DESIV: Differential Fault Analysis of SIV-Rijndael256 with a Single Fault

2020 
This work analyzes the strength of NIST Lightweight Cryptography (LWC) Round 1 Candidate SIV-Rijndael256 in light of Differential Fault Attacks (DFA). It is observed that SIV-Rijndael256 presents an interesting case for DFA due to its large state-size which has been capitalized in this work to contribute to the state-of-the-art in DFA on AES-like ciphers. We first study the differential properties over three rounds of the cipher and then use it to mount a DFA that uses a classical strategy in conjunction with the properties of the key-schedule. The nonce-misuse property of SIV-Rijndael256 facilitates the use of DFA and is exploited to reduce the key-space from 2128 to just one using only a single random byte fault in the internal state. Moreover, the support for the release of unverified plaintexts which have been shown in literature as a vulnerability to DFA, makes the decryption also vulnerable to the same attack. Finally, the ability to uniquely retrieve the key using just a single fault makes the attack, reported here, an optimal DFA. To the best of our knowledge, this is the first differential fault analysis of any candidate in the NIST LWC competition.
    • Correction
    • Source
    • Cite
    • Save
    • Machine Reading By IdeaReader
    28
    References
    0
    Citations
    NaN
    KQI
    []