Fault Attacks on Cryptosystems

Sayan Chaudhuri

Abstract : In this paper we put forward an outlook on fault attack techniques aimed at cryptanalysis of two stream ciphers ­ MICKEY and the Grain family and also on public key encryption scheme RSA­CRT algorithm. The study will start with an overview of fault attack types and methods and then introduce cryptanalysis against the noted stream ciphers. Introduction :Stream ciphers are type of symmetric key cipher where 1

plaintext digits are combined with a pseudorandom cipher digit stream. In a stream cipher each plaintext digit is encrypted one at a time with the corresponding digit of the keystream to yield a digit of the ciphertext stream. Stream ciphers are generally used for their speed and simplicity of implementation in hardware. An eavesdropper can induce errors during the computation of the cryptographic algorithm and exploit the faulty results to extract information about the secret key in the hardware which is often preferred to be some embedded systems like smart card. Fault attacks can break systems generally more quickly than the other available side channel attacks like simple power analysis (SPA), differential power analysis (DPA), electromagnetic analysis (EMA). As an example, it has been possible to break RSA­CRT public key cryptosystem with just one faulty result along with the Data Encryption Standard (DES) and Advanced Encryption Standard (AES) with two faulty results. In the smart card industry, fault attacks have been increasing studied since the publication of paper of Dan Boneh, DeMill and Lipton in 1996. In 2001, Skorobogatov and Anderson presented a practical attack requiring very cheap equipment, a photoflash lamp they succeeded in flipping a bit in a memory cell of a old unprotected chip. Again the protection against any probable fault attacks on a certain system is more costly in terms of chip area. Fault Injection methods : There are many ways of inducing faults. We briefly discuss four of them which get published often in papers. All of those techniques are moderately difficult to carry out but require relatively simple equipment. They are all non­invasive or semi­invasive, which means that they don’t require any physical tampering with the chip; however the packaging may be destroyed in some cases.

1 Symmetric key algorithms are the algorithms that use the same cryptographic keys for both encryption and decryption of ciphertext.

Glitch Attack : Historically the first process of inducing faults in a smart card was to induce a glitch of power on one of the contacts. Variations in the Vcc power supply, GND (Ground) or to the external clock can delay or hinder the functionality of a device and good results were applied with a power glitch applied to those. A very powerful and brief addition of power can perturb the component and hence generates a fault. The additional signal has to short enough so that its detection could be avoided or the system isn’t damaged. For a successful attack, we must set the timing, amplitude and duration of the glitch.

Often hardware based stream ciphers use the external clock that can be overclocked or underclocked by an attacker. The overclocking may cause data misread or the misinterpretation or omission of an instruction. In case of data misread the circuit tries to read a value from the data bus before the memory has time to latch out the asked value. In case of instruction miss, the circuit starts executing instruction n+1 before the microprocessor has finished executing the instruction n.

This method is the most common one and also easy to set up and apply as the intruder need not worry about the localization. However the main drawback of the method is that the attacker can’t focus on specific parts of the device.

The popular countermeasures are also employed on most smart cards with mounted glitch detectors, DC converters or power sensors, filters to resist those attacks. The smart card can either detect or cancel an out of specifications peak of power that might induce faulty behaviour. The hardware reacts accordingly by forcing a reset.

Light Attack :It was introduced in 2000 and is now the most common way to induce faults on smart cards. This attack is based on using the energy of a light emission to perturb the silicon of a chip. Actually any electric circuit is sensitive to light due to photoelectric effect. This is very much directional and an attacker can choose an exact location of the device and can furthermore control the light’s energy, intensity, wavelength, emission time etc properties. The penetration depth of the energy depends on the light’s wavelength. For CMOS technology, a successful generation of electron­hole pairs close to the N­channel or the P­channel, makes the memory cells become very sensitive.

This attack is semi­invasive. The plastic layer on the component has to be removed in order to reach the silicon with the light beam. The energy carried by the light beam is absorbed by the silicon’s electrons and that energy enables them to jump from the valence band to the conductance band. Each new electron in the conductance band creates an electron­hole pair and the set of all of these pairs forms a local photoelectric current. The logical gates or the memory cells of the component are sensitive to such a current and behave accordingly to induce faults. The longer the emission,

the larger the electron­hole pairs created and thus the longer the generated current.

