Practical fault attacks on minalpher: How to recover key with minimum faults?

Document Type

Conference Article

Publication Title

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)


This work presents two differential fault attacks (DFA) on Minalpher, a second-round CAESAR candidate, under a practical fault model and with as few faults as possible. Minalpher uses a new primitive called tweakable Even-Mansour, based on a permutation-based block cipher proposed by Even and Mansour, and to the best of our knowledge no practical DFA has yet been reported on it. In the first DFA, only two random faults are injected into two consecutive 4-bit nibbles (i.e., within 8 bits in total) of a specific internal state. We show that (i) if both faults are injected at the same nibble, the key space for the intermediate key can be reduced significantly from $2^{256}$ to $2^{32}$, and (ii) if the faults are injected at different positions, the key space for the intermediate key can be reduced further to only $2^{16}$. In the second DFA, we first consider two faults in a single nibble, which reduces the key space from $2^{256}$ to $2^{48}$. Moreover, we show that one additional fault (i.e., three faults in total) helps to reduce the key space significantly to $2^{8}$. We can compute the correct intermediate key by observing a few more plaintext-ciphertext pairs, which helps in computing valid ciphertext-tag pairs for any message and associated data under a fixed nonce.
