
Paper 2024/478

The Insecurity of SHA2 under the Differential Fault Characteristic of Boolean Functions

Weiqiong Cao, Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China.
Hua Chen, Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China.
Hongsong Shi, China Information Technology Security Evaluation Center
Haoyuan Li
Jian Wang, Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China; University of Chinese Academy of Sciences, Beijing 100049, China.
Abstract

SHA2 is widely used in various traditional public key cryptosystems, post-quantum cryptography, personal identification, and network communication protocols. Therefore, ensuring its robust security is of critical importance. Several differential fault attacks based on random word faults have targeted SHA1 and SHACAL-2. However, extending such random-word-fault attacks to SHA2 is much more difficult because of the increased complexity of the Boolean functions in SHA2. In this paper, assuming a random word fault, we identify distinctive differential properties within the Boolean functions of SHA2. Based on these findings, we propose a novel differential fault attack methodology that can be used effectively to recover the final message block and its corresponding initial vector in SHA2, forge HMAC-SHA2 messages, extract the key of SHACAL-2, and extend our analysis to similar algorithms such as SM3. The efficacy of these attacks is validated through rigorous simulations and theoretical deductions, illustrating that they represent a considerable threat to the security of SHA2. In simulations, our approach only requires guessing $T$ bits of a register, where $T$ is at most $5$. Moreover, the probability of successfully recovering a register (excluding the guessed bits) approaches 100% when 15 faults are introduced (in 1000 instances), and the approximate probability is at least 95% when $T=1$. Consequently, approximately 928 random faults are necessary to successfully execute the attack on the compression function. Furthermore, we discuss potential countermeasures, including verification and infection detection, and propose methods to determine the time and location of fault injection in practical experiments.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Preprint.
Keywords
SHA2, Differential Fault Attack, Boolean Function, HMAC, SM3
Contact author(s)
caoweiqiong @ iscas ac cn
chenhua @ iscas ac cn
hsshi @ 163 com
lihy @ zgclab edu cn
wangjian2019 @ iscas ac cn
History
2024-08-13: last of 3 revisions
2024-03-21: received
See all versions
Short URL
https://ia.cr/2024/478
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/478,
      author = {Weiqiong Cao and Hua Chen and Hongsong Shi and Haoyuan Li and Jian Wang},
      title = {The Insecurity of {SHA2} under the Differential Fault Characteristic of Boolean Functions},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/478},
      year = {2024},
      url = {https://eprint.iacr.org/2024/478}
}