Differential Fault Attack on Grain v1, ACORN v3 and Lizard

Abstract

Differential Fault Attack (DFA) is a very well known technique to evaluate security of a stream cipher. This considers that the stream cipher can be weakened by injection of the fault. In this paper we study DFA on three ciphers, namely Grain v1, Lizard and ACORN v3. We show that Grain v1 (an eStream cipher) can be attacked with injection of only 5 faults instead of 10 that has been reported in 2012. For the first time, we have mounted the fault attack on Lizard, a very recent design and show that one requires only 5 faults to obtain the state. ACORN v3 is a third round candidate of CAESAR and there is only one hard fault attack on an earlier version of this cipher. However, the ‘hard fault’ model requires a lot more assumption than the generic DFA. In this paper, we mount a DFA on ACORN v3 that requires 9 faults to obtain the state. In case of Grain v1 and ACORN v3, we can obtain the secret key once the state is known. However, that is not immediate in case of Lizard. While we have used the basic framework of DFA that appears in literature quite frequently, specific tweaks have to be explored to mount the actual attacks that were not used earlier. To the best of our knowledge, these are the best known DFAs on these three ciphers.

Appendix: Description of the ciphers

1.1 A1: Grain v1

Grain v1 has two registers, LFSR and NFSR of 80 bits each and we use the notation \(s_i, s_{1+i}, \ldots ,s_{79+i} \) and \(b_i, b_{1+i}, \ldots , b_{79+i}\) for state bits of LFSR and NFSR respectively. The output function calculates the key stream bit and then the LFSR and NFSR states are updated. The output function is given by:

$$\begin{aligned} z_i&= b_{i+1} \oplus b_{i+2} \oplus b_{i+4} \oplus b_{i+10} \oplus b_{i+31} \nonumber \\&\oplus b_{i+43} \oplus b_{i+56} \oplus h(s_{i+3}, s_{i+25}, s_{i+46}, s_{i+64}, b_{i+63}) \end{aligned}$$

where \(h(x_0,x_1,x_2,x_3,x_4)\) is given by:

$$\begin{aligned} h(x_0,x_1,x_2,x_3,x_4)&= x_1 \oplus x_4 \oplus x_0 x_3 \oplus x_2 x_3 \oplus x_3 x_4 \oplus x_0 x_1 x_2 \nonumber \\&\oplus x_0 x_2 x_3 \oplus x_0 x_2 x_4 \oplus x_1 x_2 x_4 \oplus x_2 x_3 x_4. \end{aligned}$$

The LFSR feedback bit \(s_{i+80}\) is calculated as:

$$\begin{aligned} s_{i+80} = s_{i+62} \oplus s_{i+51} \oplus s_{i+38} \oplus s_{i+23} \oplus s_{i+13} s_{i} \end{aligned}$$

and the NFSR feedback bit is calculated as:

$$\begin{aligned} b_{i+80}&= s_i \oplus b_{i+62} \oplus b_{i+60} \oplus b_{i+52} \oplus b_{i+45} \oplus b_{i+37} \nonumber \\&\oplus b_{i+33}\oplus b_{i+28}\oplus b_{i+9}\oplus b_{i} \oplus b_{i+63}b_{i+60} \oplus b_{i+37}b_{i+33} \nonumber \\&\oplus b_{i+15}b_{i+9} \oplus b_{i+60}b_{i+52}b_{i+45} \oplus b_{i+33}b_{i+28}b_{i+21} \nonumber \\&\oplus b_{i+63}b_{i+45}b_{i+28}b_{i+9} \oplus b_{i+60}b_{i+52}b_{i+37}b_{i+33} \nonumber \\&\oplus b_{i+63}b_{i+60}b_{i+52}b_{i+45}b_{i+37} \oplus b_{i+33}b_{i+28}b_{i+21}b_{i+15}b_{i+9} \nonumber \\&\oplus b_{i+52}b_{i+45}b_{i+37}b_{i+33}b_{i+28}b_{i+21} \end{aligned}$$

The cipher is initialized using the key and IV bits as per the following:

$$\begin{aligned} b_i&= k_i ~~~\quad \text {for} \quad 0 \le i \le 79, \\ s_i&= IV_i ~\quad \text {for} \quad 0 \le i \le 63\\ s_i&= 1 ~~~~\quad \text {for} \quad 64 \le i \le 79 \end{aligned}$$

After initialization, the cipher is clocked 160 times without producing any key stream bit. In fact, the key stream bit is XOR’d with the feedback bit during the KSA. After 160 rounds, we get our first key stream bit.

1.2 A2: ACORN v3

We briefly state here the description of ACORN v3 relevant to our work, i.e. we assume the plaintext message to be a stream of 0’s and are concerned only about the key stream generation process (PRGA), hence initialization of the cipher has been omitted. As stated before, ACORN v3 has 6 LFSRs concatenated to form a 293 bit state. We denote the state of the cipher by \(S^t\) and its respective bits as: \(S^t_0 \ldots S^t_{292}\). The cipher has the following three functions:

1. 1.

