
Practical Fault Attacks on Minalpher: How to Recover Key with Minimum Faults?

Conference paper. In: Security, Privacy, and Applied Cryptography Engineering (SPACE 2017).

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10662)

Abstract

This work presents two differential fault attacks (DFA) on Minalpher, a second-round CAESAR candidate, under a practical fault model and with as few faults as possible. Minalpher uses a new primitive called tweakable Even-Mansour, based on the permutation-based block cipher proposed by Even and Mansour, and to the best of our knowledge no practical DFA has yet been reported on it. In the first DFA, only two random faults are injected into two consecutive 4-bit nibbles (i.e. within 8 bits in total) of a specific internal state. We show that (i) if both faults are injected at the same nibble, the key-space of the intermediate key can be reduced significantly from \(2^{256}\) to \(2^{32}\), and (ii) if the faults are injected at different positions, the key-space of the intermediate key can be reduced further to only \(2^{16}\). In the second DFA, we first consider two faults in a single nibble, which reduces the key-space from \(2^{256}\) to \(2^{48}\). Moreover, we show that one additional fault (i.e. three faults in total) reduces the key-space significantly to \(2^{8}\). The correct intermediate key can then be computed by observing a few more plaintext/ciphertext pairs, which in turn allows computing valid ciphertext/tag pairs for any message and associated data under a fixed nonce.




Correspondence to Nilanjan Datta.


A Appendix


A.1 Backward Propagation of the Ciphertext Differences Along with the Keys

Fig. 13. Backward propagation of the ciphertext differences along with I and K

A.2 Three Sets of Equations for the First Fault

First Set of Equations

$$\begin{aligned} R_1= & {} SN^{I, X, 0}_{03} \oplus SN^{I, X, A}_{03}, \ T_1^3 = SN^{I, X, 0}_{12} \oplus SN^{I, X, A}_{12} \end{aligned}$$
$$\begin{aligned} T_1^3= & {} SN^{I, X, 0}_{26} \oplus SN^{I, X, A}_{26}, \ P_3 = SN^{I, X, 0}_{34} \oplus SN^{I, X, A}_{34} \end{aligned}$$
$$\begin{aligned} S_1= & {} SN^{I, X, 0}_{02} \oplus SN^{I, X, A}_{02}, \ U_1^3 = SN^{I, X, 0}_{13} \oplus SN^{I, X, A}_{13} \end{aligned}$$
$$\begin{aligned} U_1^3= & {} SN^{I, X, 0}_{27} \oplus SN^{I, X, A}_{27}, \ Q_3 = SN^{I, X, 0}_{35} \oplus SN^{I, X, A}_{35} \end{aligned}$$
$$\begin{aligned} P_2= & {} SN^{I, X, 0}_{04} \oplus SN^{I, X, A}_{04}, \ P_2 = SN^{I, X, 0}_{16} \oplus SN^{I, X, A}_{16} \end{aligned}$$
$$\begin{aligned} P_2= & {} SN^{I, X, 0}_{21} \oplus SN^{I, X, A}_{21} \end{aligned}$$
$$\begin{aligned} Q_2= & {} SN^{I, X, 0}_{05} \oplus SN^{I, X, A}_{05}, \ Q_2 = SN^{I, X, 0}_{17} \oplus SN^{I, X, A}_{17} \end{aligned}$$
$$\begin{aligned} Q_2= & {} SN^{I, X, 0}_{20} \oplus SN^{I, X, A}_{20} \end{aligned}$$
$$\begin{aligned} V_1^4= & {} SN^{I, X, 0}_{06} \oplus SN^{I, X, A}_{06}, \ T_2^1 = SN^{I, X, 0}_{10} \oplus SN^{I, X, A}_{10} \end{aligned}$$
$$\begin{aligned} W_2^4= & {} SN^{I, X, 0}_{22} \oplus SN^{I, X, A}_{22},\ Y = SN^{I, X, 0}_{37} \oplus SN^{I, X, A}_{37} \end{aligned}$$
$$\begin{aligned} V_4^1= & {} SN^{I, X, 0}_{07} \oplus SN^{I, X, A}_{07},\ U_2^3 = SN^{I, X, 0}_{11} \oplus SN^{I, X, A}_{11} \end{aligned}$$
$$\begin{aligned} X_2^4= & {} SN^{I, X, 0}_{23} \oplus SN^{I, X, A}_{23},\ Z = SN^{I, X, 0}_{36} \oplus SN^{I, X, A}_{36} \end{aligned}$$
$$\begin{aligned} R_3= & {} SN^{I, X, 0}_{00} \oplus SN^{I, X, A}_{00},\ R_3 = SN^{I, X, 0}_{24} \oplus SN^{I, X, A}_{24} \end{aligned}$$
$$\begin{aligned} R_3= & {} SN^{I, X, 0}_{32} \oplus SN^{I, X, A}_{32} \end{aligned}$$
$$\begin{aligned} S_3= & {} SN^{I, X, 0}_{01} \oplus SN^{I, X, A}_{01},\ S_3 = SN^{I, X, 0}_{25} \oplus SN^{I, X, A}_{25} \end{aligned}$$
$$\begin{aligned} S_3= & {} SN^{I, X, 0}_{33} \oplus SN^{I, X, A}_{33} \end{aligned}$$

Second Set of Equations

$$\begin{aligned} R_1= & {} SN^{IK, XY, 0}_{06} \oplus SN^{IK, XY, AB}_{06}, \ T_1^3 = SN^{IK, XY, 0}_{14} \oplus SN^{IK, XY, AB}_{14} \end{aligned}$$
$$\begin{aligned} T_1^3= & {} SN^{IK, XY, 0}_{23} \oplus SN^{IK, XY, AB}_{23}, \ P_3 = SN^{IK, XY, 0}_{32} \oplus SN^{IK, XY, AB}_{32} \end{aligned}$$
$$\begin{aligned} S_1= & {} SN^{IK, XY, 0}_{07} \oplus SN^{IK, XY, AB}_{07}, \ U_1^3 = SN^{IK, XY, 0}_{15} \oplus SN^{IK, XY, AB}_{15} \end{aligned}$$
$$\begin{aligned} U_1^3= & {} SN^{IK, XY, 0}_{22} \oplus SN^{IK, XY, AB}_{22}, \ Q_3 = SN^{IK, XY, 0}_{33} \oplus SN^{IK, XY, AB}_{33} \end{aligned}$$
$$\begin{aligned} P_2= & {} SN^{IK, XY, 0}_{01} \oplus SN^{IK, XY, AB}_{01}, \ P_2 = SN^{IK, XY, 0}_{10} \oplus SN^{IK, XY, AB}_{10} \ \end{aligned}$$
$$\begin{aligned} P_2= & {} SN^{IK, XY, 0}_{24} \oplus SN^{IK, XY, AB}_{24} \end{aligned}$$
$$\begin{aligned} Q_2= & {} SN^{IK, XY, 0}_{00} \oplus SN^{IK, XY, AB}_{00}, \ Q_2 = SN^{IK, XY, 0}_{11} \oplus SN^{IK, XY, AB}_{11} \end{aligned}$$
$$\begin{aligned} Q_2= & {} SN^{IK, XY, 0}_{25} \oplus SN^{IK, XY, AB}_{25} \end{aligned}$$
$$\begin{aligned} V_1^4= & {} SN^{IK, XY, 0}_{02} \oplus SN^{IK, XY, AB}_{02}, \ T_2^1 = SN^{IK, XY, 0}_{17} \oplus SN^{IK, XY, AB}_{17} \end{aligned}$$
$$\begin{aligned} W_2^4= & {} SN^{IK, XY, 0}_{26} \oplus SN^{IK, XY, AB}_{26}, \ Y = SN^{IK, XY, 0}_{30} \oplus SN^{IK, XY, AB}_{30} \end{aligned}$$
$$\begin{aligned} V_4^1= & {} SN^{IK, XY, 0}_{03} \oplus SN^{IK, XY, AB}_{03}, \ U_2^3 = SN^{IK, XY, 0}_{16} \oplus SN^{IK, XY, AB}_{16} \end{aligned}$$
$$\begin{aligned} X_2^4= & {} SN^{IK, XY, 0}_{27} \oplus SN^{IK, XY, AB}_{27}, \ Z = SN^{IK, XY, 0}_{31} \oplus SN^{IK, XY, AB}_{31} \end{aligned}$$
$$\begin{aligned} R_3= & {} SN^{IK, XY, 0}_{04} \oplus SN^{IK, XY, AB}_{04}, \ R_3 = SN^{IK, XY, 0}_{20} \oplus SN^{IK, XY, AB}_{20} \end{aligned}$$
$$\begin{aligned} R_3= & {} SN^{IK, XY, 0}_{35} \oplus SN^{IK, XY, AB}_{35} \end{aligned}$$
$$\begin{aligned} S_3= & {} SN^{IK, XY, 0}_{05} \oplus SN^{IK, XY, AB}_{05}, \ S_3 = SN^{IK, XY, 0}_{21} \oplus SN^{IK, XY, AB}_{21} \end{aligned}$$
$$\begin{aligned} S_3= & {} SN^{IK, XY, 0}_{34} \oplus SN^{IK, XY, AB}_{34} \end{aligned}$$

Third Set of Equations

$$\begin{aligned} F_2&= SN^{-1}(SN^{IK, XY, 0}_{06} \oplus SN^{IK, XY, 0}_{14} \oplus SN^{IK, XY, 0}_{23})\\&\oplus SN^{-1}(SN^{IK, XY, AB}_{06} \oplus SN^{IK, XY, AB}_{14} \oplus SN^{IK, XY, AB}_{23}) \end{aligned}$$
$$\begin{aligned} F_2&= SN^{-1}(SN^{IK, XY, 0}_{17} \oplus SN^{IK, XY, 0}_{26} \oplus SN^{IK, XY, 0}_{30}) \\&\oplus SN^{-1}(SN^{IK, XY, AB}_{17} \oplus SN^{IK, XY, AB}_{26} \oplus SN^{IK, XY, AB}_{30}) \end{aligned}$$
$$\begin{aligned} F_2&= SN^{-1}(SN^{IK, XY, 0}_{04} \oplus SN^{IK, XY, 0}_{20} \oplus SN^{IK, XY, 0}_{35}) \\&\oplus SN^{-1}(SN^{IK, XY, AB}_{04} \oplus SN^{IK, XY, AB}_{20} \oplus SN^{IK, XY, AB}_{35}) \end{aligned}$$
$$\begin{aligned} G_2&= SN^{-1}(SN^{IK, XY, 0}_{07} \oplus SN^{IK, XY, 0}_{15} \oplus SN^{IK, XY, 0}_{22}) \\&\oplus SN^{-1}(SN^{IK, XY, AB}_{07} \oplus SN^{IK, XY, AB}_{15} \oplus SN^{IK, XY, AB}_{22}) \end{aligned}$$
$$\begin{aligned} G_2&= SN^{-1}(SN^{IK, XY, 0}_{16} \oplus SN^{IK, XY, 0}_{27} \oplus SN^{IK, XY, 0}_{31}) \\&\oplus SN^{-1}(SN^{IK, XY, AB}_{16} \oplus SN^{IK, XY, AB}_{27} \oplus SN^{IK, XY, AB}_{31}) \end{aligned}$$
$$\begin{aligned} G_2&= SN^{-1}(SN^{IK, XY, 0}_{05} \oplus SN^{IK, XY, 0}_{21} \oplus SN^{IK, XY, 0}_{34}) \\&\oplus SN^{-1}(SN^{IK, XY, AB}_{05} \oplus SN^{IK, XY, AB}_{21} \oplus SN^{IK, XY, AB}_{34}) \end{aligned}$$
$$\begin{aligned} H_1&= SN^{-1}(SN^{IK, XY, 0}_{02} \oplus SN^{IK, XY, 0}_{17} \oplus SN^{IK, XY, 0}_{30}) \\&\oplus SN^{-1}(SN^{IK, XY, AB}_{02} \oplus SN^{IK, XY, AB}_{17} \oplus SN^{IK, XY, AB}_{30}) \end{aligned}$$
$$\begin{aligned} F_1&= SN^{-1}(SN^{IK, XY, 0}_{01} \oplus SN^{IK, XY, 0}_{10} \oplus SN^{IK, XY, 0}_{24}) \\&\oplus SN^{-1}(SN^{IK, XY, AB}_{01} \oplus SN^{IK, XY, AB}_{10} \oplus SN^{IK, XY, AB}_{24}) \end{aligned}$$
$$\begin{aligned} G_1&= SN^{-1}(SN^{IK, XY, 0}_{14} \oplus SN^{IK, XY, 0}_{23} \oplus SN^{IK, XY, 0}_{32}) \\&\oplus SN^{-1}(SN^{IK, XY, AB}_{14} \oplus SN^{IK, XY, AB}_{23} \oplus SN^{IK, XY, AB}_{32}) \end{aligned}$$
$$\begin{aligned} H_1&= SN^{-1}(SN^{IK, XY, 0}_{03} \oplus SN^{IK, XY, 0}_{27} \oplus SN^{IK, XY, 0}_{31}) \\&\oplus SN^{-1}(SN^{IK, XY, AB}_{03} \oplus SN^{IK, XY, AB}_{27} \oplus SN^{IK, XY, AB}_{31}) \end{aligned}$$
$$\begin{aligned} I_1&= SN^{-1}(SN^{IK, XY, 0}_{03} \oplus SN^{IK, XY, 0}_{16} \oplus SN^{IK, XY, 0}_{31}) \\&\oplus SN^{-1}(SN^{IK, XY, AB}_{03} \oplus SN^{IK, XY, AB}_{16} \oplus SN^{IK, XY, AB}_{31}) \end{aligned}$$
$$\begin{aligned} G_1&= SN^{-1}(SN^{IK, XY, 0}_{00} \oplus SN^{IK, XY, 0}_{11} \oplus SN^{IK, XY, 0}_{25}) \\&\oplus SN^{-1}(SN^{IK, XY, AB}_{00} \oplus SN^{IK, XY, AB}_{11} \oplus SN^{IK, XY, AB}_{25}) \end{aligned}$$
$$\begin{aligned} F_3&= SN^{-1}(SN^{IK, XY, 0}_{15} \oplus SN^{IK, XY, 0}_{22} \oplus SN^{IK, XY, 0}_{33}) \\&\oplus SN^{-1}(SN^{IK, XY, AB}_{15} \oplus SN^{IK, XY, AB}_{22} \oplus SN^{IK, XY, AB}_{33}) \end{aligned}$$
$$\begin{aligned} I_1&= SN^{-1}(SN^{IK, XY, 0}_{02} \oplus SN^{IK, XY, 0}_{26} \oplus SN^{IK, XY, 0}_{30}) \\&\oplus SN^{-1}(SN^{IK, XY, AB}_{02} \oplus SN^{IK, XY, AB}_{26} \oplus SN^{IK, XY, AB}_{30}) \end{aligned}$$
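Each equation in the sets above equates an observed nibble difference to \(SN(v) \oplus SN(v \oplus A)\) for an S-box input \(v\) that depends on the unknown key nibble, and the key-space figures in the abstract follow from how few values of \(v\) satisfy such an equation. The Python below is an added illustration of that filtering step on a single 4-bit S-box, not code from the paper: the PRESENT S-box is used as a stand-in (an assumption; Minalpher's own S-box, nibble indexing and fault model are not reproduced), the "observations" are constructed from a chosen input, and the last function shows the duplicate-and-compare check that withholds the faulty output on which every one of these equations depends.

```python
# Added illustration (not from the paper): why one fault at a 4-bit S-box
# input leaves only a handful of candidates for that input, and how a
# duplicate-and-compare countermeasure keeps the faulty value from leaking.
# ASSUMPTION: the PRESENT S-box stands in for a generic 4-bit S-box; it is
# not Minalpher's S-box.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def ddt_row(delta_in):
    """Difference-distribution row: output difference -> set of inputs v
    with SBOX[v] ^ SBOX[v ^ delta_in] equal to that output difference."""
    row = {}
    for v in range(16):
        d_out = SBOX[v] ^ SBOX[v ^ delta_in]
        row.setdefault(d_out, set()).add(v)
    return row


def observe_difference(v, delta_in):
    """Constructed observation: the difference S(v) ^ S(v ^ delta_in) an
    analyst would see for the true input v (v itself stays hidden)."""
    return SBOX[v] ^ SBOX[v ^ delta_in]


def candidates(delta_in, observed_out_diff):
    """All inputs v consistent with one (fault-free, faulty) observation."""
    return set(ddt_row(delta_in).get(observed_out_diff, set()))


def intersect_candidates(observations):
    """Intersect candidate sets over several (delta_in, observed_out_diff)
    observations at the same nibble; each extra fault shrinks the set."""
    survivors = set(range(16))
    for delta_in, d_out in observations:
        survivors &= candidates(delta_in, d_out)
    return survivors


def expected_survivors(delta_in):
    """Average candidate-set size over all 16 inputs for one fault delta_in:
    the per-nibble analogue of the key-space reduction in the abstract."""
    row = ddt_row(delta_in)
    return sum(len(row[SBOX[v] ^ SBOX[v ^ delta_in]]) for v in range(16)) / 16


def guarded_sbox(v, fault_on_copy=0):
    """Detection countermeasure: evaluate the S-box twice and release the
    value only if both copies agree. fault_on_copy models a fault hitting
    the second copy's input; on mismatch None is returned instead of a
    faulty value, so no output difference is ever observable."""
    first = SBOX[v]
    second = SBOX[v ^ fault_on_copy]
    return first if first == second else None


if __name__ == "__main__":
    secret_v = 4                          # constructed unknown input nibble
    obs = [(a, observe_difference(secret_v, a)) for a in (0x1, 0x2)]
    print("one fault  :", sorted(candidates(*obs[0])))
    print("two faults :", sorted(intersect_candidates(obs)))
    print("avg survivors, delta 1:", expected_survivors(1))
    print("guarded, faulted copy :", guarded_sbox(secret_v, fault_on_copy=1))
```

With this S-box a single fault of input difference 1 always leaves exactly 4 of the 16 inputs, and a second fault with a different difference at the same nibble typically pins the input down to one value; the guarded variant returns nothing when the two copies disagree, which is the property a fault-detection countermeasure must preserve for every nibble the equations above touch.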


Copyright information

© 2017 Springer International Publishing AG

About this paper


Cite this paper

Chakraborti, A., Datta, N., Nandi, M. (2017). Practical Fault Attacks on Minalpher: How to Recover Key with Minimum Faults? In: Ali, S., Danger, J.L., Eisenbarth, T. (eds) Security, Privacy, and Applied Cryptography Engineering. SPACE 2017. Lecture Notes in Computer Science, vol. 10662. Springer, Cham. https://doi.org/10.1007/978-3-319-71501-8_7


  • DOI: https://doi.org/10.1007/978-3-319-71501-8_7


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-71500-1

  • Online ISBN: 978-3-319-71501-8

  • eBook Packages: Computer Science (R0)
