Tiaoxin and AEGIS are two second round candidates of the ongoing CAESAR competition for authenticated encryption. In 2014, Brice Minaud proposed a distinguisher for AEGIS-256 that can be used to recover bits of a partially known message, encrypted 2188 times, regardless of the keys used. Also he reported a correlation between AEGIS-128 ciphertexts at rounds i and i + 2, although the biases would require 2140 data to be detected. Apart from that, to the best of our knowledge, there is no known cryptanalysis of AEGIS or Tiaoxin. In this paper we propose differential fault analyses of Tiaoxin and AEGIS family of ciphers in a nonce reuse setting. Analysis shows that the secret key of Tiaoxin can be recovered with 384 single bit faults and the states of AEGIS-128, AEGIS-256 and AEGIS-128L can be recovered respectively with 384, 512 and 512 single bit faults. Considering multi byte fault, the number of required faults and re-keying reduces 128 times. © Springer Nature Singapore Pte Ltd. 2016.

Santanu Sarkar

Department of Mathematics

Authentication

Cryptography

Recovery

AEAD

AUTHENTICATED ENCRYPTION

CIPHERTEXTS

DISTINGUISHERS

RECOVER BITS

Secret key

Single-bit

Stream ciphers

Side channel attack

IIT Madras is a public technical and research university located in Chennai, Tamil Nadu. Founded in 1959, it is recognised as an Institute of National Importance.

IIT Madras has been ranked as the top engineering institute in India for four years in a row by the National Institutional Ranking Framework of the MHRD

It currently offers undergraduate, postgraduate and research degrees across 16 disciplines in Engineering, Sciences, Humanities and Management. About 596 faculty belonging to science and engineering departments and centres of the Institute are engaged in teaching, research and industrial consultancy.

IIT Madras

Differential Fault Analysis on Tiaoxin and AEGIS Family of Ciphers

Communications in Computer and Information Science

Differential Fault Attack (DFA) considers injection of faults and the most general set-up should take care of faults at random location and random time. Then one should be able to identify the exact location as well as the exact timing of the fault (including the multi bit ones) with the help of fault signatures. In this paper we solve the problem of DFA under a general frame-work, introducing the idea of probabilistic signatures. The method considers the Maximum Likelihood approach related to probability distributions. Our techniques subsume all the existing DFAs against the Grain family, MICKEY 2.0 and Trivium. In the process we provide improved fault attacks for all the versions of Grain family and also for MICKEY 2.0. Our generalized method successfully takes care of the cases where certain parts of the keystream bits are missing (this situation may arise for authentication purpose). In particular, we show that the unsolved problem of identifying the faults in random time for Grain 128a can be solved in this manner. Moreover, for MICKEY 2.0, our method not only provides improvement in fault identification probability but also reduces the required faults by 60 %, compared to the best known result. © 2016, Springer Science+Business Media New York.

Cryptography and Communications

Probabilistic signature based generalized framework for differential fault analysis of stream ciphers

The ongoing CAESAR competition launched in 2013, aimed to design authenticated encryption schemes for different applications and environments, attracted 57 submissions as candidates. Out of the 57 round 1 submissions, only 29 candidates were selected for round 2. Each of these candidates is to be analyzed carefully. Among these 29 candidates, ACORN is a family of Lightweight Authenticated Ciphers with Associated Data (AEAD). In this paper we propose a hard fault attack on both the versions of ACORN in a nonce-respecting scenario whereby a random bit of the fifth LFSR is permanently stuck at the value '1' before the driving procedure of the encryption device. Without the repetition of the same key-IV pair, this is the first work that we are aware of, where the secret key can be recovered fully with a computational complexity well below the limit of brute force search. With hard fault at a certain position the attack complexity reduces to 255.85. © 2016 Elsevier Ltd. All rights reserved.

Journal of Information Security and Applications

Full key recovery of ACORN with a single fault

IEEE Transactions on Computers

Differential Fault Attack against Grain Family with Very Few Faults and Minimal Assumptions

Design, Automation & Test in Europe Conference & Exhibition (DATE), 2015

Improved Practical Differential Fault Analysis of Grain-128

Very few differential fault attacks (DFA) were reported on Trivium so far. In 2012, Yupu Hu et al. [4] relaxed adversarial power and allowed faults in random area within eight neighbouring bits at random time but with the major limitation that after each fault injection, the fault positions must not be from different registers. In this paper we present a generic attack strategy that allows the adversary to challenge the cipher under different multi-bit fault models with faults at any unknown random keystream generation round even if bit arrangement of the actual cipher device is unknown and thereby removing the limitation of Yupu Hu et al. To the best of our knowledge, this paper assumes the weakest adversarial power ever considered in the open literature for DFA on Trivium. In particular, if faults are allowed in random area within nine neighbouring bits at random time anywhere in the three registers and the fault injection (at keystream generation) rounds are uniformly distributed over {t,..., t+49}, for any unknown t ≥ 1, then 4 faults always break the cipher, which is a significant improvement over Yupu Hu et al. © Springer International Publishing Switzerland 2014.

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Improved multi-bit differential fault analysis of trivium

Differential fault analysis on Tiaoxin and AEGIS family of ciphers

Journal	Data powered by TypesetCommunications in Computer and Information Science
Publisher	Data powered by TypesetSpringer Verlag
ISSN	18650929
Open Access	No