Cryptography Reference
In-Depth Information
4.5 Conclusion
In this chapter we presented the state of the art of DFA on the AES and we described
in detail three attacks which can be used to recover the AES key with a minimal
number of faulty ciphertexts and a very practical fault model. However, for all the
attacks presented in this chapter to succeed, the attacker must be able to cipher
the same message twice (at least). However, such a condition is not always true in
practice. Therefore, DFA on the AES does not always apply, but when it does, the
various DFAs published on the AES are extremely efficient. This implies that the
corresponding implementations must be protected against fault attacks. However, as
shown in Sect.
4.4
, very few efficient countermeasures have been proposed so far.
Since the last published attacks are very efficient in terms of both fault model and
number of faulty ciphertexts, the proposal of efficient DFA countermeasures for the
AES in terms of performance, memory consumption and detection rate is a future
challenge for cryptologists.
