Fault Attack on the Authenticated Cipher ACORN v 2

Fault attack is an efficient cryptanalysis method against cipher implementations and has attracted a lot of attention in recent public cryptographic literatures. In this work we introduce a fault attack on the CAESAR candidate ACORN v2. Our attack is done under the assumption of random fault injection into an initial state of ACORN v2 and contains twomain steps: fault locating and equation solving. At the first step, we first present a fundamental fault locating method, which uses 99-bit output keystream to determine the fault injected location with probability 97.08%. And then several improvements are provided, which can further increase the probability of fault locating to almost 1. As for the system of equations retrieved at the first step, we give two solving methods at the second step, that is, linearization and guess-and-determine. The time complexity of our attack is not larger than c ⋅ 2179.19−1.76N at worst, where N is the number of fault injections such that 31 ≤ N ≤ 88 and c is the time complexity of solving linear equations. Our attack provides some insights into the diffusion ability of such compact stream ciphers.


Introduction
CAESAR [1] is a new competition calling for authenticated encryption schemes.Its purpose is to find authenticated ciphers that offer advantages over AES-GCM and are suitable for widespread adoption.In total, 57 candidates were submitted to the CAESAR competition, and after the challenge of two rounds, 15 submissions have been selected for the third round.As one of them, ACORN is a lightweight stream cipher based authenticated encryption cipher submitted by Hongjun [2][3][4].The cipher consists of a simple binary feedback shift register (FSR, for short) of length 293 and aims to protect up to 2 64 bits of associated data (AD) and up to 2 64 bits of plaintext and to generate up to a 128-bit authentication tag by using a 128-bit secret key and a 128-bit initial value (IV).
There are some attacks against ACORN.Meicheng et al. showed the slid properties of ACORN v1 and used it to recover the internal state of ACORN v1 by means of guessand-determine and differential-algebraic technique [5].But the attack was worse than a brute force attack.Chaigneau et al. described an attack that allowed an instant key recovery when the nonce was reused to encrypt a small amount of chosen plaintexts [6].Johymalyo and Sarkar kept the key and IV unchanged, then modified the associated data, and then found that the associated data did not affect any keystream bits if they had a small size [7].Salam et al. investigated cube attacks against both ACORN v1 and v2 up to 477 initialization rounds which was far from threatening the real-life usage of the cipher [8].Salam et al. developed an attack to find a collision of internal states when the key was known [9].Frédéric et al. claimed that they developed practical attacks to recover the internal state and secret key, which were much more expensive than the brute force attack [10].Dibyendu and Mukhopadhyay gave some results on ACORN [11]; one of them was that they found a probabilistic linear relation between plaintext bits and ciphertext bits, which held with probability 1/2 + 1/2 350 .The bias was too small to be tested.The other result was that they could recover the initial state of the cipher with complexity approximately equalling 2 40 , which was done under an impractical assumption.The designer gave the comments on the analysis of ACORN in (https://groups.google.com/forum/#!topic/crypto-competitions/dzzNcybqFP4), which show that some of the attacks are not really attacks.Since fault differential attack is one of side channel attacks working on physical implementations, it is interesting to apply side channel cryptanalysis to a cryptographic algorithm that is being used or will be used in reality.In [12], the authors shows that with 9 faults experiments, they can recover the initial state.However, the length of keystream bits they use is 1200, which mean that the optimizing SAT solver they used can solve the equations with very high degrees, as the equations they used are output functions and the feedback functions.So far, there are not any results of fault differential attacks on ACORN.In this paper we introduce a fault attack on ACORN v2.
Fault attack is one of the most powerful tools to retrieve the secret key of many cryptographic primitives due to the work of [13].In [14], Hoch and Shamir first introduced the fault attack on stream ciphers.They showed that a typical fault attack allows an attacker to inject faults by means of laser shots/clock glitches [15,16] into a device initialized by a secret key and change one or more bits of its internal state.Then he or she could deduce some information about the internal state or secret key by analyzing the difference between the faulty device and the right device.A number of recent works have shown that stream ciphers are vulnerable against fault attacks.In 2008, Michal and Bohuslav showed a differential fault attack on Trivium in [17].In 2011, Mohamed et al. improved Michal and Bohuslav's attack by a SAT solver in [18].In 2009, Castagnos et al. gave a fault analysis of Grain-128 by targeting the LFSR in [19].Karmakar and Chowdhury also showed an attack of Grain-128 but by targeting the NFSR in [20].Later on, Banik et al. presented a differential fault attack on the Grain family [21,22].In 2013, Banik and Maitra evaluated the security of MICKEY 2.0 against fault attacks in [23], and in 2015, Banik et al. gave its improvement in [24].
In this work we present a differential fault attack on ACORN v2.As there are not any practical attacks against the security of the second version of ACORN so far, the attack present in our paper is still of interest.Our basic idea is coming from the signature based model proposed in [19].The main difference is that we use a new method to compute the signature vectors which are differential strings in our paper.Omitting the 0 components, we represent the differential string only as the sequence of positions where their corresponding components are either 1 or nonconstant functions on the initial state.We have added these statements in our paper.Our attack is based on a general fault model where a fault is injected into the initial state of ACORN v2 randomly, and our main idea is based on the observation that the first 99-bit keystream of ACORN v2 can be expressed as linear or quadratic functions of the initial state, which helps us retrieve enough linear equations to recover the initial state.Our attack consists of two main steps: fault locating and equation solving.At the first step, after a fault is injected into the initial state randomly, we can locate it with probability 97.08% by a 99-bit differential string between the error and correct keystream bits.If the string cannot determine the fault location uniquely, then it can determine at most 20 optional fault locations.Subsequently, some improvements are provided to increase the probability of fault locating and reduce the number of optional fault locations, including keystream extension, high probability priority, and making-the-most-use-of-things.At the second step, we give two methods of solving the equation system retrieved at the first step: linearization and guess-and-determine.The time complexity of our attack is not larger than  ⋅ 2 179.19−1.76at worst, where  is the number of fault injections such that 31 ≤  ≤ 88 and  is the time complexity of solving linear equations.
The rest of this paper is organized as follows.In Section 2 a brief description of ACORN v2 is provided.In Section 3 we present a fault attack on ACORN v2 and further give a forgery attack on it.Finally, Section 4 concludes the paper.

