Improved differential fault analysis of Grain-128AEAD
Abstract
The number of smart devices connected to the Internet has been constantly increasing, and as a result, lightweight cryptography (LWC) has become more important in the past decade. The Lightweight Cryptography (LWC) Project is an initiative taken by the National Institute of Standards and Technology (NIST) to standardize such LWC algorithms. Grain-128AEAD, which was submitted to the NIST LWC project, is an encryption algorithm that provides both confidentiality and integrity assurance. Third-party security analysis of the submitted ciphers is an important aspect of the evaluation of the submission to the NIST LWC project. Although several pieces of existing research, such as the bit-flipping attack, random fault attack, and deterministic random fault attack, have examined the security of Grain-128AEAD, there is still room for improvement in the fault attack models of these studies. This work aims to fill this research gap by analyzing the security margin of Grain-128AEAD against a series of improved differential fault attacks. In this study, we developed a probabilistic random fault attack and applied it to Grain-128AEAD. As an improvement of the existing research, a probabilistic approach can be applied to a more relaxed moderate control attack model. The existing moderate control model assumes the fault to be injected within any bit of a given byte, whereas the faults in our improved approach can be injected within any bits of a two-byte/four-byte segment, thereby relaxing the fault precision. The results indicate that the improved moderate control requires 388 keystreams for the two-byte model and 279 for the four-byte model to identify the target fault locations for implementing a state recovery attack. The relaxed fault attack models presented in this work are more practical to implement; hence, the findings of this research have improved the existing studies and narrowed the current research gap on the fault attack models of Grain-128AEAD.
Keywords
INTRODUCTION
The National Institute of Standards and Technology (NIST) initiated the Lightweight Cryptography (LWC) Project to solicit, test, and standardize lightweight cryptographic algorithms for use in restricted environments [1]. This project aims to standardize the ciphers feasible for resource-constrained applications. After two rounds of evaluation, NIST announced the winner, ASCON, from the ten finalists. Among the finalists, Grain-128AEAD is one of the stream cipher-based algorithms. Several finalists are not fully explored by the third party against various fault attacks. This paper investigates improving the differential fault attacks on Grain-128AEAD.
This work presents a set of fault attacks that successfully recovers the majority of the internal state bits of Grain-128AEAD [2,3]. As an improvement of the research by Salam et al. [4], we have investigated two more relaxed fault attack models–a two-byte moderate control model assuming the injection of a random fault into two consecutive bytes and a four-byte moderate control model assuming the injection of a random fault into four consecutive bytes. This paper shows that the improved attack, a combined probabilistic-deterministic fault attack of more relaxed moderate control models, is feasible to identify all the required target fault registers in the linear feedback shift register (LFSR). In the moderate control models with two or four bytes, we employ a probabilistic approach to recover some of the fault targets when a deterministic approach is not feasible. Table 1 compares the results of this study with those obtained in the work conducted by Salam et al. [4]. Compared to their research, the findings reported in this paper require access to more keystreams and inject more faults; however, the fault attack models of this work are more practical to implement in terms of fault precision.
Summary of required keystreams to determine the faulty register
Ref. | Fault type | Fault precision | Requiredkeystream | Datacomplexity |
[4] | Bit-flipping | Precise | 223 | |
Probabilistic random | Precise | 223 | ||
Deterministic random | Precise | 200 | ||
Moderate | 223 | |||
This work | Probabilistic-Deterministic random | Moderate (Two-byte) | 388 | |
Moderate (Four-byte) | 279 |
We use the term probabilistic-deterministic to refer to the fact that some of the fault target locations are identified using a deterministic signature, while some others are identified with a probabilistic signature. Table 2 shows that with two-byte moderate control precision, 100 target LFSR register locations can be identified using the deterministic method, and the remaining 28 need to be recovered with the probabilistic method. On the other hand, 96 target LFSR register locations can be identified using the deterministic method, and the remaining 32 need to be recovered with the probabilistic method. Comparing these two moderate control models, with the two-byte precision, more target registers have a deterministic signature but require more keystream and have a slightly higher data complexity. The four-byte precision requires using the probabilistic signature for a slightly larger number of target registers and, therefore, requires less keystream and lesser data complexity. The attacks presented in this paper are feasible in identifying the majority of the target registers. The fault precision with moderate control is practical as recent works have shown the practicality of fault injection using laser beams [5,6] and focused flashlights [7]. For a random byte fault model, depending on the target device, the fault may be induced with an optical flashgun or using a voltage glitch. The cost of such attacks ranges from low to 500 EUR, where a low cost refers to only a standard desktop PC (and in some cases, connection wires) to apply the attack [8]. Therefore, we conclude that the attacks presented in this work are practically feasible.
