Differential Fault Attack on Grain v1, ACORN v3 and Lizard

Differential Fault Attack (DFA) is presently a very well known technique to evaluate security of a stream cipher. This considers that the stream cipher can be weakened by injection of the fault. In this paper we study DFA on three ciphers, namely Grain v1, Lizard and ACORN v3. We show that Grain v1 (an eStream cipher) can be attacked with injection of only 5 faults instead of 10 that has been reported in 2012. For the first time, we have mounted the fault attack on Lizard, a very recent design and show that one requires only 5 faults to obtain the state. ACORN v3 is a third round candidate of CAESAR and there is only one hard fault attack on an earlier version of this cipher. However, the `hard fault\u27 model requires a lot more assumption than the generic DFA. In this paper, we mount a DFA on ACORN v3 that requires 9 faults to obtain the state. In case of Grain v1 and ACORN v3, we can obtain the secret key once the state is known. However, that is not immediate in case of Lizard. While we have used the basic framework of DFA that appears in literature quite frequently, specific tweaks have to be explored to mount the actual attacks that were not used earlier. To the best of our knowledge, these are the best known DFA on these three ciphers

Fault Attack on the Authenticated Cipher ACORN v2

Fault attack is an efficient cryptanalysis method against cipher implementations and has attracted a lot of attention in recent public cryptographic literatures. In this work we introduce a fault attack on the CAESAR candidate ACORN v2. Our attack is done under the assumption of random fault injection into an initial state of ACORN v2 and contains two main steps: fault locating and equation solving. At the first step, we first present a fundamental fault locating method, which uses 99-bit output keystream to determine the fault injected location with probability 97.08%. And then several improvements are provided, which can further increase the probability of fault locating to almost 1. As for the system of equations retrieved at the first step, we give two solving methods at the second step, that is, linearization and guess-and-determine. The time complexity of our attack is not larger than c·2179.19-1.76N at worst, where N is the number of fault injections such that 31≤N≤88 and c is the time complexity of solving linear equations. Our attack provides some insights into the diffusion ability of such compact stream ciphers

Fault Attack on ACORN v3

Fault attack is one of the most efficient side channel attacks and has attracted much attention in recent public cryptographic literatures. In this work we introduce a fault attack on the authenticated cipher ACORN v3. Our attack is done under the assumption that a fault is injected into an initial state of ACORN v3 randomly, and contains two main steps: fault locating and equation solving. At the first step, we introduce concepts of unique set and non-unique set, where differential strings belonging to unique sets can determine the fault location uniquely. For strings belonging to non-unique sets, we use some strategies to increase the probability of determining the fault location uniquely to almost 1. At the second step, we demonstrate several ways of retrieving equations, and then obtain the initial state by solving equations with the guess-and-determine method. With $n$ fault experiments, we can recover the initial state with time complexity $c \cdot2^{146.5-3.52\cdot n}$, where $c$ is the time complexity of solving linear equations and $26<n<43$. We also apply the attack to ACORN v2, which shows that, comparing with ACORN v2, the tweaked version ACORN v3 is more vulnerable against the fault attack

