Framework Infective Fault Countermeasure

IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL.
15, 2020 391
A Framework for Evaluation and Analysis on

Infection Countermeasures Against Fault Attacks
Jingyi Feng , Hua Chen, Yang Li, Zhipeng Jiao, and Wei Xi
Abstract— Infection is a fault attack countermeasure, which threats to cryptographic devices. These vulnerabilities enable
aims to destroy the dependency of the faulty ciphertexts on the adversary to observe the side-channel information leak-
the secret key. However, current security evaluations on infec- age of the devices, perturb their normal behaviors and infer
tion countermeasures are either tailored for the specific attack
scenario or not general enough to apply to various infection the secret intermediates of the cipher. Among the existing
instances. They cannot come to convincing results, let alone implementation attacks, fault attacks (FA) [1] are powerful
make comparisons between different countermeasures. Based ones. By injecting faults into cryptographic devices with
on information theory, this paper presents a generic evaluation clock glitches, electromagnetic radiation or laser radiation,
framework that is feasible for various infection countermeasures the attacks corrupt the normal encryption in the interme-
and attack scenarios. The framework is constructed with the idea
to separate the infection function from the unprotected cipher diate variable or flow sequence. Then, they acquire addi-
yet consider the fault injection effect on the unprotected cipher tional information from the faulty ciphertexts. So far, fault
in the infection function evaluation. First, the security judging attacks have been successfully applied to various cryp-
criteria for the infection function under different attack scenarios tosystems including AES [2]–[4], ECC [5], RC4 [6] and so
are personalized according to the injection-caused security loss on. Though the values of faulty ciphertexts are helpful
of the unprotected cipher. Then, a universal method of security
quantitative analysis on infection function is proposed with two for key retrieval, there still exist attacks that do not use
important steps: the prior knowledge collection and the infection them. For instance, ineffective fault attack (IFA) exploits
operation decomposition analysis. Because the analysis results the non-uniform fault models to reveal the value (dis-
of the simple infection operation can be reused within the tribution) of injected intermediates [7], [8]. Fault sensitiv-
infection function under various attack scenarios, the security ity analysis (FSA) exploits the critical intensity of the
quantifications are efficient. Based on this framework, the paper
also reviews some existing infection countermeasures for their effective injection to identify the value of the processed
fault attack resistances. The result shows that our analysis can data [9]. These attacks are also threatening to cryptographic
expose more infection vulnerabilities than the previous works. devices.
Besides, the security quantification and judgment on these coun- Up to now, there are mainly two kinds of countermeasures
termeasures give us a new insight into their security applicable against fault attacks: detection and infection. Both countermea-
scopes. They are instructive for the countermeasure selection
when the implementation costs are very close. Furthermore, sures can apply to the attacks that rely on the intermediate-
the framework provides an efficient way to evaluate future oriented injection and the faulty ciphertexts exploitation. In the
infection countermeasures. detection countermeasure, the cipher computation is first per-
Index Terms— Fault attack, infection countermeasure, security formed redundantly in the form of space, time or information,
evaluation. followed by a consistency check between the redundant and
original cipher computation results [10]–[12]. If the results
are different, the fault will be detected. Then, the counter-
I. I NTRODUCTION
measure will stop its output to avoid the faulty ciphertext
I N RECENT years, implementation vulnerabilities rather

than mathematical weaknesses have become significant
exploitation in fault attacks. However, if the adversary can
bypass the consistency check with an additional fault injection,
the detection countermeasure will be broken. To avoid the
Manuscript received July 9, 2018; revised December 23, 2018 and
February 24, 2019; accepted February 26, 2019. Date of publication risk, Joye et al. [13] proposed a new defensive strategy called
March 20, 2019; date of current version September 16, 2019. This work infection. By doubling the algorithm and scrambling the data
was supported by the National Key R&D Program of China under Grant paths of the two encryptions, the countermeasure corrupts
2018YFB0904900 and Grant 2018YFB0904901. The associate editor coor-
dinating the review of this manuscript and approving it for publication was the relationship between the secret key and the faulty output.
Prof. Yiorgos Makris. (Corresponding author: Hua Chen.) Finally, it makes the faulty output useless in the original fault
J. Feng and Z. Jiao are with the TCA laboratory, Institute of Software, attack. As a result, there is no need for any consistency check.
Chinese Academy of Sciences, Beijing 100190, China, also with the State
Key Laboratory of Cryptology, Beijing 100878, China, and also with the The ciphertext can always be returned. Infection function is
University of Chinese Academy of Sciences, Beijing 100049, China (e-mail: the core component of the infection countermeasure. It decides
fengjingyi@tca.iscas.ac.cn; jiaozhipeng@tca.iscas.ac.cn). how the data paths are scrambled. The early infection func-
H. Chen is with the TCA laboratory, Institute of Software, Chinese Academy
of Sciences, Beijing 100190, China (e-mail: chenhua@tca.iscas.ac.cn). tions are constructed with deterministic operations. They were
Y. Li is with the Department of Informatics, The University of Electro- soon proved insecure because their scramble effects can be
Communications, Tokyo 182-8585, Japan (e-mail: liyang@ice.uec.ac.jp). easily removed when the construction details are known.
W. Xi is with the Electric Power Research Institute, China Southern Power
Grid, Guangzhou 510663, China (e-mail: xiwei@csg.cn). To address the problem, the later proposed countermeasures
Digital Object Identifier 10.1109/TIFS.2019.2903653 have tried to induce randomness into infection functions in
1556-6013 © 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: Indian Institute of Technology Indore. Downloaded on December 22,2020 at 12:03:36 UTC from IEEE Xplore. Restrictions apply.
392 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 15, 2020
various ways, including multiplicative masking [14], dummy B. Contribution and Organization
computation [15], [16], system configuration parameters [17]
In this paper, we propose the first comprehensive secu-
and so on.
rity evaluation framework for infection countermeasures.
The framework covers a large portion of fault attacks that
A. Motivation and Related Works rely on the exploitation of faulty ciphertexts. It is feasible
for both the existing and future infection functions. It is also
Although random infection countermeasures overcome the
suitable for security comparison between different infections.
weakness of detection countermeasures, their security still
The framework is constructed from the point of information
cannot be evaluated in a general and provable way. Most
theory just as [19] and [21], but with the idea to separate
of the infection countermeasures are first evaluated internally
the security requirement of the infection function from the
by their designers. These evaluations only focus on some
integrated cipher implementation. The main principle is to
particular fault injection scenarios and base on some specific
formalize the fault injection effects on the unprotected cipher
analytical strategies. Yet they ignore the diversity of fault
into the attack scenarios faced by the infection function, and
attacks. As a result, many seemly secure countermeasures
take them into account in the evaluation. Another principle is
are found vulnerable under other attack scenarios in later
to decompose the complicated analysis into multiple simple
researches [18]–[21]. Besides, the evaluation based on ana-
ones, and reuse their results for the efficient evaluation.
lytical strategies can hardly lead to a fair comparison between
different countermeasures. Based on these facts, a natural • Firstly, we construct a security judging criterion for
question is: given an infection countermeasure, whether there infection functions based on the security requirement of
exists a general security evaluation framework that is applica- the integrated cipher implementation and the security loss
ble to various fault injection scenarios and independent of the of unprotected cipher in the given attack scenario. In this
specific analytical strategy. Further, if the answer is yes, can case, the security boundaries are set more precise and
the security be evaluated quantitatively? personalized under different attack scenarios.
Patranabis et al. [19], [21] have tried to make the evaluation • Secondly, we put forward a universal method of security
more general from the perspective of information theory. quantitative analysis with two important steps: the prior
They took the mutual information between the secret key knowledge collection and the simple infection operation
and the difference of the output ciphertexts as the security decomposition analysis. The analysis takes not only the
evaluation metric. Then, they quantified the security of an AES infection output but also the attack-scenario-related infor-
infection implementation [16] formally under three different mation of the infection input as the prior knowledge.
fault injection scenarios. However, their works only focus on Therefore, it enables a thorough exploration of infection
this specific implementation and its specific infection function. vulnerabilities. On the other hand, the analysis decom-
They did not discuss how to generalize their methods to poses the infection function into a series of repetitive and
other infection countermeasures, especially for those with simple infection operations that are related to the random
complicated infection functions. Therefore, gaps still exist in bits. Therefore, the security quantification result of the
the infection countermeasure analysis and mutual informa- infection function can be easily obtained through the
tion quantification. Besides, the evaluation in [19] and [21] information-theoretical analysis of the simple infection
targeted at the integrated cipher implementation. Once the operations.
unprotected cipher or the fault model changes, it always • Finally, we make security judgment on the infection
requires a new security quantification from scratch. There- function under the given attack scenario, according to the
fore, their method may not be the best choice for numer- corresponding judging criterion and quantification result.
ous evaluations under different attack scenarios. Furthermore, To verify the feasibility of the framework, we take
their quantification results reflect the combined effect of the the intermediate-oriented fault injections on AES-128 as
infection together with the other parts of this implementa- the sample attack scenarios and make evaluations on the
tion, including the unprotected cipher algorithm and some existing infection countermeasures. The result shows that
other defensive measures. Therefore, the security compar- most existing countermeasures are not as secure as expected.
ison between different infection countermeasures is still a Through the analysis based on all possible prior knowledge,
problem. we find not only their well-known vulnerabilities, but also new
Ghosh et al. [22] have tried to separate the security analysis flaws that have never been taken as threats. We summarize all
of the infection function from the analysis of the integrated these vulnerabilities in Table I and highlight the new ones
cipher algorithm. They have proved that if the infected faulty in bold. This work confirms the comprehensiveness of our
ciphertexts are totally random, then no secret key can be framework. On the other hand, the quantitative evaluation
retrieved from them. This work provides an identification cri- result gives us a new insight into the application of infec-
terion for the perfect secure infection countermeasure against tion countermeasures. It is instructive for the countermeasure
all the faulty ciphertexts exploitation attacks. However, the cri- selection when the implementation costs are close.
terion is too strict for the evaluation under each specific The paper is organized as follows. Section II provides
attack scenario. It is likely to result in false negative security the necessary preliminaries on fault attacks and infection
judgments. Besides, this work did not mention how to quantify countermeasures. Section III presents the proposed evaluation
the randomness of the infected faulty ciphertexts. framework. Section IV takes the fault injections on AES-128
FENG et al.: FRAMEWORK FOR EVALUATION AND ANALYSIS ON INFECTION COUNTERMEASURES AGAINST FAULT ATTACKS 393
TABLE I
I NFECTION C OUNTERMEASURE AND S ECURITY J UDGMENT ( FOR FA S ON AES-128)
as the sample attack scenarios to demonstrate the security A. Fault Attack