Comparison between Two-byte and Four-byte Precision Methods
Precision | Two-byte | Four-byte | |
Method | Deterministic | 100 | 96 |
Probabilistic | 28 | 32 | |
Identified target registers | 128 | 128 | |
Total Required Keystream | 388 | 297 |
Grain-128AEAD SPECIFICATION
Grain-128AEAD [2,3] is a stream cipher-based design suitable for applications requiring authenticated encryption with associated data (AEAD). It is based on the Grain family of stream ciphers that consists of Grain-v1 [9], Grain-128 [10], Grain-128a [11] and Grain-128AEAD, which are known for their high security and efficiency. Grain-128AEAD uses a 128-bit key and operates on blocks of 128 bits [12]. It offers three different operation modes:
1) Grain-Authenticate: This mode provides integrity protection for the associated data and confidentiality for the message.
2) Grain-Encrypt: This mode provides confidentiality for both the associated data and the message.
3) Grain-Seal: This mode combines the features of the previous two modes, providing both confidentiality and integrity protection for the associated data and the message.
Grain-128AEAD is designed from the idea of a nonlinear filter generator. It consists of the
Grain-128AEAD consists of two building blocks: the pre-output generator and the authenticator generator. The former consists of a 128-bit LFSR, 128-bit NFSR, and the output function
Figure 1. General structure of Grain-128AEAD [12].
The 256-bit internal state is made up of the contents of LFSR
The LFSR update function is denoted as
The NFSR function is given by
The update function for NFSR is defined by
The Boolean function
The output generated by the output generator is formulated as
where
During the initialization phase, the 128-bit key fills the NFSR,
During the last 128 rounds of initialization, the states are updated as follows:
During encryption, every even bit of the pre-output generator is used as the keystream bits
FAULT ATTACK
A differential fault analysis (DFA) is a type of side-channel attack. In this attack, an adversary induces faults or errors in the execution of a cryptographic algorithm and observes the differences in the outputs caused by these faults. By analyzing these differences, the attacker aims to gain information about the secret key used in the cryptographic process [13]. Fault attacks can pose a significant threat to a wide range of industries, including banking, defense, and critical infrastructure. They have been shown to be a powerful technique against many modern ciphers; for examples of fault attacks on stream ciphers, refer to the provided references [14,15,15–23]. Fault attacks can be measured by four parameters: the fault type, duration, number, and precision [4,24].
1) The fault type describes how it affects a specific register. The target register bit may become 0 or 1, be flipped, or be a random value by the fault injection. To perform a bit-flipping attack, the attacker is capable of changing the value of the target bit(s) by complementing them. In the event of a random fault, the attacker has no control over its impact; the targeted register bit has an equal chance of flipping or remaining the same.
2) The fault duration determines the period it remains active. A fault can be divided into two types depending on the fault duration: temporary and permanent. For a temporary fault, the error remains active for a short period, such as a single clock cycle, while a permanent fault remains active for the entire duration of the operation.
3) The number of faults indicates the count of bits influenced by the fault injection process. The length of affected bits varies from a single bit to multiple bytes.
