Advertisement

Journal of Hardware and Systems Security

, Volume 1, Issue 2, pp 156–172 | Cite as

Differential Fault Analysis of SHA-3 Under Relaxed Fault Models

  • Pei Luo
  • Yunsi Fei
  • Liwei Zhang
  • A. Adam Ding
Article
  • 554 Downloads

Abstract

Keccak-based algorithms such as Secure Hash Algorithm-3 (SHA-3) will be widely used in cryptosystems, and evaluating their security against different kinds of attacks is vitally important. This paper presents an efficient differential fault analysis (DFA) method on all four modes of SHA-3 to recover an entire internal state, which leads to message recovery in the regular hashing mode and key retrieval in the message authentication code (MAC) mode. We adopt relaxed fault models in this paper, assuming the attacker can inject random single-byte faults into the penultimate round input of SHA-3. We also propose algorithms to find the lower bound on the number of fault injections needed to recover an entire internal state for the proposed attacks. Results show that on average, the attacker needs about 120 random faults to recover an internal state, while he needs 17 faults at best if he has control of the faults injected. The proposed attack method is further extended for systems with input messages longer than the bitrate.

Keywords

SHA-3 Keccak Differential fault analysis Hardware security 

1 Introduction

Keccak, a family of sponge functions, can be used to build various security modules widely used in cryptosystems, including hash function, symmetric cryptographic function, pseudo-random number generator, and authenticated encryption [1]. The new Secure Hash Algorithm (SHA)-3 standard [2] is based on Keccak. Two candidates for CAESAR (Competition for Authenticated Encryption: Security, Applicability, and Robustness), Ketje and Keyak, are also built upon Keccak. Therefore, the security of Keccak against different kinds of attacks is critical to security system design. In this paper, we use SHA-3 as an example for the security analysis of Keccak and present an efficient differential fault analysis (DFA) method on all four modes of SHA-3 function.

DFA is a powerful and efficient attack method, which utilizes the dependency of the faulty output on the internal intermediate variables to recover the secret. DFA has been used to break many cryptographic algorithms. For example, it has been used to extract the secret key of symmetric ciphers. It was first introduced to conquer the Data Encryption Standard (DES) algorithm [3], and later it was used to break the Advanced Encryption Standard (AES) [4]. Many other ciphers have also been hacked by DFA, including CLEFIA [5], Mickey [6, 7], and Grain [8, 9].

Some existing hash standards have been evaluated against DFA attacks, including SHA-1 [10], Streebog [11], MD5 [12], and GrøStl [13]. For hash functions in general usage, DFA can be used to retrieve the original message. For example, it is found in [12] that on average, 144 random faults are required for MD5 in order to discover the input message block. For GrøStl algorithm, on average, 280 single-bit faults are needed to invert each compression step. When hash functions are used in the message authentication code (MAC) mode with a secret key, DFA also becomes an effective method to recover the key and then generate forgery messages and corresponding MACs against authentication. For example, in [10], the input of SHA-1, including the secret key and message, is fully extracted with about 1000 random faults. For Streebog, an average number of faults that varies between 338 and 1640 is required to recover the secret key for different MAC settings [11]. When GrøStl is used in a keyed hash function, about 300 faults are needed to retrieve the secret key [13].

Previous works on Keccak mainly focus on side-channel power analysis and cryptanalytic collision attacks [14, 15, 16, 17, 18, 19, 20, 21]. To the best of our knowledge, only one work about DFA on SHA-3 has been published before us [22]. In [22], a single-bit fault model is used , and only two modes of SHA-3 with longer digest length, namely SHA3-384 and SHA3-512, have been discussed. Injection of single-bit faults into cryptosystems requires higher control precision and sometimes invasive methods like laser emission, which are costly and also less effective as the technology scales down. Typical non-invasive fault injection methods, such as clock glitches and supply voltage variation, are more general and would affect a group of bits in intermediate states all together, i.e., inducing byte-level faults. Our previous work [23] extends DFA to the other two modes of SHA-3 with shorter digest length, SHA3-224 and SHA3-256, under a relaxed single-byte fault model. It analyzes fault propagation of SHA-3 under byte-level fault injection and proposes two different ways to address the issue of short observable digests in SHA3-224 and SHA3-256.

This paper is an extension of our previous work [23]. In addition to the random fault model, we propose an optimization method with heuristics, so that the DFA can use the least chosen faults to recover the internal state. We also include more substantial discussion on extending the DFA to SHA-3 systems with input messages longer than the bitrate. The contributions of this work are as follows:
  • We introduce the concept of fault propagation into DFA of SHA-3, and this formal method will ensure the extendability of proposed DFA.

  • We extend DFA on SHA-3 from single-bit fault model to more relaxed fault models and from two SHA-3 functions with longer digest to all four of them. For example, we can break all four SHA-3 functions under single-byte fault model and break SHA3-384 and SHA3-512 under 16-bit fault model in this work.

  • An optimization method with heuristics is proposed, and this method can be used to optimize DFA so that the proposed method can use the fewest chosen faults to recover the internal state.

  • Discussion about how variable key and message length will affect DFA is given.

We simulate all the proposed methods for all four modes of SHA-3. Results show that, for SHA3-384 and SHA3-512, about 120 random single-byte faults are needed to recover an entire internal state, while about 500 single-bit random faults are needed in previous work [22]. When the fault injection can be controlled, our simulation results of the heuristics show that only 17 selected single-byte faults and 129 selected single-bit faults are required to recover the internal state, under the two different fault models, respectively. Our attack method can break SHA3-224 and SHA3-256 as well, while the numbers of required random effective faults are about 250 and 150, respectively.

The rest of this paper is organized as follows. In Section 2, we present the basic knowledge of SHA-3 that will be used in this paper and describe the fault models. In Section 3, we analyze the fault propagation process in SHA-3 and construct the fault signatures. In Section 4, we present the attack on SHA3-384 and SHA3-512 using the proposed fault signature method under the relaxed fault models. In Section 5, we extend the attack to SHA3-224 and SHA3-256, and show the method to further improve the attack efficiency. In Section 6, we propose a heuristic algorithm to improve the efficiency of the DFA with more control of the faults injected and derive the lower bound on the number of fault injections needed for the proposed attacks. In Section 7, we discuss attacks on SHA-3 systems with the input message size larger than the bitrate, and the protection of SHA-3 systems against DFAs. Finally, we conclude the paper in Section 8.

2 Preliminaries of SHA-3 and Differential Fault Analysis

2.1 Preliminaries of Keccak Hash Function

The Keccak hash algorithm can work in different modes with variable length. Standardized by NIST, SHA-3 functions operate in modes of Keccak-f[1600, d] [2], where each internal state is 1600-bit organized in a 3D array, as shown in Fig. 1, and d is the output length at choice. Each state bit is addressed by three coordinates, denoted as S(x,y,z), x,y ∈{0,1,...,4}, z ∈{0,1,...,63}. 2D entities, plane, sheet, and slice, and 1D entities, lane, column, and row, are also defined in Keccak and shown in Fig. 1.
Fig. 1

State data structures used in Keccak [1]

We also define vectors X = [0 : 4], Y = [0 : 4], and Z = [0 : 63] to stand for multiple bits in one row, column, and lane, respectively. For example, we can denote the bottom plane of state S (320 bits) as S(X,0,Z). Note that coordinates x and y are modular of 5 while z is modular of 64.

Keccak relies on a sponge architecture to iteratively absorb message inputs and squeeze out digest by an f permutation function. The sponge architecture is shown in Fig. 2, where r is called the bitrate and c is the capacity (r + c = 1600). Here, f 0 to f 5 are all the same f permutation function.
Fig. 2

The sponge construction

The number of f functions in the absorbing phase is determined by the message size, and the digest size (d in Keccak-f[1600, d]) will decide the number of f function in the squeezing phase together with bitrate r. SHA-3 family consists of four digest size (d = 224,256,384,512), namely SHA3-224, SHA3-256, SHA3-384, and SHA3-512 [2]. We will discuss all four SHA-3 functions under relaxed fault models in this paper. Note here that for SHA3-d function, c = 2d and r + c = 1600.

In this paper, we first simplify the setting by assuming that the length of the input message is smaller than the bitrate r, and as r > d holds for all four modes of SHA-3 function, there will be only one f function involved for absorbing and squeezing. In Section 7, we will extend the attacks for input messages with variable length, in which multiple f functions will be involved.

The f function consists of 24 rounds for 1600-bit operations, where each round has five sequential steps:
$$ S_{i+1} = \iota \circ \chi \circ \pi \circ \rho \circ \theta(S_{i}),\ i \in \{0,1,\cdots, 23\} $$
(1)
in which S 0 is the initial input. Details of each step are described below:
  • 𝜃 is a linear operation which involves 11 input bits and outputs a single bit. Each output state bit is the XOR between the input state bit and two neighbor columns. We denote the input of 𝜃 as 𝜃 i while the output as 𝜃 o , and the operation is given as follows:
    $$\begin{array}{@{}rcl@{}} \theta_{o}(x,y,z) = \theta_{i}(x,y,z) & \oplus& (\oplus_{y=0}^{4} \theta_{i}(x-1,y,z))\\ & \oplus& (\oplus_{y=0}^{4} \theta_{i}(x+1,y,z-1)). \end{array} $$
  • ρ is a rotation over the state bits along z-axis.

  • π is a permutation over the state bits within slices.