judging criteria for infection functions. Then, the security
quantification analyses on RIMBEN, ICDR, and LDRNM Fault attacks (FA) are an aggressive secret information
are detailed in Section V to VII, respectively. Section VIII retrieval method. In this attack, the adversary injects faults
generalizes the evaluation and makes comparison between into cryptographic devices and makes the analysis on the faulty
different countermeasures. Section IX concludes the paper and encryptions. The attacks are flexible owing to various injection
highlights the future work. targets, fault models and analytical strategies.
The fault injection can change either the intermediate
variable or the flow sequence of the algorithm. Usually,
II. P RELIMINARIES only one injection is allowed during each encryption. In the
Notations intermediate-oriented injection, the induced fault e is described
with its fault model in terms of width, location and value.
• C: the correct ciphertext The width shows the sphere of influence of the fault, such as
• C: the output difference between the original and the bit-level, byte-level or word-level. The location and the value
redundant cipher computation, which is also the input of explain which part of the intermediate is corrupted and what
the infection function in most countermeasures difference the fault brings about, respectively. Both of them
• I (C): the output of the infection function can either be known to the adversary or random unknown.
• C p : the prior knowledge of infection input C that Compared to the random unknown byte-oriented fault model,
can be derived from the fault injection in the unprotected the specified known bit-oriented one requires more precise
cipher. It records the number and relative location of zero control on the fault injection. However, it allows an easier
(non-zero) bytes in C. It also records whether C is secret information retrieval analysis, especially when the fault
the same in different infections. diffusion in the ciphertext is incomplete.
• F: the difference between the infected and the fault- So far, many traditional cryptanalysis methods have been
free (correct) ciphertext. For a series F derived from borrowed by fault attacks to retrieve the secret key, includ-
the same infection input, Fi denotes the one worked ing differential fault analysis (DFA) [23], algebraic fault
out from the i -th infection analysis [24], integral fault analysis [25] and statistical fault
• e: the induced fault, which is equal to the difference of analysis [26]. All these attacks rely on the exploitation of
the target intermediate before and after the fault injection faulty ciphertexts. Among them, the optimal DFA [27] is the
• K: the distinguishable secret key involved in the fault only one proposed from the information theoretical perspec-
propagation tive. It makes full use of the information leakage about the
• l o : the information leakage of K resulted from each fault model, the correct and faulty ciphertexts. Therefore,
injection it reveals the strongest security threat of each injection. Base
• H (X): the information entropy of X measured in bits on this fact, we take the optimal DFA as a necessary attack
Only a few countermeasures do not take the output dif- scenario in our evaluation framework.
ference C as the infection input. They take a C-related There are also attacks that do not use the values of faulty
variable as their infection input. The prior knowledge of this ciphertexts, such as safe-error attack (SEA) [28], ineffec-
variable can also be derived from the fault injection in the tive fault attack (IFA) [7], [8] and fault sensitivity attack
unprotected cipher. For simplicity, we generally denote C as (FSA) [9]. These attacks rely on the information of the fault
the infection input, C p as the prior knowledge of infection injection and focus on whether the injection has an effect on
input, and I (C) as the infection function output. For the the encryption. They are less efficient than the attacks that
exceptions, We will make another explanation. exploit the values of faulty ciphertexts. However, they could
the entire cipher computation. It enables the loose coupling

between the countermeasure and the cipher algorithm. Because
the built-in infection does not provide more resistance than the
built-out one in terms of the worst case attack (the last round
fault injection), the follow-up evaluations mainly focus on the
cipher implementations with built-out infection.
Fig. 1. Generic construction of infection countermeasures.
III. I NFECTION C OUNTERMEASURE
E VALUATION F RAMEWORK
perform against common countermeasures, such as detection
and infection. In this section, first, we give an intuitive description of our
evaluation framework and explain its application condition via
the terminology definition. Then we detail how to construct
B. Infection Countermeasure
the security judging criteria and how to make the quantitative
Infection is a fault attack countermeasure that aims to render analysis on the infection countermeasure.
the faulty ciphertext useless. The countermeasure consists of
two parts: repetitive encryption and infection function. Fig. 1
illustrates the generic construction of infection countermea- A. Terminology and Design Consideration
sures. The encryption is made twice with the same plaintext 1) Terminology: We show the generic evaluation framework
and the same key. One is called the original cipher computation for infection countermeasures in Fig. 2 and explain it as
and the other one is called the redundant cipher computation. follows. Firstly, as shown in Fig. 1, the integrated cipher
The countermeasure takes their output difference C as the implementation is made up together by the unprotected cipher
input of the infection function I . Then it masks the original and the infection function. The structures of them are open to
cipher computation output with the infection function output the public. The key of the cipher, the output difference of the
I (C). Let C denote the cipher computation output free of original and the redundant cipher computation, and the random
the fault. The infected output will either be C ⊕ I (C) or number of the infection function are kept secret. In this frame-
C ⊕C ⊕ I (C) depending on whether the fault is injected work, the cipher implementation is allowed to encrypt the
in the redundant or the original cipher computation. Infection same plaintext many times. It means the difference between
functions are usually constructed with simple crypto structures the infected and the correct ciphertext, F, is available to
and existing cryptographic modules. For C = 0, I (0) should the adversary. Secondly, the fault injection is characterized
be equal to 0 to ensure the correctness of the fault-free encryp- with the target intermediate and the fault model. Both of
tion output. For C = 0, the infection function introduces a them are open to the public. In this framework, only one
secret random number R to make the fault diffusion in the temporary intermediate-oriented injection is allowed during
infected output unpredictable. In most of the existing infection each encryption. Thirdly, the evaluator for infection counter-
countermeasures, R is updated every encryption. measures consists of two parts: security judging criteria and

