Jacob Alperin-Sheriff writes:
> Is there a good survey of fault injections (and similar) in the wild
> and how to defend against them?
Here's the basic story: Take any unprotected implementation of any
cryptographic primitive, and it won't be secure against fault attacks.
The literature on fault attacks is mostly evaluating the difference
between low-cost attacks and very-low-cost attacks against unprotected
implementations.
There's also some constructive literature. The basic algorithmic
countermeasures are what you'd expect:
* Apply an error-detecting code to your computation, such as
running twice and raising alarms if there's a mismatch.
* Apply an error-correcting code to your computation, such as
running three times and taking the majority vote.
Both of these are most effective if they're done at each step of the
computation. They're cheaper for linear steps than for nonlinear steps,
cheaper for algebraic steps than for nonalgebraic steps, etc.; there
seems to be some correlation between algorithmic features reducing the
costs of fault attacks and algorithmic features reducing the costs of
countermeasures. Of course there are also physical countermeasures such
as keeping the attacker far away, monitoring temperatures, etc.
It's relatively difficult to find literature studying the security of
implementations that use the obvious countermeasures. One can easily
write down an extreme attack model that theoretically breaks every
circuit (the attacker observes the result of a fault in the last bit
operation, then induces repetitions of the computation and works
backwards through previous bit operations), but this doesn't seem to
shed any light on the question of how expensive a real attack is.
---Dan