Abstract
Differential fault analysis (DFA) is a method of recovering key information by exploiting the difference between the intermediate states before and after fault injection. It is one of the attacks that pose a serious threat to lightweight cryptographic algorithms. The new lightweight cipher GIFT, proposed by Subhadeep Banik et al. at CHES 2017, has the advantages of a simple structural design and high implementation efficiency, and has attracted wide attention in the community. Researchers have already studied GIFT with traditional mathematical attack techniques such as linear cryptanalysis and differential cryptanalysis and obtained many results; however, whether it can effectively resist differential fault attacks still needs further exploration. Based on the characteristics of the GIFT round function and the basic idea of differential fault analysis, this paper proposes two differential fault attack methods. The first injects a 1-bit fault into the intermediate states of rounds 28, 27, 26 and 25 respectively, and in theory requires 192 faulty ciphertexts on average to recover the master key. The second injects a 1-bit fault into the intermediate states of rounds 26, 25, 24 and 23 respectively, and in theory requires 32 faulty ciphertexts on average to recover the master key. Therefore, without countermeasures, the attack methods proposed in this paper can effectively attack the GIFT algorithm.
Differential fault analysis (DFA) is one of the most powerful attacks against lightweight ciphers; it uses the differences between the fault-free states and the faulty states to recover the secret key. The lightweight block cipher GIFT was designed by Subhadeep Banik et al. at CHES 2017. Due to its concise design and efficient implementation, GIFT has attracted extensive attention. So far, many researchers have obtained attack results on GIFT using traditional mathematical analyses such as linear cryptanalysis and differential cryptanalysis. However, the resistance of GIFT against DFA remains an open problem. In this study, two DFAs on GIFT are proposed using the structure of the round function and the basic idea behind differential fault analysis. More precisely, in the first attack mode, a one-bit fault is induced in the states of the 28th round, the 27th round, the 26th round and the 25th round, respectively. It is shown that the attack requires 192 faulty ciphertexts on average, after which the entire secret key can be recovered. In the second attack mode, a one-bit fault is induced in the states of the 26th round, the 25th round, the 24th round and the 23rd round, respectively. It is shown that this attack requires only 32 faulty ciphertexts on average. The results show that the attacks proposed in this study are effective in breaking GIFT without any protection.
Authors
冯天耀
韦永壮
史佳利
丛旌
郑彦斌
FENG Tian-Yao; WEI Yong-Zhuang; SHI Jia-Li; CONG Jing; ZHENG Yan-Bin (Guangxi Key Laboratory of Cryptography and Information Security, Guilin University of Electronic Technology, Guilin 541004, China; Guangxi Key Laboratory of Wireless Wideband Communication and Signal Processing, Guilin University of Electronic Technology, Guilin 541004, China; Guangxi Colleges and Universities Key Laboratory of Cloud Computing and Complex Systems, Guilin University of Electronic Technology, Guilin 541004, China)
Source
《密码学报》 (Journal of Cryptologic Research)
CSCD
2019, Issue 3, pp. 324-335 (12 pages)
Funding
National Natural Science Foundation of China (61572148, 61602125)
Graduate Innovation Project of Guilin University of Electronic Technology (2017YJCX37)
Innovation Project of Guangxi Graduate Education (YCBZ2018051)
Natural Science Foundation of Guangxi (2016GXNSFBA380153)