0, C = 0 security quantitative analysis. Only if the quantification results
I (C) = (1) satisfy the corresponding judging criteria, the countermeasure
F(C, R), other wi se
is considered secure. The framework currently only covers the
Due to the randomness of infection functions, it is almost attacks that rely on the exploitation of faulty ciphertexts.
impossible to change a faulty ciphertext into the correct one 2) Design Consideration: The framework is constructed
through infection. Infection countermeasures cannot resist the based on entropy analysis. Firstly, the evaluation result should
attacks that do not use the values of faulty ciphertexts. They have the same meaning for any infection countermeasure.
are also vulnerable to the double-fault injections that induce The evaluator has to be independent of analytical strategies.
two identical faults in the original and redundant compu- According to the standard approach in information theory,
tations. Besides, the infection itself cannot resist the flow Shannon’s conditional entropy is a good choice for such eval-
sequence-oriented injections that skip its execution. Therefore, uation metric. Given the attack parameters and the ciphertexts,
the follow-up framework mainly focuses on the intermediate- it reflects the remaining uncertainty of the secret variable. Sec-
oriented single fault injection scenarios. It evaluates how ondly, the entropy analysis is efficient for security quantifica-
well the infections perform against the faulty ciphertexts tions. We can work out the uncertainty loss in the complicated
exploitation attacks. An extended discussion about the eval- infection function easily, by integrating the uncertainty losses
uation under other fault injection scenarios is given briefly in in its more granular infection operations, without constructing
Section VIII-C. a concrete key retrieval strategy. During the entire evaluation,
According to where the infections take place, we divide we only have to analyze one infection operation. Then we
the integrated cipher implementations into two groups: built- can reuse its security quantification results many times, not
in infection and built-out infection. The built-in infections only within the infection function but also under different fault
are inserted between the iterations of the cipher rounds. injection scenarios. Last but not least, the entropy analysis
They infect the subsequent intermediates immediately after the always requires full use of prior knowledge. Therefore, it can
injection. The built-out infection is performed only once after ensure a more accurate security quantification and a more
Fig. 2. Overview of security evaluation and analysis on infection countermeasure.
thorough vulnerability exploration of the infection counter- infection functions are constructed with a series of random-
measure. bit-related infection operations which are simple, identical and
Thanks to the decoupling between the unprotected cipher independent of each other. We put forward a universal security
and the built-out infection function, we can recover the infec- quantification method for the infection function, based on
tion input C and the corresponding secret key in sequence the infection operation decomposition and analysis. Finally,
during the fault attack. It means that the FA-resistance of by integrating the analysis results according to the collected
the integrated cipher implementation is jointly decided by prior knowledge, we can obtain the remaining uncertainty of
the protective effect of the infection function on C and the C efficiently under the given attack scenario.
protective effect of the unprotected cipher on the secret key.
Given F and the prior knowledge of infection input C p , B. Security Judging Criteria
the protective effect of the infection function indicates the
remaining uncertainty of C. Given C and C, the protec- 1) Security Requirement of the Perfect FA-Resistant Cipher
tive effect of the unprotected cipher indicates the remaining Implementation: In the fault attack on the cipher implementa-
uncertainty of the secret key. For simplicity, the framework tion, K denotes the distinguishable secret key bytes involved in
focuses on the evaluation of the infection function rather than the fault propagation. Given C, F and the attack-scenario-
the integrated cipher implementation. The fault injection in the related prior knowledge C p , the remaining uncertainty of
unprotected cipher decides the attack scenario faced by the the secret key can be expressed as H (K|C, F, C p ). For
infection function. the perfect FA-resistant cipher implementation,
The security judging criteria define the lower bounded H (K|C, F, C p ) = H (K). (2)
uncertainty of C that should be maintained by secure
infection functions under the given attack scenario. It is 2) Protective Effect of the Unprotected Cipher on the Secret
developed from the point that the C recovered from a Key With the Known C: Consider the attack on the unpro-
secure infection function cannot lead to an effective secret key tected cipher with the known C and C. The injection-caused
distinguishment. First, we take the security requirement of the information leakage of the secret key can be expressed as
perfect FA-resistant cipher implementation as the principle. l0 = H (K) − H (K|C, C). (3)
Then, we personalize the security requirement of the infection
function according to the protective effect of the unprotected With the knowledge of the fault injection, the uncertainty of
cipher on the secret key with the known C. the secret keys, H (K), can be derived through the fault propa-
As for security quantitative analysis, the goal is to work gation analysis on the unprotected cipher. Then, H (K|C, C)
out the uncertainty of C maintained by the given infection can be worked out from the differential distribution property
function. Different from the existing works which take C of the nonlinear cipher components and the uncertainty of
a totally unknown variable, we conduct the prior knowledge the induced fault e. For instance, for the unprotected ciphers
collection in advance to figure out what can be used in the which adopt the bijective Sboxes as the nonlinear components,
analysis. The collection is independent of the specific opera- H (K|C, C) ≈ H (e) (refer to the information-theoretical
tions in the infection function. It focuses on the information of analysis on the optimal DFA in [27] for details). The leakage
the infection input and output that can be directly derived from l0 reflects the contribution of the unprotected cipher to the
the attack scenario and F. Then, consider the fact that most FA-resistance of the integrated cipher implementation.
3) Judging Criteria for the Secure Infection Function: into the prior knowledge of infection function. Then, we make
The knowledge of C is necessary for the optimal DFA on the infection operation decomposition and analysis based on
the unprotected cipher. So we intuitively believe that, in the all possible prior knowledge.
perfect FA-resistant cipher implementation, the uncertainty of 1) Prior Knowledge Collection:
C guaranteed by the secure infection function has to be no a) Attack-scenario-related prior knowledge of C: C
less than the injection-caused information leakage of K in the is the secret intermediate protected by the infection function,
unprotected cipher. That is, but it is not totally unknown. With the knowledge of the fault
Proposition 1: If H (K) = H (K|C, F, C p ), then injection and the unprotected cipher, its repeatability and the
fault diffusion property can be easily revealed. They form the
H (C|C p , F) ≥ l0 = H (K) − H (K|C, C). (4)
prior knowledge of infection function input, C p .
Because the original proposition is equivalent to its converse- • Repeatability: Consider the case that the cipher imple-
negative proposition, we will prove its converse-negative mentation encrypts the same plaintext many times.
proposition that: If the adversary can inject M identical faults in these
If H (K) > H (K|C, C)+H (C|C p, F), then H (K) > encryptions, then C is repeatable in the correspond-
H (K|C, F, C p ).1 ing infections. In this case, we substitute the F
Proof: in H (K|C, C p ,F) with the infection differences
(F1 , . . . , FM ) derived from the identical C. We can
H (K|C, C p ,F)
also work out the output difference of infection function
= H (K, C, C p ,F) − H (C, C, C p ,F) as Fi ⊕ F j (i = j ).
+H (C, C, C p ,F) − H (C, C p ,F) • Fault diffusion: Fault diffusion describes the number and
= H (K, C, C p ,F) − H (C, C,F) the relative location of the zero and non-zero bytes in C.
For the given unprotected cipher, it could be derived from
+H (C|C, C p ,F) (5)
the target intermediate and the fault model via the fault
Since C contains all the information in C p , then propagation analysis.
H (K, C, C p ,F) ≤ H (K, C, C,F). Although C p does not contribute to the secret key retrieval
directly, it is useful for the retrieval of the exact value of
H (K|C, C p ,F)
C. Moreover, C p has nothing to do with the concrete
≤ H (K|C, C,F) + H (C|C, C p ,F) infection function. It can be reused in the evaluations of
≤ H (K|C, C) + H (C|C p ,F) (6) different infections.
b) F-related prior knowledge of I (C) and C:
Therefore, if H (K) > H (K|C, C) + H (C|C p , F),
In the cipher implementation, F reveals either I (C) or
then H (K) > H (K|C, F, C p ).
C ⊕ I (C). For the second case, it is necessary to check
The converse-negative proposition is proved. The original
whether the distributions of the non-zero bytes in C and
proposition is also true, which confirms our inference. Obvi-
I (C) are consistent, according to the diffusion properties
ously, (4) is a necessary but not sufficient condition for the
of the infection function. If not, the non-zero byte in C (or
secure infection to achieve the perfect cipher implementation.
I (C)) which is XORed with zero byte in I (C) (or C) can
But it offers a precise and flexible criterion to identify the
be revealed directly from F. This operation further expands
insecure infection under each specific attack scenario.
the prior knowledge of C and I (C).
On the other hand, if no information about C except for its
2) Infection Operation Decomposition and Analysis: The
prior knowledge can be retrieved from the infection, the key
core components of the infection function are random-bit-
retrieval attack on the unprotected cipher will be infeasible.
related infection operations. They confuse the relationship
Therefore, (7) is a sufficient condition for the secure infection.
between the infection function input and output. Usually,
H (C|C p , F) = H (C|C p ) (7) these operations appear more than once in each infection
function. Their prior knowledge is of limited types. Therefore,
we suggest to conduct security quantification as follows:
C. Security Quantitative Analysis
• Decompose the infection function into a series of identi-
The security quantitative analysis aims to figure out the
cal random-bit-related operations.
expression of H (C|C p , F) for the given infection func-
• Take one of these operations as the example and enu-
tion under all possible attack scenarios. In this formula, F
merate all the possible types of its prior knowledge. For
can either be I (C) or C ⊕ I (C), depending on where
each type of prior knowledge, quantify the remaining
the fault is injected. When F = I (C), C can only
uncertainty of the operation input (or output). We denote
be retrieved through the infection function inversion. When
the quantification result as the protective effect of the
F = C ⊕ I (C), C can also be retrieved through I (C)
infection operation.
prediction. Taking both cases into account, we first formalize
• Deduce how the prior knowledge of the infection function
the public information, including the attack scenario and F
decides the prior knowledge of the infection operations,
1 Note that H (K|C, F, C ) can be no larger than H (K). H (K) >
p
according to the relationships between their inputs (or
H (K|C, F, C p ) is the negative of H (K) = H (K|C, F, C p ). outputs). Then, integrate the protective effects of all the
infection operations by type to construct the formula So far, the quantification analysis only focuses on the infec-
expression of H (C|C p , F). tion function itself. It involves no concrete attack-scenario-
A proper decomposition of the infection function is the related prior knowledge. Therefore, it can be applied to any
key to efficient analysis. It follows three guidelines. Firstly, attack scenario.
the infection operation should be independent of each other.
Secondly, the operation should be as simple as possible to D. Security Quantification and Judgment
enable an easy quantitative analysis. Last but not least, there
should exist available prior knowledge about this operation to Finally, by configuring (8) with the specific prior knowledge
of C and I (C) collected from the given attack scenario
support the analysis.
According to the prior knowledge of the infection function and F, we get the protective effect of the infection function.
about C and I (C), the prior knowledge of the random-bit- Note that if the prior knowledge of C or I (C) is not
fully utilized in the infection operation analysis, we can take
related infection operation includes three aspects: input value,
output value, and output difference. In the infection function, the unused knowledge to filter the remaining C candidates.
different infection operations are connected with different bits In this case, the uncertainty of C in (8) will be further
reduced.
of C and I (C). Therefore, their prior knowledge may
belong to different types. For instance, if certain bits of For the given attack scenario, if the security quantification
result of H (C|C p , F) does not satisfy the requirement
I (C) are known in advance, then the corresponding infection
operations should be analyzed with the prior knowledge of in (4), the infection function is theoretically insecure under
the output values, while the others should not. For each this scenario. On the other hand, if it satisfies the requirement
in (7), the infection function is secure for the scenario.
infection operation, we take P R I O R to denote one possible
type of its prior knowledge. I N and OU T denote its input
and output to be protected. Then, its protective effect can IV. E VALUATION OF I NFECTION F UNCTIONS AGAINST
be represented as H (I N|P R I O R) (or H (OU T |P R I O R)). THE FAULT ATTACK ON AES-128
Because different infection functions adopt distinct infec- To verify the feasibility of the framework, we take 8 differ-
tion operations, it requires the concrete analysis to work ent fault injections on AES-128 as the sample attack scenarios
out H (I N|P R I O R) (or H (OU T |P R I O R)) for different (refer to Table II) and evaluate several existing infection
countermeasures. functions. In these attacks, the injection target and the width
According to the common construction of infection func- of the faults are referenced from [2]–[4]. The location and
tion, many operations in one infection function share the the value of the faults are chosen according to the common
same type of prior knowledge. The probability distributions settings. In this section, we figure out the judging criteria for
of their prior knowledge are almost the same. Therefore, the secure infection under each attack scenario. We also collect
we can quantify the protective effects of the infection operation the attack-scenario-related prior knowledge of C. In the fol-
based on a few types of prior knowledge and reuse the lowing sections, we make quantification analysis and security
results within the infection function. However, the relation- judgment one by one on each specific infection function. Note
ships between the infection function inputs (or outputs) and the that our evaluation results in Section III to Section VIII-A only
infection operation inputs (or outputs) are distinct in different cover the encryption intermediate-oriented single injection
countermeasures. For each countermeasure, it requires the scenarios.
concrete analysis for a general understanding of how the prior
knowledge of the infection function decides that of infection
operations. To be specific, how many operations can work A. Security Judging Criteria
with type-1 prior knowledge, how many can work with type- According to the differential distribution property of the
2 prior knowledge, etc. Based on this analysis, the security bijective Sbox in AES-128 [27], the lower bounded uncer-
quantification results of the infection operations can be further tainty of C that should be maintained by the secure infection
reused under various attack scenarios. function is
Let num denote the number of independent random infec-
tion operations in the given infection function. P R I O R i H (C|C p , F) ≥ lo ≈ H (K) − H (e). (9)
denotes the prior knowledge of the i -th infection operation
(i = 1, . . . , num). I N i and OU T i denote its input and output, B. Fault Diffusion in C and the Specific Value of l0
respectively. If the relationships between I N i and C, and
the relationships between OU T i and I (C) are deterministic In the attack scenario (1.1) and (1.2), a bit-oriented fault is
and linear, the uncertainty of C maintained by this infection induced into the input of the 10-th round SubBytes (S B) [2].
function can be integrated as Then, one byte in C is corrupted and one key byte is involved
in the fault propagation. It indicates that 15 zero bytes in C
H (C|C p , F) are available for the infection function analysis and one secret
⎧ key byte is distinguishable in the analysis of the unprotected
⎪
⎨ H (I N |P R I O R ),
i i C i nver si on AES-128, H (K) = 8 bits. Since the value of the single bit-
= i (8) oriented fault must be 1, it brings no uncertainty to H (e). The
⎪
⎩ H (OU T |P R I O R ), I (C) pr edi cti on.
i i
i random location of the fault brings about log2 ( 128 1 ) = 7 bits
TABLE II
FAULT D IFFUSION IN C AND S ECURITY J UDGING C RITERIA FOR I NFECTION F UNCTION (A GAINST THE FA S ON AES-128)
Fig. 3. Basic structure of infection function in RIMBEN (N=16). (a) Preprocessing structure. (b) HW balanced network (with 2 random 4-state switches).
(c) Output confusion network (with random 2-state switches in stage 2).
uncertainty to H (e). According to (9), l0 = 8 − 7 = 1 bits in The control bit of the switch decides whether it performs
the attack scenario (1.1) and l0 = 8 bits in the scenario (1.2). straight or cross operation. The other half are OR-enhanced
In the attack scenario (2.1), (2.2) and (2.3), a byte-oriented switches that perform OR operations. They, together with the
fault is induced into the input of the 9-th round MixColumns preprocessing logic, make the input of the switches in stage
(MC) [3]. It results in 4 discrete non-zero bytes in C and log2 N − 1 equal to “101010 . . .” for any C = 0. Therefore,
4 distinguishable key bytes, H (K) = 32 bits. The random the first network is also called HW-balanced network. The
location and the random value of the induced fault bring about subsequent switches in RIMBEN are all 2-state switches. Most
log2 ( 128
8 ) = 4 bits and 8 bits uncertainty to H (e), respectively. of them are configured with the fixed control bits that are
Therefore, l0 = 20, 24 and 32 bits for the scenario (2.1), (2.2) randomly generated in the initialization process, except for
and (2.3), respectively. the switches in one stage. This special stage is randomly
When further increase the width of the fault or bring forward selected from the second benes network in each infection.
the timing of injection, more C bytes will be corrupted, and All the 2-state switches in this stage are configured with
more key bytes will be involved. In the scenario (3.1), (3.2) secret random control bits. This stage-based randomization can
and (3.3), a byte-oriented fault is induced before the 8-th round further confuse the infection output. As an additional option,
MixColumns (MC) [4]. It results in 16 non-zero bytes in C the infection function can upgrade the 2-state switches in the
and makes H (K) = 128 bits. Therefore, l0 = 116, 120 and middle stage of the first network to random 4-state switches,
128 bits for the scenario (3.1), (3.2) and (3.3), respectively. by adding more random control bits to enable the lower/upper
broadcast operations.
V. Q UANTIFICATION A NALYSIS ON RIMBEN
RIMBEN (Random Infection based on Modified Benes A. Analysis on RIMBEN Without 4-State Switches
Network) [17] is a built-out infection countermeasure. 1) F-Related Prior Knowledge: Owing to the
As shown in Fig. 3, it employs a preprocessing OR logic HW-balanced network that results in the identical intermediate,
and 2 modified benes networks in sequence to construct the repeatability of C makes no additional contribution
the infection function. The N × N benes network adopts a to the infection vulnerability analysis. Moreover, it makes
(2 log2 N − 1)-stage symmetrical recursive structure with N2 the infection function non-invertible. C can only be
switches in each stage. In the first network, half of switches in retrieved through I (C) prediction under the condition that
stage 0 to log2 N − 2 are 2-state switches (refer to Fig. 4(a)). F = C ⊕ I (C). When the fault diffusion in C is
random stage. For illustration, we take |C| as the bit length

