International Association for Cryptologic Research

CryptoDB

RAFA: Redundancies-assisted Algebraic Fault Analysis and its implementation on SPN block ciphers

Authors:
Zehong Qiu (Zephyr), College of Computer Science and Technology, Zhejiang University, Hangzhou, China
Fan Zhang, College of Computer Science and Technology, Zhejiang University, Hangzhou, China; Alibaba-Zhejiang University Joint Institute of Frontier Technologies, Hangzhou, China; Zhengzhou Xinda Institute of Advanced Technology, Zhengzhou, China
Tianxiang Feng, College of Computer Science and Technology, Zhejiang University, Hangzhou, China
Xue Gong, College of Computer Science and Technology, Zhejiang University, Hangzhou, China
Download:
DOI: 10.46586/tches.v2023.i3.570-596
URL: https://tches.iacr.org/index.php/TCHES/article/view/10974
Abstract: Algebraic Fault Analysis (AFA) is a cryptanalysis for block ciphers proposed by Courtois et al., which incorporates algebraic cryptanalysis to overcome the complexity of manual analysis within the context of Differential Fault Analysis (DFA). The effectiveness of AFA on lightweight block ciphers has been demonstrated. However, the complexity of the algebraic systems prevents it from attacking heavyweight block ciphers efficiently. In this paper, we propose a novel cryptanalysis called Redundancies-assisted Algebraic Fault Analysis (RAFA) to facilitate the solution of algebraic systems in the setting of heavyweight block ciphers. The core idea of RAFA is to expedite SAT solvers by modifying the algebraic systems, which is accomplished via two methods. The first method introduces redundant constraints, which is proposed for the first time in the context of algebraic cryptanalysis. The second one is a sophisticated linearization of the nonlinear Algebraic Normal Form (ANF). RAFA takes about 9.68 hours to attack AES-128. To the best of our knowledge, this is the first work that uses a general SAT solver to attack AES with only a single injection of a byte fault. Moreover, RAFA can attack AES-128 in 50.92 and 27.54 minutes for the nibble- and bit-based fault models, respectively. In comparison, the traditional DFA algorithm implemented in pure C takes 4 ~ 5 hours under all three fault models investigated in this work. Moreover, in order to show the generality of RAFA, we also apply it to other heavyweight block ciphers. The best results show that RAFA could recover the key of Serpent-256 and SPEEDY-r-192 in 20.7 and 1.5 hours using only three faults, respectively. In comparison, AFA could not break these two ciphers even when 30 bits and 50 bits of their keys are known, respectively. Furthermore, no DFA work on Serpent or SPEEDY is known using comparable fault models.
BibTeX
@article{tches-2023-33300,
  title={RAFA: Redundancies-assisted Algebraic Fault Analysis and its implementation on SPN block ciphers},
  journal={IACR Transactions on Cryptographic Hardware and Embedded Systems},
  publisher={Ruhr-Universität Bochum},
  volume={2023, Issue 3},
  pages={570-596},
  url={https://tches.iacr.org/index.php/TCHES/article/view/10974},
  doi={10.46586/tches.v2023.i3.570-596},
  author={Zehong Qiu (Zephyr) and Fan Zhang and Tianxiang Feng and Xue Gong},
  year=2023
}