Fault Attack on SKINNY Cipher

Abstract

SKINNY is a family of tweakable lightweight block ciphers, proposed in CRYPTO 2016. The proposal of SKINNY describes two block size variants of 64 and 128 bits as well as three options for tweakey. In this paper, we present fault attacks (FA) on all SKINNY variants. In the first part of the paper, we propose differential fault analysis (DFA) attacks on SKINNY variants keeping the tweak fixed. The attack model of tweakable block ciphers allows the access and full control of the tweak by the attacker. Respecting this attack model, we assume a fixed tweak for the attack window. With this assumption, extraction of the master key of SKINNY requires about 10 random nibble fault injections on average for 64-bit versions of the cipher, whereas the 128-bit versions require roughly 21 byte-fault-injections. In the later part of this work, we relax this assumption and perform fault attacks under known but randomly varying tweaks. It is found that pairs of bit faults at the input and output of the S-Boxes allow complete key recovery under random tweak. Moreover, explicit access to ciphertexts is not required in our attack, and key recovery is possible only by knowing if the ciphertext is correct or faulty. This property of the attack allows key recovery even at the presence of simple redundancy-based FA countermeasures. Both the DFA and paired fault-based attacks were validated through extensive simulation. To the best of authors’ knowledge, these are the first instances of FAs reported on SKINNY tweakable block cipher family.