Fault Diagnosis and Tolerance in Cryptography

Volume 4236 of the series Lecture Notes in Computer Science pp 159-172

A Comparative Cost/Security Analysis of Fault Attack Countermeasures

  • Tal G. MalkinAffiliated withDept. of Computer Science, Columbia University
  • , François-Xavier StandaertAffiliated withDept. of Computer Science, Columbia UniversityUCL Crypto Group, Université Catholique de Louvain
  • , Moti YungAffiliated withDept. of Computer Science, Columbia University

* Final gross prices may vary according to local VAT.

Get Access


Deliberate injection of faults into cryptographic devices is an effective cryptanalysis technique against symmetric and asymmetric encryption algorithms. To protect cryptographic implementations (e.g. of the recent AES which will be our running example) against these attacks, a number of innovative countermeasures have been proposed, usually based on the use of space and time redundancies (e.g. error detection/correction techniques, repeated computations). In this paper, we take the next natural step in engineering studies where alternative methods exist, namely, we take a comparative perspective. For this purpose, we use unified security and efficiency metrics to evaluate various recent protections against fault attacks. The comparative study reveals security weaknesses in some of the countermeasures (e.g. intentional malicious fault injection that are unrealistically modelled). The study also demonstrates that, if fair performance evaluations are performed, many countermeasures are not better than the naive solutions, namely duplication or repetition. We finally suggest certain design improvements for some countermeasures, and further discuss security/efficiency tradeoffs.


Attacks and countermeasures in hardware and software