Fault Analysis on Stream Cipher MUGI

Cryptography Reference

In-Depth Information

solution for the byte of the S-box equation (2) into which a fault is not injected.

Then, in the case that a fault with fewer than 8 bytes is injected into each state,

we need to inject faults until all bytes are corrupted. However, in the case that

a fault with fewer than 8 bytes is injected into the buffer, we only need to inject

faults into at least 1 byte in the lower 4 bytes of the buffer and in the upper 4

bytes of the buffer because 1-byte fault diffuses into 4 bytes based on the matrix

M in the F-function.

6.3

Attacker's Ability to Control Fault Injection

We find that the attacker can verify a fault is injected into the desired location

and timing from faulty outputs in the same way as other stream ciphers. There-

fore, the attacker does not need to control the fault injection area and timing

precisely. This fact makes the attack more practical.

Table 1 shows the number of rounds until the faulty output first appears due

to fault injection, and patterns of the differences between the correct and faulty

outputs when a fault is injected into each state or buffer. In the table, A and B

denote kinds of the faulty patterns that are represented by the differences be-

tween the correct and faulty outputs in each round. T denotes a output without

fault and F denotes that with fault. As an example, in the case that a fault is

injected into b ( t 0 , the faulty output first appears after iterating the λ -function

four times and iterating the ρ -function twice because b ( t )

4 and b ( t +4 4 are

used in the ρ -function. Therefore, the number of rounds until the faulty output

first appears after the fault injection is 6(= 4 + 2). As another example, in the

case that a fault is injected into b ( t )

= b ( t +4)

11 , the faulty output first appears after iterat-

ing the λ -function three times and iterating the ρ -function once because b ( t +4)

is affected by b ( t +2)

(= b ( t )

11 )and b ( t +4)

10 used in the ρ -function. Therefore, the

number of rounds until the faulty output first appears after the fault injection is

4(= 3 + 1). For a successful attack, the attacker needs to inject a fault as pattern

A. Then, the attacker needs to inject a fault into a 0 , a 2 , b 8 ,

,or b 13 as shown

in Table 1. Therefore, the attacker can verify whether or not a fault is injected

into the desired location and timing from Table 1 and he can select the output

needed for a successful attack even if the attacker does not control the location

and the timing of fault injection.

···

Table 1. Number of Rounds Until Faulty Output First Appears From the Fault In-

jection and Output Patterns. T

Denotes a Output Without a Fault and F Denotes a

Output With a Fault.

Fault location

a 0 a 1 a 2

b 0 b 1 b 2 b 3 b 4 b 5 b 6 b 7 b 8 b 9 b 10 b 11 b 12 b 13 b 14 b 15

Number of rounds

11 0 6 543243232 143287

Output patterns

ABAB BBBBBBBAA A A A A B B

Output pattern A: T,··· ,T, F ,T, F , F , F , ···

Output pattern B: T,··· ,T, F , F , F , F , F , ···

Information Security and Cryptology-ICISC 2010

Search WWH ::

Custom Search

Home