1. Field of the Invention
The present invention relates to communication systems and methods for transmitting data as may be used, in particular, in connection with bus systems requiring on-line fault detection.
2. Description of Prior Art
Bus connections are used to interconnect two or several system modules and thus to enable communication between these modules.
For example, two chips may be interconnected via a bus which cannot or need not be physically protected for reasons relating to the system. The chips may be a security controller and an external memory chip which are interconnected. To achieve a high level of security, the connection must be protected against fault attacks. It is not sufficient that the data to be stored be encrypted and decrypted, respectively, on the controller, and be stored in the memory in an encrypted form. This ensures only the privacy of the data, but not the integrity. Bus encryption, for example by means of a stream cipher, is of no more help in ensuring the integrity. It would only thwart the possibility of a targeted manipulation or a replay attack.
Two chips may also be interconnected using a specific face-to-face technology, for example an F2F technology which is specific to Infineon. Assuming that the face-to-face connection does not physically provide a reliable protection from manipulations of the bit lines of the bus, the same situation arises as in the case of two separate chips.
In addition, two or more hardware modules on a chip may be interconnected via bus lines. In the event that the modules themselves are already protected by certain measures, such as RSA or AES for crypto-coprocessors, measures for providing protection in the transmission must be taken.
So-called fault attacks represent a serious threat to the implementation of cryptographic algorithms or, in general, of systems processing secret data. This is true irrespective of whether the algorithm is implemented in software or as a hardware module. If an attacker is capable of disrupting the algorithm during processing in such a manner that internal intermediate results, for example round keys or intermediate results of rounds, contain one-bit faults or multi-bit faults, these faults lead to faulty encryption or decryption results. The secret key may be calculated, in a cryptographic analysis, from only a small number of such results. It is not even necessary to inject the bit faults at targeted positions. According to C. Giraud, DFA on AES, Oberthur Card Systems, 25, rue Auguste Blanche, 92800 Puteaux, France, for example, as few as 50 faulty results will be sufficient with one-bit faults, or about 250 faulty results will be sufficient with byte faults.
Interspersing faults may immediately disrupt the program flow, so that the program will follow wrong branches at jumps, or the program counter will be modified such that the program is continued at a wrong location.
A measure of protecting the transmission from fault attacks in those cases of connection which have already been described is represented by error-detecting codes (EDC). A check word P is calculated for each block M transmitted via the bus, and said check word P is transmitted along with block M as a so-called code word C=(M, P). To simplify matters, a systematic code will be assumed.
If, for example, a 32-bit data word M is transmitted, and a probability of <= 2^-32 of non-detection of a fault is called for, the check word P must have a length of >= 32 bits. Therefore, this means an overhead of >= 100%. With, for example, a data block length of 128 bits and a check word length of 32 bits, the overhead is >= 25%. For the bus transmission, this means a bandwidth reduction of 100% and 25%, respectively.
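The systematic code word C=(M, P) and its overhead can be illustrated with the following added example, which is not part of the original text. It assumes CRC-32 as the 32-bit check word (the text does not name a particular code) and models a bus fault as flipped bits of the code word; a CRC detects random faults and is not a keyed integrity mechanism.

```python
import zlib
from itertools import combinations

CHECK_BYTES = 4  # 32-bit check word P; CRC-32 is an assumed choice of code

def encode(m: bytes) -> bytes:
    """Systematic code word C = (M, P): M is sent unchanged, P is appended."""
    return m + zlib.crc32(m).to_bytes(CHECK_BYTES, "big")

def check(c: bytes) -> bool:
    """Receiver side: recompute P from the received M and compare."""
    m, p = c[:-CHECK_BYTES], c[-CHECK_BYTES:]
    return zlib.crc32(m).to_bytes(CHECK_BYTES, "big") == p

def overhead(data_bits: int, check_bits: int) -> float:
    """Redundancy relative to the payload, |P| / |M|."""
    return check_bits / data_bits

def inject(c: bytes, positions) -> bytes:
    """Model a bus fault: flip the given bit positions of the code word."""
    faulty = bytearray(c)
    for pos in positions:
        faulty[pos // 8] ^= 1 << (pos % 8)
    return bytes(faulty)

def undetected_faults(m: bytes, max_weight: int) -> int:
    """Count fault patterns of 1..max_weight flipped bits that pass the check."""
    c = encode(m)
    nbits = len(c) * 8
    return sum(
        check(inject(c, pos))
        for w in range(1, max_weight + 1)
        for pos in combinations(range(nbits), w)
    )

if __name__ == "__main__":
    word = bytes.fromhex("deadbeef")  # constructed 32-bit data word M
    print("code word C:", encode(word).hex())
    print("overhead 32/32:", overhead(32, 32), " 128/32:", overhead(128, 32))
    print("undetected 1..3-bit faults:", undetected_faults(word, 3))
```

Every fault of up to three flipped bits anywhere in the 64-bit code word, including faults in the check word itself, is rejected by the receiver, at the cost of doubling the number of bits on the bus.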
Solutions have been known by means of which faults in circuits may be detected. In this case, fault detection always requires redundancy. Countermeasures against fault attacks have been described, for example, in H. Bar-El, H. Choukri, D. Naccache, M. Tunstall, C. Whelan, The Sorcerer's Apprentice Guide to Fault Attacks, Eprint IACR 2004-100. Shu Lin, Daniel J. Costello, Fault Control Coding, Second Edition, Prentice Hall; 2nd edition (Apr. 1, 2004), ISBN: 0130426725 describes the use of codes which are processed and transmitted along with the payload data. However, a solution to the problem of bandwidth reduction by means of redundancy is not known.