Cryptography Reference
In-Depth Information
Fig. 3.4
Error propagation on
round 16
L 16 )
P 1
i
R 16 ) =
S i (
E i (
L 16 )
K 16 , i )
S i (
E i (
K 16 , i ).
(3.2)
6
for K 16 , i and discards those which are not consistent with respect to ( 3.2 ). Note that
if we have
For every i
∈{
1
,...,
8
}
, the attacker then tests all the possible values in
{
0
,
1
}
L 16 )
E i (
L 16 ) =
E i (
E i (ε) =
0
,
namely if the error vector
does not affect the bits entering in the i th S-box, then the
XOR-difference in ( 3.2 ) is 0. In that case, every value in
ε
6 for K 16 , i is consistent
with respect to ( 3.2 ) and no information is inferred about K 16 , i . On the other hand,
if the error affects the bits entering the i th S-box, we shall say that the i th S-box is
active , only a few values for K 16 , i (four on average) are consistent with respect to
( 3.2 ). This way, the subkey K 16 , i is recovered with a few pairs
{
0
,
1
}
C )
(
C
,
for which
the i th S-box is active.
Depending on the flipped bit, one or several S-boxes may be active. Since every
single input bit of the DES f -function enters one or two S-boxes, a single-bit fault in
the right half of the DES internal state activates one or two S-boxes in the following
round (see illustration in Fig. 3.5 ). Note that this attack applies whatever the induced
error
, as long as it only affects R 15 . In that case, the higher the number of flipped bits
(i.e. the higher the Hamming weight of
ε
), the higher the number of active S-boxes
(on average), and the lower the number of pairs
ε
C )
(
C
,
required to recover the full
round key.
3.3.2 Attack on the 15th Round
Let us now assume that the fault corrupts the value R 14 at the beginning of the 15th
round such that R 14 =
R 14 ε
. The error propagation is represented in Fig. 3.6 .In
that case, we have
L 16 ) ε.
Δ
R 16 =
f K 16 (
L 16 )
f K 16 (
(3.3)
Search WWH ::




Custom Search