Security analysis of concurrent error detection against differential fault analysis

Abstract

Differential fault analysis (DFA) poses a significant threat to advanced encryption standard (AES). Only a single faulty ciphertext is required to extract the secret key. Concurrent error detection (CED) is widely used to protect AES against DFA. Traditionally, these CEDs are evaluated with uniformly distributed faults, the resulting fault coverage indicates the security of CEDs against DFA. However, DFA-exploitable faults, which are a small subspace of the entire fault space, are not uniformly distributed. Therefore, fault coverage does not accurately measure the security of the CEDs against DFA. We provide a systematic study of DFA of AES and show that an attacker can inject biased faults to improve the success rate of the attacks. We propose fault entropy (FE) and fault differential entropy (FDE) to evaluate CEDs. We show that most CEDs with high fault coverage are not secure when evaluated with FE and FDE. This work challenges the traditional use of fault coverage for uniformly distributed faults as a metric for evaluating the security of CEDs against DFA.

Appendix

1.1 AES Algorithm

Advanced Encryption Standard is a block cipher with key lengths of 128, 192, and 256. We consider 128-bit key for AES, but the conclusions apply to the other key sizes. AES encrypts a 128-bit plaintext into a 128-bit ciphertext with a 128-bit user key using 10 nearly identical rounds plus an initial round (round 0). One AES encryption round consists of SubBytes, ShiftRows, MixColumns, and AddRoundKey denoted by \(SB\), \(SR\), \(MC\), and \(AR\), respectively, as shown in Fig. 17. In round 0, only AddRoundKey is used and in round 10, MixColumns is not used. Each operation in every round acts on a 128-bit input state, where each state element is a byte in \(GF(2^{8})\). Each byte is denoted by \({\varvec{st_{r,c}}}\) (\(0 \le r,c \le 3\)) indicating that this byte is in row r and column c in the state matrix.

$$\begin{aligned} \left[ {\begin{array}{llll} x_{0,0} &{} x_{0,1} &{} x_{0,2} &{} x_{0,3} \\ x_{1,0} &{} x_{1,1} &{} x_{1,2} &{} x_{1,3} \\ x_{2,0} &{} x_{2,1} &{} x_{2,2} &{} x_{2,3} \\ x_{3,0} &{} x_{3,1} &{} x_{3,2} &{} x_{3,3} \\ \end{array} } \right] = [x_{r,c}]_{r,c = 0\ldots 3} \end{aligned}$$

(19)

In SubBytes, each byte is processed by an S-box (SB in Fig. 17). Each SB performs a nonlinear transformation of the input byte. If \(X\) is the input, the output is:

$$\begin{aligned} Y = SB(X) = SB([x_{r,c}]_{r,c=0\ldots 3}) = [y_{r,c}]_{r,c=0\ldots 3} \end{aligned}$$

(20)

In ShiftRows, each row of the state is shifted cyclically byte-wise using a different offset. Row 0 is not shifted, while rows 1, 2, and 3 are cyclically shifted to the left by one, two, and three bytes, respectively. The resulting output is:

$$\begin{aligned} Z = SR(Y) = \left[ {\begin{array}{llll} y_{0,0} &{} y_{0,1} &{} y_{0,2} &{} y_{0,3} \\ y_{1,1} &{} y_{1,2} &{} y_{1,3} &{} y_{1,0} \\ y_{2,2} &{} y_{2,3} &{} y_{2,0} &{} y_{2,1} \\ y_{3,3} &{} y_{3,0} &{} y_{3,1} &{} y_{3,2} \\ \end{array} } \right] \end{aligned}$$

$$\begin{aligned} \quad = [y_{r, (r+c) \ mod \ 4}]_{r,c=0\ldots 3} = [z_{r,c}]_{r,c=0\ldots 3} \end{aligned}$$

(21)