The spectrum of the camera flash is composed of all the visible wavelengths and a great part of infra red. Moreover a camera flash is difficult to control accurately. Laser systems are much more directive. The main characteristics of a laser are discrete wavelength emission, very thin beam and controllable beam­duration and power. It can be made to target very small area of the device. Lasers are effective than camera flashes and so are used customarily.

The advantage of the camera flash attack is low­cost. Again a laser attack can also be performed to the back side of the chip (or smart card) where usually no protecting mechanism like metal shields or light detectors are mounted.

Magnetic Attack : Faults can also be induced by using an powerful magnetic pulse emission near the silicon. The magnetic field creates local currents on the component’s surface to generate a fault. The attack can be performed on small parts on the chip. Practically the attack is performed with cheap set­ups ­ a current carrying wire is wound around a very sharp needle, the wire creates an oriented magnetic field. For better results, the attack is to be semi­invasive. The needle is kept as close as possible to the silicon and so the cover has to be removed. Depending upon the size of the needle, number of loops around the needle, multiple parameters like power of the magnetic field, its duration and localization on the chip etc. are taken into account. However the equipments are difficult to set­up practically because generation of a high magnetic field requires high current which would destroy the wire. Comparatively laser can focus on a very small part of the chip much more accurately than the needle even if it concentrates the magnetic field.

Temperature Attack : Each hardware has some certain temperature range in between of which they perform great. In extreme temperatures devices won’t work as they are expected causing random modification of the RAM cells or R&W threshold mismatches in non­volatile memories (NVMs). However temperature detectors can be attached to smart cards, enabling them to cease performing if beyond the range.

Types of Fault : Electronic circuits are susceptible to two main type of faults ­ provisional faults and destructive faults.

Provisional Fault ­A provisional attack is transient type that is it has reversible effects and the circuit will recover its original behavior

after the system is reset or when the source of the fault is removed. These are the most common one. They occur when a code execution or a certain computation is perturbed. In this type of attack, silicon is locally ionized so as to induce a current that may be falsely interpreted as an internal signal if it’s strong enough. When ionization ceases, the induced current and the resulting faulty signal also comes to a halt and the chip thereafter recovers in normal behavior or its original state.

Destructive fault ­As its name suggests it affects permanently and is created by purposely inflicted defects to the chip’s structure. They can be generated by self­sustained current by bipolar transistor or with releasing of PNPN parasitic bipolar transistor, thermal runaway due to a parasitic thyristor etc. They normally occurs when the value of a cell is definitively changed. They can concern either data contained in EEPROM or in RAM or the code contained in EEPROM. Modifying data is very powerful, particularly when the data is related to sensitive objects of the smart card

While using fault injection as a side channel cryptanalysis strategy,

provisional faults are the method of choice as they permits to attempt numerous experimental conditions on the device until a reasonable desired result is achieved while keeping the system fully functional after all the operations. There is however a third kind of fault attack which is called as Latent Fault and it is caused by hardware or software bugs. Fault Attack on RSA­CRT : RSA is one of the first public key cryptosystems and undoubtedly the most common digital signature scheme used in embedded security.

RSA system ­ Let N = p.q be the product of two large primes of similar length. To sign a message m ∈ Zn using RSA we compute S : = m

d mod N, where d is the private exponent satisfying e.d ≡ 1 mod(p­1)(q­1) for the public exponent e. The computationally expensive part of signing is the modular exponentiation. For efficiency reasons, it is possible to perform the decryption modulo p and q separately and then use the Chinese Remainder

Theorem (CRT) to compute the decryption m = cd mod n.

RSA decryption with CRT ­ This implementation speeds up the decryption by a factor of 4 compared to naive implementations. Decryption of a ciphertext c using CRT :

Reduce the ciphertext modulo the prime factors :

cp=c mod p cq=c mod q

Exponentiate the received values :

mp = cpdp mod p

mq = cqdq mod q

Where dp ≡ d mod(p­1) and dq ≡ d mod(q­1) Use the CRT to compute m ∈ Zn

* such that m ≡ mp mod p and m ≡ mq mod q

The last step is done by computing m = (xmp+ymq)mod n, where x and y are pre­computed integers that satisfy : x ≡ 1 mod p ; x ≡ 0 mod q y ≡ 0 mod p ; y ≡ 1 mod q Here x and y are only computed once and then every execution of the third step requires only two modular exponentiations.

