Cryptology ePrint Archive: Report 2013/494

Differential Fault Attack against Grain family with very few faults and minimal assumptions

Santanu Sarkar and Subhadeep Banik and Subhamoy Maitra

Abstract: The series of published works, related to Differential Fault Attack (DFA) against the Grain family, require (i) quite a large number (hundreds) of faults (around $n \ln n$, where $n = 80$ for Grain v1 and $n = 128$ for Grain-128, Grain-128a) and also (ii) several assumptions on location and timing of the fault injected. In this paper we present a significantly improved scenario from the adversarial point of view for DFA against the Grain family of stream ciphers. Our model is the most realistic one so far as it considers that the cipher to be re-keyed a very few times and fault can be injected at any random location and at any random point of time, i.e., no precise control is needed over the location and timing of fault injections. We construct equations based on the algebraic description of the cipher by introducing new variables so that the degrees of the equations do not increase. In line of algebraic cryptanalysis, we accumulate such equations based on the fault-free and faulty key-stream bits and solve them using the SAT Solver Cryptominisat-2.9.5 installed with SAGE 5.7. In a few minutes we can recover the state of Grain v1, Grain-128 and Grain-128a with as little as 10, 4 and 10 faults respectively (and may be improved further with more computational efforts).

Category / Keywords: secret-key cryptography / Differential Fault Attack, Grain v1, Grain-128, Grain-128a, LFSR, NFSR, SAT Solver, Stream Cipher.

Date: received 13 Aug 2013

Contact author: subho at isical ac in

Available format(s): PDF | BibTeX Citation

Version: 20130815:072414 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]