Algebraic Fault Analysis of SHA-3 under Relaxed Fault Models

As the new hash standard, Keccak-based secure hash function (SHA-3) will be used in various cryptographic applications. Its security will be of paramount importance to the systems built on top of it. This paper proposes efficient algebraic fault analysis (AFA) methods, and for the first time, applies them to all four modes of SHA-3 under relaxed fault models. Our AFA utilizes the clear algebraic properties of Keccak operations and is very suitable for the fault analysis of SHA-3. Both our analysis and experimental results show that the proposed AFA method is more efficient than the traditional differential fault analysis (DFA) under the single-byte fault model, requiring much fewer faults to recover a whole internal state of the hashing computation. Meanwhile, as AFA is able to exploit all the information available, it can be applied to SHA-3 modes with shorter digests and under more relaxed fault models, where often times the DFA method fails. Our results show that AFA can successfully break all the four SHA-3 modes under a 16-bit fault model, and break SHA3-512 under an even more relaxed fault model, 32-bit fault, all within several minutes. The successful AFA on SHA-3 demonstrates the vulnerability of Keccak algorithms to fault analysis, calling for protections against fault injection and fault analysis.