Breaking Trivium Stream Cipher Implemented in ASIC Using Experimental Attacks and DFA

Sensors ◽  
2020 ◽  
Vol 20 (23) ◽  
pp. 6909
Author(s):  
Francisco Eugenio Potestad-Ordóñez ◽  
Manuel Valencia-Barrero ◽  
Carmen Baena-Oliva ◽  
Pilar Parra-Fernández ◽  
Carlos Jesús Jiménez-Fernández

One of the best ways to improve the security of cryptographic systems used to exchange sensitive information is to attack them, find their vulnerabilities, and strengthen subsequent designs. The Trivium stream cipher is one of the lightweight ciphers designed for security applications in the Internet of Things (IoT). In this paper we present a complete setup for attacking ASIC implementations of Trivium that recovers the secret key using an active, non-invasive clock-manipulation fault attack combined with Differential Fault Analysis (DFA) cryptanalysis. The attack system injects effective transient faults into the Trivium within a single clock cycle and samples the faulty output. The internal state of Trivium is then recovered by DFA, comparing the correct and the faulty outputs. Finally, a backward version of Trivium was designed to step back from the recovered internal state to the secret key. The key recovery was verified on numerous simulated attacks and then applied to the experimental data obtained from the Application Specific Integrated Circuit (ASIC) Trivium. The secret key of Trivium was recovered experimentally in 100% of the attempts, under a realistic scenario and minimal assumptions.
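The two mechanical parts of the attack described above, a fault that is localised by comparing correct and faulty keystream and a backward Trivium that walks from a recovered state to the key, can be checked on a software model. The block below is an added example written for this listing; it is not the authors' attack code or ASIC design. It assumes a simplified fault model (one state bit flipped just before a chosen keystream clock, rather than whatever a clock glitch does in silicon), does not reproduce the DFA equation solving that recovers the internal state from the faulty outputs, and uses a key and IV constructed from a seeded PRNG instead of official test vectors. What it does show is that Trivium's state update is a bijection, so once an attacker holds any internal state the 1152 initialisation clocks can be undone to read out key and IV, and that a fault injected before the first output tap of a register first shows in the keystream a fixed number of clocks later, which is what lets the fault position be inferred from the keystream difference.

```python
import random
from typing import List, Optional, Tuple

Bits = List[int]
INIT_ROUNDS = 4 * 288  # 1152 initialisation clocks per the Trivium specification


def trivium_step(s: Bits) -> Tuple[Bits, int]:
    """One Trivium clock. s[k] holds specification bit s_{k+1}. Returns (next state, z)."""
    t1 = s[65] ^ s[92]                # s66 + s93
    t2 = s[161] ^ s[176]              # s162 + s177
    t3 = s[242] ^ s[287]              # s243 + s288
    z = t1 ^ t2 ^ t3
    t1 ^= (s[90] & s[91]) ^ s[170]    # + s91*s92 + s171
    t2 ^= (s[174] & s[175]) ^ s[263]  # + s175*s176 + s264
    t3 ^= (s[285] & s[286]) ^ s[68]   # + s286*s287 + s69
    # registers A (93 bits), B (84), C (111) shift by one; s93, s177, s288 fall off
    return [t3] + s[0:92] + [t1] + s[93:176] + [t2] + s[177:287], z


def trivium_step_back(n: Bits) -> Bits:
    """Invert trivium_step. The three bits dropped by the shift (old s93, s177,
    s288) are the only unknowns, and each appears linearly in exactly one of the
    feedback bits that were shifted in, so they are solved from the new state."""
    o = [0] * 288
    o[0:92] = n[1:93]        # old s1..s92    = new s2..s93
    o[93:176] = n[94:177]    # old s94..s176  = new s95..s177
    o[177:287] = n[178:288]  # old s178..s287 = new s179..s288
    o[287] = n[0] ^ o[242] ^ (o[285] & o[286]) ^ o[68]     # new s1   = t3'
    o[92] = n[93] ^ o[65] ^ (o[90] & o[91]) ^ o[170]       # new s94  = t1'
    o[176] = n[177] ^ o[161] ^ (o[174] & o[175]) ^ o[263]  # new s178 = t2'
    return o


def load_state(key: Bits, iv: Bits) -> Bits:
    """(s1..s80) = K, (s94..s173) = IV, (s286..s288) = 1, all other bits 0."""
    assert len(key) == 80 and len(iv) == 80
    s = [0] * 288
    s[0:80] = key
    s[93:173] = iv
    s[285:288] = [1, 1, 1]
    return s


def initialise(key: Bits, iv: Bits) -> Bits:
    s = load_state(key, iv)
    for _ in range(INIT_ROUNDS):
        s, _ = trivium_step(s)
    return s


def keystream(s: Bits, n: int, fault_cycle: Optional[int] = None, fault_bit: int = 0) -> Bits:
    """n keystream bits from state s. If fault_cycle is given, state bit fault_bit
    is flipped just before that clock (simplified single-bit transient fault)."""
    s = list(s)
    out = []
    for t in range(n):
        if t == fault_cycle:
            s[fault_bit] ^= 1
        s, z = trivium_step(s)
        out.append(z)
    return out


def first_difference(z_good: Bits, z_bad: Bits) -> Optional[int]:
    for t, (a, b) in enumerate(zip(z_good, z_bad)):
        if a != b:
            return t
    return None


def expected_first_difference(k: int) -> int:
    """Clock at which a flip of state index k first reaches z, for k at or before
    the first output tap of its register (indices 65, 161, 242): the flipped bit
    only shifts towards that tap and touches nothing else on the way, so the
    first difference is deterministic. Past the tap it goes through AND gates."""
    for lo, tap in ((0, 65), (93, 161), (177, 242)):
        if lo <= k <= tap:
            return tap - k
    raise ValueError("propagation is data-dependent for state index %d" % k)


def recover_key_iv(state: Bits, cycles_since_init: int = 0) -> Tuple[Bits, Bits, bool]:
    """Backward Trivium: from the state observed cycles_since_init keystream clocks
    after initialisation, undo those clocks plus the 1152 initialisation clocks
    and read key and IV. padding_ok checks that the loading-state constants
    reappear, the sanity check that the recovered state was genuine."""
    s = state
    for _ in range(cycles_since_init + INIT_ROUNDS):
        s = trivium_step_back(s)
    key, iv = s[0:80], s[93:173]
    padding_ok = (s[80:93] == [0] * 13 and s[173:285] == [0] * 112
                  and s[285:288] == [1, 1, 1])
    return key, iv, padding_ok


def constructed_key_iv(seed: int) -> Tuple[Bits, Bits]:
    """Constructed key/IV for the demonstration; not Trivium test vectors."""
    rng = random.Random(seed)
    return [rng.randint(0, 1) for _ in range(80)], [rng.randint(0, 1) for _ in range(80)]


if __name__ == "__main__":
    key, iv = constructed_key_iv(2020)
    st = initialise(key, iv)
    st100 = keystream_state = st
    for _ in range(100):            # attacker recovers the state 100 clocks in
        st100, _ = trivium_step(st100)
    k2, iv2, ok = recover_key_iv(st100, cycles_since_init=100)
    print("key recovered:", k2 == key, "IV recovered:", iv2 == iv, "padding:", ok)
    z = keystream(st, 300)
    for k in (0, 40, 65, 93, 150, 177, 242):
        zb = keystream(st, 300, fault_cycle=17, fault_bit=k)
        print("fault at index", k, "seen at clock", first_difference(z, zb),
              "expected", 17 + expected_first_difference(k))
```

The padding check in recover_key_iv is the cheap way to reject a wrong DFA candidate: an incorrect state, walked back 1152 clocks, almost never lands on the 128 constant bits of the loading state.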

2018 ◽  
Vol 2018 ◽  
pp. 1-9
Author(s):  
Ruyan Wang ◽  
Xiaohan Meng ◽  
Yang Li ◽  
Jian Wang

Differential Fault Analysis (DFA) is one of the most practical methods for recovering secret keys from real cryptographic devices. In particular, DFA on the Advanced Encryption Standard (AES) has been extensively researched for many years under both the single-byte and the multibyte fault model. For AES, the first proposed DFA attack required 6 pairs of ciphertexts to identify the secret key under the multibyte fault model. Until now, the most efficient DFA under the multibyte fault model, proposed in 2017, can complete most attacks with 3 pairs of ciphertexts. However, we note that the attack is not fully optimized, since no clear optimization goal was set. In this work, we introduce two optimization goals: the fewest ciphertext pairs and the least computational complexity. For these goals, we work out the corresponding optimized key recovery strategies, which further increase the efficiency of DFA attacks on AES. A more accurate security assessment of AES can be completed based on our study of DFA attacks on AES. Considering variations in the fault distribution, the improvement to the attack has been analyzed and verified.


Author(s):  
Subhadeep Banik ◽  
Khashayar Barooti ◽  
Takanori Isobe

Plantlet is a lightweight stream cipher designed by Mikhalev, Armknecht and Müller in IACR ToSC 2017. It has a Grain-like structure with two state registers of size 40 and 61 bits. In spite of this, the cipher does not seem to lose security against generic Time-Memory-Data Tradeoff attacks, due to the novelty of its design. The cipher uses an 80-bit secret key and a 90-bit IV. In this paper, we first present a key recovery attack on Plantlet that requires around 2^76.26 Plantlet encryptions. The attack leverages the fact that two internal states of Plantlet that differ in the 43rd LFSR location are guaranteed to produce keystreams that are either equal or unequal in 45 locations with probability 1. Thus an attacker can, with some probability, guess that when two segments of keystream blocks possess the 45-bit difference just mentioned, they have been produced by two internal states that differ only in the 43rd LFSR location. Thereafter, by solving a system of polynomial equations representing the keystream bits, the attacker can find the secret key if the guess was indeed correct, or reach a contradiction if the guess was incorrect. In the latter event, the procedure is repeated for other keystream blocks with the given difference. We show that the process, when repeated a finite number of times, does indeed yield the value of the secret key. In the second part of the paper, we observe that the previous attack was limited to internal state differences occurring at time instances congruent to 0 mod 80. By generalizing the attack to internal state differences in all equivalence classes modulo 80, we lower the total number of keystream bits required to perform the attack and in the process reduce the attack complexity to 2^69.98 Plantlet encryptions.


2014 ◽  
Vol 2014 ◽  
pp. 1-7
Author(s):  
Lin Ding ◽  
Chenhui Jin ◽  
Jie Guan ◽  
Qiuyan Wang

Loiss is a byte-oriented stream cipher proposed in 2011. In this paper, based on solving systems of linear equations, we propose an improved Guess and Determine attack on Loiss with a time complexity of 2^231 and a data complexity of 2^68, which reduces the time complexity of the Guess and Determine attack proposed by the designers by a factor of 2^16. Furthermore, a related-key chosen-IV attack on a scaled-down version of Loiss is presented. The attack recovers the 128-bit secret key of the scaled-down Loiss with a time complexity of 2^80, requiring 2^64 chosen IVs. The related-key attack is minimal in the sense that it requires only one related key. The result shows that our key recovery attack on the scaled-down Loiss is much better than exhaustive key search in the related-key setting.


Entropy ◽  
2019 ◽  
Vol 21 (5) ◽  
pp. 497 ◽  
Author(s):  
Guyue Li ◽  
Chen Sun ◽  
Junqing Zhang ◽  
Eduard Jorswieck ◽  
Bin Xiao ◽  
...  

The fifth generation (5G) and beyond wireless communications will transform many exciting applications and trigger massive data connections with private, confidential, and sensitive information. The security of wireless communications is conventionally established by cryptographic schemes and protocols in which the secret key distribution is one of the essential primitives. However, traditional cryptography-based key distribution protocols might be challenged in the 5G and beyond communications because of special features such as device-to-device and heterogeneous communications, and ultra-low latency requirements. Channel reciprocity-based key generation (CRKG) is an emerging physical layer-based technique to establish secret keys between devices. This article reviews CRKG when the 5G and beyond networks employ three candidate technologies: duplex modes, massive multiple-input multiple-output (MIMO) and mmWave communications. We identify the opportunities and challenges for CRKG and provide corresponding solutions. To further demonstrate the feasibility of CRKG in practical communication systems, we overview existing prototypes with different IoT protocols and examine their performance in real-world environments. This article shows the feasibility and promising performances of CRKG with the potential to be commercialized.


Author(s):  
Sayandeep Saha ◽  
Debdeep Mukhopadhyay ◽  
Pallab Dasgupta

Malicious exploitation of faults for extracting secrets is one of the most practical and potent threats to modern cryptographic primitives. Interestingly, not every possible fault in a cryptosystem is maliciously exploitable, and evaluating the exploitability of a fault is nontrivial. In order to devise precise defense mechanisms against such rogue faults, comprehensive knowledge is required about the exploitable part of the fault space of a cryptosystem. Unfortunately, the fault space is diverse and of formidable size even for a single cryptographic primitive, and traditional manual fault analysis techniques often fall short of covering such a fault space within reasonable time. Automation for analyzing individual fault instances for their exploitability is thus inevitable, and such automation is meant to serve as the core engine for analyzing the fault spaces of cryptographic primitives. In this paper, we propose an automated method for evaluating the exploitability status of fault instances in block ciphers, mainly in the context of Differential Fault Analysis (DFA) attacks. The proposed framework is generic and scalable, which are perhaps the two most important features for covering diverse fault spaces of formidable size originating from different ciphers. As a proof of concept, we reconstruct some known attack examples on AES and PRESENT using the framework and finally analyze the recently proposed cipher GIFT [BPP+17] for the first time. It is found that the secret key of GIFT can be uniquely determined with 1 nibble fault instance injected at the beginning of the 25th round with a reasonable computational complexity of 2^14.


Author(s):  
Bin Zhang ◽  
Xinxin Gong ◽  
Willi Meier

In this paper, we study the security of Grain-like small-state stream ciphers against fast correlation attacks, which are commonly regarded as classical cryptanalytic methods against LFSR-based stream ciphers. We extend the cascaded structure adopted in such primitives in general and show how to restore the full internal state part by part if the non-linear combining function meets certain characteristics. As a case study, we present a key recovery attack against Fruit, a tweaked version of Sprout that employs key-dependent state updating in the keystream generation phase. Our attack requires 2^62.8 Fruit encryptions and 2^22.3 keystream bits to determine the 80-bit secret key. Practical simulations on a small-scale version confirmed our results.


Author(s):  
Subhadeep Banik ◽  
Takanori Isobe ◽  
Tingting Cui ◽  
Jian Guo

Lizard is a lightweight stream cipher proposed by Hamann, Krause and Meier in IACR ToSC 2017. It has a Grain-like structure with two state registers of size 90 and 31 bits. The cipher uses a 120-bit secret key and a 64-bit IV. The authors claim that Lizard provides 80-bit security against key recovery attacks and 60-bit security against distinguishing attacks. In this paper, we present an assortment of results and observations on Lizard. First, we show that with 2^58 random trials it is possible to find a set of 2^64 triplets (K, IV0, IV1) such that the Key-IV pairs (K, IV0) and (K, IV1) produce identical keystream bits. Second, we show that with only around 2^28 random trials it is possible to obtain 2^64 Key-IV pairs (K0, IV0) and (K1, IV1) that produce identical keystream bits. Thereafter, we show that one can construct a distinguisher for Lizard based on IVs that produce shifted keystream sequences. The process takes around 2^51.5 random IV encryptions (each encryption required to produce 2^18 keystream bits) and around 2^76.6 bits of memory. Next, we propose a key recovery attack on a version of Lizard with the number of initialization rounds reduced to 223 (out of 256), based on IV collisions. We then outline a method to extend our attack to 226 rounds. Our results do not affect the security claims of the designers.


2019 ◽  
Vol 8 (4) ◽  
pp. 3357-3361

The Advanced Encryption Standard (AES) has been accepted worldwide as a suitable algorithm for encrypting and decrypting sensitive information. In cryptography the unencrypted information is referred to as plaintext; it is encrypted into ciphertext, which is in turn decrypted back into usable plaintext. Encryption and decryption depend on the type of cryptographic system and on the secret key, which is expanded into the round keys used by the cipher in each round. AES with a one-stage pipeline gives a minor reduction in delay but shows no improvement in area or power consumption. To overcome these drawbacks, the basic AES architecture, including encryption and decryption, is modified into a one-stage pipelined architecture using a one-dimensional Substitution Box (S-box). The Advanced Microcontroller Bus Architecture (AMBA) defines a family of on-chip communication standards for high-performance embedded microcontrollers. AMBA AHB (Advanced High-performance Bus) is intended for high performance and high clock frequencies, and has characteristics such as burst transfers, split transactions and single-cycle bus master handover. In the proposed design the 128-bit plaintext is driven by AMBA-AHB according to its specification, which supports delivering one plaintext block to the cipher per clock cycle; that is, the Modified Encryption Standard is implemented with AMBA-AHB-driven input, which provides the on-chip communication and, the authors argue, increases the security of the encryption standard. The proposed Modified Encryption Standard is simulated and synthesized using Xilinx ISim 14.7 targeting an FPGA.


Author(s):  
Subhadeep Banik ◽  
Andrea Caforio ◽  
Takanori Isobe ◽  
Fukang Liu ◽  
Willi Meier ◽  
...  

It has been common knowledge that for a stream cipher to be secure against generic TMD tradeoff attacks, the size of its internal state in bits needs to be at least twice the size of the length of its secret key. In FSE 2015, Armknecht and Mikhalev however proposed the stream cipher Sprout with a Grain-like architecture, whose internal state was equal in size with its secret key and yet resistant against TMD attacks. Although Sprout had other weaknesses, it germinated a sequence of stream cipher designs like Lizard and Plantlet with short internal states. Both these designs have had cryptanalytic results reported against them. In this paper, we propose the stream cipher Atom that has an internal state of 159 bits and offers a security of 128 bits. Atom uses two key filters simultaneously to thwart certain cryptanalytic attacks that have been recently reported against keystream generators. In addition, we found that our design is one of the smallest stream ciphers that offers this security level, and we prove in this paper that Atom resists all the attacks that have been proposed against stream ciphers so far in literature. On the face of it, Atom also builds on the basic structure of the Grain family of stream ciphers. However, we try to prove that by including the additional key filter in the architecture of Atom we can make it immune to all cryptanalytic advances proposed against stream ciphers in recent cryptographic literature.
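The "twice the key length" rule quoted above follows from the generic Babbage-Golić time/memory/data tradeoff; the short derivation below is added here for the reader and is not part of the paper. For a keystream generator with an $n$-bit internal state, the attacker precomputes a table of $M$ random states together with the keystream prefix each produces, then collects $D$ overlapping keystream windows from the target. A window matching a table entry reveals the state at that point (and from there all later keystream), and by the birthday bound such a collision is expected once

$$ M \cdot D \approx 2^{n}. $$

Balancing the costs by taking $M = D = T = 2^{n/2}$ gives time, memory and data each of about $2^{n/2}$, so for this attack alone to be no cheaper than exhaustive search over a $k$-bit key one needs

$$ 2^{n/2} \ge 2^{k} \iff n \ge 2k. $$

Sprout-style designs escape the bound not by enlarging the state but by making the keystream generator itself key-dependent (the key-dependent state update of Fruit and the key filters of Atom mentioned on this page): a matched state in the table no longer lets the attacker run the generator forward without also knowing the key, so the collision alone does not finish the attack.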

