Advanced Encryption Standard (AES)
JohannesBlomer 1
andJean-PierreSeifert 2
1
UniversityofPaderborn
D-33095 Paderborn,Germany
2
InneonTechnologies,Security&ChipCardICs,CCTICI
D-81609 Munich,Germany
Abstract. In this paper we describe several fault attacks on the Advanced Encryption
Standard(AES).First,usingopticalfaultinductionattacksasrecentlypubliclypresentedby
SkorobogatovandAnderson[SA],wepresentanimplementationindependentfaultattackon
AES.Thisattackisabletodeterminethecomplete128-bitsecretkeyofasealedtamper-proof
smartcardbygenerating128faultyciphertexts.Second,wepresentseveral
implementation-dependentfaultattacksonAES.TheseattacksrelyontheobservationthatduetotheAES's
knowntiminganalysisvulnerability (aspointedoutbyKoeuneandQuisquater[KQ]),any
implementationoftheAESmustensureadataindependenttimingbehaviorforthesocalled
AES'sxtimeoperation.WepresentfaultattacksonAESbasedonvarioustiminganalysis
resistantimplementationsofthextime-operation.Ourstrongestattackinthisdirectionuses
averyliberal faultmodeland requiresonly 256faulty encryptionsto determinea128-bit
key.
Keywords:AES,Cryptanalysis,Faultattacks,Side-channelattacks,Smartcards.
1 Introduction
Recently, Rijndael has been chosen as thewinner of the Advanced Encryption Standard (AES)
contest.ThusRijndaelhasbecometheAES.Withinthenear futureAESwillreplaceDESasthe
worldwidestandardinsymmetrickeyencryption.Notsurprisingly,alotofresearchsofarfocused
onthe mathematicalsecurityof AES.Likewise, thesecurityof AESagainstside-channelattacks
liketiminganalysisandpoweranalysis,hasalsobeenexamined.Ontheotherhand,nofault-based
cryptanalysisofAEShasbeenreportedsofar.Thisissurprisingasthefraudswithsmartcardsby
inducingfaultsarereal,cf.[A ,AK1,AK2],whereasnofraudsviaTimingorPowerAnalysisattacks
havebeenreportedsofar.
Inthispaperwedescribeseveralmethods forafaultbasedcryptanalysisof AES.Wepresent
animplementationindependentattackaswellasattacksonseveralimplementationsofAESaimed
at makingAEStiminganalysis secure.
Severaldierentfaultmodelsareused inourattacks.Therstattackisimplementation
inde-pendentbut uses themost restrictivefault model. Itis aimed at the rsttransformation during
an encryption with AES, the socalled AddRoundKey. In this attack weuse a rather strong but
seemingly realistic fault model. We assume, that an attackercan set a specic memory bit to a
xedvalue,e.g.,tothevalue0.Moreover,weassumethattheattackercandothisataprecisetime
of his choice. The practicality of this model hasrecently beendemonstrated in [SA ]. Using this
modelweshowthatanattackercandeterminethecomplete128-bitsecretkeybycomputing128
encryptionsinducingasinglefaulteachtime.Wealsoshowthatthefaultmodelcanberelaxedin
twoways.First,anattackerneednotbeabletoset axedmemorybitwith probability1tothe
ableto change thebit ataprecise pointin time. Hence,tofend otheattack itisnotsuÆcient
to equipacryptographicdevicewitharandomizedtiming behavior.Wenotethatour
implemen-tation independent attack can also be mounted againstother symmetricencryption ciphers like
IDEA, SAFER, and Blowsh. Infact, likeAES, these ciphershave aninitial keyaddition. This
alonerendersthemimmediatelysusceptibletoourimplementationindependentattack.Moreover,
in aforthcomingpaper[BS02]wearegoing todescribehowopticalattackscanbeusedto break
symmetricorasymmetricciphersinatrivialway,whenimplementedonanunprotectedplatform.
Oursecondclassofattacksareimplementationdependent.Moreprecisely,weconsiderseveral
dierentimplementations for the so called xtime operation that is performed during the
trans-formation MixColumn. As it is well-known, AES is susceptible to timing attacks if xtimeis not
implementedappropriately.Weconsidervarioustimingattackresistantimplementationsandshow
that allof them leadtoasimple faultbased cryptanalysisofAES.The variousimplementations
weconsidervaryfromsoftwaresolutionstohardwarebasedimplementations.Denitely,wedonot
considerallimplementationsofxtimecurrentlyinuse.However,wearecondentthatmostifnot
all implementations are susceptible to the attacks described in this paper. The fault models we
use in theattacks rangefrom veryliberal models(arbitraryfault at aspecic location) to more
restricted models, like the oneweuse in the implementation independent attack. Our strongest
resultshowsthatthemostobvioustimingattackresistantimplementationofxtimeopensthedoor
forasimplefaultbasedattackonAES.Withthisattackthecompletesecretkeycanbedetermined
encrypting roughly256plaintexts.Ineachencryption anattackermustinduce anarbitrary fault
at a specic memory byte. Using the methods we describe for the implementation independent
attack, one can argue, that it is not necessaryfor the attackerto induce the fault at a specic
time.Weliketopointoutthatourimplementationdependentattacksuseatechniqueintroduced
by[KQ]andwereinspiredbyideasin [YJ].
Inallourattacksweassume,thatfrom thebehaviorof acryptographicdevice wecandeduce
whether a fault leadingto a wrong ciphertext has actually occurred during an encryption. If a
faultoccurs,thedevicemaysimplyoutputawrongciphertext.However,anattackercancompute
thecorrectciphertextbyrerunningthedevicewithoutinducingafault,therebydetectingwhether
afault occured duringthe originalencryption.Thedevice may alsocheckitsown result,ormay
evencheckintermediateresultsandanswerwithanerrorwarningincaseafaulthasbeendetected
(see [KWMK]). This clearly tells an attacker that a fault has occurred.Thirdly, the card may
checkwhether afaulthasoccurred,andifso,recomputetheencryption.However,in thiscaseby
measuringthetimebeforethedevice outputstheciphertext,anattackercantellwhetherafault
occurred. To simplify the presentation, weassume that a cryptographicdevice will answerwith
theoutputreset,wheneverafault causedawrongciphertext.
From the results in this paper, it follows that it is absolutely necessary to incorporate both
hardwareandsoftwaremeansintoAESrealizationstoguardagainstfaultattacks.Ofcourse,some
modernhigh-endcryptosmartcardsareprotectedbyvarious sophisticatedhardwaremechanisms
to detectanyintrusionattempt totheirsystembehavior.However,astechniquesto inducefaults
intothecomputationsofsmartcardsbecomemoresophisticated,itismandatorytousealsovarious
softwaremechanismsto fendofault attacks.Weliketo closewithanadvicedue toKaliskiand
Robshaw [KR] from RSA Laboratories that good engineering practices in the design of secure
hardwareareessential, weonlywouldliketoadd,that thesameappliestosecuresoftware.
