Practical Fault Attacks On Minalpher: How To Recover Key With Minimum Faults?

This work presents two differential fault attacks (or DFA) on Minalpher, a second round CAESAR candidate under practical fault model with as few faults as possible. Minalpher uses a new primitive called tweakable Even-Mansour, based on a permutation-based block-cipher proposed by Even and Mansour and to the best of our knowledge, no practical DFA has yet been reported on it. In the first DFA, only two random faults have been injected on two consecutive 4-bit nibbles (i.e. within total 8 bits) of a specific internal state. We show that (i) if both the faults are injected at the same nibble the key-space for the intermediate key can be reduced significantly from 2(256) to 2(32) and (ii) if the faults are injected at different positions, the key-space for the intermediate key can be reduced further to only 2(16). In the second DFA, we first consider two faults into a single nibble, which reduces the keyspace from 2(256) to 2(48). Moreover, we show that one additional fault (i.e. total three faults) helps to reduce the key -space significantly to 2(8). We can compute the correct intermediate key by observing a few more plain-text, cipher-text pairs, which helps in computing valid cipher-text, tag pairs for any message and associated data under a fixed nonce.