    EnCounter: On Breaking the Nonce Barrier in Differential Fault Analysis with a Case-Study on PAEQ

    This work exploits internal differentials within a cipher in the context of Differential Fault Analysis (DFA). This in turn overcomes the nonce barrier, which acts as a natural countermeasure against DFA. We introduce the concept of internal differential fault analysis, which requires only one faulty ciphertext. In particular, the analysis is applicable to parallelizable ciphers that use the counter mode. As a proof of concept we develop an internal differential fault attack called EnCounter on PAEQ, an AES-based parallelizable authenticated cipher presently in the second round of the on-going CAESAR competition. The attack is able to uniquely retrieve the key of three versions of full-round PAEQ with key sizes of 64, 80 and 128 bits with complexities of about $2^{16}$, $2^{16}$ and $2^{50}$ respectively. Finally, this work addresses in detail the instance of fault analysis with varying amounts of partial state information and also presents the first analysis of PAEQ.

    A Diagonal Fault Attack on the Advanced Encryption Standard

    The present paper develops an attack on the AES algorithm, exploiting multiple byte faults in the state matrix. The work shows that inducing a random fault anywhere in one of the four diagonals of the state matrix at the input of the eighth round of the cipher leads to the deduction of the entire AES key. We also propose a more generalized fault attack which works if the fault induction does not stay confined to one diagonal. To the best of our knowledge, we present for the first time actual chip results for a fault attack on an iterative AES hardware implementation running on a Xilinx FPGA platform. We show that when the fault stays within a diagonal, the AES key can be deduced with a brute-force complexity of approximately $2^{32}$, which was successfully performed in about 400 seconds on an Intel Xeon server with 8 cores. We show further that even if the fault induction corrupts two or three diagonals, 2 and 4 faulty ciphertexts are necessary to uniquely identify the correct key.

    To Infect Or Not To Infect: A Critical Analysis Of Infective Countermeasures In Fault Attacks

    As fault-based cryptanalysis is becoming more and more of a practical threat, it is imperative to make efforts to devise suitable countermeasures. In this regard, the so-called "infective countermeasures" have garnered particular attention from the community due to their ability to inhibit differential fault attacks without explicitly detecting the fault. We observe that despite being adopted over a decade ago, a systematic study of infective countermeasures is missing from the literature. Moreover, there seems to be a lack of proper security analysis of the schemes proposed, as quite a few of them have been broken promptly. Our first contribution comes in the form of a generalization of infective schemes which gives us better insight into the vulnerabilities, the scope for cost reduction and possible improvements. This way, we are able to propose lightweight alternatives to two existing schemes. Further, we analyze shortcomings of the LatinCrypt'12 and CHES'14 schemes and propose a simple patch for the former.

    TIDAL: Practical Collisions on State-Reduced Keccak Variants

    An important tool that has contributed to collision search on Keccak/SHA3 is the Target Difference Algorithm (TDA) and its internal differential counterpart, the Target Internal Difference Algorithm (TIDA), which were introduced by Dinur et al. in separate works at FSE 2012 and 2013 respectively. These algorithms provide an ingenious way of extending the differential trails by one round and exploiting the affine subspaces generated due to the low algebraic degree of the Keccak S-box. The current work introduces TIDAL, which can extend TIDA by one more round, capitalizing on linearization techniques introduced by Guo et al. in JoC. This approach requires increment consistency checks, which are also improved in this work. The TIDAL strategy, in conjunction with a deterministic internal differential trail, has been applied to Keccak variants up to 400-bit state size and leads to practical collision attacks for most of them up to 5 rounds. In particular, collisions have been confirmed for 4-round Keccak[136, 64] with a complexity of $2^{20}$ and for 6-round Keccak[84, 16] with a complexity of $2^{5}$. Further, this work completely characterizes all collision attacks on state-reduced variants, showcasing that TIDAL covers most of the space up to 5 rounds. As state- and round-reduced Keccak variants are used to realize the internal states of many crypto primitives, the results presented here have a significant impact. Finally, it shows new directions for the long-standing problem of state-reduced variants being difficult to attack.

    DEEPAND: In-Depth Modeling of Correlated AND Gates for NLFSR-based Lightweight Block Ciphers

