A differential fault attack on the WG family of stream ciphers

Abstract

WG-l ($$l=7,8,16,29$$) are the well-known Welch–Gong (WG) stream cipher family with different key length bits. The first version named WG (WG-29) stream cipher was introduced in eSTREAM project as a cipher suitable for hardware implementations. The other variants are proposed for different applications from RFID to fast communications. This paper presents an extensive fault analysis on the WG family. Fault attacks are powerful cryptanalytic tools to analyse cryptosystems, which are not vulnerable to other known cryptographic attacks. The security model used to analyse the WG ciphers applies random faults, which are allowed to be injected by an adversary. The adversary has no control over the fault locations and their values. For each WG-l stream cipher, an adversary needs to observe a specific number of keystream bits before they are able to recover the secret key. To recover the secret key of WG-8, the adversary needs to inject about six random faults and compute the secret key with data and time complexities about $$2^{15.78}$$ bits and $$2^{24}$$, respectively. The adversary can recover the secret key of WG-7, WG-16 and WG-29 ciphers with time complexities $$2^{22}$$, $$2^{42}$$ and $$2^{64}$$, respectively. The attacks have been verified experimentally.