Fault Attack on SKINNY Cipher

PDF / 2,523,466 Bytes
20 Pages / 595.224 x 790.955 pts Page_size
20 Downloads / 213 Views

Fault Attack on SKINNY Cipher Navid Vafaei1 · Sayandeep Saha2 · Nasour Bagheri1 · Debdeep Mukhopadhyay2 Received: 11 May 2020 / Accepted: 21 August 2020 © Springer Nature Switzerland AG 2020

Abstract SKINNY is a family of tweakable lightweight block ciphers, proposed in CRYPTO 2016. The proposal of SKINNY describes two block size variants of 64 and 128 bits as well as three options for tweakey. In this paper, we present fault attacks (FA) on all SKINNY variants. In the first part of the paper, we propose differential fault analysis (DFA) attacks on SKINNY variants keeping the tweak fixed. The attack model of tweakable block ciphers allows the access and full control of the tweak by the attacker. Respecting this attack model, we assume a fixed tweak for the attack window. With this assumption, extraction of the master key of SKINNY requires about 10 random nibble fault injections on average for 64-bit versions of the cipher, whereas the 128-bit versions require roughly 21 byte-fault-injections. In the later part of this work, we relax this assumption and perform fault attacks under known but randomly varying tweaks. It is found that pairs of bit faults at the input and output of the S-Boxes allow complete key recovery under random tweak. Moreover, explicit access to ciphertexts is not required in our attack, and key recovery is possible only by knowing if the ciphertext is correct or faulty. This property of the attack allows key recovery even at the presence of simple redundancy-based FA countermeasures. Both the DFA and paired fault-based attacks were validated through extensive simulation. To the best of authors’ knowledge, these are the first instances of FAs reported on SKINNY tweakable block cipher family. Keywords Block cipher · Differential fault attack · SKINNY · Random tweak fault attack

1 Introduction Fault analysis attacks are one of the potent practical threats to modern cryptographic implementations. Originally proposed by Boneh et al. [8] in September 1996 in the context of the RSA algorithm, fault attacks were readily extended for symmetric key cryptosystems by Biham and Shamir [6]

Navid Vafaei

[email protected] Sayandeep Saha [email protected] Nasour Bagheri [email protected] Debdeep Mukhopadhyay [email protected] 1

Electrical Engineering Department, Shahid Rajaee Teacher Training University, Tehran, Iran

2

Department of Computer Science and Engineering, Indian Institute of Technology Kharagpur, Kharagpur, India

as Differential Fault Analysis (DFA). The main idea of DFA is to analyze the XOR differential between the correct and the corresponding faulty ciphertexts to extract the secret key. So far, DFAs are the most fundamental classes of fault attacks for symmetric key primitives and have been applied on several block ciphers like AES, PRESENT, PRINCE, SIMON, and Hash algorithms like SHA3 and Grøstl [1, 3, 4, 7, 9, 10, 19, 25, 26, 30, 34]. Even with the discovery of certain other sophisticated classes of fault attacks such as Blind Fault Attack (BFA) [18], Fault sensitivity

Data Loading...

Fault Attack on SKINNY Cipher

Recommend Documents

Preventing Differential Fault Analysis Attack on AEGIS Family of Ciphers

Preventing Fault Attack on Stream Ciphers by Fault Detection and Correction

Cipher

An Improved Adversarial Neural Network Encryption Algorithm Against the Chosen-Cipher Text Attack (CCA)

The Block Cipher Companion

Attack

Research on Differential Power Analysis of Lightweight Block Cipher LED

Investigating Cube Attacks on the Authenticated Encryption Stream Cipher ACORN

A Novel Block Cipher Based on Randomly Shuffled Key Strings

FPGA Implementation of PICO Cipher

A Fault Attack for Scalar Multiplication in Elliptic Curve Digital Signature Algorithm

Compact Implementation of CHAM Block Cipher on Low-End Microcontrollers