Fault attack ­ Let c be a ciphertext using CRT. We assume that only the

exponentiation modulo the factor q is faulty i.e. the value mq is incorrect while the value of mp is correct. After applying CRT, we get a value m, which is different than the correct message m. For that value it holds that :

m ≡ mp mod p ; m ≡ mq mod q and

m ≡ mp mod p ; m ≡ mq mod q An attacker who gets a hold on both m and m can break RSA by computing : gcd(m ­ m, n) = p.

Alternatively, we can compute : gcd(C ­ me, n)=p if m is unavailable.

Stream ciphers ­ Prior to the appearance of fast block ciphers, such as DES, stream ciphers ruled the world of encryption. A stream cipher generates successive elements of the keystream based on an initial state. The state is updated in essentially two ways ­ if the state changes independently of the plaintext or ciphertext messages, the cipher is classified as a synchronous stream cipher. On the contrast, self­synchronous stream ciphers update their state based on previous ciphertext digits. In a synchronous stream cipher a stream of pseudo­random digits is generated independently of the plaintext

and ciphertext messages and then combined with the plaintext (to encrypt) or the ciphertext (to decrypt). Synchronous stream ciphers include Sober­128, Trivium etc.

Stream ciphers are often constructed using (Linear) Feedback Shift Registers as they can be easily implemented in hardware, can be readily analysed mathematically, have provably long cycles and good statistical properties. (L)FSR based ciphers are the main workhorses when there is a need to encrypt large quantities of fast streaming data.

There are many secret military hardware­oriented ciphers as well as civically used ciphers E0 (Bluetooth), designed for a short­range LAN and one of the most widely used (by the virtue of being included in the GSM cipher suite for ensuring over­the­air privacy) ciphers A5/1. Another preference is to use parts of block­cipher like rounds mixed with LFSR­like structure. MUGI is an example of them.

However,the LFSR alone can’t provide good security due to its inherent linearity. Various schemes are used to increase the security of LFSRs. Registers are combined in a variety of ways : LFSR with nonlinear filters, irregular stepping function, nonlinear feedback functions, irregular decimation or shrinking and any kind of non­linear transform. There are certain possibilities for constructing a stream cipher with LFSRs with greater enhancement in security :

Filter the output of the LFSRs through a nonlinear function. Control the clocking of one LFSR by the output sequence of another

LFSR. Filter the output of the LFSRs through a FSM (Finite State Machine).

The length of the LFSR is generally denoted by n and the XOR of the original and faulted value of the LFSR at the time the fault was introduced by Δ and the number of flipped bits by k which is also the hamming weight of Δ. Grain : Grain is best described as a family of hardware­oriented synchronous stream ciphers. The cipher’s initial version used an 80 bit key and a 64 bit initialization vector. The revised specifications, Grain v1, described two stream ciphers : one for 80 bit with 64 bit initialization vector and another for 128 bit keys with 80 bit initialization vector. Elegant and simple, Grain v1 has been an attractive choice with two shift registers : one with linear feedback and the second with nonlinear feedback ­ being the essential feature of the algorithm family. These registers and the output

bits are coupled by means of very lightweight but judiciously chosen boolean functions.

Basic Design ­ The cipher consists of three main building blocks,

namely an LFSR, a NFSR and a filter function also called an output function.

The content of the LFSR is denoted by bi, bi+1,. . .,bi+79. The feedback polynomial of the LFSR, f(x) is a primitive polynomial of degree 80. It is defined as

f(x)=1+x18+x29+x42+x57+x67+x80

We also define the update function of the LFSR as

si+80=si+62+si+51+si+38+si+23+si+13+si The feedback polynomial of the NFSR g(x) is defined as

g(x)=1+x17+x20+x28+x35+x43+x47+x52+x59+x65+x71+x80+x17x20+x43x47+ x65x71+x20x28x35+x47x52x59+x17x35x52x71+x20x28x43x47+x17x20x59x65+ x17x20x28x35x43+x47x52x59x65x71+x28x35x43x47x52x59.

The bit si which is masked with the input is included in the update function as described below

bi+80=si+bi+63+bi+60+bi+45+bi+37+bi+33+bi+28+bi+21+bi+15+bi+9+bi+ bi+63bi+60+bi+37bi+33+bi+15bi+9+bi+60bi+52bi+45+bi+33bi+28bi+21+ bi+63bi+45bi+28bi+9+bi+60bi+52bi+37bi+33+bi+63bi+60bi+21bi+15+ bi+63bi+60bi+52bi+45bi+37+bi+33bi+28bi+21bi+15bi+9+ bi+52bi+45bi+37bi+33bi+28bi+21.