4) The precision of fault, indicating the ability to control the timing and the intended target of the fault, can be categorized into three types according to the degree of precision: precise, moderate, and no control. In the first type, the attacker can induce an error into a specific target at a specific time. In the second type, the attacker can moderately control the fault target and timing; e.g., it can inject fault in a specific byte but does not have control over the specific bits in the given byte. In the third type, the attacker cannot control the fault target and timing.
Existing fault attacks on Grain-128AEAD
Several recent studies have performed a series of fault analyses against Grain-128AEAD. In one of these works, a bit-flipping attack, a probabilistic random fault attack, and a deterministic random fault attack were implemented to recover the internal state of the cipher. We discuss these attacks briefly below.
Bit-flipping fault attack
A bit-flipping fault attack is a side-channel attack that complements the target register bit by injecting a fault. Salam et al. [4] applied a bit-flipping fault attack on Grain-128AEAD. This aspect of their work investigated the existence of unique quadratic terms in the keystream outputs. Consider the output function
where the monomial
Probabilistic random fault attack
A probabilistic random fault attack is applied when the attacker cannot conclusively determine whether the value of the faulty register has been complimented, i.e., the effect of the fault is random. In the research by Salam et al. [4], several distinct cases are considered when a register
By observing the output differential
Deterministic random fault attack
The deterministic random fault attack [4] is carried out on attack models with three different levels of control precision. A simple example is used to illustrate the idea. Notice that
Then, the value of the fault
The unique linear term in the equation is targeted by the fault model and can be determined by calculating the first-order derivative of the keystream equations with respect to the LFSR register
With this approach, a list of the output indices can be generated and used to compute the value of the random fault for Grain-128AEAD. Accordingly, once the fault is determined to complement the target register, the corresponding equations with the unique quadratic terms (bit-flipping) are used to recover specific state bit(s).
As previously stated, three varying degrees of precision control are considered in these attacks: precise, moderate, and no control. From the results of precise control, it was concluded that an average of two faults is needed to complement a specific target register. The average number of required faults for this approach is 200, with a data complexity of
IMPROVED FAULT ATTACKS ON Grain-128AEAD
We consider possible extensions and improvements for the differential fault attacks based on the research by Salam et al. [4]. We investigated and implemented a moderate control model to a more relaxed degree. Moderate control refers to the assumption in which an attacker can introduce the error in a particular byte array, where the error can affect any of the bits in that byte array. We considered two scenarios: i) injecting faults within a two-byte array and ii) injecting faults within a four-byte array.
Inject a fault within two consecutive bytes
Instead of focusing on a single byte, this study first assumes the injection of a random fault to two consecutive bytes. The 128-bit LFSR and NFSR are grouped into eight arrays, each consisting of sixteen register bits. For example,
List of keystream indices required and the number of output indices for each two-byte array
Two-byte | Output indices | Quantity |
34, 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, 60, 62, 64, 66, 68, 70, 72, 74, 76, 78, 80, 82, 84, 86, 88, 90, 92, 94, 96, 98, 100 | 34 | |
44, 46, 48, 52, 54, 56, 58, 60, 66, 68, 70, 72, 74, 78, 80, 82, 86, 90, 94, 96, 98, 100, 102, 104, 106, 108, 114, 116 | 28 | |
34, 36, 38, 40, 42, 60, 62, 64, 66, 68, 70, 72, 74, 76, 78, 80, 82, 84, 86, 88, 90, 92, 94, 96, 98, 100, 102, 104, 106, 108, 110, 112, 114, 116, 118, 120, 122, 130, 132, 134, 136, 138 | 42 | |
44, 46, 48, 76, 78, 80, 82, 84, 86, 88, 90, 92, 94, 96, 98, 100, 102, 104, 106, 112, 114, 116, 118, 120, 122, 124, 126, 128, 130, 132, 134, 136, 138, 140, 142, 144, 146, 148, 150, 152, 154 | 41 | |
36, 40, 64, 82, 84, 86, 88, 90, 94, 96, 98, 100, 102, 104, 106, 108, 110, 112, 114, 116, 118, 120, 122, 126, 128, 130, 132, 134, 136, 138, 140, 142, 144, 146, 152, 154, 156, 158, 160, 162 | 40 | |
