This paper proposes a differential fault analysis on the stream cipher MUGI, which uses two kinds of update functions of an intermediate state. MUGI was proposed by Hitachi, Ltd. in 2002 and is specified as ISO/IEC 18033-4 for keystream generation. Differential fault analysis (DFA) is a type of fault analysis, which is considered to be a serious threat against secure devices such as smart cards. DFA on MUGI was first proposed at ICISC 2010 [25]; however, the attack condition for the successful attack such as the position into which the fault is injected was restricted. In this paper, we extend the attack methods which are more practical, based on a one-byte and a multi-byte fault models using the relationship between two kinds of update functions that are mutually dependent. In the proposed attack, the attacker can know the position affected by the fault injection even if he has no control of the timing of the fault injection. As a result, a 128-bit secret key can be recovered using 13 pairs of correct and faulty outputs on average.
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Copy
Junko TAKAHASHI, Toshinori FUKUNAGA, Kazuo SAKIYAMA, "Differential Fault Analysis on Stream Cipher MUGI" in IEICE TRANSACTIONS on Fundamentals,
vol. E95-A, no. 1, pp. 242-251, January 2012, doi: 10.1587/transfun.E95.A.242.
Abstract: This paper proposes a differential fault analysis on the stream cipher MUGI, which uses two kinds of update functions of an intermediate state. MUGI was proposed by Hitachi, Ltd. in 2002 and is specified as ISO/IEC 18033-4 for keystream generation. Differential fault analysis (DFA) is a type of fault analysis, which is considered to be a serious threat against secure devices such as smart cards. DFA on MUGI was first proposed at ICISC 2010 [25]; however, the attack condition for the successful attack such as the position into which the fault is injected was restricted. In this paper, we extend the attack methods which are more practical, based on a one-byte and a multi-byte fault models using the relationship between two kinds of update functions that are mutually dependent. In the proposed attack, the attacker can know the position affected by the fault injection even if he has no control of the timing of the fault injection. As a result, a 128-bit secret key can be recovered using 13 pairs of correct and faulty outputs on average.
URL: https://global.ieice.org/en_transactions/fundamentals/10.1587/transfun.E95.A.242/_p
Copy
@ARTICLE{e95-a_1_242,
author={Junko TAKAHASHI, Toshinori FUKUNAGA, Kazuo SAKIYAMA, },
journal={IEICE TRANSACTIONS on Fundamentals},
title={Differential Fault Analysis on Stream Cipher MUGI},
year={2012},
volume={E95-A},
number={1},
pages={242-251},
abstract={This paper proposes a differential fault analysis on the stream cipher MUGI, which uses two kinds of update functions of an intermediate state. MUGI was proposed by Hitachi, Ltd. in 2002 and is specified as ISO/IEC 18033-4 for keystream generation. Differential fault analysis (DFA) is a type of fault analysis, which is considered to be a serious threat against secure devices such as smart cards. DFA on MUGI was first proposed at ICISC 2010 [25]; however, the attack condition for the successful attack such as the position into which the fault is injected was restricted. In this paper, we extend the attack methods which are more practical, based on a one-byte and a multi-byte fault models using the relationship between two kinds of update functions that are mutually dependent. In the proposed attack, the attacker can know the position affected by the fault injection even if he has no control of the timing of the fault injection. As a result, a 128-bit secret key can be recovered using 13 pairs of correct and faulty outputs on average.},
keywords={},
doi={10.1587/transfun.E95.A.242},
ISSN={1745-1337},
month={January},}
Copy
TY - JOUR
TI - Differential Fault Analysis on Stream Cipher MUGI
T2 - IEICE TRANSACTIONS on Fundamentals
SP - 242
EP - 251
AU - Junko TAKAHASHI
AU - Toshinori FUKUNAGA
AU - Kazuo SAKIYAMA
PY - 2012
DO - 10.1587/transfun.E95.A.242
JO - IEICE TRANSACTIONS on Fundamentals
SN - 1745-1337
VL - E95-A
IS - 1
JA - IEICE TRANSACTIONS on Fundamentals
Y1 - January 2012
AB - This paper proposes a differential fault analysis on the stream cipher MUGI, which uses two kinds of update functions of an intermediate state. MUGI was proposed by Hitachi, Ltd. in 2002 and is specified as ISO/IEC 18033-4 for keystream generation. Differential fault analysis (DFA) is a type of fault analysis, which is considered to be a serious threat against secure devices such as smart cards. DFA on MUGI was first proposed at ICISC 2010 [25]; however, the attack condition for the successful attack such as the position into which the fault is injected was restricted. In this paper, we extend the attack methods which are more practical, based on a one-byte and a multi-byte fault models using the relationship between two kinds of update functions that are mutually dependent. In the proposed attack, the attacker can know the position affected by the fault injection even if he has no control of the timing of the fault injection. As a result, a 128-bit secret key can be recovered using 13 pairs of correct and faulty outputs on average.
ER -