Low-Cost Software Countermeasures Against Fault Attacks: Implementation and Performances Trade Offs

In this paper we present software countermeasures specifically designed to counteract fault attacks during the execution of a software implementation of a cryptographic algorithm and analyze their efficiency. We propose two approaches that are based on the insertion of redundant computations and checks, which in their general form, are suitable for any cryptographic algorithm. In particular, we focus on selective instruction duplication, employed to detect single errors, instruction triplication to support also error correction, and parity checking to detect corruption of a stored value. We developed a framework to automatically add the desired countermeasure, and we support the possibility to apply the selected redundancy to either all the instructions of the cryptographic routine or restrict it to the most sensitive ones, such as table lookups and key fetching. Considering an ARM processor as a target platform and AES as a target algorithm, we evaluate the overhead of each proposed countermeasure while keeping the robustness of the implementation high enough to thwart most or all the known fault attacks. Experimental results show that in the considered architecture, the fastest solution is per-instruction selective doubling and checking, and that the instruction triplication is a viable alternative if very high levels of fault resistance are required. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Copyright 20XX ACM X-XXXXX-XX-X/XX/XX ...$10.00.