Differential Fault Analysis on AES Key Schedule and Some Countermeasures

Chen, Chien-Ning; Yen, Sung-Ming

doi:10.1007/3-540-45067-x_11

Cited by 107 publications

(84 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These attacks exploit the highly regular structure of the AES key schedule in order to infer bytes of the key through corrupting one or more bytes during the expansion of the last round key bits. In particular, the attacks proposed by Giraud et al in [42] and by Chen et al in [46] exploit a single byte corruption introduced after the key schedule procedure has been performed, and are thus able to obtain a precise fault that does not propagate to the keys which are derived from it. While this fault model is reasonable whenever the key schedule is precomputed and its result stored in some kind of permanent memory, it is not possible to attack AES implementations which perform key expansion on the fly.…”

Section: B Attacks On Aesmentioning

confidence: 99%

Fault Injection Attacks on Cryptographic Devices: Theory, Practice, and Countermeasures

et al. 2012

View full text Add to dashboard Cite

Abstract-Implementations of cryptographic algorithms continue to proliferate in consumer products due to the increasing demand for secure transmission of confidential information. Although the current standard cryptographic algorithms proved to withstand exhaustive attacks, their hardware and software implementations have exhibited vulnerabilities to side channel attacks, e.g., power analysis and fault injection attacks. This paper focuses on fault injection attacks that have been shown to require inexpensive equipment and a short amount of time. The paper provides a comprehensive description of these attacks on cryptographic devices and the countermeasures that have been developed against them.After a brief review of the widely used cryptographic algorithms, we classify the currently known fault injection attacks into low cost ones (which a single attacker with a modest budget can mount) and high cost ones (requiring highly skilled attackers with a large budget). We then list the attacks that have been developed for the important and commonly used ciphers and indicate which ones have been successfully used in practice. The known countermeasures against the previously described fault injection attacks are then presented, including intrusion detection and fault detection. We conclude the survey with a discussion on the interaction between fault injection attacks (and the corresponding countermeasures) and power analysis attacks.

show abstract

Section: B Attacks On Aesmentioning

confidence: 99%

Fault Injection Attacks on Cryptographic Devices: Theory, Practice, and Countermeasures

et al. 2012

View full text Add to dashboard Cite

show abstract

“…In the following, we present a technique that avoids to increase the time complexity too much by using a hash 10 (0), K 10 (7), K 10 (10), K 10 (13), U 9 (0)}. These two hash tables have for input index 5 values of S 8 (0) ⊕S 8 (0) and for output {K 10 (0), K 10 (7), K 10 (10), K 10 (13), U 9 (0)}.…”

Section: Recovery K 10mentioning

confidence: 99%

“…Using many pairs of correct and faulty ciphertexts, we can reduce the possible key space. We reuse four times the no difference computation algorithm for each column of S 10 . In this attack, the attacker does not use fault position to retrieve the last subkey bytes.…”

Section: From Impossible Differential To Inequation Systemmentioning

confidence: 99%

Meet-in-the-Middle and Impossible Differential Fault Analysis on AES

Derbez

Fouque

Leresteux³

2011

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Since the early work of Piret and Quisquater on fault attacks against AES at CHES 2003, many works have been devoted to reduce the number of faults and to improve the time complexity of this attack. This attack is very efficient as a single fault is injected on the third round before the end, and then it allows to recover the whole secret key in 2 32 in time and memory. However, since this attack, it is an open problem to know if provoking a fault at a former round of the cipher allows to recover the key. Indeed, since two rounds of AES achieve a full diffusion and adding protections against fault attack decreases the performance, some countermeasures propose to protect only the three first and last rounds. In this paper, we give an answer to this problem by showing two practical cryptographic attacks on one round earlier of AES-128 and for all keysize variants. The first attack requires 10 faults and its complexity is around 2 40 in time and memory, an improvement allows only 5 faults and its complexity in memory is reduced to 2 24 while the second one requires either 1000 or 45 faults depending on fault model and recovers the secret key in around 2 40 in time and memory.

show abstract

“…It was first proposed by E. Biham and A. Shamir on DES 2 in 1997. The similar attacks have been applied to AES [3][4][5][6][7][8] , Triple-DES 9 , RC4 10 , Camellia 11 , ARIA 12 , SMS4 [13][14] , PRESENT 15 and so on. The DFA exploits easily accessible information like input-output behavior under malfunctions, amplifies and evaluates the leaked information with the help of mathematical methods.…”

Section: Introductionmentioning

confidence: 99%

Single Byte Differential Fault Analysis on the LED Lightweight Cipher in the Wireless Sensor Network

Li¹,

Gu²,

Xia³

et al. 2012

IJCIS

View full text Add to dashboard Cite

The LED is a new lightweight cipher, which was published in CHES 2011. This cipher could be applied in the Wireless Sensor Network to provide security. On the basis of the single byte-oriented fault model, we propose a differential fault analysis on the LED cipher. The attack could recover its 64-bit secret key by introducing 4 faulty ciphertexts, and 128-bit secret key by introducing 8 faulty ciphertexts. The results in this study will be beneficial to the analysis of the same type of other iterated lightweight ciphers.

show abstract

Differential Fault Analysis on AES Key Schedule and Some Countermeasures

Cited by 107 publications

References 6 publications

Fault Injection Attacks on Cryptographic Devices: Theory, Practice, and Countermeasures

Fault Injection Attacks on Cryptographic Devices: Theory, Practice, and Countermeasures

Meet-in-the-Middle and Impossible Differential Fault Analysis on AES

Single Byte Differential Fault Analysis on the LED Lightweight Cipher in the Wireless Sensor Network

Contact Info

Product

Resources

About