Fault analysis is a potentially powerful attack on stream ciphers. Until now, most work on fault analysis has sought to simplify the cipher by injecting soft faults, that is, momentarily changing the values of some register bits. We call this soft fault analysis. As a hardware-oriented stream cipher, Trivium is weak under soft fault analysis. In this paper we consider another type of fault analysis, which simplifies the cipher by injecting hard faults, that is, permanently setting the values of some register bits to zero. We call this hard fault analysis, and use it to analyze Trivium. We classify the fault positions into seven cases; in five of them the cipher can be broken or efficiently simplified. We present the following results about this attack on Trivium. In one case, with probability not smaller than 0.2396, the attacker can obtain 69 bits of the 80-bit key. In another case, with probability not smaller than 0.2292, the attacker can recover the full key. In a third case, with probability not smaller than 0.2292, the attacker can partially solve the key. In a fourth case, with non-negligible probability, the attacker can obtain a simplified cipher with a smaller number of state bits and a slower non-linearization procedure. In a fifth case, with non-negligible probability, the attacker can obtain another simplified cipher. The attacker's computations are simple and immediate, and the cipher can be broken or efficiently simplified with probability not smaller than 0.698. In addition, these five cases can be distinguished by observing the keystream.