
Fault attacks and countermeasures on symmetric key cryptographic algorithms

Posted on: 2015-10-18
Degree: Ph.D
Type: Dissertation
University: Polytechnic Institute of New York University
Candidate: Guo, Xiaofei
Full Text: PDF
GTID: 1478390017496099
Subject: Engineering
Abstract/Summary:
Fault attacks exploit malicious or accidental faults injected during the computation of a cryptographic algorithm. Combining the seminal idea of Boneh, DeMillo and Lipton with differential cryptanalysis, a new field of Differential Fault Attacks (DFA) has emerged. To date, DFA has broken all major ciphers, including the Advanced Encryption Standard (AES).

We present an overview of fault attacks and concentrate on fault attacks on AES. We cover the entire range of attacks and show that a single random byte fault can reduce the AES key space to 2^8 candidates. Extensions of the fault attack to multiple-byte fault models are also presented. These attacks emphasize the need for countermeasures that detect the underlying faults and suppress the faulty output accordingly.

Concurrent Error Detection (CED) schemes have been developed to detect natural and malicious faults. We present a survey of well-known existing CEDs. We propose Recomputing with Permuted Operands (REPO) for cryptographic algorithms with an AES-style substitution-permutation network structure; it exploits algorithmic properties of the algorithm itself. Such a strategy provides near-100% fault coverage. We show that it is provably secure against the single-bit, single-byte and diagonal fault models used by all practical fault attacks. We also extend REPO to the Grøstl hash function.

For lightweight AES implementations, the fault-detection capability of REPO is the same as that of straightforward time redundancy. We developed Normal Basis REPO (NREPO) for lightweight implementations. NREPO has a five to ten times lower fault miss rate than traditional lightweight CEDs.

In many applications, encryption alone does not provide enough security. To enhance security, dedicated authenticated encryption (AE) modes have been devised. Galois/Counter Mode (GCM) and Counter with CBC-MAC (CCM) are the AE modes recommended by the National Institute of Standards and Technology. However, natural faults reduce their reliability and may undermine both their encryption and authentication capabilities. We present a low-cost CED that exploits idle cycles in seven AE architectures. Experimental results show that, depending on the workload, the performance overhead can be lower than 100% for all architectures. The underlying block cipher and hash module need not have CED built in, so system designers can integrate block cipher and hash function intellectual property from different vendors. The proposed low-cost CED can be further improved when combined with REPO and NREPO.
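The two mechanisms the abstract rests on, a single-byte DFA on AES and recompute-and-compare CED, as an added Python illustration (not code from the dissertation). It models only rounds 9 and 10 of AES-128; the round keys, the round-9 input state, the faulted byte position and the fault values are constructed from a fixed seed, so no key schedule is needed. The attack shown is the simpler round-9 variant: one faulted byte spreads through MixColumns into a single column, each faulty ciphertext narrows the four affected bytes of K10 to roughly 2^10 candidates (four possible rows times 255 differences), and a second fault typically leaves a single survivor. It is not the round-8 attack the abstract refers to, which reduces the whole key to 2^8. The CED part uses a cyclic column rotation of state and round keys as the permuted operand; that permutation is chosen here because it commutes with every AES round operation when round keys are pre-expanded, and whether REPO itself uses this or another permutation is not stated on this page. The permanent fault (the round-10 S-box instance at byte position 5 stuck at 0x00) is likewise constructed. Plain recomputation misses it because both runs fail identically; the rotated run pushes a different byte through the faulty unit, so the two results disagree.

```python
"""Single-byte DFA on the last two AES rounds, plus recompute-and-compare CED with and
without permuted operands. Added illustration, not the dissertation's code."""
import random
from itertools import product

def build_sbox():
    """Rijndael S-box from the GF(2^8) inverse plus affine map (no hand-typed table)."""
    sbox, p, q = [0] * 256, 1, 1
    rot = lambda v, s: ((v << s) | (v >> (8 - s))) & 0xFF
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3; 3 generates GF(2^8)*
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF         # q /= 3, keeping p*q == 1
        q ^= 0x09 if q & 0x80 else 0
        sbox[p] = q ^ rot(q, 1) ^ rot(q, 2) ^ rot(q, 3) ^ rot(q, 4) ^ 0x63
        if p == 1: break
    sbox[0] = 0x63
    return sbox

SBOX = build_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]   # MixColumns matrix

def gmul(a, b):  # multiply a by b in {1, 2, 3} in GF(2^8) with the AES polynomial
    x2 = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
    return {1: a, 2: x2, 3: x2 ^ a}[b]

# State is 16 bytes in AES column-major order: byte (row r, column c) is s[r + 4*c].
def shift_rows(s):
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def rotate_columns(s, t):
    return [s[r + 4 * ((c + t) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s):
    return [gmul(s[4 * c], MIX[r][0]) ^ gmul(s[4 * c + 1], MIX[r][1]) ^
            gmul(s[4 * c + 2], MIX[r][2]) ^ gmul(s[4 * c + 3], MIX[r][3])
            for c in range(4) for r in range(4)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def last_two_rounds(state, k9, k10, sub=None):
    """Round 9 (SubBytes, ShiftRows, MixColumns, AddRoundKey) then round 10 (no MixColumns).
    sub(round, position, byte) stands for the S-box hardware instance at that position."""
    sub = sub or (lambda rnd, pos, b: SBOX[b])
    s = xor(mix_columns(shift_rows([sub(9, i, b) for i, b in enumerate(state)])), k9)
    return xor(shift_rows([sub(10, i, b) for i, b in enumerate(s)]), k10)

def dfa_round9(c, c_faulty):
    """One disturbed byte at the round-9 input becomes a column difference (2d, d, d, 3d) in
    some rotation; keep the 4-byte K10 guesses whose implied round-10 S-box input differences match."""
    pos = sorted(i for i in range(16) if c[i] != c_faulty[i])
    if len(pos) != 4:
        raise ValueError("fault did not disturb exactly four ciphertext bytes")
    by_diff = {i: {} for i in pos}      # implied input difference -> K10 byte candidates
    for i in pos:
        for k in range(256):
            t = INV_SBOX[c[i] ^ k] ^ INV_SBOX[c_faulty[i] ^ k]
            by_diff[i].setdefault(t, []).append(k)
    cands = set()
    for r0 in range(4):                 # unknown row of the faulted byte before MixColumns
        for d in range(1, 256):         # unknown SubBytes output difference of that byte
            cands.update(product(*[by_diff[i].get(gmul(d, MIX[i % 4][r0]), []) for i in pos]))
    return pos, cands

def dfa_demo(seed=2015):
    """Two faulty encryptions of one block: same faulted byte, different random fault values."""
    rng = random.Random(seed)
    k9, k10, state = ([rng.randrange(256) for _ in range(16)] for _ in range(3))  # constructed
    c, p, sets = last_two_rounds(state, k9, k10), rng.randrange(16), []
    for _ in range(2):
        bad = list(state)
        bad[p] ^= rng.randrange(1, 256)  # transient single-byte fault at the round-9 input
        pos, cands = dfa_round9(c, last_two_rounds(bad, k9, k10))
        sets.append(cands)
    return {"true": tuple(k10[i] for i in pos), "sizes": [len(s) for s in sets],
            "survivors": sets[0] & sets[1]}

def recompute_mismatch(state, k9, k10, sub, permute):
    """Time-redundancy CED: run twice, compare. With permute=True the second run uses column-rotated
    operands and its result is rotated back (exact: every AES round operation commutes with it)."""
    first = last_two_rounds(state, k9, k10, sub)
    if not permute:
        return first != last_two_rounds(state, k9, k10, sub)
    second = last_two_rounds(rotate_columns(state, 1), rotate_columns(k9, 1),
                             rotate_columns(k10, 1), sub)
    return first != rotate_columns(second, 3)

def ced_demo(seed=2015):
    """Constructed permanent fault: the round-10 S-box instance at byte position 5 is stuck at 0x00."""
    rng = random.Random(seed)
    k9, k10, state = ([rng.randrange(256) for _ in range(16)] for _ in range(3))
    stuck = lambda rnd, pos, b: 0x00 if (rnd == 10 and pos == 5) else SBOX[b]
    return {"plain": recompute_mismatch(state, k9, k10, stuck, False),
            "permuted": recompute_mismatch(state, k9, k10, stuck, True),
            "permuted_no_fault": recompute_mismatch(state, k9, k10, None, True)}
```

`dfa_demo()` returns the true four K10 bytes, the candidate-set sizes for each faulty ciphertext (about a thousand each) and the intersection; `ced_demo()` returns `plain` False (the stuck S-box is missed), `permuted` True (caught), and `permuted_no_fault` False (the rotation round-trip is exact, so a fault-free device raises no alarm).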
Keywords/Search Tags: Fault, Cryptographic, CED, REPO, AES