Countermeasures against fault attacks on software implemented AES: effectiveness and cost

WESS '10 Pub Date : 2010-10-24 DOI:10.1145/1873548.1873555

Alessandro Barenghi, L. Breveglieri, I. Koren, Gerardo Pelosi, F. Regazzoni

{"title":"Countermeasures against fault attacks on software implemented AES: effectiveness and cost","authors":"Alessandro Barenghi, L. Breveglieri, I. Koren, Gerardo Pelosi, F. Regazzoni","doi":"10.1145/1873548.1873555","DOIUrl":null,"url":null,"abstract":"In this paper we present software countermeasures specifically designed to counteract fault injection attacks during the execution of a software implementation of a cryptographic algorithm and analyze the efficiency of these countermeasures. We propose two approaches based on the insertion of redundant computations and checks, which in their general form are suitable for any cryptographic algorithm. In particular, we focus on selective instruction duplication to detect single errors, instruction triplication to support error correction, and parity checking to detect corruption of a stored value. We developed a framework to automatically add the desired countermeasure, and we support the possibility to apply the selected redundancy to either all the instructions of the cryptographic routine or restrict it to the most sensitive ones, such as table lookups and key fetching. Considering an ARM processor as a target platform and AES as a target algorithm, we evaluate the overhead of the proposed countermeasures while keeping the robustness of the implementation high enough to thwart most or all of the known fault attacks. Experimental results show that in the considered architecture, the solution with the smallest overhead is per-instruction selective doubling and checking, and that the instruction triplication scheme is a viable alternative if very high levels of injected fault resistance are required.","PeriodicalId":114446,"journal":{"name":"WESS '10","volume":"19 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2010-10-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"89","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"WESS '10","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/1873548.1873555","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 89

Abstract

In this paper we present software countermeasures specifically designed to counteract fault injection attacks during the execution of a software implementation of a cryptographic algorithm and analyze the efficiency of these countermeasures. We propose two approaches based on the insertion of redundant computations and checks, which in their general form are suitable for any cryptographic algorithm. In particular, we focus on selective instruction duplication to detect single errors, instruction triplication to support error correction, and parity checking to detect corruption of a stored value. We developed a framework to automatically add the desired countermeasure, and we support the possibility to apply the selected redundancy to either all the instructions of the cryptographic routine or restrict it to the most sensitive ones, such as table lookups and key fetching. Considering an ARM processor as a target platform and AES as a target algorithm, we evaluate the overhead of the proposed countermeasures while keeping the robustness of the implementation high enough to thwart most or all of the known fault attacks. Experimental results show that in the considered architecture, the solution with the smallest overhead is per-instruction selective doubling and checking, and that the instruction triplication scheme is a viable alternative if very high levels of injected fault resistance are required.

查看原文本刊更多论文

针对基于AES的软件故障攻击的对策:有效性和成本

在本文中，我们提出了专门设计用于在执行加密算法的软件实现期间抵消故障注入攻击的软件对策，并分析了这些对策的效率。我们提出了两种基于插入冗余计算和检查的方法，它们的一般形式适用于任何密码算法。我们特别关注选择性指令复制以检测单个错误，指令复制以支持错误纠正，以及奇偶校验以检测存储值的损坏。我们开发了一个框架来自动添加所需的对策，并且我们支持将选择的冗余应用于加密例程的所有指令或将其限制为最敏感的指令，例如表查找和密钥获取。考虑到ARM处理器作为目标平台，AES作为目标算法，我们评估了所提出的对策的开销，同时保持实现的鲁棒性足够高，以阻止大多数或所有已知的故障攻击。实验结果表明，在所考虑的体系结构中，开销最小的解决方案是每条指令选择性加倍和检查，如果需要很高的注入故障抗力，则指令三倍方案是可行的替代方案。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

WESS '10

自引率

0.00%

发文量