Thepaperisorganizedasfollows.WerstdescribetheAESalgorithm.Inthenextsectionwe
briey turn to the physicsof realizing faults during computations. In particular, we sketch and
characterizethephysicalattacksusedbyus inlatersections.Thefollowingsectionthendescribes
ourgeneralindependentfaultattackonAES.Inthissectionwealsodescribethetwoaforementioned
relaxationsconcerningaprobabilisticfaultmodelandaloosetimecontrolontheinducederror.The
nextsectionstartswiththeexplanationofthebasicideaforallofourimplementationdependent
ontheAES.
2 Preliminaries
2.1 Description ofthe AdvancedEncryption Standard
InthissectionwebrieydescribetheAdvancedEncryptionStandard(AES).Foramoredetailed
descriptionwereferto [DR2].
AES encrypts plaintexts consisting of lb bytes, where lb = 16;24, or 32. The plaintext is
organizedasa(4Nb)array(a
ij
),0i<4;0j<Nb 1,whereNb=4;6;8,dependingonthe
valueoflb.Then-th byte oftheplaintextis storedinbytea
i;j
withi=n mod 4,j=b n
4 c.
AESusesasecretkey, calledcipherkey, consistingoflkbytes,where lk=16;24;or32.Any
combinationof valueslb and lkis allowed. Thecipher keyis organizedin a4Nkarray(k
ij ),
0i<4;0j Nk 1,whereNk=4;6;8,dependingonthevalueof lk. Then-thkeybyte is
storedin bytek
ij
withi=n mod4,j =b n
4 c.
TheAESencryptionprocessiscomposedofrounds.Exceptforthelastround,eachround
con-sistsof fourtransformationscalled ByteSub;ShiftRow;MixColumn,and AddRoundKey.In thelast
roundthetransformationMixColumnisomitted.Thefourtransformationsoperateonintermediate
results, called states. A state is a 4Nbarray(a
ij
)of bytes. Initially, the stateis given bythe
plaintext to beencrypted.The number ofrounds Nr is10;12,or14, depending onmaxfNb;Nkg.
InadditiontothetransformationsperformedintheNrroundsthereisanAddRoundKeyappliedto
theplaintextpriortotherstround.Wecallthistheinitial AddRoundKey.
Next,weare goingto describe the transformationsused in the AES encryption process. We
beginwith AddRoundKey.
The transformation AddRoundKey Theinput tothetransformation AddRoundKeyis astate(a
ij ),
0i<4;0j <Nb,and aroundkey, whichis anarrayof bytes(rk
ij
), 0i<4;0j <Nb.
TheoutputofAddRoundKeyisthestate(b
ij
);0i<4;0j<Nb, where
b
ij =a
ij rk
ij :
Theroundkeysareobtainedfromthecipherkeybyexpandingthecipherkeyarray(k
ij
)intoan
array(k
ij
),0i<4;0jNrNb,calledtheexpandedkey.Theexactprocedure bywhichthe
expandedkeyisobtainedfromthecipherkeyisofnoimportancefortheattacksdescribedinthis
paper.Theround keyfor theinitial applicationof AddRoundKeyisgivenbytherst Nbcolumns
oftheexpandedkey.TheroundkeyfortheapplicationofAddRoundKeyinthem-throundofAES
isgivenbycolumnsmNb;:::;(m+1)Nb 1oftheexpandedkey,1mNr.
The transformation ByteSub Given a state (a
ij
), 0 i < 4;0 j < Nb, the transformation
ByteSubappliesaninvertiblefunction S:f0;1g 8
!f0;1g 8
toeachstatebytea
ij
separately.The
exact nature of S is of no relevance for the attacks described later. We just mention that S is
non-linear,andinfact,itistheonlynon-linearpartoftheAESencryptionprocess.Inpractice,S
isoftenrealizedbyasubstitutiontable orS-box.
The transformation ShiftRow Thetransformation ShiftRowcyclicallyshiftseach rowofastate
(a
ij
) separately to the left. Row 0 is not shifted. Rows 1;2;3 are shifted by C
1 ;C
2 ;C
3 bytes,
respectively,wherethevaluesoftheC
i
The transformationMixColumn operatesonthe columns ofastate separately. Toeach column a
xedlineartransformationisapplied.Todoso,bytesare interpretedaselementsintheeldF
2 8.
As is usually done, we will denote elements in this eld in hexadecimal notation. Hence 01;02
and 03 correspondto the bytes00000001;00000010,and 00000011,respectively. Now MixColumn
appliestoeachrowofastatethelineartransformationdenedbythefollowingmatrix
2
6
6
4
02030101
01020301
01010203
03010102 3
7
7
5
: (1)
Onecompleteround oftheAESencryptionprocedure isschematicallyshownin gure1.
Fig.1.SchematicforoneAESround.
TheoperationxtimeThemultiplicationsinF
2
8 necessarytocomputethetransformationMixColumn
are ofgreatimportanceto someofourattacks.Thereforeweare goingtodescribethem in more
detail.FirstweneedtosayafewwordsabouttherepresentationoftheeldF
2
8.InAEStheeld
F
2
8 isrepresentedas
F
2 8
=F
2 [x]=(x
8
+x 4
+x 3
+x+1): (2)
That is, elements of F
2 8
are polynomials over F
2
of degree at most 7. The addition and
mul-tiplication of two polynomials is done modulo the polynomial x 8
+x 4
+x 3
2
2
a =(a
7 ;:::;a
1 ;a
0
) corresponds to thepolynomiala
7 x
7
+a
1 x+a
0
. The multiplicationof an
element a = (a
7 ;:::;a
1 ;a
0 ) in F
2
8 by 01;02, and 03 is realized by multiplying the polynomial
a
7 x
7
+a
1 x+a
0
withthepolynomials1;x;x+1,respectively,and reducingtheresultmodulo
x 8
+x 4
+x 3
+x+1.Hence
01a=a
03a=02a+a:
Weseethattheonlynon-trivialmultiplicationneededtomultiplyacolumnofastatebythematrix
in (1) is the multiplicationby 02. Followingthe notation in [DR2] wedenote the multiplication
ofbyte aby02byxtime(a). Thecrucialobservationis thatxtime(a)is simplyashiftofbytea,
followedinsomecasesbyanxoroftwobytes. Moreprecisely,fora=(a
7 ;:::;a
0 )
xtime(a)= 8
<
: (a
6 ;:::;a
0
;0) ifa
7 =0
(a
6 ;:::;a
0
;0)(0;0;0;1;1;0;1;1)ifa
7 =1
(3)
Thisnishesourbriefdescriptionof theAESencryptionprocedure.
