Differential Fault Attack on Feistel-Based Sponge AE Schemes

Abstract

Performing differential fault attack (DFA) for any sponge authenticated encryption (AE) in the encryption query is a challenging task due to the employment of a unique nonce. Therefore, we need to repeat the nonce to perform DFA and, probably, this can be done through the decryption queries. The sponge duplex is a popular mode of operation for constructing authenticated encryption schemes, where 25 out of the 56 round 1 submissions in the ongoing NIST lightweight cryptography standardization process are sponge-based. The majority of these sponge-based constructions employed substitution permutation networks (SPN)/Feistel-like structures inside their underlying permutation. In this paper, we are interested in Feistel-based permutations used in the sponge AE construction. We call this kind of Feistel design a generalized Feistel network (GFN). We observe that, for a duplex sponge mode with GFN-based permutation, we might be able to recover the state by performing faulty forgeries in the decryption query. We make the reasonable assumption that the internal round function used in GFN follows an SPN-like structure. In this work, under random fault model, we first present an attack on the CiliPadi family of an authenticated encryption scheme to retrieve its state and then recover the secret key. We show that around \(2^{21}\) (data complexity) faulty queries are sufficient to recover its master key. Also, the time and memory complexities of this attack are respectively \(2^{14.5}\) and \(2^{8.5}\) nibbles. Then, we generalize this attack for any GFN-based sponge AE where SPN internally used inside the GFN. We propose two fault attacks to recover the internal state. In the first case, we assume that SPN has at least two rounds used in GFN. In the second case, GFN has employed one round SPN inside it. In both attacks, we recover the state by performing faulty forgery at the final permutation call (before the tag is obtained) under two different fault models. Then, we give a complete theoretical analysis to perform faulty forgeries. We also discuss the possibilities to extend state recovery attacks to full key recovery. Finally, we propose a general countermeasure against these kinds of fault attacks. To the best of our knowledge, this is the first fault attack reported on GFN-based sponge AE, where GFN internally uses SPN to fulfill its structure.

Appendix

1.1 Fault Attack on Single Round SPN-Based GFN Sponge AE

In this attack, we first describe the fault model. Then, we give a description of the state recovery by repeatedly performing faulty forgery in the decryption query.

1.1.1 The Fault Model

In this attack, we have considered a known byte/nibble fault model where the injected byte/nibble fault is only assumed to disturb a particular byte/nibble in such a way that the distribution of the faulty value is fully biased. More specifically, the attacker perfectly knows the statistical distribution of the faulty value.

1.1.2 The Fault Attack Description

In this attack model, we will inject a byte/nibble fault at the last round of SPN (\(\mathbf {f}\)) structure (before SC operation). Here, we assume that the last round of \(\mathbf {f}\) permutation has the MixColumnsSerial operation. The following steps, by an attacker to get a faulty forgery using faults in the decryption query, are given in Algorithm 6.

Fig. 10

Forgery in sponge-based AE with AES-based GFN as underlying permutation

For better understanding, the above steps are explained for AES-like \(\mathbf {f^{'}}\), where MCS is used in the last round of \(\mathbf {f^{'}}\) permutation. Faults will be injected at the last round of \(\mathbf {f^{'}}\) just before the SC operation. At the 1st phase, we choose \(i_0\)-th byte/nibble as the fault position. Repeatedly make faulty decryption queries by injecting faults at the \(i_0\)-th position until we collect \(q_{0}\) number of tag forgeries. Next at the 2nd phase, we choose the \(i_1\)-th byte/nibble as the fault position so that \(\mathrm{MC}(i_1)\cap \mathrm{MC}(i_0)\) will be minimized or an empty set. Then, repeat the faulty decryption queries (with faults at the \(i_{1}\)-th position) until we collect \(q_{1}\) number of tag forgeries. We will continue this for other faulty positions until we have \(\mathrm{MC}(i_0) \cup \mathrm{MC}(i_1)\cup \cdots \cup \mathrm{MC}(i_{PC-1}) = \{1,2,\cdots ,m\}\).