In MixColumns, the output state is obtained by multiplying the output of ShiftRows by a constant matrix. The resulting output is:

$$\begin{aligned} U = MC(Z) = [u_{r,c}]_{r,c=0\ldots 3} \end{aligned}$$

$$\begin{aligned} \quad = \left[ {\begin{array}{llll} 02 &{} 03 &{} 01 &{} 01 \\ 01 &{} 02 &{} 03 &{} 01 \\ 01 &{} 01 &{} 02 &{} 03 \\ 03 &{} 01 &{} 01 &{} 02 \\ \end{array} } \right] \left[ {\begin{array}{llll} z_{0,0} &{} z_{0,1} &{} z_{0,2} &{} z_{0,3} \\ z_{1,0} &{} z_{1,1} &{} z_{1,2} &{} z_{1,3} \\ z_{2,0} &{} z_{2,1} &{} z_{2,2} &{} z_{2,3} \\ z_{3,0} &{} z_{3,1} &{} z_{3,2} &{} z_{3,3} \\ \end{array}} \right] \end{aligned}$$

(22)

In AddRoundKey, the round key \(K = [k_{r,c}]_{r,c=0\ldots 3}\) is added (modulo-2) to the 128-bit state \(U\). The resulting round output is:

$$\begin{aligned} V \!=\! AR(K,U) \!=\! [k_{r,c}]_{r,c=0..3} + [u_{r,c}]_{r,c=0\ldots 3} \!=\! [v_{r,c}]_{r,c = 0..3}\nonumber \\ \end{aligned}$$

(23)

1.2 Example of computing FE and FDE

We would like to show a concrete example that illustrates how FE and FDE are calculated. We assume the attacker performs two fault injections in an AES circuit. Let \(X_{i, j}\) be the input of the 9th round. In both fault injections, byte with index (0,0) is faulty and its fault-free value is 0 \(\times \) 00.¹² In the first fault injection, the fault is 0 \(\times \) 80 (0\(\times \)80 \(\oplus \) 0 \(\times \) 00 = 0\(\times \)80) as shown in Fig. 16a. In the second fault injection, the fault is 0 \(\times \) 40 (0\(\times \)40 \(\oplus \) 0 \(\times \) 00 = 0\(\times \)40) as shown in Fig. 16b.

Fig. 16

A simple two fault injection experiment of computing FE and FDE. The faults are injected in the 9th round input byte with index (0,0). The fault-free byte value is 0x00. a The fault is injected at bit 7. b The fault is injected at bit 6

Fig. 17

One typical AES encryption round (The last round does not have MixColumns)

First of all, we compute the FE. We assume the attacker knows that byte (0,0) is faulty at the beginning of the 9th round. Therefore, he needs to invert both the 10th and 9th rounds. It requires him to guess 32 bits of the 10th round key and 32 bits of the 9th round key to compute the difference between the fault-free and faulty input of the 9th round. For the fault-free ciphertext, the correct key will recover the 9th round input byte value 0 \(\times \) 00. For the first fault injection, the correct key will recover the 9th round input faulty byte value 0 \(\times \) 80. The evaluator then computes the difference between the fault-free and faulty byte and gets 0 \(\times \) 80 which is the fault. The wrong key hypothesis will not recover the correct fault since the AES round function is a bijective mapping. The evaluator repeats the above procedure for the second fault injection experiment and the correct key will recover the fault 0 \(\times \) 40. He computes the entropy of tuple {0 \(\times \) 80, 0\(\times \)40}. Then, he repeats this procedure for all possible key candidates. As the number of fault injection increases, the FE of the wrong key candidates will increase.

Alternatively, we can compute FDE. In this case, the evaluator knows that the relationship of the faults¹³ between the first column bytes, i.e., (0,0), (0,1), (0,2), and (0,3), has certain relationship as shown in Fig. 16 due to the MixColumns operation 9th round regardless of the actually fault value injected on byte (0,0) at the beginning of the 9th round, i.e., both the first fault injection and the second fault injection will give the same relationship between the bytes in the first column. The evaluator then only guesses 32 bits of the 10th round key and inverts the 10th round. The correct key will give him the relationship that the faults in byte (0,0) are two times of that in byte (0,1). Similarly, he can derive the interrelationship between these four bytes shown in Eqs. (7), (8), and (9). He assumes that such relationship is true for all key hypothesis and computes the difference (fault differential) between the fault-free input to the 10th round and the faulty input for the bytes in the first column using equation Eqs. (10), (11) and (12). Then, he computes the entropy of the fault differential for all key hypotheses. Obviously, the difference will be all 0s for the correct key hypothesis and the entropy will be the lowest.