● Exponentiate the received values:
  $m_p = c_p^{d_p} \bmod p$
  $m_q = c_q^{d_q} \bmod q$
  where $d_p \equiv d \pmod{p-1}$ and $d_q \equiv d \pmod{q-1}$
● Use the CRT to compute $m \in \mathbb{Z}_n^*$ such that $m \equiv m_p \pmod p$ and $m \equiv m_q \pmod q$
The last step is done by computing $m = (x m_p + y m_q) \bmod n$, where x and y are
precomputed integers that satisfy:
  $x \equiv 1 \pmod p$ ; $x \equiv 0 \pmod q$
  $y \equiv 0 \pmod p$ ; $y \equiv 1 \pmod q$
Here x and y are computed only once, and then every execution of the third
step requires only two modular exponentiations.
Fault attack. Let c be a ciphertext decrypted using CRT. We assume that only the
exponentiation modulo the factor q is faulty, i.e. the computed value $\hat{m}_q$ is incorrect
while the value of $m_p$ is correct.
After applying the CRT, we get a value $\hat{m}$ which is different from the correct
message m. For these two values it holds that:
  $m \equiv m_p \pmod p$ ; $m \equiv m_q \pmod q$ and
  $\hat{m} \equiv m_p \pmod p$ ; $\hat{m} \equiv \hat{m}_q \pmod q$
An attacker who gets hold of both m and $\hat{m}$ can break RSA by computing:
  $\gcd(m - \hat{m}, n) = p$.
Alternatively, we can compute $\gcd(c - \hat{m}^e, n) = p$ if m is unavailable.
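The fault attack above carried through on a toy key, as an added example that is not from the original document: it models a single-bit fault in the q branch, performs both gcd recoveries from the text, and shows the re-encryption check with which a CRT implementation refuses to release a faulty result. The Mersenne primes, the message value, the modelled fault and the function names are assumptions made for this example.

```python
from math import gcd

# Constructed toy key: two Mersenne primes chosen so the numbers stay readable.
# Real keys use primes of 1024 bits or more; the arithmetic is identical.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+ modular inverse)

# One-time CRT precomputation, as in the text: d_p, d_q and the CRT weights x, y.
DP, DQ = D % (P - 1), D % (Q - 1)
X = Q * pow(Q, -1, P)                  # x ≡ 1 (mod p), x ≡ 0 (mod q)
Y = P * pow(P, -1, Q)                  # y ≡ 0 (mod p), y ≡ 1 (mod q)


def crt_decrypt(c, fault_q=False):
    """RSA-CRT decryption; fault_q models a fault that corrupts only the q branch."""
    mp = pow(c % P, DP, P)
    mq = pow(c % Q, DQ, Q)
    if fault_q:
        mq ^= 1                        # constructed single-bit error in m_q only
    return (X * mp + Y * mq) % N


def recover_factor_from_pair(m, m_hat):
    """gcd(m - m_hat, n): the difference is 0 mod p but not mod q, so the gcd is p."""
    return gcd(m - m_hat, N)


def recover_factor_from_ciphertext(c, m_hat):
    """gcd(c - m_hat^e, n): the same factorisation when the correct m is unavailable."""
    return gcd((c - pow(m_hat, E, N)) % N, N)


def checked_crt_decrypt(c, fault_q=False):
    """Countermeasure: re-encrypt with the public exponent and release m only if it matches c."""
    m = crt_decrypt(c, fault_q)
    return m if pow(m, E, N) == c else None


# Constructed message and its ciphertext
M = 0x123456789ABCDEF0
C = pow(M, E, N)

if __name__ == "__main__":
    m_hat = crt_decrypt(C, fault_q=True)
    print(recover_factor_from_pair(crt_decrypt(C), m_hat) == P)   # True
    print(recover_factor_from_ciphertext(C, m_hat) == P)          # True
    print(checked_crt_decrypt(C, fault_q=True))                   # None: fault detected
```

The re-encryption check costs one exponentiation with the small public exponent, which is why it is the usual first line of defence against this class of fault.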
Stream ciphers. Prior to the appearance of fast block ciphers such as
DES, stream ciphers ruled the world of encryption. A stream cipher generates
successive elements of the keystream based on an initial state. The state is
updated in essentially two ways: if the state changes independently of the
plaintext or ciphertext messages, the cipher is classified as a synchronous
stream cipher. By contrast, self-synchronizing stream ciphers update their
state based on previous ciphertext digits. In a synchronous stream cipher a
stream of pseudorandom digits is generated independently of the plaintext
Fast Clock results: number of runs (out of 1024) per outcome, by clock frequency

| Frequency (MHz) | No Fault | Single bit fault | Multi bit fault |
|---|---|---|---|
| 130 | 1024 | 0 | 0 |
| 140 | 1024 | 0 | 0 |
| 150 | 1024 | 0 | 0 |
| 160 | 1024 | 0 | 0 |
| 170 | 1024 | 0 | 0 |
| 180 | 1024 | 0 | 0 |
| 190 | 0 | bitNFSR128 (1024) | 0 |
| 200 | 0 | bitNFSR125 (2) | {bitNFSR128, bitNFSR125} (1022) |
| 210 | 0 | 0 | {bitNFSR127, bitNFSR126, bitNFSR125} (1024) |
| 220 | 0 | 0 | {bitNFSR127, bitNFSR126, bitNFSR125, bitNFSR124} (1024) |
Grain 128a. The first 64 bits cannot be accessed by the attacker when
authentication mode is on. Maitra et al. proposed a differential fault
attack that targets the MAC instead of the keystream. The attack requires $2^{11}$
fault injections and $2^{12}$ MAC generation routines to recover the key.
Ding and Guan proposed a related-key attack that requires $2^{96}$ chosen
IVs and $2^{103.613}$ keystream bits to recover the 128-bit key with a
computational complexity of $2^{96.322}$.
The following table gives the key length, IV size and the padding used to
fill the IV for the different ciphers of the Grain family:

| Cipher | Key Length (bits) | IV Length (bits) | Padding in IV (hex) |
|---|---|---|---|
| Grain V0 | 80 | 64 | FFFF |
| Grain V1 | 80 | 64 | FFFF |
| Grain 128 | 128 | 96 | FFFFFFFF |
| Grain 128a | 128 | 96 | FFFFFFFE |
The update functions of all the ciphers of the Grain family for the two
shift registers, LFSR and NFSR, are the following:

Grain V0
  LFSR: $s_{i+80} = s_i + s_{i+13} + s_{i+23} + s_{i+38} + s_{i+51} + s_{i+62}$
  NFSR: $b_{i+80} = s_i + b_{i+63} + b_{i+60} + b_{i+52} + b_{i+45} + b_{i+37} + b_{i+33} + b_{i+28} + b_{i+21} + b_{i+15} + b_{i+9} + b_i + b_{i+63}b_{i+60} + b_{i+37}b_{i+33} + b_{i+15}b_{i+9} + b_{i+60}b_{i+52}b_{i+45} + b_{i+33}b_{i+28}b_{i+21} + b_{i+63}b_{i+45}b_{i+28}b_{i+9} + b_{i+60}b_{i+52}b_{i+37}b_{i+33} + b_{i+63}b_{i+60}b_{i+21}b_{i+15} + b_{i+63}b_{i+60}b_{i+52}b_{i+45}b_{i+37} + b_{i+33}b_{i+28}b_{i+21}b_{i+15}b_{i+9} + b_{i+52}b_{i+45}b_{i+37}b_{i+33}b_{i+28}b_{i+21}$

Grain V1
  LFSR: $s_{i+80} = s_i + s_{i+13} + s_{i+23} + s_{i+38} + s_{i+51} + s_{i+62}$
  NFSR: $b_{i+80} = s_i + b_i + b_{i+9} + b_{i+14} + b_{i+21} + b_{i+28} + b_{i+33} + b_{i+37} + b_{i+45} + b_{i+52} + b_{i+60} + b_{i+62} + b_{i+9}b_{i+15} + b_{i+33}b_{i+37} + b_{i+60}b_{i+63} + b_{i+21}b_{i+28}b_{i+33} + b_{i+45}b_{i+52}b_{i+60} + b_{i+15}b_{i+21}b_{i+60}b_{i+63} + b_{i+33}b_{i+37}b_{i+52}b_{i+60} + b_{i+9}b_{i+28}b_{i+45}b_{i+63} + b_{i+9}b_{i+15}b_{i+21}b_{i+28}b_{i+33} + b_{i+37}b_{i+45}b_{i+52}b_{i+60}b_{i+63} + b_{i+21}b_{i+28}b_{i+33}b_{i+37}b_{i+45}b_{i+52}$

Grain 128
  LFSR: $s_{i+128} = s_i + s_{i+7} + s_{i+38} + s_{i+70} + s_{i+81} + s_{i+96}$
  NFSR: $b_{i+128} = s_i + b_i + b_{i+26} + b_{i+56} + b_{i+91} + b_{i+96} + b_{i+3}b_{i+67} + b_{i+11}b_{i+13} + b_{i+17}b_{i+18} + b_{i+27}b_{i+59} + b_{i+40}b_{i+48} + b_{i+61}b_{i+65} + b_{i+68}b_{i+84}$

Grain 128a
  NFSR: $b_{i+128} = s_i + b_i + b_{i+26} + b_{i+56} + b_{i+91} + b_{i+96} + b_{i+3}b_{i+67} + b_{i+11}b_{i+13} + b_{i+17}b_{i+18} + b_{i+27}b_{i+59} + b_{i+40}b_{i+48} + b_{i+61}b_{i+65} + b_{i+68}b_{i+84} + b_{i+88}b_{i+92}b_{i+93}b_{i+95} + b_{i+22}b_{i+24}b_{i+25} + b_{i+70}b_{i+78}b_{i+82}$
MICKEY 2.0. MICKEY 2.0 is a hardware-efficient synchronous stream cipher designed
by Steve Babbage and Matthew Dodd, aimed at resource-constrained platforms.