This paper introduces Differential Fault Analysis (DFA), a cryptanalytic technique that exploits hardware faults to recover cryptographic secrets in secret key cryptosystems. Unlike previous attacks that targeted public key systems like RSA, DFA applies to a wide range of secret key systems, including DES, IDEA, RC5, and Feal. The attack uses various fault models and cryptanalytic techniques to extract keys from tamper-resistant devices. In particular, the authors demonstrate that under the same hardware fault model used by Bellcore researchers, they can recover the full DES key from a sealed tamper-resistant DES encryptor by analyzing between 50 and 200 ciphertexts generated from unknown but related plaintexts. The paper also describes techniques to identify the keys of completely unknown ciphers sealed in tamper-resistant devices and to reconstruct the complete specification of DES-like unknown ciphers. In the last part, the authors consider a different fault model based on permanent hardware faults and show that it can be used to break DES by analyzing a small number of ciphertexts generated from completely unknown and unrelated plaintexts. The authors describe a new attack on DES, which uses a transient fault model where faults occur in the registers of the smartcard. The attack involves encrypting the same plaintext twice and comparing the results to identify the round in which the fault occurred. By analyzing the differences between the two ciphertexts, the authors can determine the key bits involved in the faulty computation. This attack can be applied to other secret key cryptosystems, including triple DES and DES with independent subkeys. The paper also discusses the application of DFA to unknown ciphers, where the fault model assumes that the cryptographic key is stored in an asymmetric type of memory, where induced faults are more likely to change a one bit into a zero than a zero bit into a one. The authors describe a method to reconstruct the full structure of unknown ciphers hidden in tamper-resistant devices, including identifying the S boxes and subkeys of the cipher. This method involves encrypting a fixed plaintext multiple times and analyzing the resulting ciphertexts to identify the key bits. Finally, the paper discusses additional attacks on iterated implementations of DES, including attacks that ignore the data rather than the key. These attacks involve inducing faults in the subkey registers or the data input of the F-function to extract the key bits. The authors also note that DFA can be applied to chosen plaintext attacks without choosing any plaintext, as the plaintext register can be destroyed to achieve the desired effect. The paper concludes with acknowledgments to the pioneering contributions of Boneh, Demillo, and Lipton, whose ideas were the starting point of the new attack.This paper introduces Differential Fault Analysis (DFA), a cryptanalytic technique that exploits hardware faults to recover cryptographic secrets in secret key cryptosystems. Unlike previous attacks that targeted public key systems like RSA, DFA applies to a wide range of secret key systems, including DES, IDEA, RC5, and Feal. The attack uses various fault models and cryptanalytic techniques to extract keys from tamper-resistant devices. In particular, the authors demonstrate that under the same hardware fault model used by Bellcore researchers, they can recover the full DES key from a sealed tamper-resistant DES encryptor by analyzing between 50 and 200 ciphertexts generated from unknown but related plaintexts. The paper also describes techniques to identify the keys of completely unknown ciphers sealed in tamper-resistant devices and to reconstruct the complete specification of DES-like unknown ciphers. In the last part, the authors consider a different fault model based on permanent hardware faults and show that it can be used to break DES by analyzing a small number of ciphertexts generated from completely unknown and unrelated plaintexts. The authors describe a new attack on DES, which uses a transient fault model where faults occur in the registers of the smartcard. The attack involves encrypting the same plaintext twice and comparing the results to identify the round in which the fault occurred. By analyzing the differences between the two ciphertexts, the authors can determine the key bits involved in the faulty computation. This attack can be applied to other secret key cryptosystems, including triple DES and DES with independent subkeys. The paper also discusses the application of DFA to unknown ciphers, where the fault model assumes that the cryptographic key is stored in an asymmetric type of memory, where induced faults are more likely to change a one bit into a zero than a zero bit into a one. The authors describe a method to reconstruct the full structure of unknown ciphers hidden in tamper-resistant devices, including identifying the S boxes and subkeys of the cipher. This method involves encrypting a fixed plaintext multiple times and analyzing the resulting ciphertexts to identify the key bits. Finally, the paper discusses additional attacks on iterated implementations of DES, including attacks that ignore the data rather than the key. These attacks involve inducing faults in the subkey registers or the data input of the F-function to extract the key bits. The authors also note that DFA can be applied to chosen plaintext attacks without choosing any plaintext, as the plaintext register can be destroyed to achieve the desired effect. The paper concludes with acknowledgments to the pioneering contributions of Boneh, Demillo, and Lipton, whose ideas were the starting point of the new attack.