The number of required faulty decryptions to get one forgery is summarized in the following proposition.

Proposition 5

Let \(\chi\) denote the number of faulty decryption queries to collect q distinct tag forgeries, i.e., repeatedly induce nibble (known) faults at the fixed posision in the state (last round) until we get q different forgeries. Then, \(E(\chi ) < \lambda ^{2}\cdot \Big [1+ \log \bigg (\frac{\lambda }{\lambda -q+1}\bigg )\Big ]\).

Proof

To make a valid forgery, we have to satisfy this condition: \(\textsf {SC} (\Delta _{in}) = \Delta _{out}^{'}\). Therefore, at any phase \(i, 0\le i < 4\),

$$\begin{aligned} \Pr [ \textsf{SC} (\Delta _{in}) = \Delta _{out}^{\prime}] = \frac{\lambda }{\lambda \times \lambda }=\frac{1}{\lambda } = p (say). \end{aligned}$$

Let, \(\chi _{j}, 1\le j \le q\) be the number of trials needed to collect \(j^{th}\) forgery after \(j-1\) forgeries have been collected. As \(\chi\) represents the number of independent trials needed to collect q number of successful forgeries, we have, \(\chi = \chi _1+\cdots +\chi _q\). Furthermore, the probability of collecting \(j^{th}\) forgery is \(p_j = \frac{\lambda -j+1}{\lambda \times \lambda }= \frac{\lambda -j+1}{\lambda ^{2}}\). Therefore, \(\chi _j\) follows geometric distribution and \(E(\chi _j) = \frac{1}{p_j}\). By the linearity of expectations, we have,

$$\begin{aligned} E(\chi )&= \sum _{j=1}^{q} \frac{\lambda ^{2}}{\lambda -j+1}\\&= \frac{\lambda ^{2}}{\lambda }+\frac{\lambda ^{2}}{\lambda -1}+\cdots +\frac{\lambda ^{2}}{\lambda -q+1} \\&< \lambda ^{2}\cdot \Big [1+ \log \bigg (\frac{\lambda }{\lambda -q+1}\bigg )\Big ] \\&\Bigg [\log (x+1)< \sum _{i=1}^{x}\frac{1}{i} < 1+\log (x)\Bigg ] \end{aligned}$$

1.1.3 State Recovery of Sponge AE

Based on the collected lists \(\mathcal {H}_{PC}\) according to Algorithm 6, we have to recover the \(\mathbf {f^{'}}\) state byte/nibble-wise since there is only one difference in \(\Delta _{out}^{'}\) (see Fig. 10). Let \(r_{PC}\) (=1) denote the number of byte/nibble differences in \(\Delta _{out}^{'}\). The state recovery of \(\mathbf {f^{'}}\) is described in Algorithm 7.

Furthermore, we can recover other branches of \(\textsf {GFN} ^{\mathbf {f^{'}}}\) in the similar way that we have discussed in Sect. 7.1.4. Finally, the key can be recovered when either the key is directly used to output the tag by XORing with the state (output of the last permutation) or there are no extra key injections used after the initialization or before the finalization calls.

1.1.4 Attack Complexity

According to Proposition 3, to get at least one successful forgery, we need to perform \(\mu (=\lambda )\) number of faulty decryption queries. Let us assume that the retrieval of \(\mathbf {f^{'}}\) (SPN) state has been done by z number of phases using Algorithm 6. Now, let \(q = q_0+q_1+\cdots +q_{z-1}\) (\(q_0=\ldots =q_{z-1}\)) represent total number of different forging tags to retrieve the \(\mathbf {f^{'}}\) state uniquely. Thus, we need at least \(z \cdot \lambda\) number of byte/nibble faults to recover the full \(\mathbf {f}\) state uniquely. Again, there are l different branches for the \(\textsf {GFN} ^{\mathbf {f}}\) inside the sponge-based AE. Hence, we need approximately \(l \cdot z \cdot \lambda\) number of byte/nibble faults to recover the full \(\textsf {GFN} ^{\mathbf {f}}\) (sponge) state.