#### Abstract

In this paper, we show that stream ciphers with a particular form of ciphertext output function are vulnerable to differential fault attacks using random faults. The CAESAR competition candidates Tiaoxin-346 and AEGIS-128L both fall into this category, and we show that our attack can be used to recover the secret key of Tiaoxin-346 and the entire state of AEGIS-128L with practical complexity. In the case of AEGIS-128L, the attack can be applied in a ciphertext-only scenario. Our attacks are more practical than previous fault attacks on these ciphers, which assumed bit-flipping faults. Although we also consider other ways of mitigating our attacks, we recommend that cipher designers avoid the form of ciphertext output function that we have identified.

#### 1. Introduction

In this paper, we apply a random fault attack to a particular type of stream cipher. The type of stream cipher we consider is word-based and produces two ciphertext words at each time interval using an output function for each of these ciphertext words that includes both linear and quadratic terms. In particular, one part of the internal state appears as a linear term in the output function producing one of the ciphertext words and in a quadratic term in the output function producing the other ciphertext word. We show that an output function of this type is a straightforward target for random fault attacks.

Two of the third-round candidates in the recent Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR), Tiaoxin-346 [1–3] and AEGIS-128L [4, 5], have output functions of the type we describe, with AEGIS-128L being selected in the final portfolio of this competition. Dey et al. [6] noted that the presence of a bitwise AND operation in the output function of these two ciphers makes them vulnerable to bit-flipping fault attacks. We have identified additional features in these two ciphers that permit exploitation using a less restrictive random fault attack. In particular, the following features combine to provide this vulnerability:(i)Two ciphertext words are generated at each time step(ii)The function used to compute each of the ciphertext words includes the bitwise AND of two of the underlying internal state words(iii)The function used to compute one of the ciphertext words also includes the bitwise XOR of one of the state words that was used in the AND of the other ciphertext word.

We treat Tiaoxin-346 and AEGIS-128L as case studies of stream ciphers of this type. In this paper, we demonstrate that a random fault attack is practical against each of these ciphers. This work is an extension of research on Tiaoxin-346 previously published in [7].

##### 1.1. Notation

In this paper, let , , and denote the plaintext, ciphertext, and internal state of the stream cipher, respectively. For encryption, the plaintext is divided into blocks, with each plaintext block composed of two words. Let denote the plaintext block to be encrypted at time , with . Similarly, the ciphertext is given by , with and denoting the two ciphertext words produced at time as a result of the encryption of .

Let denote the internal state of the cipher at time . Suppose the internal state of the cipher consists of words. Then, . Suppose denotes a particular state word that is common to the output functions of both ciphertext words and . The type of output function we consider in this paper has the following form:where and are linear (XOR) combinations of state words used to form and , respectively, and is the reduced linear combination of state words formed by excluding the state word from . That is, . Similarly, and are (quadratic) functions consisting of the bitwise product (AND) of two state words, and is the reduced term obtained by excluding the state word from .

Both of the ciphers we consider use the AES round function [8] in their calculations. In our work, we use to denote one AES round transformation without XOR-ing the subkey; that is,Importantly, we note that this transformation is invertible. We will use this property when extending our attack from a single state word to either multiple words or the entire state at a given time point.

#### 2. Fault Attacks

Responses of cryptographic algorithms to faults, either accidental or intentional, differ from one implementation to another. Attacks that exploit the output of an implementation after an error is induced during the device operation are called fault attacks [9]. Boneh et al. [9] first used fault attacks to attack an implementation of RSA. Since then, fault attacks have been widely used against many encryption schemes, including DES [10] and AES [11]. Fault attacks can be very powerful, such that an entire AES key can be retrieved using only a single fault injection [12].

The effect of fault attacks on a cryptosystem depends on(i)the number of bits affected: one bit, a few bits, one byte, a few bytes, or multiple bytes(ii)the modification type: stuck-at-zero, stuck-at-one, flip a bit, or a random fault(iii)fault precision: how precisely the fault location and its timing can be controlled(iv)fault duration: whether the fault is transient or permanent.

