Differential fault analysis of AES: Toward reducing number of faults

Kim, Chong Hee

doi:10.1016/j.ins.2012.02.028

Cited by 18 publications

(11 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Bogdanov et al [55] presented a technique of cryptanalysis with bicliques, also leading to a non-practical complexity recovering the key. Kim [56] explained also theoretically how to apply differential fault analysis to reduce the required number of faults in AES-192 and AES-256.…”

Section: Accessmentioning

confidence: 99%

Cache Misses and the Recovery of the Full AES 256 Key

et al. 2019

View full text Add to dashboard Cite

The CPU cache is a hardware element that leaks significant information about the software running on the CPU. Particularly, any application performing sequences of memory access that depend on sensitive information, such as private keys, is susceptible to suffer a cache attack, which would reveal this information. In most cases, side-channel cache attacks do not require any specific permission and just need access to a shared cache. This fact, combined with the spread of cloud computing, where the infrastructure is shared between different customers, has made these attacks quite popular. Traditionally, cache attacks against AES use the information about the victim to access an address. In contrast, we show that using non-access provides much more information and demonstrate that the power of cache attacks has been underestimated during these last years. This novel approach is applicable to existing attacks: Prime+Probe, Flush+Reload, Flush+Flush and Prime+Abort. In all cases, using cache misses as source of information, we could retrieve the 128-bit AES key with a reduction in the number of samples of between 93% and 98% compared to the traditional approach. Further, this attack was adapted and extended in what we call the encryption-by-decryption cache attack (EBD), to obtain a 256-bit AES key. In the best scenario, our approach obtained the 256 bits of the key of the OpenSSL AES T-table-based implementation using fewer than 10,000 samples, i.e., 135 milliseconds, proving that AES-256 is only about three times more complex to attack than AES-128 via cache attacks. Additionally, the proposed approach was successfully tested in a cross-VM scenario.

show abstract

Section: Accessmentioning

confidence: 99%

Cache Misses and the Recovery of the Full AES 256 Key

et al. 2019

View full text Add to dashboard Cite

show abstract

“…Fault is injected by giving external 2 Mathematical Problems in Engineering impact on a device with voltage variation, glitch, laser, and so forth. Since the first DFA on DES proposed by Biham and Shamir [19], this technique has been successfully applied to many other block ciphers, for example, AES [20][21][22][23], CLEFIA [24,25], SM4 [26], and ARIA [27].…”

Section: Introductionmentioning

confidence: 99%

Differential Fault Attack on KASUMI Cipher Used in GSM Telephony

Wang¹,

Dong²,

Jia

et al. 2014

Mathematical Problems in Engineering

View full text Add to dashboard Cite

The confidentiality of GSM cellular telephony depends on the security of A5 family of cryptosystems. As an algorithm in this family survived from cryptanalysis, A5/3 is based on the block cipher KASUMI. This paper describes a novel differential fault attack on KAUSMI with a 64-bit key. Taking advantage of some mathematical observations on the FL, FO functions, and key schedule, only one 16-bit word fault is required to recover all information of the 64-bit key. The time complexity is only 232encryptions. We have practically simulated the attack on a PC which takes only a few minutes to recover all the key bits. The simulation also experimentally verifies the correctness and complexity.

show abstract

“…This attack is commonly used to analyze the security of cryptosystems. DFA have been employed to attack several block ciphers where DES [3,4], AES [5][6][7][8][9][10][11], PRINTCIPHER [12], Camellia [13], CALEFIA [14,15], RC4 [16], SMS4 [17], and ARIA [18] are examples. In general, there are two techniques to apply a DFA attack on a block cipher.…”

Section: Introductionmentioning

confidence: 99%

New differential fault analysis on PRESENT

Bagheri

Ebrahimpour

Ghaedi

2013

EURASIP J. Adv. Signal Process.

View full text Add to dashboard Cite

In this paper, we present two differential fault analyses on PRESENT-80 which is a lightweight block cipher. The first attack is a basic attack which induces a fault on only one bit of intermediate states, and we can obtain the last subkey of the block cipher, given 48 faulty cipher texts on average. The second attack can retrieve the master key of the block cipher, given 18 faulty cipher texts on average. In the latter attack, we assume that we can induce faults on a single nibble of intermediate states. Given those faulty cipher texts, the computational complexity of attacks is negligible.

show abstract

Differential fault analysis of AES: Toward reducing number of faults

Cited by 18 publications

References 22 publications

Cache Misses and the Recovery of the Full AES 256 Key

Cache Misses and the Recovery of the Full AES 256 Key

Differential Fault Attack on KASUMI Cipher Used in GSM Telephony

New differential fault analysis on PRESENT

Contact Info

Product

Resources

About