Statistical Ineffective Fault Analysis of GIMLI
This work addresses security vulnerabilities in lightweight cryptography for embedded systems, but it is incremental as it extends an existing attack method to a new cipher.
The paper tackles the problem of applying Statistical Ineffective Fault Analysis (SIFA) to the GIMLI cipher, a participant in the NIST-LWC competition, by identifying two attack locations during initialization that recover key bits with specific fault counts, such as 3 unique bits and parity of 8 bits using 180 faults at the first location.
Ineffective Fault Analysis (SIFA) was introduced as a new approach to attack block ciphers at CHES 2018. Since then, they have been proven to be a powerful class of attacks, with an easy to achieve fault model. One of the main benefits of SIFA is to overcome detection-based and infection-based countermeasures. In this paper we explain how the principles of SIFA can be applied to GIMLI, an authenticated encryption cipher participating the NIST-LWC competition. We identified two possible rounds during the intialization phase of GIMLI to mount our attack. If we attack the first location we are able to recover 3 bits of the key uniquely and the parity of 8 key-bits organized in 3 sums using 180 ineffective faults per biased single intermediate bit. If we attack the second location we are able to recover 15 bits of the key uniquely and the parity of 22 key-bits organized in 7 sums using 340 ineffective faults per biased intermediate bit. Furthermore, we investigated the influence of the fault model on the rate of ineffective faults in GIMLI. Finally, we verify the efficiency of our attacks by means of simulation.