Description of ACORN v2
We will recall ACORN v2 briefly in this section; for more details one can refer to [3].Since our attack does not involve the procedures of the initialization, the process of associated data, and the finalization, here we do not intend to introduce them and just restate the encryption procedure briefly.
Denote by  = ( 0 ,  1 , . . .,  292 ) the initial state of ACORN v2, that is, the state of the FSR after initialization and immediately before the keystream bits are outputted, and  the plaintext.There are three functions used in the encryption procedure of ACORN v2: the feedback function (, ), the state update function (, ), and the filter function ().As is implied by its name, the feedback function (, ) mainly involves in the feedback computation of the FSR and is defined as Then the state update function (, ) can be described as It is easy to check that (, ) is invertible on  when  is fixed.

Fault Attack on ACORN v2
Before introducing our fault attack on ACORN v2, we first give an outline of the fault attack model described in [19].
We assume that an attacker can access the physical device of a stream cipher and knows the IV and the keystream .The goal of the attacker is to recover the key or forge a valid tag for plaintext.In our fault attack, the following privileges are required.
(1) The attacker has the ability to reset the physical device with the original Key-IV and restart cipher operations multiple times with the same plaintext.
(2) The attacker can inject a fault into the initial state randomly before the encryption procedure but not choose the location of fault injection.
Our attack contains two main steps: fault locating and equation solving.At the first step, we will demonstrate how to determine the fault location and retrieve a system of equations on the initial state, and at the second step, we will exploit how to recover the initial state from this system of equations.Once the initial state is recovered, the forgery attack can be executed easily.

