Abstract

Fault attack is an efficient cryptanalysis method against cipher implementations and has attracted much attention in the recent public cryptographic literature. In this work we introduce a fault attack on the CAESAR candidate ACORN v2. Our attack is carried out under the assumption of random fault injection into an initial state of ACORN v2 and consists of two main steps: fault locating and equation solving. In the first step, we present a fundamental fault locating method, which uses a 99-bit output keystream to determine the location of the injected fault with probability 97.08%. Several improvements are then provided, which further increase the probability of fault locating to almost 1. For the system of equations retrieved in the first step, we give two solving methods in the second step: linearization and guess-and-determine. The time complexity of our attack is at most c·2^(179.19-1.76N), where N is the number of fault injections such that 31 ≤ N ≤ 88 and c is the time complexity of solving the linear equations. Our attack provides some insights into the diffusion ability of such compact stream ciphers.

Highlights

  • CAESAR [1] is a new competition calling for authenticated encryption schemes

  • The cipher consists of a simple binary feedback shift register (FSR, for short) of length 293 and aims to protect up to 2^64 bits of associated data (AD) and up to 2^64 bits of plaintext and to generate up to a 128-bit authentication tag by using a 128-bit secret key and a 128-bit initial value (IV)

  • In [14], Hoch and Shamir first introduced the fault attack on stream ciphers. They showed that a typical fault attack allows an attacker to inject faults by means of laser shots/clock glitches [15, 16] into a device initialized by a secret key and change one or more bits of its internal state


Summary

Introduction

CAESAR [1] is a new competition calling for authenticated encryption schemes. Its purpose is to find authenticated ciphers that offer advantages over AES-GCM and are suitable for widespread adoption. In [14], Hoch and Shamir first introduced the fault attack on stream ciphers. They showed that a typical fault attack allows an attacker to inject faults by means of laser shots/clock glitches [15, 16] into a device initialized by a secret key and change one or more bits of its internal state. Our attack is based on a general fault model where a fault is injected randomly into the initial state of ACORN v2, and our main idea rests on the observation that the first 99 keystream bits of ACORN v2 can be expressed as linear or quadratic functions of the initial state, which lets us retrieve enough linear equations to recover the initial state. After a fault is injected into the initial state randomly, we can locate it with probability 97.08% from the 99-bit differential string between the faulty and correct keystream bits.

Description of ACORN v2
Fault Attack on ACORN v2
Conclusion