Published in: Journal of cryptographic engineering

Differential fault analysis of NORX using variants of coupon collector problem



Abstract

In this paper, we report the first DFA on nonce-based CAESAR scheme NORX (applicable to all the versions v1, v2.0, v3.0). This demonstrates a scenario when faults introduced in NORX in parallel mode can be used to collide the internal branches to produce an all-zero state. Later, this fault is used to replay on NORX despite being instantiated by different nonces and messages. Once replayed, the secret key of NORX can be recovered using secondary faults and using the faulty tags. The attack presents a case where for the first time both internal and classical differentials are used to mount a DFA on a nonce-based authenticated cipher. Different fault models are used to showcase the versatility of the attack strategy. A detailed theoretical analysis of the expected number of faults is furnished under various models. Under the random bit-flip model, around 1384 faults need to be induced to reduce the key-space from $2^{128}$ to $2^{32}$, while the random byte-flip model requires 332 faults to uniquely identify the key. Moreover, we have identified and solved a new theoretical problem for the consecutive bit-flip fault model that is a special variant of the generalized coupon collector problem. We refer to the new problem as the consecutive coupon collector problem. We also present a mathematical proof to this problem for the first time in the literature. Additionally, we corroborate that our theoretical values are matched very closely to the simulated values. Further, we show the validation of our calculations of the problem using hypothesis testing. Finally, we furnish a discussion to assess the DFA vulnerability of FORK-256 based on a strategy similar to the one used for NORX.