  • χ is a non-linear step that contains mixed binary operations over state bits in rows. Each bit of the output state is the result of an XOR between the corresponding input state bit and its two successive bits along the x-axis:
    $$\begin{array}{@{}rcl@{}} \chi_{o}(x,y,z) &=& \chi_{i}(x,y,z) \oplus (\overline{\chi_{i}(x+1,y,z)} \\&&\cdot \chi_{i}(x+2,y,z)). \end{array} $$
    The χ operation is reversible, and each χ i bit can be expressed in below formula which involves all five bits of χ o in a row [1, 24]:
    $$\begin{array}{@{}rcl@{}} &&\chi_{i} (x,y,z) = \chi_{o}(x,y,z) \oplus \overline{\chi_{o}(x+1,y,z)} \cdot (\chi_{o}(x\,-\,1,y,z)\!\\ &&\oplus \chi_{o}(x+2,y,z) \oplus \chi_{o}(x-1,y,z) \cdot \chi_{o}(x+3,y,z) ). \end{array} $$
    (2)
  • ι is a binary XOR with a round constant.

Besides the general hash mode, SHA-3 will be widely used for authentication, and MAC-Keccak is the recommended MAC function. It is designed to securely create a MAC by hashing the concatenation of the key and the message [25]:
$$ \text{MAC}(M,K) = \mathrm{H}(K||M). $$
(3)

When SHA-3 is used in general hash mode, the goal is to recover the input message, and when SHA-3 is used in MAC mode, the goal is to recover the authentication key.

2.2 Notations and Data Structure

We annotate the last two rounds of SHA-3 operations and important intermediate states in Fig. 3 and use these notations in the rest of this paper. We pick the penultimate round input (𝜃 i22) as the fault injection point, and the target is to recover the whole internal state of \(\chi ^{22}_{i}\) (1600 bits) with access to the digest H at much shorter length, which is d-bit for SHA3-d function. The key insight of DFA is that the fault injection reveals some internal state bits through the differential digest output (the difference between the correct digest and faulty digest).
Fig. 3

Notations for operations and intermediate states

For one f function, if the whole internal state \(\chi ^{22}_{i}\) is recovered, the input of SHA-3, S 0, can be recovered because all five operations in Keccak are reversible. We will extend the attacks to SHA-3 systems with multiple f functions in Section 7.1.

For commonly used SHA-3 implementations, data structures are organized along each lane [26, 27]. There are two commonly used implementation methods for Keccak, non-interleaved and interleaved implementation [28]. One byte is eight consecutive bits in one lane for non-interleaved implementations. Bit interleaving is a technique to put the bits in even positions and odd positions of one lane into separate words (bytes) for more efficient implementation.

For interleaved and non-interleaved implementations, different bit organization structures in a byte or word will result in different fault propagation characteristics. As bit interleaving technique has been widely used in SHA-3 implementations in embedded cryptographic systems [26, 27], we will evaluate both of these two implementations in our work. We refer to the source code provided online [26] for all implementations and simulations in this paper.

2.3 The Fault Model Used in This Paper

Our DFA is based on byte-level faults. General fault injection methods, including clock glitches and supply voltage variations, will affect multiple bits in a data structure simultaneously. For example, one byte will be affected on 8-bit architectures, and one 16-bit word will be affected on 16-bit architectures. Multiple concurrent bit faults will interfere with each other during operations in the hash algorithm, and considering only individual independent single-bit faults does not address these interactions. To illustrate our proposed method, we use the fault model of single-byte as example:
  • The attacker can inject faults into one byte of the penultimate round input \(\theta _{i}^{22}\).

  • The attacker has no control on either the position (which byte) or the value of the injected faults.

  • The attacker can only observe the correct and faulty SHA-3 digest outputs, H and H , which are d-bit instead of 1600 bits.

  • The attacker can inject multiple random faults into the same input message for different execution runs.

Besides single-byte fault model, we will also check our method under single-word (16-bit) fault model. As the single-bit fault model used in [22] is just a special case of the single-byte fault model, we will also check attack results under that model.

3 Fault Propagation and Fault Signature

Generally, because of confusion and diffusion properties in crypto-operations, any bit flip at the input message will affect all the bits at the output under perfect randomness and the fault analysis would not work. For SHA-3, the path from the fault injection point (𝜃 i22) to the observable output (H) is not very long—only two rounds of operations, and therefore, different faults injected will cause different patterns at the differential output ΔH = HH . We call such differential patterns as fault signature (FS) in this paper. Different fault signatures can be used to identify the injected fault and then recover the internal state bits.

Different from previous cryptosystems like AES and DES, which are organized and operated in several modules (like 8-bit bytes), Keccak is organized at bit level and operations are performed on bits. For block ciphers like AES, the attacker can observe the differential output of 16 bytes to identify the injected fault positions and values. It has been shown in [22] that differential output of SHA-3 has much more complicated characteristics, and therefore, DFA methods for previous block ciphers cannot be applied to Keccak-based functions. In this section, we show the fault propagation process in SHA-3 and extract the fault signature for each possible injected fault.

3.1 Observable Hash Digest

For DFA, the first step is to select a comparison point (intermediate state of the algorithm), where information obtained from the differential outputs is used to match the various patterns of the fault propagation so as to identify the injected fault or recover secret message or key. In [22], the comparison point is picked at \(\theta ^{23}_{o}\) for SHA3-384 and SHA3-512 to identify the single-bit fault injected. For SHA3-384 and SHA3-512, a whole plane of 320 bits (y = 0, the bottom plane) at the output H is observable. Because all the operations ρ,π,χ, and ι are reversible, the attacker can make use of this plane to recover the bottom plane (320 bits) of \(\chi ^{23}_{i}\):
$$\chi^{23}_{i}(X, 0, Z) = \chi^{-1} \circ (\iota^{23})^{-1} \left( H(y=0)\right), $$
and the differential, \({\Delta } \chi ^{23}_{i}(X, 0, Z)\), can be derived. When selecting the comparison point at \(\chi ^{23}_{i}\), we need to construct fault signatures at \(\chi ^{23}_{i}\), \(FS_{\chi ^{23}_{i}}\), for attacks in this paper.

For SHA3-224 and SHA3-256, only a partial bottom plane of the output of the f function is observed, and therefore, χ 23 cannot be inverted directly, according to Eq. 2. For SHA3-224 and SHA3-256, we present corresponding attack methods in Section 5.

3.2 Fault Signature Generation

For single-byte fault model, any internal state of Keccak-f[1600, d] is composed of 200 bytes (0 ≤ P < 200), and the fault value (F, defined as the differential of the state byte of the penultimate round input) ranges from 1 to 255, where for each bit of F, 0 means the corresponding state bit does not change, and 1 means the state bit flips. For example, F = 1 means the lowest bit of the state byte flips. For any possible fault (F) at any one of the 200 positions (P), we denote the corresponding fault signature at \(\chi ^{23}_{i}\) as \(FS_{\chi ^{23}_{i}}[P][F]\). Without further specification, all fault signatures are 1600 bits, standing for the 1600 differential bits of the state caused by the fault F injected at byte P of \(\theta ^{22}_{i}\).

For faults injected at \(\theta ^{22}_{i}\), it will propagate to \(\chi ^{23}_{i}\) through the operations shown in Fig. 3. We separate these operations into two categories:
  • Operations that will not change bit values of fault signatures, including bit rotation operations ρ and π that only change the bit positions, and constant number addition operation ι.

  • Operations that will change the bit values of fault signatures, which involve multiple bits to generate a single output bit, namely 𝜃 and χ. There is also difference between these two operations: 𝜃 is linear (only consisting of XOR operations) while χ is non-linear (consisting of operations AND and NOT).

In the first kind of operations, for ρ and π, faults at the input will go through the operation (position permutation) directly and propagate to the output, i.e., Δρ o = ρρ i ) and Δπ o = ππ i ). For operation ι, the fault does not change at all, i.e., Δι o = Δι i .

For the second kind of operations, one output bit is generated from multiple input bits. For 𝜃 22 operation, one single-bit fault \({\Delta } \theta ^{22}_{i}(x,y,z)\) will propagate to 11 bits of \(\theta ^{22}_{o}\), with their differential denoted as \({\Delta } \theta ^{22}_{o}(x,y,z)\), \({\Delta } \theta ^{22}_{o}(x+1,Y,z)\), and \({\Delta } \theta ^{22}_{o}(x-1,Y,z+1)\), which are on the state bit and its two neighbor columns in different sheets. For the single-byte fault model, all the faulty bits are in the same lane of \(\theta ^{22}_{i}\). With 𝜃 operation, no \(\theta ^{22}_{o}\) bit will involve more than one faulty bit. Thus, for 𝜃 22, we have \({\Delta } \theta ^{22}_{o} = \theta ({\Delta } \theta ^{22}_{i})\).

In this paper, we use a single-bit fault at \(\theta ^{22}_{i}(0,0,0)\)𝜃 i22(0,0,0) = 1 while all other bits of \({\Delta }\theta ^{22}_{i}\) are 0) as an example to demonstrate the fault propagation in SHA-3 and use it to explain the construction of fault signatures. According to the above analysis of fault propagation through different operations, the single-bit fault will be diffused to 11 bits after 𝜃 22 operations and then rotated into different lanes and rows through ρ and π. The fault signature \(FS_{\chi ^{22}_{i}}\) at the input of χ 22 for this single-bit fault is shown in Fig. 4.
Fig. 4

Fault signature at χ i22 for the example single-bit fault injected at 𝜃 i22

Due to the linear properties of 𝜃, ρ, and π operations, each bit of \(FS_{\chi ^{22}_{i}}\) will be either 0 or 1, depending on the value and position of the injected faults only. As the fault keeps propagation, two important processes, χ 22 and 𝜃 23, will determine the fault signature \(FS_{\chi _{i}^{23}}\). If we denote the fault propagation of χ 22 as F P χ , and the fault propagation of 𝜃 23 as F P 𝜃 , the corresponding fault signature at \(\chi ^{23}_{i}\) can be denoted as follows (note that operation ι does not change the propagation of the faults):
$$ FS_{\chi^{23}_{i}} = \pi \circ \rho \circ FP_{\theta} \circ FP_{\chi} ({\Delta} \chi^{22}_{i}). $$
(4)

We next analyze fault propagation of χ 22 and 𝜃 23 in the following section respectively.

