Differential Fault Analysis of SHA3-224 and SHA3-256

Transcription

1 Dfferental Fault Analyss f SHA3-4 and SHA3-256 Pe Lu, Yuns Fe, Lwe Zhang, and A Adam Dng slencelu@gmalcm, yfe@eceneuedu, mathlwe@gmalcm, adng@neuedu Electrcal & Cmputer Engneerng Department, Nrtheastern Unversty, Bstn, MA USA Department f Mathematcs, Nrtheastern Unversty, Bstn, MA USA Abstract The securty f SHA-3 aganst dfferent knds f attacks are f vtal mprtance fr crypt systems wth SHA-3 as the securty engne In ths paper, we lk nt the dfferental fault analyss f SHA-3, and ths s the frst wrk t cnquer SHA3-4 and SHA3-256 usng dfferental fault analyss Cmparng wth ne exstng related wrk, we relax the fault mdels and make them realstc fr dfferent mplementatn archtectures We analyze fault prpagatn n SHA-3 under such sngle-byte fault mdels, and prpse t use fault sgnatures at the bserved utput fr analyss and secret retreval Results shw that the prpsed methd can effectvely dentfy the njected sngle-byte faults, and then recver the whle nternal state f the nput f last rund χ peratn (χ ) fr bth SHA3-4 and SHA3-256 Keywrds-SHA-3, Keccak, Securty, Dfferental fault analyss I INTRODUCTION As the new secure hash standard (SHA-3), the securty f Keccak aganst dfferent attacks s f vtal mprtance Keccak algrthm s a famly f spnge functn based n the permutatn functn f, Keccak-f[r+c] The parameter r means the btrate and c means the capacty, and the nternal state sze s 1,600 = r + c bts fr SHA-3 SHA- 3 has fur mdes wth dfferent lengths f the dgest, d {4, 256, 384, 512} [1] Whle there exsts nly ne prevus wrk f dfferental fault analyss (DFA) n SHA3-384 and SHA3-512 under sngle-bt fault mdel [2], SHA3-4 and SHA3-256 have nt been attacked usng DFA yet In ths paper, we extend DFA t SHA3-4 and SHA3-256, and als adpt mre relaxng and realstc fault mdels DFA utlzes the dependency f the utput faults n the nternal ntermedate varables t recver the secret DFA s a pwerful and effcent attack methd, and has been used t break varus cryptgraphc algrthms It was frst ntrduced t hack the Data Encryptn Standard (DES) algrthm [3] Later t was used t break the Advanced Encryptn Standard (AES) [4] - nly tw pars f crrect and faulty cphertexts wth ne fault njected are needed t break the AES-128 Many ther cphers have als been hacked by DFA, ncludng CLEFIA [5], Mckey [6], [7] and Gran [8], [9] Sme exstng hash standards have been evaluated aganst DFA attacks, ncludng SHA-1 [10], Streebg [11], MD5 [12] and GrøStl [13] DFA can be used t retreve the rgnal message when hash functns are n general usage [12], [13] When hash functns are used n the message authentcatn cde (MAC) mde wth a secret key, DFA als becmes a great threat and t can be used t recver the key, and then the attackers can generate frgery messages and MAC aganst authentcatn [10], [11], [13] As Keccak has a very dfferent desgn phlsphy frm prevus crypt algrthms, prevus attack methds n hash functns cannt be appled drectly t SHA-3 Prevus wrks n SHA-3 manly fcus n sde-channel pwer analyss and cllsns attacks, etc [14] [30] The nly exstng DFA wrk n SHA-3 [2] s based n sngle-bt fault mdel, and targets tw mdes f SHA-3, SHA3-512 and SHA3-384 Hwever, ths fault mdel s verly smplfed and unrealstc Because many general fault njectn methds, such as clck gltches and supply vltage varatn, wuld affect a grup f bts n ntermedate states all tgether and t s almst mpssble t precsely nject sngle-bt faults nt the system wthut usng sphstcated nvasve fault njectn methds, such as laser emssn and n beamng Attackng the ther tw mdes f SHA-3 s als much mre challengng wth less bservable dgest utput In ths paper, we prpse DFA attack n SHA3-4 and SHA3-256, whch have nt been cnquered usng DFA yet, under mre realstc and relaxed fault mdels - byte-level faults Our apprach ncludes generatn f Fault Sgnature (FS) representng the prpagatn result n SHA-3 wth varus faults njected It then uses the lmted bservable dgest utput t recver part f the nput f the last rund χ peratn, χ, fr attacks We mplement and smulate all the prpsed methds and algrthms n C++ usng randmly generated messages and faults Results shw that the prpsed DFA can effcently recver all 1,600 nternal state bts fr bth SHA3-4 and SHA3-256 The rest f ths paper s rganzed as fllws In Sectn II, the prelmnares f SHA-3 wll be gven frst, then the fault mdel used n ths wrk wll be presented In Sectn III, we wll ntrduce the use f fault sgnatures t represent the fault prpagatn n SHA-3, and the methd t recver part f χ fr attacks Attack results based n the generated fault sgnatures and the recvered χ wll be gven In Sectn IV, we mprve the attacks by cnstructng fault sgnatures at the utput f last χ peratn and present the attack results We further mprve the attacks by njectng faults nt the last rund nput, and present the mprved

2 attack results Fnally, we cnclude ths paper n Sectn V II PRELIMINARIES OF SHA-3 AND DIFFERENTIAL FAULT ANALYSIS A Prelmnares f Keccak Hash Functn The Keccak hash algrthm can wrk n dfferent mdes wth varable length Standardzed by NIST, SHA-3 functns perate n mdes f Keccak-f[1600, d] [1], where each nternal state s 1600-bt rganzed n a 3-D array, as shwn n Fgure 1, and d s the capacty and als the utput length at chce Each state bt s addressed by three crdnates, dented as S(x, y, z), x, y {0, 1,, 4}, z {0, 1,, 63} 2-D enttes, plane, sheet and slce, and 1-D enttes, lane, clumn and rw, are als defned n Keccak and shwn n Fgure 1 y x z Fgure 1: State data structures used n Keccak [31] We als defne vectrs X = [0 : 4], Y = [0 : 4] and Z = [0 : 63] t stand fr multple bts n ne rw, clumn, and lane, respectvely Fr example, we can dente the bttm plane f state S (320 bts) as S(X, 0, Z) Nte that crdnates x and y are mdular f 5 whle z s mdular f 64 Keccak reles n a Spnge archtecture t teratvely absrb message nputs and squeeze ut dgests