
Differential fault analysis of secret key cryptosystems

  • Eli Biham
  • Adi Shamir
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1294)

Abstract

In September 1996 Boneh, Demillo, and Lipton from Bellcore announced a new type of cryptanalytic attack which exploits computational errors to find cryptographic keys. Their attack is based on algebraic properties of modular arithmetic, and thus it is applicable only to public key cryptosystems such as RSA, and not to secret key algorithms such as the Data Encryption Standard (DES).

In this paper, we describe a related attack, which we call Differential Fault Analysis, or DFA, and show that it is applicable to almost any secret key cryptosystem proposed so far in the open literature. Our DFA attack can use various fault models and various cryptanalytic techniques to recover the cryptographic secrets hidden in the tamper-resistant device. In particular, we have demonstrated that under the same hardware fault model used by the Bellcore researchers, we can extract the full DES key from a sealed tamper-resistant DES encryptor by analyzing between 50 and 200 ciphertexts generated from unknown but related plaintexts.

In the second part of the paper we develop techniques to identify the keys of completely unknown ciphers (such as Skipjack) sealed in tamper-resistant devices, and to reconstruct the complete specification of DES-like unknown ciphers.

In the last part of the paper, we consider a different fault model, based on permanent hardware faults, and show that it can be used to break DES by analyzing a small number of ciphertexts generated from completely unknown and unrelated plaintexts.


Copyright information

© Springer-Verlag 1997

Authors and Affiliations

  • Eli Biham (1)
  • Adi Shamir (2)
  1. Computer Science Department, Technion - Israel Institute of Technology, Haifa, Israel
  2. Applied Math. and Comp. Sci. Department, The Weizmann Institute of Science, Rehovot, Israel
