Abstract

Cryptographic hash functions play an essential role in various aspects of cryptography, such as message authentication codes, pseudorandom number generation, digital signatures, and so on. Thus, the security of their hardware implementations is an important research topic. Hao et al. proposed an algebraic fault analysis (AFA) for the SHA-256 compression function in 2014. They showed that one could recover the whole of an unknown input of the SHA-256 compression function by injecting 65 faults and analyzing the outputs under normal and fault injection conditions. They also presented an almost universal forgery attack on HMAC-SHA-256 using this result. In our work, we conducted computer experiments for various fault-injection conditions in the AFA for the SHA-256 compression function. As a result, we found that one can recover the whole of an unknown input of the SHA-256 compression function by injecting an average of only 18 faults. We also conducted an AFA for the SHACAL-2 block cipher and an AFA for the SHA-256 compression function, enabling almost universal forgery of the chopMD-MAC function.

Highlights

  • We review the algebraic fault analysis (AFA) for the SHA-256 compression function of Hao et al. In Section 3, we first describe the results of computer experiments on the AFA of Hao et al. and show that the number of injected faults can be greatly reduced.

  • The results show that the fault injections into e60 can recover more chaining values than the fault injections into other positions.

  • Since we found that the SHA-256 compression function does not propagate the faults to Yh, we excluded the cases in which the chop function outputs Yh.


Summary

Introduction

Fault attacks (FAs) are side-channel attacks that intentionally cause faults in the cryptographic process on a hardware device and try to recover the secret information from internal information that is not usually output. An attacker can cause faults, for example, by irradiating the device with electromagnetic waves, such as lasers, or by manipulating the device’s voltage. Hemme et al. proposed a differential fault analysis (DFA) against the SHA-1 compression function using a 32-bit random fault model [7]. Based on this attack, DFAs were applied to the HAS-160 [8] and MD5 [9] compression functions. AFAs were applied to other ciphers [11,12].
