mathematical specification. It is clear that in theory fault attacks are much more powerful than regular cryptographic attacks: indeed, consider the (hypothetical) situation in which an injected fault bypasses the initialization phase of a stream cipher, causing a direct leak of key material, or changes the address of the output register so that it points instead to the register containing the current state! Fortunately, not all theoretical fault models can be easily achieved in practice. Nonetheless, the state of the art in physical fault attacks is constantly improving, and a large number of spectacular successes in breaking CRT-RSA and AES have been reported in the literature. Interestingly enough, until now there seem to be no practical implementations of fault attacks on stream ciphers, although, starting with Hoch and Shamir [182], who developed a method of exploiting perturbations of LFSR-based stream ciphers to recover the key, the number of publications describing “realistic” theoretical attacks on stream ciphers has been steadily growing.

In this chapter we survey techniques of differential fault analysis of a number of stream ciphers, with special emphasis on some leaders of the eSTREAM competition. However, to give a flavor of fault attacks, we will start with an “impossible” fault analysis of RC4 that is easy to describe and to understand, followed by a more traditional differential fault analysis of the same cipher. We proceed with a fault analysis of the LFSR-based cipher Trivium in Sect. 14.3 and demonstrate how far differential fault analysis can be pushed by describing an attack on a markedly different and much more complex cipher, HC-128, in Sect. 14.4. A brief survey of publications on fault analysis of other stream ciphers, such as Grain, Rabbit, and SNOW 2.0, is given in Sect. 14.5. In the conclusion we address some aspects of the practical implementation of fault attacks and countermeasures for software and hardware implementations of stream ciphers and how they differ from those of block ciphers and public key algorithms.
14.2 Impossible Cryptanalysis Enhanced: Faults on RC4
14.2.1 Cipher Description and Properties
The Alleged RC4 cipher is a stream cipher designed by Ron Rivest in 1987 and made public in 1995 by an anonymous researcher who analyzed the implementation provided by RSA Security and posted the source code on a newsgroup. After the public disclosure of its inner workings, the cipher has been widely used in a large range of applications, from document encryption (the PDF file format employs RC4 as a standard protection) to network traffic protection (IEEE 802.11b Wired Equivalent Privacy). One of the key reasons for this widespread adoption is the simplicity of the cipher structure, which results in ease of implementation. The cipher state is characterized by two indices i and j, which range from 0 to 255 and may thus each be contained in a single byte variable, and an array of 256 bytes which is properly initialized by the key scheduling procedure. The values contained in the array are