3.2.1 Fault Propagation in χ 22 - F P χ

χ is the only non-linear operation in Keccak, and its AND operation leaks information of its input state bits with fault(s) on χ i . Under the single-bit fault model in [22], no more than one bit will be polluted in each row of \(\chi ^{22}_{i}\), as also shown in Fig. 4 for vectors \({\Delta } \chi ^{22}_{i}(X, y, z)\). For the relaxed models used in this paper, multiple bits may be polluted in one row of \(\chi ^{22}_{i}\). In this section, we present the general fault propagation of multi-bit faults in χ operation.

Denote five bits in one row of χ input as {a i ,b i ,c i ,d i ,e i }, then five bits of corresponding χ o output row can be denoted as \(a_{o} = a_{i} \oplus (\bar {b_{i}} \cdot c_{i})\), \(b_{o} = b_{i} \oplus (\bar {c_{i}} \cdot d_{i})\), \(c_{o} = c_{i} \oplus (\bar {d_{i}} \cdot e_{i})\), \(d_{o} = d_{i} \oplus (\bar {e_{i}} \cdot a_{i})\), and \(e_{o} = e_{i} \oplus (\bar {a_{i}} \cdot b_{i})\).

We take a o as an example to demonstrate the fault propagation in χ operation. Bit a o is affected by bits a i , b i , and c i :
  1. 1.

    With a single-bit fault on a i a i = 1), Δa o = Δa i = 1

     
  2. 2.

    With a single-bit fault on b i b i = 1), \(a_{o}^{\prime } = a_{i} \oplus (\bar {b_{i}^{\prime }} \cdot c_{i})\), and then Δa o = Δb i c i = c i , which leaks the internal state c i information

     
  3. 3.

    With a single-bit fault on c i c i = 1), \(a_{o}^{\prime } = a_{i} \oplus (\bar {b_{i}} \cdot c_{i}^{\prime })\), and then \({\Delta } a_{o} = (1 \oplus b_{i}) \cdot {\Delta } c_{i} = \overline {b_{i}}\)

     
  4. 4.

    With a two-bit fault on a i and b i a i = Δb i = 1), \(a_{o}^{\prime } = a_{i}^{\prime } \oplus (\bar {b_{i}^{\prime }} \cdot c_{i})\), and then \({\Delta } a_{o} = \overline {c_{i}}\)

     
  5. 5.

    With a two-bit fault on b i and c i b i = Δc i = 1), \(a_{o}^{\prime } = a_{i} \oplus (\bar {b_{i}^{\prime }} \cdot c_{i}^{\prime })\), and then Δa o = Δb i c i ⊕ (1 ⊕ b i ) ⋅ Δc i ⊕ Δb i ⋅ Δc i = b i c i

     
  6. 6.

    With a two-bit fault on a i and c i a i = Δc i = 1), \(a_{o}^{\prime } = a_{i}^{\prime } \oplus (\bar {b_{i}} \cdot c_{i}^{\prime })\), and then Δa o = Δa i ⊕ (1 ⊕ b i ) ⋅ Δc i = b i

     
  7. 7.

    With a three-bit fault (Δc i = Δb i = Δc i = 1), \(a_{o}^{\prime } = a_{i}^{\prime } \oplus (\bar {b_{i}^{\prime }} \cdot c_{i}^{\prime })\), and thus \({\Delta } a_{o} = {\Delta } a_{i} \oplus {\Delta } b_{i} \cdot c_{i} \oplus (1 \oplus b_{i}) \cdot {\Delta } c_{i} \oplus {\Delta } b_{i} \cdot {\Delta } c_{i} = \overline {b_{i} \oplus c_{i}}\)

     
In summary, we can denote the fault signature for bit \(\chi ^{22}_{o}(x,y,z)\) as in Table 1.
Table 1

Fault propagation of operation χ 22

Fault at χ input

Fault signature at χ output

\({\Delta } \chi ^{22}_{i}([x\):x+ 2],y,z)

\(FS_{\chi ^{22}_{o}}(x, y, z)\)

[1,0,0]

1

[0,1,0]

\(\chi ^{22}_{i}(x+2, y, z)\)

[0,0,1]

\(\overline {\chi ^{22}_{i}(x+1, y, z)}\)

[1,1,0]

\(\overline {\chi ^{22}_{i}(x+2, y, z)}\)

[0,1,1]

\(\chi ^{22}_{i}(x+1, y, z) \oplus \chi ^{22}_{i}(x+2, y, z)\)

[1,0,1]

\(\chi ^{22}_{i}(x+1, y, z)\)

[1,1,1]

\(\overline {\chi ^{22}_{i}(x+1, y, z) \oplus \chi ^{22}_{i}(x+2, y, z)}\)

According to the above analysis, we can see that the nonlinear χ operation may cause leakage of some \(\chi ^{22}_{i}\) bits in the differential χ 22 output. We present the whole fault pattern at \(\chi ^{22}_{o}\) as in Fig. 5, in which \({\Delta } \chi ^{22}_{o}(x,y,z)\) is denoted as C(x,y,z) for simplicity, and the same single-bit fault \({\Delta } \theta ^{22}_{i}(0,0,0) = 1\) example is assumed.
Fig. 5

Fault signature at the output of χ 22

In Fig. 5, each differential bit \({\Delta } \chi ^{22}_{o}(x,y,z)\) takes a value of “0,” “1,” or “x,” in which 1 (0) means this corresponding output bit flips (does not flip) with the specific fault injected, respectively, regardless of the internal states. However, “x” at a bit position means that the corresponding \({\Delta } \chi ^{22}_{o}\) bit value depends on some \(\chi ^{22}_{i}\) bit(s), and it can be “0” or “1.” For example, we denote \({\Delta } \chi ^{22}_{o}(0,0,44)\) as “x,” because \({\Delta } \chi ^{22}_{o}(0,0,44) = \chi ^{22}_{i}(2,0,44)\) under the fault injected (Δ𝜃 i22(0,0,0) = 1), and \(\chi ^{22}_{o}(0,0,44)\) would flip if \(\chi ^{22}_{i}(2,0,44) = 1\), otherwise it remains unchanged if \(\chi ^{22}_{i}(2,0,44) = 0\). Thus, if the attacker has knowledge of \({\Delta } \chi ^{22}_{o}(0,0,44)\) and the injected fault, he can construct the corresponding fault signature and then recover the bit \(\chi ^{22}_{i}(2,0,44)\).

3.2.2 Fault Propagation in 𝜃 23F P 𝜃

Each bit of 𝜃 o is the XOR result of 11 input bits: its corresponding input bit with two nearby input columns. We can denote \({\Delta } \theta ^{23}_{o}(x,y,z)\) as follows:
$$\begin{array}{@{}rcl@{}} {\Delta} \theta^{23}_{o}(x,y,z) \!&=&\! {\Delta} \theta^{23}_{i}(x,y,z) \oplus (\oplus_{y=0}^{4} {\Delta} \theta^{23}_{i}(x-1,y,z)) \\ &&\!\oplus (\oplus_{y=0}^{4} {\Delta} \theta^{23}_{i}(x+1,y,z-1)). \end{array} $$
(5)
Thus, the fault propagation function F P 𝜃 can be denoted as follows:
$$ FS_{\theta^{23}_{o}} = \theta(FS_{\chi^{22}_{o}}). $$
(6)

Each bit of \(FS_{\chi ^{22}_{o}}\) can be denoted as 0, 1, or a function of certain \(\chi ^{22}_{i}\) bits. For each bit of \(FS_{\theta ^{23}_{o}}\), some of the corresponding 11 \(FS_{\chi ^{22}_{o}}\) bits may depend on the same \(\chi ^{22}_{i}\) bits, and therefore, some dependencies will be eliminated with the operation of XOR. This is a key insight for our byte-level (multiple bit) fault propagation analysis. For example, in the interleaved implementation, when fault F = 65 is injected at P = 16, \({\Delta } \theta ^{23}_{i}(4,4,3) = \chi ^{22}_{i}(0,4,3)\) and \({\Delta } \theta ^{23}_{i}(3,4,3) = \chi ^{22}_{i}(0,4,3)\). \({\Delta } \theta ^{23}_{o}(4,4,3)\), which involves the two input bits \(\theta ^{23}_{i}(4,4,3)\) and \(\theta ^{23}_{i}(3,4,3)\), will not depend on \(\chi ^{22}_{i}(0,4,3)\) anymore because the dependencies get canceled out by XOR between the two input bits. Eventually, the fault signature at the 𝜃 23 output, \(FS_{\theta ^{23}_{o}}\), has a similar format as \(FS_{\chi ^{22}_{o}}\), with each bit being 0, 1, or an odd or even function (XOR) over some \(\chi ^{22}_{i}\) bits and constant one.

As \({\Delta } \chi ^{23}_{i} = \pi \circ \rho ({\Delta } \theta ^{23}_{o})\), it is easy to build the fault signature at \(\chi ^{23}_{i}\) with \(FS_{\theta ^{23}_{o}}\) constructed from the above analysis; thus, we show \(FS_{\chi ^{23}_{i}}\) directly here. We use the same example to show how the single-bit fault at \(\theta ^{22}_{i}(0,0,0)\) propagates to \(\chi ^{23}_{i}\). For SHA3-224 and SHA3-256, only partial bottom plane (less than 320 bits) of the output state H will be observable. Nevertheless, Fig. 6 presents the fault signature in the whole bottom plane of \(FS_{\chi ^{23}_{i}}\), in which we denote \({\Delta } \chi ^{23}_{i}(x,0,z)\) as E(x,z) for simplicity.
Fig. 6

Fault signature at χ i23 (bottom plane)

With the observed bits of \({\Delta } \chi ^{23}_{i}\) and the fault signatures, the attacker can work on equations which involve only one bit of \(\chi ^{22}_{i}\) to recover the \(\chi ^{22}_{i}\) bits, and then plug them back into equations which involve more than one \(\chi ^{22}_{i}\) bit to recover the remaining \(\chi ^{22}_{i}\) bits. For example, as shown in Fig. 6, with the single-bit fault injected at \(\theta ^{22}_{i}(0,0,0)\), the attacker can use \(FS_{\chi ^{23}_{i}}(1,0,24)\) to recover \(\chi ^{22}_{i}(2,0,44)\) first. Then replace \(\chi ^{22}_{i}(2,0,44)\) in \(FS_{\chi ^{23}_{i}}(0,0,44)\) to recover \(\chi ^{22}_{i}(0,0,44)\).