of the non-zero bytes in C. It is equal to the length of the
unknown bits in I (C).
• Consider the case that the unknown bits in I (C) are
continuous between the (i · |C| + 1)-th and the ((i +
1) · |C|)-th bit, where i ∈ [0, |C|
N
]. If the random 2-
state switches are located between the stage log2 |C|
and 2 log2 N − 2 − log2 |C|, then each random switch
has at most one unknown output bit. So, there are
|C| random 2-state switches working with the prior
knowledge (I N1 , I N2 , OU T2 ). (For instance, in Fig. 3c,
the 4 continuous output bits marked in red are derived
Fig. 4. 2-state switch in RIMBEN. (a) Control logic of 2-state switch. from 4 different 3-stage subnetworks highlighted with
(b) Transition probability of random 2-state switch. dash boxes. It indicates that any two output bits marked
in red cannot come from the same random switches in
these 3 stages.)
incomplete, the distributions of non-zero bytes in C and • If the unknown bits in I (C) are not continuous, or the
I (C) are different. Some certain bytes in I (C) can be random switches are located in other stages, there are at
revealed directly from F. most |C|
2 random 2-state switches working with the prior
2) Infection Operation Decomposition and Analysis: knowledge (I N1 , I N2 ) and the unknown outputs.
In RIMBEN without 4-state switches, the random 2-state
In RIMBEN, the random stage configured with random 2-
switches in the random stage are the smallest infection opera-
state switches follows a uniform distribution. According to
tions related to the secret random bits. Fig. 4(b) illustrates the
whether the unknown bits of infection function output are
transition probability between the switch input (I N1 , I N2 ) and
continuous, we summarize the upper bound uncertainty of C
output (OU T1 , OU T2 ) under different cases. Consider the fact
as (11), in which stage denotes the random stage.
that all the control bits in RIMBEN are randomly generated,
the values of the known input and output of the random 2-state H (C|C p , F)
switches obey uniform probability distribution. The protective
= P(stage) H (OU T1 , OU T2 |P R I O R)
effect on its output can be concluded as (10). In this equation, st age N/2
the conditional entropy is smaller than H (OU T1 , OU T2 ) or ⎧
⎪
⎪ 2 log2 |C| |C| 1
H (OU T1), which reveals a new vulnerability of RIMBEN. ⎨ · · + 0, conti nuous
2 log2 N − 1 2 2
≤ 2 log N − 1 |C| (11)
H (OU T1, OU T2 |P
⎧ R I O R) ⎪
⎪ 2 1
⎩ · · , other wi se
⎨1 2 log2 N − 1 2 2
, P R I O R = (I N1 , I N2 )
= 2 (10) b) When the initial configurations of the fixed 2-state
⎩0, P R I O R = (I N , I N , OU T ).
1 2 2 switches are kept secret: we cannot obtain enough prior
Because it is not specified in [17] whether the initial con- knowledge about the random 2-state switches to support the
figurations of the fixed 2-state switches are made public or further analysis. In this case, we decompose the infection
kept secret, we make the analysis under both conditions. function into more coarse-grained operation with clear input
a) When the initial configurations of the fixed 2-state and output characteristics. The operation is the permutation
switches are open to the public: the relationship between the network that consists of all the elements in RIMBEN after
constant intermediate “101010 . . .” of the first network and the HW-balanced process. The operation take “101010 . . .” as
the inputs of the random 2-state switches is clear. The prior input I N. It indicates the Hamming weight of the operation
knowledge of the switch outputs can also be derived from the output OU T is N2 . Then we separate the operation output
recovered bytes in I (C). In this case, the vulnerable random into two parts: OU Tk denotes the recovered bits and OU Tu
2-state switches can lead to a new attack on RIMBEN.2 denotes the others. Let H W (·) denote the Hamming weight
According to the recursive topology of the network, the prior of the variable. The protective effect of the operation can
knowledge of the random 2-state switches changes with the be derived as (12), in which Imax is the maximum value of
H W (OU Tu ) that can be reached.
2 For each random 2-state switch, we first derive all its input bits from
“101010 . . .”, and some of its output bits from the recovered bytes in I (C). H (OU Tu |P R I O R)
Then, we retrieve its unknown output bits based on the non-zero table items
(marked in gray) in Fig. 4(b). To be specific, we select the row index of the ≤ H (OU Tu |H W (OU Tu ))
table according to the derived bits, then find the non-zero table items in this
Imax
row, and finally take the column indexes of these items as the candidates of = P(i )H (OU Tu |H W (OU Tu ) = i ) (12)
the unknown output bits. For instance, if the switch input is“01” and one of
its output bit is “0”, then we find the row “010” in the right table and recover i=0
another output bit as “1”. If the switch input is “01” and there is no prior For RIMBEN, OU Tk and OU Tu in (12) correspond to
knowledge of its output, then the output can either be “01” or “10”, according
to the left table. Finally, we transform the outputs of random 2-state switches the recovered and unrecovered bytes in I (C), respectively.
into the bits in I (C) and work out the candidate of C as I (C) ⊕ F. Imax = min{ N2 , |C|}. Consider the fact that all the control
bits in RIMBEN are randomly generated. Each output bit larger than 1 but smaller than 8. The countermeasure
of RIMBEN obeys the identical probability distribution. Let cannot resist the unrepeatable deterministic fault model.
C(a, b) denote the number of b-combinations in a set of a ele- • For the attack scenario (2.1), (2.2) and (2.3): |C| =
ments. Then, H (OU Tu |H W (OU Tu ) = i ) = log2 C(Imax , i ). 32 bits. H (C|C p , F) ≤ 28.63 bits. It is larger
C( N ,i)C( N ,i)C( N ,Imax −i) than 20 and 24, but smaller than 32. The countermeasure
P(H W (OU Tu ) = i ) = 2 2 2
C(N,Imax ) . The uncer-
tainty of C can be worked out as cannot resist the unrepeatable deterministic fault model.
• For the attack scenario (3.1), (3.2) and (3.3): |C| =
H (C|C p , F) 128 bits. H (C|C p , F) ≤ 60.31 bits. It is far from
= H (OU Tu |P R I O R) the security requirements (116,120 and 128) under the