Combinations of these parameters determine the feasibility of a fault attack. For example, if an attack is performed under the assumption that a fault results in flipping every bit in a targeted variable, the assumption implies a very strong adversary. This bit-flipping approach is considered unrealistic in practice [13]. Fault models in which a random fault is injected, such that the adversary does not know in advance the effect of the fault on a variable value, are widely used. Random fault attacks are considered more realistic than bit-flipping fault attacks [13], since less precise control of the fault outcome by the attacker is required.

The fault attacks described in this section can be applied during the encryption phase of any cipher that has the structure described in Section 1. Note that these attacks require an adversary to observe multiple faulty and fault-free ciphertext pairs resulting from the encryption of a given plaintext using the same key and initialization vector. This is a nonce-reuse condition, which may be specifically prohibited by the cipher designer. Such nonce reuse was necessary for the bit-flipping attack by Dey et al. in their attacks on Tiaoxin-346 and AEGIS [6] and similarly is necessary for the random fault attack presented in this paper. The success of these attacks demonstrates the unsuitability of this type of algorithm for use in any environment where nonce reuse may occur.

For simplicity, we first outline the fault attack using bit-flipping faults, taking an approach based on that of Dey et al. in [6]. We then present a fault attack that follows a similar approach but which makes use of the additional ciphertext word produced at each time interval and requires only random faults.

##### 2.1. Bit-Flipping Fault Attacks

Suppose an adversary introduces fault in state word resulting in the complementation of the entire word. That is, and the faulty state word is defined aswhere denotes the bitwise complement of . The fault-free and faulty ciphertext words and are defined in the following:From (5) and (6), it is clear that XORed with allows the attacker to recover the value of the term , as shown in the following:

##### 2.2. Random Fault Attacks

We adapt the bit-flipping fault attack outlined in Section 2.1 to recover the value of using only random faults. This is a more realistic assumption than the stringent requirements on the attacker’s capabilities needed for bit-flipping fault attacks. Specifically, the inclusion of state word by XOR in the computation of and by AND with in the computation of (see (1) and (2)) is a vulnerability that can be exploited by an adversary in a random fault attack; specifically, inserting such faults in allows the value of to be recovered.

In its basic form, this attack provides partial state recovery, but repeated applications may allow full state recovery. In the case studies presented in Sections 3.2 and 4.2 of this paper, we show that partial state recovery (complete recovery of one of three state components) is possible for Tiaoxin-346 and full state recovery is possible for AEGIS-128L.

Suppose now that fault is a randomly generated value unknown to the attacker. Let the random fault affect the contents of such that the faulty state word . In this case, the fault-free and faulty ciphertext words and are determined as shown in the following:The attacker can obtain the value of the random error simply by calculating XOR (from (8) and (9)), as shown in the following: That is, if the attacker has access to the ciphertext pair , the value of the random error introduced in state word can be obtained from the faulty and fault-free ciphertext alone. Further, we observe that, replacing by , (7) becomesThus, once the random fault value is known, this can be used to find the value of certain bits in , namely, those bits in where the corresponding bits of have a value of one.

This is a limitation of our approach. Unlike the bit-flipping fault attack described by Dey et. al. [6], using random faults does not necessarily recover all of the bits in with a single fault. However, this limitation can be addressed by performing the random fault injection attack multiple times, injecting a different random fault each time, until all the bits in are recovered.

The process for recovering the contents of using random fault injection is summarised in Algorithm 1. In Section 3.2 and Section 4.2, we apply this attack to Tiaoxin-346 and AEGIS-128L, respectively. In the case of Tiaoxin-346, the attack can be repeated six times in total to recover the entire contents of the state component at time . Under the known-plaintext scenario (as assumed, for example, by Dey et al), this then allows the secret key to be recovered completely. In the case of AEGIS-128L, the attack can be repeated (under either the known-plaintext or the ciphertext-only scenario) to recover the contents of all state words at time ; from that point, the cipher can then be used to encrypt and verify any variant plaintext that the attacker may wish to send.

