Cryptography Reference
In-Depth Information
Chapter 4
Differential Fault Analysis of the Advanced
Encryption Standard
Christophe Giraud
Abstract
In October 2000, Rijndael was selected as the Advanced Encryption Stan-
dard (AES). Since then, this cryptosystem has been widely used to ensure the confi-
dentiality of information stored in embedded devices. Therefore, over the last decade
many researchers have studied this algorithm, leading to the publication of many Dif-
ferential Fault Analyses (DFAs) on the AES. In this chapter, we present the state of
the art of DFA of the AES. After describing the AES, we present in detail three of
the most efficient DFAs on this cryptosystem. These attacks have different charac-
teristics, allowing an attacker to recover the secret key from one faulty ciphertext or
if faults have been induced in the middle rounds of the AES. We then present a table
summarizing the characteristics of each and every DFA on the AES published so
far. Finally, we present the main countermeasures proposed to counter fault injection
attacks on the AES.
4.1 Introduction
Due to the very short DES key size to the increasing computational power of com-
puters, NIST launched in September 1997 a call to find candidates for a successor to
DES [310]. This algorithm, called the Advanced Encryption Standard (AES), had to
be able to encrypt 128-bit blocks and be available in three different key sizes: 128,
192 and 256 bits. From amongst the fifteen submissions, five finalist algorithms were
selected in August 1999: MARS [76], RC6 [348], Rijndael [112], Serpent [13] and
Twofish [363]. In October 2000, the algorithm Rijndael proposed by Daemen and
Rijmen was chosen to be the DES successor [209].
One of the particularities of the AES [142] is representing the intermediate cipher
result, called the State, as a two-dimensional byte array with four rows and four
