We present a study of several fault attacks against the block cipher
. Such a study is particularly interesting because of the target cipher’s specific property to employ operations on three different algebraic groups while not using substitution tables. We observe that the attacks perform very different in terms of efficiency. Although requiring a restrictive fault model, the first attack can not reveal a sufficient amount of key material to pose a real threat, while the second attack requires a large number of faults in the same model to achieve this goal. In the general random fault model,
we assume that the fault has a random and
unknown effect on the target value, the third attack, which is the first Differential Fault Analysis of
to the best of our knowledge, recovers 93 out of 128 key bits exploiting about only 10 faults. For this particular attack, we can also relax the assumption of cycle accurate fault injection to a certain extend.