dc.description.abstract |
Privacy is one of the most fundamental aspects of the digital age that
we live in. With the advent of the Internet and the advances in both nanoscale
electronics and communication technologies, data has become the new
oil. And wherever there is data there is a notion of its privacy. Whether data
is at rest or in motion, privacy and authenticity have always been the hallmark
of modern day communication. Cryptography provides us the necessary tools
and primitives that help us achieve among others, the goals of privacy, integrity
authenticity in isolation and more recently even simultaneously. While conventional
crypto tackles most of the problems efficiently, it has been seen to be
particularly, not suitable for resource constrained environments which are being
increasingly prevalent in present-day Internet-of-Thing (IoT) environments,
RFID tags so on and so forth. This is primarily attributed to the fact that
traditional crypto is “heavy-weight” in terms of the computational resources
that it demands, be it in terms of chip-area, power-consumption, throughputs
etc and hence become unusable or overwhelming for devices that operated on
limited resources. This points us in the direction of a new typo of crypto which
is referred to as “Lightweight” crypto. Lightweight Cryptographic algorithms
are tailored for resource starved settings and hence perform better in such environments.
The importance of lightweight crypto is evidence by the on-going
multi-year global competition by NIST for standardizing the next generation
lightweight authenticated ciphers and presently in the final round.
This work consists cryptanalysis of two lightweight block ciphers namely
PRINCE, and PRINCEv2 which are based on the SPN design philosophy. PRINCE
has been around for some time and is proposed keeping in mind unrolled implementations.
PRINCEv2 is the new version of PRINCE which was reported in
SAC 2020. In the current work, we introduce a new fault attack on PRINCE
based on the random bit-model where faults are injected in the input of 10
th round. The attack is able to uniquely recover the key using 7 faults. It
is interesting to see that the random bit-fault model which is a popular fault
model has not yet been explored independently on PRINCE. Though Song and
Fu [SH13] have explored the random-nibble fault and mentioned the bit-model
to be a special case, they actually fail to capture the full scenario. Herein lies
the motivation of the current work. We look at the bit-model in isolation and
in-depth and conclude that it is more effective both in terms of the point at
which the fault is injected as well as the complexity of the resulting DFA. In
terms of the point of fault injection it is important to emphasize that in the
attack reported in [SH13], the fault is actually injected before/during the SubByte-Inverse operation in the 10 th round which is the last operation of the 10
th round. Thus it will be more appropriate to state the fault injection point to
be 10.5 rounds at best instead of 10 rounds as claimed by the authors in [SH13]
(Refer Fig. 3.7). We touch upon this aspect in details in the discussion section
later in this work. On the contrary, the random bit-flip DFA proposed here
actually induces the fault at the input of 10 th round. The work further gives
a classification of fault-invariants that are generated at the end of 11 th round
due to a random bit-fault at the beginning of 10 th round. Further, PRINCEv2
was introduced with many modifications primarily in the key-schedule to thwart
many classical attacks on PRINCE. We investigated PRINCEv2 in the light of
the current work and found that PRINCEv2 is equally vulnerable to all attacks
reported here. Finally, we look at PRINCE-like ciphers in general and comment
on the impact of the -reflection property on the amplification of the scope of
fault injection. |
en_US |