IACR News item: 17 March 2025
Weizhe Wang, Pierrick Méaux, Deng Tang
Recently, Differential Fault Attacks (DFAs) have proven highly effective against stream ciphers designed for Hybrid Homomorphic Encryption (HHE). In this work, we present a table-based DFA framework called the \textit{shortcut attack}, which generalizes the attack proposed by Wang and Tang on the cipher \textsf{Elisabeth}.
The framework applies to a broad sub-family of ciphers following the Group Filter Permutator (GFP) paradigm and enhances previous DFAs by improving both the fault identification and path generation steps. Notably, the shortcut attack circumvents the issue of function representation, allowing successful attacks even when the cipher's filter function cannot be represented over the ring it is defined on.
Additionally, we provide complexity estimates for the framework and apply the shortcut attack to \textsf{Elisabeth-4} and its patches. As a result, we optimize the DFA on \textsf{Elisabeth-4}, requiring fewer keystreams and running faster than previous methods. Specifically, we achieve a DFA that requires only $3000$ keystreams, which is one-fifth of the previous best result. We also successfully mount a practical DFA on \textsf{Gabriel-4} and provide a theoretical DFA for \textsf{Elisabeth-b4}.
For the latest patch, \textsf{Margrethe-18-4}, which follows the more general Mixed Filter Permutator (MFP) paradigm, we present a DFA in a stronger model. To the best of our knowledge, these are the first DFA results on the patches of \textsf{Elisabeth-4}. Finally, we derive security margins to prevent shortcut attacks on a broad sub-family of MFP ciphers, which can serve as parameter recommendations for designers.
Additionally, we provide complexity estimates for the framework and apply the shortcut attack to \textsf{Elisabeth-4} and its patches. As a result, we optimize the DFA on \textsf{Elisabeth-4}, requiring fewer keystreams and running faster than previous methods. Specifically, we achieve a DFA that requires only $3000$ keystreams, which is one-fifth of the previous best result. We also successfully mount a practical DFA on \textsf{Gabriel-4} and provide a theoretical DFA for \textsf{Elisabeth-b4}.
For the latest patch, \textsf{Margrethe-18-4}, which follows the more general Mixed Filter Permutator (MFP) paradigm, we present a DFA in a stronger model. To the best of our knowledge, these are the first DFA results on the patches of \textsf{Elisabeth-4}. Finally, we derive security margins to prevent shortcut attacks on a broad sub-family of MFP ciphers, which can serve as parameter recommendations for designers.
Additional news items may be found on the IACR news page.