IEEE Access (Jan 2021)

Random Differential Fault Attacks on the Lightweight Authenticated Encryption Stream Cipher Grain-128AEAD

  • Iftekhar Salam,
  • Thian Hooi Ooi,
  • Luxin Xue,
  • Wei-Chuen Yau,
  • Josef Pieprzyk,
  • Raphael C.-W. Phan

DOI
https://doi.org/10.1109/ACCESS.2021.3078845
Journal volume & issue
Vol. 9
pp. 72568 – 72586

Abstract

Grain-128AEAD is a lightweight authenticated encryption stream cipher and one of the finalists in the National Institute of Standards and Technology (NIST) Lightweight Cryptography (LWC) project. This paper provides an independent third-party analysis of Grain-128AEAD against fault attacks. We investigate the application of three differential fault attack models on Grain-128AEAD. All these attacks can recover the initial state of Grain-128AEAD. First, we demonstrate an attack using a bit-flipping fault that requires access to $2^{7.80}$ faulty outputs to recover the initial state. Then, we demonstrate an attack with a more relaxed assumption of a random fault with a probabilistic approach. Our probabilistic random fault attack requires access to $2^{11.60}$ faulty outputs and $2^{10.45}$ fault injections to recover the initial state with a success rate over 99%. Both of the above two attacks are based on precise control on the fault target. Finally, we apply a random fault attack with a deterministic approach (can conclusively determine the random fault value) and using different precision controls. For the precise control, we use existing approaches that have been applied to other ciphers, such as Tiaoxin-346. We also propose a technique for less stringent precision models, such as moderate control and no control, which are more practical than the precise control. Our result indicates that the deterministic random fault attack with a precise control requires an average of $2^{7.64}$ fault injections and a data complexity of $2^{8.80}$. The deterministic random fault attack with moderate control requires a weak assumption on the fault injection and hence, is the best attack presented in this paper; and is expected to require about $2^{9.39}$ fault injections with a data complexity of about $2^{12.98}$. All the attacks discussed in this paper are verified experimentally.

Keywords