Information-Combining Differential Fault Attacks on DEFAULT

Marcel Nageler; Christoph Erwin Dobraunig; Maria Eichlseder

doi:10.1007/978-3-031-07082-2_7

Information-Combining Differential Fault Attacks on DEFAULT

Marcel Nageler, Christoph Erwin Dobraunig, Maria Eichlseder

Institute of Applied Information Processing and Communications (7050)

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Abstract

Differential fault analysis (DFA) is a very powerful attack vector for implementations of symmetric cryptography. Most countermeasures are applied at the implementation level. At ASIACRYPT 2021, Baksi et al. proposed a design strategy that aims to provide inherent cipher level resistance against DFA by using S-boxes with linear structures. They argue that in their instantiation, the block cipher DEFAULT, a DFA adversary can learn at most 64 of the 128 key bits, so the remaining brute-force complexity of 2 ⁶⁴ is impractical. In this paper, we show that a DFA adversary can combine information across rounds to recover the full key, invalidating their security claim. In particular, we observe that such ciphers exhibit large classes of equivalent keys that can be represented efficiently in normalized form using linear equations. We exploit this in combination with the specifics of DEFAULT’s strong key schedule to recover the key using less than 100 faulty computation and negligible time complexity. Moreover, we show that even an idealized version of DEFAULT with independent round keys is vulnerable to our information-combining attacks based on normalized keys.

Original language	English
Title of host publication	Advances in Cryptology – EUROCRYPT 2022 - 41st Annual International Conference on the Theory and Applications of Cryptographic Techniques, 2022, Proceedings
Editors	Orr Dunkelman, Stefan Dziembowski
Publisher	Springer
Pages	168-191
Number of pages	24
ISBN (Electronic)	978-3-031-07082-2
ISBN (Print)	978-3-031-07081-5
DOIs	https://doi.org/10.1007/978-3-031-07082-2_7
Publication status	Published - May 2022
Event	41st Annual International Conference on the Theory and Applications of Cryptographic Techniques: EUROCRYPT 2022 - Trondheim, Norway Duration: 30 May 2022 → 3 Jun 2022 https://eurocrypt.iacr.org/2022/

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	13277 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	41st Annual International Conference on the Theory and Applications of Cryptographic Techniques
Abbreviated title	EUROCRYPT 2022
Country/Territory	Norway
City	Trondheim
Period	30/05/22 → 3/06/22
Internet address	https://eurocrypt.iacr.org/2022/

Keywords

Differential Fault Attacks (DFA)
Cryptanalysis
Linear structures
DEFAULT

ASJC Scopus subject areas

Theoretical Computer Science
Computer Science(all)

Fields of Expertise

Information, Communication & Computing

Access to Document

10.1007/978-3-031-07082-2_7

https://eprint.iacr.org/2021/1374Licence: CC BY 4.0

Cite this

Nageler, M., Dobraunig, C. E., & Eichlseder, M. (2022). Information-Combining Differential Fault Attacks on DEFAULT. In O. Dunkelman, & S. Dziembowski (Eds.), Advances in Cryptology – EUROCRYPT 2022 - 41st Annual International Conference on the Theory and Applications of Cryptographic Techniques, 2022, Proceedings (pp. 168-191). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13277 LNCS). Springer. https://doi.org/10.1007/978-3-031-07082-2_7

Information-Combining Differential Fault Attacks on DEFAULT. / Nageler, Marcel; Dobraunig, Christoph Erwin; Eichlseder, Maria.
Advances in Cryptology – EUROCRYPT 2022 - 41st Annual International Conference on the Theory and Applications of Cryptographic Techniques, 2022, Proceedings. ed. / Orr Dunkelman; Stefan Dziembowski. Springer, 2022. p. 168-191 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13277 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Nageler, M, Dobraunig, CE & Eichlseder, M 2022, Information-Combining Differential Fault Attacks on DEFAULT. in O Dunkelman & S Dziembowski (eds), Advances in Cryptology – EUROCRYPT 2022 - 41st Annual International Conference on the Theory and Applications of Cryptographic Techniques, 2022, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 13277 LNCS, Springer, pp. 168-191, 41st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Trondheim, Norway, 30/05/22. https://doi.org/10.1007/978-3-031-07082-2_7

Nageler M, Dobraunig CE, Eichlseder M. Information-Combining Differential Fault Attacks on DEFAULT. In Dunkelman O, Dziembowski S, editors, Advances in Cryptology – EUROCRYPT 2022 - 41st Annual International Conference on the Theory and Applications of Cryptographic Techniques, 2022, Proceedings. Springer. 2022. p. 168-191. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-031-07082-2_7

