Hard Fault Analysis of Trivium
Yupu Hu, Fengrong Zhang, and Yiwei Zhang,
Abstract—Fault analysis is a powerful attack on stream ciphers. Up to now, the major idea of fault analysis is to simplify the cipher system by injecting some soft faults. We call it soft fault analysis. As a hardware-oriented stream cipher, Trivium is weak under soft fault analysis. In this paper we consider another type of fault analysis of stream ciphers, which is to simplify the cipher system by injecting some hard faults. We call it hard fault analysis. We present the following results about such an attack on Trivium. In Case 1 with the probability not smaller than 0.2396, the attacker can obtain 69 bits of the 80-bit key. In Case 2 with the probability not smaller than 0.2291, the attacker can obtain all of the 80-bit key. In Case 3 with the probability not smaller than 0.2291, the attacker can partially solve the key. In Case 4 with non-neglectable probability, the attacker can obtain a simplified cipher, with a smaller number of state bits and a slower non-linearization procedure. In Case 5 with non-neglectable probability, the attacker can obtain another simplified cipher. Besides, these 5 cases can be checked out by observing the key-stream.
Index Terms—Side-channel analysis, fault analysis, stream cipher, Trivium
I. INTRODUCTION
A. Background and Results of Our Work
Side-channel analysis of stream ciphers [1] is a class of novel attacks combining physical and mathematical methods, including fault analysis [2], power analysis [3], timing analysis, etc. In the class of side-channel analysis, fault analysis is a powerful attack. Up to now, the major idea of fault analysis is to simplify the cipher system by injecting some soft faults (that is, by changing the values of some positions at some moment), thus revealing the key hidden in the encryption machine. We call such an attack soft fault analysis. Soft fault analysis is a known differential attack [4], by which the attacker can obtain additional low-degree equations of the state. Trivium [5], [6] is a hardware-oriented stream cipher, and one of the finally chosen ciphers of the eSTREAM project, but it is weak under soft fault analysis [7], [8]. In this paper we consider another type of fault analysis of stream ciphers, which is to simplify the cipher system by injecting some hard faults (that is, by setting the values of some positions permanently to 0). We call it hard fault analysis. Such an attack was presented by Eli Biham and Adi Shamir [9], used for breaking block ciphers. We present the following results about hard fault analysis of Trivium. In Case 1 with the probability not smaller than 0.2396, the attacker can obtain 69 bits of the 80-bit key. In Case 2 with the probability not smaller than 0.2291, the attacker can obtain all of the 80-bit key. In Case 3 with the probability not smaller than 0.2291, the attacker can partially solve the key. In Case 4 with non-neglectable probability, the attacker can obtain a simplified cipher, with a smaller number of state bits and a slower non-linearization procedure. In Case 5 with non-neglectable probability, the attacker can obtain another simplified cipher. Besides, these 5 cases can be checked out by observing the key-stream.

The contents are organized as follows. The next subsection is an explanation of soft fault analysis and hard fault analysis. In Section II we prepare for hard fault analysis of Trivium, including the description of Trivium, our assumptions, notations, and some facts. In Section III we present the different features of the fault-injected machine, in 7 different cases. In this section we show that, in each of the former 5 cases, either the key can be revealed, or the cipher can be practically simplified. In Section IV we present an algorithm to identify the cases by observing the key-stream. In this section we identify the former 4 cases with probability close to 1, and identify Case 5 with probability no smaller than / . Section V is the conclusion and future work expectation.

Manuscript received July 1, 2009. This work was supported in part by National Science Foundation of China under grant 60833008 and by 973 Project under grant 2007CB311201. Y. Hu and F. Zhang are with the CNIS Laboratory, Xidian University, 710071 Xi'an, China (e-mail: [email protected]; zhfl[email protected]). Y. Zhang is with ZTE IC Design CO., LTD., 518057 Shenzhen, China (e-mail: [email protected]).

B. Soft Fault Analysis and Hard Fault Analysis
Soft fault analysis is based on soft fault injection. At a random moment of the encryption machine's driving procedure, the attacker changes the values of some random positions of the state. By the differential of the key-stream, the attacker can obtain several additional low-degree equations of the state.

Hard fault analysis is based on hard fault injection. The attacker makes the values of some random positions of the state permanently 0. That is, after hard fault injection, those injected bits can be read out as 0, but can no longer be written. According to technical restrictions, hard fault injection must be made before the encryption machine's driving procedure. Three comparisons between hard fault analysis and soft fault analysis are as follows.

Comparison 1: Hard fault analysis is more practical than soft fault analysis. The main criticism against soft fault analysis was the transient fault model, which was claimed to be unrealistic [9]. Hard fault injection is a current technique of micro-probing, and has already become a real danger to cipher chips [10]. For example, DS5003 is a new product of Maxim. It is a secure microprocessor chip using a coating technique for resisting hard fault injection.

Comparison 2: Hard fault analysis is more expensive than soft fault analysis. Soft fault injection is assumed to be made by simple fault induction (a special kind of light, magnetic disturbance, or other brute methods). Hard fault injection needs expensive FIB and related equipment.
TABLE I
THE KEY-STREAM GENERATION ALGORITHM
Input: the initial state (s, ···, s), the number of output bits N ≤
Output: key-stream (z, z, z, ···, z_N)
for i = 0 to N − do
  z_i ← s + s + s + s + s + s
  t ← s + s s + s + s
  t ← s + s s + s + s
  t ← s + s s + s + s
  (s, ···, s) ← (t, s, ···, s)
  (s, ···, s) ← (t, s, ···, s)
  (s, ···, s) ← (t, s, ···, s)
end for

Comparison 3: After soft fault analysis, an encryption machine can be returned to the owner and used again. On the other hand, after hard fault analysis, an encryption machine is destroyed, so that it seems meaningless to reveal the hidden key for this machine. By this, it may be considered that hard fault analysis is not as valuable as soft fault analysis. This may also be the reason that hard fault analysis has sparsely appeared in the literature of stream cipher analysis.

For Comparison 3, we argue that hard fault analysis is useful in some application scenes. One scene is that the current key is used for decrypting the former plain-texts before they are outdated. Another scene is that the system has a weak key-renewal algorithm, where the current key can help to predict future keys. The third scene is that several machines share a common key, or have closely related keys.

II. PREPARATION FOR HARD FAULT ANALYSIS OF TRIVIUM
A. Trivium Key-Stream Generation and Trivium State Initialization
The state of Trivium is 288 bits long, denoted as (s, ···, s). The state is renewed by 3 combined NFSRs (Non-linear Feedback Shift Registers). The first NFSR is 93 bits long, denoted as (s, ···, s). The second NFSR is 84 bits long, denoted as (s, ···, s). The third NFSR is bits long, denoted as (s, ···, s). The current key-stream bit is a linear function of the current state. Table 1 is an equivalent algorithm for the key-stream generation.

The key is 80 bits long, denoted as (k, ···, k), and is secret. The IV (Initial Vector) is 80 bits long, denoted as (IV, ···, IV), and is public. In other words, if anyone obtains an encryption machine, he can arbitrarily set the value of the IV. Table 2 is an equivalent algorithm for the initial state generation.

Table 1 and Table 2 show that, for key-stream generation and initial state generation, the state renewal is the same. In detail, let s(t, j) denote the state bit at time t and position j; then Table 3 presents a clearer description of the state renewal.

Lemma 1: [5], [6] Let (s, ···, s) denote the initial state (that is, the state at the time just before generating z). Take {z, z, z, ···} as functions of (s, ···, s). Then
1) {z, z, ···, z} are 66 linear functions.
2) {z, z, ···, z} are 82 quadratic functions.
3) {z, z, ···, z} are 66 cubic functions.
4) Each of {z, z, ···, } is at least a quartic function.

Lemma 1 shows such a weakness of Trivium that its non-linearization procedure is over slow. By knowing the key-stream, a large number of low-degree equations will be obtained.

TABLE II
THE INITIAL STATE GENERATION ALGORITHM
Input: the state (s, ···, s) ← (k, ···, k, , ···, ), (s, ···, s) ← (IV, ···, IV, , ···, ), (s, ···, s) ← (0, ···, , , , )
Output: the initial state (s, ···, s)
for i = 1 to do
  t ← s + s s + s + s
  t ← s + s s + s + s
  t ← s + s s + s + s
  (s, ···, s) ← (t, s, ···, s)
  (s, ···, s) ← (t, s, ···, s)
  (s, ···, s) ← (t, s, ···, s)
end for

TABLE III
THE STATE RENEWAL
(s(t+1, ), s(t+1, ), ···, s(t+1, )) = (s(t, ) + s(t, )s(t, ) + s(t, ) + s(t, ), s(t, ), s(t, ), ···, s(t, ))
(s(t+1, ), s(t+1, ), ···, s(t+1, )) = (s(t, ) + s(t, )s(t, ) + s(t, ) + s(t, ), s(t, ), ···, s(t, ))
(s(t+1, ), s(t+1, ), ···, s(t+1, )) = (s(t, ) + s(t, )s(t, ) + s(t, ) + s(t, ), s(t, ), ···, s(t, ))

B. Assumptions, Notations and Some Facts
Suppose that the attacker obtains an encryption machine (or an encryption card, etc.) equipped with Trivium. He wants to obtain the hidden key (k, ···, k). He makes hard fault injection. The hard fault bits are from a random one of the 3 NFSRs, and at random positions in this NFSR. At the injecting moment, he cannot control the positions of the hard fault bits. After injection, he does not know the positions of the hard fault bits. Then he sets (IV, ···, IV) = (0, ···, ). That is, for the initial state generation procedure, the input state is (s, ···, s) ← (k, ···, k, , ···, ), (s, ···, s) ← (0, ···, ), (s, ···, s) ← (0, ···, , , , ). Then he starts up the machine (initial state generation and key-stream generation), and checks the output key-stream from this fault-injected machine. It is easy to see that our assumptions are quite trivial.

P_L denotes the lowest position of the injected faults. P_H denotes the highest position of the injected faults. According to our assumptions, P_H and P_L fall into the same index set { , ···, }, or { , ···, }, or { , ···, }. P_L is of the following 7 cases.
Case 1: ≤ P_L ≤ .
Case 2: ≤ P_L ≤ .
Case 3: ≤ P_L ≤ .
Case 4: ≤ P_L ≤ .
Case 5: ≤ P_L ≤ .
Case 6: P_L = 177.
Case 7: other values of P_L, that is, ≤ P_L ≤ or ≤ P_L ≤ .
It is clear that the probability of Case 1 is never smaller than 69/288 = 0.2396, that the probability of Case 2 is never smaller than 66/288 = 0.2291, and that the probability of Case 3 is never smaller than 66/288 = 0.2291. The probabilities of Case 4 and Case 5 are not clear, because we do not set a detailed injection model. We can only say that these 2 probabilities are non-neglectable. The probability of Case 6 is never larger than 1/288 = 0.0035, and generally is far smaller than 0.0035.

We call the input state the state at time 0, and sequentially rank the states at times , , ···. By this ranking, the initial state (that is, the state at the time just before generating z) is the state at time 1152.
(s(t, ), s(t, ), ···, s(t, )) denotes the state at time t. So, for each m ≥ , the key-stream bit z_m has the representation z_m = s(m+1152, ) + s(m+1152, ) + s(m+1152, ) + s(m+1152, ) + s(m+1152, ) + s(m+1152, ). ∗ denotes an arbitrary bit-value.

Some simple facts about hard fault injection are as follows.
Suppose j is the position of a hard-fault-injected bit, where ≤ j ≤ . Then s(t, j+m) = 0 for each (t, m) such that t ≥ and ≤ m ≤ min{ − j, t}.
Suppose j is the position of a hard-fault-injected bit, where ≤ j ≤ . Then s(t, j+m) = 0 for each (t, m) such that t ≥ and ≤ m ≤ min{ − j, t}.
Suppose j is the position of a hard-fault-injected bit, where ≤ j ≤ . Then s(t, j+m) = 0 for each (t, m) such that t ≥ and ≤ m ≤ min{ − j, t}.

III. FEATURES OF FAULT INJECTED MACHINE IN CASES
A. Features of Fault Injected Machine in Case 1: ≤ P_L ≤

Lemma 2:
The state at time 27 is as follows.
1) (s(27, ), ···, s(27, )) = (k, ···, k, k+1, k+1, k, k, ···, k).
2) (s(27, ), ···, s(27, )) = (∗, ···, ∗), and (s(27, ), ···, s(27, )) = (0, ···, ).
3) (s(27, ), ···, s(27, )) = (0, ···, ).

Lemma 3:
1) For each t such that t ≥ , (s(t+1, ), ···, s(t+1, )) = (s(t, ), s(t, ), ···, s(t, )). So {(s(t, ), ···, s(t, )), t ≥ } has a period 69.
2) For each t such that t ≥ , (s(t, ), ···, s(t, )) = (s(t, ), ···, s(t, )).
3) For each t such that t ≥ , (s(t, ), ···, s(t, )) = (0, ···, ).

Lemma 2 and Lemma 3 are clear by gradually renewing the state (see Table 3), and by considering the state at time 0: (s(0, ), ···, s(0, )) = (k, ···, k, , ···, ), (s(0, ), ···, s(0, )) = (0, ···, ), (s(0, ), ···, s(0, )) = (0, ···, , , , ).

Proposition 1:
Suppose ≤ P_L ≤ . Then the key-stream (z z z ···) has a period , where (z, z, z, ···, z) = (k, k, ···, k, k, k+1, k+1, k, k, ···, k).

Proof:
By Lemma 2 and Lemma 3, z = s(1152, ), z = s(1153, ), z = s(1154, ), ···. So the key-stream (z z z ···) has a period 69. Again z = s(1152, ) = s(27, ) = k. Proposition 1 is proved.

B. Features of Fault Injected Machine in Case 2: ≤ P_L ≤

Lemma 4:
The state at time 27 is as follows.
1) (s(27, ), ···, s(27, )) = (k, ···, k, k+1, k+1, k, k, ···, k).
2) (s(27, ), ···, s(27, )) = (k + k k + k, k + k k + k, ···, k + k k + k, k + k k, k, k, ···, k, , ···, ).
3) (s(27, ), ···, s(27, )) = (∗, ···, ∗).
4) (s(27, ), ···, s(27, )) = (0, ···, ).

Proof:
We induce the state at time 27 by gradually renewing the state.
The state at time 1: (s(1, ), ···, s(1, )) = (k, k, ···, k, , ···, ), (s(1, ), ···, s(1, )) = (k, , ···, ), (s(1, ), ···, s(1, )) = (0, ···, , , ).
The state at time 2: (s(2, ), ···, s(2, )) = (k+1, k, k, ···, k, , ···, ), (s(2, ), ···, s(2, )) = (k, k, , ···, ), (s(2, ), ···, s(2, )) = (0, ···, , ).
The state at time 3: (s(3, ), ···, s(3, )) = (k+1, k+1, k, k, ···, k, , ···, ), (s(3, ), ···, s(3, )) = (k, k, k, , ···, ), (s(3, ), ···, s(3, )) = (0, ···, ).
The state at time 12: (s(12, ), ···, s(12, )) = (k, ···, k, k+1, k+1, k, k, ···, k, ), (s(12, ), ···, s(12, )) = (k, ···, k, , ···, ), (s(12, ), ···, s(12, )) = (∗, ···, ∗), (s(12, ), ···, s(12, )) = (0, ···, ).
The state at time 13: (s(13, ), ···, s(13, )) = (k, ···, k, k+1, k+1, k, k, ···, k), (s(13, ), ···, s(13, )) = (k + k k, k, ···, k, , ···, ), (s(13, ), ···, s(13, )) = (∗, ···, ∗), (s(13, ), ···, s(13, )) = (0, ···, ).
The state at time 14: (s(14, ), ···, s(14, )) = (k, ···, k, k+1, k+1, k, k, ···, k), (s(14, ), ···, s(14, )) = (k + k k + k, k + k k, k, ···, k, , ···, ), (s(14, ), ···, s(14, )) = (∗, ···, ∗), (s(14, ), ···, s(14, )) = (0, ···, ).
The state at time 27: (s(27, ), ···, s(27, )) = (k, ···, k, k+1, k+1, k, k, ···, k), (s(27, ), ···, s(27, )) = (k + k k + k, ···, k + k k + k, k + k k, k, ···, k, , ···, ), (s(27, ), ···, s(27, )) = (∗, ···, ∗), (s(27, ), ···, s(27, )) = (0, ···, ).
Lemma 4 is proved.

Notice that 1) and 2) of Lemma 3 are still true for Case 2: ≤ P_L ≤ . Now we present a definition. For each t such that t ≥ , define a_{t+1} = s(t, ) + s(t, )s(t, ) + s(t, ).
For each t such that ≤ t < , define a_{t+1} = a_{t+70}.

Lemma 5:
1) For each t such that t ≥ , (s(t+1, ), ···, s(t+1, )) = (s(t, ) + a_{t+1}, s(t, ), ···, s(t, )).
2) {a_{t+1}, t ≥ } has a period 69, where (a, ···, a) = (k + k k + k, k + k k + k, ···, k + k k + k, k + k k + k, k+1 + k k + k, k+1 + k k + k, k + k k + k, k + k k + k, ···, k + k k + k, k + k k + k, k + (k+1) k + k, k + (k+1)(k+1) + k, k + k (k+1) + k + 1, k + k k + k + 1).
3) {a_{t+1}, t ≥ } has a period 69.

Proof:
1) is clear from the Trivium state renewal. For each t such that t ≥ , each j such that ≤ j ≤ , s(t, j) = s(27, j − t + 27 (mod )). So a_{t+1} = s(t, ) + s(t, )s(t, ) + s(t, ) = s(t, ) + s(t, )s(t, ) + s(t, ) = s(27, − t (mod )) + s(27, − t (mod )) s(27, − t (mod )) + s(27, − t (mod )). So 2) is true, and 3) is immediate from 2). Lemma 5 is proved.
Lemma 6:
Take the following changes for the state at time 27. (s(27, ), ···, s(27, )) are changed as (s(27, ), ···, s(27, )) = (s(27, ) + a, s(27, ) + a, ···, s(27, ) + a), and the other positions of the state at time 27 are kept unchanged. Then
1) For each t such that t ≥ , (s(t, ), ···, s(t, )) and (s(t, ), ···, s(t, )) are kept unchanged.
2) The key-stream (z z z ···) is kept unchanged.

Proof:
Notice that we are in Case 2: ≤ P_L ≤ , and that the state bits shift rightwards. So Lemma 6 is clear.

Lemma 7:
Take the state at time as the changed value as described in Lemma 6. Then for each t such that t ≥ , each j such that ≤ j ≤ , s(t+78, j) = s(t, j) + a_{t+172−j}.

Proof:
1) If ≤ j ≤ and t ≥ , then t + 172 − j ≥ , so that s(t+78, j) = s(t+172−j, ) = s(t+171−j, ) + a_{t+172−j} = s(t, j) + a_{t+172−j}.
2) If ≤ j ≤ and t ≥ , then ≤ j − ≤ and t − ≥ . By 1), s(t+78, j) = s(t − , j − ) = s(t − , j − ) + a_{t − − (j − )} = s(t, j) + a_{t+172−j}.
3) If ≤ j ≤ and t = 27, then ≤ j − ≤ , so that s(27+78, j) = s(27, j − ). By the assumptions of Lemma 6, s(27+78, j) = s(27, j − ) = s(27, j) + a_{ − j}.
4) If ≤ j ≤ , ≤ t ≤ , and j − (t − ) ≤ , then ≤ j − (t − ) ≤ . By 1), s(t+78, j) = s(27+78, j − (t − )) = s(27, j − (t − )) + a_{ − (j − (t − ))} = s(t, j) + a_{t+172−j}.
5) If ≤ j ≤ , ≤ t ≤ , and j − (t − ) ≥ , then ≤ j − (t − ) ≤ . By 3), s(t+78, j) = s(27+78, j − (t − )) = s(27, j − (t − )) + a_{ − (j − (t − ))} = s(t, j) + a_{t+172−j}. Lemma 7 is proved.
Lemma 8:
Take the state at time 27 as the changed value as described in Lemma 6. Then
1) For each t such that t ≥ , each j such that ≤ j ≤ , s(t+1794, j) = s(t, j) + Σ_{m=0} a_{t+34−j+3m}.
2) {(s(t, ), ···, s(t, )), t ≥ } has a period 3358.

Proof:
According to Lemma 5, Lemma 6, Lemma 7 and the fact that × 23 = 69 × , s(t+1794, j) = s(t + 78 × , j) = s(t, j) + Σ_{n=0} a_{t+172−j+78×n (mod )} = s(t, j) + Σ_{m=0} a_{t+34−j+3m}, so that 1) is true. According to 1), for each t such that t ≥ , each j such that ≤ j ≤ , s(t+3588, j) = s(t+1794+1794, j) = s(t, j) + Σ_{m=0} a_{t+34−j+3m} + Σ_{m=0} a_{t+1794+34−j+3m} = s(t, j). This implies that {(s(t, ), ···, s(t, )), t ≥ } has a period 3358. Again by the fact that {(s(t, ), ···, s(t, )), t ≥ } has a period 69, 2) is true. Lemma 8 is proved.

Proposition 2:
Suppose ≤ P_L ≤ . Then
1) The key-stream (z z z ···) has a period 3358.
2) {z, z, z, ···, z} are linear functions of the 216 variables (s(27, ), ···, s(27, ), s(27, ), ···, s(27, ), a, ···, a), and these functions are known.
3) By knowing the values of {z, z, z, ···, z}, the attacker obtains 3358 linear equations in the 216 variables (s(27, ), ···, s(27, ), s(27, ), ···, s(27, ), a, ···, a). The rank of these linear equations is 210, so that there are = 64 possible solutions.

Proof:
1) is clear from Lemma 8. Notice that for each t such that t ≥ , (s(t+1, ), ···, s(t+1, )) = (s(t, ), s(t, ), ···, s(t, )), (s(t+1, ), ···, s(t+1, )) = (s(t, ) + a_{t+1}, s(t, ), ···, s(t, )). So, for each t such that t ≥ , (s(t, ), ···, s(t, )) can be induced from (s(27, ), ···, s(27, ), s(27, ), ···, s(27, ), a, ···, a) by a linear recursion which is already known. So 2) is true. 3) is our checking result. Proposition 2 is proved.

Notice that the true value of (s(27, ), ···, s(27, ), s(27, ), ···, s(27, ), a, ···, a) satisfies (s(27, ), ···, s(27, )) = (k+1, k+1, k, k, ···, k), and (s(27, ), ···, s(27, )) = (k + k k + k, ···, k + k k + k, k + k k, k, ···, k, , ···, , k + k k + k + a, ···, k + k k + k + a). These relations present another group of equations in the 216 variables (s(27, ), ···, s(27, ), s(27, ), ···, s(27, ), a, ···, a), described as follows.
(s(27, ), ···, s(27, )) = (s(27, ), ···, s(27, ), , ···, ),
a = s(27, ) + s(27, )s(27, ) + s(27, ),
a = s(27, ) + s(27, )s(27, ) + s(27, ),
···
a = s(27, ) + s(27, )s(27, ) + s(27, ),
a = s(27, ) + s(27, )s(27, ) + s(27, ),
a = s(27, ) + s(27, )s(27, ) + s(27, ),
···
a = s(27, ) + s(27, )s(27, ) + s(27, ),
a = s(27, ) + s(27, )s(27, ) + s(27, ),
a = s(27, ) + s(27, )s(27, ) + s(27, ).
All these equations are enough to determine the true value of (s(27, ), ···, s(27, ), s(27, ), ···, s(27, ), a, ···, a), so that they are enough to determine the value of (k, ···, k). Besides, all these equations can determine the value of (k k + k, k k + k, ···, k k + k), so that they determine the value of (k, ···, k).

C. Features of Fault Injected Machine in Case 3: ≤ P_L ≤

Lemma 9:
1) For each t such that t ≥ , (s(t, ), ···, s(t, )) = (0, ···, ).
2) For each t such that t ≥ , (s(t, ), ···, s(t, )) = (s(t, ), ···, s(t, )).
3) {(s(t, ), ···, s(t, )), t ≥ } has a period 78.

Proof:
1) is clear in Case 3. 2) and 3) are immediate from 1).

Now we present a definition. For each t such that t ≥ , define b_{t+1} = s(t, ) + s(t, )s(t, ) + s(t, ). For each t such that ≤ t < , define b_{t+1} = b_{t+79}.

Lemma 10:
1) For each t such that t ≥ , (s(t+1, ), ···, s(t+1, )) = (s(t, ) + b_{t+1}, s(t, ), ···, s(t, )).
2) {b_{t+1}, t ≥ } has a period 78.

Proof:
Lemma 10 is just similar to Lemma 5.
Lemma 11:
Take the following changes for the state at time 98. (s(98, ), ···, s(98, )) are changed as (s(98, ), ···, s(98, )) = (s(98, ) + b, s(98, ) + b, ···, s(98, ) + b), and the other positions of the state at time 98 are kept unchanged. Then
1) For each t such that t ≥ , (s(t, ), ···, s(t, )) are kept unchanged.
2) The key-stream (z z z ···) is kept unchanged.

Proof:
Notice that we are in Case 3: ≤ P_L ≤ , and that the state bits shift rightwards. So Lemma 11 is clear.

Lemma 12:
Take the state at time 98 as the changed value as described in Lemma 11. Then for each t such that t ≥ , each j such that ≤ j ≤ , s(t+87, j) = s(t, j) + b_{t+265−j}.

Proof:
The proof of Lemma 12 is somewhat similar to that of Lemma 7. The proving details are as follows.
1) If ≤ j ≤ and t ≥ , then t + 265 − j ≥ , so that s(t+87, j) = s(t+265−j, ) = s(t+264−j, ) + a_{t+265−j} = s(t, j) + a_{t+265−j}.
2) If ≤ j ≤ and t ≥ , then ≤ j − ≤ and t − ≥ . By 1), s(t+87, j) = s(t − , j − ) = s(t − , j − ) + a_{t − − (j − )} = s(t, j) + a_{t+265−j}.
3) If ≤ j ≤ and t = 98, then ≤ j − ≤ , so s(98+87, j) = s(98, j − ). By the assumptions of Lemma 11, s(98+87, j) = s(98, j − ) = s(98, j) + a_{ − j}.
4) If ≤ j ≤ , ≤ t ≤ , and j − (t − ) ≤ , then ≤ j − (t − ) ≤ . By 1), s(t+87, j) = s(98+87, j − (t − )) = s(98, j − (t − )) + a_{ − (j − (t − ))} = s(t, j) + a_{t+265−j}.
5) If ≤ j ≤ , ≤ t ≤ , and j − (t − ) ≥ , then ≤ j − (t − ) ≤ . By 3), s(t+87, j) = s(98+87, j − (t − )) = s(98, j − (t − )) + a_{ − (j − (t − ))} = s(t, j) + a_{t+265−j}. Lemma 12 is proved.
Lemma 13:
Take the state at time 98 as the changed value as described in Lemma 11. Then
1) For each t such that t ≥ , each j such that ≤ j ≤ , s(t+2262, j) = s(t, j) + Σ_{m=0} b_{t+31−j+3m}.
2) {(s(t, ), ···, s(t, )), t ≥ } has a period 4524.

Proof:
According to Lemma , Lemma , Lemma and the fact that × 26 = 78 × , s(t+2262, j) = s(t + 87 × , j) = s(t, j) + Σ_{n=0} b_{t+265−j+87×n (mod )} = s(t, j) + Σ_{m=0} b_{t+31−j+3m}, so that 1) is true. According to 1), for each t such that t ≥ , each j such that ≤ j ≤ , s(t+4524, j) = s(t+2262+2262, j) = s(t, j) + Σ_{m=0} b_{t+31−j+3m} + Σ_{m=0} b_{t+2262+31−j+3m} = s(t, j). This implies that {(s(t, ), ···, s(t, )), t ≥ } has a period . Again by the fact that {(s(t, ), ···, s(t, )), t ≥ } has a period , Lemma 13 is proved.

Proposition 3:
Suppose ≤ P_L ≤ . Then
1) The key-stream (z z z ···) has a period 4524.
2) (z, z, z, ···, z) are linear functions of the variables (s(98, ), ···, s(98, ), s(98, ), ···, s(98, ), b, ···, b), and these functions are known.
3) By knowing the values of (z, z, z, ···, z), the attacker obtains linear equations in the variables (s(98, ), ···, s(98, ), s(98, ), ···, s(98, ), b, ···, b). The rank of these linear equations is , so that there are = 64 possible solutions.

Proof:
1) is clear from Lemma 13. Notice that for each t such that t ≥ , (s(t+1, ), ···, s(t+1, )) = (s(t, ), s(t, ), ···, s(t, )), (s(t+1, ), ···, s(t+1, )) = (s(t, ) + b_{t+1}, s(t, ), ···, s(t, )). So, for each t such that t ≥ , (s(t, ), ···, s(t, )) can be induced from (s(98, ), ···, s(98, ), s(98, ), ···, s(98, ), b, ···, b) by a linear recursion which is already known. So 2) is true. 3) is our checking result. Proposition 3 is proved.

Notice that the true value of (s(98, ), ···, s(98, ), s(98, ), ···, s(98, ), b, ···, b) satisfies non-linear equations, described as follows.
b = s(98, ) + s(98, )s(98, ) + s(98, ),
b = s(98, ) + s(98, )s(98, ) + s(98, ),
···
b = s(98, ) + s(98, )s(98, ) + s(98, ),
b = s(98, ) + s(98, )s(98, ) + s(98, ),
b = s(98, ) + s(98, )s(98, ) + s(98, ),
···
b = s(98, ) + s(98, )s(98, ) + s(98, ),
b = s(98, ) + s(98, )s(98, ) + s(98, ),
b = s(98, ) + s(98, )s(98, ) + s(98, ).
The 78 non-linear equations and 4524 linear equations are enough to determine the true value of (s(98, ), ···, s(98, ), b, ···, b). They are not enough to determine the true value of (s(98, ), ···, s(98, )) because, in each linear equation, just 2 variables of (s(98, ), ···, s(98, )) appear. After that determination, the 4524 linear equations become linear equations in the 87 variables (s(98, ), ···, s(98, )), and we have verified that the rank of these linear equations is 86. This fact restricts (s(98, ), ···, s(98, )) to 2 possible values.

Then we redefine {a_{t+1}, t ≥ }. For each t such that t ≥ , a_{t+1} = s(t, ) + s(t, )s(t, ) + s(t, ). By considering Lemma 9, a_{t+1} = 0 for each t such that t ≥ .

Lemma 14:
1) (s(98, ), ···, s(98, )) = (a, a, ···, a, a + a, a + a, ···, a + a, a, a, ···, a).
2) (s(98, ), ···, s(98, )) = (a, a, ···, a, , ···, , b + a, b + a, ···, b + a). (This is the changed value according to Lemma 11.)

Proof:
We induce the state at time 98 by gradually renewing the state.
1) (s(78, ), ···, s(78, )) = (a, a, ···, a, , ···, ), (s(84, ), ···, s(84, )) = (a + a, a + a, ···, a + a, a, a, ···, a), (s(92, ), ···, s(92, )) = (a + a, a + a, ···, a + a, a, a, ···, a), (s(98, ), ···, s(98, )) = (a, a, ···, a, a + a, a + a, ···, a + a, a, a, ···, a).
2) (s(69, ), ···, s(69, )) = (0, ···, ), (s(78, ), ···, s(78, )) = (a, a, ···, a, , ···, ), (s(98, ), ···, s(98, )) = (a, a, ···, a, , ···, ). But the value of (s(98, ), ···, s(98, )) is changed according to Lemma 11, so that (s(98, ), ···, s(98, )) = (a, a, ···, a, , ···, , b + a, b + a, ···, b + a).
Lemma 14 is proved.

Lemma 14 shows (s(98, ), s(98, ), ···, s(98, )) = (0, ···, ). This fact and all the former equations are enough to determine the true value of (s(98, ), ···, s(98, )).

Up to now, the 243 variables {s(98, ), ···, s(98, ), s(98, ), ···, s(98, ), b, ···, b} have already been uniquely determined. According to Lemma 14, the attacker can solve the value of (a, a, ···, a), which is the closest to the key (k, ···, k). (a, a, ···, a) is an unknown function of (k, ···, k), because the hard fault positions are unknown. But (a, a, ···, a) can partially reveal the key, as described in Proposition 4 and Proposition 5.

Lemma 15:
Suppose the indices of the hard-fault-injected bits are not from the set {j, j+1, ···, j+m}, where ≤ j ≤ j + m ≤ . Then s(m, j+m) = s(0, j).

Proposition 4:
Suppose ≤ P_L ≤ . Suppose a_{t+1} = 1 for some t such that ≤ t ≤ . Then (a, a, ···, a_{t+1}) = (k, k, ···, k_{−t}).

Proof:
Notice that (s(0, ), s(0, ), ···, s(0, )) = (0, ···, ), so that (s(0, )s(0, ) + s(0, ), s(1, )s(1, ) + s(1, ), ···, s(12, )s(12, ) + s(12, )) = (0, ···, ), and that (a, a, ···, a) = (s(0, ), s(1, ), ···, s(12, )). Suppose a_{t+1} = 1 for some t such that ≤ t ≤ ; then the indices of the hard-fault-injected bits are never from the set { − t, − t, ···, }, or else there would be a contradiction. According to Lemma 15, (a, a, ···, a_{t+1}) = (s(0, ), s(1, ), ···, s(t, )) = (s(0, ), s(0, ), ···, s(0, − t)) = (k, k, ···, k_{−t}). Proposition 4 is proved.
Proposition 5:
Suppose ≤ P_L ≤ . Suppose a_{t+1} = 1 for some t such that ≤ t ≤ . Then
1) (a, a, ···, a) = (k, k, ···, k).
2) a = k + k k.
3) Either a) or b) is true, where
a) a_{u+1} = k_{−u} + k_{−u} k_{−u} + k_{−u} for ≤ u ≤ t − , and a_{v+1} = k_{−v} k_{−v} + k_{−v} for ≤ v ≤ t − .
b) a_{u+1} = k_{−u} + k_{−u} k_{−u} for ≤ u ≤ t − , and a_{v+1} = k_{−v} k_{−v} for ≤ v ≤ t − .

Proof:
By the assumption "1 ≤ P_L ≤ " we know that (s(65, ), s(66, ), ···, s(91, )) = (0, ···, ), so that (a, a, ···, a) = (s(65, )s(65, ) + s(65, ), s(66, )s(66, ) + s(66, ), ···, s(91, )s(91, ) + s(91, )). Suppose a_{t+1} = s(t, )s(t, ) + s(t, ) = 1 for some t such that ≤ t ≤ ; then the indices of the hard-fault-injected bits are never from the set { − t, − t, ···, }, or else there would be a contradiction. Notice that (a, a, ···, a) = (s(0, ), s(1, ), ···, s(11, )). So (a, a, ···, a) = (s(0, ), s(1, ), ···, s(11, )) = (s(0, ), s(0, ), ···, s(0, )) = (k, k, ···, k). a = s(12, ) + s(12, )s(12, ) + s(12, ) = s(0, ) + s(0, )s(0, ) + s(0, ) = k + k k.
1) and 2) are true. Now suppose that 93 is not an index of a hard-fault-injected bit. For each u such that ≤ u ≤ t − , we have − t ≤ − u < − u < − u < − u ≤ , so that a_{u+1} = s(u, ) + s(u, )s(u, ) + s(u, ) = s(0, − u) + s(0, − u)s(0, − u) + s(0, − u) = k_{−u} + k_{−u} k_{−u} + k_{−u}. For each v such that ≤ v ≤ t − , we have − t ≤ − v < − v < − v ≤ , so that a_{v+1} = s(v, ) + s(v, )s(v, ) + s(v, ) = s(v, )s(v, ) + s(v, ) = s(0, − v)s(0, − v) + s(0, − v) = k_{−v} k_{−v} + k_{−v}. a) is true.

Now suppose that 93 is an index of a hard-fault-injected bit. Then s(0, ) = s(1, ) = ··· = s(91, ) = 0. For each u such that ≤ u ≤ t − , we have − t ≤ − u < − u < − u ≤ , so that a_{u+1} = s(u, ) + s(u, )s(u, ) + s(u, ) = s(u, ) + s(u, )s(u, ) = s(0, − u) + s(0, − u)s(0, − u) = k_{−u} + k_{−u} k_{−u}. For each v such that ≤ v ≤ t − , we have − t ≤ − v < − v ≤ , so that a_{v+1} = s(v, ) + s(v, )s(v, ) + s(v, ) = s(v, )s(v, ) = s(0, − v)s(0, − v) = k_{−v} k_{−v}. Proposition 5 is proved.
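As an added example (not the paper's own code), the following Python models Trivium as given in Tables I–III, forces a chosen set of state positions to 0 at every clock (the hard-fault model of Section II-B, with the IV set to all zeros as assumed there), and measures the key-stream period that Cases 1–3 leave behind: 69 in Case 1 (Proposition 1), and a period dividing the state periods 3588 and 4524 derived in Lemmas 8 and 13 for Cases 2 and 3. The key is a constructed sample, and the fault positions are chosen on the assumption that Case 1 is a fault in the second NFSR below all of its taps, Case 2 one in the third NFSR below its taps, and Case 3 one in the first NFSR below its taps, which is how Lemmas 2, 4 and 9 and Proposition 5 characterise them.

```python
# Trivium with stuck-at-0 (hard) faults and key-stream period measurement.
# Register layout follows Tables I-III: s1..s93, s94..s177, s178..s288 (1-indexed).

STATE_BITS = 288
BLANK_ROUNDS = 4 * 288          # 1152 rounds of initial state generation (Table II)


def bits_from_hex(hexstr, nbits):
    """Expand a hex string into a list of nbits ints, most significant bit first."""
    value = int(hexstr, 16)
    return [(value >> (nbits - 1 - i)) & 1 for i in range(nbits)]


def trivium_keystream(key_bits, iv_bits, nbits, stuck_at_zero=frozenset()):
    """Return nbits key-stream bits (bytes of 0/1 values) from Trivium.

    key_bits -> s1..s80 and iv_bits -> s94..s173 as in Table II.
    stuck_at_zero: 1-indexed state positions that are hard-faulted. In the
    paper's model such a bit reads as 0 and can never be written, so it is
    cleared at load time and again after every state renewal.
    """
    assert len(key_bits) == 80 and len(iv_bits) == 80
    s = [0] * (STATE_BITS + 1)                 # s[0] unused, so s[j] is s_j
    s[1:81] = key_bits
    s[94:174] = iv_bits
    s[286] = s[287] = s[288] = 1               # the three constant 1 bits

    def clear_faulted():
        for j in stuck_at_zero:
            s[j] = 0

    clear_faulted()
    out = bytearray()
    for clock in range(BLANK_ROUNDS + nbits):
        t1 = s[66] ^ s[93]
        t2 = s[162] ^ s[177]
        t3 = s[243] ^ s[288]
        if clock >= BLANK_ROUNDS:              # z_m is a linear function of the state
            out.append(t1 ^ t2 ^ t3)
        t1 ^= (s[91] & s[92]) ^ s[171]
        t2 ^= (s[175] & s[176]) ^ s[264]
        t3 ^= (s[286] & s[287]) ^ s[69]
        s[1:94] = [t3] + s[1:93]               # state renewal of Table III
        s[94:178] = [t1] + s[94:177]
        s[178:289] = [t2] + s[178:288]
        clear_faulted()
    return bytes(out)


def minimal_period(bits, max_period):
    """Smallest p <= max_period with bits[i] == bits[i+p] for every i, else None."""
    n = len(bits)
    for p in range(1, max_period + 1):
        if bits[p:] == bits[:n - p]:
            return p
    return None


# Constructed sample key; the IV is all-zero as assumed in Section II-B.
KEY = bits_from_hex("0f1e2d3c4b5a69788796", 80)
IV_ZERO = [0] * 80


def keystream_period(stuck_at_zero, nbits=12000, max_period=4000):
    """Period of the first nbits key-stream bits of the faulted machine (None if > max_period)."""
    z = trivium_keystream(KEY, IV_ZERO, nbits, frozenset(stuck_at_zero))
    return minimal_period(z, max_period)


if __name__ == "__main__":
    print("no fault      :", keystream_period(set()))        # None: no short period
    print("fault at s130 :", keystream_period({130}))        # Case 1 -> 69
    print("fault at s200 :", keystream_period({200}))        # Case 2 -> divides 3588
    print("fault at s40  :", keystream_period({40}))         # Case 3 -> divides 4524
```

Only the lowest faulted position matters, so a set such as {130, 150, 161} behaves exactly like {130}; the unfaulted machine shows no period up to 4000 in its first 12000 bits, which is what makes the short periods observable from the key-stream alone.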
D. Features of Fault Injected Machine in Case 4: ≤ P L ≤

Proposition 6:
Suppose we are in Case 4: ≤ P L ≤ . Then
1) For each t such that t ≥ , ( s ( t, , · · · , s ( t, ) = (0 , · · · , , so that generation of the key–stream ( z z z · · · ) is degraded to z t = s ( t +1152 , + s ( t +1152 , + s ( t +1152 , + s ( t +1152 , + s ( t +1152 , , t ≥ , and the state is degraded to the 273 bits ( s ( t, , s ( t, , · · · , s ( t, , s ( t, , s ( t, , · · · , s ( t, ) .
2) The state renewal is as follows.
( s ( t +1 , , s ( t +1 , , · · · , s ( t +1 , ) = ( s ( t, + s ( t, s ( t, + s ( t, + s ( t, , s ( t, , · · · , s ( t, ) ,
( s ( t +1 , , s ( t +1 , , · · · , s ( t +1 , ) = ( s ( t, + s ( t, s ( t, + s ( t, , s ( t, , · · · , s ( t, ) ,
( s ( t +1 , , s ( t +1 , , · · · , s ( t +1 , ) = ( s ( t, + s ( t, , s ( t, , · · · , s ( t, ) .
3) The state renewal is reversible, and its inverse is as follows.
( s ( t, , s ( t, , · · · , s ( t, ) = ( s ( t +1 , , s ( t +1 , , · · · , s ( t +1 , , s ( t +1 , + s ( t +1 , s ( t +1 , + s ( t +1 , ) ,
( s ( t, , s ( t, , · · · , s ( t, ) = ( s ( t +1 , , s ( t +1 , , · · · , s ( t +1 , , s ( t +1 , + s ( t +1 , ) ,
( s ( t, , s ( t, , · · · , s ( t, ) = ( s ( t +1 , , s ( t +1 , , · · · , s ( t +1 , , s ( t +1 , + s ( t +1 , s ( t +1 , + s ( t +1 , + s ( t +1 , ) .
4) Change the IV (initial vector) from ( IV , · · · , IV ) = (0 , · · · , to the following: IV j = 0 for each j such that ≤ j ≤ , except IV = 1 . Then the key–stream ( z z z · · · ) is kept unchanged.
Proposition 6 is clear from the Trivium key–stream generation and the Trivium state renewal. The following Proposition 7 is our checking result.

Proposition 7:
Suppose we are in Case 4: ≤ P L ≤ . Let ( s , · · · , s , s , · · · , s ) denote the initial state (that is, the state at the time just before generating z ). Take { z , z , z , · · · } as functions of ( s , · · · , s , s , · · · , s ) . Then
1) { z , z , · · · , z } are 66 linear functions.
2) { z , z , · · · , z } are 94 quadratic functions.
3) { z , z , · · · , z } are 69 cubic functions.
4) Each of { z , z , · · · } is of degree at least 4.
Proposition 6 and Proposition 7 present a cipher simpler than Trivium: it has fewer state bits and a slower non–linearization procedure, so it is easier to solve for the state at a fixed time. Once the state at a fixed time is known, the key is recovered by reversing the state renewal.

E. Features of Fault Injected Machine in Case 5: ≤ P L ≤

Lemma 16:
Suppose we are in Case 5: ≤ P L ≤ . Then
1) For each t such that t ≥ , ( s ( t, , s ( t, ) = (0 , .
2) Suppose m is the earliest time such that, for each t ≥ m , ( s ( t, , s ( t, ) = (0 , . Then for each t ≥ m , we have
a) The state is degraded to the 282 bits ( s ( t, , s ( t, , · · · , s ( t, , s ( t, , s ( t, , · · · , s ( t, ) .
b) The state renewal is as follows.
( s ( t +1 , , s ( t +1 , , · · · , s ( t +1 , ) = ( s ( t, + s ( t, s ( t, + s ( t, + s ( t, , s ( t, , · · · , s ( t, ) ,
( s ( t +1 , , s ( t +1 , , · · · , s ( t +1 , ) = ( s ( t, + s ( t, s ( t, + s ( t, + s ( t, , s ( t, , · · · , s ( t, ) ,
( s ( t +1 , , s ( t +1 , , · · · , s ( t +1 , ) = ( s ( t, + s ( t, , s ( t, , · · · , s ( t, ) .
Lemma 16 is clear from the Trivium key–stream generation and the Trivium state renewal. Notice that the state renewal procedure in Lemma 16-2)-b) is irreversible.
Lemma 17:
Suppose m is the earliest time such that, for each t ≥ m , ( s ( t, , s ( t, ) = (0 , . Then
1) For each t such that t ≥ m + 1 , s ( t, + s ( t, + s ( t, = 0 .
2) For each t such that t ≥ m + 2 , s ( t, + s ( t, + s ( t, = 0 .
· · ·
9) For each t such that t ≥ m + 9 , s ( t, + s ( t, + s ( t, = 0 .
Proof:
By Lemma 16 we know that, for each t such that t ≥ m + 1 , s ( t, = s ( t − , , s ( t, = s ( t − , + s ( t − , , s ( t, = s ( t − , . Hence 1) is true. Again, for each t such that t ≥ m + 1 , s ( t, + s ( t, + s ( t, = s ( t +1 , + s ( t +1 , + s ( t +1 , = · · · = s ( t +8 , + s ( t +8 , + s ( t +8 , . Hence 2), 3), · · · , 9) are true by 1). Lemma 17 is proved.

Proposition 8:
Suppose we are in Case 5: ≤ P L ≤ . Then
1) Generation of the key–stream ( z z z · · · ) is degraded to z t = s ( t +1152 , + s ( t +1152 , + s ( t +1152 , + s ( t +1152 , + s ( t +1152 , , t ≥ .
2) Suppose m is the earliest time such that, for each t ≥ m , ( s ( t, , s ( t, ) = (0 , . Then for each t ≥ m + 9 , we have
a) The state is degraded to the 273 bits ( s ( t, , s ( t, , · · · , s ( t, , s ( t, , s ( t, , · · · , s ( t, ) .
b) The state renewal is as follows.
( s ( t +1 , , s ( t +1 , , · · · , s ( t +1 , ) = ( s ( t, + s ( t, s ( t, + s ( t, + s ( t, , s ( t, , · · · , s ( t, ) ,
( s ( t +1 , , s ( t +1 , , · · · , s ( t +1 , ) = ( s ( t, + s ( t, s ( t, + s ( t, + s ( t, + s ( t, , s ( t, , · · · , s ( t, ) ,
( s ( t +1 , , s ( t +1 , , · · · , s ( t +1 , ) = ( s ( t, + s ( t, , s ( t, , · · · , s ( t, ) .
c) The state renewal is reversible, and its inverse is as follows.
( s ( t, , s ( t, , · · · , s ( t, ) = ( s ( t +1 , , s ( t +1 , , · · · , s ( t +1 , , s ( t +1 , + s ( t +1 , s ( t +1 , + s ( t +1 , + s ( t +1 , + s ( t +1 , ) ,
( s ( t, , s ( t, , · · · , s ( t, ) = ( s ( t +1 , , s ( t +1 , , · · · , s ( t +1 , , s ( t +1 , + s ( t +1 , ) ,
( s ( t, , s ( t, , · · · , s ( t, ) = ( s ( t +1 , , s ( t +1 , , · · · , s ( t +1 , , s ( t +1 , + s ( t +1 , + s ( t +1 , + s ( t +1 , s ( t +1 , ) .
3) Change the IV (initial vector) from ( IV , · · · , IV ) = (0 , · · · , to the following: IV j = 0 for each j such that ≤ j ≤ , except IV = 1 . Then the key–stream ( z z z · · · ) is kept unchanged.
Proof:
1) is clear. 2) is a natural corollary of Lemma 16 and Lemma 17. 3) is clear. The following Proposition 9 is our checking result.
Proposition 9:
Suppose we are in Case 5: ≤ P L ≤ . Let ( s , · · · , s , s , · · · , s ) denote the initial state (that is, the state at the time just before generating z ). Take { z , z , z , · · · } as functions of ( s , · · · , s , s , · · · , s ) . Then
1) { z , z , · · · , z } are 66 linear functions.
2) { z , z , · · · , z } are 94 quadratic functions.
3) { z , z , · · · , z } are 69 cubic functions.
4) Each of { z , z , · · · } is of degree at least 4.
Proposition 8 and Proposition 9 present a cipher simpler than Trivium: it has fewer state bits and a slower non–linearization procedure, so it is easier to solve for the state at a fixed time. If the state at a fixed time is known, the state at time 14 is obtained by reversing the state renewal described in Proposition 8 (we know that 14 ≥ m + 9 , where m is the earliest time such that, for each t ≥ m , ( s ( t, , s ( t, ) = (0 , ). Now suppose that the state at time 14 is known. We know that ( k , · · · , k ) = ( s (14 , , s (14 , , · · · , s (14 , ) . Then, if m < 5 , k = s (13 , = s (14 , + s (14 , s (14 , + s (14 , + s (14 , + s (14 , , according to Proposition 8. If m = 5 , the value of k cannot be determined.

F. Features of Fault Injected Machine in Case 6: P L = 177

Proposition 10:
Suppose we are in Case 6: P L = 177 . Then
1) Generation of the key–stream ( z z z · · · ) is degraded to z t = s ( t +1152 , + s ( t +1152 , + s ( t +1152 , + s ( t +1152 , + s ( t +1152 , , t ≥ .
2) The state is degraded to the 287 bits ( s ( t, , s ( t, , · · · , s ( t, , s ( t, , s ( t, , · · · , s ( t, ) .
3) The state renewal is as follows.
( s ( t +1 , , s ( t +1 , , · · · , s ( t +1 , ) = ( s ( t, + s ( t, s ( t, + s ( t, + s ( t, , s ( t, , · · · , s ( t, ) ,
( s ( t +1 , , s ( t +1 , , · · · , s ( t +1 , ) = ( s ( t, + s ( t, s ( t, + s ( t, + s ( t, , s ( t, , · · · , s ( t, ) ,
( s ( t +1 , , s ( t +1 , , · · · , s ( t +1 , ) = ( s ( t, + s ( t, s ( t, + s ( t, , s ( t, , · · · , s ( t, ) .
4) Change the IV (initial vector) to ( IV , · · · , IV ) = (0 , · · · , and ( IV , IV ) = (0 , . Then the key–stream ( z z z · · · ) is kept unchanged.
Proposition 10 is clear. Notice that the state renewal is irreversible.

G. Features of Fault Injected Machine in Case 7: ≤ P L ≤ or ≤ P L ≤

Case 7 has many features similar to those of the former cases. Here are some examples.
If ≤ P L ≤ , the features are similar to those of Case 4.
If ≤ P L ≤ , the features are similar to those of Case 5.
If P L = 288 , the features are similar to those of Case 6.
If ≤ P L ≤ , the features are similar to those of Case 4.
If ≤ P L ≤ , the features are similar to those of Case 5.
If P L = 93 , the features are similar to those of Case 6.

IV. CASES CHECKING
In this section we present an algorithm to identify the case by observing the key–stream ( z z z · · · ) . We first define six features of ( z z z · · · ) .
Feature 1: ( z z · · · , z ) = ( z z · · · z ) .
Feature 2: ( z z · · · , z ) = ( z z · · · z ) .
Feature 3: ( z z · · · , z ) = ( z z · · · z ) .
Feature 4: Change IV from 0 to 1; then ( z z z · · · z ) is kept unchanged.
Feature 5: Change IV from 0 to 1; then ( z z z · · · z ) is kept unchanged.
Feature 6: Change IV from 0 to 1; then ( z z z · · · z ) is kept unchanged.
We then note the following facts.
1) In Case 1, ( z z z · · · ) satisfies Feature 1.
2) In Case 2, ( z z z · · · ) satisfies Feature 2.
3) In Case 3, ( z z z · · · ) satisfies Feature 3.
4) In Case 4, ( z z z · · · ) satisfies Feature 4.
5) In Case 5, ( z z z · · · ) satisfies Feature 5.
6) In Case 5, ( z z z · · · ) may or may not satisfy Feature 6.
7) In Case 6, ( z z z · · · ) satisfies both Feature 5 and Feature 6.
We then make the following natural assumptions.
1) If the case is not Case 1, ( z z z · · · ) satisfies Feature 1 with negligible probability.
2) If the case is neither Case 1 nor Case 2, ( z z z · · · ) satisfies Feature 2 with negligible probability.
3) If the case is none of Case 1, Case 2, Case 3, ( z z z · · · ) satisfies Feature 3 with negligible probability.
4) If the case is none of Case 1, Case 2, Case 3, Case 4, ( z z z · · · ) satisfies Feature 4 with negligible probability.
5) In Case 7, ( z z z · · · ) satisfies Feature 5 with negligible probability.
6) In Case 7, ( z z z · · · ) satisfies Feature 6 with negligible probability.

Algorithm
Suppose that the attacker has obtained the key–stream ( z z z · · · ) from a hard–fault–injected machine.
1) If ( z z z · · · ) satisfies Feature 1, take the case as Case 1.
2) If ( z z z · · · ) does not satisfy Feature 1 but satisfies Feature 2, take the case as Case 2.
3) If ( z z z · · · ) satisfies neither Feature 1 nor Feature 2 but satisfies Feature 3, take the case as Case 3.
4) If ( z z z · · · ) satisfies none of Feature 1, Feature 2, Feature 3 but satisfies Feature 4, take the case as Case 4.
5) If ( z z z · · · ) satisfies none of Feature 1, Feature 2, Feature 3, Feature 4 but satisfies both Feature 5 and Feature 6, take the case as Case 5 or Case 6.
6) If ( z z z · · · ) satisfies none of Feature 1, Feature 2, Feature 3, Feature 4, Feature 6 but satisfies Feature 5, take the case as Case 5.
7) If ( z z z · · · ) satisfies none of Feature 1, Feature 2, Feature 3, Feature 4, Feature 5, Feature 6, take the case as Case 7.
Under our natural assumptions, the Algorithm selects a wrong case with negligible probability. In step 5) of the Algorithm we can also take the case directly as Case 5; the probability of a mistake is then no more than 1/5.
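The Case 6 machine of Proposition 10 (Section III.F) and the key–stream features used by the Algorithm of Section IV, as an added worked example; this is not code from the paper. It assumes the standard Trivium specification (key in s_1..s_80, IV in s_94..s_173, s_286..s_288 = 1, 4·288 = 1152 initialization clocks) and reads Case 6 as the single cell s_177 held permanently at 0; a hard fault is modelled by forcing the chosen cells to 0 at load time and after every clock. The term indices in `clock_case6` are derived from that specification with s_177 = 0, not copied from the page. The key, the all-zero IV, and the faulted position s_163 (which receives IV_70) are constructed inputs chosen to exhibit the IV-invariance features; with s_163 pinned, cells s_163..s_177 die after 15 clocks, leaving a 273-bit live state of the kind the paper describes for Case 4, but no claim is made here about which P_L range the paper assigns to that case.

```python
# Added example, not code from the paper: Trivium with stuck-at-0 hard faults,
# the Case 6 machine of Proposition 10, and the key-stream features of Section IV.
# Assumed layout (Trivium spec): s1..s80 <- key, s94..s173 <- IV, s286..s288 = 1.
from typing import FrozenSet, List, Sequence

INIT_ROUNDS = 4 * 288  # 1152 initialization clocks

# Constructed inputs: an arbitrary non-zero key and the all-zero IV the paper assumes.
KEY: List[int] = [int(i % 3 == 0 or i % 7 == 2) for i in range(80)]
IV0: List[int] = [0] * 80


def load_state(key: Sequence[int], iv: Sequence[int], stuck: FrozenSet[int] = frozenset()) -> List[int]:
    """1-indexed state s[1..288] (s[0] unused) right after key/IV loading; cells in
    `stuck` model hard faults and are forced to 0 now and after every clock."""
    assert len(key) == 80 and len(iv) == 80
    s = [0] * 289
    s[1:81] = [b & 1 for b in key]
    s[94:174] = [b & 1 for b in iv]
    s[286] = s[287] = s[288] = 1
    for p in stuck:
        s[p] = 0
    return s


def clock(s: List[int], stuck: FrozenSet[int] = frozenset()) -> int:
    """One clock of full Trivium on the 288-bit state; returns the output bit."""
    t1 = s[66] ^ s[93]
    t2 = s[162] ^ s[177]
    t3 = s[243] ^ s[288]
    z = t1 ^ t2 ^ t3
    t1 ^= (s[91] & s[92]) ^ s[171]
    t2 ^= (s[175] & s[176]) ^ s[264]
    t3 ^= (s[286] & s[287]) ^ s[69]
    s[2:94] = s[1:93]        # register 1: s1..s93 shifts up by one
    s[1] = t3
    s[95:178] = s[94:177]    # register 2: s94..s177
    s[94] = t1
    s[179:289] = s[178:288]  # register 3: s178..s288
    s[178] = t2
    for p in stuck:          # hard fault: the cell can never leave 0
        s[p] = 0
    return z


def clock_case6(s: List[int]) -> int:
    """Proposition 10 machine: s177 is dead, so it is absent from the output and
    from the register-3 feedback, and s176 shifts into nothing. Never reads s[177]."""
    z = s[66] ^ s[93] ^ s[162] ^ s[243] ^ s[288]       # five-term output
    t3 = s[243] ^ s[288] ^ (s[286] & s[287]) ^ s[69]  # register 1 head, unchanged
    t1 = s[66] ^ s[93] ^ (s[91] & s[92]) ^ s[171]     # register 2 head, unchanged
    t2 = s[162] ^ (s[175] & s[176]) ^ s[264]          # register 3 head, s177 dropped
    s[2:94] = s[1:93]
    s[1] = t3
    s[95:177] = s[94:176]    # the 287-bit state keeps only s94..s176 of register 2
    s[94] = t1
    s[179:289] = s[178:288]
    s[178] = t2
    s[177] = 0
    return z


def state_after_init(key, iv, stuck: FrozenSet[int] = frozenset()) -> List[int]:
    """State at time 1152, i.e. just before z_0 is produced."""
    s = load_state(key, iv, stuck)
    for _ in range(INIT_ROUNDS):
        clock(s, stuck)
    return s


def keystream(key, iv, n: int, stuck: FrozenSet[int] = frozenset()) -> List[int]:
    """z_0 .. z_{n-1} of Trivium with the cells in `stuck` held at 0."""
    s = state_after_init(key, iv, stuck)
    return [clock(s, stuck) for _ in range(n)]


def keystream_case6(key, iv, n: int) -> List[int]:
    """The same key-stream computed on the degraded Proposition 10 machine."""
    s = load_state(key, iv, frozenset({177}))
    for _ in range(INIT_ROUNDS):
        clock_case6(s)
    return [clock_case6(s) for _ in range(n)]


def repeat_feature(z: Sequence[int], i: int, j: int, k: int) -> bool:
    """Shape of Features 1-3: (z_i, ..., z_j) == (z_k, ..., z_{k+j-i})."""
    return list(z[i:j + 1]) == list(z[k:k + j - i + 1])


def iv_flip_feature(key, iv, j: int, n: int, stuck: FrozenSet[int] = frozenset()) -> bool:
    """Shape of Features 4-6: flipping IV_j (1-indexed) from 0 to 1 leaves z_0..z_{n-1} unchanged."""
    assert iv[j - 1] == 0
    flipped = list(iv)
    flipped[j - 1] = 1
    return keystream(key, iv, n, stuck) == keystream(key, flipped, n, stuck)
```

`keystream_case6(KEY, IV0, 128) == keystream(KEY, IV0, 128, frozenset({177}))` checks parts 1) to 3) of Proposition 10 against the full cipher with s_177 pinned. `iv_flip_feature(KEY, IV0, 70, 128, frozenset({163}))` is true because IV_70 is loaded into the dead cell s_163, while the same call without a fault is false, which is exactly the separation the Algorithm relies on: a fault-free machine diffuses every IV bit into the key–stream, so an IV bit that provably does not matter betrays a pinned cell.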
V. CONCLUSION AND FUTURE WORK

From all of the discussion above, it is clear that Trivium is weak under hard fault analysis, under our simple assumptions. Hard fault injection leads us to continue this work. One future direction is combined fault analysis of Grain. Grain is another hardware–oriented stream cipher, and one of the finally chosen ciphers of the eSTREAM project. We find Grain much stronger under either soft or hard fault analysis. We will combine hard fault injection and soft fault injection, looking for weaknesses of Grain. The second future direction is the study under weaker assumptions. One weaker assumption is that, after fault injection, the values of the injected bits are permanently 0 or 1.