Differential fault attack on the XOR version of SNOW 5G stream cipher

IF 3.8 2区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

Journal of Information Security and Applications Pub Date : 2025-06-07 DOI:10.1016/j.jisa.2025.104108

Wenhao Liu, Chenhui Jin

{"title":"Differential fault attack on the XOR version of SNOW 5G stream cipher","authors":"Wenhao Liu, Chenhui Jin","doi":"10.1016/j.jisa.2025.104108","DOIUrl":null,"url":null,"abstract":"<div><div>This paper presents a differential fault attack (DFA) on the XOR version of SNOW 5G, in which modular <span><math><msup><mrow><mn>2</mn></mrow><mrow><mn>16</mn></mrow></msup></math></span> addition is replaced by bitwise XOR. Using single-byte faults in the Finite State Machine (FSM) during the keystream generation phase, we demonstrate a complete recovery of the 896-bit internal state and 256-bit secret key. By injecting a single-byte fault into registers R1 and R2 of FSM during the keystream generation phase, we solve linear equations derived from keystream differences, obtaining an average of <span><math><msup><mrow><mn>2</mn></mrow><mrow><mn>1</mn><mo>.</mo><mn>01</mn></mrow></msup></math></span> candidate values for 25 bytes and 14 bytes of the internal state, respectively. Furthermore, we present a fault timing and location determination method based on keystream differential patterns, determining the internal state at one time from the multi-time state of R1 and R2. By leveraging 4 collision attacks, the attack complexity is reduced to a time complexity of <span><math><msup><mrow><mn>2</mn></mrow><mrow><mn>19</mn><mo>.</mo><mn>115</mn></mrow></msup></math></span> and a storage complexity of <span><math><msup><mrow><mn>2</mn></mrow><mrow><mn>12</mn><mo>.</mo><mn>697</mn></mrow></msup></math></span> (using 16 faults). For key recovery, we formulate the problem as recovering R2 at 14th and 15th time during the initialization phase, and propose a subspace trail-based fault localization technique. This technique uniquely identifies the location of single-byte FSM faults by analyzing keystream differential deviations, even when distinct fault positions induce identical differential patterns. Finally, we derive the differential propagation patterns induced by single-byte faults in R2 at 14th/15th time and R1 at 13th/14th time during initialization phase, and propose two key recovery schemes. When fault location is unknown, using 80 faults yields an average of <span><math><msup><mrow><mn>2</mn></mrow><mrow><mn>25</mn><mo>.</mo><mn>877</mn></mrow></msup></math></span> candidate keys. When fault location is controllable, using 8 faults yields an average of <span><math><msup><mrow><mn>2</mn></mrow><mrow><mn>8</mn></mrow></msup></math></span> candidate keys, with a storage complexity of <span><math><msup><mrow><mn>2</mn></mrow><mrow><mn>4</mn><mo>.</mo><mn>01</mn></mrow></msup></math></span> and time complexity of <span><math><msup><mrow><mn>2</mn></mrow><mrow><mn>17</mn><mo>.</mo><mn>16</mn></mrow></msup></math></span>.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"93 ","pages":"Article 104108"},"PeriodicalIF":3.8000,"publicationDate":"2025-06-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Information Security and Applications","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2214212625001450","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

This paper presents a differential fault attack (DFA) on the XOR version of SNOW 5G, in which modular

2^{16}

addition is replaced by bitwise XOR. Using single-byte faults in the Finite State Machine (FSM) during the keystream generation phase, we demonstrate a complete recovery of the 896-bit internal state and 256-bit secret key. By injecting a single-byte fault into registers R1 and R2 of FSM during the keystream generation phase, we solve linear equations derived from keystream differences, obtaining an average of

2^{1.01}

candidate values for 25 bytes and 14 bytes of the internal state, respectively. Furthermore, we present a fault timing and location determination method based on keystream differential patterns, determining the internal state at one time from the multi-time state of R1 and R2. By leveraging 4 collision attacks, the attack complexity is reduced to a time complexity of

2^{19.115}

and a storage complexity of

2^{12.697}

(using 16 faults). For key recovery, we formulate the problem as recovering R2 at 14th and 15th time during the initialization phase, and propose a subspace trail-based fault localization technique. This technique uniquely identifies the location of single-byte FSM faults by analyzing keystream differential deviations, even when distinct fault positions induce identical differential patterns. Finally, we derive the differential propagation patterns induced by single-byte faults in R2 at 14th/15th time and R1 at 13th/14th time during initialization phase, and propose two key recovery schemes. When fault location is unknown, using 80 faults yields an average of

2^{25.877}

candidate keys. When fault location is controllable, using 8 faults yields an average of

2^{8}

candidate keys, with a storage complexity of

2^{4.01}

and time complexity of

2^{17.16}

查看原文本刊更多论文

SNOW 5G流密码异或版本的差分故障攻击

本文提出了一种针对SNOW 5G XOR版本的差分故障攻击（DFA），其中模块化216加法被位向XOR取代。在密钥流生成阶段，使用有限状态机（FSM）中的单字节故障，我们演示了896位内部状态和256位秘密密钥的完全恢复。通过在密钥流生成阶段向FSM的寄存器R1和R2中注入一个单字节故障，我们求解了由密钥流差异导出的线性方程，分别获得了25字节和14字节内部状态的平均21.01个候选值。此外，我们提出了一种基于键流差分模式的故障定时和定位方法，从R1和R2的多时间状态中确定一次内部状态。通过利用4次碰撞攻击，攻击复杂度降低到219.115的时间复杂度和212.697的存储复杂度（16个故障）。对于密钥恢复，我们将问题表述为初始化阶段第14次和第15次恢复R2，并提出了一种基于子空间轨迹的故障定位技术。该技术通过分析键流差异偏差来唯一地识别单字节FSM故障的位置，即使不同的故障位置引起相同的差异模式。最后，我们推导了初始化阶段由R2第14 /15次和R1第13 /14次单字节故障引起的差分传播模式，并提出了两种关键恢复方案。当故障位置未知时，使用80个故障平均产生225.877个候选密钥。在故障定位可控的情况下，使用8个故障平均产生28个候选键，存储复杂度为24.01，时间复杂度为217.16。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Journal of Information Security and Applications Computer Science-Computer Networks and Communications

CiteScore

10.90

自引率

5.40%

发文量

206

审稿时长

56 days

期刊介绍： Journal of Information Security and Applications (JISA) focuses on the original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view on modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.