Meet-in-the-middle and impossible differential fault analysis on AES

Authors:
Patrick Derbez;Pierre-Alain Fouque;Delphine Leresteux
Affiliations:
École Normale Supérieure, Paris Cedex;École Normale Supérieure, Paris Cedex;DGA Information Superiority, Rennes Armées
Venue:
CHES'11 Proceedings of the 13th international conference on Cryptographic hardware and embedded systems
Year:
2011

Citing 19
Cited 4

The Design of Rijndael

The Design of Rijndael
Differential Fault Analysis of Secret Key Cryptosystems

CRYPTO '97 Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology
Low Cost Attacks on Tamper Resistant Devices

Proceedings of the 5th International Workshop on Security Protocols
DFA Mechanism on the AES Key Schedule

FDTC '07 Proceedings of the Workshop on Fault Diagnosis and Tolerance in Cryptography
Two New Techniques of Side-Channel Cryptanalysis

CHES '07 Proceedings of the 9th international workshop on Cryptographic Hardware and Embedded Systems
High-Performance Concurrent Error Detection Scheme for AES Hardware

CHES '08 Proceeding sof the 10th international workshop on Cryptographic Hardware and Embedded Systems
A Lightweight Concurrent Fault Detection Scheme for the AES S-Boxes Using Normal Basis

CHES '08 Proceeding sof the 10th international workshop on Cryptographic Hardware and Embedded Systems
An Improved Fault Based Attack of the Advanced Encryption Standard

AFRICACRYPT '09 Proceedings of the 2nd International Conference on Cryptology in Africa: Progress in Cryptology
Differential Fault Analysis on DES Middle Rounds

CHES '09 Proceedings of the 11th International Workshop on Cryptographic Hardware and Embedded Systems
On the importance of checking cryptographic protocols for faults

EUROCRYPT'97 Proceedings of the 16th annual international conference on Theory and application of cryptographic techniques
Differential fault analysis on AES key schedule and some countermeasures

ACISP'03 Proceedings of the 8th Australasian conference on Information security and privacy
Improved side-channel collision attacks on AES

SAC'07 Proceedings of the 14th international conference on Selected areas in cryptography
Differential Fault Analysis against AES-192 and AES-256 with Minimal Faults

FDTC '10 Proceedings of the 2010 Workshop on Fault Diagnosis and Tolerance in Cryptography
Passive and Active Combined Attacks on AES Combining Fault Attacks and Side Channel Analysis

FDTC '10 Proceedings of the 2010 Workshop on Fault Diagnosis and Tolerance in Cryptography
Automatic search of attacks on round-reduced AES and applications

CRYPTO'11 Proceedings of the 31st annual conference on Advances in cryptology
Amplifying side-channel attacks with techniques from block cipher cryptanalysis

CARDIS'06 Proceedings of the 7th IFIP WG 8.8/11.2 international conference on Smart Card Research and Advanced Applications
Impossible fault analysis of RC4 and differential fault analysis of RC4

FSE'05 Proceedings of the 12th international conference on Fast Software Encryption
A generalized method of differential fault attack against AES cryptosystem

CHES'06 Proceedings of the 8th international conference on Cryptographic Hardware and Embedded Systems
DFA on AES

AES'04 Proceedings of the 4th international conference on Advanced Encryption Standard

Differential fault analysis of full LBlock

COSADE'12 Proceedings of the Third international conference on Constructive Side-Channel Analysis and Secure Design
Linear fault analysis of block ciphers

ACNS'12 Proceedings of the 10th international conference on Applied Cryptography and Network Security
Infective computation and dummy rounds: fault protection for block ciphers without check-before-output

LATINCRYPT'12 Proceedings of the 2nd international conference on Cryptology and Information Security in Latin America
Improved algebraic fault analysis: a case study on piccolo and applications to other lightweight block ciphers

COSADE'13 Proceedings of the 4th international conference on Constructive Side-Channel Analysis and Secure Design

Quantified Score

Hi-index	0.00

Visualization

Abstract

Since the early work of Piret and Quisquater on fault attacks against AES at CHES 2003, many works have been devoted to reduce the number of faults and to improve the time complexity of this attack. This attack is very efficient as a single fault is injected on the third round before the end, and then it allows to recover the whole secret key in 232 in time and memory. However, since this attack, it is an open problem to know if provoking a fault at a former round of the cipher allows to recover the key. Indeed, since two rounds of AES achieve a full diffusion and adding protections against fault attack decreases the performance, some countermeasures propose to protect only the three first and last rounds. In this paper, we give an answer to this problem by showing two practical cryptographic attacks on one round earlier of AES-128 and for all keysize variants. The first attack requires 10 faults and its complexity is around 240 in time and memory, an improvement allows only 5 faults and its complexity in memory is reduced to 2224 while the second one requires either 1000 or 45 faults depending on fault model and recovers the secret key in around 2240 in time and memory.