by a f permutatn functn Each f functn wrks n a state at a fxed length b = r + c In the squeezng phase, the length f the utput s cnfgurable (a multple f r bts) r c P0 P P P z z1 z 2 f f f f f f Fgure 2: The spnge cnstructn The f functn cnssts f 24 runds fr 1600-bt peratns, where each rund has fve sequental steps: S +1 = ι χ π ρ θ(s ), {0, 1,, } (1) n whch S 0 s the ntal nput Detals f each step are descrbed belw: θ s a lnear peratn whch nvlves 11 nput bts and utputs a sngle bt Each utput state bt s the XOR between the nput state bt and tw ntermedate bts prduced by ts tw neghbr clumns We dente the nput t θ peratn as θ whle the utput as θ, and the peratn s gven as fllws: θ (x, y, z) = θ (x, y, z) ( 4 y=0θ (x 1, y, z)) ( 4 y=0θ (x + 1, y, z 1)) (2) ρ s a rtatn ver the state bts alng z-axs (n lanes), and the shft amunt f bts depends n the (x, y) crdnates π s a rtatn ver the state bts wthn slces Only the crner bt (x = 0, y = 0) f the slce des nt mve All ther bts are permuted t ther pstns dependng n ther rgnal crdnates π can als be vewed as rtatn amng lanes χ s a nn-lnear step that cntans mxed bnary peratns ver state bts n rws Each bt f the utput state s the result f an XOR between the crrespndng nput state bt and ts tw neghbrng bts alng the x-axs (n a rw): χ (x, y, z) = χ (x, y, z) (χ (x + 1, y, z) χ (x + 2, y, z)) ι s a bnary XOR wth a rund cnstant whch s publcly knwn The SHA-3 famly cnssts f fur utput lengths (d n Keccak-f[1600, d]), called SHA3-4, SHA3-256, SHA3-384, and SHA3-512 [1] In ths paper, we fcus n SHA3-4 and SHA3-256, whch have shrter utput dgests (less bservable nfrmatn) than SHA3-384 and SHA3-512, and therefre are mre challengng t break by DFA Fr SHA-3, f an nternal state f the absrptn phase s recvered, the rgnal message and all the ther nternal states are recvered because the absrptn algrthm s reversble [31] We set ur DFA target as recverng the entre nternal state χ (1,600 bts) fr SHA3-4 and SHA3-256 We anntate the last tw runds f SHA-3 peratns and mprtant ntermedate states n Fgure 3, and use the ntatns n the rest f ths paper 21 Fgure 3: Ntatns fr peratns and ntermedate states The DFA takes the bserved fault at the utput (H), traces t back t certan ntermedate state (cmparsn pnt) t have the ntermedate fault, whch s then cmpared aganst all pssble faults that are generated by prpagatn f dfferent rgnal faults njected at θ In ths paper, fr basc attacks whch wll be presented n Sectn III, the fault njectn pnt s θ and the cmparsn pnt s χ Fr mprved attacks n Sectn IV, anther fault njectn H

3 pnt θ and cmparsn pnt χ wll be used t further mprve the attack effcency B Fault Mdels n Ths Paper In the prevus wrk f DFA n SHA-3 [2], the fault mdel s sngle-bt Ths s an unrealstc strngent mdel and nt feasble t attan wth general fault njectn methds, ncludng clck gltches and supply vltage varatn Faults njected by these methds tend t fall n multple bts at ne tme, fr example, n an 8-bt byte r a 32-bt wrd Multple cncurrent bt faults wll nterfere wth each ther durng peratns n the hash algrthm, and cnsderng ndvdual ndependent sngle-bt faults nly des nt address these nteractns In ths paper, we adpt relaxed and mre realstc fault mdels fr dfferent mplementatns, and prpse a generc fault prpagatn analyss methd Dfferent frm DFA n blck cphers and stream cphers [3] [9], multple faults are njected fr the same nput message n the attacks n hash functns As dfferent message may have dfferent mpact n the attack prcess, fr all the smulatn n ths paper, we generate multple randm messages (e, 10 3 randm messages) and attack each nput message separately, and then cmbne ther results t get an average number as the fnal smulatn result All the sngle-byte faults n ths paper are randmly generated, wth randm value (1-255) and randm pstns (200 bytes) T llustrate ur prpsed methd, we use the fault mdel f sngle-byte faults as example: The attacker can nject faults nt ne byte f the last tw runds nput θ and θ ; The attacker has n cntrl n ether the pstn (whch byte) r the value f the njected faults; The attacker can nly bserve the crrect and faulty SHA-3 utputs, H and H, whch are d bts fr mde SHA3-d (where d s 4, 256, 384, and 512, fr the fur mdes, respectvely), nstead f the entre 1,600 bts; The attacker can nject randm faults fr the same nput message fr multple tmes Fr cmmnly used SHA-3 mplementatn examples, data structures are rganzed alng each lane [32], [33] Thus ne byte s eght cnsecutve bts n ne lane n ths paper We refer t the surce cde prvded nlne [32] fr all mplementatn and smulatn n ths paper We nte here that ur attack methd nly requres the faults njected at θ t recver the whle nternal state χ, and we prpse t nject faults at θ t further mprve the attack effcency n ths paper III BASIC DIFFERENTIAL FAULT ANALYSIS OF SHA3-4 AND SHA3-256 Generally, because f cnfusn and dffusn prpertes n crypt peratns, any bt flp at the nput message wll affect all the bts at the utput under perfect randmness and the fault analyss wuld nt wrk Fr SHA-3, the path frm the fault njectn pnt (θ ) t the bservable utput (H) s nt very lng - nly tw runds f peratns, and therefre dfferent faults njected wll cause dfferent patterns at the dfferental utput H = H H We call such dfferental patterns as Fault Sgnature n ths paper We next dscuss the bservable nfrmatn and the fault prpagatn prcess A Observable Hash Dgest In [2], the cmparsn pnt s pcked at θ fr SHA3-384 and SHA3-512 t dentfy the sngle-bt fault njected Fr SHA3-384 and SHA3-512, a whle plane f 320 bts (y = 0, the bttm plane) at the utput H s bservable Because all the peratns ρ, π, χ, and ι are reversble, the attacker can make use f ths plane t recver 320 bts f χ : χ (x, 0, Z) = χ 1 (ι ) 1( H(y = 0)) Observable fve lanes f the bttm plane f H wll be used by attackers t retreve fve lanes f θ (x, y, Z) (x = y {0, 1, 2, 3, 4}) By bservng the rgnal