Meet-in-the-middle and impossible differential fault analysis on AES

Abstract

Since the early work of Piret and Quisquater on fault attacks against AES at CHES 2003, many works have been devoted to reduce the number of faults and to improve the time complexity of this attack. This attack is very efficient as a single fault is injected on the third round before the end, and then it allows to recover the whole secret key in 232 in time and memory. However, since this attack, it is an open problem to know if provoking a fault at a former round of the cipher allows to recover the key. Indeed, since two rounds of AES achieve a full diffusion and adding protections against fault attack decreases the performance, some countermeasures propose to protect only the three first and last rounds. In this paper, we give an answer to this problem by showing two practical cryptographic attacks on one round earlier of AES-128 and for all keysize variants. The first attack requires 10 faults and its complexity is around 240 in time and memory, an improvement allows only 5 faults and its complexity in memory is reduced to 224 while the second one requires either 1000 or 45 faults depending on fault model and recovers the secret key in around 240 in time and memory. © 2011 International Association for Cryptologic Research.