In this section, we showed the fault propagation process in SHA-3 and analyzed the composition of fault signatures at \(\chi ^{23}_{i}\). In the next two sections, we will show how to use the constructed fault signatures to conquer all four modes of SHA-3.

4 Differential Fault Analysis of SHA3-384 and SHA3-512

In this section, we use the constructed fault signatures in the previous section to conquer SHA3-384 and SHA3-512. In Section 4.1, we will present the method to identify the injected fault, including the position P and value F, using the constructed fault signatures. Then we show how to recover some \(\chi ^{22}_{i}\) bits using the identified fault in Section 4.2.

4.1 Fault Position P and Value F Recovery

We separate the 320 observable \({\Delta } \chi ^{23}_{i}\) bits (five lanes) into two groups:
  • \({\Delta } \chi ^{23}_{i}.white\) contains the bits (x,y,z) of \({\Delta } \chi ^{23}_{i}\) with \({\Delta } \chi ^{23}_{i}(x,y,z)=0\), which means that these bits are not flipped under the injected fault.

  • \({\Delta } \chi ^{23}_{i}.black\) contains the bits (x,y,z) of \({\Delta } \chi ^{23}_{i}\) with \({\Delta } \chi ^{23}_{i}(x,y,z)=1\), which means these bits are flipped under the injected fault.

We would like to use the observed \({\Delta } \chi ^{23}_{i}\) to infer the fault injection position (at byte P 0) and the fault value (F 0). For any fault F at position P, the fault signature at the bottom plane of \(\chi ^{23}_{i}\) consists of five lanes, and we can separate the 320 bits of \(FS_{\chi ^{23}_{i}}[P][F](x,y,z)\) (y = 0) into three groups:
  • \(FS_{\chi ^{23}_{i} }[P][F].white\) contains the bits (x,y,z) with \(FS_{\chi ^{23}_{i} }[P][F](x,y,z)=0\), i.e., the injected fault does not affect these state bits.

  • \(FS_{\chi ^{23}_{i} }[P][F].black\) contains the bits (x,y,z) with \(FS_{\chi ^{23}_{i} }[P][F](x,y,z)=1\), which are for sure to flip when the fault is injected.

  • \(FS_{\chi ^{23}_{i} }[P][F].grey\) contains the bits (x,y,z) with \(FS_{\chi ^{23}_{i} }[P][F](x,y,z)\) as a function dependent on some bits of \(\chi _{i}^{22}\), i.e., they can leak some internal state bits information, and can be 0 or 1.

For the correct fault F 0 injected at the correct position P 0, the following relationships should hold:
  • For any bit in \(FS_{\chi ^{23}_{i} }[P_{0}][F_{0}].white\), this bit should be in \({\Delta } \chi ^{23}_{i}.white\).

  • For any bit in \(FS_{\chi ^{23}_{i} }[P_{0}][F_{0}].black\), this bit should be in \({\Delta } \chi ^{23}_{i}.black\).

  • For any bit in \(FS_{\chi ^{23}_{i} }[P_{0}][F_{0}].grey\), it can be in \({\Delta } \chi ^{23}_{i}.white\) or \({\Delta } \chi ^{23}_{i}.black\), depending on some internal state bits.

We summarize the above relationships as the following set relations:
$$ \left\{\! \begin{array}{l} FS_{\chi^{23}_{i} }[P][F].\mathit{white} \subseteq {\Delta} \chi^{23}_{i}.\mathit{white} \\ FS_{\chi^{23}_{i} }[P][F].black \subseteq {\Delta} \chi^{23}_{i}.\mathit{black} \\ {\Delta} \chi^{23}_{i}.\mathit{white} \!\subseteq\! \{ FS_{\chi^{23}_{i} }[P][F].\mathit{white} \cup \mathit{FS}_{ \chi^{23}_{i}}[P][F].\mathit{grey} \} \\ {\Delta} \chi^{23}_{i}.\mathit{black} \!\subseteq\! \{ FS_{\chi^{23}_{i} }[P][F].\mathit{black} \cup \mathit{FS}_{ \chi^{23}_{i}}[P][F].\mathit{grey} \} \end{array} \right. $$
(7)

By checking relationships in Eq. 7, the attacker can exclude many positions and fault values. If only one position with one fault value satisfies these relationships, the injected fault is discovered. All the \(FS_{\chi ^{23}_{i}}[P_{0}][F_{0}].grey\) bits now are mapped to either zero (white) or one (black) in the observed differentials, and therefore, the internal state bits can be recovered.

We implement the attacks on both interleaved and non-interleaved versions of Keecak implementations in C++ [26] and run all the fault signature generation and mapping between the observed differential and the hypothesized signatures on a workstation, which consists of an Intel(R) Core(TM) i7-2600 CPU at 3.40 GHz and 8-GB memory. Results show that our one-time fault signature generation algorithm takes about 14.5 s for offline execution, and it takes less than 0.3 ms to find the correct injected fault and recover the internal state bits from one fault.

For the non-interleaved version of SHA-3, using our algorithm, the attacker can find the unique injected fault with probability 99.13% under single-byte fault model. For the rest 0.87% probability, more than one fault satisfies the relationships in Eq. 7. For interleaved version, the attacker can find the unique fault with 100% probability under one single-byte fault injection. We define such unique faults as effective faults. As only effective faults are useful for identifying state bits, the higher percentage of the effective fault, the more efficient the attacks will be.

We also check our algorithms under other fault models. For the single-bit fault model used in [22], our algorithms find the unique faults with 100% probability. For the single-word (16-bit) fault model, the effective fault rate is about 40% for both interleaved and non-interleaved implementations. This is because for single-word faults, most bits of the final digest H (and internal state \(\theta ^{23}_{o}\)) will be polluted (more confusion), and therefore, the difference between the signatures of two faults is less distinct.

As the results for non-interleaved and interleaved implementations are similar, and the methods for fault identification and \(\chi ^{22}_{i}\) bits recovery are the same for these two implementations, the rest of this paper presents only results on non-interleaved implementation and focuses on the single-byte fault model.

4.2 χ i22 Bits Recovery

Previous sections introduce the algorithms to derive fault signatures and use the signatures to infer the injected fault information. In this section, we describe the algorithms to recover bits of the internal state \(\chi ^{22}_{i}\).

As demonstrated in Fig. 6 and Section 3.2.2, each bit of \(FS_{\chi ^{23}_{i}}\) may involve one or several bits of \(\chi ^{22}_{i}\). Once the unique fault value at a certain position is identified, all the “x” bits in the \(FS_{\chi ^{23}_{i}}\) are known to be zero or one. First, those bits that only depend on a single bit of \(\chi ^{22}_{i}\) are checked to recover the corresponding \(\chi ^{22}_{i}\) bits. Then these newly recovered \(\chi ^{22}_{i}\) bits are used in those signature bits that depend on multiple \(\chi ^{22}_{i}\) bits to recover other bits.

Note that for each single-bit fault injected at \(\theta ^{22}_{i}\), 22 bits of \(\chi ^{22}_{i}\) can be recovered. With a multi-bit fault (n-bit) injected at \(\theta ^{22}_{i}\), up to 22 ∗ n bits can be recovered. However, the 𝜃 23 operation may cancel some \(\chi ^{22}_{i}\) bits by the XOR operation, and the number of \(\chi ^{22}_{i}\) bits that can be recovered by an n-bit fault is at most 22 ∗ n.

For fault 1 ≤ F ≤ 255 on a byte, the distribution of the number of flipped \(\theta ^{22}_{i}\) bits (i.e., n) is shown in Fig. 7a. We conduct an experiment to find the average number of bits recovered by each fault injected. We randomly generate 105 messages, inject random faults at random positions, and count the recovered \(\chi ^{22}_{i}\) bits for each fault injected. The corresponding results are shown in Fig. 7b, in which the x-axis is the number of recovered \(\chi ^{22}_{i}\) bits, and the y-axis is the corresponding ratio of faults among all 255 faults.
Fig. 7

Distribution of the number of recovered χ i22 bits for single-byte faults

We define the average number of recovered bits for each injected fault as α, and the simulation results of Fig. 7b show that α is about 74.97 for randomly injected single-byte faults. We assume the l th fault can recover ω l new bits of \(\chi ^{22}_{i}\) that have not been recovered by the previous l − 1 faults. We denote the total number of \(\chi ^{22}_{i}\) bits recovered by the first l injected faults as Ω l :
$$ {\Omega}_{l} = \sum\limits_{j=1}^{l} \omega_{j}. $$
(8)
For the l th fault, the previous l − 1 faults have already recovered Ω l−1 bits of \(\chi ^{22}_{i}\); thus, the ratio of unrecovered bits can be denoted as \(\frac {1600-{\Omega }_{l-1}}{1600}\). For random messages and randomly injected faults, we can assume that these 1600 −Ω l−1 bits are randomly distributed in the 1600-bit \(\chi ^{22}_{i}\) state. For SHA-3, we can simplify this problem by assuming that the probability for each bit to be recovered is equal. Thus, for the α bits of \(\chi ^{22}_{i}\) recovered by the l th fault, the number of \(\chi ^{22}_{i}\) bits that have not been recovered by previous l − 1 faults can be denoted as follows:
$$ \omega_{l} = \frac{1600-{\Omega}_{l-1}}{1600} \cdot \alpha $$
(9)
For the first injected fault, there will be no collision and thus ω 1 = α, which is 74.97 for randomly injected single-byte fault according to the results in Fig. 7. Thus, we can plug this result into Eqs. 8 and 9 to emulate the attack process and show the theoretical result in Fig. 8, where the x-axis is the number of random faults injected, and the y-axis is the corresponding total number of \(\chi ^{22}_{i}\) bits recovered. To simulate the attacks on SHA-3, we randomly generate 105 messages and inject 200 random faults at random positions for each message. The experimental attack results are also shown in Fig. 8.
Fig. 8

Recover process

Figure 8 shows that the theoretical result matches the experimental result very well. It also shows that by injecting random errors into \(\theta ^{22}_{i}\), the attacker can recover all the 1600 bits of \(\chi ^{22}_{i}\) using about 120 random faults. Comparing with the attacks on SHA3-384/512 proposed in [22], our method needs much smaller number of faults to recover the whole internal state under relaxed fault models. We also test the theoretical model under random single-bit fault model used in [22], and the experimental result and theoretical result match very well, shown in Fig. 14 in Section 6.

