1. Technical Field
The present disclosure relates to a method and system for detecting fault attacks, such as a method and system for detecting fault attacks during cryptographic operations.
2. Description of the Related Art
Encryption and decryption according to the Advanced Encryption Standard (AES) is used for the transmission and/or storage of sensitive data in a wide range of systems to ensure data privacy. For this, the data is encrypted and decrypted based on a secret key known to both the transmitting and the receiving circuits; in other words, the encryption and decryption are symmetric.
Fault attacks are a type of attack often employed by attackers wishing to discover encryption keys in order to obtain the sensitive information protected by those keys. Faults are injected while a cryptographic operation is being performed by a computing device. Faults may be injected, for example, by under-powering the device, injecting power or clock glitches, or using a laser. Laser attacks involve sweeping the surface of the integrated circuit with a laser to inject faults, such that a bit of data is altered from a “0” bit to a “1” bit or vice versa. By analyzing the outputs of the circuit when faults are injected, the attacker can obtain information relating to the key, for example using differential fault analysis (DFA).
One solution for protecting circuits against fault attacks involves the duplication of processing circuits, each circuit operating in parallel to generate the same output data from the same input data. The parallel outputs are then compared, and if the results do not match, this implies the presence of a fault. This duplication can also be performed in software, by executing the same operation twice using the same circuitry and then comparing the results.
Other solutions involve performing additional operations to check that there are no faults, such as performing decryption directly after encryption, and comparing the output data with the original data. Furthermore, the use of error detection and error correction codes has also been proposed.
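The two redundancy-based checks described above (running the operation twice and comparing, and running the inverse operation and comparing with the original input) are shown below as an added example; this code is not part of the disclosure. It uses a constructed 4-round Feistel cipher on 32-bit blocks as a stand-in for AES, since both checks rely only on the cipher being invertible. The `fault_mask` parameter is a hypothetical test hook that XORs a mask into the intermediate state to simulate an injected fault; the key and plaintext values are constructed sample inputs.

```c
#include <stdint.h>
#include <stdio.h>

#define ROUNDS 4

/* Constructed stand-in for AES: a 4-round Feistel cipher on 32-bit blocks.
 * It is invertible, like AES, which is all the two checks below rely on. */
static uint16_t subkey(uint32_t key, int round) {
    return (uint16_t)((key >> (8 * round)) ^ (key >> 3) ^ (0x1111u * (unsigned)round));
}

static uint16_t round_fn(uint16_t half, uint16_t k) {
    uint16_t x = (uint16_t)(half ^ k);
    x = (uint16_t)((x << 5) | (x >> 11));    /* rotate left by 5 */
    x = (uint16_t)(x * 0x9E37u + 0x79B9u);   /* mix, modulo 2^16 */
    return x;
}

/* fault_mask is a hypothetical test hook, not part of any real cipher: it is
 * XORed into the intermediate state after the second round to simulate an
 * injected fault. fault_mask == 0 models a fault-free run. */
uint32_t toy_encrypt(uint32_t block, uint32_t key, uint32_t fault_mask) {
    uint16_t l = (uint16_t)(block >> 16), r = (uint16_t)block;
    for (int i = 0; i < ROUNDS; i++) {
        uint16_t t = r;
        r = (uint16_t)(l ^ round_fn(r, subkey(key, i)));
        l = t;
        if (i == 1) {                         /* simulated fault injection point */
            l ^= (uint16_t)(fault_mask >> 16);
            r ^= (uint16_t)fault_mask;
        }
    }
    return ((uint32_t)l << 16) | r;
}

/* Exact inverse of toy_encrypt for fault_mask == 0. */
uint32_t toy_decrypt(uint32_t block, uint32_t key) {
    uint16_t l = (uint16_t)(block >> 16), r = (uint16_t)block;
    for (int i = ROUNDS - 1; i >= 0; i--) {
        uint16_t t = l;
        l = (uint16_t)(r ^ round_fn(l, subkey(key, i)));
        r = t;
    }
    return ((uint32_t)l << 16) | r;
}

/* Check 1: duplicated computation. The operation is run twice and the outputs
 * compared; a mismatch flags a fault. Returns 1 if a fault is detected, else 0.
 * In a real deployment both runs see identical inputs, so the results are kept
 * in volatile variables to stop the compiler from merging the two calls. */
int detect_by_duplication(uint32_t pt, uint32_t key, uint32_t fault_mask) {
    volatile uint32_t c1 = toy_encrypt(pt, key, fault_mask); /* run hit by the simulated fault */
    volatile uint32_t c2 = toy_encrypt(pt, key, 0);          /* reference run */
    return c1 != c2;
}

/* Check 2: inverse operation. Decrypt the freshly produced ciphertext and
 * compare with the original plaintext. Because the cipher is a bijection,
 * any fault that altered the ciphertext is caught. */
int detect_by_inverse(uint32_t pt, uint32_t key, uint32_t fault_mask) {
    uint32_t ct = toy_encrypt(pt, key, fault_mask);
    return toy_decrypt(ct, key) != pt;
}

int main(void) {
    const uint32_t key = 0xDEADBEEFu, pt = 0x12345678u;     /* constructed sample values */
    printf("no fault:    dup=%d inv=%d\n",
           detect_by_duplication(pt, key, 0), detect_by_inverse(pt, key, 0));
    printf("1-bit fault: dup=%d inv=%d\n",
           detect_by_duplication(pt, key, 0x00000100u), detect_by_inverse(pt, key, 0x00000100u));
    return 0;
}
```

Both checks detect any single fault that changes the intermediate state, but each costs a second full cipher execution (or a second circuit), which is the overhead the disclosure goes on to criticise. Neither check catches a fault that is reproduced identically in both runs, or a fault injected into the comparison itself, so the comparison logic is usually hardened separately.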
A problem with these existing solutions is that they rely on the duplication of circuitry, which is costly in terms of chip area, or they cause a substantial increase in computation time, and/or they are complex to implement.