From AES-128 to AES-192 and AES-256, How to Adapt Differential Fault Analysis Attacks on Key Expansion

Abstract

Since its announcement, AES has been subject to different DFA attacks. Most of these attacks target the AES with 128-bit key. However, the two other variants are nowadays deployed in various applications and are also submitted to the same attack path. In this paper, we adapt DFA techniques originally used on AES-128 in order to retrieve the whole keys of AES-192 and AES-256. The two main kinds of injection localization have been analyzed: faults during cipher and during Key Expansion computations. Analysis of this last case highlights different fault diffusion problems requiring to be solved to exploit the differential faults. Finally, we propose the first attack on AES-192 and AES-256 on Key Expansion. This attack leads finding the whole initial key with 16 fault injections in both cases.