Improving DFA attacks on AES with unknown and random faults

作     者：Nan LIAO Xiaoxin CUI Kai LIAO Tian WANG Dunshan YU Xiaole CUI 

作者机构：Institute of Microelectronics Peking University Key Lab of Integrated Microsystems Peking University Shenzhen Graduate School 

出 版 物：《Science China(Information Sciences)》 (中国科学:信息科学(英文版))

年 卷 期：2017年第60卷第4期

页      面：166-179页

核心收录：

学科分类：0839[工学-网络空间安全] 08[工学] 081201[工学-计算机系统结构] 0812[工学-计算机科学与技术（可授工学、理学学位）] 

基　　金：supported by National Natural Science Foundation of China (Grant No. 61306040) National Basic Research Program of China (973) (Grant No. 2015CB057201) Natural Science Foundation of Beijing (Grant No. 4152020) Natural Science Foundation of Guangdong Province (Grant No. 2015A030313147) R&D Project of Guangdong Government (Grant No. 2014B090913001) 

主　　题：AES DFA attacks unknown and random faults efficient theoretical candidate number voltage violation 

摘      要：Differential fault analysis(DFA) aiming at the advanced encryption standard(AES) hardware implementations has become a widely research topic. Unlike theoretical model, in real attack scenarios, popular and practical fault injection methods like supply voltage variation will introduce faults with random locations,unknown values and multibyte. For analyzing this kind of faults, the previous fault model needed six pairs of correct and faulty ciphertexts to recover the secret round-key. In this paper, on the premise of accuracy, a more efficient DFA attack with unknown and random faults is proposed. We introduce the concept of theoretical candidate number in the fault analysis. Based on this concept, the correct round-key can be identified in advance, so the proposed attack method can always use the least pairs of correct and faulty ciphertexts to accomplish the DFA attacks. To further support our opinion, random fault attacks based on voltage violation were taken on an FPGA board. Experiment results showed that about 97.3% of the attacks can be completed within 3 pairs of correct and faulty ciphertexts. Moreover, on average only 2.17 pairs of correct and faulty ciphertexts were needed to find out the correct round-key, showing significant advantage of efficiency compared with previous fault models. On the other hand, less amount of computation in the analyses can be realized with a high probability with our model, which also effectively improves the time efficiency in DFA attacks with unknown and random faults.