The only attack which can be countered more or less efficiently is the "impossible
fault analysis" of RC4, since it is relatively inexpensive to check that the two indices
have not fallen into a Finney state. Even so, this adds two comparisons to each state
transition. As an optimization, one may want to calculate how often these checks need
to be carried out so that the fault is caught before the damage is done. This can be
done by taking into account that it is possible to detect whether the cipher has entered
a Finney state only after roughly 20 outputs: this implies that a check every 20 cycles
is enough to thwart even the distinguishing capabilities of the attack. If the defender
is not concerned with the attacker detecting the Finney state, but only with the state
extraction, the check may be delayed further, since the attacker does not possess the
information concerning the first output of the Finney state, and the only ordering
provided by the output values is the one among the interleaved values (which appear
once every 255 outputs).
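The countermeasure described above, as an added example that is not from the book: an RC4 keystream generator whose state transition is augmented with the two-comparison Finney-state check (j == i + 1 and S[j] == 1), evaluated only every `check_every` outputs to reflect the "check every 20 cycles" optimization. The class names, the `FaultDetected` exception, the `check_every` parameter and the `corrupt_into_finney_state` test fixture are all assumptions introduced here; the fixture simply writes a Finney state into the generator so the detector can be exercised offline, since such a state is unreachable from a normal key setup.

```python
# Added example: RC4 PRGA with a periodic Finney-state check as a fault countermeasure.
# Not the book's code; names and parameters are this example's own.


def rc4_ksa(key: bytes) -> list:
    """Standard RC4 key scheduling: returns the initial 256-byte permutation S."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def is_finney_state(S: list, i: int, j: int) -> bool:
    """A Finney state has j == i + 1 (mod 256) and S[j] == 1.

    The PRGA transition maps Finney states to Finney states, and the normal
    initial state (i = j = 0) is not one, so observing one means the internal
    state was corrupted. Two comparisons, as the text says.
    """
    return j == ((i + 1) & 0xFF) and S[j] == 1


class FaultDetected(Exception):
    """Raised when the periodic check finds the generator in a Finney state."""


class RC4:
    def __init__(self, key: bytes, check_every: int = 20):
        # check_every is the assumed knob for the "check every N cycles" optimization.
        self.S = rc4_ksa(key)
        self.i = 0
        self.j = 0
        self.count = 0
        self.check_every = check_every

    def next_byte(self) -> int:
        S = self.S
        self.i = (self.i + 1) & 0xFF
        self.j = (self.j + S[self.i]) & 0xFF
        S[self.i], S[self.j] = S[S.index(S[self.j])], S[self.i]
        self.count += 1
        # Run the cheap invariant check only once every check_every transitions.
        if self.check_every and self.count % self.check_every == 0:
            if is_finney_state(S, self.i, self.j):
                raise FaultDetected(f"Finney state at output {self.count}")
        return S[(S[self.i] + S[self.j]) & 0xFF]

    def keystream(self, n: int) -> bytes:
        return bytes(self.next_byte() for _ in range(n))


def corrupt_into_finney_state(cipher: RC4, i: int) -> None:
    """Constructed test fixture: overwrite the state with a Finney state.

    This stands in for whatever a fault would have done to the registers; it
    only sets variables, so the detector can be tested without any hardware.
    """
    S = list(range(256))
    S[1], S[(i + 1) & 0xFF] = S[(i + 1) & 0xFF], S[1]  # put the value 1 at S[i+1]
    cipher.S, cipher.i, cipher.j = S, i & 0xFF, (i + 1) & 0xFF


def first_detection(cipher: RC4, n: int):
    """Produce up to n outputs; return the 1-based index at which the check fired, or None."""
    for k in range(1, n + 1):
        try:
            cipher.next_byte()
        except FaultDetected:
            return k
    return None


if __name__ == "__main__":
    # Known RC4 vector: key "Key" yields keystream EB 9F 77 81 B7 34 CA 72 A7 ...
    print(RC4(b"Key").keystream(9).hex())
    c = RC4(b"Key", check_every=20)
    corrupt_into_finney_state(c, 5)
    print("detected at output", first_detection(c, 100))
```

With `check_every=20` a corrupted generator is flagged at the 20th output after corruption, which matches the window in which the text says the Finney state becomes observable from the outside; with `check_every=1` it is flagged immediately at the cost of two comparisons per byte. An uncorrupted generator never trips the check, which is what makes the invariant usable as a fault detector rather than a false-positive source.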
Yet, if stream ciphers are inherently vulnerable to fault attacks, the question is
why there are no publications demonstrating these attacks in practice. The answer
to this question illustrates another similarity among the reviewed papers: a relatively
large number of faulty ciphertexts is required for successful cryptanalysis. Indeed,
unlike in fault simulations, injecting faults in real life, whatever the device or the
fault injection means, is never deterministic: not every laser shot leads to an exploitable
error and not every glitch produces the expected outcome. Thus obtaining thousands
or millions of faulty ciphertexts may in practice take much more time than processing
them on a PC. It would be interesting to see experimental results on how long it takes
to break RC4 with an impossible fault attack!