Fig. 1 ­ Grain Cipher

The contents of the two shift registers represent the state of the cipher. From this state, five variables are taken as input to a boolean function h(x). This filter function is chosen to be balanced, correlation immune to the first order and has algebraic degree 3. The nonlinearity is the highest possible for these functions, namely twelve. The input is taken both from the LFSR and from the NFSR. The function is defined as

h(x)=x1+x4+x0x3+x2x3+x3x4+x0x1x2+x0x2x3+x0x2x4+x1x2x4+x2x3x4 where the variables x0,x1,x2,x3,x4 corresponds to the tap positions si+3, si+25, si+46, si+64, si+63 respectively. The output of the filter function is masked with the bit bi from the NFSR to produce the keystream.

Key Initialization ­ Before any keystream is generated the cipher must be initialized with the key and the IV. Let the bits of the key k be denoted

by ki where 0≤i≤79 and the bits of the IV be denoted IVi where 0≤i≤63. The initialization of the key is done as follows.

Load the LFSR with the key bits bi=ki for 0≤i≤79 Load the first 64 bits of the LFSR with the IV, si=IVi for 0≤i≤63 The remaining bits of the LFSR are filled with ones, si=1 for 64≤i≤79.

Because of this, the LFSR can’t be initialized to all zero state. Then the cipher is clocked 160 times without producing any running key. Instead the output of the filter function h(x) is fed back and XORed with the input both to the LFSR and to the NFSR.

Fig. 2 ­ The key initialization

There are four members of Grain Family of stream ciphers with different

feedback polynomials and other design specifications.

Grain V0 ­ It’s the first design submitted to eSTREAM. It is an 80 bit stream cipher that uses one LFSR, one NFSR of 80 bit each that gives an internal state of 160 bit.

Feedback polynomial of LFSR f(x)= 1+ x18 + x29 + x42 + x57 + x67 + x80

Feedback polynomial of NFSR

g(x) = 1+ x17+ x20+ x28+ x35+ x43+ x47+ x52+ x59+ x65+ x71+ x80+ x17x20+ x43x47+ x65x71+ x20x28x35+ x47x52x59+ x17x35x52x71+ x20x28x43x47+ x17x20x59x65+ x17x20x28x35x43+ x47x52x59x65x71+ x28x35x43x47x52x59

The filter function used is

h(x) = x1+ x4+ x0x3+ x2x3+ x3x4+ x0x1x2+ x0x2x3+ x0x2x4+ x1x2x4+ x2x3x4

where the variables x0, x1, x2, x3, x4 correspond to the tap positions si+3, si+25, si+46, si+64, bi+63 respectively.

Keystream function : zt = xt ⨁ h(yt+3, yt+25, yt+46, yt+64, yt+63)

Grain V1 ­ It has similar design specs as in Grain V0 and it is also 80 bit stream cipher but the feedback function of NFSR is slightly modified :

The new feedback polynomial of NFSR

g1(x) = 1+ x18+ x20+ x28+ x35+ x43+ x47+ x52+ x59+ x65+ x71+ x80+ x17x20+

x43x47+ x65x71+ x20x28x35+ x47x52x59+ x17x35x52x71+ x20x28x43x47+ x17x20x59x65+ x17x20x28x35x43+ x47x52x59x65x71+ x28x35x43x47x52x59.

The filter function is same as V0 but the keystream function is modified. The new keystream function is defined as :

zi = bi+k + h(si+3, si+25, si+46, si+64, si+63) where A = 1, 2, 4, 10, 31, 43, 56

Grain 128 ­ Feedback polynomial of LFSR f(x) = 1+ x32+ x47+ x58+ x90+ x121+ x128

Feedback polynomial of NFSR

g(x) = 1+ x32+ x37+ x72+ x102+ x128+ x44x60+ x61x125+ x63x67+ x69x101+ x80x88+ x110x111+ x115x117

The filter function is h(x) = x0x1+ x2x3+ x4x5+ x6x7 +x0x4x8 where the variables x0 to x8 respectively correspond to the tap position bi+12, si+8, si+13, si+20, bi+95, si+42, si+60, si+79, si+95 The keystream function is defined as

zi = bi+j+ h(x)+ si+93 where A = 2, 15, 36, 45, 64, 73, 89 Grain 128a ­ It is the strongest member of the Grain Family of stream ciphers that is 128 bit cipher which also incorporate authentication mechanism. It uses the same feedback polynomial for LFSR and similar filter function as in the Grain 128 but the feedback polynomial has been strengthened with respect of different possible attacks.

