possible value for $K_i$ if the following equality holds:

$$\bigoplus_{j=1}^{255} SB^{-1}\left(C_i^{j} \oplus K_i\right) = SB^{-1}\left(C_i^{0} \oplus K_i\right). \qquad (4.3)$$
If so, the attacker has recovered the value of the $i$-th byte of the last round key with high probability. He then repeats this search for the remaining 15 bytes of $K_r$ by using the same 256 ciphertexts.
One may note that this attack applies not only if the fault is injected into the input of round $r-3$ but also if the fault is injected into any temporary variable between the MixColumns of rounds $r-4$ and $r-3$.
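The key-byte test of Eq. (4.3), together with the balance property it relies on, as an added Python simulation (this is not code from the book or its authors). It assumes constructed values: random round keys $K_{r-3}$ to $K_r$ and a random correct input of round $r-3$ (no key schedule is modelled, since the last-round check only involves $K_r$), and the 255 faulty runs are produced by giving byte 0 of the input of round $r-3$ each of its 255 other values. It then checks every candidate for each byte of $K_r$ against Eq. (4.3) and reports the surviving candidates, which shows both why the true byte always passes and why a wrong byte passes only with probability about $1/256$.

```python
"""Added example (not from the book): simulation of the basic Square-DFA check, Eq. (4.3).
Constructed assumptions: random round keys K_{r-3}..K_r and a random correct input of
round r-3; faults are modelled by enumerating all 255 other values of byte 0 of that
input. State bytes are indexed column-major (index = 4*column + row) as in FIPS-197."""
import random


def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inv(a):
    """a^254 = a^-1 in GF(2^8); gives 0 for a = 0, which is what the S-box needs."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


# Build the AES S-box from its definition (field inverse, then affine map) and its inverse.
SBOX = []
for _x in range(256):
    _b = gf_inv(_x)
    _s = _b
    for _i in range(1, 5):
        _s ^= ((_b << _i) | (_b >> (8 - _i))) & 0xFF
    SBOX.append(_s ^ 0x63)
INV_SBOX = [0] * 256
for _x, _s in enumerate(SBOX):
    INV_SBOX[_s] = _x


def sub_bytes(s):
    return [SBOX[x] for x in s]


def shift_rows(s):
    # Row `row` is rotated left by `row` positions.
    return [s[4 * ((c + row) % 4) + row] for c in range(4) for row in range(4)]


def mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
                a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
                a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
                gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]
    return out


def add_round_key(s, k):
    return [x ^ y for x, y in zip(s, k)]


def xor_all(values):
    acc = 0
    for v in values:
        acc ^= v
    return acc


def simulate(seed=1):
    """Run the correct encryption (j = 0) and the 255 faulty ones (j = 1..255) from the
    input of round r-3 onwards. Returns the 256 inputs of round r (to verify the balance
    property), the 256 ciphertexts C^j, and the true last round key K_r."""
    rng = random.Random(seed)
    keys = [[rng.randrange(256) for _ in range(16)] for _ in range(4)]  # K_{r-3}..K_r
    correct = [rng.randrange(256) for _ in range(16)]  # constructed input of round r-3
    inputs_r, ciphertexts = [], []
    for j in range(256):
        s = list(correct)
        s[0] ^= j  # constructed fault: byte 0 takes every value; j = 0 is fault-free
        for k in keys[:3]:  # full rounds r-3, r-2, r-1
            s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), k)
        inputs_r.append(s)
        s = add_round_key(shift_rows(sub_bytes(s)), keys[3])  # last round r, no MixColumns
        ciphertexts.append(s)
    return inputs_r, ciphertexts, keys[3]


def candidates_for_byte(ciphertexts, i):
    """All k in 0..255 satisfying Eq. (4.3) for ciphertext byte i: the XOR over the 255
    faulty ciphertexts of SB^-1(C_i^j xor k) equals SB^-1(C_i^0 xor k)."""
    c0 = ciphertexts[0][i]
    return [k for k in range(256)
            if xor_all(INV_SBOX[c[i] ^ k] for c in ciphertexts[1:]) == INV_SBOX[c0 ^ k]]


def recover_last_round_key(ciphertexts):
    """16 independent 256-candidate searches, i.e. 2^12 evaluations of Eq. (4.3)."""
    return [candidates_for_byte(ciphertexts, i) for i in range(16)]


if __name__ == "__main__":
    inputs_r, cts, k_r = simulate()
    print("inputs of round r balanced:", all(xor_all(s[i] for s in inputs_r) == 0 for i in range(16)))
    for i, cands in enumerate(recover_last_round_key(cts)):
        print(f"byte {i:2d}: true K_r[i] = {k_r[i]:02x}, candidates = {[f'{k:02x}' for k in cands]}")
```

The balance check on the 256 inputs of round $r$ is the Property 1 the attack depends on; the candidate lists show the "high probability" remark concretely, since a wrong $K_i$ satisfies Eq. (4.3) only when an essentially random byte happens to be zero, so typically one or two candidates survive per byte and the remaining ambiguity is cheap to resolve.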
4.2.3.3 Extended Square-DFA
Phan and Yen noticed that it is possible to attack one round before, i.e. between the MixColumns of rounds $r-5$ and $r-4$. In this case, Property 1 implies that the XOR of the inputs of round $r-1$ must result in zero. To exploit this property, the attacker must decrypt the ciphertexts by the last two rounds and perform an exhaustive search similar to the one described in Sect. 4.2.3.2. To do so, he has to guess a column of $K_{r-1}$ and the corresponding four bytes of $K_r$.
By repeating this four times, the attacker obtains both $K_{r-1}$ and $K_r$, i.e. he recovers the AES key whatever its length. However, the complexity of such an attack is much higher than the one of Sect. 4.2.3.2 since we need to guess eight four-byte variables and not only 16 times a one-byte variable (i.e. we need to perform an exhaustive search amongst $2^{66}$ candidates instead of $2^{12}$). Therefore, such an attack is very difficult to put into practice.
4.2.3.4 Application of Basic Square-DFA to AES-192 and AES-256
In the case of AES-192 and AES-256, the attack of Sect. 4.2.3.2 can be extended to recover the penultimate round key $K_{r-1}$ by using 255 extra faulty ciphertexts obtained from a uniformly distributed random byte fault induced on the State between MixColumns of rounds $r-5$ and $r-4$. By guessing a column of $K_{r-1}$ and by using the knowledge of $K_r$, the attacker decrypts the corresponding four bytes of the faulty ciphertexts by the last two rounds. Then he tests whether the corresponding four bytes of the XOR of the corresponding 256 States are equal to zero or not. Finally, the attacker iterates this search on the three other columns with the same ciphertexts until the penultimate round key is recovered.