Analyse et Conception d'Algorithmes de Chiffrement Légers

The work presented in this thesis has been completed as part of the FUI Paclido project, whose aim is to provide new security protocols and algorithms for the Internet of Things, and more specifically wireless sensor networks. As a result, this thesis investigates so-called lightweight authenticated encryption algorithms, which are designed to fit into the limited resources of constrained environments. The first main contribution focuses on the design of a lightweight cipher called Lilliput-AE, which is based on the extended generalized Feistel network (EGFN) structure and was submitted to the Lightweight Cryptography (LWC) standardization project initiated by NIST (National Institute of Standards and Technology). Another part of the work concerns theoretical attacks against existing solutions, including some candidates of the nist lwc standardization process. Therefore, some specific analyses of the Skinny and Spook algorithms are presented, along with a more general study of boomerang attacks against ciphers following a Feistel construction.Les travaux présentés dans cette thèse s’inscrivent dans le cadre du projet FUI Paclido, qui a pour but de définir de nouveaux protocoles et algorithmes de sécurité pour l’Internet des Objets, et plus particulièrement les réseaux de capteurs sans fil. Cette thèse s’intéresse donc aux algorithmes de chiffrements authentifiés dits à bas coût ou également, légers, pouvant être implémentés sur des systèmes très limités en ressources. Une première partie des contributions porte sur la conception de l’algorithme léger Lilliput-AE, basé sur un schéma de Feistel généralisé étendu (EGFN) et soumis au projet de standardisation international Lightweight Cryptography (LWC) organisé par le NIST (National Institute of Standards and Technology). Une autre partie des travaux se concentre sur des attaques théoriques menées contre des solutions déjà existantes, notamment un certain nombre de candidats à la compétition LWC du NIST. Elle présente donc des analyses spécifiques des algorithmes Skinny et Spook ainsi qu’une étude plus générale des attaques de type boomerang contre les schémas de Feistel

Fault Location Identification By Machine Learning

As the fault based analysis techniques are becoming more and more powerful, there is a need to streamline the existing tools for better accuracy and ease of use. In this regard, we propose a machine learning assisted tool that can be used in the context of a differential fault analysis. In particular, finding the exact fault location by analyzing the XORed output of a stream cipher/ stream cipher based design is somewhat non-trivial. Traditionally, Pearson\u27s correlation coefficient is used for this purpose. We show that a machine learning method is more powerful than the existing correlation coefficient, aside from being simpler to implement. As a proof of concept, we take two variants of Grain-128a (namely a stream cipher, and a stream cipher with authentication), and demonstrate that machine learning can outperform correlation with the same training/testing data. Our analysis shows that the machine learning can be considered as a replacement for the correlation in the future research works

Some results on ACORN

In this paper we obtain a weakness in the design specification of ACORN, which is a competitor of CAESAR competition. We show that there exists a probabilistic linear relation between message bits and ciphertext bits, which holds with probability greater than $\frac{1}{2}$. This is the first paper which finds a probabilistic linear relation between message and corresponding ciphertext bits of ACRON, and which holds with probability greater than $\frac{1}{2}$. We also propose a new type of CPA attack on ACORN. By our attack method, it is possible to recover full initial state of the encryption phase of the cipher, and the attack has complexity $\approx 2^{40}$. After obtaining the initial state of the encryption phase, one can invert the associated data loading phase and key-IV initialization phase to recover the secret key bits

A Covert Encryption Method for Applications in Electronic Data Interchange

A principal weakness of all encryption systems is that the output data can be ‘seen’ to be encrypted. In other words, encrypted data provides a ‘flag’ on the potential value of the information that has been encrypted. In this paper, we provide a new approach to ‘hiding’ encrypted data in a digital image. In conventional (symmetric) encryption, the plaintext is usually represented as a binary stream and encrypted using an XOR type operation with a binary cipher. The algorithm used is ideally designed to: (i) generate a maximum entropy cipher so that there is no bias with regard to any bit; (ii) maximize diffusion in terms of key dependency so that a change in any bit of the key can effect any, and potentially all, bits of the cipher. In the work reported here, we consider an approach in which a binary or low-bit plaintext image is encrypted with a decimal integer or floating point cipher using a convolution operation and the output quantized into a 1-bit array generating a binary image ciphertext. This output is then ‘embedded’ in a host image to hide the encrypted information. Embedding is undertaken either in the lowest 1-bit layer or multiple 1-bit layers. Decryption is accomplished by: (i) extracting the binary image from the host image; (ii) correlating the result with the original cipher. In principle, any cipher generator can be used for this purpose and the method has been designed to operate with 24-bit colour images. The approach has a variety of applications and, in this paper, we focus on the authentication and self-authentication of e-documents (letters and certificates, for example) that are communicated over the Internet and are thereby vulnerable to attack (e.g. modification, editing, counterfeiting etc.). In addition to document authentication, the approach considered provides a way of propagating disinformation and a solution to scenarios that require ‘plausible deniability’

