Title: Differential Fault Attack on HE-Friendly Stream Ciphers: Masta, Pasta, and Elisabeth
Authors: Weizhe Wang; Deng Tang
Journal: IEEE Transactions on Computers, vol. 74, no. 7, pp. 2267-2277
Publication date: 2025-04-04
Publication type: Journal Article
DOI: 10.1109/TC.2025.3558036
URL: https://ieeexplore.ieee.org/document/10949832/
Citation count: 0
Abstract
In this paper, we propose the Differential Fault Attack (DFA) on three Homomorphic Encryption (HE) friendly stream ciphers Masta, Pasta, and Elisabeth. Both Masta and Pasta are Rasta-like ciphers with publicly derived and pseudorandom affine layers. The design of Elisabeth is an extension of FLIP and FiLIP, following the group filter permutator paradigm. All three ciphers operate on elements over $\mathbb{Z}_{p}$ or $\mathbb{Z}_{2^{n}}$, rather than $\mathbb{Z}_{2}$. We can recover the secret keys of all the targeted ciphers through DFA. In particular, for Elisabeth, we present a new method to determine the filtering path, which is vital for making the attack practical. Our attacks on various instances of Masta are practical and require only one block of keystream and a single word-based fault. By injecting three word-based faults, we can theoretically mount DFA on two instances of Pasta, Pasta-3 and Pasta-4. For Elisabeth-4, the only instance of the Elisabeth family, we present two DFAs in which we inject four bit-based faults or a single word-based fault. With 15000 normal and faulty keystream words, the DFA on Elisabeth-4 can be completed in just a few minutes.
Journal description:
The IEEE Transactions on Computers is a monthly publication with a wide distribution to researchers, developers, technical managers, and educators in the computer field. It publishes papers on research in areas of current interest to the readers. These areas include, but are not limited to, the following: a) computer organizations and architectures; b) operating systems, software systems, and communication protocols; c) real-time systems and embedded systems; d) digital devices, computer components, and interconnection networks; e) specification, design, prototyping, and testing methods and tools; f) performance, fault tolerance, reliability, security, and testability; g) case studies and experimental and theoretical evaluations; and h) new and important applications and trends.