A Differential Fault Attack on the Grain Family of Stream Ciphers - PowerPoint PPT Presentation

A Differential Fault Attack on the Grain Family of Stream Ciphers Subhadeep Banik , Subhamoy Maitra, Santanu Sarkar Indian Statistical Institute Kolkata September 10, 2012 CHES 2012, Leuven Belgium

GRAIN family of Stream Ciphers 2 of 32

Grain Family • Proposed by Hell et al in 2005 • Part of E-stream’s hardware portfolio • Bit-oriented, Synchronous stream cipher • The first version (v0) of the cipher was cryptanalyzed 1. A Distinguishing attack by Kiaei et. al (Ecrypt : 071). 2. A State Recovery attack by Berbain et.al (FSE 2006). • After this, the versions Grain v1, Grain 128, Grain 128a were proposed. 3 of 32

Motivation • No fault analysis of Grain v1 has been reported. • Existing works (Berzati et. al. HOST 09 , Karmakar et. al. Africacypt 11 ) are on Grain-128. • Grain-128 has a relatively uncomplicated output function h ( s 0 , s 1 , . . . , s 8 ) = s 0 s 1 + s 2 s 3 + s 4 s 5 + s 6 s 7 + s 0 s 4 s 8 • Hence, fault analysis is relatively simpler. 4 of 32

General Structure of the Grain Family g ( X t ) f ( Y t ) � NFSR LFSR / / h ( X t , Y t ) � z t Figure: Structure of Grain v1 5 of 32

Grain v1 In Grain v1 the size of Key n = 80 bits and the IV is of size m = 64 bits. The value of pad used in the KLA is P = 0 xFFFF . The LFSR update rule is given by ∆ y t +80 = f ( Y t ) = y t +62 + y t +51 + y t +38 + y t +23 + y t +13 + y t The NFSR state is updated as follows x t +80 = y t + g ( X t ) where g ( X t ) = x t +62 + x t +60 + x t +52 + x t +45 + x t +37 + x t +33 + x t +28 + x t +21 + x t +14 + x t +9 + x t + x t +63 x t +60 + x t +37 x t +33 + x t +15 x t +9 + x t +60 x t +52 x t +45 + x t +33 x t +28 x t +21 + x t +63 x t +45 x t +28 x t +9 + x t +60 x t +52 x t +37 x t +33 + x t +63 x t +60 x t +21 x t +15 + x t +63 x t +60 x t +52 x t +45 x t +37 + x t +33 x t +28 x t +21 x t +15 x t +9 + x t +52 x t +45 x t +37 x t +33 x t +28 x t +21 6 of 32

Grain v1 The output keystream is produced by combining the LFSR and NFSR bits as follows x t + a + h ( y t +3 , y t +25 , y t +46 , y t +64 , x t +63 ) ∆ � � z t = = x t + a + h ( X t , Y t ) a ∈ A a ∈ A where A = { 1 , 2 , 4 , 10 , 31 , 43 , 56 } and h ( s 0 , s 1 , s 2 , s 3 , s 4 ) = s 1 + s 4 + s 0 s 3 + s 2 s 3 + s 3 s 4 + s 0 s 1 s 2 + s 0 s 2 s 3 + s 0 s 2 s 4 + s 1 s 2 s 4 + s 2 s 3 s 4 . 7 of 32

Keystream generating routines • Key Loading Algorithm (KLA) ◦ n -bit key K → NFSR ◦ m -bit ( m < n ) IV → LFSR[0] . . . LFSR[m-1] ◦ p = n − m bit pad P → LFSR[m] . . . LFSR[n-1] • Key Schedule Algorithm (KSA) ◦ For 2 n clocks, output of h ′ is XOR-ed to the LFSR and NFSR update functions ◦ y t + n = f ( Y t ) + z t and x t + n = y t + z t + g ( X t ) • Pseudo Random bitstream Generation Algorithm (PRGA) ◦ The feedback is discontinued ◦ y t + n = f ( Y t ) and x t + n = y t + g ( X t ) ◦ z t = h ′ ( X t , Y t ) 8 of 32

