Fault analysis of Trivium


As a hardware-oriented stream cipher, Trivium is on the edge of low cost and compactness. In this paper we discuss how brittle Trivium is under fault attack. Our fault model is based on the following two assumptions: (1)We canmake fault injection on the state at a random time and (2) after each fault injection, the fault positions are from random one of three registers, and from a random area within eight neighboring bits. Our fault model has extremely weak assumptions for effective attack , and much weaker than that of Hojsík and Rudolf, in their fault attack onTrivium.We present a checkingmethod such that, by observing original key-stream segment and fault injected key-stream segment, the injecting time and fault positions can be determined. Then, for several distributions of the injecting time, our random simulations always show that the attacker can break Trivium by a small number of repeated fault injections. For example, suppose that the injecting time has an uniform distribution over {0, 1, . . . , 32}, then averagely nomore than 16 repeated fault injection procedures will break Trivium, by averagely observing no more than 195× 17 key-stream bits.

DOI: 10.1007/s10623-011-9518-9

3 Figures and Tables

Cite this paper

@article{Hu2012FaultAO, title={Fault analysis of Trivium}, author={Yupu Hu and Juntao Gao and Qing Liu and Yiwei Zhang}, journal={Des. Codes Cryptography}, year={2012}, volume={62}, pages={289-311} }