Fault Based Cryptanalysis of the Advanced Encryption Standard (AES)

Blömer, Johannes; Seifert, Jean-Pierre

doi:10.1007/978-3-540-45126-6_12

Cited by 264 publications

(164 citation statements)

References 20 publications

Supporting

Mentioning

157

Contrasting

Unclassified

Order By: Relevance

“…A simple and straightforward attack on the AES cipher has been proposed by Bloemer et al in [41] and aims to change a single bit right after the first key addition. The objective is to reset a single bit in the internal state S (0) (in general, S (i) denotes the state at the beginning of the i-th round) and observe whether the value of the ciphertext has changed.…”

Section: B Attacks On Aesmentioning

confidence: 99%

Fault Injection Attacks on Cryptographic Devices: Theory, Practice, and Countermeasures

et al. 2012

View full text Add to dashboard Cite

Abstract-Implementations of cryptographic algorithms continue to proliferate in consumer products due to the increasing demand for secure transmission of confidential information. Although the current standard cryptographic algorithms proved to withstand exhaustive attacks, their hardware and software implementations have exhibited vulnerabilities to side channel attacks, e.g., power analysis and fault injection attacks. This paper focuses on fault injection attacks that have been shown to require inexpensive equipment and a short amount of time. The paper provides a comprehensive description of these attacks on cryptographic devices and the countermeasures that have been developed against them.After a brief review of the widely used cryptographic algorithms, we classify the currently known fault injection attacks into low cost ones (which a single attacker with a modest budget can mount) and high cost ones (requiring highly skilled attackers with a large budget). We then list the attacks that have been developed for the important and commonly used ciphers and indicate which ones have been successfully used in practice. The known countermeasures against the previously described fault injection attacks are then presented, including intrusion detection and fault detection. We conclude the survey with a discussion on the interaction between fault injection attacks (and the corresponding countermeasures) and power analysis attacks.

show abstract

Section: B Attacks On Aesmentioning

confidence: 99%

Fault Injection Attacks on Cryptographic Devices: Theory, Practice, and Countermeasures

et al. 2012

View full text Add to dashboard Cite

show abstract

“…Anderson and Kuhn used two different fault models for microcontroller based smartcards: in the first they assume that the instruction memory of smart cards can be randomly corrupted and in the second they assume that the attacker has the ability to write into specified locations in the memory. These and other fault attacks and associated fault models are summarized in [8,9]. The proposed CED approach is applicable to the practical fault models described.…”

Section: Fault-based Side Channels: the Fault Modelsmentioning

confidence: 99%

Parity-Based Concurrent Error Detection of Substitution-Permutation Network Block Ciphers

Karri¹,

Kuznetsov

Goessel

2003

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Deliberate injection of faults into cryptographic devices is an effective cryptanalysis technique against symmetric and asymmetric encryption algorithms. In this paper we will describe parity code based concurrent error detection (CED) approach against such attacks in substitution-permutation network (SPN) symmetric block ciphers [22]. The basic idea compares a carefully modified parity of the input plain text with that of the output cipher text resulting in a simple CED circuitry. An analysis of the SPN symmetric block ciphers reveals that on one hand, permutation of the round outputs does not alter the parity from its input to its output. On the other hand, exclusive-or with the round key and the non-linear substitution function (s-box) modify the parity from their inputs to their outputs. In order to change the parity of the inputs into the parity of outputs of an SPN encryption, we exclusive-or the parity of the SPN round function output with the parity of the round key. We also add to all s-boxes an additional 1-bit binary function that implements the combined parity of the inputs and outputs to the s-box for all its (input, output) pairs. These two modifications are used only by the CED circuitry and do not impact the SPN encryption or decryption. The proposed CED approach is demonstrated on a 16-input, 16-output SPN symmetric block cipher from [1].

show abstract

“…Fault analysis seeks to exploit the effect of a fault inserted into an instance of a cryptographic algorithm [8][9][10]. When implementing a block cipher a simple countermeasure is, as for side-channel analysis, to use time randomization, e.g.…”

Section: Introductionmentioning

confidence: 99%

“…From the resulting difference in the outputs, the secret key or parts of it are derived. In contrast to differential fault analysis, collision fault analysis [8] relies on finding a plaintext that maps to the same output as a faulty encryption of a different plaintext. This technique is often applied to attack early rounds of an algorithm.…”

Section: Introductionmentioning

confidence: 99%

Infective Computation and Dummy Rounds: Fault Protection for Block Ciphers without Check-before-Output

Gierlichs

Schmidt

Tunstall

2012

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Implementation attacks pose a serious threat for the security of cryptographic devices and there are a multitude of countermeasures that are used to prevent them. Two countermeasures used in implementations of block ciphers to increase the complexity of such attacks are the use of dummy rounds and redundant computation with consistency checks to prevent fault attacks. In this paper we present several countermeasures based on the idea of infective computation. Our countermeasures ensure that a fault injected into a cipher, dummy, or redundant round will infect the ciphertext such that an attacker cannot derive any information on the secret key being used. This has one clear advantage: the propagation of faults prevents an attacker from being able to conduct any fault analysis on any corrupted ciphertexts. As a consequence, there is no need for any test at the end of an implementation to determine if a fault has been injected and a ciphertext can always be returned.

show abstract

Fault Based Cryptanalysis of the Advanced Encryption Standard (AES)

Cited by 264 publications

References 20 publications

Fault Injection Attacks on Cryptographic Devices: Theory, Practice, and Countermeasures

Fault Injection Attacks on Cryptographic Devices: Theory, Practice, and Countermeasures

Parity-Based Concurrent Error Detection of Substitution-Permutation Network Block Ciphers

Infective Computation and Dummy Rounds: Fault Protection for Block Ciphers without Check-before-Output

Contact Info

Product

Resources

About