
Differential Fault Attacks On Lightweight Stream Cipher Fruit Family

Posted on: 2022-07-19
Degree: Master
Type: Thesis
Country: China
Candidate: Q L Qiao
GTID: 2518306605967649
Subject: Cryptography

Abstract/Summary:
In a resource-constrained environment, maintaining the proper balance between security and other performance indicators (such as memory requirements, throughput, and energy requirements) is a major challenge. In 2017, the National Institute of Standards and Technology (NIST) pointed out in its latest lightweight encryption report that asymmetric cryptography requires a lot of computation, storage space and energy, and is not suitable for resource-constrained environments; it recommended using symmetric cryptography. In recent years, lightweight symmetric cryptography has received widespread attention because it provides a high level of security in constrained environments such as the Internet of Things (IoT). FSE 2015 introduced a new idea, namely designing stream ciphers that use the key continuously. In recent years, many ultra-lightweight stream ciphers have been produced based on this idea, such as Sprout, Plantlet, Lizard and Fruit. With the emergence of different lightweight and ultra-lightweight stream ciphers, corresponding analysis methods have appeared one after another. However, there are currently few analysis methods for the Fruit family ciphers, and differential fault attacks on the Fruit family have not yet been addressed. The main contributions of this article are as follows:

On the one hand: This paper analyzes the existing attacks on the Fruit family ciphers, summarizes the weaknesses of the Fruit family ciphers, and gives their differential characteristics. Then, based on the location detection algorithm for Grain proposed by Banik et al., we propose a signature-vector-based fault location identification method suitable for Fruit v2 and Fruit-80. On this premise, the three algorithms are verified by simulated position injection and position detection, and statistical results on the feasibility and accuracy of the identification are given. Because the round key function of Fruit-F is determined by the internal state rather than the counter, this paper modifies the position detection algorithm for Sprout proposed by Maitra et al. and proposes a position detection algorithm for Fruit-F. It is found that this algorithm is universal to the Fruit family. Compared with Sprout and Plantlet, the results show that the fault location is easier to determine for Fruit v2, Fruit-80 and Fruit 128. Finally, this paper compares the complexity of the two methods.

On the other hand: In this paper, Differential Fault Analysis (DFA) against the Grain family of stream ciphers has been studied under various fault models, some more restrictive and some more relaxed. In the first attack, we assume that the attacker is able to inject time-synchronized, single bit-flipping faults in the same, albeit random, register location. The attacker uses a linear first-order derivative of the output function h used in the Fruit family to formulate linear equations and recover the internal state of the cipher. In the second attack, the attacker is no longer allowed to inject multiple faults at the same register location. This paper analyzes the Grain family analysis method proposed by Banik et al., optimizes and modifies it according to the characteristics of Fruit, proposes the D-Fruit algorithm to record the fault diffusion, and further proposes the FLE algorithm to obtain linear equations containing only LFSR or NFSR. Finally, a nonlinear equation system is established according to the periodicity of the Fruit family round key function, and a SAT solver is used to solve the established equation system to complete the key recovery.
Keywords/Search Tags:Small State Stream Cipher, Fruit family, fault model, Differential Fault Attack, SAT solver