TY - GEN
T1 - Fault injection attack on Salsa20 and ChaCha and a lightweight countermeasure
AU - Fukushima, Kazuhide
AU - Xu, Rui
AU - Kiyomoto, Shinsaku
AU - Homma, Naofumi
N1 - Publisher Copyright:
© 2017 IEEE.
PY - 2017/9/7
Y1 - 2017/9/7
N2 - We propose a fault injection attack on Salsa20 and ChaCha stream ciphers. In these stream ciphers, the initial matrix X, which consists of constants, a key, a block counter, and a nonce, is added to the matrix X(20) process with a round function to generate a keystream. Our proposed fault injection attack skips the corresponding addition (add) instruction to obtain the matrix X or X(20) and extracts the key. General countermeasures against instruction skipping, including randomization, duplication, and parity checking, are not suitable for the software implementation of a stream cipher that requires high performance and lightweight computation. We thus demonstrate an algorithm-specific but extremely lightweight countermeasure with less than 0.5% execution time overhead based on a variable separation technique. Furthermore, we study the feasibility of the countermeasure in the IA-32, Intel 64, and ARM architectures.
AB - We propose a fault injection attack on Salsa20 and ChaCha stream ciphers. In these stream ciphers, the initial matrix X, which consists of constants, a key, a block counter, and a nonce, is added to the matrix X(20) process with a round function to generate a keystream. Our proposed fault injection attack skips the corresponding addition (add) instruction to obtain the matrix X or X(20) and extracts the key. General countermeasures against instruction skipping, including randomization, duplication, and parity checking, are not suitable for the software implementation of a stream cipher that requires high performance and lightweight computation. We thus demonstrate an algorithm-specific but extremely lightweight countermeasure with less than 0.5% execution time overhead based on a variable separation technique. Furthermore, we study the feasibility of the countermeasure in the IA-32, Intel 64, and ARM architectures.
KW - ChaCha
KW - Fault Injection Attack
KW - Instruction skip
KW - Salsa20
UR - http://www.scopus.com/inward/record.url?scp=85032360672&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85032360672&partnerID=8YFLogxK
U2 - 10.1109/Trustcom/BigDataSE/ICESS.2017.348
DO - 10.1109/Trustcom/BigDataSE/ICESS.2017.348
M3 - Conference contribution
AN - SCOPUS:85032360672
T3 - Proceedings - 16th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, 11th IEEE International Conference on Big Data Science and Engineering and 14th IEEE International Conference on Embedded Software and Systems, Trustcom/BigDataSE/ICESS 2017
SP - 1032
EP - 1037
BT - Proceedings - 16th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, 11th IEEE International Conference on Big Data Science and Engineering and 14th IEEE International Conference on Embedded Software and Systems, Trustcom/BigDataSE/ICESS 2017
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 16th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, 11th IEEE International Conference on Big Data Science and Engineering and 14th IEEE International Conference on Embedded Software and Systems, Trustcom/BigDataSE/ICESS 2017
Y2 - 1 August 2017 through 4 August 2017
ER -