Differential Fault Attack on PHOTON-Beetle

Abstract

In this paper, we report the first differential fault attack (DFA) on nonce-based AE scheme PHOTON-BEETLE, which is one of the finalists in the ongoing NIST LwC competition. In general, it is a challenging task to perform DFA for any nonce-based sponge AE because of a unique nonce in the encryption query. However, the decryption procedure (with a fixed nonce) is still susceptible to DFA. We propose two fault attack models, and for both, we give theoretical estimates of the number of faulty queries to get multiple forgeries. Our simulated values corroborate closely the theoretical estimates. Finally, we devise an algorithm to recover the state based on the collected forgeries. Under the random fault attack model, to retrieve the secret key, we need approximately 2^37.15 number of faulty queries. Also, the offline time and memory complexities of this attack are respectively 216 and 210 nibbles. In the known fault attack model, we need around 211.05 number of faulty queries to retrieve the secret key. Also, the time and memory complexities of this state recovery attack are respectively 211 and 29 nibbles. Further, we have reduced the number of faulty queries to 640 under the precise bit-flip fault model.