Cryptography Reference
In-Depth Information
the algorithms for the
ρ
-and
λ
-functions. In the proposed attack, we recover a
part of the buffer used in the
λ
- function using the faults injected into the state
in the
ρ
-function. Then, we consider its propagation in the
λ
-function and we
try to obtain another part of the buffer in the
ρ
-function using the propagated
result. By iterating this process, we can recover all states and buffers to obtain
the secret key.
5 Proposed Attack
In this section, we describe the details of the proposed attack.
5.1
Attack Assumptions
We describe the attack assumptions.
- We consider a transient fault, i.e., the attacker can reset the cryptographic
device to its original state and then inject a fault into the same device during
each new execution.
- An intermediate state is randomly corrupted by the fault injection, i.e., the
attacker does not need to know the faulty value. The faulty value is uniformly
distributed.
- The attacker knows the initial vector and he obtains pairs of correct and
faulty keystreams calculated from the same key and the initial vector.
- The attacker can randomly modify any 8-byte value,
b
(
t
8
,
b
(
t
9
,
...
,
b
(
t
)
13
,
a
(
t
)
0
or
a
(
t
2
during the keystream generation in any round,
t
.Hehasnocontrol
of the timing of the fault injection.
5.2
Attack Procedure
We propose an attack procedure to recover the 128-bit secret key using 12.54
pairs of correct and faulty outputs on average. We note that we know an 8-
byte state,
a
2
, in all rounds because MUGI outputs an 8-byte state,
a
2
,atthe
beginning of each round process.
Step 0: Obtain a Correct Keystream.
The attacker randomly selects an
initial vector and obtains one correct keystream, (the correct keystream,
a
2
,in
each round).
Step 1: Inject Fault into the
ρ
-Function and Obtain a Part of the
Intermediate States of the
-Functions.
The attacker obtains
faulty keystreams by injecting faults during the generation of the keystreams.
As an example, we consider the case that 8 bytes of
a
(
n
2
(
n
=
t,...,t
+5)
are randomly corrupted by the fault injection as shown in Fig. 2 (a). Figure
2 (a) shows the fault propagation when 8 bytes of
a
(
t
2
are corrupted and the
dotted lines indicate the fault propagation in this case. We note that the buffer
ρ
-and
λ
Search WWH ::
Custom Search