3 Physical faults attacks
Although there are lots of possibilitiesto introducean error during thecryptographicoperation
ofanunprotectedsmartcardIC, wewill onlybrieyexplainsocalled spikeattacks,glitchattacks
and the recently developed optical attacks. Weselected these attacks, as theyare so called non
invasiveattacks or at least only semi-invasive, meaning that these methods require no physical
opening,nochemicalpreparationnoranelectricalcontacttothechip'smetalsurface.Therefore,
these attacks are the most obvious methods for attacking smartcard ICs by fault attacks. For
a thorough treatment of tamper-resistance and especially on methods how to enforce erroneous
computationsofmicrocontrollerchipswereferto[A ,AK1,AK2,Gu1,Gu2,Koca,SA,KK,Ma].
Moreover,althoughtheeectsofapplyingphysicalstressviatheabovementionedmethodstoa
smartcardICcanbecompletelyexplainedbynumerousphysicalandtechnicalconsiderations,these
explanations are clearlybeyond thescopeof this paper,meaning that ourphysical explanations
willbeprettyrough.
3.1 Spikeattacks
Asrequiredby[ISO],asmartcardICmustbeabletotolerateonthecontactV
CC
asupplyvoltage
between 4;5V and 5;5V, where the standard voltage is specied at 5V. Within this range the
smartcard must be able to work properly. However, a deviation of the external power supply,
called spike, of much more than the specied 10%tolerance might cause problems for aproper
functionalityofthesmartcardIC.Indeed,itwillmostprobablyleadtoawrongcomputationresult,
providedthatthesmartcardICisstillableto nishitscomputation completely.
Althoughaspikeseemsfromtheaboveexplanationverysimple,aspecictypeofapowerspike
is determined byaltogether nine dierentparameters. These nine parametersaredetermined by
acombinationof time,voltagevalues,andtheshapeofthevoltage transition.This indicatesthe
rangeofdierentparameterswhichanattackercantrytomodifyinorder toinduceafault.
As spike attacks are non-invasive attacks, they are the most obvious method for inducing
computationalfaultsonsmartcardICs.Inparticular,theyrequirenophysicalopening,nochemical
preparationofthesmartcardICanddonotrequiremakinganelectricalcontacttotheIC'smetal
Similartoabove,[ISO]prescribesthatasmartcardICmustbeabletotolerateontheclockcontact
CLK avoltageforV
IH
of 0;7V
CC ;:::;V
CC
andforV
IL of 0V
CC
;:::;0;5V
CC
. Moreover,itmust
be also ableto tolerate clock riseand clock fall times of 9% from the period cycle. Within this
range thesmartcard must be ableto workproperly. However,adeviation of the externalCLK,
mostoftencalledglitch,ofmuchmorethanthespeciedtolerancesclearlywillcauseproblemsfor
aproperfunctionalityofthesmartcardIC.Again,similartovoltagespikesthereishugerangeof
dierentparametersdetermining aglitch,whichcanbealteredbyanattackerto induce afaulty
computationonadeviceperformingaencryption.
Interestingly,anelytunedclockglitchisabletocompletelychangeaCPU'sexecutionbehavior
includingtheomittingofinstructionsduringtheexecutionsofprograms.Forphysicalexplanations
ofthisniceeectwerefertheinterestedreaderto[AK1,AK2,KK].Accordingto[KK],around1999
clockglitchattackshavebeenthesimplestand mostpracticalattacks.
3.3 Optical attacks
Without doubt, light attacks now belong to the classical non invasive methods to realizefaulty
computations onsmartcardsbymanipulating theirnon-volatilememory,i.e., theirEEPROM,cf.
[A,AK1,AK2,BS99,KK,Koca,NR,Ma,Pe]. Unfortunately, such light attacks could be used so far
only in an unsystematic way, fore.g. ippingrandomly selectedbits from 1 to 0with somenon
zeroprobability.
However,recently it was demonstrated by [SA] that by using focussed camera ash-lighton
the right places of amicrocontroller itis indeed possibleto set orresetanyindividual bit of its
memoryatatimespeciedbytheattacker.Suchanattackenablesaverytiming-precisecontrolled
transientfaultonagivenindividualbit.Moreover,itisclaimedby[SA]tobepracticalandseems
to requireonlyverycheapand simplepublicavailablephoto equipment.Therefore, [SA]calledit
opticalattackinsteadoflightattack,asitmainlyrelies onusingopticalequipment.
3.4 Dierentiatingthe physical attacks
Inorderto sortthezooofpossibleeects byphysicallystressingachip,wewillnowcharacterize
theaboveattacksconcerning:
{ Controlonfaultlocation.
{ Precisionoftiming.
{ Faultmodel.
{ Numberoffaultybitsinduced.
Controlonfaultlocation Fortheissueofthecontrolontheresultingfaultlocation,onecanclearly
denethreenaturalclasses:nocontrol,loosecontrolandcompletecontrol.Thedenitionofthem
isself contained.
Precision of timing As with the former issue it is obvious to dene three naturalclasses whose
denition speaksforthemselves:nocontrol onthefaultoccurencetime,loosecontrolonthefault
occurencetimeandveryprecisecontrolonthefaultoccurencetime.
Fault model Although there are usually only three fault models specied, cf.
[BDL,BDHJNT,BS97,YJ,YKLM1,YKLM2,ZM], we will introduce a new fault model. This
modelreectsthe poweroftheoptical inducedfault modelsas developedin [SA].Inaddition to
theclassicalfaultmodels,whicharegivenbythestuckatfaultsmodel(saf),bitipmodel(bf)or
randomfaultmodel(rf)),wewilldenethebitsetorresetmodel (bsr).Inthismodeltheattacker
isabletosetorresetthevalueofanytargetbitatanytimespeciedbyhimself,regardlessofits
veryimportant for a fault basedcryptanalysis. Here one usually makesthe distinction between
singlefaultybit,fewfaultybitsandrandomnumberoffaultybits.
Wepresentthecharacterizationofthedierentphysicalattackspresentedpreviouslybyatable.
Controlonfaultloc.Prec.oftimingFaultmodel#(faultybitsinduc.)
Spike no precise random random
Glitch depending precise depending depending
Optical complete precise bsrandbf asrequired
4 A general fault attack on AES
Firstwewillshowhowto computethecomplete cipherkeyunder theassumptionthat NkNb,
that is,theblocklengthisgreaterorequalthanthekeysize.Inthiscasethecompletecipherkey
isusedin theinitialAddRoundKey.Wewillshowhowto computethecipherkeybitbybit.
Asdescribedin Section2.1thecipherkeyisstoredina4Nrarrayofbytes(k
ij
).Wedenote
the l-th bit in byte k
ij byk
l
ij
;0l<7.Similarly,the l-thbit in state byte a
ij
will be denoted
by a l
ij
. We will show how an attackercan determine k l
ij
by inducing a single fault during one
encryption.Considertheplaintext0=0 8lb
, i.e.,each bitof0hasvalue0.Theattackerencrypts
0.DuringtheinitialtransformationAddRoundKeytheoperation
a
ij :=0
8
k
ij
will beperformed.Of course,after this operationhas beenperformed,wehavea
ij =k
ij
.Before
thenext transformationis performed, theattackertries to set a l
ij
to0. Afterthis fault hasbeen
induced,theencryptionproceedswithoutfurtherfaultsbeinginduced.
