Cryptography Reference
In-Depth Information
Chapter 5
Countermeasures for Symmetric Key Ciphers
Jörn-Marc Schmidt and Marcel Medwed
Abstract
Since a single fault can lead to a recovery of the whole secret key of an
AES-128 implementation, protection against fault attacks is vital for security-related
devices. Moreover, the fatal impact of undetected faults implies high requirements
for such devices: no erroneous result must be revealed with its correct counterpart.
Given the fact that secret-key algorithms are not usually based on continuous alge-
braic structures complicates incorporating redundancy. Designing countermeasures
that guarantee this property is a challenging task. As a result, a large number of
different countermeasures have been developed. Each of them employs redundancy
in a different way, which makes their efficiency heavily dependent on the application
scenario and on the assumed adversary. This chapter presents a comprehensive study
of fault countermeasures for symmetric key algorithms. It discusses the different
levels where countermeasures can be deployed, points out the strengths and weak-
nesses of the different countermeasures and finally identifies their optimal field of
usage.
5.1 Introduction
Compared to algorithms like RSA or elliptic curve-based algorithms, block ciphers
usually have little or no algebraic structure. This makes their protection against
fault attacks much harder as it is difficult to introduce redundancy in an efficient
and yet secure way. Several approaches to tackle this problem have been proposed.
Figure
5.1
categorizes the different approaches to protect symmetric ciphers from
malicious adversaries. The two main topics of this chapter are Dual Modular
Redundancy (DMR) and coding-theoretical approaches. These countermeasures can
