To infect or not to infect: a critical analysis of infective countermeasures in fault attacks
REGULAR PAPER
Anubhab Baksi¹ · Dhiman Saha² · Sumanta Sarkar³

Received: 27 June 2019 / Accepted: 22 March 2020
© Springer-Verlag GmbH Germany, part of Springer Nature 2020
Abstract

As fault-based cryptanalysis is becoming more and more of a practical threat, it is imperative to devise suitable countermeasures. In this regard, the so-called “infective countermeasures” have garnered particular attention from the community due to their ability to inhibit differential fault attacks without explicitly detecting the fault. We observe that, despite being adopted over a decade ago, a systematic study of infective countermeasures is missing from the literature. Moreover, there seems to be a lack of proper security analysis of the proposed schemes, as quite a few of them have been broken promptly. Our first contribution comes in the form of a generalization of infective schemes, which gives us better insight into the vulnerabilities, scope for cost reduction and possible improvements. This way, we are able to propose lightweight alternatives to two existing schemes. Further, we analyze shortcomings of the LatinCrypt’12 and CHES’14 schemes and propose a simple patch for the former.

Keywords Fault countermeasure · Infection · Differential fault analysis
¹ School of Computer Science and Engineering, Nanyang Technological University, Singapore, Singapore
² Department of Electrical Engineering and Computer Science, IIT Bhilai, Raipur, India
³ TCS Innovation Labs, Hyderabad, India

1 Introduction

Fault attacks are becoming a real threat, particularly to small-scale devices performing a cryptographic operation. This type of attack forces a device to work under suboptimal conditions, resulting in erroneous calculations, which are then exploited. Differential Fault Analysis or Differential Fault Attack (DFA) [11], one type of fault attack, is predominantly used against symmetric key ciphers. Most, if not all, ciphers which are considered secure against classical attacks are shown to have severe weaknesses against DFA. This attack works by injecting a difference (fault) during the cipher execution, which normally results in flipping one or more bits of a register. Then, after analyzing the output difference of the non-faulty and the faulty outputs of the cipher computations, the attacker, Eve, is often able to deduce information on the secret key.

The success of DFA also gave rise to a series of works attempting to protect ciphers from this attack. Various types of countermeasures have been proposed in the literature. All of these countermeasures rely on full or partial redundancy in the device, the cipher implementation or the protocol. Broadly, the state-of-the-art schemes can be classified into three categories: (i) Using a separate, dedicated device. They can be either active which uses a sensor to detect