Differential Fault Analysis of SHA3 Under Relaxed Fault Models
 554 Downloads
Abstract
Keccakbased algorithms such as Secure Hash Algorithm3 (SHA3) will be widely used in cryptosystems, and evaluating their security against different kinds of attacks is vitally important. This paper presents an efficient differential fault analysis (DFA) method on all four modes of SHA3 to recover an entire internal state, which leads to message recovery in the regular hashing mode and key retrieval in the message authentication code (MAC) mode. We adopt relaxed fault models in this paper, assuming the attacker can inject random singlebyte faults into the penultimate round input of SHA3. We also propose algorithms to find the lower bound on the number of fault injections needed to recover an entire internal state for the proposed attacks. Results show that on average, the attacker needs about 120 random faults to recover an internal state, while he needs 17 faults at best if he has control of the faults injected. The proposed attack method is further extended for systems with input messages longer than the bitrate.
Keywords
SHA3 Keccak Differential fault analysis Hardware security1 Introduction
Keccak, a family of sponge functions, can be used to build various security modules widely used in cryptosystems, including hash function, symmetric cryptographic function, pseudorandom number generator, and authenticated encryption [1]. The new Secure Hash Algorithm (SHA)3 standard [2] is based on Keccak. Two candidates for CAESAR (Competition for Authenticated Encryption: Security, Applicability, and Robustness), Ketje and Keyak, are also built upon Keccak. Therefore, the security of Keccak against different kinds of attacks is critical to security system design. In this paper, we use SHA3 as an example for the security analysis of Keccak and present an efficient differential fault analysis (DFA) method on all four modes of SHA3 function.
DFA is a powerful and efficient attack method, which utilizes the dependency of the faulty output on the internal intermediate variables to recover the secret. DFA has been used to break many cryptographic algorithms. For example, it has been used to extract the secret key of symmetric ciphers. It was first introduced to conquer the Data Encryption Standard (DES) algorithm [3], and later it was used to break the Advanced Encryption Standard (AES) [4]. Many other ciphers have also been hacked by DFA, including CLEFIA [5], Mickey [6, 7], and Grain [8, 9].
Some existing hash standards have been evaluated against DFA attacks, including SHA1 [10], Streebog [11], MD5 [12], and GrøStl [13]. For hash functions in general usage, DFA can be used to retrieve the original message. For example, it is found in [12] that on average, 144 random faults are required for MD5 in order to discover the input message block. For GrøStl algorithm, on average, 280 singlebit faults are needed to invert each compression step. When hash functions are used in the message authentication code (MAC) mode with a secret key, DFA also becomes an effective method to recover the key and then generate forgery messages and corresponding MACs against authentication. For example, in [10], the input of SHA1, including the secret key and message, is fully extracted with about 1000 random faults. For Streebog, an average number of faults that varies between 338 and 1640 is required to recover the secret key for different MAC settings [11]. When GrøStl is used in a keyed hash function, about 300 faults are needed to retrieve the secret key [13].
Previous works on Keccak mainly focus on sidechannel power analysis and cryptanalytic collision attacks [14, 15, 16, 17, 18, 19, 20, 21]. To the best of our knowledge, only one work about DFA on SHA3 has been published before us [22]. In [22], a singlebit fault model is used , and only two modes of SHA3 with longer digest length, namely SHA3384 and SHA3512, have been discussed. Injection of singlebit faults into cryptosystems requires higher control precision and sometimes invasive methods like laser emission, which are costly and also less effective as the technology scales down. Typical noninvasive fault injection methods, such as clock glitches and supply voltage variation, are more general and would affect a group of bits in intermediate states all together, i.e., inducing bytelevel faults. Our previous work [23] extends DFA to the other two modes of SHA3 with shorter digest length, SHA3224 and SHA3256, under a relaxed singlebyte fault model. It analyzes fault propagation of SHA3 under bytelevel fault injection and proposes two different ways to address the issue of short observable digests in SHA3224 and SHA3256.

We introduce the concept of fault propagation into DFA of SHA3, and this formal method will ensure the extendability of proposed DFA.

We extend DFA on SHA3 from singlebit fault model to more relaxed fault models and from two SHA3 functions with longer digest to all four of them. For example, we can break all four SHA3 functions under singlebyte fault model and break SHA3384 and SHA3512 under 16bit fault model in this work.

An optimization method with heuristics is proposed, and this method can be used to optimize DFA so that the proposed method can use the fewest chosen faults to recover the internal state.

Discussion about how variable key and message length will affect DFA is given.
We simulate all the proposed methods for all four modes of SHA3. Results show that, for SHA3384 and SHA3512, about 120 random singlebyte faults are needed to recover an entire internal state, while about 500 singlebit random faults are needed in previous work [22]. When the fault injection can be controlled, our simulation results of the heuristics show that only 17 selected singlebyte faults and 129 selected singlebit faults are required to recover the internal state, under the two different fault models, respectively. Our attack method can break SHA3224 and SHA3256 as well, while the numbers of required random effective faults are about 250 and 150, respectively.
The rest of this paper is organized as follows. In Section 2, we present the basic knowledge of SHA3 that will be used in this paper and describe the fault models. In Section 3, we analyze the fault propagation process in SHA3 and construct the fault signatures. In Section 4, we present the attack on SHA3384 and SHA3512 using the proposed fault signature method under the relaxed fault models. In Section 5, we extend the attack to SHA3224 and SHA3256, and show the method to further improve the attack efficiency. In Section 6, we propose a heuristic algorithm to improve the efficiency of the DFA with more control of the faults injected and derive the lower bound on the number of fault injections needed for the proposed attacks. In Section 7, we discuss attacks on SHA3 systems with the input message size larger than the bitrate, and the protection of SHA3 systems against DFAs. Finally, we conclude the paper in Section 8.
2 Preliminaries of SHA3 and Differential Fault Analysis
2.1 Preliminaries of Keccak Hash Function
We also define vectors X = [0 : 4], Y = [0 : 4], and Z = [0 : 63] to stand for multiple bits in one row, column, and lane, respectively. For example, we can denote the bottom plane of state S (320 bits) as S(X,0,Z). Note that coordinates x and y are modular of 5 while z is modular of 64.
The number of f functions in the absorbing phase is determined by the message size, and the digest size (d in Keccakf[1600, d]) will decide the number of f function in the squeezing phase together with bitrate r. SHA3 family consists of four digest size (d = 224,256,384,512), namely SHA3224, SHA3256, SHA3384, and SHA3512 [2]. We will discuss all four SHA3 functions under relaxed fault models in this paper. Note here that for SHA3d function, c = 2d and r + c = 1600.
In this paper, we first simplify the setting by assuming that the length of the input message is smaller than the bitrate r, and as r > d holds for all four modes of SHA3 function, there will be only one f function involved for absorbing and squeezing. In Section 7, we will extend the attacks for input messages with variable length, in which multiple f functions will be involved.
 𝜃 is a linear operation which involves 11 input bits and outputs a single bit. Each output state bit is the XOR between the input state bit and two neighbor columns. We denote the input of 𝜃 as 𝜃 _{ i } while the output as 𝜃 _{ o }, and the operation is given as follows:$$\begin{array}{@{}rcl@{}} \theta_{o}(x,y,z) = \theta_{i}(x,y,z) & \oplus& (\oplus_{y=0}^{4} \theta_{i}(x1,y,z))\\ & \oplus& (\oplus_{y=0}^{4} \theta_{i}(x+1,y,z1)). \end{array} $$

ρ is a rotation over the state bits along zaxis.

