Differential fault analysis of NORX using variants of coupon collector problem

Abstract

In this paper, we report the first DFA on nonce-based CAESAR scheme NORX (applicable to all the versions v1, v2.0, v3.0). This demonstrates a scenario when faults introduced in NORX in parallel mode can be used to collide the internal branches to produce an all-zero state. Later, this fault is used to replay on NORX despite being instantiated by different nonces and messages. Once replayed, the secret key of NORX can be recovered using secondary faults and using the faulty tags. The attack presents a case where for the first time both internal and classical differentials are used to mount a DFA on a nonce-based authenticated cipher. Different fault models are used to showcase the versatility of the attack strategy. A detailed theoretical analysis of the expected number of faults is furnished under various models. Under the random bit-flip model, around 1384 faults need to be induced to reduce the key-space from \(2^{128}\) to \(2^{32}\), while the random byte-flip model requires 332 faults to uniquely identify the key. Moreover, we have identified and solved a new theoretical problem for the consecutive bit-flip fault model that is a special variant of the generalized coupon collector problem. We refer to the new problem as the consecutive coupon collector problem. We also present a mathematical proof to this problem for the first time in the literature. Additionally, we corroborate that our theoretical values are matched very closely to the simulated values. Further, we show the validation of our calculations of the problem using hypothesis testing. Finally, we furnish a discussion to assess the DFA vulnerability of FORK-256 based on a strategy similar to the one used for NORX.

Appendices

Appendix A: Alternative solution to a boundary case of consecutive coupon collector problem

Problem statement Suppose an attacker targets to inject consecutive bits fault in a register containing n number of bits. In each trial, the attacker randomly chooses a bit from the register and then flips l bits (for some pre-defined number \(l \le n\)) from the flipped one to the right and marks them as flipped. Then, what is the expected number of trials so that all the n bits get flipped?

Table 11 Theoretical values for the boundary case

Table 12 Simulated values for the boundary case

Exact theoretical solution For a fixed n, l, let us define the random variable \(X_i\) as

$$\begin{aligned} X_i := \text { No. of trials required for the bit position } i\text { to be flipped} \end{aligned}$$

Now, observe that, if we want bit position i to be flipped, then there exists some fixed bit positions which need to be flipped in the trials that makes our concerned position checked.

We want the expected number of trials so that all the positions gets checked. So, we need to find the expectation of the maximum number of trials required for n number of bits to get checked. Let us define a new random variable X as

$$\begin{aligned} X := \max _{i} X_i \end{aligned}$$

and we want to calculate \({\mathbb {E}}(X)\).

Before proceeding into mathematical details, let us first fix some notations.

• 1. Distance between node i and node j is

  $$\begin{aligned} d_{ij} := |i-j|. \end{aligned}$$

• 2. WLOG, let \(i<j\). Then, the number of joint favorable hitting positions contributed by j given i is

  $$\begin{aligned} v_{ij} := \min (d_{ij},l). \end{aligned}$$

Then, WLOG given \(A = \left\{ i_1, i_2, \dots i_p \right\} \subset \{1,2,\dots ,n\)}, where \(i_1< i_2< \ldots < i_p\) the total number of favorable hitting positions such that at least one of them is flipped is given by

$$\begin{aligned} h\left( i_1, i_2, \dots i_p \right) := v_{0i_1} + v_{i_1i_2} + v_{i_2i_3} + \dots + v_{i_{p-1}i_p} \end{aligned}$$

where, following our definition above,

$$\begin{aligned} v_{0i_1} = \min (d_{0i_1},l) = \min (|0 - i_1|,l) = \min (i_1,l). \end{aligned}$$

Thus, we can write down the joint probability as

$$\begin{aligned} \Pr (X_{i_1}>r,X_{i_2}>r,\dots ,X_{i_p}>r) = \left[ 1 - \frac{h\left( i_1, i_2, \dots i_p \right) }{n} \right] ^r. \end{aligned}$$

Due to the independence of the trials, we will get by using Principle of inclusion and exclusion,

$$\begin{aligned} \Pr (X>r)&= \Pr (\max _i X_i> r) \\&= \sum _i \Pr (X_i>r) - \sum _{i_1 < i_2} \Pr (X_{i_1}>r, X_{i_2}>r) \\& + \ldots +(-1)^{n+1} \Pr \Big (X_1> r, X_2> r, \dots ,\\& X_n > r\Big ). \end{aligned}$$

As the last term will be 0 for all \(r\ge 1\). Then, we have,

$$\begin{aligned} \Pr (X>r)&= \sum _i \left[ 1 - \frac{k}{n}\right] ^r - \sum _{i_1< i_2} \left[ 1 - \frac{h\left( i_1, i_2\right) }{n} \right] ^r + \dots \\& + (-1)^{n} \sum _{i_1< \dots < i_{n-1}} \left[ 1 - \frac{h\left( i_1, i_2, \dots i_{n-1} \right) }{n} \right] ^r. \end{aligned}$$