and faulty hash utput, H and H, the attacker can calculate the crrespndng fve dfferental lanes f θ (nt n the the same plane any mre thugh, but n the dagnal f each slce): θ (x, y = x, Z) = ρ 1 π 1( ) χ (x, 0, Z) (3) Whle ρ and π peratns just rtate state bts t dfferent pstns wthut changng ther values, χ can be drectly used nstead, and the cmparsn pnt wll be χ crrespndngly Thus, we need t cnstruct fault sgnatures at χ, F S χ, fr attacks n ths paper In ths paper, we fcus n SHA3-4 and SHA3-256, whch have nt been targeted by DFA yet, and the methd prpsed n [2] cannt be appled drectly t them because f lmted number f bservable dgest bts In Sectn III-C, we wll shw methds t recver part f χ n bttm plane, and llustrate hw t use χ nstead f θ as cmparsn pnt fr DFA attacks n ths wrk B Fault Sgnature Generatn Fr the sngle-byte fault mdel, any nternal state f Keccak-f[1600, d] s cmpsed f 200 bytes (0 P < 200), and the fault value (F, the fault drpped n ne nput state byte f the penultmate rund) ranges frm 1 t 255, where F = 1 means t flp the lwest bt f the crrupted byte whle F = 255 means t flp all the eght bts Fr any pssble fault (F ) at any ne f the 200 pstns (P ), we dente the crrespndng fault sgnature at χ as F S χ [P ][F ] We nte here that f wthut extra specfcatn, all fault sgnatures are 1,600 bts, standng fr the 1,600 dfferental bts f the state caused by the fault F njected at P

4 Fr faults njected at θ, t wll prpagate t χ thrugh the peratns shwn n Fgure 3 We separate these peratns nt tw categres: Operatns that wll nt change bt values f fault sgnatures, ncludng bt rtatn peratns ρ and π that nly change the bt pstns, and cnstant number addtn peratn ι Operatns that wll change the bt values f fault sgnatures, whch nvlve multple bts t generate a sngle utput bt, namely θ and χ There s als dfference between these tw peratns, θ s lnear (nly cnsstng f exclusve OR peratns) whle χ s nn-lnear (cnsstng f bnary peratns AND and NOT) In the frst knd f peratns, fr ρ and π, faults at the nput wll g thrugh the peratn (pstn permutatn) drectly t prpagate t the utput, e, ρ = ρ( ρ ) and π = π( π ) Fr peratn ι, the fault des nt change at all, e, ι = ι Fr the secnd knd f peratns, ne utput bt s generated frm multple nput bts Fr θ peratn, ne snglebt fault θ (x, y, z) wll prpagate t 11 bts f θ, wth ther dfferental dented as θ (x, y, z), θ (x+1, Y, z) and θ (x 1, Y, z+1), whch are n three dfferent sheets, respectvely Fr the sngle-byte fault mdel, all the faulty bts are n the same lane f θ Wth θ peratn, n θ bt wll nvlve mre than ne faulty bt Thus, fr θ, we have θ = θ( θ ) In ths paper, we use a sngle-bt fault at θ (0, 0, 0) ( θ (0, 0, 0) = 1 whle all ther bts f θ are 0) as example t demnstrate the fault prpagatn n SHA-3, and use t t explan the cnstructn f fault sgnatures Accrdng t the abve analyss f fault prpagatn thrugh dfferent peratns, the sngle-bt fault wll be dffused t 11 bts after θ peratns, and then rtated nt dfferent lanes and rws thrugh ρ and π The fault sgnature F S χ at the nput f χ fr ths sngle-bt fault s shwn n Fgure 4 It s drect frward t cnstruct the fault sgnatures at χ because f the lnear prpertes f θ, ρ and π peratns Each bt f F S χ wll be ether 0 r 1, dependng n the value and pstn f the njected faults nly T cnstruct the fault sgnature F S χ, we need t examne the fault prpagatn prcess f χ and θ If we dente the fault prpagatn f χ as F P χ, and the fault prpagatn f θ as F P θ, the crrespndng fault sgnature at χ can be dented as fllws (nte that peratn ι des nt change the fault): F S χ = π ρ F P θ F P χ ( χ ) (4) We next analyze fault prpagatn f χ and θ 1) Fault Prpagatn n χ : χ s the nly nnlnear peratn n Keccak, and ts bt-wse AND peratn leaks nfrmatn f ts nput state bts f fault(s) happen n χ x=0: x=1: x=2: x=3: x=4: z=0 Fgure 4: Fault sgnature at χ njected 63 y=0 4 y=0 4 y=0 4 y=0 4 y=0 4 fr the example sngle-bt fault Under the sngle-bt fault mdel n [2], n mre than ne bt wll be plluted n each rw f χ, as als shwn n Fgure 4 fr vectrs χ (X, y, z) Fr the relaxed mdels used n ths paper, multple bts may be plluted n ne rw f χ In ths sectn, we present the general fault prpagatn f mult-bt faults n χ peratn Dente fve bts n ne rw f χ nput as {a, b, c, d, e }, then fve bts f crrespndng χ utput rw can be dented as a = a ( b c ), b = b ( c d ), c = c ( d e ), d = d (ē a ) and e = e (ā b ) We take a as an example t demnstrate the fault prpagatn n χ peratn Bt a s affected by bts a, b and c : 1) Wth a sngle-bt fault n a ( a = 1), a = a = 1 2) Wth a sngle-bt fault n b ( b = 1), a = a ( b c ), and then a = b c = c, whch leaks the nternal state c nfrmatn 3) Wth a sngle-bt fault n c ( c = 1), a = a ( b c ), and then a = (1 b ) c = b 4) Wth a tw-bt fault n a and b ( a = b = 1), a = a ( b c ), and then a = c 5) Wth a tw-bt fault n b and c ( b = c = 1), a = a ( b c ), and then a = b c (1 b ) c b c = b c 6) Wth a tw-bt fault n a and c ( a = c = 1), a = a ( b c ), and then a = a (1 b ) c = b 7) Wth a three-bt fault ( c = b = c = 1), a = a ( b c ), and thus a = a b c (1 b ) c b c = b c In summary, we can dente the fault sgnature fr bt