π is a permutation over the state bits within slices.
 χ is a nonlinear step that contains mixed binary operations over state bits in rows. Each bit of the output state is the result of an XOR between the corresponding input state bit and its two successive bits along the xaxis:The χ operation is reversible, and each χ _{ i } bit can be expressed in below formula which involves all five bits of χ _{ o } in a row [1, 24]:$$\begin{array}{@{}rcl@{}} \chi_{o}(x,y,z) &=& \chi_{i}(x,y,z) \oplus (\overline{\chi_{i}(x+1,y,z)} \\&&\cdot \chi_{i}(x+2,y,z)). \end{array} $$$$\begin{array}{@{}rcl@{}} &&\chi_{i} (x,y,z) = \chi_{o}(x,y,z) \oplus \overline{\chi_{o}(x+1,y,z)} \cdot (\chi_{o}(x\,\,1,y,z)\!\\ &&\oplus \chi_{o}(x+2,y,z) \oplus \chi_{o}(x1,y,z) \cdot \chi_{o}(x+3,y,z) ). \end{array} $$(2)

ι is a binary XOR with a round constant.
When SHA3 is used in general hash mode, the goal is to recover the input message, and when SHA3 is used in MAC mode, the goal is to recover the authentication key.
2.2 Notations and Data Structure
For one f function, if the whole internal state \(\chi ^{22}_{i}\) is recovered, the input of SHA3, S _{0}, can be recovered because all five operations in Keccak are reversible. We will extend the attacks to SHA3 systems with multiple f functions in Section 7.1.
For commonly used SHA3 implementations, data structures are organized along each lane [26, 27]. There are two commonly used implementation methods for Keccak, noninterleaved and interleaved implementation [28]. One byte is eight consecutive bits in one lane for noninterleaved implementations. Bit interleaving is a technique to put the bits in even positions and odd positions of one lane into separate words (bytes) for more efficient implementation.
For interleaved and noninterleaved implementations, different bit organization structures in a byte or word will result in different fault propagation characteristics. As bit interleaving technique has been widely used in SHA3 implementations in embedded cryptographic systems [26, 27], we will evaluate both of these two implementations in our work. We refer to the source code provided online [26] for all implementations and simulations in this paper.
2.3 The Fault Model Used in This Paper

The attacker can inject faults into one byte of the penultimate round input \(\theta _{i}^{22}\).

The attacker has no control on either the position (which byte) or the value of the injected faults.

The attacker can only observe the correct and faulty SHA3 digest outputs, H and H ^{′}, which are dbit instead of 1600 bits.

The attacker can inject multiple random faults into the same input message for different execution runs.
Besides singlebyte fault model, we will also check our method under singleword (16bit) fault model. As the singlebit fault model used in [22] is just a special case of the singlebyte fault model, we will also check attack results under that model.
3 Fault Propagation and Fault Signature
Generally, because of confusion and diffusion properties in cryptooperations, any bit flip at the input message will affect all the bits at the output under perfect randomness and the fault analysis would not work. For SHA3, the path from the fault injection point (𝜃 i22) to the observable output (H) is not very long—only two rounds of operations, and therefore, different faults injected will cause different patterns at the differential output ΔH = H ⊕ H ^{′}. We call such differential patterns as fault signature (FS) in this paper. Different fault signatures can be used to identify the injected fault and then recover the internal state bits.
Different from previous cryptosystems like AES and DES, which are organized and operated in several modules (like 8bit bytes), Keccak is organized at bit level and operations are performed on bits. For block ciphers like AES, the attacker can observe the differential output of 16 bytes to identify the injected fault positions and values. It has been shown in [22] that differential output of SHA3 has much more complicated characteristics, and therefore, DFA methods for previous block ciphers cannot be applied to Keccakbased functions. In this section, we show the fault propagation process in SHA3 and extract the fault signature for each possible injected fault.
3.1 Observable Hash Digest
For SHA3224 and SHA3256, only a partial bottom plane of the output of the f function is observed, and therefore, χ ^{23} cannot be inverted directly, according to Eq. 2. For SHA3224 and SHA3256, we present corresponding attack methods in Section 5.
3.2 Fault Signature Generation
For singlebyte fault model, any internal state of Keccakf[1600, d] is composed of 200 bytes (0 ≤ P < 200), and the fault value (F, defined as the differential of the state byte of the penultimate round input) ranges from 1 to 255, where for each bit of F, 0 means the corresponding state bit does not change, and 1 means the state bit flips. For example, F = 1 means the lowest bit of the state byte flips. For any possible fault (F) at any one of the 200 positions (P), we denote the corresponding fault signature at \(\chi ^{23}_{i}\) as \(FS_{\chi ^{23}_{i}}[P][F]\). Without further specification, all fault signatures are 1600 bits, standing for the 1600 differential bits of the state caused by the fault F injected at byte P of \(\theta ^{22}_{i}\).

Operations that will not change bit values of fault signatures, including bit rotation operations ρ and π that only change the bit positions, and constant number addition operation ι.

