doi: 10.3850/978-3-9815370-4-8_0921


Improved Practical Differential Fault Analysis of Grain-128


Prakash Dey1,a, Abhishek Chakraborty2,c, Avishek Adhikari1,b and Debdeep Mukhopadhyay2,d

1Department of Pure Mathematics, University of Calcutta, India.

apdprakashdey@gmail.com
bavishek.adh@gmail.com

2Department of Computer Science and Engineering, Indian Institute of Technology Kharagpur, India.

cabhishek.chakraborty@cse.iitkgp.ernet.in
ddebdeep.mukhopadhyay@gmail.com

ABSTRACT

Differential Fault Attacks (DFA) on stream ciphers have been an active field of research. However, their practical realizations have not been reported in the public literature. Hence, the assumptions on the fault models made in the context of DFA for stream ciphers have not been studied. Furthermore, there have been few efforts reported on the popular stream cipher candidate, Grain-128. We consider a simple low-cost fault injection set-up, using clock glitches and show that in stream ciphers the critical path of the circuit affects few bit positions (the feedback bit for the Shift Registers in the stream ciphers). Thus the fault is often localized to single bit position, and because of the absence of required faulty ciphers makes existing theoretical DFAs invalid. In order to create multiple instance of faults, we use clock glitches to induce the fault, and then use the shifting property of the internal registers of Grain to create multiple instances of contiguously located faults. In parallel, we also develop a more relaxed DFA for Grain-128, to show that when the fault is k neighbourhood bits, k € {1,..,5}, the attack is successful to retrieve the key without knowing the locations or exact number of bits flipped by the internal fault. We also devise a technique for rejecting the bad faults with high probabilities, i.e., when the faults are not in the contiguous location as required in the attack. Combining the above attacks we demonstrate using a simple set-up via clock glitches that such faults can be practically obtained and analysed using the proposed attack algorithm to retrieve the key.



Full Text (PDF)