The new feedback polynomial of NFSR is

g(x) = 1+ x32+ x37+ x72+ x102+ x128+ x44x60+ x61x125+ x63x67+ x69x101+ x80x88+ x110x111+ x115x117+ x46x50x58+ x103x104x106+ x33x35x36x40

The keystream function has been also tweaked :

yi = h(x)+ si+93+ bi+j where A = 2, 15, 36, 45, 64, 73, 89

zi = y64+2i Grain 128a can be used in both the modes ­ with authentication or without authentication.

Assumptions ­ Resistance against all known cryptanalytic attacks is the most important property of a cipher. Initial cryptanalytic attempts against the cipher show fault attacks to be among the strongest attacks. We (from the perspective of an attacker) assume that we can apply some bit flipping faults to one of the two feedback registers at our will. However we have only partial control over their number, location and exact timing. We can make a stronger assumption that any attacker is able to flip a single bit at a time instance and at a location which s/he may not know exactly.

Additionally we can reset the device to its original state and then apply another randomly chosen fault to the device. However we make the strongest possible assumption, which may not be realistic, that we induce a single bit fault in the LFSR and that we’re somehow able to determine the exact position of the fault. The aim is to study input­output properties for h(x) and to derive information on the 5 inputs out of the known input­output pairs similar as for S­boxes in differential cryptanalysis of DES.

Attacks ­ As long as the difference induced by the fault in the LFSR

does not propagate to position bi+63, the difference observed in the output of the cipher is coming from inputs of h(x) from the LFSR alone. If we’re able to reset the device to induce a single bit fault many times at different positions that we can correctly guess from the output difference, we can not preclude that we’ll get get the information about a subset of the state bits in the LFSR. Nonetheless such an attack seems more difficult under the (more realistic) assumption that the fault induced affects several state bits at partially unknown positions, since in that case it’s more difficult to determine the induced difference from output differences.

Likewise, we can also consider faults induced in the NFSR alone. By the way these faults don’t influence the contents of the LFSR. However, faults in the NFSR propagate nonlinearly and their evolution will be harder to predict. Thus a fault attack on the NFSR seems more difficult.

The best classical cryptanalytic techniques haven’t yet obtained any results against Grain. Recently there has been reported of a successful fault attack based on a single bit­flip in the state of the cipher without knowledge of the flipped bit though requiring exact timing downright clock­accurate.

Here is a brief account on various attacks on the Grain family of stream ciphers :

Grain V0 ­ A distinguishing attack against Grain V0 was mounted by Khazaei et al. It uses the concepts of linear sequential circuit approximation

method with a time and memory complexity of O(261.4). The second attack, presented by Maximov et al., is a key recovery

attack against Grain V0. In this attack, first of all linear approximation method is used to derive the LFSR bits and these LFSR bits are further utilized to recover the initial state of NFSR and knowledge of key. This

attack requires 238 keystream bits and computational complexity of O(243) to recover the key. As a countermeasure of these attacks, the designers of the

Grain proposed and submitted a new design Grain V1.

Grain V1 ­ Canniere et al. mounted an attack on Grain V1 by using a weakness in initialization algorithm. This attack was an extension of the work by

Kucuk et al. Those two attacks have exploited the sliding property of the Grain V1 that is due to similarity in key initialization and key generation processes.

Lee et al extended a sophisticated attack by exploiting the same

weakness of related key in Grain V1. This attack is a key recovery attack that recovers the key with 222.59 chosen IVs, 226.29 keystream bits and 222.90 computations.

Recently Dynamic Cube Attack was proposed against Grain V1 by Rahimi et al. This attack can recover the 80 bit key if initialization rounds are

reduced to 100 with the computational complexity of 248.