5 χ (x, y, z) as n Table I Accrdng t the abve analyss, we present the whle fault patterns at χ as n Fgure 5, n whch χ (x, y, z) s dented as C(x, y, z) fr smplcty, and the same sngle-bt fault θ (0, 0, 0) = 1 example s assumed x x x x C(0,0,44) (2,0,44); C(0,1,21) (2,1,21); C(0,3,10) (1,3,10); C(0,4,40) (1,4,40) x x x x C(1,1,45) (2,1,45); C(1,2,9) (2,2,9); C(1,3,10) (3,3,10); C(1,4,40) (3,4,40) x x x x C(2,0,15) (3,0,15); C(2,1,45) (4,1,45); C(2,2,9) (4,2,9); C(2,4,2) (3,4,2) x x x x x C(3,0,0) (4,0,0); C(3,0,15 ) (0,0,15 ); C(3,2,1) (4,2,1); C(3,3,28 ) (4,3,28 ); C(3,4,2 ) (0,4,2 ) x x x x x C(4,0,0) (1,0,0); C(4,0,44 ) (0,0,44); C(4,1,21) (0,1,21); C(4,2,1) (1,2,1); C(4,3,28) (1,3,28) Fgure 5: Fault sgnature at the utput f χ In Fgure 5, each dfferental bt χ (x, y, z) takes a value f 0, 1 r x, n whch 1 (0) means ths crrespndng utput bt flps (des nt flp) wth the specfc fault njected, respectvely, regardless f the nternal states Hwever, x at a bt pstn means that the crrespndng χ bt value depends n sme χ bt(s), and t can be 0 r 1 Fr example, we dente χ (0, 0, 44) as x, because χ (0, 0, 44) = χ (2, 0, 44) under the fault njected ( θ (0, 0, 0) = 1), and χ (0, 0, 44) wuld flp f χ (2, 0, 44) = 1, therwse t remans unchanged f χ (2, 0, 44) = 0 Thus, f the attacker has knwledge f χ (0, 0, 44) and the njected fault, he can cnstruct the crrespndng fault sgnature and then recver bt (2, 0, 44) χ 2) Fault Prpagatn n θ : Each bt f θ s the XOR f tself wth tw near clumns As shwn n Sectn III-B1, each bt f χ can be dented as 0, 1 r the XOR f χ bts Whle θ nvlves nly XOR peratn fr the 11 nput bts, we can dente θ (x, y, z) as fllws: θ (x, y, z) = θ (x, y, z) ( 4 y=0 θ (x 1, y, z)) ( 4 y=0 θ (x + 1, y, z 1)) (5) Thus the fault prpagatn functn F P θ can be dented as fllws: F S θ = θ(f S χ ) (6) Fr each bt f θ, sme f the crrespndng 11 θ bts may depend n the same χ bts, and therefre wth the peratn f XOR sme dependences wll be elmnated Ths s a key nsght fr ur fault prpagatn analyss Fr example, n the nterleaved mplementatn [34], when fault F = 65 s njected at P = 16, θ (4, 4, 3) = χ (0, 4, 3) and θ (3, 4, 3) = χ (0, 4, 3) θ (4, 4, 3), whch nvlves the tw nput bts θ (4, 4, 3) and θ (3, 4, 3), wll nt depend n χ (0, 4, 3) anymre because the dependences get canceled ut by XOR between the tw nput bts Eventually, the fault sgnature at the θ utput, F S θ, has a smlar frmat as F S χ, wth each bt beng 0, 1, r an dd r even functn (XOR) ver sme χ bts and cnstant ne As χ = π ρ( θ ), t s easy fr us t buld the fault sgnature at χ wth F S θ cnstructed based n the abve analyss, thus we shw F S χ drectly here We use the same example t shw hw the sngle-bt fault at θ (0, 0, 0) prpagates t χ Fr SHA3-4 and SHA3-256, nly partal bttm plane (less than 320 bts) f the utput state H wll be bservable Nevertheless Fgure 6 presents the fault sgnature n the whle bttm plane f F S χ, n whch we dente χ (x, 0, z) as E(x, z) fr smplcty xx xx x x x00x1x E(0,0) (1,0,0); E(0,1) (1,2,1); E(0,10) (2,2,9); E(0,11) (3,3,10); E(0,46) (2,1,45); E(0,21) (0,1,21); E(0,28) (1,3,28); E(0,41) (3,4,40); E(0,44) (0,0,44) (2,0,44); 0x x100 xxx x x1 0000x000 E(1,1) (2,1,21); E(1,20) (1,4,40); E(1,24) (2,0,44); E(1,25) (2,1,45); E(1,26) (4,1,45); E(1,47) (3,4,2); E(1,54) (4,2,9) (1,3,10); E(1,60) (3,0,15); x x0001 x xxx0 0000xx00 000x0000 E(2,8) (4,3,28); E(2,19) (3,4,40); E(2,24) (2,1,45); E(2,44) (4,0,0); E(2,45) (4,2,1); E(2,46) (0,4,2); E(2,52) (2,2,9) (4,2,9); E(2,53) (3,3,10); E(2,59) (0,0,15); 00x xx x1 0000x x0000 0xx E(3,2) (0,0,44) (4,1,45); E(3,) (1,0,0); E(3,) (1,2,1) (3,4,2); E(3,30) (4,2,9); E(3,36) (3,0,15); E(3,43) (0,1,21); E(3,49) (4,3,28); E(3,50) (1,3,28); xx x x000x x000 00x x 000x0000 E(4,14) (4,0,0); E(4,15) (4,2,1); E(4,16) (0,4,2); E(4,25) (1,3,10); E(4,29) (0,0,15); E(4,36) (2,1,21); E(4,42) (4,3,28); E(4,55) (1,4,40); E(4,59) (2,0,44); Fgure 6: Fault sgnature at χ (Bttm plane) Wth the bserved bts f χ and the fault sgnatures, attackers can wrk n equatns whch nvlve nly ne bt f χ t recver the χ bts, and then plug them back nt equatns whch nvlve mre than ne χ bt t recver the remanng χ bts Fr example, as shwn n Fgure 6, wth the sngle-bt fault njected at θ (0, 0, 0), attackers can use F S χ (1, 0, 24) t recver χ (2, 0, 44) frst Then replace χ (2, 0, 44) n F S χ (0, 0, 44) t recver χ(0, 0, 44) C χ Bts Recvery frm the Observable Dgest Fr SHA3-4 and SHA3-256, nly partal bttm plane f the hash utput s bservable, e, n mre than fur bts

6 χ Table I: Fault prpagatn f peratn χ Fault at χ nput Fault sgnature at χ utput ([x : x + 2], y, z) F S χ (x, y, z) [1,0,0] 1 [0,1,0] χ (x + 2, y, z) [0,0,1] 1 χ (x + 1, y, z) [1,1,0] 1 χ (x + 2, y, z) [0,1,1] χ (x + 1, y, z) χ(x + 2, y, z) [1,0,1] χ (x + 1, y, z) [1,1,1] 1 χ (x + 1, y, z) χ(x + 2, y, z) n each rw f χ n the bttm plane are knwn The χ peratn s reversble, and therefre each χ bt can be expressed n belw frmula whch nvlves all fve bts f χ [31], [35]: χ (x, y, z) = χ (x, y, z) χ (x + 1, y, z) (χ (x 1, y, z) χ (x + 2, y, z) χ (x 1, y, z) χ (x + 3, y, z) ) (7) Snce nt all the χ bts are knw, the attacker cannt get the crrespndng χ bts fr SHA3-4 and SHA3-256 drectly In ths sectn, we shw that wth lmted nfrmatn, part f χ n the bttm plan can stll be recvered frm the bservable utput 1) Recver χ Bts n Thery: Fr smplcty, we use ne rw n χ peratn as an example here We express the nput bts (a, b, c, d, e ) as functns ver the utput bts (a, b, c, d, e ) as: a = a b (e ) c e d b = b c (a ) d a e c = c d (b ) e b a d = d e (c ) (8) a c b e = e a (d ) b d c Fr SHA3-256, fr each rw, bt e s unknwn whle (a, b, c, d ) are bservable by attackers; fr SHA3-4, bt e s unknwn fr the frst 32 rws whle bth d and e are unknwn fr the remanng 32 rws Fr the equatns n (8), we have the fllwng bservatns fr SHA3-256: Fr a, f d = 1, a = a b c ; f b = 1, a = a Fr bth stuatns, the value f a s ndependent f the unknwn e, and attackers can retreve a wthut knwledge f e The prbablty f d = 1 and the prbablty f b = 1 are 05 respectvely, and thus the ttal prbablty f d = 1 r b = 1 s 075, whch means that the value f a can be recvered wth a prbablty f 75% Fr b, f a = 0, b = b c d ; f c = 1, b = b Smlarly, the prbablty f recverng b wth unknwn e s als 075 Fr c, f d = 1, c = c, thus the prbablty f recverng c s 05 Fr d, f c a c b = 0, d = d, thus the prbablty f recverng d s 05 The value f e always depends n e, thus the attackers cannt retreve e wthut knwledge f e In cnclusn, fr SHA3-256, the attacker can recver the bts n the frst and secnd lanes f the bttm plan f χ wth 075 prbablty, and the bts n the thrd and furth lane wth 05 prbablty In