Cryptography Reference
In-Depth Information
R
0
)
⊕
P
−
1
i
L
ε,
R
ε,
S
i
(
E
i
(
R
0
)
⊕
k
)
⊕
S
i
(
E
i
(
k
)
=
(Ω
0
⊕
Ω
1
).
(3.10)
If the previous equation holds, then
c
(
k
)
is incremented. Note that if
S
i
is not active
R
0
)
(i.e.
E
i
(
), all the counters are incremented and no information about
K
1
,
i
is inferred (one may equivalently decide to increment no counter when
S
i
is not
active). Therefore, a correct pair is useful for discriminating
K
1
,
i
only if
S
i
is active,
which occurs if and only if
E
i
(Ω
R
0
)
=
E
i
(
R
ε,
0
)
=
0. Consequently, the
ε
-characteristics must
R
ε,
R
ε,
be chosen such that
Ω
is not zero, and, more generally,
Ω
should activate the
0
0
most S-boxes possible.
Let us now assume that
S
i
is active in the first round. If
P
)
is a correct pair,
then a few counters are incremented (four on average) among which one corresponds
to the value of
K
1
,
i
.If
(
P
,
P
)
is a wrong pair, then a few counters are incremented
that correspond to random guesses. Therefore, the correct guess is counted more
frequently on average. The maximal counter is hence expected to be for
k
(
P
,
K
1
,
i
once enough pairs have been analyzed. Assuming that the error probability
p
err
is
negligible compared to the success probability
p
suc
, the number of correct-faulty
DES encryptions required to get an important success rate in recovering
K
1
depends
on the number of correct pairs, i.e. on the success probability
p
suc
. The next section
presents a way to increase this probability.
=
3.5.3 Attack Improvement
A possible improvement of the attack is to use several
r
-round
ε
-characteristics per
error vector
-characteristics.
Given a ciphertext
C
obtained from the faulty encryption of a plaintext
P
,the
attacker tries to encrypt
P
ε
∈
E
. For every
ε
,let
C
ε
denote a set of several
r
-round
ε
=
P
⊕
Ω
ε,
0
for every
Ω
ε
∈
C
ε
, for every
ε
∈
E
.The
resulting probability of getting a correct pair becomes
p
suc
=
Pr
[
ε
=
ε
]
p
Ω
ε
,
ε
∈
E
Ω
ε
∈
C
ε
which is clearly higher than in the original attack. However, the higher the number of
characteristics per
, the higher the number of correct DES encryptions that are
required per faulty encryption. It thus appears that, for any given attack success rate,
there is a trade-off between the number of faulty DES encryptions and the number
of correct DES encryptions (cf. experiments in Sect.
3.5.5
).
ε
∈
E