5 Differential Fault Analysis of SHA3-224 and SHA3-256

Section 4 shows the method to identify the injected faults and to recover the internal state \(\chi ^{22}_{i}\) bits for SHA3-384 and SHA3-512. However, these methods cannot be applied to SHA3-224 and SHA3-256 directly, where the χ 23 operation cannot be inverted to obtain the input rows with each output row only partially known. In this section, we show the method to recover \(\chi ^{23}_{i}\) bits first and then use these intermediate state bits to recover \(\chi _{i}^{22}\) of SHA3-224 and SHA3-256. We propose two improved attacks, presented in Section 5.2 and Section 5.3 correspondingly.

5.1 Basic Attacks of SHA3-224 and SHA3-256

For SHA3-224 and SHA3-256, only partial bottom plane of the hash output is observable, i.e., no more than four bits in each row of \(\chi ^{23}_{o}\) on the bottom plane are known. In Section 5.1.1, we show that with limited information, part of \(\chi ^{23}_{i}\) on the bottom plane can still be recovered from the observable digest. Attack details using the recovered \(\chi ^{23}_{i}\) information will be presented in Section 5.1.2.

5.1.1 χ i23 Bits Recovery from the Observable Digest

For simplicity, we use one row in χ 23 operation as an example here. We express the input bits (a i ,b i ,c i ,d i ,e i ) as functions over the output bits (a o ,b o ,c o ,d o ,e o ) through χ −1 operation as follows:
$$ \left\{ \begin{array}{l} a_{i}=a_{o} \oplus \overline{b_{o}} \cdot \left( e_{o} \oplus c_{o} \oplus e_{o} \cdot d_{o} \right) \\ b_{i}=b_{o} \oplus \overline{c_{o}} \cdot \left( a_{o} \oplus d_{o} \oplus a_{o} \cdot e_{o} \right) \\ c_{i}=c_{o} \oplus \overline{d_{o}} \cdot \left( b_{o} \oplus e_{o} \oplus b_{o} \cdot a_{o} \right) \\ d_{i}=d_{o} \oplus \overline{e_{o}} \cdot \left( c_{o} \oplus a_{o} \oplus c_{o} \cdot b_{o} \right) \\ e_{i}=e_{o} \oplus \overline{a_{o}} \cdot \left( d_{o} \oplus b_{o} \oplus d_{o} \cdot c_{o} \right) \end{array}. \right. $$
(10)
For SHA3-256, for each row, bit e o is unknown while (a o ,b o ,c o ,d o ) are observable by the attacker; for SHA3-224, bit e o is unknown for the first 32 rows while both d o and e o are unknown for the remaining 32 rows. For the equations in Eq. 10, we identify the cases where the input bits are independent of the unknown output bits, and have the following observations for SHA3-256:
  • For a i , if d o = 1, \(a_{i}=a_{o} \oplus \overline {b_{o}} \cdot c_{o}\); if b o = 1, a i = a o . For both situations, the attacker can retrieve a i without knowledge of e o . The probability of d o = 1 and the probability of b o = 1 are 0.5, respectively, and thus, the total probability of d o = 1 or b o = 1 is 0.75, which means that the value of a i can be recovered with a probability of 0.75.

  • For b i , if a o = 0, \(b_{i}=b_{o} \oplus \overline {c_{o}} \cdot d_{o}\); if c o = 1, b i = b o . Similarly, the probability of recovering b i with unknown e o is also 0.75.

  • For c i , if d o = 1, c i = c o , and the probability of recovering c i is 0.5.

  • For d i , if c o a o c o b o = 0, d i = d o , and the probability of recovering d i is 0.5.

  • The value of e i always depends on e o , and the attacker cannot retrieve e i without knowledge of e o .

In conclusion, for SHA3-256, the attacker can recover the bits in the first and second lanes of the bottom plane of \(\chi ^{23}_{i}\) with 0.75 probability, and the bits in the third and fourth lanes with 0.5 probability. In total, the attacker can recover 160 bits of \(\chi ^{23}_{i}\) theoretically. Similarly, for SHA3-224, the attacker can use the same method to recover 112 bits of \(\chi ^{23}_{i}\) theoretically.

We propose a practical method to recover \(\chi ^{23}_{i}\) bits. For the same example shown in Eq. 10, while a o ,b o ,c o ,d o are observable by the attacker, the unknown e o can only be either 0 or 1, then we can make guesses of both situations and write them as \(ro{w_{o}^{0}}=\{a_{o}, b_{o}, c_{o}, d_{o}, 0\}\) and \(ro{w_{o}^{1}}=\{a_{o}, b_{o}, c_{o}, d_{o}, 1\}\). For both situations, we can calculate the corresponding input \(ro{w_{i}^{0}}\), \(ro{w_{i}^{1}}\) using χ inversion operation:
$$ \left\{ \begin{array}{l} \{{a^{0}_{i}}, {b^{0}_{i}}, {c^{0}_{i}}, {d^{0}_{i}}, {e^{0}_{i}}\} = \chi^{-1}(\{a_{o}, b_{o}, c_{o}, d_{o}, 0\}) \\ \{{a^{1}_{i}}, {b^{1}_{i}}, {c^{1}_{i}}, {d^{1}_{i}}, {e^{1}_{i}}\} = \chi^{-1}(\{a_{o}, b_{o}, c_{o}, d_{o}, 1\}) \end{array}. \right. $$
(11)
Take bit a i as an example here, the value of a i can only be \({a^{0}_{i}}\) or \({a^{1}_{i}}\):
  1. 1.

    If \({a^{0}_{i}} = {a^{1}_{i}}\), then the value of a i does not depend on the value of e o and this is the correct recovered value for a i .

     
  2. 2.

    If \({a^{0}_{i}} \neq {a^{1}_{i}}\), then the value of a i depends on the value of e o , and attacker cannot recover a i without knowing e i .

     

We implement this method for both SHA3-224 and SHA3-256 in C++ and randomly generate 105 input messages for each of them. Results show that the proposed algorithm can correctly recover 160.12 bits of \(\chi ^{23}_{i}\) for SHA3-256 and 111.84 bits of \(\chi ^{23}_{i}\) for SHA3-224 on average for these 105 trials, which conform to the theoretical results given in the previous section.

Using the above method, the attacker can recover part of the \(\chi ^{23}_{i}\) bits in the bottom plane from the original digest H and faulty \(\chi ^{\prime 23}_{i}\) bits for faulty digest H . Using the recovered \(\chi ^{23}_{i}(X,0,Z)\) and \(\chi ^{\prime 23}_{i}(X,0,Z)\) bits, the attacker can calculate the corresponding Δχ i23(X,0,Z) bits. Note that for SHA3-256, the attacker can recover about 160 bits of both \(\chi ^{23}_{i}(X,0,Z)\) and \(\chi ^{\prime 23}_{i}(X,0,Z)\) on average, but the recovered \(\chi ^{23}_{i}\) and \(\chi ^{\prime 23}_{i}\) may have different locations, and therefore, the attacker will recover fewer than 160 differential bits of \({\Delta } \chi ^{23}_{i}(X,0,Z)\). The simulation results show that attacker can recover 136.42 bits of \({\Delta } \chi ^{23}_{i}\) for SHA3-256 and 93.68 bits for SHA3-224 on average for 105 trials, with more details presented in Table 2.
Table 2

Simulation results for SHA3-224 and SHA3-256 with fault injected at 𝜃 i22

 

Bits recovered

Effective fault ratio

 

\(\chi ^{23}_{i}\)

\({\Delta } \chi ^{23}_{i}\)

 

SHA3-224

111.84

93.68

30.67%

SHA3-256

160.12

136.42

66.61%

SHA3-384/512

320

320

99.13%

5.1.2 Injected Fault Identification and χ i22 Bits Recovery

Using the algorithms in Section 5.1.1, the attacker recovers some bits of \({\Delta } \chi ^{23}_{i}(X,0,Z)\) from the observable output, instead of 320 bits as in other two modes, SHA3-384 and SHA4-512. We use the same method presented before in Section 4.1 to match the recovered \({\Delta } \chi ^{23}_{i}(X,0,Z)\) bits against the fault signatures, and apply the same constraints of Eq. 7 to identify the injected fault. Results show that for SHA3-256, the attacker can uniquely identify the fault with a probability 66.61%. For SHA3-224, the effective fault ratio is 30.67% instead. The results are shown in Table 2.