Imax unrepeatable fault model.
C( N2 , i )C( N2 , Imax − i )
≤ log2 C(Imax , i ) (13) Above all, RIMBEN with public initial configurations does
C(N, Imax )
i=0 little to the security enhancement. It cannot reach the security
To sum up, the random 2-state switch is not a good choice requirements under the unrepeatable fault model, let alone the
for infection operation, especially when its inputs are known. repeatable fault model. RIMBEN with secret initial config-
Its predictable outputs can lead to a great uncertainty loss urations shows better resistance than the former one, espe-
to C. Besides, the predictable Hamming weight of the cially for the scenarios with small |C| and the random
unknown bytes in I (C) is another significant vulnerability fault model. However, it cannot resist the deterministic fault.
of the countermeasure. However, the internal evaluation by the Since H (C|C p , F) is always smaller than H (C|C p ),
designers ignored all the prior knowledge about the random RIMBEN can hardly resist the repeatable fault injections.
infection operations. It leads to an overestimation of the
security of RIMBEN. C. Discussion
So far, our analysis is all based on the single infection.
C p does not contain the knowledge of the repeatability of The case study on RIMBEN shows that different from the
C. For the repeatable infections with the identical C, existing evaluations, the framework can apply to almost all the
the protective effect of the infection function can be derived intermediate-oriented attack scenarios. Firstly, the comprehen-
from (11) and (13) as sive collection and utilization of the prior knowledge make
the evaluation result much closer to the real FA-resistance of
H (C|C p ) − H (C|C p , F1 , . . . , FM ) the countermeasure. Then, the infection operation is analyzed
= M · (H (C|C p ) − H (C|C p , F)) (14) based on all possible forms of prior knowledge. It enables effi-
cient security quantifications under different attack scenarios.
Besides, the analysis is helpful to construct efficient analytical
strategies. For instance, in (12), H (OU Tu |H W (OU Tu ) =
B. Security Quantification and Judgment 0) ≤ H (OU Tu |H W (OU Tu ) = i, i = 0). By selecting the
According to the prior knowledge of C and the security case that the Hamming weight of the unknown bytes in I (C)
judging criteria in Section IV, the security of RIMBEN without is 0, we can recover C more efficiently than in other cases.
4-state switches is quantified and judged as follows. Consider the RIMBEN with 4-state switches. The random
1) When the Initial Configurations of the Fixed Switches 4-state switch only takes “10” as the input. Then, it outputs
Are Open to the Public: “00”, “01”, “10” and “11” with the equal probabilities. There-
fore, t such switches will result in 2t unknown input bits for
• For the scenario (1.1) and (1.2) with 1 non-zero byte
random 2-state switches, and 2t +1 possible Hamming weight
in C: |C| = 8 bits and the unknown bits in I (C)
of I (C). They reduce the available prior knowledge for the
are continuous. According to (11), H (C|C p , F) ≤
analysis. Given the information above, the FA-resistance of
0.92 bits. It is far from the security requirements (1 and
such RIMBEN can also be quantified under our framework.
8) under the unrepeatable fault model.
• For the attack scenario (2.1), (2.2) and (2.3) with 4 non-
zero bytes in C: |C| = 32 bits and the unknown VI. Q UANTIFICATION A NALYSIS ON ICDR
bits in I (C) are not continuous. H (C|C p , F) ≤ ICDR (Infective Computation and Dummy Rounds) is a
16 bits. It is not enough for the security requirements (20, built-in infection countermeasure [15]. It consists of three
24 and 32) under the unrepeatable fault model. different kinds of round computations: the original cipher
• For the attack scenario (3.1), (3.2) and (3.3) with 16 non-
computations, the redundant cipher computations and the
zero bytes in C: |C| = 128 bits and the unknown dummy computations. The dummy computations are randomly
bits in I (C) are continuous. H (C|C p , F) ≤ inserted between the others except the one in the last round.
34.47 bits. It is far from the security requirements Let (R0 , R1 , R2 ) and (C0 , C1 , C2 ) denote the corresponding
(116,120 and 128) under the unrepeatable fault model. round states and round intermediates, respectively. RF denotes
2) When the Initial Configurations of the Fixed Switches the round function of the cipher. Algorithm 1 shows how ICDR
Are Kept Secret: is applied to an S-P network.
• For the attack scenario (1.1) and (1.2): |C| = 8 bits. ICDR is not in accordance with the general construction
According to (13), H (C|C p , F) ≤ 5.49 bits. It is in Fig. 1 strictly. When the fault is injected between the