   Output Function. The output bit \(z_t\) for any state t is generated as:

   $$\begin{aligned} z_t&= S^t_{12} \oplus S^t_{154} \oplus \nonumber maj(S^t_{235},S^t_{61},S^t_{193}) \\ {}&\oplus ch(S^t_{230}, S^t_{111}, S^t_{66}), \end{aligned}$$

   (5)

   where \(maj(x,y,z)=xy \oplus xz \oplus yz\) and \(ch(x,y,z)=xy \oplus (\sim x)z \).

2. 2.

   Feedback Function. The feedback bit \(f_{t}\) for any state t is generated as:

   $$ \begin{aligned} f_t&= S^{t}_{0} \oplus ( \sim S^{t}_{107}) \oplus maj(S^t_{244}, S^t_{23}, S^t_{160}) \nonumber \\ {}&\oplus (ca_t \, \& S^t_{196}) \oplus ( cb_t \& z_t), \end{aligned}$$

   (6)

   where \(ca_t\) and \(cb_t\) are binary values based on the length of the message.

3. 3.

   State Update Function. Before performing the shift, the bits \(S^t_{289},S^t_{230},\) \(S^t_{193},S^t_{154},S^t_{107},S^t_{61}\) are updated as follows:

   $$\begin{aligned} S^t_{289}&= S^t_{289} \oplus S^t_{235} \oplus S^t_{230}\\ S^t_{230}&= S^t_{230} \oplus S^t_{196} \oplus S^t_{193}\\ S^t_{193}&= S^t_{193} \oplus S^t_{160} \oplus S^t_{154}\\ S^t_{154}&= S^t_{154} \oplus S^t_{111} \oplus S^t_{107}\\ S^t_{107}&= S^t_{107} \oplus S^t_{66} \oplus S^t_{61}\\ S^t_{61}&= S^t_{61} \oplus S^t_{23} \oplus S^t_{0} \end{aligned}$$

And then the bits are shifted in the following manner:

$$\begin{aligned} S^{t+1}_{i} = S^t_{i+1} \ \forall \ i \ \in \ [0,291] \end{aligned}$$

with the last bit initialized with the feedback bit is

$$\begin{aligned} S^{t+1}_{292} = f_t, \end{aligned}$$

when all bits of the pliantext are zero.

1.3 A3: Lizard

The 121-bit inner state of Lizard is divided into two NFSRs namely NFSR1 and NFSR2. At time t, the first NFSR, NFSR1 is denoted by \((S_0^t,\ldots , S_{30}^t)\) and the second NFSR, NFSR2 by \((B_0^t , \ldots , B_{89}^t)\). NFSR1 is of 31 bit and the update rule of this NFSR is

$$\begin{aligned} S_{30}^{t+1}&= S_0^t \oplus S_2^t \oplus S_5^t \oplus S_6 ^t \oplus S_{15}^t \oplus S_{17}^t \oplus S_{18}^t \oplus S_{20}^t \nonumber \\&\oplus S_{25}^t\oplus S_8^t S_{18}^t\oplus S_8^t S_{20}^t \oplus S_{12}^t S_{21}^t \oplus S_{14}^t S_{19}^t \nonumber \\&\oplus S_{17}^t S_{21}^t \oplus S_{20}^t S_{22}^t \oplus S_{4}^tS_{12}^tS_{22}^t \oplus S_{4}^t S_{19}^tS_{22}^t \nonumber \\&\oplus S_7^tS_{20}^tS_{21}^t \oplus S_8 ^t S_{18}^t S_{22}^t \oplus S_{8}^t S_{20}^t S_{22}^t \oplus S_{12}^t S_{19}^t S_{22}^t \nonumber \\&\oplus S_{20}^tS_{21}^t S_{22}^t \oplus S_{4}^t S_{7}^t S_{12}^tS_{21}^t \oplus S_{4}^t S_{7}^t S_{19}^t S_{21}^t \nonumber \\&\oplus S_{4}^t S_{12}^t S_{21}^t S_{22}^t \oplus S_{4}^t S_{19}^t S_{21}^t S_{22}^t \oplus S_{7}^t S_{8}^t S_{18}^t S_{21} \nonumber \\&\oplus S_{7}^t S_{8}^t S_{20}^t S_{21}^t \oplus S_{7}^t S_{12}^t S_{19}^t S_{21}^t \oplus S_{8}^t S_{18}^t S_{21}^t S_{22}^t \nonumber \\&\oplus S_{8}^t S_{20}^t S_{21}^t S_{22}^t\oplus S_{12}^t S_{19}^t S_{21}^t S_{22}^t. \end{aligned}$$

