Algebraic Fault Attack on SHA Hash Functions Using Programmatic SAT Solvers

  • Saeed Nejati
  • Jan Horáček
  • Catherine Gebotys
  • Vijay Ganesh
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11008)


We present an algebraic fault attack (AFA) solver for recovering secret bits from hardware implementations of the SHA family of hash functions. The crucial insight in our method is the use of SHA-based propagation and conflict-analysis methods in the inner loop of a Boolean conflict-driven clause-learning SAT solver, à la the DPLL(T) paradigm. In our method the fault-injected part of the hash function is translated into a Boolean formula (which is then fed as input to the SAT solver), while the rest is encoded via a programmatic interface as part of the SAT solver’s propagation and conflict-analysis routines. Such an approach enables the addition of learnt clauses to the SAT solver in an on-demand and lazy fashion. We evaluated our tool under a variety of fault models, and showed that we can recover the secret bits faster and with far fewer injected faults compared to the previous best work. AFA is a powerful way of empirically verifying the strength of a cryptographic function’s implementation.
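The abstract's central mechanism is a solver whose problem is split in two: one part is ordinary CNF handed to the SAT engine, the other is evaluated natively through a programmatic interface that hands learnt clauses back to the solver only when the current partial assignment conflicts with it. The toy DPLL solver below is an added illustration of that mechanism and is not code from the paper, from MapleSAT or from the authors' tool. The 4-bit mixing function `mix`, the XOR-linked intermediate variable, the variable numbering and the observed values are all constructed for the example; the callback `programmatic_check` plays the role of the natively encoded part and returns a blocking clause on demand instead of the whole function being encoded up front.

```python
"""Toy programmatic DPLL solver: a CNF part plus a native callback that
teaches the solver learnt clauses lazily, only when a partial assignment
conflicts with it. All problem data here is constructed for the example."""
from typing import Callable, Dict, List, Optional, Tuple

Clause = List[int]            # DIMACS-style literals: +v is x_v, -v is not x_v
Assignment = Dict[int, bool]  # partial assignment: variable -> value
Checker = Callable[[Assignment], Optional[Clause]]


def lit_value(lit: int, assign: Assignment) -> Optional[bool]:
    """Value of a literal under a partial assignment (None if unassigned)."""
    v = assign.get(abs(lit))
    return None if v is None else (v if lit > 0 else not v)


def unit_propagate(clauses: List[Clause], assign: Assignment) -> bool:
    """Boolean constraint propagation; extends `assign` in place.
    Returns False as soon as some clause has every literal false."""
    changed = True
    while changed:
        changed = False
        for clause in clauses:
            vals = [lit_value(l, assign) for l in clause]
            if True in vals:
                continue                          # clause already satisfied
            free = [l for l, v in zip(clause, vals) if v is None]
            if not free:
                return False                      # conflict
            if len(free) == 1:                    # unit clause: force it
                assign[abs(free[0])] = free[0] > 0
                changed = True
    return True


def solve(clauses: List[Clause], n_vars: int,
          check: Checker) -> Tuple[Optional[Assignment], List[Clause]]:
    """DPLL over `clauses` plus whatever `check` teaches the solver on the way.
    Returns (model or None, list of clauses learnt from the callback)."""
    learnt: List[Clause] = []

    def search(assign: Assignment) -> Optional[Assignment]:
        assign = dict(assign)
        if not unit_propagate(clauses + learnt, assign):
            return None
        conflict = check(assign)                  # programmatic part
        if conflict is not None:
            learnt.append(conflict)               # added on demand, kept forever
            return None
        for v in range(1, n_vars + 1):
            if v not in assign:
                for value in (True, False):
                    model = search({**assign, v: value})
                    if model is not None:
                        return model
                return None
        return assign                             # complete, conflict-free

    return search({}), learnt


# --- Constructed problem ----------------------------------------------------
# Variables 1..4 hold an unknown 4-bit value s (variable i is bit i-1).
# Variable 5 is an intermediate s0 XOR s1 that the CNF side models explicitly.
N_VARS = 5


def xor_clauses(a: int, b: int, out: int) -> List[Clause]:
    """CNF for out <-> (a XOR b)."""
    return [[-a, -b, -out], [a, b, -out], [a, -b, out], [-a, b, out]]


CNF_PART: List[Clause] = xor_clauses(1, 2, 5) + [[5]]   # observed: s0 XOR s1 == 1


def mix(s: int) -> int:
    """Constructed 4-bit mixing step: rotate-left by 1, XOR a modular add."""
    rotl = ((s << 1) | (s >> 3)) & 0xF
    return rotl ^ ((s + 5) & 0xF)


OBSERVED_MIX = 7   # mix(6) == 7; mix(11) == 7 as well, but 11 has s0 == s1


def programmatic_check(assign: Assignment) -> Optional[Clause]:
    """Native evaluation of mix() in place of a CNF encoding of it.
    Fires only once all four bits are assigned; on a mismatch it returns the
    clause that forbids exactly this combination of the four bits."""
    bits = [assign.get(v) for v in (1, 2, 3, 4)]
    if None in bits:
        return None                               # too early to judge
    s = sum(int(b) << i for i, b in enumerate(bits))
    if mix(s) == OBSERVED_MIX:
        return None
    return [(-v if assign[v] else v) for v in (1, 2, 3, 4)]


def recover() -> Tuple[Optional[int], int]:
    """Run the solver, decode the 4-bit value, and report how many clauses
    the callback taught the solver along the way."""
    model, learnt = solve(CNF_PART, N_VARS, programmatic_check)
    if model is None:
        return None, len(learnt)
    return sum(int(model[v]) << (v - 1) for v in (1, 2, 3, 4)), len(learnt)


if __name__ == "__main__":
    value, n_learnt = recover()
    print(f"recovered s = {value} after {n_learnt} learnt clauses")
```

The point to notice is that `mix` is never turned into clauses: the solver only ever sees the handful of blocking clauses the callback returns for assignments it actually visited, which is the lazy, on-demand clause addition the abstract contrasts with encoding the whole function eagerly. A real programmatic propagator would also return implied literals before an assignment is complete; this toy version only reports conflicts.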



The authors would like to thank Jia Hui Liang for his support with MapleSAT. The second author was financially supported by the DFG project “Algebraische Fehlerangriffe” [KR 1907/6-2].



Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Saeed Nejati (1)
  • Jan Horáček (2)
  • Catherine Gebotys (1)
  • Vijay Ganesh (1)

  1. University of Waterloo, Waterloo, Canada
  2. University of Passau, Passau, Germany
