Infective Countermeasures Against Fault Analysis

Abstract

The previous discussion has illustrated to the reader the vulnerabilities of classical redundancy based countermeasure techniques, and potential workarounds to avoid the same via fault space transformation. In this chapter, we introduce a different flavor of countermeasures against fault analysis - infective countermeasures. Infective countermeasures are superior to detection based countermeasures in the sense that they avoid the use of explicit comparison steps that are themselves vulnerable to fault attacks. Infective countermeasures can be broadly classified into two categories - deterministic and randomized. Since all deterministic infective countermeasures have been demonstrated to be insecure in principle (Lomné et al, Fault diagnosis and tolerance in Cryptography – FDTC 2012, 2012, [114]), we focus on state-of-the-art randomized infective countermeasures in this chapter. We present to the reader an infective countermeasure for AES-128 proposed by Gierlichs et al. (Progress in cryptology – LATINCRYPT 2012, 2012, [70]), which was the first randomized infective countermeasure to be proposed in the literature. Unfortunately, this countermeasure is found to have certain vulnerabilities against fault attacks (Battistello and Giraud, Fault diagnosis and tolerance in cryptography – FDTC 2013, 2013, [22]), which we subsequently present to the reader. Finally, we present to the reader a second infective countermeasure for AES-128 proposed by Tupsamudre et al. (Cryptographic Hardware and Embedded Systems–CHES 2014, 2014, [173]) that successfully overcomes these vulnerabilities, and is currently the most secure infective countermeasure in the literature.