Cryptography Reference
In-Depth Information
(typically considered to be zero), whatever the input values. 1 When produced at
the very beginning of the algorithm a fault will typically corrupt an intermediate
value that only depends on one bit or one byte of the input. As the remainder of the
intermediate value is not modified, the attacker just has to change that precise bit
or byte until a collision with the corrupted value occurs. All other intermediate data
being uncorrupted, this local collision propagates to the ciphertexts.
2.2.1.2 Ineffective Fault Analysis
As described above, a CFA attack consists of searching for a plaintext whose
corresponding ciphertext collides with some corrupted ciphertext. IFA is slightly different,
and applies where an attacker tries to find an input M with the property that when a
fault is induced on some precise operation during the encryption process, the
intermediate data targeted by the fault is not corrupted, resulting in an identical ciphertext.
This kind of analysis gains information from faults which do not locally modify
the intermediate result, so-called ineffective faults from which the analysis name is
derived.
While usually relying on the same kind of fault model, CFA and IFA differ in many
respects. While CFA recovers some piece of information about the key with only one
fault, IFA needs to compare pairs of ciphertexts
$(C = E(M),\ \tilde{C} = \tilde{E}(M))$ until $\tilde{C} = C$,
so many faults 2 are required before an ineffective one is obtained. On the
other hand, the higher complexity of IFA in terms of the number of required fault
injections is compensated for by the property that the operation targeted by IFA does
not need to occur near the beginning of the algorithm. Since the attacker compares
pairs of executions with the same input, any operation during the encryption process
can be targeted to identify an ineffective fault. In light of the fact that a fault appears
to be ineffective if and only if the natural 3 result of the targeted operation is zero,
under the previously described fault model, it is clear that IFA can be considered as a
kind of probing tool. Indeed, for any given plaintext it is possible to decide whether
the result of any arbitrary targeted operation 4 is zero or not.
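The pair comparison and the zero-probing property described above can be checked on a toy model. This is an added example, not code from the original text; the 8-bit table, the two-byte key and all function names are constructed for illustration, and the fault is modelled as forcing the targeted byte to zero.

```python
import random

# Constructed toy model (not a real cipher): a bijective 8-bit table stands in
# for the S-box, and the key is two bytes.
SBOX = [(7 * x + 3) % 256 for x in range(256)]

def encrypt(m, key, fault=False):
    """Return the ciphertext byte; fault=True sticks the targeted result at zero."""
    v = SBOX[m ^ key[0]]          # targeted operation
    if fault:
        v = 0                     # byte-oriented stuck-at-zero fault model
    return SBOX[v ^ key[1]]       # bijective in v, so any change in v reaches C

def natural_intermediate(m, key):
    """Result of the targeted operation without a fault."""
    return SBOX[m ^ key[0]]

def fault_is_ineffective(m, key):
    """Compare the pair (C, C~) obtained for the same input M."""
    return encrypt(m, key) == encrypt(m, key, fault=True)

def faults_until_ineffective(key, inputs):
    """Count fault injections over `inputs` until one is ineffective."""
    for n, m in enumerate(inputs, start=1):
        if fault_is_ineffective(m, key):
            return n
    return None

def average_faults(chosen, trials=2000, seed=1):
    """Average injections per ineffective fault, for chosen or unchosen inputs."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        key = (rng.randrange(256), rng.randrange(256))
        if chosen:
            inputs = range(256)   # each input value is tried once
        else:
            inputs = iter(lambda: rng.randrange(256), None)  # uncontrolled inputs
        total += faults_until_ineffective(key, inputs)
    return total / trials

if __name__ == "__main__":
    print("chosen inputs:  ", average_faults(True))
    print("unchosen inputs:", average_faults(False))
```

The two averages come out close to the 128 and 256 quoted in footnote 2, and the only observation used is whether the two ciphertexts are equal.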
Another property specific to IFA is that an attacker does not actually require the
value of any faulty ciphertext. The only information that is required is whether the
fault had an effect or not. As a consequence, IFA is not thwarted by the classical
countermeasure against DFA, which consists in checking the computation and
withholding the output if a fault is detected. Indeed, whether a fault is detected or not
1 An exception to this usually adopted fault model for CFA is given by the collision/differential
fault attack from Hemme in the first rounds of DES, described in Sects. 2.2.3 and 3.5. This attack
is applicable even if the fault produces a random modification of an S-box output.
2 For instance, under a byte-oriented fault model, 128 (or 256) faults are required on average per
ineffective fault event when the input of the targeted operation is chosen (or not chosen).
3 I.e. without fault.
4 Provided that this operation is susceptible to the considered faults.