# Differential fault analysis of secret key cryptosystems

## Abstract

In September 1996 Boneh, Demillo, and Lipton from Bellcore announced a new type of cryptanalytic attack which exploits computational errors to find cryptographic keys. Their attack is based on algebraic properties of modular arithmetic, and thus it is applicable only to public key cryptosystems such as RSA, and not to secret key algorithms such as the Data Encryption Standard (DES).

In this paper, we describe a related attack, which we call *Differential Fault Analysis*, or *DFA*, and show that it is applicable to almost any secret key cryptosystem proposed so far in the open literature. Our DFA attack can use various fault models and various cryptanalytic techniques to recover the cryptographic secrets hidden in the tarn per-resistant device. In particular, we have demonstrated that under the same hardware fault model used by the Bellcore researchers, we can extract the full DES key from a sealed tamper-resistant DES encryptor by analyzing between 50 and 200 ciphertexts generated from unknown but related plaintexts.

In the second part of the paper we develop techniques to identify the keys of completely unknown ciphers (such as Skipjack) sealed in tamper-resistant devices, and to reconstruct the complete specification of DES-like unknown ciphers.

In the last part of the paper, we consider a different fault model, based on permanent hardware faults, and show that it can be used to break DES by analyzing a small number of ciphertexts generated from completely unknown and unrelated plaintexts.

## References

- [1]Ross Anderson, Markus Kuhn,
*Tamper Resistance — a Cautionary Note*, proceedings of the Second Usenix Workshop on Electronic Commerce, pp. 1–11, November 1996.Google Scholar - [2]Ross Anderson, Markus Kuhn,
*Low Cost Attacks on Tamper Resistant Devices*, proceedings of the 1997 Security Protocols Workshop, Paris, April 7–9, 1997.Google Scholar - [3]Eli Biham,
*New Types of Cryptanalytic Attacks Using Related Keys*, Journal of Cryptology, Vol. 7, No. 4, pp. 229–246, 1994.MATHCrossRefGoogle Scholar - [4]Eli Biham, Adi Shamir,
*Differential Cryptanalysis of the Data Encryption Standard*, Springer-Verlag, 1993.Google Scholar - [5]Dan Boneh, Richard A. Demillo, Richard J. Lipton,
*On the Importance of Checking Cryptographic Protocols for Faults*, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of EUROCRYPT97, pp. 37–51, 1997.Google Scholar - [6]Lawrence Brown, Josef Pieprzyk, Jennifer Seberry,
*LOKI — A Cryptographic Primitive for Authentication and Secrecy Applications*, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of AUSCRYPT90, pp. 229–236, 1990.Google Scholar - [7]John Kelsey, Bruce Schneier, David Wagner,
*Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES*, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of CRYPTO'96, pp. 237–251, 1996.Google Scholar - [8]Paul C. Kocher,
*Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems*, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of CRYPTO'96, pp. 104–113, 1996.Google Scholar - [9]Xuejia Lai, James L. Massey, Sean Murphy,
*Markov Ciphers and Differential Cryptanalysis*, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of EUROCRYPT91, pp. 17–38, 1991.Google Scholar - [10]Susan K. Langford, Martin E. Hellman,
*Differential-linear cryptanalysis*, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of CRYPTO'94, pp. 17–25, 1994.Google Scholar - [11]John Markoff,
*Potential Flaw Seen in Cash Card Security*, New York Times, September 26, 1996.Google Scholar - [12]Mitsuru Matsui,
*Linear Cryptanalysis Method for DES Cipher*, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of EUROCRYPT'93, pp. 386–397, 1993.Google Scholar - [13]Ralph C. Merkle,
*Fast Software Encryption Functions*, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of CRYPTO'90, pp. 476–501, 1990.Google Scholar - [14]Shoji Miyaguchi,
*FEAL-N specifications*, technical note, NTT, 1989.Google Scholar - [15]Shoji Miyaguchi,
*The FEAL cipher family*, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of CRYPTO'90, pp. 627–638, 1990.Google Scholar - [16]Shoji Miyaguchi, Akira Shiraishi, Akihiro Shimizu,
*Fast Data Encryption Algorithm FEAL-8*, Review of electrical communications laboratories, Vol. 36, No. 4, pp. 433–437, 1988.Google Scholar - [17]National Bureau of Standards,
*Data Encryption Standard*, U.S. Department of Commerce, FIPS pub. 46, January 1977.Google Scholar - [18]Bart Preneel, Marnix Nuttin, Vincent Rijmen, Johan Buelens,
*Cryptanalysis of the CFB Mode of the DES with a Reduced Number of Rounds*, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of CRYPTO'93, pp. 212–223, 1993.Google Scholar - [19]Ronald L. Rivest,
*The RC5 Encryption Algorithm*, proceedings of Fast Software Encryption, Leuven, Lecture Notes in Computer Science, pp. 86–96, 1994.Google Scholar - [20]Bruce Schneier,
*Description of a New Variable-Length Key, 64-Bit Block Cipher (Blowfish)*, proceedings of Fast Software Encryption, Cambridge, Lecture Notes in Computer Science, pp. 191–204, 1993.Google Scholar - [21]Akihiro Shimizu, Shoji Miyaguchi,
*Fast Data Encryption Algorithm FEAL*, Lecture Notes in Computer Science, Advances in Cryptology, proceedings of EUROCRYPT'87, pp. 267–278. 1987.Google Scholar