Using linear codes as a fault countermeasure for nonlinear operations: application to AES and formal verification

Journal of Cryptographic Engineering, Special Section on Proofs 2015

Abstract

Bringer et al. [10] recently introduced a new countermeasure based on linear codes. This elegant design aims at protecting the Advanced Encryption Standard (AES) against both side-channel attacks and fault attacks (FA). However, fault detection during nonlinear operations (for example, the SubBytes operation) was left as an open question. The present work studies how linear systematic error-correcting codes can be used to detect fault injections during the nonlinear operations of a symmetric block cipher. In particular, for faults that cause errors of limited Hamming weight, this method offers interesting detection capabilities. A concrete implementation of AES encryption protected against FA in this way is presented. For a given fault model, a formal verification methodology is applied to parts of this implementation, assessing the fault resistance of one linear operation, AddRoundKey, and one nonlinear operation, SubBytes.
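As an added illustration of the detection principle the abstract describes (example code, not the paper's own implementation), the following Python stores each SubBytes output as a codeword of a systematic [12,8,3] binary code, so that a fault flipping at most two bits of a fetched table entry is caught by a syndrome check, while some weight-3 errors slip through. The parity matrix P is our own choice and is an assumption.

```python
from itertools import combinations

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial 0x11B."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def sbox(x):
    """AES S-box (FIPS 197): inverse in GF(2^8), then the affine map."""
    inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0)
    rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63

# Systematic generator G = [I_8 | P]; P (assumed choice) has distinct rows of
# weight >= 2, so H = [P^T | I_4] has 12 distinct nonzero columns: d = 3.
P = [0b0011, 0b0101, 0b0110, 0b1001, 0b1010, 0b1100, 0b0111, 0b1011]

def redundancy(info):
    """Parity nibble of an information byte: info * P over GF(2)."""
    r = 0
    for i, row in enumerate(P):
        r ^= row if info >> i & 1 else 0
    return r

def encode(info):
    """12-bit codeword: information byte in the high bits, parity low."""
    return (info << 4) | redundancy(info)

# The nonlinear step becomes a lookup whose stored entries are codewords.
ENCODED_SBOX = [encode(sbox(x)) for x in range(256)]

def syndrome(word):
    """Zero iff the 12-bit word is a codeword."""
    return redundancy(word >> 4) ^ (word & 0xF)

def protected_subbytes(x, fault_mask=0):
    """SubBytes(x) with a check; fault_mask XORs bits into the fetched word
    to model an injected fault. Returns (output byte, fault_detected)."""
    w = ENCODED_SBOX[x] ^ fault_mask
    return w >> 4, syndrome(w) != 0

def undetected_errors(weight):
    """Number of 12-bit error patterns of the given Hamming weight that pass
    the check unnoticed (none for weight 1 or 2, some for weight 3)."""
    return sum(1 for bits in combinations(range(12), weight)
               if syndrome(sum(1 << b for b in bits)) == 0)
```

Because the redundancy part is linear in the S-box output, the same table serves AddRoundKey for free: XORing two codewords gives a codeword, so the check carries through the linear layers.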


Notes

  1. A list and analysis of existing CED techniques can be found in [20].

  2. Known as a CIS code [11].

References

  1. ACSL. http://frama-c.com/acsl.html

  2. Anderson, R., Kuhn, M.: Low cost attacks on tamper-resistant devices. In: Security Protocols, 5th International Workshop, pp. 125–136 (1997)

  3. Barthe, G., Belaïd, S., Dupressoir, F., Fouque, P., Grégoire, B., Strub, P.: Verified proofs of higher-order masking. In: Advances in Cryptology—EUROCRYPT 2015, pp. 457–485 (2015)

  4. Berthomé, P., Heydemann, K., Kauffmann-Tourkestansky, X., Lalande, J.F.: High level model of control flow attacks for smart card functional security. In: 7th International Conference on Availability, Reliability and Security, pp. 224–229. IEEE Computer Society (2012). doi:10.1109/ARES.2012.79. http://hal.archives-ouvertes.fr/hal-00721111

  5. Betsumiya, K., Harada, M.: Binary optimal odd formally self-dual codes. Des. Codes Cryptogr. 23(1), 11–22 (2001). doi:10.1023/A:1011203416769

  6. Biham, E., Shamir, A.: Differential fault analysis of secret key cryptosystems. In: Advances in Cryptology—CRYPTO ’97, pp. 513–525 (1997)

  7. Blömer, J., Seifert, J.P.: Fault based cryptanalysis of the AES. Cryptology ePrint Archive, Report 2002/075 (2002). http://eprint.iacr.org/

  8. Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of eliminating errors in cryptographic computations. J. Cryptol. 14(2), 101–119 (2001)

  9. Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Cryptographic Hardware and Embedded Systems—CHES 2004, pp. 16–29 (2004)

  10. Bringer, J., Carlet, C., Chabanne, H., Guilley, S., Maghrebi, H.: Orthogonal direct sum masking—a smartcard friendly computation paradigm in a code, with builtin protection against side-channel and fault attacks. In: Information Security Theory and Practice. Securing the Internet of Things, pp. 40–56 (2014)

  11. Carlet, C., Gaborit, P., Kim, J., Solé, P.: A new class of codes for Boolean masking of cryptographic computations. IEEE Trans. Inf. Theory 58(9), 6000–6011 (2012)

  12. Christofi, M.: Security proofs of cryptographic implementations. Thesis report (2013)

  13. Christofi, M., Chetali, B., Goubin, L., Vigilant, D.: Formal verification of a CRT-RSA implementation against fault attacks. J. Cryptogr. Eng. 3(3), 157–167 (2013). doi:10.1007/s13389-013-0049-3

  14. Coron, J.S., Roy, A., Vivek, S.: Fast evaluation of polynomials over binary finite fields and application to side-channel countermeasures. In: Cryptographic Hardware and Embedded Systems—CHES 2014, pp. 170–187 (2014)

  15. Courbon, F., Loubet-Moundi, P., Fournier, J., Tria, A.: Adjusting laser injections for fully controlled faults. In: COSADE 2014, Lecture Notes in Computer Science, vol. 8622, pp. 229–242. Springer International Publishing (2014)

  16. Floissac, N., L’Hyver, Y.: From AES-128 to AES-192 and AES-256, how to adapt DFA attacks. Cryptology ePrint Archive, Report 2010/396 (2010). http://eprint.iacr.org/

  17. Frama-C. http://frama-c.com/

  18. Gierlichs, B., Schmidt, J.M., Tunstall, M.: Infective computation and dummy rounds: fault protection for block ciphers without check-before-output. Cryptology ePrint Archive, Report 2012/678 (2012)

  19. Giraud, C., Thillard, A.: Piret and Quisquater’s DFA on AES revisited. Cryptology ePrint Archive, Report 2010/440 (2010). http://eprint.iacr.org/

  20. Guo, X., Mukhopadhyay, D., Karri, R.: Provably secure concurrent error detection against differential fault analysis. Cryptology ePrint Archive, Report 2012/552 (2012). http://eprint.iacr.org/

  21. Kim, C.H.: Improved DFA on AES key schedule. IEEE Trans. Inf. Forensics Secur. 7(1), 41–50 (2012). doi:10.1109/TIFS.2011.2161289

  22. Heydemann, K., Moro, N., Encrenaz, E., Robisson, B.: Formal verification of a software countermeasure against instruction skip attacks. IACR Cryptology ePrint Archive, Report 2013/679 (2013). http://eprint.iacr.org/2013/679

  23. Jessie. http://krakatoa.lri.fr/#jessie

  24. Karpovsky, M., Kulikowski, K., Taubin, A.: Robust protection against fault-injection attacks on smart cards implementing the AES. In: 2004 International Conference on Dependable Systems and Networks, pp. 93–101 (2004). doi:10.1109/DSN.2004.1311880

  25. Karri, R., Wu, K., Mishra, P., Kim, Y.: Concurrent error detection schemes for fault-based side-channel cryptanalysis of symmetric block ciphers. IEEE Trans. CAD Integr. Circuits Syst. 21(12), 1509–1517 (2002). doi:10.1109/TCAD.2002.804378

  26. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Advances in Cryptology—CRYPTO ’99, pp. 388–397. Springer-Verlag, London, UK (1999). http://portal.acm.org/citation.cfm?id=646764.703989

  27. Leveugle, R., Ammari, A., Maingot, V., Teyssou, E., Moitrel, P., Mourtel, C., Feyt, N., Rigaud, J.B., Tria, A.: Experimental evaluation of protections against laser-induced faults and consequences on fault modeling. In: Design, Automation and Test in Europe Conference and Exhibition, DATE ’07, pp. 1–6 (2007)

  28. Malkin, T., Standaert, F.X., Yung, M.: A comparative cost/security analysis of fault attack countermeasures. In: Workshop FDTC 2006, Lecture Notes in Computer Science, vol. 4236, pp. 159–172. Springer, Berlin Heidelberg (2006)

  29. Mayer-Sommer, R.: Smartly analyzing the simplicity and the power of simple power analysis on smartcards. In: Cryptographic Hardware and Embedded Systems—CHES 2000, pp. 78–92. Springer-Verlag, London, UK (2000). http://portal.acm.org/citation.cfm?id=648253.752540

  30. Meola, M.L., Walker, D.: Faulty logic: reasoning about fault tolerant programs. In: Programming Languages and Systems, ESOP 2010, Lecture Notes in Computer Science, vol. 6012, pp. 468–487. Springer (2010)

  31. Moradi, A., Shalmani, M., Salmasizadeh, M.: A generalized method of DFA against AES cryptosystem. In: Cryptographic Hardware and Embedded Systems—CHES 2006, pp. 91–100 (2006)

  32. Mukhopadhyay, D.: An improved fault based attack of the Advanced Encryption Standard. In: AFRICACRYPT 2009, Lecture Notes in Computer Science, vol. 5580, pp. 421–434. Springer, Berlin Heidelberg (2009)

  33. NIST: FIPS 197, Advanced Encryption Standard (AES). National Institute of Standards and Technology, pp. 1–51 (2001). http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

  34. Dusart, P., Letourneux, G., Vivolo, O.: Differential fault analysis on A.E.S. Cryptology ePrint Archive, Report 2003/010 (2003). http://eprint.iacr.org/

  35. Piret, G., Quisquater, J.J.: A differential fault attack technique against SPN structures, with application to the AES and KHAZAD. In: Cryptographic Hardware and Embedded Systems—CHES 2003, Lecture Notes in Computer Science, vol. 2779, pp. 77–88. Springer, Berlin Heidelberg (2003)

  36. Rauzy, P., Guilley, S.: A formal proof of countermeasures against fault injection attacks on CRT-RSA. J. Cryptogr. Eng. 4(3), 173–185 (2014). doi:10.1007/s13389-013-0065-3

  37. Rivain, M., Prouff, E.: Provably secure higher-order masking of AES. Cryptology ePrint Archive, Report 2010/441 (2010). http://eprint.iacr.org/

  38. Tunstall, M., Whitnall, C., Oswald, E.: Masking tables—an underestimated security risk. In: Fast Software Encryption—FSE 2013, pp. 425–444 (2013)

  39. Tupsamudre, H., Bisht, S., Mukhopadhyay, D.: Destroying fault invariant with randomization—a countermeasure for AES against DFA. In: Cryptographic Hardware and Embedded Systems—CHES 2014, pp. 93–111 (2014)

  40. Why3. http://why3.lri.fr/


Correspondence to Maria Christofi.

Additional information

This work has been partially funded by the ANR project PRINCE. The authors would also like to thank Jean-Henri Granarolo for his help in the development of the TL-FACE tool.

Appendix: Example of verification report


Cite this article

Azzi, S., Barras, B., Christofi, M. et al. Using linear codes as a fault countermeasure for nonlinear operations: application to AES and formal verification. J Cryptogr Eng 7, 75–85 (2017). https://doi.org/10.1007/s13389-016-0138-1


  • DOI: https://doi.org/10.1007/s13389-016-0138-1
