Differential Fault Analysis of the Advanced Encryption Standard - Fault Analysis in Cryptography

Cryptography Reference

In-Depth Information

4.3.1.1 Impact of the Fault

To classify the impact of a fault on a variable, we can use an array whose columns

indicate the numbers of bits affected by the fault:

•

bit : only one bit is affected by the fault,

•

byte : a whole byte of the temporary result is disturbed,

•

word : four bytes are modified by the fault;

and whose rows indicate the kind of modification of these bits:

•

stuck - at : the bits are always set to the same value; typically in this case, the attacker

assumes that the fault sets all the affected bits to 0 or to 1,

•

flip : the bits are complemented,

•

random : after the fault, the value of the disturbed bits is random,

•

uniformly distributed random : after the fault, the value of the n affected bits is

uniformly distributed between 0 and 2 n

−

1.

From a practical point of view, the number of bits affected by the fault mainly depends

on the characteristics of the component under attack. For instance, if the device has

an eight-bit CPU with a 32-bit cryptoprocessor, then if a fault occurs during a CPU

operation, it is probable that a byte of the temporary result will be erroneous, whereas

if a fault disturbs a cryptoprocessor operation, the impact of the fault will probably

affect 32 bits.

Regarding the practicality of the row characteristics, it is quite difficult to pro-

duce a uniformly distributed error. Most of the time, attacks assuming a uniformly

distributed random fault model can also be achieved by using a random fault model

with more faulty ciphertexts.

4.3.1.2 Location of the Fault

This characteristic indicates on which (part of the) State the disturbance must occur.

It mainly corresponds to the ability of the attacker to synchronize the disturbance

during the execution of the algorithm. In the case of the AES, the main fault locations

are the following:

•

Chosen : the bits of the variable disturbed by the fault as well as the variable itself

can be chosen by the attacker,

•

Random on a chosen temporary variable : the attacker can choose only which

variable is affected by the fault,

•

+

Random between MixColumns of round n and round n

1: the attacker knows

only that the fault has occurred on a State between the MixColumns of rounds n

and n

+

1.

Of course, the more precise the attack must be, the more difficult it is to put into

practice.

Fault Analysis in Cryptography

Search WWH ::

Custom Search

Home