With the injected fault identified, we use the same method to recover the internal state bits of SHA3-224/256. Simulation results are in Fig. 9. It shows that attacks on SHA3-224 and SHA3-256 are much less efficient than attacks on the other two modes with the digest length higher than 320. The shorter the digest length, the fewer bits of \(FS_{\chi ^{23}_{i}}\) and \({\Delta } \chi ^{23}_{i}\) are available for internal bits recovery, and therefore, each effective fault injection recovers fewer bits of \(\chi ^{22}_{i}\). Nevertheless, with more effective faults injected to recover groups of bits one by one, these two modes are also susceptible to DFA.
Fig. 9

Number of recovered χ i22 bits for different numbers of effective faults

In the next sections, we propose two methods to improve the fault analysis attacks of SHA3-224 and SHA3-256.

5.2 Improve the Attacks by Using both F S χ i23 and F S χ o23

Previous methods all select \(\chi ^{23}_{i}\) as the comparison point for fault signatures and observable differential digest. However, for SHA3-224 and SHA3-256 (d = 224 and 256, respectively), fewer than d bits of \({\Delta } \chi ^{23}_{i}\) are available to the attacker and this will cause information loss in attacks. We find that the fault signature at \(\chi _{o}^{23}\), \(FS_{\chi _{o}^{23}}\), if used, can help to extract extra \(\chi ^{22}_{i}\) bits. This is because all d bits of \({\Delta } \chi ^{23}_{o}\) are available for SHA3-d function; \(FS_{\chi _{o}^{23}}\) can be used with \({\Delta } \chi ^{23}_{o}\) to build constraints similar as in Eq. 7. We show in this section that with the introduction of \(FS_{\chi _{o}^{23}}\) into attacks, both the effective fault ratio and the number of \(\chi ^{22}_{i}\) bits recovered by each effective fault increase.

We first present the construction of \(FS_{\chi ^{23}_{o}}\) in Section 5.2.1 and then give the results of fault identification and internal state recovery in Section 5.2.2.

5.2.1 Fault Signature F S χ o23 Construction

We have known that the fault propagation at \(\chi ^{23}_{i}\), \(FS_{\chi ^{23}_{i}}\), are dependent on both the fault and internal state bits. Through one more step of χ 23 operation on rows, \(a_{o} = a_{i} \oplus (\bar {b_{i}} \cdot c_{i})\), the fault propagation function is as follows:
$$ {\Delta} a_{o} = {\Delta} a_{i} \oplus {\Delta} b_{i} \cdot c_{i} \oplus (1 \oplus b_{i}) \cdot {\Delta} c_{i} \oplus {\Delta} b_{i} \cdot {\Delta} c_{i}. $$
Thus, \(FS_{\chi ^{23}_{o}}(x,y,z)\) can be denoted as Eq. 12, which involves \(\chi ^{23}_{i}\) bits in addition to fault signature bits \(FS_{\chi _{i}^{23}}\).
$$\begin{array}{@{}rcl@{}} FS_{\chi^{23}_{o}}(x,y,z) \!&=&\! FS_{\chi^{23}_{i}}(x,y,z)\ \oplus FS_{\chi^{23}_{i}}(x+1,y,z)\\ &&\!\cdot \chi^{23}_{i}(x+2,y,z) \oplus (1 \oplus \chi^{23}_{i}(x+1,y,z))\\ &&\!\cdot FS_{\chi^{23}_{i}}(x+2,y,z)\\ &&\!\oplus FS_{\chi^{23}_{i}}(x+1,y,z) \cdot FS_{\chi^{23}_{i}}(x+2,y,z) \end{array} $$
(12)

Bits in \(FS_{\chi ^{23}_{o}}\) can be 0, 1, or a function over \(\chi ^{22}_{i}\) and \(\chi ^{23}_{i}\) bits. When comparing \({\Delta } \chi ^{23}_{o}\) (d-bits) against \(FS_{\chi ^{23}_{o}}\), more constraints are considered so as to help identify the fault and recover the internal bits. This improves the attacks in two ways. First, some faults that cannot be identified by the basic attack before can now be uniquely identified, i.e., the effective fault rate increases. Second, with a certain effective fault, more \(\chi ^{22}_{i}\) bits can be recovered because \({\Delta } \chi ^{23}_{o}\) and \(FS_{\chi ^{23}_{o}}\) are used.

Note here we cannot use \({\Delta } \chi ^{23}_{o}\) and \(FS_{\chi ^{23}_{o}}\) only for attacks while excluding using \({\Delta } \chi ^{23}_{i}\) and \(FS_{\chi ^{23}_{i}}\), this is because only part of \(FS_{\chi ^{23}_{o}}\) bits (instead of d bits) are available. The construction of \(FS_{\chi ^{23}_{o}}\) requires knowledge of \(\chi ^{23}_{i}(x,y,z)\) bits which are only partially known. Thus, attacker should combine information at \(\chi ^{23}_{i}\)χ i23, \(FS_{\chi ^{23}_{i}}\)) and \(\chi ^{23}_{o}\)χ o23, \(FS_{\chi ^{23}_{o}}\)) together for analysis.

5.2.2 Simulation Results

We construct the fault signature \(FS_{\chi ^{23}_{o}}\) and run simulations of the improved attacks. Simulation results show that the effective fault rate rises from 30.67 to 49.12% for SHA3-224, and from 53.28 to 78.73% for SHA3-256. The results of internal state recovery for SHA3-224 and SHA3-256 are shown in Fig. 10.
Fig. 10

Number of recovered χ i22 bits for different numbers of effective faults

After involving \(FS_{\chi ^{23}_{o}}\) for attacks, the attack efficiency is improved significantly for both SHA3-224 and SHA3-256. For example, for SHA3-224, the results in Fig. 9 show that the original attack method needs about 200 faults to recover 1300 bits of \(\chi ^{22}_{i}\), while the improved method in this section needs only 82 faults to recover the same number of \(\chi ^{22}_{i}\) bits. It is worth noting that the proposed improved attack does not need any extra knowledge of the target platform, and the generation of fault signature \(FS_{\chi ^{23}_{o}}\) does not need much computation.

5.3 Further Improvement by Injecting Faults at 𝜃 i23

If the attacker can inject faults at multiple points, the attack will achieve higher efficiency. In the previous sections, we assume that the attacker injects only faults at \(\theta ^{22}_{i}\). In this section, we explore another fault injection point, the last round input \(\theta ^{23}_{i}\), and use more faults to recover internal state bits more efficiently.

For the method proposed in Section 5.2, the effective fault ratio and the number of recovered \(\chi ^{22}_{i}\) bits by using the same number of effective injected faults are still lower than attacks on SHA3-384/512. The reason lies in the fact that the attacker can recover fewer bits of \(\chi ^{23}_{i}\) and \({\Delta } \chi ^{23}_{i}\) for SHA3-224 and SHA3-256 than SHA3-384/512 (320 bits). To improve the attack efficiency, we propose to recover more \(\chi ^{23}_{i}\) bits first, by injecting faults at the last round input \(\theta ^{23}_{i}\) of SHA3-224 and SHA3-256.

We first present the details of recovering \(\chi ^{23}_{i}\) bits in Section 5.3.1 and then present the recovery of \(\chi ^{22}_{i}\) bits for this improved attack in Section 5.3.2.

5.3.1 Recovering More χ i23 by Injecting Faults at 𝜃 i23

To recover \(\chi ^{23}_{i}\) bits by injecting faults at \(\theta ^{23}_{i}\) and comparing fault signature and differential fault at \(\chi ^{23}_{o}\), we need to calculate the fault propagation from \(\theta ^{23}_{i}\) to \(\chi ^{23}_{o}\). These faults will propagate through 𝜃, ρ, π, and χ operations. The fault propagation process is exactly the same as in the penultimate round (from \(\theta ^{22}_{i}\) to \(\chi ^{22}_{o}\)) as presented in Section 3.2.1. We denote the fault signature at \(\chi ^{23}_{o}\) for faults injected at \(\theta ^{23}_{i}\) as \(FS^{*}_{\chi ^{23}_{o}}\) in this section.

Using the faults injected at \(\theta ^{23}_{i}\), the attacker can recover some remaining bits of \(\chi ^{23}_{i}\) on the bottom plane that have not been recovered using the algorithm in Section 5.1.1. Note here that for SHA3-256 and the first 32 rows of SHA3-224 (with four bits out of five bits of each output row on the bottom plane known and some input bits (not all the five) recovered), if the attacker recovers one bit \(\chi ^{23}_{i}(x,0,z)\) that has not been recovered using the algorithm in Section 5.1.1, he can recover all the other unknown bits in this input row. For example, we assume \({a^{0}_{i}} \neq {a^{1}_{i}}\) in Eq. 11 and this bit has been recovered by injecting faults at \(\theta ^{23}_{i}\), then the attacker can know which assumption of e o is correct and then recover all the five bits in this row. This method can be used for all 64 rows in the bottom plane of SHA3-256 and the first 32 rows of SHA3-224. In SHA3-224, the remaining rows (χ i23(X,0,z), 32 ≤ z < 63) have two bits unknown, and these two bits can only be recovered by injecting faults at \(\theta ^{23}_{i}\) separately.