Themainobservationisthat ifk l
ij
=0,then settingthevalueofa l
ij
to 0,didnotchangethe
valueofthisbitandwestillgetacorrectencryptionof0=0 8lb
.However,ifk l
ij
=1,thensetting
the value of a l
ij
to 0results in an incorrectciphertext and the cryptographicdevice will answer
withreset.Hence,fromthebehaviorofthedevicetheattackercandeducethevalueofk l
ij .
Altogether,weseethatincaseNkNbwecandeterminethecompletecipherkeybyencrypting
8lktimesthemessage0,eachtimeinducingasinglefault.
Next weconsider thecase Nk >Nb. In caseNk >Nb, an attacker candetermine the rstNb
bytes of the cipher key using the attack described above. Once the attacker knows the rst Nb
blocks of the cipher key, he can simulate the AES encryption process up to the AddRoundKey
transformation inround 1.Moreimportantly, theattackercancomputeaplaintextP, such that
during the encryption of P the state (a
ij
) prior to the application of AddRoundKey in round 1
consistsofzerobytesonly,i.e.,a
ij =0
8
foralli;j.
Todetermine a l
ij
forj Nk, theattackerencrypts theplaintext P. After thetransformation
AddRoundKeyhas been performed in the rstround, the attackerresets a l
ij
to 0.After that, the
encryption procedure proceeds without further faults. As before and by choice of P, if k l
ij = 0
resettingthe valueof a l
ij
hasno eectand the correctencryption of P is computed.However,if
k l
ij
=1,theciphertextwillnotbecorrect.Asbefore,theattackercandeterminethevalueofk l
ij .
Recall that wealwayshave Nk 2Nb (see Section 2.1). Hence in the wayjust described the
attackercandeterminethe completecipher key. Overall,to computethe cipherkey, anattacker
needstocomputetheencryptionof8lkplaintexts,eachtimeinducingasinglefault.
4.1 A probabilistic faultmodel
Inspiredbytechnologicalconsiderationswewillnowconsideraslightlyrelaxedfaultmodel.Namely,
resolution to exactlyattack singlebitsin the desiredway. Inthebest caseanoptical attackwill
approximatelyhitthecorrectphysicallocationto setorresetaspecic bit.Wemodel thisinthe
following way. If the value of the bit an attacker tries to reset is 1, then we assume that with
probabilityp
1 >
1
2
theattackersuccessfullyresetsthevalueofthat bitto0.Ifthevalueofthebit
the attacker tries to reset is 0, thenweassume that the value will change to 1 with probability
p
0 <
1
2
.Wecanassumethattheprobabilitiesp
0 ;p
1
areknowntotheattacker.
Weonlydescribehowtodeterminethevalueof k 0
00
withthis fault model. Thegeneralization
to arbitrarybits of the cipher keyis straightforward.Tocompute k 0
00
the attackerencrypts the
message 0m-times, where m is aparameter to be specied later. Ineach encryption of 0, after
theoperation a 00 =0 8 k 00
has been performed in the initial AddRoundKey, the attackertries to reset thevalue of a 0
00 . For
eachencryptiontheattackercandeducefrom thebehaviorofthecryptographicdevicewhetherit
yieldedacorrectoranincorrectciphertext.Ifthenumberofincorrectciphertextsisatleast
m p 1 +p 0 2
theattackerguessesk 0
00
=1.Otherwise,theattackerguessesk 0
00 =1.
Letusanalyzetheprobabilitythat theattackerguessesk 0
00
correctly. Ifk 0
00
=1,then ineach
encryption of 0 thevalue of a 0
00
will beset to 0 withprobability p
1
. Hence in the casek 0
00 =1,
each encryption of0 resultsin an incorrectciphertextwith probabilityp
1
. Therefore, we expect
p
1
mincorrectciphertexts.ByBernstein'sinequality(seeforexample[GS ]),theprobabilitythatin
this casefewerthanm p1+p0
2
ciphertextsareincorrectis bounded from aboveby exp( m(p
1 p 0 ) 2 =16).
Similarly, one can show that in case k 0
00
= 0, the probability that the number of incorrect
ciphertextsislargerthanm p
1 +p
0
2
isalsoboundedfromabovebyexp( m(p
1 p 0 ) 2 =16).Altogether
weobtainthattheattackerguessesbit k 0
00
correctlywithprobabilityat least
1 exp m (p 1 p 0 ) 2 16 :
Onechecksthatwiththechoice
m= 176 (p 1 p 0 ) 2
the attacker correctly guesses k 0
00
with probability 1 2 15
. Analogously, the other cipher key
bits canbedetermined. Iffor everycipherkeybitwechoosem=176=(p
1 p 0 ) 2 plaintexts,the
probabilitythateverycipherkeybit keyisguessedcorrectlyis1 2 8
.
For example,if p
1 = 3 4 , p 0 = 1 4
and lk= 16, then with the choice m = 90112 theattacker
guessesthecompletecipherkeycorrectlywithprobability1 2 8
.
Wenotethat thebounds ontheprobabilitythat theattackerguessesabit incorrectlycanbe
reducedsomewhatbyusingChernobounds insteadofBernstein'sbound(see [GS]).
4.2 Relaxing the timingconstraint
In the basic fault model as well as in the probabilistic fault model, we always assumed that
the attackeris ableto exactly determine the time when he resets the value of a memory bit b.
Unfortunately, asdescribed in [CCD], somemodern secure microcontrollersare equipped with a
randomizedtimingbehaviortocounteractstatisticalside-channelattacks.However,inthissection
wewill showthat under someveryplausibleassumptionsthis hardwaremechanismdoesn'tyield
within thetime window thereareonly coperationsperformedby theAESencryption procedure
that involvebit b.Theattackerknowsc.Furthermore weassume thatthe timeat whichbit b is
resetisrandomlydistributed.Thatis,foreacht=0;:::;ctheprobabilitythat bisresetafterthe
execution of the t-th operation involving b,but before the following operation involving b,is 1
c .
Wedescribethemodicationsthat havetoappliedto thebasicattackto takecareofthis weaker
assumption.Similarmodicationscanbecarriedoutfortheattackintheprobabilisticfaultmodel.
We only describe how to determine the rst cipher key bit k 0
00
. Instead of encrypting the
plaintext 0, the attacker encrypts several plaintexts P
1 ;:::;P
m
. In all these plaintexts P
i the
leftmostbithasvalue0.Theremainingbitsoftheplaintextsarechosenuniformlyatrandom.As
beforetheattackertriestoresetthevalueofa 0
00
aftertheinitialAddRoundKeyhasbeenperformed.