ttal, the attackers can recver 160 bts f χ theretcally Smlarly, fr SHA3-4, attackers can use the same methd t recver 112 bts f χ theretcally 2) A Practcal Methd t Recver χ Bts: In the prevus sectn, we analyze that the attacker can recver 160 bts f χ fr SHA3-256 and 112 bts f χ fr SHA3-4 theretcally In ths sectn, we present a practcal methd t recver χ bts whch can be easly mplemented We stll use the rw wth nput (a, b, c, d, e ) and utput (a, b, c, d, e ) n SHA3-256 as an example here Whle a, b, c, d are bservable by attackers, e can nly be ether 0 r 1, then we can make assumptns f bth stuatns and wrte them as rw 0 = {a, b, c, d, 0} and rw 1 = {a, b, c, d, 1} Fr bth stuatns, we can calculate the nput rw 0, rw1 usng χ nversn peratn: { {a 0, b 0, c0, d0, e0 } = χ 1 ({a, b, c, d, 0}) {a 1, b1, c1, d1, e1 } = χ 1 ({a, b, c, d, 1}) (9) Take bt a as an example here, the value f a can nly be a 0 r a1 : 1) If a 0 = a1, then the value f a des nt depend n the value f e and ths s the crrect recvered value fr a ; 2) If a 0 a1, then the value f a depends n the value f e, and attacker cannt recver a n ths stuatn T verfy the abve algrthm, we mplement bth SHA3-4 and SHA3-256 n C++ and randmly generate 10 5 nput messages fr each f them We use the prpsed algrthm

7 t recver the χ bts fr bth SHA3-4 and SHA3-256 Results shw that the prpsed algrthm can crrectly recver bts f χ fr SHA3-256 and bts f χ fr SHA3-4 n average fr these 10 5 trals, whch are the same as the theretcal results gven n the prevus sectn Usng the abve methd, the attacker can recver part f the χ bts n the bttm plane frm the rgnal dgest H, and faulty χ bts fr faulty dgest H Usng the recvered χ (X, 0, Z) and χ (X, 0, Z), the attacker can calculate the crrespndng χ (X, 0, Z) bts Nte that here the attacker can recver 160 (112) bts f bth χ (X, 0, Z) and χ (X, 0, Z) fr SHA3-256 (SHA3-4) n average, but the recvered χ and χ may have dfferent lcatns, and therefre the attackers wll recver fewer than 160 (112) bts f χ (X, 0, Z) nstead The smulatn results shw that attacker can recver bts f χ fr SHA3-256, and 9368 bts fr SHA3-4 n average fr 10 5 trals D Injected Fault Identfcatn and χ Bts Recvery Usng the prevus algrthms, the attacker can cnstruct fault sgnatures F S χ fr all njected faults, and recver sme bts f χ (X, 0, Z) frm the bservable utput In ths sectn, we present the algrthms t use the abve nfrmatn t dentfy the njected faults and recver χ bts Fr the recvered χ (X, 0, Z) bts, we separate them nt tw grups: χ whte cntans the recvered bt pstns (x, y, z) f χ wth χ (x, y, z) = 0, whch means the bts at these pstns are nt flpped; black cntans the recvered bt pstns (x, y, z) f χ wth χ (x, y, z) = 1, whch means the bts at these pstns are flpped χ Fr these recvered bt pstns, we check the crrespndng fault sgnatures at F S χ [P ][F ](x, y, z) fr fault F njected at pstn P at the penultmate rund nput We can separate them nt three grups: F S χ [P ][F ]whte cntans the bt pstns (x, y, z) wth χ (x, y, z) recvered and F S χ [P ][F ](x, y, z) = 0, e, the njected fault des nt affect these utput bts F S χ [P ][F ]black cntans the bt pstns (x, y, z) wth χ (x, y, z) recvered and F S χ [P ][F ](x, y, z) = 1, whch are fr sure t flp when the fault s njected F S χ [P ][F ]grey cntans the bt pstns (x, y, z) wth χ (x, y, z) recvered and F S χ [P ][F ](x, y, z) s a functn dependent n sme bts f χ, e, they can leak sme nternal state bts nfrmatn Fr the crrect fault F 0 njected at the crrect pstn P 0, the fllwng relatns shuld hld: Fr bt n F S χ [P 0][F 0 ]whte, ths bt shuld nt flp fr sure, then ths bt shuld be n χ whte; Fr bt n F S χ [P 0][F 0 ]black, ths bt shuld flp fr sure, then ths bt shuld be n χ black; Fr any bt n F S χ [P 0][F 0 ]grey, t can be n χ whte r χ black, dependng n sme nternal state bts We can summarze the abve relatns as fllws: F S χ F S χ [P ][F ]whte χ whte [P ][F ]black χ black [P ][F ]whte F S χ [P ][F ]grey} [P ][F ]black F S χ [P ][F ]grey} (10) χ whte {F S χ χ black {F S χ By checkng relatnshps n (10), attackers can exclude many pstns and fault values If nly ne pstn wth ne fault value satsfes these relatnshp, the njected fault s dscvered All the F S χ [P 0][F 0 ]grey bts nw are mapped t ether zer (whte) r ne (black) n the bserved dfferentals, and therefre the nternal state bts can be recvered We smulate the njected fault dentfcatn algrthm fr bth SHA3-4 and SHA3-256 We randmly generate 10 4 nput messages and randmly nject 10 3 sngle-byte faults nt the penultmate rund nput θ fr each message Results shw that fr SHA3-256, wth a prbablty f 6661% the attacker can fnd a unque fault that satsfes the abve relatns Wth the rest 3339% prbablty, mre than ne faults satsfy the abve relatns and the attacker cannt precsely dentfy the njected fault The results are shwn n Table II Table II: Smulatn results fr SHA3-4 and SHA3-256 wth fault njected at θ Number f Recvered Prbablty f χ χ unque fault SHA % SHA % In ths paper, we nly make use f the njected faults whch can be dentfed unquely based n the prpsed algrthm, and dscard thse faults that attacker has ambguty - recverng mre than ne faults that satsfy the relatnshp n (10) We defne such unque faults as effectve faults, and a hgher percentage f effectve faults wll make the attacks mre effcent Wth the njected fault dentfed, ncludng the fault value F and njected pstn P, we next shw the results f recverng χ bts n ths sectn Once the unque fault value at a certan pstn s dentfed, all the bts n the F S χ are knwn t be zer r ne Usng the methd descrbed n Sectn III-B2, we can recver all the χ bts based n the equatns cnstructed n the x bts f F S χ

