Improved Differential Fault Analysis on AES Key Schedule

Abstract

Differential fault analysis (DFA) finds the key of a block cipher using differential information between correct and faulty ciphertexts obtained by inducing faults during the computation of ciphertexts. Among many ciphers, advanced encryption standard (AES) has been the main target of DFA due to its popularity. The naive implementation of AES is known to be vulnerable to DFA, which can be split into two categories depending on the fault location: the DFA on the State and the DFA on the Key Schedule. For the first category, much research has been done and very efficient methods were devised. However, there is still a lack of research in the second category. The advantage of DFA on the Key Schedule is that it can even defeat some fault-protected AES implementations. Research on DFA has been diversified into several directions: reducing the number of required faults, changing fault models (from one-byte fault to multibyte fault and vise versa), extending to AES-192 and AES-256, and exploiting faults induced at an earlier round. This paper deals with all these directions together in DFA on AES Key Schedule. We introduce new attacks that find the AES-128 key with two faults in a one-byte fault model without exhaustive search and the AES-192 and the AES-256 keys with six and four faults, respectively.