    Automated cryptanalysis has taken center stage in the arena of cryptanalysis since the pioneering work by Mouha et al., which showcased the power of Mixed Integer Linear Programming (MILP) in solving cryptanalysis problems that otherwise required significant effort. Since its inception, research in this area has moved in primarily two directions. One is to model more and more classical cryptanalysis tools as optimization problems to leverage the ease provided by state-of-the-art solvers. The other direction is to improve existing models to make them more efficient and/or accurate. The current work is an attempt to contribute to the latter. In this work, a general model referred to as DEEPAND has been devised to capture the correlation between AND gates in NLFSR-based lightweight block ciphers. DEEPAND builds upon and generalizes the idea of joint propagation of differences through AND gates captured using the refined MILP modeling of TinyJAMBU by Saha et al. at FSE 2020. The proposed model has been applied to TinyJAMBU and KATAN and can detect correlations that were missed by earlier models. This leads to more accurate differential bounds for both ciphers. In particular, a 384-round (full-round as per the earlier specification) Type-IV trail is found for TinyJAMBU with 14 active AND gates using the new model, while the refined model reported this figure to be 19. This also reaffirms the decision of the designers to increase the number of rounds from 384 to 640. Moreover, the model succeeds in finding a full-round Type-IV trail of the TinyJAMBU keyed permutation $\mathcal{P}_{1024}$ with probability $2^{-108}$ ($\gg 2^{-128}$). This reveals the non-random properties of $\mathcal{P}_{1024}$, thereby showing it to be non-ideal. Hence it cannot be expected to provide the same security levels as robust block ciphers. Further, the provable security of the TinyJAMBU AEAD scheme should be carefully revisited. Similarly, for KATAN 32, DEEPAND modeling improves the 42-round trail with probability $2^{-11}$ to $2^{-7}$. Also, for KATAN 48 and KATAN 64, this model respectively improves the designers' claimed 43-round and 37-round trail probabilities. Moreover, in the related-key setting, the DEEPAND model can produce a better 140-round boomerang distinguisher (in both data and time complexity) compared to the previous boomerang attack by Isobe et al. at ACISP 2013. In summary, DEEPAND seems to capture the underlying correlation better when multiple AND gates are at play and can be adapted to other classes of ciphers as well.

    BIOEQUIVALENCE STUDY OF AZELNIDIPINE 16 MG TABLET TO EVALUATE PHARMACOKINETIC PROFILE OF SINGLE DOSE IN HEALTHY, ADULT, HUMAN VOLUNTEERS UNDER FASTING CONDITION

    Objective: The present study's objective is to conduct a comparative bioavailability study with a special emphasis on the test product's bioequivalence, using a standard reference product as a comparator. Methods: Before initiating the bioequivalence study, the plasma sample analysis method was developed and validated using an LC-MS/MS method. The entire study was conducted as a single-dose, randomized, open-label, two-treatment, two-period, two-sequence crossover bioequivalence study on 24 healthy volunteers under fasting condition. With a proper informed consent process, the oral dose of the Reference product (R) or Test product (T) was administered to healthy volunteers at 0 h during each period of the study. After the drug's oral administration, a certain quantity of blood sample was collected, and the plasma was separated using a cold centrifuge. The plasma samples were analysed using the validated LC-MS/MS method. The pharmacokinetic parameters, statistical data and ANOVA of the test and reference products were evaluated. Results: The Cmax, AUC0-t, AUC0-∞ and tmax of the test product were found to be 6.29 ng/ml, 117.0 ng·h/ml, 161.67 ng·h/ml and 3.33 h respectively, and the Cmax, AUC0-t, AUC0-∞ and tmax of the reference product were found to be 6.59 ng/ml, 123.21 ng·h/ml, 172.20 ng·h/ml and 3.38 h respectively. Relative bioavailability was found to be 94.96%. The overall results show that the 90% confidence intervals (log-transformed and untransformed) for Cmax, AUC0-t and AUC0-∞ for Azelnidipine were within the acceptable limit of 80%-125%. Conclusion: The study's conclusion is that the test product is bioequivalent to the reference product used as comparator.

    Switching the Top Slice of the Sandwich with Extra Filling Yields a Stronger Boomerang for NLFSR-based Block Ciphers

    The Boomerang attack was one of the first attempts to visualize a cipher ($E$) as a composition of two sub-ciphers ($E_0 \circ E_1$) to devise and exploit two high-probability (say $p, q$) shorter trails instead of relying on a single low-probability (say $s$) longer trail for differential cryptanalysis. The attack generally works whenever $p^2 \cdot q^2 > s$. However, it was later succeeded by the so-called "sandwich attack", which essentially splits the cipher into three parts $E'_0 \circ E_m \circ E'_1$, adding an additional middle layer ($E_m$) with a distinguishing probability of $p^2 \cdot r \cdot q^2$. It is primarily the generalization of a body of research in this direction that investigates what is referred to as the switching activity and captures the dependencies and potential incompatibilities of the layers that the middle layer separates. This work revisits the philosophy of the sandwich attack over multiple rounds for NLFSR-based block ciphers and introduces a new method to find high-probability boomerang distinguishers. The approach formalizes boomerang attacks using only ladder and AND switches. The cipher is treated as $E = E_m \circ E_1$, a specialized form of the sandwich attack which we call the "open-sandwich attack". The distinguishing probability for this attack configuration is $r \cdot q^2$. Using this approach, the study successfully identifies a deterministic boomerang distinguisher for the keyed permutation of the TinyJambu cipher over 320 rounds. Additionally, a 640-round boomerang with a probability of $2^{-22}$ is presented with a 95% success rate. In the related-key setting, we unveil full-round boomerangs with probabilities of $2^{-19}$, $2^{-18}$ and $2^{-12}$ for all three variants, demonstrating a 99% success rate. Similarly, for Katan-32, a more effective related-key boomerang spanning 140 rounds with a probability of $2^{-15}$ is uncovered with a 70% success rate. Further, in the single-key setting, an 84-round boomerang with probability $2^{-30}$ is found with a success rate of 60%. This research deepens the understanding of boomerang attacks, enhancing the toolkit for cryptanalysts to develop efficient and impactful attacks on NLFSR-based block ciphers.

