Paper 2024/1005
Differential Fault Attack on HE-Friendly Stream Ciphers: Masta, Pasta and Elisabeth
Abstract
In this paper, we propose a Differential Fault Attack (DFA) on three Homomorphic Encryption (HE) friendly stream ciphers: Masta, Pasta, and Elisabeth. Both Masta and Pasta are Rasta-like ciphers with publicly derived and pseudorandom affine layers. The design of Elisabeth is an extension of FLIP and FiLIP, following the group filter permutator paradigm. All three ciphers operate on elements over $\mathbb{Z}_p$ or $\mathbb{Z}_{2^n}$, rather than $\mathbb{Z}_2$. We can recover the secret keys of all the targeted ciphers through DFA. In particular, for Elisabeth, we present a new method to determine the filtering path, which is vital to make the attack practical. Our attacks on various instances of Masta are practical and require only one block of keystream and a single word-based fault. By injecting three word-based faults, we can theoretically mount DFA on two instances of Pasta, Pasta-3 and Pasta-4. For our DFA on Elisabeth-4, the only instance of the Elisabeth family, a single bit-based fault injection is needed. With 15000 normal and faulty keystream words, the DFA on Elisabeth-4 can be completed within several minutes.
Metadata
- Available format(s): PDF
- Category: Attacks and cryptanalysis
- Publication info: Preprint.
- Keywords: Differential fault attack, Masta, Pasta, Elisabeth
- Contact author(s): SJTUwwz @ sjtu edu cn, dengtang @ sjtu edu cn
- History:
  - 2024-06-24: approved
  - 2024-06-21: received
- Short URL: https://ia.cr/2024/1005
- License: CC BY
BibTeX
@misc{cryptoeprint:2024/1005,
      author = {Weizhe Wang and Deng Tang},
      title = {Differential Fault Attack on {HE}-Friendly Stream Ciphers: Masta, Pasta and Elisabeth},
      howpublished = {Cryptology ePrint Archive, Paper 2024/1005},
      year = {2024},
      note = {\url{https://eprint.iacr.org/2024/1005}},
      url = {https://eprint.iacr.org/2024/1005}
}