A Comparative Cost/Security Analysis of Fault Attack Countermeasures

  • Tal G. Malkin
  • François-Xavier Standaert
  • Moti Yung
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4236)


Deliberate injection of faults into cryptographic devices is an effective cryptanalysis technique against symmetric and asymmetric encryption algorithms. To protect cryptographic implementations (e.g. of the recent AES which will be our running example) against these attacks, a number of innovative countermeasures have been proposed, usually based on the use of space and time redundancies (e.g. error detection/correction techniques, repeated computations). In this paper, we take the next natural step in engineering studies where alternative methods exist, namely, we take a comparative perspective. For this purpose, we use unified security and efficiency metrics to evaluate various recent protections against fault attacks. The comparative study reveals security weaknesses in some of the countermeasures (e.g. intentional malicious fault injection that are unrealistically modelled). The study also demonstrates that, if fair performance evaluations are performed, many countermeasures are not better than the naive solutions, namely duplication or repetition. We finally suggest certain design improvements for some countermeasures, and further discuss security/efficiency tradeoffs.


Attacks and countermeasures in hardware and software 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Anderson, R., Kuhn, M.: Tamper Resistance - a Cautionary Note. In: The proceedings of the USENIX Workshop on Electronic Commerce, Oakland, CA, USA, November 1996, pp. 1–11 (1996)Google Scholar
  2. 2.
    Anderson, R., Kuhn, M.: Low Cost Attacks on Tamper Resistant Devices. In: Christianson, B., Lomas, M. (eds.) Security Protocols 1997. LNCS, vol. 1361, pp. 125–136. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  3. 3.
    Bar-El, H., Choukri, H., Naccache, D., Tunstall, M., Whelan, C.: The Sorcerer’s Apprentice Guide to Fault Attacks, IACR e-print archive 2004/100 (2004), http://eprint.iacr.org
  4. 4.
    Barreto, P., Rijmen, V.: The KHAZAD Legacy-Level Block Cipher, Submission to NESSIE project, Available from: http://www.cosic.esat.kuleuven.ac.be/nessie/
  5. 5.
    Bertoni, G., Breveglieri, L., Koren, I., Maistri, P., Piuri, V.: Error Analysis And Detection Procedures for a Hardware Implementation of the Advanced Encryption Standard. IEEE Transactions on Computers 52(4), 492–505 (2003)CrossRefGoogle Scholar
  6. 6.
    Bertoni, G., Breveglieri, L., Koren, I., Maistri, P.: An Efficient Hardware-Based Fault Diagnosis Scheme for AES: Performance and Cost. In: Proceedings of DFT 2004, Cannes, France, October 2004, p. 9 (2004)Google Scholar
  7. 7.
    Biehl, I., Meyer, B., Müller, V.: Differential Fault Analysis on Elliptic Curve Cryptosystems. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 131–146. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  8. 8.
    Biham, E., Shamir, A.: Differential Fault Analysis of Secret Key Cryptosystems. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 513–525. Springer, Heidelberg (1997)Google Scholar
  9. 9.
    Boneh, D., DeMillo, R., Lipton, R.: On the Importance of Checking Cryptographic Protocols for Faults. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 37–51. Springer, Heidelberg (1997)Google Scholar
  10. 10.
    Brier, E., Handschuh, H., Tymen, C.: Fast Primitives for Internal Data Scrambling in Tamper Resistant Hardware. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 16–27. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  11. 11.
    Daemen, J., Rijmen, V.: The Design of Rijndael. AES – The Advanced Encryption Standard. Springer, Heidelberg (2001)Google Scholar
  12. 12.
    Gennaro, R., Lysyanskaya, A., Malkin, T., Micali, S., Rabin, T.: Algorithmic Tamper-Proof Security: Theoretical Foundations for Security Against Hardware Tampering. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 258–277. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  13. 13.
    Giraud, C., Thiebauld, H.: A Survey on Fault Attacks. In: Proceedings of CARDIS 2004, Toulouse, France (August 2004)Google Scholar
  14. 14.
