Differential fault attack on the XOR version of SNOW 5G stream cipher

This paper presents a differential fault attack (DFA) on the XOR version of SNOW 5G, in which modular $2^{16}$ addition is replaced by bitwise XOR. Using single-byte faults in the Finite State Machine (FSM) during the keystream generation phase, we demonstrate a complete recovery of the 896-bit internal state and 256-bit secret key. By injecting a single-byte fault into registers R1 and R2 of FSM during the keystream generation phase, we solve linear equations derived from keystream differences, obtaining an average of $2^{1.01}$ candidate values for 25 bytes and 14 bytes of the internal state, respectively. Furthermore, we present a fault timing and location determination method based on keystream differential patterns, determining the internal state at one time from the multi-time state of R1 and R2. By leveraging 4 collision attacks, the attack complexity is reduced to a time complexity of $2^{19.115}$ and a storage complexity of $2^{12.697}$ (using 16 faults). For key recovery, we formulate the problem as recovering R2 at 14th and 15th time during the initialization phase, and propose a subspace trail-based fault localization technique. This technique uniquely identifies the location of single-byte FSM faults by analyzing keystream differential deviations, even when distinct fault positions induce identical differential patterns. Finally, we derive the differential propagation patterns induced by single-byte faults in R2 at 14th/15th time and R1 at 13th/14th time during initialization phase, and propose two key recovery schemes. When fault location is unknown, using 80 faults yields an average of $2^{25.877}$ candidate keys. When fault location is controllable, using 8 faults yields an average of $2^8$ candidate keys, with a storage complexity of $2^{4.01}$ and time complexity of $2^{17.16}$.