(7)

The second register NFSR2 is of 90 bit and the update rule of this NFSR is

$$\begin{aligned} B_{89}^{t+1}&= S_0^t \oplus B_0^t \oplus B_{24}^t \oplus B_{49}^t \oplus B_{79}^t \oplus B_{84}^t \oplus B_{3}^t B_{59}^t \nonumber \\&\oplus B_{10}^t B_{12}^t \oplus B_{15}^t B_{16}^t \oplus B_{25}^t B_{53}^t \oplus B_{35}^t B_{42}^t\nonumber \\&\oplus B_{55}^t B_{58}^t \oplus B_{60}^t B_{74}^t \oplus B_{20}^t B_{22}^t B _{23}^t\nonumber \\&\oplus B_{62}^t B_{68}^t B_{72}^t \oplus B_{77}^t B_{80}^t B_{81}^t B_{83}. \end{aligned}$$

(8)

Output bit \(z_t\) is a function from \(\{0,1\}^{53}\) to \(\{0,1\}.\) At time t,

$$\begin{aligned} z_t=\mathcal {L}_t \oplus \mathcal {Q}_t \oplus \mathcal {T}_t \oplus \mathcal {\overline{T}}_t, \end{aligned}$$

(9)

where

• \( \mathcal {L}_t=B_7^t \oplus B_{11}^t \oplus B_{30}^t \oplus B_{40}^t \oplus B_{45}^t \oplus B_{54}^t \oplus B_{71}^t\)

• \( \mathcal {Q}_t=B_{4}^t B_{21}^t \oplus B_{9}^t B_{52}^t \oplus B_{18}^t B_{37}^t \oplus B_{44}^t B_{76}^t\)

• \(\mathcal {T}_t=B_5^t\oplus B_8^t B_{82}^t \oplus B_{34}^t B_{67}^t B_{73}^t \oplus B_{2}^t B_{28}^t B_{41}^t B_{65}^t \oplus B_{13}^t B_{29}^t B_{50}^t B_{64}^t B_{75}^t \oplus \) \(B_6^t B_{14}^t B_{26}^t B_{32}^t B_{47}^t B_{61}^t \oplus B_1^t B_{19}^tB_{27}^t B_{43}^t B_{57}^t B_{66}^t B_{78}^t\)

• \(\mathcal {\overline{T}}_t=S_{23}^t \oplus S_{3}^t S_{16}^t \oplus S_{9}^t S_{13}^t B_{48}^t \oplus S_{1}^t S_{24}^t B_{38}^t B_{63}^t\)

The state initialization process is divided into 4 phases.

Phase 1: Key and IV Loading. Let \(K = (K_0,\ldots ,K_{119} ) \) be the 120-bit key and \(IV = (IV_0,\ldots ,\) \(IV_{63} )\) the 64-bit public IV. The state is initialized as follows:

$$\begin{aligned} B_j^0= & {} \left\{ \begin{array}{ll} K_j \oplus IV_j, &{} \text { for } 0 \le j \le 63 \\ K_j, &{} \text { for } 64 \le j \le 89 \end{array} \right. \end{aligned}$$

$$\begin{aligned} S_j^0= & {} \left\{ \begin{array}{ll} K_{j+90}, &{} \text { for } 0 \le j \le 28 \\ K_{119+1}, &{} \text { for } j = 29\\ 1, &{} \text {for } j = 30 \end{array} \right. \end{aligned}$$

Phase 2: Grain-like Mixing. In this phase the output bit \(z_t\) is fed back into both NFSRs for \(0 \le t \le 127\). This type of approach is used in Grain family.

Phase 3: Second Key Addition. In this phase, the 120-bit key is XORed to both NFSRs as follows:

$$\begin{aligned} B_j^{129} = B_j^{128} \oplus K_j, \ \text {for } 0 \le j \le 89 \end{aligned}$$

$$\begin{aligned} S_j^{129}= & {} \left\{ \begin{array}{ll} S_{j}^{128} \oplus K_{j+90}, &{} \text {for } 0 \le j \le 29 \\ 1, &{} \text {for } j = 30 \end{array} \right. \end{aligned}$$

Phase 4: Final Diffusion. This phase is exactly similar to phase 2 except \(z_t\) is not fed back into the NFSRs. In this phase, one has to run both NFSRs 128 rounds. So after this phase, registers are \((S_0^{257},\ldots , S_{30}^{257})\) and \((B_0^{257} , \ldots , B_{89}^{257})\). Now Lizard is ready to produce output key stream bits. The first keystream bit that is used for encryption is \(z_{257}\). For \(t\ge 257\), the states \((S_0^{t+1},\ldots , S_{30}^{t+1})\) and \((B_0^{t+1} , \ldots , B_{89}^{t+1})\) and the output bit \(z_t\) are computed using Eqs. (7), (8) and (9) respectively.