Abstract

This work analyzes the strength of the NIST Lightweight Cryptography (LWC) Round 1 candidate SIV-Rijndael256 against Differential Fault Attacks (DFA). SIV-Rijndael256 is an interesting DFA target because of its large 256-bit state, and this work exploits that state size to extend the state of the art in DFA on AES-like ciphers. We first study the differential properties of the cipher over three rounds and then use them to mount a DFA that combines a classical strategy with properties of the key schedule. The nonce-misuse resistance of SIV-Rijndael256 means that encryption is deterministic under a repeated nonce, so an attacker can collect a correct and a faulty ciphertext for the same input; this is exploited to reduce the key space from 2^128 to a single key using only one random byte fault in the internal state. Moreover, its support for the release of unverified plaintext, which has been shown in the literature to expose decryption to DFA, makes decryption vulnerable to the same attack. Finally, since the key is uniquely recovered from a single fault, the attack reported here is an optimal DFA. To the best of our knowledge, this is the first differential fault analysis of any candidate in the NIST LWC competition.
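The "classical strategy" the abstract refers to is the Piret and Quisquater style fault attack on the last two rounds of an AES-like column. The following is an added illustration written for this page; it is not code from the SIV-Rijndael256 paper and it does not model Rijndael256 itself. It simulates the tail of one 4-byte column (MixColumns, AddRoundKey, SubBytes, AddRoundKey) of an AES-128-style cipher: a single byte fault injected before the last MixColumns spreads to all four bytes of the column with a difference of known shape, and every last-round key byte candidate k is tested against the relation Sinv(c ^ k) ^ Sinv(c' ^ k) = diff. ShiftRows is omitted because it only permutes byte positions; the column value, the two round-key columns and the fault sequence are constructed demo values, and the S-box is computed from its definition rather than tabulated.

```python
"""Single-byte differential fault attack on the last two rounds of one
AES-like column (Piret/Quisquater style). Added illustration, not the
SIV-Rijndael256 paper's code; all values below are constructed for the demo."""
from itertools import product


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _sbox_entry(x: int) -> int:
    """AES S-box: multiplicative inverse followed by the affine map."""
    inv = 0
    if x:
        inv = 1
        for _ in range(254):  # x^254 == x^-1 in GF(2^8)
            inv = gf_mul(inv, x)
    return inv ^ _rotl8(inv, 1) ^ _rotl8(inv, 2) ^ _rotl8(inv, 3) ^ _rotl8(inv, 4) ^ 0x63


SBOX = [_sbox_entry(x) for x in range(256)]
INV_SBOX = [0] * 256
for _x, _y in enumerate(SBOX):
    INV_SBOX[_y] = _x


def mix_column(col):
    """AES MixColumns on a single 4-byte column."""
    a0, a1, a2, a3 = col
    return (
        gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
        a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
        a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
        gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2),
    )


def last_rounds(col, k_pen, k_last, fault_row=None, fault_delta=0):
    """Simulated device: last two rounds of one column. Optionally XORs a
    byte fault into the MixColumns input, the classical DFA fault position.
    k_pen and k_last are the penultimate and last round-key columns."""
    x = list(col)
    if fault_row is not None:
        x[fault_row] ^= fault_delta
    m = mix_column(x)
    return tuple(SBOX[m[i] ^ k_pen[i]] ^ k_last[i] for i in range(4))


def key_candidates(c, c_faulty):
    """All last-round key columns consistent with one correct/faulty pair.
    A fault delta in row r before MixColumns gives the output difference
    mix_column(delta * e_r). The attacker knows neither r nor delta, so every
    (r, delta) is tried and the per-byte solutions k of
    INV_SBOX[c ^ k] ^ INV_SBOX[c' ^ k] == diff are combined."""
    # For each byte, index the 256 key guesses by the difference they imply.
    table = []
    for i in range(4):
        by_diff = {}
        for k in range(256):
            d = INV_SBOX[c[i] ^ k] ^ INV_SBOX[c_faulty[i] ^ k]
            by_diff.setdefault(d, []).append(k)
        table.append(by_diff)
    cands = set()
    for r in range(4):
        for delta in range(1, 256):
            e = [0, 0, 0, 0]
            e[r] = delta
            diff = mix_column(e)
            per_byte = [table[i].get(diff[i]) for i in range(4)]
            if all(per_byte):
                cands.update(product(*per_byte))
    return cands


def recover_last_key(col, k_pen, k_last, max_faults=20):
    """Inject faults with fresh (row, delta) values and intersect the candidate
    sets until a single key column survives. Returns (key_or_None, faults_used).
    The key columns are used only to simulate the faulted device."""
    correct = last_rounds(col, k_pen, k_last)
    survivors = None
    for n in range(1, max_faults + 1):
        # constructed fault sequence: rotate the row, use a new nonzero delta
        faulty = last_rounds(col, k_pen, k_last, fault_row=n % 4, fault_delta=(37 * n) & 0xFF)
        cands = key_candidates(correct, faulty)
        survivors = cands if survivors is None else survivors & cands
        if len(survivors) == 1:
            return next(iter(survivors)), n
    return None, max_faults


# Constructed demo values (not from the paper): one state column, two key columns.
COLUMN = (0x32, 0x88, 0x31, 0xE0)
K_PEN = (0xA0, 0xFA, 0xFE, 0x17)
K_LAST = (0xD0, 0x14, 0xF9, 0xA8)

if __name__ == "__main__":
    one_fault = key_candidates(last_rounds(COLUMN, K_PEN, K_LAST),
                               last_rounds(COLUMN, K_PEN, K_LAST, fault_row=2, fault_delta=0x5A))
    key, n = recover_last_key(COLUMN, K_PEN, K_LAST)
    print(f"{len(one_fault)} candidate key columns after one fault")
    print(f"recovered {key} after {n} faults; true key column {K_LAST}")
```

With one fault the true (row, delta) pair alone leaves at least 2 solutions per byte (k and k ^ c ^ c' both satisfy the relation), so a single fault never pins down a 4-byte key column in this generic setting; a second or third fault is needed. That is the gap the paper closes: the abstract's single-fault recovery of the whole key relies on the three-round differential properties of Rijndael256 and on the key schedule, which this illustration does not model. On a real cipher the attacker must also undo ShiftRows to know which ciphertext bytes belong to the faulted column.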
