Scope: On the Side Channel Vulnerability of Releasing Unverified Plaintexts
Abstract
In Asiacrypt 2014, Andreeva et al. proposed an interesting idea of intermittently releasing plaintexts before verifying the tag, inspired by various practical applications and constraints. In this work we assess the idea of releasing unverified plaintexts in the light of side-channel attacks such as fault attacks. In particular, we show that this opens up new avenues for attacking the decryption module. We further present a case study on the APE authenticated encryption scheme and reduce its key space from \(2^{160}\) to \(2^{50}\) using 12 faults and to \(2^{24}\) using 16 faults on the decryption module. These results are of particular interest since attacking the decryption enables the attacker to completely bypass the nonce constraint imposed by the encryption. Finally, at the outset this work also addresses a related problem: fault attacks with partial state information.
Keywords
Authenticated encryption; Releasing unverified plaintexts; APE; Differential fault analysis
1 Introduction
In conventional security notions of Authenticated Encryption (AE), release of the decrypted plaintext is subject to successful verification. In their pioneering paper in Asiacrypt 2014, Andreeva et al. challenged this model by introducing and formalizing the idea of releasing unverified plaintexts (RUP) [5, 6]. The idea was motivated by several practical problems faced by the classical approach, such as insufficient memory in constrained environments, real-time usage requirements and inefficiency issues. The basic idea is to separate the plaintext computation and verification during AE decryption, so that the plaintexts are always released irrespective of the status of the verification process. In order to assess the security under RUP and to bridge the gap with the classical approach, the authors introduced two new definitions: INT-RUP (for integrity) and plaintext awareness, or PA, for privacy (in combination with IND-CPA).
In this work, we try to answer the question pertaining to RUP that arises from a side-channel viewpoint: Can the ability to observe unverified plaintexts serve as a source of side-channel information? Our research reveals that the answer is affirmative with respect to differential fault analysis (DFA) [8, 10, 11, 12, 13, 14, 16], which is known to be one of the most effective side-channel attacks on symmetric-key constructions. The basic requirement of any form of fault analysis is the ability to induce a fault in the intermediate state of the cipher and consequently observe the faulty output. Our first observation is that in the classical approach, where successful verification precedes release of plaintexts, fault attacks are infeasible. This is attributed to the fact that if the attacker induces a fault, the probability of the faulty plaintext passing verification is negligible, thereby denying the ability to observe the faulty output. This scenario changes in the presence of unverified plaintexts. So the first scope that RUP provides to the attacker is the ability to observe faulty unverified plaintexts. Our second observation concerns the nonce constraint. In Indocrypt 2014, Saha et al. studied the impact of the nonce constraint in their EscApe fault attack [15] on the authenticated cipher APE [3]. The authors showcased the restriction that the uniqueness of nonces imposes on the replaying criterion^{1} of fault analysis and demonstrated the idea of faulty collisions to overcome it. In this work we argue that the ability to attack the decryption, provided by RUP, gives the additional benefit of totally bypassing the nonce constraint. This follows from the very definition of AE decryption, which allows an attacker to make multiple queries to the decryption oracle with the same nonce. Thus the prospect of nonce bypass makes fault analysis highly feasible.

Scrutinizing the recently introduced RUP model in the light of fault attacks.

Showing that unverified plaintext can be an important source of side-channel information.

Showing the feasibility of fault induction using nonce bypass.

For the first time attacking the decryption of an AE scheme using DFA.

Presenting Scope attack exploiting: fault diffusion in the last two rounds of the Inverse PRIMATE permutation and the ability to observe faulty unverified plaintexts.

Finally, achieving a key space reduction from \(2^{160}\) to \(2^{50}\) with 12 faults and \(2^{24}\) with 16 faults using the random word fault model.

Moreover, this work also brings into focus the idea of fault analysis of AES based constructions with partial state information.
The rest of the work is organized as follows: Sect. 2 gives a brief description of the PRIMATE permutation and its inverse and introduces the notations used in this work. Section 3 looks at the RUP and classical models in the light of side-channel analysis. Some properties of APE decryption that become relevant in the presence of faults are discussed in Sect. 4. The proposed Scope attack is introduced in Sect. 5. Section 6 furnishes the experimental results with a brief discussion, while Sect. 7 gives the concluding remarks.
2 Preliminaries
2.1 The Design of PRIMATE
PRIMATE has two variants in terms of size: PRIMATE-80 (200-bit permutation) and PRIMATE-120 (280-bit permutation), which operate on states of \((5 \times 8)\) and \((7 \times 8)\) 5-bit elements respectively. The family consists of four permutations \(p_1, p_2, p_3, p_4\) which differ in the round constants used and the number of rounds. All notations introduced in this section are with reference to PRIMATEs-80 with the APE mode of operation.
Definition 1
(Word). Let \(\mathbb {T} = \mathbb {F}[x]/(x^5 + x^2 + 1)\) be the field \(\mathbb {F}_{2^5}\) used in the PRIMATE MixColumn operation. Then a word is defined as an element of \(\mathbb {T}\).
Definition 2
The PRIMATE 5-bit S-box
x  0  1  2  3  4  5  6  7  8  9  10  11  12  13  14  15 
S(x)  1  0  25  26  17  29  21  27  20  5  4  23  14  18  2  28 
x  16  17  18  19  20  21  22  23  24  25  26  27  28  29  30  31 
S(x)  15  8  6  3  13  7  24  16  30  9  31  10  22  12  11  19 
2.2 Notations
Definition 3
Definition 4
The Hypercolumn helps to capture the candidate words for a column that result due to the fault analysis presented here. Also a hypercolumn is considered to be empty if at least one of its component sets is empty.
Definition 5
The hyperstate has some interesting properties with respect to the component transformations of the PRIMATE permutation and consequently its inverse. For instance, all the inverse operations InverseShiftRow (\(\rho ^{-1}\)), InverseSubByte (\(\beta ^{-1}\)) and InverseAddRoundConstant (\(\alpha ^{-1}\)) can be applied to a hyperstate with little technical change. This is possible since all these operations work word-wise and thus can be applied as a whole to each element-set of a hyperstate with an equivalent effect. We define the analogs of these operations on a hyperstate as hyperstate-\(\langle\)operation\(\rangle\): \((\rho ^{-1})', (\beta ^{-1})', (\alpha ^{-1}_r)'\). The formal definitions are provided in Appendix A. Another observation of particular interest is that \(\text{hyperstate-}\langle\text{operation}\rangle(s^h) = (\langle\text{operation}\rangle(s))^h\).
Definition 6
Here, \(w_k^T\) represents the transpose of \(w_k\), thereby implying that \(w_k\) is a column vector. One should note that \(s_{*,j} \in \mathcal {K}^{s^h_{*,j}} \;\forall j\). Thus each column of s is contained in the corresponding element of \(\mathcal {K}^{s^h}\). We now define an operation \((\mu ^{-1})'\) over the Kernel of a hyperstate which is equivalent to \(\mu ^{-1}\) operating on a state.
Definition 7
An important implication is that \((\mu ^{-1})'(\mathcal {K}^{s^h}) = \mathcal {K}^{(\mu ^{-1}(s))^h}\). The notions of Hyperstate and Kernel will be used in the Outbound phase of Scope detailed in Subsect. 5.3.
3 RUP in the Light of Side-Channels
RUP, which has been argued to be a very desirable property, can be a major source of side-channel information. In this work we study how RUP stands up in the light of fault attacks. Our research reveals that RUP opens up an exploitable opportunity with respect to fault analysis which would not exist if verification preceded release of the plaintexts. Moreover, attacking the decryption also allows the attacker to bypass the nonce constraint imposed by the encryption. It has been shown that nonce-based encryption has an automatic protection against DFA, and hence the ability to bypass the nonce constraint exposes the AE scheme to fault attacks. In the rest of the paper we refer to the classical model that does not allow RUP as RVP (Release of Verified Plaintexts). We now argue why RVP has an implicit protection against fault attacks which makes attacking the decryption infeasible.
On the contrary, RUP gives the attacker the scope of inducing random faults while decrypting any chosen or known ciphertext and unconditionally observing the corresponding faulty plaintexts (which would never have passed verification in the RVP model). This power opens up the side-channel for fault analysis and is the basis of the differential fault attack presented in this work. Moreover, the ability to attack the decryption has the additional and important advantage of bypassing the nonce constraint that is imposed while making encryption queries. This magnifies the feasibility of mounting fault attacks.
In the next section, we look at some of the features of APE decryption and the inverse PRIMATE permutation \(p^{-1}\) that gain importance from a fault attack perspective. Finally, building upon these observations we introduce the Scope attack, where for the first time we show how the decryption can also be attacked under RUP to retrieve the entire internal state of \(p^{-1}\), leading to recovery of the key with practical complexities.
4 Analyzing APE Decryption in the Presence of Faults
In this section we look at certain properties of APE decryption that become relevant in the context of RUP and from the prospect of fault induction. We first look at a property which by itself is of no threat to the security of APE but becomes exploitable in the presence of faults in the RUP scenario.
4.1 The Block Inversion Property
The Block Inversion Property is purely attributed to the APE mode of operation. This property allows the attacker to retrieve partial information about the contents of the state matrix after the last round InverseMixColumn operation.
Property 1
Analysis: By virtue of the APE mode of operation and the SPONGE [7] construction it follows, the rate part (top row of the state) after \(\mathcal {R}^{-1}_1\) of \(p^{-1}\) is released as the plaintext block after XORing with the next ciphertext block (and can be observed unconditionally under RUP). If the state after \(\mathcal {R}^{-1}_1\) is \(s = [s_{i,j}]\), then \(p\oplus c\) gives back \(s_{0,*}\). We can now invert this block to get inside \(\mathcal {R}^{-1}_1\) despite only partial knowledge of the state. This is possible since \(\beta \) operates word-wise and \(\rho \) operates row-wise. Moreover, \(\rho \) can be ignored as it has no effect on the top row, whose shift offset is zero. Thus applying \(\beta \) to \(s_{0,*}\) we get the value of \(t_{0,*}\). However, the inversion stops here, since \(\mu \) operates column-wise and only one word of each column is known. \(\blacksquare \)
Later in this work we show how the Scope attack can exploit the Block Inversion Property along with RUP and use both faulty and fault-free plaintexts to reconstruct the differential state after \(\mu ^{-1}_2\) in \(\mathcal {R}^{-1}_2\). We now study the fault induction and diffusion in the state of \(p^{-1}\), which is vital to the understanding of the attack presented here.
4.2 Fault Diffusion in the Inverse PRIMATE Permutation
Property 2
If a single column is faulty at the start of \(\mathcal {R}^{-1}_{r+1}\), then there are exactly three fault-free words in each row of the differential state after \(\mathcal {R}^{-1}_{r}\).
Analysis: This property surfaces because in two rounds the fault does not spread to the entire state matrix. This is primarily attributed to the fact that the state matrix is non-square. To visualize this we first look at fault diffusion in the \(\mathcal {R}^{-1}_{r+1}\) round. Let us denote the differential state at the input of \(\mathcal {R}^{-1}_{r+1}\) as \(s= [s_{i,j}]\). This analysis takes into account only the structural dispersion of the fault and is independent of the actual value of \(s\). At the beginning of \(\mathcal {R}^{-1}_{r+1}\) only one column \(s_{*,j}\) is faulty. The operation \(\alpha ^{-1}\) is omitted from the analysis since round-constant addition has no effect on the differential state.
Fault diffusion in \(\mathcal {R}^{-1}_{r+1}\):

\(\mu ^{-1}_{r+1}:\) Intra-column diffusion. Fault spreads to the entire column \(s_{*,j}\).

\(\rho ^{-1}_{r+1}:\) No diffusion, fault shifts to the words \(\{s_{i,(j+\sigma (i))\text { mod }8} : {\scriptstyle 0\le i <\sigma } \}\).

\(\beta ^{-1}_{r+1}:\) No diffusion, fault limited to the same words as after \(\rho ^{-1}_{r+1}\).

$$\begin{aligned} s_{*,j} \xrightarrow {\mu ^{-1}_{r+1}} s_{*,j} \xrightarrow {\beta ^{-1}_{r+1} \circ \rho ^{-1}_{r+1}} \{s_{i,(j+\sigma (i))\text { mod }{8}}\} \end{aligned}$$ (5)

Fault diffusion in \(\mathcal {R}^{-1}_{r}\):

\(\mu ^{-1}_{r}:\) Fault spreads to each column \(s_{*,(j+\sigma (i))\text { mod }{8}}\).

\(\rho ^{-1}_{r}:\) No diffusion, fault shifts to the words \(\{s_{i,(j+\sigma (i)+\sigma (k))\text { mod }8} : {\scriptstyle 0\le i,k <\sigma }\}\).

\(\beta ^{-1}_{r}:\) No diffusion, fault limited to the same words as after \(\rho ^{-1}_{r}\).

$$\begin{aligned} \{s_{i,(j+\sigma (i))\text { mod }{8}} \} \xrightarrow {\mu ^{-1}_{r}} s_{*,(j+\sigma (i))\text { mod }{8}} \xrightarrow {\beta ^{-1}_{r} \circ \rho ^{-1}_{r}} \{s_{i,(j+\sigma (i)+\sigma (k))\text { mod }8}\} \end{aligned}$$ (6)

4.3 The Bijection Lemma
This lemma stems from the property mentioned above and is pivotal in increasing the efficiency of the Scope attack. Again, it is a direct consequence of the non-square nature of the internal state of \(p^{-1}\).
Lemma 1
If a fault is induced in the \(j^{th}\) column of the state at the input of \(\mathcal {R}^{-1}_{r+1}\), then the fault-free words in the differential plaintext block released after \(\mathcal {R}^{-1}_{r}\) are at positions \(((j+3), (j+5), (j+6)) \text { mod }8\).
Proof
This directly follows from relation (7). Recall that for APE decryption under RUP, the first row of the state is released after XORing with the next ciphertext block. However, since we are considering a differential here, the effect of the ciphertext block is nullified. Now, for \(i = 0\), from relation (7) we have \(\{s_{0,(j+\sigma (0)+\sigma (k))\text { mod }8} : {\scriptstyle 0\le k < 5}\} = \{s_{0,j}, s_{0,j+1}, s_{0,j+2}, s_{0,j+4}, s_{0,j+7}\}\), which is the set of faulty words in the differential plaintext block. Hence, the complement of this set w.r.t. the set of all words in the plaintext block is \(\{s_{0,j+3}, s_{0,j+5}, s_{0,j+6}\}\), which signifies the fault-free words. \(\blacksquare \)
The implication of this lemma is that there exists a bijection between the positions of the fault-free words in the differential plaintext block released after \(\mathcal {R}^{-1}_{r}\) and the position of the column in which the fault was induced before \(\mathcal {R}^{-1}_{r+1}\). This is vital to the analysis presented in this work and shows that by looking at the unverified differential plaintext block the attacker can ascertain the column position of the fault. This makes the attack 8 times faster. However, this information is not sufficient to guess the row position, since all faults in the same column produce the same pattern of fault-free words.
In the case of \(p^{-1}\), \(r = 1\), and the Bijection Lemma implies that by looking at the unverified differential block (Fig. 3) released after \(\mathcal {R}^{-1}_1\), the attacker can ascertain in which column the fault was induced before \(\mathcal {R}^{-1}_2\). With knowledge of all these characteristics of the APE mode of operation as well as \(p^{-1}\), we are now in a position to introduce the differential fault attack developed in this work: Scope.
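The following simulation, added here as an illustration and not code from the paper or from the PRIMATEs designers, tracks only the structural fault pattern (which words of the \(5 \times 8\) state are faulty) through the last two inverse rounds, which is exactly the reasoning of Property 2 and the proof of Lemma 1. The inverse-ShiftRow offsets SIGMA = (0, 1, 2, 4, 7) are assumed from the proof of Lemma 1, where \(\{j+\sigma(k)\}\) expands to \(\{j, j+1, j+2, j+4, j+7\}\); \(\alpha^{-1}\) is omitted since it does not change a differential, and \(\beta^{-1}\) is word-wise so it never changes the pattern.

```python
"""Structural fault diffusion in the last two rounds of the inverse PRIMATE-80
permutation (Property 2) and the Bijection Lemma (Lemma 1).

Added example: only the faulty-word *pattern* of the 5x8 state is tracked, not
word values. SIGMA is the assumed inverse-ShiftRow offset of each row.
"""

ROWS, COLS = 5, 8
SIGMA = (0, 1, 2, 4, 7)   # assumed: row i moves column j to (j + SIGMA[i]) mod 8


def empty_pattern():
    return [[False] * COLS for _ in range(ROWS)]


def inv_mixcolumn(pattern):
    """mu^-1: a faulty word contaminates its whole column (intra-column diffusion)."""
    out = empty_pattern()
    for j in range(COLS):
        if any(pattern[i][j] for i in range(ROWS)):
            for i in range(ROWS):
                out[i][j] = True
    return out


def inv_shiftrow(pattern):
    """rho^-1: no diffusion, the fault in row i shifts to column (j + sigma(i)) mod 8."""
    out = empty_pattern()
    for i in range(ROWS):
        for j in range(COLS):
            if pattern[i][j]:
                out[i][(j + SIGMA[i]) % COLS] = True
    return out


def inv_subbyte(pattern):
    """beta^-1 is word-wise, so the faulty-word pattern is unchanged."""
    return [row[:] for row in pattern]


def inverse_round(pattern):
    """One inverse round on a differential: beta^-1 o rho^-1 o mu^-1 (alpha^-1 omitted)."""
    return inv_subbyte(inv_shiftrow(inv_mixcolumn(pattern)))


def diffuse_single_fault(row, col):
    """Pattern after R^-1_2 and R^-1_1 for a uni-word fault at the input of R^-1_2."""
    pattern = empty_pattern()
    pattern[row][col] = True
    return inverse_round(inverse_round(pattern))


def fault_free_in_row(pattern, i):
    """Column positions of the fault-free words in row i (ascending)."""
    return tuple(j for j in range(COLS) if not pattern[i][j])


def fault_free_plaintext_words(col):
    """Fault-free positions of the released differential plaintext block (top row)."""
    return fault_free_in_row(diffuse_single_fault(0, col), 0)


def lemma_prediction(col):
    """Lemma 1: the fault-free words sit at (j+3, j+5, j+6) mod 8."""
    return tuple(sorted(((col + 3) % COLS, (col + 5) % COLS, (col + 6) % COLS)))


def column_from_pattern(differential_block):
    """Invert the bijection: recover the faulty column from a differential
    plaintext block given as 8 values, 0 meaning a fault-free word.
    Returns None if the pattern does not match any single-column fault."""
    observed = tuple(j for j in range(COLS) if differential_block[j] == 0)
    matches = [j for j in range(COLS) if lemma_prediction(j) == observed]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    for j in range(COLS):
        print(f"fault in column {j}: fault-free plaintext words at {fault_free_plaintext_words(j)}")
```

Running the script lists, for each of the eight fault columns, the three fault-free positions of the released block; the eight patterns are pairwise distinct, which is the bijection the lemma asserts.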
5 Scope: Differential Fault Analysis of APE Decryption (Exploiting Release of Unverified Plaintexts)
The first task is to run APE decryption and observe the released unverified plaintexts. Next, the attacker queries the decryption with the same set of inputs; recall that the nonce constraint can be bypassed by definition. Every time the decryption is replayed, he induces a random uni-word fault at the input of \(\mathcal {R}^{-1}_2\) of \(p^{-1}\) during the processing of the same ciphertext block. By the RUP principle, the attacker can observe the corresponding faulty plaintext blocks. The fault-free plaintext block (p) along with each corresponding faulty plaintext block (\(p'_i\)) is stored. Now, using the Bijection Lemma, every differential plaintext block (\(p \oplus p'_i\)) is analyzed to get the faulty column before \(\mathcal {R}^{-1}_2\). The information is stored in the fault count vector (\(\mathcal {F}\)), an array keeping count of the number of faults traced back to each column before \(\mathcal {R}^{-1}_2\). For each unverified faulty plaintext, the Inbound phase is initiated to get back a set of hypercolumns. The process is detailed in the next subsection.
5.1 The Inbound Phase
The Factor Matrix
6  22  31  *  1  *  *  15 
15  6  22  31  *  1  *  * 
*  15  6  22  31  *  1  * 
*  *  15  6  22  31  *  1 
1  *  *  15  6  22  31  * 
*  1  *  *  15  6  22  31 
31  *  1  *  *  15  6  22 
22  31  *  1  *  *  15  6 
5.2 Noise Handling
Noise Inclusion. When the attacker traces only one fault back to a column, he faces an ambiguity regarding the source row. In this scenario, he has no option but to include all the hypercolumns for the next phase of the attack, i.e., he includes all the Noise in the final step. Noise Inclusion thus corresponds to the word-wise union of all hypercolumns, as depicted in Fig. 6a. Noise Inclusion definitely increases the column-space; however, computer simulations show that the final cardinality is still much better than brute force.
Noise Reduction. When the attacker traces multiple faults to the same column, he can significantly reduce the column-space by eliminating Noisy hypercolumns. For example, if two faults are traced back to column x, then the attacker has two sets of hypercolumns. He takes the cross product of these two sets; every element of the cross product is a pair of hypercolumns. He then takes the word-wise set intersection of each such pair. The result is again a hypercolumn, with the cardinality of its component sets greatly reduced. However, if the hypercolumn turns out to be empty^{3}, it is discarded. Experiments show that most of the elements of the cross product are eliminated this way and the attacker is left with a single final hypercolumn. In case multiple hypercolumns remain, an element-wise union is taken to form the final hypercolumn.
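The two Noise handling rules above, as an added example that is not the paper's code: a hypercolumn is modelled as a tuple of five sets (candidate 5-bit words, one set per row of the column after \(\mu^{-1}_2\)), empty by Definition 4 whenever any component is empty. The sample hypercolumns are constructed for illustration; the reduction is written for any number of faults traced to one column, of which the paper's two-fault case is an instance.

```python
"""Noise Inclusion and Noise Reduction on hypercolumns (Sect. 5.2).

Added example, not the paper's code. A hypercolumn is a tuple of ROWS sets of
candidate words; it is empty if any component set is empty (Definition 4).
"""

from itertools import product

ROWS = 5


def is_empty(hypercolumn):
    """Definition 4: empty as soon as one row has no candidate left."""
    return any(len(component) == 0 for component in hypercolumn)


def intersect(h1, h2):
    """Word-wise (row-wise) set intersection of two hypercolumns."""
    return tuple(a & b for a, b in zip(h1, h2))


def union(h1, h2):
    """Word-wise set union of two hypercolumns."""
    return tuple(a | b for a, b in zip(h1, h2))


def column_space(hypercolumn):
    """Number of candidate columns a hypercolumn still represents."""
    size = 1
    for component in hypercolumn:
        size *= len(component)
    return size


def noise_inclusion(hypercolumns):
    """One fault traced to the column: the source row is ambiguous, so keep
    every hypercolumn of that fault by taking their word-wise union."""
    result = hypercolumns[0]
    for h in hypercolumns[1:]:
        result = union(result, h)
    return result


def noise_reduction(candidate_sets):
    """Several faults traced to the same column: for every tuple of the cross
    product (one hypercolumn per fault) intersect word-wise, discard tuples
    whose result is empty, and union whatever survives. None means the
    candidate sets are mutually inconsistent."""
    survivors = []
    for combo in product(*candidate_sets):
        h = combo[0]
        for other in combo[1:]:
            h = intersect(h, other)
        if not is_empty(h):
            survivors.append(h)
    return noise_inclusion(survivors) if survivors else None


def handle_column(candidate_sets):
    """Dispatch on the fault count of the column: 1 fault -> Noise Inclusion,
    2 or more -> Noise Reduction."""
    if len(candidate_sets) == 1:
        return noise_inclusion(candidate_sets[0])
    return noise_reduction(candidate_sets)


# Constructed sample: two faults traced to the same column, each leaving two
# candidate hypercolumns because the source row is unknown.
SAMPLE_FAULT_A = [
    ({3, 9}, {12}, {7, 20}, {1, 30}, {5, 11}),
    ({4}, {2, 8}, {7}, {15}, {6}),
]
SAMPLE_FAULT_B = [
    ({9, 17}, {12, 13}, {20}, {30}, {11, 22}),
    ({4, 5}, {8}, {21}, {15}, {6}),
]

if __name__ == "__main__":
    print("inclusion only:", column_space(noise_inclusion(SAMPLE_FAULT_A)), "candidates")
    print("after reduction:", handle_column([SAMPLE_FAULT_A, SAMPLE_FAULT_B]))
```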
5.3 The Outbound Phase
The Outbound phase of Scope is inspired by the Outbound phase of the EscApe [15] attack proposed by Saha et al. in Indocrypt 2014 and closely follows it. It borrows the idea of a Hyperstate and Kernel from there. The input to this phase is the set of eight hypercolumns. Since none of the hypercolumns is empty, they can easily be combined structurally to form the hyperstate of the state after \(\mu ^{-1}_2\). Let us denote the state by \(s = [s_{i,j}]\); then the hyperstate is \(s^h\). This hyperstate \(s^h\) captures the reduced state-space for the state s that has been generated by the last two phases. In this phase we want to further reduce the state-space using knowledge of the fault-free plaintext block, by again employing the Block Inversion property. This phase is called Outbound since it moves outward from \(\mu ^{-1}_2\). We start by propagating further into \(\mathcal {R}^{-1}_2\) and then move into \(\mathcal {R}^{-1}_1\) by applying some hyperstate-\(\langle\)operations\(\rangle\) on \(s^h\). The steps of the Outbound phase are listed below.
 1. The attacker starts the Outbound phase by applying the Hyperstate InverseShiftRow transformation (Definition 8) on \(s^h\), followed by Hyperstate InverseSubByte (Definition 9). This completes the \(\mathcal {R}^{-1}_2\) propagation.
$$\begin{aligned} s^h \xrightarrow {(\rho ^{-1})'} (\rho ^{-1}_2(s))^h \xrightarrow {(\beta ^{-1})'} (\beta ^{-1}_2(\rho ^{-1}_2(s)))^h \rightarrow v^h \text{ (say)} \end{aligned}$$
 2. We now move forward into the last round of \(p^{-1}\): \(\mathcal {R}^{-1}_1\). Let us denote the state \(\beta ^{-1}_2(\rho ^{-1}_2(s))\) as v. We now apply Hyperstate InverseAddRoundConstant (Definition 10), \((\alpha ^{-1}_1)'\), on the hyperstate \(v^h\). The next step is to compute the Kernel for \((\alpha ^{-1}_1(v))^h\): \(\mathcal {K}^{(\alpha ^{-1}_1(v))^h}\).
$$\begin{aligned} v^h \xrightarrow {(\alpha ^{-1}_1)'} (\alpha ^{-1}_1(v))^h \xrightarrow {\text{ Compute } \text{ Kernel }} \mathcal {K}^{(\alpha ^{-1}_1(v))^h} \end{aligned}$$
 3. Then the attacker applies the Kernel InverseMixColumn transformation on the Kernel \(\mathcal {K}^{(\alpha ^{-1}_1(v))^h}\).
$$\begin{aligned} \mathcal {K}^{(\alpha ^{-1}_1(v))^h} \xrightarrow {(\mu ^{-1})'} \mathcal {K}^{(\mu ^{-1}_1(\alpha ^{-1}_1(v)))^h} \end{aligned}$$
 4. Next comes the reduction step. Note that \(\mathcal {K}^{(\mu ^{-1}_1(\alpha ^{-1}_1(v)))^h}\) is the kernel for the hyperstate of \(\mu ^{-1}_1(\alpha ^{-1}_1(v))\), i.e., the state just before the application of \(\rho ^{-1}_1\). Now let \(t = \mu ^{-1}_1(\alpha ^{-1}_1(v))\). Then by the Block Inversion property, the actual value of \(t_{0,*}\) is known. This knowledge is used to reduce the size of each \(\mathcal {K}^{t^h_{*,j}} \in \mathcal {K}^{t^h}\). This reduction algorithm is very similar to ReduceKernel given in [15] and is restated in Appendix B for easy reference.
A pictorial description of the Outbound phase is furnished in Fig. 7. Thus, after the Outbound phase we get a reduced Kernel for the state at the end of \(\mu ^{-1}_1\). Every element of the cross product of the Kernels of the eight columns is a candidate state. Finally, applying \(\rho ^{-1}_1\) and \(\beta ^{-1}_1\) to each candidate state produces the reduced state-space at the end of \(\mathcal {R}^{-1}_1\) of \(p^{-1}\). This reduced state-space directly corresponds to the key-space, since recovering the internal state implies recovery of the key. The overall Scope attack is summarized by the following algorithm:
6 Experimental Results and Discussion
Scope was verified by extensive computer simulations. The experimental results confirm a large-scale reduction in the state-space and consequently the key-space. Average-case analysis reveals that with 12 random uni-word faults at the input of \(\mathcal {R}^{-1}_2\), the state-space at the end of \(\mathcal {R}^{-1}_1\) reduces from \(2^{160}\) to \(2^{50}\), while 16 faults give a reduced state-space of \(2^{24}\). It is interesting to note that the fault distribution has a direct impact on the state (key) space reduction. To highlight the impact we look at two different fault distributions with 12 faults. Let the fault count vectors be \(\mathcal {F}_1 =\{1,2,3,0,2,2,1,1\}\) and \(\mathcal {F}_2 =\{2,2,2,0,2,2,1,1\}\). The average reductions with these distributions are \(2^{45}\) and \(2^{28}\) respectively. This large variance in the reduced key-spaces is attributed firstly to the fact that \(\mathcal {F}_2\) is a more uniform distribution. Secondly, \(\mathcal {F}_1\) has three columns which receive just one fault, so Noise reduction cannot be applied to them, whereas for \(\mathcal {F}_2\) there are only two such columns, which leads to better Noise reduction in the Noise handling phase and hence a better reduction in the overall key-space. To conclude, the best results are obtained when the fault distribution is such that the maximum number of columns receive at least two faults.
It might be argued that, in comparison to the EscApe attack by Saha et al., Scope requires more faults. However, it must be kept in mind that Scope works with only partial state information while EscApe has the full state at its disposal. Moreover, since Scope attacks APE decryption it can bypass the nonce constraint and hence also avoid the need for faulty collisions, which are inevitable for EscApe. Overall, Scope shows an interesting case study where an AES-like construction is analyzed using faults with only partial state information available to the attacker.
7 Conclusion
In this work we explore the scope provided by the RUP model with regard to fault analysis. We argue that the ability to observe unverified plaintext opens up the fault side-channel to attackers, which is otherwise unavailable or available only with negligible probability. For the first time we show how the decryption of APE, an AE scheme that supports RUP, becomes vulnerable to DFA. Experiments reveal that using the random word fault model the key-space can be reduced from \(2^{160}\) to \(2^{50}\) using 12 faults, while 16 faults reduce it to \(2^{24}\). An important implication of the ability to attack the decryption using RUP is that the attacker can totally bypass the nonce constraint imposed by the encryption. Finally, this work shows that though RUP is a desirable property addressing many practical problems, it provides a unique scope to the attacker for mounting the Scope fault attack.
Footnotes
 1. The replaying criterion in differential fault analysis states that the attacker must be able to induce faults while replaying a previous fault-free run of the algorithm.
 2. A discussion on the generation and nature of the fault invariants is furnished in Appendix C.
 3. Recall that by Definition 4, a hypercolumn is empty if any of its components is empty.
References
 1. CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness. http://competitions.cr.yp.to/caesar.html
 2. Andreeva, E., Bilgin, B., Bogdanov, A., Luykx, A., Mennink, B., Mouha, N., Wang, Q., Yasuda, K.: PRIMATEs v1 (2014). http://competitions.cr.yp.to/round1/primatesv1.pdf
 3. Andreeva, E., Bilgin, B., Bogdanov, A., Luykx, A., Mennink, B., Mouha, N., Wang, Q., Yasuda, K.: PRIMATEs v1.01 (2014). http://primates.ae/wpcontent/uploads/primatesv1.01.pdf
 4. Andreeva, E., Bilgin, B., Bogdanov, A., Luykx, A., Mennink, B., Mouha, N., Yasuda, K.: APE: Authenticated Permutation-Based Encryption for Lightweight Cryptography. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 168–186. Springer, Heidelberg (2015). https://lirias.kuleuven.be/handle/123456789/450105
 5. Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Mouha, N., Yasuda, K.: How to Securely Release Unverified Plaintext in Authenticated Encryption. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 105–125. Springer, Heidelberg (2014)
 6. Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Mouha, N., Yasuda, K.: How to securely release unverified plaintext in authenticated encryption. Cryptology ePrint Archive, Report 2014/144 (2014). http://eprint.iacr.org/
 7. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Cryptographic sponge functions. http://sponge.noekeon.org/CSF0.1.pdf
 8. Biham, E., Shamir, A.: Differential Fault Analysis of Secret Key Cryptosystems. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 513–525. Springer, Heidelberg (1997)
 9. Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Information Security and Cryptography. Springer, Heidelberg (2002)
 10. Dusart, P., Letourneux, G., Vivolo, O.: Differential Fault Analysis on A.E.S. IACR Cryptology ePrint Archive 2003, 10 (2003). http://eprint.iacr.org/2003/010
 11. Giraud, C.: DFA on AES. In: Dobbertin, H., Rijmen, V., Sowa, A. (eds.) AES 2005. LNCS, vol. 3373, pp. 27–41. Springer, Heidelberg (2005)
 12. Moradi, A., Shalmani, M.T.M., Salmasizadeh, M.: A Generalized Method of Differential Fault Attack Against AES Cryptosystem. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 91–100. Springer, Heidelberg (2006)
 13. Mukhopadhyay, D.: An Improved Fault Based Attack of the Advanced Encryption Standard. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 421–434. Springer, Heidelberg (2009)
 14. Piret, G., Quisquater, J.J.: A Differential Fault Attack Technique Against SPN Structures, with Application to the AES and KHAZAD. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 77–88. Springer, Heidelberg (2003)
 15. Saha, D., Kuila, S., Chowdhury, D.R.: EscApe: Diagonal Fault Analysis of APE. In: Meier, W., Mukhopadhyay, D. (eds.) INDOCRYPT 2014. LNCS, vol. 8885, pp. 197–216. Springer, Heidelberg (2014)
 16. Saha, D., Mukhopadhyay, D., RoyChowdhury, D.: A Diagonal Fault Attack on the Advanced Encryption Standard. Cryptology ePrint Archive, Report 2009/581 (2009). http://eprint.iacr.org/