Security and Communication Networks

Volume 2017, Article ID 3834685, 16 pages

https://doi.org/10.1155/2017/3834685

## Fault Attack on the Authenticated Cipher ACORN v2

^{1}State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China

^{2}School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China

^{3}Key Laboratory of Mathematics Mechanization, Academy of Mathematics and System Science, Chinese Academy of Sciences, Beijing, China

Correspondence should be addressed to Xiaojuan Zhang; zhangxiaojuan@iie.ac.cn

Received 9 May 2017; Revised 24 July 2017; Accepted 23 August 2017; Published 2 October 2017

Academic Editor: Angelos Antonopoulos

Copyright © 2017 Xiaojuan Zhang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

Fault attack is an efficient cryptanalysis method against cipher implementations and has attracted much attention in the recent public cryptographic literature. In this work we introduce a fault attack on the CAESAR candidate ACORN v2. Our attack is carried out under the assumption of random fault injection into the initial state of ACORN v2 and consists of two main steps: fault locating and equation solving. In the first step, we first present a fundamental fault locating method, which uses a 99-bit output keystream to determine the fault injection location with probability . Several improvements are then provided, which further increase the probability of fault locating to almost 1. For the system of equations retrieved in the first step, we give two solving methods in the second step, namely linearization and guess-and-determine. The time complexity of our attack is not larger than at worst, where is the number of fault injections such that and is the time complexity of solving linear equations. Our attack provides some insights into the diffusion ability of such compact stream ciphers.

#### 1. Introduction

CAESAR [1] is a new competition calling for authenticated encryption schemes. Its purpose is to find authenticated ciphers that offer advantages over AES-GCM and are suitable for widespread adoption. In total, 57 candidates were submitted to the CAESAR competition, and after two rounds, 15 submissions have been selected for the third round. As one of them, ACORN is a lightweight stream-cipher-based authenticated encryption cipher submitted by Hongjun [2–4]. The cipher consists of a simple binary feedback shift register (FSR, for short) of length 293 and aims to protect up to bits of associated data (AD) and up to bits of plaintext and to generate up to a 128-bit authentication tag, using a 128-bit secret key and a 128-bit initial value (IV).

There are some attacks against ACORN. Meicheng et al. showed the slid properties of ACORN v1 and used them to recover the internal state of ACORN v1 by means of guess-and-determine and differential-algebraic techniques [5], but the attack was worse than a brute force attack. Chaigneau et al. described an attack that allowed an instant key recovery when the nonce was reused to encrypt a small amount of chosen plaintexts [6]. Johymalyo and Sarkar kept the key and IV unchanged, modified the associated data, and found that the associated data did not affect any keystream bits if it had a small size [7]. Salam et al. investigated cube attacks against both ACORN v1 and v2 up to 477 initialization rounds, which is far from threatening the real-life usage of the cipher [8]. Salam et al. also developed an attack to find a collision of internal states when the key was known [9]. Frédéric et al. claimed that they developed practical attacks to recover the internal state and secret key, which were much more expensive than the brute force attack [10]. Dibyendu and Mukhopadhyay gave some results on ACORN [11]; one of them was a probabilistic linear relation between plaintext bits and ciphertext bits, which held with probability . The bias was too small to be tested. The other result was that they could recover the initial state of the cipher with complexity approximately equal to , which was done under an impractical assumption. The designer commented on the analysis of ACORN at https://groups.google.com/forum/#!topic/crypto-competitions/dzzNcybqFP4, pointing out that some of the attacks are not really attacks. Since the fault differential attack is a side channel attack working on physical implementations, it is interesting to apply side channel cryptanalysis to a cryptographic algorithm that is being used or will be used in practice. In [12], the authors show that with 9 fault experiments they can recover the initial state. However, the length of the keystream they use is 1200 bits, which means that the optimizing SAT solver they used has to solve equations of very high degree, as the equations they used are the output functions and the feedback functions. So far, there are no other results of fault differential attacks on ACORN. In this paper we introduce a fault attack on ACORN v2.

Fault attack has been one of the most powerful tools for retrieving the secret key of many cryptographic primitives since the work of [13]. In [14], Hoch and Shamir first introduced the fault attack on stream ciphers. They showed that in a typical fault attack an attacker injects faults by means of laser shots or clock glitches [15, 16] into a device initialized with a secret key and changes one or more bits of its internal state. He or she can then deduce some information about the internal state or secret key by analyzing the difference between the faulty device and the correct device. A number of recent works have shown that stream ciphers are vulnerable to fault attacks. In 2008, Michal and Bohuslav showed a differential fault attack on Trivium in [17]. In 2011, Mohamed et al. improved Michal and Bohuslav’s attack with a SAT solver in [18]. In 2009, Castagnos et al. gave a fault analysis of Grain-128 by targeting the LFSR in [19]. Karmakar and Chowdhury also showed an attack on Grain-128, but by targeting the NFSR in [20]. Later on, Banik et al. presented a differential fault attack on the Grain family [21, 22]. In 2013, Banik and Maitra evaluated the security of MICKEY 2.0 against fault attacks in [23], and in 2015, Banik et al. gave an improvement of it in [24].

In this work we present a differential fault attack on ACORN v2. As there are no practical attacks against the security of the second version of ACORN so far, the attack presented in our paper is still of interest. Our basic idea comes from the signature-based model proposed in [19]. The main difference is that we use a new method to compute the signature vectors, which are called differential strings in our paper. Omitting the 0 components, we represent a differential string only as the sequence of positions whose corresponding components are either 1 or nonconstant functions on the initial state. Our attack is based on a general fault model where a fault is injected into the initial state of ACORN v2 at a random location, and our main idea is based on the observation that the first 99 keystream bits of ACORN v2 can be expressed as linear or quadratic functions of the initial state, which helps us retrieve enough linear equations to recover the initial state. Our attack consists of two main steps: fault locating and equation solving. In the first step, after a fault is injected into the initial state randomly, we can locate it with probability by a 99-bit differential string between the faulty and correct keystream bits. If the string cannot determine the fault location uniquely, it determines at most 20 candidate fault locations. Subsequently, some improvements are provided to increase the probability of fault locating and reduce the number of candidate fault locations, namely keystream extension, high probability priority, and making-the-most-use-of-things. In the second step, we give two methods for solving the equation system retrieved in the first step: linearization and guess-and-determine. The time complexity of our attack is not larger than at worst, where is the number of fault injections such that and is the time complexity of solving linear equations.

The rest of this paper is organized as follows. In Section 2 a brief description of ACORN v2 is provided. In Section 3 we present a fault attack on ACORN v2 and further give a forgery attack on it. Finally, Section 4 concludes the paper.

#### 2. Description of ACORN v2

We will recall ACORN v2 briefly in this section; for more details one can refer to [3]. Since our attack does not involve the procedures of the initialization, the process of associated data, and the finalization, here we do not intend to introduce them and just restate the encryption procedure briefly.

Denote by the initial state of ACORN v2, that is, the state of the FSR after initialization and immediately before the keystream bits are output, and the plaintext. There are three functions used in the encryption procedure of ACORN v2: the feedback function , the state update function , and the filter function . As its name implies, the feedback function is mainly involved in the feedback computation of the FSR and is defined as

Introduce intermediate variables (): Then the state update function can be described as It is easy to check that is invertible on when is fixed. The filter function is used to derive the keystream and is defined as

At each step of the encryption procedure, one plaintext bit is injected into the state of the FSR, and the ciphertext is obtained by XOR . The pseudocode of the encryption procedure is given as follows: the bit length of the plaintext; for from 0 to do end for

#### 3. Fault Attack on ACORN v2

Before introducing our fault attack on ACORN v2, we first give an outline of the fault attack model described in [19].

We assume that an attacker can access the physical device of a stream cipher and knows the IV and the keystream . The goal of the attacker is to recover the key or forge a valid tag for a plaintext. In our fault attack, the following privileges are required.

(1) The attacker has the ability to reset the physical device with the original Key-IV and restart cipher operations multiple times with the same plaintext.

(2) The attacker can inject a fault into the initial state randomly before the encryption procedure but cannot choose the location of the fault injection.

Our attack contains two main steps: fault locating and equation solving. In the first step, we demonstrate how to determine the fault location and retrieve a system of equations on the initial state, and in the second step, we show how to recover the initial state from this system of equations. Once the initial state is recovered, the forgery attack can be executed easily.

##### 3.1. Fault Locating

In this section we will discuss how to locate a fault after it is injected into the initial state of the FSR. We first introduce a fundamental fault locating method and then provide several improvements.

###### 3.1.1. Fundamental Fault Locating Method

Let be the initial state of the FSR and the plaintext. Denote by the closed integer interval from to for two integers and , where . Let and be the correct keystream and the faulty keystream generated by a faulty initial state at location , respectively, where . We define a 99-bit differential string whose th element satisfies , where . Here we consider only a 99-bit differential keystream, since all of its bits can be represented as linear or quadratic functions of . When , the first feedback bit of degree 2 reaches the 193rd position; the degree of becomes 4 and the degree of the differential keystream bit may be 3. So when , the degrees of the differential keystream bits are not larger than 2. There are three steps to determine the fault location.

Firstly, we get all possible for . Let , which is the set of all locations that are involved in or directly. For any , we can get by changing one bit , whose component is 0, 1, or a function on , . When and , new differences that are not caused by shifting are introduced when shifts to the locations in . So for any , can be obtained directly from some by shifting or by performing a linear transformation on , where . Omitting the components, we represent only as the sequence of positions whose corresponding components are either 1 or nonconstant functions on . To better understand the method, an example is given.

*Example 1.* When is changed, we can get where means consecutive 0s, and Then, omitting the components, we rewrite as where () means that the position is always 1.

For any , it is easy to obtain by shifting . For example, Repeating the above process (see Algorithm 1), we can obtain all , which are listed in Table 1.
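The encryption step of Section 2 and the differential strings of Section 3.1.1, as an added Python example that is not part of the paper: it implements a bit-level ACORN-style step function, computes the 99-bit differential string caused by flipping one initial-state bit, and estimates each fault location's "always 1" and "possibly 1" positions by sampling random initial states rather than deriving them algebraically as Algorithm 1 does. The tap positions, Boolean functions and the ca/cb setting during encryption are the editor's recollection of the ACORN specification and are an assumption to be checked against [3]; the sampled states are constructed.

```python
import random
# Tap positions and Boolean functions below follow the ACORN specification as
# recalled by the editor; treat them as an assumption and verify against [3].
N = 293        # FSR length
KS_LEN = 99    # the paper analyses the first 99 keystream bits

def maj(x, y, z): return (x & y) ^ (x & z) ^ (y & z)
def ch(x, y, z):  return (x & y) ^ ((x ^ 1) & z)

def step(s, m, ca=1, cb=0):
    """One encryption step (ca=1, cb=0 during encryption); returns (new state, ks)."""
    s = s[:]                                   # do not modify the caller's state
    s[289] ^= s[235] ^ s[230]                  # linear part of the state update
    s[230] ^= s[196] ^ s[193]
    s[193] ^= s[160] ^ s[154]
    s[154] ^= s[111] ^ s[107]
    s[107] ^= s[66] ^ s[61]
    s[61] ^= s[23] ^ s[0]
    ks = s[12] ^ s[154] ^ maj(s[235], s[61], s[193]) ^ ch(s[230], s[111], s[66])
    f = s[0] ^ (s[107] ^ 1) ^ maj(s[244], s[23], s[160]) ^ (ca & s[196]) ^ (cb & ks)
    return s[1:] + [f ^ m], ks                 # shift left, feed back f XOR plaintext

def keystream(state, n=KS_LEN):
    """First n keystream bits for an all-zero plaintext (ciphertext equals keystream)."""
    out = []
    for _ in range(n):
        state, k = step(state, 0)
        out.append(k)
    return out

def diff_string(state, j, n=KS_LEN):
    """Positions t < n where the keystream changes when initial-state bit j is flipped."""
    faulty = state[:]
    faulty[j] ^= 1
    return {t for t, (a, b) in enumerate(zip(keystream(state, n), keystream(faulty, n))) if a != b}

def signatures(samples=8, seed=1):
    """Returns (sig, states): sig[j] = (positions always 1, positions possibly 1) for a fault
    at j, estimated over constructed random initial states; the paper derives them exactly."""
    rng = random.Random(seed)
    states = [[rng.randint(0, 1) for _ in range(N)] for _ in range(samples)]
    sig = {}
    for j in range(N):
        ds = [diff_string(s, j) for s in states]
        sig[j] = (set.intersection(*ds), set.union(*ds))
    return sig, states

def locate(observed, sig):
    """Fault locations whose signature is consistent with an observed differential string."""
    return sorted(j for j, (must, may) in sig.items() if must <= observed <= may)
```

Matching an observed differential string against the signatures mirrors the fundamental locating step: a location survives only if every always-1 position is set and no position outside its possibly-1 set is. With few samples a nonconstant position can be misclassified as always 1, so the algebraic derivation of Table 1 remains authoritative.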