Grain 128 ­ Due to similarity in the designs of Grain V1 and Grain 128, the attacks that are applicable to Grain V1 are also applicable to Grain 128. The attack proposed by Lee et al. takes 226.59 chosen IVs, 231.39 keystream bits and 227.01 computations to recover the 128 bit key.

Berzati et al. introduced a fault attack against Grain 128 that can calculate 128 bit key within minutes by using an average 24 consecutive faults in LFSR.

Karmakar et al. also proposed a fault attack against Grain 128 that targets NFSR and requires 56 faults to up to 256 faults in NFSR state to

compute the secret key with time complexity of O(221) and space complexity of O(222).

A more realistic differential fault attack of Grain­128 was demonstrated in CHES 2015 in which multi clock glitches were supposed instead of single clock glitch because of obtaining enough faults. Also the concept of k­neighbourhood faults were theorized.

Fig. 3 ­ More realistic DFA

2

Fig. 4 ­ k­neighbourhood faults Practical results reveal the following data :

2 NLFSR in the fig. 5 is often termed as NFSR.

Fast Clock Frequency (MHz)

No Fault Single bit fault

Multi bit fault

130 1024 0 0

140 1024 0 0

150 1024 0 0

160 1024 0 0

170 1024 0 0

180 1024 0 0

190 0 bitNFSR128(1024) 0

200 0 bitNFSR125(2) bitNFSR128, bitNFSR125(1022)

210 0 0 bitNFSR127, bitNFSR126, bitNFSR125(1024)

220 0 0 bitNFSR127, bitNFSR126, bitNFSR125, bitNFSR124(1024)

Grain 128a ­ The first 64 bits can not be accessed by the attackers when authentication mode is on. Maitra et al. proposed a differential fault

attack that targets the MAC instead of keystream. The attack requires 211 fault injections and 212 MAC generation routines to access the key.

Ding and Guan proposed a related key attack that requires 296 chosen

IVs and 2103.613 keystream bits to recover the 128 bit key with the computational complexity of 296.322.

The following table gives the key length, IV size and padding used in IV’s to fill it for different ciphers of Grain family :

Cipher Key Length IV Length Padding in IV

Grain V0 80 64 FFFF

Grain V1 80 64 FFFF

Grain 128 128 96 FFFFFFFF

Grain 128a 128 96 FFFFFFFE

The following table presents the update functions of all the ciphers of the Grain family for the two shift register ­ LFSR and NFSR :

Cipher

LFSR update function

NFSR update function

Grain

V0 si+80=si+si+13+si+23+ si+38+si+51+si+62

bi+80=si+bi+63+bi+60+bi+52+bi+45+bi+37+bi+33+bi+28+bi+21+ bi+15+bi+9+bi+bi+63bi+60+bi+37bi+33+bi+15bi+9+bi+60bi+52bi+45+

bi+33bi+28bi+21+bi+63bi+45bi+28bi+9+bi+60bi+52bi+37bi+33+ bi+63bi+60bi+21bi+15+bi+63bi+60bi+52bi+45bi+37+ bi+33bi+28bi+21bi+15bi+9+ bi+52bi+45bi+37bi+33bi+28bi+21

Grain

V1 si+80=si+si+13+si+23+ si+38+si+51+si+62

bi+80=si+bi+bi+9+bi+14+bi+21+bi+28+bi+33+bi+37+bi+45+bi+52+

bi+60+bi+62+bi+9bi+15+bi+33bi+37+bi+60bi+63+bi+21bi+28bi+33+

bi+45bi+52bi+60+ bi+15bi+21bi+60bi+63+bi+33bi+37bi+52bi+60+ bi+9bi+28bi+45bi+63+bi+9bi+15bi+21bi+28bi+33+ bi+37bi+45bi+52bi+60bi+63+bi+21bi+28bi+33bi+37bi+45bi+52

Grain 128

si+128=si+si+7+si+38+ si+70+si+81+si+96

bi+128=si+bi+bi+26+bi+56+bi+91+bi+96+bi+3bi+67+bi+11bi+13+

bi+17bi+18+bi+27bi+59+bi+40bi+48+ bi+61bi+65+bi+68bi+84

Grain 128a

bi+128=si+bi+bi+26+bi+56+bi+91+bi+96+bi+3bi+67+bi+11bi+13+

bi+17bi+18+bi+27bi+59+bi+40bi+48+bi+61bi+65+bi+68bi+84+ bi+88bi+92bi+93bi+95+ bi+22bi+24bi+25+bi+70bi+78bi+82

MICKEY 2.0 ­ Mickey 2.0 is a hardware efficient synchronous cipher designed by Steve Babbbage and Mattew Dodd aimed at resource constrained platforms.

