Algebraic Fault Attack on the SHA-256 Compression Function

The cryptographic hash function SHA-256 is one member of the SHA-2 hash family, which was proposed in 2000 and standardized by NIST in 2002 as a successor to SHA-1. Although a differential fault attack on the SHA-1 compression function has been published, it does not adapt directly to SHA-256. In this paper, an efficient algebraic fault attack on the SHA-256 compression function is proposed under the word-oriented random fault model. The attack uses the automatic tool STP, which builds bit-level (binary) expressions for the word-based operations of the SHA-256 compression function and then invokes a SAT solver to solve the resulting equations. In simulation, the attack recovers the chaining value and the input message block from about 65 fault injections, taking about 200 seconds on average. Building on the attack against the compression function, an almost universal forgery attack on HMAC-SHA-256 is also presented. The algebraic fault analysis is generic and automatic, and can be applied to other ARX-based primitives.
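As an added illustration (this is not code from the paper or from STP), the following Python simulates the SHA-256 compression function with a word-oriented fault hook and shows what a faulty output leaks. The assumption made here about the fault model is that one 32-bit working variable is overwritten by an unknown random word just before a chosen step; the register names `a`..`h`, the helper names and the fixed fault values are choices for this example. The observation it makes concrete is the one the algebraic attack relies on: because the output is the chaining value plus the final working variables, the unknown chaining value cancels in the difference between correct and faulty outputs, so the attacker reads off differences of the internal state, which become equations in the unknown state words.

```python
# Added example, not the paper's code. Simulates the SHA-256 compression
# function with a word-oriented fault injected before a chosen step
# (assumed fault model: one working variable replaced by a random word).
import os
import struct

MASK = 0xFFFFFFFF

K = [
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
]
IV = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
      0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19]

def rotr(x, n): return ((x >> n) | (x << (32 - n))) & MASK
def Sigma0(x): return rotr(x, 2) ^ rotr(x, 13) ^ rotr(x, 22)
def Sigma1(x): return rotr(x, 6) ^ rotr(x, 11) ^ rotr(x, 25)
def sigma0(x): return rotr(x, 7) ^ rotr(x, 18) ^ (x >> 3)
def sigma1(x): return rotr(x, 17) ^ rotr(x, 19) ^ (x >> 10)
def Ch(e, f, g): return (e & f) ^ ((~e) & g)
def Maj(a, b, c): return (a & b) ^ (a & c) ^ (b & c)

def expand(block):
    """Message schedule W[0..63] from one 64-byte block."""
    W = list(struct.unpack(">16I", block))
    for t in range(16, 64):
        W.append((sigma1(W[t - 2]) + W[t - 7] + sigma0(W[t - 15]) + W[t - 16]) & MASK)
    return W

REG = "abcdefgh"

def compress(cv, block, fault=None):
    """Return the next chaining value. fault = (step, register, value):
    just before step `step`, working variable `register` is replaced by `value`."""
    W = expand(block)
    a, b, c, d, e, f, g, h = cv
    for t in range(64):
        if fault is not None and fault[0] == t:
            regs = dict(zip(REG, (a, b, c, d, e, f, g, h)))
            regs[fault[1]] = fault[2] & MASK
            a, b, c, d, e, f, g, h = (regs[r] for r in REG)
        T1 = (h + Sigma1(e) + Ch(e, f, g) + K[t] + W[t]) & MASK
        T2 = (Sigma0(a) + Maj(a, b, c)) & MASK
        h, g, f, e, d, c, b, a = g, f, e, (d + T1) & MASK, c, b, a, (T1 + T2) & MASK
    # Davies-Meyer feed-forward: output = chaining value + final state.
    return [(x + y) & MASK for x, y in zip(cv, (a, b, c, d, e, f, g, h))]

def pad_single_block(msg):
    """Standard SHA-256 padding for messages that fit in one block."""
    assert len(msg) <= 55
    return msg + b"\x80" + b"\x00" * (55 - len(msg)) + struct.pack(">Q", 8 * len(msg))

def sha256_one_block(msg):
    return "".join(f"{w:08x}" for w in compress(IV, pad_single_block(msg)))

def output_difference(cv, block, fault):
    """Word-wise modular differences H* - H seen by the attacker. Since
    H = cv + state and H* = cv + state*, the unknown cv cancels and the
    attacker learns state* - state for the final working variables."""
    good = compress(cv, block)
    bad = compress(cv, block, fault)
    return [(x - y) & MASK for x, y in zip(bad, good)]

def affected_words(cv, block, step, reg, value=None):
    """Number of output words disturbed by a fault at `step` into `reg`
    (random fault value unless one is supplied)."""
    if value is None:
        value = int.from_bytes(os.urandom(4), "big")
    return sum(1 for d in output_difference(cv, block, (step, reg, value)) if d)

if __name__ == "__main__":
    block = pad_single_block(b"abc")
    print(sha256_one_block(b"abc"))
    for step in (63, 60, 56, 0):
        print(step, affected_words(IV, block, step, "e"))
```

A fault into `h` just before the last step shifts only the output words `a` and `e`, both by the same amount, and reveals nothing about the state; a fault into `e` at the same step additionally exposes `e* - e` through the output word `f`, and the common shift of `a` and `e` then equals `Sigma1(e*) + Ch(e*, f, g) - Sigma1(e) - Ch(e, f, g)`, an equation in the unknown `e`, `f`, `g` that is exactly the kind of constraint the paper hands to STP; faults injected earlier disturb all eight words and give deeper but more entangled equations.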
