In the 1970s researchers noticed that radioactive particles produced by elements naturally present in packaging material could cause bits to flip in sensitive areas of electronic chips. Research into the effect of cosmic rays on semiconductors, an area of particular interest in the aerospace industry, led to methods of hardening electronic devices designed for harsh environments. Ultimately various mechanisms for fault creation and propagation were discovered, and in particular it was noted that many cryptographic algorithms succumb to so-called fault attacks.

Preventing fault attacks without sacrificing performance is nontrivial and this is the subject of this book. Part I deals with side-channel analysis and its relevance to fault attacks. The chapters in Part II cover fault analysis in secret key cryptography, with chapters on block ciphers, fault analysis of DES and AES, countermeasures for symmetric-key ciphers, and countermeasures against attacks on AES. Part III deals with fault analysis in public key cryptography, with chapters dedicated to classical RSA and RSA-CRT implementations, elliptic curve cryptosystems and countermeasures using fault detection, devices resilient to fault injection attacks, lattice-based fault attacks on signatures, and fault attacks on pairing-based cryptography. Part IV examines fault attacks on stream ciphers and how faults interact with countermeasures used to prevent power analysis attacks. Finally, Part V contains chapters that explain how fault attacks are implemented, with chapters on fault injection technologies for microprocessors, and fault injection and key retrieval experiments on a widely used evaluation board.

This is the first book on this topic and will be of interest to researchers and practitioners engaged with cryptographic engineering.

required with only one plaintext when they are not, one can notice that the attack is more efficient on compressed S-Boxes. As an example, with 512 15 Note that some figures given in [12] happen to be imprecise. The figures we give in the sequel to this section are borrowed from [92], where they have been more rigorously computed. 16 While there are a few other ways in which the S-box data could be compressed, we do not consider this as something an attacker must previously know since he can

protection against fault attacks is vital for security-related devices. Moreover, the fatal impact of undetected faults implies high requirements for such devices: no erroneous result must be revealed with its correct counterpart. Given the fact that secret-key algorithms are not usually based on continuous algebraic structures complicates incorporating redundancy. Designing countermeasures that guarantee this property is a challenging task. As a result, a large number of different

functions MixColumns and inverse MixColumns. This optimization focuses on applications that do not require duplex modes where encryption and decryption are performed at the same time. 94 K. Bousselam et al. Table 6.1 Comparison of area, delay and power between truth-table implementation and mathematical implementation (ASIC) Area [µm2 ] Delay of critical path [ns] Average Dynamic Power [mW] Truth table Mathematical 1993 1.25 (14 logic levels) 0.136 1122 2.45 (25 logic levels) 0.907 6.3

The length of the random value k is a trade-off between security and device capabilities. However, this algorithm has two main drawbacks. First the knowledge of the private exponent d is required to compute d1 and d2 , which is not a CRT secret key. The second one deals with the efficiency, because two modular inverses need to be performed in the precomputation phase (i.e., computation of e1 and e2 ). Wagner found a way to exploit a vulnerability in Algorithm 8.5 [410]. The attack consists in

multiplication. In particular, faults injected into intermediate variables lead to faulty outputs that can be used, along with the correct result, to guess parts of the scalar. The following attack, introduced in [44], illustrates this. 150 A. Alkhoraidly et al. 9.3.3.1 Exploiting Random Faults During the Computation Assume that E is defined over a field Fq , and that the binary algorithm is used to perform the scalar multiplication, as in Algorithm 9.1. Also, assume that the attacker can