Differential fault attack on SPN-based sponge and SIV-like AE schemes

  • Research Article, Journal of Cryptographic Engineering

Abstract

This paper presents the first successful differential fault attack (DFA) on the nonce-based authenticated encryption (AE) scheme PHOTON-BEETLE, a finalist (though not the winner) of the NIST Lightweight Cryptography (LwC) competition. It also gives the first differential fault attacks on several other NIST LwC candidates built on sponge and SIV constructions: ORANGE, SIV-TEM-PHOTON, and ESTATE. DFA on a nonce-based sponge or SIV-based AE scheme is hard in general because every encryption query carries a fresh nonce, so the attacker cannot have the same input processed twice, once correctly and once under a fault. The decryption procedure, however, takes the nonce as an input chosen by the caller, so the attacker can replay the same (nonce, ciphertext) pair and inject faults into repeated decryptions; this is the avenue we exploit. We propose several fault attack models and give theoretical estimates of the number of faulty queries needed to obtain multiple forgeries; our simulation results closely match these estimates. Finally, we devise an algorithm that recovers the internal state from the collected forgeries. Under the random fault model, retrieving the secret key requires approximately \(2^{37.15}\) faulty queries, with offline time and memory complexities of \(2^{16}\) and \(2^{10}\) nibbles, respectively. Under the random bit fault model, around \(2^{11.5}\) faulty queries suffice to retrieve the key for the PHOTON-based schemes and \(2^{13.1}\) for the AES-based scheme ESTATE. Under the known fault model, around \(2^{11.05}\) faulty queries are needed for the PHOTON-based schemes and \(2^{13.01}\) for ESTATE; the time and memory complexities of the state recovery (for the PHOTON-based schemes) are \(2^{11}\) and \(2^{9}\) nibbles, respectively. Under the precise bit-flip fault model, the number of faulty queries drops further to \(2^{9.32}\).



Notes

  1. \(\alpha \cdot x\) denotes the \(\alpha\)-multiplication of an n-bit string \(x=x_{n-1}\cdots x_{1}x_{0}\), where \(x_{n-1}\) is the most significant bit. For \(n = 128\), \(\alpha \cdot x\) is defined as \((x\ll 1)\oplus 0^{120}10000111\) if \(x_{127} = 1\), and as \((x\ll 1)\) otherwise, where \(x \ll 1\) is the left shift by one bit truncated to n bits. Further, \(\alpha^{\delta_A}\cdot x\) denotes \(\delta_A\) repeated \(\alpha\)-multiplications applied to x.

  2. Note that the tag difference is the rate difference of the state, but we can always map the tag difference to its corresponding full state difference.

  3. The nibble fault position \((j, i)\) is not fixed: it can be any position \((j,i), j\in \{0,1,\cdots ,7\}\) in the ith column. For ease of exposition, we fix one specific fault position in the description.
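The \(\alpha\)-multiplication of Note 1, as an added worked example (this code is not from the paper or from the authors' repositories): it implements the doubling on 128-bit strings with the reduction constant \(0^{120}10000111\), which is the byte 0x87, the repeated form \(\alpha^{\delta_A}\cdot x\), and a byte-oriented variant. The function names, the branchless variant, and the check values are this example's own choices.

```python
# Added example, not code from the paper: alpha-multiplication on 128-bit
# strings as defined in Note 1. Multiplying by alpha is multiplication by x
# in GF(2^128) modulo x^128 + x^7 + x^2 + x + 1; the low byte of that
# polynomial, 10000111 = 0x87, is the constant written 0^{120}10000111.

N_BITS = 128
MASK = (1 << N_BITS) - 1
ALPHA_REDUCTION = 0x87          # 0^{120}10000111 as an integer


def alpha_mul(x: int) -> int:
    """alpha . x for a 128-bit value x; bit x_{127} is the most significant bit."""
    if not 0 <= x <= MASK:
        raise ValueError("x must be a 128-bit value")
    shifted = (x << 1) & MASK                 # (x << 1) truncated to n bits
    if (x >> (N_BITS - 1)) & 1:               # x_{127} = 1: reduce
        shifted ^= ALPHA_REDUCTION
    return shifted


def alpha_mul_branchless(x: int) -> int:
    """Same map without a branch on the top bit.

    The reduction constant is selected by a mask derived from x_{127}; this is
    the shape an implementation on secret data should have, because a branch
    on the top bit leaks it through timing. (Python integers are not
    constant-time themselves; this only illustrates the structure.)
    """
    if not 0 <= x <= MASK:
        raise ValueError("x must be a 128-bit value")
    msb = (x >> (N_BITS - 1)) & 1
    select = (-msb) & MASK                    # all ones if msb == 1, else 0
    return ((x << 1) & MASK) ^ (ALPHA_REDUCTION & select)


def alpha_pow_mul(x: int, delta: int) -> int:
    """alpha^delta . x: delta repeated alpha-multiplications, as in the note."""
    if delta < 0:
        raise ValueError("delta must be non-negative")
    for _ in range(delta):
        x = alpha_mul_branchless(x)
    return x


def alpha_mask_schedule(x: int, count: int) -> list:
    """[alpha^0 . x, alpha^1 . x, ..., alpha^(count-1) . x], the mask sequence
    a block-by-block construction derives from one initial value."""
    masks = []
    for _ in range(count):
        masks.append(x)
        x = alpha_mul_branchless(x)
    return masks


def alpha_mul_bytes(block: bytes) -> bytes:
    """alpha-multiplication of a 16-byte block, big-endian (first byte holds x_{127})."""
    if len(block) != N_BITS // 8:
        raise ValueError("block must be 16 bytes")
    return alpha_mul(int.from_bytes(block, "big")).to_bytes(N_BITS // 8, "big")


if __name__ == "__main__":
    # Constructed inputs: the unit element and a value with the top bit set.
    print(hex(alpha_mul(1)))                          # 0x2
    print(hex(alpha_mul(1 << 127)))                   # 0x87
    print(alpha_mul_bytes(bytes([0x80]) + bytes(15)).hex())
    print([hex(m) for m in alpha_mask_schedule(1, 4)])
```

Any 128-bit input whose top bit is set exercises the reduction branch; 1 << 127 is the smallest such value and maps to 0x87, which is the quickest sanity check against a hand implementation of the note's definition.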

References

  1. ITU-T Global Standards Initiative on Internet of Things (IoT-GSI): TSAG decision to establish the new Study Group 20 on IoT and its applications including smart cities and communities (2015). https://www.itu.int/en/ITU-T/gsi/iot/Pages/default.aspx

  2. Agoyan, M., Dutertre, J., Mirbaha, A., et al.: How to flip a bit? In: 16th IEEE International On-Line Testing Symposium (IOLTS 2010), 5–7 July, 2010, Corfu, Greece, pp. 235–239. IEEE Computer Society (2010)

  3. Banik, S., Pandey, S.K., Peyrin, T., et al.: GIFT: a small present—towards reaching the limit of lightweight encryption. In: Cryptographic Hardware and Embedded Systems—CHES 2017, Taipei, Taiwan, September 25–28, 2017, Proceedings, pp. 321–345. Springer, Berlin (2017)

  4. Banik, S., Bogdanov, A., Luykx, A., et al.: SUNDAE: small universal deterministic authenticated encryption for the internet of things. IACR Trans. Symmetric Cryptol. 2018(3), 1–35 (2018). https://doi.org/10.13154/tosc.v2018.i3.1-35


  5. Bao, Z., Chakraborti, A., Datta, N., et al.: PHOTON-Beetle: authenticated encryption and hash family. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/finalist-round/updated-spec-doc/photon-beetle-spec-final.pdf, submission to the NIST Lightweight Competition, May 17, 2021

  6. Beierle, C., Jean, J., Kölbl, S., et al.: The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Advances in Cryptology—CRYPTO 2016—36th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 14–18, 2016, Proceedings, Part II, vol. 9815, pp. 123–153. Springer, Berlin (2016)

  7. Bertoni, G., Daemen, J., Peeters, M., et al.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: Selected Areas in Cryptography—18th International Workshop, SAC 2011, Toronto, ON, Canada, August 11–12, 2011, Revised Selected Papers. Springer, Berlin (2011)

  8. Biham, E., Shamir, A.: Differential fault analysis of secret key cryptosystems. In: Advances in Cryptology—CRYPTO’97, 17th Annual International Cryptology Conference, Santa Barbara, California, USA, August 17–21, 1997, Proceedings, vol. 1294, pp. 513–525. Springer, Berlin (1997)

  9. Biryukov, A., Perrin, L.: State of the art in lightweight symmetric cryptography. IACR Cryptol. ePrint Arch. 2017/511 (2017). http://eprint.iacr.org/2017/511

  10. Bogdanov, A., Knudsen, L.R., Leander, G., et al.: PRESENT: an ultra-lightweight block cipher. In: Cryptographic Hardware and Embedded Systems—CHES 2007, Vienna, Austria, September 10–13, 2007, Proceedings, vol. 4727, pp. 450–466. Springer, Berlin (2007)

  11. Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of checking cryptographic protocols for faults (extended abstract). In: Advances in Cryptology—EUROCRYPT’97, International Conference on the Theory and Application of Cryptographic Techniques, Konstanz, Germany, May 11–15, 1997, Proceeding, vol. 1233, pp. 37–51. Springer, Berlin (1997)

  12. Borghoff, J., Canteaut, A., Güneysu, T., et al.: PRINCE—a low-latency block cipher for pervasive computing applications—extended abstract. In: Advances in Cryptology—ASIACRYPT 2012, Beijing, China, December 2–6, 2012. Proceedings, vol. 7658, pp. 208–225. Springer, Berlin (2012)

  13. De Cannière, C., Dunkelman, O., Knezevic, M.: KATAN and KTANTAN—a family of small and efficient hardware-oriented block ciphers. In: Cryptographic Hardware and Embedded Systems—CHES 2009, 11th International Workshop, Lausanne, Switzerland, September 6–9, 2009, Proceedings, vol. 5747, pp. 272–288. Springer, Berlin (2009)

  14. Chakraborti, A., Datta, N., Nandi, M., et al.: Beetle family of lightweight and secure authenticated encryption ciphers. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(2), 218–241 (2018)


  15. Chakraborti, A., Datta, N., Jha, A., et al.: ESTATE. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/estate-spec-round2.pdf, submission to the NIST Lightweight Competition, March 29, 2019

  16. Chakraborty, B., Nandi, M.: ORANGE. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/orange-spec-round2.pdf, submission to the NIST Lightweight Competition, September 20, 2019

  17. Dobraunig, C., Eichlseder, M., Groß, H., et al.: Statistical ineffective fault attacks on masked AES with fault countermeasures. In: Advances in Cryptology—ASIACRYPT 2018—24th International Conference on the Theory and Application of Cryptology and Information Security, Brisbane, QLD, Australia, December 2–6, 2018, Proceedings, Part II, pp. 315–342. Springer, Berlin (2018)

  18. Dobraunig, C., Eichlseder, M., Korak, T., et al.: SIFA: exploiting ineffective fault inductions on symmetric cryptography. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(3), 547–572 (2018)


  19. Dobraunig, C., Mangard, S., Mendel, F., et al.: Fault attacks on nonce-based authenticated encryption: application to keyak and ketje. In: Selected Areas in Cryptography—SAC 2018—25th International Conference, Calgary, AB, Canada, August 15–17, 2018, Revised Selected Papers, pp. 257–277. Springer, Berlin (2018)

  20. Dobraunig, C., Eichlseder, M., Mendel, F., et al.: Ascon v1.2: lightweight authenticated encryption and hashing. J. Cryptol. 34(3), 33 (2021). https://doi.org/10.1007/s00145-021-09398-9


  21. Dutertre, J., Mirbaha, A., Naccache, D., et al.: Fault round modification analysis of the advanced encryption standard. In: 2012 IEEE International Symposium on Hardware-Oriented Security and Trust, HOST 2012, San Francisco, CA, USA, June 3–4, 2012, pp. 140–145. IEEE Computer Society (2012)

  22. Fuhr, T., Jaulmes, É., Lomné, V., et al.: Fault attacks on AES with faulty ciphertexts only. In: 2013 Workshop on Fault Diagnosis and Tolerance in Cryptography, Los Alamitos, CA, USA, August 20, 2013, pp. 108–118. IEEE Computer Society (2013). https://doi.org/10.1109/FDTC.2013.18

  23. Gruber, M., Probst, M., Tempelmeier, M.: Statistical ineffective fault analysis of GIMLI. In: 2020 IEEE International Symposium on Hardware Oriented Security and Trust, HOST 2020, San Jose, CA, USA, December 7–11, 2020, pp. 252–261. IEEE (2020)

  24. Guo, J., Peyrin, T., Poschmann, A.: The PHOTON family of lightweight hash functions. In: Advances in Cryptology—CRYPTO 2011—31st Annual Cryptology Conference, Santa Barbara, CA, USA, August 14–18, 2011. Proceedings, pp. 222–239. Springer, Berlin (2011)

  25. Guo, J., Peyrin, T., Poschmann, A., et al.: The LED block cipher. In: Cryptographic Hardware and Embedded Systems—CHES 2011—13th International Workshop, Nara, Japan, September 28–October 1, 2011, Proceedings, pp. 326–341 (2011)

  26. Hatzivasilis, G., Fysarakis, K., Papaefstathiou, I., et al.: A review of lightweight block ciphers. J. Cryptogr. Eng. 8(2), 141–184 (2018)


  27. Iwata, T., Song, L., Bao, Z., et al.: SIV-TEM-PHOTON authenticated encryption and hash family. https://csrc.nist.gov/CSRC/media/Projects/Lightweight-Cryptography/documents/round-1/spec-doc/SIV-TEM-PHOTON-Spec.pdf, submission to the NIST Lightweight Competition, March 28, 2019

  28. Jana, A.: Differential fault attack on Feistel-based sponge AE schemes. J. Hardw. Syst. Secur. 6(1–2), 1–16 (2022). https://doi.org/10.1007/s41635-022-00124-w


  29. Jana, A.: Unoptimized C-implementation of ESTATE state recovery under different fault models (2023). https://github.com/janaamit001/ESTATE.git

  30. Jana, A.: Unoptimized C-implementation of faulty forgery simulation of PHOTON-BEETLE and ESTATE (2023). https://github.com/janaamit001/Faulty_Forgery_Simulation.git

  31. Jana, A.: Unoptimized C-implementation of ORANGE state recovery under different fault models (2023). https://github.com/janaamit001/ORANGE.git

  32. Jana, A.: Unoptimized C-implementation of PHOTON-BEETLE state recovery under different fault models (2023). https://github.com/janaamit001/PHOTON-BEETLE.git

  33. Jana, A.: Unoptimized C-implementation of PHOTON-BEETLE state recovery under random fault model (2023). https://github.com/janaamit001/PhotonBeetle_state_recovery_under_RfaultModel.git

  34. Jana, A.: Unoptimized C-implementation of SIV-TEM-PHOTON state recovery under different fault models (2023). https://github.com/janaamit001/SIV-TEM-PHOTON.git

  35. Jana, A., Paul, G.: Differential fault attack on PHOTON-BEETLE. In: Chang, C., Rührmair, U., Mukhopadhyay, D., et al. (Eds.) Proceedings of the 2022 Workshop on Attacks and Solutions in Hardware Security, ASHES 2022, Los Angeles, CA, USA, 11 November 2022, pp. 25–34. ACM (2022). https://doi.org/10.1145/3560834.3563824

  36. Jana, A., Nath, A., Paul, G., et al.: Differential fault analysis of NORX using variants of coupon collector problem. J. Cryptogr. Eng. 12(4), 433–459 (2022). https://doi.org/10.1007/s13389-022-00285-y


  37. McKay, K.A., Bassham, L.E., Turan, M.S., et al.: Report on lightweight cryptography. NIST Interagency/Internal Report (NISTIR), National Institute of Standards and Technology, Gaithersburg, MD (2017). https://doi.org/10.6028/NIST.IR.8114

  38. Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (Ed.) Advances in Cryptology—EUROCRYPT 2006, 25th Annual International Conference on the Theory and Applications of Cryptographic Techniques, St. Petersburg, Russia, May 28–June 1, 2006, Proceedings, Lecture Notes in Computer Science, vol. 4004, pp. 373–390. Springer, Berlin (2006). https://doi.org/10.1007/11761679_23

  39. Saha, S., Chakraborty, R.S., Nuthakki, S.S., et al.: Improved test pattern generation for hardware trojan detection using genetic algorithm and Boolean satisfiability. In: Cryptographic Hardware and Embedded Systems—CHES 2015—17th International Workshop, Saint-Malo, France, September 13–16, 2015, Proceedings, pp. 577–596. Springer, Berlin (2015)

  40. Selmke, B., Brummer, S., Heyszl, J., et al.: Precise laser fault injections into 90 nm and 45 nm SRAM cells. In: Smart Card Research and Advanced Applications—14th International Conference, CARDIS 2015, Bochum, Germany, November 4–6, 2015. Revised Selected Papers, pp. 193–205. Springer, Berlin (2015)

Author information

Contributions

A.J. performed all theoretical calculations as well as detailed implementation and wrote the first draft of this manuscript. G.P. supervised the development of the attack model, attack strategies, theoretical analysis of the attacks and presentation of the results. Both the authors contributed towards revising and polishing the manuscript to its final shape.

Corresponding author

Correspondence to Goutam Paul.

Ethics declarations

Conflict of interest

The authors declare no competing interests.

Additional information

This paper is a thoroughly revised and significantly expanded version of the previous work [35], originally published in the Proceedings of the 6th ACM Workshop on Attacks and Solutions in Hardware Security, ASHES@CCS 2022, held in Los Angeles, CA, USA, on November 11, 2022. The earlier work focused on analyzing the cipher PHOTON-BEETLE. The present work additionally attacks ORANGE, SIV-TEM-PHOTON, and ESTATE, which are discussed in detail in Sects. 4, 5, and 6. Sect. 5 is entirely new. Sects. 4 and 6, which correspond to Sections 3.2 and 3.3 of [35], have been substantially updated; in particular, they now include detailed comparisons between the theoretical estimates and the simulation results. Sect. 8 has also received minor updates in this revised version.


Cite this article

Jana, A., Paul, G. Differential fault attack on SPN-based sponge and SIV-like AE schemes. J Cryptogr Eng 14, 363–381 (2024). https://doi.org/10.1007/s13389-024-00354-4
