Secur. Commun. Networks | 2019
Random Fault Attacks on a Class of Stream Ciphers
Abstract
In this paper, we show that stream ciphers with a particular form of ciphertext output function are vulnerable to differential fault attacks using random faults. The CAESAR competition candidates Tiaoxin-346 and AEGIS-128L both fall into this category, and we show that our attack can be used to recover the secret key of Tiaoxin-346 and the entire state of AEGIS-128L with practical complexity. In the case of AEGIS-128L, the attack can be applied in a ciphertext-only scenario. Our attacks are more practical than previous fault attacks on these ciphers, which assumed bit-flipping faults. Although we also consider other ways of mitigating our attacks, we recommend that cipher designers avoid the form of ciphertext output function that we have identified.