
A Note on the Security of CHES 2014 Symmetric Infective Countermeasure

Conference paper. Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9689)

Abstract

Over the years, fault injection has become one of the most dangerous threats for embedded devices such as smartcards. It is thus mandatory for any embedded system to implement efficient protections against this hazard. Among the various countermeasures suggested so far, the idea of infective computation seems fascinating, probably due to its aggressive strategy. Originally conceived to protect asymmetric cryptosystems, infective computation has recently been adapted to symmetric systems. This paper investigates the security of a new symmetric infective countermeasure suggested at CHES 2014. By noticing that the number of executed rounds is not protected, we develop four different attacks that exploit the infection algorithm to disturb the round counter and related variables. Our attacks allow one to efficiently recover the secret key of the underlying cryptosystem using any of the three most popular fault models in the literature.



Author information


Correspondence to Alberto Battistello.


Appendices

A Probability of Success of Attack 1

The success of Attack 1 depends on the chances for the attacker to fault the increment of i in the loop corresponding to the last redundant round execution. Let us denote by \(e_1\) the event of faulting the last redundant round during the q-th loop. The probability \(\mathcal {P}(e_1)\) is thus the probability of having a bit-string rstr that contains 20 “1” on the first \(q -1\) positions, one bit set on the q-th position and a last sub-string with only one bit set on the last \(t-q\) positions. The corresponding number of such sub-strings being equal to \(\left( {\begin{array}{c}q-1\\ 20\end{array}}\right) \), \(\left( {\begin{array}{c}1\\ 1\end{array}}\right) \) and \(\left( {\begin{array}{c}t-q\\ 1\end{array}}\right) \) respectively, this leads us to \(\left( {\begin{array}{c}q-1\\ 20\end{array}}\right) \left( {\begin{array}{c}t-q\\ 1\end{array}}\right) \) exploitable rstr strings.

By dividing this value by the number of possible rstr strings, we obtain the probability \(\mathcal {P}(e_1)\):

$$\begin{aligned} \mathcal {P}(e_1) = \frac{\left( {\begin{array}{c}q-1\\ 20\end{array}}\right) \left( {\begin{array}{c}t-q\\ 1\end{array}}\right) }{\left( {\begin{array}{c}t\\ 22\end{array}}\right) }. \end{aligned}$$
(7)

As described in Appendix E, we then compute by using Eq. (20) the probability to obtain at least one useful faulty ciphertext by repeating the fault injection r times.

B Probability of Success of Attack 2

Let us evaluate the probability of the event \(e_2\) that a useful faulty ciphertext is obtained by setting the variable \(\lambda \) to zero at Step 5 of Algorithm 1. The probability \(\mathcal {P}(e_2)\) is the probability of obtaining a string rstr that has 21 bits set on the first \(q-1\) positions, a “1” on the q-th position and only “0”s on the last \(t-q\) positions. As in Appendix A, we compute this probability as the number of such strings divided by the total number of possible rstr strings. Since there is exactly one way for the last \(t-(q-1)\) bits of rstr to be “\(1\,0\cdots 0\)”, we obtain:

$$\begin{aligned} \mathcal {P}(e_2) = \frac{ \left( {\begin{array}{c}q - 1\\ 21\end{array}}\right) }{\left( {\begin{array}{c}t\\ 22\end{array}}\right) }. \end{aligned}$$
(8)

As described in Appendix E, we then compute by using Eq. (20) the probability to obtain at least one useful faulty ciphertext by repeating the fault injection r times.

C Probability of Success of Attack 3

Let us denote by \(e_3\) the event that a random byte error disturbs the string rstr such that it contains only 21 or 20 “1”. To evaluate the probability \(\mathcal {P}(e_3)\) that the event \(e_3\) occurs, let us assume for the sake of simplicity that the attacker disturbs the least significant byte B of rstr, which corresponds to the random byte fault model. Evaluating first the case of 21 bits set, we observe that the probability that a bit-string has exactly 21 bits set on the first \(t-8\) positions and the remaining “1” in one of the last 8 positions is:

$$\begin{aligned} \mathcal {P}(HW(B) = 1) = \frac{\left( {\begin{array}{c}t-8\\ 21\end{array}}\right) \left( {\begin{array}{c}8\\ 1\end{array}}\right) }{\left( {\begin{array}{c}t\\ 22\end{array}}\right) }, \end{aligned}$$
(9)

where we denote by HW(B) the Hamming weight of the byte B. Equation (9) corresponds to the probability that the last byte of rstr has a Hamming weight equal to 1. By summing the corresponding probabilities for all the Hamming weights between 1 and 8, we obtain the probability that the last byte of rstr has a Hamming weight greater than zero:

$$\begin{aligned} \mathcal {P}(HW(B) > 0) = \sum _{i = 1}^{8}\frac{\left( {\begin{array}{c}t-8\\ 22 -i\end{array}}\right) \left( {\begin{array}{c}8\\ i\end{array}}\right) }{\left( {\begin{array}{c}t\\ 22\end{array}}\right) }. \end{aligned}$$
(10)

Now, let us compute the probability of injecting a random error on a byte of Hamming weight i such that the byte contains only \(i-1\) “1” after the disturbance. We thus count, for each possible value of B, how many 8-bit values e exist such that \(HW(B \oplus e) = HW(B) - 1\). This corresponds to the number of possible errors that clear j bits equal to “1” while setting \(j-1\) bits equal to “0”. Afterwards we divide the result by the number of possible values for the error e:

$$\begin{aligned} \mathcal {P}(HW(B \oplus e) = HW(B) - 1 \mid B) = \frac{\sum _{j=1}^{HW(B)}\left( {\begin{array}{c}HW(B)\\ j\end{array}}\right) \left( {\begin{array}{c}8 - HW(B)\\ j-1\end{array}}\right) }{255}. \end{aligned}$$
(11)

This corresponds to the probability that \(HW(B \oplus e) = HW(B) - 1\) by injecting a random error e on a random 8-bit value B.

By combining the two probabilities above, we obtain the probability that rstr contains 21 “1” after a random error injection on the last byte of rstr:

$$\begin{aligned} \mathcal {P}(HW(B \oplus e) = 21) = \sum _{i = 1}^{8} \frac{\left( {\begin{array}{c}t-8\\ 22-i\end{array}}\right) \left( {\begin{array}{c}8\\ i\end{array}}\right) }{\left( {\begin{array}{c}t\\ 22\end{array}}\right) } \sum _{j=1}^{i}\frac{\left( {\begin{array}{c}i\\ j\end{array}}\right) \left( {\begin{array}{c}8 - i\\ j-1\end{array}}\right) }{255}. \end{aligned}$$
(12)

For the case where rstr contains only 20 “1”, we use the same reasoning and we obtain:

$$\begin{aligned} \mathcal {P}(HW(B \oplus e) = 20) = \sum _{i = 2}^{8} \frac{\left( {\begin{array}{c}t-8\\ 22-i\end{array}}\right) \left( {\begin{array}{c}8\\ i\end{array}}\right) }{\left( {\begin{array}{c}t\\ 22\end{array}}\right) } \sum _{j=2}^{i}\frac{\left( {\begin{array}{c}i\\ j\end{array}}\right) \left( {\begin{array}{c}8 - i\\ j-2\end{array}}\right) }{255}. \end{aligned}$$
(13)

Thus the total probability of disturbing the generation of one byte of rstr such that it contains a total of 21 or 20 “1” is:

$$\begin{aligned} \mathcal {P}( e_3) = \sum _{i = 1}^{8} \frac{\left( {\begin{array}{c}t-8\\ 22-i\end{array}}\right) \left( {\begin{array}{c}8\\ i\end{array}}\right) }{\left( {\begin{array}{c}t\\ 22\end{array}}\right) } \sum _{j=1}^{i}\frac{\left( {\begin{array}{c}i\\ j\end{array}}\right) \left( {\begin{array}{c}8 - i\\ j-1\end{array}}\right) }{255} + \sum _{i = 2}^{8} \frac{\left( {\begin{array}{c}t-8\\ 22-i\end{array}}\right) \left( {\begin{array}{c}8\\ i\end{array}}\right) }{\left( {\begin{array}{c}t\\ 22\end{array}}\right) } \sum _{j=2}^{i}\frac{\left( {\begin{array}{c}i\\ j\end{array}}\right) \left( {\begin{array}{c}8 - i\\ j-2\end{array}}\right) }{255}. \end{aligned}$$
(14)

As described in Appendix E, we then compute by using Eq. (20) the probability to obtain at least one useful faulty ciphertext by repeating the fault injection r times.

D Probability of Success of Attack 4

In the following we denote by \(e_4\) the event that the error e is injected after a cipher round and is such that \(q \oplus e >t\). In order to evaluate the probability \(\mathcal {P}(e_4)\) we need to compute:

  • the probability that the error e leads to \(q \oplus e > t\),

  • the probability that the attacker disturbs the algorithm after a cipher round and not after a redundant or dummy round.

For the first probability, without loss of generality, we assume that q is encoded on one byte, which should be the case in practice. We thus obtain that the probability of injecting an 8-bit error e such that \(q \oplus e > t\) depends only on t and is given by:

$$\begin{aligned} \mathcal {P}(q \oplus e > t) = \frac{2^8- t}{2^8}. \end{aligned}$$
(15)

In order to evaluate the second probability we remark that it is equivalent to the probability that the string rstr contains two or three “1” in the first q positions. We recall that rstr is a string with 22 “1” at most. Thus the number of possible strings rstr with only two “1” in the first q positions is:

$$\begin{aligned} \left( {\begin{array}{c}q\\ 2\end{array}}\right) \left( {\begin{array}{c}t-q\\ 20\end{array}}\right) . \end{aligned}$$
(16)

Adding to Eq. (16) the number of possible strings rstr with only three “1” in the first q positions, we obtain the number of favorable cases for the attacker:

$$\begin{aligned} \left( {\begin{array}{c}q\\ 2\end{array}}\right) \left( {\begin{array}{c}t-q\\ 20\end{array}}\right) + \left( {\begin{array}{c}q\\ 3\end{array}}\right) \left( {\begin{array}{c}t-q\\ 22 -3\end{array}}\right) . \end{aligned}$$
(17)

By dividing by the total number of possible rstr strings we thus obtain the probability that the algorithm has executed only one cipher round after q rounds:

$$\begin{aligned} \mathcal {P}(HW(rstr[1, \ldots , q]) \in [2,3]) = \frac{\left( {\begin{array}{c}q\\ 2\end{array}}\right) \left( {\begin{array}{c}t-q\\ 20\end{array}}\right) + \left( {\begin{array}{c}q\\ 3\end{array}}\right) \left( {\begin{array}{c}t-q\\ 19\end{array}}\right) }{\left( {\begin{array}{c}t\\ 22\end{array}}\right) }, \end{aligned}$$
(18)

where \(rstr[1, \ldots , q]\) denotes the sub-string of rstr between the first and the q-th position. By combining the two probabilities we obtain:

$$\begin{aligned} \mathcal {P}(e_4) = \frac{2^8- t}{2^8} \sum _{i=2}^{3}\frac{\left( {\begin{array}{c}q\\ i\end{array}}\right) \left( {\begin{array}{c}t-q\\ 22 -i\end{array}}\right) }{\left( {\begin{array}{c}t\\ 22\end{array}}\right) }, \end{aligned}$$
(19)

which corresponds to the probability that the algorithm returns an exploitable faulty ciphertext by injecting a random error after q rounds.

As described in Appendix E, we then compute by using Eq. (20) the probability to obtain at least one useful faulty ciphertext by repeating the fault injection r times.

E Attack Repetition Probability

For each attack, we denote by \(\mathcal {P}(e_i)\) the probability that event \(e_i\) occurs. By assuming that \(\mathcal {P}(e_i)\) is independent for each execution we can compute the probability of getting at least one useful faulty ciphertext by repeating the fault injection r times as:

$$\begin{aligned} \mathcal {P}_r = 1 - (1- \mathcal {P}(e_i))^{r}. \end{aligned}$$
(20)
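As an added worked example (not code from the paper), the following Python evaluates Eqs. (7), (8), (14), (19) and (20) for sample parameters and checks the byte-error count behind Eq. (11) exhaustively over all 255 non-zero errors. The values t = 30, q = 25 and q = 5 are constructed sample parameters, the 99 % repetition target is an assumption, and `p_drop` generalises Eq. (11) to a Hamming-weight drop of d so that Eqs. (12) and (13) share one routine.

```python
from math import comb, ceil, log

ONES = 22  # rstr carries exactly 22 "1" bits (cipher + redundant rounds); the t-22 zeros are dummy rounds

def p_e1(t, q):
    """Attack 1, Eq. (7): 20 ones in the first q-1 positions, a one at q,
    and a single one among the last t-q positions."""
    return comb(q - 1, 20) * comb(t - q, 1) / comb(t, ONES)

def p_e2(t, q):
    """Attack 2, Eq. (8): 21 ones in the first q-1 positions, a one at q, only zeros after."""
    return comb(q - 1, 21) / comb(t, ONES)

def p_byte_hw(t, i):
    """Summand of Eq. (10): the last byte B of rstr has Hamming weight exactly i."""
    return comb(t - 8, ONES - i) * comb(8, i) / comb(t, ONES)

def p_drop(i, d):
    """Eq. (11) with HW(B)=i, generalised to a drop of d: a uniformly random
    non-zero byte error e clears j ones and sets j-d zeros, so HW(B^e) = i-d."""
    return sum(comb(i, j) * comb(8 - i, j - d) for j in range(d, i + 1)) / 255

def p_drop_bruteforce(i, d):
    """Exhaustive check of p_drop: every B of weight i behaves alike, so take B = i low ones."""
    b = (1 << i) - 1
    hits = sum(1 for e in range(1, 256) if bin(b ^ e).count("1") == i - d)
    return hits / 255

def p_e3(t):
    """Attack 3, Eq. (14): after the byte error rstr holds 21 (d=1) or 20 (d=2) ones.
    p_drop(1, 2) is 0, so the i=1 term of the second sum vanishes as in Eq. (13)."""
    return sum(p_byte_hw(t, i) * (p_drop(i, 1) + p_drop(i, 2)) for i in range(1, 9))

def p_e4(t, q):
    """Attack 4, Eq. (19): 8-bit counter q pushed above t (Eq. 15) while only
    two or three non-dummy rounds sit in rstr[1..q] (Eq. 18)."""
    p_counter = (2 ** 8 - t) / 2 ** 8
    p_rounds = sum(comb(q, i) * comb(t - q, ONES - i) for i in (2, 3)) / comb(t, ONES)
    return p_counter * p_rounds

def p_repeat(p, r):
    """Appendix E, Eq. (20): at least one useful faulty ciphertext in r independent injections."""
    return 1 - (1 - p) ** r

def tries_for(p, target=0.99):
    """Smallest r with P_r >= target (independence assumed, as in Appendix E; target is our choice)."""
    if not 0 < p < 1:
        raise ValueError("need 0 < p < 1")
    return max(1, ceil(log(1 - target) / log(1 - p)))

if __name__ == "__main__":
    t, q = 30, 25  # constructed sample parameters, not values from the paper
    for name, p in (("e1", p_e1(t, q)), ("e2", p_e2(t, q)), ("e3", p_e3(t)), ("e4", p_e4(t, 5))):
        print(f"P({name}) = {p:.3e}, 99% success after r = {tries_for(p)} injections")
```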


Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Battistello, A., Giraud, C. (2016). A Note on the Security of CHES 2014 Symmetric Infective Countermeasure. In: Standaert, FX., Oswald, E. (eds) Constructive Side-Channel Analysis and Secure Design. COSADE 2016. Lecture Notes in Computer Science(), vol 9689. Springer, Cham. https://doi.org/10.1007/978-3-319-43283-0_9


  • DOI: https://doi.org/10.1007/978-3-319-43283-0_9


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-43282-3

  • Online ISBN: 978-3-319-43283-0

  • eBook Packages: Computer Science (R0)
