Michael Goessel

Bio: Michael Goessel is an academic researcher from University of Potsdam. The author has contributed to research in topics: Combinational logic & Error detection and correction. The author has an hindex of 13, co-authored 45 publications receiving 755 citations. Previous affiliations of Michael Goessel include Infineon Technologies.

Low cost concurrent error detection for the advanced encryption standard

Abstract: We present a new low-cost concurrent checking method for the advanced encryption standard (AES) encryption algorithm. In this method, the parity of the 128-bit input is determined and modified step-by-step into the parity of the 128-bit output according to the processing steps of the AES encryption. For the parity-preserving AES steps shift-rows and mix-column no parity modifications are necessary. The modified parity is compared in any round with the actual parity of the outputs of the round. To obtain the hardware costs we implemented this method on a Xilinx Virtex 1000 FPGA. For this implementation, the hardware overhead is about 8% and the additional time delay is about 5%. The method detects technical faults and deliberately injected faults during normal operation.

Parity-based concurrent error detection of substitution-permutation network block ciphers

Abstract: Deliberate injection of faults into cryptographic devices is an effective cryptanalysis technique against symmetric and asymmetric encryption algorithms. In this paper we will describe parity code based concurrent error detection (CED) approach against such attacks in substitution-permutation network (SPN) symmetric block ciphers [22]. The basic idea compares a carefully modified parity of the input plain text with that of the output cipher text resulting in a simple CED circuitry. An analysis of the SPN symmetric block ciphers reveals that on one hand, permutation of the round outputs does not alter the parity from its input to its output. On the other hand, exclusive-or with the round key and the non-linear substitution function (s-box) modify the parity from their inputs to their outputs. In order to change the parity of the inputs into the parity of outputs of an SPN encryption, we exclusive-or the parity of the SPN round function output with the parity of the round key. We also add to all s-boxes an additional 1-bit binary function that implements the combined parity of the inputs and outputs to the s-box for all its (input, output) pairs. These two modifications are used only by the CED circuitry and do not impact the SPN encryption or decryption. The proposed CED approach is demonstrated on a 16-input, 16-output SPN symmetric block cipher from [1].

Parity-Based Concurrent Error Detection of Substitution-Permutation Network Block Ciphers

Abstract: Deliberate injection of faults into cryptographic devices is an effective cryptanalysis technique against symmetric and asymmetric encryption algorithms. In this paper we will describe parity code based concurrent error detection (CED) approach against such attacks in substitution-permutation network (SPN) symmetric block ciphers [22]. The basic idea compares a carefully modified parity of the input plain text with that of the output cipher text resulting in a simple CED circuitry. An analysis of the SPN symmetric block ciphers reveals that on one hand, permutation of the round outputs does not alter the parity from its input to its output. On the other hand, exclusive-or with the round key and the non-linear substitution function (s-box) modify the parity from their inputs to their outputs. In order to change the parity of the inputs into the parity of outputs of an SPN encryption, we exclusive-or the parity of the SPN round function output with the parity of the round key. We also add to all s-boxes an additional 1-bit binary function that implements the combined parity of the inputs and outputs to the s-box for all its (input, output) pairs. These two modifications are used only by the CED circuitry and do not impact the SPN encryption or decryption. The proposed CED approach is demonstrated on a 16-input, 16-output SPN symmetric block cipher from [1].

Self-Checking Combinational Circuits with Unidirectionally Independent Outputs

Abstract: In this paper we propose a structure dependent method for the systematic design of a self-checking circuit which is well adapted to the fault model of single gate faults and which can be used in test mode.

New Linear SEC-DED Codes with Reduced Triple Bit Error Miscorrection Probability

Abstract: This paper solves the problem of minimizing triple bit error miscorrection for single-error-correcting, double-error-detecting codes (SEC-DED codes) which are used to protect all kinds of memory against errors. A lower bound for triple bit error miscorrection for the widely used class of odd-weight column codes is derived and actual codes which are very close to that theoretical bound are presented. Surprisingly, significantly better results are obtained with shortened generalized Hamming codes. An optimal (39,32)-SEC-DED code with 32 information bits and 7 control bits is determined which has the lowest risk of triple bit miscorrection of any possible linear (39,32)-code. It is shown how codes with 64 and 128 information bits with significantly lower triple bit miscorrection probability than currently used codes can be derived from that code.The new codes also feature adjacent double bit error correction capabilities (SEC-DED-DAEC codes). Employing them in a SEC-DED-DAEC checker reduces the risk of miscorrecting non-adjacent double bit errors by 27-34% compared to the best codes known.