0, 34, 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 66, 68, 70, 72, 74, 76, 78, 80, 82, 84, 86, 88, 90, 92, 98, 100, 102, 104, 106, 108, 110, 112, 114, 116, 118, 120, 122, 124, 126, 128, 130, 132, 134, 136, 138, 140, 142, 144, 146, 148, 150, 152, 154, 156, 158, 160, 162, 164, 166, 168, 170, 172, 174, 176, 178 | 68 | |
2, 6, 10, 14, 34, 38, 42, 46, 50, 52, 54, 56, 58, 60, 62, 64, 66, 68, 70, 72, 74, 78, 92, 96, 98, 100, 102, 104, 106, 108, 110, 114, 116, 118, 120, 122, 124, 126, 128, 130, 132, 136, 154, 158, 160, 162, 164, 166, 168, 170, 172, 174, 182, 186, 190, 194 | 56 | |
18, 20, 22, 24, 26, 28, 30, 32, 50, 52, 54, 56, 58, 60, 62, 64, 66, 68, 70, 72, 74, 76, 78, 80, 84, 86, 88, 92, 94, 96, 108, 110, 128, 130, 132, 138, 146, 150, 152, 154, 170, 172, 174, 192, 198, 200, 202, 204, 206, 208, 210, 212 | 52 |
Determining required single output index to confirm the effect of random fault
To further reduce the data complexity, this study obtains single or multiple output keystream bits that may be used to conclusively determine the impact on the fault for any target register. The first step is eliminating the duplicated output indices in two bytes because observing output indices with duplicated values can only conclude an ambiguous result. In Figure 2, all the output indices that output a differential of 1 for each register in
Figure 2. Output indices to determine the target registers in
Algorithm 1: Determining the number of times when Require: Target register For
As an example, Figure 3 shows the result obtained from Algorithm 1 using registers in
Figure 3. Number of times
Then, attempting to gain a clearer conclusion, the experiment is extended by not removing the duplicated values in Figure 2 and using Algorithm 1. The results obtained are shown in Figure 4. We observe that although the output differential injected with a fault may be applied to only two registers, it is still impossible to indicate the fault location conclusively. For example, when
Determining required pairs of keystream indices to confirm the effect of random fault
Another experiment was conducted to determine the unique pairs of output keystream bits that can conclusively establish if the injected fault affects a target register. For this, in each register of the two-byte array, all the possible pairs of keystream indices were generated first. For example, pairs of differentials can be formed from the output indices array of register
The pair combination of output indices for each register in
Figure 5. Pairs of output keystream indices to determine the target registers in
Figure 6 presents the results obtained from the experiment with differential pairs of output indices for the target register
Figure 6. Number of times where
Generally, these conclusive pairs of output differentials can be obtained by examining the table columns where no other faulty target results in
Required output differential pairs (
Target register | Pairs of output differentials ( |
(34, 38), (34, 54), (54, 66) | |
No unique output differential pair | |
(36, 40), (36, 56), (56, 68) | |
No unique output differential pair | |
(38, 42), (38, 58) | |
No unique output differential pair | |
(40, 44), (40, 60) | |
No unique output differential pair | |
(42, 46), (42, 62) | |
No unique output differential pair | |
(44, 48), (44, 64) | |
No unique output differential pair | |
(46, 50) | |
No unique output differential pair | |
(48, 52) | |
No unique output differential pair |
Table 4 indicates that it is infeasible to obtain conclusive pairs of output differentials for registers
Figure 7. Number of times where
Determining required conditions to confirm the effect of random fault
After conducting the above-mentioned set of experiments for all the registers in
Required output differential pairs (
Target register | Keystream condition |
After implementing this experiment on all eight two-byte arrays, the conditions required to confirm the target registers are determined for
Determining required combinations of output indices to confirm the effect of random fault
To further investigate the conditions used to confirm all the registers in the remaining six two-byte arrays, instead of using pairs, a combination of all the unique output indices of the corresponding register is generated and used to further determine the faulty register. The process is similar to Algorithm 1, but the output pairs are replaced with a list of all unique output differentials of the register. As determined by Algorithm 2, arrays are declared to store the result of all the registers in the two-byte array of the 100-round tests. The experiment is carried out on every two consecutive bytes of LFSR.