Finally, we can conclude that,

$$\begin{aligned} {\mathbb {E}}(X)&= \sum _{r\ge 0} \Pr (X > r) \\&= \sum _{r\ge 0} \sum _i \left[ 1 - \frac{k}{n}\right] ^r - \sum _{r\ge 0}\sum _{i_1< i_2} \left[ 1 - \frac{h\left( i_1, i_2\right) }{n} \right] ^r + \dots \\& + (-1)^{n} \sum _{r\ge 0} \sum _{i_1< \dots< i_{n-1}} \left[ 1 - \frac{h\left( i_1, i_2, \dots i_{n-1} \right) }{n} \right] ^r \\&= \sum _i \sum _{r\ge 0} \left[ 1 - \frac{k}{n}\right] ^r - \sum _{i_1< i_2} \sum _{r\ge 0} \left[ 1 - \frac{h\left( i_1, i_2\right) }{n} \right] ^r + \dots \\& + (-1)^{n} \sum \limits _{i_1< \dots< i_{n-1}} \sum \limits _{r\ge 0} \left[ 1 - \frac{h\left( i_1, i_2, \dots i_{n-1} \right) }{n} \right] ^r \\&= \sum _i \frac{n}{k} - \sum _{i_1< i_2} \frac{n}{h\left( i_1, i_2\right) } + \ldots \\& +(-1)^{n}\sum \limits _{i_1< \dots< i_{n-1}} \frac{n}{h\left( i_1, i_2, \dots i_{n-1} \right) } \\&= n \; \left[ \sum _i \frac{1}{k} - \sum _{i_1< i_2} \frac{1}{h\left( i_1, i_2\right) } + \ldots \right. \\& + (-1)^{n} \sum _{i_1< \dots < i_{n-1}} \frac{1}{h\left( i_1, i_2, \dots i_{n-1} \right) } \biggr ]. \end{aligned}$$

Empirical validation We simulate the procedure for 100,000 times for each value of n and l and take averages over those values to compare it with the theoretical values. Both the theoretical and the simulated values are given in Tables 11 and 12, respectively. It is clear that our theoretical result is very close to the simulated one.

Counting observations beyond \(3\sigma \) limits. The corrplot in Figure 16 of the difference matrix obtained from the theoretical and the simulated values shows an idea about how close the values are.

Fig. 16

Corrplot of the difference matrix between theoretical and simulated values

Also, we plot the \(3\sigma \) limits in Figure 17 around the mean differences to see how many of the observations fall beyond \(3\sigma \) limit.

Fig. 17

Mean differences with \(3\sigma \) limit

Notice that, out of the 300 observations, only 3 of them are not significantly close which is \(\frac{3}{300} = 1\%\) of the total number of observations. Hence, there is clear evidence that our calculations are correct.

Now, to make things more rigorous, we can do some hypothesis testing, which results into an interesting observation.

Hypothesis testing For each fixed n and l, let, \(Y_{n,l}^1, Y_{n,l}^2, \dots Y_{n,l}^m\) be m observations coming from some distribution with mean \(\mu _{nl}\). Then, we can frame our hypothesis as:

$$\begin{aligned} {\mathscr {H}}_0 : \mu _{nl} = t(n,l) \quad \quad {\mathscr {H}}_A : \mu _{nl} \ne t(n,l) \end{aligned}$$

where, t(n, l) is our calculated theoretical value. For our purpose, \(m = 100{,}000\). So, we can do large sample approximation here. We want to test at \(5\%\) level of significance. Then, the test statistic will be,

$$\begin{aligned} T = \frac{\sqrt{m} \; (\overline{Y_{n,l}} - \mu _{nl})}{s_{nl}} \end{aligned}$$

where,

$$\begin{aligned} \overline{Y_{n,l}} = \frac{1}{m} \sum _{i=1}^{m} Y_{n,l}^i \quad \text {and} \quad s_{nl} = \frac{1}{m-1} \sum _{i=1}^m (Y_{n,l}^i - \overline{Y_{n,l}})^2 \end{aligned}$$

Since we are doing a both-sided test, our decision rule will be,

Now, we are doing \(\frac{25\times 24}{2} = 300\) many testings. Out of them 17 was rejected which is \(\frac{17}{300} \times 100 \% = 5.67 \%\) of the total values.