Instead he only manages to reset a 0
00
within a time window that besides the initial operation
a 00 :=a 00 k 00
includes c 1other operationsinvolvinga 0
00
. However,theinitial AddRoundKey
isthersttransformationinvolvinga 0
00
.Thenextoperationinvolvinga 0
00
istheByteSubofround
1.Wenowmakethefollowingheuristicassumption:
Assumethatbit a 0
00
hasaxedvalueb,whiletheremainingbitsofa
00
arechosen uniformlyat
random.Then the leftmost bitof ByteSub(a
00
)isdistributeduniformly atrandom.
Fromthisitfollowsthatunlesstheattackermanagestoreseta 0
00
immediatelyaftertheinitial
AddRoundKey has been performed, the attacker tries to reset a bit whose value is distributed
uniformlyat random.
Nextwecomputetheprobabilitythatthefaultinducedbytheattackerduringtheencryptionof
plaintextP
i
leadstoanincorrectciphertext.Withprobability 1
c
theattackerresetsa 0
00
immediately
aftertheinitialAddRoundKey.Inthiscase,theciphertextwillnotbecorrectifandonlyifk 0
00 =1.
Withprobability1 1
c =
c 1
c
theattackerresetsbita 0
00
followingtheByteSubofround1orlater.
Fromthe assumption statedabove, it followsthat in this casethe attackerresets thevalue of a
bit whose valueisdistributed uniformly atrandom. Thereforetheensuing ciphertextwill notbe
correctwithprobability 1
2 .
Weconclude that forall plaintexts P
i , ifk
0
00
=0the encryption of P
i
will be incorrectwith
probability
c 1
2c :
Ontheotherhand,ifk 0
00
=1thentheciphertextforP
i
willnotbecorrectwithprobability
c 1 2c + 1 c :
Asintheprobabilisticfaultmodel,thisdierenceinprobabilitycanbeexploitedtoguessthevalue
ofk 0
00
correctlywithhighprobability.Theattackersimplychoosesmlargeenoughanddepending
on the number of incorrect ciphertexts he sets k 0
00
to 0 or 1. The details are exactly as in the
previoussection,soweomitthem.
5 Implementation specic fault attacks
Sinceafault-basedcryptanalysis(actuallyanengineeringtypeofattack)mightalsoexploit some
peculiar implementation properties, we now take a closer look at some particular
implementa-tiondetails to understandthefault-based vulnerability ofAES.Wewill rstpresenttheideafor
ourimplementation specic fault attacks.Then wewewill applythis ideato several conceivable
implementations of the xtime operation. Nevertheless, it should be clear that also other
imple-mentations of xtime might be suspectible to the kind of attack described below. Moreover, we
wouldliketostressthattheideasdevelopedwithinSections4.1and4.2alsoapplytothefollowing
Combininganideaof[YJ]togetherwithideasfromtheTimingAnalysisoftheAES,wewillturn
theattackof[KQ]intoafaultbasedcryptanalysisoftheAES.Dependingontheactualrealization
ofthextimeoperation,dierentattackscenarioswillfollow.
TablebasedfaultattacksoftheAES Firstwedescribehowtodeterminetherstbyteofthecipher
key,whengiventheinformationthataspecicxtimeoperationreducesitsresultbyxoringitwith
thebyte(0;0;0;1;1;0;1;1)(see(3)).But,incontrastto[KQ]wewillgetthisinformationby
induc-ingacomputationalerrorduring thatspecicxtimeoperation.Theinformationretrievalprocess
itself istheimplementationdespendentpartoftheattack.Forsomeconceivableimplementations
itwillbedescribedlater.
Firsta256N tableT issetup.HereN256issomeparametertobespeciedlater.Every
rowinthistablecorrespondstoapossiblevaluefortherstcipherkeybytek
00
,whilethecolumns
correspondto possible valuesfor therst plaintext byte a
00
. Thetable entries T[k;m];0 k<
256;0m<N aredened asfollows
T[k;m]= 8
<
:
1iftheleftmostbitofByteSub(km)is1
0iftheleftmostbitofByteSub(km)is0
(4)
NexttheattackerconstructsNplaintextsm
0 ;:::;m
N 1
.Therstbyteoftheplaintextm
i isi.
Theremainingtextbytesarechosenuniformlyatrandom.Nowanattackerencryptsthemessages
m
i
andforeachiheenforcesanerrorduringtheencryptionoftheplaintext.Asalreadysaid,the
actualtime andkindoferrorwill bespeciedbelowdependingonthespecicimplementationof
thextimeoperation.AtthispointitsuÆcestonotethatduringtheencryptionofplaintextm
i the
transformationMixColumnin round1multiplies thebyteByteSub(k
00
i)by02,orequivalently
MixColumnappliesxtime(ByteSub(k
00
i)).Thisoperationwillbeshowntobehighlyvulnerable
toafaultattackrevealingwhethertheleftmostbitofByteSub(k
00
i)is1or0.Hence,theattacker
isthenabletopredicttheleftmostbit ofByteSub(k
00 i).
Then the attacker compares his predictions for the leftmost bits of ByteSub(k
00
i);i =
0;:::;N 1,withtheentriesin tableT.IftheattackerchoosesN =256andhispredecitionsare
correct,thiscomparisonrevealstherstcipherkeybyte.However,weexpectthatfewerthan256
plaintexts P
i
will suÆce to determine the rstcipher keybyte. Infact, Koeune and Quisquater
observedthat intheirtiming attackN =20 alreadysuÆces.Sinceafaultattackwill yieldmuch
morereliablepredictionsfortheleftmostbitsofByteSub(k
00
i)weexpectthatinourcaseN 16
willsuÆce.
Notethatthemain diagonalofthematrixin(1) consistsof02only. Henceduring MixColumn
everystatebytegetsmultipliedby02once.Fromthis,oneconcludesthatthemethodtocompute
thecipherkeybytek 0
00
canbeusedtocomputetheothercipherkeybytesaswell.DuetotheAES's
keyschedule asdescribedinsection2.1,thecipherisbrokenonce theattackerhasdeterminedNk
consecutivebytesoftheroundkey.Thus,forNkNbtheabovemethodsbreaksAES.Forsmaller
blocksizes,similiarideasaspresentedinsection4apply.
Basedonthistable approachwenowpresentin gure2theresultingcommonskeletonforall
ofourfollowingimplementationspecic faultattacks.
