Abstract

Cryptographic implementations on embedded systems need to be protected against physical attacks. Today, this means that apart from incorporating countermeasures against side-channel analysis, implementations must also withstand fault attacks and combined attacks. Recent proposals in this area have shown that there is a big tradeoff between the implementation cost and the strength of the adversary model. In this work, we introduce a new combined countermeasure M&M that combines Masking with information-theoretic MAC tags and infective computation. It works in a stronger adversary model than the existing scheme ParTI, yet is a lot less costly to implement than the provably secure MPC-based scheme CAPA. We demonstrate M&M with a SCA- and DFA-secure implementation of the AES block cipher. We evaluate the side-channel leakage of the second-order secure design with a non-specific t-test and use simulation to validate the fault resistance.

Highlights

  • The implementation of cryptographic algorithms in embedded systems should be done with extreme care

  • The most important physical attacks are Side-Channel Analysis (SCA), a non-invasive attack that exploits the physical leakages emanating from the device, and Fault Attacks (FA), in which an adversary induces and exploits logical errors in the computation

  • Our Contribution: In this work, we describe M&M (i.e. Masks & MACs), a new family of countermeasures that extends any SCA-secure masking scheme with information-theoretic MAC tags against differential fault analysis (DFA) and combines them with an infective computation mechanism

Summary

Introduction

The implementation of cryptographic algorithms in embedded systems should be done with extreme care. The most important physical attacks are Side-Channel Analysis (SCA), a non-invasive attack that exploits the physical leakages emanating from the device (power consumption or electromagnetic radiation, among others), and Fault Attacks (FA), in which an adversary induces and exploits logical errors in the computation. These attacks are commonly used to retrieve secret data from the embedded device and can be executed either separately or combined.

Our Contribution. In this work, we describe M&M (i.e. Masks & MACs), a new family of countermeasures that extends any SCA-secure masking scheme with information-theoretic MAC tags against DFA and combines them with an infective computation mechanism. Instead of using redundancy, which is vulnerable to the injection of identical faults, we replace the second instantiation of the cipher with a computation on information-theoretic MAC tags of the plaintext.
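To make concrete why plain redundancy misses identical faults while a MAC tag does not, here is an added illustration that is not code from the paper. It assumes the tag takes the multiplicative form tau = alpha * x in the AES field GF(2^8) under a secret nonzero key alpha (an assumption about M&M, not stated on this page), and it shows key addition carried out on tags instead of a second cipher instance, the fraction of keys for which an identical fault on data and tag is still caught, and a minimal infective output.

```python
AES_POLY = 0x1B  # reduction polynomial x^8 + x^4 + x^3 + x + 1 of the AES field

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo the AES polynomial."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= AES_POLY
        b >>= 1
    return p

def mac_tag(x: int, alpha: int) -> int:
    """Assumed tag form: tau = alpha * x with alpha a secret nonzero field element."""
    return gf_mul(alpha, x)

def add_round_key_with_tags(x: int, tau_x: int, k: int, tau_k: int):
    """Key addition on data and tags side by side: tau(x ^ k) = tau(x) ^ tau(k),
    so the tag path replaces a second cipher instance for this linear step."""
    return x ^ k, tau_x ^ tau_k

def tag_error(x: int, tau: int, alpha: int) -> int:
    """0 when the tag matches the data byte, otherwise a nonzero error term delta."""
    return mac_tag(x, alpha) ^ tau

def infect(y: int, delta: int, r: int) -> int:
    """Infective output: y itself when delta == 0, else y ^ r*delta with r a fresh
    random nonzero byte, so a faulty result is randomised instead of flagged."""
    return y ^ gf_mul(r, delta)

def duplicate_check_passes(x: int, e: int) -> bool:
    """Plain redundancy: the same fault e on both copies is never noticed."""
    return (x ^ e) == (x ^ e)

def identical_fault_detection_rate(x: int, e: int) -> float:
    """Fraction of the 255 possible keys alpha for which the same fault e injected into
    the data byte and into its tag still yields a nonzero error term.
    delta = alpha*e ^ e = (alpha ^ 1)*e, which is nonzero for every alpha except 1."""
    detected = 0
    for alpha in range(1, 256):
        tau = mac_tag(x, alpha)
        if tag_error(x ^ e, tau ^ e, alpha) != 0:
            detected += 1
    return detected / 255
```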

Adversarial Model
Galois Field Inversion
Version 1: “Generic”
Version 2: “Custom”
Affine transformation over bits
Infective Computation
The Problem with Error Checking
The Solution
Combining Infection and Detection
Security Analysis
AES Case Study
Implementation Details
Implementation Cost
Evaluation
SCA evaluation
FA evaluation
Results
Conclusion