8 F S χ (x, y, z) =F S χ (x, y, z) F S χ (x + 1, y, z) χ (x + 2, y, z) (1 χ (x + 1, y, z)) F S χ (x + 2, y, z) F S χ (x + 1, y, z) F S χ (x + 2, y, z) (11) We use smlar smulatn settngs as prevus sectn, and we smulate nt nly SHA3-4 and SHA3-256, but als cmpare ther results wth SHA3-384/512 The results fr attackng fur SHA-3 mdes are shwn n Fgure 7, where the x-axs s the number f effectve njected faults that attackers can dentfy a unque fault, whle the y-axs s the ttal number f recvered χ bts Results shw that the prpsed scheme can recver the χ bts, but the attack s much less effcent than the attack n SHA3-384/512 Ths s because much fewer bts f F S χ and χ are avalable fr SHA3-4 and SHA3-256 than SHA3-384/512 In next sectn, we prpse effectve methds t mprve the prpsed attacks Number f recvered bts SHA3 4 SHA3 256 SHA3 384/ Number f effectve faults njected Fgure 7: Number f recvered χ njected faults IV IMPROVED ATTACKS bts fr dfferent number f In prevus sectn, we present hw t use fault sgnatures at state χ t recver nternal state χ bts fr SHA3-4 and SHA3-256, wth much less effcency than SHA3-384/512 In ths sectn, we prpse tw methds t mprve the effcency f the attacks: Prpagate the faults further t generate fault sgnatures F S χ, and use them n addtn t F S χ t mprve the attack Ths methd des nt need any extra nfrmatn (lke state bts etc) frm the target system Inject faults at the last rund nput θ t recver mre bts f χ n the bttm plane, and thus t mprve the number f avalable χ and F S χ bts Next we present these tw methds n detal A Attacks Usng bth F S χ Fault sgnature at χ and F S χ, can leak nfrmatn nt, F S χ cntaned n F S χ Cmbnng F S χ wth F S χ, the attacker shuld be able t extract mre nfrmatn than usng nly F S χ 1) Fault Sgnature F S χ Generatn: Fr any fault n the three bts a, b, and c, the χ peratn prpagates t nt the utput bt, a = a ( b c ) Smlar t the χ fault prpagatn, there are several types f pssble faults n the three nput bts Hwever, fr any χ, t can nly be 0 r 1 (ndependent f the nternal state bts but nly dependent n the fault) when faults are njected at the penultmate rund nput Whle fr any χ bt, t can be 0, 1 r x (as a functn ver certan χ bts) Whle a, b and c can be all faulty, we can dente a as a ( b c ), then: a = a b c (1 b ) c b c (12) Thus F S χ (x, y, z) can be dented as (11) Each bt f F S χ can be dented as 0, 1 r the peratns f χ bts, thus F S χ (x, y, z) can als be dented as ether 0, 1 r the peratns f χ bts There are sme specal case fr the cnstructn f a n (12) When there are tw faulty bts: 1) If c = 0, a 0 and b 0, then a = a b c 2) If a = 0, b 0 and c 0, then a = b c (1 b ) c b c 3) If b = 0, a 0 and c 0, then a = a (1 b ) c If nly ne bt s faulty fr a, b and c, the cnstructn f a can be further smplfed as fllws: 1) If b = c = 0 and a 0 ( a = 1 r a =x), a = a, and the cnstructn f a des nt requre knwledge f b and c 2) If a = c = 0 and b 0, a = b c, and the cnstructn f a requres knwledge f c 3) If a = b = 0 and c 0, a = (1 b ) c As demnstrated n Sectn III-C, we can recver sme bts f χ usng the bservable dgest H, thus we can cnstruct fault sgnatures fr sme bts f χ based n the abve analyss Use the same methd as Sectn III-D, we can separate the cnstructed fault sgnature F S χ [P ][F ] nt three grups, defntely 0 (whte), defntely 1 (black), r dependent n sme nput bts and/r nput faults (grey) Fr SHA3-4, 4 bts f χ are avalable, 256 bts f χ are avalable fr SHA3-256 We can use the same relatnshps fr χ and F S χ as shwn n (10) t buld relatnshps fr χ and F S χ, and cmbne t wth (10) t mprve the effectve fault dentfcatn rate

9 2) Smulatn Results: We run smulatns fr the mprved attacks, and results shw that the prbablty f dentfyng the unque njected faults rses sgnfcantly fr bth SHA3-4 and SHA3-256, frm 3067% t 4912% fr SHA3-4 and frm 5328% t 7873% fr SHA3-256 We nject multple randm sngle-byte faults t extract all the 1, 600 χ bts fr SHA3-4 and SHA3-256 usng the prpsed mprved attacks, stll cmparng wth the attack result f SHA3-384/512 The results are shwn n Fgure 8 Number f recvered bts SHA3 4 SHA3 256 SHA3 384/ Number f effectve faults njected Fgure 8: Number f recvered χ njected faults bts fr dfferent number f Cmpared wth the rgnal attack and ts results n Fgure 7, the prpsed methd n ths sectn mprves the attack effcency sgnfcantly fr bth SHA3-4 and SHA3-256 Fr SHA3-4, the attack methd n Sectn III needs abut 200 faults t recver 1, 300 bts f χ, whle the mprved methd n ths sectn nly needs 82 faults Smlarly, fr SHA3-256, the number f faults needed reduces frm 200 t 80 t recver abut 1, 510 bts f χ Nte ths mprvement methd des nt need any extra nfrmatn extracted frm the target system, and generatng fault sgnature F S χ effrt, makng t sutable fr real attacks des nt requre much cmputatn B Imprved Attacks by Injectng Faults n θ Fr the methd prpsed n Sectn IV-A, the unque fault dentfcatn rate and the number f recvered χ bts by usng the same number f effectve njected faults are stll lwer than attacks n SHA3-384/512 The reasn les n the fact that attackers can recver less number f χ and χ bts fr SHA3-4 and SHA3-256 than SHA3-384/512 In ths sectn, we prpse t mprve the attacks n SHA3-4 and SHA3-256 by njectng faults nt the last rund nput t recver mre χ bts frm the crrect hash dgest, and thus t mprve the number f avalable χ and F S χ bts fr attack 1) Recverng mre χ by Injectng Faults nt θ : T recver χ bts by njectng faults at θ, we need t calculate the fault prpagatn frm θ t χ These faults wll prpagate thrugh θ, ρ, π and χ peratns The fault prpagatn prcess s exactly the same as n the penultmate rund (frm θ t χ ) as presented n Sectn III-B1 We dente the fault sgnature at χ fr faults njected at θ as F S χ n ths sectn Usng the faults njected at θ, attackers can recver sme bts f χ wth a shrter dstance between the hash dgest and the cmparsn pnt (χ ) fr dfferental fault analyss Nte here that fr SHA3-256 and the frst 32 rws f SHA3-4 (wth fur bts ut f fve bts f each utput rw n the bttm plane knwn), f the attacker recvers ne bt χ (x, 0, z) that has nt been recvered usng the algrthm