2019 IEEE 8th International Workshop on Advances in Sensors and Interfaces (IWASI) | 2019

On Misuse of Nonce-Misuse Resistance: Adapting Differential Fault Attacks on (few) CAESAR Winners


Abstract

New cryptographic schemes are often built upon old and proven primitives that have withstood long public scrutiny. The recently concluded CAESAR competition saw several authenticated ciphers built directly on proven primitives such as AES. However, any attack on these underlying primitives becomes a vulnerability of the whole scheme. AES, which is considered theoretically secure, has very low resistance to differential fault attacks (DFA), which require only 1-2 faults. In this paper, we study DFA attacks on some of the CAESAR competition winners that use the AES block cipher as the underlying primitive. We study the challenges imposed by the design of these modes, such as masking of the ciphertext. We also show that only a very small number of nonce repetitions and faults is required to extend the original attack on AES, which makes it very practical. We show that OCB and COLM need only 1 nonce repetition and 3 faults to uniquely identify the key.

Pages 189-193
DOI 10.1109/IWASI.2019.8791393
Language English
Journal 2019 IEEE 8th International Workshop on Advances in Sensors and Interfaces (IWASI)