Paper 2003/008

DFA on AES

Christophe Giraud

Abstract

In this paper we describe two different DFA attacks on the AES. The first one uses a fault model that induces a fault on only one bit of an intermediate result, hence allowing us to obtain the key by using 50 faulty ciphertexts for an AES-128. The second attack uses a more realistic fault model: we assume that we may induce a fault on a whole byte. For an AES-128, this second attack provides the key by using less than 250 faulty ciphertexts. Moreover, this attack has been successfully put into practice on a smart card.

Note: The first version of this paper was submitted in April 2002 to CHES'02.

Metadata
Available format(s)
PS
Publication info
Published elsewhere. The first version of this paper was submitted in April 2002 to CHES'02.
Keywords
AESDFAside-channel attackssmartcards.
Contact author(s)
c giraud @ oberthurcs com
History
2003-05-14: last of 3 revisions
2003-01-20: received
See all versions
Short URL
https://ia.cr/2003/008
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2003/008,
      author = {Christophe Giraud},
      title = {DFA on AES},
      howpublished = {Cryptology ePrint Archive, Paper 2003/008},
      year = {2003},
      note = {\url{https://eprint.iacr.org/2003/008}},
      url = {https://eprint.iacr.org/2003/008}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.