Differential Fault Attack 9 of 32

Fault Model • The attacker is able to reset the system with the original Key-IV and start the cipher operations again. • The attacker can inject a fault at any one random bit location of the LFSR or NFSR. • The fault in any bit may be reproduced at any later stage of operation, once injected.(Berzati et. al. HOST 09 ) • The attacker has full control over the timing of fault injection, i.e., it is possible to inject the fault precisely at any stage of the cipher operation. 10 of 32

Identifying Fault Location 11 of 32

Location Identification • Apply a fault at a random LFSR location: imperative to determine fault location before proceeding. • This is done by comparing the fault-free and faulty Key-streams. • More than one fault at same location may be required to conclusively identify the location. 12 of 32

The Idea • Consider 2 initial states S 0 , S 0 , ∆ 79 such that S 0 ⊕ S 0 , ∆ 79 = s 79 In all rounds k ∈ [0 , 79] \ { 15 , 33 , 44 , 51 , 54 , 57 , 62 , 69 , 72 , 73 , 75 , 76 } , the difference does not affect output keystream bit. At all these rounds output of S 0 , S 0 , ∆ 79 guaranteed to be equal. Hence formulate signature vector Sgn 79 = FFFE FFFF BFF7 EDBD FB27 . • Idea is to match the sum of faultless and faulty keystream bits with all Sgn φ for φ ∈ [0 , 79] 13 of 32

Notations • S 0 is the initial state of the Grain v1 PRGA. • S 0 , ∆ φ is the initial state after faulting LFSR location φ ∈ [0 , 79] • Z = [ z 0 , z 1 , . . . , z l ] ⇒ first l fault-less keystream bits. • Z φ = [ z φ 0 , z φ 1 , . . . , z φ l ] ⇒ first l faulty keystream bits. Define l bit vectors E φ , Sgn φ ⇒ E φ ( i ) = 1 + z i + z φ i ⇒ Sgn φ ( i ) = � S 0 E φ ( i ) 14 of 32

More Definitions For any element V ∈ { 0 , 1 } l • Define support of V → B V = { i : 0 ≤ i < l , V ( i ) = 1 } • Define a relation � in { 0 , 1 } l s.t. ∀ V 1 , V 2 ∈ { 0 , 1 } l , V 1 � V 2 if B V 1 ⊆ B V 2 1. � is a partial order in { 0 , 1 } l 15 of 32

The Task • Given E φ : Find φ • Elements in B E φ → PRGA rounds i during which z i = z φ i . • For the correct value of φ : B Sgn φ ⊆ B E φ ⇒ Sgn φ � E φ • Strategy : Formulate the candidate set Ψ 0 = { ψ : 0 ≤ ψ ≤ 79 , Sgn ψ � E φ } • If | Ψ 0 | = 1 then the element in Ψ 0 is surely φ . 16 of 32

If | Ψ 0 | � = 1 • Reset the cipher. Go to PRGA round l and fault the same location φ . • Recalculate E φ . Re-employ strategy Ψ 1 = { ψ : ψ ∈ Ψ 0 , Sgn ψ � E φ } • If | Ψ 1 | = 1, then the single element in this set is surely φ . • Else Re-employ previous strategy for PRGA rounds 2 l , 3 l , . . . 17 of 32

Optimizations on l • If l ≤ 44, the scheme trivially fails. ◦ Sgn 40 � Sgn 79 → if φ = 79 conclusive identification impossible. • If l > 44, the scheme works. ◦ Sgn i 1 � Sgn i 2 ∀ i 1 , i 2 ∈ [0 , 79] • Smaller value of l implies more faults for identification. • Computer simulations over 2 20 random Key-IV pairs : l = 80 is optimal. 18 of 32

Average no of faults vs l 1 . 3 Average no. of Faults µ l 1 . 25 1 . 2 1 . 15 1 . 1 50 60 70 80 90 100 Signature length l Figure: Average number of faults vs Length of Signature. 19 of 32

