4.2.3.5 Conclusion
We have presented here a DFA on the middle rounds of the AES which exploits a
property used by traditional cryptanalysis. This attack is very powerful in the sense
that it applies efficiently even if the last four rounds of the AES are protected against
fault attacks. Moreover, this attack can also be mounted if the last five rounds are
protected, but it then requires four exhaustive searches amongst $2^{64}$ candidates.
4.2.4 A Very Effective DFA on the AES
In 2009, Saha et al. published on ePrint [352] an improved version of Piret and
Quisquater's attack. This very efficient DFA allows the attacker to uniquely identify
a 128-bit AES key by using only four faulty ciphertexts with faults disturbing up to
three diagonals of a State. In the rest of this section we first present an observation
on the AES which is then used in Sect. 4.2.4.2 to mount a one-shot DFA on the AES
by assuming that a single diagonal of the State is disturbed. This fault model is then
relaxed in Sect. 4.2.4.3.
4.2.4.1 Preliminary Observation
To mount their attack, Saha et al. made the following observation. If a diagonal of
the input of round $r-2$ is disturbed, then the fault impacts a single column at the end
of this round and spreads out to the entire State at the end of round $r-1$. However,
the bytes of each of the four columns of the matrix which represents the differential
between a correct and a faulty State at the output of round $r-1$ satisfy relationships
which can be used to obtain information about the last round key. Such a propagation
and the corresponding relationships are depicted in Fig. 4.8.
4.2.4.2 Description
Let us now explain how an attacker can recover information on the last round key
from a pair $(C, C^*)$ of a correct and a faulty ciphertext, where the fault has been
induced on the first diagonal of the input of round $r-2$. If such a fault is induced,
one can observe from Fig. 4.8 that the following set of equations holds for the pair
$(C, C^*)$, where $C_i$, $C^*_i$ and $K_i$ denote the $i$-th byte of $C$, of $C^*$ and
of the last round key $K$, and where the products by 2 and 3 are computed in the AES
field $\mathbb{F}_{2^8}$:
$$
\begin{aligned}
SB^{-1}(C_0 \oplus K_0) \oplus SB^{-1}(C^*_0 \oplus K_0) &= 2\,\bigl(SB^{-1}(C_{13} \oplus K_{13}) \oplus SB^{-1}(C^*_{13} \oplus K_{13})\bigr) \\
SB^{-1}(C_{13} \oplus K_{13}) \oplus SB^{-1}(C^*_{13} \oplus K_{13}) &= SB^{-1}(C_{10} \oplus K_{10}) \oplus SB^{-1}(C^*_{10} \oplus K_{10}) \\
SB^{-1}(C_7 \oplus K_7) \oplus SB^{-1}(C^*_7 \oplus K_7) &= 3\,\bigl(SB^{-1}(C_{13} \oplus K_{13}) \oplus SB^{-1}(C^*_{13} \oplus K_{13})\bigr)
\end{aligned}
\tag{4.4}
$$
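The propagation of Sect. 4.2.4.1 and the key-recovery relations of Eq. (4.4), as an added example that is neither the book's nor Saha et al.'s code: a minimal AES-128 in Python with a hook that XORs a difference into the input of round 8 (round $r-2$ for AES-128, $r = 10$), a function returning the correct/faulty differentials at the outputs of rounds 8 and 9 so the pattern of Fig. 4.8 can be checked, and the filter that keeps only the $(K_0, K_{13}, K_{10}, K_7)$ tuples of the last round key satisfying (4.4). The key, plaintexts, fault values and all function names are constructed for the demonstration; the S-box is derived from the field inverse rather than tabulated so the block is self-contained, and the products by 2 and 3 are in $\mathbb{F}_{2^8}$.

```python
# Added example (not the book's or Saha et al.'s code); all inputs at the bottom are constructed.
def xtime(b):  # multiply by 2 in GF(2^8), modulus x^8 + x^4 + x^3 + x + 1
    return ((b << 1) ^ 0x11B) if b & 0x80 else b << 1

def gmul(a, b):  # general multiplication in GF(2^8)
    p = 0
    while b:
        p, a, b = p ^ (a if b & 1 else 0), xtime(a), b >> 1
    return p

def _build_sbox():  # S-box = affine map of the field inverse a^254; 0 maps to 0x63
    rotl = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    sbox = [0x63] * 256
    for a in range(1, 256):
        inv, sq = 1, a
        for _ in range(7):  # a^254 = a^2 * a^4 * ... * a^128
            sq = gmul(sq, sq)
            inv = gmul(inv, sq)
        sbox[a] = inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63
    return sbox

SBOX = _build_sbox()
INV_SBOX = [SBOX.index(i) for i in range(256)]
# State: 16 bytes, byte i at row i % 4, column i // 4 (FIPS-197 order, as in Eq. (4.4)).
def sub_bytes(s):
    return [SBOX[b] for b in s]

def shift_rows(s):  # byte at (row r, column c) moves to column (c - r) mod 4
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gmul(a0, 2) ^ gmul(a1, 3) ^ a2 ^ a3, a0 ^ gmul(a1, 2) ^ gmul(a2, 3) ^ a3,
                a0 ^ a1 ^ gmul(a2, 2) ^ gmul(a3, 3), gmul(a0, 3) ^ a1 ^ a2 ^ gmul(a3, 2)]
    return out

def xor(s, k):
    return [x ^ y for x, y in zip(s, k)]

def expand_key(key):  # AES-128 key schedule: round keys K_0 .. K_10 as 16-byte lists
    w, rcon = [list(key[4 * i:4 * i + 4]) for i in range(4)], 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t, rcon = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]], xtime(rcon)
        w.append(xor(w[i - 4], t))
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def encrypt(pt, rks, fault=None, stop_after=10):
    """fault=(round, diff) XORs diff into the input of that round, i.e. just before its
    SubBytes; stop_after < 10 returns the State at the output of that round."""
    s = xor(pt, rks[0])
    for rnd in range(1, stop_after + 1):
        if fault and fault[0] == rnd:
            s = xor(s, fault[1])
        s = shift_rows(sub_bytes(s))
        if rnd != 10:
            s = mix_columns(s)
        s = xor(s, rks[rnd])
    return s

def diagonal_fault(v):  # difference on the first diagonal, bytes 0, 5, 10, 15
    return [v[i // 5] if i % 5 == 0 else 0 for i in range(16)]

def round_differentials(pt, rks, diff):
    """Differentials at the outputs of rounds 8 and 9 (Fig. 4.8): after round 8 only
    column 0 is non-zero, after round 9 column 0 reads (2e, e, e, 3e) for some e."""
    return [xor(encrypt(pt, rks, None, r), encrypt(pt, rks, (8, diff), r)) for r in (8, 9)]

def candidates_from_pair(c, cf):
    """All (K_0, K_13, K_10, K_7) satisfying Eq. (4.4) for the pair (C, C*), or None when
    these four bytes are unchanged (fault cancelled in byte 0 of the round-8 MixColumns
    output, so the equations carry no information)."""
    if any(c[i] == cf[i] for i in (0, 13, 10, 7)):
        return None
    delta = lambda i, k: INV_SBOX[c[i] ^ k] ^ INV_SBOX[cf[i] ^ k]
    cands = set()
    for k13 in range(256):
        d13 = delta(13, k13)
        k0s = [k for k in range(256) if delta(0, k) == gmul(d13, 2)]
        k10s = [k for k in range(256) if delta(10, k) == d13]
        k7s = [k for k in range(256) if delta(7, k) == gmul(d13, 3)]
        cands.update((k0, k13, k10, k7) for k0 in k0s for k10 in k10s for k7 in k7s)
    return cands

def recover_column0_bytes(key, plaintexts, fault_values):
    """Intersect the candidate sets of several (C, C*) pairs, skipping degenerate ones."""
    rks, result = expand_key(key), None
    for pt, fv in zip(plaintexts, fault_values):
        cands = candidates_from_pair(encrypt(pt, rks), encrypt(pt, rks, (8, diagonal_fault(fv))))
        if cands is not None:
            result = cands if result is None else result & cands
    return result

def true_column0_bytes(key):  # the bytes the attack must find, for checking only
    return tuple(expand_key(key)[10][i] for i in (0, 13, 10, 7))

# Constructed inputs: a key, four plaintexts and four first-diagonal fault values.
KEY = bytes(range(16))
PLAINTEXTS = [bytes(range(16 * j, 16 * j + 16)) for j in range(4)]
FAULTS = [(0x01, 0x02, 0x03, 0x04), (0x80, 0x40, 0x20, 0x10),
          (0xA5, 0x5A, 0xC3, 0x3C), (0x11, 0x22, 0x33, 0x44)]
```

Each line of (4.4) is invariant under $K_i \mapsto K_i \oplus C_i \oplus C^*_i$ for the byte it involves, so a single pair always returns the true tuple together with such twins (plus a few chance solutions, roughly $2^8$ candidates in total); the example therefore intersects the candidate sets of several pairs, and `recover_column0_bytes` drops a pair whose bytes 0, 13, 10 and 7 are unchanged, which happens when the four faulted bytes cancel in byte 0 of the round-8 MixColumns output. The per-pair filter costs $4 \cdot 2^{16}$ inverse S-box lookups rather than a $2^{32}$ search because $K_{13}$ is enumerated first and the three other bytes are solved independently against it. The other three columns of the differential are handled the same way with the byte positions and coefficients read off Fig. 4.8 (not shown here).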