Operations that will change the bit values of fault signatures, which involve multiple bits to generate a single output bit, namely 𝜃 and χ. There is also difference between these two operations: 𝜃 is linear (only consisting of XOR operations) while χ is nonlinear (consisting of operations AND and NOT).
In the first kind of operations, for ρ and π, faults at the input will go through the operation (position permutation) directly and propagate to the output, i.e., Δρ _{ o } = ρ(Δρ _{ i }) and Δπ _{ o } = π(Δπ _{ i }). For operation ι, the fault does not change at all, i.e., Δι _{ o } = Δι _{ i }.
For the second kind of operations, one output bit is generated from multiple input bits. For 𝜃 ^{22} operation, one singlebit fault \({\Delta } \theta ^{22}_{i}(x,y,z)\) will propagate to 11 bits of \(\theta ^{22}_{o}\), with their differential denoted as \({\Delta } \theta ^{22}_{o}(x,y,z)\), \({\Delta } \theta ^{22}_{o}(x+1,Y,z)\), and \({\Delta } \theta ^{22}_{o}(x1,Y,z+1)\), which are on the state bit and its two neighbor columns in different sheets. For the singlebyte fault model, all the faulty bits are in the same lane of \(\theta ^{22}_{i}\). With 𝜃 operation, no \(\theta ^{22}_{o}\) bit will involve more than one faulty bit. Thus, for 𝜃 ^{22}, we have \({\Delta } \theta ^{22}_{o} = \theta ({\Delta } \theta ^{22}_{i})\).
We next analyze fault propagation of χ ^{22} and 𝜃 ^{23} in the following section respectively.
3.2.1 Fault Propagation in χ ^{22}  F P _{ χ }
χ is the only nonlinear operation in Keccak, and its AND operation leaks information of its input state bits with fault(s) on χ _{ i }. Under the singlebit fault model in [22], no more than one bit will be polluted in each row of \(\chi ^{22}_{i}\), as also shown in Fig. 4 for vectors \({\Delta } \chi ^{22}_{i}(X, y, z)\). For the relaxed models used in this paper, multiple bits may be polluted in one row of \(\chi ^{22}_{i}\). In this section, we present the general fault propagation of multibit faults in χ operation.
Denote five bits in one row of χ input as {a _{ i },b _{ i },c _{ i },d _{ i },e _{ i }}, then five bits of corresponding χ _{ o } output row can be denoted as \(a_{o} = a_{i} \oplus (\bar {b_{i}} \cdot c_{i})\), \(b_{o} = b_{i} \oplus (\bar {c_{i}} \cdot d_{i})\), \(c_{o} = c_{i} \oplus (\bar {d_{i}} \cdot e_{i})\), \(d_{o} = d_{i} \oplus (\bar {e_{i}} \cdot a_{i})\), and \(e_{o} = e_{i} \oplus (\bar {a_{i}} \cdot b_{i})\).
 1.
With a singlebit fault on a _{ i } (Δa _{ i } = 1), Δa _{ o } = Δa _{ i } = 1
 2.
With a singlebit fault on b _{ i } (Δb _{ i } = 1), \(a_{o}^{\prime } = a_{i} \oplus (\bar {b_{i}^{\prime }} \cdot c_{i})\), and then Δa _{ o } = Δb _{ i } ⋅ c _{ i } = c _{ i }, which leaks the internal state c _{ i } information
 3.
With a singlebit fault on c _{ i } (Δc _{ i } = 1), \(a_{o}^{\prime } = a_{i} \oplus (\bar {b_{i}} \cdot c_{i}^{\prime })\), and then \({\Delta } a_{o} = (1 \oplus b_{i}) \cdot {\Delta } c_{i} = \overline {b_{i}}\)
 4.
With a twobit fault on a _{ i } and b _{ i } (Δa _{ i } = Δb _{ i } = 1), \(a_{o}^{\prime } = a_{i}^{\prime } \oplus (\bar {b_{i}^{\prime }} \cdot c_{i})\), and then \({\Delta } a_{o} = \overline {c_{i}}\)
 5.
With a twobit fault on b _{ i } and c _{ i } (Δb _{ i } = Δc _{ i } = 1), \(a_{o}^{\prime } = a_{i} \oplus (\bar {b_{i}^{\prime }} \cdot c_{i}^{\prime })\), and then Δa _{ o } = Δb _{ i } ⋅ c _{ i } ⊕ (1 ⊕ b _{ i }) ⋅ Δc _{ i } ⊕ Δb _{ i } ⋅ Δc _{ i } = b _{ i } ⊕ c _{ i }
 6.
With a twobit fault on a _{ i } and c _{ i } (Δa _{ i } = Δc _{ i } = 1), \(a_{o}^{\prime } = a_{i}^{\prime } \oplus (\bar {b_{i}} \cdot c_{i}^{\prime })\), and then Δa _{ o } = Δa _{ i } ⊕ (1 ⊕ b _{ i }) ⋅ Δc _{ i } = b _{ i }
 7.
With a threebit fault (Δc _{ i } = Δb _{ i } = Δc _{ i } = 1), \(a_{o}^{\prime } = a_{i}^{\prime } \oplus (\bar {b_{i}^{\prime }} \cdot c_{i}^{\prime })\), and thus \({\Delta } a_{o} = {\Delta } a_{i} \oplus {\Delta } b_{i} \cdot c_{i} \oplus (1 \oplus b_{i}) \cdot {\Delta } c_{i} \oplus {\Delta } b_{i} \cdot {\Delta } c_{i} = \overline {b_{i} \oplus c_{i}}\)
Fault propagation of operation χ ^{22}
Fault at χ input  Fault signature at χ output 

\({\Delta } \chi ^{22}_{i}([x\):x+ 2],y,z)  \(FS_{\chi ^{22}_{o}}(x, y, z)\) 
[1,0,0]  1 
[0,1,0]  \(\chi ^{22}_{i}(x+2, y, z)\) 
[0,0,1]  \(\overline {\chi ^{22}_{i}(x+1, y, z)}\) 
[1,1,0]  \(\overline {\chi ^{22}_{i}(x+2, y, z)}\) 
[0,1,1]  \(\chi ^{22}_{i}(x+1, y, z) \oplus \chi ^{22}_{i}(x+2, y, z)\) 
[1,0,1]  \(\chi ^{22}_{i}(x+1, y, z)\) 
[1,1,1]  \(\overline {\chi ^{22}_{i}(x+1, y, z) \oplus \chi ^{22}_{i}(x+2, y, z)}\) 
In Fig. 5, each differential bit \({\Delta } \chi ^{22}_{o}(x,y,z)\) takes a value of “0,” “1,” or “x,” in which 1 (0) means this corresponding output bit flips (does not flip) with the specific fault injected, respectively, regardless of the internal states. However, “x” at a bit position means that the corresponding \({\Delta } \chi ^{22}_{o}\) bit value depends on some \(\chi ^{22}_{i}\) bit(s), and it can be “0” or “1.” For example, we denote \({\Delta } \chi ^{22}_{o}(0,0,44)\) as “x,” because \({\Delta } \chi ^{22}_{o}(0,0,44) = \chi ^{22}_{i}(2,0,44)\) under the fault injected (Δ𝜃 i22(0,0,0) = 1), and \(\chi ^{22}_{o}(0,0,44)\) would flip if \(\chi ^{22}_{i}(2,0,44) = 1\), otherwise it remains unchanged if \(\chi ^{22}_{i}(2,0,44) = 0\). Thus, if the attacker has knowledge of \({\Delta } \chi ^{22}_{o}(0,0,44)\) and the injected fault, he can construct the corresponding fault signature and then recover the bit \(\chi ^{22}_{i}(2,0,44)\).
3.2.2 Fault Propagation in 𝜃 ^{23} – F P _{ 𝜃 }
Each bit of \(FS_{\chi ^{22}_{o}}\) can be denoted as 0, 1, or a function of certain \(\chi ^{22}_{i}\) bits. For each bit of \(FS_{\theta ^{23}_{o}}\), some of the corresponding 11 \(FS_{\chi ^{22}_{o}}\) bits may depend on the same \(\chi ^{22}_{i}\) bits, and therefore, some dependencies will be eliminated with the operation of XOR. This is a key insight for our bytelevel (multiple bit) fault propagation analysis. For example, in the interleaved implementation, when fault F = 65 is injected at P = 16, \({\Delta } \theta ^{23}_{i}(4,4,3) = \chi ^{22}_{i}(0,4,3)\) and \({\Delta } \theta ^{23}_{i}(3,4,3) = \chi ^{22}_{i}(0,4,3)\). \({\Delta } \theta ^{23}_{o}(4,4,3)\), which involves the two input bits \(\theta ^{23}_{i}(4,4,3)\) and \(\theta ^{23}_{i}(3,4,3)\), will not depend on \(\chi ^{22}_{i}(0,4,3)\) anymore because the dependencies get canceled out by XOR between the two input bits. Eventually, the fault signature at the 𝜃 ^{23} output, \(FS_{\theta ^{23}_{o}}\), has a similar format as \(FS_{\chi ^{22}_{o}}\), with each bit being 0, 1, or an odd or even function (XOR) over some \(\chi ^{22}_{i}\) bits and constant one.
With the observed bits of \({\Delta } \chi ^{23}_{i}\) and the fault signatures, the attacker can work on equations which involve only one bit of \(\chi ^{22}_{i}\) to recover the \(\chi ^{22}_{i}\) bits, and then plug them back into equations which involve more than one \(\chi ^{22}_{i}\) bit to recover the remaining \(\chi ^{22}_{i}\) bits. For example, as shown in Fig. 6, with the singlebit fault injected at \(\theta ^{22}_{i}(0,0,0)\), the attacker can use \(FS_{\chi ^{23}_{i}}(1,0,24)\) to recover \(\chi ^{22}_{i}(2,0,44)\) first. Then replace \(\chi ^{22}_{i}(2,0,44)\) in \(FS_{\chi ^{23}_{i}}(0,0,44)\) to recover \(\chi ^{22}_{i}(0,0,44)\).
In this section, we showed the fault propagation process in SHA3 and analyzed the composition of fault signatures at \(\chi ^{23}_{i}\). In the next two sections, we will show how to use the constructed fault signatures to conquer all four modes of SHA3.
4 Differential Fault Analysis of SHA3384 and SHA3512
In this section, we use the constructed fault signatures in the previous section to conquer SHA3384 and SHA3512. In Section 4.1, we will present the method to identify the injected fault, including the position P and value F, using the constructed fault signatures. Then we show how to recover some \(\chi ^{22}_{i}\) bits using the identified fault in Section 4.2.
4.1 Fault Position P and Value F Recovery

