2026-03-14
For the output of the last round, let's say we had 10 rounds and used those. We have the ciphertext, that is the XOR of the 10th round key and the input from the previous stages. We can do a fault here, and see the output. It will contain the key.
Similarly, we can do it in the first round as well. If the final ciphertexts in the glitched and non-glitched versions match, then the plaintext's bit was the same as the bit of the key, else, it was the not of the key.