RAFA: Redundancies-assisted Algebraic Fault Analysis and its implementation on SPN block ciphers

IACR Trans. Cryptogr. Hardw. Embed. Syst. Pub Date : 2023-06-09 DOI:10.46586/tches.v2023.i3.570-596

Zehong Qiu, Fan Zhang

{"title":"RAFA: Redundancies-assisted Algebraic Fault Analysis and its implementation on SPN block ciphers","authors":"Zehong Qiu, Fan Zhang","doi":"10.46586/tches.v2023.i3.570-596","DOIUrl":null,"url":null,"abstract":"Algebraic Fault Analysis (AFA) is a cryptanalysis for block ciphers proposed by Courtois et al., which incorporates algebraic cryptanalysis to overcome the complexity of manual analysis within the context of Differential Fault Analysis (DFA). The effectiveness of AFA on lightweight block ciphers has been demonstrated. However, the complexity of the algebraic systems prevents it from attacking heavyweight block ciphers efficiently. In this paper, we propose a novel cryptanalysis called Redundancies-assisted Algebraic Fault Analysis (RAFA) to facilitate the solution of algebraic systems in the setting of heavyweight block ciphers. The core idea of RAFA is to expedite SAT solvers by modifying the algebraic systems, which is accomplished via two methods. The first method introduces redundant constraints, which is proposed for the first time in the context of algebraic cryptanalysis. The second one is a sophisticated linearization of the nonlinear Algebraic Normal Form (ANF). It takes RAFA for about 9.68 hours to attack AES-128. To the best of our knowledge, this is the first work that uses a general SAT solver to attack AES with only a single injection of byte-fault. Moreover, RAFA can attack AES-128 in 50.92 and 27.54 minutes for nibble- and bit-based fault model, respectively. In comparison, the traditional DFA algorithm implemented by pure C takes 4 ~ 5 hours under all three fault models investigated in this work. Moreover, in order to show the generality of RAFA, we also apply it to other heavyweight block ciphers. The best results show that RAFA could recover the key of Serpent-256 and SPEEDY-r-192 in 20.7 and 1.5 hours using only three faults, respectively. In comparison, AFA could not break these two ciphers even when 30 bits and 50 bits of their keys are known, respectively. Furthermore, no DFA work on Serpent or SPEEDY is known using comparable fault models.","PeriodicalId":13186,"journal":{"name":"IACR Trans. Cryptogr. Hardw. Embed. Syst.","volume":"33 1","pages":"570-596"},"PeriodicalIF":0.0000,"publicationDate":"2023-06-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IACR Trans. Cryptogr. Hardw. Embed. Syst.","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.46586/tches.v2023.i3.570-596","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

Abstract

Algebraic Fault Analysis (AFA) is a cryptanalysis for block ciphers proposed by Courtois et al., which incorporates algebraic cryptanalysis to overcome the complexity of manual analysis within the context of Differential Fault Analysis (DFA). The effectiveness of AFA on lightweight block ciphers has been demonstrated. However, the complexity of the algebraic systems prevents it from attacking heavyweight block ciphers efficiently. In this paper, we propose a novel cryptanalysis called Redundancies-assisted Algebraic Fault Analysis (RAFA) to facilitate the solution of algebraic systems in the setting of heavyweight block ciphers. The core idea of RAFA is to expedite SAT solvers by modifying the algebraic systems, which is accomplished via two methods. The first method introduces redundant constraints, which is proposed for the first time in the context of algebraic cryptanalysis. The second one is a sophisticated linearization of the nonlinear Algebraic Normal Form (ANF). It takes RAFA for about 9.68 hours to attack AES-128. To the best of our knowledge, this is the first work that uses a general SAT solver to attack AES with only a single injection of byte-fault. Moreover, RAFA can attack AES-128 in 50.92 and 27.54 minutes for nibble- and bit-based fault model, respectively. In comparison, the traditional DFA algorithm implemented by pure C takes 4 ~ 5 hours under all three fault models investigated in this work. Moreover, in order to show the generality of RAFA, we also apply it to other heavyweight block ciphers. The best results show that RAFA could recover the key of Serpent-256 and SPEEDY-r-192 in 20.7 and 1.5 hours using only three faults, respectively. In comparison, AFA could not break these two ciphers even when 30 bits and 50 bits of their keys are known, respectively. Furthermore, no DFA work on Serpent or SPEEDY is known using comparable fault models.

查看原文本刊更多论文

冗余辅助代数故障分析及其在SPN分组密码中的实现

代数故障分析(Algebraic Fault Analysis, AFA)是由Courtois等人提出的一种分组密码分析方法，它结合了代数密码分析，克服了差分故障分析(Differential Fault Analysis, DFA)中人工分析的复杂性。在轻量级分组密码中证明了AFA的有效性。然而，代数系统的复杂性使其无法有效地攻击重量级分组密码。在本文中，我们提出了一种新的密码分析方法，称为冗余辅助代数故障分析(RAFA)，以方便求解重量级分组密码设置中的代数系统。RAFA的核心思想是通过修改代数系统来加快SAT求解，这是通过两种方法来实现的。第一种方法引入冗余约束，首次在代数密码分析领域提出。第二种是非线性代数范式(ANF)的复杂线性化。英国空军攻击AES-128大约需要9.68小时。据我们所知，这是第一个使用通用SAT求解器仅通过单个字节错误注入攻击AES的工作。基于咬点和比特的故障模型，RAFA攻击AES-128的时间分别为50.92分钟和27.54分钟。相比之下，在本文研究的三种故障模型下，纯C实现的传统DFA算法需要4 ~ 5个小时。此外，为了显示RAFA的通用性，我们还将其应用于其他重量级分组密码。结果表明，在3次故障情况下，RAFA分别在20.7小时和1.5小时内恢复了snake -256和speed -r-192的密钥。相比之下，即使这两个密码的密钥分别已知30位和50位，AFA也无法破解。此外，使用可比较的故障模型对Serpent或SPEEDY进行的DFA工作是未知的。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

IACR Trans. Cryptogr. Hardw. Embed. Syst.

自引率

0.00%

发文量