\({\Delta } \chi ^{23}_{i}.white\) contains the bits (x,y,z) of \({\Delta } \chi ^{23}_{i}\) with \({\Delta } \chi ^{23}_{i}(x,y,z)=0\), which means that these bits are not flipped under the injected fault.

\({\Delta } \chi ^{23}_{i}.black\) contains the bits (x,y,z) of \({\Delta } \chi ^{23}_{i}\) with \({\Delta } \chi ^{23}_{i}(x,y,z)=1\), which means these bits are flipped under the injected fault.

\(FS_{\chi ^{23}_{i} }[P][F].white\) contains the bits (x,y,z) with \(FS_{\chi ^{23}_{i} }[P][F](x,y,z)=0\), i.e., the injected fault does not affect these state bits.

\(FS_{\chi ^{23}_{i} }[P][F].black\) contains the bits (x,y,z) with \(FS_{\chi ^{23}_{i} }[P][F](x,y,z)=1\), which are for sure to flip when the fault is injected.

\(FS_{\chi ^{23}_{i} }[P][F].grey\) contains the bits (x,y,z) with \(FS_{\chi ^{23}_{i} }[P][F](x,y,z)\) as a function dependent on some bits of \(\chi _{i}^{22}\), i.e., they can leak some internal state bits information, and can be 0 or 1.

For any bit in \(FS_{\chi ^{23}_{i} }[P_{0}][F_{0}].white\), this bit should be in \({\Delta } \chi ^{23}_{i}.white\).

For any bit in \(FS_{\chi ^{23}_{i} }[P_{0}][F_{0}].black\), this bit should be in \({\Delta } \chi ^{23}_{i}.black\).

For any bit in \(FS_{\chi ^{23}_{i} }[P_{0}][F_{0}].grey\), it can be in \({\Delta } \chi ^{23}_{i}.white\) or \({\Delta } \chi ^{23}_{i}.black\), depending on some internal state bits.
By checking relationships in Eq. 7, the attacker can exclude many positions and fault values. If only one position with one fault value satisfies these relationships, the injected fault is discovered. All the \(FS_{\chi ^{23}_{i}}[P_{0}][F_{0}].grey\) bits now are mapped to either zero (white) or one (black) in the observed differentials, and therefore, the internal state bits can be recovered.
We implement the attacks on both interleaved and noninterleaved versions of Keecak implementations in C++ [26] and run all the fault signature generation and mapping between the observed differential and the hypothesized signatures on a workstation, which consists of an Intel(R) Core(TM) i72600 CPU at 3.40 GHz and 8GB memory. Results show that our onetime fault signature generation algorithm takes about 14.5 s for offline execution, and it takes less than 0.3 ms to find the correct injected fault and recover the internal state bits from one fault.
For the noninterleaved version of SHA3, using our algorithm, the attacker can find the unique injected fault with probability 99.13% under singlebyte fault model. For the rest 0.87% probability, more than one fault satisfies the relationships in Eq. 7. For interleaved version, the attacker can find the unique fault with 100% probability under one singlebyte fault injection. We define such unique faults as effective faults. As only effective faults are useful for identifying state bits, the higher percentage of the effective fault, the more efficient the attacks will be.
We also check our algorithms under other fault models. For the singlebit fault model used in [22], our algorithms find the unique faults with 100% probability. For the singleword (16bit) fault model, the effective fault rate is about 40% for both interleaved and noninterleaved implementations. This is because for singleword faults, most bits of the final digest H (and internal state \(\theta ^{23}_{o}\)) will be polluted (more confusion), and therefore, the difference between the signatures of two faults is less distinct.
As the results for noninterleaved and interleaved implementations are similar, and the methods for fault identification and \(\chi ^{22}_{i}\) bits recovery are the same for these two implementations, the rest of this paper presents only results on noninterleaved implementation and focuses on the singlebyte fault model.
4.2 χ i22 Bits Recovery
Previous sections introduce the algorithms to derive fault signatures and use the signatures to infer the injected fault information. In this section, we describe the algorithms to recover bits of the internal state \(\chi ^{22}_{i}\).
As demonstrated in Fig. 6 and Section 3.2.2, each bit of \(FS_{\chi ^{23}_{i}}\) may involve one or several bits of \(\chi ^{22}_{i}\). Once the unique fault value at a certain position is identified, all the “x” bits in the \(FS_{\chi ^{23}_{i}}\) are known to be zero or one. First, those bits that only depend on a single bit of \(\chi ^{22}_{i}\) are checked to recover the corresponding \(\chi ^{22}_{i}\) bits. Then these newly recovered \(\chi ^{22}_{i}\) bits are used in those signature bits that depend on multiple \(\chi ^{22}_{i}\) bits to recover other bits.
Note that for each singlebit fault injected at \(\theta ^{22}_{i}\), 22 bits of \(\chi ^{22}_{i}\) can be recovered. With a multibit fault (nbit) injected at \(\theta ^{22}_{i}\), up to 22 ∗ n bits can be recovered. However, the 𝜃 ^{23} operation may cancel some \(\chi ^{22}_{i}\) bits by the XOR operation, and the number of \(\chi ^{22}_{i}\) bits that can be recovered by an nbit fault is at most 22 ∗ n.
Figure 8 shows that the theoretical result matches the experimental result very well. It also shows that by injecting random errors into \(\theta ^{22}_{i}\), the attacker can recover all the 1600 bits of \(\chi ^{22}_{i}\) using about 120 random faults. Comparing with the attacks on SHA3384/512 proposed in [22], our method needs much smaller number of faults to recover the whole internal state under relaxed fault models. We also test the theoretical model under random singlebit fault model used in [22], and the experimental result and theoretical result match very well, shown in Fig. 14 in Section 6.
5 Differential Fault Analysis of SHA3224 and SHA3256
Section 4 shows the method to identify the injected faults and to recover the internal state \(\chi ^{22}_{i}\) bits for SHA3384 and SHA3512. However, these methods cannot be applied to SHA3224 and SHA3256 directly, where the χ ^{23} operation cannot be inverted to obtain the input rows with each output row only partially known. In this section, we show the method to recover \(\chi ^{23}_{i}\) bits first and then use these intermediate state bits to recover \(\chi _{i}^{22}\) of SHA3224 and SHA3256. We propose two improved attacks, presented in Section 5.2 and Section 5.3 correspondingly.
5.1 Basic Attacks of SHA3224 and SHA3256
For SHA3224 and SHA3256, only partial bottom plane of the hash output is observable, i.e., no more than four bits in each row of \(\chi ^{23}_{o}\) on the bottom plane are known. In Section 5.1.1, we show that with limited information, part of \(\chi ^{23}_{i}\) on the bottom plane can still be recovered from the observable digest. Attack details using the recovered \(\chi ^{23}_{i}\) information will be presented in Section 5.1.2.
5.1.1 χ i23 Bits Recovery from the Observable Digest

