Cryptography Reference
In-Depth Information
produced by the defective device. The fault set induced by fault-based attacks includes
transient faults on combinational gates and bit-flips on memory elements [253].
Several techniques can be used for fault injection. They rely either on perturbation
of the environmental conditions (e.g. power supply, clock), or, with higher cost but
better precision, on injection of transients or bit-flips into targeted signals (e.g. faults
injected through laser beams).
There are two forms of countermeasures against fault-based attacks: sensor-based
and error detection-based countermeasures. The former aim at detecting inappropri-
ate environmental conditions (e.g. unexpected light, clock glitches). This chapter
focuses on the latter and shows how potential faults can be detected through identifi-
cation of erroneous signals during execution. Note that transient single-event upsets
(SEUs) caused by various types of cosmic or terrestrial radiation also manifest them-
selves as bit-flips on storage elements and transient faults on logic gates. As a result,
error detection schemes implemented for preventing fault attacks also detect natural
transient and bit-flip faults.
Section
6.2
details an example of a symmetric block cipher, the Advanced Encryp-
tion Standard (AES), which will be used throughout this chapter as an application
example. Several hardware implementations of this algorithm are presented, allowing
us to trade off area for performance. Section
6.2.2
gives an overview of fault attacks
on AES cryptoprocessors and explains how errors can be exploited for retrieving the
secret encryption key. Section
6.3
presents solutions from the literature for online
error detection on AES. These solutions are compared using common evaluation
criteria such as implementation cost, error detection latency, and error detection rate.
Finally, the quality of these protection mechanisms is also evaluated in terms of their
capacity to detect the most frequent errors (Sect.
6.4.2
).
6.2 Advanced Encryption Standard
Even if the error detection principles described in this chapter are general enough to
be implemented for secure devices implementing many cryptographic algorithms,
we use the AES as a support example. Section
6.2.1
details the AES algorithm, which
was adopted as a symmetric key cryptographic standard by the US Government in
2001, and Sect.
6.2.2
focuses on its hardware implementations.
6.2.1 Algorithm Description
The AES algorithm is a symmetric block cipher using cryptographic keys of 128, 192,
and 256 bits to encrypt and decrypt data in blocks of 128 bits. Symmetric encryption
and decryption are performed by means of the same cryptographic secret key. This
section focuses on the encryption/decryption algorithm for 128-bit cryptographic
keys (details on others key lengths are fully given in [142]).
