You are looking at a specific version 20190902:123243 of this paper.

Paper 2019/959

Table Redundancy Method for Protecting against Differential Fault Analysis in the White-box Cryptography

Seungkwang Lee and Myungchul Kim

Abstract

Differential Fault Analysis (DFA) intentionally injects faults into the encryption process and recovers the secret key from the mathematical relationship between faulty and fault-free ciphertexts. Even white-box cryptographic implementations are still vulnerable to DFA. A common way to defend against DFA is to use some type of redundancy, such as time or hardware redundancy. However, previous software-based redundancy methods can be easily bypassed by white-box attackers, who can access and even modify all resources. In this paper, we propose a secure software redundancy technique named table redundancy that exploits the characteristic of table diversity in white-box cryptography. We show how to apply this table redundancy technique to a white-box AES implementation with a 128-bit key. To prevent significant degradation of performance, the lookup tables that are not under DFA are shared, and table redundancy is applied to the inner rounds under DFA. The outputs of the redundant computations are the SubBytes output multiplied by the MixColumns matrix in the 9th round and encoded by different transformations. The XOR operation combines those redundant intermediate values, and the combined transformation is canceled out in the following shared part of the encryption. Our security analysis shows that the success probability of DFA on our table redundancy is negligible and that a brute-force attack becomes too costly. With three redundant computations, the total table size and the number of lookups are less than double those of a non-protected WB-AES implementation.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Preprint. MINOR revision.
Keywords
Differential fault analysis, white-box cryptography, countermeasure, concurrent error detection, AES.
Contact author(s)
skwang @ etri re kr, mck @ kaist ac kr
History
2021-06-28: last of 12 revisions
2019-08-23: received
Short URL
https://ia.cr/2019/959
License
Creative Commons Attribution
CC BY