Meet-in-the-Middle and Impossible Differential Fault Analysis on AES

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6917)


Since the early work of Piret and Quisquater on fault attacks against AES at CHES 2003, many works have been devoted to reduce the number of faults and to improve the time complexity of this attack. This attack is very efficient as a single fault is injected on the third round before the end, and then it allows to recover the whole secret key in 232 in time and memory. However, since this attack, it is an open problem to know if provoking a fault at a former round of the cipher allows to recover the key. Indeed, since two rounds of AES achieve a full diffusion and adding protections against fault attack decreases the performance, some countermeasures propose to protect only the three first and last rounds. In this paper, we give an answer to this problem by showing two practical cryptographic attacks on one round earlier of AES-128 and for all keysize variants. The first attack requires 10 faults and its complexity is around 240 in time and memory, an improvement allows only 5 faults and its complexity in memory is reduced to 224 while the second one requires either 1000 or 45 faults depending on fault model and recovers the secret key in around 240 in time and memory.


AES Differential Fault Analysis Fault Attack Impossible Differential Attack Meet-in-the-Middle Attack 


  1. 1.
    Anderson, R.J., Kuhn, M.G.: Low Cost Attacks on Tamper Resistant Devices. In: Christianson, B., Lomas, M. (eds.) Security Protocols 1997. LNCS, vol. 1361, pp. 125–136. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  2. 2.
    Biham, E., Granboulan, L., Nguyen, P.Q.: Impossible fault analysis of RC4 and differential fault analysis of RC4. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 359–367. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  3. 3.
    Biham, E., Keller, N.: Cryptanalysis of Reduced Variants of Rijndael. In: 3rd AES Conference, New York, USA (2000)Google Scholar
  4. 4.
    Biham, E., Shamir, A.: Differential Fault Analysis of Secret Key Cryptosystems. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 513–525. Springer, Heidelberg (1997)Google Scholar
  5. 5.
    Biryukov, A., Khovratovich, D.: Two New Techniques of Side-Channel Cryptanalysis. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 195–208. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  6. 6.
    Bloemer, J., Seifert, J.-P.: Fault Based Cryptanalysis of the Advanced Encryption Standard (AES). In: Wright, R.N. (ed.) FC 2003. LNCS, vol. 2742, pp. 162–181. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  7. 7.
    Bogdanov, A.: Improved Side-Channel Collision Attacks on AES. In: Adams, C., Miri, A., Wiener, M. (eds.) SAC 2007. LNCS, vol. 4876, pp. 84–95. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  8. 8.
    Boneh, D., DeMillo, R.A., Lipton, R.J.: On the Importance of Checking Cryptographic Protocols for Faults (Extended Abstract). In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 37–51. Springer, Heidelberg (1997)Google Scholar
  9. 9.
    Bouillaguet, C., Derbez, P., Fouque, P.-A.: Automatic Search of Attacks on Round-Reduced AES and Applications. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 169–187. Springer, Heidelberg (2011)Google Scholar
  10. 10.
    Chen, C.-N., Yen, S.-M.: Differential Fault Analysis on AES Key Schedule and Some Countermeasures. In: Safavi-Naini, R., Seberry, J. (eds.) ACISP 2003. LNCS, vol. 2727, pp. 118–129. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  11. 11.
    Choukri, H., Tunstall, M.: Round Reduction Using Faults. In: Proceedings of the Workshop on Fault Diagnosis and Tolerance in Cryptography, FDTC 2005, pp. 13–24 (2005)Google Scholar
  12. 12.
    Clavier, C., Feix, B., Gagnerot, G., Roussellet, M.: Passive and Active Combined Attacks on AES Combining Fault Attacks and Side Channel Analysis. In: FDTC, pp. 10–19 (2010)Google Scholar
