New Differential Fault Analysis on AES Key Schedule: Two Faults Are Enough

In this paper we show a new differential fault analysis (DFA) on the AES-128 key scheduling process. We can obtain 96 bits of the key with 2 pairs of correct and faulty ciphertexts enabling an easy exhaustive key search of 2 keys. Furthermore we can retrieve the entire 128 bits with 4 pairs. To the authors’ best knowledge, it is the smallest number of pairs to find the entire AES-128 key with a fault attack on the key scheduling process. Up to now 7 pairs by Takahashi et al. were the best. By corrupting state, not the key schedule, Piret and Quisquater showed 2 pairs are enough to break AES-128 in 2003. The advantage of DFA on the key schedule is that it can defeat some fault-protected AES implementations where the round keys are not rescheduled prior to the check. We implemented our algorithm on a 3.2 GHz Pentium 4 PC. With 4 pairs of correct and faulty ciphertexts, we could find 128 bits less than 2.3 seconds. Index terms Fault attack, Differential Fault Analysis, AES, DFA, AES key schedule