Differential Fault Attack on Rasta and FiLIP-DSM

In this paper we propose Differential Fault Attack (DFA) on two Fully Homomorphic Encryption (FHE) friendly stream ciphers Rasta and . Design criteria of Rasta rely on affine layers and nonlinear layers, whereas relies on permutations and a nonlinear fil- ter function. Here we show that the secret key of these two ciphers can be recovered by injecting only 1 bit fault in the initial state. Our DFA on full round (# rounds = 6) Rasta with 219 block size requires only one block (i.e., 219 bits) of normal and faulty keystream bits. In the case of our DFA on FiLIP-430 (one instance of ), we need 30000 normal and faulty keystream bits

Design and Cryptanalysis of Lightweight Symmetric Key Primitives

The need for lightweight cryptographic primitives to replace the traditional standardized primitives such as AES, SHA-2 and SHA-3, which are unrealistic in constrained environments, has been anticipated by the cryptographic community for over a decade and half. Such an anticipation came to reality by the apparent proliferation of Radio Frequency Identifiers (RFIDs), Internet of Things (IoT), smart devices and sensor networks in our daily lives. All these devices operate in constrained environments and require reasonable efficiency with low implementation costs and sufficient security. Accordingly, designing lightweight symmetric key cryptographic primitives and analyzing the state-of-the-art algorithms is an active area of research for both academia and industry, which is directly followed by the ongoing National Institute of Standards and Technology’s lightweight cryptography (NIST LWC) standardization project. In this thesis, we focus on the design and security analysis of such primitives. First, we present the design of four lightweight cryptographic permutations, namely sLiSCP, sLiSCP-light, ACE and WAGE. At a high level, these permutations adopt a Nonlinear Feedback Shift Register (NLFSR) based design paradigm. sLiSCP, sLiSCP-light and ACE use reduced-round Simeck block cipher, while WAGE employs Welch-Gong (WG) permutation and two 7-bit sboxes over the finite field $F_{2^7}$ as their underlying nonlinear components. We discuss their design rationale and analyze the security with respect to differential and linear, integral and symmetry based distinguishers using automated tools such as Mixed Integer Linear Programming (MILP) and SAT/SMT solvers. Second, we show the applications of these permutations to achieve Authenticated Encryption with Associated Data (AEAD), Message Authentication Code (MAC), Pseudorandom Bit Generator (PRBG) and Hash functionalities. We introduce the idea of the unified round function, which, when combined in a sponge mode can provide all the aforementioned functionalities with the same circuitry. We give concrete instantiations of several AEAD and hash schemes with varying security levels, e.g., 80, 96, 112 and 128 bits. Next, we present Spoc, a new AEAD mode of operation which offers higher security guarantees compared to traditional sponge-based AEAD schemes with smaller states. We instantiate Spoc with sLiSCP-light permutation and propose another two lightweight AEAD algorithms. Notably, 4 of our proposed schemes, namely ACE, Spix, Spoc and WAGE are round 2 candidates of NIST’s LWC project. Finally, we present cryptanalytic results on some lightweight ciphers. We first analyze the nonlinear initialization phase of WG-5 stream cipher using the division property based cube attack, and give a key recovery attack on 24 (out of 64) rounds with data and time complexities $2^{6.32}$ and $2^{76:81}$, respectively. Next, we propose a novel property of block ciphers called correlated sequences and show its applications to meet-in-the-middle attack. Consequently, we give the best key recovery attacks (up to 27 out of 32 rounds in a single key setting) on Simon and Simeck ciphers with block and key sizes 32 and 64 bits, respectively. The attack requires 3 known plaintext-ciphertext pairs and has a time complexity close to average exhaustive search. It is worth noting that variants of WG-5 and Simeck are the core components of aforementioned AEAD and hash schemes. Lastly, we present practical forgery attacks on Limdolen and HERN which are round 1 candidates of NIST LWC project. We show the existence of structural weaknesses which could be exploited to forge any message with success probability of 1. For Limdolen, we require the output of a single encryption query while for HERN we need at most 4 encryption queries for a valid forgery. Following our attack, both designs are eliminated from second round