1: Load key and initialization vector and perform the initialization phase. | |

2: Encrypt plaintext to compute the fault free ciphertexts and . | |

3: Repeat Step 2 but inject a random multi-byte fault in the state word . | |

Proceed to compute the faulty ciphertext words and . | |

4: Observe the faulty and fault free ciphertext words and apply Equation (10) | |

to recover the value of the random fault . | |

5: For any bits in the random fault equal to one, observe the values in the | |

corresponding bit positions in the faulty and fault free ciphertext and apply | |

Equation (11) to recover the corresponding bits of . | |

6: Repeat steps 3 to 5 until all of the bits in are recovered. |

#### 3. Case 1: Tiaoxin-346

Tiaoxin-346 is a third-round authenticated encryption stream cipher candidate in the CAESAR cryptographic competition. It uses a 128-bit key , and a 128-bit initialization vector . An input plaintext , of arbitrary length , where , is encrypted to form ciphertext , providing confidentiality. The ciphertext is of the same length as the plaintext . Integrity assurance is provided by an authentication tag of length 128 bits. Tiaoxin-346 also provides integrity assurance for associated data which does not require confidentiality. Tiaoxin-346 supports associated data of arbitrary length, , where .

##### 3.1. Structure

Tiaoxin-346 has a similar structure to feedback shift register-based stream ciphers. The internal state has three components , , and consisting of three, four, and six 128-bit register stages, respectively. This gives the cipher a total internal state size of bits.

At the start of the intialisation phase, various stages of the cipher are loaded with copies of the secret key , the initialisation vector , and certain specified constants (namely, zero, , and ). In particular, note that each of the components , , and has two stages set to the value of and one stage set to the value of at this time.

Tiaoxin-346 uses the state update function to update the internal state. Here, , and are the external inputs to the states , , and , respectively; depending on the operational phase of the cipher, these may be defined in terms of the defined constants, the associated data, or the plaintext. We note that their values during the initialization and associated data loading phases are determined by constants or associated data, both of which are known to the adversary. More precisley, the state of Tiaoxin-346 at time is defined aswhere and . Thus, all stages except for the first two stages in each component are updated by shifting, while the first two stages of each component are updated nonlinearly using the transformation from AES.

###### 3.1.1. Encryption Process

The encryption phase begins after the associated data processing phase is completed. The three components , , and have been loaded with the associated data at the beginning of the encryption phase. Figure 1 shows the encryption process of Tiaoxin-346. As shown in Figure 1, the plaintext is divided into two-word blocks which are successively loaded into the internal state of each component. Each ciphertext block is then computed after loading the corresponding plaintext block.

In more detail, the plaintext words are loaded by defining the external inputs , , and to the state update function as , , and . The ciphertext words are then computed asNote that depends on , since the plaintext blocks and were XORed into and during the state update process.

##### 3.2. Key Recovery Attack Using Random Faults

The fault attack described in Section 2.2 can be applied during the encryption phase of Tiaoxin-346. Recall that this attack requires an adversary to observe multiple faulty and fault-free ciphertext pairs which are encrypted using the same key and initialization vector.

In our generic attack, the ciphertext words are calculated according to (1) and (2) from Section 1.1. Comparing this general form to (13) and (14), we can make the identification to verify that our attack applies to this cipher. By applying Algorithm 1, we are therefore able to recover the value of . By repeating this process at consecutive time steps, we can progressively recover the state words , , , , and . Since for and the invertibility of guarantees that can be uniquely recovered from , this enables us to recover the entire contents of . The process for recovering the contents of with these random faults is shown in Figure 2.

If the plaintext words and are known (as, for example, Dey et al. [6] assume), it is then possible to recover the secret key for Tiaoxin-346. To do this, we first apply the above attack to recover the contents of . The state words to can be recovered from to by the process described above, while can be recovered from , , and the message word . Note again that all the message words used during initialisation are public, so the updates of state component can be reversed from all the way to the beginning of the initialization phase and the key can then be obtained from the intial loaded contents of . Similarly, the initialization vector can be obtained from ; since this value is public, this provides a confirmation of a successful attack.

From this point, all components in the state of Tiaoxin-346 can be initialized with the known key and IV, and the cipher can then be clocked forwards to encrypt and verify any message chosen by the attacker.

