Abstract

A differential fault attack framework for the Enocoro family of stream ciphers is presented. We only require that the attacker can reset the internal state and inject a random byte-fault, in a random register, during a known time period. For a single fault injection, we develop a differential clocking algorithm that computes a set of linear equations in the in- and output differences of the non-linear parts of the cipher and relates them to the differential keystream. The usage of these equations is two-fold. Firstly, one can determine those differentials that can be computed from the faulty keystream, and secondly they help to pin down the actual location and timing of the fault injection. Combining these results, each fault injection gives us information on specific small parts of the internal state. By encoding the information we gain from several fault injections using the weighted Horn clauses, we construct a guessing path that can be used to quickly retrieve the internal state using a suitable heuristic. Finally, we evaluate our framework with the ISO-standardized and CRYPTREC candidate recommended cipher Enocoro-128v2. Simulations show that, on average, the secret key can be retrieved within 20 min on a standard workstation using less than five fault injections.

Highlights

  • We only require that the attacker can reset the internal state and inject a random byte-fault, in a random register, during a known time period

  • Simulations show that, on average, the secret key can be retrieved within 20 min on a standard workstation using less than five fault injections

  • Every hand-held communication device contains a hardware implementation of one or more stream ciphers. Since these devices are readily available to a potential attacker, there is an urgent need to secure those hardware implementations against side-channel attacks targeting the secret keys stored on the device and the keystream produced from them


Summary

Introduction

Stream ciphers play a central role in mobile telecommunications. Our attack tries to model and follow the information flow during the execution of the stream cipher, and it tries to optimize the information gain which can be derived from each fault injection. When dealing with fault injections, often the acquired information is not exact, i.e., instead of the precise register value, only a small set containing that value can be found. As indicated above, this is modelled by assigning a weight to the corresponding Horn clause. Since finding an optimal guessing path is not feasible, we propose a Greedy Marking Algorithm 3 as a heuristic to find a guessing path of small weight.
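To make the idea of a guessing path over weighted Horn clauses concrete, the following is an added example, not the paper's Algorithm 3 and not code from the authors: a generic greedy marking heuristic over constructed clauses. It assumes a clause weight is the log2 of the number of candidates left for the derived byte, that a blind byte guess costs 8 bits, and that the path weight is the sum of the step weights; the variable names and clauses are invented for illustration.

```python
from typing import NamedTuple

GUESS_BITS = 8.0  # assumption: guessing one unknown state byte costs 8 bits

class Clause(NamedTuple):
    body: frozenset  # state bytes that must already be known
    head: str        # state byte the clause then yields
    weight: float    # assumption: log2 of candidates left for head (0 = exact)

def greedy_guessing_path(variables, clauses):
    """Return (steps, total_bits); each step is (kind, variable, bits)."""
    known, steps, total = set(), [], 0.0
    while not set(variables) <= known:
        # Clauses that can fire now: body fully known, head still unknown.
        ready = [c for c in clauses if c.head not in known and c.body <= known]
        best = min(ready, key=lambda c: (c.weight, c.head), default=None)
        if best is not None and best.weight < GUESS_BITS:
            kind, var, bits = "derive", best.head, best.weight
        else:
            # No clause beats a blind guess: guess the unknown byte that
            # occurs in the most bodies of clauses that are still useful.
            pending = [c for c in clauses if c.head not in known]
            unknown = sorted(set(variables) - known)
            var = max(unknown, key=lambda v: sum(v in c.body for c in pending))
            kind, bits = "guess", GUESS_BITS
        known.add(var)
        steps.append((kind, var, bits))
        total += bits
    return steps, total

# Constructed sample: six abstract state bytes and five clauses (not Enocoro data).
VARS = ["a0", "a1", "a2", "a3", "a4", "a5"]
CLAUSES = [
    Clause(frozenset({"a0", "a1"}), "a2", 0.0),
    Clause(frozenset({"a2"}), "a3", 1.0),   # two candidates remain
    Clause(frozenset({"a3", "a4"}), "a5", 0.0),
    Clause(frozenset({"a1"}), "a4", 2.0),   # four candidates remain
    Clause(frozenset({"a5"}), "a0", 0.0),
]

if __name__ == "__main__":
    path, bits = greedy_guessing_path(VARS, CLAUSES)
    for step in path:
        print(step)
    print("total weight:", bits, "bits vs", GUESS_BITS * len(VARS), "for guessing every byte")
```

On this constructed input the heuristic needs two byte guesses and resolves the remaining four bytes through clauses, which is the kind of saving the weighted encoding is meant to expose.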

Description of the Enocoro Stream Cipher Family
Our Fault Model
Differential Clocking Algorithm and Fault Localization
Combining Fault Injections
The Fault Attack on Enocoro Stream Ciphers
Experiments and Timings