Differential fault attack on SPN-based sponge and SIV-like AE schemes

Article Type

Research Article

Publication Title

Journal of Cryptographic Engineering

Abstract

This paper presents the first successful differential fault attack (DFA) on the nonce-based authenticated encryption scheme PHOTON-BEETLE, a finalist (but not the winner) of the NIST LwC competition. It also gives the first differential fault attacks on several other NIST LwC schemes built on sponge and SIV techniques, including ORANGE, SIV-TEM-PHOTON, and ESTATE. In general, mounting a DFA on a nonce-based sponge/SIV-based AE scheme is challenging because each encryption query uses a unique nonce. The decryption procedure, however, can be invoked with a fixed nonce and therefore remains susceptible to DFA. We propose several fault attack models and give theoretical estimates of the number of faulty queries needed to obtain multiple forgeries; our simulated values closely match these estimates. Finally, we devise an algorithm that recovers the state from the collected forgeries. Under the random fault attack model, retrieving the secret key requires approximately 2^37.15 faulty queries, with offline time and memory complexities of 2^16 and 2^10 nibbles, respectively. Under the random bit fault attack model, around 2^11.5 faulty queries are required to retrieve the key for the PHOTON-based schemes and 2^13.1 for the AES-based scheme ESTATE. In the known fault attack model, around 2^11.05 faulty queries are needed to retrieve the secret key for the PHOTON-based schemes and 2^13.01 for the AES-based scheme ESTATE. The time and memory complexities of the state recovery attack (for the PHOTON-based schemes) are 2^11 and 2^9 nibbles, respectively. Further, under the precise bit-flip fault model, the number of faulty queries is reduced to 2^9.32.

First Page

363

Last Page

381

DOI

10.1007/s13389-024-00354-4

Publication Date

6-1-2024
