Fault Attacks on Stream Cipher Scream

  • Shaoyu DuEmail author
  • Bin Zhang
  • Zhenqi Li
  • Dongdai Lin
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9065)


In this paper we present a differential fault attack (DFA) on the stream cipher Scream which is designed by the IBM researchers Coppersmith, Halevi, and Jutla in 2002. The known linear distinguishing attack on Scream takes 2120 output words and there is no key recovery attack on it, since the S-box used by Scream is key-dependent and complex. Under the assumption that we can inject random byte faults in the same location multiple number of times, the 128-bit key can be recovered with 294 computations and 272 bytes memory by injecting around 2000 faults. Then combined with the assumption of related key attacks, we can retrieve the key with 244 computations and 240 bytes memory. The result is verified by experiments. To the best of the our knowledge this is the first DFA and key recovery attack on Scream.


Fault Attacks Scream Key-dependent S-box Stream Cipher 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [1]
    Halevi, S., Coppersmith, D., Jutla, C.S.: Scream: A Software-Efficient Stream Cipher. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 195–209. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  2. [2]
    Alexander, M., Thomas, J.: A Linear Distinguishing Attack on Scream. IEEE Transaction on Information Theory 53(9) (2007)Google Scholar
  3. [3]
    Coppersmith, D., Halevi, S., Jutla, C.S.: Cryptanalysis of Stream Ciphers with Linear Masking. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 515–532. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  4. [4]
    Hoch, J.J., Shamir, A.: Fault Analysis of Stream Ciphers. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 240–253. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  5. [5]
    Berzati, A., Canovas-Dumas, C., Goubin, L.: Fault Analysis of Rabbit: Toward a Secret Key Leakage. In: Roy, B., Sendrier, N. (eds.) INDOCRYPT 2009. LNCS, vol. 5922, pp. 72–87. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  6. [6]
    Hojsík, M., Rudolf, B.: Differential Fault Analysis of Trivium. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 158–172. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  7. [7]
    Banik, S., Maitra, S., Sarkar, S.: A Differential Fault Attack on the Grain Family of Stream Ciphers. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 122–139. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  8. [8]
    Banik, S., Maitra, S.: A Differential Fault Attack on MICKEY 2.0. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 215–232. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  9. [9]
    Yupu, H., Juntao, G., Qing, L., Yiwei, Z.: Fault Analysis of Trivium. Designs, Codes and Cryptography 62(3), 289–311 (2012)MathSciNetCrossRefzbMATHGoogle Scholar
  10. [10]
    Kircanski, A., Youssef, A.M.: Differential Fault Analysis of Rabbit. In: Jacobson Jr., M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 197–214. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  11. [11]
    Berzati, A., Canovas, C., Castagnos, G., Debraize, B., Goubin, L., Gouget, A., Paillier, P., Salgado, S.: Fault Analysis of Grain-128. In: IEEE International Work-shop on Hardware-Oriented Security and Trust, pp. 7–14 (2009)Google Scholar
  12. [12]
    Karmakar, S., Roy Chowdhury, D.: Fault analysis of Grain-128 by targeting NFSR. In: Nitaj, A., Pointcheval, D. (eds.) AFRICACRYPT 2011. LNCS, vol. 6737, pp. 298–315. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  13. [13]
    Tsunoo, Y., Saito, T., Kubo, H., Suzaki, T.: Cryptanalysis of Mir-1: A T-Function-Based Stream Cipher. IEEE Transaction on Information Theory 53(11) (2007)Google Scholar
  14. [14]
    Tsunoo, Y., Saito, T., Kubo, H., Suzaki, T.: Key Recovery Attack on Stream Cipher Mir-1 Using a Key-Dependent S-Box. In: Chen, L., Ryan, M.D., Wang, G. (eds.) ICICS 2008. LNCS, vol. 5308, pp. 128–140. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  15. [15]
    Ali, S.S., Mukhopadhyay, D.: Differential Fault Analysis of Twofish. In: Kutyłowski, M., Yung, M. (eds.) Inscrypt 2012. LNCS, vol. 7763, pp. 10–28. Springer, Heidelberg (2013)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Shaoyu Du
    • 1
    • 4
    Email author
  • Bin Zhang
    • 1
    • 2
  • Zhenqi Li
    • 1
  • Dongdai Lin
    • 3
  1. 1.Trusted Computing and Information Assurance LaboratoryInstitute of Software, Chinese Academy of SciencesBeijingChina
  2. 2.State Key Laboratory of Computer Science, Institute of SoftwareChinese Academy of SciencesBeijingChina
  3. 3.State Key Laboratory of Information Security, Institute of Information EngineeringChinese Academy of SciencesBeijingChina
  4. 4.University of Chinese Academy of SciencesBeijingChina

Personalised recommendations