Differential fault attacks on the lightweight authenticated encryption algorithm CLX-128

  • Regular Paper
  • Journal of Cryptographic Engineering

Abstract

We investigate a technique that applies multiple random faults to the same target location and compares the impact of these faults on the fault-free and faulty outputs to recover a specific secret variable. A mix of random effective and ineffective faults is considered in our analysis. In this paper, we apply these random faults to CLX-128, a first-round candidate in the National Institute of Standards and Technology lightweight cryptography project, to recover the secret key of the cipher. We also investigate bit-flipping fault applications to CLX-128. We show that both of these fault models can be applied to CLX-128 to recover its internal state. The application of the random fault model to CLX-128 requires 134 faulty queries to recover certain state bits, whereas the bit-flipping fault model requires 54 faulty queries to recover certain state bits. The remaining state bits are recovered by solving a system of linear equations. The complexity of the attacks is \(2^{36}\). In our applications, the random fault model requires a comparatively large number of faults, but its underlying assumptions are less strict and hence more practical, as the adversary does not need prior knowledge of the impact of the fault.

Data availability

Data sharing not applicable to this article as no datasets were generated or analysed during the current study.

Acknowledgements

This work is supported by the Ministry of Higher Education Malaysia (MOHE) through the Fundamental Research Grant Scheme (FRGS), Project No. FRGS/1/2021/ICT07/XMU/02/1, as well as the Xiamen University Malaysia Research Fund under Grants XMUMRF/2019-C3/IECE/0005, XMUMRF/2019-C4/IECE/0011, and XMUMRF/2022-C9/IECE/0032. Josef Pieprzyk has been supported by the Australian Research Council Grant DP180102199 and the Polish National Science Center (NCN) Grant 2018/31/B/ST6/03003.

Author information

Corresponding author

Correspondence to Wei-Chuen Yau.

Ethics declarations

Conflict of interest

The authors declare that they have no conflict of interest.

Appendices

Appendix A Additional low degree equations

Additional low-degree equations are obtained by injecting faults at \(s_{127}\) to \(s_{138}\) and \(s_{147}\) to \(s_{159}\). The equations are then simplified by substituting the known register values. Here \(\varDelta _{1, i}^{1, j}\) represents the XOR differential of the \(i{\text {th}}\) keystream bit when a fault is injected at \(s_{j}\); \(7 \le i \le 31\) and \(j = 127, \ldots , 138, 147, \ldots , 159\). The variable \(c_{i}^{j}\) refers to a constant value corresponding to \(\varDelta _{1, i}^{1, j}\).

$$\begin{aligned}&\varDelta _{1, 20}^{1, 127} = s_{13} + s_{48} + c_{20}^{127} + 1\end{aligned}$$
(44)
$$\begin{aligned}&\varDelta _{1, 21}^{1, 128} = s_{14} + s_{49} + c_{21}^{128} + 1\end{aligned}$$
(45)
$$\begin{aligned}&\varDelta _{1, 22}^{1, 129} = s_{15} + s_{50} + c_{22}^{129} + 1\end{aligned}$$
(46)
$$\begin{aligned}&\varDelta _{1, 23}^{1, 130} = s_{16} + s_{51} + c_{23}^{130} + 1\end{aligned}$$
(47)
$$\begin{aligned}&\varDelta _{1, 24}^{1, 131} = s_{17} + s_{52} + c_{24}^{131} + 1\end{aligned}$$
(48)
$$\begin{aligned}&\varDelta _{1, 25}^{1, 132} = s_{18} + s_{53} + c_{25}^{132} + 1\end{aligned}$$
(49)
$$\begin{aligned}&\varDelta _{1, 26}^{1, 133} = s_{19} + s_{54} + c_{26}^{133} + 1\end{aligned}$$
(50)
$$\begin{aligned}&\varDelta _{1, 27}^{1, 134} = s_{20} + s_{55} + c_{27}^{134} + 1\end{aligned}$$
(51)
$$\begin{aligned}&\varDelta _{1, 28}^{1, 135} = s_{21} + s_{56} + c_{28}^{135} +1\end{aligned}$$
(52)
$$\begin{aligned}&\varDelta _{1, 29}^{1, 136} = s_{22} + s_{57} + c_{29}^{136} +1\end{aligned}$$
(53)
$$\begin{aligned}&\varDelta _{1, 30}^{1, 137} = s_{23} + s_{58} + c_{30}^{137} +1\end{aligned}$$
(54)
$$\begin{aligned}&\varDelta _{1, 31}^{1, 138} = s_{24} + s_{59} + c_{31}^{138} + 1\end{aligned}$$
(55)
$$\begin{aligned}&\varDelta _{1, 7}^{1, 147} = s_{0} + s_{35} + c_{7}^{147} +1\end{aligned}$$
(56)
$$\begin{aligned}&\varDelta _{1, 8}^{1, 148} = s_{1} + s_{36} + c_{8}^{148} +1\end{aligned}$$
(57)
$$\begin{aligned}&\varDelta _{1, 9}^{1, 149} = s_{2} + s_{37} + c_{9}^{149} +1\end{aligned}$$
(58)
$$\begin{aligned}&\varDelta _{1, 10}^{1, 150} = s_{3} + s_{38} + c_{10}^{150} +1\end{aligned}$$
(59)
$$\begin{aligned}&\varDelta _{1, 11}^{1, 151} = s_{4} + s_{39} + c_{11}^{151} +1\end{aligned}$$
(60)
$$\begin{aligned}&\varDelta _{1, 12}^{1, 152} = s_{5} + s_{40} + c_{12}^{152} +1\end{aligned}$$
(61)
$$\begin{aligned}&\varDelta _{1, 13}^{1, 153} = s_{6} + s_{41} + c_{13}^{153} +1\end{aligned}$$
(62)
$$\begin{aligned}&\varDelta _{1, 14}^{1, 154} = s_{7} + s_{42} + c_{14}^{154} +1\end{aligned}$$
(63)
$$\begin{aligned}&\varDelta _{1, 15}^{1, 155} = s_{8} + s_{43} + c_{15}^{155} +1\end{aligned}$$
(64)
$$\begin{aligned}&\varDelta _{1, 16}^{1, 156} = s_{9} + s_{44} + c_{16}^{156} +1\end{aligned}$$
(65)
$$\begin{aligned}&\varDelta _{1, 17}^{1, 157} = s_{10} + s_{45} + c_{17}^{157} +1\end{aligned}$$
(66)
$$\begin{aligned}&\varDelta _{1, 18}^{1, 158} = s_{11} + s_{46} + c_{18}^{158} +1\end{aligned}$$
(67)
$$\begin{aligned}&\varDelta _{1, 19}^{1, 159} = s_{12} + s_{47} + c_{19}^{159} +1 \end{aligned}$$
(68)

Appendix B Simplified linear equations

These equations are obtained by substituting the known register bits and equations obtained through fault injections in Eqs. (10) to (41). The variable \(c_{i}\) refers to a constant obtained by substituting known values in the \(i{\text {th}}\) keystream equation; \(0 \le i \le 31\).

$$\begin{aligned}&z_{1, 0} = s_{47} + s_{82} + c_{0}\end{aligned}$$
(69)
$$\begin{aligned}&z_{1, 1} = s_{48} + s_{83} + c_{1}\end{aligned}$$
(70)
$$\begin{aligned}&z_{1, 2} = s_{49} + s_{84} + c_{2}\end{aligned}$$
(71)
$$\begin{aligned}&z_{1, 3} = s_{50} + s_{85} + c_{3}\end{aligned}$$
(72)
$$\begin{aligned}&z_{1, 4} = s_{51} + s_{86} + c_{4}\end{aligned}$$
(73)
$$\begin{aligned}&z_{1, 5} = s_{52} + s_{87} + c_{5}\end{aligned}$$
(74)
$$\begin{aligned}&z_{1, 6} = s_{53} + s_{88} + c_{6}\end{aligned}$$
(75)
$$\begin{aligned}&z_{1, 7} = s_{54} + s_{89} + c_{7}\end{aligned}$$
(76)
$$\begin{aligned}&z_{1, 8} = s_{55} + s_{90} + c_{8}\end{aligned}$$
(77)
$$\begin{aligned}&z_{1, 9} = s_{56} + s_{91} + c_{9}\end{aligned}$$
(78)
$$\begin{aligned}&z_{1, 10} = s_{57} + s_{92} + c_{10}\end{aligned}$$
(79)
$$\begin{aligned}&z_{1, 11} = s_{25} + s_{58} + s_{60} + c_{11}\end{aligned}$$
(80)
$$\begin{aligned}&z_{1, 12} = s_{26} + s_{59} + s_{61} + c_{12}\end{aligned}$$
(81)
$$\begin{aligned}&z_{1, 13} = s_{27} + s_{60} + s_{62} + c_{13}\end{aligned}$$
(82)
$$\begin{aligned}&z_{1, 14} = s_{28} + s_{61} + s_{63} + c_{14}\end{aligned}$$
(83)
$$\begin{aligned}&z_{1, 15} = s_{29} + s_{62} + s_{64} + c_{15}\end{aligned}$$
(84)
$$\begin{aligned}&z_{1, 16} = s_{30} + s_{63} + s_{65} + c_{16}\end{aligned}$$
(85)
$$\begin{aligned}&z_{1, 17} = s_{31} + s_{64} + s_{66} + c_{17}\end{aligned}$$
(86)
$$\begin{aligned}&z_{1, 18} = s_{32} + s_{65} + s_{67} + c_{18}\end{aligned}$$
(87)
$$\begin{aligned}&z_{1, 19} = s_{33} + s_{66} + s_{68} + c_{19}\end{aligned}$$
(88)
$$\begin{aligned}&z_{1, 20} = s_{34} + s_{67} + s_{69} + c_{20}\end{aligned}$$
(89)
$$\begin{aligned}&z_{1, 21} = s_{35} + s_{68} + s_{70} + c_{21}\end{aligned}$$
(90)
$$\begin{aligned}&z_{1, 22} = s_{36} + s_{69} + s_{71} + c_{22}\end{aligned}$$
(91)
$$\begin{aligned}&z_{1, 23} = s_{37} + s_{70} + s_{72} + c_{23}\end{aligned}$$
(92)
$$\begin{aligned}&z_{1, 24} = s_{38} + s_{71} + s_{73} + c_{24}\end{aligned}$$
(93)
$$\begin{aligned}&z_{1, 25} = s_{39} + s_{72} + s_{74} + c_{25}\end{aligned}$$
(94)
$$\begin{aligned}&z_{1, 26} = s_{40} + s_{73} + s_{75} + c_{26}\end{aligned}$$
(95)
$$\begin{aligned}&z_{1, 27} = s_{41} + s_{74} + s_{76} + c_{27}\end{aligned}$$
(96)
$$\begin{aligned}&z_{1, 28} = s_{42} + s_{75} + s_{77} + c_{28}\end{aligned}$$
(97)
$$\begin{aligned}&z_{1, 29} = s_{43} + s_{76} + s_{78} + c_{29}\end{aligned}$$
(98)
$$\begin{aligned}&z_{1, 30} = s_{44} + s_{77} + s_{79} + c_{30}\end{aligned}$$
(99)
$$\begin{aligned}&z_{1, 31} = s_{45} + s_{78} + s_{80} + c_{31} \end{aligned}$$
(100)
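
The equations in Appendices A and B follow regular index patterns, so the system can be assembled and its rank over GF(2) checked mechanically. The following is an added example, not code from the paper: the helper names are hypothetical, the right-hand sides come from a constructed random state with the constants \(c\) folded in, and the counts cover only the equations listed in these two appendices, not the rest of the analysis.

```python
import random

def appendix_a_rows():
    # Eqs. (44)-(68): Delta_{1,i}^{1,j} = s_{i-7} + s_{i+28} + c + 1, 7 <= i <= 31
    return [(i - 7, i + 28) for i in range(7, 32)]

def appendix_b_rows():
    # Eqs. (69)-(79):  z_{1,i} = s_{47+i} + s_{82+i} + c_i,           0 <= i <= 10
    # Eqs. (80)-(100): z_{1,i} = s_{14+i} + s_{47+i} + s_{49+i} + c_i, 11 <= i <= 31
    rows = [(47 + i, 82 + i) for i in range(11)]
    rows += [(14 + i, 47 + i, 49 + i) for i in range(11, 32)]
    return rows

def to_mask(indices):
    # Bit k of the mask is set when s_k appears in the equation.
    mask = 0
    for k in indices:
        mask |= 1 << k
    return mask

def gf2_basis(equations):
    # Gaussian elimination over GF(2) on (mask, rhs) pairs, keyed by leading bit.
    basis = {}
    for mask, rhs in equations:
        while mask:
            lead = mask.bit_length() - 1
            if lead not in basis:
                basis[lead] = (mask, rhs)
                break
            b_mask, b_rhs = basis[lead]
            mask ^= b_mask
            rhs ^= b_rhs
        else:
            # Left-hand side reduced to zero: rhs must be zero as well.
            if rhs:
                raise ValueError("inconsistent system")
    return basis

def analyse(seed=1):
    # Constructed sample state s_0..s_92 (an assumption, not data from the paper).
    rng = random.Random(seed)
    state = [rng.randrange(2) for _ in range(93)]
    equations = []
    for idx in appendix_a_rows() + appendix_b_rows():
        rhs = 0
        for k in idx:
            rhs ^= state[k]  # constants folded into the right-hand side
        equations.append((to_mask(idx), rhs))
    basis = gf2_basis(equations)
    used = 0
    for mask, _ in equations:
        used |= mask
    n_vars = bin(used).count("1")
    # (number of equations, distinct state bits involved, rank, unconstrained dimensions)
    return len(equations), n_vars, len(basis), n_vars - len(basis)

if __name__ == "__main__":
    print(analyse())
```

Every listed equation contains a state bit that no other listed equation can cancel, which is why the rank equals the number of equations.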

Appendix C Signatures for fault targets

We list the signatures for identifying the fault location under the moderate precision model (see Tables 7, 8, 10, 11, 12, 13). Note that there are other fault targets that may be identified through this method; however, here we only list the targets that are required for our attack.

Table 7 Signature for \(s_{byte_{5}}\)
Table 8 Signature for \(s_{byte_{11}}\)
Table 9 Signature for \(s_{byte_{12}}\)
Table 10 Signature for \(s_{byte_{13}}\)
Table 11 Signature for \(s_{byte_{16}}\)
Table 12 Signature for \(s_{byte_{17}}\)
Table 13 Signature for \(s_{byte_{18}}\)

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

About this article

Cite this article

Salam, I., Yau, WC., Phan, R.CW. et al. Differential fault attacks on the lightweight authenticated encryption algorithm CLX-128. J Cryptogr Eng 13, 265–281 (2023). https://doi.org/10.1007/s13389-023-00326-0

  • DOI: https://doi.org/10.1007/s13389-023-00326-0
