4.2.2.5 Conclusion
This attack combines a very relaxed fault model with very good efficiency in terms
of faulty ciphertexts. Indeed, by using a random byte fault on any temporary variable
between the MixColumns of rounds r − 3 and r − 2, a whole 128-bit AES key can
be uniquely identified using two faulty ciphertexts. The same result can be achieved
with only one faulty ciphertext and an exhaustive search amongst 2^40 candidates.
Moreover, this attack can be easily extended to the 192- and 256-bit key length
cases. These different points make this attack a reference, used as a basis by many
variants published afterwards.
4.2.3 A DFA on the Middle Rounds of the AES
At CARDIS 2006, Phan and Yen presented new DFAs on the AES which exploit
techniques from block cipher cryptanalysis [323]. In this paper, they show in
particular how, by combining fault attacks and the Square distinguisher presented by
Daemen et al. in [111], one can recover the AES key by using faults induced in the
AES middle rounds. In this section, we first recall an AES property, before presenting
the corresponding DFA on the AES.
4.2.3.1 Square Distinguisher
In the paper introducing the block cipher Square [111], a dedicated attack on reduced
versions of Square is described which also applies to reduced versions of Rijndael.
It exploits the following property of AES:
Property 1 By taking a set of 256 plaintexts identical to each other except for one
byte in which they take all the possible values, after three rounds the XOR of the 256
values results in a State containing 0 in all byte positions.
Phan and Yen exploited this property to mount a DFA on the AES middle rounds.
Let us present their attack in the following sections.
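As an added illustration (not part of the chapter), the Python below checks Property 1 directly on a small AES round implementation: byte 0 of a constructed base State runs over all 256 values, three full rounds are applied with constructed round keys, and the XOR of the 256 outputs is the all-zero State; it also shows that the XOR is no longer zero after a fourth full round. The round keys and base State are arbitrary constructed values, since the property holds for any key.

```python
def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = (((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1), b >> 1
    return r

def _sbox_entry(x):
    """AES S-box: multiplicative inverse (0 -> 0) followed by the affine transform."""
    inv = next((y for y in range(256) if gf_mul(x, y) == 1), 0)
    s, rot = inv, inv
    for _ in range(4):  # s = inv ^ rotl1(inv) ^ rotl2(inv) ^ rotl3(inv) ^ rotl4(inv)
        rot = ((rot << 1) | (rot >> 7)) & 0xFF
        s ^= rot
    return s ^ 0x63

SBOX = [_sbox_entry(x) for x in range(256)]

# State: 16-byte list in AES column-major order, byte (row r, column c) at index r + 4*c.
def sub_bytes(s):
    return [SBOX[b] for b in s]
def shift_rows(s):  # row r is rotated left by r positions
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]
def mix_columns(s):
    cols = [s[4 * c:4 * c + 4] for c in range(4)]
    return [gf_mul(2, a[r]) ^ gf_mul(3, a[(r + 1) % 4]) ^ a[(r + 2) % 4] ^ a[(r + 3) % 4]
            for a in cols for r in range(4)]

def full_rounds(state, round_keys):
    """One full round (SubBytes, ShiftRows, MixColumns, AddRoundKey) per round key."""
    for k in round_keys:
        state = [x ^ y for x, y in zip(mix_columns(shift_rows(sub_bytes(state))), k)]
    return state

def xor_of_saturated_set(base, byte_pos, round_keys):
    """XOR of the 256 outputs obtained when byte `byte_pos` of `base` takes every value."""
    acc = [0] * 16
    for v in range(256):
        out = full_rounds(base[:byte_pos] + [v] + base[byte_pos + 1:], round_keys)
        acc = [x ^ y for x, y in zip(acc, out)]
    return acc

# Constructed round keys and base State (not from the page); the property holds for any choice.
ROUND_KEYS = [[(17 * i + 101 * r + 7) & 0xFF for i in range(16)] for r in range(4)]
BASE = [(13 * i + 5) & 0xFF for i in range(16)]

def square_property_holds(rounds=3, byte_pos=0):
    """True iff the XOR of the 256 outputs is the all-zero State after `rounds` full rounds."""
    return xor_of_saturated_set(BASE, byte_pos, ROUND_KEYS[:rounds]) == [0] * 16
```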
4.2.3.2 Basic Square-DFA
The principle of this attack is the following: the attacker always encrypts the same
plaintext and he injects 255 uniformly distributed random byte faults into the same
byte of the input of round r − j, j ≥ 3. Let us denote by C, indexed over the 255
faults, the 255 corresponding faulty ciphertexts and by C the correct ciphertext.
From Property 1, the XOR of the 256 corresponding inputs of the last round must be
equal to zero. Therefore, to recover the i-th byte of the last round key, the attacker
tests for each ∈ {1, ··· , 255}