Differential Fault Analysis on Tiaoxin and AEGIS Family of Ciphers

  • Prakash Dey
  • Raghvendra Singh Rohit
  • Santanu Sarkar
  • Avishek AdhikariEmail author
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 625)


Tiaoxin and AEGIS are two second round candidates of the ongoing CAESAR competition for authenticated encryption. In 2014, Brice Minaud proposed a distinguisher for AEGIS-256 that can be used to recover bits of a partially known message, encrypted \(2^{188}\) times, regardless of the keys used. Also he reported a correlation between AEGIS-128 ciphertexts at rounds i and \(i + 2\), although the biases would require \(2^{140}\) data to be detected. Apart from that, to the best of our knowledge, there is no known cryptanalysis of AEGIS or Tiaoxin. In this paper we propose differential fault analyses of Tiaoxin and AEGIS family of ciphers in a nonce reuse setting. Analysis shows that the secret key of Tiaoxin can be recovered with 384 single bit faults and the states of AEGIS-128, AEGIS-256 and AEGIS-128L can be recovered respectively with 384, 512 and 512 single bit faults. Considering multi byte fault, the number of required faults and re-keying reduces 128 times.


Stream cipher AEAD Differential fault analysis 


  1. 1.
    CAESAR (Competition for Authenticated Encryption: Security, Applicability, and Robustness) (2013).
  2. 2.
    Ali, S.S., Mukhopadhyay, D.: A differential fault analysis on AES key schedule using single fault. In: 2011 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp. 35–42. IEEE (2011)Google Scholar
  3. 3.
    Banik, S., Maitra, S., Sarkar, S.: A differential fault attack on the grain family of stream ciphers. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 122–139. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  4. 4.
    Banik, S., Maitra, S., Sarkar, S.: A differential fault attack on the grain family under reasonable assumptions. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 191–208. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  5. 5.
    Berzati, A., Canovas, C., Castagnos, G., Debraize, B., Goubin, L., Gouget, A., Paillier, P., Salgado, S.: Fault analysis of GRAIN-128. In: IEEE International Workshop on Hardware-Oriented Security and Trust, HOST 2009, pp. 7–14. IEEE (2009)Google Scholar
  6. 6.
    Biham, E., Shamir, A.: Differential fault analysis of secret key cryptosystems. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 513–525. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  7. 7.
    Dey, P., Adhikari, A.: Improved multi-bit differential fault analysis of Trivium. In: Meier, W., Mukhopadhyay, D. (eds.) INDOCRYPT 2014. LNCS, vol. 8885, pp. 37–52. Springer International Publishing, Heidelberg (2014)Google Scholar
  8. 8.
    Dey, P., Chakraborty, A., Adhikari, A., Mukhopadhyay, D.: Improved practical differential fault analysis of grain-128. In: Proceedings of the 2015 Design, Automation & Test in Europe Conference & Exhibition, DATE 2015, pp. 459–464. EDA Consortium, San Jose (2015)Google Scholar
  9. 9.
    Dey, P., Rohit, R.S., Adhikari, A.: Full key recovery of acorn with a single fault. J. Inf. Secur. Appl. 29, 57–64 (2016)Google Scholar
  10. 10.
    Hojsík, M., Rudolf, B.: Differential fault analysis of Trivium. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 158–172. Springer, Heidelberg (2008)Google Scholar
  11. 11.
    Hojsík, M., Rudolf, B.: Floating fault analysis of Trivium. In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) INDOCRYPT 2008. LNCS, vol. 5365, pp. 239–250. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  12. 12.
    Yupu, H., Gao, J., Liu, Q., Zhang, Y.: Fault analysis of Trivium. Des. Codes Crypt. 62(3), 289–311 (2012)MathSciNetCrossRefzbMATHGoogle Scholar
  13. 13.
    Karmakar, S., Roy Chowdhury, D.: Fault analysis of grain-128 by targeting NFSR. In: Nitaj, A., Pointcheval, D. (eds.) AFRICACRYPT 2011. LNCS, vol. 6737, pp. 298–315. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  14. 14.
    Kircanski, A., Youssef, A.M.: Differential fault analysis of rabbit. In: Jacobson Jr., M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 197–214. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  15. 15.
    Minaud, B.: Linear biases in AEGIS keystream. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 290–305. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  16. 16.
    Mohamed, M.S.E., Bulygin, S., Buchmann, J.: Using SAT solving to improve differential fault analysis of Trivium. In: Kim, T., Adeli, H., Robles, R.J., Balitanas, M. (eds.) ISA 2011. CCIS, vol. 200, pp. 62–71. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  17. 17.
    Mukhopadhyay, D.: An improved fault based attack of the advanced encryption standard. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 421–434. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  18. 18.
    Nikolić, I.: Tiaoxin - 346 (2014).
  19. 19.
    Saha, D., Mukhopadhyay, D., Chowdhury, D.R.: A diagonal fault attack on the advanced encryption standard. IACR Cryptol. ePrint Arch. 2009, 581 (2009)Google Scholar
  20. 20.
    Esmaeili Salehani, Y., Kircanski, A., Youssef, A.: Differential fault analysis of Sosemanuk. In: Nitaj, A., Pointcheval, D. (eds.) AFRICACRYPT 2011. LNCS, vol. 6737, pp. 316–331. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  21. 21.
    Sarkar, S., Banik, S., Maitra, S.: Differential fault attack against grain family with very few faults and minimal assumptions. IACR Cryptol. ePrint Arch. 2013, 494 (2013)Google Scholar
  22. 22.
    Sarkar, S., Dey, P., Adhikari, A., Maitra, S.: Probabilistic signature based generalized framework for differential fault analysis of stream ciphers. Cryptogr. Commun. 1–21 (2016)Google Scholar
  23. 23.
    Tunstall, M., Mukhopadhyay, D., Ali, S.: Differential fault analysis of the advanced encryption standard using a single fault. In: Ardagna, C.A., Zhou, J. (eds.) WISTP 2011. LNCS, vol. 6633, pp. 224–233. Springer, Heidelberg (2011)Google Scholar
  24. 24.
    Hongjun, W., Bart Preneel, A.: A fast authenticated encryption algorithm. In: 20th International Conference on Selected Areas in Cryptography - SAC 2013, Burnaby, BC, Canada, 14–16 August 2013, Revised Selected Papers, pp. 185–201 (2013)Google Scholar
  25. 25.
    Hongjun, W., Bart Preneel, A.: A fast authenticated encryption algorithm (v1). CAESAR Submission, updated from Cryptology ePrint Archive Report 2013/695, updated from SAC 2013 version (2014).

Copyright information

© Springer Nature Singapore Pte Ltd. 2016

Authors and Affiliations

  • Prakash Dey
    • 1
  • Raghvendra Singh Rohit
    • 2
  • Santanu Sarkar
    • 3
  • Avishek Adhikari
    • 1
    Email author
  1. 1.Department of Pure MathematicsUniversity of CalcuttaKolkataIndia
  2. 2.Department of Mathematics and StatisticsIndian Institute of Science Education and ResearchKolkataIndia
  3. 3.Indian Institute of Technology MadrasChennaiIndia

Personalised recommendations