Further Improved Differential Fault Analysis on Camellia by Exploring Fault Width and Depth.

In this paper, we present two further improved differential fault analysis methods on Camellia by exploring fault width and depth. Our first method broadens the fault width of previous Camellia attacks, injects multiple byte faults into the r round left register to recover multiple bytes of the r round equivalent key, and obtains Camellia-128,192/256 key with at least 8 and 12 faulty ciphertexts respectively; our second method extends fault depth of previous Camellia attacks, injects one byte fault into the r-2 round left register to recover full 8 bytes of the r round equivalent key, 5-6 bytes of the r-1 round equivalent key, 1 byte of the r-2 round equivalent key, and obtains Camellia-128,192/256 key with 4 and 6 faulty ciphertexts respectively. Simulation experiments demonstrate: due to its reversible permutation function, Camellia is vulnerable to multiple bytes fault attack, the attack efficiency is increased with fault width, this feature greatly improves fault attack’s practicalities; and due to its Feistel structure, Camellia is also vulnerable to deep single byte fault attack, 4 and 6 faulty ciphertexts are enough to reduce Camellia-128 and Camellia-192/256 key hypotheses to 2 and 2 respectively.