How to Bound the Risk of Key Exposure in the Presence of Faults

The manifestation of faults at the user interface of a cryptographic module may jeopardize security by enabling an opponent to expose the secret key material.

In order to keep the risk of key exposure below a desired bound epsilon, the use of error detection techniques in fault-tolerant cryptographic modules is necessary but not sufficient. For standard error bounds (2^{-40}, or even lower values), with typical fault rates and fault-tolerant systems with high levels of coverage, the probability of a key exposure may exceed the desired error bound within very short mission times, depending on the number of incorrect cryptographic values necessary to perform the fault attack against a specific cryptographic scheme. This holds even under standard environmental conditions.

In fact, due to the unavoidable occurrence of transient faults or the presence of dormant faults, there will always be a non-zero probability that the system will fail, sooner or later.

Trying to further increase the coverage of fault-tolerant systems is not the most viable solution, since the difficulty of obtaining statistical confidence for extremely low failure rates would raise the costs of cryptographic modules, by requiring a much larger number of hours during the design and assessment phases. Moreover, modules implemented in software typically need to be executed on different hardware or software platforms, and their testing phases may be iterated, depending on the Software Development Life Cycle (SDLC) in use.

Hence, it is of primary importance to choose key lifetimes so that the key material will no longer be used after the effective reliability of the system falls below the level required to guarantee the accepted negligible risk of key exposure.

The following application, based on [1], makes it possible to limit the risk of key exposure to a desired error bound in the presence of faults, by relating the failure rates of a cryptographic module, the failure tolerance of the cryptographic keys and the mission duration for the required reliability goals to the lifetime of keys.

Using this application it is possible to:

  1. Compute the reliable lifetime of keys for any cryptographic scheme implemented in generic cryptographic modules (i.e., an upper-bound to the lifetime of keys);
  2. Select cryptographic infrastructures that can provide the required level of reliability, if specific lifetimes and schemes are desired;
  3. Compute the cryptographic key failure tolerance required to guarantee the desired security margin, if a given cryptographic module is in use;
  4. Estimate the risk of key exposure in the presence of passive fault attacks.

The user is referred to [1] for more details.
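
The relation among the four quantities listed above can be sketched in Python as an added example; it is not the application's code and not the model from [1]. It assumes undetected erroneous outputs arrive as a Poisson process at a constant rate (fault rate times one minus coverage) and that a key with failure tolerance m is exposed once more than m such outputs occur; the function names and sample rates are constructed.

```python
import math

def exposure_risk(rate, hours, m):
    """P(more than m undetected erroneous outputs within `hours`).
    Assumption: errors arrive as a Poisson process with constant `rate` per hour."""
    mu, k = rate * hours, m + 1
    if mu <= 0.0:
        return 0.0
    def pmf(i):                      # Poisson pmf, evaluated in log space
        return math.exp(-mu + i * math.log(mu) - math.lgamma(i + 1))
    if mu > k:                       # tail is large: 1 - CDF is accurate
        return 1.0 - sum(pmf(i) for i in range(k))
    term, total, i = pmf(k), 0.0, k  # tail is tiny: sum it directly
    while term > total * 1e-17:      # avoids cancellation near 2^-40
        total += term
        i += 1
        term *= mu / i
    return total

def reliable_lifetime(rate, m, eps):
    """Longest key lifetime (hours) that keeps the exposure risk <= eps."""
    lo, hi = 0.0, 1.0 / rate
    while exposure_risk(rate, hi, m) <= eps:   # bracket the crossing point
        hi *= 2.0
    for _ in range(200):                       # bisection; risk grows with time
        mid = (lo + hi) / 2.0
        if exposure_risk(rate, mid, m) <= eps:
            lo = mid
        else:
            hi = mid
    return lo

def required_tolerance(rate, hours, eps):
    """Smallest failure tolerance m that keeps the risk <= eps over `hours`."""
    m = 0
    while exposure_risk(rate, hours, m) > eps:
        m += 1
    return m

def required_rate(hours, m, eps):
    """Largest undetected-failure rate (per hour) that keeps the risk <= eps."""
    return reliable_lifetime(1.0, m, eps) / hours  # risk depends on rate*hours

if __name__ == "__main__":
    EPS = 2.0 ** -40
    RATE = 1e-6 * (1 - 0.999)   # constructed: 1e-6 faults/h, 99.9% coverage
    for m in (0, 1, 2, 4):
        print(f"m={m}: lifetime = {reliable_lifetime(RATE, m, EPS):.6g} h")
```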


1. Choose the quantity to compute

Cryptographic Key Reliable Lifetime (CKRL)
Required Cryptographic Key Failure Tolerance (CKFT)
Risk of Key Exposure
Required Failure Rate





© 2005  Alfonso De Gregorio - v 1.0 - June 30 2005 Contact: adg (at) crypto (dot) lo (dot) gy

Bibliography

[1] Alfonso De Gregorio: Cryptographic Key Reliable Lifetimes: Bounding the Risk of Key Exposure in the Presence of Faults, in Proceedings of Fault Diagnosis and Tolerance in Cryptography (FDTC) 2006, Breveglieri L., Koren I., Naccache D., Seifert J.-P. (Eds.), LNCS vol. 4236, pp. 144-158, Springer Verlag.
A preliminary version of this paper is available online.