Impossible Fault Analysis of RC4 and Differential Fault Analysis of RC4

Biham, Eli; Granboulan, Louis; Nguyêñ, Phong Q.

doi:10.1007/11502760_24

Cited by 74 publications

(37 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…However, these undesirable structural properties might be useful to mount an impossible fault attack for the stream cipher. Particularly, what we have called A-states could play a role analogous to Finney states for RC4, in way similar to that presented by Biham et al at FSE'05 [5]. We consider this as an interesting direction for future research.…”

Section: Discussionsupporting

confidence: 57%

On the Salsa20 Core Function

Hernández-Castro

Tapiador

Quisquater

Fast Software Encryption

View full text Add to dashboard Cite

Abstract. In this paper, we point out some weaknesses in the Salsa20 core function that could be exploited to obtain up to 2 31 collisions for its full (20 rounds) version. We first find an invariant for its main building block, the quarterround function, that is then extended to the rowround and columnround functions. This allows us to find an input subset of size 2 32 for which the Salsa20 core behaves exactly as the transformation f (x) = 2x. An attacker can take advantage of this for constructing 2 31 collisions for any number of rounds. We finally show another weakness in the form of a differential characteristic with probability one that proves that the Salsa20 core does not have 2 nd preimage resistance.

show abstract

Section: Discussionsupporting

confidence: 57%

On the Salsa20 Core Function

Hernández-Castro

Tapiador

Quisquater

Fast Software Encryption

View full text Add to dashboard Cite

show abstract

“…This fact is illustrated by the Figure 4. In this section, two principles are associated, the first one impossible differential, which is first published in [21,22], and the second one fault analysis, like [2,26]. Our impossible differential fault analysis corresponds to 5-round impossible differential cryptanalysis attack, which is described in [3].…”

Section: Impossible Differential Fault Attack On Aes-128mentioning

confidence: 99%

“…C (1) is the faulty ciphertext obtained where fault 1 is injected, similarly,C (2) the faulty ciphertext links to fault 2 . We have the two following facts :…”

Section: Property Of Recombinationmentioning

confidence: 99%

Meet-in-the-Middle and Impossible Differential Fault Analysis on AES

Derbez

Fouque

Leresteux³

2011

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Since the early work of Piret and Quisquater on fault attacks against AES at CHES 2003, many works have been devoted to reduce the number of faults and to improve the time complexity of this attack. This attack is very efficient as a single fault is injected on the third round before the end, and then it allows to recover the whole secret key in 2 32 in time and memory. However, since this attack, it is an open problem to know if provoking a fault at a former round of the cipher allows to recover the key. Indeed, since two rounds of AES achieve a full diffusion and adding protections against fault attack decreases the performance, some countermeasures propose to protect only the three first and last rounds. In this paper, we give an answer to this problem by showing two practical cryptographic attacks on one round earlier of AES-128 and for all keysize variants. The first attack requires 10 faults and its complexity is around 2 40 in time and memory, an improvement allows only 5 faults and its complexity in memory is reduced to 2 24 while the second one requires either 1000 or 45 faults depending on fault model and recovers the secret key in around 2 40 in time and memory.

show abstract

“…It was first proposed by E. Biham and A. Shamir on DES 2 in 1997. The similar attacks have been applied to AES [3][4][5][6][7][8] , Triple-DES 9 , RC4 10 , Camellia 11 , ARIA 12 , SMS4 [13][14] , PRESENT 15 and so on. The DFA exploits easily accessible information like input-output behavior under malfunctions, amplifies and evaluates the leaked information with the help of mathematical methods.…”

Section: Introductionmentioning

confidence: 99%

Single Byte Differential Fault Analysis on the LED Lightweight Cipher in the Wireless Sensor Network

Li¹,

Gu²,

Xia³

et al. 2012

IJCIS

View full text Add to dashboard Cite

The LED is a new lightweight cipher, which was published in CHES 2011. This cipher could be applied in the Wireless Sensor Network to provide security. On the basis of the single byte-oriented fault model, we propose a differential fault analysis on the LED cipher. The attack could recover its 64-bit secret key by introducing 4 faulty ciphertexts, and 128-bit secret key by introducing 8 faulty ciphertexts. The results in this study will be beneficial to the analysis of the same type of other iterated lightweight ciphers.

show abstract

Impossible Fault Analysis of RC4 and Differential Fault Analysis of RC4

Cited by 74 publications

References 13 publications

On the Salsa20 Core Function

On the Salsa20 Core Function

Meet-in-the-Middle and Impossible Differential Fault Analysis on AES

Single Byte Differential Fault Analysis on the LED Lightweight Cipher in the Wireless Sensor Network

Contact Info

Product

Resources

About