Abstract

There are several authenticated encryption modes built on the block cipher GIFT in the NIST lightweight cryptography standardisation process. In this study, the authors investigate fault attacks on this family of authenticated encryption modes and complete two main tasks. First, a fault attack on the nonce-based authenticated encryption mode LOTUS/LOCUS is presented. At Asiacrypt 2016, Dobraunig et al. showed the first fault attacks on several nonce-based authenticated encryption modes. Because LOTUS/LOCUS adopts a structure similar to XEX with secret nonce-dependent masks, their work does not apply to LOTUS/LOCUS. A new fault attack on LOTUS/LOCUS is launched under the assumption that two bits at a fixed location can be made to reset during the encryption process. In this attack, neither the plaintext nor the ciphertext of the underlying block cipher need be known. To recover the correct key, a few hundred faulty ciphertexts are needed when transient faults are injected, while a single faulty ciphertext suffices for a permanent fault. Second, a collision fault attack on GIFT is shown, in which 64 faulty ciphertexts suffice to recover the correct key. Based on this attack, the authenticated encryption modes ESTATE_TweGIFT-128, GIFT-COFB and SUNDAE-GIFT are analysed and their keys are efficiently recovered with chosen nonces.
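The following is an added toy illustration of the bit-reset collision principle that the abstract relies on; it is not code from the paper and does not reproduce the authors' LOTUS/LOCUS or GIFT attacks. It assumes a hypothetical 16-bit GIFT-like SPN, a transient fault that resets one chosen key bit during the first round-key addition only, and an XEX-style wrapper with a secret nonce-derived mask so that the attacker sees only the mode output, never the block cipher's own input or output. The point it shows is why such masks do not help against this class of fault: the attacker only tests whether the faulty output equals the correct one, and any injective post-processing preserves equality.

```python
"""Added example (not from the paper): bit-reset collision fault on a toy
GIFT-like cipher wrapped in an XEX-style mode with a secret mask."""

SBOX = [0x1, 0xA, 0x4, 0xC, 0x6, 0xF, 0x3, 0x9,
        0x2, 0xD, 0xB, 0x7, 0x5, 0x0, 0x8, 0xE]   # the GIFT 4-bit S-box
WIDTH = 16          # toy block/key size (assumption; GIFT-128 is 128-bit)
ROUNDS = 4          # toy round count (assumption)
MASK = (1 << WIDTH) - 1


def _sub(x: int) -> int:
    """Nibble-wise S-box layer."""
    y = 0
    for n in range(WIDTH // 4):
        y |= SBOX[(x >> (4 * n)) & 0xF] << (4 * n)
    return y


def _perm(x: int) -> int:
    """Bit permutation i -> 5*i mod 16 (a bijection since gcd(5,16)=1)."""
    y = 0
    for i in range(WIDTH):
        if (x >> i) & 1:
            y |= 1 << ((5 * i) % WIDTH)
    return y


def _round_keys(key: int) -> list:
    """Toy key schedule: round r uses the key rotated right by r bits."""
    return [((key >> r) | (key << (WIDTH - r))) & MASK for r in range(ROUNDS)]


def toy_encrypt(key: int, block: int, key_fault=None) -> int:
    """Toy SPN. key_fault=(round, bitmask) resets those round-key bits to 0
    in that round only (a transient stuck-at-0 fault on the key register)."""
    state = block & MASK
    for r, rk in enumerate(_round_keys(key)):
        if key_fault is not None and key_fault[0] == r:
            rk &= ~key_fault[1] & MASK
        state = _perm(_sub(state ^ rk))
    return state


def bit_reset_attack(mode_encrypt, mode_encrypt_faulty, nonce: int, msg: int) -> int:
    """Recover the key from one correct output and WIDTH faulty outputs.

    Resetting key bit i in round 0 leaves the output unchanged exactly when
    the bit was already 0; if it was 1 the round-0 state differs in bit i and
    every later operation is a bijection, so the outputs must differ.
    Only equality of mode outputs is tested, so the secret mask is irrelevant.
    """
    correct = mode_encrypt(nonce, msg)
    key = 0
    for i in range(WIDTH):
        if mode_encrypt_faulty(nonce, msg, 1 << i) != correct:
            key |= 1 << i
    return key


def recover_key_from_toy_mode(key: int, nonce: int, msg: int) -> int:
    """Build the oracles an attacker would have against an XEX-style mode
    (C = E(M ^ d) ^ d with secret mask d = E(nonce)) and run the attack."""
    def mask(n):
        return toy_encrypt(key, n)          # mask block is computed fault-free

    def enc(n, m):
        d = mask(n)
        return toy_encrypt(key, m ^ d) ^ d

    def enc_faulty(n, m, fault_bits):        # fault hits the message block only
        d = mask(n)
        return toy_encrypt(key, m ^ d, key_fault=(0, fault_bits)) ^ d

    return bit_reset_attack(enc, enc_faulty, nonce, msg)


if __name__ == "__main__":
    secret = 0xBEEF                           # constructed sample key
    print(hex(recover_key_from_toy_mode(secret, nonce=0x1234, msg=0x5A5A)))
```

The single-bit resets used here need one fault per key bit; the paper's setting resets two bits at once, where an unchanged output only proves both bits were 0, which is one reason its attacks need more faulty ciphertexts than this toy.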
