Abstract
Differential Fault Attack (DFA) is a very well known technique to evaluate security of a stream cipher. This considers that the stream cipher can be weakened by injection of the fault. In this paper we study DFA on three ciphers, namely Grain v1, Lizard and ACORN v3. We show that Grain v1 (an eStream cipher) can be attacked with injection of only 5 faults instead of 10 that has been reported in 2012. For the first time, we have mounted the fault attack on Lizard, a very recent design and show that one requires only 5 faults to obtain the state. ACORN v3 is a third round candidate of CAESAR and there is only one hard fault attack on an earlier version of this cipher. However, the ‘hard fault’ model requires a lot more assumption than the generic DFA. In this paper, we mount a DFA on ACORN v3 that requires 9 faults to obtain the state. In case of Grain v1 and ACORN v3, we can obtain the secret key once the state is known. However, that is not immediate in case of Lizard. While we have used the basic framework of DFA that appears in literature quite frequently, specific tweaks have to be explored to mount the actual attacks that were not used earlier. To the best of our knowledge, these are the best known DFAs on these three ciphers.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Babbage, S., Dodd, M.: The stream cipher MICKEY 2.0. ECRYPT stream cipher project report. http://ecrypt.eu.org/stream/p3ciphers/mickey/mickey_p3.pdf
Banik, S., Maitra, S., Sarkar, S.: A differential fault attack on the grain family of stream ciphers. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 122–139. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33027-8_8
Banik, S., Maitra, S.: A differential fault attack on MICKEY 2.0. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 215–232. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40349-1_13
Banik, S., Maitra, S., Sarkar, S.: Improved differential fault attack on MICKEY 2.0. J. Cryptogr. Eng. 5(1), 13–29 (2015). https://doi.org/10.1007/s13389-014-0083-9
Banik, S., Isobe, T.: Some cryptanalytic results on Lizard. http://eprint.iacr.org/2017/346.pdf
Barenghi, A., Breveglieri, L., Koren, I., Naccache, D.: Fault Injection attacks on cryptographic devices: theory, practice, and countermeasures. Proc. IEEE 100(11), 3056–3076 (2012). https://doi.org/10.1109/JPROC.2012.2188769
De Cannire, C., Preneel, B.: TRIVIUM specifications. eSTREAM, ECRYPT Stream Cipher Project, Report
Dey, P., Rohit, R.S., Adhikari, A.: Full key recovery of ACORN with a single fault. J. Inf. Secur. Appl. 29(C), 57–64 (2016). https://doi.org/10.1016/j.jisa.2016.03.003. Elsevier Science Inc. New York, NY, USA
Hamann, M., Krause, M., Meier, W.: LIZARD - a lightweight stream cipher for power-constrained devices. IACR Trans. Symmetric Cryptol. 2017(1), 45–79 (2017). http://tosc.iacr.org/index.php/ToSC/article/view/584
Hell, M., Johansson, T., Meier, W.: Grain - a stream cipher for constrained environments. ECRYPT stream cipher project report 2005/001 (2005). http://www.ecrypt.eu.org/stream
Hojsík, M., Rudolf, B.: Differential fault analysis of Trivium. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 158–172. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-71039-4_10
Hojsík, M., Rudolf, B.: Floating fault analysis of Trivium. In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) INDOCRYPT 2008. LNCS, vol. 5365, pp. 239–250. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89754-5_19
Hu, Y., Gao, J., Liu, Q., Zhang, Y.: Fault analysis of Trivium. Des. Codes Cryptograph. 62(3), 289–311 (2012)
Maitra, S., Siddhanti, A., Sarkar, S.: A dierential fault attack on plantlet. IEEE Trans. Comput. 66(10), 1804–1808 (2017). https://doi.org/10.1109/TC.2017.2700469. An earlier version is available at Cryptology ePrint Archive: Report 2017/088, 4 February 2017. http://eprint.iacr.org/2017/088
Maitra, S., Sarkar, S., Baksi, A., Dey, P.: Key recovery from state information of sprout: application to cryptanalysis and fault attack (2015). http://eprint.iacr.org/2015/236