5.2 The simplestattack against anunskilled textbook-securedimplementation
ThesimplestandalsomostobviouswayforaTimingAnalysis(andSPA)resistantimplementation
of the xtimeoperation seems to be given by the following. Savethe most signicant bit of the
inputbyte, shiftthe bytebyonebit to theleft,performtwoxor'swiththe shiftedbyte. Finally,
accordingtothemostsignicantbitoftheinputbyte,returnoneofthetwopreviouslycomputed
buildplaintextsm
0 ;:::;m
N
for i:=0toN do
encryptthemessagemi and
disturbtheoperationxtime (ByteSub (k00i)) withinMixColumn
ofround1byanappropriatephysicalattackasdescribedlater
ifoutputrefusedorincorrectthen
~
T[i]issetto0or1dependingonthextimerealization
od
bycomparingthetablesT and ~
T determinetherstkeybytek
00
output: k
00
Fig.2.Commonfaultattackskeleton,revealingtherstkeybyte.
input: a=(a
7 ;a
6 ;a
5 ;a
4 ;a
3 ;a
2 ;a
1 ;a
0 )
f:=a
7
a:=(a6;a5;a4;a3;a2;a1;0)
xtime[0]:=a(0;0;0;0;0;0;0;0)
xtime[1]:=a(0;0;0;1;1;0;1;1)
return(xtime[f])
output: xtime (a)
Fig.3.TimingAnalysissecuredxtime(a)realization.
Letusnowanalyzewhat happens,ifanattackerusesthefaultattackskeletonoutlinedabove.
That is, the attacker encrypts N plaintexts m
i
, i =1;:::;N. Moreover, in each encryption the
attackerdisturbsthe computationof xtime[0].Here wecanapply averyliberal faultmodel.We
assumethattheattackerisableto enforceanarbitrarywrongvalue
xtime[0] 0
6=xtime[0]:
Then,dependingonbita
7
oftheoriginalbytea,thefollowingwillresult.Ifa
7
=1,duetothe
fact thatxtime[1]will bereturned,thewrongresultxtime[0] 0
isofnofurtherinterestandwillbe
therefore discarded.Thereforetheencryption yieldsacorrectciphertext. However,ifa
7
=0,the
wrong result xtime[0] 0
will leadto awrong ciphertext andthe cryptographicdevice will answer
with reset. Hence,from thebehaviorof thedevice, the attackercandeterminethe bit a
7 . Now
theattackercanproceedasdescribedinSection 5.1tocompletelybreakthecipher.
Note, thatwedidnotmakeanyassumptionon thekindof introduced errorduring the
com-putationofxtime[0].Wesimplyneedawrongresult.Thus itisindeedeasytorealizebyanyone
ofthemethodspresentedin 3,indicatingthatthis attackisactuallydevestating.
5.3 An attack against a possible realimplementation
After we have seen an unskilled textbook implementation of the xtime operation, we will now
consider a slow but real implementation written in an extended 8051 assembler language. We
selected anextended 8051microcontrollerasit is themost commonlyused controller in todays'
smartcards.Considerthefollowingxtimerealization,which isobviouslysecureagainstaTiming
; parameters: "a" in accu
; return value: "xtime(a)" in accu
xtime:
MOV B, A ; B:=a
SLL B ; B:=(a6,a 5,...,a1,0)
DIV A, #10000000b ; A:=(0,0,...,0,a 7)
MUL A, #00011011b ; A:=a7*(0,0,0,1,1,0,1,1)
XRL A, B ; A:=A(a6,a5,...,a 1,0)
RET
Fig.4.TimingAnalysissecuredxtime(a)realization.
Asabove,letusanalyzewhathappens,ifanattackerappliesthefaultattackskeleton,i.e.,he
encryptsN plaintextsm
i
,i=1;:::;N.However,thistimetheattackerwillapplyaglitchattack,
cf. Section3.2,toomittheexecutionoftheMUL A, #00011011binstruction.
Then,depending onbita
7
oftheinputbyte a,thefollowingwill result.Ifa
7
=0,theregister
Awill bezeroaftertheinstructionDIV A, #10000000b.Thus,omittingviaaglitchthefollowing
MUL A, #00011011binstructiondoesnotmatter,asitwould writebackto registerAazero,still
guaranteeingacorrectencryptionofm
i
.Hence,incasea
7
=0,theencryptionprocessesendswith
acorrectciphertext.However,inthecaseofa
7
=1,omittingtheMUL A, #00011011binstruction,
will resultin avalue1in registerA,whereas(0;0;0;1;1;0;1;1)wouldbethecorrectvalue.Thus,
thecryptographicdevice willdetectacomputationalerrorand willanswerwith reset, resulting
inananswerwhichindicatesthatawrongcomputationhappenedwhichwillactuallybeobserved
bytheattacker.Therefore,fromthebehaviorofthecryptographicdevice,theattackercandeduce
thevalueofbita
7
.Asbefore,applyinginthisfashionthefaultattackskeletontoeveryoneofthe
32keybyteswillcompletely breakthecipher.
5.4 An attack against a suggestedimplementation
Now,that wehaveseensomevulnerable xtimerealizationswewill consider theimplementation
actuallysuggestedbytheinventorsoftheAES,asproposed in[DR2]. Inspiredbytheknowledge
aboutthetiminganalysisvulnerabilityoftheAES,theyproposedtoimplementxtimeasanarray
T consistingof256bytes,where
T[b]:=xtime(b):
Asabove, anattackerapplies thefault attackskeletonas described in Section 5.1.This time
the attackerwill apply anoptical attack, cf. Section 3.3. Clearly it is most conceivablethat the
tableTwillbestoredinROMandthereforeisofnousetoanattacker.However,thewholecurrent
stateoftheAESencryptionclearlymustbestoredinRAM.Therefore,thistimetheattackerwill
resetviaanopticalattackontheRAMthebita
7
ofthestatebyte a.
Although theanalysis is verysimiliar to theformer twocases, for completeness sakewe will
include it.Dependingonthebit a
7
oftheinputbytea,theopticalattackwillhavethefollowing
eect. If a
7
= 0, trying to reset it via optical attacks has no eect. Therefore, the table T is
consultedforthecorrectvalueandthecryptographicdevicewillanswerwithacorrectciphertext.
However,incasea
7
=1,resettingthisbit to0mustresultinawrongencryption,sincethetable
T isconsultedforawrongvalue.Hence,fromthebehaviorofthecryptographicdeviceanattacker
candeterminethevalueofbita
7
.AsbeforedescribedinSection5.1thiscanbeusedtocompletely
aDierentialPowerAnalysisby[YJ].Givenallthis, onecandenitely saythatthesuggestionof
[DR2]iscompletely insecureagainstphysicalside-channelattacks.
5.5 An attack against a hardware implementation
Sofarwehaveonlyconsideredsoftwarerealizationsofxtime,eventuallywewillbrieystriveover
apossiblehardwarerealization.However,asacompletehardwaredescriptionevenifonlyforthe
MixColumn transformation is clearly out of the present papers scope, we will concentrate again
onthextimecircuit.Inthisveinofbuilding adedicated AEScircuit,itis widelyanticipated, cf.
[Wo],thatxtimeshouldberealizedbythefollowingverysimplecircuit,beingbesideclearlysecure
againstaTiming Analysis.
a
0
a
4
a
5
a
2
a
6
a
3
a
1
a
7
b
0
b
4
b
5
b
2
b
6
b
3
b
1
b
7
Fig.5.Circuitforb:=xtime (a).
