Book Chapter

Differential Fault Analysis on Tiaoxin and AEGIS Family of Ciphers

TL;DR: In this article, the authors propose differential fault analyses of Tiaoxin and the AEGIS family of ciphers in a nonce-reuse setting and show that the secret key of Tiaoxin can be recovered with 384 single-bit faults, and the internal states of AEGIS-128, AEGIS-256 and AEGIS-128L with 384, 512 and 512 single-bit faults respectively.
Abstract: Tiaoxin and AEGIS are two second round candidates of the ongoing CAESAR competition for authenticated encryption. In 2014, Brice Minaud proposed a distinguisher for AEGIS-256 that can be used to recover bits of a partially known message, encrypted \(2^{188}\) times, regardless of the keys used. He also reported a correlation between AEGIS-128 ciphertexts at rounds \(i\) and \(i + 2\), although the biases would require \(2^{140}\) data to be detected. Apart from that, to the best of our knowledge, there is no known cryptanalysis of AEGIS or Tiaoxin. In this paper we propose differential fault analyses of Tiaoxin and the AEGIS family of ciphers in a nonce-reuse setting. Analysis shows that the secret key of Tiaoxin can be recovered with 384 single-bit faults and the states of AEGIS-128, AEGIS-256 and AEGIS-128L can be recovered with 384, 512 and 512 single-bit faults respectively. Considering multi-byte faults, the number of required faults and re-keyings is reduced by a factor of 128.
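The mechanism behind a nonce-reuse differential fault attack on this kind of cipher is easier to see on a toy model than from the abstract. The example below is an added illustration, not code from the paper: it uses an output function shaped like the AEGIS-128 keystream, z = S1 ^ S4 ^ (S2 & S3) over 128-bit words, and assumes the attacker can run the same key, nonce and plaintext twice, once clean and once with a known bit-flip mask injected into S2 or S3 before the keystream is formed. The state values, the fault model and the 128-bit word width are assumptions for the demonstration; the paper's actual fault positions, state-recovery schedule and fault counts are not reproduced here.

```python
"""Added illustration of differential fault leakage through an AND term in an
AEGIS-128-style keystream function, under nonce reuse (not the paper's code).

Model (assumption): keystream z = S1 ^ S4 ^ (S2 & S3) on 128-bit words, and
the attacker obtains one clean and one faulted encryption of the same
plaintext under the same key and nonce.  Because S1, S4 and the plaintext are
identical in both runs, the ciphertext difference is exactly the difference of
the AND term:  ((S2 ^ f) & S3) ^ (S2 & S3) = f & S3.
So a known fault mask f in S2 reveals S3 at the flipped positions (and vice
versa), one bit per single-bit fault or a whole word per full-width mask.
"""
import secrets

WORD_BITS = 128
MASK = (1 << WORD_BITS) - 1


def keystream(s1, s2, s3, s4):
    """AEGIS-128-shaped output function (assumed model): z = S1 ^ S4 ^ (S2 & S3)."""
    return (s1 ^ s4 ^ (s2 & s3)) & MASK


def encrypt(state, plaintext_word):
    """One keystream block XORed onto one plaintext word."""
    s1, s2, s3, s4 = state
    return plaintext_word ^ keystream(s1, s2, s3, s4)


def faulted_encrypt(state, plaintext_word, target, fault_mask):
    """Same encryption with the bits of fault_mask flipped in S2 (target=2) or S3 (target=3)."""
    s = list(state)
    s[target - 1] ^= fault_mask
    return encrypt(tuple(s), plaintext_word)


def recover_partner_bits(state, plaintext_word, target, fault_mask):
    """Bits of the AND partner (S3 if S2 is faulted, S2 if S3 is faulted) at the
    positions set in fault_mask, read straight off the ciphertext difference."""
    c_clean = encrypt(state, plaintext_word)
    c_fault = faulted_encrypt(state, plaintext_word, target, fault_mask)
    delta = c_clean ^ c_fault          # == fault_mask & partner_word
    return delta & fault_mask


def recover_partner_word(state, plaintext_word, target, faults_per_word=WORD_BITS):
    """Recover the whole partner word with known fault masks.

    faults_per_word=128 -> one single-bit fault per bit (the abstract's model);
    faults_per_word=1   -> one fault flipping all 128 bits, a 128x reduction in
    fault count, which is the effect the abstract attributes to multi-byte faults.
    """
    assert WORD_BITS % faults_per_word == 0
    chunk = WORD_BITS // faults_per_word
    word = 0
    for k in range(faults_per_word):
        mask = ((1 << chunk) - 1) << (k * chunk)
        word |= recover_partner_bits(state, plaintext_word, target, mask)
    return word


def recover_and_inputs(state, plaintext_word, faults_per_word=WORD_BITS):
    """Recover S2 and S3, then S1 ^ S4 from a known-plaintext ciphertext.

    Returns (S2, S3, S1 ^ S4).  The linear part S1 ^ S4 follows from one clean
    ciphertext once the AND inputs are known; separating S1 from S4 would need
    faults at other steps, which this toy does not model.
    """
    s3 = recover_partner_word(state, plaintext_word, target=2, faults_per_word=faults_per_word)
    s2 = recover_partner_word(state, plaintext_word, target=3, faults_per_word=faults_per_word)
    c = encrypt(state, plaintext_word)
    s1_xor_s4 = c ^ plaintext_word ^ (s2 & s3)
    return s2, s3, s1_xor_s4


def demo():
    """Random constructed state (not a real AEGIS state); True if recovery succeeds."""
    state = tuple(secrets.randbits(WORD_BITS) for _ in range(4))
    pt = secrets.randbits(WORD_BITS)
    s2, s3, lin = recover_and_inputs(state, pt)
    return s2 == state[1] and s3 == state[2] and lin == (state[0] ^ state[3])


if __name__ == "__main__":
    print("recovered S2, S3 and S1^S4:", demo())
```

The point the code makes concrete is why nonce reuse is the precondition: the cancellation of S1, S4 and the plaintext in the difference only holds when both runs start from the same state, so a cipher that never repeats a nonce denies the attacker the clean/faulty pair. It also shows that the cost is governed by how many bits a single injection can flip with a known pattern, which is the lever behind the abstract's multi-byte figure.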
Citations
Journal Article
TL;DR: This work, which covers a wide spectrum of present-day research on fault attacks against symmetric-key cryptography, aims to fill the gap left by the absence of an up-to-date survey.
Abstract: Fault attacks are among the well-studied topics in the area of cryptography. These attacks constitute a powerful tool to recover the secret key used in the encryption process. Fault attacks work by forcing a device to work under non-ideal environmental conditions (such as high temperature) or external disturbances (such as a glitch in the power supply) while performing a cryptographic operation. The recent trend shows that the amount of research in this direction—which ranges from attacking a particular primitive, proposing a fault countermeasure, to attacking countermeasures—has grown substantially and is going to stay an active research interest for the foreseeable future. Hence, it becomes apparent to have a comprehensive yet compact study of the (major) works. This work, which covers a wide spectrum in the present-day research on fault attacks that fall under the purview of symmetric key cryptography, aims at fulfilling the absence of an up-to-date survey. We present mostly all aspects of the topic in a way that is not only understandable for a non-expert reader, but also helpful for an expert as a reference.

18 citations

Journal Article
Fan Zhang, Ziyuan Liang, Bolin Yang, Xin-jie Zhao, Shi-ze Guo, Kui Ren
TL;DR: The requirements of the proposed design and the progress of candidate screening in the CAESAR competition are introduced, and the candidate AE schemes in the final round are classified according to their design structures and encryption modes.
Abstract: The Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR) supported by the National Institute of Standards and Technology (NIST) is an ongoing project calling for submissions of authenticated encryption (AE) schemes. The competition itself aims at enhancing both the design of AE schemes and related analysis. The design goal is to pursue new AE schemes that are more secure than advanced encryption standard with Galois/counter mode (AES-GCM) and can simultaneously achieve three design aspects: security, applicability, and robustness. The competition has a total of three rounds and the last round is approaching the end in 2018. In this survey paper, we first introduce the requirements of the proposed design and the progress of candidate screening in the CAESAR competition. Second, the candidate AE schemes in the final round are classified according to their design structures and encryption modes. Third, comprehensive performance and security evaluations are conducted on these candidates. Finally, the research trends of design and analysis of AE for the future are discussed.

18 citations

Journal Article
TL;DR: This paper shows that stream ciphers with a particular form of ciphertext output function are vulnerable to differential fault attacks using random faults, and shows that their attack can be used to recover the secret key of Tiaoxin-346 and the entire state of AEGIS-128L with practical complexity.
Abstract: In this paper, we show that stream ciphers with a particular form of ciphertext output function are vulnerable to differential fault attacks using random faults. The CAESAR competition candidates Tiaoxin-346 and AEGIS-128L both fall into this category, and we show that our attack can be used to recover the secret key of Tiaoxin-346 and the entire state of AEGIS-128L with practical complexity. In the case of AEGIS-128L, the attack can be applied in a ciphertext-only scenario. Our attacks are more practical than previous fault attacks on these ciphers, which assumed bit-flipping faults. Although we also consider other ways of mitigating our attacks, we recommend that cipher designers avoid the form of ciphertext output function that we have identified.

11 citations

Journal Article
TL;DR: An independent third-party analysis of Grain-128AEAD against fault attacks is provided, indicating that the deterministic random fault attack with precise control requires an average of \(2^{7.64}\) fault injections and a data complexity of \(2^{8.80}\).
Abstract: Grain-128AEAD is a lightweight authenticated encryption stream cipher and one of the finalists in the National Institute of Standards and Technology (NIST) Lightweight Cryptography (LWC) project. This paper provides an independent third-party analysis of Grain-128AEAD against fault attacks. We investigate the application of three differential fault attack models on Grain-128AEAD. All these attacks can recover the initial state of Grain-128AEAD. First, we demonstrate an attack using a bit-flipping fault that requires access to \(2^{7.80}\) faulty outputs to recover the initial state. Then, we demonstrate an attack with a more relaxed assumption of a random fault with a probabilistic approach. Our probabilistic random fault attack requires access to \(2^{11.60}\) faulty outputs and \(2^{10.45}\) fault injections to recover the initial state with a success rate over 99%. Both of the above two attacks are based on precise control on the fault target. Finally, we apply a random fault attack with a deterministic approach (can conclusively determine the random fault value) and using different precision controls. For the precise control, we use existing approaches that have been applied to other ciphers, such as Tiaoxin-346. We also propose a technique for less stringent precision models, such as moderate control and no control, which are more practical than the precise control. Our result indicates that the deterministic random fault attack with a precise control requires an average of \(2^{7.64}\) fault injections and a data complexity of \(2^{8.80}\). The deterministic random fault attack with moderate control requires a weak assumption on the fault injection and hence, is the best attack presented in this paper; it is expected to require about \(2^{9.39}\) fault injections with a data complexity of about \(2^{12.98}\). All the attacks discussed in this paper are verified experimentally.

8 citations


Cites background or methods from "Differential Fault Analysis on Tiao...":

  • "For instance, fault attacks are applied to several stream ciphers [8]–[16] submitted to the Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR) [7]."

  • "[8] uses a differential bit-flipping fault model against the CAESAR candidates Tiaoxin-346 and AEGIS."

Proceedings Article
29 Jan 2018
Ed Dawson
TL;DR: In this paper, two different fault injection attacks on the authenticated encryption stream cipher Tiaoxin-346, a third round candidate in the CAESAR cryptographic competition, are described: a bit-flipping forgery attack and a random-fault key recovery attack.
Abstract: This paper describes two different fault injection attacks on the authenticated encryption stream cipher Tiaoxin-346, a third round candidate in the CAESAR cryptographic competition. The first type of fault injection uses a bit-flipping fault model to conduct a forgery attack. The number of faulty bits required for this forgery attack is twice the number of bit modifications made in the input message. The second type of fault injection uses a random fault model in a differential fault attack to recover the secret key of the cipher. A successful attack can be performed with 36 random multi-byte faults and a computational complexity of \(2^{36}\). This second attack improves on the previous key recovery attack of Dey et al., as the random fault model we use is more practical than the bit flipping model used in their attack.

6 citations

References
Book Chapter
17 Aug 1997
TL;DR: This work introduces Differential Fault Analysis (DFA): it starts from the Bellcore fault attack, which is applicable only to public key cryptosystems such as RSA and not to secret key algorithms such as the Data Encryption Standard (DES), and extends fault-based key recovery to secret key ciphers.
Abstract: In September 1996 Boneh, Demillo, and Lipton from Bellcore announced a new type of cryptanalytic attack which exploits computational errors to find cryptographic keys. Their attack is based on algebraic properties of modular arithmetic, and thus it is applicable only to public key cryptosystems such as RSA, and not to secret key algorithms such as the Data Encryption Standard (DES).

1,662 citations

Book Chapter
01 Jun 2011
TL;DR: In this paper, the AES key can be deduced from a single random byte fault induced at the input of the eighth round using a two-stage algorithm, with a statistical expectation of reducing the possible key hypotheses to \(2^{32}\) and then to a mere \(2^{8}\).
Abstract: In this paper we present a differential fault attack that can be applied to the AES using a single fault. We demonstrate that when a single random byte fault is induced at the input of the eighth round, the AES key can be deduced using a two stage algorithm. The first step has a statistical expectation of reducing the possible key hypotheses to \(2^{32}\), and the second step to a mere \(2^{8}\).

274 citations

Posted Content
TL;DR: A differential fault attack that can be applied to the AES using a single fault, which demonstrates that when a single random byte fault is induced at the input of the eighth round, the AES key can be deduced using a two stage algorithm.
Abstract: In this paper we present a differential fault attack that can be applied to the AES using a single fault. We demonstrate that when a single random byte fault is induced at the input of the eighth round, the AES key can be deduced using a two stage algorithm. The first step has a statistical expectation of reducing the possible key hypotheses to \(2^{32}\), and the second step to a mere \(2^{8}\). Furthermore, we show that, with certain faults, this can be reduced to two key hypotheses.

273 citations

Journal Article
TL;DR: Differential Fault Analysis (DFA) as discussed by the authors is a cryptanalytic attack that can be applied to almost any secret key cryptosystem proposed so far in the open literature.
Abstract: In September 1996 Boneh, Demillo, and Lipton from Bellcore announced a new type of cryptanalytic attack which exploits computational errors to find cryptographic keys. Their attack is based on algebraic properties of modular arithmetic, and thus it is applicable only to public key cryptosystems such as RSA, and not to secret key algorithms such as the Data Encryption Standard (DES). In this paper, we describe a related attack, which we call Differential Fault Analysis, or DFA, and show that it is applicable to almost any secret key cryptosystem proposed so far in the open literature. Our DFA attack can use various fault models and various cryptanalytic techniques to recover the cryptographic secrets hidden in the tamper-resistant device. In particular, we have demonstrated that under the same hardware fault model used by the Bellcore researchers, we can extract the full DES key from a sealed tamper-resistant DES encryptor by analyzing between 50 and 200 ciphertexts generated from unknown but related plaintexts. In the second part of the paper we develop techniques to identify the keys of completely unknown ciphers (such as SkipJack) sealed in tamper-resistant devices, and to reconstruct the complete specification of DES-like unknown ciphers. In the last part of the paper, we consider a different fault model, based on permanent hardware faults, and show that it can be used to break DES by analyzing a small number of ciphertexts generated from completely unknown and unrelated plaintexts.

219 citations

Book Chapter
19 Jun 2009
TL;DR: Simulations show that by inducing a single random byte fault at the input of the eighth round of the AES algorithm the block cipher key can be deduced without any brute-force search.
Abstract: In the present paper a new fault based attack has been proposed against AES-Rijndael. The paper shows that inducing a single random byte fault at the input of the eighth round of the AES algorithm the block cipher key can be deduced. Simulations show that when two faulty ciphertext pairs are generated, the key can be exactly deduced without any brute-force search. Further results show that with one single faulty ciphertext pair, the AES key can be ascertained with a brute-force search of \(2^{32}\).

166 citations