Cryptography Reference
This technique leads to a significant reduction in the number of faults which need
to be injected in order to recover the whole state: 43 faults are sufficient in order
to obtain the whole set of $\{s_1, \ldots, s_{288}\}$ variables. On the other hand, with this attack
improvement, trying to guess a small number of bits through brute-force does not
involve a significant reduction of the number of faults which need to be injected. In
fact, guessing more than half of the state bits (168 out of 288) leads to a reduction
in the number of faults to 42, thus saving the attacker a single fault injection.
The number of injected faults may be further reducible if all the possible quadratic
equations, involving also nonadjacent bits of the state, are considered. According to
the authors of [184], this yields an extra 20% of equations from the same faults at
the cost of using memory efficient techniques to store all the equations, since all the
possible generic quadratic terms are $\binom{288}{2}$ instead of just 287.
14.4 An Advanced Case: Differential Fault Analysis of HC-128
14.4.1 Cipher Description
HC-128 is a stream cipher proposed by Wu [423] and is part of the software portfolio
of the eSTREAM project. The cipher is based on an internal state composed of two
separate tables P and Q, with 512 entries, each 32 bits wide, which are employed to
generate the keystream, and two indices which drive the generation process.
The keystream generation process is driven by an index, i, which acts as both a
counter up to 1024 and a switch between the table of the cipher that is refreshed with
the feedback function and the table that is not. In particular, when i assumes a value
between 0 and 511, P undergoes diffusion, while when its value is between 512 and 1023,
Q is modified. The i index also selects how the output depends on the inner state,
employing a LUT to add complexity to the relationship binding state and outputs.
As HC-128 is (almost) symmetric, Fig. 14.2 provides a block diagram of the table
under refreshment for a fixed value of i. The other "half" of the cipher can easily be
obtained by swapping the role of P and Q and changing the rotation constants and
directions of the rotations.
As depicted in Fig. 14.2, the nonlinear feedback function, which is driven by
j = i mod 512, employs four values from the selected state table (P in the figure),
rotates three of the four 32-bit values and recombines them through a mixture of
XOR and addition modulo $2^{32}$ operations, each marked by its own symbol in the
figure. The recombined
value is then combined with the old value of the cell to obtain the one which will be
replacing it. The positions of the first three elements are determined from the index j,
respectively adding to it modulo 512 (the actual length of the table) three constant
values: -10, -3 and +1.
After the table update operation is performed through the feedback function, the
cipher computes the output 32-bit word through the nonlinear output function which
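The keystream step described in this section, written out as an added example (not code from the book or from the HC-128 reference implementation). The rotation amounts, the j-12 offset and the lookup-based output function are assumptions taken from Wu's HC-128 specification rather than from this page, and the tables are filled with constructed values instead of the real key/IV setup.

```python
# Added illustration: one HC-128 keystream step, following the description above.
# Rotation amounts (10, 8, 23), the j-12 offset and the h() lookup are taken from
# Wu's HC-128 specification, not from this page. No key/IV setup is included.
MASK = 0xFFFFFFFF

def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def rotl(x, n):
    return rotr(x, 32 - n)

def step(P, Q, i):
    """Run keystream step i in place; return (output word, name of refreshed table)."""
    j = i % 512
    # i mod 1024 is the switch: 0..511 refreshes P, 512..1023 refreshes Q.
    if i % 1024 < 512:
        upd, lut, rot, name = P, Q, rotr, "P"
    else:
        upd, lut, rot, name = Q, P, rotl, "Q"
    a = upd[(j - 3) % 512]     # offset -3
    b = upd[(j - 10) % 512]    # offset -10
    c = upd[(j + 1) % 512]     # offset +1 (the same cell as -511 modulo 512)
    # Feedback: three rotated words mixed by XOR and addition mod 2^32,
    # then added to the old value of cell j.
    fb = ((rot(a, 10) ^ rot(c, 23)) + rot(b, 8)) & MASK
    upd[j] = (upd[j] + fb) & MASK
    # Output: two bytes of upd[j-12] index the other table, which acts as the LUT.
    x = upd[(j - 12) % 512]
    h = (lut[x & 0xFF] + lut[256 + ((x >> 16) & 0xFF)]) & MASK
    return h ^ upd[j], name

def constructed_state(seed):
    """Constructed 512-word table from an LCG; NOT the real key schedule."""
    out, x = [], seed
    for _ in range(512):
        x = (1664525 * x + 1013904223) & MASK
        out.append(x)
    return out

def changed_cells(before, after):
    return [k for k in range(512) if before[k] != after[k]]

if __name__ == "__main__":
    P, Q = constructed_state(1), constructed_state(2)
    for i in range(4):
        word, table = step(P, Q, i)
        print(f"i={i} refreshed {table}[{i % 512}] -> keystream {word:08x}")
```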