Abstract
This paper studies differential fault attacks against Grain-v1. To date, several differential fault attacks on the Grain family have been reported under the assumption that a single fault flips exactly one bit of the internal state. However, as chip sizes shrink and device complexity grows, flipping exactly one internal-state bit with a single fault is becoming harder and harder to achieve in practice. For Grain-v1, no efficient differential fault attack has yet been published under the assumption that a single fault flips several internal-state bits. This paper presents an efficient multi-bit differential fault attack on Grain-v1 under the assumption that a single fault flips at most 8 consecutive bits of the main register, where the flipped bits may lie in the LFSR, in the NFSR, or across the LFSR and the NFSR, and where the exact position and number of flipped bits are unknown. In particular, inspired by the main idea of the near collision attack on Grain-v1 proposed at FSE 2013, a new method for identifying the fault information, namely the position and the number of bits actually flipped, is proposed. Experimental data show that, given 160 differential keystream bits, this method determines the fault information with a probability of about 97.5%. Using the SAT solver CryptoMiniSat 2.9.6 on a PC with a 2.83 GHz CPU and 4 GB of RAM, the 160-bit internal state of Grain-v1 can be recovered in about 50 minutes using about eight faults. The attack idea in this paper also applies to Grain-128 and to the case where a single fault flips more than 8 bits.
Published in
Journal of Cryptologic Research (密码学报), indexed in CSCD
2016, No. 3, pp. 258-269 (12 pages)
Funding
National Natural Science Foundation of China (61272042, 61521003)
National 863 Key Program (2015AA01A708)