We use both fault signatures at \(\chi ^{23}_{i}\) (F S χ i23∗) and \(\chi ^{23}_{o}\) (F S χ o23∗) to identify the faults injected at \(\theta ^{23}_{i}\). Results show that for both SHA3-224 and SHA3-256, we can identify the correct fault injected at \(\theta ^{23}_{i}\) with about 20% probability. After identifying the correct faults injected at \(\theta ^{23}_{i}\), we can recover all 320 bits in the bottom plane of \(\chi ^{23}_{i}\) with multiple faults, and we present the recovery process in Fig. 11.
Fig. 11

Recovery of χ i23 bits in the bottom plane by injecting faults at 𝜃 i23

Figure 11 shows that for SHA3-256, the attacker can recover about 244 bits of \(\chi ^{23}_{i}\) using only five effective faults, compared with 160 bits when no faults injected at \(\theta ^{23}_{i}\) (Table 2). Similar results for SHA3-224 are also presented in Fig. 11. Note that the attacker does not need to recover all the bits of \(\chi ^{23}_{i}\) in the bottom plane, he can recover part of \(\chi ^{23}_{i}\) to improve the efficiency of recovering \(\chi ^{22}_{i}\). We will show how the recovery of \(\chi ^{22}_{i}\) changes with the number of \(\chi ^{23}_{i}\) bits recovered in the next section.

5.3.2 Simulation Results

With more \(\chi ^{23}_{i}\) bits recovered, the attacker can recover and construct more bits of \({\Delta } \chi ^{23}_{i}\) and \(FS_{\chi ^{23}_{o}}\), and use them for attacks. For simplicity, we make the following assumptions for the attacker:
  • The attacker first recovers part of \(\chi ^{23}_{i}\) bits using algorithm presented in Section 5.1.1 (with no fault injected at \(\theta ^{23}_{i}\)).

  • The attacker then injects faults at \(\theta ^{23}_{i}\) to recover the remaining bits of \(\chi ^{23}_{i}\).

For simplicity, we assume the attacker can randomly recover from 0 to 64 rows of \(\chi ^{23}_{i}\) using the algorithm in Section 5.1.1. For each number of recovered rows, we inject random faults at \(\theta ^{22}_{i}\) to calculate the effective fault ratio and show the results in Fig. 12.
Fig. 12

Effective fault ratio with different numbers of χ i23 rows recovered

Figure 12 shows that with more rows of \(\chi ^{23}_{i}\) recovered, the attacker can identify the faults injected at \(\theta ^{22}_{i}\) with higher rate. For example, for SHA3-224, the effective fault ratio is 53.28% when only part of \(\chi ^{23}_{i}\) bottom plane has been recovered using the algorithm in Section 5.1.1, and this ratio rises to 88.34% when all 64 rows (320 bits) of \(\chi ^{23}_{i}\) bottom plane are recovered. Therefore, by recovering more bits of \(\chi ^{23}_{i}\) in the bottom plane, the effective fault ratio will increase for both SHA3-224 and SHA3-256.

With knowledge of more \(\chi ^{23}_{i}\) bits, the attacker can build more equations for \(\chi ^{22}_{i}\) bits like in Fig. 6, then the attacker can recover more \(\chi ^{22}_{i}\) bits for each injected fault on average. To verify the assumption, we assume the attacker can recover from 0 to 64 rows of \(\chi ^{23}_{i}\), and we run attacks on SHA3-224 and SHA3-256 to recover all the bits of \(\chi ^{22}_{i}\). We present the attack results on SHA3-224 with different numbers of rows recovered in Fig. 13. For SHA3-256, the results are similar, and we will not present the details here.
Fig. 13

Number of recovered χ i22 bits for different numbers of effective faults with a number of χ i23 rows recovered, SHA3-224

Figure 13 shows that the attacker needs smaller number of effective faults to recover all the bits of \(\chi ^{22}_{i}\) if he has recovered more rows of \(\chi ^{23}_{i}\). For example, if he has knowledge of the whole bottom plane of \(\chi ^{23}_{i}\), he can recover 1590 bits of \(\chi ^{22}_{i}\) using 110 effective random faults on average. For attacker who cannot inject fault into the last round input, using the improved method in Section 5.2.1, he can only recover about 1412 bits (using 110 effective faults) instead.

In conclusion, by injecting faults at \(\theta ^{23}_{i}\) to recover more state bits of \(\chi ^{23}_{i}\), the attacker can identify the faults injected at \(\theta ^{22}_{i}\) with a higher rate. Consequently, the attacker needs a smaller number of effective faults to recover the same number of \(\chi ^{22}_{i}\) bits.

As the improved attack method in Section 5.2 does not require extra knowledge of the target system, it should be applied to DFA directly, while the improvement proposed in this section can be applied if the attacker has the ability to inject extra faults at \(\theta ^{23}_{i}\).

6 Optimized Attacks with Chosen Faults

In this section, we show an algorithm to optimize the attack if the injected faults (in terms of faulty byte location and fault value) can be controlled.

As shown in the previous sections, injecting an n-bit fault into \(\theta ^{22}_{i}\) can recover up to 22 ∗ n bits of \(\chi _{i}^{22}\), and different faults may have overlapping \(\chi _{i}^{22}\) bits. The most efficient attack method should avoid such overlap and use the smallest number of faults to recover the entire internal state. In this section, we show an optimized attack with the smallest number of faults into \(\theta ^{22}_{i}\) to recover all the bits of \(\chi _{i}^{22}\). This optimization is based on SHA3-384/512 for simplicity, and it can be easily extended to SHA3-224 and SHA3-256.

We formulate this problem into a set covering problem [29]. We assume the attacker can inject n different faults into \(\theta ^{22}_{i}\), denote them as F = {f 1,f 2,⋯ ,f n }, and the bits to recover is a universe U for all the \(\chi _{i}^{22}\) bits. For each fault f i , it can be used to recover a subset of U and we denote it as U i , where U 1,U 2,⋯ ⊆ U, and we denote the cost to inject fault f i as c i . The problem is to find a set of I ⊆{1,2,⋯ ,n} that minimize the total cost Σ iI c i and ∪ iI U i = U. The set covering problem is an NP-hard problem. We adopt a greedy heuristic to find solutions, given in Algorithm 1.
Each time, the algorithm chooses a set that gives the highest gain (number of new bits), and we assume that the cost for each set/fault injection is the same (all c i = 1). We use this algorithm to find the “best” fault injection solutions under our byte-level fault model, and the result is shown in Fig. 14a. It demonstrates that for DFA with byte-level faults, the attacker needs to inject at least 17 faults to recover all the 1600 bits of \(\chi ^{22}_{i}\), while random fault injection attacks require about 120 faults to retrieve all the bits for SHA3-384/512.
Fig. 14

Optimized fault injection attacks at byte level

We also use the method and algorithm to analyze the DFA on SHA-3 under single-bit fault model used in [22]. Three curves are presented in Fig. 14b: the random fault injection experimental result, the random fault injection theoretical prediction, and the optimized attack using the greedy heuristic. Under the single-bit fault model, each fault injected at \(\theta ^{22}_{i}\) can be used to recover 22 bits of \(\chi ^{22}_{i}\), and thus, α = 22 for the theoretical result. Figure 14b shows that the theoretical result matches the simulation result for random fault injection very well. It also shows that the attacker needs to inject at least 129 single-bit selected faults to recover all the 1600 bits of \(\chi ^{22}_{i}\), while he needs about 500 single-bit random faults to recover the state.

The optimized attack we present in this section is the lower bound of the proposed differential fault attacks. For SHA3-224 and SHA3-256, similar method can be used to find the lower bound of the attacks.

7 Discussions

7.1 SHA-3 Systems with Long Input Message

In the previous sections, we simplify the analysis by assuming that only one f function is involved for absorbing and squeezing. In this section, we extend the proposed attack by assuming that the size of the input message can be larger than the bitrate r. Meanwhile, we assume that the digest size can be larger than r, instead of just d bits for SHA3-d function. Therefore, multiple f functions may be involved for absorbing and squeezing.

First of all, we assume that the digest size is still d-bit for SHA3-d function:
  • There are n (n ≥ 1) f functions (f 0f n−1) involved for absorbing.

  • There are m (m ≥ 0) f functions (f n f n + m−1) involved for squeezing, as r > d for all four SHA3-d functions, no extra f function will be involved for squeezing (m = 0).

  • The attacker has control of the input message part of P 0P n−1 in MAC mode, while he has no access to the messages when SHA-3 is used in hash mode.

  • The attacker can observe the digest z 0z m in both hash and MAC modes.

For MAC-Keccak system, the attacker can inject faults into the penultimate round input of the last permutation f n−1 and use the proposed method in this paper to recover the input of f n−1, f n−1(i n). Combining with P n−1, the attacker can recover f n−2(i n). There are two possible situations for the key length l k here:
  • If l k r, the attacker can iteratively recover P 0 which contains the key used for MAC and, therefore, recover the secret key.

  • If l k > r, for example, all the bits of P 0 and part of P 1 bits are key bits, then the attacker can recover f 1(i n), which is
    $$ f_{1}(in) = f(P_{0} || 0^{c}) \oplus (P_{1} || 0^{c}), $$
    (13)
    then the attacker will be unable to recover the key bits contained in P 0 and P 1 directly. The attacker needs to make assumption of the key bits in P 1 so as to recover the key bits in P 0. The difficulty increases rapidly with the number of the key bits in P 1.

As the key size in MAC system is usually much smaller than r (for example, 128 bits or 256 bits), the proposed DFA is a great threat for SHA-3-based MAC systems. We propose to increase the length of MAC key for higher resilience against fault injection attacks.

For SHA-3 system in general hash mode, the attacker will have no access to the input message P 0P n−1. Therefore, after recovering f n−1(i n), he will be unable to further recover f n−2(o u t) without knowledge of P n−1. Thus, the attacker will be unable to recover the original input message in hash mode directly if the message length is greater than bitrate r.

For modified SHA-3 system which allows the digest size larger than d, there may be extra f functions involved for squeezing, and the digest comes from multiple z i . As all the z i are observable, z 0 will be used to attack f n−1. The length of z 0 will be r-bit, which is 1152-, 1088-, 832-, and 576-bit for SHA3-224, SHA3-256, SHA3-384, and SHA3-512, respectively. More bits than original (224-, 256-, 384-, and 512-bit) are available, and the attacks become easier. In conclusion, the proposed DFA method is still applicable for SHA-3 systems which involve extra f functions for squeezing.