Wewill now elaborate this situation abit morein depth. Forced by the tough area
require-ments for a chipcard IC, most AES hardware architecture proposals are silicon size optimized.
This means in particular, that such AEShardware modules really compute the AESoperations
ByteSub, MixColumn and of course xtime, instead of using large ROM based lookup tables to
compute the corresponding transformations, cf. [SMTM ,Wo,WOL]. However, due to the logical
depthofthecorrespondingcomputations,thosearchitectureshavetotakeintoaccountthatevery
single transformation needs at least oneclock cycle, and most oftenit will requiremore cycles.
Thus,betweendierenttransformationsthewholeAESencryptionstateisstoredwithinaregister
bank, whichis actuallyrealizedbyalargenumberofip-ops,cf.[WE]. Inparticular, thewhole
encryption stateprior to the execution of MixColumn must be stored within ip-ops, cf. [WE].
Indeed,theinputs(a
7 ;:::;a
0
)to acorrespondingxtimecircuitareactuallyip-ops,storingthe
resultsfromthepreviousShiftRowtransformation.Butthisinturn meansthatagainwecanuse
anopticalattack,cf.Section3.3,againsttheseip-ops,exactlyasdescribedin[SA].Indeed,this
timetheattackerwillreset(duringthetimeperiodwhentheresultsfrom thepreviousShiftRow
arestoredwithintheip-ops)thebita
7
ofthestatebyteaviaanopticalattackontheaforesaid
ip-op.Therestoftheanalysisiscompletelyanalogto thetablebasedxtimerealization.
6 Countermeasures
Wewouldliketopointoutthatsomemodernhigh-endcryptosmartcardsareprotectedbyvarious
and numerous means of sophisticated hardware mechanisms to detect any intrusion attempt to
their system behavior, cf. [Ma,MACMT,MAK,NR ]. Various but not all hardware manufacturers
attacks,etc.Todosotheyusecarefullydevelopedlogicfamilies,sensors,lters,regulators,etc.
Andindeed,onlythisspecialhardwarecountermeasuresmightgiverisetoatrustworthy
func-tionalityof thechip.Thereasonisthatonlythose proprietaryand secretlykepthardware
mech-anisms are indeed designed to counteract the source of a physical attack and not to counteract
their eect oncomputations. Counteracting eects rather thansources is usually doneby naive
softwarecountermeasuresorsomeproposedhardwarearchitectures[KWMK].Namely,thelatter
ones simply checkthecomputed ciphertext for correctnessand will causethe chip to reactwith
somekindof alarmifanerroneousciphertexthasbeendetected. Unfortunately, asshownin the
presentpaper,this isobviouslydetectableandexploitabletomountourfaultattacks.
Anotherpossibilitycould be acomplete and good randomizationof the AES's computation,
i.e., randomizingtheplaintext andthecipherkey. Arst stepin thisdirection wasrecentlydone
by[AG]andmightbehelpfulto developappropriatesoftwarecountermeasures.
7 Acknowledgments
WewouldliketothankAlexanderMayforcarefulreadingofourpaper.
References
[A] R.Anderson,SecurityEngineering,JohnWiley&Sons,NewYork,2001.
[AG] M.L.Akkar,C.Giraud,\AnimplementationofDESandAES,secureagainstsomeattacks",
Proc.ofCHES'01,SpringerLNCSvol.2162,pp.315-324,2001.
[AK1] R. Anderson, M. Kuhn, \Tamper Resistance { a cautionary note", Proc. of 2nd USENIX
WorkshoponElectronicCommerce,pp.1-11,1996.
[AK2] R.Anderson,M.Kuhn,\Lowcostattacksattacksontamperresistantdevices",Proc.of1997
SecurityProtocolsWorkshop,SpringerLNCSvol. 1361,pp.125-136,1997.
[BDL] D. Boneh,R. A. DeMillo, R.Lipton, \On the Importance of EliminatingErrors in
Crypto-graphicComputations"JournalofCryptology14(2):101-120,2001.
[BDHJNT] F. Bao, R. H. Deng, Y. Han, A. Jeng,A. D. Narasimbalu, T. Ngair, \Breaking public key
cryptosystemson tamperresistant dives inthe presenceof transient faults", Proc. of 1997
SecurityProtocolsWorkshop,SpringerLNCSvol. 1361,pp.115-124,1997.
[BS97] E. Biham, A. Shamir, \Dierential fault analysis of secret key cryptosystems", Proc. of
CRYPTO'97,SpringerLNCSvol.1294,pp.513-525,1997.
[BS99] E.Biham,A.Shamir,\PoweranalysisofthekeyschedulingoftheAEScandidates",Proc.of
thesecondAESconference,pp.115-121,1999.
[BS02] J.Blomer,J.-P.Seifert,\Onthepowerofopticalattackstoinducefaults oncryptosystems".
[BMM] I.Biehl,B.Meyer,V.Muller,\Dierentialfaultattacksonellipticcurvecryptosystems",Proc.
ofCRYPTO'00,SpringerLNCSvol. 1880,pp.131-146,2000.
[CCD] C.Clavier,J.-S.Coron,N.Dabbous,\DierentialPowerAnalysisinthepresenceofHardware
Countermeasures",Proc.ofCHES'00,SpringerLNCSvol.1965,pp.252-263,2000.
[CJRR] S.Chari,C.Jutla,J.R.Rao,P.J.Rohatgi,\AcautionarynoteregardingevaluationofAES
candidatesonsmartcards",Proc.ofthesecondAESconference,pp.135-150,1999.
[CKN] J.-S.Coron,P.KocherD.Naccache,\StatisticsandSecretLeakage",Proc.ofFinancial
Cryp-tography,SpringerLNCS, 2000.
[DR1] J. Daemen,V. Rijmen,\Resistance against implementationattacks:a comparative study",
Proc.ofthesecondAESconference,pp.122-132,1999.
[DR2] J.Daemen,V.Rijmen,TheDesignofRijndael,Springer-Verlag,Berlin, 2002.
[DPV] J.Daemen,M.Peeters, G.VanAssche,\Bitsliceciphers andimplementationattacks",Proc.
ofFastSoftwareEncryption2000,SpringerLNCSvol.1978,pp.134-149,2001.
[GS] G.R.Grimmett,D. R.Stirzaker,Probability andrandomprocesses, OxfordScience
Publica-tions,Oxford,1992.
[Gu1] P.Gutmann,\Secure deletionofdatafrom magneticandsolid-state memory",Proc. of6th
Symposium,pp.?-?,1998.
[ISO] InternationalOrganizationforStandardization,\ISO/IEC7816-3:Electronicsignalsand
trans-missionprotocols",http://www.iso.ch, 2002.
