Fig. 14.3 Block diagram of SNOW 3G
in the FSM is obtained by updating the contents of the last two of the three registers
through a transformation of the 32-bit value derived from two key primitives of the
AES standard: the SubBytes and MixColumns operations. These two primitives are
able to map a 32-bit value to another one, providing proper diffusion that is immune
to statistical attacks, and they can be efficiently implemented in hardware.
In 2009, Debraize et al. [117] proposed a fault attack technique able to successfully
break the SNOW 3G cipher. The technique is akin to the one employed to break
HC-128, although a couple of extra issues must be addressed. First, the attacker
injects a fault into a word of the inner state s_i, where the position i is known. No
particular assumption on the timing of the attack is made, so the fault hypothesis may
be reformulated as injecting a fault into an arbitrary location of the state, provided
clock-accurate timing is available. After the fault injection, a correct keystream must
be collected in order to analyze its differences with the faulty one. Indicating, as in the
attack on HC-128, with 1 a difference between two words of the ciphertexts and with
0 two identical words at the same clock cycle, it is possible to build fault fingerprinting
sequences. Employing the fault fingerprint, the attacker is able to discover the part of
the state in which the fault was injected, and is thus able to write an equation having
on its right-hand side the difference between the two keystream values and on its
left-hand side, the same difference between the values of the inner state involved in
the generation of the output. After collecting a number of different equations, the
attacker aims at eliminating the nonlinear terms of the equations (namely, the ones
depending on the values of the three registers of the FSM), by subtracting state to
state the different equations. Since the construction of the cipher does not allow us to
obtain a fully linear system as in the case of HC-128, the authors of [117] employed
Gröbner basis decomposition to solve the low degree nonlinear system obtained from
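
The fault fingerprinting step described above, as an added example that is not taken from the book or from [117]: a toy generator with a 16-word LFSR and a three-register FSM shows that the 0/1 difference pattern between a correct and a faulty keystream identifies the disturbed state word s_i, independently of the key state and of the fault value. The feedback taps, the output rule, the `mix` function and the sample states are simplifying assumptions, not the SNOW 3G specification.

```python
MASK = 0xFFFFFFFF

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def mix(x):
    # Hypothetical invertible nonlinear map standing in for the FSM's
    # SubBytes/MixColumns-based transformation (not the real S-boxes).
    x = (x * 0x9E3779B1) & MASK
    return x ^ (x >> 15)

def keystream(lfsr, fsm, nwords, fault=None):
    """Toy generator. fault=(i, delta) XORs delta into LFSR word s_i
    before the first clock; fault=None gives the correct keystream."""
    s = list(lfsr)
    r1, r2, r3 = fsm
    if fault is not None:
        s[fault[0]] ^= fault[1]
    out = []
    for _ in range(nwords):
        out.append((((s[15] + r1) & MASK) ^ r2) ^ s[0])     # output word
        r1, r2, r3 = (r2 + (r3 ^ s[5])) & MASK, mix(r1), mix(r2)
        fb = rotl(s[0], 8) ^ s[2] ^ rotl(s[11], 24)         # simplified linear feedback
        s = s[1:] + [fb]
    return out

def fingerprint(good, bad):
    # 1 = the two keystream words differ at this clock, 0 = identical
    return tuple(int(a != b) for a, b in zip(good, bad))

def build_table(lfsr, fsm, nwords=16, delta=1):
    # Fingerprint of a fault in every LFSR position, mapped back to the position
    good = keystream(lfsr, fsm, nwords)
    return {fingerprint(good, keystream(lfsr, fsm, nwords, (i, delta))): i
            for i in range(16)}

def locate_fault(table, good, bad):
    # Position whose fingerprint matches the observed pattern, or None
    return table.get(fingerprint(good, bad))

def sample_state(seed):
    # Constructed sample state (arbitrary values, not real key material)
    words = [mix(seed + k) for k in range(19)]
    return words[:16], tuple(words[16:])
```

Building the table on one sample state and calling `locate_fault` on keystreams from a different state and a different fault value returns the same position, because the pattern depends only on how the disturbed word moves through the LFSR and into the FSM.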
 