For a _{ i }, if d _{ o } = 1, \(a_{i}=a_{o} \oplus \overline {b_{o}} \cdot c_{o}\); if b _{ o } = 1, a _{ i } = a _{ o }. For both situations, the attacker can retrieve a _{ i } without knowledge of e _{ o }. The probability of d _{ o } = 1 and the probability of b _{ o } = 1 are 0.5, respectively, and thus, the total probability of d _{ o } = 1 or b _{ o } = 1 is 0.75, which means that the value of a _{ i } can be recovered with a probability of 0.75.

For b _{ i }, if a _{ o } = 0, \(b_{i}=b_{o} \oplus \overline {c_{o}} \cdot d_{o}\); if c _{ o } = 1, b _{ i } = b _{ o }. Similarly, the probability of recovering b _{ i } with unknown e _{ o } is also 0.75.

For c _{ i }, if d _{ o } = 1, c _{ i } = c _{ o }, and the probability of recovering c _{ i } is 0.5.

For d _{ i }, if c _{ o } ⊕ a _{ o } ⊕ c _{ o } ⋅ b _{ o } = 0, d _{ i } = d _{ o }, and the probability of recovering d _{ i } is 0.5.

The value of e _{ i } always depends on e _{ o }, and the attacker cannot retrieve e _{ i } without knowledge of e _{ o }.
In conclusion, for SHA3256, the attacker can recover the bits in the first and second lanes of the bottom plane of \(\chi ^{23}_{i}\) with 0.75 probability, and the bits in the third and fourth lanes with 0.5 probability. In total, the attacker can recover 160 bits of \(\chi ^{23}_{i}\) theoretically. Similarly, for SHA3224, the attacker can use the same method to recover 112 bits of \(\chi ^{23}_{i}\) theoretically.
 1.
If \({a^{0}_{i}} = {a^{1}_{i}}\), then the value of a _{ i } does not depend on the value of e _{ o } and this is the correct recovered value for a _{ i }.
 2.
If \({a^{0}_{i}} \neq {a^{1}_{i}}\), then the value of a _{ i } depends on the value of e _{ o }, and attacker cannot recover a _{ i } without knowing e _{ i }.
We implement this method for both SHA3224 and SHA3256 in C++ and randomly generate 10^{5} input messages for each of them. Results show that the proposed algorithm can correctly recover 160.12 bits of \(\chi ^{23}_{i}\) for SHA3256 and 111.84 bits of \(\chi ^{23}_{i}\) for SHA3224 on average for these 10^{5} trials, which conform to the theoretical results given in the previous section.
Simulation results for SHA3224 and SHA3256 with fault injected at 𝜃 i22
Bits recovered  Effective fault ratio  

