DFA on AES

In this paper we describe two different DFA attacks on the AES. The first one uses a fault model that induces a fault on only one bit of an intermediate result, hence allowing us to obtain the key by using 50 faulty ciphertexts for an AES-128. The second attack uses a more realistic fault model: we assume that we may induce a fault on a whole byte. For an AES-128, this second attack provides the key by using less than 250 faulty ciphertexts. If we extend our hypothesis by supposing that the attacker can choose the byte affected by the fault, our bit-fault attack requires 35 faulty ciphertexts to obtain the secret key and our byte-fault attack requires only 31 faulty ciphertexts.

[1]  R. Stephenson A and V , 1962, The British journal of ophthalmology.

[2]  Markus G. Kuhn,et al.  Low Cost Attacks on Tamper Resistant Devices , 1997, Security Protocols Workshop.

[3]  Markus G. Kuhn,et al.  Tamper resistance: a cautionary note , 1996 .

[4]  尚弘 島影 National Institute of Standards and Technologyにおける超伝導研究及び生活 , 2001 .

[5]  David Paul Maher Fault Induction Attacks, Tamper Resistance, and Hostile Reverse Engineering in Perspective , 1997, Financial Cryptography.

[6]  Arjen K. Lenstra Memo on RSA signature generation in the presence of faults , 1996 .

[7]  Jean-Jacques Quisquater,et al.  A Differential Fault Attack Technique against SPN Structures, with Application to the AES and KHAZAD , 2003, CHES.

[8]  Marc Joye,et al.  Checking Before Output May Not Be Enough Against Fault-Based Cryptanalysis , 2000, IEEE Trans. Computers.

[9]  Robert H. Deng,et al.  Breaking Public Key Cryptosystems on Tamper Resistant Devices in the Presence of Transient Faults , 1997, Security Protocols Workshop.

[10]  Moti Yung,et al.  Observability Analysis - Detecting When Improved Cryptosystems Fail , 2002, CT-RSA.

[11]  Jean-Pierre Seifert,et al.  Fault Based Cryptanalysis of the Advanced Encryption Standard (AES) , 2003, Financial Cryptography.

[12]  Marc Joye,et al.  Chinese Remaindering Based Cryptosystems in the Presence of Faults , 1999, Journal of Cryptology.

[13]  Wieland Fischer,et al.  Fault Attacks on RSA with CRT: Concrete Results and Practical Countermeasures , 2002, CHES.

[14]  Bernd Meyer,et al.  Differential Fault Attacks on Elliptic Curve Cryptosystems , 2000, CRYPTO.

[15]  Eli Biham,et al.  Differential Fault Analysis of Secret Key Cryptosystems , 1997, CRYPTO.

[16]  Seungjoo Kim,et al.  A Countermeasure against One Physical Cryptanalysis May Benefit Another Attack , 2001, ICISC.

[17]  Vincent Rijmen,et al.  The Design of Rijndael , 2002, Information Security and Cryptography.

[18]  Marc Joye,et al.  Elliptic Curve Cryptosystems in the Presence of Permanent and Transient Faults , 2005, Des. Codes Cryptogr..

[19]  Seungjoo Kim,et al.  RSA Speedup with Residue Number System Immune against Hardware Fault Cryptanalysis , 2001, ICISC.

[20]  Richard J. Lipton,et al.  On the Importance of Checking Cryptographic Protocols for Faults (Extended Abstract) , 1997, EUROCRYPT.

[21]  Ross J. Anderson,et al.  Optical Fault Induction Attacks , 2002, CHES.