In light of the above comments, the security of this cipher against our key recovery attack depends entirely on maintaining the secrecy of the initial plaintext block. In cases where the message format requires particular header information to be included at the start of the message, this may be problematic.

##### 3.3. Experimental Results

Experiments were conducted to analyse the feasibility of the fault attack described in Section 3.2. The experiments were performed as computer simulations using Python 3.6 on a standard desktop computer. The faulty 128-bit words were generated using the Python built-in random number function.

We first investigated the success rate for recovering the state word using multiple random faults. As discussed above, we assume here that the adversary is able to observe multiple faulty and fault-free ciphertext pairs that are encrypted using the same key and initialisation vector. The investigation considered a multibyte fault model; that is, we assume that the error potentially affects all bytes of the state word in the faulty ciphertext. In the following discussion, “number of faults” refers to the number of faulty ciphertexts of this type observed. Each of the results below is based on 10,000 simulated trials for the given number of faults.

For a given number of random faults, the number of bits recovered by the attack is a random variable. The probability of recovering a specified number of bits increases with the number of faults but decreases as the specified number of bits increases. Table 1 presents the average number of bits recovered for different numbers of faults and the corresponding estimated probability, based on 10,000 trials, of recovering that average number of bits using the given number of faults.

As shown in Table 1, with seven or more faults, an adversary can recover an average of 126 or more of the 128 bits of , with a probability higher than 90%. With ten faults, 127 bits can be recovered, with a probability of 99.32%. In all such cases, the adversary needs to guess the remaining bits to recover the entire state word .

Table 2 presents the probability of recovering all 128 bits of for a given number of faults. For ten or more faults, the probability of recovering all bits was over 85%, while 14 faults were required to obtain a 99% probability for recovering all 128 bits of .

To explore the trade-off between number of recovered bits and required number of faults, we also investigated the number of bits it was possible to recover with a 99% success rate for specific numbers of random faults. The left-hand side of Table 3 presents the number of bits of that can be recovered for a given number of faults when at least 99% success probability is stipulated, together with the actual success rate observed in each case. For instance, an adversary can recover 124 bits of state with over 99% probability of success by introducing seven faults, and the remaining four bits must then be guessed with a guessing complexity of .

The right-hand side of Table 3 gives the corresponding results for determining the entire contents of component , including the relevant complexity for guessing the bits that have not already been recovered. Recall that the adversary needs to repeat the same process five more times to recover the state words , , , , and in order to achieve this goal. Note from this table that the overall probability of recovering the required number of bits in all six words is over 95% in all cases,and that the complexity of guessing remains practical with 48, 42, or 36 faults. However, the complexity of guessing increases significantly and becomes infeasible for any further reduction in the number of faults beyond 36 faults.

#### 4. Case 2: AEGIS-128L

AEGIS has been selected in the final portfolio of the CAESAR cryptographic competition. AEGIS has three different variants, namely, AEGIS-128, AEGIS-256, and AEGIS-128L. In this section, we discuss AEGIS-128L, as this cipher produces two ciphertext words at each time instant, similar to Tiaoxin-346. This is not the case for AEGIS-128 and AEGIS-256 which only produce one ciphertext word at each time instant.

##### 4.1. Structure

The internal state of AEGIS-128L consists of eight 128-bit register stages and has a total size of bits. The internal state is updated at each time instant using a nonlinear state update function . This update function has two external inputs, and , and nonlinearity is provided by applying the transformation function to the contents of each register stage, as shown in Figure 3. Under this update function, the state of AEGIS-128L at time is defined aswhere .

###### 4.1.1. Encryption Process

Figure 3 shows the state update and encryption process of AEGIS-128L. AEGIS-128L performs the encryption phase following the associated data processing phase. As with Tiaoxin-346, each 256-bit plaintext block is split into two words, , and is encrypted to obtain the corresponding ciphertext block . This process is repeated at total of times to encrypt the entire plaintext message.

Encryption begins by computing the keystream words and asFollowing the keystream computation, the ciphertext words are then computed by XOR-ing the plaintext words with the corresponding keystream words as follows:

After the ciphertext has been computed, the internal state of AEGIS-128L is updated using the state update function . That is, the input plaintext words and are used as the external input for the following time step during the encryption phase of AEGIS-128L.

