Differential Fault Analysis of SHA-3

  • Nasour BagheriEmail author
  • Navid Ghaedi
  • Somitra Kumar Sanadhya
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9462)


In this paper we present the first differential fault analysis (DFA) of SHA-3. This attack can recover the internal state of two versions of SHA-3 (namely, SHA3-512 and SHA3-384) and can be used to forge MAC’s which are using these versions of SHA-3. Assuming that the attacker can inject a random single bit fault on the intermediate state of the hash computation, and given the output of the SHA-3 version for a correct message and 80 faulty messages, we can extract 1592 out of the 1600 bits of the compression function’s internal state. To the best of our knowledge, this is the first public analysis of SHA-3 against DFA. Although our results do not compromise any security claim of SHA-3, it shows the feasibility of DFA on this scheme and possibly other Sponge based MACs and increases our understanding of SHA-3.


SHA-3 Keccak Differential fault analysis 


  1. 1.
    Ali, S., Mukhopadhyay, D., Tunstall, M.: Differential fault analysis of AES: towards reaching its limits. J. Crypt. Eng. 3(2), 73–97 (2013)CrossRefGoogle Scholar
  2. 2.
    AlTawy, R., Youssef, A.M.: Differential fault analysis of streebog. In: Lopez, J., Wu, Y. (eds.) ISPEC 2015. LNCS, vol. 9065, pp. 35–49. Springer, Heidelberg (2015) CrossRefGoogle Scholar
  3. 3.
    Aumasson, J.-P., Meier, W.: Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi. Rump session of Cryptographic Hardware and Embedded Systems-CHES 2009, p. 67 (2009)Google Scholar
  4. 4.
    Banik, S., Maitra, S.: A differential fault attack on MICKEY 2.0. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 215–232. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  5. 5.
    Banik, S., Maitra, S., Sarkar, S.: A differential fault attack on the grain family of stream ciphers. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 122–139. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  6. 6.
    Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996) Google Scholar
  7. 7.
    Benoît, O., Peyrin, T.: Side-channel analysis of six SHA-3 candidates. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 140–157. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  8. 8.
    Bertoni, G., Daemen, J., Peeters, M.: Cryptographic sponge functions. Report, STMicroelectronics, Antwerp, Belgium, January 2011Google Scholar
  9. 9.
    Bertoni, G., Daemen, J., Peeters, M., Assche, G.V.: The Keccak SHA-3 submission (2009)Google Scholar
  10. 10.
    Biham, E., Shamir, A.: Differential fault analysis of secret key cryptosystems. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 513–525. Springer, Heidelberg (1997) CrossRefGoogle Scholar
  11. 11.
    Boura, C., Canteaut, A.: A zero-sum property for the Keccak-f permutation with 18 rounds. In: ISIT 2010s, pp. 2488–2492. IEEE (2010)Google Scholar
  12. 12.
    Boura, C., Canteaut, A.: Zero-sum distinguishers for iterated permutations and application to Keccak-f and Hamsi-256. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 1–17. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  13. 13.
    Boura, C., Canteaut, A., De Cannière, C.: Higher-order differential properties of Keccak and Luffa. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 252–269. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  14. 14.
    Chakraborti, A., Chang, D., Nandi, M.: Fault based forgeries on CLOC and SILC. In: Latincrypt, LNCS. Springer (2015).!topic/crypto-competitions/_qxORmqcSrY
  15. 15.
    Das, S., Meier, W.: Differential biases in reduced-round Keccak. In: Pointcheval, D., Vergnaud, D. (eds.) AFRICACRYPT. LNCS, vol. 8469, pp. 69–87. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  16. 16.
    Dey, P., Chakraborty, A., Adhikari, A., Mukhopadhyay, D.: Improved practical differential fault analysis of Grain-128. DATE 2015, 459–464 (2015)Google Scholar
  17. 17.
    Dinur, I., Dunkelman, O., Shamir, A.: New attacks on Keccak-224 and Keccak-256. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 442–461. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  18. 18.
    Dinur, I., Dunkelman, O., Shamir, A.: Collision attacks on up to 5 rounds of SHA-3 using generalized internal differentials. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 219–240. Springer, Heidelberg (2014) Google Scholar
  19. 19.
    Dinur, I., Dunkelman, O., Shamir, A.: Improved practical attacks on round-reduced Keccak. J. Crypt. 27(2), 183–209 (2014)zbMATHMathSciNetCrossRefGoogle Scholar
  20. 20.
    Dinur, I., Morawiecki, P., Pieprzyk, J., Srebrny, M., Straus, M.: Cube attacks and cube-attack-like cryptanalysis on the round-reduced Keccak sponge function. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 733–761. Springer, Heidelberg (2015) Google Scholar
