Cryptography Reference
In-Depth Information
Table 3.2
Attack results for several simulations
r
Faulty + correct DES
encryptions
No. character-
istics
No. found pairs
No. extracted key
bits
No. simulations
1
100
+
1600
16
9.16
17.46
10000
500
+
8000
16
45.95
41.03
10000
500
+
16000
32
55.43
46.74
10000
1000
+
32000
32
110.92
47.94
10000
1500
+
48000
32
166.46
48.00
10000
10
3
10
4
25
×
+
4
×
8
6.20
17.65
1000
10
4
10
5
1
×
+
1
.
6
×
16
17.67
36.36
1000
5
×
10
4
+
8
×
10
5
16
88.88
45.59
1000
5
×
10
5
+
1
.
6
×
10
7
32
888.11
47.86
1000
1
×
10
6
+
3
.
2
×
10
7
32
1779.18
48.00
1000
35
×
10
6
+
7
×
10
7
14
6.25
34.52
100
1
×
10
7
+
1
.
4
×
10
8
14
13.40
42.42
100
5
×
10
7
+
1
×
10
9
20
67.25
47.30
20
it has the highest probability
p
Ω
ε
. The attacks are also carried out with some subsets
of these 32 characteristics. In that case, each subset is composed of the characteristics
having the highest probabilities among the 32.
Table
3.3
summarizes the simulation results for the improved attack. The used
characteristics are chosen as those having the highest probabilities among all the
r
-round
ε
-characteristics with
ε
∈
E
1-bit
. Therefore, several characteristics are used
ε
ε
for some
's, while no characteristic is used for other
's. Furthermore, the choice of
R
ε,
Ω
0
is made taking care that the most S-boxes possible are active in the first round.
From Table
3.3
, we clearly see that the improved attack requires less faulty DES
encryptions than the original attack. The total number of DES encryptions (faulty
and correct) is also slightly lower.
These results show that about 4
10
8
) DES encryptions
are required for the recovery of the whole round key
K
1
when
L
1
(or
L
2
,
L
3
)is
corrupted. Since a fault injection in
L
r
is equivalent to a fault injection in
R
r
+
1
,
these attacks may be performed by corrupting the right half of DES's internal state
at the beginning of round
r
10
4
10
6
,1
×
(or 1
×
×
+
2. In other words, one can retrieve the first round key
10
4
10
6
,1
10
8
) DES encryptions by attacking the third (or fourth,
in 4
×
(or 1
×
×
or fifth) round.
These attacks may also apply with more general fault models, e.g. where one byte
or one S-box output is randomly corrupted. In [178] it is argued that such attacks
shall only use the
ε
∈
E
1-bit
since they have the
highest probabilities
p
Ω
ε
. Therefore, we expect an increase in the number of DES
encryptions roughly by a factor 1
ε
-characteristics for single-bit errors
p
where
p
is the probability that a single-bit error
occurs. For instance, in a byte error model
p
/
=
8
/
256 (and 1
/
p
=
32), and in an
S-box error model
p
=
4
/
16 (and 1
/
p
=
4).
