99 research outputs found

    EnCounter: On Breaking the Nonce Barrier in Differential Fault Analysis with a Case-Study on PAEQ

    This work exploits internal differentials within a cipher in the context of Differential Fault Analysis (DFA). This in turn overcomes the nonce barrier, which acts as a natural countermeasure against DFA. We introduce the concept of internal differential fault analysis, which requires only one faulty ciphertext. In particular, the analysis is applicable to parallelizable ciphers that use the counter mode. As a proof of concept we develop an internal differential fault attack called EnCounter on PAEQ, an AES-based parallelizable authenticated cipher presently in the second round of the ongoing CAESAR competition. The attack is able to uniquely retrieve the key of three versions of full-round PAEQ with key sizes of 64, 80 and 128 bits with complexities of about 2^{16}, 2^{16} and 2^{50} respectively. Finally, this work addresses in detail the instance of fault analysis with varying amounts of partial state information and also presents the first analysis of PAEQ

    A Diagonal Fault Attack on the Advanced Encryption Standard

    The present paper develops an attack on the AES algorithm, exploiting multiple byte faults in the state matrix. The work shows that inducing a random fault anywhere in one of the four diagonals of the state matrix at the input of the eighth round of the cipher leads to the deduction of the entire AES key. We also propose a more generalized fault attack which works if the fault induction does not stay confined to one diagonal. To the best of our knowledge, we present for the first time actual chip results for a fault attack on an iterative AES hardware running on a Xilinx FPGA platform. We show that when the fault stays within a diagonal, the AES key can be deduced with a brute force complexity of approximately 2^{32}, which was successfully performed in about 400 seconds on an Intel Xeon Server with 8 cores. We show further that even if the fault induction corrupts two or three diagonals, 2 and 4 faulty ciphertexts are necessary to uniquely identify the correct key

    To Infect Or Not To Infect: A Critical Analysis Of Infective Countermeasures In Fault Attacks

    As fault-based cryptanalysis is becoming more and more of a practical threat, it is imperative to make efforts to devise suitable countermeasures. In this regard, the so-called "infective countermeasures" have garnered particular attention from the community due to their ability to inhibit differential fault attacks without explicitly detecting the fault. We observe that despite being adopted over a decade ago, a systematic study of infective countermeasures is missing from the literature. Moreover, there seems to be a lack of proper security analysis of the schemes proposed, as quite a few of them have been broken promptly. Our first contribution comes in the form of a generalization of infective schemes which aids us with a better insight into the vulnerabilities, scope for cost reduction and possible improvements. This way, we are able to propose lightweight alternatives to two existing schemes. Further we analyze shortcomings of the LatinCrypt'12 and CHES'14 schemes and propose a simple patch for the former

    TIDAL: Practical Collisions on State-Reduced Keccak Variants

    An important tool that has contributed to collision search on Keccak/SHA3 is the Target Difference Algorithm (TDA) and its internal differential counterpart, the Target Internal Difference Algorithm (TIDA), which were introduced by Dinur et al. in separate works in FSE 2012 and 2013 respectively. These algorithms provide an ingenious way of extending the differential trails by one round and exploiting the affine subspaces generated due to the low algebraic degree of the Keccak S-box. The current work introduces TIDAL, which can extend TIDA by one more round capitalizing on linearization techniques introduced by Guo et al. in JoC. This approach requires increment consistency checks, which are also improved in this work. The TIDAL strategy, in conjunction with a deterministic internal differential trail, has been applied to Keccak variants up to 400-bit state size and leads to practical collision attacks for most of them up to 5 rounds. In particular, collisions have been confirmed for 4-round Keccak[136, 64] with a complexity of 2^{20} and on 6-round Keccak[84,16] with a complexity of 2^{5}. Further, this work completely characterizes all collision attacks on state-reduced variants, showcasing that TIDAL covers most of the space up to 5 rounds. As state- and round-reduced Keccak variants are used to realize the internal states of many crypto primitives, the results presented here generate a significant impact. Finally, it shows new directions for the long-standing problem of state-reduced variants being difficult to attack

    DEEPAND: In-Depth Modeling of Correlated AND Gates for NLFSR-based Lightweight Block Ciphers

    Automated cryptanalysis has taken center stage in the arena of cryptanalysis since the pioneering work by Mouha et al., which showcased the power of Mixed Integer Linear Programming (MILP) in solving cryptanalysis problems that otherwise required significant effort. Since its inception, research in this area has moved in primarily two directions. One is to model more and more classical cryptanalysis tools as optimization problems to leverage the ease provided by state-of-the-art solvers. The other direction is to improve existing models to make them more efficient and/or accurate. The current work is an attempt to contribute to the latter. In this work, a general model referred to as DEEPAND has been devised to capture the correlation between AND gates in NLFSR-based lightweight block ciphers. DEEPAND builds upon and generalizes the idea of joint propagation of differences through AND gates captured using refined MILP modeling of TinyJAMBU by Saha et al. in FSE 2020. The proposed model has been applied to TinyJAMBU and KATAN and can detect correlations that were missed by earlier models. This leads to more accurate differential bounds for both ciphers. In particular, a 384-round (full-round as per the earlier specification) Type-IV trail is found for TinyJAMBU with 14 active AND gates using the new model, while the refined model reported this figure to be 19. This also reaffirms the decision of the designers to increase the number of rounds from 384 to 640. Moreover, the model succeeds in finding a full-round Type-IV trail of the TinyJAMBU keyed permutation \mathcal{P}_{1024} with probability 2^{-108} (\gg 2^{-128}). This reveals the non-random properties of \mathcal{P}_{1024}, thereby showing it to be non-ideal. Hence it cannot be expected to provide the same security levels as robust block ciphers. Further, the provable security of the TinyJAMBU AEAD scheme should be carefully revisited.
    Similarly, for KATAN 32, DEEPAND modeling improves the 42-round trail with 2^{-11} probability to 2^{-7}. Also, for KATAN 48 and KATAN 64, this model respectively improves the designers' claimed 43-round and 37-round trail probabilities. Moreover, in the related-key setting, the DEEPAND model can make a better 140-round boomerang distinguisher (for both the data and time complexity) compared to the previous boomerang attack by Isobe et al. in ACISP 2013. In summary, DEEPAND seems to capture the underlying correlation better when multiple AND gates are at play and can be adapted to other classes of ciphers as well
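    The correlation the abstract refers to arises because, in a shift-register cipher, the same register bit enters the feedback AND gate at several clock ticks, so two AND gates in a trail frequently share an input. A per-gate model multiplies the probabilities of each gate's transition as if they were independent; the true joint probability can be larger (a cheaper trail than the bound suggests) or zero (an incompatible trail). The following is an added illustration of that effect, not the DEEPAND model or the paper's code: it evaluates two AND gates with a shared input exhaustively and compares the true joint weight with the independent estimate.

```python
"""Correlated AND gates and differential weights (added illustration)."""
from itertools import product
from math import inf, log2


def and_transition_prob(da, db, dy):
    """P[output difference of y = a & b equals dy] for input differences
    (da, db), taken over all four values of (a, b)."""
    hits = sum(1 for a, b in product((0, 1), repeat=2)
               if ((a & b) ^ ((a ^ da) & (b ^ db))) == dy)
    return hits / 4


def shared_joint_prob(d1, d2, db, dy1, dy2):
    """True joint probability for y1 = a1 & b and y2 = a2 & b (shared input b)
    with input differences d1, d2, db, over all eight values of (a1, a2, b)."""
    hits = 0
    for a1, a2, b in product((0, 1), repeat=3):
        out1 = (a1 & b) ^ ((a1 ^ d1) & (b ^ db))
        out2 = (a2 & b) ^ ((a2 ^ d2) & (b ^ db))
        hits += (out1, out2) == (dy1, dy2)
    return hits / 8


def independent_estimate(d1, d2, db, dy1, dy2):
    """What a per-gate model predicts: the product of the two gate probabilities."""
    return and_transition_prob(d1, db, dy1) * and_transition_prob(d2, db, dy2)


def weight(p):
    """Differential weight -log2(p); inf marks an impossible transition."""
    return inf if p == 0 else -log2(p)


def transition_table(d1, d2, db):
    """For every output-difference pair: (true weight, independent-model weight)."""
    return {(dy1, dy2): (weight(shared_joint_prob(d1, d2, db, dy1, dy2)),
                         weight(independent_estimate(d1, d2, db, dy1, dy2)))
            for dy1, dy2 in product((0, 1), repeat=2)}


if __name__ == "__main__":
    # Constructed case: both gates see a difference on their private input,
    # none on the shared one. Each output difference then equals b itself,
    # so the two outputs always agree.
    for dys, (true_w, indep_w) in transition_table(1, 1, 0).items():
        print(f"output differences {dys}: true weight {true_w}, "
              f"independent model {indep_w}")
```

    With differences (1, 1, 0) the independent model charges weight 2 for every output pair, whereas the true weight is 1 for (0, 0) and (1, 1) and infinite for the mixed pairs: the model both overestimates the cost of the feasible trail and admits two trails that cannot occur. Active AND gate counts in a bound are only meaningful once such shared-input dependencies are modeled jointly.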

    SASTA: Ambushing Hybrid Homomorphic Encryption Schemes with a Single Fault

    The rising tide of data breaches targeting large data storage centres and servers has raised serious privacy and security concerns. Homomorphic Encryption schemes offer an effective defence against such attacks, but their adoption is hindered by substantial computational and communication overhead, both on the server and client sides. This challenge led to the development of Hybrid Homomorphic Encryption (HHE) schemes to reduce the cost of client-side computation and communication. Despite the existence of a multitude of HHE schemes in the literature, their security analysis is still in its infancy, especially in the context of physical attacks like Differential Fault Analysis (DFA). This work aims to address this critical gap for HHE schemes defined over prime fields (F_p-HHE) by introducing, implementing and validating SASTA, the first DFA on F_p-HHE and the first nonce-respecting FA over any HHE scheme. In this pursuit, we introduce a new nonce-respecting fault model (all current fault attacks on HHE schemes require a nonce reuse), which leads to a unique attack that completely exploits both the asymmetric and symmetric facets of HHE. We target F_p-HHE schemes as they offer support for integer or real arithmetic, enabling more versatile applications, like machine learning, and better performance. The fault model benefits from what we call the mirror effect, which allows the attack to work both on the client and the server. Our analysis reveals a significant vulnerability: a single fault within the Keccak permutation, employed as an extendable output function, results in complete key recovery for the Pasta HHE scheme. Moreover, this vulnerability extends to other HHE schemes, including Rasta, Masta, and Hera, amplifying the scope and impact of SASTA. For experimental validation, we mount an actual fault attack using a ChipWhisperer-Lite board on the Keccak permutation.
    Following this, we also discuss the conventional countermeasures to defend against SASTA. Overall, SASTA constitutes the first nonce-respecting FA of HHE that offers new insights into how server-side or client-side computations can be manipulated for F_p-HHE schemes to recover the entire key with just a single fault. This work reaffirms the orthogonality of convenience and attack vulnerability and should contribute to the landscape of future HHE schemes

    BIOEQUIVALENCE STUDY OF AZELNIDIPINE 16 MG TABLET TO EVALUATE PHARMACOKINETIC PROFILE OF SINGLE DOSE IN HEALTHY, ADULT, HUMAN VOLUNTEERS UNDER FASTING CONDITION

    Objective: The present study's objective is to conduct a comparative bioavailability study with a special emphasis on the test product's bioequivalence using a standard reference product as a comparator. Methods: Before initiating the bioequivalence study, the plasma sample analysis method was developed and validated using an LC-MS/MS method. The entire study was conducted as a single-dose, crossover, randomized, open-label, two-treatment, two-period, two-sequence bioequivalence study on 24 healthy volunteers under fasting conditions. With a proper informed consent process, the oral dose of the Reference product (R) or Test product (T) was administered to healthy volunteers at 0 h during each period of the study. After the drug's oral administration, a fixed quantity of blood was sampled, and the plasma was separated using a cold centrifuge. The plasma samples were analysed using the validated LC-MS/MS method. The pharmacokinetic parameters, statistical data and ANOVA of the test and reference product were evaluated. Results: The Cmax, AUC0-t, AUC0-∞ and tmax of the test product were found to be 6.29 ng/ml, 117.0 ng·h/ml, 161.67 ng·h/ml and 3.33 h respectively. The Cmax, AUC0-t, AUC0-∞ and tmax of the reference product were found to be 6.59 ng/ml, 123.21 ng·h/ml, 172.20 ng·h/ml and 3.38 h respectively. Relative bioavailability was found to be 94.96%. The overall results show that the 90% confidence intervals (log-transformed and untransformed) for Cmax, AUC0-t and AUC0-∞ for Azelnidipine were within the acceptable limit of 80%-125%. Conclusion: The test product was found to be bioequivalent to the reference product used as the comparator

    Simple Vs Vectorial: Exploiting Structural Symmetry to Beat the ZeroSum Distinguisher Applications to SHA3, Xoodyak and Bash

    Higher order differential properties constitute a very insightful tool at the hands of a cryptanalyst, allowing for probing a cryptographic primitive from an algebraic perspective. In FSE 2017, Saha et al. reported SymSum (referred to as SymSum_Vec in this paper), a new distinguisher based on higher order vectorial Boolean derivatives of SHA-3, constituting one of the best distinguishers on the latest cryptographic hash standard. SymSum_Vec exploits the difference in the algebraic degree of highest degree monomials in the algebraic normal form of SHA-3 with regards to their dependence on round constants. Later, in Africacrypt 2020, Suryawanshi et al. extended SymSum_Vec using linearization techniques and in SSS 2023 also applied it to the NIST-LWC finalist Xoodyak. However, a major limitation of SymSum_Vec is the maximum attainable derivative (MAD), which is less than half of that of the widely studied ZeroSum distinguisher. This is attributed to SymSum_Vec being dependent on m-fold vectorial derivatives while ZeroSum relies on m-fold simple derivatives. In this work we overcome this limitation of SymSum_Vec by developing and validating the theory of computing SymSum_Vec with simple derivatives. This gives us a close to 100% improvement in the MAD that can be computed. The new distinguisher reported in this work can also be combined with one/two-round linearization to penetrate more rounds. Moreover, we identify an issue with the two-round linearization claim made by Suryawanshi et al. which renders it invalid, and also furnish an algebraic fix at the cost of some additional constraints. Combining all results we report SymSum_Sim, a new variant of the SymSum_Vec distinguisher based on m-fold simple derivatives that outperforms ZeroSum by a factor of 2^{257} and 2^{129} for 10-round SHA-3-384 and 9-round SHA-3-512 respectively while enjoying the same MAD as ZeroSum. For every other SHA-3 variant, SymSum_Sim maintains an advantage of a factor of 2.
    Combined with one/two-round linearization, SymSum_Sim improves upon all existing ZeroSum and SymSum_Vec distinguishers on both SHA-3 and Xoodyak. As regards Keccak-p, the internal permutation of SHA-3, we report the best 15-round distinguisher with a complexity of 2^{256} and the first better-than-birthday-bound 16-round distinguisher with a complexity of 2^{512} (improving upon the 15/16-round results by Guo et al. in Asiacrypt 2016). We also devise the best full-round distinguisher on the Xoodoo internal permutation of Xoodyak with a practically verifiable complexity of 2^{32} and furnish the first third-party distinguishers on the Belarusian hash function Bash. All distinguishers furnished in this work have been verified through implementations whenever practically viable. Overall, with the MAD barrier broken, SymSum_Sim emerges as a better distinguisher than ZeroSum on all fronts and adds to the state of the art of cryptanalytic tools investigating non-randomness of crypto primitives

    Switching the Top Slice of the Sandwich with Extra Filling Yields a Stronger Boomerang for NLFSR-based Block Ciphers

    The Boomerang attack was one of the first attempts to visualize a cipher (E) as a composition of two sub-ciphers (E_0 \circ E_1) to devise and exploit two high-probability (say p, q) shorter trails instead of relying on a single low-probability (say s) longer trail for differential cryptanalysis. The attack generally works whenever p^2 \cdot q^2 > s. However, it was later succeeded by the so-called "sandwich attack", which essentially splits the cipher in three parts E'_0 \circ E_m \circ E'_1, adding an additional middle layer (E_m) with a distinguishing probability of p^2 \cdot r \cdot q^2. It is primarily the generalization of a body of research in this direction that investigates what is referred to as the switching activity and captures the dependencies and potential incompatibilities of the layers that the middle layer separates. This work revisits the philosophy of the sandwich attack over multiple rounds for NLFSR-based block ciphers and introduces a new method to find high-probability boomerang distinguishers. The approach formalizes boomerang attacks using only ladder and AND switches. The cipher is treated as E = E_m \circ E_1, a specialized form of a sandwich attack which we call the "open-sandwich attack". The distinguishing probability for this attack configuration is r \cdot q^2. Using this approach, the study successfully identifies a deterministic boomerang distinguisher for the keyed permutation of the TinyJambu cipher over 320 rounds. Additionally, a 640-round boomerang with a probability of 2^{-22} is presented with a 95% success rate. In the related-key setting, we unveil full-round boomerangs with probabilities of 2^{-19}, 2^{-18}, and 2^{-12} for all three variants, demonstrating a 99% success rate.
    Similarly, for Katan-32, a more effective related-key boomerang spanning 140 rounds with a probability of 2^{-15} is uncovered with a 70% success rate. Further, in the single-key setting, an 84-round boomerang with probability 2^{-30} is found with a success rate of 60%. This research deepens the understanding of boomerang attacks, enhancing the toolkit for cryptanalysts to develop efficient and impactful attacks on NLFSR-based block ciphers

    Divide and Rule: DiFA - Division Property Based Fault Attacks on PRESENT and GIFT

    The division property introduced by Todo in Crypto 2015 is one of the most versatile tools in the arsenal of a cryptanalyst, which has given new insights into many ciphers primarily from an algebraic perspective. On the other end of the spectrum we have fault attacks, which have evolved into the deadliest of all physical attacks on cryptosystems. The current work aims to combine these seemingly distant tools to come up with a new type of fault attack. We show how fault invariants are formed under special input division multi-sets and are independent of the fault injection location. It is further shown that the same division trail can be exploited as a multi-round Zero-Sum distinguisher to reduce the key-space to practical limits. As a proof of concept, division trails of PRESENT and GIFT are exploited to mount practical key-recovery attacks based on the random nibble fault model. For GIFT-64, we are able to recover the unique master key with 30 nibble faults, with faults injected at rounds 21 and 19. For PRESENT-80, DiFA reduces the key-space from 2^{80} to 2^{16} with 15 faults in round 25, while for PRESENT-128 the unique key is recovered with 30 faults in rounds 25 and 24. This constitutes the best fault attacks on these ciphers in terms of fault injection rounds. We also report an interesting property pertaining to fault-induced division trails which shows its inapplicability to attack GIFT-128. Overall, the usage of division trails in fault-based cryptanalysis showcases new possibilities and reiterates the applicability of classical cryptanalytic tools in physical attacks