Fault based almost universal forgeries on CLOC and SILC

Abstract

CLOC and SILC are two blockcipher based authenticated encryption schemes, submitted to the CAESAR competition, that aim to use low area buffer and handle short input efficiently. The designers of the schemes claimed n/2 -bit integrity security against nonce reusing adversaries, where n is the blockcipher state size in bits. In this paper, we present single fault-based almost universal forgeries on both CLOC and SILC with only one single bit fault at a fixed position of a specific blockcipher input. In the case of CLOC, the forgery can be done for almost any nonce, associated data and message triplet, except some nominal restrictions on associated data. In the case of SILC, the forgery can be done for almost any associated data and message, except some nominal restrictions on associated data along with a fixed nonce. Both the attacks on CLOC and SILC require several nonce-misusing encryption queries. This attack is independent of the underlying blockcipher and works on the encryption mode. In this paper, we also validate the proposed fault based forgery methodology by performing actual fault attacks by electromagnetic pulse injection which shows practicality of the proposed forgery procedure. Finally, we provide updated constructions, that can resist the fault attack on the mode assuming the underlying blockcipher is fault resistant. We would like to note that our attacks do not violate the designers’ claims as our attacks require fault. However, it shows some vulnerability of the schemes when fault is feasible.