DESIV- Differential Fault Analysis of SIV-Rijndael256 with a Single Fault

Here we mounted a Differential Fault Attack (DFA) on NIST LWC Round-1 candidate SIV-Rijndael256 AEAD and thus we completely recovered the master-key inducing only one fault in the internal state of the SIV-Rijndael256 AEAD. Moreover, we have used key-scheduling algorithm of Rijndael256 to make our DFA more stronger.


Brief Description of SIV-Rijndael256 AEAD

General Structure of SIV.Enc (Encryption Algorithm of SIV-Rijndael256 AEAD)


General Structure of SIV.Dec (Decryption Algorithm of SIV-Rijndael256 AEAD)


Brief Description of Rijndael256

Each round of modified Rijndael256 executes following steps (almost like AES):

  1. AddTweak (AT) : In this step a 3-bit tweak is XORed with each byte of the second column of the state.
  2. SubBytes (SB) : Same like the SubBytes operation of AES.
  3. ShiftRows (SR) : The shift offsets for rows 0, 1, 2, 3 are determined by the shift-offset vector \(\sigma\) = {0, 1, 3, 4}
  4. MixColumns (MC) : Same like the MixColumns operation of AES.
  5. AddRoundKey (ARK) : In this linear step, each byte of the state is exclusive-ORed with the corresponding byte of the round key.

Round structure of modified Rijndael256 is as follows:


3-round Fault Diffusion Property of Rijndael256

Diagonal: A diagonal is the set of four bytes of the state which maps to the same column under SR operation.

\[j^\text{th} (0 \le j \le 7) diagonal = D_j\]

3-round fault diffusion with a single-byte fault in the diagonal \(D_7\):