n Sectn III-C, he can recver all the ther unknwn bts n ths rw Fr example, we assume a 0 a 1 n (9) and ths bt has been recvered by njectng faults at θ, then the attackers can knw whch assumptn f e s crrect, and then recver all the fve bts n ths rw Ths methd can be used fr all 64 rws n the bttm plane f SHA3-256 and the frst 32 rws f SHA3-4 In SHA3-4, fr the remanng rws wth tw bts unknwn, χ (X, 0, z), 32 z < 63, these tw bts can nly be recvered by njectng faults at θ separately T dentfy the njected faults, we use bth fault sgnatures at χ and χ, dented as F S and F S χ χ We randmly generate 10 3 messages, and fr each message randmly nject 1000 faults at θ fr attacks Fr bth SHA3-4 and SHA3-256, we can dentfy the crrect fault njected at θ wth abut 20% prbablty After dentfyng the crrect fault njected at θ, we can recver all bts n the bttm plane f χ, and we present the results n Fgure 9 bts Number f recvered χ SHA3 4 SHA Number f effectve faults njected Fgure 9: Revery f χ bts by njectng faults at θ It shws that fr SHA3-256, the attacker can recver abut 244 bts f χ usng nly fve effectve faults, cmpared wth 160 bts recvered when n faults njected at θ We nte here that the attacker des nt need t recver all the bts f χ n the bttm plane fr attacks, he can recver part f χ t mprve the effcency f attackng χ We wll shw hw the attacks n χ change wth the number f χ bts recvered n next sectn 2) Attack Results: Wth mre fault-free χ bts, attackers can cnstruct mre bts f χ and F S χ and use them fr

10 attacks Fr smplcty, we make the fllwng assumptns fr attackers: Attackers can recver part f χ bts usng algrthm presented n Sectn III-C (wth n fault njected at θ ) Attackers can nject faults at θ t recver the remanng bts f χ, and we assume that the attackers can recver ne rw usng the recvered bts n ths rw fr all the rws f bth SHA3-4 and SHA3-256 fr smplcty We randmly generate 10 3 nput message, fr each message, we use the algrthm n Sectn III-C t recver part f χ bts frst Fr each message, we randmly recver frm 0 t 64 rws f χ fr 10 3 trals In each tral, we nject 1000 randm faults at θ t calculate the fault dentfcatn rate and shw the results n Fgure 10 Percentage f effectve fault (%) SHA3 4 SHA Number f recvered rws Fgure 10: Percentage f unque faults dentfcatn wth dfferent number f χ rws recvered Fgure 10 shws that wth mre rws f χ recvered, attackers can dentfy the randmly njected faults at θ wth hgher rates Fr example, fr SHA3-4, the fault dentfcatn rate s 5328% when n rws are recvered by njectng faults at θ, and t rses t 8834% when all 64 rws (320 bts) are recvered Smlarly, fr SHA3-256, ths rate rses frm 7873% t 9367% It means that by recverng extra χ bts, the faults njected at θ can be dentfed wth much hgher prbablty Take SHA3-4 fr an example, the attacker may need t nject abut 375 faults at θ t get nly 200 effectve faults whch can be unquely dentfed, but he wll need nly t nject abut 6 faults nstead after he has knwledge f all the bts f θ n the bttm plane Wth knwledge f mre χ bts, the attacker can buld mre equatns lke n Fgure 6 wth mre χ and F S χ bts, then attacker can recver mre χ bts fr each njected fault n average T verfy the assumptn, we assume the attacker can recver frm 0 t 64 rws f χ, and we run attacks n SHA3-4 and SHA3-256 t recver all the bts f χ We present the attack results n SHA3-4 wth dfferent numbers f rws recvered n Fgure 11 Number f recvered bts rws 16 rws 32 rws 48 rws 64 rws Number f effectve faults njected Fgure 11: Number f recvered χ bts fr dfferent number f njected faults wth a number f χ rws recvered Fgure 11 shws that attacker needs smaller number f effectve faults t recver all the bts f χ f he has recvered mre rws f χ Fr example, f he has full knwledge f the bttm plane f χ, he can recver 1590 bts f χ usng 110 randm faults n average Fr attacker wh cannt nject fault nt the last rund nput, usng the mprved methd n Sectn IV-A1, he can recver abut nly 1, 412 bts usng 110 njected faults Fr SHA3-256, the results are smlar, and we wll nt present the detals here C Dscussnss and Future Wrk In ths paper, we prpse a methd t use dfferental fault analyss t break SHA3-4 and SHA3-256, and then present tw methds t mprve the attacks The frst mprved methd n Sectn IV-A requres n extra knwledge f the target system, whle the methd prpsed n Sectn IV-B requres t nject faults nt θ extra χ bts n the bttm plane t recver Take SHA3-4 as an example here, the fault dentfcatn rate s abut 49% f n extra rws recvered, and ths rate rses t abut 75% wth abut 30 extra rws recvered (needs abut fve effectve faults, thus 25 faults n ttal at θ ) Then f the attacker needs abut 200 faults at θ t recver the whle state f χ, he needs t nject abut 408 faults (fault dentfcatn rate abut 49%) wthut knwledge f extra rws f χ, and abut 267 faults (fault dentfcatn rate abut 75%) wth knwledge f the extra rws f χ In ths case, njectng faults at θ t recver extra rws f χ wll mprve the effcency f the attack sgnfcantly Actually, the prpsed methd used n the attacks f SHA3-4 and SHA3-256 can be appled t mprve the attacks f SHA3-512 Fr SHA3-512, the dgest sze s 512 bts, and 192 bts wll be bservable n the plane χ (X, 1, Z) Thus usng the methd n Sectn III-C, sme bts n the plane χ (X, 1, Z) can be recvered fr attacks Cmparng wth usng nly the 320 bts n the bttm plane