Appendix B: Proof of Theorem 1

Theorem 2

(The Principle of Inclusion and Exclusion) Suppose, we have n number of finite sets as \(A_1,\ldots ,A_n\). Then, the cardinality of their unions can be calculated using the following formula:

$$\begin{aligned}\Big \vert \bigcup _{1\le i\le n} A_i \Big \vert = \sum \limits _{1\le i_1\le n}\big \vert A_{i_1} \big \vert - \sum \limits _{1\le i_1\le i_2 \le n}\big \vert A_{i_1}\cap A_{i_2}\big \vert +\\\sum \limits _{1\le i_1\le i_2 \le i_3\le n}\big \vert A_{i_1}\cap A_{i_2}\cap A_{i_3} \big \vert -\ldots +(-1)^{n+1}\big \vert \cap _{i = 1}^{n} A_{i} \big \vert .\end{aligned}$$

Let us prove Theorem 1 by using principle of mathematical induction. For \(m = 1\), the equality in Theorem 1 holds by using principle of inclusion and exclusion (Theorem 2). Let us assume that Theorem 2 is true for m. Now, we have to prove whether it is true for \(m+1\) or not. Therefore, we have to show that

$$\begin{aligned} \left| B_{m+1}\right| = \sum \limits _{h=0}^{n-m-1}(-1)^{h}{m+h\atopwithdelims ()m}S_{m+h+1}. \end{aligned}$$

Let C(k, m) denote the number of times an element x belonging to exactly k sets out of \(A_1, A_2,\ldots ,A_n\) which is actually counted on the right hand of the expression \(\mid B_m\mid \). So, by induction hypothesis, we can write

$$\begin{aligned} C(k,m) = \left\{ \begin{array}{ll} 1, &{} \text{ if }\ k\ge m;\\ 0, &{} \hbox {otherwise}. \end{array} \right. \end{aligned}$$

Let us assume that an element x belonging to exactly k sets out of the given n sets \(A_1,A_2,\ldots ,A_n\). Then, we have to show that,

$$\begin{aligned} C(k,m+1) = \left\{ \begin{array}{ll} 1, &{} \text{ if }\ k\ge m+1;\\ 0, &{} \hbox {otherwise}. \end{array} \right. \end{aligned}$$

Now, for \(k\ge m+1\), \(C(k, m + 1)\) denote the number of times x belonging to exactly k sets of n sets. This number is actually counted on the RHS of the expression \(\mid B_{m+1}\mid \). Therefore, we can write,

$$\begin{aligned} C(k,m+1) = \sum \limits _{i=0}^{n-m-1}(-1)^{i}{m+i\atopwithdelims ()m}{k \atopwithdelims ()m+i+1}. \\ (As\; S_{m+i+1} = \sum \mid A_{j_1}\cap A_{j_2}\cap \ldots \cap A_{j_{m+i+1}}\mid ) \end{aligned}$$

Now, by putting \(h = i + 1\) in the above expression, we get

$$\begin{aligned} C(k,m+1) = \sum \limits _{h=1}^{n-m}(-1)^{h-1}{m+h-1\atopwithdelims ()m}{k \atopwithdelims ()m+h}. \end{aligned}$$

Further, we have

$$\begin{aligned} C(k,m) = \sum \limits _{h=0}^{n-m}(-1)^{h}{m+h-1\atopwithdelims ()m-1}{k \atopwithdelims ()m+h} = 1. \end{aligned}$$

Therefore, we have

$$\begin{aligned}&C(k,m)-C(k,m+1) \\&= \sum \limits _{h=0}^{n-m}(-1)^{h}{m+h-1\atopwithdelims ()m-1}{k \atopwithdelims ()m+h} \\&\quad - \sum \limits _{h=1}^{n-m}(-1)^{h-1}{m+h-1\atopwithdelims ()m}{k \atopwithdelims ()m+h} \\&= {k \atopwithdelims ()m} + \sum \limits _{h=1}^{n-m}(-1)^{h}\Bigg [{m+h-1\atopwithdelims ()m-1} + {m+h-1\atopwithdelims ()m}\Bigg ]\\&\qquad \times {k \atopwithdelims ()m+h}\\&= {k \atopwithdelims ()m} + \sum \limits _{h=1}^{n-m}(-1)^{h}{m+h\atopwithdelims ()m}{k \atopwithdelims ()m+h}\\&= {k \atopwithdelims ()m} + {k \atopwithdelims ()m}\sum \limits _{h=1}^{n-m}(-1)^{h}{k-m\atopwithdelims ()h}\\&= {k \atopwithdelims ()m}\sum \limits _{h=0}^{n-m}(-1)^{h}{k-m\atopwithdelims ()h}\\&= {k \atopwithdelims ()m}\sum \limits _{h=0}^{k-m}(-1)^{h}{k-m\atopwithdelims ()h} = {k \atopwithdelims ()m}(1-1)^{k-m} = 0.\\ \end{aligned}$$

Hence, \(C(k,m+1) = C(k,m) = 1\). Again, for \(k \le m\), we have \(C(k,m+1) = 0\) as

$$\begin{aligned} \left| B_{m+1}\right| = \sum \limits _{h=0}^{n-m-1}(-1)^{h}{m+h\atopwithdelims ()m}S_{m+h+1}. \end{aligned}$$