Improving DFA attacks on AES with unknown and random faults



Differential fault analysis (DFA) aiming at the advanced encryption standard (AES) hardware implementations has become a widely research topic. Unlike theoretical model, in real attack scenarios, popular and practical fault injection methods like supply voltage variation will introduce faults with random locations, unknown values and multibyte. For analyzing this kind of faults, the previous fault model needed six pairs of correct and faulty ciphertexts to recover the secret round-key. In this paper, on the premise of accuracy, a more efficient DFA attack with unknown and random faults is proposed. We introduce the concept of theoretical candidate number in the fault analysis. Based on this concept, the correct round-key can be identified in advance, so the proposed attack method can always use the least pairs of correct and faulty ciphertexts to accomplish the DFA attacks. To further support our opinion, random fault attacks based on voltage violation were taken on an FPGA board. Experiment results showed that about 97.3% of the attacks can be completed within 3 pairs of correct and faulty ciphertexts. Moreover, on average only 2.17 pairs of correct and faulty ciphertexts were needed to find out the correct round-key, showing significant advantage of efficiency compared with previous fault models. On the other hand, less amount of computation in the analyses can be realized with a high probability with our model, which also effectively improves the time efficiency in DFA attacks with unknown and random faults.


在针对AES算法的随机类型故障, 传统的多字节故障模型需要分析6个故障密文才能恢复正确的四字节密钥。为了提高分析效率, 本文提出了一种针对随机类型故障的高效率差分分析算法。在保证分析准确性的前提下, 我们利用理论密钥候选值数量的概念, 设计了一种新的故障分析算法, 该算法能够根据实际的故障注入情况, 用最少的故障密文数提前恢复密钥, 并有效减小计算复杂度。针对AES算法的实际攻击结果表明, 该算法平均只需要分析2.17个故障密文即可恢复密钥, 并且97.3%的故障攻击实例都能在3组故障密文分析内完成攻击, 有效提高了分析效率。

This is a preview of subscription content, access via your institution.


  1. 1

    Oswald E, Mangard S, Herbst C, et al. Practical second-order DPA attacks for masked smart card implementations of block ciphers. In: Topics in Cryptology–CT-RSA 2006. Berlin: Springer-Verlag, 2006. 192–207

    Google Scholar 

  2. 2

    Tiri K, Verbauwhede I. A logic level design methodology for a secure DPA resistant ASIC or FPGA implementation. In: Proceedings of the Conference on Design, Automation and Test in Europe, Washington, 2004. 246–251

    Google Scholar 

  3. 3

    Boneh D, DeMillo R A, Lipton R J. On the importance of checking cryptographic protocols for faults. In: Advances in Cryptology-EUROCRYPT’97. Berlin: Springer-Verlag, 1997. 37–51

    Google Scholar 

  4. 4

    Biham E, Shamir A. Differential fault analysis of secret key cryptosystems. In: Advances in Cryptology-CRYPTO’97. Berlin: Springer-Verlag, 1997. 513–525

    Google Scholar 

  5. 5

    Biehl I, Meyer B, Müller V. Differential fault attacks on elliptic curve cryptosystems. In: Advances in Cryptology- CRYPTO 2000. Berlin: Springer-Verlag, 2000. 131–146

    Google Scholar 

  6. 6

    Daemen J, Rijmen V. The Design of Rijndael: AES - The Advanced Encryption Standard. New York: Springer Science & Business Media, 2013

    Google Scholar 

  7. 7

    Giraud C. DFA on AES. In: Proceedings of the 4th International Conference on Advanced Encryption Standard. Berlin: Springer-Verlag, 2004. 27–41

    Google Scholar 

  8. 8

    Blömer J, Seifert J P. Fault based cryptanalysis of the advanced encryption standard (AES). In: Financial Cryptography. Berlin: Springer-Verlag, 2003. 162–181

    Google Scholar 

  9. 9

    Dusart P, Letourneux G, Vivolo O. Differential fault analysis on A.E.S. In: Applied Cryptography and Network Security. Berlin: Springer-Verlag, 2003. 293–306

    Google Scholar 

  10. 10

    Piret G, Quisquater J J. A differential fault attack technique against SPN structures, with application to the AES and Khazad. In: Cryptographic Hardware and Embedded Systems-CHES 2003. Berlin: Springer-Verlag, 2003. 77–88

    Google Scholar 

  11. 11

    Moradi A, Shalmani M T M, Salmasizadeh M. A generalized method of differential fault attack against AES cryptosystem. In: Cryptographic Hardware and Embedded Systems-CHES 2006. Berlin: Springer-Verlag, 2006. 91–100

    Google Scholar 

  12. 12

    Agoyan M, Dutertre J M, Mirbaha A P, et al. Single-bit DFA using multiple-byte laser fault injection. In: Proceedings of IEEE International Conference on Technologies for Homeland Security, Waltham, 2010. 113–119

    Google Scholar 

  13. 13

    Selmane N, Guilley S, Danger J L. Practical setup time violation attacks on AES. In: Proceedings of the 7th European Dependable Computing Conference, Kaunas, 2008. 91–96

    Google Scholar 

  14. 14

    Barenghi A, Bertoni G, Breveglieri L, et al. Low voltage fault attacks to AES and RSA on general purpose processors. International Association for Cryptologic Research (IACR) ePrint Archive, 2010. 130

    Google Scholar 

Download references


This work was supported by National Natural Science Foundation of China (Grant No. 61306040), National Basic Research Program of China (973) (Grant No. 2015CB057201), Natural Science Foundation of Beijing (Grant No. 4152020), Natural Science Foundation of Guangdong Province (Grant No. 2015A030313147), and R&D Project of Guangdong Government (Grant No. 2014B090913001).

Author information



Corresponding authors

Correspondence to Xiaoxin Cui or Xiaole Cui.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Liao, N., Cui, X., Liao, K. et al. Improving DFA attacks on AES with unknown and random faults. Sci. China Inf. Sci. 60, 042401 (2017).

Download citation


  • AES
  • DFA attacks
  • unknown and random faults
  • efficient
  • theoretical candidate number
  • voltage violation


  • AES算法
  • 差分故障攻击
  • 随机类型故障
  • 高效分析算法
  • 硬件安全