\(\chi ^{23}_{i}\)  \({\Delta } \chi ^{23}_{i}\)  
SHA3224  111.84  93.68  30.67% 
SHA3256  160.12  136.42  66.61% 
SHA3384/512  320  320  99.13% 
5.1.2 Injected Fault Identification and χ i22 Bits Recovery
Using the algorithms in Section 5.1.1, the attacker recovers some bits of \({\Delta } \chi ^{23}_{i}(X,0,Z)\) from the observable output, instead of 320 bits as in other two modes, SHA3384 and SHA4512. We use the same method presented before in Section 4.1 to match the recovered \({\Delta } \chi ^{23}_{i}(X,0,Z)\) bits against the fault signatures, and apply the same constraints of Eq. 7 to identify the injected fault. Results show that for SHA3256, the attacker can uniquely identify the fault with a probability 66.61%. For SHA3224, the effective fault ratio is 30.67% instead. The results are shown in Table 2.
In the next sections, we propose two methods to improve the fault analysis attacks of SHA3224 and SHA3256.
5.2 Improve the Attacks by Using both F S _{ χ i23} and F S _{ χ o23}
Previous methods all select \(\chi ^{23}_{i}\) as the comparison point for fault signatures and observable differential digest. However, for SHA3224 and SHA3256 (d = 224 and 256, respectively), fewer than d bits of \({\Delta } \chi ^{23}_{i}\) are available to the attacker and this will cause information loss in attacks. We find that the fault signature at \(\chi _{o}^{23}\), \(FS_{\chi _{o}^{23}}\), if used, can help to extract extra \(\chi ^{22}_{i}\) bits. This is because all d bits of \({\Delta } \chi ^{23}_{o}\) are available for SHA3d function; \(FS_{\chi _{o}^{23}}\) can be used with \({\Delta } \chi ^{23}_{o}\) to build constraints similar as in Eq. 7. We show in this section that with the introduction of \(FS_{\chi _{o}^{23}}\) into attacks, both the effective fault ratio and the number of \(\chi ^{22}_{i}\) bits recovered by each effective fault increase.
We first present the construction of \(FS_{\chi ^{23}_{o}}\) in Section 5.2.1 and then give the results of fault identification and internal state recovery in Section 5.2.2.
5.2.1 Fault Signature F S _{ χ o23} Construction
Bits in \(FS_{\chi ^{23}_{o}}\) can be 0, 1, or a function over \(\chi ^{22}_{i}\) and \(\chi ^{23}_{i}\) bits. When comparing \({\Delta } \chi ^{23}_{o}\) (dbits) against \(FS_{\chi ^{23}_{o}}\), more constraints are considered so as to help identify the fault and recover the internal bits. This improves the attacks in two ways. First, some faults that cannot be identified by the basic attack before can now be uniquely identified, i.e., the effective fault rate increases. Second, with a certain effective fault, more \(\chi ^{22}_{i}\) bits can be recovered because \({\Delta } \chi ^{23}_{o}\) and \(FS_{\chi ^{23}_{o}}\) are used.
Note here we cannot use \({\Delta } \chi ^{23}_{o}\) and \(FS_{\chi ^{23}_{o}}\) only for attacks while excluding using \({\Delta } \chi ^{23}_{i}\) and \(FS_{\chi ^{23}_{i}}\), this is because only part of \(FS_{\chi ^{23}_{o}}\) bits (instead of d bits) are available. The construction of \(FS_{\chi ^{23}_{o}}\) requires knowledge of \(\chi ^{23}_{i}(x,y,z)\) bits which are only partially known. Thus, attacker should combine information at \(\chi ^{23}_{i}\) (Δχ i23, \(FS_{\chi ^{23}_{i}}\)) and \(\chi ^{23}_{o}\) (Δχ o23, \(FS_{\chi ^{23}_{o}}\)) together for analysis.
5.2.2 Simulation Results
After involving \(FS_{\chi ^{23}_{o}}\) for attacks, the attack efficiency is improved significantly for both SHA3224 and SHA3256. For example, for SHA3224, the results in Fig. 9 show that the original attack method needs about 200 faults to recover 1300 bits of \(\chi ^{22}_{i}\), while the improved method in this section needs only 82 faults to recover the same number of \(\chi ^{22}_{i}\) bits. It is worth noting that the proposed improved attack does not need any extra knowledge of the target platform, and the generation of fault signature \(FS_{\chi ^{23}_{o}}\) does not need much computation.
5.3 Further Improvement by Injecting Faults at 𝜃 i23
If the attacker can inject faults at multiple points, the attack will achieve higher efficiency. In the previous sections, we assume that the attacker injects only faults at \(\theta ^{22}_{i}\). In this section, we explore another fault injection point, the last round input \(\theta ^{23}_{i}\), and use more faults to recover internal state bits more efficiently.
For the method proposed in Section 5.2, the effective fault ratio and the number of recovered \(\chi ^{22}_{i}\) bits by using the same number of effective injected faults are still lower than attacks on SHA3384/512. The reason lies in the fact that the attacker can recover fewer bits of \(\chi ^{23}_{i}\) and \({\Delta } \chi ^{23}_{i}\) for SHA3224 and SHA3256 than SHA3384/512 (320 bits). To improve the attack efficiency, we propose to recover more \(\chi ^{23}_{i}\) bits first, by injecting faults at the last round input \(\theta ^{23}_{i}\) of SHA3224 and SHA3256.
We first present the details of recovering \(\chi ^{23}_{i}\) bits in Section 5.3.1 and then present the recovery of \(\chi ^{22}_{i}\) bits for this improved attack in Section 5.3.2.
5.3.1 Recovering More χ i23 by Injecting Faults at 𝜃 i23
To recover \(\chi ^{23}_{i}\) bits by injecting faults at \(\theta ^{23}_{i}\) and comparing fault signature and differential fault at \(\chi ^{23}_{o}\), we need to calculate the fault propagation from \(\theta ^{23}_{i}\) to \(\chi ^{23}_{o}\). These faults will propagate through 𝜃, ρ, π, and χ operations. The fault propagation process is exactly the same as in the penultimate round (from \(\theta ^{22}_{i}\) to \(\chi ^{22}_{o}\)) as presented in Section 3.2.1. We denote the fault signature at \(\chi ^{23}_{o}\) for faults injected at \(\theta ^{23}_{i}\) as \(FS^{*}_{\chi ^{23}_{o}}\) in this section.
Using the faults injected at \(\theta ^{23}_{i}\), the attacker can recover some remaining bits of \(\chi ^{23}_{i}\) on the bottom plane that have not been recovered using the algorithm in Section 5.1.1. Note here that for SHA3256 and the first 32 rows of SHA3224 (with four bits out of five bits of each output row on the bottom plane known and some input bits (not all the five) recovered), if the attacker recovers one bit \(\chi ^{23}_{i}(x,0,z)\) that has not been recovered using the algorithm in Section 5.1.1, he can recover all the other unknown bits in this input row. For example, we assume \({a^{0}_{i}} \neq {a^{1}_{i}}\) in Eq. 11 and this bit has been recovered by injecting faults at \(\theta ^{23}_{i}\), then the attacker can know which assumption of e _{ o } is correct and then recover all the five bits in this row. This method can be used for all 64 rows in the bottom plane of SHA3256 and the first 32 rows of SHA3224. In SHA3224, the remaining rows (χ i23(X,0,z), 32 ≤ z < 63) have two bits unknown, and these two bits can only be recovered by injecting faults at \(\theta ^{23}_{i}\) separately.
Figure 11 shows that for SHA3256, the attacker can recover about 244 bits of \(\chi ^{23}_{i}\) using only five effective faults, compared with 160 bits when no faults injected at \(\theta ^{23}_{i}\) (Table 2). Similar results for SHA3224 are also presented in Fig. 11. Note that the attacker does not need to recover all the bits of \(\chi ^{23}_{i}\) in the bottom plane, he can recover part of \(\chi ^{23}_{i}\) to improve the efficiency of recovering \(\chi ^{22}_{i}\). We will show how the recovery of \(\chi ^{22}_{i}\) changes with the number of \(\chi ^{23}_{i}\) bits recovered in the next section.
5.3.2 Simulation Results

The attacker first recovers part of \(\chi ^{23}_{i}\) bits using algorithm presented in Section 5.1.1 (with no fault injected at \(\theta ^{23}_{i}\)).

