the alarm cells of
the hardened version actually detected most of the alterations of the counter block,
a few executions with a modification of the round sequence remained undetected.
ยต
2.3.2 Corrupting the Randomization of a DES S-box
Before each execution of a DES protected by Boolean masking, all substitution
tables are first randomized so that they comply with the original S-box tables in an
implementation where all intermediate data are masked. This randomized S-box pre-
computation is typically performed as described in Algorithm 2.2. Assuming that
an attacker is able to modify some S-box entry during this randomization phase, the
subsequent DES execution could then be altered. Amiel et al. [12] precisely studied
