Information-Combining Differential Fault Attacks on DEFAULT

Nageler, Marcel; Dobraunig, Christoph; Eichlseder, Maria

doi:10.1007/978-3-031-07082-2_7

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13277))

Included in the following conference series:

Annual International Conference on the Theory and Applications of Cryptographic Techniques

1307 Accesses
3 Citations

Abstract

Differential fault analysis (DFA) is a very powerful attack vector for implementations of symmetric cryptography. Most countermeasures are applied at the implementation level. At ASIACRYPT 2021, Baksi et al. proposed a design strategy that aims to provide inherent cipher level resistance against DFA by using S-boxes with linear structures. They argue that in their instantiation, the block cipher DEFAULT, a DFA adversary can learn at most 64 of the 128 key bits, so the remaining brute-force complexity of \(2^{64}\) is impractical.

In this paper, we show that a DFA adversary can combine information across rounds to recover the full key, invalidating their security claim. In particular, we observe that such ciphers exhibit large classes of equivalent keys that can be represented efficiently in normalized form using linear equations. We exploit this in combination with the specifics of DEFAULT’s strong key schedule to recover the key using less than 100 faulty computation and negligible time complexity. Moreover, we show that even an idealized version of DEFAULT with independent round keys is vulnerable to our information-combining attacks based on normalized keys.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 139.00; Price excludes VAT (USA)

Softcover Book: USD 179.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

Baksi, A., Bhasin, S., Breier, J., Khairallah, M., Peyrin, T., Sarkar, S., Sim, S.M.: DEFAULT: Cipher level resistance against differential fault attack. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13091, pp. 124–156. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92075-3_5
Baksi, A., et al.: DEFAULT: Cipher level resistance against differential fault attack. IACR Cryptology ePrint Archive, Report 2021/712 (2021), https://eprint.iacr.org/2021/712/20210528:092448
Bar-El, H., Choukri, H., Naccache, D., Tunstall, M., Whelan, C.: The sorcerer’s apprentice guide to fault attacks. Proc. IEEE 94(2), 370–382 (2006). https://doi.org/10.1109/JPROC.2005.862424
Article Google Scholar
Beierle, C., Leander, G., Moradi, A., Rasoolzadeh, S.: CRAFT: lightweight tweakable block cipher with efficient protection against DFA attacks. IACR Trans. Symmet. Cryptol. 2019(1), 5–45 (2019). https://doi.org/10.13154/tosc.v2019.i1.5-45
Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 2–21. Springer, Berlin (1990). https://doi.org/10.1007/3-540-38424-3_1
Biham, E., Shamir, A.: Differential fault analysis of secret key cryptosystems. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 513–525. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052259
Chapter Google Scholar
Blömer, J., Krummel, V.: Fault based collision attacks on AES. In: Breveglieri, L., Koren, I., Naccache, D., Seifert, J.P. (eds.) FDTC 2006. LNCS, vol. 4236, pp. 106–120. Springer, Berlin (2006). https://doi.org/10.1007/11889700_11
Dobraunig, C., Eichlseder, M., Korak, T., Lomné, V., Mendel, F.: Statistical fault attacks on nonce-based authenticated encryption schemes. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 369–395. Springer, Berlin (2016). https://doi.org/10.1007/978-3-662-53887-6_14
Dobraunig, C., Mennink, B., Primas, R.: Leakage and tamper resilient permutation-based cryptography. IACR Cryptology ePrint Archive, Report 2020/200 (2020). https://ia.cr/2020/200
Gierlichs, B., Schmidt, J.M., Tunstall, M.: Infective computation and dummy rounds: fault protection for block ciphers without check-before-output. In: Hevia, A., Neven, G. (eds.) LATINCRYPT 2012. LNCS, vol. 7533, pp. 305–321. Springer, Berlin (2012). https://doi.org/10.1007/978-3-642-33481-8_17
Giraud, C., Thillard, A.: Piret and quisquater’s DFA on AES revisited. IACR Cryptology ePrint Archive, Report 2010/440 (2010). https://ia.cr/2010/440
Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Berlin (1994). https://doi.org/10.1007/3-540-60590-8_16
Medwed, M., Standaert, F.X., Großschädl, J., Regazzoni, F.: Fresh re-keying: Security against side-channel and fault attacks for low-cost devices. In: Bernstein, D.J., Lange, T. (eds.) AFRICACRYPT 2010. LNCS, vol. 6055, pp. 279–296. Springer, Berlin (2010). https://doi.org/10.1007/978-3-642-12678-9_17
Patranabis, S., Chakraborty, A., Mukhopadhyay, D.: Fault tolerant infective countermeasure for AES. In: Chakraborty, R.S., Schwabe, P., Solworth, J.A. (eds.) SPACE 2015. LNCS, vol. 9354, pp. 190–209. Springer, Berlin (2015). https://doi.org/10.1007/978-3-319-24126-5_12
Piret, G., Quisquater, J.J.: A differential fault attack technique against SPN structures, with application to the AES and KHAZAD. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 77–88. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45238-6_7
Simon, T., Batina, L., Daemen, J., Grosso, V., Massolino, P.M.C., Papagiannopoulos, K., Regazzoni, F., Samwel, N.: Friet: An authenticated encryption scheme with built-in fault detection. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 581–611. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_21
Tupsamudre, H., Bisht, S., Mukhopadhyay, D.: Destroying fault invariant with randomization - A countermeasure for AES against differential fault attacks. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 93–111. Springer, Berlin (2014). https://doi.org/10.1007/978-3-662-44709-3_6

Download references

Acknowledgments

We thank the DEFAULT designers for their comments. Additional funding was provided by a generous gift from Google. Any findings expressed in this paper are those of the authors and do not necessarily reflect the views of the funding parties.

Author information

Authors and Affiliations

Graz University of Technology, Graz, Austria
Marcel Nageler & Maria Eichlseder
Lamarr Security Research, Graz, Austria
Christoph Dobraunig

Authors

Marcel Nageler
View author publications
You can also search for this author in PubMed Google Scholar
Christoph Dobraunig
View author publications
You can also search for this author in PubMed Google Scholar
Maria Eichlseder
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Marcel Nageler .

Editor information

Editors and Affiliations

University of Haifa, Haifa, Haifa, Israel
Orr Dunkelman
University of Warsaw, Warsaw, Poland
Stefan Dziembowski

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Nageler, M., Dobraunig, C., Eichlseder, M. (2022). Information-Combining Differential Fault Attacks on DEFAULT. In: Dunkelman, O., Dziembowski, S. (eds) Advances in Cryptology – EUROCRYPT 2022. EUROCRYPT 2022. Lecture Notes in Computer Science, vol 13277. Springer, Cham. https://doi.org/10.1007/978-3-031-07082-2_7

Download citation

DOI: https://doi.org/10.1007/978-3-031-07082-2_7
Published: 25 May 2022
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-07081-5
Online ISBN: 978-3-031-07082-2
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

the International Association for Cryptologic Research (opens in a new tab)

Information-Combining Differential Fault Attacks on DEFAULT