Paper 2012/098

Combined Attacks on the AES Key Schedule

François Dassance and Alexandre Venelli


We present new combined attacks on the AES key schedule based on the work of Roche et al. The main drawbacks of the original attack are: the need for high repeatability of the fault, a very particular fault model and a very high complexity of the key recovery algorithm. We consider more practical fault models, we obtain improved key recovery algorithms and we present more attack paths for combined attacks on AES. We propose to inject faults on the different operations of the key schedule instead of the key state of round 9 or the corresponding data state. We also consider fault injections in AES constants such as the RCON or the affine transformation of the SubWord. By corrupting these constants, the attacker can easily deduce the value of the error. The key recovery complexity can then be greatly improved. Notably, we can obtain a complexity identical to a classical differential side-channel attack. Our attacks defeat most AES implementations secure against both high-order side-channel attacks and fault attacks.

Available format(s)
Publication info
Published elsewhere. Unknown where it was published
Side-channel analysisFault analysisCombined attackAES
Contact author(s)
avenelli @ insidefr com
2012-02-29: received
Short URL
Creative Commons Attribution


      author = {François Dassance and Alexandre Venelli},
      title = {Combined Attacks on the {AES} Key Schedule},
      howpublished = {Cryptology ePrint Archive, Paper 2012/098},
      year = {2012},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.