Abstract
SKINNY is a family of tweakable lightweight block ciphers proposed at CRYPTO 2016. The SKINNY proposal describes two block-size variants, 64 and 128 bits, as well as three tweakey-size options. In this paper, we present fault attacks (FA) on all SKINNY variants. In the first part of the paper, we propose differential fault analysis (DFA) attacks on the SKINNY variants while keeping the tweak fixed. The attack model of tweakable block ciphers gives the attacker access to, and full control of, the tweak; consistent with this model, we assume a fixed tweak for the duration of the attack window. Under this assumption, extracting the master key of SKINNY requires about 10 random nibble fault injections on average for the 64-bit versions of the cipher, whereas the 128-bit versions require roughly 21 byte fault injections. In the later part of this work, we relax this assumption and perform fault attacks under known but randomly varying tweaks. We find that pairs of bit faults at the input and output of the S-boxes allow complete key recovery under random tweaks. Moreover, our attack does not require explicit access to ciphertexts: key recovery is possible knowing only whether the ciphertext is correct or faulty. This property allows key recovery even in the presence of simple redundancy-based FA countermeasures. Both the DFA and the paired-fault attacks were validated through extensive simulation. To the best of the authors' knowledge, these are the first FAs reported on the SKINNY tweakable block cipher family.
Notes
Throughout this paper, the array/state indices start from 1.
The terms tweakey and key have been used interchangeably throughout this paper, whereas to indicate the public material, we use the term tweak.
Tweakey/key states and tweakey/key arrays have been used interchangeably with the same meaning in this work.
Note that in this paper we use both the terms difference and differential. Both have the same meaning in the context of this paper.
Actually, this claim is not entirely true. In fact, depending on the value of the output differential, only a certain set of input differentials will satisfy the fault difference equation in this case, and the size of that set is expected to be < 2^s. However, exploiting this observation would require many fault injections. As we shall show, the attack can be performed with far fewer faults.
One important question at this point is whether Side-Channel Attacks (SCA) are also prevented by the application of random tweaks. To the best of the authors' knowledge, the answer is no, simply because the tweak is known.
It is worth mentioning that if X = x satisfies (18), so does X = x ⊕ 2^i. This happens due to the associative property of the XOR operation.
This is because, with two candidate solutions in \(\mathcal {E}^{i}_{j}\), the remaining entropy of the S-Box input, and that of the key, becomes 1 bit. The remaining 7 bits are exposed.
More precisely, a bit-flip fault at x0 makes it \({x^{f}_{0}} = x_{0} \oplus 1\), and the same happens for y3 (i.e., \({y^{f}_{3}} = y_{3} \oplus 1\)). Since x0 = y3 holds for certain valuations of x3 and x2, the same holds for \({x^{f}_{0}}\) and \({y^{f}_{3}}\) as well. As a result, the 1's in both of these expressions cancel each other, resulting in a non-faulty output.
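The paired-fault notes above describe bit-flip faults that cancel at the S-box and the entropy that remains once a candidate set is known. The following added example (not code from the paper or from the SKINNY designers) computes, for the public SKINNY-64 4-bit S-box, which input-bit/output-bit flip pairs are ineffective for which inputs, and how a single correct/faulty verdict shrinks the candidate set; the bit numbering (bit i has value 2**i, bit 0 least significant) is an assumption that may differ from the paper's, so the particular pairs need not coincide with its footnotes.

```python
# Added example (not the paper's or the SKINNY authors' code): which single-bit
# input/output fault pairs on the SKINNY-64 S-box cancel out (ineffective faults)
# and how a bare correct/faulty verdict narrows down the S-box input.
# S4 is the public 4-bit S-box of the SKINNY specification. Assumption: bit i
# means value 2**i (bit 0 = least significant); the paper's own bit numbering
# may differ, so specific (i, j) pairs here need not match its footnotes.
import math
from itertools import product

S4 = [0xc, 0x6, 0x9, 0x0, 0x1, 0xa, 0x2, 0xb,
      0x3, 0x8, 0x5, 0xd, 0x4, 0xe, 0x7, 0xf]

def sbox(x: int) -> int:
    """SKINNY-64 S-box on one nibble."""
    return S4[x & 0xf]

def paired_fault_output(x: int, i: int, j: int) -> int:
    """S-box output when input bit i is flipped before and output bit j after the S-box."""
    return sbox(x ^ (1 << i)) ^ (1 << j)

def ineffective_inputs(i: int, j: int) -> set:
    """Inputs x for which the (i, j) fault pair leaves the output unchanged.

    Equivalently S(x) ^ S(x ^ 2**i) == 2**j: a single-bit input difference maps to
    the single-bit output difference 2**j. By construction the set is closed under
    x -> x ^ 2**i, which is the observation made in the note on Eq. (18)."""
    return {x for x in range(16) if paired_fault_output(x, i, j) == sbox(x)}

def ineffective_count_table() -> dict:
    """For each (input bit, output bit) pair, how many of the 16 nibbles are ineffective."""
    return {(i, j): len(ineffective_inputs(i, j)) for i, j in product(range(4), repeat=2)}

def remaining_candidates(candidates: set, i: int, j: int, was_correct: bool) -> set:
    """Candidates for the unknown S-box input that agree with one observed verdict.

    Only the verdict (output correct or faulty) is used, never the ciphertext, which
    is why a redundancy check that merely suppresses faulty output still leaks."""
    hit = ineffective_inputs(i, j)
    return candidates & hit if was_correct else candidates - hit

def remaining_entropy_bits(candidates: set) -> float:
    """log2 of the number of surviving candidates (0 means the input is fully known)."""
    return math.log2(len(candidates))

if __name__ == "__main__":
    for (i, j), n in sorted(ineffective_count_table().items()):
        if n:
            print(f"in bit {i} / out bit {j}: ineffective for {sorted(ineffective_inputs(i, j))}")
```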
Appendix: Additional Fault Patterns for DFA
Cite this article
Vafaei, N., Saha, S., Bagheri, N. et al. Fault Attack on SKINNY Cipher. J Hardw Syst Secur 4, 277–296 (2020). https://doi.org/10.1007/s41635-020-00103-z