Impossible Statistical Fault Analysis of the Pyjamask and SUNDAE-GIFT Lightweight Cryptosystems
The lightweight cryptosystems Pyjamask and SUNDAE-GIFT, proposed in the IACR Transactions on Symmetric Cryptology, are candidates for the second round of the Lightweight Cryptography Standardization process. They aim to protect the data of sensors, smart chips, and embedded devices on the Internet of Things. The Pyjamask block cipher adopts a substitution-permutation network and comes in two versions, Pyjamask-96 and Pyjamask-128, whose block sizes are 96 and 128 bits, respectively. Its key size is 128 bits, with 14 rounds of encryption or decryption. It has perfect diffusion and compatibility and can resist many types of attacks, such as side-channel analysis, differential analysis, linear analysis, impossible differential analysis, boomerang analysis, integral analysis, and algebraic higher-order differential analysis. The SUNDAE-GIFT authenticated encryption scheme is built on the GIFT block cipher with a 128-bit secret key, 128-bit blocks, and 40 rounds of encryption or decryption. It provides confidentiality and authentication, and its security analysis includes typical fault analysis and traditional cryptanalysis. This study evaluates the Pyjamask and SUNDAE-GIFT lightweight cryptosystems against a new impossible statistical fault analysis. It is based on the basic assumption of a ciphertext-only attack and combines an impossible relationship with statistical analysis. In addition, this study constructs novel distinguishers, Wasserstein Distance-Hamming Weight (WD-HW) and Wasserstein Distance-Maximum Likelihood Estimation (WD-MLE), based on the Wasserstein distance. The attackers can inject random nibble faults to filter out some bits of the round keys through the impossible and statistical relationships. They can obtain all round keys to recover the secret key through successive fault injections and the key schedule. The experiments consider the number of faults, accuracy, reliability, latency, and complexity to study the performance of the new fault analysis and distinguishers. The number of faults is the minimum required for retrieving the secret key with the maximum probability; the fewer the faults, the better the attacking performance and the distinguisher. Accuracy is measured using the root mean square error (RMSE); the smaller the RMSE, the closer the prediction results are to the accurate results. Reliability refers to the probability of recovering the secret key; when the reliability reaches no less than 99%, the attacker can recover the secret key in most cases. Latency is the time required to retrieve the secret key using different distinguishers. Complexity serves as a metric for the computational time and the total data processed required to recover the key. In practice, latency and complexity are important indicators for measuring the performance of fault analysis and distinguishers. In this paper, the experimental results show that neither Pyjamask nor SUNDAE-GIFT can resist the proposed impossible statistical fault analysis. The analysis requires only 1024 and 1120 random fault ciphertexts to recover the secret keys of Pyjamask-96 and Pyjamask-128 in 59.84 and 140.16 milliseconds, respectively. In addition, the analysis requires only 400 faults to recover the 128-bit secret key of SUNDAE-GIFT in 5.78 seconds. Compared with classical statistical fault analysis, the impossible statistical fault analysis performs better: it reduces the attacking cost and improves the attacking effectiveness against lightweight cryptosystems. As a result, the impossible statistical fault analysis threatens the security of the Pyjamask and SUNDAE-GIFT lightweight cryptosystems. This study provides a valuable reference for securing lightweight cryptosystems in the Internet of Things.
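As an added illustration, not code from the paper, the following Python sketches the two statistics the abstract names: the Hamming-weight distribution of 4-bit values compared through a first-order Wasserstein (earth mover's) distance, and the root mean square error used to report accuracy. The paper's actual WD-HW and WD-MLE distinguishers, fault model and thresholds are not given on this page, so the reference distribution (a uniformly random nibble), the constructed biased sample (a nibble whose top bit is stuck at zero) and the 0.25 threshold are assumptions chosen only to show how such a distance score separates a sample that matches the reference from one that does not. The same kind of check is what a fault-injection self-test can use to notice that an intermediate value has stopped behaving uniformly.

```python
"""Hamming-weight / Wasserstein-distance statistics (illustrative, not the paper's code)."""
import math
from collections import Counter
from itertools import accumulate

SUPPORT = range(5)  # possible Hamming weights of a 4-bit nibble: 0..4


def hamming_weight(x: int) -> int:
    """Number of set bits in x."""
    return bin(x).count("1")


def hw_distribution(nibbles):
    """Empirical Hamming-weight distribution (weights 0..4) of a list of 4-bit values."""
    if not nibbles:
        raise ValueError("empty sample")
    counts = Counter(hamming_weight(n & 0xF) for n in nibbles)
    return [counts.get(w, 0) / len(nibbles) for w in SUPPORT]


def uniform_hw_distribution():
    """Hamming-weight distribution of a uniformly random nibble: C(4, w) / 16."""
    return [math.comb(4, w) / 16 for w in SUPPORT]


def wasserstein_1d(p, q):
    """First-order Wasserstein distance between two distributions on the ordered
    support 0..4, computed as the sum of absolute differences of their CDFs."""
    cdf_p = list(accumulate(p))
    cdf_q = list(accumulate(q))
    return sum(abs(a - b) for a, b in zip(cdf_p, cdf_q))


def rmse(predicted, actual):
    """Root mean square error between two equal-length sequences."""
    if len(predicted) != len(actual):
        raise ValueError("length mismatch")
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(predicted, actual)) / len(actual))


def deviates_from_uniform(nibbles, threshold=0.25):
    """Score a nibble sample against the uniform reference.
    Returns (distance, flag); the threshold is an assumed value, not one from the paper."""
    d = wasserstein_1d(hw_distribution(nibbles), uniform_hw_distribution())
    return d, d > threshold


# Constructed samples (assumptions for the demonstration, not measured data):
# - UNIFORM_SAMPLE: every nibble value once, so its HW distribution equals the reference exactly.
# - STUCK_SAMPLE: values 0..7 only, i.e. a nibble whose top bit is stuck at zero.
UNIFORM_SAMPLE = list(range(16))
STUCK_SAMPLE = list(range(8))

if __name__ == "__main__":
    for name, sample in (("uniform", UNIFORM_SAMPLE), ("stuck-at-0", STUCK_SAMPLE)):
        dist, flag = deviates_from_uniform(sample)
        print(f"{name:11s} WD={dist:.4f} flagged={flag}")
    print("RMSE(stuck vs uniform) =",
          rmse(hw_distribution(STUCK_SAMPLE), uniform_hw_distribution()))
```

The uniform sample scores a distance of exactly 0 against the reference, while the stuck-at-zero sample (whose weights can only be 0..3) scores 0.5 and is flagged; the RMSE between the two histograms is about 0.088. Because both histograms live on the ordered support 0..4, the Wasserstein distance also reflects how far the mass has to move, not just whether the bins differ, which is why it is a natural choice for comparing Hamming-weight profiles.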