Fault Locating.
In this section we will discuss how to locate a fault after it is injected into the initial state of the FSR.We first introduce a fundamental fault locating method and then provide several improvements.Here we just consider 99-bit differential keystream since they all can be represented as linear or quadratic functions of .When  = 99, the first feedback bit of degree 2 will come to 193rd position; the degree of   will be 4 and the degree of the differential keystream bit may be 3.So when 0 ≤  < 99, the degrees of the differential keystream bits will not be larger than 2.There are three steps to determine the fault location. Firstly which is the set of all locations that can be involved in (, ) or () directly.For any  ∈ , we can get Δ  by changing one bit   , whose component Δ   is 0, 1, or a function on ,  ∈ [0, 292].When  ∈ [0, 292] and  ∉ , the new differences that are not the differences caused by shifting are introduced when Δ  shifts to the locations in .So for any  ∉ , Δ  can be got directly from some Δ   by shifting or performing a linear transformation on Δ   , where   ∈ .Omitting the 0 components, we represent Δ  only as the sequence of positions where their corresponding components are either 1 or nonconstant functions on .To better understand the method, an example is given.
Secondly, we divide Δ  ( ∈ [0, 292]) into 99 categories denoted by   ( ∈ [0, 98]) according to the subscript  satisfying Δ   = 1 ( ∈ [0, 98]) and Δ   = 0 (0 ≤  < ).For example,  0 contains Δ  whose first component Δ  0 is 1.It is noticed that, for Δ 0 = (0, 38, 49, 58, 61, 76, 87, 96), it may occur in  0 ,  38 , and  49 since its first 1 may occur at position 0, 38, and 49 (Δ 1 49 = 1 always holds).Finally, for a given Δ, we first determine which category it belongs to according to the position of its first 1.Then by comparing other locations of 1 appearing in Δ, we can determine all possible locations of a fault.In a very small number of cases, a single differential string can correspond to more than one fault location.Because of this, we cannot always determine the fault location uniquely.
Running through all possible Δ, we find that the proportion of strings that cannot determine the fault location uniquely is about 2.92%, and for each nonzero string, the number of optional fault locations is at most 20.So for a given string Δ, on average, we can determine the fault location uniquely with probability 97.08% (Table 2).

Several Improvement Strategies.
In order to decrease the proportion of strings that cannot determine the fault location uniquely and reduce the number of optional fault locations, here we provide several improvement strategies.
(i) Keystream Extension Strategy.Extending keystream is a very valid method of increasing the proportion of strings determining the fault location uniquely.The longer the keystream available to us, the higher the probability of determining the unique fault location.We want to guarantee that the number of fault location candidates is less than or equal to 3. Running through the lengths of the keystream from 99 bits to 167 bits, the result shows that it is enough to choose 163 bits.We find that the proportion of strings that cannot determine the fault location uniquely depends mostly on the fault locations in [230,292].One of the main reasons is that there is not any components of the differential strings that can always be 1 when the fault locations belong to [230,292].This is because the diffusion ability of the last 63 register bits is stronger than that of the first 230 register bits.
Here we extend the keystream to at most 167 bits and divide all possible fault positions into two parts: [0, 229] and [230,292].When a fault is injected in   , where  ∈ [0, 229], we can get an approximate distribution of differential strings on the numbers of optional fault locations by Algorithm 2, seen in Table 3.It is found that when the length of keystream is extended to 163 bits, the proportion of strings not locating a fault is decreased to 0.0650% and the number of optional fault locations is reduced to at most 3.We make a similar process for a fault location in [230,292], seen in Table 4.It is seen that when the keystream length reaches 163 bits, the proportion of all zero strings can almost reduce to 0, but the proportion for each fault locations  do (6)   ←   ⊕ 1 (7) proceed the encryption phase of ACORN v2 to get a 180-bit keystream   (8) for different length of keystream from 99 to 180 do (9) determine the fault location  with Δ  (10) calculate the number of optional fault locations (11) end for (12) end for (13) end for (14) return the numbers of optional fault locations Algorithm 2 of the strings not locating a fault only decreases to 14.45%.How to use the strategy in our fault locating method will be described in the improved fault locating method.
(ii) High Probability Priority Strategy.Here we assume that the initial state of the FSR is random and uniformly distributed.For a given string Δ, we find that different fault location candidates appear with different probabilities.For example, when we get Δ = ( 85 ⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞ 0, . . ., 0, 1, 13 ⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞ 0, . . ., 0) = (85) , (11) since each candidate  in  85 needs to satisfy Δ   = 0, where  ∈ [0, 98] and  ̸ = 85, by the expression of Δ  , it is known that  takes 278 with probability 2 −3 , but 239 with probability 2 −8 (the probabilities of all candidates  in  85 are listed in Table 5).For each candidate , we prefer to choose  with higher probability and call it high probability priority strategy.
(iii) Cross-Referencing Strategy.Cross-referencing is a common maximized way.Here we adopt it to decrease the proportion of strings not locating a fault.Indeed, there are some inherent relations among the strings got from faults at distinct locations.For a new string Δ, it is helpful to In order to shorten the table, we omit the (%) in each column.The symbols are the same as in Table 3, except n0s: the proportion of the zero string among all strings not locating a fault; others: the proportion of the strings that can determine more than 10 optional fault locations among all strings not locating a fault.For example, when we get Δ = (85), candidates  are listed in Table 5.If we have located the fault at  65 and  197 which satisfy Δ 65  4 ⊕ Δ 197 4 = 1, we can exclude the candidate  = 239.Because if the candidate  = 239 is the fault location, Δ 239  4 should be 1.