For example, Figure 8 presents the results of the experiment conducted using all the combinations of output indices for register
Figure 8. All unique output indices for register
Figure 9. All unique output indices for register
Figure 10 demonstrates that for the target register
Figure 10. Number of counts for which all the combinations of unique differentials are one for each register in
Algorithm 2: Determine the number of times when combined unique output indices result in a differential of one for each register in Grain-128AEAD Require: Register For
Figure 11 shows the number of times where the differentials
Figure 11. Number of counts for which all the combinations of unique differentials are one for each register in
After conducting the above approach to all the registers in the last six two-byte arrays, the injected faulty target can be located for the majority of the registers. However, there still exists a situation where a few target registers cannot be determined due to insufficient conditions. Then, the probability of successfully determining the remaining faulty register is calculated based on the experiment results of the combined output indices, as given in
where
Summarizing required conditions to confirm the effect of random fault
The method employed in this work reduces the number of output indices that need to be observed to identify the target register in the LFSR. For example, based on earlier observations, the output differentials required to be observed for identifying the fault targets in
List of keystream indices required for the attack and the number of output indices for two-byte arrays
Two-byte | Output indices |
34, 36, 38, 40, 42, 44, 46, 48, 50, 52, 64, 68, 82, 84, 86, 92, 94, 96 | |
44, 46, 48, 50, 52, 54, 56, 58, 60, 62, 64, 66, 68, 80, 82, 84, 98, 100, 108, 110, 112 | |
38, 40, 42, 60, 62, 66, 67, 68, 70, 72, 74, 76, 78, 80, 82, 84, 86, 88, 90, 96, 98, 100, 102, 104, 106, 108, 110, 112, 114, 116, 118, 120, 122, 130, 132, 134, 136, 138 | |
48, 50, 52, 54, 56, 58, 76, 78, 80, 82, 84, 86, 88, 90, 92, 94, 96, 98, 100, 102, 104, 106, 112, 114, 116, 118, 120, 122, 124, 126, 128, 130, 132, 134, 136, 138, 140, 142, 144, 146, 148, 150, 152, 154 | |
34, 36, 38, 40, 42, 60, 62, 64, 82, 84, 86, 88, 90, 92, 94, 96, 98, 100, 102, 103, 104, 106, 108, 110, 112, 114, 116, 120, 122, 124, 126, 128, 130, 132, 134, 136, 138, 140, 142, 144, 152, 154, 156, 158, 160 | |
0, 34, 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, 66, 68, 70, 72, 74, 76, 78, 80, 82, 84, 86, 88, 90, 92, 94, 98, 100, 102, 104, 106, 108, 110, 112, 114, 116, 118, 120, 122, 124, 126, 128, 130, 132, 134, 136, 138, 140, 142, 144, 146, 148, 150, 152, 154, 156, 158, 160, 162, 164, 166, 168, 170, 172, 174, 176, 178, 180 | |
2, 4, 6, 8, 10, 12, 14, 16, 34, 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, 60, 62, 64, 66, 68, 70, 72, 74, 76, 78, 80, 92, 94, 96, 98, 100, 102, 104, 106, 108, 110, 112, 114, 116, 118, 120, 122, 124, 126, 128, 130, 132, 134, 136, 138, 154, 156, 158, 160, 162, 164, 166, 168, 170, 172, 174, 176, 182, 184, 186, 188, 190, 192, 194, 196 | |
18, 20, 22, 24, 26, 28, 30, 32, 50, 52, 54, 56, 58, 60, 62, 64, 66, 68, 70, 72, 74, 76, 78, 80, 82, 84, 86, 88, 90, 92, 94, 96, 108, 110, 112, 114, 116, 118, 120, 122, 124, 126, 128, 130, 134, 136, 138, 140, 142, 144, 146, 148, 150, 152, 154, 170, 172, 174, 176, 178, 180, 182, 184, 186, 188, 190, 192, 198, 200, 202, 204, 206, 208, 210, 212 |
Inject a fault within four consecutive bytes
To further relax the moderate control precision, instead of focusing on two consecutive bytes, we also investigated the injection of a random fault that affects a randomly chosen single register from a collection of thirty-two registers, i.e., four consecutive bytes:
1. Confirming the required single output indices, to eliminate the duplicated output indices in four bytes to avoid ambiguous results;
2. Confirming the required pairs of output indices, where duplicated pairs will be removed to further determine the fault location;
3. Determining the required combinations of output indices to confirm the effect of the random injected fault. To further investigate the conditions used to confirm all the registers in the four-byte arrays, a combination of all the unique output indices is used instead of pairs. The probabilistic approach is used to identify the fault target registers that cannot be determined using deterministic signatures.