7.2 Countermeasure Against Differential Fault Analysis

As unprotected SHA-3 systems are vulnerable to DFAs, countermeasures should be added into SHA-3 systems to improve their resilience against DFA.

One method is to implement detection of system disturbance which are used to inject faults. For example, a clock glitch and power supply disturbance detection module [30, 31] can be inserted into SHA-3 implementations to detect fault injections.

Another kind of widely used countermeasures relies on some redundancy to check the integrity of the intermediate results, such that errors caused by injected faults will be detected. For example, parity checking codes are used to detect the injected faults in SHA-3 [32]. Similarly, another copy of modified Keccak implementation can be introduced into the system for error detection [33, 34]. Such schemes can detect errors in the system caused by injected faults, and thus, the attacker will have no access to the faulty results to conduct DFA.

8 Conclusion and Future Work

In this paper, we propose efficient DFA methods for all four modes of SHA-3 functions under relaxed single-byte fault models. Results show that our method can effectively identify the injected faults and then recover the corresponding internal state bits for all four SHA-3 functions. Meanwhile, we also present the lower bound of the proposed attacks and extend the attacks to systems with input message longer than bitrate r.

The proposed method can possibly be applied to other relaxed fault models. Under the word (16-bit) fault model, the effective fault ratio is much lower for SHA3-384/512, but the attacks can still work, while it cannot identify any effective fault for SHA3-224 and SHA3-256. Our future work will address attacks on SHA3-224 and SHA3-256 under more relaxed 16-bit and 32-bit fault models. Another line of future work would include more efficient and effective methods to protect SHA-3 platforms against fault injection attacks.

Notes

Acknowledgements

This work was supported in part by the National Science Foundation under grants SaTC-1314655 and MRI-1337854. Simulation code used in this paper is available at http://tescase.coe.neu.edu/.

References

  1. 1.
    Bertoni G, Daemen J, Peeters M, Assche G (2011) The Keccak reference. Submission to NIST (Round 3) JanuaryGoogle Scholar
  2. 2.
    Pub NF, FIPS PUB (2015) 202. SHA-3 standard: permutation-based hash and extendable-output functions Federal Information Processing Standards PublicationGoogle Scholar
  3. 3.
    Biham E, Shamir A (1997) Differential fault analysis of secret key cryptosystems. In: Advances in Cryptology – CRYPTO, pp 513–525Google Scholar
  4. 4.
    Piret G, Quisquater J-J (2003) A differential fault attack technique against SPN structures, with application to the AES and KHAZAD. In: 5th International Wkshp on Cryptographic Hardware and Embedded Systems, Cologne, Germany, pp 77–88Google Scholar
  5. 5.
    Chen H, Wu W, Feng D (2007) Differential fault analysis on CLEFIA. In: 9th International Conference on Information and Communications Security, Zhengzhou, China, pp 284–295Google Scholar
  6. 6.
    Karmakar S, Chowdhury DR (2013) Differential fault analysis of MICKEY-128 2.0. In: Wkshp on Fault Diagnosis and Tolerance in Cryptography, pp 52–59Google Scholar
  7. 7.
    Banik S, Maitra S (2013) A differential fault attack on MICKEY 2.0. In: 15th International Wkshp on Cryptographic Hardware and Embedded Systems, Santa Barbara, CA, USA, pp 215–232Google Scholar
  8. 8.
    Banik S, Maitra S, Sarkar S (2012) A differential fault attack on the Grain family of stream ciphers. In: 14th International Wkshp on Cryptographic Hardware and Embedded Systems, Leuven, Belgium, pp 122–139Google Scholar
  9. 9.
    Dey P, Chakraborty A, Adhikari A, Mukhopadhyay D (2015) Improved practical differential fault analysis of Grain-128. In: Proceedings of the 2015 Design, Automation & Test in Europe Conference & Exhibition, pp 459–464Google Scholar
  10. 10.
    Hemme L, Hoffmann L (2011) Differential fault analysis on the SHA1 compression function. In: Wkshp on Fault Diagnosis and Tolerance in Cryptography, pp 54–62Google Scholar
  11. 11.
    Altawy R, Youssef AM (2015) Differential fault analysis of Streebog. In: 11th International Conference on Information Security Practice and Experience, Beijing, China, pp 35–49Google Scholar
  12. 12.
    Li W, Tao Z, Gu D, Wang Y, Liu Z, Liu Y (2013) Differential fault analysis on the MD5 compression function. J Comput 8(11):2888–2894Google Scholar
  13. 13.
    Fischer W, Reuter CA (2012) Differential fault analysis on Grøstl. In: Wkshp on Fault Diagnosis and Tolerance in Cryptography, pp 44–54Google Scholar
  14. 14.
    Boura C, Canteaut A (2010) A zero-sum property for the KECCAK-f permutation with 18 rounds. In: IEEE International Symposium on Information Theory, pp 2488–2492Google Scholar
  15. 15.
    Das S, Meier W (2014) Differential biases in reduced-round Keccak. In: Progress in Cryptology – AFRICACRYPT 2014: 7th International Conference on Cryptology in Africa, Marrakesh, Morocco, pp 69–87Google Scholar
  16. 16.
    Dinur I, Dunkelman O, Shamir A (2013) Collision attacks on up to 5 rounds of SHA-3 using generalized internal differentials. In: 20th International Workshop on Fast Software Encryption, Singapore, pp 219–240Google Scholar
  17. 17.
    Dinur I, Morawiecki P, Pieprzyk J, Srebrny M, Straus M (2015) Cube attacks and cube-attack-like cryptanalysis on the round-reduced Keccak sponge function. In: Advances in Cryptology – EUROCRYPT: 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, pp 733–761Google Scholar
  18. 18.
    Luo P, Fei Y, Fang X, Ding A, Kaeli DR, Leeser M (2015) Side-channel analysis of MAC-Keccak hardware implementations. In: Proceedings of the Fourth Wkshp on Hardware and Architectural Support for Security and PrivacyGoogle Scholar
  19. 19.
    Morawiecki P, Pieprzyk J, Srebrny M (2013) Rotational cryptanalysis of round-reduced Keccak. In: 20th International Wkshp on Fast Software Encryption, Singapore, pp 241–262Google Scholar
  20. 20.
    Naya-Plasencia M, Röck A, Meier W (2011) Practical analysis of reduced-round Keccak. In: Progress in Cryptology – INDOCRYPT 2011: 12th International Conference on Cryptology in India, Chennai, India, pp 236–254Google Scholar
  21. 21.
    Taha M, Schaumont P (2013) Side-channel analysis of MAC-Keccak. In: IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), pp 125–130Google Scholar
  22. 22.
    Bagheri N, Ghaedi N, Sanadhya S (2015) Differential fault analysis of SHA-3. In: Progress in Cryptology – INDOCRYPT 2015: 16th International Conference on Cryptology in India, Bangalore, India, pp 253–269Google Scholar
  23. 23.
    Luo P, Fei Y, Zhang L, Ding A (2016) Differential fault analysis of SHA3-224 and SHA3-256. In: Thirteenth Wkshp on Fault Diagnosis and Tolerance in CryptographyGoogle Scholar
  24. 24.
    Daemen J (1995) Cipher and hash function design strategies based on linear and differential cryptanalysis, Ph.D. dissertation, Doctoral Dissertation, March 1995 KU LeuvenGoogle Scholar
  25. 25.
    Bertoni G, Daemen J, Peeters M, Van Assche G (2011) Cryptographic sponge functions, Submission to NIST (Round 3)Google Scholar
  26. 26.
  27. 27.
    Pessl P, Hutter M (2013) Pushing the limits of SHA-3 hardware implementations to fit on RFID. In: 15th International Wkshp on Cryptographic Hardware and Embedded Systems, Santa Barbara, CA, USA, pp 126–141Google Scholar
  28. 28.
    Bertoni G, Daemen J, Peeters M, Van Assche G, Van Keer R (2012) Keccak implementation overview, Report, STMicroelectronics. Antwerp, BelgiumGoogle Scholar
  29. 29.
    Karpinski M, Zelikovsky A (1998) Approximating dense cases of covering problems. In: DIMACS Wkshp on Network Design: Connectivity and Facilites Location, pp 169–178Google Scholar
  30. 30.
    Bowman KA, Tokunaga C, Tschanz JW, Raychowdhury A, Khellah MM, Geuskens BM, Lu S-LL, Aseron PA, Karnik T, De VK (2011) All-digital circuit-level dynamic variation monitor for silicon debug and adaptive clock control. IEEE Trans Circuits Syst Regul Pap 58(9):2017–2025CrossRefMathSciNetGoogle Scholar
  31. 31.
    Luo P, Luo C, Fei Y (2016) System clock and power supply cross-checking for glitch detection, Cryptology ePrint Archive Report 2016/968Google Scholar
  32. 32.
    Luo P, Li C, Fei Y (2016) Concurrent error detection for reliable SHA-3 design. In: 26th edition on Great Lakes Symposium on VLSI, pp 39–44Google Scholar
  33. 33.
    Luo P, Zhang L, Fei Y, Ding A (2016) An improvement of both security and reliability for Keccak implementations on smart card, Cryptology ePrint Archive Report 2016/214Google Scholar
  34. 34.
    Bayat-Sarmadi S, Mozaffari-Kermani M, Reyhani-Masoleh A (2014) Efficient and concurrent reliable realization of the secure cryptographic SHA-3 algorithm. IEEE Trans Comput Aided Des Integr Circuits Syst 33 (7):1105–1109CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. 1.Department of Electrical and Computer EngineeringNortheastern UniversityBostonUSA
  2. 2.Department of MathematicsNortheastern UniversityBostonUSA

Personalised recommendations