Mikhalev, V., Armknecht, F., Müller, C.: On ciphers that continuously access the non-volatile key. In: FSE 2017. TOSC, vol. 2016, no. 2, pp. 52–79 (2016). http://tosc.iacr.org/index.php/ToSC/article/view/565/507
Sugawara, T., Suzuki, D., Fujii, R., Tawa, S., Hori, R., Shiozaki, M., Fujino, T.: Reversing stealthy dopant-level circuits. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 112–126. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44709-3_7
Sarkar, S., Banik, S., Maitra, S.: Dierential fault attack against grain family with very few faults and minimal assumptions. IEEE Trans. Comput. 64(6), 1647–1657 (2015)
Stein, W.: Sage Mathematics Software. Free Software Foundation, Inc., (2009). http://www.sagemath.org. (Open source project initiated by W. Stein and contributed by many)
The ECRYPT stream cipher project. eSTREAM portfolio of stream ciphers. http://www.ecrypt.eu.org/stream/
The project CAESAR on authenticated ciphers. http://competitions.cr.yp.to/caesar.html
Wu, H.: ACORN: a lightweight authenticated cipher (v3) (2016). https://competitions.cr.yp.to/round3/acornv3.pdf
Acknowledgements
The first author would like to thank Department of Science and Technology DST-FIST Level-1 Program Grant No. SR/FST/MSI-092/2013 for providing the computational facilities.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendix: Description of the ciphers
Appendix: Description of the ciphers
1.1 A1: Grain v1
Grain v1 has two registers, LFSR and NFSR of 80 bits each and we use the notation \(s_i, s_{1+i}, \ldots ,s_{79+i} \) and \(b_i, b_{1+i}, \ldots , b_{79+i}\) for state bits of LFSR and NFSR respectively. The output function calculates the key stream bit and then the LFSR and NFSR states are updated. The output function is given by:
where \(h(x_0,x_1,x_2,x_3,x_4)\) is given by:
The LFSR feedback bit \(s_{i+80}\) is calculated as:
and the NFSR feedback bit is calculated as:
The cipher is initialized using the key and IV bits as per the following:
After initialization, the cipher is clocked 160 times without producing any key stream bit. In fact, the key stream bit is XOR’d with the feedback bit during the KSA. After 160 rounds, we get our first key stream bit.
1.2 A2: ACORN v3
We briefly state here the description of ACORN v3 relevant to our work, i.e. we assume the plaintext message to be a stream of 0’s and are concerned only about the key stream generation process (PRGA), hence initialization of the cipher has been omitted. As stated before, ACORN v3 has 6 LFSRs concatenated to form a 293 bit state. We denote the state of the cipher by \(S^t\) and its respective bits as: \(S^t_0 \ldots S^t_{292}\). The cipher has the following three functions:
-
1.
Output Function. The output bit \(z_t\) for any state t is generated as:
$$\begin{aligned} z_t&= S^t_{12} \oplus S^t_{154} \oplus \nonumber maj(S^t_{235},S^t_{61},S^t_{193}) \\ {}&\oplus ch(S^t_{230}, S^t_{111}, S^t_{66}), \end{aligned}$$(5)where \(maj(x,y,z)=xy \oplus xz \oplus yz\) and \(ch(x,y,z)=xy \oplus (\sim x)z \).
-
2.
Feedback Function. The feedback bit \(f_{t}\) for any state t is generated as:
$$ \begin{aligned} f_t&= S^{t}_{0} \oplus ( \sim S^{t}_{107}) \oplus maj(S^t_{244}, S^t_{23}, S^t_{160}) \nonumber \\ {}&\oplus (ca_t \, \& S^t_{196}) \oplus ( cb_t \& z_t), \end{aligned}$$(6)where \(ca_t\) and \(cb_t\) are binary values based on the length of the message.
-
3.
State Update Function. Before performing the shift, the bits \(S^t_{289},S^t_{230},\) \(S^t_{193},S^t_{154},S^t_{107},S^t_{61}\) are updated as follows:
$$\begin{aligned} S^t_{289}&= S^t_{289} \oplus S^t_{235} \oplus S^t_{230}\\ S^t_{230}&= S^t_{230} \oplus S^t_{196} \oplus S^t_{193}\\ S^t_{193}&= S^t_{193} \oplus S^t_{160} \oplus S^t_{154}\\ S^t_{154}&= S^t_{154} \oplus S^t_{111} \oplus S^t_{107}\\ S^t_{107}&= S^t_{107} \oplus S^t_{66} \oplus S^t_{61}\\ S^t_{61}&= S^t_{61} \oplus S^t_{23} \oplus S^t_{0} \end{aligned}$$
And then the bits are shifted in the following manner:
with the last bit initialized with the feedback bit is
when all bits of the pliantext are zero.
