Abstract:In light of the structural characteristics of the displacement layer and the basic idea of differential fault, this study proposes a differential fault attack method for the eight-sided fortress (ESF) algorithm. In the 30^th round, a 1-bit fault is injected multiple times. Various input and output differential pairs are used to obtain different input sets for the S-box according to the differential characteristics of the S-box. Taking the intersection of the sets is a quick way to determine the only possible inputs for the S-box. The round key of the last round can then be obtained through analysis. Similarly, a 1-bit fault is injected in the 29^th and 28^th rounds many times. With the round key of the last round, the differential characteristics of the S-box are leveraged again to obtain the round keys of the last but one and last but two rounds. About 10 fault ciphertexts are required. After the round keys of three rounds are recovered, the computational complexity of recovering the master key is reduced to 2²².