Countermeasures for symmetric key ciphers

Abstract

Since a single fault can lead to a recovery of the whole secret key of an AES-128 implementation, protection against fault attacks is vital for security-related devices. Moreover, the fatal impact of undetected faults implies high requirements for such devices: no erroneous result must be revealed with its correct counterpart. Given the fact that secret-key algorithms are not usually based on continuous algebraic structures complicates incorporating redundancy. Designing countermeasures that guarantee this property is a challenging task. As a result, a large number of different countermeasures have been developed. Each of them employs redundancy in a different way, which makes their efficiency heavily dependent on the application scenario and on the assumed adversary. This chapter presents a comprehensive study of fault countermeasures for symmetric key algorithms. It discusses the different levels where countermeasures can be deployed, points out the strengths and weaknesses of the different countermeasures and finally identifies their optimal field of usage.