##### 4.2. State Recovery Attack Using Random Faults

We now show that the fault-based attack described in Section 2.2 can also be applied to the encryption phase of AEGIS-128L. Recall again that the ciphertext words in our generic attack are calculated according to (1) and (2) from Section 1.1.

Comparing this general form to (19) and (20), we see that there are two alternative ways of identifying the generic form with these cipher-specific equations. Identifying and from the generic form with and (respectively) in (19) and (20), we havewhich verifies that our attack applies to this cipher. Using this identification in Algorithm 1 enables us to recover the value of . Alternatively, we can identify from the generic form with in (20) and from the generic form with in (19), giving the identification Applying Algorithm 1 with this identification enables us to recover the value of .

By repeating this process at time , we can also obtain the values of and . Together with the values of and , these enable us to determine the values of and from (16) (this is possible because the transformation function in (16) is invertible). If the plaintext words , , , and are also known, then the process used by Dey et al. [6] can be followed to obtain the whole state contents at time (except that the values of and no longer need to be calculated, as they are already known).

We note, however, that our attack can also be extended to recover the entire state even when the attacker does not have access to the plaintext: by recovering the values of and , one can successively determine the values of , , , , and ; likewise, by recovering and , we can determine and , so that the entire state contents at time are known without knowing any of the plaintext. Thus, this attack is stronger than that reported by Dey et al., as it is a ciphertext-only attack.

##### 4.3. Experimental Results

As for Tiaoxin-346, experiments were conducted to analyse the feasibility of the fault attack on AEGIS-128L described in Section 4.2. The experiments were again performed as computer simulations using Python 3.6 on a standard desktop computer and the faulty 128-bit words were generated using the Python built-in random number function.

We began by investigating the success rate for recovering the state word using multiple random faults applied to the state word . As discussed previously, we assume that the adversary is able to observe multiple faulty and fault-free ciphertext pairs that are encrypted using the same key and initialisation vector. The investigation again considered a multibyte fault model; that is, we assume that the error potentially affects all bytes of the state word in the faulty ciphertext. As before, “number of faults” refers to the number of faulty ciphertexts of this type observed and each of the results below is based on 10,000 simulated trials for the given number of faults.

As for Tiaxoin-346, the probability of recovering a specified number of bits increases with the number of faults but decreases as the specified number of bits increases. Table 4 presents the average number of bits recovered for different numbers of faults and the corresponding probability of recovering that average number of bits using the given number of faults.

As shown in Table 4, with eight or more faults, an adversary can recover an average of 127 or more of the 128 bits of , with a probability higher than 90%. With ten faults, an average of 127 bits can be recovered, with a probability of 99.11%. In all such cases, the adversary needs to guess the remaining bit to recover the entire state word . As the process for recovering bits from is identical to that for recovering bits from , similar probabilities can be expected to apply to the recovery of .

Table 5 presents the probability of recovering all 128 bits of (or all 128 bits of ) for a given number of faults. For ten or more faults, the probability of recovering all bits was over 85%, while 14 faults were required to obtain a 99% probability for recovering all 128 bits of or .

Finally, we again explored the trade-off between number of recovered bits and required number of faults by investigating the number of bits it was possible to recover with a 99% success rate for specific numbers of random faults. The left-hand side of Table 6 presents the number of bits of or that can be recovered for a given number of faults when at least 99% success probability is stipulated, together with the actual success rate observed in each case. For instance, an adversary can recover 124 bits of the state word with over 99% probability of success by introducing seven faults, and the remaining four bits must then be guessed with a guessing complexity of .

The right-hand side of Table 6 gives the corresponding results for determining the entire state contents , for each of the attacks discussed in Section 4.2. For the known-plaintext scenario (also contemplated by Dey et al), the adversary needs to repeat the attack process four times in all in order to recover the entire state. Under these conditions, the overall probability of recovering the required number of bits in all four words is over 97% in all cases and the complexity of guessing remains practical for as few as 20 faults. However, the complexity of guessing increases significantly and becomes infeasible for any further reduction in the number of faults beyond 20 faults. For the ciphertext-only attack, the adversary needs to repeat the attack process eight times in all, increasing both the required number of faults and the associated guessing complexity. In this case, the guessing complexity only remains practical for 64 or 56 faults; however, the overall success rate for both of these choices is again above 97%.

