Fault Attack on SKINNY Cipher

Fault Attack on SKINNY Cipher

SKINNY is a family of tweakable lightweight block ciphers, proposed in CRYPTO 2016. The proposal of SKINNY describes two block size variants of 64 and 128 bits as well as three options for tweakey. In this paper, we present fault attacks (FA) on all SKINNY variants. In the first part of the paper, w...

Full description

Saved in:
Bibliographic Details
Published in:Journal of hardware and systems security Vol. 4; no. 4; pp. 277 - 296
Main Authors: Vafaei, Navid, Saha, Sayandeep, Bagheri, Nasour, Mukhopadhyay, Debdeep
Format: Journal Article
Language:English
Published: Cham Springer International Publishing 01-12-2020
Springer Nature B.V
Subjects:
Access control
Algorithms
Circuits and Systems
Computer Hardware
Encryption
Engineering
Explicit knowledge
Information Systems Applications (incl.Internet)
Recovery
Redundancy
Systems and Data Security
Random tweak fault attack
SKINNY
Block cipher
Differential fault attack
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:SKINNY is a family of tweakable lightweight block ciphers, proposed in CRYPTO 2016. The proposal of SKINNY describes two block size variants of 64 and 128 bits as well as three options for tweakey. In this paper, we present fault attacks (FA) on all SKINNY variants. In the first part of the paper, we propose differential fault analysis (DFA) attacks on SKINNY variants keeping the tweak fixed. The attack model of tweakable block ciphers allows the access and full control of the tweak by the attacker. Respecting this attack model, we assume a fixed tweak for the attack window. With this assumption, extraction of the master key of SKINNY requires about 10 random nibble fault injections on average for 64-bit versions of the cipher, whereas the 128-bit versions require roughly 21 byte-fault-injections. In the later part of this work, we relax this assumption and perform fault attacks under known but randomly varying tweaks. It is found that pairs of bit faults at the input and output of the S-Boxes allow complete key recovery under random tweak. Moreover, explicit access to ciphertexts is not required in our attack, and key recovery is possible only by knowing if the ciphertext is correct or faulty. This property of the attack allows key recovery even at the presence of simple redundancy-based FA countermeasures. Both the DFA and paired fault-based attacks were validated through extensive simulation. To the best of authors’ knowledge, these are the first instances of FAs reported on SKINNY tweakable block cipher family.
ISSN:2509-3428
2509-3436
DOI:10.1007/s41635-020-00103-z