TY - JOUR
T1 - Security analysis of concurrent error detection against differential fault analysis
AU - Guo, Xiaofei
AU - Mukhopadhyay, Debdeep
AU - Jin, Chenglu
AU - Karri, Ramesh
N1 - Funding Information:
This material is based upon work supported by the NSF CNS program under grant 0831349 and the Center for Interdisciplinary Studies in Security and Privacy (CRISSP). Debdeep Mukhopadhyay would like to acknowledge Indo-US S&T Forum for providing fellowship to support the above collaboration and to support his visit as a researcher under the Indo-USSTF Fellowship to NYU School of Engineering, USA in 2012.
Publisher Copyright:
© 2014, Springer-Verlag Berlin Heidelberg.
PY - 2015/9/10
Y1 - 2015/9/10
N2 - Differential fault analysis (DFA) poses a significant threat to the advanced encryption standard (AES). Only a single faulty ciphertext is required to extract the secret key. Concurrent error detection (CED) is widely used to protect AES against DFA. Traditionally, these CEDs are evaluated with uniformly distributed faults; the resulting fault coverage indicates the security of CEDs against DFA. However, DFA-exploitable faults, which are a small subspace of the entire fault space, are not uniformly distributed. Therefore, fault coverage does not accurately measure the security of the CEDs against DFA. We provide a systematic study of DFA of AES and show that an attacker can inject biased faults to improve the success rate of the attacks. We propose fault entropy (FE) and fault differential entropy (FDE) to evaluate CEDs. We show that most CEDs with high fault coverage are not secure when evaluated with FE and FDE. This work challenges the traditional use of fault coverage for uniformly distributed faults as a metric for evaluating the security of CEDs against DFA.
AB - Differential fault analysis (DFA) poses a significant threat to the advanced encryption standard (AES). Only a single faulty ciphertext is required to extract the secret key. Concurrent error detection (CED) is widely used to protect AES against DFA. Traditionally, these CEDs are evaluated with uniformly distributed faults; the resulting fault coverage indicates the security of CEDs against DFA. However, DFA-exploitable faults, which are a small subspace of the entire fault space, are not uniformly distributed. Therefore, fault coverage does not accurately measure the security of the CEDs against DFA. We provide a systematic study of DFA of AES and show that an attacker can inject biased faults to improve the success rate of the attacks. We propose fault entropy (FE) and fault differential entropy (FDE) to evaluate CEDs. We show that most CEDs with high fault coverage are not secure when evaluated with FE and FDE. This work challenges the traditional use of fault coverage for uniformly distributed faults as a metric for evaluating the security of CEDs against DFA.
KW - Advanced encryption standard
KW - Block cipher
KW - Concurrent error detection
KW - Differential fault analysis
KW - Fault attack
UR - http://www.scopus.com/inward/record.url?scp=84938772552&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84938772552&partnerID=8YFLogxK
U2 - 10.1007/s13389-014-0092-8
DO - 10.1007/s13389-014-0092-8
M3 - Article
AN - SCOPUS:84938772552
SN - 2190-8508
VL - 5
SP - 153
EP - 169
JO - Journal of Cryptographic Engineering
JF - Journal of Cryptographic Engineering
IS - 3
ER -