DFA Mechanism on the AES Key Schedule

Takahashi, Daisuke; Fukunaga,; Yamakoshi,

doi:10.1109/fdtc.2007.13

Cited by 53 publications

(31 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…There are many descriptions of a fault-based differential cryptanalysis of AES that could be prevented by repeating the last two or three rounds of an implementation of AES, to verify that no exploitable fault has been inserted [5,9,11,25,30]. However, to prevent the attack described in this paper the last four rounds would need to be repeated to check no fault was injected.…”

Section: Resultsmentioning

confidence: 99%

“…The former fault would require 6 faulty ciphertexts to deriver the secret key, while the latter would require around 1500 faulty ciphertexts to derive the key. Other authors have considered faults in the key schedule [29,30], where the most recent publication has demonstrated that the secret key can be derived with two faulty ciphertexts [13].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Differential Fault Analysis of the Advanced Encryption Standard Using a Single Fault

Tunstall

Mukhopadhyay

Ali

2011

Lecture Notes in Computer Science

221

147

View full text Add to dashboard Cite

Abstract. In this paper we present a differential fault attack that can be applied to the AES using a single fault. We demonstrate that when a single random byte fault is induced at the input of the eighth round, the AES key can be deduced using a two stage algorithm. The first step has a statistical expectation of reducing the possible key hypotheses to 2 32 , and the second step to a mere 2 8 . Furthermore, we show that, with certain faults, this can be reduced to two key hypothesis.

show abstract

Section: Resultsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Differential Fault Analysis of the Advanced Encryption Standard Using a Single Fault

Tunstall

Mukhopadhyay

Ali

2011

Lecture Notes in Computer Science

221

147

View full text Add to dashboard Cite

show abstract

“…Peacham's attack required only 12 faulty ciphertexts to retrieve the AES-128 secret key. Takahashi et al [28], proposed a generalized attack that required only two faulty ciphertexts to reduce the number of key hypotheses for a AES-128 secret key to 2 48 . Other variants of this attack were presented that, using four faulty ciphertexts, reduce the number of hypotheses to 2 16 or, using seven faulty ciphertexts, determine the secret key.…”

Section: Introductionmentioning

confidence: 99%

Differential fault analysis of AES: towards reaching its limits

2012

View full text Add to dashboard Cite

Abstract. In this paper we present a theoretical analysis of the limits of the Differential Fault Analysis (DFA) of AES by developing an interrelationship between conventional cryptanalysis of AES and DFAs. We show that the existing attacks have not reached these limits and present techniques to reach these. More specifically, we propose optimal DFA on states of AES-128 and AES-256. We also propose attacks on the key schedule of the three versions of AES, and demonstrate that these are some of the most efficient attacks on AES to date. Our attack on AES-128 key schedule is optimal, and the attacks on AES-192 and AES-256 key schedule are very close to optimal. Detailed experimental results have been provided for the developed attacks. The work has been compared to other works and also the optimal limits of Differential Fault Analysis of AES.

show abstract

“…Even if the round function block works correctly, the key scheduler can also be attacked [11,12,13], or malfunction in a control counter may output intermediate data soon after the first round key is XORed without waiting for the completion of 10-round operations [3]. In order to prevent this, the key scheduler in Fig.…”

Section: Aes Circuit With the Proposed Schemementioning

confidence: 99%

“…In 1996, Boneh, Demillo, and Lipton [1] proposed a fault injection attack against public key cryptosystems, and Biham and Shamir [2] extended this attack to symmetric key cryptosystems. Since then, research on the fault injection attack has been rapidly evolved [3][4][5], and several papers have proposed attacks on the standard block cipher AES [7][8][9][10][11][12][13].…”

Section: Introductionmentioning

confidence: 99%

High-Performance Concurrent Error Detection Scheme for AES Hardware

Satoh

Sugawara

Homma

et al.

Cryptographic Hardware and Embedded Systems – CHES 2008

View full text Add to dashboard Cite

Abstract. This paper proposes an efficient concurrent error detection scheme for hardware implementation of the block cipher AES. The proposed scheme does not require an additional arithmetic unit, but simply divides the round function block into two sub-blocks and uses the subblocks alternately for encryption (or decryption) and error detection. The number of clock cycles is doubled, but the maximum operating frequency is increased owing to the shortened critical path of the sub-block. Therefore, the proposed scheme has a limited impact on hardware performance with respect to size and speed. AES hardware with the proposed scheme was designed and synthesized using a 90-nm CMOS standard cell library with size and speed optimization options. The compact and high-speed implementations achieved performances of 2.21 Gbps @ 16.1 Kgates and 3.21 Gbps @ 24.1 Kgates, respectively. In contrast, the performances of AES hardware without error detection were 1.66 Gbps @ 12.9 Kgates for the compact version and 4.22 Gbps @ 30.7 Kgates for the high-speed version. There is only a slight difference between the performances with and without error detection. The performance overhead caused by the error detection is evaluated at the optimal balance between size and speed and was estimated to be 14.5% at maximum. Conversely, the AES hardware with the proposed scheme had better performance in some cases. If pipeline operation is allowed, as in the CTR mode, throughputs can easily be boosted by further dividing the sub-blocks. Although the proposed error detection scheme was applied to AES in the present study, it can also be applied to other algorithms efficiently.

show abstract

DFA Mechanism on the AES Key Schedule

Cited by 53 publications

References 6 publications

Differential Fault Analysis of the Advanced Encryption Standard Using a Single Fault

Differential Fault Analysis of the Advanced Encryption Standard Using a Single Fault

Differential fault analysis of AES: towards reaching its limits

High-Performance Concurrent Error Detection Scheme for AES Hardware

Contact Info

Product

Resources

About