Differential Analysis of Round-Reduced AES Faulty Ciphertexts
To cite this version: Amir-Pasha Mirbaha, Jean-Max Dutertre, Assia Tria. Differential Analysis of Round-Reduced AES Faulty Ciphertexts. Defect and Fault Tolerance in VLSI and Nanotechnology Systems (DFT), 2013 IEEE International Symposium on, Oct 2013, New York, United States. DOI 10.1109/DFT.2013.6653607.
HAL Id: emse-01109144, https://hal-emse.ccsd.cnrs.fr/emse-01109144, submitted on 24 Jan 2015.
Amir-Pasha Mirbaha*, Jean-Max Dutertre*, Assia Tria†
*† Secure Systems and Architectures (SAS) Department
* École Nationale Supérieure des Mines de Saint-Étienne; † CEA-Tech
*† 13541 Gardanne, France
{mirbaha, dutertre}@emse.fr, assia.tria@cea.fr
Abstract—This paper describes new Round Reduction Analysis attacks on an Advanced Encryption Standard (AES) implementation by laser fault injection. The previous round reduction attacks require both spatial and temporal accuracy in order to execute only one, two or nine rounds. We present new attacks under more flexible fault injection conditions. Our experiments are carried out on an 8-bit microcontroller which embeds a software AES with pre-calculated round keys. Faults are injected either into the round counter itself or into the reference of its total round number. The attacks may result in the use of a faulty round key in the last one or two executed rounds. The cryptanalysis of the obtained round-reduced faulty ciphertexts resorts to the differentiation techniques used by Differential Fault Analysis.
I. INTRODUCTION
Fault attacks consist in using a hardware malfunction to infer secrets from the target's faulty behavior or outputs. These active attacks can be performed by different physical means, as reported in [1]. Modifying the behavior of a device's software is referred to as algorithm modification. This class of active attacks may consist in replacing instructions executed by a microcontroller [2] to circumvent its security features, or in weakening an encryption algorithm by reducing the number of its rounds [3], [4], [5] (Round Reduction Analysis, RRA). [6] proposed an extension of the latter analysis, Round Modification Analysis (RMA), which decreases or increases the number of iterative rounds, or alters them, to retrieve information about the secret key.
In this paper, we consider any feasible round reduction analysis of an AES implementation. Altering the round-controlling stored values by laser fault injection requires spatial and temporal accuracy. Suppose that the previous round reduction attacks cannot be achieved by an opponent because of the difficulty of injecting the required fault value: is there any other threat from round reduction attacks? We examine this question in our study. Our experiments are done on an 8-bit microcontroller which embeds a software AES with pre-calculated round keys. Round-reduced ciphertexts are obtained by laser fault injection either into the round counter itself or into the reference of its total round number. In our experiments on the round counter, the last one or two executed rounds of the shortened encryptions are xored with faulty round keys. We present a few instances (including two generalized attacks) with their corresponding cryptanalysis. Remarkably, the cryptanalysis of the obtained round-reduced faulty ciphertexts resorts to the differentiation techniques used by Differential Fault Analysis (DFA).
This article is organized as follows: Some reminders on
the AES and a review of the state-of-the-art of RRA attacks are
given in section II. The theory of RRA by laser fault injection
is described in section III. The practical basics of our attacks
and the experimental setup are presented in section IV. Finally,
our ﬁndings are summarized in the concluding section V with
some perspectives.
II. ROUND REDUCTION ANALYSIS
Many symmetric cryptographic algorithms are based on
the repetition of identical sequences of transformations, called
rounds. A signiﬁcant part of these algorithms’ strength against
cryptanalysis is based on their repeated rounds. Any decrease
in the number of rounds is likely to reduce their security level
[7]. For instance, suppose an attack that induces a jump to
the end of the algorithm after the execution of only a few
instructions (or after one or two rounds). As a result, much
of the encryption process is skipped and the ﬁnal ciphertext
is the product of few algorithm operations that may easily
reveal the key by light cryptanalysis operations and lower
computational complexity. In the following, we ﬁrst remind
the AES’ basics and introduce our software implementation
before going deeper into the state-of-the-art of round reduction
analysis.
A. The Advanced Encryption Standard
1) The AES-128: AES is a Substitution-Permutation Net-
work (SPN) block cipher [8]. AES processes a 128-bit plaintext
and a key of 128, 192 or 256 bits long to produce a 128-bit
ciphertext, by executing 10, 12 or 14 rounds, respectively. For
the sake of simplicity, we will consider hereafter only the 128-
bit AES version: denoted by AES or by AES-128. The algorithm
has two separated processes: One for the KeyExpansion to
derive round keys from the secret key and another one for
the DataEncryption. AES-128 performs encryption in 10
rounds, after a short initial round. Each round has its own
round key which is used in one of the transformation steps.
Hereafter, we use the "K" prefix plus the round number to refer to a round key (e.g. "K9" for the 9th round key). "K" on its own refers to the secret key (K = K0).
To encrypt a plaintext, denoted by M , the encryption
process considers its 16 bytes as a matrix of 4 × 4 bytes.
Each round of the algorithm, except the initial and the final ones, includes 4 transformations. First, each matrix element (one byte) is replaced by the corresponding value in a substitution table (SubBytes or SB). Second, a rotation of the matrix rows is executed (ShiftRows or SR). Third, a linear transformation is applied column by column (MixColumns or MC); MC may be written as a matrix multiplication in GF(2^8) whose coefficients are 01, 02 or 03. Fourth, a bitwise xor is performed between each element and the corresponding byte of the round key (AddRoundKey or ARK). Before the 1st round, an ARK is applied to M and K (Round 0 or initial round). The MC transformation is omitted in the final round. If the algorithm is implemented with iterative rounds, a round counter, hereafter RC, counts the rounds. We also use Rmax as the reference for the total number of rounds. In a correct execution of AES-128, Rmax equals 10 and RC is counted from 0 or 1 up to 10.
Notation: In the following, we use the “R” preﬁx plus
the round number to refer to the transformations involved
in an AES encryption. Hence, R0-R1-R2-R3-R4-R5-R6-R7-
R8-R9-R10, or shortly R0. . .R10, represents the rounds of
a complete (i.e. unmodiﬁed) AES. R1, R2, ... and R9 are
used to represent unchanged middle rounds, including all the
four transformations. R0 and R10 represent the unchanged
initial and ﬁnal rounds of an AES-128, including only ARK
and ARK◦SR◦SB transformations, respectively. Besides, we
use Rm=i to express that, due to a fault, a round composed of
the ARK◦MC◦SR◦SB transformations (where “m” stands for
middle round) is using an incorrect round key of index i.
Rf=j has the same meaning for a round without the MC
transformation (“f” stands for ﬁnal round). In addition, “Mi”
represents the AES intermediate state at the end of round i.
2) Software implementations of the AES-128: In this work
we consider a software implementation of the AES-128, shown
in algorithm 1. This implementation is embedded in an 8-bit
microcontroller (see section IV). Algorithm 1 is similar to the
proposed implementation in the ofﬁcial NIST publication for
AES[8]. The only difference lies in the last ARK transformation
which uses RC value, as the ﬁnal round key index, instead of
the total round number reference (Rmax).
Algorithm 1 Software implementation of the AES algorithm with pre-calculated round keys.
  C ← M
  C ← C ⊕ K0
  RC ← 1
  while (RC < Rmax) do
      C ← SB(C)
      C ← SR(C)
      C ← MC(C)
      C ← C ⊕ KRC
      RC ← RC + 1
  end while
  C ← SB(C)
  C ← SR(C)
  C ← C ⊕ KRC
C is an intermediate variable that holds the AES state throughout the encryption. The round counter RC is used as the index that selects the round key of every ARK transformation (except the initial one). RC is also compared to the total round number reference, Rmax, to end the iterative loop preceding the final round. Rmax is not a constant, so that different total round numbers (10, 12 or 14) can be used.
Note that the initial and final rounds (R0 and R10) are implemented outside the loop. Hence, even if all middle rounds are removed, the initial and final rounds are still executed. Moreover, if for any reason RC takes a value greater than 10, the algorithm reads the 16 bytes stored at the address computed by the same formula for KRC. Consequently, a block of unknown and invalid values lying beyond the round key table is used by the next ARK transformation.
B. Round Reduction Analysis: State-of-the-Art
1) H. Choukri and M. Tunstall’s attack: The ﬁrst practical
round reduction analysis experiment was introduced by H.
Choukri and M. Tunstall in 2005. [3] shows that a transient
glitch on the power supply of a microcontroller may change
the round counter (RC) value of an iterative AES cipher. They
succeeded in changing the round counter of an AES program at
the beginning of algorithm execution to its ﬁnal value. Hence,
the ciphertext was the product of a single round (plus the initial
round): R0-Rm (according to the notation introduced in II-A).
They also introduced a cryptanalysis technique that retrieves the secret key: eq. 1 is obtained by xoring two faulty ciphertexts D^a and D^b (M^a and M^b being the corresponding plaintexts; the K1 terms cancel in the xor):
$$MC^{-1}(D^a \oplus D^b) = SB(M^a \oplus K) \oplus SB(M^b \oplus K) \qquad (1)$$
For every key byte, eq. 1 yields two different hypotheses. Finally, an exhaustive search over the 2^16 possible keys is made to retrieve the secret key. Note that this cryptanalysis does not require the knowledge of the correct encryptions of M^a and M^b.
2) Y. Monnet et al.’s attack: Y. Monnet et al. reported
in [9] another round reduction attack on two asynchronous
cryptoprocessors running the Data Encryption Standard (DES)
algorithm. The attack was done by laser fault injection. A pool
of over 50 reproducible round-corrupted results was obtained.
Then, the key was retrieved by differential analysis of faulty
encryptions pairs whose round execution sequences have a
difference of one round.
3) J.H. Park et al.’s attack: This attack, reported in [4], is
a laser fault injection into an ATmega128 8-bit microcontroller
with an embedded AES. The AES implementation is compliant
with the algorithm structure proposed in [8]. They reported a
successful attack that consists in jumping from R1 to R10. The
faulty execution path is R0-R1-R10. Therefore, an additional
round is executed in comparison to [3] that included only
R0-Rm. The associated cryptanalysis requires data from ten different reduced encryptions. The calculation involves four steps of exhaustive search of 2^40, 2^32, 2^24 and 2^32 steps respectively. This took approximately ten hours on a PC.
4) K.S. Bae et al.’s attack: K.S. Bae et al. presented in
[5] a successful attack by eliminating the AES penultimate
round. The encryption included R0. . .R8-R10. The attack was
performed on the experimental setup introduced in [4]. The
key was revealed using two pairs of corresponding faulty and
correct ciphertexts and an exhaustive search between the two
candidates for each key byte. This technique is similar to the one reported by H. Choukri and M. Tunstall in [3]; the difference is that it uses ciphertexts instead of plaintexts. Thus, the cryptanalysis needs to find the key among 2^16 candidates.
III. THEORY OF OUR ROUND REDUCTION ANALYSIS
Previous round reduction attacks on AES analyse encryptions reduced to one, two or nine rounds. Their exploitation requires a differential analysis referring either to the plaintexts or to the correct ciphertexts. In none of these attacks did the round-reduced ciphertexts involve a faulty round key value.
In this paper, we study all the feasible attacks that reduce the number of executed rounds. We examine whether an AES implementation can be considered safe when the opponent cannot reduce the rounds to one, two or nine. Indeed, is there still a threat if the opponent can reduce the total number of rounds only to a value between 3 and 8? Our aim is to identify all the round reduction threats via the round-controlling operations of an AES implementation.
A. RRA Scenarios
To reduce the total number of rounds of algorithm 1 by fault injection, two scenarios are conceivable: changing Rmax or altering the RC value. We assume in this paper a bit-flip fault model and denote the injected fault by e; e is always a single byte, xored either with Rmax or with RC. A few more scenarios exist with other targets, for instance the chip's program counter. This article cannot cover every potential target of algorithm 1; we focus on faults injected into Rmax and RC, which are the most common targets for an AES implementation similar to the NIST proposed version [8].
1) Scenario I: Attacks on the round number reference:
Suppose a fault injection into Rmax during AES execution.
Rmax is accessed only once per round, at the beginning of
the while loop in algorithm 1. Depending on the resulting
Rmax ⊕ e value and on the RC value during the attack, an
increase or a decrease may be induced in the total round
number:
Case a: If Rmax ⊕ e < Rmax and RC < Rmax − 1 ⇒ round reduction, i.e. suppression of one or several rounds, leaving Max{Rmax ⊕ e, RC + 1} rounds. For instance, if e = 8 is injected when RC = 5, then Rmax ⊕ e = 2 and the AES execution will be R0...R5-Rf=6: as Rmax ⊕ e < RC, the round following the attack is executed as the final round and any remaining round is suppressed.
Case b: If Rmax ⊕ e > Rmax and RC < Rmax ⇒ round addition, i.e. execution of additional rounds. For instance, if e = 4 is injected when RC < 10, then Rmax ⊕ e = 14 and the AES execution will be R0...R9-Rm=10-Rm=11-Rm=12-Rm=13-Rf=14. The 10th round and the additional rounds 11 to 13 are executed like middle rounds (i.e. including the MC step), and the final round is executed as R14. With pre-calculated round keys, and in the absence of countermeasures, the rounds above R10 use invalid round key values K11...K14 in their ARK transformation. The total number of executed rounds is increased to 14.
Faulting Rmax when RC < Rmax − 1 results always in
round reduction or addition. A fault in Rmax cannot cause a
redundant execution of any round.
2) Scenario II: Attacks on the round counter value: The
second scenario is like the attacks reported in [3], [4] and [5],
by targeting the round counter, RC, during the AES execution.
The attack alters the index of the currently executing round. In an algorithm similar to algorithm 1, RC is accessed twice during each middle round and during the final round. Thus, depending on the instant of fault injection, various changes can occur in the encryption process: an RC change before ARK alters the index of the executing round and thus the index of the mapped round key, whereas an RC modification during ARK has no immediate effect until the next RC incrementation in the while loop, i.e. at the beginning of the following round.
An RC variation often changes the total number of executed rounds, by adding, suppressing or even repeating several rounds:
Case a: If RC ⊕ e < RC ⇒Round addition or
repetitive execution of several rounds. For instance: if RC = 7
and e = 2 then RC ⊕ e = 5. If the fault is injected before the
ARK, AES execution will be: R0. . .R5-R6-R5-R6-R7. . .R10.
Thus, R5 and R6 will be executed twice and the total number
of executed rounds will be incremented to 12. An attack during
the ARK affects the encryption on the following round. In
this example, R6 and R7 (instead of R5 and R6) will be
repeated and AES execution will become: R0. . .R5-R6-R7-
R6-R7. . .R10.
Case b: If RC ⊕ e > RC when RC < Rmax −
1 ⇒Round reduction. For example: if RC = 4 and e = 2
(before ARK) then RC ⊕ e = 6 and the faulty AES execution
will be :R0. . .R3-R6. . .R10. Therefore,R4-R5 will be skipped
and the total number of executed rounds will be reduced to 8.
Case c: If RC ⊕ e > RC when RC = Rmax − 1 ⇒ round alteration: the total number of rounds remains unchanged, but the attack affects the following ARK transformations. For instance, if RC = 9 and e = 2 is injected before ARK, then RC ⊕ e = 11 and the AES execution will be R0...R8-Rm=11-Rf=12. Consequently, the total number of executed rounds remains 10, but the penultimate and the final rounds use invalid round key values (K'11 and K'12) in their ARK transformations. When the round keys are pre-calculated, K'11 and K'12 are mapped to memory contents that carry no information about K.
As it is shown, contrary to the attacks on Rmax, faulting
RC may cause redundant execution of one or several rounds.
In this paper, we focus only on the round reduction attacks.
B. Round Reduction Experiments
Now, we examine all the round reduction attack possibil-
ities by the two scenarios on our AES implementation, using
the experimental setup described in section IV-B.
1) Round Reduction to the Initial Round: A round reduction attack that reduces the AES encryption to the initial round transformation alone is, theoretically, the optimal attack, because the round-reduced ciphertext (denoted D) is produced by the minimal transformation of the plaintext (denoted M) and contains all the key information:
$$D = M \oplus K \qquad (2)$$
Thus, the analysis requires the knowledge of only one pair of round-reduced ciphertext and corresponding plaintext: the key is revealed by xoring them. This attack seems infeasible on an AES implementation similar to algorithm 1, since the final round is executed outside the loop in any case.
2) Round Reduction to One Round: Round reduction to only one round (after the initial round) is perhaps the optimal realistic attack on several AES implementations, because the encryption then involves the transformations of a single round and the results can be exploited very fast. The analysis requires two pairs of corresponding round-reduced ciphertext and plaintext. The first realization of this attack is reported by H. Choukri and M. Tunstall in [3]; we refer the readers to their article for the details of their technique. On an AES implementation similar to algorithm 1, this attack seems feasible only by targeting Rmax.
3) Round Reduction to Two Rounds (Experiment 1): A round reduction to two rounds (after the initial round) is a realistic attack (and perhaps the optimal one) on the NIST proposed implementation, and it is exploitable in a feasible calculation time. J.H. Park et al. reported a successful realization of this attack in [4]. Their technique requires 10 pairs of corresponding round-reduced ciphertext and plaintext, and their analysis takes 10 hours on a PC. Here, we report our round reduction attacks to two rounds as experiment 1. Our technique performs better than [4].
a) Experiment 1.a Using Scenario I: By injecting an adequate fault value into Rmax, the opponent may reduce the encryption sequence to 2 rounds, i.e. R0-R1-Rf=2. The technique of [4] can exploit this attack, even though the encryption sequence differs at the final round. We review a more complex case in experiment 1.b for scenario II and then present our technique.
b) Experiment 1.b Using Scenario II: We performed
this attack by faulting RC during the execution of R1. If
the fault is injected during ARK of R1, the encryption se-
quence becomes: R0-R1-Rf . [4] may again be used for the
exploitation. Besides, if the fault is injected before ARK of R1,
the encryption sequence becomes R0-Rm-Rf . This is a more
sophisticated case in comparison to J.H. Park et al.’s attack.
We present here a technique exploiting our attack which can
be also applied to J.H. Park et al.’s attack.
This experiment is done by faulting RC during the first round in order to increment it to 9 or a higher value. This was achieved with a single-bit or single-byte fault equal to 0x08 or to any value between 0x0a and 0xff (0x09 is excluded because 1 ⊕ 0x09 = 8, after which RC is incremented to 9 and the loop executes one more middle round). Thus, RC ⊕ e became greater than 8 and the next round was performed as the final round. Therefore, the encryption sequence was R0-Rm-Rf, with faulty key values for the second and the final rounds. The cryptanalysis of this attack scheme requires at least three pairs of plaintexts and corresponding faulty ciphertexts (M^a, D^a), (M^b, D^b) and (M^c, D^c). For a plaintext M^a, the corresponding faulty ciphertext is given by eq. 3:
$$D^a = SR \circ SB\big[MC \circ SR \circ SB(M^a \oplus K) \oplus K'_x\big] \oplus K'_y \qquad (3)$$
In eq. 3, $K'_x$ and $K'_y$ are unknown constant values corresponding to the invalid round keys of the rounds Rm and Rf, respectively. By xoring eq. 3 with the similar equation for D^b, the $K'_y$ terms cancel and we obtain eq. 4. We repeat the xoring between eq. 3 and the equation for D^c.
$$D^a \oplus D^b = SR \circ SB\big[MC \circ SR \circ SB(M^a \oplus K) \oplus K'_x\big] \oplus SR \circ SB\big[MC \circ SR \circ SB(M^b \oplus K) \oplus K'_x\big] \qquad (4)$$
Nevertheless, $K'_x$ remains in eq. 4 and in the corresponding equation for D^a ⊕ D^c. They are solved by making hypotheses on both K and $K'_x$, where M^a, M^b, M^c, D^a, D^b and D^c are known values. Since MC mixes one column at a time, the search is done per column of SR(K): a brute-force search over (2^8)^4 × 2^8 × 4 = 2^42 values is necessary for each column of SR(K) and the corresponding $K'_x$ bytes. The search leaves only 1, 2 or 3 hypotheses for each column of SR(K) and $K'_x$. In the next step, each combination of key column hypotheses is checked with one pair of corresponding plaintext and correct ciphertext, e.g. M^a and C^a. The entire key is thus discovered after a brute-force search of 2^42 × 4 = 2^44 values. With a PC equipped with an Intel Core i5-2410M microprocessor at 2.30 GHz (hereafter our PC), the full attack exploitation takes about 3 hours and 50 minutes. In our experiment, every round key except the initial one (i.e. K), namely Km (K1) and Kf (K10), may be absent or fully faulty. Nevertheless, our method is about 2.5 times faster than Park et al.'s technique and needs only 3 encryptions instead of 10.
4) Round Reduction to Three Rounds: Reducing the AES execution to three rounds (after the initial round) is realistic with both scenarios. However, we could not find any differential technique with a reasonable calculation time (under about 10 hours).
5) Differential One-Round Analysis of the Round-Reduced Encryptions (Experiment 2): Suppose an attack that changes the number of executed rounds during two consecutive encryptions of the same plaintext. If the two obtained round-reduced encryptions differ in only one round, neither the plaintext nor the correct ciphertext is required for the exploitation: a differential analysis between the two round-reduced encryptions may reveal the key.
We assume that the first attack reduces the number of executed rounds from Rmax to i+1, and that the second attack reduces a new encryption of the same plaintext to i+2. The sequences of the round-reduced encryptions are:
1st encryption: R0...Ri-Rf=i+1
2nd encryption: R0...Ri-Ri+1-Rf=i+2
Note that i is the index of the last executed middle round in the first round-reduced encryption. A differential cryptanalysis over only the part in which the two sequences differ (the last round of each) may reveal the key. We denote the two round-reduced encryptions of a given plaintext M^a by $D^a_1$ and $D^a_2$, given by eq. 5a and eq. 5b:
$$D^a_1 = SR \circ SB(M^a_i) \oplus K_{i+1} \qquad (5a)$$
$$D^a_2 = SR \circ SB(M^a_{i+1}) \oplus K_{i+2} \qquad (5b)$$
$K_{i+1}$ and $K_{i+2}$ are unknown values corresponding to the valid round keys of the rounds Ri+1 and Ri+2, respectively. Using two plaintexts, an xor between the two $D_1$ equations and another xor between the two $D_2$ equations lead to eq. 6 and eq. 7:
$$D^a_1 \oplus D^b_1 = SR \circ SB(M^a_i) \oplus SR \circ SB(M^b_i) \qquad (6)$$
$$D^a_2 \oplus D^b_2 = SR \circ SB(M^a_{i+1}) \oplus SR \circ SB(M^b_{i+1}) \qquad (7)$$
Eq. 8 is obtained by applying an MC transformation to eq. 6 (MC is linear, so it distributes over ⊕): since $M_{i+1} = MC \circ SR \circ SB(M_i) \oplus K_{i+1}$ for both plaintexts and the $K_{i+1}$ terms cancel, the result is the xor of the two intermediate states after round i+1:
$$M^b_{i+1} = MC(D^a_1 \oplus D^b_1) \oplus M^a_{i+1} \qquad (8)$$
By replacing $M^b_{i+1}$ from eq. 8 in eq. 7, we obtain eq. 9:
$$D^a_2 \oplus D^b_2 = SR \circ SB(M^a_{i+1}) \oplus SR \circ SB\big[MC(D^a_1 \oplus D^b_1) \oplus M^a_{i+1}\big] \qquad (9)$$
where $D^a_1$, $D^b_1$, $D^a_2$ and $D^b_2$ have known values. Since SR only moves bytes, eq. 9 splits into 16 independent byte equations of the form SB(x) ⊕ SB(x ⊕ δ) = t, where x is a byte of $M^a_{i+1}$ and δ the corresponding byte of $MC(D^a_1 \oplus D^b_1)$. Hence, we perform an exhaustive search over the 2^8 possible values of each byte of $M^a_{i+1}$. Note that if x satisfies such a byte equation, so does x ⊕ δ, so one pair of plaintexts always leaves at least two candidates per byte; intersecting them with the candidates obtained from another pair (e.g. M^a with M^c) usually leaves a unique value for each byte. Then, using the obtained $M^a_{i+1}$ values and eq. 5b, we find $K_{i+2}$, and K is revealed by inverting the KeyExpansion.
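The following Python script is an added example, not the paper's code. It models Algorithm 1 (section II-A2) with the RC and Rmax fault effects described in section III-A, and runs the one-round differential analysis of this section (experiment 2.a) end to end on a constructed key. The S-box is computed from its definition rather than tabulated; the "round keys" beyond K10 are constructed junk blocks, an assumption standing in for whatever follows the key table in SRAM; the plaintexts are constructed. Candidate bytes are intersected over several plaintexts because each byte equation of eq. 9 admits x and x ⊕ δ together.

```python
"""Constructed model of Algorithm 1 (section II-A2) with round-counter faults, plus the
one-round differential analysis of section III-B5.  Added example, not the paper's code."""
import hashlib

def _gmul(a, b):                        # multiplication in GF(2^8), AES polynomial
    r = 0
    while b:
        if b & 1: r ^= a
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return r

def _rotl(v, k): return ((v << k) | (v >> (8 - k))) & 0xFF

def _build_sbox():                      # inverse in GF(2^8), then the FIPS-197 affine map
    inv = [next((y for y in range(1, 256) if _gmul(x, y) == 1), 0) for x in range(256)]
    return [v ^ _rotl(v, 1) ^ _rotl(v, 2) ^ _rotl(v, 3) ^ _rotl(v, 4) ^ 0x63 for v in inv]

SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
# State: 16 bytes in column-major order, byte r + 4c is row r of column c.
def xor(a, b): return [x ^ y for x, y in zip(a, b)]
def sub_bytes(s): return [SBOX[b] for b in s]
def shift_rows(s): return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [_gmul(a0, 2) ^ _gmul(a1, 3) ^ a2 ^ a3, a0 ^ _gmul(a1, 2) ^ _gmul(a2, 3) ^ a3,
                a0 ^ a1 ^ _gmul(a2, 2) ^ _gmul(a3, 3), _gmul(a0, 3) ^ a1 ^ a2 ^ _gmul(a3, 2)]
    return out

def expand_key(key):                    # K0..K10, each a 16-byte list
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= RCON[i // 4 - 1]
        w.append(xor(w[i - 4], t))
    return [sum(w[4 * k:4 * k + 4], []) for k in range(11)]

def invert_key_expansion(k_round, idx):  # walk a valid K_idx back to K = K0
    w = [k_round[4 * j:4 * j + 4] for j in range(4)]
    for r in range(idx, 0, -1):
        prev = [None, xor(w[1], w[0]), xor(w[2], w[1]), xor(w[3], w[2])]
        t = [SBOX[b] for b in prev[3][1:] + prev[3][:1]]
        t[0] ^= RCON[r - 1]
        prev[0] = xor(w[0], t)
        w = prev
    return sum(w, [])

def round_keys_in_sram(key):
    # K0..K10 followed by constructed junk at indices 11..255: an assumption for the
    # memory that follows the key table, carrying no information about K.
    junk = [list(hashlib.sha256(b"junk%d" % i).digest()[:16]) for i in range(11, 256)]
    return expand_key(key) + junk

def encrypt(M, keys, rmax=10, rc_fault=None):
    """Algorithm 1 with an 8-bit RC.  rc_fault=(at_rc, phase, e) xors e into RC in the
    middle round whose counter equals at_rc, phase 'before_ark' or 'during_ark' (III-A2).
    A reduced rmax models a Scenario I fault on Rmax landing before the loop test.
    Returns (ciphertext, executed rounds in the paper's notation)."""
    C, rc, trace = xor(list(M), keys[0]), 1, ["R0"]
    while rc < rmax:
        C = mix_columns(shift_rows(sub_bytes(C)))
        if rc_fault and (rc, "before_ark") == rc_fault[:2]:
            rc, rc_fault = rc ^ rc_fault[2], None
        C = xor(C, keys[rc])
        trace.append("Rm=%d" % rc)
        if rc_fault and (rc, "during_ark") == rc_fault[:2]:
            rc, rc_fault = rc ^ rc_fault[2], None
        rc = (rc + 1) & 0xFF
    C = xor(shift_rows(sub_bytes(C)), keys[rc])
    trace.append("Rf=%d" % rc)
    return bytes(C), trace

def one_round_differential_attack(enc, i):
    """enc = [(D1, D2), ...]: several plaintexts, each reduced to i+1 and to i+2 rounds
    with valid K_{i+1}, K_{i+2}.  Bytewise search of eq. 9 against the first plaintext,
    candidate sets intersected over the others (one pair always admits x and x xor delta),
    then K_{i+2} from eq. 5b and K from the inverted key schedule."""
    d1a, d2a = map(list, enc[0])
    cands = [set(range(256)) for _ in range(16)]
    for d1b, d2b in enc[1:]:
        delta = mix_columns(xor(d1a, list(d1b)))    # eq. 8: M^a_{i+1} xor M^b_{i+1}
        target = xor(d2a, list(d2b))                # left-hand side of eq. 9
        for p in range(16):
            q = p % 4 + 4 * ((p // 4 - p % 4) % 4)   # ShiftRows sends byte p to position q
            cands[p] &= {x for x in range(256) if SBOX[x] ^ SBOX[x ^ delta[p]] == target[q]}
    if any(len(c) != 1 for c in cands):
        raise ValueError("ambiguous byte: collect more round-reduced encryptions")
    m_a = [c.pop() for c in cands]                   # M^a_{i+1}
    k_next = xor(d2a, shift_rows(sub_bytes(m_a)))    # eq. 5b solved for K_{i+2}
    return bytes(invert_key_expansion(k_next, i + 2))

def demo(i=3, key=bytes(range(16))):   # experiment 2.a end to end on a constructed key
    keys = round_keys_in_sram(key)
    pts = [hashlib.sha256(b"pt%d" % n).digest()[:16] for n in range(5)]   # constructed
    enc = [(encrypt(M, keys, rmax=i + 1)[0], encrypt(M, keys, rmax=i + 2)[0]) for M in pts]
    return one_round_differential_attack(enc, i) == key
```

`encrypt(M, keys, rmax=6)` reproduces a Scenario I reduction (R0...R5-Rf=6); `encrypt(M, keys, rc_fault=(4, "before_ark", 2))` reproduces Case b of Scenario II (R0, Rm=1..3, Rm=6..9, Rf=10), and `rc_fault=(9, "before_ark", 2)` reproduces Case c with the junk keys at indices 11 and 12. `demo()` returns True when the recovered key equals the constructed one. The model reproduces only the arithmetic effect of a fault on the stored counter, not the laser physics, and it recovers K only when the two reduced encryptions end with valid round keys, which is why scenario II needs the third encryption discussed below.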
a) Experiment 2.a Using Scenario I: By using the
experimental setup reported in section IV-B, we performed
successfully this attack. We reduced Rmax to several values
and obtained K by using the technique explained above.
b) Experiment 2.b Using Scenario II: With scenario II, this attack yields two round-reduced encryptions without any valid key in their final rounds. To exploit the round-reduced encryptions with a short cryptanalysis, the fault must be injected during the ARK transformation of the last middle round (of each round-reduced encryption); otherwise (i.e. with an earlier fault, before ARK), the faulty RC alters the key values of two rounds. We therefore obtain eq. 10a and eq. 10b, instead of eq. 5a and eq. 5b, for a given plaintext M^a:
$$D^a_1 = SR \circ SB(M^a_i) \oplus K'_{y_1} \qquad (10a)$$
$$D^a_2 = SR \circ SB(M^a_{i+1}) \oplus K'_{y_2} \qquad (10b)$$
A differential cryptanalysis between eq. 10a and eq. 10b still finds $M^a_{i+1}$. However, $K'_{y_2}$ is an invalid key, unrelated to K, so this analysis alone gives no information about K. A solution for exploiting scenario II is to extend this experiment with a third attack, obtaining a third round-reduced encryption to i+3 rounds, denoted by eq. 11:
$$D^a_3 = SR \circ SB(M^a_{i+2}) \oplus K'_{y_3} \qquad (11)$$
Thus, $M^a_{i+2}$ is revealed by a differential cryptanalysis between eq. 10b and eq. 11. Consequently, $K_{i+2}$ is obtained from the $M^a_{i+1}$ and $M^a_{i+2}$ values by eq. 12, which is the round function of Ri+2 solved for its round key:
$$K_{i+2} = M^a_{i+2} \oplus MC \circ SR \circ SB(M^a_{i+1}) \qquad (12)$$
Therefore, two separate differential cryptanalyses over the three round-reduced encryptions $D_1$, $D_2$ and $D_3$ of 3 plaintexts M^a, M^b and M^c reveal the secret key. The calculation time is less than one second on our PC.
c) Experiment 2.c Using Scenario II: Another option for this experiment uses only 2 given plaintexts M^a and M^b instead of 3. In this case, the first step, the cryptanalysis between $D_1$ and $D_2$ (for the two corresponding pairs), often leaves two hypotheses for each pair of corresponding $M^a_{i+1}$ and $K'_{y_2}$ bytes. Then, the cryptanalysis between $D_2$ and $D_3$ (for the two corresponding pairs) often leaves two hypotheses for each byte of $M^a_{i+2}$. In the third step, the 2 hypotheses per byte of $M^a_{i+1}$ give 2^4 hypotheses for each of its columns; combined with the 2 hypotheses per corresponding byte of $M^a_{i+2}$, 2^8 hypotheses are obtained for the corresponding column of $K_{i+2}$ (eq. 12). Therefore K is revealed after testing all (2^8)^4 hypotheses for the entire $K_{i+2}$. This exploitation requires computing and testing the other round keys for each hypothesis. It takes on average less than 3 hours and 30 minutes on our PC.
d) Experiment 2.d Using Both of the Scenarios I & II:
Another possibility for performing this attack, is using both of
the scenarios I and II, in a manner that the ﬁrst attack targets
the RC and the second attack changes the Rmax. In this case,
eq. 13a and eq. 13b present the faulty encryptions for a given M^a:
$$D^a_1 = SR \circ SB(M^a_i) \oplus K'_y \qquad (13a)$$
$$D^a_2 = SR \circ SB(M^a_{i+1}) \oplus K_{i+2} \qquad (13b)$$
K ′y is an invalid round key. However, this attack exploitation
is similar to experiment 2.a using scenario I. Please refer to
section III-B5 for this attack exploitation. This experiment with
combined scenarios shows the threat of existing ﬂexible targets
for the opponent in order to obtain the required encryption
sequences.
6) Differential Two-Round Analysis of the Round-Reduced
Encryptions (Experiment 3): Another attack possibility is a
differential analysis between round-reduced encryptions which
differ in two rounds. For brevity in this article, we report this
attack only in table I.
7) Round Reduction to Eight Rounds (Experiment 4): Here,
we review round reduction attack to 8 rounds.
a) Experiment 4.a Using Scenario I: It is possible to modify Rmax in order to execute 8 rounds. The encryption includes all the rounds up to R7, then performs R8 as the final round, i.e. without MC: R0...R7-Rf=8. The attack is a simple case of our technique for scenario II (experiment 4.b).
b) Experiment 4.b Using Scenario II: This round reduction experiment targets RC during the ARK of R7 with any fault value greater than 0x07, except 0x0f (7 ⊕ 0x0f = 8, which lets the loop execute one more middle round before the final one). Due to the fault, RC was incremented to Rmax or a higher value at the beginning of the following round. Therefore, the encryption sequence was R0-R1...R7-Rf. The exploitation of this attack needs at least three pairs of correct and round-reduced ciphertexts: (C^a, D^a), (C^b, D^b) and (C^c, D^c).
$$C^a = SR \circ SB\big[MC \circ SR \circ SB(M^a_8) \oplus K_9\big] \oplus K_{10} \qquad (14)$$
$$D^a = SR \circ SB(M^a_7) \oplus K'_y \qquad (15)$$
An xor between D^a and D^b, followed by an MC, gives eq. 16:
$$MC(D^a \oplus D^b) = MC \circ SR \circ SB(M^a_7) \oplus MC \circ SR \circ SB(M^b_7) \qquad (16)$$
Since $M_8 = MC \circ SR \circ SB(M_7) \oplus K_8$ and the $K_8$ terms cancel, eq. 16 can also be expressed with the $M_8$ values, as shown in eq. 17:
$$MC(D^a \oplus D^b) = M^a_8 \oplus M^b_8 \qquad (17)$$
By xoring eq. 14 with the similar equation for C^b and reversing the ShiftRows operations, we obtain eq. 18, where $M_9 = MC \circ SR \circ SB(M_8) \oplus K_9$:
$$SR^{-1}(C^a \oplus C^b) = SB(M^a_9) \oplus SB(M^b_9) \qquad (18)$$
By expanding $M^a_9$ and $M^b_9$ in eq. 18 and replacing $M^b_8$ from eq. 17, we obtain eq. 19:
$$SR^{-1}(C^a \oplus C^b) = SB\big[MC \circ SR \circ SB(M^a_8) \oplus K_9\big] \oplus SB\big\{MC \circ SR \circ SB\big[MC(D^a \oplus D^b) \oplus M^a_8\big] \oplus K_9\big\} \qquad (19)$$
In eq. 19, C^a, C^b, D^a and D^b have known values. We perform an exhaustive search among the (2^8)^4 possible values of each column of $SR(M^a_8)$ and its corresponding column of $K_9$. Using three corresponding pairs of round-reduced ciphertexts, on average two values are left for each column of $K_9$. Then, $K_9$ and consequently K are found by testing all the 2^4 column hypotheses. This exploitation is similar to that of experiment 3, reported in table I. The complete cryptanalysis takes about 4 hours and 10 minutes on our PC.
8) Round Reduction to Nine Rounds: A round reduction to nine rounds (after the initial round) can be considered the counterpart of the round reduction to one round reported in [3]. A successful experiment of this attack is reported by K.S. Bae et al. in [5].
IV. LASER INDUCED RRA ON THE MICROCONTROLLER
A. Laser fault injection
The use of a laser to inject faults into the calculations of a
secure circuit was introduced by S. Skorobogatov and R. An-
derson in 2002 [10]. Laser faults arise from the photoelectric
effect caused by a laser beam passing through silicon provided
that its photon energy is greater than the silicon bandgap
[11]. This effect generates electron-hole pairs in silicon. These
charges may create a transient current when exposed to the
strong electric ﬁelds found in the PN junctions of CMOS
transistors. Then, this transient current turns into a voltage
transient that may travel through the circuit’s logic. It may
affect the computations of the target circuit or some of its
memory elements. Hence, SRAMs are subject to bit-ﬂip when
exposed to a laser beam [10], [12]. We have reported in [13]
experiments showing our ability to inject single byte and even
single bit faults in the SRAM of the same device. We took
advantage of the knowledge acquired during this previous work
to realize the experiments reported in this section.
B. Experimental Setup for laser induced RRA
Target: We used a device communicating with smart card
standards as our target. It is an 8-bit 0.35µm RISC micro-
controller with an integrated 128KB ﬂash program memory,
4KB EEPROM and 4KB SRAM. It should be noted that this
microcontroller does not embed any countermeasure against
fault injection. The device runs the Simple Operating System
for Smartcard Education [14] for simulating the smart card
environment. The microcontroller operates at a frequency of
3.59 MHz. It runs the software AES described in algorithm 1
(in section II-A2) which uses pre-calculated round-keys. In our
implementation, the AES secret key is embedded in the code.
After each circuit reset, the AES’ round keys are derived and
stored in the microcontroller’s SRAM.
RC and Rmax are also stored in the circuit’s SRAM. That
is the entry point we have used to modify the AES behaviour
by laser fault injection. We have already reported ([13], [15])
bytewise and bitwise fault injection experiments in this SRAM.
As a consequence, laser proved to be a suitable fault injection
means in order to corrupt RC and Rmax for the purpose of
carrying out RRA. Figure 1 highlights the chip’s SRAM area.
Bench: Our experiments were conducted with green
(532nm) or infrared (1064nm) wavelengths, through the front
and rear sides of the chip respectively (obviously after a proper
decapsulation). The laser beam for injecting single-bit faults
was about ∅4µm with ≃ 10pJ energy per shot (before passing
through the lens). The laser pulse duration was set to 5ns. The
target was mounted on an XY motorized stage with a 0.1µm
resolution, which makes it possible to scan the target's SRAM with
high accuracy. Figure 1 shows the circuit installed on the laser
bench. A synchronization card provides a jitter of 10ns at
the instant of injection. Hence, given the clock period of the
device, 280ns, a very precise timing is achieved.
Fig. 1. On the left: View of the 8-bit microcontroller and of its SRAM area.
Right: The target circuit, installed on the laser bench for front side injection.
C. Realizations
One key point in performing RRA is to ﬁnd out the kind
of round modiﬁcation induced by the fault injection (i.e. the
number of rounds actually processed). It was achieved by
precisely measuring the time elapsed between the end of the
encryption command (sent by our communication interface)
and the beginning of the card status answered by the test chip.
Each encryption command includes a plaintext. The card’s
chip receives the command and then encrypts the plaintext. As
soon as the encryption ﬁnishes, the card’s chip sends the status
“61 10” to the reader. This status means that the encryption
was normally completed and that 0x10 bytes of extra data
are available (this number of bytes refers to the ciphertext’s
length).
In our implementation and experiments, any change in
the total number of rounds is related only to a decrease
(or eventually an increase) of the middle rounds number.
Therefore, the time elapsed between the end of the encryption
command and the beginning of the status on the I/O signal is
a function of the number of middle rounds actually processed.
Figure 2 shows the differences between the duration of the
circuit’s I/O and power consumption signals for a normal AES
encryption, for one shortened encryption to only two rounds
(after the initial round), and for a round-reduced encryption
to 8 rounds. The I/O signal remains constantly high for about
2.20ms during the AES encryption. Before this interval, the last
byte of plaintext has been sent to the circuit (from the reader).
Then, just after the AES encryption, the ﬁrst byte of the card
status is sent to the reader (from the circuit). The observed
time difference between the correct encryption and the reduced
ones is denoted by ∆t. For a decrease of 8 middle rounds, ∆t
is about 1.48ms. When the encryption skips two rounds, ∆t
is about 0.37ms. Thus, we were always able to discover any
decrease (or even increase) in the round number by comparison
with an unmodiﬁed encryption. We also monitored the chip’s
power consumption for checkout purposes.
[Figure 2: three oscilloscope panels (10 rounds, 2 rounds, 8 rounds), voltage (mV) versus time (ms), each showing the IO and power consumption traces; markers indicate the end of the encryption command, the beginning of the status, and ∆t for the 2-round and 8-round cases.]
Fig. 2. The I/O and power consumption signals for three encryptions of the
same plaintext, given from top to bottom for a correct, a 2-round and an
8-round encryption.
Target points: Finding Rmax and RC on the circuit is a
sensitive step for carrying out the experiments. We realized
during our previous experiments that this SRAM is imple-
mented by blocks of 512 bytes. In each block of bytes, the
bits of the same index are implemented together for all the bytes.
Thus, for each byte, the corresponding bits are distributed in 8
blocks of bits on the Y-axis with a fixed distance between
them. Besides, each line on the Y-axis contains the bits
of several bytes. We refer our reader to [10] for a detailed
experiment reported by S. Skorobogatov on the SRAM of
another microcontroller.
For finding the target points, we scanned the spatial coor-
dinates for high value bits (i.e. bits 4, 5, 6 and 7 for faults
equal to $2^4$, $2^5$, $2^6$ or $2^7$, respectively) by laser fault injection in
the middle of the AES encryption (preferably R4...R6). As soon
as a fault was injected either into Rmax or into RC,
a significant round modification was induced. If RC was
faulted, the encryption was stopped one round later. Otherwise,
if the fault was injected into Rmax, the encryption was
increased to 26 rounds or more. Therefore, we found the spatial
coordinates of both targets on the X-axis. For finding
the other bits of RC and Rmax, we displaced the laser spot on
the Y-axis and found their coordinates (see figure 3).
We needed to enlarge the beam on the Y-axis to ∼ 45µm (or
respectively to ∼ 90µm) in order to inject faults on 2 (or 3
resp.) neighboring bits. No additional opening above the initial
4µm on the X-axis was necessary.
[Figure 3: rows labelled bit7 down to bit0.]
Fig. 3. A SRAM block of 512 bytes on our circuit. The bits of each byte are
implemented on distinct rows.
Another key point in performing RRA is the ability to
induce the same fault several times (what we shall call fault re-
peatability). Indeed, the RRA schemes introduced in section III
require gathering faulty ciphertexts obtained from an identically
modified sequence of rounds but with different plaintexts. To
ascertain the fault repeatability rate we were able to obtain, we
ran several fault injections with the same experimental
settings (including the data: plaintext and key). When the laser
was positioned at the correct coordinates of our target (either
Rmax or RC) thanks to the accurate X-Y stage, faults were
injected into the target itself and often into a very limited set of a few
neighboring bytes, without any effect on the encryption. In at
least 30% of the irradiations, a fault was injected into the target. With
the above-mentioned laser spot (and even with larger spots, up
to 10 times greater), all the injected faults were single-
bit faults. Thus, they were identical, as required in our attacks.
Therefore, in almost all the successful single-bit fault injections
into the target at fixed X-Y stage coordinates, the fault value
was repeated. In several SRAM architectures (e.g. in
our microcontroller), the bits of the same index are designed
and built close together for a block of bytes in the memory
array. In these implementations, the distance between two bit
cells of the same index in a block of bytes (e.g. 256 or 512 bytes)
is usually much smaller than the distance between a bit and the neighboring
bits of the same byte. This is a weakness for the security of
SRAM contents against single-bit fault injection. Please refer
to our results reported in [15] for more details. Among the various
modifications of the AES algorithm obtained by laser fault
injection, we have chosen to report the 4 most significant
round reduction attacks (including two generalized analyses).
All these experiments were realized by single-bit laser fault
injection and accurate time-tuning of the laser irradiations.
However, they can be extended to multiple-bit faults.
V. CONCLUSION AND PERSPECTIVES
In this paper we introduced some new round reduction
analysis attacks on an AES implementation similar to the one
proposed by NIST in [8]. Our experiments were carried out
by laser fault injection. Round Reduction analysis techniques
based on reducing the AES round number to 1, 2 or 9 were
previously proposed. However, it may be a difficult task for
an attacker to successfully induce faults that make RRA possible
by jumping directly to the AES end from its very
beginning. This may lead secure designers to underestimate
the risk of such an algorithm modification attack or to set up
incomplete countermeasures. We intend in this article to issue
a warning by reporting different round reduction cases. Many
cryptanalysis techniques exist (sometimes relatively easy to
set up) which make it possible to retrieve the AES key
from the erroneous outputs of a round-modified execution. Table
I shows a comparison between previous works and our most
significant experiments reported in this paper.
TABLE I. COMPARISON BETWEEN PREVIOUS WORKS AND OUR MOST SIGNIFICANT EXPERIMENTS.
Attack | Target | Attack time | Execution(s) | Required texts | Key search average runtime
H. Choukri et al. [3] | RC | Beginning of R1 | R0-Rm | 2 | ≃ 1 second
J.H. Park et al. [4] | RC | During R1 | R0-R1-R10 | 10 | ≃ 10 hours
K.S. Bae et al. [5] | RC | During R8 | R0...R8-R10 | 2 | ≃ 1 second
Experiment 1.a | Rmax | During R0-R1, if e=0x08; during R1, if e ∈ {0x0a, 0x0b} | R0-R1-Rf=2 | 3 | ≃ 3 hours and 55 minutes
Experiment 1.b | RC | During R1 | R0-Rm-Rf | 3 | ≃ 3 hours and 55 minutes
Experiment 2.a | Rmax | During R0...Ri or only Ri, according to e1 (for D1); during R0...Ri+1 or only Ri+1, according to e2 (for D2) | R0...Ri-Rf=i+1 & R0...Ri+1-Rf=i+2 | 2 | ≃ 1 second
Experiment 2.b | RC | During ARK of Ri (for D1); during ARK of Ri+1 (for D2); during ARK of Ri+2 (for D3) | R0...Ri-Rf=y1 & R0...Ri+1-Rf=y2 & R0...Ri+2-Rf=y3 | 3 | ≃ 1 second
Experiment 2.c | RC | During ARK of Ri (for D1); during ARK of Ri+1 (for D2); during ARK of Ri+2 (for D3) | R0...Ri-Rf=y1 & R0...Ri+1-Rf=y2 & R0...Ri+2-Rf=y3 | 2 | ≃ 3 hours and 30 minutes
Experiment 2.d | RC & Rmax | During ARK of Ri (for D1); during R0...Ri+1 or only Ri+1, according to e2 (for D2) | R0...Ri-Rf=y & R0...Ri+1-Rf=i+2 | 2 | ≃ 1 second
Experiment 3 | Rmax, RC or Rmax & RC | According to target and e1 (for D1); according to target and e2 (for D2) | R0...Ri-Rf=y1 & R0...Ri+2-Rf=y2 | 3 | ≃ 4 hours and 10 minutes
Experiment 4.a | Rmax | During R0...R7, if e=0x02; during R7, if 0x08≤e≤0x0f | R0...R7-Rf=8 | 3 | ≃ 4 hours and 10 minutes
Experiment 4.b | RC | During ARK of R7 | R0...R7-Rf | 3 | ≃ 4 hours and 10 minutes
It should be noted that most of the results we have obtained
depend on the AES implementation we used: KeyExpansion
performed once prior to the encryptions (in order to save
both computation time and power consumption). However,
even if some of the scenarios we have presented may be-
come impractical, similar cryptanalysis may be derived for
an AES implementation using on-the-fly key scheduling (to
save memory consumption). Besides, even if a fully unrolled AES
(i.e. without any loop) is immune to RRA through RC or
Rmax modification, RRA may still be performed by faulting
the program counter of the microcontroller. Moreover, the
KeyExpansion iterative process is also a potential target.
Further work has to be done based on these findings in order
to propose countermeasures against RRA.
REFERENCES
[1] A. Barenghi, L. Breveglieri, I. Koren, and D. Naccache, “Fault injection
attacks on cryptographic devices: Theory, practice, and countermea-
sures,” Proceedings of the IEEE, 2012.
[2] J. Balasch, B. Gierlichs, and I. Verbauwhede, “An in-depth and black-
box characterization of the effects of clock glitches on 8-bit MCUs,”
in Fault Diagnosis and Tolerance in Cryptography – Proceedings of
FDTC’2011. IEEE, 2011, pp. 105–114.
[3] H. Choukri and M. Tunstall, “Round reduction using faults,” Fault
Diagnosis and Tolerance in Cryptography FDTC 2005, pp. 13–24, 2005.
[4] J. Park, S. Moon, D. Choi, Y. Kang, and J. Ha, “Differential fault
analysis for round-reduced AES by fault injection,” in ETRI Journal,
vol. 33. ETRI, pp. 434–442.
[5] K. Bae, S. Moon, D. Choi, Y. Choi, D. Choi, and J. Ha, “Differential
fault analysis on AES by round reduction,” in Computer Sciences and
Convergence Information Technology – Proceedings of ICCIT’2011.
IEEE, pp. 607–612.
[6] J.-M. Dutertre, A.-P. Mirbaha, D. Naccache, A.-L. Ribotta, A. Tria,
and T. Vaschalde, “Fault round modiﬁcation analysis of the Advanced
encryption standard,” in Hardware-Oriented Security and Trust – Pro-
ceedings of HOST’2012. IEEE, 2012, pp. 140–145.
[7] R. Anderson and M. Kuhn, “Low cost attacks on tamper resistant
devices,” in Security Protocols – Proceedings of SPW’1998, ser. LNCS.
Springer-Verlag, 1998, vol. 1361, pp. 125–136.
[8] NIST, “Announcing the Advanced Encryption Standard (AES),” Federal
Information Processing Standards Publication, n. 197, Nov. 2001.
[9] Y. Monnet, M. Renaudin, R. Leveugle, C. Clavier, and P. Moitrel,
“Case study of a fault attack on asynchronous DES crypto-processors,”
in Fault Diagnosis and Tolerance in Cryptography – Proceedings of
FDTC’2006, ser. LNCS, vol. 4236. Springer-Verlag, 2006, pp. 88–97.
[10] S. P. Skorobogatov and R. J. Anderson, “Optical fault induction attacks,”
Cryptographic Hardware and Embedded Systems – Proceedings of
CHES 2002, vol. 2523.
[11] D. H. Habing, “The use of lasers to simulate radiation-induced tran-
sients in semiconductor devices and circuits,” in IEEE Transactions on
Nuclear Science, vol. 12, no. 5, 1965.
[12] F. Darracq, T. Beauchene, V. Pouget, H. Lapuyade, D. Lewis, P. Fouillat,
and A. Touboul, “Single-event sensitivity of a single SRAM cell,” in
Radiation and Its Effects on Components and Systems – Proceedings
of RADECS’2001, 2001, pp. 387–391.
[13] M. Agoyan, J.-M. Dutertre, A.-P. Mirbaha, D. Naccache, A.-L. Ribotta,
and A. Tria, “How to ﬂip a bit?” in On-Line Testing – Proceedings of
IOLTS’2010. IEEE, 2010, pp. 235–239.
[14] M. Bruestle, “SOSSE - simple operating system for smartcard educa-
tion,” http://www.mbsks.franken.de/sosse/index.html, 2002.
[15] M. Agoyan, J.-M. Dutertre, A.-P. Mirbaha, D. Naccache, A.-L. Ribotta,
and A. Tria, “Single-bit DFA using multiple-byte laser fault injection,”
in Technologies for Homeland Security – Proceedings of HST’2010.
IEEE, 2010, pp. 113–119.