Algorithm 1 ICDR in LatinCrypt 2012 [15] construction (Fig. 1). It takes = i SNLF(C i ) rather
Input: Plaintext P, round key ki for i ∈ {1, . . . , n}, than C = C n ⊕SNLF(C n ) as input. Because SNLF does
dummy round parameters (β,k0) not change the fault diffusion, the prior knowledge of C
Output: Ciphertext C =BlockCipher(P, K ) is consistent with the study in Section IV. On the other
1 Original cipher state R0 ← P, Redundant cipher state hand, C i is the difference between the original and the
R1 ← P, Dummy state R2 ← β; redundant cipher intermediate of the i -th round. The prior
2 C0 ← 0, C1 ← 0, C2 ← β, i ← 1; knowledge of in terms of zero (non-zero) bytes can
3 while i ≤ 2n do also be worked out through the fault propagation analysis on
4 λ ←RandmBit() ; /* λ = 0 implies a dummy round */ AES-128. We collectively denote the prior knowledge of C
5 κ ← (i ∧ λ) ⊕ 2(¬λ); and as C p .
6 ζ ← i /2 λ ; /* ζ is actual round counter, 0 for dummy round 2) F-Related Prior Knowledge: When the fault diffusion
*/ in C is incomplete, the number of non-zero bytes in is
7 Rκ ←RF(Rκ , kζ ); no smaller than that in C. Besides, RI inherits the diffusion
8 Cκ ← Rκ ⊕ (C2 ⊕ β) ; /* infect Cκ to propagate a fault */ property of the original round function. It further makes the
9 μ ← λ(¬(i ∧ 1)·SNLF(C0 ⊕ C1 ) ; /* check if i is even */ distributions of non-zero bytes in C and RI( ) different.
10 R2 ← R2 ⊕ μ; As a result, some bytes in C and RI( ) can be revealed
11 R0 ← R0 ⊕ μ; directly from F = C⊕RI( ). The number of known
12 i ← i + λ; bytes in RI( ) is equal to the number of zero bytes in C.
3) Infection Operation Decomposition and Analysis: The
13 R0 ← R0 ⊕RF(R2 , k0 ) ⊕ β;
construction of the random infection function is completely
14 return R0
decided by the cipher algorithm. For AES-128, RI( ) =
MC(S R(S B(β) ⊕ S B(β ⊕ ))). The differential SubBytes
S B(β)⊕S B(β ⊕ ) works directly on the random number β.
penultimate and the last dummy computations, the infection It can be decomposed into 16 independent random-bit-related
effect of ICDR can be classified into two types: infection operations, which are represented as S X (I N) =
1) The first one is the deterministic and non-diffused infec- S(X) ⊕ S(I N ⊕ X). In this operation, S is the Sbox. I N is
tion shown in step 9-11. It takes the deterministic nonlinear a secret input byte in . X is a secret random byte in β
function SNLF in finite field GF(28 ) as the infection function. that changes with infections. Obviously, the operation with
Once the fault is injected, the deterministic infections will be zero input has no protective effect on its output. When the
executed in the subsequent original cipher rounds. Let C i operation input and output are both non-zero and unknown,
denote the difference between the original and the redundant its protective effect can be concluded as:
cipher intermediates in the i -th round. Then, SNLF(C i ) is • Based on a single infection, no prior knowledge of this
the deterministic mask of the i -th original cipher state. It also operation can be obtained for the further analysis.
masks the current dummy state. • Based on M infections with the identical , we denote
2) The second one is the random and diffused infection the output difference of this operation between the 1-
shown in step 13. It takes the difference between the dummy st and the j -th infection as OU T1 j = S X 1 (I N) ⊕
computation result and its reference value β as the infection S X j (I N) ( j = 2, . . . , M). It can be obtained from
output. In this infection, the variables β and k0 are randomly F1 ⊕ F j , through the inversion of MC and S R.
selected and kept secret. They satisfy β = RF(β, k0 ). There- According to the non-uniform differential distribution
fore, the infection function can be represented as RI( ) = of the AES Sbox, a random candidate combination of
RF(β, k0 )⊕ RF(β ⊕ , k0 ), where is the sum of the (X 1 , I N) can result in the given difference OU T1 j with
deterministic
masks of different original cipher states. = a probability3 of 127255 . Therefore, the prior knowledge
i ).
i SNLF(C of OU T1 j can be used to distinguish the (X 1 , I N)
Above all, the ciphertext is masked with SNLF(C n )⊕ candidates.4 The non-uniform differential distribution of
RI( ). The deterministic infection does not introduce ran- 3 To study the dependence between the prior knowledge OU T
domness into the cipher state. Therefore, SNLF(C n ) can be 1 j and the
infection operation input (X 1 , I N ), we construct an advanced differential
taken as a part of the output difference between the original distribution table for the 8-bit Sbox in AES. The table has 256∗ 255 rows and
and the redundant cipher computation, C. The security of 256 columns. Each row corresponds to a possible combination of (X 1 , I N ).
We denote it as (x, in), where in = 0. Each column corresponds to a possible
the countermeasure relies on the random infection. Because value of Sx (in) ⊕ Sx (in) for any x, x and in = 0. We denote it as out.
the random infection is executed only once at the end of the The cell in row (x, in), column out records the amount of different x that
countermeasure, the built-in infection degrades into the built- satisfies out = Sx (in) ⊕ Sx (in). It has been worked out in the previous
research that, for every non-zero in, the 256 possible values of x can only
out one. In this case, the difference between the correct and result in 127 different values of Sx (in) = S(x) ⊕ S(in ⊕ x). Therefore,
the infected ciphertext is F = C⊕ RI( ). for every (x, in = 0), we can get no more than 127 different out from
256 possible values of x . It means half of cells in each row of the table are
non-zero. A random candidate of (X 1 , I N ) can result in the given OU T1 j
A. Analysis on ICDR With One Built-Out Random Infection with a probability no larger than 127
255 .
4 For the attack with M repeatable injections, if all the cells in row (x, in),
1) Attack-Scenario-Related Prior Knowledge: RI corre- column OU T1 j ( j = 2, . . . , M) are non-zero, then (x, in) can be taken as a
sponds to the infection function I in the generic infection candidate of (X 1 , I N ).
the Sbox exposes a new vulnerability of ICDR under H (C|C p , F) = 0 bit. The infection function is of
the repeatable fault model. It can lead to the retrieval no protective effect on C.
of S X 1 (I N), RI( ) and finally C. Here we derive • For the attack scenario (2.1), (2.2) and (2.3) with 4 non-
the remaining uncertainty of S X 1 (I N) as zero bytes in C: there are at least 3 known bytes in
each column of RI( ) and at most 2 non-zero bytes in
H (S X 1 (I N)|P R I O R) that are related to this column. According to (16),
≤ H (X 1, I N|OU T12 , . . . , OU T1M ) H (C|C p , F) = 0 bit. The infection function is of
127 no protective effect on C.
≤ 8 + (M − 1) log2 . (15)
255 • For the attack scenario (3.1), (3.2) and (3.3) with 16 non-
zero bytes in C: the fault diffusion in C is complete.
MixColumns (MC) connects the infection operation outputs
There is no known byte in each column of RI( ) and
with the infection function output. It consists of 4 independent
there are 4 non-zero bytes in related to this column.
mc operations. Each mc takes the outputs of 4 infection
According to (16), H (C|C p , F) = 128 bits. It is not
operations as its input. Then, it outputs 4 linearly dependent
smaller than 116, 120 and 128. The countermeasure may
bytes and reserves them in the same column of RI( ). For
be secure for the unrepeatable fault injection. However,
the i -th mc related to the i -th column. let O i denote its known
C can be uniquely identified when the fault injections
output bytes in RI( ). Let I i denote the non-zero bytes in
can be repeated for 17 times.
that form its input. |O i | and |I i | denote the byte length of
O i and I i , respectively. According to the diffusion property of Above all, ICDR with a built-out random infection can resist
mc, |O i | and |I i | decide how many infection operations can neither the attack with incomplete fault diffusion nor the one
work with the above mentioned prior knowledge. For instance, with repeatable injections in theory. However, thanks to the
if |I i | < |O i |, we can recover the non-zero input bytes of the randomly inserted dummy rounds, it reduces the success rate
i -th mc from its known output bytes. It means no infection of the repeatable fault injections. The attack based on the
operation works without the prior knowledge of the output repeatable C is sometimes infeasible in practice.
value. For general cases, given |O i | and |I i |, there are at
most max{|I i | − |O i |, 0} infection operations working with
the non-zero inputs and unknown outputs. The other infection C. Discussion
operations do not contribute to the security of the infection Things are complex when the fault is injected before the
function. penultimate dummy computation. The deterministic and the
For ICDR based on AES-128, the remaining uncertainty of additional random infections (refer to Algorithm 1, step 7-8)
RI( ) is the sum of the uncertainty of S X (I N) in each appear alternately. The built-in infection countermeasure is no
infection operation. Since C = F⊕RI( ), the protective longer equivalent to the built-out one. The built-in random
effect of the infection function can be worked out as infections make C n and change under the repeatable
H (C|C p , F1 , . . . , FM ) fault injections. They destroy the prior knowledge in (15).
Therefore, the cipher implementation requires at least 2 ran-

4
127 dom infections to resist the attack based on the repeatable
≤ max{|I i | − |O i |, 0} · (8 + (M − 1) log2 ). (16)
255 injections.
i=1
To sum up, when the fault diffusion in C is incomplete,

the diffusion property of MixColumns leads to the major VII. Q UANTIFICATION A NALYSIS ON LDRNM
uncertainty loss of C. It is consistent with the studies in [16]
and [18]. Meanwhile, the non-uniform differential distribution LDRNM (Linear Diffusion and Randomized Nonlinear
of Sbox is another significant vulnerability. It is first found in Mixing) is a built-out infection countermeasure proposed in
this paper. It provides evidence that even if the fault diffusion ACISP 2015 for AES-128 [22]. The infection function first
in C is complete, the countermeasure is still not as secure employs a deterministic linear diffusion function D to disperse
as expected for the repeatable fault model. the fault into most output bits. Then, it modifies a bent function
called NIMX to construct the nonlinear mixing function S.
Let X = (x 127, . . . , x 0 ) denote the output of the diffusion
B. Security Quantification and Judgment function. R = (r 127 , . . . , r 0 ) denotes the random string.
The output of the nonlinear mixing S = S(D(C), R) =
For the speciality of ICDR infection input, we reanalyze
the fault propagation in AES-128 to work out the number of S(X, R) = (s 127 , . . . , s 0 ) is represented as follows. For 1 ≤
i ≤ 128,
non-zero bytes in . We also work out the number of known
bytes in RI( ) according to the knowledge of zero bytes in i−1
C. Then, we make the security quantification and judgment. s =
i
x j r j ⊕ x i−2 x i−1 ⊕ x i (17)
• For the attack scenario (1.1) and (1.2) with 1 non-zero j =0
byte in C: there are at least 3 known bytes in each
column of RI( ) and at most 1 non-zero bytes in where x i , r i and s i denote the i -th bit of X, R and S,
that are related to this column. According to (16), respectively. s 0 = s 128 , x 0 = x 128 and x −1 = 0.
A. Analysis on LDRNM • For the attack scenario (3.1), (3.2) and (3.3): the fault
Infection Operation Decomposition and Analysis: In diffusion in C is complete. H (C|C p , F) =
LDRNM, x i r i is the smallest random-bit-related infection H (C|C p ). It satisfies the security requirement in (7).
operation. Its protective effect can be concluded as: H (C|C p , F1, F2 ) = 88.15 bits, which is smaller
than 116, 120 and 128. The countermeasure is insecure
• Based on a single infection, we find from (17) that the
when the identical injection can be repeated twice.
input and the output of x i r i are both related to the
unknown bits in X. There is no prior knowledge for Above all, LDRNM shows strong resistance to the attack
further analysis. with unrepeatable fault injection. However, it cannot resist the
• Based on M infections with the repeatable C and X,
repeatable fault injection attack.
we denote the output difference of x i r i in the 1-st and j -
th infection as OU T1i j = x i r1i ⊕ x i r ij ( j = 2, . . . , M). VIII. E XTENDED D ISCUSSION AND C OMPARISON
It can be obtained from the output difference of the In this section, we first evaluate two other infection coun-
infection function as termeasures briefly. Then, we discuss the evaluation metrics

s 1 ⊕s 1 , i =0 for the practical security. We also extend the framework to
OU T1i j = 1 i j i+1 i+1 (18) other attack scenarios. Finally, we make a comparison between
(s1 ⊕s1 )⊕(s j ⊕s j ), 1 ≤ i ≤ 127.
i
different countermeasures.
Let eM denote the event that OU T1i j = 0 for j =
2, . . . , M. It means x i r ij keeps same in all these infec- A. Quantification Analysis on Other Infections
tions. Obviously, P(eM|x i = 0) = 1 and P(eM|x i = 1) Multiplicative Masking (MM): Multiplicative masking is
1) = 2 M−1 1
. With enough OU T1i j , the value of x i can a random infection countermeasure. It multiplies the N-bit C
be determined. According to the diffusion function D, by a fresh N-bit random number R in G F(2 N ). Then, it masks
P(x i = 0) = P(x i = 1) = 21 . Then, (P(eM), P(eM)) the final ciphertext with RC. In this countermeasure, RC is
and (P(x i |eM), P(x i |eM)) can be respectively derived also the smallest random-bit-related infection operation. When
from total probability formula and Bayes formula. The C = 0, it generates every element in the finite field with
remaining uncertainty of x i can be estimated as an equal probability. Therefore, the countermeasure is secure
under all the scenarios listed in Table II, no matter the fault
H (x i |P R I O R i ) model is repeatable or not. However, when R = 0, the power
= H (x i |OU T12
i
, . . . , OU T1M
i
) consumption of the multiplication RC is significantly lower
= P(eM)H (x i |eM) + P(eM)H (x i |eM) than when R = 0. This phenomenon enables the identification
2 M−1 + 1 M −1 of R = 0 and leads to a straightforward recovery of C from
= log2 (2 M−1 + 1) − . (19) F = C ⊕ 0.
2M 2
2) Random Replacement (RR): Different from the generic
In LDRNM, all 128 infection operations are working with infection construction in Fig. 1, [16] proposed a new structure
the above-mentioned type of prior knowledge. Consider the based on replacement. The countermeasure adopts a boolean
fact that the fault diffusion in C (about the zero bytes) has function BLFN that maps C = 0 to 0 and C = 0 to 1,
not been taken into account in infection operation analysis. to decide whether replacing the original cipher output C0 with
We derive the protective effect of the countermeasure as a random number R. The output of the cipher implementation
H (C|C p , F1 , . . . , FM ) is presented as (¬BLFN(C)·C0 )⊕(BLFN(C)· R). Because
BLFN is not invertible for the non-zero C, and R is irrelevant