Improved Fault Locating Method.
Here we present an improvement of the fundamental fault locating method by means of the above optimized strategies.For a given 99-bit Δ, we first determine which category it belongs to according to the position of its first 1.Then by comparing other locations of 1 appearing in Δ, on average, we can locate the fault with probability 97.08%.If Δ cannot locate the fault, we adopt the keystream extension strategy and extend the keystream to at most 163 bits.After this step, the fault has been located with probability 99.95%.If Δ cannot still locate the fault, we will first use the making-the-most-use-of-things strategy to exclude some candidates and then use the high probability priority strategy to guess the right fault location.At last we can locate the fault with probability almost 1.For more detail, see Algorithm 3.

Recovering the Initial State.
Once a fault is located, we will retrieve some equations on the initial state .When Require: A 99-bit differential string Δ Ensure: the fault locations (1) Determine which category Δ belongs to according to the position of its first 1 (2) Determine the candidates by comparing other locations of 1 appearing in Δ and using the making-the-most-use-of-things strategy (3) if the number of candidates is 1 then (4) return the unique candidate ( 5) else (6) for the keystream length extended to 99 +  bits,  from 1 to 64 do (7) use the making-the-most-use-of-things strategy (8) compare the extra  locations of 1 appearing in Δ (9) if the number of candidates can be reduced to 1 then (10) return the unique candidate (11) end if (12) end for (13) if the number of candidates is still larger than 1 then (14) use the high probability priority strategy to choose the location   that the string appears in the Δ   with the highest probability (15) return the unique candidate   (16) end if (17) the number of equations is enough, we can recover  from them.Below we show how to retrieve equations and provide two equation solving methods: linearization and guess-anddetermine.

Equation Retrieving.
As shown in fundamental fault locating method, we just consider 99-bit differential keystream since they all can be represented as linear or quadratic functions of .We first get differential equations when fault is injected in   , where  ∈ ,  = {0, 12,23,61,66,107,111,154,160,193,196,230, 235, 244} .(13) When  ∈ [0, 292] and  ∉ , the main idea to retrieve differential equations is to shift or perform the inversion of the linear transformation on Δ   , where   ∈ .For more detail, one can see Example 1.Note that the inversion of the linear transformation will not lead to the transformation of a linear function to a nonlinear function but increase the number of terms in the function (ignoring possible cancellations due to the exclusive OR operation).
For each fault location , where  ∈ [0, 292], we have stored the corresponding equations containing both linear and quadratic equations.When one fault experiment is executed, we first judge the fault location and then find the corresponding equations according to the differential string.In order to recover the initial state, next, we will show two methods to solve the equations.

Linearization Method.
Our basic idea is to retrieve as many linear equations as possible and then solve the system of linear equations to get .At first, one observation of the functions used in ACORN v2 is given.
where   ,   , and   are linear functions of the initial state.

Implementation and Verification.
To prove the validity of our guess-and-determine method, we experimentally test it on a shrunk cipher with similar structure and properties.More specifically, we built a small stream cipher according to the design principles used for ACORN but with a small state of 31 bits.We then implemented our attack to recover the initial state.
Denote by  = ( 0 , The encryption procedure of the toy cipher is the same as that of ACORN v2.
Here we just consider the first 9-bit keystream, since the first 9-bit differential keystream can be represented as linear or quadratic functions of .Statistic shows that for one fault experiment, on average, we can get 2.3 linear equations and 1.5 quadratic equations.So with 9 fault experiments, we can get 34 equations where there are 21 linear equations.By guessing 5-bit value, the initial state  can be recovered.Based on heuristic, the time complexity of recovering  is  ⋅ 2 5 , where  is the time complexity of solving linear equations.Next, we will provide some experimental results.
By guessing the values of  31 ,  32 ,  33 , and  34 , the 6 quadratic equations can be simplified as linear equations and provide 4 new quadratic equations.Using Gaussian elimination method and guessing one bit more, the 26 linear equations and 4 quadratic equations can be solved easily.The time complexity  is the sum of the Gaussian elimination about 26 linear equations and solving the 4 quadratic equations with 4 variables.There are some differences in the value of  comparing to our estimation.So the time complexity in the realistic attack may be higher than that of our estimation.We also try several other fault locations and the result shows that if the linearly independent equations are enough, we can always recover the initial state.Of course, if the linearly independent equations are not enough, we need to carry out more fault experiments.

