
    A Differential Fault Analysis on AES Key Schedule using Single Fault

    Sk. Subidh Ali and Debdeep Mukhopadhyay

Dept. of Computer Science and Engineering, Indian Institute of Technology Kharagpur,

    Kharagpur, India,

    {subidh,debdeep}@cse.iitkgp.ernet.in

Abstract. Literature on Differential Fault Analysis (DFA) of AES-128 shows that it is more difficult to attack AES when the fault is induced in the key schedule than when it is injected in the intermediate states. Recent research shows that DFA on the AES key schedule still requires two faulty ciphertexts, while it requires only one faulty ciphertext and a brute-force search of $2^8$ AES-128 keys when the fault is injected inside a round of AES. The present paper proposes a DFA on the AES-128 key schedule which requires only one single-byte fault and a brute-force search of $2^8$ keys, showing that a DFA on the AES key schedule is as dangerous as a fault analysis where the fault is injected in the intermediate state of AES. Further, the fault model of the present attack is a single-byte fault. This is more realistic than the existing fault model of injecting three byte faults in one column of the AES round key, which has a lower chance of success. To the best of our knowledge the proposed attack is the best known DFA on the AES key schedule and requires the minimum number of faulty ciphertexts. The simulated attack, running on a 3 GHz Intel Core 2 Duo desktop machine with 2 GB RAM, takes around 35 minutes to reveal the secret key.

Keywords: AES, AES key schedule, Differential Fault Analysis, Fault Model.

I. INTRODUCTION

Fault attacks were first introduced by D. Boneh et al. in 1996 [1]. They showed that an induced fault in a smart-card device running RSA can reveal the entire secret key. Subsequently, Biham and Shamir proposed a more lethal form of the attack on the DES cryptosystem [2], known as Differential Fault Analysis. In 2001, NIST accepted Rijndael as the Advanced Encryption Standard (AES) [3] in three forms, AES-128, AES-192 and AES-256, with key lengths of 128, 192 and 256 bits respectively. Subsequently, many DFAs against AES were proposed [4]-[8]. In most of these attacks, single or multi-byte faults are assumed to be induced in the intermediate state of AES. The most recent attack of this type is the one proposed in [9], where a single byte fault induced at the input of the 8th round retrieves the entire secret key of AES-128 with a brute-force search of $2^8$.

There is another kind of DFA against AES where the secret key is revealed by inducing faults in the key scheduling algorithm. Attacks of this kind were first proposed by C. Giraud in [?] and [10]. The attack was further improved by Chen and Yen in [11], which required fewer than thirty pairs of correct and faulty ciphertexts under a single byte fault model. In 2006 Peacham and Thomas proposed a different DFA on the AES key schedule based on a multi-byte fault model. The authors assumed that random faults can be injected during the execution of the AES key schedule and that the faults propagate to the subsequent round keys. The attack retrieved the 128-bit AES key using no more than 12 pairs of fault-free and faulty ciphertexts. Takahashi et al. proposed a general form of the attack [12] and showed that it retrieves the AES-128 key using two pairs of fault-free and faulty ciphertexts and a 48-bit brute-force search. With four pairs the brute-force search reduces to 16 bits, and with seven pairs no brute-force search is required.

In 2008, Kim et al. proposed a slightly improved DFA on the AES-128 key schedule [13]. In this attack the authors assumed a more specific fault model where the induced fault corrupts exactly three bytes of the first column of the ninth round key. The attack can retrieve the AES-128 key using two pairs of fault-free and faulty ciphertexts and a 32-bit brute-force search. With four pairs the attack uniquely determines the key.

In this paper we propose an improved DFA on the AES-128 key schedule. Unlike the previous attacks we assume a more realistic single byte fault model. This kind of fault model was also assumed in [14], but that attack was specific to AES-192 and AES-256. We assume a single byte fault is induced in the first column of the 8th round key, which spreads to the subsequent round keys. Our attack requires only one pair of fault-free and faulty ciphertexts and a brute-force search of $2^8$. The fault-free and faulty ciphertexts are generated from the same plaintext. To the best of the authors' knowledge this is the first time a DFA on the AES-128 key schedule retrieves the secret key from a single pair of fault-free and faulty ciphertexts in practical time.

In order to validate the attack we have provided extensive simulation results. The simulated C code running on a desktop Intel Core 2 Duo processor at 3 GHz takes around 35 minutes to generate all $2^8$ possible key hypotheses.

The paper is organized as follows: in the next section we briefly describe the preliminaries of this paper. In Section III we describe the existing attack on the AES-128 key schedule using two faulty ciphertexts. In Section IV we explain the proposed attack on the AES-128 key schedule using a single faulty ciphertext. In Section V we present the experimental results. In Section VI we compare our results with the existing attacks on the AES key schedule. We conclude in Section VII.

2011 Workshop on Fault Diagnosis and Tolerance in Cryptography, 978-0-7695-4526-4/11, 2011 IEEE, DOI 10.1109/FDTC.2011.10

II. PRELIMINARIES

A. AES

AES is a 128-bit symmetric key block cipher. It has three standardised versions, AES-128, AES-192 and AES-256, with key lengths of 128, 192 and 256 bits and 10, 12 and 14 rounds respectively. The intermediate results are represented by a $4 \times 4$ matrix of bytes called the state. Each round function except the last performs the following four basic operations on the input state matrix:

SubBytes: the only non-linear operation, a byte-wise substitution. Each element of the state matrix is replaced by its multiplicative inverse in $\mathbb{F}_{2^8}$ followed by an affine mapping.

ShiftRows: a cyclic shift of the $i$-th row by $i$ bytes towards the left.

MixColumns: a column-level linear transformation of the state matrix. Each column of the state matrix is considered as a polynomial of degree 3 with coefficients in $\mathbb{F}_{2^8}$ and multiplied modulo $x^4 + 1$ with the polynomial $\{03\}x^3 + \{01\}x^2 + \{01\}x + \{02\}$.

AddRoundKey: the 128-bit round key is bit-wise XOR-ed with the 128-bit state.

The last round does not have the MixColumns operation. At the beginning of the first round an additional AddRoundKey operation is performed, known as the key whitening phase. The round keys are generated by the key scheduling algorithm. Figure 1 depicts the generation of the last three round keys as per the AES-128 key scheduling algorithm; the detailed key scheduling algorithm is given in [3]. It is clear from Figure 1 that the schedule is invertible, so one round key is enough to get the master key of AES-128.

B. Notation

In this section we define some parameters that we will use in the rest of the paper.

$C_{i,j}$: the $(i, j)$ byte of the ciphertext $C$.

$C'_{i,j}$: the $(i, j)$ byte of the faulty ciphertext $C'$.

$K^r_{i,j}$: the $(i, j)$ byte of the $r$-th round key $K^r$, where $0 \le i, j \le 3$; $i$ indexes the row and $j$ the column of the $4 \times 4$ matrix.

III. EXISTING ATTACKS ON AES-128 KEY SCHEDULE WITH TWO FAULTY CIPHERTEXTS

Takahashi et al. proposed a fault attack on the AES-128 key schedule using two faulty ciphertexts [12]. However, their attack required a 48-bit brute-force search. This attack was improved by Kim et al. in [13]. Kim's attack requires only a 32-bit brute-force search. In Kim's attack, a three-byte fault is induced in the first column of the ninth round key while it is being executed. Therefore, the fault subsequently propagates to the tenth round key. The flow of the fault is shown in Figure 2, where $m, n, o, x, y, z \in \{1, 2, \ldots, 255\}$ represent the fault values.

[Figure 1. Last Three Rounds of AES-128 Key Scheduling Algorithm: the columns of $K^8$, $K^9$ and $K^{10}$ (bytes $K^r_{i,j}$), with RotWord, SubWord and $Rcon_8$, $Rcon_9$, $Rcon_{10}$ applied to the last column of each round key to derive the first column of the next.]

[Figure 2. Flow of Faults in the Last Two Round Keys: the fault values $m$, $n$, $o$ in the first column of $K^9$ spread along the rows of $K^9$ and, through RotWord, SubWord and $Rcon_{10}$, give rise to the values $x$, $y$, $z$ in $K^{10}$.]

The fault value $o$ in the third row of the ninth round key $K^9$ is targeted first. The two pairs of fault-free and faulty ciphertexts $(C, C^1)$ and $(C, C^2)$ are known to the attacker. Therefore, the value $o$ in the third row of $K^9$ can be represented in terms of $C$, $C^1$ and the tenth round key $K^{10}$ as follows:

$$\begin{aligned}
o &= S^{-1}(C_{2,2} \oplus K^{10}_{2,2}) \oplus S^{-1}(C^1_{2,2} \oplus K^{10}_{2,2} \oplus o) \\
o &= S^{-1}(C_{2,3} \oplus K^{10}_{2,3}) \oplus S^{-1}(C^1_{2,3} \oplus K^{10}_{2,3}) \\
o &= S^{-1}(C_{2,0} \oplus K^{10}_{2,0}) \oplus S^{-1}(C^1_{2,0} \oplus K^{10}_{2,0} \oplus o) \\
o &= S^{-1}(C_{2,1} \oplus K^{10}_{2,1}) \oplus S^{-1}(C^1_{2,1} \oplus K^{10}_{2,1})
\end{aligned} \qquad (1)$$

If we recall the analysis in [9, Section 3.4], one candidate of the quadruple $\{K^{10}_{2,0}, K^{10}_{2,1}, K^{10}_{2,2}, K^{10}_{2,3}\}$ satisfies the above system of equations with probability $1/2^{24}$. There are $2^{32}$ possible candidates of the quadruple. Therefore, the number of candidates of the key quartet $\{K^{10}_{2,0}, K^{10}_{2,1}, K^{10}_{2,2}, K^{10}_{2,3}\}$ that satisfy the above system of equations is $2^{32}/2^{24} = 2^8$. One faulty ciphertext reduces the possible choices of the key quartet from $2^{32}$ to $2^8$. Therefore, with another faulty ciphertext $C^2$ the quartet of key bytes can be uniquely determined. After uniquely determining the values of $K^{10}_{2,0}, K^{10}_{2,1}, K^{10}_{2,2}, K^{10}_{2,3}$ and $o$, the attacker deduces the values $x$ and $y$ as:

$$\begin{aligned}
x &= S(K^9_{1,3}) \oplus S(K^9_{1,3} \oplus n) = S(K^{10}_{1,3} \oplus K^{10}_{1,2}) \oplus S(K^{10}_{1,3} \oplus K^{10}_{1,2} \oplus n) \\
y &= S(K^9_{2,3}) \oplus S(K^9_{2,3} \oplus o) = S(K^{10}_{2,3} \oplus K^{10}_{2,2}) \oplus S(K^{10}_{2,3} \oplus K^{10}_{2,2} \oplus o)
\end{aligned}$$

Therefore, the attacker now follows the same technique and uniquely determines the values of $K^{10}_{1,0}, K^{10}_{1,1}, K^{10}_{1,2}, K^{10}_{1,3}, n$ and $K^{10}_{0,0}, K^{10}_{0,1}, K^{10}_{0,2}, K^{10}_{0,3}, m$ from the relations between the fault values in the second and first rows of $K^9$ respectively. Hence, the attacker retrieves the values of three rows of $K^{10}$. This implies that using two faulty ciphertexts the attacker can retrieve 96 bits out of the 128-bit AES key.

Comments

The existing attack induces a three-byte fault in the first column of the ninth round key while it is being executed. The fault model behind this attack is the capability to induce three byte faults. Under this model the probability that all three byte faults land in that one column is $\binom{4}{3}/\binom{16}{3} = 4/560 \approx 0.0071$. Further, the attack requires two fault inductions, so the probability of success is even less, $(0.0071)^2 \approx 5 \times 10^{-5}$. Thus the probability of success when the induction of the fault is random is extremely small. For example, techniques like variation of the input supply voltage or the input clock frequency lead to a random distribution of faults [15]-[18]. This implies that an improvement of the fault attack can be made in two directions: first, changing the fault model to make the attack more realistic, and second, reducing the required number of faults while keeping the time complexity within practical limits.

In the next section we propose an improved attack using a single byte fault model which requires a single fault induction.

IV. IMPROVED ATTACK USING SINGLE FAULTY CIPHERTEXT

It is clear from the comments of the previous section that the existing attack [13] has a very low chance of obtaining faulty ciphertexts of the desired fault model. From an attacker's perspective one would want an attack which requires fewer faulty ciphertexts and has a high success rate. In this section we propose a more practical attack which requires only one faulty ciphertext with a single byte fault.

A. Fault Model

Like the previous attacks we also consider the fault model where the fault is induced in a particular round key while it is being executed, so that the fault spreads to the subsequent round keys. In our fault model we assume a single byte fault is injected in the first column of the eighth round key. The flow of the fault in the round keys is shown in Figure 3.

[Figure 3. Flow of Single Byte Fault Induced in Ninth Round Key of AES-128 Key Scheduling. Fault values shown in the figure: $p$ in the four bytes of the first row of $K^8$; $p$ (two bytes of the first row) and $q$ (four bytes of the fourth row) in $K^9$; $p$ (two bytes), $r$ (four bytes) and $q$ (two bytes) in $K^{10}$, with RotWord, SubWord and $Rcon_8$, $Rcon_9$, $Rcon_{10}$ between the round keys.]

Therefore, the fault model is more practical, especially when the fault is injected randomly by cheap means like a glitch on the input clock line or a fluctuation on the voltage line. The chance of getting such a faulty ciphertext is the probability that the faulty byte occurs in the first column, which is $1/4 = 0.25$. This is quite high compared to the existing fault model described in the previous section.

B. The Attack Principle

In the proposed attack we retrieve the AES-128 key in two phases. In the first phase we attack the final round key $K^{10}$ and reduce it to $2^{40}$ choices. In the second phase we attack the penultimate round key $K^9$ and reduce the choices to $2^8$. Therefore, we finally get $2^8$ choices of the master key.

We start with the first phase of the attack.

1) First Phase of the Attack: In this phase of the attack we try to reduce the key space of the tenth round key $K^{10}$ by using the relation between the fault values at the end of the ninth round MixColumns operation. As Figure 3 depicts, the induced fault spreads to the first row of the eighth round key $K^8$. In the ninth round key $K^9$, the fault spreads to the first and fourth rows with fault values $p$ and $q$. The relation between $p$ and $q$ is given as:

$$\begin{aligned}
q &= S[K^8_{0,3}] \oplus S[K^8_{0,3} \oplus p] \\
  &= S[K^9_{0,3} \oplus K^9_{0,2}] \oplus S[K^9_{0,3} \oplus K^9_{0,2} \oplus p] \\
  &= S[K^{10}_{0,3} \oplus K^{10}_{0,1}] \oplus S[K^{10}_{0,3} \oplus K^{10}_{0,1} \oplus p]
\end{aligned} \qquad (2)$$

Similarly, the fault value $r$ in the third row of $K^{10}$ is given as:

$$\begin{aligned}
r &= S[K^9_{3,3}] \oplus S[K^9_{3,3} \oplus q] \\
  &= S[K^{10}_{3,3} \oplus K^{10}_{3,2}] \oplus S[K^{10}_{3,3} \oplus K^{10}_{3,2} \oplus q]
\end{aligned} \qquad (3)$$

[Figure 4. Last Three Rounds of AES-128 Key Scheduling Algorithm. Figure labels: 8th Round, 9th Round, 10th Round; K8 (Faulty), K9 (Faulty), K10 (Faulty); SubByte, ShiftRow, MixCol; intermediate states S1, S2, S3, S4, S5.]

As per AES-128 encryption, the faults in the round keys propagate to the intermediate states through the AddRoundKey operations. Figure 4 shows the propagation of the faults. At the input of the ninth round only the first row of the state matrix $S_1$ is corrupted, and the fault values in the first row are $\{p, p, p, p\}$. These values spread to the corresponding columns at the end of the ninth round MixColumns and form four relations (state matrix $S_2$). The relation in the $i$-th column is $\{2f_i, f_i, f_i, 3f_i\}$ (products in $\mathbb{F}_{2^8}$), where $0 \le i \le 3$ and $f_i \in \{1, 2, \ldots, 255\}$. After the AddRoundKey operation these relations change to $\{p \oplus 2f_0, f_0, f_0, q \oplus 3f_0\}$, $\{2f_1, f_1, f_1, q \oplus 3f_1\}$, $\{p \oplus 2f_2, f_2, f_2, q \oplus 3f_2\}$, $\{2f_3, f_3, f_3, q \oplus 3f_3\}$ (state matrix $S_3$). We know the fault-free and faulty ciphertexts $(C, C')$. Therefore, the fault values in the first column of the state matrix $S_3$ can be represented in terms of $(C, C')$ and $K^{10}$ as follows:

$$\begin{aligned}
p \oplus 2f_0 &= S^{-1}[K^{10}_{0,0} \oplus C_{0,0}] \oplus S^{-1}[K^{10}_{0,0} \oplus C'_{0,0} \oplus p] && (4a) \\
f_0 &= S^{-1}[K^{10}_{1,3} \oplus C_{1,3}] \oplus S^{-1}[K^{10}_{1,3} \oplus C'_{1,3}] && (4b) \\
f_0 &= S^{-1}[K^{10}_{2,2} \oplus C_{2,2}] \oplus S^{-1}[K^{10}_{2,2} \oplus C'_{2,2} \oplus r] && (4c) \\
q \oplus 3f_0 &= S^{-1}[K^{10}_{3,1} \oplus C_{3,1}] \oplus S^{-1}[K^{10}_{3,1} \oplus C'_{3,1}] && (4d)
\end{aligned}$$

Similarly, from the other three columns of the state matrix $S_3$ we have the following sets of equations:

$$\begin{aligned}
2f_1 &= S^{-1}[K^{10}_{0,1} \oplus C_{0,1}] \oplus S^{-1}[K^{10}_{0,1} \oplus C'_{0,1} \oplus p] && (5a) \\
f_1 &= S^{-1}[K^{10}_{1,0} \oplus C_{1,0}] \oplus S^{-1}[K^{10}_{1,0} \oplus C'_{1,0}] && (5b) \\
f_1 &= S^{-1}[K^{10}_{2,3} \oplus C_{2,3}] \oplus S^{-1}[K^{10}_{2,3} \oplus C'_{2,3} \oplus r] && (5c) \\
q \oplus 3f_1 &= S^{-1}[K^{10}_{3,2} \oplus C_{3,2}] \oplus S^{-1}[K^{10}_{3,2} \oplus C'_{3,2} \oplus q] && (5d)
\end{aligned}$$

$$\begin{aligned}
p \oplus 2f_2 &= S^{-1}[K^{10}_{0,2} \oplus C_{0,2}] \oplus S^{-1}[K^{10}_{0,2} \oplus C'_{0,2}] && (6a) \\
f_2 &= S^{-1}[K^{10}_{1,1} \oplus C_{1,1}] \oplus S^{-1}[K^{10}_{1,1} \oplus C'_{1,1}] && (6b) \\
f_2 &= S^{-1}[K^{10}_{2,0} \oplus C_{2,0}] \oplus S^{-1}[K^{10}_{2,0} \oplus C'_{2,0} \oplus r] && (6c) \\
q \oplus 3f_2 &= S^{-1}[K^{10}_{3,3} \oplus C_{3,3}] \oplus S^{-1}[K^{10}_{3,3} \oplus C'_{3,3}] && (6d)
\end{aligned}$$

$$\begin{aligned}
2f_3 &= S^{-1}[K^{10}_{0,3} \oplus C_{0,3}] \oplus S^{-1}[K^{10}_{0,3} \oplus C'_{0,3}] && (7a) \\
f_3 &= S^{-1}[K^{10}_{1,2} \oplus C_{1,2}] \oplus S^{-1}[K^{10}_{1,2} \oplus C'_{1,2}] && (7b) \\
f_3 &= S^{-1}[K^{10}_{2,1} \oplus C_{2,1}] \oplus S^{-1}[K^{10}_{2,1} \oplus C'_{2,1} \oplus r] && (7c) \\
q \oplus 3f_3 &= S^{-1}[K^{10}_{3,0} \oplus C_{3,0}] \oplus S^{-1}[K^{10}_{3,0} \oplus C'_{3,0} \oplus q] && (7d)
\end{aligned}$$

These differential equations are not the same as in the attacks on AES states, such as those proposed in [8] and [9]. Here we have 7 unknown variables in each of the above four sets of differential equations. If we try to solve each set of equations on its own, the reduced search space of the corresponding key quartet is $(2^8)^7 / 2^{24} = 2^{32}$. Therefore, after solving all four sets of equations the total search space of the final round key would still be $2^{128}$. This implies the equations cannot be solved in the same way as in the existing attacks [8], [9].

We apply a divide and conquer approach to solve the above four sets of equations. We divide each of the four sets into subsets and solve them separately. In order to reduce the time complexity of the process we use an S-box difference table. For a differential equation like

$$\beta = S^{-1}[X] \oplus S^{-1}[X \oplus \alpha] \qquad (8)$$

with input difference $\alpha$ and output difference $\beta$, there are 0, 2 or 4 solutions of $X$ for a given pair $(\alpha, \beta)$, where $\alpha, \beta \in \mathbb{F}_{2^8}$. In the case of the AES S-box the above equation gives 4 solutions of $X$ in only one case, $S[\,\cdot\,] = \mathtt{0x06}$ (see [19]); otherwise it has 0 or 2 solutions. For a fixed value of $\alpha$, the above equation produces 4 solutions of $X$ only once and 2 solutions 126 times out of the 255 choices of $\beta$; the remaining choices of $\beta$ produce no solution of $X$. For more details the reader can refer to [19]. We maintain a table $SD$ which contains the solutions of $X$ for every $(\alpha, \beta)$ with $1 \le \alpha, \beta \le 255$. Therefore, using this S-box difference table and given values of $p$, $q$, $r$, we can solve any one of the above four sets of equations with time complexity $2^8$.

Following this technique, for a given value of $p$ and $q$ we deduce $2^8$ choices of $\{K^{10}_{0,1}, K^{10}_{1,0}, K^{10}_{3,2}\}$ from the three equations (5a), (5b) and (5d). Similarly, we deduce $2^8$ choices of $\{K^{10}_{0,3}, K^{10}_{1,2}, K^{10}_{3,0}\}$ from equations (7a), (7b), (7d). Therefore, we have $2^{16}$ possible choices of the six key bytes $\{K^{10}_{0,1}, K^{10}_{1,0}, K^{10}_{3,2}, K^{10}_{0,3}, K^{10}_{1,2}, K^{10}_{3,0}\}$. These values are tested by equation (2), which reduces the possible choices of the six key bytes to $2^{16}/2^8 = 2^8$. For each of these choices we deduce $2^8$ choices of $\{K^{10}_{0,2}, K^{10}_{1,1}, K^{10}_{3,3}\}$ from equations (6a), (6b), (6d). So now we have $2^{16}$ choices of $\{K^{10}_{0,1}, K^{10}_{1,0}, K^{10}_{3,2}, K^{10}_{0,3}, K^{10}_{1,2}, K^{10}_{3,0}, K^{10}_{0,2}, K^{10}_{1,1}, K^{10}_{3,3}\}$. These include the values of $K^{10}_{3,3}$ and $K^{10}_{3,2}$. We use these values to deduce the corresponding value of $r$ from equation (3). Subsequently, we deduce the corresponding values of $\{K^{10}_{2,3}, K^{10}_{2,0}, K^{10}_{2,1}\}$ from equations (5c), (6c), (7c), using the values of $f_1, f_2, f_3$ from the previous steps. Therefore, up to this point we have $2^{16}$ possible choices of the 12 key bytes $\{K^{10}_{0,1}, K^{10}_{1,0}, K^{10}_{2,3}, K^{10}_{3,2}, K^{10}_{0,3}, K^{10}_{1,2}, K^{10}_{2,1}, K^{10}_{3,0}, K^{10}_{0,2}, K^{10}_{1,1}, K^{10}_{2,0}, K^{10}_{3,3}\}$. For each of these $2^{16}$ candidates we get $2^8$ candidates of the four key bytes $\{K^{10}_{0,0}, K^{10}_{1,3}, K^{10}_{2,2}, K^{10}_{3,1}\}$ from the set of four equations (4). Therefore, finally we have $2^{24}$ choices of the tenth round key $K^{10}$ for fixed values of $p$ and $q$. Hence, for all $2^{16}$ possible values of $p$ and $q$ we get $2^{40}$ possible candidates of $K^{10}$.

We verified the result by simulation in our laboratory. The simulated attack is written in C, compiled using gcc-4.4.3, and run on a desktop Intel Core 2 Duo processor at 3 GHz. It takes around 18 hours to produce all the possible $2^{40}$ candidates of $K^{10}$.

In the next section we describe the second phase of the attack, which further reduces the possible choices of the tenth round key from $2^{40}$ to $2^8$.
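As an added worked example (not code from the paper or its authors), the following Python script reproduces the two mechanisms the first phase rests on: the spread of a single byte fault injected into $K^8_{0,0}$ during key expansion into the $p$, $q$, $r$ pattern of Figure 3 and equations (2), (3), and the S-box difference table of equation (8) used to reduce one column's key bytes via (5a), (5b), (5d). It implements AES-128 from scratch (S-box generated from the field inverse and affine map, no library) so that the fault can be placed inside the key schedule itself; `expand_key`, `previous_round_key`, `build_sd_table`, `solve_column_one` and `simulate` are names chosen here, the key, plaintext and fault value in `simulate` are constructed at random from a fixed seed, Python 3.9 or later is assumed for `randbytes`, and the zero-difference special case in `sols` is a caveat this example adds rather than one the paper discusses.

```python
import random
from itertools import product

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def gmul(a, b):  # multiply in F_{2^8} modulo the AES polynomial x^8 + x^4 + x^3 + x + 1
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x11B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return r

def _build_sbox():
    """SubBytes table: multiplicative inverse in F_{2^8}, then the affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        s = inv
        for _ in range(4):
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox[x] = s ^ 0x63
    return sbox

SBOX = _build_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]

def expand_key(master, fault=None):
    """Round keys K^0..K^10 as 4x4 matrices keys[r][i][j] (row i, column j). fault=(r, i, p)
    XORs p into byte (i, 0) of K^r right after that column is derived, so it spreads to the
    rest of K^r and to every later round key (the paper's 'fault while being executed')."""
    keys = [[[master[4 * j + i] for j in range(4)] for i in range(4)]]
    for r in range(1, 11):
        prev, cur = keys[-1], [[0] * 4 for _ in range(4)]
        for j in range(4):
            if j == 0:  # RotWord, SubWord and Rcon on the last column of K^{r-1}
                t = [SBOX[prev[(i + 1) % 4][3]] for i in range(4)]
                t[0] ^= RCON[r - 1]
            else:
                t = [cur[i][j - 1] for i in range(4)]
            for i in range(4):
                cur[i][j] = prev[i][j] ^ t[i]
            if fault and (r, j) == (fault[0], 0):
                cur[fault[1]][0] ^= fault[2]
        keys.append(cur)
    return keys

def previous_round_key(k, r):
    """K^{r-1} from K^r: the paper's K^9-from-K^10 matrix, written for any round r."""
    prev = [[k[i][j] ^ k[i][j - 1] if j else 0 for j in range(4)] for i in range(4)]
    for i in range(4):
        prev[i][0] = k[i][0] ^ SBOX[prev[(i + 1) % 4][3]]
    prev[0][0] ^= RCON[r - 1]
    return prev

def encrypt(pt, keys):
    """AES-128 of 16 column-major bytes; returns the ciphertext as a 4x4 matrix C[i][j]."""
    s = [[pt[4 * j + i] ^ keys[0][i][j] for j in range(4)] for i in range(4)]
    for r in range(1, 11):
        s = [[SBOX[b] for b in row] for row in s]                     # SubBytes
        s = [s[i][i:] + s[i][:i] for i in range(4)]                   # ShiftRows
        if r < 10:                                                    # MixColumns
            s = [[gmul(2, s[i][j]) ^ gmul(3, s[(i + 1) % 4][j]) ^ s[(i + 2) % 4][j]
                  ^ s[(i + 3) % 4][j] for j in range(4)] for i in range(4)]
        s = [[s[i][j] ^ keys[r][i][j] for j in range(4)] for i in range(4)]  # AddRoundKey
    return s

def build_sd_table():
    """SD[(alpha, beta)] -> all X with S^{-1}[X] ^ S^{-1}[X ^ alpha] == beta (equation (8))."""
    sd = {}
    for alpha, x in product(range(1, 256), range(256)):
        sd.setdefault((alpha, INV_SBOX[x] ^ INV_SBOX[x ^ alpha]), []).append(x)
    return sd

def solve_column_one(c, cf, p, q, sd):
    """Candidates for (K^10_{0,1}, K^10_{1,0}, K^10_{3,2}) from (5a), (5b), (5d) for one guess
    of (p, q): loop over f1 and read the key bytes out of SD. c, cf are the ciphertext matrices."""
    def sols(alpha, beta):  # zero input and zero output difference leave X unconstrained
        return range(256) if alpha == 0 and beta == 0 else sd.get((alpha, beta), [])
    cands = []
    for f1 in range(1, 256):
        k01 = [x ^ c[0][1] for x in sols(c[0][1] ^ cf[0][1] ^ p, gmul(2, f1))]
        k10 = [x ^ c[1][0] for x in sols(c[1][0] ^ cf[1][0], f1)]
        k32 = [x ^ c[3][2] for x in sols(c[3][2] ^ cf[3][2] ^ q, q ^ gmul(3, f1))]
        cands.extend(product(k01, k10, k32))
    return cands

def simulate(seed=2011):
    """Constructed scenario: random key and plaintext, single-byte fault p in K^8_{0,0}."""
    rng = random.Random(seed)
    key, pt, p = rng.randbytes(16), rng.randbytes(16), rng.randrange(1, 256)
    good, bad = expand_key(key), expand_key(key, fault=(8, 0, p))
    k8, k9, k10 = good[8], good[9], good[10]
    q = SBOX[k8[0][3]] ^ SBOX[k8[0][3] ^ p]  # equation (2)
    r = SBOX[k9[3][3]] ^ SBOX[k9[3][3] ^ q]  # equation (3)
    diff = {n: [[good[n][i][j] ^ bad[n][i][j] for j in range(4)] for i in range(4)]
            for n in (8, 9, 10)}  # XOR pattern of the corrupted round keys
    return {"key": key, "k9": k9, "k10": k10, "p": p, "q": q, "r": r, "diff": diff,
            "truth": (k10[0][1], k10[1][0], k10[3][2]),
            "cands": solve_column_one(encrypt(pt, good), encrypt(pt, bad), p, q, build_sd_table())}
```

Calling `simulate()` returns the XOR pattern of the three corrupted round keys, which shows $p$ across the first row of $K^8$, $\{p, 0, p, 0\}$ and $\{q, q, q, q\}$ in the first and fourth rows of $K^9$, and $\{p, p, 0, 0\}$, $\{r, r, r, r\}$, $\{q, 0, q, 0\}$ in the first, third and fourth rows of $K^{10}$, together with roughly $2^8$ candidates for $\{K^{10}_{0,1}, K^{10}_{1,0}, K^{10}_{3,2}\}$ that contain the true bytes. With the true $p$ and $q$ this is one of the $2^{16}$ iterations of the first phase; the remaining equation sets and the $2^{24}$-per-guess bookkeeping follow the same lookup pattern.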

2) Second Phase of the Attack: In this phase of the attack we use the relations between the faulty bytes in the ninth round input. As shown in Figure 4, the induced single byte fault spreads to all four bytes in the first row of the eighth round key $K^8$. At AddRoundKey, these fault values subsequently corrupt the four bytes of the first row of the ninth round input state matrix $S_1$. The fault values in $S_1$ are the same as in $K^8$, so the fault values in the first row are $\{p, p, p, p\}$. The fault value $p$ at location $(0, 0)$ in $S_1$ can be represented by inverting the ninth round (the coefficients 14, 11, 13, 9 are the InvMixColumns multipliers in $\mathbb{F}_{2^8}$) as:

$$\begin{aligned}
p = {}& S^{-1}\big[\, 14 \cdot (S^{-1}[K^{10}_{0,0} \oplus C_{0,0}] \oplus K^9_{0,0}) \oplus 11 \cdot (S^{-1}[K^{10}_{1,3} \oplus C_{1,3}] \oplus K^9_{1,0}) \\
&\quad \oplus 13 \cdot (S^{-1}[K^{10}_{2,2} \oplus C_{2,2}] \oplus K^9_{2,0}) \oplus 9 \cdot (S^{-1}[K^{10}_{3,1} \oplus C_{3,1}] \oplus K^9_{3,0}) \,\big] \\
\oplus{}& S^{-1}\big[\, 14 \cdot (S^{-1}[K^{10}_{0,0} \oplus C'_{0,0} \oplus p] \oplus K^9_{0,0} \oplus p) \oplus 11 \cdot (S^{-1}[K^{10}_{1,3} \oplus C'_{1,3}] \oplus K^9_{1,0}) \\
&\quad \oplus 13 \cdot (S^{-1}[K^{10}_{2,2} \oplus C'_{2,2} \oplus r] \oplus K^9_{2,0}) \oplus 9 \cdot (S^{-1}[K^{10}_{3,1} \oplus C'_{3,1}] \oplus K^9_{3,0} \oplus q) \,\big]
\end{aligned} \qquad (9)$$

Similarly, the other three faulty bytes can be expressed by the following equations:

$$\begin{aligned}
p = {}& S^{-1}\big[\, 14 \cdot (S^{-1}[K^{10}_{0,1} \oplus C_{0,1}] \oplus K^9_{0,1}) \oplus 11 \cdot (S^{-1}[K^{10}_{1,0} \oplus C_{1,0}] \oplus K^9_{1,1}) \\
&\quad \oplus 13 \cdot (S^{-1}[K^{10}_{2,3} \oplus C_{2,3}] \oplus K^9_{2,1}) \oplus 9 \cdot (S^{-1}[K^{10}_{3,2} \oplus C_{3,2}] \oplus K^9_{3,1}) \,\big] \\
\oplus{}& S^{-1}\big[\, 14 \cdot (S^{-1}[K^{10}_{0,1} \oplus C'_{0,1} \oplus p] \oplus K^9_{0,1}) \oplus 11 \cdot (S^{-1}[K^{10}_{1,0} \oplus C'_{1,0}] \oplus K^9_{1,1}) \\
&\quad \oplus 13 \cdot (S^{-1}[K^{10}_{2,3} \oplus C'_{2,3} \oplus r] \oplus K^9_{2,1}) \oplus 9 \cdot (S^{-1}[K^{10}_{3,2} \oplus C'_{3,2} \oplus q] \oplus K^9_{3,1} \oplus q) \,\big]
\end{aligned} \qquad (10)$$

$$\begin{aligned}
p = {}& S^{-1}\big[\, 14 \cdot (S^{-1}[K^{10}_{0,2} \oplus C_{0,2}] \oplus K^9_{0,2}) \oplus 11 \cdot (S^{-1}[K^{10}_{1,1} \oplus C_{1,1}] \oplus K^9_{1,2}) \\
&\quad \oplus 13 \cdot (S^{-1}[K^{10}_{2,0} \oplus C_{2,0}] \oplus K^9_{2,2}) \oplus 9 \cdot (S^{-1}[K^{10}_{3,3} \oplus C_{3,3}] \oplus K^9_{3,2}) \,\big] \\
\oplus{}& S^{-1}\big[\, 14 \cdot (S^{-1}[K^{10}_{0,2} \oplus C'_{0,2}] \oplus K^9_{0,2} \oplus p) \oplus 11 \cdot (S^{-1}[K^{10}_{1,1} \oplus C'_{1,1}] \oplus K^9_{1,2}) \\
&\quad \oplus 13 \cdot (S^{-1}[K^{10}_{2,0} \oplus C'_{2,0} \oplus r] \oplus K^9_{2,2}) \oplus 9 \cdot (S^{-1}[K^{10}_{3,3} \oplus C'_{3,3}] \oplus K^9_{3,2} \oplus q) \,\big]
\end{aligned} \qquad (11)$$

$$\begin{aligned}
p = {}& S^{-1}\big[\, 14 \cdot (S^{-1}[K^{10}_{0,3} \oplus C_{0,3}] \oplus K^9_{0,3}) \oplus 11 \cdot (S^{-1}[K^{10}_{1,2} \oplus C_{1,2}] \oplus K^9_{1,3}) \\
&\quad \oplus 13 \cdot (S^{-1}[K^{10}_{2,1} \oplus C_{2,1}] \oplus K^9_{2,3}) \oplus 9 \cdot (S^{-1}[K^{10}_{3,0} \oplus C_{3,0}] \oplus K^9_{3,3}) \,\big] \\
\oplus{}& S^{-1}\big[\, 14 \cdot (S^{-1}[K^{10}_{0,3} \oplus C'_{0,3}] \oplus K^9_{0,3}) \oplus 11 \cdot (S^{-1}[K^{10}_{1,2} \oplus C'_{1,2}] \oplus K^9_{1,3}) \\
&\quad \oplus 13 \cdot (S^{-1}[K^{10}_{2,1} \oplus C'_{2,1} \oplus r] \oplus K^9_{2,3}) \oplus 9 \cdot (S^{-1}[K^{10}_{3,0} \oplus C'_{3,0} \oplus q] \oplus K^9_{3,3} \oplus q) \,\big]
\end{aligned} \qquad (12)$$

The AES-128 key schedule is invertible, which means that one round key is enough to get all the other round keys and the actual master key. The ninth round key $K^9$ can be represented in terms of the tenth round key $K^{10}$ as follows:

$$K^9 = \begin{pmatrix}
K^{10}_{0,0} \oplus S[K^{10}_{1,3} \oplus K^{10}_{1,2}] \oplus h_{10} & K^{10}_{0,1} \oplus K^{10}_{0,0} & K^{10}_{0,2} \oplus K^{10}_{0,1} & K^{10}_{0,3} \oplus K^{10}_{0,2} \\
K^{10}_{1,0} \oplus S[K^{10}_{2,3} \oplus K^{10}_{2,2}] & K^{10}_{1,1} \oplus K^{10}_{1,0} & K^{10}_{1,2} \oplus K^{10}_{1,1} & K^{10}_{1,3} \oplus K^{10}_{1,2} \\
K^{10}_{2,0} \oplus S[K^{10}_{3,3} \oplus K^{10}_{3,2}] & K^{10}_{2,1} \oplus K^{10}_{2,0} & K^{10}_{2,2} \oplus K^{10}_{2,1} & K^{10}_{2,3} \oplus K^{10}_{2,2} \\
K^{10}_{3,0} \oplus S[K^{10}_{0,3} \oplus K^{10}_{0,2}] & K^{10}_{3,1} \oplus K^{10}_{3,0} & K^{10}_{3,2} \oplus K^{10}_{3,1} & K^{10}_{3,3} \oplus K^{10}_{3,2}
\end{pmatrix}$$

where $h_{10}$ is $Rcon_{10}$.

The fault-free and faulty ciphertexts $(C, C')$ are known to us, and we have $2^{40}$ possible candidates of $K^{10}$ from the first phase of the attack as described in Section IV-B1. In order to further reduce the possible choices of $K^{10}$, we convert each tenth round key $K^{10}$ from the first phase of the attack to the corresponding ninth round key $K^9$ and test it with the four differential equations (9), (10), (11) and (12). Those which satisfy the test are kept, the rest are discarded.

There are $2^8$ candidates out of $2^{40}$ which satisfy the above four equations. However, the time complexity of the attack remains $2^{40}$, as we have to test all the possible tenth round keys $K^{10}$ with the above four equations. We have evaluated this two-phase attack on a desktop Core 2 Duo processor of 3 GHz with 2 GB RAM. It takes around 26 hours to generate all the possible $2^8$ final round keys. The time consumed by the attack is still quite high. In a practical scenario the induced fault is uncertain and random in nature unless it is injected by sophisticated, precise equipment [20]. Therefore, ideally an attacker would want a DFA which reveals the secret within minutes instead of hours under the ideal conditions of the fault model. In the real scenario, the attacker has to repeat the attack a number of times with different faulty ciphertexts in order to obtain a fault of the required nature, and hence the secret key, in one of the attempts. Hence, a further reduction of the time complexity is desired.

In the next section we propose a technique which further reduces the time complexity of the attack so that the attack can be performed within an hour.

3) Time Complexity Reduction: In the second phase of the attack we have four equations (9), (10), (11), and (12). Each of the $2^{40}$ possible tenth round keys from the first phase of the attack is tested by these four equations. However, none of these four equations requires all the 16 bytes of the tenth round key $K^{10}$. For example, the first equation (9) requires only 13 bytes of $K^{10}$: $K^{10}_{0,0}$, $K^{10}_{1,3}$, $K^{10}_{2,2}$, $K^{10}_{3,1}$, and another 9 bytes for $K^{9}_{0,0}$, $K^{9}_{1,0}$, $K^{9}_{2,0}$, $K^{9}_{3,0}$. The last three equations require 10 key bytes each. We also need to consider the dependency between key bytes $K^{10}_{0,3}$ and $K^{10}_{0,1}$ in equation (2), and between $K^{10}_{3,3}$ and $K^{10}_{3,2}$ in equation (3). Therefore, to further reduce the time complexity of the attack, we can consider one of the four equations at a time [21]. We choose equation (11), as it requires 10 key bytes plus $K^{10}_{0,3}$ (dependency with $K^{10}_{0,1}$ in equation (2)), which is the least number of key bytes required among all four equations. In this case, we only need the possible choices of the required 11 key bytes from the first phase of the attack, and the rest of the five key bytes $\{K^{10}_{0,0}, K^{10}_{1,0}, K^{10}_{3,0}, K^{10}_{1,3}, K^{10}_{2,3}\}$ can be fixed.

From the differential equation (8) we know that for a fixed value of the difference in (8), $X$ has 2 solutions in 126 cases and 4 solutions in one case out of the 256 possible choices of that difference. Now, if we consider the set of equations (4), we have $2^8$ choices of the quartet of key bytes $\{K^{10}_{0,0}, K^{10}_{1,3}, K^{10}_{2,2}, K^{10}_{3,1}\}$ for given values of $p$, $q$, and $r$. If $(a_1, b_1, c_1, d_1)$ is one solution of the set of equations (4), then there is another solution, say $(a_2, b_1, c_1, d_1)$, with the same values of $K^{10}_{1,3}$, $K^{10}_{2,2}$, $K^{10}_{3,1}$. This is true in 126 out of 127 cases. This implies that a unique value of $\{K^{10}_{1,3}, K^{10}_{2,2}, K^{10}_{3,1}\}$ corresponds to two values of $K^{10}_{0,0}$. Therefore, if we fix $K^{10}_{0,0}$ we will have $2^7$ choices of the remaining three key bytes $\{K^{10}_{1,3}, K^{10}_{2,2}, K^{10}_{3,1}\}$. There are $2^{40}$ possible choices of the 16-byte key $K^{10}$. If we fix the five key bytes $K^{10}_{0,0}$, $K^{10}_{1,0}$, $K^{10}_{3,0}$, $K^{10}_{1,3}$, $K^{10}_{2,3}$, then there will be $2^{40}/2^{5} = 2^{35}$ choices of the remaining 11 key bytes.

These $2^{35}$ possible candidates are tested by equation (11); those which satisfy it are combined with the $2^5$ possible choices of $K^{10}_{0,0}$, $K^{10}_{1,0}$, $K^{10}_{3,0}$, $K^{10}_{1,3}$, $K^{10}_{2,3}$ and subsequently tested by the remaining three equations (9), (10), and (12). So, now the complexity of the attack reduces to $2^{35}$ from $2^{40}$. Therefore, finally the four equations (9), (10), (11), and (12) reduce the possible choices of $K^{10}$ to $2^8$ candidates. Thus, this time complexity reduction technique reduces the required time of the attack by $2^5$. In actual experiments the two-phase attack with reduced time complexity takes around 35 minutes to reveal all the possible $2^8$ keys.

The summary of the two-phase attack is given in Algorithm 1.

    C. Analysis of the Attack

A differential equation like (8) reduces $2^{16}$ candidates on the right hand side to $2^8$ candidates on the left hand side. The search space reduction in such an equation is given by $2^8/2^{16} = 1/2^8$. If we have $N$ such equations then the reduction is given by $(1/2^8)^N$. If the $N$ equations contain $M$ byte unknown variables, i.e. an $8M$-bit search space, then the reduced search space is given as $(1/2^8)^N \cdot (2^8)^M$.

There are seven equations (5a), (5b), (5d), (7a), (7b), (7d) and (2) up to line number 7 in Algorithm 1, which contain ten variables. Therefore, the reduced search space is given by $(1/2^8)^7 \cdot (2^8)^{10} = 2^{24}$. This implies $2^{24}$ candidates will satisfy the if block at line 7.

Inside the first if block and up to line number 13, we have eleven equations (6a), (6b), (6d), (5c), (6c), (7c), (4a), (4b), (7c), (4d), and (3), and correspondingly thirteen unknown variables. It may be noted that the variables $f_1$, $f_4$, $p$, $q$ are already considered in the previous equations. So, the eleven equations reduce the search space of the thirteen variables to $(1/2^8)^{11} \cdot (2^8)^{13} = 2^{16}$.

Therefore, each of the possible candidates satisfying the first if condition will combine with $2^{16}$ candidates inside the if blocks. Hence, the total search space up to line number 13 is $2^{16} \cdot 2^{24} = 2^{40}$. It may be noted that the lines up to number 13 of Algorithm 1 correspond to the first phase of the attack. Therefore, in the first phase of the attack the search space is reduced to $2^{40}$. Out of these $2^{40}$ candidates we consider only $2^{35}$ candidates, which correspond to fixed values of $K^{10}_{0,0}$, $K^{10}_{1,0}$, $K^{10}_{3,0}$, $K^{10}_{1,3}$, $K^{10}_{2,3}$, as mentioned in Section IV-B3.

In the second phase of the attack, which is after line number 13 of Algorithm 1, we first test the $2^{35}$ candidates by equation (11). Equation (11) reduces the possible candidates to $2^{35}/2^{8} = 2^{27}$. These $2^{27}$ candidates are again combined with the $2^5$ choices of $K^{10}_{0,0}$, $K^{10}_{1,0}$, $K^{10}_{3,0}$, $K^{10}_{1,3}$, $K^{10}_{2,3}$ and subsequently tested by the three equations (9), (10), and (12). These three equations further reduce the possible candidates to $(1/2^8)^3 \cdot 2^{32} = 2^8$. Thus, in the second phase of the attack we have $2^8$ choices of $K^{10}$.

Algorithm 1: DFA on AES-128 Key Scheduling using Single Faulty Ciphertexts
Input: C, C'
Output: List $L_k$ of tenth round keys $K^{10}$
 1: for each candidate of $\{p, q\}$ do
 2:   for each candidate of $f_1$ do
 3:     Get $\{K^{10}_{0,1}, K^{10}_{1,0}, K^{10}_{3,2}\}$ from equations (5a), (5b), and (5d).
 4:     for each candidate of $f_3$ do
 5:       Get $\{K^{10}_{0,3}, K^{10}_{1,2}, K^{10}_{3,0}\}$ from equations (7a), (7b), and (7d).
 6:       Test equation (2).
 7:       if satisfied then
 8:         for each candidate of $f_2$ do
 9:           Get $\{K^{10}_{0,2}, K^{10}_{1,1}, K^{10}_{3,3}\}$ from equations (6a), (6b), and (6d).
10:           Get $r$ from equation (3).
11:           Get $K^{10}_{2,3}, K^{10}_{2,0}, K^{10}_{2,1}$ from equations (5c), (6c), and (7c).
12:           for each candidate of $f_0$ do
13:             Get $\{K^{10}_{0,0}, K^{10}_{1,3}, K^{10}_{2,2}, K^{10}_{3,1}\}$ from equations (4).
14:             Get $K^9$ from $K^{10}$ using AES-128 Key Scheduling.
15:             Test equation (11) [as mentioned in Section IV-B3].
16:             if satisfied then
17:               for each value of $\{K^{10}_{0,0}, K^{10}_{1,0}, K^{10}_{3,0}, K^{10}_{1,3}, K^{10}_{2,3}\}$ do
18:                 Get $K^9$ from $K^{10}$ using AES-128 Key Scheduling.
19:                 Test equations (9), (10), and (12).
20:                 if satisfied then
21:                   Save $K^{10}$ to $L_k$.
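Both the S-box property invoked for equation (8) and the "get $K^9$ from $K^{10}$" step in lines 14 and 18 of Algorithm 1 can be checked with the following Python, added here as an example and not taken from the paper; it assumes round keys are given as 16 bytes in FIPS-197 word order.

```python
# Added example (not the paper's code). It checks (a) the S-box differential
# property quoted for equation (8) and (b) the K^10 -> K^9 key-schedule step of
# Algorithm 1. Round keys are 16 bytes in FIPS-197 word order (assumed here).

def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (the AES polynomial)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def build_sbox():
    """AES S-box: multiplicative inverse (0 stays 0) followed by the affine map."""
    sbox = []
    for x in range(256):
        inv = 1
        for _ in range(254):              # x^254 == x^-1 in GF(2^8)
            inv = _gf_mul(inv, x)
        s = 0x63                          # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4) ^ 0x63
        for i in range(5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s)
    return sbox

SBOX = build_sbox()

def differential_profile(d_in):
    """For a fixed nonzero input difference d_in, count the X solving
    S(X) ^ S(X ^ d_in) == d_out for each d_out; return {#solutions: #d_out values}."""
    per_dout = [0] * 256
    for x in range(256):
        per_dout[SBOX[x] ^ SBOX[x ^ d_in]] += 1
    return {c: per_dout.count(c) for c in set(per_dout)}   # AES: {0: 129, 2: 126, 4: 1}

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def prev_round_key(rk, rnd):
    """Invert one AES-128 key-schedule step: round key rnd (1..10) -> round key rnd-1."""
    w = [list(rk[4 * i:4 * i + 4]) for i in range(4)]
    prev = [None] * 4
    for i in (3, 2, 1):                   # forward: w[i] = w_prev[i] ^ w[i-1]; undo the XOR
        prev[i] = [a ^ b for a, b in zip(w[i], w[i - 1])]
    t = [SBOX[b] for b in prev[3][1:] + prev[3][:1]]   # SubWord(RotWord(w_prev[3]))
    t[0] ^= RCON[rnd - 1]
    prev[0] = [a ^ b for a, b in zip(w[0], t)]          # w[0] = w_prev[0] ^ t ^ Rcon
    return bytes(sum(prev, []))
```

On the FIPS-197 Appendix A key expansion, `prev_round_key` applied to the round-10 key d014f9a8c9ee2589e13f0cc8b6630ca6 returns the documented round-9 key ac7766f319fadc2128d12941575c006e, and `differential_profile(d)` returns {0: 129, 2: 126, 4: 1} for every nonzero d, matching the 126-case/one-case count used above.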

V. EXPERIMENTAL RESULTS

A 3 GHz Intel Core 2 Duo processor with 2 GB RAM was used to perform the simulated attack. The code was written in the C programming language and compiled using gcc-4.4.3 running on the Ubuntu 10.4 operating system. The simulation was performed on several test cases where a single byte fault is induced in the first column of the eighth round key. The simulated attack was performed on 100 random keys. On average the simulated attack required around 35 minutes to generate all the $2^8$ possible candidates of the final round key. Table I shows some of the keys which were attacked.

Table I
EXPERIMENTAL RESULTS

Random 128-bit AES key             Number of keys in first phase   Number of keys in second phase   Running time (minutes)
6f6cd764b8ab8f18b8a86764237147cd   32725026784 (≈ 2^34.92)         253 (≈ 2^7.98)                   33.677
9c1933a4f7238613f85db821f4e49e65   32347445504 (≈ 2^34.912)        272 (≈ 2^8.08)                   35.716
f0003d186fd9c1282c2c7b3f578f39e8   31626833792 (≈ 2^34.88)         262 (≈ 2^8.03)                   35.291
d4e278834cfe91970bcb5eaf2317623a   31977681408 (≈ 2^34.89)         281 (≈ 2^8.13)                   36.716
71d1e622409256bbdade1874f57bd79c   31622202880 (≈ 2^34.88)         266 (≈ 2^8.05)                   35.516
9c1b15b1b49d76ad9dc359d265b52c84   32685884800 (≈ 2^34.92)         264 (≈ 2^8.04)                   36.666

VI. COMPARISON

In this section we compare some of the previous research with our work in Table II. The attack proposed in [11] required around thirty pairs of faulty and fault-free ciphertexts. The attack proposed by Peacham and Thomas in [22] required twelve pairs of fault-free and faulty ciphertexts. The assumed fault model was multi-byte. Takahashi et al. in [12] assumed a slightly more general fault model, but still the most optimized form of their attack required two pairs of fault-free and faulty ciphertexts and a brute-force search of $2^{48}$. Compared to that, Kim et al. proposed in [13] a slightly improved multi-byte attack. But still the attack required two pairs of fault-free and faulty ciphertexts and a brute-force search of $2^{32}$.

Compared to these attacks we proposed a more general and more realistic single byte fault model. Our attack requires only one pair of fault-free and faulty ciphertexts and a brute-force search of $2^8$. Hence, based on the existing literature, this is the first DFA of the AES-128 key schedule which requires only one instance of a fault. From an information-theoretic perspective, a single byte fault in a known location should be able to retrieve 120 bits of the key [23]. Therefore, information theoretically our attack is the most optimized attack.

Table II
COMPARISON WITH EXISTING ATTACKS ON AES-128 KEY SCHEDULE

Reference    Fault model         Number of faults   Exhaustive search
[11]         Single byte fault   22 to 44           1
[22]         Multi byte fault    12                 1
[12]         Multi byte fault    2                  2^48
[13]         Multi byte fault    2                  2^32
Our attack   Single byte fault   1                  2^8

VII. CONCLUSIONS

We proposed an improved differential fault attack on the AES-128 key schedule. The attack takes one pair of fault-free and faulty ciphertexts, which is minimal among the existing attacks. The proposed DFA requires a one byte fault at the input of the eighth round key and reduces the AES-128 key to $2^8$ values. The time complexity of the attack is $2^{35}$ and it requires around 35 minutes of simulation on a standard Intel Core 2 Duo platform. We present extensive simulation results to support our claims. To the best of our knowledge the proposed attack is the most efficient DFA reported on the AES-128 key schedule.

REFERENCES

[1] D. Boneh, R. A. DeMillo, and R. J. Lipton, "On the Importance of Checking Cryptographic Protocols for Faults (Extended Abstract)," in EUROCRYPT, 1997, pp. 37–51.

[2] E. Biham and A. Shamir, "Differential Fault Analysis of Secret Key Cryptosystems," in CRYPTO, ser. Lecture Notes in Computer Science, B. S. K. Jr., Ed., vol. 1294. Springer, 1997, pp. 513–525.

[3] National Institute of Standards and Technology, "Advanced Encryption Standard," NIST FIPS PUB 197, 2001.

[4] J. Blömer and J.-P. Seifert, "Fault based cryptanalysis of the advanced encryption standard (AES)," in Financial Cryptography, ser. Lecture Notes in Computer Science, R. N. Wright, Ed., vol. 2742. Springer, 2003, pp. 162–181.

[5] P. Dusart, G. Letourneux, and O. Vivolo, "Differential Fault Analysis on A.E.S.," Cryptology ePrint Archive, Report 2003/010, 2003, http://eprint.iacr.org/.

[6] G. Piret and J.-J. Quisquater, "A Differential Fault Attack Technique against SPN Structures, with Application to the AES and KHAZAD," in CHES, ser. Lecture Notes in Computer Science, C. D. Walter, Çetin Kaya Koç, and C. Paar, Eds., vol. 2779. Springer, 2003, pp. 77–88.

[7] A. Moradi, M. T. M. Shalmani, and M. Salmasizadeh, "A Generalized Method of Differential Fault Attack Against AES Cryptosystem," in CHES, 2006, pp. 91–100.

[8] D. Mukhopadhyay, "An Improved Fault Based Attack of the Advanced Encryption Standard," in AFRICACRYPT, ser. Lecture Notes in Computer Science, B. Preneel, Ed., vol. 5580. Springer, 2009, pp. 421–434.

[9] M. Tunstall and D. Mukhopadhyay, "Differential Fault Analysis of the Advanced Encryption Standard using a Single Fault," Cryptology ePrint Archive, Report 2009/575, 2009, http://eprint.iacr.org/.

[10] C. Giraud, "DFA on AES," in AES Conference, ser. Lecture Notes in Computer Science, H. Dobbertin, V. Rijmen, and A. Sowa, Eds., vol. 3373. Springer, 2004, pp. 27–41.

[11] C.-N. Chen and S.-M. Yen, "Differential Fault Analysis on AES Key Schedule and Some Countermeasures," in ACISP, 2003, pp. 118–129.

[12] J. Takahashi, T. Fukunaga, and K. Yamakoshi, "DFA Mechanism on the AES Key Schedule," in FDTC, L. Breveglieri, S. Gueron, I. Koren, D. Naccache, and J.-P. Seifert, Eds. IEEE Computer Society, 2007, pp. 62–74.

[13] C. H. Kim and J.-J. Quisquater, "New Differential Fault Analysis on AES Key Schedule: Two Faults Are Enough," in CARDIS, 2008, pp. 48–60.

[14] N. Floissac and Y. L'Hyver, "From AES-128 to AES-192 and AES-256, how to adapt differential fault analysis attacks," Cryptology ePrint Archive, Report 2010/396, 2010, http://eprint.iacr.org/.

[15] N. Selmane, S. Guilley, and J.-L. Danger, "Practical Setup Time Violation Attacks on AES," in EDCC, 2008, pp. 91–96.

[16] A. Barenghi, G. Bertoni, E. Parrinello, and G. Pelosi, "Low Voltage Fault Attacks on the RSA Cryptosystem," in FDTC, L. Breveglieri, S. Gueron, I. Koren, D. Naccache, and J.-P. Seifert, Eds. IEEE Computer Society, 2009, pp. 23–31.

[17] T. Fukunaga and J. Takahashi, "Practical Fault Attack on a Cryptographic LSI with ISO/IEC 18033-3 Block Ciphers," in FDTC, L. Breveglieri, S. Gueron, I. Koren, D. Naccache, and J.-P. Seifert, Eds. IEEE Computer Society, 2009, pp. 84–92.

[18] S. Ali, D. Mukhopadhyay, and M. Tunstall, "Differential Fault Analysis of AES using a Single Multiple-Byte Fault," Cryptology ePrint Archive, Report 2010/636, 2010, http://eprint.iacr.org/.

[19] K. Nyberg, "Differentially uniform mappings for cryptography," in EUROCRYPT, 1993, pp. 55–64.

[20] S. P. Skorobogatov and R. J. Anderson, "Optical Fault Induction Attacks," in CHES, ser. Lecture Notes in Computer Science, B. S. K. Jr., Çetin Kaya Koç, and C. Paar, Eds., vol. 2523. Springer, 2002, pp. 2–12.

[21] S. Ali and D. Mukhopadhyay, "Acceleration of Differential Fault Analysis of the Advanced Encryption Standard Using Single Fault," Cryptology ePrint Archive, Report 2010/451, 2010, http://eprint.iacr.org/.

[22] D. Peacham and B. Thomas, "A DFA attack against the AES key schedule," SiVenture White Paper 001, 26 October 2006.

[23] Y. Li, S. Gomisawa, K. Sakiyama, and K. Ohta, "An Information Theoretic Perspective on the Differential Fault Analysis against AES," Cryptology ePrint Archive, Report 2010/032, 2010, http://eprint.iacr.org/.

[24] L. Breveglieri, S. Gueron, I. Koren, D. Naccache, and J.-P. Seifert, Eds., Sixth International Workshop on Fault Diagnosis and Tolerance in Cryptography, FDTC 2009, Lausanne, Switzerland, 6 September 2009. IEEE Computer Society, 2009.
