Paper 2021/1374

Information-Combining Differential Fault Attacks on DEFAULT

Marcel Nageler, Graz University of Technology
Christoph Dobraunig, Lamarr Security Research
Maria Eichlseder, Graz University of Technology
Abstract

Differential fault analysis (DFA) is a very powerful attack vector on implementations of symmetric cryptography. Most countermeasures are applied at the implementation level. At ASIACRYPT 2021, Baksi et al. proposed a design strategy that aims to provide inherent cipher-level resistance against DFA by using S-boxes with linear structures. They argue that in their instantiation, the block cipher DEFAULT, a DFA adversary can learn at most 64 of the 128 key bits, so the remaining brute-force complexity of $2^{64}$ is impractical. In this paper, we show that a DFA adversary can combine information across rounds to recover the full key, invalidating their security claim. In particular, we observe that such ciphers exhibit large classes of equivalent keys that can be represented efficiently in normalized form using linear equations. We exploit this in combination with the specifics of DEFAULT's strong key schedule to recover the key using fewer than 100 faulty computations and negligible time complexity. Moreover, we show that even an idealized version of DEFAULT with independent round keys is vulnerable to our information-combining attacks based on normalized keys.
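The abstract rests on one structural fact: if an S-box has a linear structure, i.e. a nonzero input difference a with S(x ^ a) = S(x) ^ c for every x, then the output differences a DFA adversary observes are identical for S-box inputs y and y ^ a, so the adversary learns y (and the key nibble mixed into it) only up to the coset y ^ A of the space A of linear structures. The script below is an added illustration, not code from the paper and not DEFAULT's S-box: it constructs a toy 4-bit S-box with a 2-dimensional space A of linear structures (assumption: f is picked non-affine so that S is non-affine), tabulates the DFA-observable signature of each input, recovers the equivalence classes and their canonical (normalized) representatives, and shows that in a toy two-layer construction with independent nibble keys the pair (k1 ^ a, k2 ^ c) encrypts exactly like (k1, k2), which is the equivalent-key phenomenon the abstract refers to.

```python
"""Constructed toy example: linear structures, DFA-equivalent inputs and
equivalent round keys.  The S-box is invented for illustration; it is NOT
the DEFAULT S-box and nothing here models DEFAULT's key schedule."""
import math


def build_sbox():
    # Output = f(high 2 bits) ^ (low 2 bits).  Flipping low input bits
    # flips the same low output bits, so a in {1, 2, 3} are linear
    # structures with S(x ^ a) = S(x) ^ a.  f(3) != f(1) ^ f(2) keeps S
    # non-affine (assumed choice; any such f would do).
    f = [0x0, 0x4, 0x8, 0xD]
    return [f[x >> 2] ^ (x & 3) for x in range(16)]


SBOX = build_sbox()


def linear_structures(sbox):
    """All (a, c), a != 0, with sbox[x ^ a] == sbox[x] ^ c for every x."""
    found = {}
    for a in range(1, 16):
        diffs = {sbox[x ^ a] ^ sbox[x] for x in range(16)}
        if len(diffs) == 1:
            found[a] = diffs.pop()
    return found


def fault_signature(sbox, y):
    """Everything faults reveal about S-box input y: for each injected
    input difference d, the output difference S(y ^ d) ^ S(y).  Any key
    added after the S-box cancels in this difference."""
    return tuple(sbox[y ^ d] ^ sbox[y] for d in range(1, 16))


def equivalence_class(sbox, y):
    """S-box inputs a DFA adversary cannot tell apart from y."""
    sig = fault_signature(sbox, y)
    return frozenset(z for z in range(16) if fault_signature(sbox, z) == sig)


def normalize(sbox, y):
    """Canonical representative of y's class.  The class is the coset
    y ^ A of the linear-structure space A, so the minimum is canonical."""
    return min(equivalence_class(sbox, y))


def bits_recoverable(sbox):
    """Bits of a 4-bit input (hence key nibble) that DFA can recover."""
    return 4 - int(math.log2(len(equivalence_class(sbox, 0))))


def two_layer(sbox, k1, k2, x):
    """Toy construction with independent nibble keys: S(S(x ^ k1) ^ k2)."""
    return sbox[sbox[x ^ k1] ^ k2]


def equivalent_round_keys(sbox, k1, k2):
    """For each linear structure (a, c): S(x ^ k1 ^ a) = S(x ^ k1) ^ c,
    so (k1 ^ a, k2 ^ c) encrypts every x exactly like (k1, k2)."""
    pairs = {(k1 ^ a, k2 ^ c) for a, c in linear_structures(sbox).items()}
    return pairs | {(k1, k2)}


def all_equivalent(sbox, k1, k2):
    """True if every pair from equivalent_round_keys agrees on all inputs."""
    return all(two_layer(sbox, a, b, x) == two_layer(sbox, k1, k2, x)
               for a, b in equivalent_round_keys(sbox, k1, k2)
               for x in range(16))


if __name__ == "__main__":
    print("S-box:", [hex(v) for v in SBOX])
    print("linear structures (a -> c):", linear_structures(SBOX))
    print("class of 7:", sorted(equivalence_class(SBOX, 7)),
          "normalized:", normalize(SBOX, 7))
    print("bits per nibble recoverable by DFA:", bits_recoverable(SBOX))
    print("equivalent (k1, k2) for (5, 9):",
          sorted(equivalent_round_keys(SBOX, 5, 9)),
          "all encrypt identically:", all_equivalent(SBOX, 5, 9))
```

With a 2-dimensional A, each nibble loses 2 bits, so a 32-nibble state would leave 64 of 128 bits undetermined, which is the bound the abstract quotes from the DEFAULT designers. The equivalence only survives, however, as long as the round keys can be varied independently; once a key schedule ties k2 to k1, the pair (k1 ^ a, k2 ^ c) is in general not a valid key pair, and that is the lever the abstract describes as combining information across rounds.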

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published by the IACR in EUROCRYPT 2022
DOI
10.1007/978-3-031-07082-2_7
Keywords
Differential Fault Attacks (DFA), Cryptanalysis, Linear structures, DEFAULT
Contact author(s)
marcel nageler @ iaik tugraz at
christoph @ dobraunig com
maria eichlseder @ iaik tugraz at
History
2024-06-07: last of 2 revisions
2021-10-12: received
Short URL
https://ia.cr/2021/1374
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2021/1374,
      author = {Marcel Nageler and Christoph Dobraunig and Maria Eichlseder},
      title = {Information-Combining Differential Fault Attacks on {DEFAULT}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2021/1374},
      year = {2021},
      doi = {10.1007/978-3-031-07082-2_7},
      url = {https://eprint.iacr.org/2021/1374}
}