In this paper we describe two different DFA attacks on the AES. The first one uses a fault model that induces a fault on only one bit of an intermediate result, allowing us to obtain the key of an AES-128 by using 50 faulty ciphertexts. The second attack uses a more realistic fault model: we assume that we may induce a fault on a whole byte. For an AES-128, this second attack provides the key by using fewer than 250 faulty ciphertexts.

If we extend our hypothesis by supposing that the attacker can choose the byte affected by the fault, our bit-fault attack requires 35 faulty ciphertexts to obtain the secret key and our byte-fault attack requires only 31 faulty ciphertexts.


Keywords: AES, DFA, side-channel attacks, smartcards





Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Christophe Giraud, Oberthur Card Systems, Puteaux, France
