Cryptography Reference
In-Depth Information
Fig. 3.4
Error propagation on
round 16
L
16
)
⊕
P
−
1
i
(Δ
R
16
)
=
S
i
(
E
i
(
L
16
)
⊕
K
16
,
i
)
⊕
S
i
(
E
i
(
K
16
,
i
).
(3.2)
6
for
K
16
,
i
and discards those which are not consistent with respect to (
3.2
). Note that
if we have
For every
i
∈{
1
,...,
8
}
, the attacker then tests all the possible values in
{
0
,
1
}
L
16
)
E
i
(
L
16
)
=
E
i
(
⇔
E
i
(ε)
=
0
,
namely if the error vector
does not affect the bits entering in the
i
th S-box, then the
XOR-difference in (
3.2
) is 0. In that case, every value in
ε
6
for
K
16
,
i
is consistent
with respect to (
3.2
) and no information is inferred about
K
16
,
i
. On the other hand,
if the error affects the bits entering the
i
th S-box, we shall say that the
i
th S-box is
active
, only a few values for
K
16
,
i
(four on average) are consistent with respect to
(
3.2
). This way, the subkey
K
16
,
i
is recovered with a few pairs
{
0
,
1
}
C
)
(
C
,
for which
the
i
th S-box is active.
Depending on the flipped bit, one or several S-boxes may be active. Since every
single input bit of the DES
f
-function enters one or two S-boxes, a single-bit fault in
the right half of the DES internal state activates one or two S-boxes in the following
round (see illustration in Fig.
3.5
). Note that this attack applies whatever the induced
error
, as long as it only affects
R
15
. In that case, the higher the number of flipped bits
(i.e. the higher the Hamming weight of
ε
), the higher the number of active S-boxes
(on average), and the lower the number of pairs
ε
C
)
(
C
,
required to recover the full
round key.
3.3.2 Attack on the 15th Round
Let us now assume that the fault corrupts the value
R
14
at the beginning of the 15th
round such that
R
14
=
R
14
⊕
ε
. The error propagation is represented in Fig.
3.6
.In
that case, we have
L
16
)
⊕
ε.
Δ
R
16
=
f
K
16
(
L
16
)
⊕
f
K
16
(
(3.3)