Applying this method to all the four-byte arrays, we obtained the total output indices required to be observed for identifying the fault targets. The probability is calculated for the target registers that cannot be directly determined. If the probability is greater than 95%, we consider the inaccuracy to be negligible, and the target register can be determined in such a case with high probability. If the probability is less than 95%, the probability is used to represent the chances of targeting the register. Table 7 shows the output indices required to be observed and the number of output indices for each four-byte array. The complete tables of the required keystream bits to be observed and the conditions to be satisfied for fault injection for the four-byte precision model are listed in tables in Appendix B.
List of keystream indices required for the attack and the number of output indices for each four-byte array
Four-byte | Output indices |
34, 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, 60, 62, 64, 66, 68, 70, 72, 74, 76, 78, 80, 82, 84, 86, 88, 90, 92, 94, 96, 98, 100, 104, 106, 110, 112 | |
38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, 60, 62, 64, 66, 68, 70, 72, 74, 76, 78, 80, 82, 84, 86, 88, 90, 92, 94, 96, 98, 100, 102, 104, 106, 108, 110, 112, 114, 116, 118, 120, 122, 124, 126, 128, 130, 132, 134, 136, 138, 140, 142, 144, 146, 148, 150, 152, 154 | |
0, 34, 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, 60, 62, 64, 66, 68, 70, 72, 74, 76, 78, 80, 82, 84, 86, 88, 90, 92, 94, 96, 98, 100, 102, 104, 106, 108, 110, 112, 114, 116, 118, 120, 122, 124, 126, 128, 130, 132, 134, 136, 138, 140, 142, 144, 146, 148, 150, 152, 154, 156, 158, 160, 162, 164, 166, 168, 170, 172, 174, 176, 178, 180 | |
2, 4, 6, 8, 10, 12, 14, 16, 18, 20, 22, 24, 26, 28, 30, 32, 34, 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, 60, 62, 64, 66, 68, 70, 72, 74, 76, 78, 80, 82, 84, 86, 88, 90, 92, 94, 96, 98, 100, 102, 104, 106, 108, 110, 112, 114, 116, 118, 120, 122, 123, 124, 126, 128, 130, 132, 134, 136, 138, 140, 142, 144, 146, 148, 150, 152, 154, 156, 158, 160, 162, 164, 166, 168, 170, 172, 174, 176, 178, 180, 182, 184, 186, 188, 190, 192, 194, 196, 198, 200, 202, 204, 206, 208, 210, 212 |
Based on the experimental results, 96 target registers can be determined using the deterministic method, and the rest 32 can be probabilistically represented. Hence, the faults injected into the LFSR can be determined, and we conclude that a fault attack on Grain-128AED can also be applied with the four-byte moderate control model.
