
Computer Engineering, 2006, Vol. 32, Issue (23): 174-176. doi: 10.3969/j.issn.1000-3428.2006.23.062

• Security Technology •


Principle of a Kind of Differential Fault Analysis on AES-128

DU Yusong, WANG Daxing, SHEN Jing   

  1. (School of Mathematics and Information Science, Guangzhou University, Guangzhou 510006)
  • Received: 1900-01-01 Revised: 1900-01-01 Online: 2006-12-05 Published: 2006-12-05

Abstract: The principle of a kind of differential fault analysis on AES-128 is described, the attack algorithm is given, and the algorithm's probability of success is analyzed. The algorithm obtains the intermediate encryption result M9; from M9 and a correct ciphertext the last round key of AES-128 can be deduced, and the initial key of AES-128 is then recovered. Software emulation shows that, when the physical techniques are available, if 140 bit faults can be induced into M9 repeatedly and randomly, the probability of recovering the initial key is more than 90%. Finally, it is pointed out that AES operating in CBC mode can resist the attack mentioned above.

Key words: AES, Side channel attack, Differential fault analysis, Smart card