    Golic, J.D.: DeKaRT: A New Paradigm for Key-Dependent Reversible Circuits. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 98–112. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  15. 15.
    Johansson, K., Ohlsson, M., Blomgren, N., Renberg, P.: Neutron Induced Single-Word Multiple-Bit Upset in SRAM. IEEE Transactions on Nuclear Science 46(7), 1427–1433 (1999)CrossRefGoogle Scholar
  16. 16.
    Joshi, N., Wu, K., Karry, R.: Concurrent Error Detection Schemes for Involution Ciphers. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 400–412. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  17. 17.
    Joye, M., Lenstra, A.K., Quisquater, J.-J.: Chinese Remaindering Based Cryptosystems in the Presence of Faults. Journal of Cryptology 12(4), 241–246 (1999)MATHCrossRefGoogle Scholar
  18. 18.
    Karnik, T., Hazucha, P., Patel, J.: Characterization of Soft Errors Caused by Single Event Upsets in CMOS Processes. IEEE Transactions on Secure and Dependable Computing 1(2) (2004)Google Scholar
  19. 19.
    Karpovsky, M., Kulikowski, K.J., Taubin, A.: Differential Fault Analysis Attack Resistant Architectures For The Advanced Encryption Standard. In: Proceedings of CARDIS 2004, Toulouse, France (August 2004)Google Scholar
  20. 20.
    Karpovsky, M., Kulikowski, K.J., Taubin, A.: Robust Protection against Fault Injection Attacks on Smart Cards Implementing the Advanced Encryption Standard. In: Proceedings of DSN 2004, Florence, Italy, p. 9 (June 2004)Google Scholar
  21. 21.
    Karri, R., Wu, K., Mishra, P., Kim, Y.: Concurrent Error Detection Schemes for Fault-Based Side-Channel Cryptanalysis of Symmetric Block Ciphers. IEEE Transactions on Computer-Aided Design 21(12), 1509–1517 (2002)CrossRefGoogle Scholar
  22. 22.
    Karri, R., Gössel, M.: Parity-Based Concurrent Error Detection in Symmetric Block Ciphers. In: Proceedings of ITC 2003, Charlotte, USA, September 2003, pp. 919–926 (2003)Google Scholar
  23. 23.
    Karri, R., Kuznetsov, G., Gössel, M.: Parity-Based Concurrent Error Detection of Substitution-Permutation Network Block Ciphers. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 113–124. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  24. 24.
    Kulikowski, K.J., Karpovsky, M., Taubin, A.: Robust Codes for Fault Attack Resistant Cryptographic Hardware. In: The Proceedings of FDTC 2005, Edinburgh, Scotland, September 2005, pp. 2–12 (2005)Google Scholar
  25. 25.
    Mitra, S., McCluskey, E.J.: Which Concurrent Error Detection Scheme ro Choose. In: Proceedings of the International Test Conference 2000, Atlantic City, NJ, USA, October 2000, pp. 985–994 (2000)Google Scholar
  26. 26.
    Moshanin, V., Otscheretnij, V., Dmitriev, A.: The Impact of Logic Optimization on Concurrent Error Detection. In: Proceedings of the 4th IEEE International On-Line Testing Workshop, pp. 81–84 (July 1998)Google Scholar
  27. 27.
    Piret, G., Quisquater, J.-J.: A Differential Fault Attack Technique Against SPN Structures, With Applications to the AES and Khazad. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 77–88. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  28. 28.
    Reed, R.: Heavy Ion and Proton Induced Single Event Multiple Upsets. In: Proceedings of the IEEE Nuclear and Space Radiation Effects Conference (July 1997)Google Scholar
  29. 29.
    Samyde, D., Skorobogatov, S., Anderson, R., Quisquater, J.-J.: On a New Way to Read Data from Memory. In: The proceedings of the IEEE Security in Storage Workshop 2002, pp. 65–69, Greenbelt, Maryland, USA (December 2002)Google Scholar
  30. 30.
    Shirvani, P.: Fault Tolerant Computing for Radiation Environments, Ph.D Thesis, Center for Reliable Computing, Stanford University (June 2001)Google Scholar
  31. 31.
    Skorobogatov, S., Anderson, R.: Optical Fault Induction Attacks. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 2–12. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  32. 32.
    Wu, K., Karri, R., Kuznetsov, G., Goessel, M.: Low Cost Error Detection for the Advanced Encryption Standard. In: Proceedings of ITC 2004 (October 2004)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Tal G. Malkin
    • 1
  • François-Xavier Standaert
    • 1
    • 2
  • Moti Yung
    • 1
  1. 1.Dept. of Computer ScienceColumbia University 
  2. 2.UCL Crypto GroupUniversité Catholique de Louvain 

Personalised recommendations