2009 Workshop on Fault Diagnosis and Tolerance in Cryptography
Differential Fault Analysis on SHACAL-1
Ruilin Li∗, Chao Li∗† and Chunye Gong‡
∗ Department of Mathematics and System Science, Science College, National University of Defense Technology, Changsha, 410073, China. Email: [email protected]
† State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing, 100190, China. Email: lichao [email protected]
‡ School of Computer, National University of Defense Technology, Changsha, 410073, China. Email: [email protected]
Abstract—SHACAL-1, known as one of the finalists of the NESSIE project, originates from the compression function of the widely used hash function SHA-1. Its confusion and diffusion requirements are implemented through mixing operations and rotations rather than substitution and permutation, so there is little literature on its immunity against fault attacks. In this paper, we apply differential fault analysis to SHACAL-1 in a synthetic approach. We introduce the random word fault model, present some theoretical arguments, and give an efficient fault attack based on the characteristics of the cipher. Both theoretical predictions and experimental results demonstrate that 72 random faults are needed to obtain the 512-bit key with success probability above 60%, while 120 random faults are enough to obtain the 512-bit key with success probability above 99%.
Keywords-Block Cipher; SHACAL-1; Differential Fault Analysis
978-0-7695-3824-2/09 $25.00 © 2009 IEEE DOI 10.1109/FDTC.2009.41

I. INTRODUCTION

A. Backgrounds

SHACAL-1, derived from the compression function of the widely used hash function SHA-1 [1], is one of the candidate block ciphers submitted to the NESSIE project by Helena Handschuh and David Naccache [2]. Although accepted as a finalist for the second phase of evaluation, it was not selected for the NESSIE portfolio because of its weak key schedule. Like most other block ciphers, SHACAL-1 iterates a key-parameterized weak round function many times in order to obtain a strong one. It adopts a generalized unbalanced Feistel network [3], and the requirements of confusion and diffusion in the round function are implemented simply through mixing operations and rotations rather than substitution and permutation. Its security against traditional differential and linear cryptanalysis is shown in [4]. The best known attacks at this time are the related-key rectangle attacks [5], [6] presented at SAC 2006 and SAC 2007, and the related-key attack [7] presented at CT-RSA 2007. Both can break the full-round cipher but require a related-key scenario.

Fault attacks were introduced by Boneh, DeMillo, and Lipton of Bellcore in 1996. They proved that in RSA-CRT any single computational error can completely break the scheme by factoring the public modulus, which shows the remarkable fragility of cryptosystems under faults. In the same year, Biham and Shamir extended this attack to DES-like secret-key cryptosystems and called it differential fault analysis (DFA) [9], since the basic idea behind the attack is differential cryptanalysis [10]. Unlike most classic statistical cryptanalysis of iterated block ciphers, whose cost depends on the number of rounds, fault-based attacks are a kind of cryptanalysis against the implementation of the algorithm, and usually they do not depend on the number of rounds.

B. Related Works

Biham and Shamir first introduced the idea of DFA for DES-like block ciphers, i.e. ciphers whose inner structure is a Feistel network and whose round function contains S-boxes. Note that in attacking DES they adopted the random bit fault model. Once a faulty ciphertext was obtained and combined with the correct ciphertext, the nature of the Feistel network revealed both inputs and the output difference of the S-box layer. Using the differential distribution tables of the eight S-boxes, candidates for the key bits entering the active S-boxes can be deduced. After injecting an appropriate number of faults, the secret key can be distinguished from the other candidates. This successful attack shows that DES-like cryptosystems are not immune to DFA. Besides the Feistel network, much research has focused on applying DFA to SPN block ciphers, especially AES [11]–[18]. DFA against Lai-Massey schemes such as FOX and IDEA was studied in [19], [20]. Earlier DFA techniques against iterated block ciphers mostly exploit computational errors in the last few rounds of the cipher to extract the secret key. At CHES 2004, Hemme introduced a new DFA [21] on the early rounds of a Feistel cipher, inducing faults to force a collision with the encryption of another plaintext. The interesting consequence is that it is not sufficient to protect only the last few rounds of a cipher against DFA. Moreover, Hoch and Shamir applied the DFA mechanism to stream ciphers [22] in 2004. Later, in 2005, Biham et al. investigated impossible fault analysis and differential fault analysis of RC4 [23]. Recently the prominent stream cipher Trivium, one of the winners of the eSTREAM project, was also shown to be vulnerable to DFA [24]. Other important issues in DFA include fault models [25], [26] and countermeasures [29], [30].

To mount a fault attack, one must take into account many ingredients, such as the location and timing of the fault injection and the values of the faults. It is well known that fault models always depend on the inner structure, the data registers, the implementation of the target cipher, and even the equipment available to the adversary. The first model was the random bit fault model of [9], but many DFAs now adopt the random byte fault model, since the target ciphers are byte-oriented and it is easy to inject random byte faults into them. DFA against the new block cipher CLEFIA [27], [28] is one such example. Meanwhile, by exposing a chip to a laser beam or to the focused light from a flash lamp, Anderson and Skorobogatov [26] demonstrated an "easy implementation" of fault injection on tamper-resistant devices, which may help an adversary inject faults efficiently during the encryption (decryption) process.
[Figure: one round of SHACAL-1, with registers A_i, B_i, C_i, D_i, E_i, round constant K_i and Boolean function f_i]
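As an added illustration (not code from the paper), the following Python model implements the SHACAL-1 key schedule and the round function of the figure, plus a helper that applies the random word fault model named in the abstract: one 32-bit difference XORed into one register just before a chosen round. Comparing faulty and correct ciphertexts shows that a last-round fault disturbs only one or two output words, whereas a first-round fault diffuses into all five, which is the observation behind the remark above that protecting only the last few rounds is insufficient. The register order (A, B, C, D, E), the function names and the sample key and plaintext are assumptions of this example; the cipher itself follows the SHACAL-1 specification (the SHA-1 compression function without the final feed-forward).

```python
MASK = 0xFFFFFFFF
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)  # round constants K_i, one per 20 rounds

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def f(i, b, c, d):
    # Boolean function f_i of round i: Ch (0-19), Parity (20-39), Maj (40-59), Parity (60-79)
    if i < 20:
        return (b & c) | (~b & d & MASK)
    if i < 40 or i >= 60:
        return b ^ c ^ d
    return (b & c) | (b & d) | (c & d)

def key_schedule(key):
    # 128..512-bit key, zero-padded to 512 bits -> 16 big-endian words W_0..W_15,
    # expanded to 80 round words W_i exactly like the SHA-1 message schedule.
    w = [int.from_bytes(key.ljust(64, b"\x00")[4 * i:4 * i + 4], "big") for i in range(16)]
    for i in range(16, 80):
        w.append(rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    return w

def round_fn(i, state, w_i):
    a, b, c, d, e = state
    t = (rotl(a, 5) + f(i, b, c, d) + e + K[i // 20] + w_i) & MASK
    return (t, a, rotl(b, 30), c, d)

def encrypt(state, w, fault=None):
    # state = (A_0, ..., E_0); fault = (round, register, delta) XORs the 32-bit delta
    # into one register just before that round, i.e. the random word fault model (assumed API).
    for i in range(80):
        if fault is not None and fault[0] == i:
            state = tuple(v ^ (fault[2] if k == fault[1] else 0) for k, v in enumerate(state))
        state = round_fn(i, state, w[i])
    return state

def decrypt(ct, w):
    a, b, c, d, e = ct
    for i in reversed(range(80)):
        # undo one round: A_i = B_{i+1}, B_i = ROTL2(C_{i+1}), C_i = D_{i+1}, D_i = E_{i+1}
        a_p, b_p, c_p, d_p = b, rotl(c, 2), d, e
        e_p = (a - rotl(a_p, 5) - f(i, b_p, c_p, d_p) - K[i // 20] - w[i]) & MASK
        a, b, c, d, e = a_p, b_p, c_p, d_p, e_p
    return (a, b, c, d, e)

def changed_words(key, pt, rnd, reg, delta):
    # indices (0=A .. 4=E) of ciphertext words altered by a word fault before round rnd
    w = key_schedule(key)
    good, bad = encrypt(pt, w), encrypt(pt, w, (rnd, reg, delta))
    return {k for k in range(5) if good[k] != bad[k]}
```

A redundancy countermeasure can be modelled with the same functions: encrypt twice (or encrypt then decrypt) and compare, which detects every fault that changed_words reports.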