1.3 A3: Lizard
The 121-bit inner state of Lizard is divided into two NFSRs namely NFSR1 and NFSR2. At time t, the first NFSR, NFSR1 is denoted by \((S_0^t,\ldots , S_{30}^t)\) and the second NFSR, NFSR2 by \((B_0^t , \ldots , B_{89}^t)\). NFSR1 is of 31 bit and the update rule of this NFSR is
The second register NFSR2 is of 90 bit and the update rule of this NFSR is
Output bit \(z_t\) is a function from \(\{0,1\}^{53}\) to \(\{0,1\}.\) At time t,
where
-
\( \mathcal {L}_t=B_7^t \oplus B_{11}^t \oplus B_{30}^t \oplus B_{40}^t \oplus B_{45}^t \oplus B_{54}^t \oplus B_{71}^t\)
-
\( \mathcal {Q}_t=B_{4}^t B_{21}^t \oplus B_{9}^t B_{52}^t \oplus B_{18}^t B_{37}^t \oplus B_{44}^t B_{76}^t\)
-
\(\mathcal {T}_t=B_5^t\oplus B_8^t B_{82}^t \oplus B_{34}^t B_{67}^t B_{73}^t \oplus B_{2}^t B_{28}^t B_{41}^t B_{65}^t \oplus B_{13}^t B_{29}^t B_{50}^t B_{64}^t B_{75}^t \oplus \) \(B_6^t B_{14}^t B_{26}^t B_{32}^t B_{47}^t B_{61}^t \oplus B_1^t B_{19}^tB_{27}^t B_{43}^t B_{57}^t B_{66}^t B_{78}^t\)
-
\(\mathcal {\overline{T}}_t=S_{23}^t \oplus S_{3}^t S_{16}^t \oplus S_{9}^t S_{13}^t B_{48}^t \oplus S_{1}^t S_{24}^t B_{38}^t B_{63}^t\)
The state initialization process is divided into 4 phases.
Phase 1: Key and IV Loading. Let \(K = (K_0,\ldots ,K_{119} ) \) be the 120-bit key and \(IV = (IV_0,\ldots ,\) \(IV_{63} )\) the 64-bit public IV. The state is initialized as follows:
Phase 2: Grain-like Mixing. In this phase the output bit \(z_t\) is fed back into both NFSRs for \(0 \le t \le 127\). This type of approach is used in Grain family.
Phase 3: Second Key Addition. In this phase, the 120-bit key is XORed to both NFSRs as follows:
Phase 4: Final Diffusion. This phase is exactly similar to phase 2 except \(z_t\) is not fed back into the NFSRs. In this phase, one has to run both NFSRs 128 rounds. So after this phase, registers are \((S_0^{257},\ldots , S_{30}^{257})\) and \((B_0^{257} , \ldots , B_{89}^{257})\). Now Lizard is ready to produce output key stream bits. The first keystream bit that is used for encryption is \(z_{257}\). For \(t\ge 257\), the states \((S_0^{t+1},\ldots , S_{30}^{t+1})\) and \((B_0^{t+1} , \ldots , B_{89}^{t+1})\) and the output bit \(z_t\) are computed using Eqs. (7), (8) and (9) respectively.
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Siddhanti, A., Sarkar, S., Maitra, S., Chattopadhyay, A. (2017). Differential Fault Attack on Grain v1, ACORN v3 and Lizard. In: Ali, S., Danger, JL., Eisenbarth, T. (eds) Security, Privacy, and Applied Cryptography Engineering. SPACE 2017. Lecture Notes in Computer Science(), vol 10662. Springer, Cham. https://doi.org/10.1007/978-3-319-71501-8_14
Download citation
DOI: https://doi.org/10.1007/978-3-319-71501-8_14
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-71500-1
Online ISBN: 978-3-319-71501-8
eBook Packages: Computer ScienceComputer Science (R0)