Paper 2024/1005
Differential Fault Attack on HE-Friendly Stream Ciphers: Masta, Pasta and Elisabeth
Abstract
In this paper, we propose Differential Fault Attacks (DFA) on three Homomorphic Encryption (HE) friendly stream ciphers: \textsf{Masta}, \textsf{Pasta}, and \textsf{Elisabeth}. Both \textsf{Masta} and \textsf{Pasta} are \textsf{Rasta}-like ciphers with publicly derived and pseudorandom affine layers. The design of \textsf{Elisabeth} is an extension of \textsf{FLIP} and \textsf{FiLIP}, following the group filter permutator paradigm. All three ciphers operate on elements over $\mathbb{Z}_p$ or $\mathbb{Z}_{2^n}$, rather than $\mathbb{Z}_2$. We can recover the secret keys of all the targeted ciphers through DFA. In particular, for \textsf{Elisabeth}, we present a new method to determine the filtering path, which is vital to making the attack practical. Our attacks on various instances of \textsf{Masta} are practical and require only one block of keystream and a single word-based fault. By injecting three word-based faults, we can theoretically mount DFA on two instances of \textsf{Pasta}, \textsf{Pasta}-3 and \textsf{Pasta}-4. For \textsf{Elisabeth}-4, the only instance of the \textsf{Elisabeth} family, we present two DFAs in which we inject four bit-based faults or a single word-based fault. With 15000 normal and faulty keystream words, the DFA on \textsf{Elisabeth}-4 can be completed in just a few minutes.
Note: The DFA on Elisabeth has been revised, with the single-bit fault now limited to the Most Significant Bit (MSB) of a word. Additionally, we have supplemented the analysis with a DFA on Elisabeth under the random word error model.
Metadata
- Category: Attacks and cryptanalysis
- Publication info: Preprint.
- Keywords: Differential fault attack, Masta, Pasta, Elisabeth
- Contact author(s): SJTUwwz @ sjtu edu cn, dengtang @ sjtu edu cn
- History:
  - 2024-07-29: revised
  - 2024-06-21: received
- Short URL: https://ia.cr/2024/1005
- License: CC BY
BibTeX
@misc{cryptoeprint:2024/1005,
  author = {Weizhe Wang and Deng Tang},
  title = {Differential Fault Attack on {HE}-Friendly Stream Ciphers: Masta, Pasta and Elisabeth},
  howpublished = {Cryptology {ePrint} Archive, Paper 2024/1005},
  year = {2024},
  url = {https://eprint.iacr.org/2024/1005}
}