Forgery Attack.
Once the initial state of ACORN v2 is recovered, we can encrypt any message to get the ciphertext and generate a valid tag for it.In other words, we can forge tags for any plaintext.It should be pointed out that our attack is suitable to ACORN v1 as well.Due to the invertibility of the initial process in ACORN v1, we can further recover its secret key.

Conclusion
In this work we present a fault attack on ACORN v2 which is one of the second round candidates of CAESAR.Our results show that we can locate almost all faults and recover the initial state with at least 41 fault experiments, whose time complexity is  ⋅ 2 67 , where  is the time complexity of solving linear equations.
ksl: the length of keystream; nup: the proportion of the strings not locating a fault; nup ( = 2, . .., 7): the proportion of the strings that can determine  optional fault locations among all strings not locating a fault; others: the proportion of the strings that can determine more than 7 optional fault locations among all strings not locating a fault.(1)Choose 2 15 initial states randomly (2) for each initial state do
5 ⊕   1   1 ⊕     ⊕     ⊕    (17)and     , where   1 ,   1 ,   1 ,   ,   , and   are linear functions of .According to Observation 4, the term     ⊕     ⊕     can be linearized as   with probability 3/4 and   1   1 can be linearized as 0 or   1 by guessing the value of   1 with probability 1/2.So (17) can be linearized as   1 ⊕   or   1 ⊕   1 ⊕   with probability 3/4 ⋅ 1/2 and provide two linear equations.For quadratic function of form     , if     = 1, we know that   = 1 and   = 1.If     = 0, we guess the values of   and   with probability 1/3.So by guessing the value of   and   , we can get 2 linear equations with probability 1/2.(P3)ForallΔ  ( ∈ [0, 292]), we calculate the numbers of the quadratic functions of form (17) and     .On average, the numbers of linear equations, quadratic equations of form (17), and quadratic equations of form     are 2.7, 3.3, and 1.2 for each Δ  , respectively.Based on the above observations, we can retrieve enough linear equations to recover .By (P1), about 58 linear equations can be retrieved with probability 2 −24 , and by (P3), about 11.7 linear equations with probability 2 −5.87 for each fault.Let  be the number of fault experiments.In order to guarantee the probability of recovering  is larger than 2 −128 , Replace  by  in 2 −5.87−24 ; the probability of recovering  is 2 −179.19+1.76.In particular, when  = 0, 88 fault experiments are needed and the probability is 2 −24 .When  = 17, 31 fault experiments are needed and the probability is 2 −124.63 .As fault injection is hard work and each fault experiment would damage the device, we hope the number of fault experiments required should be as small as possible.31faultexperimentsisthesmallest number in our attack.Below we roughly estimate the time complexity of recovering  with probability 1.When  fault experiments are carried out, denote by  the random event of recovering .Then  follows a binomial distribution with parameters   ∈ N (N is the set of natural numbers) and  = 2 −179.19+1.76,denotedby∼(  , ).If the expected value of  is 1, the expected value of   is about 2 179.19−1.76,where31≤≤ 88.Actually, the value of   is smaller than 2 179.19−1.76.As shown in Observation 4, if the first experiment is failed with probability 1 − , the success probability of the next experiment becomes (4/3).So, the time complexity of recovering  with probability 1 is smaller than  ⋅ 2 179.19−1.76,where  is the time complexity of solving linear equations and  is the number of fault experiments such that 31 ≤  ≤ 88.By the birthday paradox, there is a high chance of randomly chosen locations being repeated by the time √ 293 ≈ 17 experiments are performed, so the number of actual experiments required to obtain  distinct fault locations will be rather higher than .3.2.3.Guess-and-DetermineMethod.Here we discuss the complexity of solving the above equation system by guessand-determine method.For one fault experiment, on average, we can get 4.5quadratic equations including 1.2 quadratic equations of form     and 2.7 linear equations as shown in (P2).The quadratic function of form     can be regarded as one linear equation.For quadratic function of form     , it is expected to obtain 1 linear equation.If     = 1, we know that   = 1 and   = 1.If     = 0, we guess the values of   and   with probability 1/3.So by guessing the value of   and   , we can get 2 linear equations with probability 1/2.So for one fault experiment, on average, we can get 3.3 linear equations and 3.3 quadratic equations.So we can get 295 equations with 160 linear equations with 41 fault experiments.By guessing 67-bit value, the initial state  can be recovered.The time complexity of recovering  is  ⋅ 2 67 , where  is the time complexity of solving linear equations.