Paper 2013/494

Differential Fault Attack against Grain family with very few faults and minimal assumptions

Santanu Sarkar, Subhadeep Banik, and Subhamoy Maitra

Abstract

The series of published works related to Differential Fault Attack (DFA) against the Grain family require (i) quite a large number (hundreds) of faults (around $n \ln n$, where $n = 80$ for Grain v1 and $n = 128$ for Grain-128 and Grain-128a) and (ii) several assumptions on the location and timing of the injected fault. In this paper we present a significantly improved scenario, from the adversarial point of view, for DFA against the Grain family of stream ciphers. Our model is the most realistic one so far, as it only requires that the cipher be re-keyed a very few times, and a fault can be injected at any random location and at any random point in time, i.e., no precise control is needed over the location or timing of fault injections. We construct equations based on the algebraic description of the cipher, introducing new variables so that the degrees of the equations do not increase. In line with algebraic cryptanalysis, we accumulate such equations from the fault-free and faulty key-stream bits and solve them using the SAT solver Cryptominisat-2.9.5 installed with SAGE 5.7. In a few minutes we can recover the state of Grain v1, Grain-128 and Grain-128a with as few as 10, 4 and 10 faults respectively (and this may be improved further with more computational effort).

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Preprint. MINOR revision.
Keywords
Differential Fault Attack, Grain v1, Grain-128, Grain-128a, LFSR, NFSR, SAT Solver, Stream Cipher
Contact author(s)
subho @ isical ac in
History
2013-08-15: received
Short URL
https://ia.cr/2013/494
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2013/494,
      author = {Santanu Sarkar and Subhadeep Banik and Subhamoy Maitra},
      title = {Differential Fault Attack against Grain family with very few faults and minimal assumptions},
      howpublished = {Cryptology {ePrint} Archive, Paper 2013/494},
      year = {2013},
      url = {https://eprint.iacr.org/2013/494}
}