Cryptography Reference
One may note that this attack can be easily adapted when the fault is induced after
any AddRoundKey transformation, i.e. this attack is effective at each round of the
AES.
4.2.5.2 Adaptation of Attacks Exploiting Faults on the Last Rounds
Another way to attack the first rounds by using DFA is to adapt attacks exploiting
faults on the last rounds. In this section we give an example by using Piret and
Quisquater's attack (cf. Sect. 4.2.2).
Let us assume that a fault has disturbed one byte of the State at the beginning of
the second round when encrypting a message $M$, leading to a faulty ciphertext $\tilde{C}$.
If we denote by $\tilde{M}$ the message whose encryption corresponds to $\tilde{C}$, then $\tilde{M}$
differs from $M$ on four bytes since the fault has been induced after the first
MixColumns transformation. Therefore, the attacker can recover the message $\tilde{M}$ by
performing a fast 32-bit exhaustive search. In a second step the attacker applies Piret
and Quisquater's basic attack (cf. Sect. 4.2.2.1) to $(M, \tilde{M})$ instead of $(C, \tilde{C})$,
allowing him to obtain information on four bytes of the first round key. Iterating
this attack, the attacker can recover the first round key by using the same number of
faulty ciphertexts as in Piret and Quisquater's attack, with an overhead of a 32-bit
exhaustive search per faulty ciphertext.
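The four-byte claim above can be checked directly. The following Python sketch is an added example, not code from the source text: it applies a one-byte difference to the State at the start of round 2, inverts round 1, and lists the bytes where the original message and the message matching the faulty state differ. M, K0 and K1 are constructed values, and the round keys are arbitrary rather than derived from a key schedule, since the affected positions do not depend on the key.

```python
def gmul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        p ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return p

def _sbox_entry(x):
    inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)  # 0 maps to 0
    s = inv
    for i in range(1, 5):  # affine map: XOR of four left rotations, then 0x63
        s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
    return s ^ 0x63

SBOX = [_sbox_entry(x) for x in range(256)]
INV_SBOX = [SBOX.index(y) for y in range(256)]

def mix(state, coeffs):
    """(Inv)MixColumns on a column-major state; coeffs is the matrix's first row."""
    out = []
    for c in range(4):
        for r in range(4):
            v = 0
            for k in range(4):
                v ^= gmul(coeffs[(k - r) % 4], state[4 * c + k])
            out.append(v)
    return out

def round1(m, k0, k1):
    """Initial AddRoundKey, then SubBytes, ShiftRows, MixColumns, AddRoundKey."""
    s = [SBOX[a ^ b] for a, b in zip(m, k0)]
    s = [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]
    return [a ^ b for a, b in zip(mix(s, [2, 3, 1, 1]), k1)]

def inv_round1(s, k0, k1):
    """Undo round1: AddRoundKey, InvMixColumns, InvShiftRows, InvSubBytes, AddRoundKey."""
    s = mix([a ^ b for a, b in zip(s, k1)], [14, 11, 13, 9])
    s = [s[r + 4 * ((c - r) % 4)] for c in range(4) for r in range(4)]
    return [INV_SBOX[a] ^ b for a, b in zip(s, k0)]

def plaintext_diff_positions(m, k0, k1, pos, e):
    """XOR `e` into state byte `pos` at the start of round 2; list differing message bytes."""
    state = round1(m, k0, k1)
    state[pos] ^= e
    m_tilde = inv_round1(state, k0, k1)
    return [i for i in range(16) if m[i] != m_tilde[i]]

# Constructed sample inputs (not taken from the source text).
M, K0, K1 = bytes(range(16)), bytes(range(16, 32)), bytes(range(32, 48))
```

For a difference in column 0 of the State the function returns `[0, 5, 10, 15]`: InvMixColumns spreads the byte over its column and InvShiftRows moves those four bytes to one position per column, which is why the unknown part of the message is 32 bits.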
4.3 Comparison of DFAs on the AES
Over the last ten years, many DFAs on the AES have been published. Due to the
various fault models which have been used, it is difficult to compare the efficiency
of these attacks. In this section, we present such a comparison. To do so, we first
present a way of classifying the different fault models that have been used in previous
publications, before presenting the characteristics of each and every DFA on the AES.
4.3.1 Fault Models
The efficiency of a fault attack does not depend only on the number of faulty
ciphertexts required to recover the secret key; it depends also on the practicality of the
corresponding fault model. In order to compare the various fault models used in the
attacks published so far, we present a way of characterizing a fault which depends on
its impact and its location. The impact of a fault corresponds to the effect a fault has
on the variable which is affected and the location of a fault indicates where the fault
must be performed during the execution of the algorithm. These two characteristics
are detailed below.