Differential Fault Attack on Rasta and $\text{FiLIP}_{\text{DSM}}$

In this paper we propose Differential Fault Attack (DFA) on two Fully Homomorphic Encryption (FHE) friendly stream ciphers Rasta and $\text{FiLIP}_{\text{DSM}}$ . Design criteria of Rasta rely on affine layers and nonlinear layers, whereas $\text{FiLIP}_{\text{DSM}}$ relies on permutations and a nonlinear filter function. Here we show that the secret key of these two ciphers can be recovered by injecting only 1 bit fault in the initial state. Our DFA on full round (# rounds $=6$ ) Rasta with 219 block size requires only one block (i.e., 219 bits) of normal and faulty keystream bits. In the case of our DFA on FiLIP-430 (one instance of $\text{FiLIP}_{\text{DSM}}$ ), we need 30000 normal and faulty keystream bits.