Paper 2024/1005

Differential Fault Attack on HE-Friendly Stream Ciphers: Masta, Pasta and Elisabeth

Weizhe Wang, Shanghai Jiao Tong University
Deng Tang, Shanghai Jiao Tong University
Abstract

In this paper, we propose the Differential Fault Attack (DFA) on three Homomorphic Encryption (HE) friendly stream ciphers \textsf{Masta}, \textsf{Pasta}, and \textsf{Elisabeth}. Both \textsf{Masta} and \textsf{Pasta} are \textsf{Rasta}-like ciphers with publicly derived and pseudorandom affine layers. The design of \textsf{Elisabeth} is an extension of \textsf{FLIP} and \textsf{FiLIP}, following the group filter permutator paradigm. All these three ciphers operate on elements over $\mathbb{Z}_p$ or $\mathbb{Z}_{2^n}$, rather than $\mathbb{Z}_2$. We can recover the secret keys of all the targeted ciphers through DFA. In particular, for \textsf{Elisabeth}, we present a new method to determine the filtering path, which is vital to make the attack practical. Our attacks on various instances of \textsf{Masta} are practical and require only one block of keystream and a single word-based fault. By injecting three word-based faults, we can theoretically mount DFA on two instances of \textsf{Pasta}, \textsf{Pasta}-3 and \textsf{Pasta}-4. For \textsf{Elisabeth}-4, the only instance of the \textsf{Elisabeth} family, we present two DFAs in which we inject four bit-based faults or a single word-based fault. With 15000 normal and faulty keystream words, the DFA on \textsf{Elisabeth}-4 can be completed in just a few minutes.

Note: The DFA on Elisabeth has been revised, with the single-bit fault now limited to the Most Significant Bit (MSB) of a word. Additionally, we have supplemented the analysis with a DFA on Elisabeth under the random word error model.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Preprint.
Keywords
Differential fault attackMastaPastaElisabeth
Contact author(s)
SJTUwwz @ sjtu edu cn
dengtang @ sjtu edu cn
History
2024-07-29: revised
2024-06-21: received
See all versions
Short URL
https://ia.cr/2024/1005
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/1005,
      author = {Weizhe Wang and Deng Tang},
      title = {Differential Fault Attack on {HE}-Friendly Stream Ciphers: Masta, Pasta and Elisabeth},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1005},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1005}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.