Fault Attacks on Stream Cipher Scream

In this paper we present a differential fault attack (DFA) on the stream cipher Scream, which was designed by the IBM researchers Coppersmith, Halevi, and Jutla in 2002. The known linear distinguishing attack on Scream takes $2^{120}$ output words, and there is no key recovery attack on it, since the S-box used by Scream is key-dependent and complex. Under the assumption that we can inject random byte faults in the same location multiple times, the 128-bit key can be recovered with $2^{94}$ computations and $2^{72}$ bytes of memory by injecting around 2000 faults. Then, combined with the assumption of related-key attacks, we can retrieve the key with $2^{44}$ computations and $2^{40}$ bytes of memory. The result is verified by experiments. To the best of our knowledge, this is the first DFA and key recovery attack on Scream.
