Differential Fault Analysis of AES-128 Key Schedule Using a Single Multi-byte Fault

Abstract: Abstract. In this paper we propose an improved multi-byte differential fault analysis of AES-128 key schedule using a single pair of fault-free and faulty ciphertexts. We propose a four byte fault model where the fault is induced at ninth round key. The induced fault corrupts all the four bytes of the first column of the ninth round key which subsequently propagates to the entire tenth round key. The elegance of the proposed attack is that it requires only a single faulty ciphertext and reduce the search space… Show more

“…The same analysis also true for two diagonal and three diagonal attacks. The optimal attacks complexities are mentioned in Table 2, and it shows that the improvement in [1] indeed achieves the optimal complexities of the Diagonal attacks published in [24].…”

“…They do not use the inter-relationships of the faults at the output of the eighth round MixColumns and hence can be further optimized depending on the number of bytes corrupted in the diagonals. These optimized attacks are presented in [1], and their optimality can be argued in a similar fashion. According to our analysis, if the induced fault infects i bytes in the required state matrix, then the optimal attack result is given by K s · P (∆S), where ∆S is the required difference which can be of i bytes.…”

“…If we consider the ninth round differential equations in the first phase of the attack, each of which can be represented as equation (1). In that case p 0 corresponds to α.…”

“…7(b)) can be represented in terms of X and ε by four equations similar to equation (1). In that case ε 0,0 , ε 1,0 , ε 2,0 , and ε 3,0 are the values corresponding β and 2p are the values corresponding to α in the four equations respectively.…”

“…For the first fault model the attack required around four faulty ciphertexts whereas in the second fault model the attack requires around 1500 faulty ciphertexts. Beside these DFA attacks there were some practical results [1,2,13,25,26], where the authors have shown that the required fault induction is indeed possible by inexpensive devices.…”

Differential fault analysis of AES: towards reaching its limits

“…The same analysis also true for two diagonal and three diagonal attacks. The optimal attacks complexities are mentioned in Table 2, and it shows that the improvement in [1] indeed achieves the optimal complexities of the Diagonal attacks published in [24].…”

“…They do not use the inter-relationships of the faults at the output of the eighth round MixColumns and hence can be further optimized depending on the number of bytes corrupted in the diagonals. These optimized attacks are presented in [1], and their optimality can be argued in a similar fashion. According to our analysis, if the induced fault infects i bytes in the required state matrix, then the optimal attack result is given by K s · P (∆S), where ∆S is the required difference which can be of i bytes.…”

“…If we consider the ninth round differential equations in the first phase of the attack, each of which can be represented as equation (1). In that case p 0 corresponds to α.…”

“…7(b)) can be represented in terms of X and ε by four equations similar to equation (1). In that case ε 0,0 , ε 1,0 , ε 2,0 , and ε 3,0 are the values corresponding β and 2p are the values corresponding to α in the four equations respectively.…”

“…For the first fault model the attack required around four faulty ciphertexts whereas in the second fault model the attack requires around 1500 faulty ciphertexts. Beside these DFA attacks there were some practical results [1,2,13,25,26], where the authors have shown that the required fault induction is indeed possible by inexpensive devices.…”

Differential fault analysis of AES: towards reaching its limits

Differential Fault Attacks on KLEIN

Differential Fault Analysis of Twofish