128
to both C and C, then H (C|C p , F) = H (C|C p )
= max{ H (x i |P R I O R i ) − H (C p ), 0}. (20)
under all the scenarios listed in Table II. Therefore, the coun-
i=1
termeasure is theoretical secure against the intermediate-
To sum up, the differential distribution of x i r i under the oriented single fault attacks. It is consistent with the evaluation
repeatable fault model results in the major security loss. It is in [19] and [21]. However, similar to the consistency check
consistent with the study in [29]. However, [29] ignores the in the detection countermeasure, BLFN brings about a 1-bit
prior knowledge of C under the incomplete fault diffusion. judgment condition. Therefore, the malicious modification on
It leads to an overestimation of security. the result of BLFN may lead to infection failure.
B. Security Quantification and Judgment B. Practical Security Evaluation

• For the attack scenario (1.1), (1.2), (2.1), (2.2) and An effective countermeasure should render the fault attack
(2.3): the fault diffusion in C is incomplete. According infeasible in practice. The attack complexities, including the
to (19) and (20), H (C|C p , F) = H (C|C p ). number of fault injections and the computation complexity,
The countermeasure is secure under the unrepeatable fault are candidates for the practical security metrics. For the fault
model. Whereas, H (C|C p , F1 , F2 ) = 0 bit. It is injection, the security judging criterion is determined by the
of no protective effect as long as the identical injection lifetime of the cipher implementation and the adversary’s abil-
can be repeated twice. ity to monitor it. For the computation complexity, the judging
criterion is decided by the present computer technologies. The it is equivalent to injecting a byte-oriented fault e with the
complexity quantification results are greatly affected by the known location and unknown value, which is the same as
analytical strategy adopted in the attack. Therefore, they are scenario (3.2) in Table II. H (e) = 8 bits, H (K) = 128 bits
more like the evaluation metrics for different adversaries than and l0 ≈ H (K)− H (e) = 120 bits. If it takes the input byte of
the unified metrics for infection countermeasures. ADK as the faulty output byte, then e is equal to the first byte
Compared to the complexities of the concrete attack, of the 8-th round key. Since e is available for the key retrieval,
the minimum attack complexities are better choices for the H (e) can be taken as 0. H (K) = 128 bits and l0 ≈ 128 bits.
countermeasure evaluation. The minimum number of injec- On the other hand, the injection decides whether the infec-
tions α and the minimum computation complexity η are related tion will be executed or not. It affects the security quan-
to the conditional entropy of C and K. If each fault model tification on infection functions. If the infection is skipped,
can be repeated for M times in the retrieval of a N-bit secret the equivalent uncertainty of C maintained by the infection
key, function is 0 bit. If it is not skipped, the remaining uncertainty
MN of C can be worked out in the same way as the current
α= (21) framework. Finally, with the security judging criteria and
H (K) − H (K|C, C p , F1 . . . FM )
quantification results, we can make security judgments on
αto H (C|C p ,F1 ,...,FM )
η= ·2 + αt (22) infection countermeasures in the same way as the current
M framework.
where to denotes the computation complexity for the retrieval 2) Intermediate-Oriented Double-Fault Injections: The
of K with the known C. t denotes the computation complex- injections also affect the integrated cipher implementation at
ity for the retrieval of C with the known F. According to two levels. On the one hand, they corrupt the original and
the infection operation decomposition and analysis, if C can redundant intermediates of the unprotected cipher in pairs with
H (C)
be retrieved in γ separate parts, then t = γ · 2 γ . two identical faults. Therefore, the equivalent security judging
The countermeasures proved secure in theory according criteria for infection function about C can be worked out
to (7) must be secure in practice. The ones proved insecure with either of these faults, according to the current framework.
according to (4) are always insecure in practice, especially On the other hand, the double-fault injections make the infec-
when the fault diffusion is incomplete and the C can be tion input equal to zero. In this case, the equivalent uncertainty
retrieved in separate parts. In other cases, it requires specific of C maintained by the infection function can only be 0 bit.
attack strategies to figure out whether the key could be
retrieved within the complexity restrictions.
D. Comparison
For all the infection countermeasures analyzed in this
C. Evaluation Under Other Attack Scenarios paper, Table III summarizes their security quantification results
The extension of the current framework to other fault attack under the attack scenarios in Table II. It also summa-
scenarios is discussed briefly. rizes their requirements for random bits. From the table,
1) Flow Sequence-Oriented Injection With Instruction Skip H (C|C p , F1 , . . . , FM ) grows with the rising fault
Fault Model: The injection skips some procedures of the diffusion in C, which leads to an exponential increment
encryption. It has both the numerical and logical effects on in the computation complexity of the attack (refer to (22)).
the integrated cipher implementation. It indicates that the infections are effective countermeasures
On the one hand, the instruction skip injection can lead to especially for the attack scenarios with complete fault diffusion
the faulty inputs of the following procedures. It corrupts the in C. In this table, we highlight the remaining uncertainty of
intermediate (or ciphertext) of the unprotected cipher. There- C that is no larger than the lower bound security requirement
fore, by transforming its numerical effect into an equivalent l0 in bold. It indicates that the countermeasure is theoretically
intermediate-oriented fault model, we can work out the secu- infeasible for the specific attack scenario.
rity judging criteria for the infection function with the current The evaluation results are instructive in countermeasure
framework. For instance, if the last cipher round encryption selection. To be specific, RIMBEN with public initial config-
of AES-128 and the following infection are all skipped by the urations is never recommended. RIMBEN with secret initial
injection [19], [21], the 9-th cipher round result will become configurations, ICDR and LDRNM are applicable in some
the ciphertext of the unprotected cipher. It is equivalent to unrepeatable injection scenarios. Among them, RIMBEN
injecting a 128-bit fault e in the 10-th round before SubBytes requires the least number of random bits. It is a cost-effective
(S B) with the known location and the known value, H (e) = choice against the scenarios with the random fault model and
0 bit. The key bytes involved in fault propagation can be the incomplete fault diffusion. ICDR and LDRNM require
approximately represented with the last round key, H (K) = the same amount of random bits in each infection. Because
128 bits. Then, the equivalent uncertainty of C that should be LDRNM ensures a more comprehensive fault attack resistance,
maintained by the secure infection is l0 ≈ H (K)− H (e) = 128 it is a better choice than ICDR. However, all of them are
bits. In another instance, the injection targets at the 8-th cipher theoretically infeasible in the repeatable fault injection sce-
round and only skips its AddRoundKey (ADK) operation on narios, even if C can only be repeated for a few times.
the first byte. The following encryption will be executed with a Thanks to the existence of the random fault model, it makes
faulty ADK output. If the faulty output byte is totally random, injecting identical faults difficult. The repetitive infections on
TABLE III
C OMPARISON OF I NFECTION C OUNTERMEASURES IN S ECURITY AND C OST (BASED ON ATTACK S CENARIOS IN TABLE II)
the identical C can seldom happen in practice. Multiplicative [2] C. Giraud, “Dfa on aes,” in Advanced Encryption Standard – AES,
masking and random replacement have the widest security H. Dobbertin, V. Rijmen, and A. Sowa, Eds. Berlin, Germany: Springer,
2005, pp. 27–41.
applicable scopes. Random replacement is more cost-effective [3] P. Dusart, G. Letourneux, and O. Vivolo, “Differential fault analy-
because the random bits can be reused in different infections. sis on A.E.S,” in Applied Cryptography and Network Security,
Nevertheless, their enhancements of FA-resistance are at the J. Zhou, M. Yung, and Y. Han, Eds. Berlin, Germany: Springer, 2003,
pp. 293–306.
expense of introducing new vulnerabilities under other imple- [4] G. Piret and J.-J. Quisquater, “A differential fault attack tech-
mentation attack conditions. They are still not the best choice nique against spn structures, with application to the aes and
for cipher protection. khazad,” in Cryptographic Hardware and Embedded Systems—CHES,
C. D. Walter, Ç. K. Koç, and C. Paar, Eds. Berlin, Germany: Springer,
2003, pp. 77–88.
IX. C ONCLUSION AND F UTURE W ORK [5] I. Biehl, B. Meyer, and V. Müller, “Differential fault attacks on
elliptic curve cryptosystems,” in Advances in Cryptology—CRYPTO,
The paper proposes a framework for security evaluation M. Bellare, Ed. Berlin, Germany: Springer, 2000, pp. 131–146.
[6] E. Biham, L. Granboulan, and P. Q. Nguy ên, “Impossible fault analysis