Simple error detection methods for hardware implementation of Advanced Encryption Standard

Abstract: In order to prevent the Advanced Encryption Standard (AES) from suffering from differential fault attacks, the technique of error detection can be adopted to detect the errors during encryption or decryption and then to provide the information for taking further action, such as interrupting the AES process or redoing the process. Because errors occur within a function, it is not easy to predict the output. Therefore, general error control codes are not suited for AES operations. In this work, several error-detection schemes have been proposed. These schemes are based on the (n+1, n) cyclic redundancy check (CRC) over GF(28), where nisin{4,8,16}. Because of the good algebraic properties of AES, specifically the MixColumns operation, these error detection schemes are suitable for AES and efficient for the hardware implementation; they may be designed using round-level, operation-level, or algorithm-level detection. The proposed schemes have high fault coverage. In addition, the schemes proposed are scalable and symmetrical. The scalability makes these schemes suitable for an AES circuit implemented in 8-bit, 32-bit, or 128-bit architecture. Symmetry also benefits the implementation of the proposed schemes to achieve that the encryption process and the decryption process can share the same error detection hardware. These schemes are also suitable for encryption-only or decryption-only cases. Error detection for the key schedule in AES is also proposed and is based on the derived results in the data procedure of AES

Low cost concurrent error detection for the advanced encryption standard

Abstract: We present a new low-cost concurrent checking method for the advanced encryption standard (AES) encryption algorithm. In this method, the parity of the 128-bit input is determined and modified step-by-step into the parity of the 128-bit output according to the processing steps of the AES encryption. For the parity-preserving AES steps shift-rows and mix-column no parity modifications are necessary. The modified parity is compared in any round with the actual parity of the outputs of the round. To obtain the hardware costs we implemented this method on a Xilinx Virtex 1000 FPGA. For this implementation, the hardware overhead is about 8% and the additional time delay is about 5%. The method detects technical faults and deliberately injected faults during normal operation.

A comparative cost/security analysis of fault attack countermeasures

Abstract: Deliberate injection of faults into cryptographic devices is an effective cryptanalysis technique against symmetric and asymmetric encryption algorithms. To protect cryptographic implementations (e.g. of the recent AES which will be our running example) against these attacks, a number of innovative countermeasures have been proposed, usually based on the use of space and time redundancies (e.g. error detection/correction techniques, repeated computations). In this paper, we take the next natural step in engineering studies where alternative methods exist, namely, we take a comparative perspective. For this purpose, we use unified security and efficiency metrics to evaluate various recent protections against fault attacks. The comparative study reveals security weaknesses in some of the countermeasures (e.g. intentional malicious fault injection that are unrealistically modelled). The study also demonstrates that, if fair performance evaluations are performed, many countermeasures are not better than the naive solutions, namely duplication or repetition. We finally suggest certain design improvements for some countermeasures, and further discuss security/efficiency tradeoffs.

Concurrent Structure-Independent Fault Detection Schemes for the Advanced Encryption Standard

Abstract: The Advanced Encryption Standard (AES) has been lately accepted as the symmetric cryptography standard for confidential data transmission. However, the natural and malicious injected faults reduce its reliability and may cause confidential information leakage. In this paper, we study concurrent fault detection schemes for reaching a reliable AES architecture. Specifically, we propose low-cost structure-independent fault detection schemes for the AES encryption and decryption. We have obtained new formulations for the fault detection of SubBytes and inverse SubBytes using the relation between the input and the output of the S-box and the inverse S-box. The proposed schemes are independent of the way the S-box and the inverse S-box are constructed. Therefore, they can be used for both the S-boxes and the inverse S-boxes using lookup tables and those utilizing logic gates based on composite fields. Our simulation results show the error coverage of greater than 99 percent for the proposed schemes. Moreover, the proposed and the previously reported fault detection schemes have been implemented on the most recent Xilinx Virtex FPGAs. Their area and delay overheads have been compared and it is shown that the proposed schemes outperform the previously reported ones.

Parity-based concurrent error detection of substitution-permutation network block ciphers

Abstract: Deliberate injection of faults into cryptographic devices is an effective cryptanalysis technique against symmetric and asymmetric encryption algorithms. In this paper we will describe parity code based concurrent error detection (CED) approach against such attacks in substitution-permutation network (SPN) symmetric block ciphers [22]. The basic idea compares a carefully modified parity of the input plain text with that of the output cipher text resulting in a simple CED circuitry. An analysis of the SPN symmetric block ciphers reveals that on one hand, permutation of the round outputs does not alter the parity from its input to its output. On the other hand, exclusive-or with the round key and the non-linear substitution function (s-box) modify the parity from their inputs to their outputs. In order to change the parity of the inputs into the parity of outputs of an SPN encryption, we exclusive-or the parity of the SPN round function output with the parity of the round key. We also add to all s-boxes an additional 1-bit binary function that implements the combined parity of the inputs and outputs to the s-box for all its (input, output) pairs. These two modifications are used only by the CED circuitry and do not impact the SPN encryption or decryption. The proposed CED approach is demonstrated on a 16-input, 16-output SPN symmetric block cipher from [1].