Since the early work of Piret and Quisquater on fault attacks against AES at CHES 2003, many works have been devoted to reducing the number of faults and improving the time complexity of this attack. The attack is very efficient: a single fault injected in the third round before the end allows recovery of the whole secret key in $2^{32}$ time and memory. However, it has remained an open problem whether provoking a fault at an earlier round of the cipher allows the key to be recovered. Indeed, since two rounds of AES achieve full diffusion and adding protections against fault attacks decreases performance, some countermeasures propose to protect only the first three and last three rounds. In this paper, we answer this problem by showing two practical cryptographic attacks one round earlier on AES-128 and for all key-size variants. The first attack requires 10 faults and its complexity is around $2^{40}$ in time and memory; an improvement requires only 5 faults and reduces its memory complexity to $2^{24}$. The second attack requires either 1000 or 45 faults, depending on the fault model, and recovers the secret key in around $2^{40}$ time and memory. © 2011 International Association for Cryptologic Research.
Derbez, P., Fouque, P. A., & Leresteux, D. (2011). Meet-in-the-middle and impossible differential fault analysis on AES. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 6917 LNCS, pp. 274–291). https://doi.org/10.1007/978-3-642-23951-9_19