The attacker then injects faults at \(\theta ^{23}_{i}\) to recover the remaining bits of \(\chi ^{23}_{i}\).
Figure 12 shows that with more rows of \(\chi ^{23}_{i}\) recovered, the attacker can identify the faults injected at \(\theta ^{22}_{i}\) with higher rate. For example, for SHA3224, the effective fault ratio is 53.28% when only part of \(\chi ^{23}_{i}\) bottom plane has been recovered using the algorithm in Section 5.1.1, and this ratio rises to 88.34% when all 64 rows (320 bits) of \(\chi ^{23}_{i}\) bottom plane are recovered. Therefore, by recovering more bits of \(\chi ^{23}_{i}\) in the bottom plane, the effective fault ratio will increase for both SHA3224 and SHA3256.
Figure 13 shows that the attacker needs smaller number of effective faults to recover all the bits of \(\chi ^{22}_{i}\) if he has recovered more rows of \(\chi ^{23}_{i}\). For example, if he has knowledge of the whole bottom plane of \(\chi ^{23}_{i}\), he can recover 1590 bits of \(\chi ^{22}_{i}\) using 110 effective random faults on average. For attacker who cannot inject fault into the last round input, using the improved method in Section 5.2.1, he can only recover about 1412 bits (using 110 effective faults) instead.
In conclusion, by injecting faults at \(\theta ^{23}_{i}\) to recover more state bits of \(\chi ^{23}_{i}\), the attacker can identify the faults injected at \(\theta ^{22}_{i}\) with a higher rate. Consequently, the attacker needs a smaller number of effective faults to recover the same number of \(\chi ^{22}_{i}\) bits.
As the improved attack method in Section 5.2 does not require extra knowledge of the target system, it should be applied to DFA directly, while the improvement proposed in this section can be applied if the attacker has the ability to inject extra faults at \(\theta ^{23}_{i}\).
6 Optimized Attacks with Chosen Faults
In this section, we show an algorithm to optimize the attack if the injected faults (in terms of faulty byte location and fault value) can be controlled.
As shown in the previous sections, injecting an nbit fault into \(\theta ^{22}_{i}\) can recover up to 22 ∗ n bits of \(\chi _{i}^{22}\), and different faults may have overlapping \(\chi _{i}^{22}\) bits. The most efficient attack method should avoid such overlap and use the smallest number of faults to recover the entire internal state. In this section, we show an optimized attack with the smallest number of faults into \(\theta ^{22}_{i}\) to recover all the bits of \(\chi _{i}^{22}\). This optimization is based on SHA3384/512 for simplicity, and it can be easily extended to SHA3224 and SHA3256.
We also use the method and algorithm to analyze the DFA on SHA3 under singlebit fault model used in [22]. Three curves are presented in Fig. 14b: the random fault injection experimental result, the random fault injection theoretical prediction, and the optimized attack using the greedy heuristic. Under the singlebit fault model, each fault injected at \(\theta ^{22}_{i}\) can be used to recover 22 bits of \(\chi ^{22}_{i}\), and thus, α = 22 for the theoretical result. Figure 14b shows that the theoretical result matches the simulation result for random fault injection very well. It also shows that the attacker needs to inject at least 129 singlebit selected faults to recover all the 1600 bits of \(\chi ^{22}_{i}\), while he needs about 500 singlebit random faults to recover the state.
The optimized attack we present in this section is the lower bound of the proposed differential fault attacks. For SHA3224 and SHA3256, similar method can be used to find the lower bound of the attacks.
7 Discussions
7.1 SHA3 Systems with Long Input Message
In the previous sections, we simplify the analysis by assuming that only one f function is involved for absorbing and squeezing. In this section, we extend the proposed attack by assuming that the size of the input message can be larger than the bitrate r. Meanwhile, we assume that the digest size can be larger than r, instead of just d bits for SHA3d function. Therefore, multiple f functions may be involved for absorbing and squeezing.

There are n (n ≥ 1) f functions (f _{0}⋯f _{ n−1}) involved for absorbing.

There are m (m ≥ 0) f functions (f _{ n }⋯f _{ n + m−1}) involved for squeezing, as r > d for all four SHA3d functions, no extra f function will be involved for squeezing (m = 0).

The attacker has control of the input message part of P _{0}⋯P _{ n−1} in MAC mode, while he has no access to the messages when SHA3 is used in hash mode.

The attacker can observe the digest z _{0}⋯z _{ m } in both hash and MAC modes.

