Internal differential fault analysis of parallelizable ciphers in the counter-mode

Saha, Dhiman; Chowdhury, Debashish

doi:10.1007/s13389-017-0179-0

Cited by 6 publications

(1 citation statement)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…One of many ways that AE schemes can be classified is based on the use of nonces giving us two types of authenticated ciphers: one that prohibits reusing the nonce and the other that provides some security under noncereuse. In CHES 2016 [27] and later in JCEN'17 [28] Saha and Roy Chowdhury, using a demonstration on nonce-based authenticated cipher PAEQ [14], highlighted the importance of the nonce-barrier in the context of automatic prevention of DFA. The basic problem seems to be the fact that nonce-based schemes inhibit replaying of the algorithm which is a premise to DFA, thereby implicitly thwarting them.…”

mentioning

confidence: 99%

Differential Fault Analysis of NORX

Jana

Saha

Paul

2020

Proceedings of the 4th ACM Workshop on Attacks and Solutions in Hardware Security

Self Cite

View full text Add to dashboard Cite

In recent literature, there has been a particular interest in studying nonce-based Authenticated Encryption (AE) schemes in the light of fault-based attacks as they seem to present automatic protection against Differential Fault Attacks (DFA). In this work, we present the first DFA on nonce-based CAESAR scheme NORX (applicable to all the versions v1, v2.0, v3.0). We demonstrate a scenario when faults introduced in NORX in parallel mode can be used to collide the internal branches to produce an all-zero state. We later show how this can be used to replay NORX despite being instantiated by different nonces, messages. Once replayed, we show how the key of NORX can be recovered using secondary faults and using the faulty tags. We use different fault models to showcase the versatility of the attack strategy. A detailed theoretical analysis of the expected number of faults required under various models is also furnished. Under the random bit-flip model, around 1384 faults need to be induced to reduce the key-space from 2 128 to 2 32 while the random byte-flip model requires 332 faults to uniquely identify the key. To the best of our knowledge, this is the first fault attack that uses both internal and classical differentials to mount a DFA on a nonce-based authenticated cipher which is otherwise believed to be immune to DFA.

show abstract

mentioning

confidence: 99%