Nageler, Marcel ; Dobraunig, Christoph Erwin ; Eichlseder, Maria. / Information-Combining Differential Fault Attacks on DEFAULT. Advances in Cryptology – EUROCRYPT 2022 - 41st Annual International Conference on the Theory and Applications of Cryptographic Techniques, 2022, Proceedings. editor / Orr Dunkelman ; Stefan Dziembowski. Springer, 2022. pp. 168-191 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{0bda43d726904d4b9ec7e5512f8f49cf,

title = "Information-Combining Differential Fault Attacks on DEFAULT",

abstract = "Differential fault analysis (DFA) is a very powerful attack vector for implementations of symmetric cryptography. Most countermeasures are applied at the implementation level. At ASIACRYPT 2021, Baksi et al. proposed a design strategy that aims to provide inherent cipher level resistance against DFA by using S-boxes with linear structures. They argue that in their instantiation, the block cipher DEFAULT, a DFA adversary can learn at most 64 of the 128 key bits, so the remaining brute-force complexity of 2 64 is impractical. In this paper, we show that a DFA adversary can combine information across rounds to recover the full key, invalidating their security claim. In particular, we observe that such ciphers exhibit large classes of equivalent keys that can be represented efficiently in normalized form using linear equations. We exploit this in combination with the specifics of DEFAULT{\textquoteright}s strong key schedule to recover the key using less than 100 faulty computation and negligible time complexity. Moreover, we show that even an idealized version of DEFAULT with independent round keys is vulnerable to our information-combining attacks based on normalized keys. ",

keywords = "Differential Fault Attacks (DFA), Cryptanalysis, Linear structures, DEFAULT",

author = "Marcel Nageler and Dobraunig, {Christoph Erwin} and Maria Eichlseder",

year = "2022",

month = may,

doi = "10.1007/978-3-031-07082-2_7",

language = "English",

isbn = "978-3-031-07081-5",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer",

pages = "168--191",

editor = "Orr Dunkelman and Stefan Dziembowski",

booktitle = "Advances in Cryptology – EUROCRYPT 2022 - 41st Annual International Conference on the Theory and Applications of Cryptographic Techniques, 2022, Proceedings",

note = "41st Annual International Conference on the Theory and Applications of Cryptographic Techniques : EUROCRYPT 2022, EUROCRYPT 2022 ; Conference date: 30-05-2022 Through 03-06-2022",

url = "https://eurocrypt.iacr.org/2022/",

}

TY - GEN

T1 - Information-Combining Differential Fault Attacks on DEFAULT

AU - Nageler, Marcel

AU - Dobraunig, Christoph Erwin

AU - Eichlseder, Maria

PY - 2022/5

Y1 - 2022/5

N2 - Differential fault analysis (DFA) is a very powerful attack vector for implementations of symmetric cryptography. Most countermeasures are applied at the implementation level. At ASIACRYPT 2021, Baksi et al. proposed a design strategy that aims to provide inherent cipher level resistance against DFA by using S-boxes with linear structures. They argue that in their instantiation, the block cipher DEFAULT, a DFA adversary can learn at most 64 of the 128 key bits, so the remaining brute-force complexity of 2 64 is impractical. In this paper, we show that a DFA adversary can combine information across rounds to recover the full key, invalidating their security claim. In particular, we observe that such ciphers exhibit large classes of equivalent keys that can be represented efficiently in normalized form using linear equations. We exploit this in combination with the specifics of DEFAULT’s strong key schedule to recover the key using less than 100 faulty computation and negligible time complexity. Moreover, we show that even an idealized version of DEFAULT with independent round keys is vulnerable to our information-combining attacks based on normalized keys.

AB - Differential fault analysis (DFA) is a very powerful attack vector for implementations of symmetric cryptography. Most countermeasures are applied at the implementation level. At ASIACRYPT 2021, Baksi et al. proposed a design strategy that aims to provide inherent cipher level resistance against DFA by using S-boxes with linear structures. They argue that in their instantiation, the block cipher DEFAULT, a DFA adversary can learn at most 64 of the 128 key bits, so the remaining brute-force complexity of 2 64 is impractical. In this paper, we show that a DFA adversary can combine information across rounds to recover the full key, invalidating their security claim. In particular, we observe that such ciphers exhibit large classes of equivalent keys that can be represented efficiently in normalized form using linear equations. We exploit this in combination with the specifics of DEFAULT’s strong key schedule to recover the key using less than 100 faulty computation and negligible time complexity. Moreover, we show that even an idealized version of DEFAULT with independent round keys is vulnerable to our information-combining attacks based on normalized keys.

KW - Differential Fault Attacks (DFA)

KW - Cryptanalysis

KW - Linear structures

KW - DEFAULT

UR - http://www.scopus.com/inward/record.url?scp=85132101529&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-07082-2_7

DO - 10.1007/978-3-031-07082-2_7

M3 - Conference paper

SN - 978-3-031-07081-5

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 168

EP - 191

BT - Advances in Cryptology – EUROCRYPT 2022 - 41st Annual International Conference on the Theory and Applications of Cryptographic Techniques, 2022, Proceedings

A2 - Dunkelman, Orr

A2 - Dziembowski, Stefan

PB - Springer

T2 - 41st Annual International Conference on the Theory and Applications of Cryptographic Techniques

Y2 - 30 May 2022 through 3 June 2022

ER -

Information-Combining Differential Fault Attacks on DEFAULT

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Fields of Expertise

Access to Document

Other files and links

Fingerprint