Cryptography Reference
In-Depth Information
Table 4.2
Number of faulty ciphertexts required to mount a DFA attack on AES-192 depending
on the impact and the location of the faults
Ref.
Fault
impact
Fault location
Number of faulty
ciphertexts
Number of candi-
dates left
[
324
]
Random
byte
Random between MC of rounds 9
and 10
2
+
2
1
Random between MC
of rounds 8 and 9
+
2
8
[
393
]
Random
byte
Random on a chosen temporary
variables (input of round 10
2
+
1
+
input of round 9)
2
8
[
224
]
Random
byte
Known between MC of rounds 9
and 10
+
Random between MC
of rounds 8 and 9
1
+
1
Table 4.3
Number of faulty ciphertexts required to mount a DFA attack on AES-256 depending
on the impact and the location of the faults
Ref.
Fault
impact
Fault location
Number of faulty
ciphertexts
Number of candi-
dates left
[
324
]
Random
byte
Random between MC of rounds 11
and 12
+
Random between MC
of rounds 10 and 11
2
+
2
1
2
13
[
393
]
Random
byte
Random on a chosen temporary
variable (input of round 12) in
encryption
+
in decryption
2
+
2
2
32
[
]
+
224
Random
byte
Random between MC of rounds 11
and 12
2
1
+
Random between MC
of rounds 10 and 11
2
18
[
164
]
Random
byte
Random between MC of rounds 11
and 12
2
+
1
Random between MC
of rounds 10 and 11
+
4.3.2 Comparative Tables
Based on the classification of the fault models in the previous section, we present
below a table for each AES key size which compares the various DFAs on the AES
published so far. For each attack, we indicate the kind of fault model, the number of
faulty ciphertexts and the number of candidates left for the secret key.
In Tables
4.2
and
4.3
, we present the characteristics of the more efficient DFAs
on AES-192 and AES-256 published so far.
