Abstract

Grain-128AEAD is a lightweight authenticated encryption stream cipher and one of the finalists in the National Institute of Standards and Technology (NIST) Lightweight Cryptography (LWC) project. This paper provides an independent third-party analysis of Grain-128AEAD against fault attacks. We investigate the application of three differential fault attack models on Grain-128AEAD. All these attacks can recover the initial state of Grain-128AEAD. First, we demonstrate an attack using a bit-flipping fault that requires access to 2^7.80 faulty outputs to recover the initial state. Then, we demonstrate an attack with a more relaxed assumption of a random fault with a probabilistic approach. Our probabilistic random fault attack requires access to 2^11.60 faulty outputs and 2^10.45 fault injections to recover the initial state with a success rate over 99%. Both of the above two attacks are based on precise control on the fault target. Finally, we apply a random fault attack with a deterministic approach (can conclusively determine the random fault value) and using different precision controls. For the precise control, we use existing approaches that have been applied to other ciphers, such as Tiaoxin-346. We also propose a technique for less stringent precision models, such as moderate control and no control, which are more practical than the precise control. Our result indicates that the deterministic random fault attack with a precise control requires an average of 2^7.64 fault injections and a data complexity of 2^8.80. The deterministic random fault attack with moderate control requires a weak assumption on the fault injection and hence, is the best attack presented in this paper; and is expected to require about 2^9.39 fault injections with a data complexity of about 2^12.98. All the attacks discussed in this paper are verified experimentally.

Highlights

  • Lightweight Cryptography (LWC) aims to provide security and privacy for resource-constrained applications, e.g., embedded systems, Internet-of-Things (IoT) devices, radio frequency identification (RFID) systems, industrial controllers, sensor nodes, and smart cards

    The associate editor coordinating the review of this manuscript and approving it for publication was Wei Huang.

  • This paper aims to evaluate the application of fault attacks to Grain-128AEAD [2], a final-round authenticated encryption stream cipher candidate in the National Institute of Standards and Technology (NIST) LWC project

  • First we present an idea behind the deterministic random fault attack

Summary

INTRODUCTION

Lightweight Cryptography (LWC) aims to provide security and privacy for resource-constrained applications, e.g., embedded systems, Internet-of-Things (IoT) devices, radio frequency identification (RFID) systems, industrial controllers, sensor nodes, and smart cards. This paper aims to evaluate the application of fault attacks to Grain-128AEAD [2], a final-round authenticated encryption stream cipher candidate in the NIST LWC project. Successful side-channel attacks, e.g., statistical ineffective fault analysis [18], power analysis [19], side-channel assisted differential-plaintext attack [20], differential no-fault analysis [21], differential fault attacks [22], have been demonstrated against several other NIST LWC candidates, including Gimli, SUNDAE-GIFT, GIFT-COFB, ESTATE, HYENA, WAGE, SIV-Rijndael256, TRIAD. Recall that these lightweight AE algorithms, including Grain-128AEAD, are expected to be deployed in applications with embedded systems, Internet-of-Things (IoT) devices, radio frequency identification (RFID) systems, sensor nodes. We apply deterministic random fault attacks, where the adversary is not required to inject faults at specific target register(s).

VOLUME 9, 2021

FAULT ATTACKS
OVERVIEW OF GRAIN-128AEAD
GRAIN-128AEAD COMPONENT FUNCTIONS
INITIALIZATION
KEYSTREAM AND AUTHENTICATION BITS
BIT-FLIPPING FAULT ATTACK
13: Store Y in the equation list El
5: Initialize and generate the required fault free keystream zi
DETERMINISTIC RANDOM FAULT ATTACK
6: Inject a random fault e into Rt
Findings
CONCLUSION AND FUTURE WORKS