Abstract
In this paper, we propose a new differential fault analysis on block ciphers with S-boxes in software environments. Unlike existing differential fault analyses, which are applied to hardware environments, our attack is applied to software environments and recovers round keys by using a modified S-box table in which some entries are altered. Our attack can be applied to any block cipher with an S-box. As concrete examples, we apply this attack to DES and AES.
Keywords: Differential fault analysis, Block cipher, S-box, DES, AES
1 Introduction
Fault attacks were first introduced by Boneh et al. in [3]. They used hardware faults occurring during the execution of a cryptographic algorithm to recover a secret key, and succeeded in breaking CRT-RSA using both a correct and a faulty signature of the same message. Shortly afterwards, an adaptation of this idea to block ciphers was proposed by Biham et al. [1]. The proposed attack was called Differential Fault Analysis (DFA) and was applied to secret-key cryptosystems such as DES [9]. Their attack exploits computational errors induced during the last few rounds of DES to extract the secret key of the last round.
Afterward, DFAs on SPN block ciphers such as AES and KHAZAD [2,6,11], and DFAs on the key schedule of AES [4,8], were proposed. In these attacks, faults are induced during the last few rounds. On the other hand, Hemme proposed a DFA on DES and Triple-DES that induces faults in the early rounds [7]. These attacks can be applied only in hardware environments. To the best of our knowledge, no DFA applicable to software environments has been proposed.
In this paper, we propose a new DFA applicable to software environments. Although our attack is not applicable to hardware environments, it can be applied to any software-implemented block cipher with an S-box. In the existing DFAs (used in hardware environments), an attacker induces faults in registers in a particular round of a block cipher. In software environments, inducing faults means that the attacker introduces erroneous code into the block cipher: he modifies some entries of the S-box table, which is obtained by reverse engineering. He then generates two ciphertexts by using two block ciphers (the original block cipher...
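A defensive check against the S-box table modification described above, as an added example that is not from the paper: it recomputes the AES S-box from its definition (inverse in GF(2^8) followed by the affine transform) and lists every entry of a loaded table that differs. The function names and the tampered sample table are constructed for illustration.

```python
# Added example: verify an in-memory AES S-box against one recomputed
# from the cipher's definition. All names here are illustrative.

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a):
    """Inverse as a^254 by square-and-multiply; 0 maps to 0, as AES requires."""
    result, exp = 1, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, a)
        a = gf_mul(a, a)
        exp >>= 1
    return result

def rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def reference_sbox():
    """Build the 256-entry S-box: field inverse, then the affine transform."""
    table = []
    for x in range(256):
        b = gf_inv(x)
        table.append(b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63)
    return table

def altered_entries(table):
    """Return (index, expected, found) for each entry that differs."""
    if len(table) != 256:
        raise ValueError("AES S-box must have 256 entries")
    ref = reference_sbox()
    return [(i, ref[i], v) for i, v in enumerate(table) if v != ref[i]]

def constructed_tampered_table():
    """Constructed sample: a copy of the S-box with two entries altered."""
    table = reference_sbox()
    table[0x00] = 0x00
    table[0x53] = 0x52
    return table

if __name__ == "__main__":
    for idx, want, got in altered_entries(constructed_tampered_table()):
        print(f"S-box[0x{idx:02x}]: expected 0x{want:02x}, found 0x{got:02x}")
```

Such a check only helps when it runs from code and reference data that cannot be altered alongside the table itself.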