At ACISP 2004, Giraud and Knudsen presented the first fault analysis of DSA, ECDSA, XTR-DSA, Schnorr and ElGamal signatures schemes that considered faults affecting one byte. They showed that 2304 faulty signatures would be expected to reduce the number of possible keys to 2, allowing a 160-bit private key to be recovered. In this paper we show that Giraud and Knudsen’s fault attack is much mor...

In this paper, we describe our current work on developing tools for experimental evaluation of the efficiency of implemented countermeasures against differential fault attacks on cryptographic cores in the FPGA based systems. The developed fault injection platform enables us to analyze the impact of injected faults at the selected points of the FPGA in its run time operation. In its compact ver...

Abstract. In this paper we describe two differential fault attack techniques against Advanced Encryption Standard (AES). We propose two models for fault occurrence; we could find all 128 bits of key using one of them and only 6 faulty ciphertexts. We need approximately 1500 faulty ciphertexts to discover the key with the other fault model. Union of these models covers all faults that can occur ...

We provide a first security evaluation of LPN-based implementations against fault attacks. Our main result is to show that such implementations inherently have good features to resist these attacks. First, some prominent fault models (e.g. where an adversary flips bits in an implementation) are ineffective against LPN. Second, attacks taking advantage of more advanced fault models (e.g. where a...

Since the early work of Piret and Quisquater on fault attacks against AES at CHES 2003, many works have been devoted to reduce the number of faults and to improve the time complexity of this attack. This attack is very efficient as a single fault is injected on the third round before the end, and then it allows to recover the whole secret key in 2 in time and memory. However, since this attack,...

Implementation attacks such as side channel attacks and fault attacks require triggering mechanisms to activate the acquisition device or fault injection equipment. Most academic works work with a very simple and reliable trigger mechanism where the device under test itself provides a dedicated signal. This however is not possible in real attack scenarios. Here the alternative is to use IO sign...

We present new combined attacks on the AES key schedule based on the work of Roche et al. [16]. The main drawbacks of the original attack are: the need for high repeatability of the fault, a very particular fault model and a very high complexity of the key recovery algorithm. We consider more practical fault models, we obtain improved key recovery algorithms and we present more attack paths for...

Fault Injection Attacks are a powerful form of active attack mechanism which can threaten even the strongest of cryptographic algorithms. This attack vector has become more pertinent with the growing popularity of the Internet of things (IoT), which is based on small omnipresent embedded systems interacting with sensitive data of personal or critical nature. This tutorial addresses this issue o...

We present two architectures for protecting a hardware implementation of AES against side-channel attacks known as Differential Fault Analysis attacks. The first architecture, which is efficient for faults of higher multiplicity, partitions the design into linear (XOR gates only) and nonlinear blocks and uses different protection schemes for these blocks. We protect the linear blocks with linea...

This paper describes a DFA attack on the AES key schedule. This fault model assumes that the attacker can induce a single byte fault on the round key. It efficiently finds the key of AES-128 with feasible computation and less than thirty pairs of correct and faulty ciphertexts. Several countermeasures are also proposed. This weakness can be resolved without modifying the structure of the AES al...