
2011 Workshop on Fault Diagnosis and Tolerance in Cryptography

A Differential Fault Analysis on AES Key Schedule using Single Fault

Sk. Subidh Ali and Debdeep Mukhopadhyay
Dept. of Computer Science and Engineering, Indian Institute of Technology Kharagpur, Kharagpur, India
{subidh,debdeep}@cse.iitkgp.ernet.in

Abstract: Literature on Differential Fault Analysis (DFA) on AES-128 shows that it is more difficult to attack AES when the fault is induced in the key schedule than when it is injected in the intermediate states. Recent research shows that DFA on the AES key schedule still requires two faulty ciphertexts, while it requires only one faulty ciphertext and a brute-force search of $2^8$ AES-128 keys when the fault is injected inside the round of AES. The present paper proposes a DFA on the AES-128 key schedule which requires only one single-byte fault and a brute-force search of $2^8$ keys, showing that a DFA on the AES key schedule is equally dangerous as a fault analysis in which the fault is injected in the intermediate state of AES. Further, the fault model of the present attack is a single-byte fault. This is more realistic than the existing fault model of injecting three byte faults in a column of the AES key, which has a smaller chance of success. To the best of our knowledge the proposed attack is the best known DFA on the AES key schedule and requires the minimum number of faulty ciphertexts. The simulated attack, running on a 3 GHz Intel Core 2 Duo desktop machine with 2 GB RAM, takes around 35 minutes to reveal the secret key.

Keywords: AES, AES key schedule, Differential Fault Analysis, Fault Model.

978-0-7695-4526-4/11 $26.00 © 2011 IEEE. DOI 10.1109/FDTC.2011.10

I. INTRODUCTION

Fault attacks were first introduced by D. Boneh et al. in 1996 [1]. They showed that an induced fault in a smart-card device running RSA can reveal the entire secret key. Subsequently, Biham and Shamir proposed a more lethal form of the attack [2] on the DES cryptosystem, which is known as Differential Fault Analysis. In 2001, NIST accepted Rijndael as the Advanced Encryption Standard (AES) [3] in three different forms, AES-128, AES-192 and AES-256, with key lengths of 128, 192 and 256 bits respectively. Subsequently, many DFAs against AES were proposed [4]–[8]. In most of these attacks, single or multi-byte faults are expected to be induced in the intermediate state of AES. The most recent among these types of attack is the one proposed in [9], where a single-byte fault induced at the input of the 8th round can retrieve the entire secret key of AES-128 with a brute-force search of $2^8$. There is another kind of DFA against the AES cryptosystem where the secret key is revealed by inducing faults in the key scheduling algorithm of AES. This kind of attack was first proposed by C. Giraud in [?] and [10]. The attack was further improved by Chen and Yen in [11], which required fewer than thirty pairs of correct and faulty ciphertexts with a single-byte fault model. In 2006 Peacham and Thomas proposed a different DFA on the AES key schedule based on a multi-byte fault model. The authors assumed that random faults can be injected during the execution of the AES key schedule and that the faults propagate to the subsequent round keys. The attack retrieved the 128-bit AES key using no more than 12 pairs of fault-free and faulty ciphertexts. Takahashi et al. proposed a general form of the attack [12] and showed that their attack retrieved the AES-128 key using two pairs of fault-free and faulty ciphertexts and a brute-force search of 48 bits. With four pairs the brute-force search reduced to 16 bits, and with seven pairs no brute-force search was required. In 2008, Kim et al. proposed a slightly improved DFA on the AES-128 key schedule [13]. In this attack the authors assumed a more specific fault model where the induced fault corrupts exactly three bytes of the first column of the ninth round key. The attack can retrieve the AES-128 key using two pairs of fault-free and faulty ciphertexts and a brute-force search of 32 bits. With four pairs the attack can uniquely determine the key.

In this paper we propose an improved DFA on the AES-128 key schedule. Unlike the previous attacks we assume a more realistic single-byte fault model. This kind of fault model is also assumed in [14], but that attack was specific to AES-192 and AES-256. We assume a single-byte fault is induced at the first column of the 8th round key, which spreads to the subsequent round keys. Our attack requires only one pair of fault-free and faulty ciphertexts and a brute-force search of $2^8$. The fault-free and faulty ciphertexts are generated from the same plaintext. To the best of the authors' knowledge this is the first time a DFA on the AES-128 key schedule retrieves the secret key using a single pair of fault-free and faulty ciphertexts in practical time. In order to validate the attack we have provided extensive simulation results. The simulated C code running on a desktop Intel Core 2 Duo processor of 3 GHz takes around 35 minutes to generate all $2^8$ possible key hypotheses.

The paper is organized as follows: in the next section we briefly describe the preliminaries of this paper. In Section III we describe the existing attack on the AES-128 key schedule using two faulty ciphertexts. In Section IV we explain the proposed attack on the AES-128 key schedule using a single faulty ciphertext. In Section V we present the experimental results. In Section VI we compare our results with the existing attacks on the AES key schedule. We conclude in Section VII.

II. PRELIMINARIES

A. AES

AES is a 128-bit symmetric key block cipher. It has three standardised versions named AES-128, AES-192 and AES-256, with key lengths of 128, 192 and 256 bits and 10, 12 and 14 rounds respectively. The intermediate results are represented by a $4 \times 4$ matrix of bytes called the state. Each round except the last performs the following four basic operations on the input state matrix:
SubBytes: the only non-linear operation, a byte-wise substitution in which each element of the state matrix is replaced by its multiplicative inverse followed by an affine mapping. All operations are over $\mathbb{F}_{2^8}$.
ShiftRows: a cyclic shift of the $i$-th row by $i$ bytes towards the left.
MixColumns: a column-level linear transformation of the state matrix. Each column of the state matrix is considered as a polynomial of degree 3 with coefficients in $\mathbb{F}_{2^8}$ and multiplied by the polynomial $\{03\}x^3 + \{01\}x^2 + \{01\}x + \{02\}$.
AddRoundKey: the 128-bit round key is bit-wise XORed with the 128-bit state.
The last round does not have the MixColumns operation. At the beginning of the first round an additional AddRoundKey operation is performed, which is known as the key whitening phase. The round keys are generated by the key scheduling algorithm. Figure 1 depicts the generation of the last three round keys as per the AES-128 key scheduling algorithm. The detailed key scheduling algorithm is given in [3]. It is clear from Figure 1 that one round key is enough to obtain the master key of AES-128.

B. Notation

In this section we define some parameters that we will use in the rest of the paper.
$C_{i,j}$: the $\{i,j\}$ byte of the ciphertext $C$.
$C'_{i,j}$: the $\{i,j\}$ byte of the faulty ciphertext $C'$.
$K^r_{i,j}$: the $\{i,j\}$ byte of the $r$-th round key $K^r$,
where $0 \le i, j \le 3$.

Figure 1. Last Three Rounds of AES-128 Key Scheduling Algorithm. (Figure not reproduced in this copy: the round keys $K^8$, $K^9$ and $K^{10}$ drawn as $4 \times 4$ byte matrices $K^r_{i,j}$; for each round the last column of $K^{r-1}$ passes through RotWord, SubWord and Rcon$_r$ and is XORed into the first column of $K^r$, and each remaining column of $K^r$ is the XOR of its left neighbour and the corresponding column of $K^{r-1}$.)

III. EXISTING ATTACKS ON AES-128 KEY SCHEDULE WITH TWO FAULTY CIPHERTEXTS

Takahashi et al. proposed a fault attack on the AES-128 key schedule using two faulty ciphertexts [12]. However, their attack required a 48-bit brute-force search. This attack was improved by Kim et al. in [13]. Kim's attack required only a 32-bit brute-force search. In Kim's attack, a three-byte fault is induced in the first column of the ninth round key while it is being executed. Therefore, the fault subsequently propagates to the tenth round key. The flow of the fault is shown in Figure 2, where $m, n, o, x, y, z \in \{1, 2, \ldots, 255\}$ represent the fault values.

Figure 2. Flow of Faults in Last Two Round Keys. (Figure not reproduced in this copy: $K^9$ carries the fault values $m$, $n$, $o$ in its first three rows across all four columns; after RotWord, SubWord and Rcon$_{10}$ they become $x$, $y$, $z$ in $K^{10}$, whose first and third columns carry $m \oplus x$, $n \oplus y$, $o$, $z$ and whose second and fourth columns carry $x$, $y$, $z$.)

The fault value $o$ in the third row of the ninth round key $K^9$ is first targeted. The two pairs of fault-free and faulty ciphertexts $(C, C_1)$ and $(C, C_2)$ are known to the attacker. Therefore, the value of $o$ at the third row of $K^9$ can be represented in terms of $C$, $C_1$ and the tenth round key $K^{10}$ as follows:

$$o = SB^{-1}(C_{2,2} \oplus K^{10}_{2,2}) \oplus SB^{-1}(C_{1(2,2)} \oplus K^{10}_{2,2} \oplus o)$$
$$o = SB^{-1}(C_{2,3} \oplus K^{10}_{2,3}) \oplus SB^{-1}(C_{1(2,3)} \oplus K^{10}_{2,3})$$
$$o = SB^{-1}(C_{2,0} \oplus K^{10}_{2,0}) \oplus SB^{-1}(C_{1(2,0)} \oplus K^{10}_{2,0} \oplus o)$$
$$o = SB^{-1}(C_{2,1} \oplus K^{10}_{2,1}) \oplus SB^{-1}(C_{1(2,1)} \oplus K^{10}_{2,1}) \qquad (1)$$

If we recall the analysis in [9, Section 3.4], we can say that one candidate of the quadruple $K^{10}_{2,0}, K^{10}_{2,1}, K^{10}_{2,2}, K^{10}_{2,3}$ satisfies the above system of equations with probability $\frac{1}{2^{24}}$. There are $2^{32}$ possible candidates of the quadruple $K^{10}_{2,0}, K^{10}_{2,1}, K^{10}_{2,2}, K^{10}_{2,3}$. Therefore, the number of candidates of the key quartet $K^{10}_{2,0}, K^{10}_{2,1}, K^{10}_{2,2}, K^{10}_{2,3}$ satisfying the above system of equations is $\frac{2^{32}}{2^{24}} = 2^8$. One faulty ciphertext reduces the possible choices of the key quartet from $2^{32}$ to $2^8$. Therefore, with another faulty ciphertext $C_2$ the quartet of key bytes can be uniquely determined. After uniquely determining the values of $K^{10}_{2,0}, K^{10}_{2,1}, K^{10}_{2,2}, K^{10}_{2,3}, o$, the attacker deduces the values $x$ and $y$ as:

$$x = S(K^9_{1,3}) \oplus S(K^9_{1,3} \oplus n) = S(K^{10}_{1,3} \oplus K^{10}_{1,2}) \oplus S(K^{10}_{1,3} \oplus K^{10}_{1,2} \oplus n)$$
$$y = S(K^9_{2,3}) \oplus S(K^9_{2,3} \oplus o) = S(K^{10}_{2,3} \oplus K^{10}_{2,2}) \oplus S(K^{10}_{2,3} \oplus K^{10}_{2,2} \oplus o)$$

Therefore, the attacker now follows the same technique and uniquely determines the values of $K^{10}_{1,0}, K^{10}_{1,1}, K^{10}_{1,2}, K^{10}_{1,3}, n$ and $K^{10}_{0,0}, K^{10}_{0,1}, K^{10}_{0,2}, K^{10}_{0,3}, m$ from the relation between the fault values in the second and first rows of $K^9$ respectively. Hence, the attacker retrieves the values of three rows of $K^{10}$. This implies that using two faulty ciphertexts the attacker can retrieve 96 bits out of the 128 bits of the AES key.

Comments: The existing attack induces a three-byte fault at the first column of the ninth round key while it is being executed. The fault model behind this attack is the capability to induce three byte faults. Thus, under this model the probability that all three byte faults are in one column is $\frac{{}^4C_3}{{}^{16}C_3} = 0.000549$. Further, the present attack requires two fault inductions. Thus the probability of success is even less: $(0.000549)^2 \approx 3 \times 10^{-7}$. Thus the probability of success when the induction of the fault is random is extremely small. For example, techniques like variation of the input supply voltage or input clock frequency lead to a random distribution of faults [15]–[18]. This implies that an improvement of the fault attack can be performed in two directions: first, changing the fault model to make the attack more realistic, and secondly, reducing the required number of faults while keeping the time complexity within practical limits. In the next section we propose an improved attack using a single-byte fault model which requires a single fault induction.

IV. IMPROVED ATTACK USING SINGLE FAULTY CIPHERTEXT

It is clear from the comments of the previous section that the existing attack [13] has a very low chance of obtaining faulty ciphertexts of the desired fault model. From an attacker's perspective, an attack is needed which requires fewer faulty ciphertexts and has a high success rate. In this section we propose a more practical attack which requires only one faulty ciphertext with a single-byte fault.

A. Fault Model

Like the previous attacks, we also consider the fault model where the fault is induced in a particular round key while it is being executed, so that the fault spreads to the subsequent round keys. In our fault model we assume a single-byte fault is injected at the first column of the eighth round key. The flow of the fault in the round keys is shown in Figure 3.

Figure 3. Flow of Single Byte Fault Induced in Ninth Round Key of AES-128 Key Scheduling. (Figure not reproduced in this copy: the fault $p$ in the first column of $K^8$ spreads along the first row of $K^8$; in $K^9$ it appears as $p$ in the first row of the first and third columns and as $q$ in the fourth row of every column; in $K^{10}$ it appears as $p$ in the first row of the first two columns, $r$ in the third row of every column and $q$ in the fourth row of the first and third columns.)

Therefore, the fault model is more practical, especially when the fault is injected randomly by cheap means like a glitch in the input clock line or a fluctuation in the voltage line. The chance of getting such a faulty ciphertext is the probability that the faulty byte occurs in the first column, which is $\frac{1}{4} = 0.25$. This is quite high compared to the existing fault model described in the previous section.

B. The Attack Principle

In the proposed attack we retrieve the AES-128 key in two phases. In the first phase we attack the final round key $K^{10}$ and reduce it to $2^{40}$ choices. In the second phase we attack the penultimate round key $K^9$ and reduce it to $2^8$ choices. Therefore, finally we get $2^8$ choices of the master key. We start with the first phase of the attack.

1) First Phase of the Attack: In this phase of the attack we try to reduce the key space of the tenth round key $K^{10}$ by using the relation between the fault values at the end of the ninth round MixColumns operation. As Figure 3 depicts, the induced fault spreads to the first row of the eighth round key $K^8$. In the ninth round key $K^9$, the fault spreads to the first and fourth rows with fault values $p$ and $q$. The relation between $p$ and $q$ is given as:

$$q = S[K^9_{0,3} \oplus K^9_{0,2}] \oplus S[K^9_{0,3} \oplus K^9_{0,2} \oplus p] = S[K^{10}_{0,3} \oplus K^{10}_{0,1}] \oplus S[K^{10}_{0,3} \oplus K^{10}_{0,1} \oplus p] = S[K^8_{0,3}] \oplus S[K^8_{0,3} \oplus p] \qquad (2)$$

Similarly, the fault value $r$ at the third row of $K^{10}$ is given as:

$$r = S[K^{10}_{3,3} \oplus K^{10}_{3,2}] \oplus S[K^{10}_{3,3} \oplus K^{10}_{3,2} \oplus q] = S[K^9_{3,3}] \oplus S[K^9_{3,3} \oplus q] \qquad (3)$$

Figure 4. Last Three Rounds of AES-128 Key Scheduling Algorithm. (Figure not reproduced in this copy: it shows the 8th, 9th and 10th rounds with the faulty round keys $K^8$, $K^9$ and $K^{10}$ entering through AddRoundKey, and the intermediate states $S_1$ to $S_5$ between SubByte, ShiftRow and MixCol.)

As per AES-128 encryption, the faults in the round keys are propagated to the intermediate states through the AddRoundKey operations. Figure 4 shows the propagation of the faults. At the input of the ninth round only the first row of the state matrix $S_1$ is corrupted, and the fault values in the first row are $\{p, p, p, p\}$. These values spread to the corresponding columns at the end of the ninth round MixColumns and form four relations (state matrix $S_2$). The relation in the $i$-th column is given as $\{2f_i, f_i, f_i, 3f_i\}$, where $0 \le i \le 3$ and $f_i \in \{1, 2, \ldots, 255\}$. After the AddRoundKey operation these relations change to $\{p \oplus 2f_0, f_0, f_0, q \oplus 3f_0\}$, $\{2f_1, f_1, f_1, q \oplus 3f_1\}$, $\{p \oplus 2f_2, f_2, f_2, q \oplus 3f_2\}$, $\{2f_3, f_3, f_3, q \oplus 3f_3\}$ (state matrix $S_3$). We know the fault-free and faulty ciphertexts $(C, C')$. Therefore, the fault values in the first column of the state matrix $S_3$ can be represented in terms of $(C, C')$ and $K^{10}$ as follows:

$$p \oplus 2f_0 = S^{-1}[K^{10}_{0,0} \oplus C_{0,0}] \oplus S^{-1}[K^{10}_{0,0} \oplus C'_{0,0} \oplus p] \qquad (4a)$$
$$f_0 = S^{-1}[K^{10}_{1,3} \oplus C_{1,3}] \oplus S^{-1}[K^{10}_{1,3} \oplus C'_{1,3}] \qquad (4b)$$
$$f_0 = S^{-1}[K^{10}_{2,2} \oplus C_{2,2}] \oplus S^{-1}[K^{10}_{2,2} \oplus C'_{2,2} \oplus r] \qquad (4c)$$
$$q \oplus 3f_0 = S^{-1}[K^{10}_{3,1} \oplus C_{3,1}] \oplus S^{-1}[K^{10}_{3,1} \oplus C'_{3,1}] \qquad (4d)$$

Similarly, from the other three columns of the state matrix $S_3$ we have the following sets of equations:

$$2f_1 = S^{-1}[K^{10}_{0,1} \oplus C_{0,1}] \oplus S^{-1}[K^{10}_{0,1} \oplus C'_{0,1} \oplus p] \qquad (5a)$$
$$f_1 = S^{-1}[K^{10}_{1,0} \oplus C_{1,0}] \oplus S^{-1}[K^{10}_{1,0} \oplus C'_{1,0}] \qquad (5b)$$
$$f_1 = S^{-1}[K^{10}_{2,3} \oplus C_{2,3}] \oplus S^{-1}[K^{10}_{2,3} \oplus C'_{2,3} \oplus r] \qquad (5c)$$
$$q \oplus 3f_1 = S^{-1}[K^{10}_{3,2} \oplus C_{3,2}] \oplus S^{-1}[K^{10}_{3,2} \oplus C'_{3,2} \oplus q] \qquad (5d)$$

$$p \oplus 2f_2 = S^{-1}[K^{10}_{0,2} \oplus C_{0,2}] \oplus S^{-1}[K^{10}_{0,2} \oplus C'_{0,2}] \qquad (6a)$$
$$f_2 = S^{-1}[K^{10}_{1,1} \oplus C_{1,1}] \oplus S^{-1}[K^{10}_{1,1} \oplus C'_{1,1}] \qquad (6b)$$
$$f_2 = S^{-1}[K^{10}_{2,0} \oplus C_{2,0}] \oplus S^{-1}[K^{10}_{2,0} \oplus C'_{2,0} \oplus r] \qquad (6c)$$
$$q \oplus 3f_2 = S^{-1}[K^{10}_{3,3} \oplus C_{3,3}] \oplus S^{-1}[K^{10}_{3,3} \oplus C'_{3,3}] \qquad (6d)$$

$$2f_3 = S^{-1}[K^{10}_{0,3} \oplus C_{0,3}] \oplus S^{-1}[K^{10}_{0,3} \oplus C'_{0,3}] \qquad (7a)$$
$$f_3 = S^{-1}[K^{10}_{1,2} \oplus C_{1,2}] \oplus S^{-1}[K^{10}_{1,2} \oplus C'_{1,2}] \qquad (7b)$$
$$f_3 = S^{-1}[K^{10}_{2,1} \oplus C_{2,1}] \oplus S^{-1}[K^{10}_{2,1} \oplus C'_{2,1} \oplus r] \qquad (7c)$$
$$q \oplus 3f_3 = S^{-1}[K^{10}_{3,0} \oplus C_{3,0}] \oplus S^{-1}[K^{10}_{3,0} \oplus C'_{3,0} \oplus q] \qquad (7d)$$

These differential equations are not the same as in the attacks on AES states, such as those proposed in [8] and [9]. Here we have 7 unknown variables in each of the above four sets of differential equations. If we try to solve each set of equations on its own, then the reduced search space of the corresponding key quartet will be $\frac{2^{8 \cdot 7}}{2^{24}} = 2^{32}$. Therefore, after solving all four sets of equations the total search space of the final round key will still remain $2^{128}$. This implies that the equations cannot be solved in the same way as in the existing attacks [8], [9]. We apply a divide and conquer approach to solve the above four sets of equations: we divide each of the four sets into subsets and solve them separately. In order to reduce the time complexity of the process we use an S-Box difference table. For a differential equation like:


$$\beta = S^{-1}[X] \oplus S^{-1}[X \oplus \alpha] \qquad (8)$$

we can have 0, 2 or 4 solutions of $X$ for a given value of $(\alpha, \beta)$, where $\alpha, \beta \in \mathbb{F}_{2^8}$. In the case of the AES S-Box, the above equation gives 4 solutions of $X$ when $S[\,] = 0x06$; else it has 0 or 2 solutions. For a fixed value of $\alpha$, the above equation produces 4 solutions of $X$ only once and 2 solutions 126 times out of the 255 choices of $\beta$. The rest of the choices of $\beta$ produce no solution of $X$. For more details the reader can refer to [19]. We maintain a table $SD$ which contains the solutions of $X$ for $(\alpha, \beta)$, where $1 \le \alpha, \beta \le 255$. Therefore, using this S-Box difference table and given values of $p$, $q$, $r$, we can solve any one of the above four sets of equations with time complexity $2^8$.

Following this technique, for given values of $p$ and $q$ we deduce $2^8$ choices of $\{K^{10}_{0,1}, K^{10}_{1,0}, K^{10}_{3,2}\}$ from the three equations (5a), (5b) and (5d). Similarly, we deduce $2^8$ choices of $\{K^{10}_{0,3}, K^{10}_{1,2}, K^{10}_{3,0}\}$ from equations (7a), (7b), (7d). Therefore, we have $2^{16}$ possible choices of the six key bytes $\{K^{10}_{0,1}, K^{10}_{1,0}, K^{10}_{3,2}, K^{10}_{0,3}, K^{10}_{1,2}, K^{10}_{3,0}\}$. These values are tested by equation (2), which reduces the possible choices of the six key bytes from $2^{16}$ to $\frac{2^{16}}{2^8} = 2^8$. For each such choice we deduce $2^8$ choices of $\{K^{10}_{0,2}, K^{10}_{1,1}, K^{10}_{3,3}\}$ from equations (6a), (6b), (6d). So now we have $2^{16}$ choices of $\{K^{10}_{0,1}, K^{10}_{1,0}, K^{10}_{3,2}, K^{10}_{0,3}, K^{10}_{1,2}, K^{10}_{3,0}, K^{10}_{0,2}, K^{10}_{1,1}, K^{10}_{3,3}\}$. These include the values of $K^{10}_{3,3}$ and $K^{10}_{3,2}$. We use these values and deduce the corresponding values of $r$ from equation (3). Subsequently, we deduce the corresponding values of $\{K^{10}_{2,3}, K^{10}_{2,0}, K^{10}_{2,1}\}$ from equations (5c), (6c), (7c), using the values of $f_1, f_2, f_3$ from the previous iterations. Therefore, up to this point we have $2^{16}$ possible choices of $\{K^{10}_{0,1}, K^{10}_{1,0}, K^{10}_{2,3}, K^{10}_{3,2}, K^{10}_{0,3}, K^{10}_{1,2}, K^{10}_{2,1}, K^{10}_{3,0}, K^{10}_{0,2}, K^{10}_{1,1}, K^{10}_{2,0}, K^{10}_{3,3}\}$. For each of these $2^{16}$ candidates we get corresponding $2^8$ candidates of the four key bytes $\{K^{10}_{0,0}, K^{10}_{1,3}, K^{10}_{2,2}, K^{10}_{3,1}\}$ from the set of four equations (4). Therefore, finally we have $2^{24}$ choices of the tenth round key $K^{10}$ for fixed values of $p$ and $q$. Hence, for all possible $2^{16}$ values of $p$ and $q$ we get $2^{40}$ possible candidates of $K^{10}$. We verified the result by performing a simulation in our laboratory. The simulated attack is written in C, compiled using gcc-4.4.3, and run on a desktop Intel Core 2 Duo processor of 3 GHz. It takes around 18 hours to produce all the possible $2^{40}$ candidates of $K^{10}$. In the next section we describe the second phase of the attack, which further reduces the possible choices of the tenth round key from $2^{40}$ to $2^8$.

2) Second Phase of the Attack: In this phase of the attack we use the relations between the faulty bytes in the ninth round input. As shown in Figure 4, the induced single-byte fault spreads to all four bytes in the first row of the eighth round key $K^8$. At AddRoundKey, these fault values subsequently corrupt the four bytes of the first row of the ninth round input state matrix $S_1$. The values of the fault in $S_1$ are the same as in $K^8$. Therefore, the fault value in the first row is $\{p, p, p, p\}$. The fault value $p$ at location $(0, 0)$ in $S_1$ can be represented as:
$$p = S^{-1}\big[14(S^{-1}[K^{10}_{0,0} \oplus C_{0,0}] \oplus K^9_{0,0}) \oplus 11(S^{-1}[K^{10}_{1,3} \oplus C_{1,3}] \oplus K^9_{1,0}) \oplus 13(S^{-1}[K^{10}_{2,2} \oplus C_{2,2}] \oplus K^9_{2,0}) \oplus 9(S^{-1}[K^{10}_{3,1} \oplus C_{3,1}] \oplus K^9_{3,0})\big] \oplus S^{-1}\big[14(S^{-1}[K^{10}_{0,0} \oplus C'_{0,0} \oplus p] \oplus (K^9_{0,0} \oplus p)) \oplus 11(S^{-1}[K^{10}_{1,3} \oplus C'_{1,3}] \oplus K^9_{1,0}) \oplus 13(S^{-1}[K^{10}_{2,2} \oplus C'_{2,2} \oplus r] \oplus K^9_{2,0}) \oplus 9(S^{-1}[K^{10}_{3,1} \oplus C'_{3,1}] \oplus (K^9_{3,0} \oplus q))\big] \qquad (9)$$

Similarly, the other three faulty bytes can be expressed by the following equations:

$$p = S^{-1}\big[14(S^{-1}[K^{10}_{0,1} \oplus C_{0,1}] \oplus K^9_{0,1}) \oplus 11(S^{-1}[K^{10}_{1,0} \oplus C_{1,0}] \oplus K^9_{1,1}) \oplus 13(S^{-1}[K^{10}_{2,3} \oplus C_{2,3}] \oplus K^9_{2,1}) \oplus 9(S^{-1}[K^{10}_{3,2} \oplus C_{3,2}] \oplus K^9_{3,1})\big] \oplus S^{-1}\big[14(S^{-1}[K^{10}_{0,1} \oplus C'_{0,1} \oplus p] \oplus K^9_{0,1}) \oplus 11(S^{-1}[K^{10}_{1,0} \oplus C'_{1,0}] \oplus K^9_{1,1}) \oplus 13(S^{-1}[K^{10}_{2,3} \oplus C'_{2,3} \oplus r] \oplus K^9_{2,1}) \oplus 9(S^{-1}[K^{10}_{3,2} \oplus C'_{3,2} \oplus q] \oplus (K^9_{3,1} \oplus q))\big] \qquad (10)$$

$$p = S^{-1}\big[14(S^{-1}[K^{10}_{0,2} \oplus C_{0,2}] \oplus K^9_{0,2}) \oplus 11(S^{-1}[K^{10}_{1,1} \oplus C_{1,1}] \oplus K^9_{1,2}) \oplus 13(S^{-1}[K^{10}_{2,0} \oplus C_{2,0}] \oplus K^9_{2,2}) \oplus 9(S^{-1}[K^{10}_{3,3} \oplus C_{3,3}] \oplus K^9_{3,2})\big] \oplus S^{-1}\big[14(S^{-1}[K^{10}_{0,2} \oplus C'_{0,2}] \oplus (K^9_{0,2} \oplus p)) \oplus 11(S^{-1}[K^{10}_{1,1} \oplus C'_{1,1}] \oplus K^9_{1,2}) \oplus 13(S^{-1}[K^{10}_{2,0} \oplus C'_{2,0} \oplus r] \oplus K^9_{2,2}) \oplus 9(S^{-1}[K^{10}_{3,3} \oplus C'_{3,3}] \oplus (K^9_{3,2} \oplus q))\big] \qquad (11)$$

$$p = S^{-1}\big[14(S^{-1}[K^{10}_{0,3} \oplus C_{0,3}] \oplus K^9_{0,3}) \oplus 11(S^{-1}[K^{10}_{1,2} \oplus C_{1,2}] \oplus K^9_{1,3}) \oplus 13(S^{-1}[K^{10}_{2,1} \oplus C_{2,1}] \oplus K^9_{2,3}) \oplus 9(S^{-1}[K^{10}_{3,0} \oplus C_{3,0}] \oplus K^9_{3,3})\big] \oplus S^{-1}\big[14(S^{-1}[K^{10}_{0,3} \oplus C'_{0,3}] \oplus K^9_{0,3}) \oplus 11(S^{-1}[K^{10}_{1,2} \oplus C'_{1,2}] \oplus K^9_{1,3}) \oplus 13(S^{-1}[K^{10}_{2,1} \oplus C'_{2,1} \oplus r] \oplus K^9_{2,3}) \oplus 9(S^{-1}[K^{10}_{3,0} \oplus C'_{3,0} \oplus q] \oplus (K^9_{3,3} \oplus q))\big] \qquad (12)$$
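To make the objects these equations manipulate concrete, the following is an added example in Python; it is not the authors' C simulation and nothing in it is taken from that code. It builds the AES S-box from the definition in Section II-A, expands an AES-128 key as in Figure 1 (round keys indexed $K^r_{i,j}$ as in Section II-B), injects a single-byte fault $p$ into the first column of $K^8$ as in the fault model of Section IV-A and checks that the resulting differences in $K^8$, $K^9$ and $K^{10}$ are exactly the pattern of Figure 3 with $q$ and $r$ given by equations (2) and (3), tabulates the solution counts (0, 2 or 4) of the differential equation (8) into the table $SD$, and walks the key schedule backwards from $K^{10}$ to the master key, the inversion the second phase relies on to obtain $K^9$ from $K^{10}$. The sample master key is the FIPS-197 Appendix A test vector, the fault value 0x5A is a constructed example, and all function names are the example's own.

```python
# Added illustrative example in Python (not the authors' C simulation) of the AES objects the
# paper's equations manipulate.  Round keys are 4x4 lists K[row][col], the paper's K^r_{i,j};
# the master key is the FIPS-197 Appendix A test vector and the fault value is constructed.
from collections import Counter

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def gf_mul(a, b):
    """Multiplication in F_{2^8} modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = ((a << 1) ^ 0x11B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return r

def _sbox_entry(x):
    """SubBytes per Section II-A: inverse in F_{2^8} (0 maps to 0), then the affine map."""
    inv = 1
    for _ in range(254):                     # x^254 = x^-1 for x != 0; stays 0 for x = 0
        inv = gf_mul(inv, x)
    rot = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63

SBOX = [_sbox_entry(x) for x in range(256)]
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i

def key_schedule(master, fault=None):
    """AES-128 round keys K^0..K^10 (Figure 1).  fault=(n, row, delta) XORs delta into K^n[row][0]
    as soon as column 0 of K^n exists, i.e. while K^n is being executed, so the other columns of
    K^n and every later round key inherit it (the fault model of Section IV-A)."""
    keys = [[[master[4 * c + r] for c in range(4)] for r in range(4)]]
    for n in range(1, 11):
        prev, new = keys[-1], [[0] * 4 for _ in range(4)]
        for r in range(4):    # column 0 = prev column 0 ^ SubWord(RotWord(prev column 3)) ^ Rcon_n
            new[r][0] = prev[r][0] ^ SBOX[prev[(r + 1) % 4][3]] ^ (RCON[n - 1] if r == 0 else 0)
        if fault and fault[0] == n:
            new[fault[1]][0] ^= fault[2]
        for c in range(1, 4):  # column c = column c-1 ^ prev column c
            for r in range(4):
                new[r][c] = new[r][c - 1] ^ prev[r][c]
        keys.append(new)
    return keys

def invert_round_key(k, n):
    """K^{n-1} from K^n: the relation of Section IV-B2 (written there for n = 10)."""
    prev = [[0] * 4 for _ in range(4)]
    for c in range(1, 4):
        for r in range(4):
            prev[r][c] = k[r][c] ^ k[r][c - 1]
    for r in range(4):
        prev[r][0] = k[r][0] ^ SBOX[prev[(r + 1) % 4][3]] ^ (RCON[n - 1] if r == 0 else 0)
    return prev

def to_bytes(k):
    return bytes(k[r][c] for c in range(4) for r in range(4))

def master_from_k10(k10):
    """Walk K^10 back to K^0: one round key determines the whole AES-128 key."""
    k = k10
    for n in range(10, 0, -1):
        k = invert_round_key(k, n)
    return to_bytes(k)

def fault_flow(master, p):
    """Differences K^n ^ K^n(faulty), n = 8, 9, 10, after a single-byte fault p in K^8[0][0],
    together with (p, q, r) where q and r follow equations (2) and (3)."""
    good, bad = key_schedule(master), key_schedule(master, fault=(8, 0, p))
    diff = {n: [[good[n][r][c] ^ bad[n][r][c] for c in range(4)] for r in range(4)]
            for n in (8, 9, 10)}
    q = SBOX[good[8][0][3]] ^ SBOX[good[8][0][3] ^ p]     # equation (2)
    r = SBOX[good[9][3][3]] ^ SBOX[good[9][3][3] ^ q]     # equation (3)
    return diff, (p, q, r)

def matches_figure3(master, p):
    """True if the propagated differences are exactly the pattern drawn in Figure 3."""
    diff, (p, q, r) = fault_flow(master, p)
    z = [0, 0, 0, 0]
    return diff == {8: [[p, p, p, p], z, z, z],
                    9: [[p, 0, p, 0], z, z, [q, q, q, q]],
                    10: [[p, p, 0, 0], z, [r, r, r, r], [q, 0, q, 0]]}

def build_sd_table():
    """The S-box difference table SD of Section IV-B1: SD[(alpha, beta)] lists every X with
    S^-1[X] ^ S^-1[X ^ alpha] == beta (equation (8)); a missing key means no solution."""
    sd = {}
    for alpha in range(1, 256):
        for x in range(256):
            sd.setdefault((alpha, INV_SBOX[x] ^ INV_SBOX[x ^ alpha]), []).append(x)
    return sd

def solution_profile(sd, alpha):
    """For a fixed alpha: how many beta in 1..255 give 0, 2 and 4 solutions of (8)."""
    counts = Counter(len(sd[(alpha, b)]) for b in range(1, 256) if (alpha, b) in sd)
    counts[0] = 255 - sum(counts.values())
    return dict(counts)

if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 Appendix A key
    k10 = key_schedule(key)[10]
    print("K^10:", to_bytes(k10).hex(), " master from K^10:", master_from_k10(k10).hex())
    diff, pqr = fault_flow(key, 0x5A)                           # 0x5A: constructed fault value
    print("Figure 3 pattern:", matches_figure3(key, 0x5A), " (p, q, r) =", [hex(v) for v in pqr])
    print("solutions of (8) per beta, alpha = 0x5A:", solution_profile(build_sd_table(), 0x5A))
```

Running the script prints the FIPS-197 round-10 key d014f9a8c9ee2589e13f0cc8b6630ca6, recovers the master key from it, confirms the Figure 3 pattern, and reports the profile {0: 128, 2: 126, 4: 1} for alpha = 0x5A, i.e. the single 4-solution entry and 126 2-solution entries the text states for equation (8). From a defender's viewpoint `fault_flow` is the useful part: one corrupted byte of $K^8$ leaves $K^9$ wrong in 6 byte positions and $K^{10}$ wrong in 8, so an integrity check that only covers the round key being computed does not detect the corruption that the later rounds actually consume; every later round key has to be checked, or the expansion recomputed.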

AES-128 key scheduling is invertible, which means that only one round key is enough to obtain all the other round keys or the actual master key. The ninth round key $K^9$ can be represented in terms of the tenth round key $K^{10}$ as follows:

$$K^9 = \begin{pmatrix}
K^{10}_{0,0} \oplus S[K^{10}_{1,3} \oplus K^{10}_{1,2}] \oplus h_{10} & K^{10}_{0,1} \oplus K^{10}_{0,0} & K^{10}_{0,2} \oplus K^{10}_{0,1} & K^{10}_{0,3} \oplus K^{10}_{0,2} \\
K^{10}_{1,0} \oplus S[K^{10}_{2,3} \oplus K^{10}_{2,2}] & K^{10}_{1,1} \oplus K^{10}_{1,0} & K^{10}_{1,2} \oplus K^{10}_{1,1} & K^{10}_{1,3} \oplus K^{10}_{1,2} \\
K^{10}_{2,0} \oplus S[K^{10}_{3,3} \oplus K^{10}_{3,2}] & K^{10}_{2,1} \oplus K^{10}_{2,0} & K^{10}_{2,2} \oplus K^{10}_{2,1} & K^{10}_{2,3} \oplus K^{10}_{2,2} \\
K^{10}_{3,0} \oplus S[K^{10}_{0,3} \oplus K^{10}_{0,2}] & K^{10}_{3,1} \oplus K^{10}_{3,0} & K^{10}_{3,2} \oplus K^{10}_{3,1} & K^{10}_{3,3} \oplus K^{10}_{3,2}
\end{pmatrix}$$

where $h_{10}$ is Rcon$_{10}$. The fault-free and faulty ciphertexts $(C, C')$ are known to us, and we have $2^{40}$ possible candidates of $K^{10}$ from the first phase of the attack as described in Section IV-B1. In order to further reduce the possible choices of $K^{10}$, we convert each tenth round key $K^{10}$ from the first phase of the attack to the corresponding ninth round key $K^9$ and test it by the four differential equations (9), (10), (11) and (12). Those which satisfy the test are kept; the rest are discarded. There are $2^8$ candidates out of $2^{40}$ which satisfy the above four equations. However, the time complexity of the attack remains $2^{40}$, as we have to test all the possible tenth round keys $K^{10}$ by the above four equations. We have evaluated this two-phase attack on a desktop Core 2 Duo processor of 3 GHz with 2 GB RAM. It takes around 26 hours to generate all the possible $2^8$ final round keys.

The time consumed by the attack is still quite high. In a practical scenario, the induced fault is uncertain and random in nature unless it is injected by sophisticated, precision-based devices [20]. Therefore, ideally an attacker would want to develop a DFA which can reveal the secret within minutes instead of hours under the ideal conditions of the fault model. In the real scenario, the attacker has to repeat the attack a number of times with faulty ciphertexts, so that the required nature of fault, and hence the secret key, is obtained in one of the attempts. Hence, a further reduction of the time complexity is desired. In the next section we propose a technique which further reduces the time complexity of the attack so that it can be performed within an hour.

3) Time Complexity Reduction: In the second phase of the attack we have four equations (9), (10), (11) and (12). Each of the $2^{40}$ possible tenth round keys from the first phase of the attack is tested by these four equations. However, none of these four equations requires all 16 bytes of the tenth round key $K^{10}$. For example, the first equation (9) requires only 13 bytes of $K^{10}$: $K^{10}_{0,0}, K^{10}_{1,3}, K^{10}_{2,2}, K^{10}_{3,1}$, and another 9 bytes for $K^9_{0,0}, K^9_{1,0}, K^9_{2,0}, K^9_{3,0}$. The last three equations require 10 key bytes each. We also need to consider the dependency between the key bytes $K^{10}_{0,3}$ and $K^{10}_{0,1}$ in equation (2), and $K^{10}_{3,3}$ and $K^{10}_{3,2}$ in equation (3). Therefore, to further reduce the time complexity of the attack, we can consider one of the four equations at a time [21]. We choose equation (11), as it requires 10 key bytes plus $K^{10}_{0,3}$ (dependency with $K^{10}_{0,1}$ in equation (2)), which is the least number of key bytes required among all four equations. In this case, we only need the possible choices of the required 11 key bytes from the first phase of the attack, and the remaining five key bytes $\{K^{10}_{0,0}, K^{10}_{1,0}, K^{10}_{3,0}, K^{10}_{1,3}, K^{10}_{2,3}\}$ can be fixed. From the differential equation (8) we know that for a fixed value of $\alpha$, $X$ has 2 solutions in 126 cases and 4 solutions in one case out of the 256 possible choices of $\beta$. Now, if we consider the set of equations (4), we have $2^8$ choices of the quartet of key bytes $\{K^{10}_{0,0}, K^{10}_{1,3}, K^{10}_{2,2}, K^{10}_{3,1}\}$ for given values of $p$, $q$ and $r$. If $(a_1, b_1, c_1, d_1)$ is one solution of the set of equations (4), then there is another solution, say $(a_2, b_1, c_1, d_1)$, with the same values of $K^{10}_{1,3}, K^{10}_{2,2}, K^{10}_{3,1}$. This is true in 126 out of 127 cases. This implies that a unique value of $\{K^{10}_{1,3}, K^{10}_{2,2}, K^{10}_{3,1}\}$ corresponds to two values of $K^{10}_{0,0}$. Therefore, if we fix $K^{10}_{0,0}$ we will have $2^7$ choices of the remaining three key bytes $\{K^{10}_{1,3}, K^{10}_{2,2}, K^{10}_{3,1}\}$. There are $2^{40}$ possible choices of the 16-byte key $K^{10}$. If we fix the five key bytes $K^{10}_{0,0}, K^{10}_{1,0}, K^{10}_{3,0}, K^{10}_{1,3}, K^{10}_{2,3}$, then there will be $\frac{2^{40}}{2^5} = 2^{35}$ choices of the remaining 11 key bytes. These $2^{35}$ possible candidates are tested by equation (11); those which satisfy it are combined with the $2^5$ possible choices of $K^{10}_{0,0}, K^{10}_{1,0}, K^{10}_{3,0}, K^{10}_{1,3}, K^{10}_{2,3}$ and subsequently tested by the remaining three equations (9), (10) and (12). So now the complexity of the attack reduces from $2^{40}$ to $2^{35}$. Therefore, finally the four equations (9), (10), (11) and (12) reduce the possible choices of $K^{10}$ to $2^8$ candidates. Thus, this time complexity reduction technique reduces the required time of the attack by $2^5$. In actual experiments the two-phase attack with reduced time complexity takes around 35 minutes to reveal all the possible $2^8$ keys. The summary of the two-phase attack is given in Algorithm 1.

C. Analysis of the Attack

A differential equation like (8) reduces $2^{16}$ candidates on the right-hand side to $2^8$ candidates on the left-hand side. The search space reduction in such an equation is given by $\frac{2^8}{2^{16}} = \frac{1}{2^8}$. If we have $N$ such equations then the reduction is given by $(\frac{1}{2^8})^N$. If $N$ equations contain $M$ byte unknown variables, i.e. an $8M$-bit search space, then the reduced search space is given as $(\frac{1}{2^8})^N (2^8)^M$. There are seven equations (5a), (5b), (5d), (7a), (7b), (7d) and (2) up to line number 7 in Algorithm 1, which contain ten variables. Therefore, the reduced search space is given by $(\frac{1}{2^8})^7 (2^8)^{10} = 2^{24}$. This implies that $2^{24}$ candidates will satisfy the if block at line 7. Inside the first if block and up to line number 13, we have eleven equations (6a), (6b), (6d), (5c), (6c), (7c), (4a), (4b), (4c), (4d) and (3), and correspondingly thirteen unknown variables. It may be noted that the variables $f_1, f_3, p, q$ are already considered in the previous equations. So the eleven equations reduce the search space of the thirteen variables to $(\frac{1}{2^8})^{11} (2^8)^{13} = 2^{16}$. Therefore, each of the possible candidates satisfying the first if condition will combine with $2^{16}$ candidates inside the


Algorithm 1: DFA on AES-128 Key Scheduling using Single Faulty Ciphertext

Input: $C$, $C'$
Output: List $L_k$ of tenth round keys $K^{10}$
1   for each candidate of $\{p, q\}$ do
2     for each candidate of $f_1$ do
3       Get $\{K^{10}_{0,1}, K^{10}_{1,0}, K^{10}_{3,2}\}$ from equations (5a), (5b) and (5d).
4       for each candidate of $f_3$ do
5         Get $\{K^{10}_{0,3}, K^{10}_{1,2}, K^{10}_{3,0}\}$ from equations (7a), (7b) and (7d).
6         Test equation (2).
7         if satisfied then
8           for each candidate of $f_2$ do
9             Get $\{K^{10}_{0,2}, K^{10}_{1,1}, K^{10}_{3,3}\}$ from equations (6a), (6b) and (6d).
10            Get $r$ from equation (3).
11            Get $K^{10}_{2,3}, K^{10}_{2,0}, K^{10}_{2,1}$ from equations (5c), (6c) and (7c).
12            for each candidate of $f_0$ do
13              Get $\{K^{10}_{0,0}, K^{10}_{1,3}, K^{10}_{2,2}, K^{10}_{3,1}\}$ from equations (4).
14              Get $K^9$ from $K^{10}$ using AES-128 key scheduling.
15              Test equation (11) [as mentioned in Section IV-B3].
16              if satisfied then
17                for each value of $\{K^{10}_{0,0}, K^{10}_{1,0}, K^{10}_{3,0}, K^{10}_{1,3}, K^{10}_{2,3}\}$ do
18                  Get $K^9$ from $K^{10}$ using AES-128 key scheduling.
19                  Test equations (9), (10) and (12).
20                  if satisfied then
21                    Save $K^{10}$ to $L_k$.

the simulated attack required around 35 minutes to generate all the 28 possible candidates of nal round key. Table I shows some of the keys which were attacked.
Table I E XPERIMENTAL R ESULTS
Random 128-bit AES key 6f6cd764b8ab8f18 b8a86764237147cd 9c1933a4f7238613 f85db821f4e49e65 f0003d186fd9c128 2c2c7b3f578f39e8 d4e278834cfe9197 0bcb5eaf2317623a 71d1e622409256bb dade1874f57bd79c 9c1b15b1b49d76ad 9dc359d265b52c84 Number of Keys in First Phase 32725026784 234.92 32347445504 234.912 31626833792 234.88 31977681408 234.89 31622202880 234.88 32685884800 234.92 Number of Keys in Second Phase 253 27.98 272 28.08 262 28.03 281 28.13 266 28.05 264 28.04 Running Time (minutes) 33.677 35.716 35.291 36.716 35.516 36.666

VI. C OMPARISON In this section we compare some of the previous research with our work in Table II. The attack proposed in [11] required around thirty pair of faulty and fault free ciphertexts. The attack proposed by Peacham and Thomas in [22] required twelve pairs of fault-free and faulty ciphertexts. The assumed fault model was muli-byte. Takahashi et. al. in [12], assumed a slightly general fault model but still most optimized form of their attack required two pairs of fault-free and faulty ciphertexts and a brute-force search of 248 . Compared to that, Kim et. al. proposed in [13] a little improved multi-byte attack. But still the attack required two pairs of fault-free and faulty ciphertexts and a brute-force search of 232 . Compared to these attacks we proposed a more general and a more realistic single byte fault model. Our attack requires only one pair fault-free and faulty ciphertexts and a brute-force search of 28 . Hence, based on existing literature, this is the rst DFA of AES-128 key schedule which requires only one instance of a fault. According to information theoretic perspective a single byte fault in known location should be able to retrieve 120-bit of the key [23]. Therefore, information theoretically our attack is the most optimized attack. VII. C ONCLUSIONS We proposed an improved differential fault attack on AES-128 key schedule. The attack takes one pair of faultfree and faulty ciphertexts which is minimal among the existing attacks. The proposed DFA requires a one byte fault at the input of eighth round key and reduces the AES-128 key to 28 values. The time complexity of the attack is 235 and requires around 35 minutes of simulation on a standard Intel CoreT M 2 Duo platform. We present

if blocks. Hence, the total search space up to line number 13 is $2^{16} \cdot 2^{24} = 2^{40}$. It may be noted that the lines up to line number 13 of Algorithm 1 correspond to the first phase of the attack. Therefore, in the first phase of the attack the search space is reduced to $2^{40}$. Out of these $2^{40}$ candidates we consider only $2^{35}$ candidates, which correspond to fixed values of $K^{10}_{0,0}, K^{10}_{1,0}, K^{10}_{3,0}, K^{10}_{1,3}, K^{10}_{2,3}$ as mentioned in Section IV-B3. In the second phase of the attack, which is after line number 13 of Algorithm 1, we first test the $2^{35}$ candidates by equation (11). Equation (11) reduces the possible candidates to $2^{35}/2^{8} = 2^{27}$. These $2^{27}$ candidates are again combined with the $2^{5}$ choices of $K^{10}_{0,0}, K^{10}_{1,0}, K^{10}_{3,0}, K^{10}_{1,3}, K^{10}_{2,3}$ and subsequently tested by the three equations (9), (10), and (12). These three equations further reduce the possible candidates to $\left(\frac{1}{2^{8}}\right)^{3} \cdot 2^{32} = 2^{8}$. Thus, in the second phase of the attack we have $2^{8}$ choices of $K^{10}$.

V. EXPERIMENTAL RESULTS

A 3GHz Intel Core 2 Duo processor with 2GB RAM was used to perform the simulated attack. The code was written in the C programming language and compiled using gcc-4.4.3 running on the Ubuntu 10.4 operating system. The simulation was performed on several test cases where a single byte fault is induced in the first column of the eighth round key. The simulated attack was performed on 100 random keys. On an average


Table II
COMPARISON WITH EXISTING ATTACKS ON THE AES-128 KEY SCHEDULE

Reference  | Fault Model       | Number of Faults | Exhaustive Search
[11]       | Single byte fault | 22 to 44         | 1
[22]       | Multi byte fault  | 12               | 1
[12]       | Multi byte fault  | 2                | $2^{48}$
[13]       | Multi byte fault  | 2                | $2^{32}$
Our Attack | Single byte fault | 1                | $2^{8}$

[11] C.-N. Chen and S.-M. Yen, "Differential Fault Analysis on AES Key Schedule and Some Countermeasures," in ACISP, 2003, pp. 118-129.
[12] J. Takahashi, T. Fukunaga, and K. Yamakoshi, "DFA Mechanism on the AES Key Schedule," in FDTC, L. Breveglieri, S. Gueron, I. Koren, D. Naccache, and J.-P. Seifert, Eds. IEEE Computer Society, 2007, pp. 62-74.
[13] C. H. Kim and J.-J. Quisquater, "New Differential Fault Analysis on AES Key Schedule: Two Faults Are Enough," in CARDIS, 2008, pp. 48-60.
[14] N. Floissac and Y. L'Hyver, "From AES-128 to AES-192 and AES-256, How to Adapt Differential Fault Analysis Attacks," Cryptology ePrint Archive, Report 2010/396, 2010, http://eprint.iacr.org/.
[15] N. Selmane, S. Guilley, and J.-L. Danger, "Practical Setup Time Violation Attacks on AES," in EDCC, 2008, pp. 91-96.
[16] A. Barenghi, G. Bertoni, E. Parrinello, and G. Pelosi, "Low Voltage Fault Attacks on the RSA Cryptosystem," in FDTC, L. Breveglieri, S. Gueron, I. Koren, D. Naccache, and J.-P. Seifert, Eds. IEEE Computer Society, 2009, pp. 23-31.
[17] T. Fukunaga and J. Takahashi, "Practical Fault Attack on a Cryptographic LSI with ISO/IEC 18033-3 Block Ciphers," in FDTC, L. Breveglieri, S. Gueron, I. Koren, D. Naccache, and J.-P. Seifert, Eds. IEEE Computer Society, 2009, pp. 84-92.
[18] S. Ali, D. Mukhopadhyay, and M. Tunstall, "Differential Fault Analysis of AES using a Single Multiple-Byte Fault," Cryptology ePrint Archive, Report 2010/636, 2010, http://eprint.iacr.org/.
[19] K. Nyberg, "Differentially Uniform Mappings for Cryptography," in EUROCRYPT, 1993, pp. 55-64.
[20] S. P. Skorobogatov and R. J. Anderson, "Optical Fault Induction Attacks," in CHES, ser. Lecture Notes in Computer Science, B. S. Kaliski Jr., Ç. K. Koç, and C. Paar, Eds., vol. 2523. Springer, 2002, pp. 2-12.
[21] S. Ali and D. Mukhopadhyay, "Acceleration of Differential Fault Analysis of the Advanced Encryption Standard Using Single Fault," Cryptology ePrint Archive, Report 2010/451, 2010, http://eprint.iacr.org/.
[22] D. Peacham and B. Thomas, "A DFA Attack Against the AES Key Schedule," SiVenture White Paper 001, 26 October 2006.
[23] Y. Li, S. Gomisawa, K. Sakiyama, and K. Ohta, "An Information Theoretic Perspective on the Differential Fault Analysis against AES," Cryptology ePrint Archive, Report 2010/032, 2010, http://eprint.iacr.org/.
[24] L. Breveglieri, S. Gueron, I. Koren, D. Naccache, and J.-P. Seifert, Eds., Sixth International Workshop on Fault Diagnosis and Tolerance in Cryptography, FDTC 2009, Lausanne, Switzerland, 6 September 2009. IEEE Computer Society, 2009.

extensive simulation results to support our claims. To the best of our knowledge the proposed attack is the most efficient DFA reported on the AES-128 key schedule.

REFERENCES
[1] D. Boneh, R. A. DeMillo, and R. J. Lipton, "On the Importance of Checking Cryptographic Protocols for Faults (Extended Abstract)," in EUROCRYPT, 1997, pp. 37-51.
[2] E. Biham and A. Shamir, "Differential Fault Analysis of Secret Key Cryptosystems," in CRYPTO, ser. Lecture Notes in Computer Science, B. S. Kaliski Jr., Ed., vol. 1294. Springer, 1997, pp. 513-525.
[3] National Institute of Standards and Technology, "Advanced Encryption Standard," NIST FIPS PUB 197, 2001.
[4] J. Blömer and J.-P. Seifert, "Fault Based Cryptanalysis of the Advanced Encryption Standard (AES)," in Financial Cryptography, ser. Lecture Notes in Computer Science, R. N. Wright, Ed., vol. 2742. Springer, 2003, pp. 162-181.
[5] P. Dusart, G. Letourneux, and O. Vivolo, "Differential Fault Analysis on A.E.S.," Cryptology ePrint Archive, Report 2003/010, 2003, http://eprint.iacr.org/.
[6] G. Piret and J.-J. Quisquater, "A Differential Fault Attack Technique against SPN Structures, with Application to the AES and KHAZAD," in CHES, ser. Lecture Notes in Computer Science, C. D. Walter, Ç. K. Koç, and C. Paar, Eds., vol. 2779. Springer, 2003, pp. 77-88.
[7] A. Moradi, M. T. M. Shalmani, and M. Salmasizadeh, "A Generalized Method of Differential Fault Attack Against AES Cryptosystem," in CHES, 2006, pp. 91-100.
[8] D. Mukhopadhyay, "An Improved Fault Based Attack of the Advanced Encryption Standard," in AFRICACRYPT, ser. Lecture Notes in Computer Science, B. Preneel, Ed., vol. 5580. Springer, 2009, pp. 421-434.
[9] M. Tunstall and D. Mukhopadhyay, "Differential Fault Analysis of the Advanced Encryption Standard using a Single Fault," Cryptology ePrint Archive, Report 2009/575, 2009, http://eprint.iacr.org/.
[10] C. Giraud, "DFA on AES," in AES Conference, ser. Lecture Notes in Computer Science, H. Dobbertin, V. Rijmen, and A. Sowa, Eds., vol. 3373. Springer, 2004, pp. 27-41.

