Fault Attack on SKINNY Cipher

Journal of Hardware and Systems Security

Abstract

SKINNY is a family of tweakable lightweight block ciphers, proposed at CRYPTO 2016. The proposal of SKINNY describes two block size variants of 64 and 128 bits as well as three options for the tweakey. In this paper, we present fault attacks (FA) on all SKINNY variants. In the first part of the paper, we propose differential fault analysis (DFA) attacks on SKINNY variants keeping the tweak fixed. The attack model of tweakable block ciphers allows the attacker access to and full control of the tweak. Respecting this attack model, we assume a fixed tweak for the attack window. With this assumption, extraction of the master key of SKINNY requires about 10 random nibble fault injections on average for 64-bit versions of the cipher, whereas the 128-bit versions require roughly 21 byte-fault injections. In the later part of this work, we relax this assumption and perform fault attacks under known but randomly varying tweaks. It is found that pairs of bit faults at the input and output of the S-Boxes allow complete key recovery under random tweak. Moreover, explicit access to ciphertexts is not required in our attack, and key recovery is possible only by knowing if the ciphertext is correct or faulty. This property of the attack allows key recovery even in the presence of simple redundancy-based FA countermeasures. Both the DFA and paired fault-based attacks were validated through extensive simulation. To the best of the authors’ knowledge, these are the first instances of FAs reported on the SKINNY tweakable block cipher family.


Notes

  1. Throughout this paper, the array/state indices start from 1.

  2. The terms tweakey and key have been used interchangeably throughout this paper, whereas to indicate the public material, we use the term tweak.

  3. Tweakey/key states and tweakey/key arrays have been used interchangeably with the same meaning in this work.

  4. Note that in this paper, we have used both the term difference and differential. Both have the same meaning in the context of this paper.

  5. Actually, this claim is not entirely true. In fact, depending on the value of the output differential, only a certain set of input differentials will satisfy the fault difference equation for this case, whose count is expected to be \(< 2^{s}\). However, exploiting this observation would require a large number of fault injections. As we shall show, the attack can be performed with far fewer faults.

  6. One important question at this point is whether Side-Channel Attacks (SCA) are also prevented by the application of random tweaks. To the best of the authors’ knowledge, the answer is no, simply due to the fact that the tweak is known.

  7. It is worth mentioning that if \(X = x\) satisfies (18), so does \(X = x \oplus 2^{i}\). This happens due to the associative property of the XOR operation.

  8. This is because, with two candidate solutions in \(\mathcal {E}^{i}_{j}\), the remaining entropy of the S-Box input, and that of the key, becomes 1 bit. The other 7 bits are exposed.

  9. More precisely, a bit flip fault at \(x_{0}\) makes it \({x^{f}_{0}} = x_{0} \oplus 1\), and the same happens for \(y_{3}\) (i.e., \({y^{f}_{3}} = y_{3} \oplus 1\)). Since \(x_{0} = y_{3}\) happens for certain valuations of \(x_{3}\) and \(x_{2}\), the same should hold for \({x^{f}_{0}}\) and \({y^{f}_{3}}\) as well. As a result, the 1’s in both of these expressions cancel each other, resulting in a non-faulty output.

Author information

Corresponding author

Correspondence to Navid Vafaei.

Appendix: Additional Fault Patterns for DFA

Fig. 15

The fault propagation pattern in SKINNY with the fault induced at the 2nd cell at the beginning of round (R − 4). Each variable represents a non-zero fault differential and each empty cell specifies a zero differential.

Fig. 16

The fault propagation pattern in SKINNY with the fault induced at the 4th cell at the beginning of round (R − 4). Each variable represents a non-zero fault differential and each empty cell specifies a zero differential.

Cite this article

Vafaei, N., Saha, S., Bagheri, N. et al. Fault Attack on SKINNY Cipher. J Hardw Syst Secur 4, 277–296 (2020). https://doi.org/10.1007/s41635-020-00103-z
