Cryptography Reference
3.5.4 Choosing Good Characteristics
In order to maximize the efficiency of the attack described above, it is important to choose the $r$-round $\varepsilon$-characteristics with probabilities as high as possible. It is worth noting that the probability $p_{\Omega_\varepsilon}$ of a characteristic $\Omega_\varepsilon$ is the probability that for a random secret key $K$ and for a random plaintext $P$, the pair $(P, P \oplus \Omega_{\varepsilon,0})$ is a correct pair with respect to $\Omega_\varepsilon$. In the context of a fault attack, the secret key is unknown and the probability that a pair is a correct pair for a given secret key may differ from $p_{\Omega_\varepsilon}$. However, according to [47], such a difference is only slight and $p_{\Omega_\varepsilon}$ is a good approximation of the real probability.
Let $\Omega = (\Omega_0, \Omega_1, \ldots, \Omega_r)$ be an $r$-round characteristic. The probability $p_\Omega$ of $\Omega$ satisfies

$$p_\Omega = \prod_{i=1}^{r} p_\Omega^{(i)},$$

where $p_\Omega^{(i)} = \Pr[(\Delta L_i, \Delta R_i) = \Omega_i \mid (\Delta L_{i-1}, \Delta R_{i-1}) = \Omega_{i-1}]$ is the probability that $\Omega$ propagates well through the $i$th round. The probabilities $p_\Omega^{(i)}$ can be in turn expressed as products of probabilities $p_\Omega^{(i)} = \prod_{j=1}^{8} p_\Omega^{(i,j)}$, where $p_\Omega^{(i,j)}$ is the probability that $\Omega$ propagates well through the $j$th S-box in the $i$th round, which satisfies:

$$p_\Omega^{(i,j)} = \Pr\left[ S_j(X) \oplus S_j\left(X \oplus E_j(\Omega^R_{i-1})\right) = P_j^{-1}\left(\Omega^L_{i-1} \oplus \Omega^R_i\right) \right],$$

where $X$ is a uniform random variable over $\{0,1\}^6$. This probability is given by the XOR-difference distribution table of $S_j$ for the input differential $E_j(\Omega^R_{i-1})$ and the output differential $P_j^{-1}(\Omega^L_{i-1} \oplus \Omega^R_i)$ (see [47]).
Based on these equations, one can easily compute the probability of a characteristic. It is even possible to calculate the $r$-round $\varepsilon$-characteristics that have the highest probabilities given $r$ and $\varepsilon$ using the search algorithm of Matsui [275]. The results of such a search are given in [178] for 1-, 2- and 3-round $\varepsilon$-characteristics for the set $\mathcal{E}_{\text{1-bit}}$ of error vectors whose Hamming weights equal 1 (i.e. corresponding to a single-bit fault model).
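The per-S-box probability described above can be read directly off an XOR-difference distribution table. The following is an added example, not code from the book: it builds that table for the DES S-box S1 only and looks up propagation probabilities, including the most likely output differential for each weight-1 input differential. The function names are this example's own, and the other seven S-boxes would be handled the same way before taking the product.

```python
from fractions import Fraction

# DES S-box S1 (standard table), 4 rows x 16 columns.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox(table, x):
    """Apply a DES S-box: outer two bits select the row, inner four the column."""
    row = ((x >> 4) & 2) | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]

def ddt(table):
    """counts[din][dout] = number of X in {0,1}^6 with S(X) ^ S(X ^ din) == dout."""
    counts = [[0] * 16 for _ in range(64)]
    for din in range(64):
        for x in range(64):
            counts[din][sbox(table, x) ^ sbox(table, x ^ din)] += 1
    return counts

DDT_S1 = ddt(S1)

def sbox_prob(din, dout, table=DDT_S1):
    """Probability, for uniform X, that input differential din yields dout.

    din plays the role of the expanded input differential and dout that of
    the output differential taken before the permutation P.
    """
    return Fraction(table[din][dout], 64)

def best_single_bit_outputs(table=DDT_S1):
    """Most likely output differential for each weight-1 input differential."""
    best = {}
    for bit in range(6):
        din = 1 << bit
        dout = max(range(16), key=lambda d: table[din][d])
        best[din] = (dout, Fraction(table[din][dout], 64))
    return best

if __name__ == "__main__":
    for din, (dout, p) in best_single_bit_outputs().items():
        print(f"din={din:06b} -> dout={dout:04b}  p={p}")
```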
3.5.5 Attack Results
The results of several attack simulations are reported in [178], where the attacker is assumed to be able to induce a single-bit fault at a random position in $L_r$ (or equivalently $R_{r+1}$). Table 3.2 summarizes these results, which are given in terms of the average number of found pairs (right and possibly wrong) and the average number of extracted key bits for different numbers of characteristics and faulty/correct DES encryptions. For a given $\varepsilon \in \mathcal{E}_{\text{1-bit}}$, the $r$-round $\varepsilon$-characteristic $\Omega_\varepsilon$ is chosen such that