Paper 2025/1320

Picking up the Fallen Mask: Breaking and Fixing the RS-Mask Countermeasure

Dilara Toprakhisar, KU Leuven
Svetla Nikova, KU Leuven
Ventzislav Nikov, NXP (Belgium)
Abstract

Physical attacks pose a major challenge to the secure implementation of cryptographic algorithms. Although significant progress has been made in countering passive attacks such as side-channel analysis (SCA), protection against fault attacks is still less developed. One reason for this is the broader and more complex nature of fault attacks, which makes it difficult to create standardized fault evaluation methodologies for countermeasures like those used for SCA. This makes it easier to overlook potential vulnerabilities that attackers could exploit. RS-Mask, published at HOST 2020, is such a countermeasure that has been affected by the absence of a systematic analysis method. The fundamental concept behind the countermeasure is to maintain a uniform distribution of variables, regardless of whether they are faulty or correct. This property is particularly effective against Statistical Ineffective Fault Attacks (SIFA), which exploit the dependency between fault propagation and the secret data. In this work, we present several fault scenarios involving single fault injections on the AES implementation protected with RS-Mask, where the fault propagation depends on the secret data. This happens because the random space mapping used in RS-Mask countermeasure retains a dependency on the secret data, as it is derived based on the S-box input. To address this, we propose a new countermeasure based on the core concept of RS-Mask, implementing a single mapping for all S-box inputs, involving an intrinsic duplication. Next, we evaluate the effectiveness of the new countermeasure against fault attacks by comparing the fault detection rate across all possible fault locations and values for every input. Additionally, we examine the output differences between faulty and correct outputs for each input. Our results show that the detection rate is uniform for each input, which ensures security against statistical attacks utilizing both effective and ineffective faults. Moreover, the output differences being uniform for each input ensures security against differential fault attacks.

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Published elsewhere. Minor revision. SAC'25
Keywords
Fault AttacksSIFAAES
Contact author(s)
dilara toprakhisar @ esat kuleuven be
svetla nikova @ esat kuleuven be
venci nikov @ gmail com
History
2025-07-19: approved
2025-07-18: received
See all versions
Short URL
https://ia.cr/2025/1320
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2025/1320,
      author = {Dilara Toprakhisar and Svetla Nikova and Ventzislav Nikov},
      title = {Picking up the Fallen Mask: Breaking and Fixing the {RS}-Mask Countermeasure},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/1320},
      year = {2025},
      url = {https://eprint.iacr.org/2025/1320}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.