Book ChapterDOI

Differential Fault Analysis of SHA-3

TL;DR: This attack can recover the internal state of two versions of SHA-3, namely SHA3-512 and SHA3-384, and can be used to forge MACs that use these versions of SHA-3.
Abstract: In this paper we present the first differential fault analysis (DFA) of SHA-3. This attack can recover the internal state of two versions of SHA-3, namely SHA3-512 and SHA3-384, and can be used to forge MACs that use these versions of SHA-3. Assuming that the attacker can inject a random single-bit fault on the intermediate state of the hash computation, and given the output of the SHA-3 version for a correct message and 80 faulty messages, we can extract 1592 out of the 1600 bits of the compression function's internal state. To the best of our knowledge, this is the first public analysis of SHA-3 against DFA. Although our results do not compromise any security claim of SHA-3, they show the feasibility of DFA on this scheme and possibly other Sponge-based MACs, and increase our understanding of SHA-3.
Citations
Proceedings ArticleDOI
01 Aug 2016
TL;DR: This is the first work to conquer SHA3-224 and SHA3-256 using differential fault analysis; it proposes to use fault signatures at the observed output for analysis and secret retrieval.
Abstract: The security of SHA-3 against different kinds of attacks is of vital importance for crypto systems with SHA-3 as the security engine. In this paper, we look into the differential fault analysis of SHA-3, and this is the first work to conquer SHA3-224 and SHA3-256 using differential fault analysis. Compared with one existing related work, we relax the fault models and make them realistic for different implementation architectures. We analyze fault propagation in SHA-3 under such single-byte fault models, and propose to use fault signatures at the observed output for analysis and secret retrieval. Results show that the proposed method can effectively identify the injected single-byte faults, and then recover the whole internal state of the input of the last-round χ operation (χ_i^(22)) for both SHA3-224 and SHA3-256.

22 citations


Cites background or methods from "Differential Fault Analysis of SHA-..."

  • ...In the previous work of DFA on SHA-3 [2], the fault model is single-bit....

  • ...While there exists only one previous work of differential fault analysis (DFA) on SHA3-384 and SHA3-512 under single-bit fault model [2], SHA3-224 and SHA3-256 have not been attacked using DFA yet....

  • ...In [2], the comparison point is picked at θ_o^(23) for SHA3-384 and SHA3-512 to identify the single-bit fault injected....

  • ...The only existing DFA work on SHA-3 [2] is based on single-bit fault model, and targets two modes of SHA-3, SHA3-512 and SHA3-384....

  • ...In this paper, we focus on SHA3-224 and SHA3-256, which have not been targeted by DFA yet, and the method proposed in [2] cannot be applied directly to them because of limited number of observable digest bits....

Book ChapterDOI
TL;DR: In this article, the SPHINCS family of hash-based signatures is implemented on embedded devices such as FPGAs or smart cards, which naturally raises the question of their resistance to implementation attacks.
Abstract: Because they require no assumption besides the preimage or collision resistance of hash functions, hash-based signatures are a unique and very attractive class of post-quantum primitives. Among them, the schemes of the SPHINCS family are arguably the most practical stateless schemes, and can be implemented on embedded devices such as FPGAs or smart cards. This naturally raises the question of their resistance to implementation attacks.

20 citations

Journal ArticleDOI
TL;DR: This work, which covers a wide spectrum of present-day research on fault attacks that fall under the purview of symmetric key cryptography, aims at filling the absence of an up-to-date survey.
Abstract: Fault attacks are among the well-studied topics in the area of cryptography. These attacks constitute a powerful tool to recover the secret key used in the encryption process. Fault attacks work by forcing a device to work under non-ideal environmental conditions (such as high temperature) or external disturbances (such as a glitch in the power supply) while performing a cryptographic operation. The recent trend shows that the amount of research in this direction—which ranges from attacking a particular primitive, proposing a fault countermeasure, to attacking countermeasures—has grown substantially and is going to remain an active research interest for the foreseeable future. Hence, it becomes apparent that a comprehensive yet compact study of the (major) works is needed. This work, which covers a wide spectrum of present-day research on fault attacks that fall under the purview of symmetric key cryptography, aims at filling the absence of an up-to-date survey. We present almost all aspects of the topic in a way that is not only understandable for a non-expert reader, but also helpful for an expert as a reference.

18 citations

Proceedings ArticleDOI
18 May 2016
TL;DR: This paper devises different parity checking methods to protect the operations of the Keccak system against random errors and fault attacks, and shows that this scheme can be easily implemented and can effectively protect the Keccak system against random errors and faults.
Abstract: Cryptographic systems are vulnerable to random errors and injected faults. Soft errors can inadvertently happen in critical cryptographic modules, and attackers can inject faults into systems to retrieve the embedded secret. Different schemes have been developed to improve the security and reliability of cryptographic systems. As the new SHA-3 standard, the Keccak algorithm will be widely used in various cryptographic applications, and its implementation should be protected against random errors and injected faults. In this paper, we devise different parity checking methods to protect the operations of Keccak. Results show that our schemes can be easily implemented and can effectively protect the Keccak system against random errors and fault attacks.

16 citations


Cites background from "Differential Fault Analysis of SHA-..."

  • ...A recent work [3] shows that DFA can also be used to attack SHA-3 implementations to recover the internal states....