Beginning the Attack 20 of 32

More Notations • S t = [ x t 0 , x t 1 , . . . , x t 79 y t 0 , y t 1 , . . . , y t 79 ] state at round t of the PRGA. i ) → i th NFSR (LFSR) bit at t th round of the PRGA. x t i ( y t • When t = 0, S 0 = [ x 0 , x 1 , . . . , x 79 y 0 , y 1 , . . . , y 79 ] for convenience. • S φ t ( t 1 , t 2 ) state round t of the PRGA, when a fault at LFSR location φ at t = t 1 , t 2 . t ( t 1 , t 2 ) t th faulty keystream bit, when a fault at LFSR location φ • z φ at t = t 1 , t 2 . • z t is the fault-free t th keystream bit. 21 of 32

Affine Differential Resistance Definition Consider a q -variable Boolean function F . A non-zero vector α ∈ { 0 , 1 } q is said to be an affine differential of the function F if F ( x ) + F ( x + α ) is an affine function. A Boolean function is said to be affine differential resistant if it does not have any affine differential. In Grain v1 h ( s 0 , s 1 , s 2 , s 3 , s 4 ) + h (1 + s 0 , 1 + s 1 , s 2 , s 3 , 1 + s 4 ) = s 2 Therefore h is not affine differential resistant. 22 of 32

Fault attack on Grain v1: Getting the LFSR Lemma Fault in LFSR location 38 + r ∀ r ∈ [0 , 41] , at rounds λ and λ + 20 for λ = 0 , 1 , . . . ⇒ In Round t = 55 + λ + r, S 38+ r 55+ λ + r ( λ, λ + 20) ⊕ S 55+ λ + r = [ y 3 , y 25 , x 63 ] 55+ λ + r No difference in other 9 locations that contributes to the output keystream bit. Therefore z t + z φ t ( λ, λ + 20) = y t 46 where t = 55 + λ + r ⇒ y t 46 is a linear function in [ y 0 , y 1 , . . . , y 79 ] i.e. the LFSR bits of S 0 . ⇒ Gives one linear equation in initial LFSR bits. ⇒ Use this to get 80 linearly independent equations and solve to get all LFSR bits of S 0 . 23 of 32

Fault attack on Grain v1: LFSR recovery 24 of 32 Figure: LFSR recovery

Fault attack on Grain v1: Getting the NFSR In Grain v1 we have h = s 4 · u ( s 0 , s 1 , s 2 , s 3 ) + v ( s 0 , s 1 , s 2 , s 3 ) u ( s 0 , s 1 , s 2 , s 3 ) + u ( s 0 , 1 + s 1 , s 2 , 1 + s 3 ) = 1 Lemma Fault in LFSR location φ at 0 , 20 PRGA rounds, then at round t S t + S φ t (0 , 20) = [ y 25 , y 64 ] t (i) φ = 51 + r, t = 91 + r for 0 ≤ r ≤ 28 , (ii) φ = 62 + r, t = 55 + r for 0 ≤ r ≤ 17 , (iii) φ = 62 + r, t = 75 + r for 0 ≤ r ≤ 15 . ⇒ z t + z φ t (0 , 20) = x t 63 + v ([ y 3 , y 25 , y 46 , y 64 ] t ) + v ([ y 3 , 1 + y 25 , y 46 , 1 + y 64 ] t ) 25 of 32

Fault attack on Grain v1: NFSR recovery 26 of 32

Getting the NFSR • Using above technique 63 NFSR bits of S 103 are recovered. • LFSR bits of S 103 already known(during PRGA LFSR evolution is autonomous). • Not recovered ⇒ [ x 0 , x 1 , . . . , x 14 , x 33 , x 34 ] 103 • Solve the following equations to find the remaining bits z 102+ γ = x 103 0+ γ + x 103 1+ γ + x 103 3+ γ + x 103 9+ γ + x 103 30+ γ + x 103 42+ γ + x 103 55+ γ + u 102+ γ x 103 62+ γ + v 102+ γ for γ = 0 , 1 , . . . , 14. Given u i = u ( y i 3 , y i 25 , y i 46 , y i 64 ) and v i = v ( y i 3 , y i 25 , y i 46 , y i 64 ). • KSA and PRGA operations are easily invertible in Grain. PRGA − 1 KSA − 1 → → S 103 103 times S 0 SecretKey 27 of 32