The name MICKEY is abbreviated from Mutual Irregular Clocking KEY Stream Generator.

Design ­ The cipher makes use of a 80 bit key and an initialization vector with up to 80 bits in length. The cipher secret state consists of two 100 bit shift registers : one linear and one nonlinear, each of which is irregularly clocked under mutual control of the other.

The specific clocking mechanisms contribute cryptographic strength while still providing guarantee on period and pseudorandomness. The cipher

specification states that each key can be used with up to 240 different IVs of the same length and that 240 keystream bits can be generated from each key/IV pair. The designers have also specified a scaled­up version of the cipher called MICKEY­128 2.0 which takes a 128 bit key and an IV up to 128 bits.

The building blocks of MICKEY 2.0 are two registers R and S, each of which is 100 stages long (each stage contains 1 bit). The register R is envisioned as the “linear register” and the S one as the “nonlinear register”. The clocking of R is done in two ways, depending on the control bit of R. When the bit is 0 the clocking of R is a standard LFSR clocking operation with a primitive polynomial of degree 100. When the bit is 1, each bit in the register is shifted to the right as well as XOR­ed into the current state.

Fig. 5 ­ MICKEY generic algorithm structure

The clocking of S is done by use of given four sequences of 100 bits each. Two of the sequences are used to derive an intermediate state and the other two are then multiplied with the feedback bit, one when the control bit of S is 0 and the other one otherwise.

The generator is clocked on depending on both of the registers R and S. The registers are both initialized with all zeros. After that IV and key are loaded. Keystream bits are generated by XOR­ing the registers R and S.

1 IV Loading for i=0 to (v­1) CLOCK_KG(R,S,1,IVi) 3

2 Key Loading for i=0 to 79 CLOCK_KG(R,S,1,Ki)

3 Pre Clock For i=0 to 99 CLOCK_KG(R,S,1,0)

4 PRGA While required z=r0+s0 CLOCK_KG(R,S,0,0)

3 Let’s say the cipher supports an 80bit Key and a v­bit IV for 0 ≤ v ≤ 80

For security against side channel attacks is required, MICKEY isn’t

optimal. The main area of the susceptibility is the variable clocking of the linear register R. The clocking of the overall generator includes some conditional branching that is based on one bit. Therefore there is a possibility for fault attack.

The first version (v 1.0) of the cipher was cryptanalyzed and presented

in INDOCRYPT 2005. It was a TMD­tradeoff attack by Hong et al. The attack 4

uses low sampling resistance of the cipher. The response to the betterment of the cipher was an increase in state size from 160 to 200.

It has been noted that by Gierlichs et al. in a 2008 paper that straightforward implementations of the MICKEY ciphers are likely to be susceptible to side channel cryptanalysis attacks where these are relevant.

In 2013 Subhamoy Maitra et al. presented a revised and extended version of a differential fault attack on MICKEY 2.0. The work is one of the first cryptanalytic attempts against this cipher and requires reasonable computational effort. The attack works due to the simplicity of the output function and certain register update operations of MICKEY 2.0 and would have been thwarted had those been of more complex nature. Differential Fault Attacks are now known against all of the three ciphers in the hardware portfolio of eSTREAM. The attacks on all the three ciphers use exactly the same fault model that is similar to the operation proposed by Subhamay et al. Let’s summarize the fault requirements :

Cipher State Size Average #Faults

Trivium 288 3.2

Grain v1 160 ≈10

MICKEY 2.0 200 ≈214.7

4 INDOCRYPT is an annual international cryptography conference held each December since 2000 in India. Venue of INDOCRYPT 2005 was Bangalore.

Conclusion ­ This paper try to evaluate that fault attacks are quite efficient and extremely powerful means for side channel cryptanalysis of stream ciphers. Their applicability were demonstrated to a wide variety of (mainly hardware­oriented) stream ciphers, actual schemes and improvement over course of time. There is no such thing as absolute protection. Further details on this subject matter requires practical laboratory based attacks on smart card implementations of the stream ciphers because when describing a fault attack on any cryptographic primitive, it is important to try and bridge the gap between theoretically and practically achievable fault models.