Journal ArticleDOI
TL;DR: This paper proposes efficient algebraic fault analysis (AFA) methods, and for the first time, applies them to all four modes of SHA-3 under relaxed fault models, and demonstrates the vulnerability of Keccak algorithms to fault analysis.
Abstract: As the new hash standard, the Keccak-based secure hash function (SHA-3) will be used in various cryptographic applications. Its security will be of paramount importance to the systems built on top of it. This paper proposes efficient algebraic fault analysis (AFA) methods, and for the first time, applies them to all four modes of SHA-3 under relaxed fault models. Our AFA utilizes the clear algebraic properties of Keccak operations and is very suitable for the fault analysis of SHA-3. Both our analysis and experimental results show that the proposed AFA method is more efficient than the traditional differential fault analysis (DFA) under the single-byte fault model, requiring far fewer faults to recover a whole internal state of the hashing computation. Meanwhile, as AFA is able to exploit all the information available, it can be applied to SHA-3 modes with shorter digests and under more relaxed fault models, where the DFA method often fails. Our results show that AFA can successfully break all four SHA-3 modes under a 16-bit fault model, and break SHA3-512 under an even more relaxed fault model, 32-bit fault, all within several minutes. The successful AFA on SHA-3 demonstrates the vulnerability of Keccak algorithms to fault analysis, calling for protections against fault injection and fault analysis.

15 citations

References
Book ChapterDOI
18 Aug 1996
TL;DR: Two new, simple, and practical constructions of message authentication schemes based on a cryptographic hash function, NMAC and HMAC, are proven to be secure as long as the underlying hash function has some reasonable cryptographic strengths.
Abstract: The use of cryptographic hash functions like MD5 or SHA-1 for message authentication has become a standard approach in many applications, particularly Internet security protocols. Though very easy to implement, these mechanisms are usually based on ad hoc techniques that lack a sound security analysis. We present new, simple, and practical constructions of message authentication schemes based on a cryptographic hash function. Our schemes, NMAC and HMAC, are proven to be secure as long as the underlying hash function has some reasonable cryptographic strengths. Moreover we show, in a quantitative way, that the schemes retain almost all the security of the underlying hash function. The performance of our schemes is essentially that of the underlying hash function. Moreover they use the hash function (or its compression function) as a black box, so that widely available library code or hardware can be used to implement them in a simple way, and replaceability of the underlying hash function is easily supported.

1,815 citations

Book ChapterDOI
17 Aug 1997
TL;DR: This work states that this attack is applicable only to public key cryptosystems such as RSA, and not to secret key algorithms such as the Data Encryption Standard (DES).
Abstract: In September 1996 Boneh, DeMillo, and Lipton from Bellcore announced a new type of cryptanalytic attack which exploits computational errors to find cryptographic keys. Their attack is based on algebraic properties of modular arithmetic, and thus it is applicable only to public key cryptosystems such as RSA, and not to secret key algorithms such as the Data Encryption Standard (DES).

1,662 citations

ReportDOI
04 Aug 2015
TL;DR: This Standard specifies the Secure Hash Algorithm-3 (SHA-3) family of functions on binary data, which is based on an instance of the KECCAK algorithm that NIST selected as the winner of the SHA-3 Cryptographic Hash Algorithm Competition.
Abstract: This Standard specifies the Secure Hash Algorithm-3 (SHA-3) family of functions on binary data. Each of the SHA-3 functions is based on an instance of the KECCAK algorithm that NIST selected as the winner of the SHA-3 Cryptographic Hash Algorithm Competition. This Standard also specifies the KECCAK-p family of mathematical permutations, including the permutation that underlies KECCAK, in order to facilitate the development of additional permutation-based cryptographic functions. The SHA-3 family consists of four cryptographic hash functions, called SHA3-224, SHA3-256, SHA3-384, and SHA3-512, and two extendable-output functions (XOFs), called SHAKE128 and SHAKE256. Hash functions are components for many important information security applications, including 1) the generation and verification of digital signatures, 2) key derivation, and 3) pseudorandom bit generation. The hash functions specified in this Standard supplement the SHA-1 hash function and the SHA-2 family of hash functions that are specified in FIPS 180-4, the Secure Hash Standard. Extendable-output functions are different from hash functions, but it is possible to use them in similar ways, with the flexibility to be adapted directly to the requirements of individual applications, subject to additional security considerations.

795 citations

Book ChapterDOI
08 Sep 2003
TL;DR: The differential fault attack technique is able to break the AES-128 with only 2 faulty ciphertexts, assuming the fault occurs between the antepenultimate and the penultimate MixColumn; this is better than the previous fault attacks against AES.
Abstract: In this paper we describe a differential fault attack technique working against Substitution-Permutation Networks, and requiring very few faulty ciphertexts. The fault model used is realistic, as we consider random faults affecting bytes (faults affecting only one bit are much harder to induce). We implemented our attack on a PC for both the AES and KHAZAD. We are able to break the AES-128 with only 2 faulty ciphertexts, assuming the fault occurs between the antepenultimate and the penultimate MixColumn; this is better than the previous fault attacks against AES [6,10,11]. Under a similar hypothesis, KHAZAD is breakable with 3 faulty ciphertexts.

623 citations

Book ChapterDOI
16 Oct 2003
TL;DR: In this article, a means of applying DFA to AES that exploits the AES internal structure is presented, which can break an AES-128 key with ten faulty messages within a few minutes.
Abstract: DFA is no new attack. It was first used by Biham and Shamir, who took unfair advantage of the DES Feistel structure to carry it out. This structure is not present in AES. Nevertheless, is DFA able to attack AES another way? This article aims at setting out a means of applying DFA to AES that exploits the AES internal structure. We can break an AES-128 key with ten faulty messages within a few minutes.

348 citations