Abstract

Various information technology disciplines such as telecommunication, networking, database systems, and mobile applications have developed increasingly strict security requirements over the years, leading to a surge of research and development activity in the field of applied cryptography. Crypto-systems are inherently computationally complex: in order to satisfy the high throughput requirements of many applications, they are often implemented by means of either VLSI devices or highly optimized software routines. The high complexity of such implementations makes reliability a challenge. Moreover, attacks on crypto-systems based on malicious injection of faults (for the purpose of extracting the secret key) have unfortunately proven to be very successful, making their own security another challenge. New methodologies are therefore needed in designing robust cryptographic systems, both hardware and software, in order to protect them against both accidental and malicious faults. The objective of this special section is to present some of the state-of-the-art developments in the analysis of fault attacks and the techniques to protect crypto-systems from such attacks. The papers included in this special section were selected from 12 manuscripts submitted in response to the call for papers. Submissions were also solicited from the authors of papers presented at the Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC ’04), held in Florence, Italy, in June 2004. This workshop has, since then, become an annual meeting, with FDTC ’05 in Edinburgh, UK, in September 2005 and the next one, FDTC ’06, to be held in Yokohama, Japan, on 10 October 2006 (http://www.elet.polimi.it/conferences/FDTC06/). As a result of the review process, five papers were selected to be included in this special section. Two of these papers are extensions of papers presented at FDTC ’04 and the rest originated from the open call for papers.
The first paper in this special section, “A Fault Attack on Pairing-Based Cryptography” by D. Page and F. Vercauteren, deals with the Tate pairing, a new cryptographic primitive that allows the design of public-key systems that do not use certificates, a desirable characteristic for mobile systems. The authors analyze the mathematical foundation of Tate pairing algorithms, identify the vulnerabilities of these algorithms to fault attacks, and propose some countermeasures. This paper demonstrates the mathematical complexity of studying fault attacks on cryptographic systems. The second paper, “Combining Crypto with Biometrics Effectively” by F. Hao, R. Anderson, and J. Daugman, does not deal with malicious faults but, instead, with the unavoidable errors due to the measurement procedure for an iris scan. The authors combine error diagnosis and correction techniques with cryptography in order to derive a key from given biometric data. The paper also discusses the technological difficulties one faces when implementing the proposed technique in a secure way. The third paper, “Fault Detection Architectures for Field Multiplication Using Polynomial Bases” by A. Reyhani-Masoleh and M.A. Hasan, focuses on one of the basic building blocks of most cryptographic devices: the finite field multiplier. The authors describe techniques based on error detecting codes for detecting faults in these frequently used circuits. The fourth paper, “Designing Resistant Circuits against Malicious Faults Injection Using Asynchronous Logic” by Y. Monnet, M. Renaudin, and R. Leveugle, deals with circuit techniques that are available for protection against fault injection-based attacks, namely, the use of dual-rail logic. This is an alternative to implementing countermeasures at a higher, algorithmic level.
The authors present methods for analyzing the sensitivity to faults of cryptographic devices and use them to evaluate (through simulation) the efficiency of dual-rail logic for preventing fault-based attacks. The analysis results are then compared to real fault injection experiments where laser pulses are used to inject temporary faults into a DES device. Finally, the Brief Contribution, “An RSA Implementation Resistant to Fault Attacks and to Simple Power Analysis” by C. Giraud, focuses on the classical public-key RSA cryptosystem. The practical importance of RSA justifies a careful analysis of its already known and new fault attacks and their corresponding countermeasures. This paper demonstrates that, even for established and extensively studied systems, it is possible to find new aspects which require reexamination and new designs. The papers included in this special section illustrate the interaction among classical fault diagnosis techniques, cryptography, and fault injection-based attacks. The interested reader may wish to refer to a recently published survey paper: “The Sorcerer’s Apprentice Guide to Fault

IEEE TRANSACTIONS ON COMPUTERS, VOL. 55, NO. 9, SEPTEMBER 2006, p. 1073
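To make the threat that this special section addresses concrete, here is an added example (not from any of the papers above, and not Giraud's countermeasure): a CRT-RSA signer that applies the generic "verify before release" check, re-computing the signature with the public exponent so that a transient fault injected into one CRT half is detected and the faulty signature is withheld instead of leaking to the attacker. The key parameters are constructed toy values and the fault is modelled as a bit flip on one intermediate result.

```python
# Added example: detecting an injected fault in CRT-RSA signing before the
# result leaves the device. Constructed textbook-sized key; NOT secure.
P, Q, E = 61, 53, 17
N = P * Q                              # public modulus (3233)
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (2753)
DP, DQ = D % (P - 1), D % (Q - 1)      # CRT exponents
QINV = pow(Q, -1, P)                   # q^-1 mod p for Garner recombination


def crt_sign(m, fault_mask=0):
    """Unprotected CRT-RSA signature of m (0 <= m < N).

    fault_mask models a transient fault: its bits are XORed into the
    mod-p half-result, as a laser or glitch might corrupt a register.
    A mask of 0 means no fault is injected.
    """
    sp = pow(m, DP, P) ^ fault_mask    # faulted half when mask != 0
    sq = pow(m, DQ, Q)                 # correct half
    h = (QINV * (sp - sq)) % P         # Garner recombination
    return sq + Q * h


def sign_checked(m, fault_mask=0):
    """Sign m, then verify the result with the public exponent.

    Returns (signature, fault_detected). When the re-verification fails
    the signature is None: a faulty CRT result is never released, which
    is the property a fault-tolerant signer must guarantee.
    """
    s = crt_sign(m, fault_mask)
    if pow(s, E, N) != m % N:          # cheap public-key check
        return None, True
    return s, False


if __name__ == "__main__":
    msg = 65
    print("correct run :", sign_checked(msg))        # (signature, False)
    print("faulted run :", sign_checked(msg, 0b1))  # (None, True)
```

Note that a faulted signature still agrees with the correct one modulo q while being wrong modulo p; the public-exponent check catches exactly that inconsistency, which is why the result must be verified before it is ever output.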
