Fig. 4.7 Another view of the last two rounds of the AES (figure labels: $K_{r-2}$, SB, SR, MC, $MC^{-1}(K_{r-1})$, SB, SR, $K_r$, $C$)
4.2.2.3 A Remark on the Complexity
To improve the timings of the exhaustive search amongst the $2^{32}$ candidates $(K_i, K_j, K_k, K_l)$ in (4.1), Piret and Quisquater noticed that the four equations of (4.1) are independent. Therefore they suggest testing the first two key bytes first in order to make a list $\mathcal{L}$ of the candidates which match with the two leftmost bytes of the elements of list $\mathcal{D}$. Once this very fast exhaustive search is done, the attacker tries to extend the value of each element of $\mathcal{L}$ by one byte by testing the second and the third key bytes in the same way, the possible values for the second key byte being taken from $\mathcal{L}$. Then the same method is applied by testing the third and fourth key bytes. Finally we perform the test presented in Sect. 4.2.2.1 by considering the candidates $(K_i, K_j, K_k, K_l)$ in $\mathcal{L}$ only.
4.2.2.4 Application to AES-192 and AES-256
When attacking the AES-192 or the AES-256, the goal of an attacker is to recover the last two round keys, from which the entire AES key can be easily computed.
To do so, the attacker first applies the method presented in Sect. 4.2.2.2 to obtain the last round key $K_r$ by using two pairs of correct and faulty ciphertexts where the faults have been injected between the MixColumns of rounds $r-3$ and $r-2$.
Second, the attacker obtains two other pairs $(C, \tilde{C})$ of correct and faulty ciphertexts by injecting random byte faults between the MixColumns of rounds $r-4$ and $r-3$. Since MixColumns is linear, one can rewrite the last two rounds of the AES as depicted in Fig. 4.7.
Therefore for each pair $(C, \tilde{C})$, the attacker computes

$$A = MC^{-1}(SR^{-1}(SB^{-1}(C \oplus K_r)))$$
$$\tilde{A} = MC^{-1}(SR^{-1}(SB^{-1}(\tilde{C} \oplus K_r))) \qquad (4.2)$$

and applies the method described in Sect. 4.2.2.2 with $A$ (or $\tilde{A}$) instead of $C$ (or $\tilde{C}$) to recover $MC^{-1}(K_{r-1})$. The penultimate round key is then obtained by computing the image of $MC^{-1}(K_{r-1})$ through MixColumns. Finally the whole AES key is computed from the last two round keys.
To conclude, the AES key is obtained by using four faulty ciphertexts in the 192-
and 256-bit cases.
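The rewriting of Fig. 4.7 that underlies (4.2) can be checked numerically: after the last round is undone with $K_r$ and MixColumns is inverted, the result has the form of a last-round output under the key $MC^{-1}(K_{r-1})$. The following Python code is an added example, not code from the book; the column-major state layout, the function names and the sample values are assumptions made for illustration.

```python
# Added example (not from the book): numerical check of the Fig. 4.7 rewriting.
# Assumed state layout: 16 bytes, column-major, index = 4*col + row.
from functools import reduce

def gmul(a, b):
    # Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1.
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = ((a << 1) ^ 0x11B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return p

def _sbox(x):
    inv = reduce(lambda acc, _: gmul(acc, x), range(254), 1)  # x^254 = x^-1; 0 -> 0
    rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63

SBOX = [_sbox(x) for x in range(256)]
INV_SBOX = [SBOX.index(y) for y in range(256)]
def xor(a, b): return [x ^ y for x, y in zip(a, b)]
def sb(s):  return [SBOX[v] for v in s]
def isb(s): return [INV_SBOX[v] for v in s]
def sr(s):  return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]
def isr(s): return [s[4 * ((c - r) % 4) + r] for c in range(4) for r in range(4)]

def _mix(s, row0):
    # Circulant matrix per column: entry (i, j) is row0[(j - i) % 4].
    return [reduce(lambda x, y: x ^ y,
                   (gmul(row0[(j - i) % 4], s[4 * c + j]) for j in range(4)))
            for c in range(4) for i in range(4)]

def mc(s):  return _mix(s, (2, 3, 1, 1))
def imc(s): return _mix(s, (14, 11, 13, 9))

def last_two_rounds(state, k_prev, k_last):
    x = xor(mc(sr(sb(state))), k_prev)   # round r-1
    return xor(sr(sb(x)), k_last)        # round r has no MixColumns

def eq_4_2(c, k_last):
    return imc(isr(isb(xor(c, k_last))))  # A = MC^-1(SR^-1(SB^-1(C xor K_r)))

def rewriting_holds(state, k_prev, k_last):
    # A equals a last-round output SR(SB(state)) under the key MC^-1(K_{r-1}).
    a = eq_4_2(last_two_rounds(state, k_prev, k_last), k_last)
    return a == xor(sr(sb(state)), imc(k_prev))

# Constructed sample values, not real key material.
STATE, K_PREV, K_LAST = list(range(16)), [(7 * i + 3) & 0xFF for i in range(16)], [(29 * i + 101) & 0xFF for i in range(16)]
```

Because the equality relies only on the linearity of MixColumns, `rewriting_holds` returns `True` for any state and any pair of round keys.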