TY - GEN
T1 - SoK
T2 - 2019 ACM Asia Conference on Computer and Communications Security, AsiaCCS 2019
AU - Khairallah, Mustafa
AU - Hou, Xiaolu
AU - Najm, Zakaria
AU - Breier, Jakub
AU - Bhasin, Shivam
AU - Peyrin, Thomas
PY - 2019
Y1 - 2019
N2 - Recently, the NIST launched a competition for lightweight cryptography and a large number of ciphers are expected to be studied and analyzed under this competition. Apart from the classical security, the candidates are desired to be analyzed against physical attacks. Differential Fault Analysis (DFA) is an invasive physical attack method for recovering key information from cipher implementations. Up to date, almost all the block ciphers have been shown to be vulnerable against DFA, while following similar attack patterns. However, so far researchers mostly focused on particular ciphers rather than cipher families, resulting in works that reuse the same idea for different ciphers. In this article, we aim at bridging this gap, by providing a generic DFA attack method targeting Substitution-Permutation Network (SPN) based families of symmetric block ciphers. We provide the overview of the state-of-the-art of the fault attacks on SPNs, followed by generalized conditions that hold on all the ciphers of this design family. We show that for any SPN, as long as the fault mask injected before a non-linear layer in the last round follows a non-uniform distribution, the key search space can always be reduced. This shows that it is not possible to design an SPN-based cipher that is completely secure against DFA, without randomization. Furthermore, we propose a novel approach to find good fault masks that can leak the key with a small number of instances. We then developed a tool, called Joint Difference Distribution Table (JDDT) for pre-computing the solutions for the fault equations, which allows us to recover the last round key with a very small number of pairs of faulty and non-faulty ciphertexts. We evaluate our methodology on various block ciphers, including PRESENT-80, PRESENT-128, GIFT-64, GIFT-128, AES-128, LED-64, LED-128, SKINNY-64-64, SKINNY-128-128, PRIDE and PRINCE. The developed technique would allow automated DFA analysis of several candidates in the NIST competition.
AB - Recently, the NIST launched a competition for lightweight cryptography and a large number of ciphers are expected to be studied and analyzed under this competition. Apart from the classical security, the candidates are desired to be analyzed against physical attacks. Differential Fault Analysis (DFA) is an invasive physical attack method for recovering key information from cipher implementations. Up to date, almost all the block ciphers have been shown to be vulnerable against DFA, while following similar attack patterns. However, so far researchers mostly focused on particular ciphers rather than cipher families, resulting in works that reuse the same idea for different ciphers. In this article, we aim at bridging this gap, by providing a generic DFA attack method targeting Substitution-Permutation Network (SPN) based families of symmetric block ciphers. We provide the overview of the state-of-the-art of the fault attacks on SPNs, followed by generalized conditions that hold on all the ciphers of this design family. We show that for any SPN, as long as the fault mask injected before a non-linear layer in the last round follows a non-uniform distribution, the key search space can always be reduced. This shows that it is not possible to design an SPN-based cipher that is completely secure against DFA, without randomization. Furthermore, we propose a novel approach to find good fault masks that can leak the key with a small number of instances. We then developed a tool, called Joint Difference Distribution Table (JDDT) for pre-computing the solutions for the fault equations, which allows us to recover the last round key with a very small number of pairs of faulty and non-faulty ciphertexts. We evaluate our methodology on various block ciphers, including PRESENT-80, PRESENT-128, GIFT-64, GIFT-128, AES-128, LED-64, LED-128, SKINNY-64-64, SKINNY-128-128, PRIDE and PRINCE. The developed technique would allow automated DFA analysis of several candidates in the NIST competition.
KW - differential fault analysis
KW - Fault attack
KW - Substitution-permutation network
UR - http://www.scopus.com/inward/record.url?scp=85069952132&partnerID=8YFLogxK
U2 - 10.1145/3321705.3329810
DO - 10.1145/3321705.3329810
M3 - Conference contribution
T3 - AsiaCCS 2019 - Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security
SP - 403
EP - 414
BT - AsiaCCS 2019 - Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security
PB - Association for Computing Machinery (ACM)
CY - New York
Y2 - 9 July 2019 through 12 July 2019
ER -