CONCLUSION
In this work, we extended the DFA on Grain-128AEAD with two relaxed fault attack models: a two-byte moderate control model and a four-byte moderate control model. Unlike the previous work, instead of every single byte, the two-byte model focuses on every two consecutive bytes, and the four-byte model focuses on every four consecutive bytes. The results of these attacks are promising and suggest that moderate control models are feasible to identify the majority of the target registers with a high probability. The models used in this paper are more practical to implement as they have more relaxed assumptions. The previous experimental results show that Grain-128AEAD is vulnerable to a state recovery attack if an adversary can successfully inject fault in the LFSR registers–therefore, the results reported in this work can be used to perform a fault-based state recovery attack on Grain-128AEAD with a more relaxed fault model.
We note that the fault model used in this work may require more keystream bits compared to the single-byte moderate control; however, the two models used in this work have a more relaxed assumption and, hence, are more practical in implementation. It is worth noting that the designers of Grain-128AEAD did not claim security against fault attacks, so the results reported in this article do not violate their security claims. These findings highlight the importance of implementing proper physical protections to prevent fault attacks on Grain-128AEAD.
We also note that when the control is relaxed even further to no control, it appears infeasible to recover any bits, suggesting that additional investigation is needed. Therefore, future research could focus on applying moderate control models to explore the feasibility of differential fault attacks using no control models. These experiments could be conducted using a probabilistic approach, such as determining the likelihood that a register is affected by fault injection based on output differentials. Additionally, since our experiments could only recover the initial states of the cipher, future work could focus on investigating approaches for recovering the secret key.
DECLARATIONS
Authors' contributions
Made substantial contributions to the conception and design of the study and performed data analysis and interpretation: Fang T, Salam I, Yau WC
Availability of data and materials
Not applicable.
Financial support and sponsorship
This work is supported by the Xiamen University Malaysia Research Fund under Grant XMUMRF/2022-C9/IECE/0032.
Conflicts of interest
All authors declared that there are no conflicts of interest.
Ethical approval and consent to participate
Not applicable.
Consent for publication
Not applicable.
Copyright
© The Author(s) 2024.
REFERENCES
1. NIST Lightweight Cryptography Project. Available from: https://csrc.nist.gov/Projects/lightweight-cryptography.
2. Hell M, Johansson T, Meier W, Sönnerup J, Yoshida H. An AEAD variant of the grain stream cipher. In: Carlet C, Guilley S, Nitaj A, Souidi EM, editors. Codes, Cryptology and Information Security. Cham: Springer International Publishing; 2019. pp. 55–71.
3. Hell M, Johansson T, Maximov A, Meier W, Yoshida H. Grain-128AEADv2: strengthening the initialization against key reconstruction. In: Conti M, Stevens M, Krenn S, editors. Cryptology and Network Security. Cham: Springer International Publishing; 2021. pp. 24–41.
4. Salam I, Ooi TH, Xue L, Yau WC, Pieprzyk J, et al. Random differential fault attacks on the lightweight authenticated encryption stream cipher Grain-128AEAD. IEEE Access 2021;9:72568-86.
5. Selmke B, Heyszl J, Sigl G. Attack on a DFA protected AES by simultaneous laser fault injections. In: 2016 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC). IEEE; 2016. pp. 36–46.
6. Trichina E, Korkikyan R. Multi fault laser attacks on protected CRT-RSA. In: 2010 Workshop on Fault Diagnosis and Tolerance in Cryptography. IEEE; 2010. pp. 75–86.
7. Skorobogatov S. Optical fault masking attacks. In: 2010 Workshop on Fault Diagnosis and Tolerance in Cryptography. IEEE; 2010. pp. 23–29.
8. Breier J, Hou X. How practical are fault injection attacks, really? IEEE Access 2022;10:113122-30.
9. Hell M, Johansson T, Meier W. Grain: a stream cipher for constrained environments. Int J Wirel Mob Comput 2007;2:86-93.
10. Hell M, Johansson T, Maximov A, Meier W. A stream cipher proposal: Grain-128. In: 2006 IEEE International Symposium on Information Theory. IEEE; 2006. pp. 1614–18.
