EscApe: Diagonal fault analysis of APE

Abstract

This work presents an adaptation of the classical diagonal fault attack on APE which is a member of the PRIMATEs family of authenticated encryption (AE) schemes. APE is the first nonce misuseresistant permutation based AE scheme and is one of the submissions to the CAESAR competition. In this work we showcase how nonce reuse can be misused in the context of differential fault analysis of on-line authenticated encryption schemes like APE. Using the misuse, we finally present a diagonal fault attack on APE-80 that is able to reduce the key-search space from 2160 to 225 using just two random uni-word (A word in this context is a 5-bit vector.) diagonal faults. Increasing the number of faults to 4 results in the unique identification of the key with a high probability. We find that both the AES-like internal permutation and the last round cipher-text output contribute to the reduction in keyspace. We also provide theoretical analysis on the average reduction in the key-search space of the attack. To the best of our knowledge, this work reports the first fault analysis of a Sponge based mode of operation when used in the context of authenticated encryption.