[Fig. 4.8 Equivalence of the propagation of different kinds of fault induced on the first diagonal of the input of round r − 2. The figure follows the fault bytes F1, F2, F3, F4 through the (r − 2)-th round (input, after SubBytes, after ShiftRows, after MixColumns, where they appear as the combinations F_i, 2F_i, 3F_i) and the (r − 1)-th round; the image itself is not reproduced here.]
First of all, the attacker reduces the space of possible candidates for the key bytes K_0 and K_13 by guessing all possible values for them in the first equation and filtering out all pairs that do not satisfy it. He now has a reduced key space for K_13, which is used to perform a similar key space reduction with the second equation. Then the same methodology is applied to the third equation. After this three-step key space reduction, the number of possible values for (K_0, K_7, K_10, K_13) is about 2^8 on average.
By observing the differential at the output of the MixColumns of round r − 1 (cf. Fig. 4.8), one can see that the attacker can obtain similar equations with the last three columns. These other three sets of three equations are then used to reduce the last round key space to 2^32 possible values.
In the description presented above, we assumed that the position of the faulty diagonal was known to the attacker. To relax this assumption, the attacker has to guess the position of the faulty diagonal and repeat the attack four times. In such a case, the last round key space will be reduced to 2^34 possible values.
In the case of AES-128, the AES key is recovered by using one faulty ciphertext and by performing an exhaustive search amongst the 4 · (2^8)^4 = 2^34 candidates.
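The three-step reduction described above, as an added Python example that is not code from the chapter or from Saha et al.: it simulates AES-128 with a fault XORed onto one diagonal at the input of round r − 2 = 8, then runs the reduction for all four columns of the last round key. The diagonal position is a parameter, so the four-fold repetition of the unknown-diagonal case can be reproduced by calling the attack with each value. Equations (4.4) are not shown on this page; the relations implemented assume the column difference pattern (2f, f, f, 3f) before the last SubBytes that Fig. 4.8 describes, and the ciphertext byte positions (0, 13, 10, 7 for the first column) follow from ShiftRows. The key and plaintext are the FIPS-197 Appendix B test vector; the fault bytes are constructed.

```python
# Added example (not the chapter's code): AES-128 with a diagonal fault at the input of
# round r-2 = 8, then the three-step last-round key-space reduction described in the text.
# Assumed: the (2f, f, f, 3f) column difference pattern before the last SubBytes (Fig. 4.8).
import math

def xtime(a):
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def gmul(a, b):  # multiplication in GF(2^8) with the AES polynomial
    r = 0
    while b:
        r, a, b = r ^ (a if b & 1 else 0), xtime(a), b >> 1
    return r

GF_INV = [0] + [next(y for y in range(1, 256) if gmul(x, y) == 1) for x in range(1, 256)]

def _sbox_entry(x):  # multiplicative inverse followed by the AES affine transformation
    v = s = GF_INV[x]
    for _ in range(4):
        v = ((v << 1) | (v >> 7)) & 0xFF
        s ^= v
    return s ^ 0x63

SBOX = [_sbox_entry(x) for x in range(256)]
INV_SBOX = [SBOX.index(y) for y in range(256)]
MC = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]

def sub_bytes(s):  # state = 16-byte list in AES order: byte 4*c + r sits at row r, column c
    return [SBOX[b] for b in s]

def shift_rows(s):
    return [s[((c + r) % 4) * 4 + r] for c in range(4) for r in range(4)]

def mix_columns(s):
    return [gmul(MC[i][0], s[4 * c]) ^ gmul(MC[i][1], s[4 * c + 1]) ^ gmul(MC[i][2], s[4 * c + 2])
            ^ gmul(MC[i][3], s[4 * c + 3]) for c in range(4) for i in range(4)]

def expand_key(key):  # AES-128 key schedule: 11 round keys of 16 bytes
    w, rcon = [list(key[4 * i:4 * i + 4]) for i in range(4)], 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t, rcon = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]], xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def invert_key_schedule(k10):  # AES-128: from a last-round-key candidate back to the key
    w = [None] * 40 + [list(k10[4 * i:4 * i + 4]) for i in range(4)]
    rcons = [1, 2, 4, 8, 16, 32, 64, 128, 0x1B, 0x36]
    for i in range(43, 3, -1):
        t = w[i - 1]
        if i % 4 == 0:
            t = [SBOX[t[1]] ^ rcons[i // 4 - 1], SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
        w[i - 4] = [w[i][j] ^ t[j] for j in range(4)]
    return sum(w[:4], [])

def encrypt(pt, key, fault=None, diag=0):
    """AES-128; `fault` (4 bytes) is XORed onto diagonal `diag` of the state at the input
    of round 8 (round r-2 for r = 10), which is the Saha et al. fault model."""
    rk = expand_key(key)
    s = [p ^ k for p, k in zip(pt, rk[0])]
    for rnd in range(1, 11):
        if rnd == 8 and fault is not None:
            for r in range(4):  # diagonal d holds the bytes (row r, column (r + d) % 4)
                s[((r + diag) % 4) * 4 + r] ^= fault[r]
        s = shift_rows(sub_bytes(s))
        s = mix_columns(s) if rnd < 10 else s
        s = [a ^ k for a, k in zip(s, rk[rnd])]
    return s

def reduce_column(c, ct, fct, diag=0):
    """Three-step reduction for the four last-round key bytes fed by column c of the
    round-9 MixColumns output; c = 0, diag = 0 gives (K0, K13, K10, K7).
    Returns (ciphertext byte positions, surviving candidate 4-tuples in that order)."""
    k_in = (diag - c) % 4  # the single nonzero input row of that MixColumns column
    pos = [((c - i) % 4) * 4 + i for i in range(4)]  # where round-10 ShiftRows puts row i
    mult = [MC[i][k_in] for i in range(4)]  # (2, 1, 1, 3) for c = 0, diag = 0
    if any(ct[p] == fct[p] for p in pos):
        raise ValueError("no difference in column %d: the fault did not reach it" % c)
    # f[i][k]: the fault byte implied by guessing k for key byte pos[i], i.e. the
    # difference before the last SubBytes divided by its MixColumns coefficient
    f = [[gmul(GF_INV[mult[i]], INV_SBOX[ct[pos[i]] ^ k] ^ INV_SBOX[fct[pos[i]] ^ k])
          for k in range(256)] for i in range(4)]
    tuples = [(k,) for k in range(256)]
    for i in range(3):  # equation i ties pos[i] to pos[i+1]; only survivors are extended
        tuples = [t + (k,) for t in tuples for k in range(256) if f[i][t[-1]] == f[i + 1][k]]
    return pos, tuples

def attack(ct, fct, diag=0):
    """Candidate sets for the whole last round key, one per column (about 2^8 each)."""
    return [reduce_column(c, ct, fct, diag) for c in range(4)]

if __name__ == "__main__":  # constructed inputs: FIPS-197 App. B key/plaintext, arbitrary fault
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    pt = bytes.fromhex("3243f6a8885a308d313198a2e0370734")
    ct, fct = encrypt(pt, key), encrypt(pt, key, fault=[0x5A, 0x17, 0xC3, 0x01])
    sizes = [len(cands) for _, cands in attack(ct, fct)]
    print("candidates per column:", sizes, "-> about 2^%d for the last round key"
          % (math.prod(sizes).bit_length() - 1))
```

With the diagonal known, each column keeps about 2^8 tuples and their product is about 2^32; calling `attack` with each of the four values of `diag` and taking the union reproduces the 2^34 figure. `invert_key_schedule` turns a last-round-key candidate into the AES-128 key, which is what makes the final exhaustive search a sequence of trial encryptions against a known plaintext/ciphertext pair. The guard in `reduce_column` catches the case where one MixColumns output byte of round r − 2 happens to be zero, so the corresponding column carries no difference and its equations give no information.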
4.2.4.3 A Relaxed Fault Model
In the last part of their paper, Saha et al. extend the fault model used in Sect. 4.2.4.2 by assuming that three diagonals of the state array between the MixColumns of round r − 3 and the ShiftRows of round r − 2 are disturbed by the fault. In such a case, the attacker can obtain a set of equations similar to (4.4) for each column of the state array after the MixColumns of round r − 1. If the position of the fault-free diagonal is known, such a set allows the attacker to reduce the number of candidates for the