Cryptography Reference
In-Depth Information
3.4 Generalization and Extension to Middle Rounds
We present in this section a generalization of Differential Fault Analysis on DES that
has been introduced by Rivain in [345]. The proposed attack exploits faults which
occur in the middle rounds of DES and which corrupt possibly more that one bit of
the internal state.
3.4.1 Generalized DFA: Basic Principle
The basic principle of the generalized DFA starts from the following relation, which
holds for every target round and for every error vector
ε
L
16
)
⊕
Δ
Δ
R
16
=
f
K
16
(
L
16
)
⊕
f
K
16
(
L
15
.
(3.6)
The attack presented in the previous section uses the fact that, when a fault occurs in
one of the last rounds of the cipher, the adversary knows
Δ
L
15
or a few candidates for
it. For instance,
for the attacks on the 16th and 15th rounds
respectively. Therefore (
3.6
) yields one or a few equations per subkey
K
16
,
i
, which
enables an efficient recovery of the whole
K
16
. However, an attacker may not be able
to retrieve
Δ
L
15
=
0 and
Δ
L
15
=
ε
L
15
when the fault occurs in a previous round and/or when it corrupts
several bits of the DES internal state. In those situations, the attack presented in the
previous section does not apply anymore.
In fact, one does not necessarily need to recover
Δ
L
15
to mount an attack. The most
elementary requirement is that the statistical distribution of
Δ
L
15
be significantly
biased. This distribution actually depends on two main factors: the average number
of bits that are flipped by the fault injection and the number of times the
f
-function
is crossed from the fault location to
L
15
. For instance, if an error
Δ
is induced in
the left half of the DES internal state at the end of the 13th round, then we have
Δ
ε
L
15
=
Δ
L
13
=
ε
. If the error only corrupts a few bits (i.e.
ε
has a small Hamming
weight), then the distribution of
L
15
is strongly biased from the uniformity. More
generally, a fault injection in the left half of the DES internal state skips one round
before propagating through the function
f
. Besides, the error propagation path from
L
r
to
L
15
passes through the function
f
only once for
r
Δ
11
and so on (see Fig.
3.7
). This is quite low considering the slow diffusion of the DES
f
-function. As a result, a fault induced in
L
r
may produce a differential
=
12, twice for
r
=
L
15
with a
distribution that is significantly biased. This bias enables the construction of wrong
key distinguishers.
Δ
