A Fault Attack Construction Based On Rijmen's Chosen-Text Relations Attack

Alfonso De Gregorio adg at crypto.lo.gy
Mon Jun 14 10:40:03 EDT 2010

Last Thursday, Vincent Rijmen announced a new clever attack on AES  
(and KASUMI) in a report posted to the Cryptology ePrint Archive:  
Practical-Titled Attack on AES-128 Using Chosen-Text Relations,  

I believe the related-subkey model is an interesting model to look at  
and, with this email, I would like to solicit comments from the  
community about chosen-text relations attacks and their implications.

For example, this model might be pretty relevant while attacking  
white-box implementations of the target encryption algorithm with  
an embedded secret key, assuming the ability to tamper with at least  
1 bit of the round output (debugging...).

A Fault Attack
In order to further solicit comments, I would like to contribute a  
fault attack construction based on the chosen-text relations attack.

First, it is worth noting how the zero-query attack provided by  
chosen-text-relations-in-the-middle can be transformed into an attack  
with a single query to both the encryption and decryption oracles. It  
is possible to do so by resuming the interrupted encryption after  
applying the specific difference delta to the state (i.e., no rollback  
anymore) and querying the decryption oracle.

More specifically:
- halt the computer in the middle of execution of an encryption routine;
- apply the specific difference delta to the state;
- resume the encryption and output the ciphertext c*;
- query the decryption oracle with c* and retrieve the modified plaintext p*

---------------------------------------------------------------------
The Cryptography Mailing List