#### 5. Impact of Random Fault Attacks on Tiaoxin-346 and AEGIS-128L

In previous sections, we have considered ciphers with a particular form of encryption function and have shown that these ciphers are vulnerable to fault attacks using random faults. We have shown that this attack enables one or more state words to be recovered in any such cipher. Having noted that the ciphers Tiaoxin-346 and AEGIS-128L each exhibit this structure, we have simulated attacks on both of these ciphers and shown that the secret key of Tiaoxin-346 and the entire state contents of AEGIS-128L can be recovered with practical complexity using fault attacks of this sort. Note that we did not perform our experiments on the hardware implementation of either cipher but instead used computer simulations. However, other researchers [13, 14] have demonstrated that it is feasible to apply this random fault model in the hardware implementation of an algorithm. Therefore, our fault attacks should be practical in both ciphers.

In the following sections, we summarise and compare the outcomes of these attacks for each of these ciphers, before considering possible countermeasures and further generalisations of our approach.

##### 5.1. Summary of Outcomes

The discussions in Sections 3.2 and 4.2 show that it is straightforward to recover the contents of a single state word in either cipher by inducing several multibyte faults to a second state word. In terms of the general ciphertext equations, (1) and (2), introducing multibyte faults to the common state word allows us to recover the state word in each case. Tables 2 and 5 summarise the probabilities of fully recovering the relevant state word for various numbers of multibyte faults for each of these ciphers. An alternative approach is to recover most of the state word using the approach above and guess the remaining bits. This provides a tradeoff between number of faults required and guessing complexity, as summarised in the left-hand sections of Tables 3 and 6.

In terms of recovering a single state word, the attacks on the two ciphers are essentially similar. However, to be of practical use, the attacks must be extended to recover multiple words. Here, the different overall structures of the two ciphers result in different possible outcomes. In the case of Tiaoxin-346, extending the attack to recover six designated state words allows the whole of component to be recovered; knowledge of the first plaintext block then allows complete key recovery. This attack can recover the secret key of Tiaoxin-346 using 36 random faults with a practical complexity of guessing, namely, . The attack complexity can be further reduced by increasing the number of faults: for instance, as shown in Table 3, the attack complexity can be reduced to and for 42 and 48 faults, respectively.

In the case of ASEGIS-128L, there are two possible attack scenarios, both of which allow the entire state to be recovered at a specified time point. The more significant of these is a ciphertext only attack, which requires eight state words to be recovered: as shown in the right-hand section of Table 6, this can be done using 56 faults with a guessing complexity of or 64 faults with a guessing complexity of . On the other hand, provided the attacker knows two successive blocks of plaintext, a known plaintext attack is possible. This attack requires only four state words to be recovered using random faults and therefore requires fewer faults to be applied. In fact, 20 faults are sufficient to apply this attack, with an associated guessing complexity of . Again, as shown in the central section of Table 6, the guessing complexity can be lowered by using more faults: for example, with 32 faults, the guessing complexity is reduced to .

In summary, there are two main differences between the full attacks for these two ciphers:(1)The full attack on Tiaoxin-346 is a known-plaintext attack and requires at least the first block of plaintext to be known to the attacker, while AEGIS-128L can be attacked with ciphertext only.(2)Given the necessary plaintext, the attack on Tiaoxin-346 allows full key recovery, whereas the attack on AEGIS-128L allows state recovery only.

In terms of the full attacks discussed here, each of the ciphers has specific structural features which allow these attacks to be mounted. We discuss these features and their security implications in Section 5.3 below.

##### 5.2. Comparison to Existing Attacks

As discussed previously, Dey et al. [6] also described differential fault attacks on Tiaoxin-346 and AEGIS-128L, but using bit-flipping faults rather than random faults. Table 7 compares the work of Dey et al. [6] with our approach based on random faults.

