Cryptography Reference
In-Depth Information
$P^{-1}_i(Y) = S_i(E_i(X) \oplus K_{r,i})$, for $i \in \{1, \dots, 8\}$.
3.3 Basic Attack
Differential Fault Analysis exploits errors occurring during the encryption of several
plaintexts under the same secret key to recover the latter. The attacker is assumed
to observe several pairs of ciphertexts $(C, \tilde{C})$, each corresponding to a plaintext $P$
which is correctly encrypted (yielding $C$) and erroneously encrypted (yielding $\tilde{C}$).
DFA exploits the difference between $C$ and $\tilde{C}$ in order to infer information on the
secret key.
The original attack described by Biham and Shamir in [49] assumes that one bit
of the right half of the DES internal state is flipped at a random position during some
round in the faulty encryption. We detail hereafter this attack when the fault occurs
at the beginning of either the 16th or the 15th round.
Notation: In the following, $\tilde{L}_r$ and $\tilde{R}_r$ will respectively denote the corrupted value of
the left part $L_r$ and the right part $R_r$ at the end of the $r$th round and
$\tilde{C} = (\tilde{L}_{16}, \tilde{R}_{16})$ will denote the faulty ciphertext. We shall further denote by
$\varepsilon \in \{0,1\}^{32}$ the induced error. For instance, if the error is induced in the right part
of the DES internal state at the end of the $r$th round, we have $\tilde{R}_r = R_r \oplus \varepsilon$.
Eventually, $(\Delta L_r, \Delta R_r)$ shall denote the XOR-difference between the correct and faulty
DES internal states at the end of the $r$th round and $\Delta f_r$ shall denote the XOR-difference
between the correct and faulty outputs of the $f$-function at round $r$.
3.3.1 Attack on the 16th Round
Let us assume that some bit of $R_{15}$ is flipped at the beginning of the 16th round,
which yields $\tilde{R}_{15} = R_{15} \oplus \varepsilon$. The error propagation is represented in Fig. 3.4. Then,
the XOR-difference between $R_{16}$ and $\tilde{R}_{16}$ satisfies

$$\Delta R_{16} = f_{K_{16}}(L_{16}) \oplus f_{K_{16}}(\tilde{L}_{16}). \qquad (3.1)$$

This equation is used by the attacker to find the value of the last round key $K_{16}$. With
a few pairs $(C, \tilde{C})$, it can be uniquely determined.
Let us now explain how to solve such an equation. As illustrated in Fig. 3.3, the
structure of the $f$-function implies that (3.1) holds for every S-box independently.
More precisely, every six-bit coordinate $K_{16,i}$ of the round key enters a separate
S-box and satisfies
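The per-S-box reading of (3.1) can be seen in a small simulation, added here as an illustration and not taken from the book: for one S-box, every six-bit key guess is kept only if it reproduces the observed output difference, and the candidate sets of several pairs are intersected. It assumes the standard DES S-box S1, takes `e` and `e_faulty` to stand for $E_1(L_{16})$ and $E_1(\tilde{L}_{16})$ and `delta_out` for the four bits of $P^{-1}(\Delta R_{16})$ belonging to S1; `SECRET`, `PAIRS` and all function names are constructed for the demo.

```python
# Added illustration: candidate filtering for one six-bit piece of K16,
# using DES S-box S1 and simulated (constructed) S-box inputs.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox1(x):
    """Apply S1 to a 6-bit value: outer bits pick the row, middle four the column."""
    row = ((x >> 4) & 0b10) | (x & 1)
    col = (x >> 1) & 0xF
    return S1[row][col]

def candidates(e, e_faulty, delta_out):
    """Six-bit keys k with S1(e ^ k) ^ S1(e_faulty ^ k) == delta_out."""
    return {k for k in range(64)
            if sbox1(e ^ k) ^ sbox1(e_faulty ^ k) == delta_out}

def recover(observations):
    """Intersect the candidate sets of several (e, e_faulty, delta_out) triples."""
    keys = set(range(64))
    for e, e_faulty, delta_out in observations:
        keys &= candidates(e, e_faulty, delta_out)
    return keys

def simulate(secret, pairs):
    """Constructed data: the output differences a known subkey would produce."""
    return [(e, ef, sbox1(e ^ secret) ^ sbox1(ef ^ secret)) for e, ef in pairs]

SECRET = 0b101101  # hypothetical subkey, used only to build the sample data
PAIRS = [(0b000111, 0b000101), (0b110010, 0b010010), (0b011001, 0b011101),
         (0b100100, 0b100000), (0b001010, 0b001011), (0b111000, 0b101000)]
OBS = simulate(SECRET, PAIRS)

if __name__ == "__main__":
    # Show how the surviving candidates shrink as pairs are added.
    for n in range(1, len(OBS) + 1):
        print(n, "pair(s):", sorted(recover(OBS[:n])))
```

A single pair can never isolate the key: if `k` satisfies the equation, so does `k ^ e ^ e_faulty`, which is why pairs with different input differences are needed.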