Hardware countermeasures against DFA attacks on AES operations
By repeating a portion of the operations between the penultimate and final rounds of the AES algorithm, and by adding latches and a comparator, the vulnerability of AES hardware to DFA attacks is addressed: DFA attacks are detected efficiently, without the hardware complexity and energy consumption of existing countermeasures.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- SILICON LABORATORIES INC
- Filing Date
- 2023-03-27
- Publication Date
- 2026-06-19
AI Technical Summary
Existing AES hardware is vulnerable to differential fault analysis (DFA) attacks during encryption, in particular to faults injected between the penultimate column mixing operation and the last column mixing operation, which can allow the initialization vector key to be determined. Existing defense methods increase hardware complexity and energy consumption.
By repeating a portion of the operations between the penultimate and final rounds of the AES algorithm, and adding latches and a comparator to the hardware to compare the results of the original and repeated rounds, potential DFA attacks are detected with little hardware redundancy and energy consumption.
The method effectively detects the DFA attacks that have a chance of success, increases hardware execution time by at most 10% without significantly increasing area or power consumption, and prevents the initialization vector key from being exposed.
Description
Technical Field
[0001] This invention describes a system for preventing differential fault analysis (DFA) attacks in semiconductor devices that incorporate AES (Advanced Encryption Standard) hardware.
Background
[0002] Many semiconductor devices include AES hardware to perform encryption and decryption operations. AES hardware performs a sequence of operations (called a round) and repeats the sequence multiple times.
[0003] It has been found that faults injected during specific intervals of the algorithm's operation can provide information that allows a malicious actor to determine the initialization vector key (the term used here for the cipher key from which the round keys are derived).
[0004] The AES algorithm operates as follows. It has multiple rounds: AES-128 has 10 rounds, AES-192 has 12 rounds, and AES-256 has 14 rounds. In each round, a sequence of operations is executed. Figure 1 shows the operations performed in each round except the last. Each operation can be performed by a circuit, described below; therefore, the terms "circuit," "operation," and "function" are used interchangeably in this description.
[0005] As shown in Figure 1, each round circuit 10 receives input 20, typically from the previous round, and produces output 30, which is provided as the input to the next round. The input 20 of the first round circuit is the plaintext data to be encrypted. Input 20 typically consists of 16 bytes, arranged in a 4x4 array.
[0006] Input 20 is first processed by byte substitution circuit 11, which replaces each byte of input 20 with a different byte determined from a lookup table. The output of byte substitution circuit 11 then enters row shift circuit 12.
[0007] Row shift circuit 12 (i.e., row shift operation) is used to shift the rows of the 4x4 array. For example, the first row of the 4x4 array remains unchanged, while the second row is cyclically shifted one position to the left. The third row is cyclically shifted two positions to the left. The fourth row is cyclically shifted three positions to the left. The output from row shift circuit 12 then enters column mixing circuit 13.
[0008] Note that the byte substitution circuit 11 and the row shifting circuit 12 can be executed in reverse order, wherein the row shifting is performed before the byte substitution operation without affecting the output. In both embodiments, the byte substitution circuit 11 and the row shifting circuit 12 are executed sequentially before the column mixing circuit 13.
[0009] The column mixing circuit 13 performs matrix multiplication on each column of the input array. Specifically, the column mixing circuit 13 performs the following operations:
[0010]
[0011] Therefore, the column mixing operation performs matrix multiplication on each column of the array. The output from column mixing circuit 13 is used as the input to adder 14. Adder 14 (also called adder operation) is used to perform an exclusive OR (XOR) on the byte of round key 15 and the corresponding byte of the 4x4 array output from column mixing circuit 13. The output from adder 14 is output 30, which is also a 4x4 array.
[0012] Round key 15 is generated from the initialization vector according to a preset key schedule.
[0013] As mentioned above, the final round circuit differs slightly from the other rounds. Figure 2 shows the operations performed in the final round. The final round circuit 50 is the same as the round circuit 10 of Figure 1 except that the column mixing circuit 13 is omitted; the remainder of the final round circuit 50 is as described above. As mentioned above, the byte substitution and row shift operations can be performed in reverse order without affecting the output.
[0014] In some embodiments, the AES hardware may include multiple round circuits 10 and a final round circuit 50, as shown in Figure 3. Plaintext (typically 128 bits) is provided as input to the first round circuit. An initialization vector is also provided, from which all round keys are generated. When the AES hardware completes, the output is 128 bits of encrypted data.
[0015] Figure 3 shows an embodiment in which the circuitry of round circuit 10 is replicated for each round. This results in 9, 11, or 13 round circuits 10 plus a final round circuit 50, which is very dense and requires a significant amount of area and power. Therefore, to reduce the area requirements, in some embodiments the round circuit of Figure 1 is used to execute all rounds sequentially. Figure 4 shows an example of a circuit that provides this functionality.
[0016] In Figure 4, the circuit of Figure 1 has been modified to create an integrated round circuit 60, which addresses three aspects that are specific to the arrangement of Figure 3. First, in all rounds except the first, the input of each round circuit 10 is the output of the previous round circuit 10. Second, each round uses a different round key 15. Finally, the final round circuit 50 does not include the column mixing circuit 13.
[0017] These three issues are addressed by incorporating three multiplexers. Controller 65 counts the rounds being executed: 10 rounds for AES-128, 12 for AES-192, and 14 for AES-256.
[0018] Input multiplexer 61 selects between the input plaintext data and the current output of integrated round circuit 60. When controller 65 indicates the first round, input multiplexer 61 selects the plaintext data; otherwise it selects the output of integrated round circuit 60.
[0019] Adder multiplexer 62 selects the input of adder 14. As described above, column mixing circuit 13 is present in all rounds except the final round, where it is omitted. Therefore, adder multiplexer 62 selects the output of column mixing circuit 13 in all rounds except the final round, and the output of row shift circuit 12 in the final round. In other words, adder multiplexer 62 bypasses column mixing circuit 13 in the final round.
[0020] Key multiplexer 63 selects the round key appropriate to the round being executed and provides it to adder 14. Therefore, the key multiplexer has N inputs, where N is the number of rounds, and one output, which is the round key currently used by integrated round circuit 60.
[0021] Note that byte substitution circuit 11 and row shift circuit 12 can be arranged in reverse order, such that the output of row shift circuit 12 serves as the input to byte substitution circuit 11. In either case, these two circuits execute before column mixing circuit 13, which executes before adder 14. Having described the architecture of the AES circuit, its weakness will now be described. If a fault is inserted between the penultimate column mixing circuit 13 (i.e., in round (N-2)) and the last column mixing circuit 13 (i.e., in round (N-1)), the initialization vector key can be determined. Specifically, a fault introduced in this interval affects exactly four bytes of the output encrypted data. Because the faulty output differs from the fault-free output only in those bytes, it is easy to recognize that the fault was injected successfully, which in turn makes it easier to determine the initialization vector key.
[0022] To address this issue, replication has been proposed: the AES circuit of Figure 3 or Figure 4 is duplicated and the outputs of the two AES circuits are compared. Clearly, this requires a large amount of redundant circuitry, which increases area requirements and consumes more power. Another approach is to perform the AES operation at twice the normal rate using both edges of the clock. While this costs little in area, it consumes more power. Yet another approach is to use the same hardware shown in Figure 3 or Figure 4 to perform the AES operation twice. This requires a buffer to store the first result and consumes more power because the AES circuit operates at twice the original frequency.
[0023] Clearly, none of these methods is ideal. Therefore, it would be beneficial to have a system and method that ensures the weakness of the AES algorithm is not exposed, without requiring a large amount of additional circuitry or significantly reducing performance.
Summary of the Invention
[0024] A system and method are disclosed that perform AES encryption while simultaneously determining whether a potentially successful DFA attack is underway. When intermediate results are not observable, the DFA attack most likely to succeed is one that introduces a fault between the penultimate column mixing operation and the last column mixing operation. To detect this, the system and method execute the round preceding the final round and then repeat that round. The results of the original and repeated rounds are compared to identify a possible DFA attack. Importantly, the same hardware is used for both the original and the repeated round, so the additional hardware required to detect a potentially successful DFA attack is minimized. Furthermore, the impact on execution time is 10% or less.
[0025] According to one embodiment, a method for detecting differential fault analysis (DFA) attacks during execution of the AES algorithm is disclosed. The AES algorithm executes N rounds; each of the first (N-1) rounds includes a byte substitution operation, a row shift operation, a column mixing operation, and an adder operation, and the final round includes a byte substitution operation, a row shift operation, and an adder operation. The method includes: providing plaintext data to the AES algorithm; executing the first (N-2) rounds; saving temporary data after completing the column mixing operation of round (N-2); executing at least a portion of round (N-1); saving the result after completing the column mixing operation of round (N-1); repeating a portion of the AES algorithm, using the same circuitry used for executing round (N-1) and starting from the temporary data, wherein the repeated portion includes all operations beginning after the temporary data was saved and ending with the operation after which the result was saved; comparing the output of the repeated portion with the saved result; and flagging an error if the output of the repeated portion does not match the saved result. In some embodiments, the temporary data is saved after the last operation at which an injected fault would still affect all bytes of the output. In some embodiments, the temporary data is saved after the column mixing operation of round (N-2) and before the adder operation. In some embodiments, the temporary data is saved after the adder operation of round (N-2) and before the byte substitution operation of round (N-1). In some embodiments, the result is saved after the column mixing operation of round (N-1) and before the adder operation. In some embodiments, the result is saved after the adder operation of round (N-1) and before the byte substitution operation of round N.
In some embodiments, a random delay is introduced during execution of the AES algorithm to minimize the probability of a successful DFA attack. In some embodiments, the random delay is introduced after completing round (N-1) and before repeating round (N-1). In some embodiments, the byte substitution operation and the row shift operation are performed in a different order in at least one round to minimize the probability of a successful DFA attack. In some embodiments, a dummy round is executed between completing round (N-1) and completing the repeated round (N-1) to minimize the probability of a successful DFA attack.
[0026] According to another embodiment, an integrated circuit for executing an AES encryption algorithm with N rounds and for detecting DFA attacks is disclosed. The integrated circuit includes an integrated round circuit, at least one latch, a check multiplexer, a comparator, and a controller. A round is defined as one execution of the operations within the integrated round circuit. The integrated round circuit includes a byte substitution circuit, a row shift circuit, a column mixing circuit, an adder, an input multiplexer, and an adder multiplexer. The byte substitution circuit and the row shift circuit execute sequentially before the column mixing circuit; the adder executes after the column mixing circuit; the input multiplexer selects between the output of the adder and the plaintext data; and the adder multiplexer bypasses the column mixing circuit during the final round. The at least one latch stores the temporary data and the result; the check multiplexer has the output of the at least one latch as an input; and the comparator compares the output of the at least one latch with another value.
The controller configures the integrated circuit to: execute the first (N-2) rounds; store temporary data in one of the at least one latch after the column mixing circuit completes in round (N-2); execute at least a portion of round (N-1); store the result in one of the at least one latch after the column mixing circuit completes in round (N-1); repeat a portion of the AES encryption algorithm starting from the temporary data, wherein the repeated portion includes all operations beginning after the temporary data was stored and ending with the operation after which the result was stored; compare the output of the repeated portion with the stored result; and flag an error if the output of the repeated portion does not match the stored result. In some embodiments, the temporary data is stored after the column mixing circuit in round (N-2) and before the adder. In some embodiments, the temporary data is stored after the adder in round (N-2) and before the adder in round (N-1). In some embodiments, the result is stored after the adder in round (N-1) and before round N. In some embodiments, the controller introduces a random delay during execution of the AES encryption algorithm to minimize the probability of a successful DFA attack. In some embodiments, the random delay is introduced after round (N-1) and before round (N-1) is repeated. In some embodiments, the byte substitution circuit and the row shift circuit execute in a different order in at least one round to minimize the probability of a successful DFA attack. In some embodiments, a dummy round is executed between completion of round (N-1) and completion of the repeated round (N-1) to minimize the probability of a successful DFA attack.
In some embodiments, at least one latch includes two latches: a holding latch and a result latch, wherein temporary data is stored in the holding latch and the result is stored in the result latch.
[0027] Cross-reference to related applications
[0028] This application claims priority to U.S. Patent Application 17/844,817, filed June 21, 2022, the entire disclosure of which is incorporated herein by reference.
Brief Description of the Drawings
[0029] For a better understanding of the invention, reference is made to the accompanying drawings, wherein like elements are represented by like numbers, and wherein:
[0030] Figure 1 shows a circuit for implementing one round of the AES algorithm according to one embodiment;
[0031] Figure 2 shows a circuit for implementing the final round of the AES algorithm according to one embodiment;
[0032] Figure 3 is a block diagram of an AES circuit that uses multiple round circuits and a final round circuit;
[0033] Figure 4 is a block diagram of an integrated round circuit that can be used repeatedly to implement the AES algorithm and generate encrypted data;
[0034] Figure 5 is a flowchart illustrating the operation of the new AES algorithm;
[0035] Figure 6 shows a modified version of Figure 3 incorporating the weakness check according to one embodiment;
[0036] Figure 7A shows a modified version of Figure 4 incorporating the weakness check according to one embodiment;
[0037] Figure 7B shows a modified version of Figure 4 incorporating the weakness check according to another embodiment;
[0038] Figure 7C shows a modified version of Figure 4 incorporating the weakness check according to another embodiment; and
[0039] Figure 7D shows a modified version of Figure 4 incorporating the weakness check according to another embodiment.
Detailed Description
[0040] As mentioned above, differential fault analysis (DFA) can be used to attempt to determine the initialization vector (IV) key. Research indicates that when intermediate results are not observable, the approach most likely to succeed is to introduce a fault after column mixing circuit 13 in the penultimate round (N-2) and before the last column mixing circuit 13, which occurs in the round preceding the last round (N-1). A fault introduced in this interval causes the output to differ from the correct output in only 4 bytes, rather than in all bytes. Furthermore, faults introduced in earlier rounds are ineffective for determining the IV key when intermediate results are not observable. Therefore, in some cases it is not necessary to detect whether any DFA attack is being performed, only whether a DFA attack has a chance of success. In other words, a fault inserted in an early round produces incorrect output, but that incorrect output cannot readily be used to determine the IV key.
[0041] This invention uses these observations to create a system and method for detecting whether a DFA attack is executed during the interval in which it has the best chance of success. Specifically, referring to Figure 1 and Figure 3, if a fault is introduced after the penultimate column mixing circuit 13, the faulty data undergoes the following sequence of operations: adder (round N-2); byte substitution (round N-1); row shift (round N-1); column mixing (round N-1); adder (round N-1); byte substitution (round N); row shift (round N); and adder (round N). None of these operations mixes bytes except column mixing (round N-1), so the fault does not spread to other bytes anywhere else; the column mixing operation spreads a single-byte fault to exactly 4 bytes (all bytes of that column). Because only 4 bytes of the output are affected, this DFA attack has the highest probability of success. Therefore, to prevent this specific type of DFA attack, the system must check whether the data was corrupted during this interval. Such a system requires less power and area to achieve this result than the currently proposed systems.
[0042] Figure 5 shows a flowchart of the system and method described herein. This flowchart can be used with either the embodiment of Figure 3 or that of Figure 4. First, as shown in box 100, plaintext data is provided to the AES algorithm and the first N-2 rounds are performed. Temporary data generated at some point after the column mixing operation of round N-2 is stored, as shown in box 110. Figure 5 shows the temporary data being saved some time after the column mixing operation. In some embodiments, the temporary data is saved after the last operation at which an injected fault would still affect all bytes of the output. For example, as explained above, a fault introduced before the penultimate column mixing operation affects all 16 bytes of the output, because two column mixing operations follow the fault injection. Alternatively, the temporary data can be saved at a later point. Thus, in some embodiments, the temporary data is saved immediately after the column mixing operation of round N-2, or immediately after the adder operation of round N-2. If the operations of Figure 1 are performed in a different order, the point at which the temporary data is saved may differ accordingly.
[0043] After saving the temporary data, at least a portion of round N-1 (i.e., the round preceding the last round) is executed, as shown in box 120. The result after the column mixing operation of round N-1 is then saved, as shown in box 130. Again, this may be immediately after the column mixing operation of round N-1 or after the adder operation of round N-1. In some embodiments, the result can be saved as early as after the last operation at which a single-byte injected fault has propagated to exactly four bytes of the output. In other embodiments, the result can be saved as late as after the AES algorithm has finished, although this requires repeating more rounds.
[0044] In some embodiments, a random delay or another modification to the algorithm may be introduced, as shown in box 140. The purpose of such delay or modification will be described below. Although the delay is shown to occur after the result is stored, it should be understood that the delay may be introduced at any point in the algorithm's execution.
[0045] As shown in box 150, a portion of the AES algorithm is repeated using the temporary data stored in box 110. In other words, all operations that begin after storing the temporary data and end after storing the results are repeated. In some embodiments, the (N-1)th round is repeated. In other embodiments, the adder operation of the (N-2)th round, the byte substitution operation of the (N-1)th round, the row shift operation of the (N-1)th round, and the column mixing operation of the (N-1)th round are repeated.
[0046] As shown in box 160, the result of this repeated sequence of operations is then compared with the result stored in box 130. If the results match, the AES operation continues, as shown in box 170. However, if the results differ, an error is marked as shown in box 180.
[0047] Flagging an error can lead to various actions. In one embodiment, the device resets itself. In another embodiment, the error is passed to a processing unit that determines the appropriate action. In yet another embodiment, the device restarts the AES operation and discards all saved data.
[0048] Having described the concepts for detecting potentially successful DFA attacks, several embodiments of AES hardware will be disclosed. The operations and components described herein are part of an integrated circuit housed within a semiconductor device and built from transistors. The latches described herein can be flip-flops or locations in a memory device. The controller can be constructed as a state machine, a dedicated processing unit, or a general-purpose processing unit.
[0049] Figure 6 is based on the embodiment of Figure 3, and Figures 7A-7D are based on the embodiment of Figure 4.
[0050] In Figure 6, components having the same function as those of Figure 3 are given the same reference numerals and are not described again.
[0051] In this embodiment, round circuit 10 is unchanged; it includes byte substitution circuit 11, row shift circuit 12, column mixing circuit 13, and adder 14. Likewise, final round circuit 50 is unchanged and includes byte substitution circuit 11, row shift circuit 12, and adder 14.
[0052] Controller 200 monitors the activity of the AES hardware and implements the sequence shown in Figure 5. Specifically, controller 200 asserts a first control signal, hold temporary data, which causes the output of the round (N-2) circuit to be held in hold latch 210. Hold latch 210 is 128 bits wide, the size of the 4x4 array. The AES hardware uses the output of the round (N-2) circuit as the input to the round (N-1) circuit by configuring multiplexer 220 appropriately; multiplexer 220 is also 128 bits wide. After the round (N-1) circuit completes, controller 200 asserts a second control signal, hold result, which causes the output of the round (N-1) circuit to be held in result latch 230. Result latch 230 is also 128 bits wide.
[0053] Controller 200 then asserts a third control signal, repeat. Controller 200 configures repeater multiplexer 220 so that the temporary data stored in hold latch 210 is provided as input to the round (N-1) circuit, which then executes its sequence of operations again. Comparator 240 then compares the output of the round (N-1) circuit with the result stored in result latch 230, i.e., it compares two 128-bit values. If the values differ, an error is flagged.
[0054] Note that this method adds two latches (hold latch 210 and result latch 230), repeater multiplexer 220, and comparator 240, and executes one round circuit twice. Therefore, for AES-128 with 10 rounds, executing one round twice increases the execution time of the AES hardware by 10%; for AES-192 and AES-256 the increase is smaller. Moreover, this method detects the potentially successful DFA attacks. It therefore represents a good trade-off between DFA detection, power consumption, area, and execution time.
[0055] Note that while the inputs of hold latch 210 and result latch 230 communicate with the output of adder 14, other embodiments are possible. For example, the input of hold latch 210 may communicate with the output of column mixing circuit 13 in round (N-2). Similarly, the input of result latch 230 may communicate with the output of column mixing circuit 13 in round (N-1). In other embodiments, the input of result latch 230 may communicate with the output of the circuit in round (N).
[0056] In many embodiments, the AES hardware is configured as in Figure 4, which, as described above, uses far less circuitry. The same method applies to this configuration.
[0057] Figure 7A shows a first embodiment using the integrated round circuit. This embodiment combines the integrated round circuit 60 of Figure 4 with the new components introduced in Figure 6. Components with the same functions as those described above have the same reference numerals.
[0058] A check multiplexer 220 has been added between the output of adder 14 and input multiplexer 61. Check multiplexer 220 selects either the output of adder 14 (the normal case) or the output of hold latch 210.
[0059] In addition, a hold latch 210 is included. The input of the hold latch 210 is the output of the adder 14, and the output of the hold latch 210 communicates with the multiplexer 220.
[0060] It also includes a result latch 230. The input of the result latch 230 is also the output of the adder 14, and the output of the result latch 230 communicates with the comparator 240.
[0061] Finally, comparator 240 is used to compare the output of adder 14 with the output of result latch 230, and provides an error indication if the outputs do not match.
[0062] The AES hardware also includes a controller 250 that provides multiple outputs. As in Figure 3, there are one or more outputs indicating the round being executed. Furthermore, as in Figure 6, there is a first output, hold temporary data, used to hold the temporary data after round (N-2) completes; a second output, hold result, used to hold the result after round (N-1) completes; and a third output, check, which indicates that round (N-1) is being repeated.
[0063] In operation, controller 250 begins by asserting a round value of 1, indicating the first round. This causes input multiplexer 61 to select the plaintext data as the input to byte substitution circuit 11. The remainder of the round is then executed: byte substitution circuit 11, row shift circuit 12, column mixing circuit 13, and adder 14. After the first round completes, the controller updates the round value to 2, indicating that the second round is in progress. This causes input multiplexer 61 to select the output of adder 14 as the input to byte substitution circuit 11. The second round is then executed as described above.
[0064] The process continues until round (N-2), where N is 10 for AES-128, 12 for AES-192, and 14 for AES-256. After round (N-2) completes, controller 250 asserts the hold temporary data control signal, which causes the output of adder 14 to be stored in hold latch 210.
[0065] Controller 250 then changes the round value to N-1 and round (N-1) is executed. Upon completion of round (N-1), controller 250 asserts the hold result control signal, which causes the output of adder 14 to be stored in result latch 230. Controller 250 then keeps the round value at (N-1) and asserts the check control signal. This causes the output of hold latch 210 (the output of round (N-2)) to be used as the input to byte substitution circuit 11. Because the round value is still (N-1), adder 14 uses the round key associated with round (N-1). In other words, round (N-1) is repeated, and importantly, the same physical hardware is used for both the initial and the repeated execution of round (N-1). The output of adder 14 is then compared with the contents of result latch 230. If the results match, controller 250 updates the round value to N and completes the final round of the AES algorithm. If the results do not match, an error is flagged.
[0066] This approach adds one or two latches, a multiplexer and a comparator, and modifies the controller shown in Figure 4. In other words, the increase in transistor count is minimal. Furthermore, as noted above, since only one round is repeated, the execution time increases by 10% or less (one extra round out of ten for AES-128, and proportionally less for AES-192 and AES-256).
[0067] Figure 7A shows an example in which the results are latched after rounds (N-2) and (N-1). However, as noted above, the temporary data and the result can be captured at other points in the AES algorithm. Figure 7B shows another embodiment, in which hold latch 210, result latch 230 and the repeat multiplexer are positioned between column mixing circuit 13 and adder 14, rather than after adder 14 as in Figure 7A. The rest of the hardware is as described above, and controller 250 operates in the same manner as described above.
[0068] Figures 7A-7B show the temporary data and the result being stored at the same location in the integrated round circuit. However, other embodiments are possible. Figure 7C shows the temporary data saved immediately after column mixing circuit 13 and the result saved and compared after adder 14. Likewise, the temporary data can be saved after adder 14 and the result saved and compared after column mixing circuit 13. Furthermore, the result can be saved after other circuits.
[0069] Figures 7A-7C show hold latch 210 and result latch 230 as separate components. However, in some embodiments these latches can be the same physical device. For example, as shown in Figure 7D, the temporary data can be clocked out of latch 270 into byte substitution circuit 11 at the same time as the result is clocked into latch 270. Latch 270 is therefore used to store data twice during execution of the AES algorithm: first the temporary data, and then the result. In this embodiment, the output of latch 270 provides the temporary data to multiplexer 220 and also provides the result to comparator 240. Note that although Figure 7D shows the input of latch 270 connected to the output of adder 14, other embodiments are possible. For example, similar to the configuration of Figure 7B, the input of latch 270 can be connected to the output of adder multiplexer 62; in this embodiment, the output of multiplexer 220 is connected to the input of adder 14. Alternatively, the input of latch 270 can be connected to the output of column mixing circuit 13; in this embodiment, the output of multiplexer 220 is connected to the input of adder multiplexer 62.
[0070] The above embodiments can successfully detect a DFA attack that injects a fault after the column mixing operation of round (N-2) and before the column mixing operation of round (N-1). In almost all cases this method will detect such an attack. However, if a malicious actor is able to inject the same fault twice at exactly the same point in the sequence, once in the initial round (N-1) and once in the repeated round (N-1), the embodiments of Figure 6 and Figures 7A-7D may not detect the attack, because both executions produce the same faulty output and the comparison passes.
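The following Python model is an added example, not code from the patent or from Silicon Laboratories. It implements the round (N-1) repeat-and-compare check of paragraphs [0064]-[0065] in software and then exercises the two cases of paragraph [0070]: a single fault in the DFA window, which the check flags, and an identical fault injected in both executions of round (N-1), which passes the comparison. It assumes AES-128 (N = 10), models the fault as a byte flip at the input of round (N-1), and uses the FIPS-197 Appendix C.1 test vector as input; the hook names (encrypt_protected, flip_byte, differing_bytes) are this example's own.

```python
# Added example (not from the patent): AES-128 with the round (N-1)
# repeat-and-compare check of [0064]-[0065] and the fault cases of [0070].
# Latch/comparator numbers in comments refer to the patent's figures; the
# fault hooks and helper names are this example's own assumptions.

def xtime(a):
    """Multiply by x in GF(2^8) with the AES polynomial 0x11B."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def gmul(a, b):
    """Multiply two GF(2^8) elements."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def ginv(x):
    """x^254 == x^-1 in GF(2^8); ginv(0) == 0 as the S-box requires."""
    r, p = 1, x
    for _ in range(7):
        p = gmul(p, p)
        r = gmul(r, p)
    return r

def _sbox_entry(x):
    b = s = ginv(x)
    for _ in range(4):            # affine transform: xor of rotations 1..4
        b = ((b << 1) | (b >> 7)) & 0xFF
        s ^= b
    return s ^ 0x63

SBOX = [_sbox_entry(x) for x in range(256)]

def expand_key(key):
    """AES-128 key schedule: 11 round keys of 16 bytes, column-major order."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def shift_rows(s):
    # state index = 4*column + row; row r rotates left by r positions
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gmul(a0, 2) ^ gmul(a1, 3) ^ a2 ^ a3,
                a0 ^ gmul(a1, 2) ^ gmul(a2, 3) ^ a3,
                a0 ^ a1 ^ gmul(a2, 2) ^ gmul(a3, 3),
                gmul(a0, 3) ^ a1 ^ a2 ^ gmul(a3, 2)]
    return out

def aes_round(state, round_key, last=False):
    """One pass through the round circuit: SubBytes, ShiftRows, MixColumns
    (bypassed in the final round, like adder multiplexer 62), AddRoundKey."""
    s = shift_rows([SBOX[b] for b in state])
    if not last:
        s = mix_columns(s)
    return [a ^ k for a, k in zip(s, round_key)]

def flip_byte(index, mask=0x01):
    """Constructed fault model: flip bits of one state byte."""
    def fault(state):
        s = list(state)
        s[index] ^= mask
        return s
    return fault

def encrypt_protected(key, block, fault_first=None, fault_repeat=None):
    """AES-128 with the repeat-and-compare check. fault_first / fault_repeat
    model a fault at the input of round N-1 (inside the DFA window) during
    the first and the repeated execution of that round. Returns
    (ciphertext, error_flag); no ciphertext is released when the flag is set."""
    N = 10
    rks = expand_key(key)
    state = [a ^ k for a, k in zip(block, rks[0])]
    for r in range(1, N - 1):                  # rounds 1 .. N-2
        state = aes_round(state, rks[r])
    hold = state                                # hold latch 210
    inp = fault_first(hold) if fault_first else hold
    result = aes_round(inp, rks[N - 1])         # result latch 230
    inp = fault_repeat(hold) if fault_repeat else hold
    check = aes_round(inp, rks[N - 1])          # repeated round N-1, same code path
    if check != result:                         # comparator 240
        return None, True
    return bytes(aes_round(result, rks[N], last=True)), False

def differing_bytes(a, b):
    return sum(x != y for x, y in zip(a, b))

# FIPS-197 Appendix C.1 vector (public test data, not constructed here)
KEY = bytes(range(16))
PT = bytes.fromhex("00112233445566778899aabbccddeeff")
CT = bytes.fromhex("69c4e0d86a7b0430d8cdb78070b4c55a")

if __name__ == "__main__":
    print("clean run matches FIPS-197:", encrypt_protected(KEY, PT) == (CT, False))
    print("single fault flagged:", encrypt_protected(KEY, PT, flip_byte(0))[1])
    ct_bad, flagged = encrypt_protected(KEY, PT, flip_byte(0), flip_byte(0))
    print("identical double fault flagged:", flagged,
          "| ciphertext bytes differing:", differing_bytes(ct_bad, CT))
```

A single-byte fault at the input of round (N-1) spreads through MixColumns of that round to one full column and, after ShiftRows of the final round, to four bytes of the ciphertext; that four-byte signature is what a DFA attack exploits, and it is what the comparator suppresses when only one execution is faulted. In the identical-double-fault run the flag stays clear and the faulty ciphertext is released, which is the residual case that the random delay and dummy rounds of paragraph [0071] are meant to make hard to reach.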
[0071] Therefore, in some embodiments, further countermeasures are taken; these are referenced in box 140 of Figure 5. Specifically, a malicious actor can measure the time taken by the semiconductor device to complete the AES algorithm. From this, the malicious actor may be able to determine the time required for each round and hence the exact time at which rounds (N-2) and (N-1) are executed. To counter this, controller 250 can introduce a random delay into the AES algorithm. In some embodiments, this delay is introduced between the first execution of round (N-1) and the second execution of round (N-1), that is, between the end of the first round (N-1) and the beginning of the second. In other embodiments, a delay can be introduced between two operations within round (N-1). In yet another embodiment, dummy ("virtual") rounds can be executed, whose results are neither captured nor used later. For example, after storing the temporary data, the controller can execute one or more dummy rounds in which no data is stored. After the dummy rounds have completed, controller 250 asserts the check control signal so that the output of hold latch 210 is used.
[0072] Alternatively, the AES algorithm can be modified to minimize the chance of a second fault landing at exactly the same point in the AES algorithm. For example, in one embodiment, the modification includes swapping the execution order of the byte substitution and row shift operations in at least one round (these two operations commute, since byte substitution acts on each byte independently and row shift only permutes bytes, so the round output is unchanged). Another modification is adding a specific value to each byte of the state before an operation in a round, or within a round, and subtracting that value after the round or operation.
[0073] This system and method offer numerous advantages. The AES hardware of this invention detects a DFA attack that could otherwise be used to determine the IV key. To perform this detection, the system requires only one or two latches, a multiplexer, a comparator and some control logic.
[0074] The scope of this invention is not limited to the specific embodiments described herein. In fact, various other embodiments and modifications of the invention, besides those described herein, will be apparent to those skilled in the art from the foregoing description and drawings. Therefore, such other embodiments and modifications are intended to fall within the scope of this invention. Furthermore, although the invention has been described herein in the context of specific implementations in specific environments for specific purposes, those skilled in the art will recognize that its usefulness is not limited thereto, and that the invention can be advantageously practiced in any number of environments for any number of purposes. Therefore, the claims stated below should be interpreted in light of the full breadth and spirit of the invention as described herein.
Claims
1. A method for detecting differential fault analysis (DFA) attacks during execution of the AES algorithm, wherein the AES algorithm requires N rounds of execution, each of the first N-1 rounds includes a byte substitution operation, a row shift operation, a column mixing operation and an adder operation, and the last round includes the byte substitution operation, the row shift operation and the adder operation, the method comprising: providing plaintext data to the AES algorithm; executing the first N-2 rounds; saving temporary data after completing the column mixing operation in round N-2; executing at least a portion of round N-1; saving a result after completing the column mixing operation in round N-1; repeating a portion of the AES algorithm using the temporary data and at least a portion of the same circuitry used to perform round N-1, wherein the repeated portion of the AES algorithm includes all operations beginning after the temporary data is saved and ending with the operation after which the result is saved; comparing the output of the repeated portion of the AES algorithm with the saved result; and flagging an error if the output of the repeated portion of the AES algorithm does not match the saved result.
2. The method according to claim 1, wherein the temporary data is saved after the last operation at which an injected fault would affect all bytes of the output.
3. The method according to claim 2, wherein the temporary data is saved after the column mixing operation and before the adder operation in round N-2.
4. The method according to claim 2, wherein the temporary data is saved after the adder operation in round N-2 and before the byte substitution operation in round N-1.
5. The method according to claim 1, wherein the result is saved after the column mixing operation and before the adder operation in round N-1.
6. The method according to claim 1, wherein the result is saved after the adder operation in round N-1 and before the byte substitution operation in round N.
7. The method according to claim 1, wherein a random delay is introduced during execution of the AES algorithm to minimize the probability of a successful DFA attack.
8. The method according to claim 7, wherein the random delay is introduced after round N-1 is completed and before round N-1 is repeated.
9. The method according to claim 1, wherein the byte substitution operation and the row shift operation are performed in a different order in at least one of the rounds to minimize the probability of a successful DFA attack.
10. The method according to claim 1, wherein a dummy round is executed between the completion of round N-1 and the completion of the repeated round N-1 to minimize the probability of a successful DFA attack.
11. An integrated circuit for executing an AES encryption algorithm having N rounds and for detecting DFA attacks, comprising: an integrated round circuit, wherein a round is defined as one pass of the operations through the integrated round circuit, and wherein the integrated round circuit includes a byte substitution circuit, a row shifting circuit, a column mixing circuit, an adder, an input multiplexer and an adder multiplexer, the byte substitution circuit and the row shifting circuit being executed sequentially before the column mixing circuit, the adder being executed after the column mixing circuit, the input multiplexer selecting between the output of the adder and the plaintext data, and the adder multiplexer bypassing the column mixing circuit during the final round; at least one latch for holding temporary data and a result; a repeat multiplexer having as an input the output of one of the at least one latch; a comparator for comparing the output of one of the at least one latch with another value; and a controller, wherein the controller configures the integrated circuit to: execute the first N-2 rounds; after the column mixing circuit has completed in round N-2, store the temporary data in one of the at least one latch; execute at least a portion of round N-1; after the column mixing circuit has completed in round N-1, store the result in one of the at least one latch; repeat a portion of the AES encryption algorithm using the temporary data, wherein the repeated portion of the AES encryption algorithm includes all operations beginning after the temporary data is saved and ending with the operation after which the result is saved; compare the output of the repeated portion of the AES encryption algorithm with the saved result; and flag an error if the output of the repeated portion of the AES encryption algorithm does not match the saved result.
12. The integrated circuit according to claim 11, wherein the temporary data is stored after the column mixing circuit and before the adder in round N-2.
13. The integrated circuit according to claim 11, wherein the temporary data is stored after the adder in round N-2 and before round N-1.
14. The integrated circuit according to claim 11, wherein the result is stored after the column mixing circuit and before the adder in round N-1.
15. The integrated circuit according to claim 11, wherein the result is stored after the adder in round N-1 and before round N.
16. The integrated circuit according to claim 11, wherein the controller introduces a random delay during execution of the AES encryption algorithm to minimize the probability of a successful DFA attack.
17. The integrated circuit according to claim 16, wherein the random delay is introduced after round N-1 is completed and before round N-1 is repeated.
18. The integrated circuit according to claim 11, wherein the byte substitution circuit and the row shifting circuit are executed in a different order in at least one of the rounds to minimize the probability of a successful DFA attack.
19. The integrated circuit according to claim 11, wherein a dummy round is executed between the completion of round N-1 and the completion of the repeated round N-1 to minimize the probability of a successful DFA attack.
20. The integrated circuit according to claim 11, wherein the at least one latch includes two latches, a hold latch and a result latch, the temporary data being stored in the hold latch and the result being stored in the result latch.