A Differential Fault Analysis on AES Key Schedule Using Single Fault

Literature on Differential Fault Analysis (DFA) on AES-128 shows that it is more difficult to attack AES when the fault is induced in the key schedule, than when it is injected in the intermediate states. Recent research shows that DFA on AES key schedule still requires two faulty cipher texts, while it requires only one faulty cipher text and a brute-force search of 2⁸ AES-128 keys when the fault is injected inside the round of AES. The present paper proposes a DFA on AES-128 key schedule which requires only one single byte fault and a brute-force search of 2⁸ keys, showing that a DFA on AES key schedule is equally dangerous as a fault analysis when the fault is injected in the intermediate state of AES. Further, the fault model of the present attack is a single byte fault. This is more realistic than the existing fault model of injecting three byte faults in a column of the AES key which has a less chance of success. To the best of our knowledge the proposed attack is the best known DFA on AES key schedule and requires minimum number of faulty cipher text. The simulated attack, running on 3GHz Intel Core 2 Duo desktop machine with 2GB RAM, takes around 35 minutes to reveal the secret key.