18.5.1 Differential Fault Analysis Attack Against AES
In this section, we describe an implementation of the well-known fault attack against
AES proposed by Piret and Quisquater [324], which uses a random fault model. An
attacker can recover a 128-bit key using one pair of correct and faulty ciphertexts
with a brute-force search when a one-byte random error occurs in the intermediate
state of the output of round 7.
The experimental results of the fault injection in Sect. 18.4.1.1 (Fig. 18.5) show
that we can inject a one-byte error into part of the intermediate state with a success
rate of almost 100 % when T_g is set appropriately. We therefore assume that we can inject
a one-byte fault into the intermediate state at the end of round 7 with the same glitch
characteristics. We attempted to retrieve the secret key using Piret and Quisquater's
attack with one pair of correct and faulty ciphertexts. If the faults are injected into
the intermediate state appropriately, the secret key can be retrieved by a brute-force
search over an expected 2^32 candidate keys. The details of the key retrieval attempt
are given below.
1. We execute a normal encryption using a randomly selected plaintext and record the
correct ciphertext.
2. We generate a clock glitch in the last round (round 10) with the plaintext selected
above. Then we maximize T_g within the region in which the fault is injected into the
ciphertext by controlling the phase difference of the two clock sources. This causes
corruption of one byte in the ciphertext. We note the position of the erroneous byte,
which can easily be obtained from the faulty ciphertext.
3. We change the glitch position to round 7 while maintaining T_g as set above.[2] This
can easily be done by changing the trigger delay of the oscilloscope. We record
the faulty ciphertext.
4. We reduce the key candidate space using Piret and Quisquater's attack with the one
pair of correct and faulty ciphertexts recorded above. Subsequently, we execute
a brute-force search on the reduced key space. These attacks were implemented
in C code and executed on a Core2 Duo 3.0 GHz PC.
We succeeded in retrieving the key set in the LSI from all AES modules (the
retrieved key is the same as the key set in the LSI). The results agree fairly well with
the theoretical result that the average reduced key candidate space is 2^32, and show,
with high probability, that in a practical application the one-byte error position is
the same regardless of the round in which the clock glitch is generated, as long as we
maintain the same T_g.
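The following fault-propagation model is an added illustration, not the chapter's own code: a pure-Python AES-128 (FIPS-197) with a hook that XORs a one-byte fault into the state at the output of a chosen round and reports which ciphertext bytes differ. It shows why a glitch in the last rounds (output of round 9, or round 10 itself) corrupts a single ciphertext byte whose position reveals the fault location, and why a fault at the output of round 7 reaches all 16 bytes; it models propagation only, not key recovery. The fault position, fault value and the FIPS-197 test vector are constructed inputs.

```python
# Added example: AES-128 with a one-byte fault hook at a chosen round output.
# State index = 4*column + row (FIPS-197 layout); propagation model only.
def xtime(a):                          # multiply by x in GF(2^8), poly 0x11B
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
def gmul(a, b):                        # GF(2^8) multiplication
    r = 0
    while b:
        r, a, b = r ^ (a if b & 1 else 0), xtime(a), b >> 1
    return r
def _sbox(x):                          # x^254 = x^-1 (0 -> 0), then the affine map
    inv, s = 1, 0x63
    for _ in range(254):
        inv = gmul(inv, x)
    for i in range(5):
        s ^= (inv << i | inv >> (8 - i)) & 0xFF
    return s
SBOX = [_sbox(x) for x in range(256)]

def expand_key(key):                   # 11 round keys of 16 bytes, column-major
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]
def mix_columns(s):
    return [gmul(s[4*c + r], 2) ^ gmul(s[4*c + (r+1) % 4], 3)
            ^ s[4*c + (r+2) % 4] ^ s[4*c + (r+3) % 4]
            for c in range(4) for r in range(4)]

def encrypt(key, pt, fault_round=None, fault_pos=0, fault_val=0x01):
    rk = expand_key(key)
    s = [p ^ k for p, k in zip(pt, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                            # SubBytes
        s = [s[((c + r) % 4) * 4 + r] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd < 10:
            s = mix_columns(s)                                              # MixColumns
        s = [b ^ k for b, k in zip(s, rk[rnd])]                             # AddRoundKey
        if rnd == fault_round:
            s[fault_pos] ^= fault_val     # constructed one-byte fault at this round's output
    return bytes(s)
def corrupted_positions(key, pt, fault_round, fault_pos=5):
    good, bad = encrypt(key, pt), encrypt(key, pt, fault_round, fault_pos)
    return [i for i in range(16) if good[i] != bad[i]]   # ciphertext bytes the fault reached

if __name__ == "__main__":             # constructed input: the FIPS-197 C.1 vector
    key, pt = bytes(range(16)), bytes.fromhex("00112233445566778899aabbccddeeff")
    print({r: corrupted_positions(key, pt, r) for r in (7, 8, 9, 10)})
```

A round-8 output fault reaches exactly four ciphertext bytes (one MixColumns column, spread by the final ShiftRows), which is why the chapter needs the fault one round earlier for a single pair to constrain all 16 key bytes.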
[2] In the case of the AES_SSS1 module, we change the glitch position to round 8 to inject the fault
into the output of round 8 because of the characteristics of the implementation with the side-channel
countermeasure.