[JLQ] M. Joye, A.K.Lenstra, J.-J. Quisquater, \Chineseremainderingbased cryptosysteminthe
presenceoffaults",JournalofCryptology12(4):241-245,1999.
[JPY] M. Joye, P. Pailler, S.-M. Yen, \Secure Evaluation of Modular Functions", Proc. of 2001
InternationalWorkshoponCryptologyandNetworkSecurity,pp.227-229,2001.
[JQBD] M.Joye,J.-J.Quisquater,F.Bao,R.H.Deng,\RSA-typesignaturesinthepresenceof
tran-sient faults",CryptographyandCoding,SpringerLNCSvol.1335,pp.155-160,1997.
[JQYY] M. Joye, J.-J. Quisquater, S.M. Yen, M. Yung, \Observability analysis | detecting when
improvedcryptosystemsfail",Proc. ofCT-RSAConference 2002, SpringerLNCSvol. 2271,
pp.17-29,2002.
[KR] B. Kaliski,M. J. B. Robshaw,\Commentsonsome newattacks oncryptographic devices",
RSALaboratoriesBulletin5,July1997.
[Kn] D.E.Knuth,The ArtofComputer Programming,Vol.2:SeminumericalAlgorithms,3rded.,
Addison-Wesley,ReadingMA,1999.
[KK] O.Kommerling,M. Kuhn,\Design Principles for Tamper-Resistant SmartcardProcessors",
Proc.oftheUSENIXWorkshoponSmartcardTechnologies,pp.9-20,1999.
[KQ] F. Koeune, J.-J. Quisquater, \A timing attack against Rijndael", Universite catholique de
Louvain,TRCG-1999/1, 6pages,1999.
[Koca] O.Kocar,\HardwaresicherheitvonMikrochipsinChipkarten",Datenschutzund
Datensicher-heit20(7):421-424,1996.
[Koch] P. Kocher, \Timing attacks on implementations of DiÆe-Hellmann, RSA, DSS and other
systems",Proc.ofCYRPTO'97,SpringerLNCSvol.1109,pp.104-113,1997.
[KJJ] P. Kocher, J.Jae, J. Jun, \DierentialPowerAnalysis", Proc. of CYRPTO '99, Springer
LNCSvol.1666,pp.388-397,1999.
[KWMK] R.Karri,K.Wu,P.Mishra,Y.Kim,\Concurrenterrordetectionoffault-based side-channel
cryptanalysisof128-bitsymmetricblockciphers",Proc.ofIEEEDesignAutomation
Confer-ence,pp.579-585,2001.
[Ma] D. P.Maher, \Faultinductionattacks,tamperresistance, andhostile reverseengineering in
perspective",Proc.ofFinancialCryptography,SpringerLNCSvol.1318,pp.109-121,1997.
[MvOV] A.J.Menezes,P.vanOorschot,S.Vanstone,Handbook ofAppliedCryptography,CRCPress,
NewYork,1997.
[Me] T.Messerges,\SecuringtheAESnalistsagainstpoweranalysisattacks",Proc.ofFast
Soft-ware Encryption2000,SpringerLNCSvol.1978,pp.150-164,2001.
[MAK] S.W.Moore,R.J.Anderson,M.G.Kuhn,\ImprovingSmartcardSecurityusingSelf-Timed
CircuitTechnology",FourthAciD-WGWorkshop,Grenoble,ISBN2-913329-44-6,2000.
[MACMT] S.W.Moore, R.J.Anderson,P.Cunningham,R.Mullins,G.Taylor,\ImprovingSmartcard
SecurityusingSelf-TimedCircuitTechnology",Proc.ofAsynch2002,IEEEComputerSociety
Press,pp.?-?,2002.
[NR] D.Naccache,D.M'Raihi,\Cryptographicsmartcards",IEEEMicro,pp.14-24,1996.
[Pai] P.Pailler,\Evaluatingdierentialfaultanalysisofunknowncryptosystems",Gemplus
Corpo-rateProductR&DDivision,TRAP05-1998, 8pages,1999.
[Pe] I.Petersen,\Chinksindigitalarmor|Exploitingfaultstobreaksmartcardcryptosystems",
ScienceNews151(5):78-79,1997.
[RSA] R.Rivest,A.Shamir,L.Adleman,\Amethodforobtainingdigitalsignaturesandpublic-key
cryptosystems",Comm.oftheACM21:120-126,1978.
[SQ] D.Samyde,J.-J.Quisquater, \ElectroMagneticAnalysis(EMA):Measuresand
Countermea-suresforSmartCards",Proc.ofInt.Conf.onResearchinSmartCards,E-Smart2001,Springer
LNCSvol.2140,pp.200-210,2001.
[SMTM] A. Satoh, S.Morioka, K.Takano, S.Munetoh, \A compactRijndael hardware architecture
withS-Boxoptimization",Proc.ofASIACRYPT'01,SpringerLNCS,pp.241-256,2001.
[SA] S.Skorobogatov,R.Anderson,\OpticalFaultInductionAttacks",Proc.of2002 IEEE
Sym-posiumonSecurityandPrivacy,2002.
[Sh] A.Shamir,\MethodandApparatusfor protectingpublickeyschemesfromtimingandfault
attacks",U.S.PatentNumber5,991,415, November1999; alsopresentedattherumpsession
ReadingMA,1994.
[Wo] J. Wolkerstorfer, \An ASIC implementationof the AES MixColumn-operation",Graz
Uni-versity of Technology, Institute for Applied Information Processing and Communications,
Manuscript,4pages,2001.
[WOL] J.Wolkerstorfer,E.Oswald,M.Lamberger,\AnASICimplementationoftheAESS-Boxes",
Proc.ofCT-RSAConference2002,SpringerLNCSvol. 2271,2002.
[YJ] S.-M.Yen,M. Joye, \Checkingbeforeoutputmaynotbeenoughagainst fault-based
crypt-analysis",IEEETrans.onComputers 49:967-970,2000.
[YKLM1] S.-M.Yen,S.-J. Kim,S.-G. Lim,S.-J.Moon, \RSA Speedupwith ResidueNumberSystem
immunefromHardwarefaultcryptanalysis",Proc.oftheICISC2001,SpringerLNCS,2001.
[YKLM2] S.-M.Yen,S.-J.Kim,S.-G.Lim,S.-J.Moon,\A countermeasureagainstonephysical
crypt-analysismaybenetanotherattack",Proc.oftheICISC2001,SpringerLNCS,2001.
[YT] S.-M.Yen,S.Y.Tseng,\DierentialpowercryptanalysisofaRijndaelimplementation",LCIS
Technical Report TR-2K1-9, Dept.of Computer Science and Information Engineering,
Na-tionalCentral University,Taiwan,2001.
[ZM] Y.Zheng,T.Matsumoto,\Breakingreal-worldimplementationsofcryptosystemsby
manipu-latingtheirrandomnumbergeneration",Proc.ofthe1997SymposiumonCryptographyand
