Persistent-Fault Based Differential Analysis and Applications to Masking and Fault Countermeasures

Impact factor 1.6; Zone 4 (Computer Science); JCR Q3, Engineering, Electrical & Electronic
Shihui Zheng;Shoujin Zang;Ruihao Xing;Jiayu Zhang;Changhai Ou
DOI: 10.23919/cje.2023.00.381
Journal: Chinese Journal of Electronics, vol. 34, no. 2, pp. 548-562
Published: 2025-03-01 (journal article; open access: no)
Full text: https://ieeexplore.ieee.org/document/10982070/
Citations: 0

Abstract

Persistent fault analysis (PFA) can break implementations of the Advanced Encryption Standard (AES) that are protected by fault-attack countermeasures designed to stop differential fault analysis (DFA), which relies on transient faults. When the AES implementation is protected by a higher-order masking countermeasure, however, the number of ciphertexts PFA requires may grow exponentially with the number of shares. We present a persistent-fault-based differential analysis (PFDA) of AES implementations. Two error patterns are identified from ciphertext pairs: exactly one error in a SubBytes operation of round 10, and exactly one error in a SubBytes operation of round 9. The round-9 pattern is used to derive a differential characteristic (DC) for key recovery, and the round-10 pattern is used to deduce the input difference of that DC; the computational complexity is therefore lower than that of DFA. Against RP countermeasures (the higher-order masking scheme above), PFDA encrypts a fixed plaintext many times to tolerate errors, and the number of required encryptions grows only linearly with the number of shares. Simulation results show that PFDA breaks unprotected AES implementations as well as implementations protected by fault-attack countermeasures or by the higher-order masking countermeasures above. Among the analyses based on persistent faults, PFDA requires the fewest ciphertexts.
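The abstract rests on two facts that are easy to check on a toy implementation: a single SubBytes error in round 10 leaves exactly one differing ciphertext byte, a single SubBytes error in round 9 leaves four differing bytes on one diagonal, and a persistent fault in the S-box table makes one output value vanish from every ciphertext byte, which is what baseline PFA exploits. The following is an added example, not code from the paper or its authors: a compact AES-128 in which the persistent fault is modelled as one stuck entry in the SubBytes lookup table (the index 0x3A and the stuck value 0x00, the key, plaintexts, seed and the `simulate_pfa`/`classify_pair` helpers are all assumptions chosen for illustration). It classifies ciphertext pairs into the two error patterns the abstract names, using transient deltas to produce them, and then runs the baseline PFA key recovery from missing ciphertext values. It assumes the round keys were expanded from the correct table before the fault appeared and that the attacker knows which S-box output is missing; PFDA's own key recovery from the round-9 differential characteristic is not reproduced, since the abstract does not specify it.

```python
"""Added example: persistent S-box fault on a compact AES-128 (not the paper's code)."""
import random

# GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11B)
def gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def _sbox_entry(x):
    inv = 1
    for _ in range(254):          # x^254 == x^-1 in GF(2^8); maps 0 to 0
        inv = gf_mul(inv, x)
    rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63

SBOX = [_sbox_entry(x) for x in range(256)]
MUL2 = [gf_mul(x, 2) for x in range(256)]
MUL3 = [gf_mul(x, 3) for x in range(256)]

def expand_key(key):
    """AES-128 key schedule -> 11 round keys. Uses the correct S-box: round keys
    are assumed to have been computed before the persistent fault appeared."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = MUL2[rcon]
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [bytes(b for word in w[4 * r:4 * r + 4] for b in word) for r in range(11)]

def shift_rows(s):      # state is column-major: index = row + 4*col
    return [s[(i + 4 * (i % 4)) % 16] for i in range(16)]

def mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(MUL2[a[r]] ^ MUL3[a[(r + 1) % 4]] ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return out

def aes_encrypt(pt, round_keys, sbox=SBOX, transient=None):
    """Encrypt one block. sbox may be a persistently faulted table; transient =
    (round, byte_index, delta) XORs delta into one SubBytes output (illustration only)."""
    s = [pt[i] ^ round_keys[0][i] for i in range(16)]
    for rnd in range(1, 11):
        s = [sbox[b] for b in s]
        if transient and transient[0] == rnd:
            s[transient[1]] ^= transient[2]
        s = shift_rows(s)
        if rnd != 10:
            s = mix_columns(s)
        s = [s[i] ^ round_keys[rnd][i] for i in range(16)]
    return bytes(s)

# A single round-9 SubBytes error fills one column after MixColumns, and the final
# ShiftRows spreads that column onto one of these four diagonals.
R9_DIAGONALS = [frozenset(r + 4 * ((col - r) % 4) for r in range(4)) for col in range(4)]

def classify_pair(c_ref, c):
    """Label a ciphertext against a correct reference using the abstract's two patterns:
    1 differing byte -> one round-10 SubBytes error; 4 bytes on a diagonal -> one round-9 error."""
    diff = frozenset(i for i in range(16) if c_ref[i] != c[i])
    if not diff:
        return "correct"
    if len(diff) == 1:
        return "round10"
    if diff in R9_DIAGONALS:
        return "round9"
    return "earlier"

def pfa_recover_last_round_key(ciphertexts, missing_output):
    """Baseline PFA: S-box output v is never produced, so ciphertext byte i never equals
    v ^ k10[i]. If v is unknown it is shared by all 16 bytes, leaving only 256 candidates."""
    key = []
    for i in range(16):
        seen = {c[i] for c in ciphertexts}
        absent = [b for b in range(256) if b not in seen]
        if len(absent) != 1:
            raise ValueError(f"byte {i}: {len(absent)} candidates, collect more ciphertexts")
        key.append(absent[0] ^ missing_output)
    return bytes(key)

def simulate_pfa(key, fault_index, fault_value, n_ciphertexts=5000, seed=2024):
    """Stuck table entry at fault_index; returns (recovered k10, true k10). Inputs are constructed."""
    rks = expand_key(key)
    faulty = list(SBOX)
    faulty[fault_index] = fault_value
    rng = random.Random(seed)
    cts = [aes_encrypt(bytes(rng.randrange(256) for _ in range(16)), rks, faulty)
           for _ in range(n_ciphertexts)]
    return pfa_recover_last_round_key(cts, SBOX[fault_index]), rks[10]

if __name__ == "__main__":
    k10, true_k10 = simulate_pfa(bytes(range(16)), fault_index=0x3A, fault_value=0x00)   # constructed key
    print("recovered last round key:", k10.hex(), "ok" if k10 == true_k10 else "FAIL")
```

The pair classification is what makes a fixed-plaintext strategy workable against a randomised (masked) implementation: the correct ciphertext is the one that repeats, and each other ciphertext is sorted by how many bytes differ from it, so single round-10 and single round-9 errors can be separated from earlier errors that diffuse into all 16 bytes. Baseline PFA instead needs enough distinct plaintexts for every value but one to appear in each ciphertext byte, which is why its ciphertext requirement rises when masking randomises which lookups hit the faulty entry.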
Source journal

Chinese Journal of Electronics (Engineering and Technology; Engineering: Electronic and Electrical)
CiteScore: 3.70
Self-citation rate: 16.70%
Articles published: 342
Review time: 12.0 months
Journal description: CJE focuses on the emerging fields of electronics, publishing innovative and transformative research papers. Most of the papers published in CJE come from universities and research institutes presenting their innovative research results. Both theoretical and practical contributions are encouraged, and original research papers reporting novel solutions to current topics in electronics are strongly recommended.