New Differential Fault Analysis on AES Key Schedule: Two Faults Are Enough

Authors:
Chong Hee Kim;Jean-Jacques Quisquater
Affiliations:
UCL Crypto Group, Université Catholique de Louvain, Belgium, Louvain-la-Neuve, Belgium 1348;UCL Crypto Group, Université Catholique de Louvain, Belgium, Louvain-la-Neuve, Belgium 1348
Venue:
CARDIS '08 Proceedings of the 8th IFIP WG 8.8/11.2 international conference on Smart Card Research and Advanced Applications
Year:
2008

Citing 4
Cited 12

Differential Fault Analysis of Secret Key Cryptosystems

CRYPTO '97 Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology
DFA Mechanism on the AES Key Schedule

FDTC '07 Proceedings of the Workshop on Fault Diagnosis and Tolerance in Cryptography
A generalized method of differential fault attack against AES cryptosystem

CHES'06 Proceedings of the 8th international conference on Cryptographic Hardware and Embedded Systems
DFA on AES

AES'04 Proceedings of the 4th international conference on Advanced Encryption Standard

Differential Fault Analysis on DES Middle Rounds

CHES '09 Proceedings of the 11th International Workshop on Cryptographic Hardware and Embedded Systems
Differential fault analysis of the advanced encryption standard using a single fault

WISTP'11 Proceedings of the 5th IFIP WG 11.2 international conference on Information security theory and practice: security and privacy of mobile devices in wireless communication
Exploring the feasibility of low cost fault injection attacks on sub-threshold devices through an example of a 65nm AES implementation

RFIDSec'11 Proceedings of the 7th international conference on RFID Security and Privacy
Differential fault analysis of AES-128 key schedule using a single multi-byte fault

CARDIS'11 Proceedings of the 10th IFIP WG 8.8/11.2 international conference on Smart Card Research and Advanced Applications
Combined fault and side-channel attack on protected implementations of AES

CARDIS'11 Proceedings of the 10th IFIP WG 8.8/11.2 international conference on Smart Card Research and Advanced Applications
Differential fault analysis of AES: Toward reducing number of faults

Information Sciences: an International Journal
Differential fault analysis of ARIA in multi-byte fault models

Journal of Systems and Software
Linear fault analysis of block ciphers

ACNS'12 Proceedings of the 10th international conference on Applied Cryptography and Network Security
Infective computation and dummy rounds: fault protection for block ciphers without check-before-output

LATINCRYPT'12 Proceedings of the 2nd international conference on Cryptology and Information Security in Latin America
Fault analysis study of the block cipher FOX64

Multimedia Tools and Applications
A fault induction technique based on voltage underfeeding with application to attacks against AES and RSA

Journal of Systems and Software
A fault-resistant implementation of AES using differential bytes between input and output

The Journal of Supercomputing

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this paper we show a new differential fault analysis (DFA) on the AES-128 key scheduling process. We can obtain 96 bits of the key with 2 pairs of correct and faulty ciphertexts enabling an easy exhaustive key search of 232keys. Furthermore we can retrieve the entire 128 bits with 4 pairs. To the authors' best knowledge, it is the smallest number of pairs to find the entire AES-128 key with a fault attack on the key scheduling process. Up to now 7 pairs by Takahashi et al. were the best. By corrupting state, not the key schedule, Piret and Quisquater showed 2 pairs are enough to break AES-128 in 2003. The advantage of DFA on the key schedule is that it can defeat some fault-protected AES implementations where the round keys are not rescheduled prior to the check. We implemented our algorithm on a 3.2 GHz Pentium 4 PC. With 4 pairs of correct and faulty ciphertexts, we could find 128 bits less than 2.3 seconds.