Cryptography Reference
In-Depth Information
implemented than when one is not. Indeed, when such a countermeasure is present
the attack becomes a known plaintext attack instead of a chosen plaintext attack.
2.3 Other Fault Attacks on Block Ciphers
2.3.1 Reducing the Number of Rounds
Most block ciphers are iterated cryptosystems, which are families of
cryptographically strong functions that iterate n times a weaker round function.
As the security of the block cipher is an increasing function of the number of
rounds, an obvious attack path is to try to perturb the normal sequencing so as to
reduce the number of rounds. This idea was originally formulated in [15], where
the authors suggest corrupting the appropriate loop variable or conditional jump by
means of a glitch in either the clock or the power supply to the chip. In the
following we describe two concrete experiments which put this idea into
practice.
2.3.1.1 Round Reduction Using Faults on AES
Choukri and Tunstall demonstrated in [89] that reducing the number of rounds of a
block cipher is indeed possible. They used glitches on the power supply as the fault
injection medium, and conducted the attack on a Silvercard (PIC16F877), which
does not contain any sensors to protect against this sort of attack. The AES
implementation used does not contain any countermeasure intended to prevent any
sort of attack. The aim was to show that precise faults can be induced within a chip
and can lead to the desired effect.
After a search among a wide range of combinations of relevant parameters such
as the clock speed, the size of the glitch, the applied voltage and the time position
in the computation of the AES,¹⁴ various configurations proved
successful in inducing a fault that reduced the AES computation to only one round.
The exploitation of such a result is trivial and requires only two pairs of known
plaintexts/ciphertexts. For each S-box an exhaustive search for the key byte value
verifying

$$S(m_1 \oplus k) \oplus S(m_2 \oplus k) = \mathrm{MixColumns}^{-1}(c_1 \oplus c_2),$$

leads to two expected hypotheses for each key byte, leading to an overall exhaustive
search amongst $2^{16}$ keys.
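The per-byte search above, worked through as an added example (not code from the book or from [89]), showing how much key material a one-round output exposes when no round-count check is in place. It assumes the faulted device computes AddRoundKey, SubBytes, ShiftRows, MixColumns, AddRoundKey; the function names and the key and plaintext values are constructed for illustration, and ShiftRows, which the equation leaves implicit, is undone explicitly.

```python
from functools import reduce

def gmul(a, b):  # multiply in GF(2^8) modulo the AES polynomial 0x11B
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return r

def build_sbox():  # S(x) = affine(x^-1), computed rather than pasted as a table
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        s = inv ^ 0x63
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        box.append(s)
    return box
SBOX = build_sbox()

def shift_rows(st, sign=1):  # state index = row + 4*col; sign=-1 is the inverse
    return [st[r + 4 * ((c + sign * r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(st, row):  # circulant matrix given by its first row
    return [reduce(lambda v, j: v ^ gmul(row[(j - r) % 4], st[j + 4 * c]), range(4), 0)
            for c in range(4) for r in range(4)]

def one_round(m, k0, k1):  # assumed model of the faulted, one-round computation
    st = [SBOX[a ^ b] for a, b in zip(m, k0)]
    st = mix_columns(shift_rows(st), (2, 3, 1, 1))
    return [a ^ b for a, b in zip(st, k1)]

def key_byte_candidates(m1, m2, c1, c2):
    # XORing the ciphertexts cancels k1; MixColumns^-1 then inverse ShiftRows
    # leaves S(m1^k) ^ S(m2^k) in the same byte positions as m1, m2 and k.
    d = shift_rows(mix_columns([a ^ b for a, b in zip(c1, c2)], (14, 11, 13, 9)), -1)
    return [[k for k in range(256) if SBOX[m1[i] ^ k] ^ SBOX[m2[i] ^ k] == d[i]]
            for i in range(16)]

# Constructed sample values (not from the paper); M1 and M2 differ in every byte.
K0, K1 = list(range(0x10, 0x20)), [0xA5] * 16
M1, M2 = list(range(16)), [(7 * i + 0x35) & 0xFF for i in range(16)]

if __name__ == "__main__":
    cands = key_byte_candidates(M1, M2, one_round(M1, K0, K1), one_round(M2, K0, K1))
    for i, c in enumerate(cands):
        print(i, hex(K0[i]), [hex(k) for k in c])
```

Each candidate list contains the true key byte k together with k ⊕ m1 ⊕ m2, which swaps the two S-box terms and so satisfies the same equation; this is the source of the two hypotheses per byte.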
¹⁴ The identification of the correct time position was helped by the capture of a power curve
that clearly shows the different rounds.