Fault Attacks Of Stream Ciphers

Posted on: 2011-05-29
Degree: Master
Type: Thesis
Country: China
Candidate: Y C Shen
GTID: 2178330338489999
Subject: Mathematics

Abstract/Summary:
Modern cryptography usually divides symmetric ciphers into two classes: block ciphers and stream ciphers. A block cipher operates on chunks of plaintext to produce the ciphertext. A stream cipher, on the other hand, is commonly composed of a PRG (pseudo-random generator) that produces a pseudo-random stream of bits, which is then bitwise XORed with the plaintext bits to produce the ciphertext. Stream ciphers are usually faster than block ciphers, especially in hardware implementations, and require only simple circuitry. In addition, when there is not enough cache memory or data has to be processed bit by bit, stream ciphers are a good choice. Because stream ciphers have so many advantages over block ciphers, it is important to study them.

Attacks against cryptosystems can be divided into two classes: direct attacks and indirect attacks. Direct attacks target the algorithmic nature of the cryptosystem regardless of its implementation. Indirect attacks make use of the physical implementation of the cryptosystem and include a large variety of techniques that either give the attacker some 'inside information' on the encryption process (such as power or time, etc.) or impose some kind of influence on the cryptosystem's internal state to derive useful information. A fault attack, which is an indirect attack, is based on a careful study of the effect of fault propagation in order to derive information about either the key or the internal state of the cryptosystem. For many ciphers against which direct attacks are not very effective, a fault attack can give surprising results.

This thesis investigates fault attacks on stream ciphers. First, a fault attack on the stream cipher A5/1, which is composed of several LFSRs (Linear Feedback Shift Registers), is studied. Assuming that the attacker can apply a random single-bit fault, and combining this with the idea of the Guess-Determine attack, 99.9% of wrong guesses can be discarded, and thus the internal state of A5/1 can be fully recovered. Only three faults are needed in the attack, the complexity of the attack is about 240, and the success rate is larger than 99%. Second, we investigate a fault attack on Salsa20/256, which is designed in new ways and is also one of the winners of the eSTREAM project. Based on the random fault word model, 186 bits of the key can be recovered with probability close to 1 using 96 faults, which implies that Salsa20/256 is sensitive to this type of fault attack.
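
The fault propagation the abstract refers to can be observed on a simulation of A5/1. The following is an added example, not code from the thesis: it models the generator from the public A5/1 description (register lengths, taps and clocking bits are taken from that description, `SAMPLE_STATE` is a constructed value), flips one state bit, and returns the XOR of the clean and faulty keystreams. It does not implement the thesis's state-recovery procedure.

```python
# Added illustration: A5/1 keystream generator with a single-bit fault injected.
# Register lengths, taps and clocking bits follow the public A5/1 description.
# (length, feedback taps, clocking bit) for R1, R2, R3
REGS = ((19, (13, 16, 17, 18), 8),
        (22, (20, 21), 10),
        (23, (7, 20, 21, 22), 10))
SAMPLE_STATE = (0x2A5F1, 0x1B3C7D, 0x5E4D21)  # constructed, not a real session

def bit(value, pos):
    return (value >> pos) & 1

def clock(state):
    """One step of majority (stop/go) clocking over the three LFSRs."""
    cbits = [bit(r, cpos) for r, (_, _, cpos) in zip(state, REGS)]
    majority = 1 if sum(cbits) >= 2 else 0
    nxt = []
    for r, c, (length, taps, _) in zip(state, cbits, REGS):
        if c == majority:  # only registers agreeing with the majority move
            fb = 0
            for t in taps:
                fb ^= bit(r, t)
            r = ((r << 1) & ((1 << length) - 1)) | fb
        nxt.append(r)
    return tuple(nxt)

def keystream(state, nbits):
    """nbits of keystream; each bit is the XOR of the registers' top bits."""
    out = []
    for _ in range(nbits):
        state = clock(state)
        out.append(bit(state[0], 18) ^ bit(state[1], 21) ^ bit(state[2], 22))
    return out

def fault_differential(state, reg, pos, nbits=64):
    """XOR of the clean keystream and the one after flipping a single bit."""
    faulty = list(state)
    faulty[reg] ^= 1 << pos  # single-bit fault model from the abstract
    clean_ks = keystream(state, nbits)
    faulty_ks = keystream(tuple(faulty), nbits)
    return [a ^ b for a, b in zip(clean_ks, faulty_ks)]

if __name__ == "__main__":
    # With this sample state a fault next to R1's output bit shows at once;
    # one at bit 0 must first travel up the register, so the early
    # keystream is unchanged.
    for pos in (17, 0):
        diff = fault_differential(SAMPLE_STATE, 0, pos)
        print(f"R1 bit {pos:2d}: {''.join(map(str, diff))}")
```

The position of the first non-zero bit in the differential depends on where the fault landed relative to the clocking and output bits, which is the kind of dependence a fault analysis studies.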
Keywords/Search Tags:stream ciphers, fault attacks, A5/1, Salsa20/256