SKINNY的差分故障攻击与ForkAE的密钥恢复攻击  

作　　者：谢敏[1] 江家煜 陈杰[1,2] XIE Min;JIANG Jia-Yu;CHEN Jie(State Key Laboratory of Integrated Services Networks,Xidian University,Xi’an 710071,China;Henan Key Laboratory of Network Cryptography Technology,Zhengzhou 450001,China)

机构地区：[1]西安电子科技大学空天地一体化综合业务网全国重点实验室,西安710071 [2]河南省网络密码技术重点实验室,郑州450001

出　　处：《密码学报（中英文）》2024年第3期692-705,共14页Journal of Cryptologic Research

基　　金：国家自然科学基金重点项目(62132013);国家自然科学基金(62372346);陕西省重点研发计划(S2024-YFYBGY-1540);河南省网络密码技术重点实验室研究课题(LNCT2022-A08)。

摘　　要：作为LWC竞赛的候选算法之一,ForkAE是基于叉形密码结构的一系列轻量级认证加密算法,其中使用的加密原语为轻量级可调分组密码族SKINNY.本文首先给出了一种对SKINNY族内各算法进行差分故障攻击的方法.对于SKINNY-64-64和SKINNY-64-128,在算法倒数第三轮注入随机半字节故障,理论上平均通过2.32次随机半字节故障注入即可得知连续两轮共4个半字节的信息.通过对多个位置的信息获取,理论上平均通过9.23次随机半字节故障注入即可恢复单轮的64 bit轮密钥,结合密钥扩展算法即可恢复全部64 bit的主密钥.利用类似的方法攻击SKINNY-128-128和SKINNY-128-256,在算法倒数第三轮注入随机字节故障,理论上平均通过2.4次随机字节故障注入即可得知连续两轮共4个半字节的信息,平均通过9.56次随机字节故障注入即可恢复128 bit的主密钥.攻击SKINNY-64-192或SKINNY-128-384时需要额外对倒数第五轮进行攻击,分别需要18.52次随机半字节故障注入和19.18次随机字节故障注入.在对SKINNY完成的差分故障分析的基础上,本文给出了一种对ForkAE进行密钥恢复的方法,理论上仅需要1次对故障加密机的询问即可恢复ForkAE的主密钥.As one of the candidate algorithms for the LWC contest,ForkAE is a family of lightweight authentication encryption algorithms based on fork ciphers,and the encryption primitive of ForkAE is a family of lightweight adjustable block cipher named SKINNY.A differential fault attack on SKINNY is given in this paper.By injecting random nibble faults in the antepenultimate round of the algorithm SKINNY-64-64 and SKINNY-64-128,a total of 4 nibbles in two consecutive rounds can be found after an average of 2.32 random nibble fault injections theoretically.By getting information of multiple locations,the full 64 bits of the round key can be recovered after an average of 9.89 random nibble fault injections,and the master key can be recovered subsequently taking advantage of the key schedule algorithm.Similar methods are utilized for SKINNY-128-128 and SKINNY-128-256.By injecting random byte faults in the antepenultimate round of these two algorithms,a total of 4 bytes in two consecutive rounds can be found after an average of 2.4 random byte fault injections theoretically,and the 128-bit master key can be recovered after an average of 9.56 random byte fault injections theoretically.The full recovery of SKINNY-64-192 or SKINNY-128-384 requires an extra attack to the fifth round from the bottom,taking 18.52 random nibble fault injections and 19.18 random byte fault injections respectively.Using the differential fault analysis on SKINNY,a method for key recovery of ForkAE is given in this paper,and the master key of ForkAE can be recovered in theory with only 1 query to the fault-injected encryptor.

关 键 词：ForkAE算法 SKINNY算法 差分故障攻击 

分 类 号：TP309.7[自动化与计算机技术—计算机系统结构]