[Fig. 4.6 (figure not reproduced): propagation of the differential through MC of round $r-2$, $K_{r-2}$, SB, SR and MC of round $r-1$.]
Fig. 4.6 Propagation of the differential by assuming a random byte fault at the input of MixColumns of round $r-2$
injected into the second column, then $C$ will differ from $C'$ in bytes at positions 1, 4, 11 and 14. Similarly for the next two columns. For the sake of simplicity, we assume that the fault implies a difference between $C$ and $C'$ on the four bytes at positions $i$, $j$, $k$, $l$ (one per row). The attacker then considers the four key bytes $K_i$, $K_j$, $K_k$, $K_l$ of the last round key, and for each of the $2^{32}$ candidates he computes
$$\begin{aligned}
\Delta_i &= SB^{-1}(C_i \oplus K_i) \oplus SB^{-1}(C'_i \oplus K_i), \\
\Delta_j &= SB^{-1}(C_j \oplus K_j) \oplus SB^{-1}(C'_j \oplus K_j), \\
\Delta_k &= SB^{-1}(C_k \oplus K_k) \oplus SB^{-1}(C'_k \oplus K_k), \\
\Delta_l &= SB^{-1}(C_l \oplus K_l) \oplus SB^{-1}(C'_l \oplus K_l).
\end{aligned} \qquad (4.1)$$
The four-byte result $(\Delta_i, \Delta_j, \Delta_k, \Delta_l)$ is then compared with the 1,020 elements contained in the list $D$. The candidates $(K_i, K_j, K_k, K_l)$ for which a match is found are gathered in a list $L$. With one pair $(C, C')$, the list $L$ contains 1,036 elements on average. By using another pair $(C, C')$ with a fault injected into the same column, the corresponding four bytes of the last round key are uniquely determined with a 98 % probability. Therefore the last round key can be recovered by using eight faulty ciphertexts with faults induced at chosen locations.
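The filtering step described above, as an added example that is not part of the original chapter and not Piret and Quisquater's own code: a Python model that builds the list $D$, evaluates equation (4.1) and intersects the candidate lists $L$ of two pairs. It models only the last round (SubBytes, ShiftRows, AddRoundKey) together with the MixColumns output difference of round $r-1$; there is no full AES here, the "fault" is a constructed difference taken from $D$ and placed on the four modelled bytes, and the key and state bytes come from a seeded generator. It goes slightly beyond the text in one respect: because each line of (4.1) involves a single key byte, the key bytes are filtered row by row and recombined per element of $D$ instead of walking all $2^{32}$ guesses; the resulting list $L$ is the same. Function names such as `candidate_list` and `recover_column` are this example's own.

```python
# Added example (not from the original text): a self-contained model of the
# Piret-Quisquater filtering step for one column of the last AES round key.
# Only the last round (SubBytes, ShiftRows, AddRoundKey) and the MixColumns
# output difference of round r-1 are modelled; there is no full AES here and
# the "fault" is simply a difference from D injected into the modelled state.
import random
from itertools import product

def xtime(a):
    """Multiply by x in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) if a & 0x100 else a

def gmul(a, b):
    """GF(2^8) multiplication by repeated xtime."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = xtime(a)
        b >>= 1
    return r

def _build_sbox():
    """AES S-box: multiplicative inverse in GF(2^8) followed by the affine map."""
    inv = [0] * 256
    for a in range(1, 256):
        if inv[a]:
            continue
        for b in range(1, 256):
            if gmul(a, b) == 1:
                inv[a], inv[b] = b, a
                break
    sbox = []
    for a in range(256):
        x = y = inv[a]
        for _ in range(4):                      # y = x ^ rotl1(x) ^ ... ^ rotl4(x)
            x = ((x << 1) | (x >> 7)) & 0xFF
            y ^= x
        sbox.append(y ^ 0x63)
    return sbox

SBOX = _build_sbox()
INV_SBOX = [0] * 256                            # SB^-1 used by equation (4.1)
for _v, _s in enumerate(SBOX):
    INV_SBOX[_s] = _v

MC = ((2, 3, 1, 1), (1, 2, 3, 1), (1, 1, 2, 3), (3, 1, 1, 2))

def mc_column_diff(row, delta):
    """MixColumns output difference of one column when a single input byte
    at `row` carries the difference `delta` (MixColumns is linear)."""
    return tuple(gmul(MC[r][row], delta) for r in range(4))

def build_list_d():
    """The list D of the text: every column difference a single-byte input
    difference can produce, 4 rows x 255 non-zero values = 1,020 elements."""
    return {mc_column_diff(row, delta) for row in range(4) for delta in range(1, 256)}

def byte_differential(c_byte, faulty_byte, key_byte):
    """One line of equation (4.1): SB^-1(C_i ^ K_i) ^ SB^-1(C'_i ^ K_i)."""
    return INV_SBOX[c_byte ^ key_byte] ^ INV_SBOX[faulty_byte ^ key_byte]

def differential(c, c_faulty, key_guess):
    """Equation (4.1) for a full guess (K_i, K_j, K_k, K_l), one byte per row."""
    return tuple(byte_differential(ci, fi, ki) for ci, fi, ki in zip(c, c_faulty, key_guess))

def candidate_list(c, c_faulty, list_d):
    """The list L: every (K_i, K_j, K_k, K_l) whose differential lies in D.
    Each row of (4.1) depends on one key byte, so the 256 values of each byte
    are bucketed by the differential they give and recombined per d in D."""
    per_row = []
    for r in range(4):
        table = {}
        for k in range(256):
            table.setdefault(byte_differential(c[r], c_faulty[r], k), []).append(k)
        per_row.append(table)
    found = set()
    for d in list_d:
        pools = [per_row[r].get(d[r], ()) for r in range(4)]
        if all(pools):
            found.update(product(*pools))
    return found

def simulate_pair(rng, key, state):
    """Constructed sample pair (C, C') restricted to the four positions i, j, k, l.
    `state` holds the four bytes entering the last SubBytes; a random byte
    fault at the MixColumns input of round r-1 shows up as a difference
    from D on those bytes. ShiftRows only relabels positions, so rows suffice."""
    delta = mc_column_diff(rng.randrange(4), rng.randrange(1, 256))
    c = tuple(SBOX[s] ^ k for s, k in zip(state, key))
    c_faulty = tuple(SBOX[s ^ d] ^ k for s, d, k in zip(state, delta, key))
    return c, c_faulty

def recover_column(seed=1):
    """Run the model on one constructed key: returns the true four key bytes,
    |L| after the first pair, and the candidates surviving a second pair with
    a fault in the same column."""
    rng = random.Random(seed)
    key = tuple(rng.randrange(256) for _ in range(4))
    list_d = build_list_d()
    lists = []
    for _ in range(2):
        state = tuple(rng.randrange(256) for _ in range(4))
        c, c_faulty = simulate_pair(rng, key, state)
        lists.append(candidate_list(c, c_faulty, list_d))
    return key, len(lists[0]), lists[0] & lists[1]

if __name__ == "__main__":
    true_key, first_size, survivors = recover_column()
    print("|D| =", len(build_list_d()))
    print("|L| after one pair =", first_size)
    print("survivors after two pairs =", sorted(survivors), "true key bytes:", true_key)
```

Running it reproduces the figures the text gives: $|D|$ is exactly 1,020, the first pair leaves a list $L$ of roughly a thousand candidates (1,036 on average over many keys), and the second pair with a fault in the same column almost always leaves only the true four bytes. The true key always survives, since for it equation (4.1) returns the injected difference itself. For a designer evaluating an AES implementation, this is the quantitative reason a single correct/faulty ciphertext pair from the last rounds has to be treated as a key compromise and why fault detection or redundant computation must cover those rounds.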
4.2.2.2 Improved Attack
To extend the attack described in Sect. 4.2.2.1, Piret and Quisquater noticed that if a random byte fault is induced between the MixColumns of rounds $r-3$ and $r-2$, the corresponding differential at the input of the MixColumns of round $r-1$ has four non-zero bytes, one per column of the State array (cf. Fig. 4.6) [324]. Each of them can thus be exploited by using the method described in Sect. 4.2.2.1 and releases information about different parts of the last round key. By using such a fault, one pair of correct and faulty ciphertexts allows the attacker to reduce the number of possible values for the last round key to $1036^4 \approx 2^{40}$, from which an exhaustive search to recover a 128-bit AES key can be done. With two pairs of correct and faulty ciphertexts, the last round key is uniquely identified with a 92 % probability.