11 f χ, ths methd can be used t mprve the effectve fault rate fr the njected faults Ths wrk shws that DFA n SHA3-4 and SHA3-256 are mre dffcult than SHA3-384 and SHA3-512, whle SHA3-4 s mre dffcult t cnquer than SHA3-256, and ths s dfferent frm ther securty level under ther attack methds such as cllsn attacks [31] Thus dfferent knds f attacks shuld be taken nt cnsderatn at the desgn stage f SHA-3 systems As the prtectn f SHA-3 aganst fault njectn attacks has nt been dscussed thrughly [36], [37], future wrk wll nclude the prtectns f SHA-3 systems aganst fault njectn attacks V CONCLUSION In ths paper, we prpse effcent methds t cnquer SHA3-4 and SHA3-256 usng dfferental fault analyss Cmparng wth prevus wrk, we extend the DFA n SHA- 3 t SHA3-4 and SHA3-256 under relaxed fault mdel Results shw that the prpsed methds n ths paper can effcently dentfy the randmly njected sngle-byte fault, and then use the recvered fault nfrmatn t recver χ bts Acknwledgment: Ths wrk was supprted n part by Natnal Scence Fundatn under grants SaTC and MRI Smulatn cde used n ths paper s avalable at REFERENCES [1] N F Pub, FIPS PUB 202 SHA-3 Standard: Permutatn- Based Hash and Extendable-Output Functns, Federal Infrmatn Prcessng Standards Publcatn, 2015 [2] N Bagher, N Ghaed, and S Sanadhya, Dfferental fault analyss f SHA-3, n Prgress n Cryptlgy INDOCRYPT 2015, 2015, pp [3] E Bham and A Shamr, Dfferental fault analyss f secret key cryptsystems, n Advances n Cryptlgy - CRYPTO 97, Aug 1997, pp [4] G Pret and J-J Qusquater, A dfferental fault attack technque aganst SPN structures, wth applcatn t the AES and KHAZAD, n Cryptgraphc Hardware & Embedded Systems, Sept 2003, pp [5] H Chen, W Wu, and D Feng, Dfferental fault analyss n CLEFIA, n Infrmatn and cmmuncatns securty, 2007, pp [6] S Karmakar and D R Chwdhury, Dfferental fault analyss f mckey , n Fault Dagnss and Tlerance n Cryptgraphy (FDTC), 2013 Wrkshp n, 2013, pp [7] S Bank and S Matra, A dfferental fault attack n MICKEY 20, n Cryptgraphc Hardware and Embedded Systems-CHES 2013, pp [8] S Bank, S Matra, and S Sarkar, A dfferental fault attack n the Gran famly f stream cphers, n Cryptgraphc Hardware and Embedded Systems CHES 2012, 2012, pp [9] P Dey, A Chakrabrty, A Adhkar, and D Mukhpadhyay, Imprved practcal dfferental fault analyss f Gran-128, n Prceedngs f the 2015 Desgn, Autmatn & Test n Eurpe Cnference & Exhbtn, pp [10] L Hemme and L Hffmann, Dfferental fault analyss n the SHA1 cmpressn functn, n Fault Dagnss and Tlerance n Cryptgraphy (FDTC), 2011 Wrkshp n, Sept 2011, pp [11] R AlTawy and A M Yussef, Infrmatn Securty Practce and Experence: 11th Internatnal Cnference, ISPEC 2015, Bejng, Chna, May 5-8, 2015, Prceedngs, 2015, ch Dfferental Fault Analyss f Streebg, pp [12] W L, Z Ta, D Gu, Y Wang, Z Lu, and Y Lu, Dfferental fault analyss n the MD5 cmpressn functn, Jurnal f Cmputers, n 11, 2013 [13] W Fscher and C A Reuter, Dfferental fault analyss n GrøStl, n Prceedngs f the 2012 Wrkshp n Fault Dagnss and Tlerance n Cryptgraphy, ser FDTC 12, 2012, pp [14] P Lu, Y Fe, X Fang, A Dng, M Leeser, and D Kael, Pwer analyss attack n hardware mplementatn f MAC- Keccak n FPGAs, n ReCnFgurable Cmputng and FP- GAs, 2014 [15] P Lu, Y Fe, X Fang, A Dng, D Kael, and M Leeser, Sde-channel analyss f MAC-Keccak hardware mplementatns, n Hardware and Archtectural Supprt fr Securty and Prvacy, 2015 [16] M Taha and P Schaumnt, Sde-channel analyss f MAC- Keccak, n Hardware-Orented Securty and Trust (HOST), 2013 IEEE Internatnal Sympsum n, June 2013, pp [17] I Dnur, O Dunkelman, and A Shamr, Cllsn attacks n up t 5 runds f SHA-3 usng generalzed nternal dfferentals, n Fast Sftware Encryptn, S Mra, Ed, 2014, pp [18] C Bura and A Canteaut, A zer-sum prperty fr the Keccak-f permutatn wth 18 runds, n 2010 IEEE Internatnal Sympsum n Infrmatn Thery, June 2010, pp [19] O Benît and T Peyrn, Sde-channel analyss f sx SHA- 3 canddates, n Cryptgraphc Hardware and Embedded Systems, CHES 2010, pp [20] C Bura and A Canteaut, Zer-sum dstngushers fr terated permutatns and applcatn t Keccak-f and Hams- 256, n Selected Areas n Cryptgraphy, 2010, pp 1 17 [21] C Bura, A Canteaut, and C De Cannere, Hgher-rder dfferental prpertes f Keccak and Luffa, n Fast Sftware Encryptn, 2011, pp

12 [] S Das and W Meer, Dfferental bases n reduced-rund Keccak, n Prgress n Cryptlgy AFRICACRYPT 2014, 2014, pp [] I Dnur, O Dunkelman, and A Shamr, New attacks n Keccak-4 and Keccak-256 n FSE, 2012, pp [24] I Dnur, O Dunkelman, and A Shamr, Imprved practcal attacks n rund-reduced Keccak, Jurnal f cryptlgy, n 2, pp , 2014 [25] I Dnur, P Mraweck, J Peprzyk, M Srebrny, and M Straus, Cube attacks and cube-attack-lke cryptanalyss n the rund-reduced Keccak spnge functn, n Advances n Cryptlgy EUROCRYPT 2015, pp [26] A Duc, J Gu, T Peyrn, and L We, Unalgned rebund attack: applcatn t Keccak, n Fast Sftware Encryptn, 2012, pp [27] J Jean and I Nklć, Internal dfferental bmerangs: practcal analyss f the rund-reduced Keccak-f permutatn, n Fast Sftware Encryptn, 2015, pp [28] S Kölbl, F Mendel, T Nad, and M Schläffer, Dfferental cryptanalyss f Keccak varants, n Cryptgraphy and Cdng, 2013, pp [29] P Mraweck, J Peprzyk, and M Srebrny, Rtatnal cryptanalyss f rund-reduced Keccak, n Fast Sftware Encryptn, 2013, pp [30] M Naya-Plasenca, A Röck, and W Meer, Practcal analyss f reduced-rund keccak, n Prgress n Cryptlgy INDOCRYPT 2011, 2011, pp [31] G Bertn, J Daemen, M Peeters, and G Assche, The Keccak reference, Submssn t NIST (Rund 3), January, 2011 [32] Reference and ptmzed cde n C, 32zp [33] P Pessl and M Hutter, Pushng the lmts f SHA-3 hardware mplementatns t ft n RFID, n Cryptgraphc Hardware and Embedded Systems - CHES 2013, 2013, pp [34] G Bertn, J Daemen, M Peeters, G Van Assche, and R Van Keer, Keccak mplementatn vervew, Reprt, STMcrelectrncs, Antwerp, Belgum, 2012 [35] J Daemen, Cpher and hash functn desgn strateges based n lnear and dfferental cryptanalyss, PhD dssertatn, Dctral Dssertatn, March 1995, KU Leuven, 1995 [36] P Lu, C L, and Y Fe, Cncurrent errr detectn fr relable SHA-3 desgn, n Prceedngs f the 26th Edtn n Great Lakes Sympsum n VLSI, ser GLSVLSI 16, 2016, pp [37] S Bayat-Sarmad, M Mzaffar-Kerman, and A Reyhan- Masleh, Effcent and cncurrent relable realzatn f the secure cryptgraphc SHA-3 algrthm, Cmputer-Aded Desgn f Integrated Crcuts and Systems, IEEE Transactns n, vl 33, n 7, pp , 2014