  13. 13.
    Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Springer, Heidelberg (2002)zbMATHGoogle Scholar
  14. 14.
    Dusart, P., Letourneux, G., Vivolo, O.: Differential Fault Analysis on A.E.S. In: Zhou, J., Yung, M., Han, Y. (eds.) ACNS 2003. LNCS, vol. 2846, pp. 293–306. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  15. 15.
    FIPS. Advanced Encryption Standard (AES). pub-NIST (November 2001)Google Scholar
  16. 16.
    Gilbert, H., Minier, M.: A Collision Attack on 7 Rounds of Rijndael. In: AES Candidate Conference. LNCS, pp. 230–241. Springer, Heidelberg (2000)Google Scholar
  17. 17.
    Giraud, C.: DFA on AES. In: Dobbertin, H., Rijmen, V., Sowa, A. (eds.) AES 2005. LNCS, vol. 3373, pp. 27–41. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  18. 18.
    Hamid, H.B.-E., Choukri, H., Tunstall, D.N.M., Whelan, C.: The Sorcerer’s Apprentice Guide to Fault Attacks (2004),
  19. 19.
    Kermani, M.M., Reyhani-Masoleh, A.: A Lightweight Concurrent Fault Detection Scheme for the AES S-Boxes Using Normal Basis. In: Oswald and Rohatgi [25], pp. 113–129Google Scholar
  20. 20.
    Kim, C.H.: Differential Fault Analysis against AES-192 and AES-256 with Minimal Faults. In: Workshop on Fault Diagnosis and Tolerance in Cryptography, pp. 3–9 (2010)Google Scholar
  21. 21.
    Knudsen, L.R.: DEAL - a 128 bit block cipher. In: Technical report 151, Departement of Informatics, University of Bergen, Norway (1998)Google Scholar
  22. 22.
    Knudsen, L.R.: DEAL - a 128 bit block cipher. In: AES Round 1 Technical Evaluation, NIST (1998)Google Scholar
  23. 23.
    Moradi, A., Shalmani, M.T.M., Salmasizadeh, M.: A Generalized Method of Differential Fault Attack Against AES Cryptosystem. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 91–100. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  24. 24.
    Mukhopadhyay, D.: An Improved Fault Based Attack of the Advanced Encryption Standard. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 421–434. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  25. 25.
    Oswald, E., Rohatgi, P. (eds.): CHES 2008. LNCS, vol. 5154. Springer, Heidelberg (2008)zbMATHGoogle Scholar
  26. 26.
    Phan, R.C.-W., Yen, S.-M.: Amplifying Side-Channel Attacks with Techniques from Block Cipher Cryptanalysis. In: Domingo-Ferrer, J., Posegga, J., Schreckling, D. (eds.) CARDIS 2006. LNCS, vol. 3928, pp. 135–150. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  27. 27.
    Piret, G., Quisquater, J.-J.: A Differential Fault Attack Technique against SPN Structures, with Application to the AES and KHAZAD. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 77–88. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  28. 28.
    Rivain, M.: Differential Fault Analysis on DES Middle Rounds. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 457–469. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  29. 29.
    Satoh, A., Sugawara, T., Homma, N., Aoki, T.: High-Performance Concurrent Error Detection Scheme for AES Hardware. In: Oswald and Rohatgi [25], pp. 100–112Google Scholar
  30. 30.
    Schramm, K., Leander, G., Felke, P., Paar, C.: A Collision-Attack on AES: Combining Side Channel- and Differential-Attack. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 163–175. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  31. 31.
    Takahashi, J., Fukunaga, T., Yamakoshi, K.: DFA Mechanism on the AES Key Schedule. In: FDTC 2007: Proceedings of the Workshop on Fault Diagnosis and Tolerance in Cryptography, pp. 62–74. IEEE Computer Society, Los Alamitos (2007)CrossRefGoogle Scholar
  32. 32.
    Tunstall, M., Mukhopadhyay, D.: Differential Fault Analysis of the Advanced Encryption Standard using a Single Fault. Cryptology ePrint Archive, Report 2009/575 (2009),

Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  1. 1.École Normale SupérieureParis CEDEX 05
  2. 2.DGA Information Superiority, BP7Rennes Armées

Personalised recommendations