Evaluating Differential Fault Analysis of Unknown Cryptosystems

  • Pascal Paillier
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1560)


Recently [1], Biham and Shamir announced an attack (Differential Fault Analysis, DFA for short) that recovers keys of arbitrary cryptosystems in polynomial (quadratic) complexity. In this paper, we show that under slightly modified assumptions, DFA is not polynomial and would simply result in the loss of some key bits. Additionally, we prove the existence of cryptosystems on which DFA cannot reach the announced work factor.




  1. E. Biham and A. Shamir, Differential Fault Analysis, LNCS 1294, Advances in Cryptology, Proceedings of Crypto ’97, Springer-Verlag, pp. 513–525, 1997.
  2. F. Bao, R. Deng, Y. Han, A. Jeng, A. Narasimhalu and T. Ngair, Breaking Public-Key Cryptosystems on Tamper-Resistant Devices in the Presence of Transient Faults, LNCS 1361, Proceedings of Security Protocols Workshop ’97, Springer-Verlag, pp. 115–124, 1997.
  3. E. Biham and A. Shamir, The Next Stage of Differential Fault Analysis: How to Break Completely Unknown Cryptosystems, Preprint, 1996.
  4. E. Biham and A. Shamir, A New Cryptanalytic Attack on DES: Differential Fault Analysis, October 18, 1996.
  5. A. Lenstra, Memo on RSA Signature Generation in the Presence of Faults, Sept. 28, 1996.
  6. M. Joye and J.-J. Quisquater, Attacks on Systems Using Chinese Remaindering, Technical Report CG-1996/9, UCL, 1996.
  7. R. Anderson and R. Needham, Robustness Principles for Public-Key Protocols, LNCS 963, Advances in Cryptology, Proceedings of Crypto ’95, Springer-Verlag, pp. 236–247, 1995.
  8. R. Anderson and S. Vaudenay, Minding Your p’s and q’s, LNCS 1163, Advances in Cryptology, Proceedings of Asiacrypt ’96, Springer-Verlag, pp. 26–35, 1996.
  9. R. Anderson and M. Kuhn, Tamper Resistance: A Cautionary Note, Usenix Workshop on Electronic Commerce, pp. 1–11, Nov. 1996.
  10. R. Anderson and M. Kuhn, Low-Cost Attacks on Tamper-Resistant Devices, LNCS 1361, Security Protocols Workshop ’97, Springer-Verlag, pp. 125–136, April 1997.
  11. D. Boneh, R. DeMillo and R. Lipton, On the Importance of Checking Cryptographic Protocols for Faults, LNCS 1233, Advances in Cryptology, Proceedings of Eurocrypt ’97, Springer-Verlag, pp. 37–51, 1997.
  12. P. Kocher, Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems, LNCS 1109, Advances in Cryptology, Proceedings of Crypto ’96, Springer-Verlag, pp. 104–113, 1996.
  13. Federal Information Processing Standards, Security Requirements for Cryptographic Modules, FIPS Publication 140-1.

Copyright information

© Springer-Verlag Berlin Heidelberg 1999

Authors and Affiliations

  • Pascal Paillier (1, 2)
  1. Computer Science Department, ENST, Paris
  2. Cryptography Department, GEMPLUS, Issy-les-Moulineaux
