Cryptanalysis of Two Fault Countermeasure Schemes

Subhadeep Banik, Andrey Bogdanov

Research output: Chapter in Book/Report/Conference proceeding > Article in proceedings > Research > peer-review


In this paper, we look at two fault countermeasure schemes proposed very recently in the literature. The first, proposed at ACISP 2015, constructs a transformation function from a cellular-automaton-based linear diffusion layer and a non-linear layer built from a series of bent functions. This countermeasure is meant for the protection of block ciphers like AES. The second countermeasure was proposed at IEEE-HOST 2015 and protects the Grain-128 stream cipher. The design divides the output function used in Grain-128 into two components. The first, called the masking function, masks the input bits to the output function with some additional randomness and computes the value of the function. The second, called the unmasking function, is computed securely using a different register and undoes the effect of the masking with random bits. We will show that there exists a weakness in the way in which both these schemes use the internally generated random bits, which makes these designs vulnerable. We will outline attacks that cryptanalyse the above schemes using 66 and 512 faults respectively.
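The masking/unmasking split described for the Grain-128 countermeasure can be made concrete on a toy filter function. The following is an added example, not code from the paper or from either countermeasure: it symbolically substitutes x_i -> x_i XOR r_i into a small constructed filter function h (an assumption standing in for Grain-128's real output function), separates the monomials that involve the random bits r (the correction the unmasking function must supply) from those that do not (h(x) itself), and checks exhaustively that the masked value XOR the correction recovers h(x). The attacks on the actual schemes are not reproduced here.

```python
"""Toy illustration of splitting a Boolean filter function into a masking and an
unmasking function, in the style of the Grain-128 countermeasure described above.
Added example: not the paper's or the countermeasure's own code; the filter
function below is a small constructed polynomial, not Grain-128's actual h."""
from itertools import product

# A GF(2) polynomial in algebraic normal form is a set of monomials; each monomial
# is a frozenset of variable names ("x0" = state bit 0, "r0" = random bit 0).
# The empty frozenset is the constant 1.

# Constructed toy filter function h(x) = x0 x1 + x2 x3 + x0 x2 x4 (assumption:
# a stand-in with the quadratic-plus-cubic shape of a typical filter function).
TOY_H = frozenset({(0, 1), (2, 3), (0, 2, 4)})
N_INPUTS = 5


def poly_mul(a, b):
    """Multiply two ANF polynomials; identical monomials cancel in characteristic 2."""
    out = set()
    for m1 in a:
        for m2 in b:
            out ^= {m1 | m2}
    return out


def expand_masked(h_monomials):
    """Return the ANF of h(x XOR r), obtained by substituting x_i -> x_i + r_i."""
    expanded = set()
    for mono in h_monomials:
        term = {frozenset()}  # constant 1
        for i in mono:
            term = poly_mul(term, {frozenset({f"x{i}"}), frozenset({f"r{i}"})})
        expanded ^= term
    return expanded


def split_mask_unmask(h_monomials):
    """Split h(x XOR r) into the part depending only on x (this is h(x) itself)
    and the correction involving random bits (what the unmasking function computes)."""
    expanded = expand_masked(h_monomials)
    x_only = {m for m in expanded if not any(v.startswith("r") for v in m)}
    return x_only, expanded - x_only


def evaluate(poly, x, r):
    """Evaluate an ANF polynomial at the state bits x and random bits r."""
    bits = {f"x{i}": b for i, b in enumerate(x)}
    bits.update({f"r{i}": b for i, b in enumerate(r)})
    acc = 0
    for mono in poly:
        val = 1
        for v in mono:
            val &= bits[v]
        acc ^= val
    return acc


def h_direct(h_monomials, x):
    """Evaluate the unprotected filter function h on the state bits x."""
    acc = 0
    for mono in h_monomials:
        val = 1
        for i in mono:
            val &= x[i]
        acc ^= val
    return acc


def masking_function(h_monomials, x, r):
    """Masking function: feed h the randomised inputs x XOR r and return h(x XOR r)."""
    masked_inputs = tuple(a ^ b for a, b in zip(x, r))
    return h_direct(h_monomials, masked_inputs)


def unmasking_function(correction, x, r):
    """Unmasking function: the correction term that turns h(x XOR r) back into h(x)."""
    return evaluate(correction, x, r)


def verify_split(h_monomials, n):
    """Check exhaustively that masking XOR unmasking equals h(x) for all x and r."""
    _, correction = split_mask_unmask(h_monomials)
    for x in product((0, 1), repeat=n):
        for r in product((0, 1), repeat=n):
            recovered = masking_function(h_monomials, x, r) ^ unmasking_function(correction, x, r)
            if recovered != h_direct(h_monomials, x):
                return False
    return True


if __name__ == "__main__":
    x_part, corr = split_mask_unmask(TOY_H)
    print("h(x) part     :", sorted("".join(sorted(m)) for m in x_part))
    print("unmasking part:", sorted("".join(sorted(m)) for m in corr))
    print("split is correct for all inputs:", verify_split(TOY_H, N_INPUTS))
```

The correction vanishes when r is all zero and otherwise depends on both the state bits and the random bits, so the two components only cancel correctly if they are driven by consistent randomness. The abstract's attacks target how the real schemes generate and use those random bits, which this toy does not model.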
Original language: English
Title of host publication: Progress in Cryptology – INDOCRYPT 2015: Proceedings of the 16th International Conference on Cryptology in India
Editors: Alex Biryukov, Vipul Goyal
Publication date: 2015
ISBN (Print): 978-3-319-26616-9
ISBN (Electronic): 978-3-319-26617-6
Publication status: Published - 2015
Event: 16th International Conference on Cryptology in India - Bangalore, India
Duration: 6 Dec 2015 - 9 Dec 2015
Conference number: 16


Series: Lecture Notes in Computer Science


  • AES
  • Fault analysis
  • Grain-128
  • Infective countermeasures