on infection countermeasures. It makes the evaluation not of rc4 and differential fault analysis of rc4,” in Fast Software Encryption,
only generic for different countermeasures but also efficient H. Gilbert and H. Handschuh, Eds. Berlin, Germany: Springer, 2005,
under various attack scenarios. The framework is constructed pp. 359–367.
[7] C. Clavier, “Secret external encodings do not prevent transient fault
with the idea to separate the infection function from the analysis,” in Cryptographic Hardware and Embedded Systems—CHES,
integrated cipher implementation. Firstly, we personalize the P. Paillier and I. Verbauwhede, Eds. Berlin, Germany: Springer, 2007,
security judging criteria for infection functions according to pp. 181–194.
[8] C. Dobraunig, M. Eichlseder, T. Korak, S. Mangard, F. Mendel,
the fault injection effects on the unprotected cipher. The and R. Primas, “Sifa: Exploiting ineffective fault inductions on sym-
criteria enable precise and individual security judgments under metric cryptography,” IACR Trans. Cryptograph. Hardw. Embedded
different attack scenarios. Secondly, based on the fact that the Syst., vol. 2018, no. 3, pp. 547–572, Aug. 2018. [Online]. Available:
https://tches.iacr.org/index.php/TCHES/article/view/7286
infection function usually consists of a series of simple and [9] Y. Li, K. Sakiyama, S. Gomisawa, T. Fukunaga, J. Takahashi, and
identical infection operations, we propose a universal security K. Ohta, “Fault sensitivity analysis,” in Cryptographic Hardware and
quantification method through infection operation analysis. Embedded Systems, CHES, S. Mangard and F.-X. Standaert, Eds. Berlin,
The analysis enables a thorough vulnerability exploration and Germany: Springer, 2010, pp. 320–334.
[10] R. Karri, K. Wu, P. Mishra, and Y. Kim, “Concurrent error detection
an efficient security quantification of the infection function. schemes for fault-based side-channel cryptanalysis of symmetric block
The current framework mainly focuses on the evaluation ciphers,” IEEE Trans. Comput.-Aided Des. Integr., vol. 21, no. 12,
against the intermediate-oriented single injection and the DFA- pp. 1509–1517, Dec. 2002.
[11] K. Wu, R. Karri, G. Kuznetsov, and M. Goessel, “Low cost concurrent
like attacks. So one possible future work is to extend the error detection for the advanced encryption standard,” in Proc. Int.
framework to cover more fault injection models and more Conferce Test, Oct. 2004, pp. 1242–1248.
attack scenarios. Moreover, as mentioned in Section VIII, [12] M. Karpovsky, K. J. Kulikowski, and A. Taubin, “Robust protection
against fault-injection attacks on smart cards implementing the advanced
a FA-resistant infection construction may result in new vul- encryption standard,” in Proc. Int. Conf. Dependable Syst. Netw.,
nerabilities in terms of other implementation attacks. Hence, Jun. 2004, pp. 93–101.
how to involve other side-channel information leakages into [13] M. Joye, P. Manet, and J. B. Rigaud, “Strengthening hardware AES
implementations against fault attacks,” IET Inf. Secur., vol. 1, no. 3,
the security evaluation on infection countermeasure is another pp. 106–110, Sep. 2007.
problem to be solved. [14] V. Lomnè, T. Roche, and A. Thillard, “On the need of ran-
domness in fault attack countermeasures—Application to AES,” in
Proc. Workshop Fault Diagnosis Tolerance Cryptogr., Sep. 2012,
R EFERENCES pp. 85–94.
[15] B. Gierlichs, J.-M. Schmidt, and M. Tunstall, “Infective computa-
[1] D. Boneh, R. A. DeMillo, and R. J. Lipton, “On the importance tion and dummy rounds: Fault protection for block ciphers with-
of checking cryptographic protocols for faults,” in Advances in out check-before-output,” in Progress in Cryptology—LATINCRYPT,
Cryptology—EUROCRYPT, W. Fumy, Ed. Berlin, Germany: Springer, A. Hevia and G. Neven, Eds. Berlin, Germany: Springer, 2012,
1997, pp. 37–51. pp. 305–321.
[16] H. Tupsamudre, S. Bisht, and D. Mukhopadhyay, “Destroying fault Hua Chen received the Ph.D. degree from the
invariant with randomization,” in Cryptographic Hardware and Embed- Institute of Software, Chinese Academy of Sciences,
ded Systems—CHES, L. Batina and M. Robshaw, Eds. Berlin, Germany: Beijing, China, in 2005.
Springer, 2014, pp. 93–111. She is currently a Research Professor with the
[17] B. Wang et al., “Exploration of benes network in cryptographic proces- Trusted Computing and Information Assurance Lab-
sors: A random infection countermeasure for block ciphers against fault oratory, Institute of Software, Chinese Academy
attacks,” IEEE Trans. Inf. Forensics Security, vol. 12, no. 2, pp. 309–322, of Sciences. She is also a Senior Member of the
Feb. 2017. Chinese Association for Cryptologic Research. Her
[18] A. Battistello and C. Giraud, “Fault analysis of infective AES computa- research interests include side-channel cryptanalysis,
tions,” in Proc. Workshop Fault Diagnosis Tolerance Cryptogr. (FDTC), automatic cryptanalysis, and randomness test.
Aug. 2013, pp. 101–107.
[19] S. Patranabis, A. Chakraborty, and D. Mukhopadhyay, “Fault tol-
erant infective countermeasure for AES,” in Security, Privacy, and
Applied Cryptography Engineering, R. S. Chakraborty, P. Schwabe, and
J. Solworth, Eds. Cham, Switzerland:: Springer, 2015, pp. 190–209.
[20] A. Battistello and C. Giraud, “A note on the security of CHES 2014
symmetric infective countermeasure,” in Constructive Side-Channel
Analysis and Secure Design, F.-X. Standaert and E. Oswald, Eds. Cham,
Switzerland: Springer, 2016, pp. 144–159. Yang Li received the Ph.D. degree in engineering
[21] S. Patranabis, A. Chakraborty, and D. Mukhopadhyay, “Fault from The University of Electro-Communications,
tolerant infective countermeasure for AES,” J. Hardw. Syst. Tokyo, Japan, in 2012.
Secur., vol. 1, no. 1, pp. 3–17, Mar. 2017. [Online]. Available: He is currently an Associate Professor with
https://doi.org/10.1007/s41635-017-0006-1 the Department of Informatics, The University of
[22] S. Ghosh, D. Saha, A. Sengupta, and D. R. Chowdhury, “Preventing Electro-Communications. His main research inter-
fault attacks using fault randomization with a case study on AES,” in ests include security evaluation and improvement for
Information Security and Privacy, E. Foo and D. Stebila, Eds. Cham, cryptographic hardware and the IoT devices.
Switzerland: Springer, 2015, pp. 343–355.
[23] E. Biham and A. Shamir, “Differential fault analysis of secret key
cryptosystems,” in Advances in Cryptology—CRYPTO, B. S. Kaliski,
Ed. Berlin, Germany: Springer, 1997, pp. 513–525.
[24] N. T. Courtois, D. Ware, and K. M. Jackson, “Fault-algebraic attacks on
inner rounds of des,” in Proc. Future Digital Secur. Technol. Strategies
Telecom Multimedia, vol. 2010, pp. 22–24.
[25] R. C. W. Phan and S.-M. Yen, “Amplifying side-channel attacks
with techniques from block cipher cryptanalysis,” in Smart Card
Research and Advanced Applications, J. Domingo-Ferrer, J. Posegga,
and D. Schreckling, Eds. Berlin, Germany: Springer, 2006, pp. 135–150. Zhipeng Jiao received the B.S. degree in computer
[26] M. Rivain, “Differential fault analysis on DES middle rounds,” in science from Zhengzhou University, Zhengzhou,
Cryptographic Hardware and Embedded Systems—CHES, C. Clavier China, in 2014. He is currently pursuing the Ph.D.
and K. Gaj, Eds. Berlin, Germany: Springer, 2009, pp. 457–469. degree with the Institute of Software, Chinese Acad-
[27] K. Sakiyama, Y. Li, M. Iwamoto, and K. Ohta, “Information-theoretic emy of Sciences.
approach to optimal differential fault analysis,” IEEE Trans. Inf. His current research interests include side-channel
Forensics Security, vol. 7, no. 1, pp. 109–120, Feb. 2012. attack and protection.
[28] J. Blòmer and J.-P. Seifert, “Fault based cryptanalysis of the advanced
encryption standard (AES),” in Financial Cryptography, R. N. Wright,
Ed. Berlin, Germany: Springer, 2003, pp. 162–181.
[29] S. Banik and A. Bogdanov, “Cryptanalysis of two fault countermeasure
schemes,” in Progress in Cryptology—INDOCRYPT, A. Biryukov and
V. Goyal, Eds. Cham, Switzerland: Springer, 2015, pp. 241–252.
Jingyi Feng received the B.S. and M.S. degrees Wei Xi received the M.S. degree in electrical and
in electronic engineering from the University of electronic engineering from the Huazhong Univer-
Science and Technology of China, Hefei, China, sity of Science and Technology, Wuhan, China,
in 2013 and 2016, respectively. She is currently pur- in 2003.
suing the Ph.D. degree with the Institute of Software, He is currently a Senior Engineer with the Electric
Chinese Academy of Sciences. Power Research Institute, China Southern Power
Her major research interests include security eval- Grid. His research interests include smart grid and
uation and improvement for cryptographic devices. electric power chip development.

Framework Infective Fault Countermeasure

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Framework Infective Fault Countermeasure

Uploaded by

Copyright:

Available Formats

IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL.

15, 2020 391

A Framework for Evaluation and Analysis on

I N RECENT years, implementation vulnerabilities rather

as the sample attack scenarios to demonstrate the security A. Fault Attack

the entire cipher computation. It enables the loose coupling

Fig. 2. Overview of security evaluation and analysis on infection countermeasure.

random stage. For illustration, we take |C| as the bit length

To sum up, when the fault diffusion in C is incomplete,

B. Security Quantification and Judgment B. Practical Security Evaluation

You might also like