Cryptography Reference
In-Depth Information
Fig. 5.7 Fresh re-keying (figure not reproduced; diagram labels: r, g, k, m, c, encryption)
5.6 Conclusion
This chapter discusses different ways to protect structures of block ciphers against
malicious adversaries. We presented general methods that can be applied to an arbitrary
algorithm. These methods are very expensive and/or provide only limited protection
against strong adversaries. Therefore, we looked at ways to optimize DMR
approaches for block ciphers. Thereby, specific structures of the ciphers are used to
decrease the costs, and to increase the effort of an adversary to inject an undetected
fault.
A different approach to protect ciphers is to use coding-theoretic methods. They
have to be tailored to the algorithm used. Since it is the current NIST standard for
symmetric encryption, we put the emphasis for countermeasures based on coding
theory on AES. On the hardware side we looked at parity schemes. It can be observed
that most parity schemes are cheaper than DMR approaches but often provide less
security when assuming a strong adversary. The discussed software countermeasures
on the other hand can thwart rather strong adversaries. The cost for this benefit is the
significantly higher execution time.
Another way to protect ciphers is to shift the protection mechanisms from the
algorithmic level to the protocol level. By randomizing the message or the key prior
to each encryption, an adversary is not able to obtain the same ciphertext twice,
which is (at the least) required for the known fault attacks on block ciphers.
We can conclude that fault countermeasures for symmetric encryption are much
more expensive than those for public key algorithms. Therefore, low-cost devices
should be protected by protocol-level countermeasures whenever possible. For all
other applications strong coding-theoretic countermeasures should be implemented
if sufficient computational power is available. For a good security/performance trade-off
we suggest DMR schemes. Finally, parity schemes can be used if precise attacks
are not a threat and performance is important.
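
The protocol-level countermeasure summarized above (key randomization as in Fig. 5.7, fresh re-keying), shown from both the device and the verifier side as an added example that is not taken from the chapter. Assumptions: g is taken to be multiplication in GF(2^8)[y]/(y^16 + 1), a 4-round HMAC-based Feistel construction stands in for AES so the code runs with the standard library only, and all function names and sample values are constructed for illustration.

```python
import hashlib, hmac, os

def gf256_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial 0x11B."""
    p = 0
    for _ in range(8):
        p ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return p

def g(k, r):
    """Session key k* = k * r in GF(2^8)[y]/(y^16 + 1) (assumed choice of g)."""
    out = [0] * 16
    for i in range(16):
        for j in range(16):
            out[(i + j) % 16] ^= gf256_mul(k[i], r[j])  # y^16 = 1, so indices wrap
    return bytes(out)

def _round(key, rnd, x, y):  # x XOR F_key(rnd, y), F = truncated HMAC-SHA256
    f = hmac.new(key, bytes([rnd]) + y, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(x, f))

def encrypt_block(key, m):
    """Stand-in 4-round Feistel cipher on 16-byte blocks (NOT AES, demo only)."""
    left, right = m[:8], m[8:]
    for rnd in range(4):
        left, right = right, _round(key, rnd, left, right)
    return left + right

def decrypt_block(key, c):
    left, right = c[:8], c[8:]
    for rnd in reversed(range(4)):
        left, right = _round(key, rnd, right, left), left
    return left + right

def device_encrypt(k, m):
    """Device side: draw r internally, derive k* = g(k, r), send (r, c)."""
    r = os.urandom(16)
    return r, encrypt_block(g(k, r), m)

def verifier_decrypt(k, r, c):  # verifier recomputes k* from the received r
    return decrypt_block(g(k, r), c)

def demo():
    k, m = bytes(range(1, 17)), b"constructed msg!"  # constructed sample values
    fixed = {encrypt_block(k, m) for _ in range(8)}   # fixed key: one ciphertext
    fresh = [device_encrypt(k, m) for _ in range(8)]  # re-keyed: new (r, c) each run
    return len(fixed), len({c for _, c in fresh}), all(verifier_decrypt(k, r, c) == m for r, c in fresh)
```

`demo()` returns the number of distinct ciphertexts under a fixed key, the number under fresh re-keying, and whether the verifier recovered every message. The nonce r is drawn inside the device rather than supplied by the caller, so the party requesting encryptions cannot force the same session key to be used twice.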
 