corresponding four bytes of the last round key to 2^24 on average. By using such a fault model and four faulty ciphertexts, the last round key is uniquely identified.
4.2.4.4 An Improvement for AES-128
In [403], Tunstall and Mukhopadhyay published a one-shot attack specific to AES-128. The first step of their attack is very similar to the one presented in Sect. 4.2.4.2, but under a more restricted fault model (a random byte fault induced between the MixColumns of the seventh round and the MixColumns of the eighth round). In the second step of their attack, they exploit the relationships between the bytes of K_9 and K_10 to analyse the differential at the output of the MixColumns of round 8. Their attack reduces the number of candidates for the last round key to 2^12 using only one faulty ciphertext.
4.2.4.5 Conclusion
The fault attack presented in this section is one of the most efficient published so far, since a single random diagonal fault induced between the MixColumns of round r-3 and the ShiftRows of round r-2 reduces the number of possible values of the last round key to 2^34. Moreover, if three out of the four diagonals of the State are disturbed, this attack makes it possible to uniquely identify the last round key by using four faulty ciphertexts.
4.2.5 Attacking the First Rounds
Previous sections dealt with attacks exploiting faults induced in the last rounds. However, it is also possible to mount a DFA on the AES when faults are induced in the first rounds. In this section we present two such attacks.
4.2.5.1 Attacking the Key Addition
The first attack exploiting faults induced in the first round was presented by Blömer and Seifert in 2003 [55]. Although the fault model is rather strong, it allows one to attack the beginning of the AES.
The principle of their attack is quite simple. The attacker encrypts the all-zero message twice: the first time without any disturbance, the second time forcing the first bit of the State to 0 after the first AddRoundKey transformation. Since the message is zero, the State after that AddRoundKey is exactly the first round key, so the fault changes nothing if the corresponding key bit is already 0. If the two ciphertexts are equal, then the first bit of the first round key is equal to 0; otherwise this bit is equal to 1. The attacker therefore recovers the whole first round key by repeating this procedure on the other 127 bits, i.e. with 128 faulty encryptions in total.
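The attack just described, as an added simulation that is not part of the book's text: the AES-128 below is a compact reference implementation written for this example (the S-box is generated rather than tabulated), `aes128_encrypt` takes a hypothetical `fault` hook standing in for the physical disturbance applied to the State right after the initial AddRoundKey, and `recover_first_round_key` plays the attacker who only sees ciphertexts. The bit numbering (bit 0 is the most significant bit of the first State byte) and the test key are assumptions of this example.

```python
"""Blömer-Seifert bit-reset fault attack on the initial AddRoundKey of AES-128.
Added example; the AES code is a compact reference implementation, not the book's."""


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _gen_sbox():
    """Build the AES S-box: GF(2^8) inverse followed by the affine map."""
    sbox = [0] * 256
    p = q = 1  # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q = (q ^ (q << 1)) & 0xFF                              # q /= 3
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # 0 has no inverse: affine constant only
    return sbox


SBOX = _gen_sbox()


def xtime(a):
    """Multiply by x (i.e. 2) in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1


def expand_key(key):
    """AES-128 key schedule: the 11 round keys K_0..K_10 as 16-byte lists."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord then SubWord
            t[0] ^= rcon
            rcon = xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def sub_bytes(s):
    return [SBOX[b] for b in s]


def shift_rows(s):
    # State is column-major (s[row + 4*col]); row r is rotated left by r.
    return [s[(i + 4 * (i % 4)) % 16] for i in range(16)]


def mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        out += [xtime(a[i]) ^ xtime(a[(i + 1) % 4]) ^ a[(i + 1) % 4]
                ^ a[(i + 2) % 4] ^ a[(i + 3) % 4] for i in range(4)]
    return out


def add_round_key(s, k):
    return [a ^ b for a, b in zip(s, k)]


def aes128_encrypt(key, block, fault=None):
    """Encrypt one block. `fault` is a hypothetical hook for this example: it is
    applied to the State right after the initial AddRoundKey, which is where
    Blömer and Seifert's fault is induced."""
    rk = expand_key(key)
    s = add_round_key(list(block), rk[0])
    if fault is not None:
        s = fault(s)
    for r in range(1, 10):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), rk[r])
    return bytes(add_round_key(shift_rows(sub_bytes(s)), rk[10]))


def reset_bit_fault(bit):
    """Fault model: force one State bit to 0 (bit 0 = MSB of byte 0; assumed ordering)."""
    byte, mask = bit // 8, 0x80 >> (bit % 8)

    def fault(s):
        s = list(s)
        s[byte] &= 0xFF ^ mask
        return s
    return fault


def recover_first_round_key(encrypt):
    """Attacker side: `encrypt(block, fault)` is the oracle offered by the device.
    Encrypt the all-zero block once correctly and once per bit with that bit reset;
    an unchanged ciphertext means the State bit (= key bit, as P = 0) was already 0."""
    zero = bytes(16)
    reference = encrypt(zero, None)
    bits = [0 if encrypt(zero, reset_bit_fault(i)) == reference else 1
            for i in range(128)]
    return bytes(int("".join(map(str, bits[8 * i:8 * i + 8])), 2) for i in range(16))


if __name__ == "__main__":
    key = bytes(range(16))  # constructed test key (the FIPS-197 Appendix C.1 key)
    print("recovered K_0:", recover_first_round_key(
        lambda block, fault: aes128_encrypt(key, block, fault)).hex())
```

The simulation needs exactly 129 encryptions (one reference, 128 faulty) and recovers K_0, which for AES-128 is the cipher key itself. The same oracle loop carries over unchanged to AES-192/256 round keys K_0 if the encryption routine is swapped, since the reasoning only uses the State right after the first key addition.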