
Stream Ciphers I

Fault Attacks on Combiners with Memory

Frederik Armknecht and Willi Meier

(1)  Universität Mannheim, 68131 Mannheim, Germany
(2)  FH Aargau, CH-5210 Windisch, Switzerland
Abstract
Fault attacks are powerful cryptanalytic tools that are applicable to many types of cryptosystems. Recently, general techniques have been developed which can be used to attack many standard constructions of stream ciphers based on LFSRs. More elaborate methods have been invented to attack RC4. These fault attacks are not applicable in general to combiners with memory.
In this paper, techniques are developed that specifically target this class of stream ciphers. These methods are expected to work against any LFSR-based construction that uses only a small memory and few input bits in its output function. In particular, efficient attacks are described against the stream cipher E0 used in Bluetooth, either by inducing faults in the memory or in one of its LFSRs. In both cases, the outputs derived from the faulty runs finally allow the secret key to be described by a system of linear equations. Computer simulations showed that inducing 12 faults sufficed in most cases if about 2500 output bits were available. Another specific fault attack is developed against the stream cipher SNOW 2.0, whose output function has a 64-bit memory. Similar to E0, the secret key is finally the solution of a system of linear equations. We expect that one fault is enough if about $2^{12}$ output words are known.
Keywords: Stream cipher, combiner with memory, LFSR, fault attack, Bluetooth E0, SNOW 2.0.
The first author has been supported by grant Kr 1521/7-2 of the DFG (German Research Foundation).

Contact Information Frederik Armknecht
Email: armknecht@th.informatik.uni-mannheim.de

Contact Information Willi Meier
Email: meierw@fh-aargau.ch