Cryptography Reference
In-Depth Information
Fig. 14.2
A diagram of one of the two symmetric halves of HC-128
employs two values from the
P
state table. The first one is employed to perform
a lookup on the other state table
Q
, by using two of its four bytes to look up two
values, one in the lower, the other in the upper half of
Q
. These two values are then
combined through addition and the result is employed to mask the value of the
P
table which had just been refreshed before being output as the output word for the
cycle.
After outputting the word, the cipher increments the value of the counting index
i
by 1 and resumes the keystream generation.
The key scheduling strategy of the cipher is based on initializing the
P
and
Q
tables with the key material and expanding it until both tables are filled. After the
whole state is filled with key material, the cipher is clocked 1,024 times to avoid the
production of low-degree keystream in output. After these 1,024 rounds, the cipher
is ready to generate a usable keystream.
As can be noticed, the bit-wise relations among the cipher, the counters and the
internal state are highly nonlinear and the cipher also has a wide temporal memory
implemented through the use of the values from the table at rest as a mask for
the output. These features significantly reduce the possibility of breaking this stream
cipher using classic cryptanalysis, since it is very difficult to obtain exploitable linear
or near-linear relations.
14.4.2 Attack Description
In order to attack the HC-128 cipher through the use of faults, the authors of [184]
propose a two-phase technique akin to the one employed to break RC4. In the first
phase the position where the fault hit the internal state of the cipher is recovered,
while in the second phase the recovery of the inner state takes place. The fault model