As shown in Table 7, in each case, our technique requires a much larger number of faults and a comparatively larger complexity when compared to the corresponding attack of Dey et al. [6]. However, our technique works under a random fault model, whereas the other attacks work under a bit-flipping fault model. The assumption of the random fault model is more practical, as the inserted fault can be any 128-bit value, whereas in the bit-flipping fault model, the fault must be . This is a serious restriction of the latter model. The random fault model has been shown to be feasible in actual hardware, whereas the bit-flipping fault model is largely theoretical [13].

Note again that both the fault attacks proposed in this paper and those proposed by Dey et. al. [6] are differential fault attacks; therefore, these attacks require the observation of multiple ciphertexts computed over the same key and initialization vector. This falls under the nonce-reuse scenario, which is prohibited by the designers of these ciphers. The practical nature of our attacks confirms the importance of adhering to this restriction. To the best of our knowledge, there are no other nonce-reuse-based attacks on these ciphers.

##### 5.3. Mitigation Techniques

The ciphers we have considered in this paper produce two ciphertext words at each time step. The key observation that makes our fault attack possible for these ciphers is that the same state word is used in both ciphertext functions in the specific manner described in (1) and (2), namely, appearing linearly in one equation and as part of a quadratic term in the other equation. It is therefore crucial, for any cipher which calculates multiple ciphertext words at each time point, that the state words appearing in a quadratic term within the calculation of one ciphertext word do not also appear linearly in the equation for any other ciphertext word.

Beyond this, each of the ciphers we have considered has specific structural features which allow our attack to be extended from individual state words to full state recovery or key recovery. Addressing these features may also help to improve the security of these ciphers.

In the case of Tiaxion-346, our attack can be extended to a key recovery attack because of two combinations of features. Firstly, the state update function is fully reversible once the external inputs are known and the inputs during the initialization and associated data loading phases are public knowledge: as a consequence, the state update function can be reversed through both the associated data loading and initialization phases. Secondly, each component of the state (, , ) is loaded at initialization with a complete copy of the key and is then updated independently of the other components: in combination with the reversibility of the state update function, this means that an attacker only needs the contents of a single component (in our case, ) in order to recover the entire key. By contrast, it is not possible to reverse the state update function of AEGIS-128L without partial knowledge of the earlier state contents. This means that state recovery cannot lead to key recovery for this cipher. AEGIS-128L also takes external input from the secret key during the 10 updates of the initialization phase, making the process of reversing the state update function even more difficult during this phase.

In Tiaoxin-346, reversibility of the state update function through the initialization phase could be prevented by adopting the strategy used in AEGIS-128L of including the secret key as an external input during this phase. This would prevent an attacker from converting recovery of an individual state component to full key recovery. Another approach which would prevent full key recovery in this cipher would be to perform the initial key loading in such a way that the key is distributed across all the components and cannot be recovered from the initial state of any single component. Redesigning the state update function so as to mix information between components during update operations might also ensure that an attacker must recover the entire state contents in order to clock backwards and extract the key. However, these latter approaches would not protect against an attacker who was able to recover the entire state; in order to guard against such an attacker, reversibility of the update function must be prevented during the initialization phase.

In the case of AEGIS-128L, key recovery is not possible, but full recovery of the state allows the attacker to run the cipher forward to encrypt and verify any variant plaintext he or she chooses. Recovery of the state during encryption is aided by the location of the state words that can be recovered using random faults: if, for instance, the random fault attack recovered and instead of and , it would not be possible to determine the contents of any other state words without knowing the input message words and . The prevalence of the more easily recovered words , , , and in the keystream equations ((17) and (18)) (note that only one input word in each equation does not belong to this group) also makes it easier to recover other state words in the known plaintext scenario. By contrast, the ciphertext equations for Tiaoxin-346 ((13) and (14)) contain multiple words from different components as well as the words that can be recovered using random faults; because of this structure, it is not possible to recover any contents of components and from those of , even when the plaintext is known.

