A Fast-Detection and Fault-Correction Algorithm against Persistent Fault Attack
Persistent Fault Attack (PFA) is a recently proposed Fault Attack (FA) method in CHES 2018. It is able to recover the full AES secret key in the Single-Byte-Fault scenario. It is demonstrated that classical FA countermeasures, such as Dual Modular Redundancy (DMR) and mask protection, are unable to thwart PFA. In this paper, we propose a fast-detection and fault-correction algorithm to prevent PFA. We construct a fixed input and output pair to detect faults rapidly. Then we build two extra redundant tables to store the relationship between the adjacent elements in the S-box, by which the algorithm can correct the faulty elements in the S-box. Our experimental results show that our algorithm can effectively prevent PFA in both Single-Byte-Fault and Multiple-Bytes-Faults scenarios. Compared with the classical FA countermeasures, our algorithm has a much better effect against PFA. Further, the time cost of our algorithm is 40% lower than the classical FA countermeasures.
💡 Research Summary
This paper proposes a novel algorithm-level countermeasure against the Persistent Fault Attack (PFA), a potent fault attack method introduced at CHES 2018. PFA exploits persistent faults that corrupt lookup tables (e.g., the AES S-box) and remain active across multiple encryptions, enabling full key recovery. The authors highlight that classical fault attack countermeasures like Dual Modular Redundancy (DMR) and masking are ineffective against PFA.
The core contribution is a fast-detection and fault-correction algorithm specifically designed for AES implementations. The algorithm operates in three conceptual stages. First, a fast-detection mechanism checks the integrity of each element in the S-box. It cleverly reuses the existing SubBytes module by applying a fixed sequence of inputs (0-255) and comparing the outputs against known correct values. This allows for rapid identification of any corrupted S-box entries.
Second, if a fault is detected, a fault-correction mechanism is activated. This is the algorithm’s most innovative aspect. Prior to deployment, two extra redundant tables are pre-computed and stored. These tables encode the relationships (e.g., XOR differences) between adjacent elements in the original, correct S-box. When a specific S-box element is identified as faulty, the correction mechanism uses the values of its (assumed to be) correct neighboring elements and the pre-stored relationship data from the redundant tables to deduce and restore the original correct value of the faulty element. This real-time correction ensures the S-box table is repaired.
Finally, with a corrected S-box, all subsequent encryptions produce valid ciphertexts, thereby depriving the PFA adversary of the faulty ciphertexts necessary for statistical analysis and key recovery.
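The three stages above, as an added example that is not the paper's own code: it generates the standard AES S-box as ground truth, derives two redundant difference tables, sweeps the fixed input sequence 0..255 through SubBytes to find inconsistent entries, and rebuilds each faulty entry from a neighbour that passes its own check. The concrete relationship stored (XOR with the next and the previous entry) and the rule for deciding which entry of an inconsistent pair is wrong are this example's assumptions, not the paper's construction; the example also exercises the multiple-faults case and shows one failure mode of neighbour-based correction.

```python
"""Added illustration of S-box fault detection and neighbour-based correction.
Not the paper's code: the table layout (XOR differences to the next and the
previous S-box entry) and the suspect-selection rule are assumptions."""


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8) via a^254; AES maps 0 to 0."""
    if a == 0:
        return 0
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def build_sbox() -> list:
    """Standard AES S-box: inverse in GF(2^8) followed by the affine map."""
    sbox = []
    for x in range(256):
        v = gf_inv(x)
        rot = lambda n: ((v << n) | (v >> (8 - n))) & 0xFF
        sbox.append(v ^ rot(1) ^ rot(2) ^ rot(3) ^ rot(4) ^ 0x63)
    return sbox


def build_redundant_tables(sbox: list) -> tuple:
    """Two extra tables (assumed layout): XOR to the next and previous entry."""
    fwd = [sbox[i] ^ sbox[(i + 1) % 256] for i in range(256)]
    bwd = [sbox[i] ^ sbox[(i - 1) % 256] for i in range(256)]
    return fwd, bwd


def detect(sbox: list, fwd: list) -> set:
    """Fast detection: sweep inputs 0..255 through SubBytes and compare each
    adjacent output pair with the stored relationship. Returns the indices a
    whose pair (a, a+1) is inconsistent; empty set means the table is intact."""
    return {a for a in range(256) if sbox[a] ^ sbox[(a + 1) % 256] != fwd[a]}


def correct(sbox: list, fwd: list, bwd: list) -> tuple:
    """Locate faulty entries and rebuild each from a neighbour that passed.
    An entry shared by two failing pairs is the suspect; an isolated failing
    pair cannot be attributed to one side and is left unresolved.
    Returns (repaired_table, pair_indices_still_inconsistent)."""
    s = list(sbox)
    failing = detect(s, fwd)
    suspects = set()
    for a in failing:
        if (a - 1) % 256 in failing:
            suspects.add(a)
        elif (a + 1) % 256 in failing:
            suspects.add((a + 1) % 256)
    for i in sorted(suspects):
        left, right = (i - 1) % 256, (i + 1) % 256
        if left not in suspects:            # left neighbour is trusted
            s[i] = s[left] ^ fwd[left]
            suspects.discard(i)
        elif right not in suspects:         # fall back to the right neighbour
            s[i] = s[right] ^ bwd[right]
            suspects.discard(i)
    return s, detect(s, fwd)


if __name__ == "__main__":
    SBOX = build_sbox()
    FWD, BWD = build_redundant_tables(SBOX)
    faulty = list(SBOX)
    faulty[0x53] ^= 0x20                    # constructed single-byte fault
    repaired, unresolved = correct(faulty, FWD, BWD)
    print("single fault repaired:", repaired == SBOX, "unresolved:", unresolved)
```

Correction walks suspects in ascending order, so a run of adjacent faults is repaired left to right, each entry from the one just fixed before it. The limitation worth knowing: two adjacent entries flipped by the same mask leave their shared pair consistent, so the sweep sees two isolated failures and the rule above cannot pick a side; a deployment would need a second, independent relationship (or the paper's own construction) to close that gap.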
The paper provides a comprehensive evaluation. The algorithm’s effectiveness is demonstrated in both Single-Byte-Fault and Multiple-Bytes-Faults scenarios, showing it successfully prevents PFA key recovery. A comparative performance analysis shows that the proposed algorithm incurs approximately 40% lower time cost than classical DMR countermeasures. This efficiency gain is attributed to the fact that DMR requires two full encryption executions for comparison, while the proposed algorithm primarily performs a fast check and only engages in correction logic when a fault is actually present.
Experiments were conducted on both software (microcontroller) and hardware (FPGA) platforms, validating the algorithm’s practicality. The FPGA implementation further optimized area cost using a “pre-correction” design. Additional discussions explore the relationship between PFA efficacy and the number of faults, compare the algorithm to Triple Modular Redundancy (TMR), and consider its potential extensibility to other block ciphers.
In conclusion, this work presents a significant advancement in fault attack defense by moving beyond mere fault detection to active fault correction within cryptographic tables, offering a robust and efficient algorithmic shield against the emerging threat of Persistent Fault Attacks.