These results show that one should at least protect the last six rounds of DES
against DFA. To resist a powerful adversary (precise fault model, high number of
correct-faulty ciphertext pairs), it seems prudent to protect the last eight rounds.
3.4.4 Extension to Early Rounds Based on a Decryption Oracle
If an attacker has access to a decryption oracle, then the attacks presented so far can be employed to exploit errors occurring in the early rounds of the cipher. In fact, the attacker may obtain a faulty ciphertext $C^*$ from a plaintext $P$ by inducing a fault at the end of the first round. The plaintext $P$ can then be viewed as the faulty result of a decryption of $C^*$ for which a fault has been induced at the beginning of the last round. The attacker then asks for the decryption of $C^*$, which provides him with a plaintext $P'$. The pair $(P, P')$ thus constitutes a pair of correct-faulty results of the decryption algorithm with respect to an error induced at the beginning of the last round. This works because DES decryption runs the same round function with the subkeys in reverse order, so the state at the end of encryption round $r$ is, with its two halves exchanged, the state at the end of decryption round $16 - r$. According to this principle, any fault attack on round $r$ of an encryption can be transposed to a fault attack on round $16 - r$ of a decryption. For instance, the attack presented in this section, which exploits faults occurring in rounds $r \geq 9$, can be applied to exploit faults in rounds $r \leq 7$, provided that the attacker has access to a decryption oracle. In that case, the same number of rounds should be protected at the beginning and at the end of the cipher in order to obtain a homogeneous security level.
When no decryption oracle is available, it is still possible to attack the early rounds of DES. This is the subject of the next section.
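The transposition above, as an added example that is not from the book: a toy 16-round Feistel network stands in for DES (same round structure and reversed-subkey decryption, but no initial/final permutation, and a made-up round function F and key schedule, all assumed here). A fault is XORed into the state at the end of encryption round r, the faulty ciphertext is handed to a decryption oracle, and the returned P' is compared with the faulty decryption of the correct ciphertext in which the same error is injected at the end of decryption round 16 - r.

```python
# Added example (not the book's code): toy Feistel stand-in for DES showing
# that a fault at the end of encryption round r, followed by a decryption-oracle
# query, gives the same (P, P') pair as a fault at the end of decryption round
# 16 - r.  Round function F and key schedule are assumptions, not DES's.

MASK32 = 0xFFFFFFFF
ROUNDS = 16


def rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def swap_halves(block):
    """Exchange the 32-bit halves of a 64-bit value (L||R -> R||L)."""
    return ((block & MASK32) << 32) | (block >> 32)


def round_keys(key):
    """Toy key schedule (assumption): 16 subkeys from rotated key halves."""
    kl, kr = key >> 32, key & MASK32
    subkeys = []
    for i in range(ROUNDS):
        kl, kr = rotl32(kl, 3), rotl32(kr, 5)
        subkeys.append((kl ^ kr ^ (0x9E3779B9 * (i + 1))) & MASK32)
    return subkeys


def F(r, k):
    """Toy round function (assumption): multiply/rotate mixing, not DES S-boxes."""
    x = (r ^ k) & MASK32
    x = (x * 0x85EBCA6B) & MASK32
    x ^= rotl32(x, 13)
    x = (x * 0xC2B2AE35) & MASK32
    return x ^ (x >> 16)


def feistel(block, subkeys, fault_after=None, fault_mask=0):
    """Run the 16 Feistel rounds with the subkeys in the given order.

    Encryption uses subkeys[0..15]; decryption is the same loop with the
    subkeys reversed, as in DES.  If fault_after == r, fault_mask (a 64-bit
    XOR mask on L_r||R_r) is applied to the state at the end of round r.
    Returns the output block and the list of (L_i, R_i) states.
    """
    L, R = block >> 32, block & MASK32
    states = [(L, R)]
    for i, k in enumerate(subkeys, start=1):
        L, R = R, L ^ F(R, k)
        if i == fault_after:
            L ^= fault_mask >> 32
            R ^= fault_mask & MASK32
        states.append((L, R))
    return (R << 32) | L, states          # undo the final swap, as in DES


def transpose_fault(key, P, r, delta):
    """Compare the two ways of obtaining P' for a fault delta on L_r||R_r.

    Returns (P' from the decryption oracle on the faulty ciphertext C*,
             P' from decrypting the correct C with delta injected at the end
             of decryption round 16 - r).  The halves of delta are swapped
    because decryption sees that state as R_r||L_r.
    """
    assert 1 <= r <= ROUNDS - 1, "fault on the ciphertext itself is out of scope"
    ks = round_keys(key)
    C, _ = feistel(P, ks)
    C_star, _ = feistel(P, ks, fault_after=r, fault_mask=delta)
    P_prime, _ = feistel(C_star, ks[::-1])                       # oracle query
    P_prime_dec, _ = feistel(C, ks[::-1], fault_after=ROUNDS - r,
                             fault_mask=swap_halves(delta))
    return P_prime, P_prime_dec


if __name__ == "__main__":
    key, P = 0x0123456789ABCDEF, 0x4E6F772069732074        # constructed inputs
    for r in (1, 3, 8):
        a, b = transpose_fault(key, P, r, 0x40)             # one-bit fault on R_r
        print(f"round {r:2d}: oracle P' = {a:016x}  "
              f"decryption-fault P' = {b:016x}  {'same' if a == b else 'DIFFERENT'}")
```

Two consequences worth checking against the output: the two plaintexts agree for every r from 1 to 15, and for r = 1 a fault delta on R_1 gives P' = P XOR (delta << 32), since R_1 = L_0 XOR F(R_0, k_1) and L_1 = R_0, so corrupting R_1 is the same as changing L_0. In real DES the initial permutation sits in front of the rounds, so that plaintext difference appears permuted by IP^{-1}.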
3.5 Attack on Early Rounds Based on Internal Collisions
In the previous section, we presented a DFA technique able to exploit faults occurring
in the middle rounds of DES. We now present an attack against early rounds of DES
that was introduced by Hemme in [178].
3.5.1 Notations and Definitions
In the following we shall denote by $(P, P')$ a pair of plaintexts, and by $(L_r, R_r)$ and $(L'_r, R'_r)$ the underlying intermediate values of the DES internal state. We shall also denote by $\Delta L_r$ (or $\Delta R_r$) the XOR-difference between $L_r$ and $L'_r$ (or $R_r$ and $R'_r$). Note that this notation differs from the previous sections, where it is used for the XOR-difference between $L_r$ (or $R_r$) and its faulty counterpart $L^*_r$ (or $R^*_r$) for the same plaintext.