Cryptology ePrint Archive: Report 2014/654

Multi-Bit Differential Fault Analysis of Grain-128 with Very Weak Assumptions

Prakash Dey and Abhishek Chakraborty and Avishek Adhikari and Debdeep Mukhopadhyay

Abstract: Very few differential fault attacks (DFA) were reported on {\em Grain-128} so far. In this paper we present a generic attack strategy that allows the adversary to challenge the cipher under different multi-bit fault models with faults at a targeted keystream generation round even if bit arrangement of the actual cipher device is unknown. Also unique identification of fault locations is not necessary. To the best of our knowledge, this paper assumes the weakest adversarial power ever considered in the open literature for DFA on {\em Grain-128} and develops the most realistic attack strategy so far on {\em Grain-128}. In particular, when a random area within $k \in \{1,2,3,4,5\}$ neighbourhood bits can only be disturbed by a single fault injection at the first keystream generation round ($k$-neighbourhood bit fault), without knowing the locations or the exact number of bits the injected fault has altered, our attack strategy always breaks the cipher with $5$ faults. In a weaker setup even if bit arrangement of the cipher device is unknown, bad-faults (at the first keystream generation round) are rejected with probabilities $0.999993$, $0.999979$, $0.999963$, $0.999946$ and $0.999921$ assuming that the adversary will use only 1, 2, 3, 4 and 5 neighbourhood bit faults respectively for {\em key-IV} recovery.

Category / Keywords: secret-key cryptography / Stream Cipher, Differential Fault Attack, Multi-Bit Fault, SAT Solver

Date: received 22 Aug 2014, last revised 25 Aug 2014

Contact author: pdprakashdey at gmail com; avishek adh@gmail com

Available format(s): PDF | BibTeX Citation

Version: 20140827:074110 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]