    Divide and Rule: DiFA - Division Property Based Fault Attacks on PRESENT and GIFT

    The division property introduced by Todo at Crypto 2015 is one of the most versatile tools in the arsenal of a cryptanalyst and has given new insights into many ciphers, primarily from an algebraic perspective. On the other end of the spectrum we have fault attacks, which have evolved into the deadliest of all physical attacks on cryptosystems. The current work aims to combine these seemingly distant tools to come up with a new type of fault attack. We show how fault invariants are formed under special input division multi-sets and are independent of the fault injection location. It is further shown that the same division trail can be exploited as a multi-round Zero-Sum distinguisher to reduce the key space to practical limits. As a proof of concept, division trails of PRESENT and GIFT are exploited to mount practical key-recovery attacks based on the random nibble fault model. For GIFT-64, we are able to recover the unique master key with 30 nibble faults injected at rounds 21 and 19. For PRESENT-80, DiFA reduces the key space from $2^{80}$ to $2^{16}$ with 15 faults in round 25, while for PRESENT-128 the unique key is recovered with 30 faults in rounds 25 and 24. This constitutes the best fault attacks on these ciphers in terms of fault injection rounds. We also report an interesting property pertaining to fault-induced division trails which shows their inapplicability to attacking GIFT-128. Overall, the usage of division trails in fault-based cryptanalysis showcases new possibilities and reiterates the applicability of classical cryptanalytic tools in physical attacks.

    DETERMINATION OF METFORMIN AND SITAGLIPTIN IN HEALTHY HUMAN VOLUNTEERS' BLOOD PLASMA AND ITS BIOEQUIVALENCE STUDY UNDER FASTING CONDITION

    Objective: Metformin hydrochloride and sitagliptin are oral anti-hyperglycemic medications used to treat type 2 diabetes and are used in combination to treat patients. In this work, we have developed a bioanalytical method for the simultaneous estimation of both drugs from the formulation and subsequently validated the developed method for metformin and sitagliptin in human plasma. Methods: The stability studies were done as per USFDA and EMA guidelines. The sample extraction approach presented here was a straightforward liquid extraction. The linearity range of metformin was 11.72 ng/ml to 3000 ng/ml, and of sitagliptin 4.68 ng/ml to 1200 ng/ml. For metformin, the LOD was 1.0 ng/ml and the LLOQ was 11.72 ng/ml; for sitagliptin, the LOD was 0.75 ng/ml and the LLOQ was 4.68 ng/ml. LC-ESI-MS/MS was used to develop and validate this method using the Phenomenex Kinetex C18 column. Milli-Q water containing 10 mmol Ammonium Acetate (pH = 3.6) and Acetonitrile containing 0.1% Formic Acid (pH = 2.4) were used as the solvent systems for the estimation of Sitagliptin in a single dose. Metoprolol was used as the Internal Standard. Results: The total chromatographic run time was only 7.0 min, and the elution times of metformin and sitagliptin were 3.94 min and 3.97 min, respectively. Relative Bioavailability was found to be 101.14% for Metformin and 96.96% for Sitagliptin. The overall results show that the Cmax, AUC0-t and AUC0-∞ for metformin and sitagliptin were within the acceptable limit of 80%-125%. Conclusion: This bioanalytical method was successfully applied in the bioequivalence study. The study design was a randomized, open-label, two-treatment, two-period, two-sequence, single-dose, crossover bioequivalence study under fasting conditions.

    Finding Desirable Substitution Box with SASQUATCH

    This paper presents "SASQUATCH", an open-source tool that aids in finding an unknown substitution box (SBox) given its properties. The inspiration for our work can be directly attributed to the DCC 2022 paper by Lu, Mesnager, Cui, Fan and Wang. Taking their work as the foundation (i.e., converting the problem of SBox search to a satisfiability modulo theory instance and then invoking a solver), we extend it in multiple directions (including, but not limited to, coverage of more options, imposing a time limit, parallel execution for multiple SBoxes, and non-bijective SBoxes), and package everything within an easy-to-use interface. We also present ASIC benchmarks for some of the SBoxes.