Systematic Security Evaluation Method Against C Safe-Error Attacks

Duško Karaklajić, Junfeng Fan and Ingrid Verbauwhede

Katholieke Universiteit Leuven, ESAT/SCD-COSIC and IBBT

Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium

Email: firstname.lastname@esat.kuleuven.be


Abstract—This paper proposes a systematic security evaluation of cryptographic hardware against C safe-error attacks. Using the graph representation of a design, we provide a simple and efficient method to detect possible C safe-errors. Exposing possible vulnerabilities at an early stage of a design process, this method avoids costly design re-spins and reduces time-to-market. As a proof of concept, we apply the method to two well-known exponentiation algorithms: square-and-multiply-always and the Montgomery ladder.

Index Terms—Safe-error attacks, Data Flow Graph, Control Flow Graph, Square-and-multiply-always, Montgomery Ladder.

I. INTRODUCTION

In 1997, Boneh et al. [2] discovered that faults, which normally lead to erroneous results, can be used to recover the secret of a cryptographic implementation. It was later discovered that a safe-error [14], [13], i.e. an error that does not affect the final result, can also be exploited to reveal the key. Safe-Error Attacks (SEA) have been successfully applied to RSA [5], [14], [13] and AES [1]. What makes SEA special is that the adversary is not interested in the erroneous results, but simply in whether the output is affected or not. As such, common countermeasures for fault attacks such as "check-before-output" cannot prevent SEA. Besides, SEA have a relatively low time complexity and an extremely simple key recovery algorithm, making them a serious threat to cryptographic systems.

There are two types of SEA: the computational SEA (CSEA) [14] and the memory SEA (MSEA) [13]. This paper proposes a systematic security evaluation of a design against SEA. In contrast to ad hoc fault detection methods based on a designer's inspection, we propose a systematic security evaluation procedure that can be performed at both the algorithmic level and the register-transfer level of abstraction. Using a graph representation of a design, which is also exploited for performance optimizations, we provide a simple way to detect possible vulnerabilities at an early stage of the design process.

While we only focus on CSEA in this paper, we believe the proposed method can be easily extended to detect memory safe-errors.

The rest of the paper is organized as follows. The next section gives the necessary background. Section III explains the proposed security evaluation method in general and Section IV gives two examples. In Section V, we discuss the applicability and the efficiency of the presented procedure. Finally, we conclude in Section VI.

II. PRELIMINARIES

In this section we introduce the necessary background and the notations. We first recap the safe-error attacks, and then describe the basic concept of control and data flow graphs.

A. Safe-error attacks

CSEA are developed by inducing temporary random computational fault(s) inside the Arithmetic Logic Unit (ALU) of a device. A CSEA adversary is supposedly capable of injecting a temporary fault into the ALU during a specific operation. The adversary should also be able to tell whether the fault leads to a faulty result or not, while the output itself, faulty or fault-free, is not required for the attack. The operations being disturbed are normally dummy operations introduced to achieve resistance against timing analysis [6] and Simple Power Analysis (SPA) [7]. Depending on the key bit, faults induced during such an operation may lead to a faulty or a fault-free result. The adversary uses this information to derive one or more bits of the secret.

While CSEA exploit the weakness of an algorithm, MSEA exploit possible safe-errors in an actual implementation. The basic idea of MSEA is that, depending on the key bit, faults in some memory blocks will be cleared. An MSEA adversary is supposedly capable of injecting a temporary fault at a specific register or memory location. Like a CSEA adversary, an MSEA adversary is only interested in whether the fault leads to a faulty result or not. Joye and Yen showed that a software implementation of the Montgomery powering ladder (MPL) [9], an algorithm commonly used for exponentiation in cryptographic applications, is vulnerable to MSEA. In addition, Kim et al. [5] showed that a hardware implementation of the protected MPL [9] can also be vulnerable to MSEA.

B. Control and data flow graphs

In most high level synthesis systems, a design, usually described using high level hardware description languages, is first translated into a graph representation. This representation contains the control and data flow information present in the description [8]. By representing computations graphically, natural parallelism of the computation can be easily identified and exploited.


A control flow graph is a directed graph CFG(V, E) where the vertices V correspond to operation or decision nodes and the edges E represent the control flow between the nodes [10]. The CFG is derived from the control structures in the code, such as if-else and for-loop statements, and is used for describing the execution order.

A data-flow graph is a directed graph DFG(V, E) containing vertices and edges. Vertices correspond to actors representing inputs, outputs, storages and operations, while edges represent data dependencies between the nodes. DFG maintains the data dependence between the operations [10].

III. SECURITY EVALUATION PROCEDURE

As explained in Section II-A, SEA exploit the fact that a fault injected in a certain operation or memory location has, depending on a key bit, a different impact on the final result. Such impact can be modeled by data dependencies between the operations, which are graphically described by data flow graphs (DFG). Since it is important to detect key-related data dependencies, we use control flow graphs (CFG) to expose how a key bit affects the control flow of a design. Combining the information gained from the DFG and the CFG, it is possible to determine if a design is vulnerable to SEA. Figure 1a presents a flow chart of the proposed security evaluation procedure.

It is assumed that a design description is first translated into a hardware-oriented language, such as SystemC or VHDL. The next step is the extraction of the control flow information and the construction of a CFG. Figure 1b depicts a typical control flow graph of an exponentiation, a frequently used operation in public-key cryptographic algorithms. Note that the exponentiation is computed with repeated multiplications. Suppose the exponent $k$ is the key (or secret) of the cryptosystem, and the exponentiation is performed with a loop where each iteration corresponds to a key bit $k_i$. Sets of operations $OP_{k_i}$, $k_i \in \{0, 1\}$, are denoted as key dependent and are executed only for the corresponding value of $k_i$. Since the goal is to detect the key-related impact of the operations in the CFG on the final result, we now detach it into two parts which correspond to the different key bit values ($CFG_0$ and $CFG_1$ in Fig. 1a). The derived CFGs are depicted in Fig. 1c.

In order to explore how certain operations affect a round output for both key bits, we need to construct the corresponding DFGs and analyze the data dependencies in both cases. Given the CFG, the DFG can be constructed using the following procedure [11]:

1) Select a node in the CFG where a variable is used as an operand in an expression and mark that node as a read-node.
2) Find the CFG nodes that assign that variable (the write-nodes).
3) If there exists a direct control path from a write-node to the read-node that does not pass through another write-node, a data edge directed from the write-node to the read-node is identified.
4) Repeat the previous steps for all read-nodes.

Let us now, for both $DFG_0$ and $DFG_1$ (Fig. 1a), construct a binary vector $M_i$, $i \in \{0, 1\}$, of length $N$, where $N$ is the total number of nodes in the corresponding DFG. An entry $j$ of $M_i$, $j \in \{1, \ldots, N\}$, has the value "1" if there is a path from node $j$ to the output node. Otherwise, the entry is "0". Having both $M_0$ and $M_1$, we can construct a differential vector $D = M_0 \oplus M_1$, which exposes all possible key-related data dependencies. Namely, if $D[j]$ is "1", operation $j$ affects the output only when the processed key bit is either 1 or 0, and hence an error in that operation can be exploited as a safe error. Otherwise, operation $j$ is balanced and cannot be used to leak information about the key bit.

IV. APPLICATIONS

This section describes the application of the presented security evaluation procedure to two well-known exponentiation algorithms: square-and-multiply-always [3] and the Montgomery powering ladder [9]. Since the resistance of these algorithms to CSEA has already been examined [14], [4], we evaluate them with the proposed procedure as a proof of concept only.

A. Square-and-multiply-always

Algorithm 1 is square-and-multiply-always, the SPA-resistant version of the classical square-and-multiply exponentiation algorithm. If we assume that an adversary is able to inject a fault in every single operation, we can evaluate the security of the algorithm against C safe-error attacks using our method.

Algorithm 1 Square-and-multiply-always algorithm [3]
Require: $g$, $k = (k_{t-1}, \ldots, k_0)_2$
Ensure: $y = g^k = kP$.
1: $R_0 \leftarrow 1$, $R_2 \leftarrow g$.
2: for $j$ from $t-1$ downto $0$ do
3:   $b \leftarrow \tilde{k}_j$;
4:   $R_0 \leftarrow R_0^2$;
5:   $R_b \leftarrow R_0 R_2$;
   end for
6: Return $R_0$.

Let us first construct the control flow graph of the algorithm (Fig. 2). Detaching the CFG into two parts corresponding to $k_j = 0$ and $k_j = 1$, we obtain $CFG_0$ and $CFG_1$. According to the general procedure described in Section III, operations 1 and 2 represent the round inputs, and operation 5 is the round output. Using the operations defined in the CFG, we construct $DFG_0$ and $DFG_1$ (Figure 3) following the transformation procedure. Symbols $R_i$, $i \in \{0, 1, 2\}$, denote the operands consumed and produced by the nodes. Looking at the DFGs, it is now trivial to examine the path existence between every node and the output node and to construct $M_i$, $i \in \{0, 1\}$.

Since $M_1 = [1\ 1\ 1\ 1\ 1]$ and $M_0 = [1\ 1\ 1\ 0\ 1]$, we have the differential vector $D = [0\ 0\ 0\ 1\ 0]$. This means that an error in operation 4 is a safe error. Indeed, as shown in [14], operation 4 is a dummy operation and enables CSEA.

B. Montgomery Powering Ladder

The second example presents the application of the security evaluation procedure to the Montgomery powering ladder.

Fig. 1: The security evaluation procedure and the control flow graph of a cryptographic algorithm. (a) The flow chart of the security evaluation procedure: SystemC/VHDL description, CFG, $CFG_0$ and $CFG_1$ (for $k_i = 0$ and $k_i = 1$), $DFG_0$ and $DFG_1$, $M_0$ and $M_1$, $D$, CHECK, PASS or FAIL. (b) CFG of an exponentiation algorithm (IN, $OP_A$, $OP_0$, $OP_1$, $OP_B$, OUT, with round input and round output). (c) $CFG_0$ and $CFG_1$.

Fig. 3: Square-and-multiply-always algorithm: $DFG_1$ (left) and $DFG_0$ (right).

Fig. 2: Square-and-multiply-always algorithm: CFG (left), $CFG_1$ (mid.) and $CFG_0$ (right).

The Montgomery powering ladder was initially proposed for fast scalar multiplication on elliptic curves [9], but its scope has been extended to any exponentiation in an abelian group.

Following the same procedure as in the first example, the CFGs and DFGs for the Montgomery ladder are given in Figures 4 and 5, respectively.

Since $M_0 = M_1 = [1\ 1\ 1\ 1\ 1]$, the differential vector is $D = [0\ 0\ 0\ 0\ 0]$. This means that there are no key-related differences in the data dependencies and that the algorithm is immune to CSEA. Indeed, since it contains no dummy operations, the Montgomery powering ladder is known to be secure against C safe-error attacks [4].

Algorithm 2 Montgomery Powering Ladder [9]
Require: $g$, $k = (k_{t-1}, \ldots, k_0)_2$
Ensure: $y = g^k = kP$.
1: $R_0 \leftarrow 1$, $R_1 \leftarrow g$.
2: for $j$ from $t-2$ downto $0$ do
3:   if ($k_j = 0$) then
4:     $R_1 \leftarrow R_0 R_1$; $R_0 \leftarrow (R_0)^2$
5:   else
6:     $R_0 \leftarrow R_0 R_1$; $R_1 \leftarrow (R_1)^2$
7:   end if
8: end for
9: Return $R_0$.
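The evaluation procedure of Section III carried through for Algorithm 1 and Algorithm 2, as an added Python example that is not part of the paper: it detaches the CFG per key-bit value, derives the DFG edges with the write-node/read-node rule, computes $M_0$, $M_1$ and $D = M_0 \oplus M_1$, and flags any unbalanced operation. The Op encoding and the node numbering (as in Figs. 2 to 5, with node 5 as the round output) are this example's own assumptions.

```python
"""Key-related data-dependency check for C safe-errors (added example)."""
from collections import namedtuple

# node: number as in the paper's CFG (1..N); writes/reads: register names;
# key: 0 or 1 if the operation runs only for that key-bit value, None if always.
Op = namedtuple("Op", "node writes reads key", defaults=(None,))

def detach_cfg(ops, key_bit):
    """CFG_k: the straight-line path taken when the key bit equals key_bit."""
    return [op for op in ops if op.key is None or op.key == key_bit]

def build_dfg(cfg):
    """DFG edges (write-node -> read-node): a read depends on the latest
    preceding write of the same register with no other write in between."""
    edges, last_writer = set(), {}
    for op in cfg:
        for reg in op.reads:
            if reg in last_writer:
                edges.add((last_writer[reg], op.node))
        for reg in op.writes:
            last_writer[reg] = op.node
    return edges

def reach_vector(edges, out_node, n_nodes):
    """M_i: entry j is 1 iff there is a path from node j to the output node."""
    reach, todo = {out_node}, [out_node]
    while todo:                          # walk the edges backwards from the output
        dst = todo.pop()
        new = {src for src, d in edges if d == dst and src not in reach}
        reach |= new
        todo.extend(new)
    return [1 if j in reach else 0 for j in range(1, n_nodes + 1)]

def evaluate(ops, out_node=5):
    """Return (M_0, M_1, D) with D = M_0 xor M_1; a 1 in D flags a safe error."""
    n = max(op.node for op in ops)
    m0, m1 = [reach_vector(build_dfg(detach_cfg(ops, k)), out_node, n) for k in (0, 1)]
    return m0, m1, [a ^ b for a, b in zip(m0, m1)]

# Algorithm 1 round, nodes as in Figs. 2-3 (the encoding is this example's own)
SMA = [Op(1, ("R0",), ()), Op(2, ("R2",), ()),          # R0 <- 1, R2 <- g (inputs)
       Op(3, ("R0",), ("R0",)),                          # R0 <- R0^2
       Op(4, ("R1",), ("R0", "R2"), key=0),              # k_j = 0: R1 <- R0*R2 (dummy)
       Op(4, ("R0",), ("R0", "R2"), key=1),              # k_j = 1: R0 <- R0*R2
       Op(5, (), ("R0", "R2"))]                          # round output (node 5)
# Algorithm 2 round, nodes as in Figs. 4-5
ML = [Op(1, ("R0",), ()), Op(2, ("R1",), ()),           # R0 <- 1, R1 <- g (inputs)
      Op(3, ("R1",), ("R0", "R1"), key=0), Op(4, ("R0",), ("R0",), key=0),
      Op(3, ("R0",), ("R0", "R1"), key=1), Op(4, ("R1",), ("R1",), key=1),
      Op(5, (), ("R0", "R1"))]                           # round output (node 5)
```

evaluate(SMA) yields D = [0 0 0 1 0], flagging the dummy multiplication at node 4, while evaluate(ML) yields the all-zero D of the ladder.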

V. DISCUSSION

Not relying on algorithm-specific properties but only exploiting the data dependencies present in a given design, the proposed security evaluation procedure can be extended and applied to a wide range of algorithms. Since most public-key cryptographic algorithms have a simple control flow as depicted in Fig. 1b, their security against C safe-error attacks can be analyzed using the described evaluation procedure. Note that the procedure has a linear time complexity. The problem of generating the vectors $M_0$ and $M_1$ can be reduced to a directed graph connectivity problem [12] with a time complexity of $O(N)$, where $N$ is the number of vertices in the graph.

The presented procedure can be extended and applied to M safe-error detection. By modeling the faults on memory or registers as an extra operation in the DFGs, we can check whether the faults lead to a safe-error or not. However, since M safe-error attacks exploit the vulnerabilities of the actual implementation, the control and data flow graphs should be generated from a specific design instead of a high-level algorithm. Furthermore, the M safe-error detection method must also consider the capabilities of an attacker. If the attacker is capable of affecting just a single bit of a register, then the DFGs should treat each bit as a variable and should be precise enough to model bit-wise operations. Finally, the timing of fault induction in MSEA is essential, while CSEA always inject faults during a specific operation. As such, CFGs and DFGs have to be extended to model faults at different moments, which also increases the complexity of the evaluation.

Fig. 4: The Montgomery powering ladder: CFG (left), $CFG_0$ (mid.) and $CFG_1$ (right).

Fig. 5: The Montgomery powering ladder: $DFG_0$ (left) and $DFG_1$ (right).

VI. CONCLUSION

In this paper we present a new systematic method to detect vulnerabilities against C safe-error attacks. Using the graph representation of a design, which is available at an early stage of the design process, the presented method provides systematic and efficient detection. As a proof of concept, we presented the application of the security evaluation method to two well-known exponentiation algorithms.

For future work, we plan to explore the possibilities of applying this method to model M safe-errors. We would also like to extend the procedure to check safe-errors in symmetric-key cryptography and its implementations.

ACKNOWLEDGMENT

This work was supported in part by K.U.Leuven-DBOF/08/047, by the Research Council K.U. Leuven: GOA TENSE (GOA/11/007), by the European Commission under contract number ICT-2007-216676 ECRYPT NoE phase II and FP7-238811 UNIQUE Project, and by IAP Programme P6/26 BCRYPT of the Belgian State (Belgian Science Policy).

REFERENCES

[1] Johannes Blömer and Jean-Pierre Seifert. Fault based cryptanalysis of the Advanced Encryption Standard (AES). In Financial Cryptography, pages 162–181, 2003.

[2] Dan Boneh, Richard A. DeMillo, and Richard J. Lipton. On the importance of checking cryptographic protocols for faults. Pages 37–51, 1997.

[3] Jean-Sébastien Coron. Resistance against Differential Power Analysis for Elliptic Curve Cryptosystems. In Proceedings of the First International Workshop on Cryptographic Hardware and Embedded Systems, CHES '99, pages 292–302, London, UK, 1999.

[4] Marc Joye and Sung-Ming Yen. The Montgomery powering ladder. In Proceedings of the 4th International Workshop on Cryptographic Hardware and Embedded Systems, CHES '02, pages 291–302, London, UK, 2002.

[5] Chong Hee Kim, Jong Hoon Shin, Jean-Jacques Quisquater, and Pil Joong Lee. Safe-error attack on SPA-FA resistant exponentiations using a HW modular multiplier. In ICISC, pages 273–281, 2007.

[6] Paul Kocher. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. In Neal Koblitz, editor, CRYPTO '96: Advances in Cryptology, volume 1109 of Lecture Notes in Computer Science, pages 104–113. Springer, 1996.

[7] Paul Kocher, Joshua Jaffe, and Benjamin Jun. Differential Power Analysis. In CRYPTO, volume 1666 of Lecture Notes in Computer Science, pages 388–397. Springer, 1999.

[8] Jean P. Mermet. Fundamentals and Standards in Hardware Description Languages: Proceedings of the NATO Advanced Study Institute. Kluwer Academic Publishers, Norwell, MA, USA, 1993.

[9] Peter L. Montgomery. Speeding the Pollard and Elliptic Curve Methods of Factorization. Mathematics of Computation, 48:243–264, 1987.

[10] Ralf Niemann. Hardware/Software Co-Design for Data Flow Dominated Embedded Systems. Kluwer Academic Publishers, Norwell, MA, USA, 1998.

[11] Patrick Schaumont. A Practical Introduction to Hardware/Software Codesign. Springer, 2010.

[12] Avi Wigderson. The complexity of graph connectivity. In Proceedings of the 17th International Symposium on Mathematical Foundations of Computer Science, MFCS '92, pages 112–132, London, UK, 1992.

[13] Sung-Ming Yen and Marc Joye. Checking Before Output May Not Be Enough Against Fault-Based Cryptanalysis. IEEE Trans. Comput., 49:967–970, September 2000.

[14] Sung-Ming Yen, Seungjoo Kim, Seongan Lim, and SangJae Moon. A Countermeasure against One Physical Cryptanalysis May Benefit Another Attack. In Proceedings of the 4th International Conference Seoul on Information Security and Cryptology, ICISC '01, pages 414–427, London, UK, 2002.