11. Ågren M, Hell M, Johansson T, Meier W. Grain-128a: a new version of Grain-128 with optional authentication. Int J Wirel Mob Comput 2011;5:48-59.
12. Hell M, Johansson T, Maximov A, Meier W, Sönnerup J, et al. Grain-128AEADv2-A lightweight AEAD stream cipher. Available from: https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/finalist-round/updated-spec-doc/grain-128aead-spec-final.pdf.
13. Biham E, Shamir A. Differential fault analysis of secret key cryptosystems. In: Advances in Cryptology—CRYPTO'97: 17th Annual International Cryptology Conference Santa Barbara, California, USA August 17–21, 1997 Proceedings 17. Springer; 1997. pp. 513–25.
14. Dey P, Rohit RS, Sarkar S, Adhikari A. Differential fault analysis on Tiaoxin and AEGIS family of ciphers. In: International Symposium on Security in Computing and Communication. Springer; 2016. pp. 74–86.
15. Salam I, Mahri HQA, Simpson L, Bartlett H, Dawson E, et al. Fault attacks on Tiaoxin-346. In: Proceedings of the Australasian Computer Science Week Multiconference. Association for Computing Machinery; 2018. pp. 1–9.
16. Bartlett H, Dawson E, Qahur Al Mahri H, Salam MI, Simpson L, et al. Random fault attacks on a class of stream ciphers. Secur Commun Netw 2019:2019.
17. Wong KKH, Bartlett H, Simpson L, Dawson E. Differential random fault attacks on certain CAESAR stream ciphers. In: International Conference on Information Security and Cryptology. Springer; 2019. pp. 297–315.
18. Dey P, Rohit RS, Adhikari A. Full key recovery of ACORN with a single fault. J Inf Secur Appl 2016;29:57-64.
19. Salam I, Law KY, Xue L, Yau WC. Differential fault based key recovery attacks on TRIAD. In: International Conference on Information Security and Cryptology. Springer; 2020. pp. 273–87.
20. Karmakar S, Roy Chowdhury D. Fault analysis of Grain-128 by targeting NFSR. In: Progress in Cryptology–AFRICACRYPT 2011: 4th International Conference on Cryptology in Africa, Dakar, Senegal, July 5-7, 2011. Proceedings 4. Springer; 2011. pp. 298–315.
21. Sarkar S, Banik S, Maitra S. Differential fault attack against grain family with very few faults and minimal assumptions. IEEE Trans Comput 2014;64:1647-57.
22. Banik S, Maitra S, Sarkar S. A differential fault attack on the grain family under reasonable assumptions. In: Progress in Cryptology-INDOCRYPT 2012: 13th International Conference on Cryptology in India, Kolkata, India, December 9-12, 2012. Proceedings 13. Springer; 2012. pp. 191–208.
23. Dey P, Chakraborty A, Adhikari A, Mukhopadhyay D. Improved practical differential fault analysis of Grain-128. In: 2015 Design, Automation & Test in Europe Conference & Exhibition (DATE). IEEE; 2015. pp. 459–64.
Cite This Article
How to Cite
Fang, T.; Salam, I.; Yau, W. C. Improved differential fault analysis of Grain-128AEAD. J. Surveill. Secur. Saf. 2024, 5, 62-79. http://dx.doi.org/10.20517/jsss.2023.42
Download Citation
Export Citation File:
Type of Import
Tips on Downloading Citation
Citation Manager File Format
Type of Import
Direct Import: When the Direct Import option is selected (the default state), a dialogue box will give you the option to Save or Open the downloaded citation data. Choosing Open will either launch your citation manager or give you a choice of applications with which to use the metadata. The Save option saves the file locally for later use.
Indirect Import: When the Indirect Import option is selected, the metadata is displayed and may be copied and pasted as needed.
Comments
Comments must be written in English. Spam, offensive content, impersonation, and private information will not be permitted. If any comment is reported and identified as inappropriate content by OAE staff, the comment will be removed without notice. If you have any queries or need any help, please contact us at support@oaepublish.com.