A Statistical Fault Analysis Methodology for the Ascon Authenticated Cipher

Authenticated ciphers are trending in secret key cryptography, since they combine confidentiality, integrity, and authentication into one algorithm, and offer potential efficiencies over the use of separate block ciphers and keyed hashes. Current cryptographic contests and standardization efforts are evaluating authenticated ciphers for weaknesses, to include implementation vulnerabilities, such as fault attacks. In this paper, we analyze fault attacks against the Ascon authenticated cipher, which was selected by CAESAR as the first choice for the lightweight use case. We propose a fault attack technique based on statistical ineffective fault analysis (SIFA) using double-fault injection and key dividing. Faults are injected at two selected S-boxes for every encryption during the last round of permutation in the Ascon Finalization stage. The correct tag values, resulting from ineffective fault inductions, are then used to analyze key hypotheses. The complexity of our attack method is a trade-off between the size of key hypothesis search space and the number of double-fault injections. The sufficient number of correct tag values needed to recover a key subset depends on the bias of fault distributions. We perform experiments on a software implementation of Ascon to show that between 12.5 to 2500 correct tag values (i.e., ineffective faults) are enough for key recovery for highly biased to more uniform fault distributions, respectively.