If l _{ k } ≤ r, the attacker can iteratively recover P _{0} which contains the key used for MAC and, therefore, recover the secret key.
 If l _{ k } > r, for example, all the bits of P _{0} and part of P _{1} bits are key bits, then the attacker can recover f _{1}(i n), which isthen the attacker will be unable to recover the key bits contained in P _{0} and P _{1} directly. The attacker needs to make assumption of the key bits in P _{1} so as to recover the key bits in P _{0}. The difficulty increases rapidly with the number of the key bits in P _{1}.$$ f_{1}(in) = f(P_{0}  0^{c}) \oplus (P_{1}  0^{c}), $$(13)
As the key size in MAC system is usually much smaller than r (for example, 128 bits or 256 bits), the proposed DFA is a great threat for SHA3based MAC systems. We propose to increase the length of MAC key for higher resilience against fault injection attacks.
For SHA3 system in general hash mode, the attacker will have no access to the input message P _{0}⋯P _{ n−1}. Therefore, after recovering f _{ n−1}(i n), he will be unable to further recover f _{ n−2}(o u t) without knowledge of P _{ n−1}. Thus, the attacker will be unable to recover the original input message in hash mode directly if the message length is greater than bitrate r.
For modified SHA3 system which allows the digest size larger than d, there may be extra f functions involved for squeezing, and the digest comes from multiple z _{ i }. As all the z _{ i } are observable, z _{0} will be used to attack f _{ n−1}. The length of z _{0} will be rbit, which is 1152, 1088, 832, and 576bit for SHA3224, SHA3256, SHA3384, and SHA3512, respectively. More bits than original (224, 256, 384, and 512bit) are available, and the attacks become easier. In conclusion, the proposed DFA method is still applicable for SHA3 systems which involve extra f functions for squeezing.
7.2 Countermeasure Against Differential Fault Analysis
As unprotected SHA3 systems are vulnerable to DFAs, countermeasures should be added into SHA3 systems to improve their resilience against DFA.
One method is to implement detection of system disturbance which are used to inject faults. For example, a clock glitch and power supply disturbance detection module [30, 31] can be inserted into SHA3 implementations to detect fault injections.
Another kind of widely used countermeasures relies on some redundancy to check the integrity of the intermediate results, such that errors caused by injected faults will be detected. For example, parity checking codes are used to detect the injected faults in SHA3 [32]. Similarly, another copy of modified Keccak implementation can be introduced into the system for error detection [33, 34]. Such schemes can detect errors in the system caused by injected faults, and thus, the attacker will have no access to the faulty results to conduct DFA.
8 Conclusion and Future Work
In this paper, we propose efficient DFA methods for all four modes of SHA3 functions under relaxed singlebyte fault models. Results show that our method can effectively identify the injected faults and then recover the corresponding internal state bits for all four SHA3 functions. Meanwhile, we also present the lower bound of the proposed attacks and extend the attacks to systems with input message longer than bitrate r.
The proposed method can possibly be applied to other relaxed fault models. Under the word (16bit) fault model, the effective fault ratio is much lower for SHA3384/512, but the attacks can still work, while it cannot identify any effective fault for SHA3224 and SHA3256. Our future work will address attacks on SHA3224 and SHA3256 under more relaxed 16bit and 32bit fault models. Another line of future work would include more efficient and effective methods to protect SHA3 platforms against fault injection attacks.
Notes
Acknowledgements
This work was supported in part by the National Science Foundation under grants SaTC1314655 and MRI1337854. Simulation code used in this paper is available at http://tescase.coe.neu.edu/.
References
 1.Bertoni G, Daemen J, Peeters M, Assche G (2011) The Keccak reference. Submission to NIST (Round 3) JanuaryGoogle Scholar
 2.Pub NF, FIPS PUB (2015) 202. SHA3 standard: permutationbased hash and extendableoutput functions Federal Information Processing Standards PublicationGoogle Scholar
 3.Biham E, Shamir A (1997) Differential fault analysis of secret key cryptosystems. In: Advances in Cryptology – CRYPTO, pp 513–525Google Scholar
 4.Piret G, Quisquater JJ (2003) A differential fault attack technique against SPN structures, with application to the AES and KHAZAD. In: 5th International Wkshp on Cryptographic Hardware and Embedded Systems, Cologne, Germany, pp 77–88Google Scholar
 5.Chen H, Wu W, Feng D (2007) Differential fault analysis on CLEFIA. In: 9th International Conference on Information and Communications Security, Zhengzhou, China, pp 284–295Google Scholar
 6.Karmakar S, Chowdhury DR (2013) Differential fault analysis of MICKEY128 2.0. In: Wkshp on Fault Diagnosis and Tolerance in Cryptography, pp 52–59Google Scholar
 7.Banik S, Maitra S (2013) A differential fault attack on MICKEY 2.0. In: 15th International Wkshp on Cryptographic Hardware and Embedded Systems, Santa Barbara, CA, USA, pp 215–232Google Scholar
 8.Banik S, Maitra S, Sarkar S (2012) A differential fault attack on the Grain family of stream ciphers. In: 14th International Wkshp on Cryptographic Hardware and Embedded Systems, Leuven, Belgium, pp 122–139Google Scholar
 9.Dey P, Chakraborty A, Adhikari A, Mukhopadhyay D (2015) Improved practical differential fault analysis of Grain128. In: Proceedings of the 2015 Design, Automation & Test in Europe Conference & Exhibition, pp 459–464Google Scholar
 10.Hemme L, Hoffmann L (2011) Differential fault analysis on the SHA1 compression function. In: Wkshp on Fault Diagnosis and Tolerance in Cryptography, pp 54–62Google Scholar
 11.Altawy R, Youssef AM (2015) Differential fault analysis of Streebog. In: 11th International Conference on Information Security Practice and Experience, Beijing, China, pp 35–49Google Scholar
 12.Li W, Tao Z, Gu D, Wang Y, Liu Z, Liu Y (2013) Differential fault analysis on the MD5 compression function. J Comput 8(11):2888–2894Google Scholar
 13.Fischer W, Reuter CA (2012) Differential fault analysis on Grøstl. In: Wkshp on Fault Diagnosis and Tolerance in Cryptography, pp 44–54Google Scholar
 14.Boura C, Canteaut A (2010) A zerosum property for the KECCAKf permutation with 18 rounds. In: IEEE International Symposium on Information Theory, pp 2488–2492Google Scholar
 15.Das S, Meier W (2014) Differential biases in reducedround Keccak. In: Progress in Cryptology – AFRICACRYPT 2014: 7th International Conference on Cryptology in Africa, Marrakesh, Morocco, pp 69–87Google Scholar
 16.Dinur I, Dunkelman O, Shamir A (2013) Collision attacks on up to 5 rounds of SHA3 using generalized internal differentials. In: 20th International Workshop on Fast Software Encryption, Singapore, pp 219–240Google Scholar
 17.Dinur I, Morawiecki P, Pieprzyk J, Srebrny M, Straus M (2015) Cube attacks and cubeattacklike cryptanalysis on the roundreduced Keccak sponge function. In: Advances in Cryptology – EUROCRYPT: 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, pp 733–761Google Scholar
 18.Luo P, Fei Y, Fang X, Ding A, Kaeli DR, Leeser M (2015) Sidechannel analysis of MACKeccak hardware implementations. In: Proceedings of the Fourth Wkshp on Hardware and Architectural Support for Security and PrivacyGoogle Scholar
 19.Morawiecki P, Pieprzyk J, Srebrny M (2013) Rotational cryptanalysis of roundreduced Keccak. In: 20th International Wkshp on Fast Software Encryption, Singapore, pp 241–262Google Scholar
 20.NayaPlasencia M, Röck A, Meier W (2011) Practical analysis of reducedround Keccak. In: Progress in Cryptology – INDOCRYPT 2011: 12th International Conference on Cryptology in India, Chennai, India, pp 236–254Google Scholar
 21.Taha M, Schaumont P (2013) Sidechannel analysis of MACKeccak. In: IEEE International Symposium on HardwareOriented Security and Trust (HOST), pp 125–130Google Scholar
 22.Bagheri N, Ghaedi N, Sanadhya S (2015) Differential fault analysis of SHA3. In: Progress in Cryptology – INDOCRYPT 2015: 16th International Conference on Cryptology in India, Bangalore, India, pp 253–269Google Scholar
 23.Luo P, Fei Y, Zhang L, Ding A (2016) Differential fault analysis of SHA3224 and SHA3256. In: Thirteenth Wkshp on Fault Diagnosis and Tolerance in CryptographyGoogle Scholar
 24.Daemen J (1995) Cipher and hash function design strategies based on linear and differential cryptanalysis, Ph.D. dissertation, Doctoral Dissertation, March 1995 KU LeuvenGoogle Scholar
 25.Bertoni G, Daemen J, Peeters M, Van Assche G (2011) Cryptographic sponge functions, Submission to NIST (Round 3)Google Scholar
 26.Reference and optimized code in C, http://keccak.noekeon.org/KeccakReferenceAndOptimized3.2.zip
 27.Pessl P, Hutter M (2013) Pushing the limits of SHA3 hardware implementations to fit on RFID. In: 15th International Wkshp on Cryptographic Hardware and Embedded Systems, Santa Barbara, CA, USA, pp 126–141Google Scholar
 28.Bertoni G, Daemen J, Peeters M, Van Assche G, Van Keer R (2012) Keccak implementation overview, Report, STMicroelectronics. Antwerp, BelgiumGoogle Scholar
 29.Karpinski M, Zelikovsky A (1998) Approximating dense cases of covering problems. In: DIMACS Wkshp on Network Design: Connectivity and Facilites Location, pp 169–178Google Scholar
 30.Bowman KA, Tokunaga C, Tschanz JW, Raychowdhury A, Khellah MM, Geuskens BM, Lu SLL, Aseron PA, Karnik T, De VK (2011) Alldigital circuitlevel dynamic variation monitor for silicon debug and adaptive clock control. IEEE Trans Circuits Syst Regul Pap 58(9):2017–2025CrossRefMathSciNetGoogle Scholar
 31.Luo P, Luo C, Fei Y (2016) System clock and power supply crosschecking for glitch detection, Cryptology ePrint Archive Report 2016/968Google Scholar
 32.Luo P, Li C, Fei Y (2016) Concurrent error detection for reliable SHA3 design. In: 26th edition on Great Lakes Symposium on VLSI, pp 39–44Google Scholar
 33.Luo P, Zhang L, Fei Y, Ding A (2016) An improvement of both security and reliability for Keccak implementations on smart card, Cryptology ePrint Archive Report 2016/214Google Scholar
 34.BayatSarmadi S, MozaffariKermani M, ReyhaniMasoleh A (2014) Efficient and concurrent reliable realization of the secure cryptographic SHA3 algorithm. IEEE Trans Comput Aided Des Integr Circuits Syst 33 (7):1105–1109CrossRefGoogle Scholar