Show description

Due to the ShiftRows and MixColumns transformations, 8 8 , M18 , M68 or on M11 (resp. on M88 , we know that if we induce a fault on M12 8 8 8 M13 , M2 or on M7 ), the result of these bytes after M C ◦SR ◦SB will be XORed 9 9 9 to K15 (resp. K89 to K11 ). So, we want a fault to occur on one of these with K12 8 8 bytes of M and to test if this happens, we look at the faulty ciphertext: if only the 4 bytes (D12 , D9 , D6 , D3 ) (resp. (D8 , D5 , D2 , D15 )) differ from (C12 , C9 , C6 , C3 ) (resp. (C8 , C5 , C2 , C15 )) of the correct ciphertext, this shows that 8 8 8 , M18 , M68 , M11 ) (resp.

In that case, two of the last 4 bytes of the faulty ciphertext will be different from those of the correct ciphertext. We must hence check if this condition is true: if it is not, we abandon this faulty ciphertext and we generate another faulty ciphertext with a fault on K 9 and we test it again. Key Scheduling Key Scheduling MC o SR o SB SR o SB Round 9 Round 10 Fig. 3. Fault on the 14th byte of the penultimate round key K 9 Now, we will see that it is possible to identify: – the position j of the byte on which the fault occurred – and the value ej of this fault.

W, ) , (10) for 1 ≤ w ≤ W . Each coordinate of Vw is an element of {0, 1}n \ 0 (recall that n is the s-box input/output size). Lemma 3. Given a, b ∈ {0, 1}N \ 0 that satisfy wt(γa ) + wt(γb ) = Bl , let W = Wl [γa , γb ], f = wt(γa ), = wt(γb ), and let χ(w,i) , υ (w,j) be defined as above. Then for fixed i (1 ≤ i ≤ f ), the values χ(1,i) , . . , χ(W,i) are distinct, and for fixed j (1 ≤ j ≤ ), the values υ (1,j) , . . , υ (W,j) are distinct. In other words, for the set of vectors {Vw }W w=1 , all the values in any one position are distinct.