Proceedings of the 4th ACM Workshop on Attacks and Solutions in Hardware Security | 2019

Differential Fault Analysis of NORX

 
 
 

Abstract


In recent literature, there has been a particular interest in studying nonce-based Authenticated Encryption (AE) schemes in the light of fault-based attacks, as they seem to present automatic protection against Differential Fault Attacks (DFA). In this work, we present the first DFA on the nonce-based CAESAR scheme NORX (applicable to all the versions v1, v2.0, v3.0). We demonstrate a scenario in which faults introduced in NORX in parallel mode can be used to collide the internal branches to produce an all-zero state. We later show how this can be used to replay NORX despite it being instantiated with different nonces and messages. Once replayed, we show how the key of NORX can be recovered using secondary faults and the faulty tags. We use different fault models to showcase the versatility of the attack strategy. A detailed theoretical analysis of the expected number of faults required under various models is also furnished. Under the random bit-flip model, around 1384 faults need to be induced to reduce the key-space from 2^128 to 2^32, while the random byte-flip model requires 332 faults to uniquely identify the key. To the best of our knowledge, this is the first fault attack that uses both internal and classical differentials to mount a DFA on a nonce-based authenticated cipher which is otherwise believed to be immune to DFA.

DOI 10.1145/3411504.3421213
Language English
Journal Proceedings of the 4th ACM Workshop on Attacks and Solutions in Hardware Security
