Full key recovery of ACORN with a single fault

The CAESAR competition, launched in 2013 to design authenticated encryption schemes for different applications and environments, attracted 57 submissions. Of those 57 round 1 candidates, 29 were selected for round 2, and each of them has to be analysed carefully. Among these 29 candidates, ACORN is a family of lightweight Authenticated Ciphers with Associated Data (AEAD). In this paper we propose a hard fault attack on both versions of ACORN in a nonce-respecting scenario: a random bit of the fifth LFSR is permanently stuck at the value '1' before the driving procedure of the encryption device. To the best of our knowledge, this is the first work in which the secret key is recovered in full, without any repetition of the same key-IV pair, at a computational complexity well below that of brute-force search. With the hard fault at a certain position, the attack complexity reduces to 2^55.85.
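The fault model in the abstract, as an added simulation that is not the paper's code and not ACORN's reference implementation. The 293-bit register layout, the state-update, keystream and feedback functions, and the phase structure (initialisation, associated data, encryption, finalisation) follow the ACORN-128 v3 CAESAR specification as I recall it; the tap positions are an assumption to be checked against the official document, and no official test vector is reproduced. The faulty cell (200, inside the fifth LFSR at cells 193..229), the key, IV and message are all constructed for the demonstration. What the block shows is the setting the attack starts from: a single flip-flop reads 1 on every clock from before initialisation onward, and a nonce-respecting attacker sees only the faulty device's output for any given key-IV pair. The key-recovery step itself (the equation system the paper solves to reach 2^55.85) is not on this page and is not implemented here.

```python
"""Stuck-at-1 hard-fault model on an ACORN-128-style cipher (added example;
tap positions follow the v3 spec as recalled, not verified against test vectors)."""
from typing import List, Optional, Tuple

# Six concatenated LFSRs of lengths 61, 46, 47, 39, 37, 59; cells 289..292 are extra.
LFSR = [(0, 61), (61, 107), (107, 154), (154, 193), (193, 230), (230, 289)]
FIFTH_LFSR = range(*LFSR[4])      # cells 193..229, the register the abstract targets


def maj(a: int, b: int, c: int) -> int:
    return (a & b) ^ (a & c) ^ (b & c)


def ch(a: int, b: int, c: int) -> int:
    return (a & b) ^ ((a ^ 1) & c)


def to_bits(data: bytes) -> List[int]:
    """LSB-first within each byte, the order used by the ACORN reference code."""
    return [(byte >> i) & 1 for byte in data for i in range(8)]


def to_bytes(bits: List[int]) -> bytes:
    return bytes(sum(bits[i + j] << j for j in range(8)) for i in range(0, len(bits), 8))


class Acorn128:
    def __init__(self, stuck_cell: Optional[int] = None, watch_cell: Optional[int] = None):
        if stuck_cell is not None and stuck_cell not in FIFTH_LFSR:
            raise ValueError("this model only injects faults into the fifth LFSR")
        self.stuck_cell = stuck_cell      # None models a healthy device
        self.watch_cell = watch_cell      # record this cell's value after every clock
        self.trace: List[int] = []
        self.s = [0] * 293
        self._apply_fault()

    def _apply_fault(self) -> None:
        # Hard fault: the flip-flop outputs 1 regardless of what was shifted in.
        if self.stuck_cell is not None:
            self.s[self.stuck_cell] = 1

    def _clock(self, ca: int, cb: int, m: int = 0, c: Optional[int] = None) -> Tuple[int, int]:
        """One state update. Pass m to absorb a bit; pass c when decrypting, since
        the plaintext bit fed back is only known once the keystream bit is."""
        s = self.s
        s[289] ^= s[235] ^ s[230]     # LFSR feedback, each register feeding the next
        s[230] ^= s[196] ^ s[193]
        s[193] ^= s[160] ^ s[154]
        s[154] ^= s[111] ^ s[107]
        s[107] ^= s[66] ^ s[61]
        s[61] ^= s[23] ^ s[0]
        ks = s[12] ^ s[154] ^ maj(s[235], s[61], s[193]) ^ ch(s[230], s[111], s[66])
        if c is not None:
            m = c ^ ks
        f = s[0] ^ (s[107] ^ 1) ^ maj(s[244], s[23], s[160]) ^ (ca & s[196]) ^ (cb & ks)
        del s[0]
        s.append(f ^ m)
        self._apply_fault()           # the stuck cell is forced before the next clock
        if self.watch_cell is not None:
            self.trace.append(s[self.watch_cell])
        return ks, m

    def _initialise(self, key: bytes, iv: bytes) -> None:
        self.s, self.trace = [0] * 293, []
        self._apply_fault()           # the fault is present before the device is driven
        k, v = to_bits(key), to_bits(iv)
        for i in range(1536):
            m = k[i] if i < 128 else v[i - 128] if i < 256 else k[i % 128] ^ (i == 256)
            self._clock(1, 1, m)

    def _pad(self, cb: int) -> None:
        # A 1 then 255 zeros; ca is 1 for the first 128 padding bits and 0 afterwards.
        for i in range(256):
            self._clock(1 if i < 128 else 0, cb, 1 if i == 0 else 0)

    def _finalise(self) -> bytes:
        return to_bytes([self._clock(1, 1, 0)[0] for _ in range(768)][-128:])

    def encrypt(self, key: bytes, iv: bytes, pt: bytes, ad: bytes = b"") -> Tuple[bytes, bytes]:
        self._initialise(key, iv)
        for bit in to_bits(ad):
            self._clock(1, 1, bit)
        self._pad(cb=1)
        ct = [p ^ self._clock(1, 0, p)[0] for p in to_bits(pt)]
        self._pad(cb=0)
        return to_bytes(ct), self._finalise()

    def decrypt(self, key: bytes, iv: bytes, ct: bytes, ad: bytes = b"") -> Tuple[bytes, bytes]:
        self._initialise(key, iv)
        for bit in to_bits(ad):
            self._clock(1, 1, bit)
        self._pad(cb=1)
        pt = [self._clock(1, 0, c=c)[1] for c in to_bits(ct)]
        self._pad(cb=0)
        return to_bytes(pt), self._finalise()


# Constructed sample inputs (not from the paper).
KEY, IV = bytes(range(16)), bytes(range(16, 32))
MSG = b"hard fault demo: stuck-at-1 cell"


def run_pair(key: bytes, iv: bytes, pt: bytes, stuck_cell: int = 200) -> dict:
    """Same key, IV and message on a healthy and on a faulty device. In the
    nonce-respecting setting the attacker only ever sees the faulty output;
    the healthy run is kept only to measure how much the single fault changes."""
    good = Acorn128(watch_cell=stuck_cell)
    bad = Acorn128(stuck_cell=stuck_cell, watch_cell=stuck_cell)
    ct_good, tag_good = good.encrypt(key, iv, pt)
    ct_bad, tag_bad = bad.encrypt(key, iv, pt)
    return {
        "ciphertext_bits_changed": sum(bin(a ^ b).count("1") for a, b in zip(ct_good, ct_bad)),
        "tag_changed": tag_good != tag_bad,
        "healthy_cell_values": set(good.trace),   # {0, 1}: the cell really toggles
        "faulty_cell_values": set(bad.trace),     # {1}: the hard fault never releases
    }


if __name__ == "__main__":
    print(run_pair(KEY, IV, MSG))
```

Because the fault is permanent from before initialisation, it is not the usual differential setting of a faulted and a fault-free run under the same key-IV pair; the faulty device simply computes a different, simpler function of the key, which is what makes the single-fault, nonce-respecting attack possible.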
