Multi-Bit Differential Fault Analysis of Grain-128 with Very Weak Assumptions

Very few differential fault attacks (DFA) were reported on Grain-128 so far. In this paper we present a generic attack strategy that allows the adversary to challenge the cipher under different multi-bit fault models with faults at a targeted keystream generation round even if bit arrangement of the actual cipher device is unknown. Also unique identification of fault locations is not necessary. To the best of our knowledge, this paper assumes the weakest adversarial power ever considered in the open literature for DFA on Grain-128 and develops the most realistic attack strategy so far on Grain-128. In particular, when a random area within k ∈ {1, 2, 3, 4, 5} neighbourhood bits can only be disturbed by a single fault injection at the first keystream generation round (k-neighbourhood bit fault), without knowing the locations or the exact number of bits the injected fault has altered, our attack strategy always breaks the cipher with 5 faults. In a weaker setup even if bit arrangement of the cipher device is unknown, bad-faults (at the first keystream generation round) are rejected with probabilities 0.999993, 0.999979, 0.999963, 0.999946 and 0.999921 assuming that the adversary will use only 1, 2, 3, 4 and 5 neighbourhood bit faults respectively for key-IV recovery.