Automated Deployment of Software Encoding Countermeasure

Abstract

In this chapter, we provide insights on automated generation of an encoding-based software countermeasure against both fault and side-channel attacks. First, we outline the fault resistance properties that are necessary to design an encoding scheme designed to protect cryptographic software implementations against faults. We define theoretical bounds that clearly show the possibilities and limitations of encoding-based countermeasures, together with trade-offs between side-channel and fault resistance. Later, we detail the algorithm that automatically constructs a code according to pre-defined user criteria w.r.t. fault resistance and takes the stochastic device leakage into account to minimize the leaked side-channel information. As a result, we are able to design a code by using automated methods that can provide the optimal trade-off between side-channel and fault resistance. We simulate several codes with respect to most popular fault models, using a general-purpose microcontroller assembly implementation.

This research was conducted when author “J. Breier” was with Temasek Laboratories, NTU.

This research was conducted when author “X. Hou” was with Nanyang Technological University.

Appendices

Appendix 1: Generated Codes

In this section, we state the remaining codes generated by Algorithm 1, for M = 16 and n = 8, 9, 10 (Tables 7.4 and 7.5).

Appendix 2: Fault Resistance Probabilities

In this section, we show the detailed theoretical calculations of fault resistance probabilities and the overall resistance index (with error) for some specific examples.

Equidistant Detection Scheme

Using Lemma 7.1, we list the values of p _ms and p _rand in Table 7.6 for (8, 4, 2) and (8, 4, 4) equidistant binary codes.

Table 7.6 Theoretical values of p _m for (n, M, d)-equidistant binary code

Detection Scheme

Since we require that \({\mathrm {dis}}\left ({{\mathcal C}}\right )\geq 2\) for Detection Scheme, for 1-bit fault, we expect the results to be Null, which means p ₁ = 1. Now we give a theoretical calculation for the (8, 4, 4)-binary code \({{\mathcal C}}_{8,4,min4}=\{00011001,00100111,10001010, 10110100\}\). We first list the distance between every pair of codewords in Table 7.7.

Table 7.7 Distance between each pair of codewords in the (8, 4, 4)-binary code \({{\mathcal C}}_{8,4,min4}\)

By Eq. (7.3), we can then calculate the m-bit fault resistance probabilities and the overall resistance index for \({{\mathcal C}}\):

$$\displaystyle \begin{aligned} p_2&=p_3=1-\frac{1}{4}(0+0+0+0)=1,\\ p_4&=1-\frac{1}{4\binom{8}{4}}(2+0+1+1)=\frac{69}{70}\approx0.9857, \end{aligned} $$

$$\displaystyle \begin{aligned} p_5&=1-\frac{1}{4\binom{8}{5}}(2+2+2+2)=\frac{27}{28}\approx0.9643,\\ p_6&=p_7=p_8=1-\frac{1}{4}(0+0+0+0)=1, \quad p_{{\mbox{rand}}}=\sum_{m=1}^8\frac{1}{8}p_m=0.9938.\\ \end{aligned} $$

Correction Scheme

m-bit fault resistance probabilities with error correction for the same (8, 4, 4)-binary code \({{\mathcal C}}_{8,4,min4}=\{00011001, 00100111,10001010,10110100\}\). As \({\mathrm {dis}}\left ({{\mathcal C}}\right )=4\), by Remark 7.1 it is an 1-error-correcting code. By Eq. (7.2), p _m,(e) = 1 for m = 1. To calculate p _m,(e) for m ≥ 2, we first list the table of cardinalities of F _c,m for \({\boldsymbol c}\in {{\mathcal C}}\) and m = 2, 3, …, 8 in Table 7.8.

Table 7.8 Cardinality of F _c,m for m = 2, 3, …, 8 and \({ \boldsymbol c}\in {{\mathcal C}}_{8,4,min4}\)

By Eq. (7.2), we can then calculate the m-bit fault resistance probabilities with error correction as well as the overall resistance index with error correction for \({{\mathcal C}}\).

$$\displaystyle \begin{aligned} \begin{array}{rcl} p_{2,(e)}&\displaystyle =&\displaystyle 1-\frac{1}{4\binom{8}{2}}(0+0+0+0)=1,\\ p_{3,(e)}&\displaystyle =&\displaystyle 1-\frac{1}{4\binom{8}{3}}(4+4+4+4)=\frac{13}{14}\approx0.9286,\\ p_{4,(e)}&\displaystyle =&\displaystyle 1-\frac{1}{4\binom{8}{4}}(11+11+11+11)=\frac{59}{70}\approx0.8429,\\ p_{5,(e)}&\displaystyle =&\displaystyle 1-\frac{1}{4\binom{8}{5}}(6+6+6+6)=\frac{25}{28}\approx0.8929,\\ p_{6,(e)}&\displaystyle =&\displaystyle 1-\frac{1}{4\binom{8}{6}}(6+6+6+6)=\frac{11}{14}\approx0.7857,\\ p_{7,(e)}&\displaystyle =&\displaystyle p_{8,(e)}=1-\frac{1}{4}(0+0+0+0)=1,\\ p_{{\mbox{rand}},(e)}&\displaystyle =&\displaystyle \sum_{m-1}^8\frac{1}{8}p_{m,(e)}=0.9313.\end{array} \end{aligned} $$