doi: 10.3850/978-3-9815370-4-8_0921
Improved Practical Differential Fault Analysis of Grain-128
Prakash Dey1,a, Abhishek Chakraborty2,c, Avishek Adhikari1,b and Debdeep Mukhopadhyay2,d
1Department of Pure Mathematics, University of Calcutta, India.
apdprakashdey@gmail.com
bavishek.adh@gmail.com
2Department of Computer Science and Engineering, Indian Institute of Technology Kharagpur, India.
cabhishek.chakraborty@cse.iitkgp.ernet.in
ddebdeep.mukhopadhyay@gmail.com
ABSTRACT
Differential Fault Attacks (DFA) on stream ciphers
have been an active field of research. However, their practical
realizations have not been reported in the public literature. Hence,
the assumptions on the fault models made in the context of DFA
for stream ciphers have not been studied. Furthermore, there have
been few efforts reported on the popular stream cipher candidate,
Grain-128. We consider a simple low-cost fault injection set-up,
using clock glitches and show that in stream ciphers the critical
path of the circuit affects few bit positions (the feedback bit
for the Shift Registers in the stream ciphers). Thus the fault is
often localized to single bit position, and because of the absence of
required faulty ciphers makes existing theoretical DFAs invalid. In
order to create multiple instance of faults, we use clock glitches to
induce the fault, and then use the shifting property of the internal
registers of Grain to create multiple instances of contiguously
located faults. In parallel, we also develop a more relaxed DFA
for Grain-128, to show that when the fault is k neighbourhood
bits, k {1,..,5}, the attack is successful to retrieve the key
without knowing the locations or exact number of bits flipped by
the internal fault. We also devise a technique for rejecting the
bad faults with high probabilities, i.e., when the faults are not
in the contiguous location as required in the attack. Combining
the above attacks we demonstrate using a simple set-up via clock
glitches that such faults can be practically obtained and analysed
using the proposed attack algorithm to retrieve the key.
Full Text (PDF)
|