Persistent-Fault Based Differential Analysis and Applications to Masking and Fault Countermeasures

A persistent fault analysis (PFA) can break implementations of the advanced encryption standard (AES) secured by fault attack countermeasures that prevent differential analyses based on transient faults (DFA). When the AES implementation is protected by some higher-order masking countermeasure, the number of required ciphertexts may increase exponentially with the growth of the number of shares. We present a persistent-fault-based differential analysis (PFDA) against AES implementations. Two error patterns are detected by ciphertext pairs. Namely, only one error occurs at a SubBytes operation in round 10, and only one error occurs at a SubBytes operation in round 9. The latter is used to derive a differential characteristic (DC) for the key recovery, and the former is explored to deduce the input difference of the DC. Thus, the computational complexity is reduced compared to DFA. Encrypting a fixed plaintext many times to tolerate errors is utilized in PFDA against RP countermeasures. The number of required encryptions increases linearly with the growth of the number of shares. The simulation results show that PFDA can break unprotected AES implementations and implementations secured by fault attack countermeasures or the above higher-order masking countermeasures. Compared to other analyses based on persistent fault, the required number of ciphertexts of PFDA is the lowest.