Based on the comments above, it is clear that a ciphertext only state recovery attack would not be possible for AEGIS-128L if the random fault attack were only able to recover the state words and . This could be achieved by simply replacing and by and in (17) and (18). This change would also require a known plaintext attacker to recover at least six state words before the final two words could be determined from the keystream equations, increasing the difficulty of the known plaintext attack. It would be better, though, to avoid such attacks entirely by applying the advice in the initial paragraph of this section.

As a further general comment, the success of our full attacks in recovering either the full state or the complete contents of a state component depends on being able to retrieve the contents of state words from previous clocks once the content of the targeted state words are known. For example, in Tiaoxin-346, the information gained from immediately applies to . Also, in AEGIS-128L, the information gained from attacking and can be used to compute . If the states from previous clocks cannot be easily derived from the fault attack target state , relatively straightfoward state recovery strategies like these would not be possible. An obvious example has already been cited in relation to AEGIS-128L: if only and could be recovered from the attack, it would not be possible to compute the contents of other state words through attacks at successive time points without knowledge of the input words and . Note also that the state recovery process is deterministic in both ciphers due to being invertible. Having a noninvertible nonlinear component in the ciphertext equations may increase attack complexity, at the expense of other possible weaknesses such as state convergence.

##### 5.4. Generalisations and Future Work

In the cases we have considered above (Tiaoxin-346 and AEGIS-128L), the term is a simple quadratic term and the term is a single state word. Under this scenario, the random fault attack recovers directly. It might also be possible to extend the form of (1) and (2) to cases where is a general nonlinear boolean polynomial. In such cases, applying the random fault attack may still provide partial information about the state contents at time . For example, if is a monomial in more than two state words, we would be able to detect when all words in the term are 1. For a more general , bit correlations between state words in and the output ciphertext word could be exploited to recover the contents of the individual state words.

#### 6. Conclusion

In this paper, we have considered ciphers with a particular form of encryption function, namely, those which produce two ciphertext words at each time step and in which a common state word appears linearly in the calculation of one ciphertext word and as part of a quadratic term in calculating the other ciphertext word. We have shown that these ciphers are vulnerable to a differential fault attack using random faults and that this attack enables one or more state words to be recovered at a given time point. Depending on the particular cipher involved, it may also be possible to extend this attack to recover either the secret key or the entire state contents at a specified time point.

The ciphers Tiaoxin-346 and AEGIS-128L were both third-round candidates in the Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR), with AEGIS-128L being selected in the final portfolio of this competition. Both of these ciphers have encryption functions of the type discussed above. We have used these ciphers as case studies, demonstrating that our random fault attack can be extended to recover the secret key of Tiaoxin-346 and the entire state contents of AEGIS-128L, with practical complexity in each case. In the case of Tiaoxin-346, the secret key can be recovered with 36 faults and a guessing complexity of , while the entire state of AEGIS-128L can be recovered with 56 faults and a complexity of using ciphertext alone, and with 20 faults and a complexity of in the known plaintext case.

In order to detemine these complexities, we simulated the attacks on these ciphers in software. Although we did not perform our experiments on the hardware implementation of either cipher, other researchers [13, 14] have demonstrated that it is feasible to apply this random fault model in the hardware implementation of an algorithm. Therefore, our fault attacks should be practical in both ciphers. We have also compared our fault attacks on these ciphers against those of Dey et al [6]; although our attacks require more multibyte faults in each case, the random fault model assumed in our attacks is much more practical than the bit-flipping faults assumed by Dey et al in their attacks.

We have also considered the factors which facilitate the extension of our random fault attack to enable full key recovery or state recovery in Tiaoin-346 and AEGIS-128L and have suggested possible countermeasures to prevent these full attacks or make them more difficult. Ultimately, however, the best protection against the random fault attacks we have described is to avoid using an encryption function with the form we have identified above.

Finally, we note again that our attack and that of Dey et al both require the observation of multiple ciphertexts computed over the same key and initialization vector. This falls under the nonce-reuse scenario, which is prohibited by the designers of these ciphers. Once again, the practical nature of our attack confirms the importance of observing this restriction.

#### Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

#### Conflicts of Interest

The authors declare that they have no conflicts of interest.