  21. 21.
    Duc, A., Guo, J., Peyrin, T., Wei, L.: Unaligned rebound attack: application to Keccak. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 402–421. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  22. 22.
    Dusart, P., Letourneux, G., Vivolo, O.: Differential fault analysis on A.E.S. In: Zhou, J., Yung, M., Han, Y. (eds.) ACNS 2003. LNCS, vol. 2846, pp. 293–306. Springer, Heidelberg (2003) CrossRefGoogle Scholar
  23. 23.
    FIPS-202. SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. National Institute for Standards and Technology, pub-NIST, May 2014Google Scholar
  24. 24.
    Fischer, W., Reuter, C.A.: Differential fault analysis on Grøstl. In: Bertoni, G., Gierlichs, B. (eds.) FDTC 2012, pp. 44–54. IEEE Computer Society (2012)Google Scholar
  25. 25.
    Giraud, C.: DFA on AES. In: Dobbertin, H., Rijmen, V., Sowa, A. (eds.) AES 2005. LNCS, vol. 3373, pp. 27–41. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  26. 26.
    Giraud, C., Thillard, A.: Piret and quisquater’s DFA on AES revisited. IACR Cryptology ePrint Archive, 2010:440 (2010)Google Scholar
  27. 27.
    Hemme, L.: A differential fault attack against early rounds of (Triple-)DES. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 254–267. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  28. 28.
    Hemme, L., Hoffmann, L.: Differential fault analysis on the SHA1 compression function. In: Breveglieri, L., Guilley, S., Koren, I., Naccache, D., Takahashi, J. (eds.) FDTC 2011, pp. 54–62. IEEE Computer Society (2011)Google Scholar
  29. 29.
    Jean, J., Nikolic, I.: Internal differential boomerangs: practical analysis of the round-reduced Keccak-f permutation. IACR Cryptology ePrint Archive 2015:244 (2015)Google Scholar
  30. 30.
    Karmakar, S., Chowdhury, D.R.: Differential fault analysis of MICKEY-128 2.0. In: Fischer, W., Schmidt, J. (eds.) FDTC 2013, pp. 52–59. IEEE Computer Society (2013)Google Scholar
  31. 31.
    Kim, C.H.: Differential fault analysis of AES: toward reducing number of faults. Inf. Sci. 199, 43–57 (2012)zbMATHCrossRefGoogle Scholar
  32. 32.
    Kim, C.H., Quisquater, J.-J.: New differential fault analysis on AES key schedule: two faults are enough. In: Grimaud, G., Standaert, F.-X. (eds.) CARDIS 2008. LNCS, vol. 5189, pp. 48–60. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  33. 33.
    Kölbl, S., Mendel, F., Nad, T., Schläffer, M.: Differential cryptanalysis of Keccak variants. In: Stam, M. (ed.) IMACC 2013. LNCS, vol. 8308, pp. 141–157. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  34. 34.
    Luo, P., Fei, Y., Fang, X., Ding, A.A., Kaeli, D.R., Leeser, M.: Side-channel analysis of MAC-Keccak hardware implementations. Cryptology ePrint Archive, Report 2015/411 (2015).
  35. 35.
    Morawiecki, P., Pieprzyk, J., Srebrny, M.: Rotational cryptanalysis of round-reduced Keccak. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 241–262. Springer, Heidelberg (2014) Google Scholar
  36. 36.
    Naya-Plasencia, M., Röck, A., Meier, W.: Practical analysis of reduced-round Keccak. In: Bernstein, D.J., Chatterjee, S. (eds.) INDOCRYPT 2011. LNCS, vol. 7107, pp. 236–254. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  37. 37.
    Piret, G., Quisquater, J.-J.: A differential fault attack technique against SPN structures, with application to the AES and KHAZAD. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 77–88. Springer, Heidelberg (2003) CrossRefGoogle Scholar
  38. 38.
    Preneel, B., van Oorschot, P.C.: On the security of iterated message authentication codes. IEEE Trans. Inf. Theory 45(1), 188–199 (1999)zbMATHCrossRefGoogle Scholar
  39. 39.
    Rivain, M.: Differential fault analysis on DES middle rounds. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 457–469. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  40. 40.
    Saha, D., Kuila, S., Chowdhury, D.R.: EscApe: diagonal fault analysis of APE. In: Meier, W., Mukhopadhyay, D. (eds.) INDOCRYPT 2014. LNCS, vol. 8885, pp. 197–216. Springer, Heidelberg (2014)Google Scholar
  41. 41.
    Tunstall, M., Mukhopadhyay, D., Ali, S.: Differential fault analysis of the advanced encryption standard using a single fault. In: Ardagna, C.A., Zhou, J. (eds.) WISTP 2011. LNCS, vol. 6633, pp. 224–233. Springer, Heidelberg (2011) Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Nasour Bagheri
    • 1
    • 2
    Email author
  • Navid Ghaedi
    • 1
  • Somitra Kumar Sanadhya
    • 3
  1. 1.Electrical Engineering DepartmentShahid Rajaee Teacher Training UniversityTehranIran
  2. 2.The School of Computer ScienceInstitute for Research in Fundamental Sciences (IPM)TehranIran
  3. 3.IIIT-DelhiDelhiIndia

Personalised recommendations