Fault Attack on ACORN v3

Abstract

Fault attack is one of the most efficient side-channel attacks and has attracted much attention in the recent public cryptographic literature. In this work, we introduce a fault attack on the authenticated cipher ACORN v3. Our attack is carried out under the assumption that a fault is injected into an initial state of ACORN v3 at a random location, and it contains two main steps: fault locating and equation solving. In the first step, we introduce the concepts of unique set and non-unique set, where differential strings belonging to unique sets determine the fault location uniquely. For strings belonging to non-unique sets, we use some strategies to increase the probability of determining the fault location uniquely to almost 1. In the second step, we demonstrate several ways of retrieving equations, and then obtain the initial state by solving the equations with the guess-and-determine method. With $n$ fault experiments, we can recover the initial state with time complexity $c \cdot 2^{146.5 - 3.52 n}$, where $c$ is the time complexity of solving linear equations and $26 < n < 43$. We also apply the attack to ACORN v2, which shows that the changes from ACORN v2 to ACORN v3 have reduced the security margin of this algorithm against the differential fault attack.

1. INTRODUCTION

The CAESAR competition [1], launched in 2014, aims at finding authenticated ciphers that offer advantages over AES-GCM and are suitable for widespread adoption. In total, 57 candidates were submitted to the competition. After two rounds of assessment, only 15 survivors were announced for the third round. ACORN, submitted by Wu, is one of the 15 proposals. It has three versions [2–4] and is based on a simple binary feedback shift register (FSR, for short) of length 293. The third-round submission ACORN v3 differs from ACORN v2 in the feedback function and the filter function.
Up to now, several cryptographic analyses of ACORN have provided some insight into the diffusion ability of the cipher. Using the guess-and-determine and differential-algebraic techniques, Liu et al. proposed a state recovery attack on ACORN v1 [5], but the attack is worse than a brute force attack. Chaigneau et al. showed a key recovery attack on ACORN v1 when the nonce is reused to encrypt a small amount of chosen plaintexts [6]. It is shown that if one IV is reused seven times, the security of ACORN is lost. Salam et al. developed cube attacks on reduced-round versions of ACORN v1 and v2 [7], which are far from threatening the real-life use of the cipher. Salam et al. also investigated an attack to find a collision of the state under the assumption that the key is known [8]. Lafitte et al. described practical attacks to recover the state and the key [9]. However, the attacks are much more expensive than the brute force attack. Josh et al. claimed that the associated data do not affect any keystream bits if the size of the associated data is small [10]. Zhang et al. studied state collisions of the authenticated cipher ACORN [11]. Roy et al. gave some results on ACORN [12]. One of them is a probabilistic linear relation between plaintext bits and ciphertext bits, which holds with probability $\frac{1}{2} + \frac{1}{2^{350}}$, but the bias is too small to be tested. Another result is that they could recover the initial state of the cipher with time complexity approximately equal to $2^{40}$, which is done under an impractical assumption. The designer of ACORN commented on these analyses in [13], showing that some of the attacks are not really attacks. Since the differential fault attack is a side-channel attack that works on physical implementations, it is interesting to apply side-channel cryptanalysis to a cryptographic algorithm that is being used or will be used in reality.
Due to the work of Biham et al., the fault attack has become a powerful tool for retrieving the secret key of many cryptographic primitives [14]. The first fault attack on a stream cipher was introduced by Hoch and Shamir [15]. Skorobogatov et al. showed that a typical fault attack allows an attacker to inject faults by means of laser shots or clock glitches into a device initialized by a secret key and change one or more bits of its internal state [16, 17]. Then, by analyzing the difference between the faulty device and the correct device, he or she could deduce some information about the internal state or secret key. Under the assumption that a hard fault is injected at a certain position, Dey et al. proposed a hard fault attack on ACORN v1 and v2 in a nonce-respecting scenario in [18]. Zhang et al. gave a fault attack on the authenticated cipher ACORN v2 under a general fault model of random fault injection [19]. But there are no results on differential fault attacks on ACORN v3.

In this work, we give some results on differential fault attacks on ACORN v3 under a general fault model of random fault injection into an initial state. Our attack contains two main steps: fault locating and equation solving. In the fault locating step, we show that when a fault is injected into an initial state randomly, we can get a differential string between the faulty and correct keystream bits. With the differential string, we aim at identifying the fault location. First, for each fault location, we give a method to obtain the differential set, which contains all possible differential strings. We then sort the sets into two parts: unique sets and non-unique sets. We say that a differential set is a unique set if every string belonging to it determines the fault location uniquely. Otherwise, we call it a non-unique set.
If the differential string belongs to non-unique sets, we use some strategies, including the keystream bits extension strategy and the high probability priority strategy, to increase the probability of determining the fault location uniquely. We show that when a 163-bit keystream is available, the probability can reach 99.998%. In the second step, we first give two algorithms to retrieve equations. Our main idea is based on the observation that the first 99 bits of the differential keystream of ACORN v3 can be expressed as linear or quadratic functions of the initial state, which helps us to recover the initial state. We also give several methods to retrieve more linear equations. Then we use the guess-and-determine method to obtain the initial state. With $n$ fault experiments, we can recover the initial state with time complexity $c \cdot 2^{146.5 - 3.52 n}$, where $c$ is the time complexity of solving linear equations and $26 < n < 43$. We also apply the differential fault attack to ACORN v2. The initial state of ACORN v2 can be recovered with time complexity $c \cdot 2^{146.5 - 1.95 n}$, where $40 < n < 77$. The results show that the changes from ACORN v2 to ACORN v3 have reduced the security margin of this algorithm against the differential fault attack.

The fault attack on ACORN v3 is based on [19]. However, we give some improvements as follows:

- ACORN v3 and v2 differ in the feedback function and the filter function, which are the most important factors affecting the fault attack. Compared to ACORN v2, the feedback function used in ACORN v3 becomes more complex, which means that the confusion property of the algorithm is improved. But the filter function becomes simpler, which intuitively makes the keystream less random. There should be a tradeoff between these two functions. This new paper, together with the previous publication, can provide some insights into the design of such stream ciphers.
- The process of the fault attack in this article is the same as that of the previous publication, containing two main steps: fault locating and equation solving. But we give some new and efficient techniques to achieve our goals. In the first step, fault locating, we provide a new method to compute the differential strings (or differential sets), which is simpler than the previous method. We also introduce the concepts of unique set and non-unique set to increase the possibility of determining the fault location. In the second step, equation solving, we give two algorithms to retrieve differential equations. According to the structure of ACORN v3, we observe two properties which can provide more linear equations.
- We also apply our new method to ACORN v2. The time complexity is lower than that of the previous result, see Table 1.

Table 1. Related result.

Number of faults n    Time complexity                    Source
$31 \le n \le 88$     $c \cdot 2^{179.19 - 1.76 n}$      [19]
$39 \le n \le 76$     $c \cdot 2^{146.5 - 1.95 n}$       this paper

The rest of this paper is organized as follows. In Section 2, a brief description of ACORN is provided. The fault attacks on ACORN v3 and v2 are introduced in Sections 3 and 4. Finally, we conclude this paper in Section 4.

2. BRIEF DESCRIPTION OF ACORN

ACORN v3 is restated briefly in this section; for more details, one can refer to [2]. We do not describe the initialization, the processing of the associated data or the finalization, because our attack does not involve them, and restate only the encryption procedure. Denote by $S = (s_0, s_1, \ldots, s_{292})$ the initial state of ACORN v3 before the first keystream bit is output and by $p$ the plaintext.
The functions used in the encryption procedure of ACORN v3 are the feedback function $f(S,p)$, the state update function $F(S,p)$ and the filter function $g(S)$. The feedback function $f(S,p)$ is mainly involved in the feedback computation of the FSR and is defined as

$$f(S,p) = 1 \oplus s_0 \oplus s_{61} \oplus s_{66} \oplus s_{107} \oplus s_{196} \oplus s_{23}s_{160} \oplus s_{23}s_{244} \oplus s_{160}s_{244} \oplus p.$$

Introducing intermediate variables $y_i$ ($1 \le i \le 293$),

$$\begin{aligned}
y_{293} &= f(S,p) \\
y_{289} &= s_{289} \oplus s_{235} \oplus s_{230} \\
y_{230} &= s_{230} \oplus s_{196} \oplus s_{193} \\
y_{193} &= s_{193} \oplus s_{160} \oplus s_{154} \\
y_{154} &= s_{154} \oplus s_{111} \oplus s_{107} \\
y_{107} &= s_{107} \oplus s_{66} \oplus s_{61} \\
y_{61} &= s_{61} \oplus s_{23} \oplus s_{0} \\
y_{i} &= s_{i} \quad (1 \le i \le 292,\ i \notin \{61, 107, 154, 193, 230, 289\}),
\end{aligned}$$

the state update function $F(S,p)$ can be described as

$$s_i = y_{i+1}, \quad \text{where } 0 \le i \le 292.$$

It is easy to check that the state update function $F(S,p)$ is invertible on $S$ when $p$ is given. The process of introducing intermediate variables can be regarded as a linear transformation $L$ with respect to the internal state. The keystream $z$ is generated by the filter function $g(S)$ defined as

$$g(S) = s_{12} \oplus s_{66} \oplus s_{107} \oplus s_{111} \oplus s_{154} \oplus (s_{61} \oplus s_{23} \oplus s_{0})(s_{193} \oplus s_{160} \oplus s_{154}) \oplus (s_{66} \oplus s_{111})(s_{230} \oplus s_{193} \oplus s_{196}) \oplus (s_{61} \oplus s_{23} \oplus s_{0} \oplus s_{193} \oplus s_{160} \oplus s_{154})\, s_{235}.$$

At each step $i$ of the encryption procedure, one plaintext bit $p$ is injected into the state and one ciphertext bit $C$ is obtained as $p \oplus z$. The pseudo-code of the encryption procedure of ACORN v3 is given as follows:

    l ← the bit length of the plaintext;
    for i from 0 to l−1 do
        z_i = g(S);
        c_i = z_i ⊕ p_i;
        S = F(S, p_i);
    end for

For ACORN v2, the only difference from ACORN v3 is that a part of the filter function, $s_{66} \oplus (s_{66} \oplus s_{111})(s_{230} \oplus s_{193} \oplus s_{196})$, is moved to the feedback function. All other details are the same as those of ACORN v3. For more details, one can refer to [3].

3. FAULT ATTACK ON ACORN V3

We first give an outline of the fault attack model before introducing our fault attack on ACORN v3.
We assume that an attacker can access the physical device of a stream cipher and knows the IV and the keystream. The attack can also be performed without observing the keystream directly if the attacker can force the same plaintext to be encrypted repeatedly, since the required differentials can then be obtained by XORing the corresponding ciphertexts. The attacker just attempts to exploit a fault and tracks the differential trail of the keystream. By analyzing the differential trail, one could deduce some information about the internal state, and then proceed to recover the key or forge a valid tag for any plaintext.

In our fault attack, the following privileges of an attacker are required:

- The attacker has the ability to reset the physical device with the original Key-IV and restart the cipher operations multiple times.
- The attacker can inject a fault into the initial state randomly before the encryption procedure, but cannot choose the location.
- The attacker can observe the keystream resulting from each trial.

Our attack contains two main parts: fault locating and equation solving. In the first step, we demonstrate how to determine the fault location, and in the second step, we retrieve a system of equations with respect to the initial state and show how to recover the initial state with this system of equations. Once the initial state is recovered, the forgery attack can be executed easily.

3.1. Fault locating

In this section, we present how to identify the fault location after a fault is injected into the initial state randomly. We first introduce a method to obtain differential sets, and then provide a fault locating method. Denote by $S = (s_0, s_1, \ldots, s_{292})$ the initial state of the FSR and by $P = (p_0, p_1, \ldots, p_{l-1})$ the $l$-bit plaintext. $[a,b]$ denotes the closed interval from $a$ to $b$ for integers $a$ and $b$, where $a \le b$.
Let $z = (z_0, z_1, \ldots, z_{l-1})$ be the correct keystream and $z^i = (z^i_0, z^i_1, \ldots, z^i_l)$ be the faulty keystream generated by an initial state with a fault at location $i$, where $i \in [0,292]$. We define an $l$-bit differential string $\Delta z^i$. The $j$th element $\Delta z^i_j$ of $\Delta z^i$ satisfies $\Delta z^i_j = z_j \oplus z^i_j$. As $\Delta z^i_j$ is 0, 1 or a non-zero function of $S$, we also denote by $\Delta z^i$ a differential set that contains all possible differential strings resulting from the faulty initial state at location $i$, where $i \in [0,292]$.

3.1.1. Obtaining differential sets

Now, we need to get all differential sets $\Delta z^i$, where $i \in [0,292]$. This part is a pre-processing step that only needs to be done once, and its results can then be used for all later attacks. We represent $\Delta z^i$ as a sequence of the positions whose components are either 1 or non-constant functions of $S$, omitting the 0 components. Here, we suppose $l = 99$, since the first 99 bits of the differential keystream can be represented as linear or quadratic functions of $S$. These equations can be used to retrieve enough linear equations to recover the initial state. For example, when $s_0$ is changed, we can get

$$\Delta z^0 = (\Delta z^0_0, 0^{37}, \Delta z^0_{38}, 0^{10}, 1, 0^{8}, \Delta z^0_{58}, 0^{2}, \Delta z^0_{61}, 0^{14}, \Delta z^0_{76}, 0^{10}, 1, 0^{8}, \Delta z^0_{96}, \Delta z^0_{97}, 0)$$

where $0^i$ ($i \in \{37, 10, 8, 2, 14\}$) represents $i$ consecutive 0s, and $\Delta z^0_j$ ($j \in \{0, 38, 58, 61, 76, 96, 97\}$) is a non-constant function of $S$. Omitting the 0 components, $\Delta z^0$ can be represented as $\Delta z^0 = (0, 38, \mathbf{49}, 58, 61, 63, 76, \mathbf{87}, 96, 97)$, where the numbers in bold indicate that 1 always occurs in these positions. Let $A$ be the set of all locations that are involved in $f(S,p)$ or $g(S)$ directly, that is,

$$A = \{0, 12, 23, 61, 66, 107, 111, 154, 160, 193, 196, 230, 235, 244\}.$$

By injecting one fault at location $i$, where $i \in A$, we find that the length of $\Delta z^i$ is at most 25, see Table 2.

Table 2. $\Delta z^i$, $i \in A$.

i     $\Delta z^i$
0     0 38 49 58 61 63 76 87 96 97
12    0 12 50 61 70 73 75 88
23    0 11 23 38 49 58 63 72 76 81 84 86 87 96 97
61    0 38 41 46 49 58 61 63 76 82 84 87 92 95 96 97
66    0 5 41 43 46 51 54 58 63 66 68 81 82 84 87 89 92 95 97
107   0 41 43 46 47 58 63 82 84 86 87 88 90 92 93 94 95 97
111   0 4 43 45 47 50 51 62 67 88 90 91 92 93 94 96 97 98
154   0 33 39 43 47 66 72 78 82 86 88 90 91 93 94 96
160   0 6 33 39 45 49 53 58 63 66 72 78 82 84 86 88 91 92 94 96 97
193   0 33 34 37 39 66 68 70 71 72 74 76 78 82 86 91 92 96 97
196   0 3 34 36 37 40 42 58 63 68 69 70 71 73 74 75 76 77 79 81 85 89 92 94 95
230   0 34 37 54 59 68 70 71 74 76 92 93 96 97
235   0 5 39 42 54 59 64 73 75 76 79 81 93 96 97 98
244   9 14 48 51 58 63 68 73 82 84 85 88 90 97

The numbers in bold represent the positions of components 1 and others represent the positions of the non-constant functions with respect to $S$.

For the non-constant function components in each $\Delta z^i$, where $i \in A$, we have checked that at most 4 of them equal 1 with probability $\frac{1}{4}$ and the others equal 1 with probability $\frac{1}{2}$. For one non-constant function component $\Delta z^i_j$ that equals 1 with probability $\frac{1}{4}$ (or $\frac{1}{2}$), if we choose 32 initial states randomly, we get 32 corresponding values of $\Delta z^i_j$.
All 32 values are equal to 0 with probability about $2^{-13}$ (or $2^{-32}$), where $(1 - 1/4)^{32} \simeq 2^{-13}$ (or $(1 - 1/2)^{32} = 2^{-32}$). Since the length of $\Delta z^i$ is at most 25 for $i \in A$, the event that there is at least one position where 1 can occur but never does has probability less than $1 - (1 - 2^{-13})^{25}$, which can be neglected. So, for one fault location $i \in A$, it is enough to choose 32 initial states randomly to get all the positions where 1 may occur. For the other fault locations $i$, where $i \in [0,292]$ and $i \notin A$, the first new differences that are not caused by shifting are introduced when the difference in $s_i$, denoted by $\Delta s_i$, shifts to some location in $A$. So, the length of $\Delta z^i$ is also at most 25 and 32 random initial states are enough.

Algorithm 1 is used to obtain all differential sets. The main idea is to fix one fault location $i$ and choose 32 initial states randomly to get 32 differential strings, and then to extract the positions where 1 may occur and the positions where 1 always occurs. Due to the page limit, we list only a part of the differential sets $\Delta z^i$ in Appendix A.
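The pre-processing that Algorithm 1 performs, as an added example (not code from the paper): a Python model of the encryption phase built from the $f$, $g$ and $F$ given in Section 2, which derives $MQ_i$ and $AQ_i$ for a fault location and prints the rows of Table 2. The bit-sliced evaluation of all trials at once, the all-zero plaintext, the fixed seed and the function names are assumptions of this example.

```python
import random

STATE_BITS = 293   # FSR length given on the page
L_BITS = 99        # l = 99 keystream bits, as in Section 3.1.1
A = [0, 12, 23, 61, 66, 107, 111, 154, 160, 193, 196, 230, 235, 244]


def keystream(state, nbits, mask):
    """Run the encryption phase with all-zero plaintext; return z_0..z_{nbits-1}.

    Bit-sliced: state[k] is an int whose bit t holds s_k of trial t, so one
    call evaluates every random initial state at once. `mask` has one bit set
    per trial and plays the role of the constant 1 in f(S, p).
    """
    s = list(state)
    out = []
    for _ in range(nbits):
        # Intermediate variables y_i of the linear transformation L.
        y61 = s[61] ^ s[23] ^ s[0]
        y107 = s[107] ^ s[66] ^ s[61]
        y154 = s[154] ^ s[111] ^ s[107]
        y193 = s[193] ^ s[160] ^ s[154]
        y230 = s[230] ^ s[196] ^ s[193]
        y289 = s[289] ^ s[235] ^ s[230]
        # Filter function g(S).
        out.append(s[12] ^ s[66] ^ s[107] ^ s[111] ^ s[154]
                   ^ (y61 & y193)
                   ^ ((s[66] ^ s[111]) & y230)
                   ^ ((y61 ^ y193) & s[235]))
        # Feedback function f(S, p) with p = 0.
        y293 = (mask ^ s[0] ^ s[61] ^ s[66] ^ s[107] ^ s[196]
                ^ (s[23] & s[160]) ^ (s[23] & s[244]) ^ (s[160] & s[244]))
        s[61], s[107], s[154] = y61, y107, y154
        s[193], s[230], s[289] = y193, y230, y289
        s = s[1:] + [y293]          # state update F: s_i = y_{i+1}
    return out


def differential_set(i, trials=32, nbits=L_BITS, seed=0):
    """Algorithm 1 for fault location i: return (MQ_i, AQ_i) as sets."""
    rng = random.Random(seed)       # constructed random initial states
    mask = (1 << trials) - 1
    state = [rng.getrandbits(trials) for _ in range(STATE_BITS)]
    z = keystream(state, nbits, mask)
    state[i] ^= mask                # s_i <- s_i XOR 1 in every trial
    z_faulty = keystream(state, nbits, mask)
    mq, aq = set(), set()
    for j in range(nbits):
        delta = z[j] ^ z_faulty[j]  # one difference bit per trial
        if delta == mask:
            aq.add(j)               # difference is 1 in all trials
        elif delta:
            mq.add(j)               # difference is 1 in some trials only
    return mq, aq


def table2(trials=32):
    """Sorted positions of MQ_i and AQ_i together for every i in A."""
    rows = {}
    for i in A:
        mq, aq = differential_set(i, trials)
        rows[i] = sorted(mq | aq)
    return rows


if __name__ == "__main__":
    for i, row in table2().items():
        print(i, *row)
```

For $i = 12$ this gives $AQ_{12} = \{0, 61\}$ and $MQ_{12} = \{12, 50, 70, 73, 75, 88\}$, the positions listed in the corresponding row of Table 2.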
Algorithm 1 Obtain differential set $\Delta z^i$, where $i \in [0,292]$

Require: fault location $i$, where $i \in [0,292]$
Ensure: the position set $MQ_i$ where 1 occurs with probability less than 1 and the position set $AQ_i$ where 1 always occurs

    Choose 32 initial states randomly
    for each initial state do
        run the encryption phase of ACORN v3 to get an $l$-bit keystream $z$
        $s_i \leftarrow s_i \oplus 1$
        run the encryption phase of ACORN v3 to get an $l$-bit keystream $z^i$, calculate $\Delta z^i$
        for $j$ from 0 to $l-1$ do
            if $\Delta z^i_j \neq 0$ then
                add $j$ to $MQ_i$ (repeated $j$ are always preserved)
            end if
        end for
    end for
    for $j$ from 0 to $l-1$ do
        if there are 32 $j$ in $MQ_i$ then
            add $j$ to $AQ_i$ and delete $j$ in $MQ_i$
        end if
    end for
    delete the repeated numbers in $MQ_i$
    return $MQ_i$ and $AQ_i$

3.1.2. Fault locating method

When a faulty experiment is carried out, i.e. a fault is injected into an initial state randomly, we get a differential string $\Delta z$, with which we can determine the fault location according to the differential sets obtained above. The main idea is to compare the positions of the 1s in $\Delta z$ with those in the strings belonging to $\Delta z^i$, where $i \in [0,292]$. In a very small number of cases, different fault locations can generate the same differential string. So we separate the fault locations into two parts: unique sets and non-unique sets. By analyzing the strings separately, we aim at giving a more accurate assessment of our fault locating method, because strings belonging to unique sets increase the possibility of determining the fault location. The definition of unique set is given as follows.
Definition 1. For one differential set $\Delta z^i$ corresponding to the fault location $i$, if each string belonging to it can determine only one fault location, we say that $\Delta z^i$ is a unique set, where $i \in [0,292]$. Otherwise we say that $\Delta z^i$ is a non-unique set.

Algorithm 2 Find unique set $\Delta z^i$, where $i \in [0,292]$

Require: differential sets $\Delta z^i$, $MQ_i$ and $AQ_i$, where $i \in [0,292]$
Ensure: unique sets and non-unique sets

    for $i$ from 0 to 291 do
        for $k$ from $i+1$ to 292 do
            if $MQ_i \cup AQ_i \subseteq MQ_k \cup AQ_k$ and $AQ_k \subseteq MQ_i \cup AQ_i$ then
                return $\Delta z^i$ and $\Delta z^k$ are non-unique sets
            end if
        end for
        if there is not any return then
            return $\Delta z^i$ is a unique set
        end if
    end for

For all 293 fault locations, Algorithm 2 is used to extract unique sets. The major task is to compare the locations where 1 always occurs.
Running through all differential sets $\Delta z^i$, where $i \in [0,292]$, we find that there are 103 unique sets, 96 of which are marked in Appendix A. The number of unique sets can provide some insight into the diffusion ability of the cipher. Given one differential string, if it belongs to one of the unique sets, the unique fault location is clear. The strings belonging to non-unique sets can also be divided into two parts. One part can determine the fault location uniquely and the other part cannot. For the strings that cannot determine the fault location uniquely, we adopt the keystream extension strategy and the high probability priority strategy to increase the possibility of determining the fault location. The detailed process is as follows:

- Separate the strings belonging to non-unique sets into 99 categories denoted by $B_t$ ($t \in [0,98]$) according to the subscript $t$ satisfying $\Delta z^i_t = 1$ ($t \in [0,98]$) and $\Delta z^i_j = 0$ ($0 \le j < t$). For example, $B_0$ contains $\Delta z^i$ whose first component $\Delta z^i_0$ can be 1. Note that $\Delta z^0 = (0, 38, 49, 58, 61, 63, 76, 87, 96, 97)$ may occur in $B_0$, $B_{38}$ and $B_{49}$, since its first 1 may occur at position 0, 38 or 49 ($\Delta z^{1}_{49} = 1$ always holds).
- For a given differential string $\Delta z$, we need to determine which category it belongs to according to the position of its first 1. Then, by comparing the other locations of 1 appearing in $\Delta z$, we can determine all possible fault locations, see Algorithm 3, where $\Delta z_j$ means the $j$th element of $\Delta z$. If the number of candidate fault locations is one, the unique fault location has been determined. Otherwise, we use the keystream bits extension strategy and the high probability priority strategy to guess the right fault location. These two strategies are introduced in [19].

Keystream extension strategy: Extending the keystream is a very effective method of increasing the proportion of strings that can determine the fault location uniquely.
The longer the keystream available to us, the higher the probability of determining the unique fault location.

High probability priority strategy: Here we assume that the initial state of the FSR is random and uniformly distributed. For a given string $\Delta z$, the different fault location candidates appear with different probabilities. Among the candidates $i$, we prefer to choose the $i$ with the higher probability, and call this the high probability priority strategy. For example, when we get $\Delta z = (\overbrace{0, \cdots, 0}^{57}, 1, \overbrace{0, \cdots, 0}^{41})$, we know that each candidate $i$ in $B_{57}$ needs to satisfy $\Delta z^i_j = 0$, where $j \in [0,98]$ and $j \neq 57$. According to the expression of $\Delta z^i$, $i$ takes 292 with the highest probability $2^{-3}$. The probabilities of all the candidates $i$ are listed in Table 3.

Algorithm 3 Fault locating

Require: a differential string $\Delta z$, $MQ_i$ and $AQ_i$, where $i \in [0,292]$
Ensure: the set $I$ of possible fault locations

    Denote by $J$ the set of $j$ satisfying $\Delta z_j = 1$, where $j \in [0, l-1]$
    Determine the category $B_*$ that $\Delta z$ belongs to, according to the position of the first 1 in $\Delta z$
    for all $\Delta z^i \in B_*$ do
        if $J \subseteq MQ_i \cup AQ_i$ and $AQ_i \subseteq J$ then
            add location $i$ to the set $I$
        end if
    end for
    return the set $I$

Table 3. Optional fault locations of $\Delta z^i = (57)$.

Fault location   $\Delta z^i$                              Probability
233              3 37 40 57 62 71 73 74 77 79 95 96        $2^{-12}$
238              3 8 42 45 57 62 67 76 78 79 82 84 96      $2^{-13}$
250              15 20 54 57 64 69 74 79 88 90 91 94 96    $2^{-13}$
253              18 23 57 60 67 72 77 82 91 93 94 97       $2^{-12}$
287              52 57 91 94                               $2^{-4}$
292              57 62 96                                  $2^{-3}$

3.1.3. Implementation and verification

In ACORN v3, there are at most $2^{293}$ initial states, and a differential string depends on both the initial state and the fault location. The whole space is beyond our computation capability. We just choose $2^{20}$ differential strings belonging to non-unique sets randomly to verify the validity of the above two strategies. We choose $2^{15}$ initial states randomly, and for each initial state, we choose $2^{5}$ non-unique fault locations randomly to obtain $2^{20}$ differential strings.
Then we calculate the probability of guessing the right fault location each time the keystream is lengthened by 10 bits. The result shows that when the length of the keystream reaches 169 bits, we can determine the right fault location with probability 1, see Table 4. When the keystream length is 99 bits, the proportion of the strings that can determine the fault location uniquely is about 86.48%. For the other 13.52% of strings, we can guess the right fault location with probability 83.01%. The total proportion of strings that can get the right fault location is 86.48% + 13.52% × 83.01% = 97.70%. When the keystream length reaches 169 bits, the total proportion is almost 100%.

Table 4. Determine the fault location ($2^{20}$ strings in non-unique sets).

| Keystream length (bits) | Uniquely determine proportion (%) | Non-uniquely determine: Proportion (%) | Non-uniquely determine: Guess probability (%) | Total proportion (%) |
|---|---|---|---|---|
| 99 | 86.48 | 13.52 | 83.01 | 97.70 |
| 109 | 91.31 | 8.69 | 86.21 | 98.80 |
| 119 | 92.38 | 7.62 | 92.82 | 99.45 |
| 129 | 93.31 | 6.69 | 98.11 | 99.87 |
| 139 | 93.84 | 6.16 | 99.07 | 99.94 |
| 149 | 94.48 | 5.52 | 99.59 | 99.98 |
| 159 | 94.66 | 5.34 | 99.80 | 99.99 |
| 169 | 94.72 | 5.28 | 99.96 | 100.00 |
| 179 | 94.73 | 5.27 | 99.98 | 100.00 |

Uniquely determine proportion (%): the proportion of strings that can determine the fault location uniquely. Non-uniquely determine: the strings that cannot determine the fault location uniquely. Proportion (%): the proportion of strings that cannot determine the fault location uniquely. Guess probability (%): the probability of guessing the right fault location. Total proportion (%): the total proportion of strings that can get the right fault location.

3.2. Recovering the Initial State

Once several faults are located, we can retrieve enough equations with respect to the initial state to recover the initial state. In this section, we first give a fundamental method to retrieve equations and then give some improvement strategies to get more linear equations. Last, we use the guess-and-determine method to obtain the initial state, and the time complexity is bounded by the number of faulty experiments.

3.2.1. Fundamental equation retrieving method

Here, we just use the first 99-bit keystream, as the first 99 bits of the differential keystream can be expressed as linear or quadratic functions with respect to the initial state. Denote by $S = (s_0, s_1, \ldots, s_{292})$ the initial state of the FSR and by $s_{293}, \ldots, s_{391}$ the 99 feedback variables. The first 58 feedback variables can be expressed as quadratic functions with respect to S. We give two algorithms to retrieve equations. In Algorithm 4, we show how to get differential equations when a fault is injected in $s_i$, where $i \in A$, $A = \{0, 12, 23, 61, 66, 107, 111, 154, 160, 193, 196, 230, 235, 244\}$. When $i \in [0, 292]$ and $i \notin A$, the main idea to retrieve differential equations is to shift and perform the inversion of the linear transformation L on $\Delta z^{i'}$, where $i' \in A$, see Algorithm 5. Note that the inversion of the linear transformation L will not turn a linear function into a non-linear function, but it increases the number of terms in the function.

Algorithm 4 Retrieve Equations (1)
Require: the set A of fault locations
Ensure: differential equations
1: proceed the encryption phase of ACORN v3 to represent the 99 feedback variables $s'_{293}, \ldots, s'_{391}$ and keystream $z_0, z_1, \ldots, z_{98}$ as functions of S
2: for $i \in A$ do
3:   $s_i \leftarrow s_i \oplus 1$
4:   proceed the encryption phase of ACORN v3 to represent the 99 feedback variables $s''_{293}, \ldots, s''_{391}$ as functions of S
5:   for j from 293 to 391 do
6:     $s_j \leftarrow s_j \oplus s'_j \oplus s''_j$
7:   end for
8:   Regard $S = (s_0, s_1, \ldots, s_{292})$ and $s_{293}, \ldots, s_{391}$ as the initial state and feedback variables, proceed the encryption phase of ACORN v3 to represent the keystream $z'_0, z'_1, \ldots, z'_{98}$ as functions of S
9:   for j from 0 to 98 do
10:     $\Delta z^i_j \leftarrow z'_j \oplus z_j$
11:     if $\Delta z^i_j \neq 0, 1$ then
12:       return $\Delta z^i_j$ is a differential equation
13:     end if
14:   end for
15: end for

Algorithm 5 Retrieve Equations (2)
Require: fault location $i \in [a, b]$, where $a-1, b+1 \in A$ and there is not any $c \in A$ satisfying $a < c < b$; the components of $\Delta z^{a-1}$
Ensure: differential equations
1: for each component $\Delta z^{a-1}_j \neq 0, 1$, where $j \in [0, 98]$ do
2:   $\Delta z^{i}_{j+a-1-i} \leftarrow \Delta z^{a-1}_j$
3:   for each variable $s_k$ in $\Delta z^{i}_{j+a-1-i}$, where $k \in [0, 292]$ do
4:     $s_k \leftarrow s_k^{a-1-i}$
5:     $s^{0}_{k+a-1-i} \leftarrow \underbrace{L^{-1}(L^{-1}(\cdots(L^{-1}(L^{-1}}_{a-1-i}(s_k^{a-1-i})))\cdots)$
6:     $s_k^{a-1-i} \leftarrow s^{0}_{k+a-1-i}$
7:     return $\Delta z^{i}_{j+a-1-i}$ is a differential equation
8:   end for
9: end for

Statistics show that, on average, we can get 6.38 linear equations and 4.23 non-linear equations with one faulty experiment.
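We count each quadratic equation of the form $x_i x_j$ as 0.5 linear equations, where $x_i$ and $x_j$ are linear functions with respect to the initial state. This is because a quadratic equation of the form $x_i x_j$ equals 1 with probability $\frac{1}{4}$. If $x_i x_j = 1$, we know that $x_i = 1$ and $x_j = 1$. Thus, it is expected to obtain 0.5 linear equation.

3.2.2. Several improvement strategies

In order to get more linear equations, two observations are given.

Observation 1. When $i \notin A$, if we stretch the length of the differential string, we can get more linear equations. The number of these functions is 0.7 on average. For example, when $s_0$ is changed, we can get

$\Delta z^0 = (\Delta z^0_0, 0^{37}, \Delta z^0_{38}, 0^{10}, 1, 0^{8}, \Delta z^0_{58}, 0^{2}, \Delta z^0_{61}, 0^{14}, \Delta z^0_{76}, 0^{10}, 1, 0^{8}, \Delta z^0_{96}, \Delta z^0_{97}, 0)$

where $0^i$, $i \in \{37, 10, 8, 2, 14\}$, denotes i consecutive 0s, and

$\Delta z^0_0 = s_{154} \oplus s_{160} \oplus s_{193} \oplus s_{235}$,

$\Delta z^0_{38} = s_{159} \oplus s_{165} \oplus s_{192} \oplus s_{194} \oplus s_{197} \oplus s_{198} \oplus s_{231} \oplus s_{273}$,

$\Delta z^0_{58} = s_{20} \oplus s_{43} \oplus s_{58} \oplus s_{73} \oplus s_{78} \oplus s_{81} \oplus s_{119} \oplus s_{173} \oplus s_{185} \oplus s_{212} \oplus s_{214} \oplus s_{217} \oplus s_{218} \oplus s_{251}$,

$\Delta z^0_{61} = s_{176} \oplus s_{188} \oplus s_{215} \oplus s_{217} \oplus s_{220} \oplus s_{221} \oplus s_{237} \oplus s_{242} \oplus s_{254} \oplus s_{296}$,

$\Delta z^0_{63} = s_{83} \oplus s_{88} \oplus s_{127} \oplus s_{129} \oplus s_{131} \oplus s_{174}$,

$\Delta z^0_{76} = s_{164} \oplus s_{170} \oplus s_{191} \oplus s_{193} \oplus s_{195} \oplus s_{196} \oplus s_{199} \oplus s_{201} \oplus s_{202} \oplus s_{203} \oplus s_{230} \oplus s_{232} \oplus s_{235} \oplus s_{236} \oplus s_{252} \oplus s_{257} \oplus s_{269} \oplus s_{311}$,

$\Delta z^0_{96} = (s_{159} \oplus s_{165} \oplus s_{198} \oplus s_{282})(s_{20} \oplus s_{35} \oplus s_{43} \oplus s_{65} \oplus s_{73} \oplus s_{75} \oplus s_{78} \oplus s_{81} \oplus s_{96} \oplus s_{110} \oplus s_{111} \oplus s_{114} \oplus s_{116} \oplus s_{119} \oplus s_{157} \oplus s_{172} \oplus s_{178} \oplus s_{184} \oplus s_{190} \oplus s_{211} \oplus s_{213} \oplus s_{215} \oplus s_{216} \oplus s_{219} \oplus s_{221} \oplus s_{222} \oplus s_{223} \oplus s_{230} \oplus s_{235} \oplus s_{250} \oplus s_{252} \oplus s_{255} \oplus s_{256} \oplus s_{289})$,

$\Delta z^0_{97} = 1 \oplus s_{71} \oplus s_{81} \oplus s_{114} \oplus s_{116} \oplus s_{117} \oplus s_{120} \oplus s_{161} \oplus s_{163} \oplus s_{165} \oplus s_{169} \oplus s_{175} \oplus s_{208}$.

$\Delta z^0_{96}$ is of the form $x_i x_j$ and can be regarded as 0.5 linear equations, where $x_i = s_{159} \oplus s_{165} \oplus s_{198} \oplus s_{282}$ and $x_j$ is the second factor of $\Delta z^0_{96}$ above. Note that $\Delta z^0_{96}$ and $\Delta z^0_{97}$ can be regarded as linear functions. $\Delta z^{3}_{99}$ and $\Delta z^{i}_{97+i}$ $(1 < i < 12)$ are also linear functions, which will not be used when only the 99-bit keystream is in consideration.

Observation 2. For all equations, we find two features of the equations.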
For one fault experiment, if the number of quadratic equations $x_i x_j$ is larger than 1, there would exist equations of the forms $x_i x_{j_1}$ and $x_i x_{j_2}$, where $x_i$, $x_{j_1}$ and $x_{j_2}$ are linear functions with respect to the initial state. Then we can retrieve more linear equations.

For one quadratic equation of the form $x_i x_j$, there may exist a linear equation of the form $x_i$ or $x_j$ which can be used to deduce more linear equations, where $x_i$ and $x_j$ are linear functions with respect to the initial state.

For example, for two experiments where faults are injected at location i=0 and i=23, we can get

In $\Delta z^{23}$, there are four quadratic equations of the form $x_i x_j$, three of which are

$\Delta z^{23}_{58} = (s_{160} \oplus s_{244})(s_{20} \oplus s_{43} \oplus s_{58} \oplus s_{73} \oplus s_{78} \oplus s_{81} \oplus s_{119} \oplus s_{173} \oplus s_{185} \oplus s_{212} \oplus s_{214} \oplus s_{217} \oplus s_{218} \oplus s_{251})$,

$\Delta z^{23}_{63} = (s_{160} \oplus s_{244})(s_{83} \oplus s_{88} \oplus s_{127} \oplus s_{129} \oplus s_{131} \oplus s_{174})$,

$\Delta z^{23}_{97} = (s_{160} \oplus s_{244})(1 \oplus s_{71} \oplus s_{81} \oplus s_{114} \oplus s_{116} \oplus s_{117} \oplus s_{120} \oplus s_{161} \oplus s_{163} \oplus s_{165} \oplus s_{169} \oplus s_{175} \oplus s_{208})$.

If at least one of them equals 1, we can get four linear equations. In $\Delta z^{0}$, the two equations

$\Delta z^{0}_{58} = s_{20} \oplus s_{43} \oplus s_{58} \oplus s_{73} \oplus s_{78} \oplus s_{81} \oplus s_{119} \oplus s_{173} \oplus s_{185} \oplus s_{212} \oplus s_{214} \oplus s_{217} \oplus s_{218} \oplus s_{251}$

and

$\Delta z^{0}_{63} = s_{83} \oplus s_{88} \oplus s_{127} \oplus s_{129} \oplus s_{131} \oplus s_{174}$

are parts of $\Delta z^{23}_{58}$ and $\Delta z^{23}_{63}$, respectively.

3.2.3. Solving equation

As discussed above, on average, we can get about 7.03 linear equations and about 4.23 non-linear equations with one faulty experiment. With 27 fault experiments, we can get 304 equations including 190 linear equations. We need to pick out another 103 (= 293 − 190) linear equations from 114 (= 304 − 190) non-linear equations. For 103 non-linear equations, we can get 51 linear equations by guessing 52 bits. By guessing 52 bits, we can get 241 linear equations with 241 unknown variables, which means that the initial state can be recovered. The time complexity of recovering the initial state is $c \cdot 2^{52}$, where c is the time complexity of solving linear equations of 241 variables. Also, we can get 295 linear equations with 42 fault experiments, and the time complexity is that of solving linear equations of 293 variables.

Let n be the number of faulty experiments.
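The guess-and-determine step of Section 3.2.3, shown on a constructed 31-bit system of linear equations and products of linear forms; this is an added example, not the authors' code and not an ACORN model. The random linear forms, the sizes (20 linear and 18 product equations), the seed and the SHA-256 `observe` function standing in for a keystream comparison are all assumptions.

```python
import hashlib
import random

N = 31  # toy state size in bits (constructed; matches the size of the shrunk cipher)


def parity(x):
    return bin(x).count("1") & 1


def observe(state):
    """Stand-in for regenerating keystream from a candidate state (assumption)."""
    return hashlib.sha256(state.to_bytes(4, "little")).digest()[:8]


class LinearSystem:
    """Echelon form over GF(2): pivot bit -> (mask, rhs), parity(mask & x) == rhs."""

    def __init__(self, rows=None):
        self.rows = dict(rows or {})

    def add(self, mask, rhs):
        """Insert one equation; return False when it contradicts the system."""
        while mask:
            pivot = mask.bit_length() - 1
            if pivot not in self.rows:
                self.rows[pivot] = (mask, rhs)
                return True
            pmask, prhs = self.rows[pivot]
            mask, rhs = mask ^ pmask, rhs ^ prhs
        return rhs == 0

    def solutions(self):
        """Enumerate the affine solution space (a single state at full rank)."""
        free = [b for b in range(N) if b not in self.rows]
        for choice in range(1 << len(free)):
            x = sum(1 << b for k, b in enumerate(free) if (choice >> k) & 1)
            for pivot in sorted(self.rows):  # back-substitute, low pivots first
                mask, rhs = self.rows[pivot]
                if parity(mask & x) ^ rhs:
                    x |= 1 << pivot
            yield x


def guess_and_determine(linear, products):
    """Return (sorted states satisfying every equation, consistent leaves)."""
    base = LinearSystem()
    if not all(base.add(m, r) for m, r in linear):
        return [], 0
    found, leaves = [], 0

    def dfs(system, k):
        nonlocal leaves
        if k == len(products):
            leaves += 1
            found.extend(system.solutions())
            return
        a, b, bit = products[k]
        if bit:   # x_a * x_b = 1 forces x_a = x_b = 1: two equations, no guess
            options = [((a, 1), (b, 1))]
        else:     # x_a * x_b = 0: guess x_a; x_a = 1 then forces x_b = 0
            options = [((a, 0),), ((a, 1), (b, 0))]
        for option in options:
            child = LinearSystem(system.rows)
            if all(child.add(m, r) for m, r in option):
                dfs(child, k + 1)   # contradictory guesses are pruned here

    dfs(base, 0)
    return sorted(found), leaves


def build_instance(seed=7, n_linear=20, n_products=18):
    """Constructed sample: random secret, random linear forms and products."""
    rng = random.Random(seed)
    secret = rng.getrandbits(N)
    linear = []
    for _ in range(n_linear):
        m = rng.getrandbits(N)
        linear.append((m, parity(m & secret)))
    products = []
    for _ in range(n_products):
        a, b = rng.getrandbits(N), rng.getrandbits(N)
        products.append((a, b, parity(a & secret) & parity(b & secret)))
    return secret, linear, products, observe(secret)


def recover(linear, products, observed):
    """Solve, then keep only candidates that reproduce the observed output."""
    candidates, leaves = guess_and_determine(linear, products)
    return [s for s in candidates if observe(s) == observed], candidates, leaves


if __name__ == "__main__":
    secret, linear, products, observed = build_instance()
    states, candidates, leaves = recover(linear, products, observed)
    print(f"consistent leaves: {leaves}, candidates: {len(candidates)}")
    print("recovered" if states == [secret] else "not recovered")
```

Each product equal to 1 contributes two linear equations for free, while each product equal to 0 costs one guessed bit; guesses that contradict the linear part are discarded by the elimination step.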
We can get about 11.26n equations including about 7.03n linear equations. We use the guess-and-determine method to solve the equations. The time complexity of obtaining the initial state is approximately $c \cdot 2^{\frac{293 - 7.03n}{2}} \approx c \cdot 2^{146.5 - 3.52n}$, where $26 < n < 43$ and c is the time complexity of solving linear equations. With the method of [20], c depends on the number m of variables, $c < m^{2.3727}$. In a practical attack, the number of variables is less than 293, which means that c is small. As there are some relations between the equations in a practical attack, as shown in Observation 2, the time complexity can be smaller.

3.2.4. Implementation and verification

We verify the validity of our equation solving method on a shrunk cipher with similar structure and properties. More specifically, we built a small stream cipher according to the design principles used for ACORN v3 but with a small state of 31 bits. We then implemented our attack to recover the initial state. The result shows that if the number of linearly independent equations is larger than 31, we can recover the initial state by guessing some feedback values and a small part of the initial state values involved in these feedback functions. Of course, if the linearly independent equations are not enough, we need to carry out more faulty experiments.

3.3. The Forgery Attack

Once the initial state of ACORN v3 is recovered, we can encrypt any message to generate a valid tag, i.e. we can forge tags for all plaintexts. All the methods used in this work can be easily applied to ACORN v1 and v2, and for ACORN v1, we can recover the key by stepping the cipher backward.

4. THE FAULT ATTACK ON ACORN V2

We also apply the above attack to ACORN v2. In the fault locating part, we find that there are 127 unique sets in ACORN v2, which is larger than that of ACORN v3.
And for strings belonging to non-unique sets, we can also determine the fault location uniquely with the keystream extension strategy and the high probability priority strategy. In the initial state recovery part, we can get 3.9 linear equations and 3.3 non-linear equations, on average, with one faulty experiment. And in ACORN v2, Observation 1 is not useful to retrieve more linear equations. Let n be the number of faulty experiments. We can get 7.2n equations with 3.9n linear equations. The time complexity of obtaining the initial state equals $c \cdot 2^{\frac{293 - 3.9n}{2}} = c \cdot 2^{146.5 - 1.95n}$, where c is the time complexity of solving linear equations and $40 < n < 77$.

The changes from ACORN v2 to ACORN v3 have reduced the security margin of this algorithm against the differential fault attack, see Table 5. The main reason is the tweak that moves a part of the terms in the feedback function to the output filtering functions. For one experiment, the number of linear equations retrieved from ACORN v3 is larger than that from ACORN v2. The tweak is intended to provide a large security margin against the guess-and-determine attack. However, it makes the algorithm more vulnerable against the fault attack.

Table 5. Comparison of ACORN v3 and v2.

| Fault experiments' number | Time complexity, ACORN v3 | Time complexity, ACORN v2 |
|---|---|---|
| n | $c \cdot 2^{146.5 - 3.52n}$ | $c \cdot 2^{146.5 - 1.95n}$ |
| 42 | $c$ | $c \cdot 2^{64.6}$ |
| 27 | $c \cdot 2^{51.46}$ | Impossible |

5. CONCLUSIONS

In this paper, we described a fault attack on ACORN v3, which is one of the third round candidates of CAESAR. We also applied the attack to ACORN v2.
This work shows that, compared with ACORN v2, the tweaked version ACORN v3 is more vulnerable against fault attack. For ACORN v3, we can recover the initial state with time complexity $c \cdot 2^{146.5 - 3.52n}$, where c is the time complexity of solving linear equations and $26 < n < 43$. However, for ACORN v2, the time complexity is $c \cdot 2^{146.5 - 1.95n}$ with $40 < n < 77$. The difference between ACORN v3 and ACORN v2 leaves the algorithm with a small security margin against the differential fault attack.

FUNDING

The works of Zhang X. and Lin D. were supported by the National Natural Science Foundation of China (No. 61379139) and the 'Strategic Priority Research Program' of the Chinese Academy of Sciences [XDA06010701]. The work of Feng X. was supported by the National Natural Science Foundation of China (Nos. 61572491 and 11688101) and Science and Technology on Communication Security Laboratory (No. 6142103010701).

ACKNOWLEDGEMENTS

The authors would like to thank the anonymous reviewers for their comments and suggestions which significantly improve the quality and presentation of this paper.

REFERENCES

1 CAESAR: http://competitions.cr.yp.to/index.html.
2 Wu, H. (2014) ACORN: A Lightweight Authenticated Cipher (v3). http://competitions.cr.yp.to/round3/acornv3.pdf.
3 Wu, H. (2015) ACORN: A Lightweight Authenticated Cipher (v2). http://competitions.cr.yp.to/round2/acornv2.pdf.
4 Wu, H. (2016) ACORN: A Lightweight Authenticated Cipher (v1). http://competitions.cr.yp.to/round1/acornv1.pdf.
5 Liu, M. and Lin, D. (2014) Cryptanalysis of Lightweight Authenticated Cipher ACORN. Posted on the Crypto-Competition Mailing List.
6 Chaigneau, C., Fuhr, T. and Gilbert, H. (2015) Full Key-Recovery on ACORN in Nonce-Reuse and Decryption-Misuse Settings. Posted on the Crypto-Competition Mailing List.
7 Salam, M.I., Bartlett, H., Dawson, E., Pieprzyk, J., Simpson, L. and Wong, K.K. (2016) Investigating Cube Attacks on the Authenticated Encryption Stream Cipher ACORN. Proc. ATIS 16, Cairns, Australia, October 26–28, pp. 15–26. Springer Nature, Singapore.
8 Salam, M.I., Wong, K.K., Bartlett, H., Simpson, L., Dawson, E. and Pieprzyk, J. (2016) Finding State Collisions in the Authenticated Encryption Stream Cipher ACORN. Proc. ACSW 16, Canberra, Australia, February 2–5, pp. 36. ACM, New York.
9 Lafitte, F., Lerman, L., Markowitch, O. and Van Heule, D. (2016) SAT-Based Cryptanalysis of ACORN. IACR Cryptology ePrint Archive, 2016, 521.
10 Josh, R.J. and Sarkar, S. (2015) Some Observations on ACORN v1 and Trivia-SC. Proc. Lightweight Cryptography Workshop 15, NIST Gaithersburg, July 20–21, pp. 20–21. No formal publication.
11 Zhang, P., Guan, J., Li, J. and Shi, T. (2015) Research on State Collisions of Authenticated Cipher ACORN. Proc. ICSMIM 15, Shenzhen, China, December 27–28, pp. 459–465. Atlantis Press, Amsterdam.
12 Roy, D. and Mukhopadhyay, S. (2016) Some Results on ACORN. IACR Cryptology ePrint Archive, 2016, 1132.
13 Google Groups: https://groups.google.com/forum/#!forum/crypto-competitions/dzzNcybqFP4.
14 Biham, E. and Shamir, A. (1997) Differential Fault Analysis of Secret Key Cryptosystems. Proc. CRYPTO 97, Santa Barbara, USA, August 17–21, pp. 513–525. Springer-Verlag, Berlin.
15 Hoch, J.J. and Shamir, A. (2004) Fault Analysis of Stream Ciphers. Proc. CHES 04, Cambridge, USA, August 11–13, pp. 240–253. Springer-Verlag, Berlin.
16 Skorobogatov, S.P. (2006) Optically Enhanced Position-Locked Power Analysis. Proc. CHES 06, Yokohama, Japan, October 10–13, pp. 61–75. Springer-Verlag, Berlin.
17 Skorobogatov, S.P. and Anderson, R.J. (2002) Optical Fault Induction Attacks. Proc. CHES 2002, Redwood Shores, USA, August 13–15, pp. 2–12. Springer-Verlag, Berlin.
18 Dey, P., Rohit, R.S. and Adhikari, A. (2016) Full key recovery of ACORN with a single fault. J. Inf. Secur. Appl., 29, 57–64.
19 Zhang, X., Feng, X. and Lin, D.
(2017) Fault Attack on the Authenticated Cipher ACORN v2. Security and Communication Networks, 2017, https://doi.org/10.1155/2017/3834685.
20 Williams, V.V. (2012) Multiplying Matrices Faster than Coppersmith–Winograd. Proc. STOC 2012, New York, USA, May 20–22, pp. 887–898. ACM, New York.

APPENDIX A

Due to the limitation of pages, we just list the differential sets $\Delta z^i$, where $i \in [0, 168]$, in Table A1. The first column is the fault location, and the second column is the differential set. For each differential set $\Delta z^i$, the numbers in the second column represent the positions where 1 may occur when the fault location is i, that is, the fault is injected in $s_i$. And the numbers in bold represent the positions where 1 is always occurring. The numbers in the first column are the locations where faults are injected, and the numbers in bold represent that the corresponding differential sets are unique sets.

Table A1. $\Delta z^i$, $i \in [0, 168]$.

| i | $\Delta z^i$ |
|---|---|
| 0 | 0 38 49 58 61 63 76 87 96 97 |
| 1 | 1 39 50 59 62 64 77 88 97 98 |
| 2 | 2 40 51 60 63 65 78 89 98 |
| 3 | 3 41 52 61 64 66 79 90 |
| 4 | 4 42 53 62 65 67 80 91 |
| 5 | 5 43 54 63 66 68 81 92 |
| 6 | 6 44 55 64 67 69 82 93 |
| 7 | 7 45 56 65 68 70 83 94 |
| 8 | 8 46 57 66 69 71 84 95 |
| 9 | 9 47 58 67 70 72 85 96 |
| 10 | 10 48 59 68 71 73 86 97 |
| 11 | 11 49 60 69 72 74 87 98 |
| 12 | 0 12 50 61 70 73 75 88 |
| 13 | 1 13 51 62 71 74 76 89 |
| 14 | 2 14 52 63 72 75 77 90 |
| 15 | 3 15 53 64 73 76 78 91 |
| 16 | 4 16 54 65 74 77 79 92 |
| 17 | 5 17 55 66 75 78 80 93 |
| 18 | 6 18 56 67 76 79 81 94 |
| 19 | 7 19 57 68 77 80 82 95 |
| 20 | 8 20 58 69 78 81 83 96 |
| 21 | 9 21 59 70 79 82 84 97 |
| 22 | 10 22 60 71 80 83 85 98 |
| 23 | 0 11 23 38 49 58 63 72 76 81 84 86 87 96 97 |
| 24 | 1 12 24 39 50 59 64 73 77 82 85 87 88 97 98 |
| 25 | 2 13 25 40 51 60 65 74 78 83 86 88 89 98 |
| 26 | 3 14 26 41 52 61 66 75 79 84 87 89 90 |
| 27 | 4 15 27 42 53 62 67 76 80 85 88 90 91 |
| 28 | 5 16 28 43 54 63 68 77 81 86 89 91 92 |
| 29 | 6 17 29 44 55 64 69 78 82 87 90 92 93 |
| 30 | 7 18 30 45 56 65 70 79 83 88 91 93 94 |
| 31 | 8 19 31 46 57 66 71 80 84 89 92 94 95 |
| 32 | 9 20 32 47 58 67 72 81 85 90 93 95 96 |
| 33 | 10 21 33 48 59 68 73 82 86 91 94 96 97 |
| 34 | 11 22 34 49 60 69 74 83 87 92 95 97 98 |
| 35 | 12 23 35 50 61 70 75 84 88 93 96 98 |
| 36 | 13 24 36 51 62 71 76 85 89 94 97 |
| 37 | 14 25 37 52 63 72 77 86 90 95 98 |
| 38 | 15 26 38 53 64 73 78 87 91 96 |
| 39 | 16 27 39 54 65 74 79 88 92 97 |
| 40 | 17 28 40 55 66 75 80 89 93 98 |
| 41 | 18 29 41 56 67 76 81 90 94 |
| 42 | 19 30 42 57 68 77 82 91 95 |
| 43 | 20 31 43 58 69 78 83 92 96 |
| 44 | 21 32 44 59 70 79 84 93 97 |
| 45 | 22 33 45 60 71 80 85 94 98 |
| 46 | 23 34 46 61 72 81 86 95 |
| 47 | 24 35 47 62 73 82 87 96 |
| 48 | 25 36 48 63 74 83 88 97 |
| 49 | 26 37 49 64 75 84 89 98 |
| 50 | 27 38 50 65 76 85 90 |
| 51 | 28 39 51 66 77 86 91 |
| 52 | 29 40 52 67 78 87 92 |
| 53 | 30 41 53 68 79 88 93 |
| 54 | 31 42 54 69 80 89 94 |
| 55 | 32 43 55 70 81 90 95 |
| 56 | 33 44 56 71 82 91 96 |
| 57 | 34 45 57 72 83 92 97 |
| 58 | 35 46 58 73 84 93 98 |
| 59 | 36 47 59 74 85 94 |
| 60 | 37 48 60 75 86 95 |
| 61 | 0 38 41 46 49 58 61 63 76 82 84 87 92 95 96 97 |
| 62 | 1 39 42 47 50 59 62 64 77 83 85 88 93 96 97 98 |
| 63 | 2 40 43 48 51 60 63 65 78 84 86 89 94 97 98 |
| 64 | 3 41 44 49 52 61 64 66 79 85 87 90 95 98 |
| 65 | 4 42 45 50 53 62 65 67 80 86 88 91 96 |
| 66 | 0 5 41 43 46 51 54 58 63 66 68 81 82 84 87 89 92 95 97 |
| 67 | 1 6 42 44 47 52 55 59 64 67 69 82 83 85 88 90 93 96 98 |
| 68 | 2 7 43 45 48 53 56 60 65 68 70 83 84 86 89 91 94 97 |
| 69 | 3 8 44 46 49 54 57 61 66 69 71 84 85 87 90 92 95 98 |
| 70 | 4 9 45 47 50 55 58 62 67 70 72 85 86 88 91 93 96 |
| 71 | 5 10 46 48 51 56 59 63 68 71 73 86 87 89 92 94 97 |
| 72 | 6 11 47 49 52 57 60 64 69 72 74 87 88 90 93 95 98 |
| 73 | 7 12 48 50 53 58 61 65 70 73 75 88 89 91 94 96 |
| 74 | 8 13 49 51 54 59 62 66 71 74 76 89 90 92 95 97 |
| 75 | 9 14 50 52 55 60 63 67 72 75 77 90 91 93 96 98 |
| 76 | 10 15 51 53 56 61 64 68 73 76 78 91 92 94 97 |
| 77 | 11 16 52 54 57 62 65 69 74 77 79 92 93 95 98 |
| 78 | 12 17 53 55 58 63 66 70 75 78 80 93 94 96 |
| 79 | 13 18 54 56 59 64 67 71 76 79 81 94 95 97 |
| 80 | 14 19 55 57 60 65 68 72 77 80 82 95 96 98 |
| 81 | 15 20 56 58 61 66 69 73 78 81 83 96 97 |
| 82 | 16 21 57 59 62 67 70 74 79 82 84 97 98 |
| 83 | 17 22 58 60 63 68 71 75 80 83 85 98 |
| 84 | 18 23 59 61 64 69 72 76 81 84 86 |
| 85 | 19 24 60 62 65 70 73 77 82 85 87 |
| 86 | 20 25 61 63 66 71 74 78 83 86 88 |
| 87 | 21 26 62 64 67 72 75 79 84 87 89 |
| 88 | 22 27 63 65 68 73 76 80 85 88 90 |
| 89 | 23 28 64 66 69 74 77 81 86 89 91 |
| 90 | 24 29 65 67 70 75 78 82 87 90 92 |
| 91 | 25 30 66 68 71 76 79 83 88 91 93 |
| 92 | 26 31 67 69 72 77 80 84 89 92 94 |
| 93 | 27 32 68 70 73 78 81 85 90 93 95 |
| 94 | 28 33 69 71 74 79 82 86 91 94 96 |
| 95 | 29 34 70 72 75 80 83 87 92 95 97 |
| 96 | 30 35 71 73 76 81 84 88 93 96 98 |
| 97 | 31 36 72 74 77 82 85 89 94 97 |
| 98 | 32 37 73 75 78 83 86 90 95 98 |
| 99 | 33 38 74 76 79 84 87 91 96 |
| 100 | 34 39 75 77 80 85 88 92 97 |
| 101 | 35 40 76 78 81 86 89 93 98 |
| 102 | 36 41 77 79 82 87 90 94 |
| 103 | 37 42 78 80 83 88 91 95 |
| 104 | 38 43 79 81 84 89 92 96 |
| 105 | 39 44 80 82 85 90 93 97 |
| 106 | 40 45 81 83 86 91 94 98 |
| 107 | 0 41 43 46 47 58 63 82 84 86 87 88 90 92 93 94 95 97 |
| 108 | 1 42 44 47 48 59 64 83 85 87 88 89 91 93 94 95 96 98 |
| 109 | 2 43 45 48 49 60 65 84 86 88 89 90 92 94 95 96 97 |
| 110 | 3 44 46 49 50 61 66 85 87 89 90 91 93 95 96 97 98 |
| 111 | 0 4 43 45 47 50 51 62 67 88 90 91 92 93 94 96 97 98 |
| 112 | 1 5 44 46 48 51 52 63 68 89 91 92 93 94 95 97 98 |
| 113 | 2 6 45 47 49 52 53 64 69 90 92 93 94 95 96 98 |
| 114 | 3 7 46 48 50 53 54 65 70 91 93 94 95 96 97 |
| 115 | 4 8 47 49 51 54 55 66 71 92 94 95 96 97 98 |
| 116 | 5 9 48 50 52 55 56 67 72 93 95 96 97 98 |
| 117 | 6 10 49 51 53 56 57 68 73 94 96 97 98 |
| 118 | 7 11 50 52 54 57 58 69 74 95 97 98 |
| 119 | 8 12 51 53 55 58 59 70 75 96 98 |
| 120 | 9 13 52 54 56 59 60 71 76 97 |
| 121 | 10 14 53 55 57 60 61 72 77 98 |
| 122 | 11 15 54 56 58 61 62 73 78 |
| 123 | 12 16 55 57 59 62 63 74 79 |
| 124 | 13 17 56 58 60 63 64 75 80 |
| 125 | 14 18 57 59 61 64 65 76 81 |
| 126 | 15 19 58 60 62 65 66 77 82 |
| 127 | 16 20 59 61 63 66 67 78 83 |
| 128 | 17 21 60 62 64 67 68 79 84 |
| 129 | 18 22 61 63 65 68 69 80 85 |
| 130 | 19 23 62 64 66 69 70 81 86 |
| 131 | 20 24 63 65 67 70 71 82 87 |
| 132 | 21 25 64 66 68 71 72 83 88 |
| 133 | 22 26 65 67 69 72 73 84 89 |
| 134 | 23 27 66 68 70 73 74 85 90 |
| 135 | 24 28 67 69 71 74 75 86 91 |
| 136 | 25 29 68 70 72 75 76 87 92 |
| 137 | 26 30 69 71 73 76 77 88 93 |
| 138 | 27 31 70 72 74 77 78 89 94 |
| 139 | 28 32 71 73 75 78 79 90 95 |
| 140 | 29 33 72 74 76 79 80 91 96 |
| 141 | 30 34 73 75 77 80 81 92 97 |
| 142 | 31 35 74 76 78 81 82 93 98 |
| 143 | 32 36 75 77 79 82 83 94 |
| 144 | 33 37 76 78 80 83 84 95 |
| 145 | 34 38 77 79 81 84 85 96 |
| 146 | 35 39 78 80 82 85 86 97 |
| 147 | 36 40 79 81 83 86 87 98 |
| 148 | 37 41 80 82 84 87 88 |
| 149 | 38 42 81 83 85 88 89 |
| 150 | 39 43 82 84 86 89 90 |
| 151 | 40 44 83 85 87 90 91 |
| 152 | 41 45 84 86 88 91 92 |
| 153 | 42 46 85 87 89 92 93 |
| 154 | 0 33 39 43 47 66 72 78 82 86 88 90 91 93 94 96 |
| 155 | 1 34 40 44 48 67 73 79 83 87 89 91 92 94 95 97 |
| 156 | 2 35 41 45 49 68 74 80 84 88 90 92 93 95 96 98 |
| 157 | 3 36 42 46 50 69 75 81 85 89 91 93 94 96 97 |
| 158 | 4 37 43 47 51 70 76 82 86 90 92 94 95 97 98 |
| 159 | 5 38 44 48 52 71 77 83 87 91 93 95 96 98 |
| 160 | 0 6 33 39 45 49 53 58 63 66 72 78 82 84 86 88 91 92 94 96 97 |
| 161 | 1 7 34 40 46 50 54 59 64 67 73 79 83 85 87 89 92 93 95 97 98 |
| 162 | 2 8 35 41 47 51 55 60 65 68 74 80 84 86 88 90 93 94 96 98 |
| 163 | 3 9 36 42 48 52 56 61 66 69 75 81 85 87 89 91 94 95 97 |
| 164 | 4 10 37 43 49 53 57 62 67 70 76 82 86 88 90 92 95 96 98 |
| 165 | 5 11 38 44 50 54 58 63 68 71 77 83 87 89 91 93 96 97 |
| 166 | 6 12 39 45 51 55 59 64 69 72 78 84 88 90 92 94 97 98 |
| 167 | 7 13 40 46 52 56 60 65 70 73 79 85 89 91 93 95 98 |
| 168 | 8 14 41 47 53 57 61 66 71 74 80 86 90 92 94 96 |
41 44 49 52 61 64 66 79 85 87 90 95 98 65 4 42 45 50 53 62 65 67 80 86 88 91 96 66 0 5 41 43 46 51 54 58 63 66 68 81 82 84 87 89 92 95 97 67 1 6 42 44 47 52 55 59 64 67 69 82 83 85 88 90 93 96 98 68 2 7 43 45 48 53 56 60 65 68 70 83 84 86 89 91 94 97 69 3 8 44 46 49 54 57 61 66 69 71 84 85 87 90 92 95 98 70 4 9 45 47 50 55 58 62 67 70 72 85 86 88 91 93 96 71 5 10 46 48 51 56 59 63 68 71 73 86 87 89 92 94 97 72 6 11 47 49 52 57 60 64 69 72 74 87 88 90 93 95 98 73 7 12 48 50 53 58 61 65 70 73 75 88 89 91 94 96 74 8 13 49 51 54 59 62 66 71 74 76 89 90 92 95 97 75 9 14 50 52 55 60 63 67 72 75 77 90 91 93 96 98 76 10 15 51 53 56 61 64 68 73 76 78 91 92 94 97 77 11 16 52 54 57 62 65 69 74 77 79 92 93 95 98 78 12 17 53 55 58 63 66 70 75 78 80 93 94 96 79 13 18 54 56 59 64 67 71 76 79 81 94 95 97 80 14 19 55 57 60 65 68 72 77 80 82 95 96 98 81 15 20 56 58 61 66 69 73 78 81 83 96 97 82 16 21 57 59 62 67 70 74 79 82 84 97 98 83 17 22 58 60 63 68 71 75 80 83 85 98 84 18 23 59 61 64 69 72 76 81 84 86 85 19 24 60 62 65 70 73 77 82 85 87 86 20 25 61 63 66 71 74 78 83 86 88 87 21 26 62 64 67 72 75 79 84 87 89 88 22 27 63 65 68 73 76 80 85 88 90 89 23 28 64 66 69 74 77 81 86 89 91 90 24 29 65 67 70 75 78 82 87 90 92 91 25 30 66 68 71 76 79 83 88 91 93 92 26 31 67 69 72 77 80 84 89 92 94 93 27 32 68 70 73 78 81 85 90 93 95 94 28 33 69 71 74 79 82 86 91 94 96 95 29 34 70 72 75 80 83 87 92 95 97 96 30 35 71 73 76 81 84 88 93 96 98 97 31 36 72 74 77 82 85 89 94 97 98 32 37 73 75 78 83 86 90 95 98 99 33 38 74 76 79 84 87 91 96 100 34 39 75 77 80 85 88 92 97 101 35 40 76 78 81 86 89 93 98 102 36 41 77 79 82 87 90 94 103 37 42 78 80 83 88 91 95 104 38 43 79 81 84 89 92 96 105 39 44 80 82 85 90 93 97 106 40 45 81 83 86 91 94 98 107 0 41 43 46 47 58 63 82 84 86 87 88 90 92 93 94 95 97 108 1 42 44 47 48 59 64 83 85 87 88 89 91 93 94 95 96 98 109 2 43 45 48 49 60 65 84 86 88 89 90 92 94 95 96 97 110 3 44 46 49 50 61 66 85 87 89 90 91 93 95 96 97 98 111 0 4 43 45 47 50 51 62 67 88 90 91 92 93 
94 96 97 98 112 1 5 44 46 48 51 52 63 68 89 91 92 93 94 95 97 98 113 2 6 45 47 49 52 53 64 69 90 92 93 94 95 96 98 114 3 7 46 48 50 53 54 65 70 91 93 94 95 96 97 115 4 8 47 49 51 54 55 66 71 92 94 95 96 97 98 116 5 9 48 50 52 55 56 67 72 93 95 96 97 98 117 6 10 49 51 53 56 57 68 73 94 96 97 98 118 7 11 50 52 54 57 58 69 74 95 97 98 119 8 12 51 53 55 58 59 70 75 96 98 120 9 13 52 54 56 59 60 71 76 97 121 10 14 53 55 57 60 61 72 77 98 122 11 15 54 56 58 61 62 73 78 123 12 16 55 57 59 62 63 74 79 124 13 17 56 58 60 63 64 75 80 125 14 18 57 59 61 64 65 76 81 126 15 19 58 60 62 65 66 77 82 127 16 20 59 61 63 66 67 78 83 128 17 21 60 62 64 67 68 79 84 129 18 22 61 63 65 68 69 80 85 130 19 23 62 64 66 69 70 81 86 131 20 24 63 65 67 70 71 82 87 132 21 25 64 66 68 71 72 83 88 133 22 26 65 67 69 72 73 84 89 134 23 27 66 68 70 73 74 85 90 135 24 28 67 69 71 74 75 86 91 136 25 29 68 70 72 75 76 87 92 137 26 30 69 71 73 76 77 88 93 138 27 31 70 72 74 77 78 89 94 139 28 32 71 73 75 78 79 90 95 140 29 33 72 74 76 79 80 91 96 141 30 34 73 75 77 80 81 92 97 142 31 35 74 76 78 81 82 93 98 143 32 36 75 77 79 82 83 94 144 33 37 76 78 80 83 84 95 145 34 38 77 79 81 84 85 96 146 35 39 78 80 82 85 86 97 147 36 40 79 81 83 86 87 98 148 37 41 80 82 84 87 88 149 38 42 81 83 85 88 89 150 39 43 82 84 86 89 90 151 40 44 83 85 87 90 91 152 41 45 84 86 88 91 92 153 42 46 85 87 89 92 93 154 0 33 39 43 47 66 72 78 82 86 88 90 91 93 94 96 155 1 34 40 44 48 67 73 79 83 87 89 91 92 94 95 97 156 2 35 41 45 49 68 74 80 84 88 90 92 93 95 96 98 157 3 36 42 46 50 69 75 81 85 89 91 93 94 96 97 158 4 37 43 47 51 70 76 82 86 90 92 94 95 97 98 159 5 38 44 48 52 71 77 83 87 91 93 95 96 98 160 0 6 33 39 45 49 53 58 63 66 72 78 82 84 86 88 91 92 94 96 97 161 1 7 34 40 46 50 54 59 64 67 73 79 83 85 87 89 92 93 95 97 98 162 2 8 35 41 47 51 55 60 65 68 74 80 84 86 88 90 93 94 96 98 163 3 9 36 42 48 52 56 61 66 69 75 81 85 87 89 91 94 95 97 164 4 10 37 43 49 53 57 62 67 70 76 82 86 88 90 92 95 96 98 165 5 11 38 44 
50 54 58 63 68 71 77 83 87 89 91 93 96 97 166 6 12 39 45 51 55 59 64 69 72 78 84 88 90 92 94 97 98 167 7 13 40 46 52 56 60 65 70 73 79 85 89 91 93 95 98 168 8 14 41 47 53 57 61 66 71 74 80 86 90 92 94 96

For example, when $i=12$, the components of $\Delta z^{12}$ are the positions where 1 may occur when a fault is injected in $s_{12}$, where $\Delta z^{12}=(0,12,50,61,70,73,75,88)$. The numbers 0 and 61 represent the positions where 1 always occurs. The other numbers represent the positions where 1 may occur with some specified probability. The 12 in the first column means that the differential set $\Delta z^{12}$ is a unique set.

Author notes

Handling editor: Keith Martin

© The British Computer Society 2018. All rights reserved. For permissions, please email: journals.permissions@oup.com

This article is published and distributed under the terms of the Oxford University Press, Standard Journals Publication Model (https://academic.oup.com/journals/pages/about_us/legal/notices)

Fault Attack on ACORN v3

The Computer Journal, Volume 61 (8) – Aug 1, 2018

Publisher
Oxford University Press
ISSN
0010-4620
eISSN
1460-2067
D.O.I.
10.1093/comjnl/bxy044

Due to the work of Biham et al., fault attack becomes a powerful tool to retrieve the secret key of many cryptographic primitives [14].
The first fault attack on a stream cipher was introduced by Hoch and Shamir [15]. Skorobogatov et al. showed that a typical fault attack allows an attacker to inject faults by means of laser shots or clock glitches into a device initialized with a secret key and change one or more bits of its internal state [16, 17]. Then, by analyzing the difference between the faulty device and the correct device, the attacker can deduce some information about the internal state or the secret key. Under the assumption that a hard fault is injected at a certain position, Dey et al. proposed a hard fault attack on ACORN v1 and v2 in a nonce-respecting scenario [18]. Zhang et al. gave a fault attack on the authenticated cipher ACORN v2 under a general fault model of random fault injection [19]. However, there are no results on differential fault attacks on ACORN v3.

In this work, we give some results on differential fault attacks on ACORN v3 under a general fault model of random fault injection into an initial state. Our attack contains two main steps: fault locating and equation solving. At the fault locating step, we show that when a fault is injected into an initial state randomly, we can get a differential string between the error and correct keystream bits. With the differential string, we aim at identifying the fault location. First, for each fault location, we give a method to obtain the differential set, which contains all possible differential strings. We then sort the sets into two kinds: unique sets and non-unique sets. We say that a differential set is a unique set if every string belonging to it determines the fault location uniquely. Otherwise, we call it a non-unique set. If the differential string belongs to non-unique sets, we use some strategies, including the keystream bits extension strategy and the high probability priority strategy, to increase the probability of determining the fault location uniquely.
We show that when a 163-bit keystream is available, the probability can reach 99.998%. At the second step, we first give two algorithms to retrieve equations. Our main idea is based on the observation that the first 99 bits of the differential keystream of ACORN v3 can be expressed as linear or quadratic functions of the initial state, which helps us to recover the initial state. We also give several methods to retrieve more linear equations. Then we use the guess-and-determine method to obtain the initial state. With $n$ fault experiments, we can recover the initial state with time complexity $c\cdot 2^{146.5-3.52\cdot n}$, where $c$ is the time complexity of solving linear equations and $26<n<43$. We also apply the differential fault attack to ACORN v2. The initial state of ACORN v2 can be recovered with time complexity $c\cdot 2^{146.5-1.95\cdot n}$, where $40<n<77$. The results show that the changes from ACORN v2 to ACORN v3 have reduced the security margin of this algorithm against the differential fault attack.

The fault attack on ACORN v3 is based on [19]. However, we give some improvements as follows.

ACORN v3 and v2 differ in the feedback function and the filter function, which are the most important factors affecting the fault attack. Compared to ACORN v2, the feedback function used in ACORN v3 is more complex, which means that the confusion property of the algorithm is improved. But the filter function is simpler, which intuitively makes the keystream less random. There should be a tradeoff between these two functions. This new paper, together with the previous publication, can provide some insights for designing such stream ciphers.

The process of the fault attack in this article is the same as that of the previous publication, containing two main steps: fault locating and equation solving. But we give some new and efficient techniques to achieve our goals. At the first step, fault locating, we provide a new method to compute the differential strings (or differential sets).
It is simpler than the previous method. We also introduce the concepts of unique set and non-unique set to increase the possibility of determining the fault location. At the second step, equation solving, we give two algorithms to retrieve differential equations. According to the structure of ACORN v3, we observe two properties which can provide more linear equations.

We also apply our new method to ACORN v2. The time complexity is lower than that of the previous result, see Table 1.

Table 1. Related result.

| Faults' number $n$ | Time complexity |
|---|---|
| $31\le n\le 88$ | $c\cdot 2^{179.19-1.76n}$ [19] |
| $39\le n\le 76$ | $c\cdot 2^{146.5-1.95n}$ (this paper) |

The rest of this paper is organized as follows. In Section 2, a brief description of ACORN is provided. The fault attacks on ACORN v3 and v2 are introduced in Sections 3 and 4. Finally, we conclude this paper in Section 4.

2. BRIEF DESCRIPTION OF ACORN

ACORN v3 is restated briefly in this section; for more details one can refer to [2]. We do not introduce the procedures of the initialization, the processing of the associated data and the finalization, because our attack does not involve them, and restate only the encryption procedure.

Denote by $S=(s_0,s_1,\ldots,s_{292})$ the initial state of ACORN v3 before the first keystream bit is output and by $p$ the plaintext. The functions used in the encryption procedure of ACORN v3 are the feedback function $f(S,p)$, the state update function $F(S,p)$ and the filter function $g(S)$. The feedback function $f(S,p)$ is mainly involved in the feedback computation of the FSR and is defined as

$$f(S,p)=1\oplus s_0\oplus s_{61}\oplus s_{66}\oplus s_{107}\oplus s_{196}\oplus s_{23}s_{160}\oplus s_{23}s_{244}\oplus s_{160}s_{244}\oplus p.$$
Introducing intermediate variables $y_i$ ($1\le i\le 293$),

$$\begin{aligned}
y_{293}&=f(S,p)\\
y_{289}&=s_{289}\oplus s_{235}\oplus s_{230}\\
y_{230}&=s_{230}\oplus s_{196}\oplus s_{193}\\
y_{193}&=s_{193}\oplus s_{160}\oplus s_{154}\\
y_{154}&=s_{154}\oplus s_{111}\oplus s_{107}\\
y_{107}&=s_{107}\oplus s_{66}\oplus s_{61}\\
y_{61}&=s_{61}\oplus s_{23}\oplus s_{0}\\
y_i&=s_i\quad(1\le i\le 292,\ i\notin\{61,107,154,193,230,289\}),
\end{aligned}$$

the state update function $F(S,p)$ can be described as

$$s_i=y_{i+1},\quad\text{where } 0\le i\le 292.$$

It is easy to check that the state update function $F(S,p)$ is invertible on $S$ when $p$ is given. The process of introducing intermediate variables can be regarded as a linear transformation $L$ with respect to the internal state. The keystream $z$ is generated by the filter function $g(S)$ defined as

$$g(S)=s_{12}\oplus s_{66}\oplus s_{107}\oplus s_{111}\oplus s_{154}\oplus(s_{61}\oplus s_{23}\oplus s_{0})(s_{193}\oplus s_{160}\oplus s_{154})\oplus(s_{66}\oplus s_{111})(s_{230}\oplus s_{193}\oplus s_{196})\oplus(s_{61}\oplus s_{23}\oplus s_{0}\oplus s_{193}\oplus s_{160}\oplus s_{154})s_{235}.$$

At each step $i$ of the encryption procedure, one plaintext bit $p$ is injected into the state and one ciphertext $C$ is obtained by $p\oplus z$. The pseudo-code for the encryption procedure of ACORN v3 is given as follows:

    l ← the bit length of the plaintext;
    for i from 0 to l−1 do
        z_i = g(S);
        c_i = z_i ⊕ p_i;
        S = F(S, p_i);
    end for

For ACORN v2, the only difference from ACORN v3 is that a part of the filter function, $s_{66}\oplus(s_{66}\oplus s_{111})(s_{230}\oplus s_{193}\oplus s_{196})$, is moved to the feedback function. All other details are the same as those of ACORN v3. For more details, one can refer to [3].

3. FAULT ATTACK ON ACORN V3

We first give an outline of the fault attack model before introducing our fault attack on ACORN v3. We assume that an attacker can access the physical device of a stream cipher, and know the IV and the keystream.
The attack can also be performed without observing the keystream directly if the attacker can force the same plaintext to be encrypted repeatedly, since the required differentials can then be obtained by XORing the corresponding ciphertexts. The attacker just attempts to exploit a fault and tracks the differential trail of the keystream. By analyzing the differential trail, one could deduce some information about the internal state, and then proceed to recover the key or forge a valid tag for any plaintext. In our fault attack, the following privileges of an attacker are required:

The attacker has the ability to reset the physical device with the original Key-IV and restart the cipher operations multiple times.

The attacker can inject a fault into the initial state randomly before the encryption procedure, but cannot choose the location.

The attacker can observe the keystream resulting from each trial.

Our attack contains two main parts: fault locating and equation solving. At the first step, we demonstrate how to determine the fault location, and at the second step, we retrieve a system of equations with respect to the initial state and show how to recover the initial state with this system of equations. Once the initial state is recovered, the forgery attack can be executed easily.

3.1. Fault locating

In this section, we present how to identify the fault location after a fault is injected into the initial state randomly. We first introduce a method to obtain differential sets, and then provide a fault locating method.

Denote by $S=(s_0,s_1,\ldots,s_{292})$ the initial state of the FSR and by $P=(p_0,p_1,\ldots,p_{l-1})$ the $l$-bit plaintext. $[a,b]$ denotes the closed interval from $a$ to $b$ for integers $a$ and $b$, where $a\le b$. Let $z=(z_0,z_1,\ldots,z_{l-1})$ be the correct keystream and $z^i=(z^i_0,z^i_1,\ldots,z^i_l)$ be the error keystream generated by a faulty initial state at location $i$, where $i\in[0,292]$. We define an $l$-bit differential string $\Delta z^i$. The $j$th element $\Delta z^i_j$ of $\Delta z^i$ satisfies $\Delta z^i_j=z_j\oplus z^i_j$.
As $\Delta z^i_j$ is 0, 1 or a non-zero function with respect to $S$, we also denote by $\Delta z^i$ a differential set that contains all possible differential strings resulting from the faulty initial state at location $i$, where $i\in[0,292]$.

3.1.1. Obtaining differential sets

Now, we need to get all differential sets $\Delta z^i$, where $i\in[0,292]$. This part is a pre-processing step that only needs to be done once, and the results of this step can then be used for all later attacks. We represent $\Delta z^i$ as a sequence of positions whose corresponding components are either 1 or non-constant functions with respect to $S$, omitting the 0 components. Here, we suppose $l=99$, since the first 99 bits of the differential keystream can be represented as linear or quadratic functions with respect to $S$. These equations can be used to retrieve enough linear equations to recover the initial state. For example, when $s_0$ is changed, we can get

$$\Delta z^0=(\Delta z^0_0,0_{37},\Delta z^0_{38},0_{10},1,0_{8},\Delta z^0_{58},0_{2},\Delta z^0_{61},0_{14},\Delta z^0_{76},0_{10},1,0_{8},\Delta z^0_{96},\Delta z^0_{97},0)$$

where $0_i$ ($i\in\{37,10,8,2,14\}$) represents $i$ consecutive 0s, and $\Delta z^0_j$ ($j\in\{0,38,58,61,76,96,97\}$) is a non-constant function with respect to $S$. Omitting the 0 components, $\Delta z^0$ can be represented as $\Delta z^0=(0,38,\mathbf{49},58,61,63,76,\mathbf{87},96,97)$, where the numbers in bold represent that 1 is always occurring in these positions.

Let $A$ be the set of all locations that can be involved in $f(S,p)$ or $g(S)$ directly, that is, $A=\{0,12,23,61,66,107,111,154,160,193,196,230,235,244\}$. By injecting one fault at location $i$, where $i\in A$, we find that the length of $\Delta z^i$ is at most 25, see Table 2.

Table 2. $\Delta z^i$, $i\in A$.
| $i$ | $\Delta z^i$ |
|---|---|
| 0 | 0 38 49 58 61 63 76 87 96 97 |
| 12 | 0 12 50 61 70 73 75 88 |
| 23 | 0 11 23 38 49 58 63 72 76 81 84 86 87 96 97 |
| 61 | 0 38 41 46 49 58 61 63 76 82 84 87 92 95 96 97 |
| 66 | 0 5 41 43 46 51 54 58 63 66 68 81 82 84 87 89 92 95 97 |
| 107 | 0 41 43 46 47 58 63 82 84 86 87 88 90 92 93 94 95 97 |
| 111 | 0 4 43 45 47 50 51 62 67 88 90 91 92 93 94 96 97 98 |
| 154 | 0 33 39 43 47 66 72 78 82 86 88 90 91 93 94 96 |
| 160 | 0 6 33 39 45 49 53 58 63 66 72 78 82 84 86 88 91 92 94 96 97 |
| 193 | 0 33 34 37 39 66 68 70 71 72 74 76 78 82 86 91 92 96 97 |
| 196 | 0 3 34 36 37 40 42 58 63 68 69 70 71 73 74 75 76 77 79 81 85 89 92 94 95 |
| 230 | 0 34 37 54 59 68 70 71 74 76 92 93 96 97 |
| 235 | 0 5 39 42 54 59 64 73 75 76 79 81 93 96 97 98 |
| 244 | 9 14 48 51 58 63 68 73 82 84 85 88 90 97 |

The numbers in bold represent the positions of components 1 and others represent the positions of the non-constant functions with respect to $S$.

For the non-constant function components in each $\Delta z^i$, where $i\in A$, we have checked that at most 4 equal 1 with probability $\frac{1}{4}$ and the others equal 1 with probability $\frac{1}{2}$. For one non-constant function component $\Delta z^i_j$ equaling 1 with probability $\frac{1}{4}$ (or $\frac{1}{2}$), if we choose 32 initial states randomly, we can get 32 values of $\Delta z^i_j$ correspondingly.
All 32 values equal 0 with probability about $2^{-13}$ (or $2^{-32}$), since $(1-1/4)^{32}\simeq 2^{-13}$ (or $(1-1/2)^{32}=2^{-32}$). Since the length of $\Delta z^i$ is at most 25 for $i\in A$, the event that there is at least one position where 1 should occur but does not has probability less than $1-(1-2^{-13})^{25}$, which can be neglected. So, for one fault location $i\in A$, it is enough to choose 32 initial states randomly to get all the positions where 1 may occur.

For the other fault locations i, where $i\in[0,292]$ and $i\notin A$, the first new differences that are not caused by shifting are introduced when the difference in $s_i$, denoted by $\Delta s_i$, shifts to some location in A. So, the length of $\Delta z^i$ is also at most 25 and 32 random initial states are enough.

Algorithm 1 is used to obtain all differential sets. The main idea is to fix one fault location i and choose 32 initial states randomly to get 32 differential strings. We then extract the positions where 1 may occur and the positions where 1 always occurs. Due to the limitation of pages, we list a part of the differential sets $\Delta z^i$ in Appendix A.
Algorithm 1 Obtain differential set $\Delta z^i$, where $i\in[0,292]$
Require: fault location i, where $i\in[0,292]$
Ensure: the position set $MQ_i$ where 1 occurs with probability less than 1 and the position set $AQ_i$ where 1 is always occurring
  Choose 32 initial states randomly
  for each initial state do
    run the encryption phase of ACORN v3 to get an l-bit keystream $z$
    $s_i \leftarrow s_i \oplus 1$
    run the encryption phase of ACORN v3 to get an l-bit keystream $z^i$, calculate $\Delta z^i$
    for j from 0 to l−1 do
      if $\Delta z^i_j \neq 0$ then
        add j to $MQ_i$ (repeated j are always preserved)
      end if
    end for
  end for
  for j from 0 to l−1 do
    if there are 32 j in $MQ_i$ then
      add j to $AQ_i$ and delete j in $MQ_i$
    end if
  end for
  delete the repeated numbers in $MQ_i$
  return $MQ_i$ and $AQ_i$

3.1.2. Fault locating method

When a faulty experiment is carried out, i.e. a fault is injected into an initial state randomly, we get a differential string $\Delta z$, with which we can determine the fault location according to the differential sets obtained above. The main idea is to compare the positions of the 1s in $\Delta z$ with those in the strings belonging to $\Delta z^i$, where $i\in[0,292]$. In a very small number of cases, different fault locations can generate the same differential string. So we separate the fault locations into two parts: unique sets and non-unique sets. By analyzing the strings separately, we aim at giving a more accurate assessment of our fault locating method, because strings belonging to unique sets increase the possibility of determining the fault location. The definition of unique set is given as follows.
Definition 1 For one differential set $\Delta z^i$ corresponding to the fault location i, if each string belonging to it can determine only one fault location, we say that $\Delta z^i$ is a unique set, where $i\in[0,292]$. Otherwise we say that $\Delta z^i$ is a non-unique set.

Algorithm 2 Find unique set $\Delta z^i$, where $i\in[0,292]$
Require: differential sets $\Delta z^i$, $MQ_i$ and $AQ_i$, where $i\in[0,292]$
Ensure: unique sets and non-unique sets
  for i from 0 to 291 do
    for k from i+1 to 292 do
      if $MQ_i\cup AQ_i\subseteq MQ_k\cup AQ_k$ and $AQ_k\subseteq MQ_i\cup AQ_i$ then
        return $\Delta z^i$ and $\Delta z^k$ are non-unique sets
      end if
    end for
    if there is not any return then
      return $\Delta z^i$ is a unique set
    end if
  end for

For all 293 fault locations, Algorithm 2 is used to extract unique sets. The major task is to compare the locations where 1 is always occurring.
Running through all differential sets $\Delta z^i$, where $i\in[0,292]$, we find that there are 103 unique sets, 96 of which are marked out in Appendix A. The number of unique sets provides some insight into the diffusion ability of the cipher. Given one differential string, if it belongs to one of the unique sets, the unique fault location is clear.

The strings belonging to non-unique sets can also be divided into two parts. One part can determine the fault location uniquely and the other part cannot. For the strings that cannot determine the fault location uniquely, we adopt the keystream extension strategy and the high probability priority strategy to increase the possibility of determining the fault location. The detailed process is as follows.

Separate the strings belonging to non-unique sets into 99 categories denoted by $B_t$ $(t\in[0,98])$ according to the subscript t satisfying $\Delta z^i_t=1$ $(t\in[0,98])$ and $\Delta z^i_j=0$ $(0\le j<t)$. For example, $B_0$ contains the $\Delta z^i$ whose first component $\Delta z^i_0$ can be 1. Note that $\Delta z^0=(0,38,49,58,61,63,76,87,96,97)$ may occur in $B_0$, $B_{38}$ and $B_{49}$, since its first 1 may occur at position 0, 38 and 49 ($\Delta z^{1}_{49}=1$ always holds).

For a given differential string $\Delta z$, we need to determine which category it belongs to according to the position of its first 1. Then, by comparing the other locations of 1 appearing in $\Delta z$, we can determine all possible fault locations, see Algorithm 3, where $\Delta z_j$ means the jth element of $\Delta z$.

If the number of optional fault locations is one, the unique fault location has been determined. Otherwise, we use the keystream bits extension strategy and the high probability priority strategy to guess the right fault location. These two strategies are introduced in [19].

Keystream extension strategy: Extending the keystream is a very valid method of increasing the proportion of strings that can determine the fault location uniquely.
The longer the keystream available to us, the higher the probability of determining the unique fault location.

High probability priority strategy: Here we assume that the initial state of the FSR is random and uniformly distributed. For a given string $\Delta z$, the different fault location candidates appear with different probabilities. Among the candidates i, we prefer to choose the i with the higher probability, and call this the high probability priority strategy. For example, when we get $\Delta z=(\overbrace{0,\dots,0}^{57},1,\overbrace{0,\dots,0}^{41})$, we know each candidate i in $B_{57}$ needs to satisfy $\Delta z^i_j=0$, where $j\in[0,98]$ and $j\neq 57$. According to the expression of $\Delta z^i$, i takes 292 with the highest probability $2^{-3}$. The probabilities of all the candidates i are listed in Table 3.

Algorithm 3 Fault locating
Require: a differential string $\Delta z$, $MQ_i$ and $AQ_i$, where $i\in[0,292]$
Ensure: the set I of possible fault locations
  Denote by J the set of j satisfying $\Delta z_j=1$, where $j\in[0,l-1]$
  Determine the category $B_*$ that $\Delta z$ belongs to, according to the position of the first 1 in $\Delta z$
  for all $\Delta z^i\in B_*$ do
    if $J\subseteq MQ_i\cup AQ_i$ and $AQ_i\subseteq J$ then
      add location i to the set I
    end if
  end for
  return the set I

Table 3. Optional fault locations of $\Delta z^i=(57)$.

Fault location | $\Delta z^i$ | Probability
233 | 3 37 40 57 62 71 73 74 77 79 95 96 | $2^{-12}$
238 | 3 8 42 45 57 62 67 76 78 79 82 84 96 | $2^{-13}$
250 | 15 20 54 57 64 69 74 79 88 90 91 94 96 | $2^{-13}$
253 | 18 23 57 60 67 72 77 82 91 93 94 97 | $2^{-12}$
287 | 52 57 91 94 | $2^{-4}$
292 | 57 62 96 | $2^{-3}$

3.1.3. Implementation and verification

In ACORN v3, there are at most $2^{293}$ initial states, and a differential string depends on both the initial state and the fault location. The whole space is beyond our computation capability. We just choose $2^{20}$ differential strings belonging to non-unique sets randomly to verify the validity of the above two strategies. We choose $2^{15}$ initial states randomly, and for each initial state, we choose $2^{5}$ non-unique fault locations randomly to obtain $2^{20}$ differential strings.
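Algorithms 1 and 3 in runnable form, as an added example that is not the authors' code: it simulates a single-bit fault in software, builds $MQ_i$ and $AQ_i$ from 32 random states, and lists the candidate locations for an observed differential string. The ACORN v3 encryption-phase update (ca = 1, cb = 0, message bits fixed to 0) is transcribed from the specification cited as [2], not from this page; the function names, the seeds and the omission of the $B_t$ pre-sorting are choices made here.

```python
import random

N, L = 293, 99   # state size in bits; keystream bits compared, as in this section

def maj(a, b, c):
    return (a & b) ^ (a & c) ^ (b & c)

def ch(a, b, c):
    return (a & b) ^ ((a ^ 1) & c)

def keystream(state, fault=None, length=L):
    """Encryption-phase keystream of ACORN v3 from a 293-bit state.

    Assumption: update function as in the v3 specification, ca=1, cb=0, message
    bits 0. arr[t + j] holds S_j at step t, so the shift is a moving window.
    """
    arr = list(state) + [0] * length
    if fault is not None:
        arr[fault] ^= 1                      # single-bit fault in s_fault
    z = []
    for t in range(length):
        # linear updates, highest tap first, each using not-yet-updated lower taps
        arr[t + 289] ^= arr[t + 235] ^ arr[t + 230]
        arr[t + 230] ^= arr[t + 196] ^ arr[t + 193]
        arr[t + 193] ^= arr[t + 160] ^ arr[t + 154]
        arr[t + 154] ^= arr[t + 111] ^ arr[t + 107]
        arr[t + 107] ^= arr[t + 66] ^ arr[t + 61]
        arr[t + 61] ^= arr[t + 23] ^ arr[t]
        z.append(arr[t + 12] ^ arr[t + 154]
                 ^ maj(arr[t + 235], arr[t + 61], arr[t + 193])
                 ^ ch(arr[t + 230], arr[t + 111], arr[t + 66]))
        # feedback bit becomes S_292 of the next step
        arr[t + 293] = (arr[t] ^ arr[t + 107] ^ 1
                        ^ maj(arr[t + 244], arr[t + 23], arr[t + 160])
                        ^ arr[t + 196])
    return z

def sample_states(n_states=32, seed=1):
    """Random initial states paired with their fault-free keystreams."""
    rng = random.Random(seed)
    states = []
    for _ in range(n_states):
        s = [rng.getrandbits(1) for _ in range(N)]
        states.append((s, keystream(s)))
    return states

def differential_string(state, i):
    """Delta z for a fault in s_i of the given state."""
    return [a ^ b for a, b in zip(keystream(state), keystream(state, fault=i))]

def differential_sets(i, states):
    """Algorithm 1: (MQ_i, AQ_i) for fault location i over the sampled states."""
    counts = [0] * L
    for state, z in states:
        zf = keystream(state, fault=i)
        for j in range(L):
            counts[j] += z[j] ^ zf[j]
    n = len(states)
    aq = {j for j in range(L) if counts[j] == n}      # 1 in every sample
    mq = {j for j in range(L) if 0 < counts[j] < n}   # 1 in some samples
    return mq, aq

def build_table(states):
    return {i: differential_sets(i, states) for i in range(N)}

def locate(dz, table):
    """Algorithm 3 without the B_t pre-sorting: all i with AQ_i <= J <= MQ_i | AQ_i."""
    J = {j for j, bit in enumerate(dz) if bit}
    return [i for i, (mq, aq) in table.items() if aq <= J <= (mq | aq)]

if __name__ == "__main__":
    table = build_table(sample_states())
    rng = random.Random(2024)                # constructed test state, not real data
    unknown = [rng.getrandbits(1) for _ in range(N)]
    for true_i in (0, 57, 233, 292):
        print(true_i, locate(differential_string(unknown, true_i), table))
```

Run as a script, it builds all 293 sets and prints the candidate list for a few simulated fault locations; the sets it samples for i = 0 and i = 12 can be compared with the corresponding rows of Table 2.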
Then we calculate the probability of guessing the right fault location each time the keystream is lengthened by 10 bits. The result shows that when the length of the keystream reaches 169 bits, we can determine the right fault location with probability 1, see Table 4. When the keystream length is 99 bits, the proportion of the strings that can determine the fault location uniquely is about 86.48%. For the other 13.52% of the strings, we can guess the right fault location with probability 83.01%. The total proportion of strings that can get the right fault location is 86.48% + 13.52% × 83.01% = 97.70%. When the keystream length reaches 169 bits, the total proportion is almost 100%.

Table 4. Determine the fault location ($2^{20}$ strings in non-unique sets).

Keystream length (bits) | Uniquely determine proportion (%) | Non-uniquely determine: Proportion (%) | Non-uniquely determine: Guess probability (%) | Total proportion (%)
99 | 86.48 | 13.52 | 83.01 | 97.70
109 | 91.31 | 8.69 | 86.21 | 98.80
119 | 92.38 | 7.62 | 92.82 | 99.45
129 | 93.31 | 6.69 | 98.11 | 99.87
139 | 93.84 | 6.16 | 99.07 | 99.94
149 | 94.48 | 5.52 | 99.59 | 99.98
159 | 94.66 | 5.34 | 99.80 | 99.99
169 | 94.72 | 5.28 | 99.96 | 100.00
179 | 94.73 | 5.27 | 99.98 | 100.00

Uniquely determine proportion (%): the proportion of strings that can determine the fault location uniquely. Non-uniquely determine: the strings that cannot determine the fault location uniquely. Proportion (%): the proportion of strings that cannot determine the fault location uniquely. Guess probability (%): the probability of guessing the right fault location. Total proportion (%): the total proportion of strings that can get the right fault location.

3.2. Recovering the Initial State

Once several faults are located, we can retrieve enough equations with respect to the initial state to recover it. In this section, we first give a fundamental method to retrieve equations and then give some improvement strategies to get more linear equations. Last, we use the guess-and-determine method to obtain the initial state; the time complexity is bounded by the number of faulty experiments.

3.2.1. Fundamental equation retrieving method

Here, we just use the first 99 bits of keystream, as the first 99 bits of the differential keystream can be expressed as linear or quadratic functions with respect to the initial state. Denote by $S=(s_0,s_1,\dots,s_{292})$ the initial state of the FSR and by $s_{293},\dots,s_{391}$ the 99 feedback variables. The first 58 feedback variables can be expressed as quadratic functions with respect to S.

We give two algorithms to retrieve equations. In Algorithm 4, we show how to get differential equations when the fault is injected in $s_i$, where $i\in A$, $A=\{0,12,23,61,66,107,111,154,160,193,196,230,235,244\}$. When $i\in[0,292]$ and $i\notin A$, the main idea to retrieve differential equations is to shift and perform the inversion of the linear transformation L on $\Delta z^{i'}$, where $i'\in A$, see Algorithm 5. Note that the inversion of the linear transformation L does not turn a linear function into a non-linear function, but it increases the number of terms in the function.

Algorithm 4 Retrieve Equations (1)
Require: the set A of fault locations
Ensure: differential equations
  run the encryption phase of ACORN v3 to represent the 99 feedback variables $s'_{293},\dots,s'_{391}$ and the keystream $z_0,z_1,\dots,z_{98}$ as functions of S
  for $i\in A$ do
    $s_i\leftarrow s_i\oplus 1$
    run the encryption phase of ACORN v3 to represent the 99 feedback variables $s''_{293},\dots,s''_{391}$ as functions of S
    for j from 293 to 391 do
      $s_j\leftarrow s_j\oplus s'_j\oplus s''_j$
    end for
    Regard $S=(s_0,s_1,\dots,s_{292})$ and $s_{293},\dots,s_{391}$ as the initial state and feedback variables, run the encryption phase of ACORN v3 to represent the keystream $z'_0,z'_1,\dots,z'_{98}$ as functions of S
    for j from 0 to 98 do
      $\Delta z^i_j\leftarrow z'_j\oplus z_j$
      if $\Delta z^i_j\neq 0,1$ then
        return $\Delta z^i_j$ is a differential equation
      end if
    end for
  end for

Algorithm 5 Retrieve Equations (2)
Require: fault location $i\in[a,b]$, where $a-1,b+1\in A$ and there is not any $c\in A$ satisfying $a<c<b$; the components of $\Delta z^{a-1}$
Ensure: differential equations
  for each component $\Delta z^{a-1}_j\neq 0,1$, where $j\in[0,98]$ do
    $\Delta z^{i}_{j+a-1-i}\leftarrow \Delta z^{a-1}_j$
    for each variable $s_k$ in $\Delta z^{i}_{j+a-1-i}$, where $k\in[0,292]$ do
      $s_k\leftarrow s_k^{a-1-i}$
      $s^{0}_{k+a-1-i}\leftarrow \underbrace{L^{-1}(L^{-1}(\cdots(L^{-1}(L^{-1}}_{a-1-i}(s_k^{a-1-i})))\cdots)$
      $s_k^{a-1-i}\leftarrow s^{0}_{k+a-1-i}$
      return $\Delta z^{i}_{j+a-1-i}$ is a differential equation
    end for
  end for

Statistics show that, on average, we can get 6.38 linear equations and 4.23 non-linear equations with one faulty experiment.
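We count each quadratic equation of the form $x_ix_j$ as 0.5 linear equations, where $x_i$ and $x_j$ are linear functions with respect to the initial state, because a quadratic equation of the form $x_ix_j$ equals 1 with probability $\frac{1}{4}$. If $x_ix_j=1$, we know that $x_i=1$ and $x_j=1$. Thus, 0.5 linear equations are expected.

3.2.2. Several improvement strategies

In order to get more linear equations, two observations are given.

Observation 1 When $i\notin A$, if we stretch the length of the differential string, we can get more linear equations. The number of these functions is 0.7 on average.

For example, when $s_0$ is changed, we can get

$\Delta z^0=(\Delta z^0_0,0_{37},\Delta z^0_{38},0_{10},1,0_8,\Delta z^0_{58},0_2,\Delta z^0_{61},0_{14},\Delta z^0_{76},0_{10},1,0_8,\Delta z^0_{96},\Delta z^0_{97},0)$

where $0_i$, $i\in\{37,10,8,2,14\}$, represents i consecutive 0s, and

$\Delta z^0_0=s_{154}\oplus s_{160}\oplus s_{193}\oplus s_{235}$,

$\Delta z^0_{38}=s_{159}\oplus s_{165}\oplus s_{192}\oplus s_{194}\oplus s_{197}\oplus s_{198}\oplus s_{231}\oplus s_{273}$,

$\Delta z^0_{58}=s_{20}\oplus s_{43}\oplus s_{58}\oplus s_{73}\oplus s_{78}\oplus s_{81}\oplus s_{119}\oplus s_{173}\oplus s_{185}\oplus s_{212}\oplus s_{214}\oplus s_{217}\oplus s_{218}\oplus s_{251}$,

$\Delta z^0_{61}=s_{176}\oplus s_{188}\oplus s_{215}\oplus s_{217}\oplus s_{220}\oplus s_{221}\oplus s_{237}\oplus s_{242}\oplus s_{254}\oplus s_{296}$,

$\Delta z^0_{63}=s_{83}\oplus s_{88}\oplus s_{127}\oplus s_{129}\oplus s_{131}\oplus s_{174}$,

$\Delta z^0_{76}=s_{164}\oplus s_{170}\oplus s_{191}\oplus s_{193}\oplus s_{195}\oplus s_{196}\oplus s_{199}\oplus s_{201}\oplus s_{202}\oplus s_{203}\oplus s_{230}\oplus s_{232}\oplus s_{235}\oplus s_{236}\oplus s_{252}\oplus s_{257}\oplus s_{269}\oplus s_{311}$,

$\Delta z^0_{96}=(s_{159}\oplus s_{165}\oplus s_{198}\oplus s_{282})(s_{20}\oplus s_{35}\oplus s_{43}\oplus s_{65}\oplus s_{73}\oplus s_{75}\oplus s_{78}\oplus s_{81}\oplus s_{96}\oplus s_{110}\oplus s_{111}\oplus s_{114}\oplus s_{116}\oplus s_{119}\oplus s_{157}\oplus s_{172}\oplus s_{178}\oplus s_{184}\oplus s_{190}\oplus s_{211}\oplus s_{213}\oplus s_{215}\oplus s_{216}\oplus s_{219}\oplus s_{221}\oplus s_{222}\oplus s_{223}\oplus s_{230}\oplus s_{235}\oplus s_{250}\oplus s_{252}\oplus s_{255}\oplus s_{256}\oplus s_{289})$,

$\Delta z^0_{97}=1\oplus s_{71}\oplus s_{81}\oplus s_{114}\oplus s_{116}\oplus s_{117}\oplus s_{120}\oplus s_{161}\oplus s_{163}\oplus s_{165}\oplus s_{169}\oplus s_{175}\oplus s_{208}$.

$\Delta z^0_{96}$ is of the form $x_ix_j$ and can be regarded as 0.5 linear equations, where $x_i=s_{159}\oplus s_{165}\oplus s_{198}\oplus s_{282}$ and $x_j=s_{20}\oplus s_{35}\oplus s_{43}\oplus s_{65}\oplus s_{73}\oplus s_{75}\oplus s_{78}\oplus s_{81}\oplus s_{96}\oplus s_{110}\oplus s_{111}\oplus s_{114}\oplus s_{116}\oplus s_{119}\oplus s_{157}\oplus s_{172}\oplus s_{178}\oplus s_{184}\oplus s_{190}\oplus s_{211}\oplus s_{213}\oplus s_{215}\oplus s_{216}\oplus s_{219}\oplus s_{221}\oplus s_{222}\oplus s_{223}\oplus s_{230}\oplus s_{235}\oplus s_{250}\oplus s_{252}\oplus s_{255}\oplus s_{256}\oplus s_{289}$. Note that $\Delta z^0_{96}$ and $\Delta z^0_{97}$ can be regarded as linear functions. $\Delta z^{3}_{99}$ and $\Delta z^{i}_{97+i}$ $(1<i<12)$ are also linear functions, which will not be used when only the 99-bit keystream is in consideration.

Observation 2 For all equations, we find two features of the equations.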
For one fault experiment, if the number of quadratic equations $x_ix_j$ is larger than 1, there would exist equations of the forms $x_ix_{j_1}$ and $x_ix_{j_2}$, where $x_i$, $x_{j_1}$ and $x_{j_2}$ are linear functions with respect to the initial state. Then we can retrieve more linear equations.

For one quadratic equation of the form $x_ix_j$, there may exist a linear equation of the form $x_i$ or $x_j$ which can be used to deduce more linear equations, where $x_i$ and $x_j$ are linear functions with respect to the initial state.

For example, for two experiments where faults are injected at locations $i=0$ and $i=23$, we can get the following.

In $\Delta z^{23}$, there are four quadratic equations of the form $x_ix_j$, three of which are

$\Delta z^{23}_{58}=(s_{160}\oplus s_{244})(s_{20}\oplus s_{43}\oplus s_{58}\oplus s_{73}\oplus s_{78}\oplus s_{81}\oplus s_{119}\oplus s_{173}\oplus s_{185}\oplus s_{212}\oplus s_{214}\oplus s_{217}\oplus s_{218}\oplus s_{251})$,

$\Delta z^{23}_{63}=(s_{160}\oplus s_{244})(s_{83}\oplus s_{88}\oplus s_{127}\oplus s_{129}\oplus s_{131}\oplus s_{174})$,

$\Delta z^{23}_{97}=(s_{160}\oplus s_{244})(1\oplus s_{71}\oplus s_{81}\oplus s_{114}\oplus s_{116}\oplus s_{117}\oplus s_{120}\oplus s_{161}\oplus s_{163}\oplus s_{165}\oplus s_{169}\oplus s_{175}\oplus s_{208})$.

If at least one of them equals 1, we can get four linear equations.

In $\Delta z^{0}$, the two equations

$\Delta z^{0}_{58}=s_{20}\oplus s_{43}\oplus s_{58}\oplus s_{73}\oplus s_{78}\oplus s_{81}\oplus s_{119}\oplus s_{173}\oplus s_{185}\oplus s_{212}\oplus s_{214}\oplus s_{217}\oplus s_{218}\oplus s_{251}$

and

$\Delta z^{0}_{63}=s_{83}\oplus s_{88}\oplus s_{127}\oplus s_{129}\oplus s_{131}\oplus s_{174}$

are parts of $\Delta z^{23}_{58}$ and $\Delta z^{23}_{63}$, respectively.

3.2.3. Solving equation

As discussed above, on average, we can get about 7.03 linear equations and about 4.23 non-linear equations with one faulty experiment. With 27 fault experiments, we can get 304 equations including 190 linear equations. We need to pick out another 103 (= 293 − 190) linear equations from the 114 (= 304 − 190) non-linear equations. For 103 non-linear equations, we can get 51 linear equations by guessing 52 bits. By guessing 52 bits, we can get 241 linear equations with 241 unknown variables, which means that the initial state can be recovered. The time complexity of recovering the initial state is $c\cdot 2^{52}$, where c is the time complexity of solving linear equations of 241 variables. Also, we can get 295 linear equations with 42 fault experiments, and the time complexity is that of solving linear equations of 293 variables.

Let n be the number of faulty experiments.
We can get about 11.26n equations including about 7.03n linear equations. We use the guess-and-determine method to solve the equations. The time complexity of obtaining the initial state is approximately $c\cdot 2^{\frac{293-7.03n}{2}}\approx c\cdot 2^{146.5-3.52n}$, where $26<n<43$ and c is the time complexity of solving linear equations. With the method of [20], c depends on the number m of variables: $c<m^{2.3727}$. In a practical attack, the number of variables is less than 293, which means that c is small. As there are some relations between the equations in a practical attack, as shown in Observation 2, the time complexity can be smaller.

3.2.4. Implementation and verification

We verify the validity of our equation solving method on a shrunk cipher with similar structure and properties. More specifically, we built a small stream cipher according to the design principles used for ACORN v3 but with a small state of 31 bits. We then implemented our attack to recover the initial state. The result shows that if the number of linearly independent equations is larger than 31, we can recover the initial state by guessing some feedback values and a small part of the initial state values involved in these feedback functions. Of course, if the linearly independent equations are not enough, we need to carry out more faulty experiments.

3.3. The Forgery Attack

Once the initial state of ACORN v3 is recovered, we can encrypt any message to generate a valid tag, i.e. we can forge tags for all plaintexts. All the methods used in this work can be easily applied to ACORN v1 and v2, and for ACORN v1, we can recover the key by stepping the cipher backward.

4. THE FAULT ATTACK ON ACORN V2

We also apply the above attack to ACORN v2. In the fault locating part, we find that there are 127 unique sets in ACORN v2, which is larger than that of ACORN v3.
For strings belonging to non-unique sets, we can also determine the fault location uniquely with the keystream extension strategy and the high probability priority strategy. In the initial state recovery part, we can get 3.9 linear equations and 3.3 non-linear equations, on average, with one faulty experiment. In ACORN v2, Observation 1 is not useful for retrieving more linear equations. Let n be the number of faulty experiments. We can get 7.2n equations with 3.9n linear equations. The time complexity of obtaining the initial state equals $c\cdot 2^{\frac{293-3.9n}{2}}=c\cdot 2^{146.5-1.95n}$, where c is the time complexity of solving linear equations and $40<n<77$.

The changes from ACORN v2 to ACORN v3 have reduced the security margin of this algorithm against the differential fault attack, see Table 5. The main reason is the tweak in which a part of the terms in the feedback function is moved to the output filtering function. For one experiment, the number of linear equations retrieved from ACORN v3 is larger than that from ACORN v2. The tweak is meant to provide a large security margin against the guess-and-determine attack. However, it makes the algorithm more vulnerable to the fault attack.

Table 5. Comparison of ACORN v3 and v2.

Fault experiments' number | Time complexity, ACORN v3 | Time complexity, ACORN v2
n | $c\cdot 2^{146.5-3.52n}$ | $c\cdot 2^{146.5-1.95n}$
42 | $c$ | $c\cdot 2^{64.6}$
27 | $c\cdot 2^{51.46}$ | Impossible

5. CONCLUSIONS

In this paper, we described a fault attack on ACORN v3, which is one of the third round candidates of CAESAR. We also applied the attack to ACORN v2.
This work shows that, compared with ACORN v2, the tweaked version ACORN v3 is more vulnerable to fault attack. For ACORN v3, we can recover the initial state with time complexity $c \cdot 2^{146.5-3.52n}$, where c is the time complexity of solving linear equations and $26 < n < 43$. For ACORN v2, however, the time complexity is $c \cdot 2^{146.5-1.95n}$ with $40 < n < 77$. The difference between ACORN v3 and ACORN v2 leaves the algorithm with a smaller security margin against the differential fault attack.

FUNDING

The works of Zhang X. and Lin D. were supported by the National Natural Science Foundation of China (No. 61379139) and the 'Strategic Priority Research Program' of the Chinese Academy of Sciences [XDA06010701]. The work of Feng X. was supported by the National Natural Science Foundation of China (Nos. 61572491 and 11688101) and Science and Technology on Communication Security Laboratory (No. 6142103010701).

ACKNOWLEDGEMENTS

The authors would like to thank the anonymous reviewers for their comments and suggestions, which significantly improved the quality and presentation of this paper.

REFERENCES

[1] CAESAR: http://competitions.cr.yp.to/index.html.
[2] Wu, H. (2014) ACORN: A Lightweight Authenticated Cipher (v3). http://competitions.cr.yp.to/round3/acornv3.pdf.
[3] Wu, H. (2015) ACORN: A Lightweight Authenticated Cipher (v2). http://competitions.cr.yp.to/round2/acornv2.pdf.
[4] Wu, H. (2016) ACORN: A Lightweight Authenticated Cipher (v1). http://competitions.cr.yp.to/round1/acornv1.pdf.
[5] Liu, M. and Lin, D. (2014) Cryptanalysis of Lightweight Authenticated Cipher ACORN. Posted on the Crypto-Competition Mailing List.
[6] Chaigneau, C., Fuhr, T. and Gilbert, H. (2015) Full Key-Recovery on ACORN in Nonce-Reuse and Decryption-Misuse Settings. Posted on the Crypto-Competition Mailing List.
[7] Salam, M.I., Bartlett, H., Dawson, E., Pieprzyk, J., Simpson, L. and Wong, K.K. (2016) Investigating Cube Attacks on the Authenticated Encryption Stream Cipher ACORN. Proc. ATIS 16, Cairns, Australia, October 26–28, pp. 15–26. Springer Nature, Singapore.
[8] Salam, M.I., Wong, K.K., Bartlett, H., Simpson, L., Dawson, E. and Pieprzyk, J. (2016) Finding State Collisions in the Authenticated Encryption Stream Cipher ACORN. Proc. ACSW 16, Canberra, Australia, February 2–5, pp. 36. ACM, New York.
[9] Lafitte, F., Lerman, L., Markowitch, O. and Van Heule, D. (2016) SAT-Based Cryptanalysis of ACORN. IACR Cryptology ePrint Archive, 2016, 521.
[10] Josh, R.J. and Sarkar, S. (2015) Some Observations on ACORN v1 and Trivia-SC. Proc. Lightweight Cryptography Workshop 15, NIST Gaithersburg, July 20–21, pp. 20–21. No formal publication.
[11] Zhang, P., Guan, J., Li, J. and Shi, T. (2015) Research on State Collisions of Authenticated Cipher ACORN. Proc. ICSMIM 15, Shenzhen, China, December 27–28, pp. 459–465. Atlantis Press, Amsterdam.
[12] Roy, D. and Mukhopadhyay, S. (2016) Some Results on ACORN. IACR Cryptology ePrint Archive, 2016, 1132.
[13] Google Groups: https://groups.google.com/forum/#!forum/crypto-competitions/dzzNcybqFP4.
[14] Biham, E. and Shamir, A. (1997) Differential Fault Analysis of Secret Key Cryptosystems. Proc. CRYPTO 97, Santa Barbara, USA, August 17–21, pp. 513–525. Springer-Verlag, Berlin.
[15] Hoch, J.J. and Shamir, A. (2004) Fault Analysis of Stream Ciphers. Proc. CHES 04, Cambridge, USA, August 11–13, pp. 240–253. Springer-Verlag, Berlin.
[16] Skorobogatov, S.P. (2006) Optically Enhanced Position-Locked Power Analysis. Proc. CHES 06, Yokohama, Japan, October 10–13, pp. 61–75. Springer-Verlag, Berlin.
[17] Skorobogatov, S.P. and Anderson, R.J. (2002) Optical Fault Induction Attacks. Proc. CHES 2002, Redwood Shores, USA, August 13–15, pp. 2–12. Springer-Verlag, Berlin.
[18] Dey, P., Rohit, R.S. and Adhikari, A. (2016) Full key recovery of ACORN with a single fault. J. Inf. Secur. Appl., 29, 57–64.
[19] Zhang, X., Feng, X. and Lin, D. (2017) Fault Attack on the Authenticated Cipher ACORN v2. Security and Communication Networks, 2017, https://doi.org/10.1155/2017/3834685.
[20] Williams, V.V. (2012) Multiplying Matrices Faster than Coppersmith–Winograd. Proc. STOC 2012, New York, USA, May 20–22, pp. 887–898. ACM, New York.

APPENDIX A

Due to the page limit, we list only the differential sets $\Delta z_i$ with $i \in [0,168]$, in Table A1. The first column is the fault location, and the second column is the differential set. For each differential set $\Delta z_i$, the numbers in the second column represent the positions where 1 may occur when the fault location is i, that is, when the fault is injected in $s_i$. The numbers in bold represent the positions where 1 always occurs. The numbers in the first column are the locations where faults are injected, and the numbers in bold there indicate that the corresponding differential sets are unique sets.

Table A1. $\Delta z_i$, $i \in [0,168]$.

  i  $\Delta z_i$
  0  0 38 49 58 61 63 76 87 96 97
  1  1 39 50 59 62 64 77 88 97 98
  2  2 40 51 60 63 65 78 89 98
  3  3 41 52 61 64 66 79 90
  4  4 42 53 62 65 67 80 91
  5  5 43 54 63 66 68 81 92
  6  6 44 55 64 67 69 82 93
  7  7 45 56 65 68 70 83 94
  8  8 46 57 66 69 71 84 95
  9  9 47 58 67 70 72 85 96
 10  10 48 59 68 71 73 86 97
 11  11 49 60 69 72 74 87 98
 12  0 12 50 61 70 73 75 88
 13  1 13 51 62 71 74 76 89
 14  2 14 52 63 72 75 77 90
 15  3 15 53 64 73 76 78 91
 16  4 16 54 65 74 77 79 92
 17  5 17 55 66 75 78 80 93
 18  6 18 56 67 76 79 81 94
 19  7 19 57 68 77 80 82 95
 20  8 20 58 69 78 81 83 96
 21  9 21 59 70 79 82 84 97
 22  10 22 60 71 80 83 85 98
 23  0 11 23 38 49 58 63 72 76 81 84 86 87 96 97
 24  1 12 24 39 50 59 64 73 77 82 85 87 88 97 98
 25  2 13 25 40 51 60 65 74 78 83 86 88 89 98
 26  3 14 26 41 52 61 66 75 79 84 87 89 90
 27  4 15 27 42 53 62 67 76 80 85 88 90 91
 28  5 16 28 43 54 63 68 77 81 86 89 91 92
 29  6 17 29 44 55 64 69 78 82 87 90 92 93
 30  7 18 30 45 56 65 70 79 83 88 91 93 94
 31  8 19 31 46 57 66 71 80 84 89 92 94 95
 32  9 20 32 47 58 67 72 81 85 90 93 95 96
 33  10 21 33 48 59 68 73 82 86 91 94 96 97
 34  11 22 34 49 60 69 74 83 87 92 95 97 98
 35  12 23 35 50 61 70 75 84 88 93 96 98
 36  13 24 36 51 62 71 76 85 89 94 97
 37  14 25 37 52 63 72 77 86 90 95 98
 38  15 26 38 53 64 73 78 87 91 96
 39  16 27 39 54 65 74 79 88 92 97
 40  17 28 40 55 66 75 80 89 93 98
 41  18 29 41 56 67 76 81 90 94
 42  19 30 42 57 68 77 82 91 95
 43  20 31 43 58 69 78 83 92 96
 44  21 32 44 59 70 79 84 93 97
 45  22 33 45 60 71 80 85 94 98
 46  23 34 46 61 72 81 86 95
 47  24 35 47 62 73 82 87 96
 48  25 36 48 63 74 83 88 97
 49  26 37 49 64 75 84 89 98
 50  27 38 50 65 76 85 90
 51  28 39 51 66 77 86 91
 52  29 40 52 67 78 87 92
 53  30 41 53 68 79 88 93
 54  31 42 54 69 80 89 94
 55  32 43 55 70 81 90 95
 56  33 44 56 71 82 91 96
 57  34 45 57 72 83 92 97
 58  35 46 58 73 84 93 98
 59  36 47 59 74 85 94
 60  37 48 60 75 86 95
 61  0 38 41 46 49 58 61 63 76 82 84 87 92 95 96 97
 62  1 39 42 47 50 59 62 64 77 83 85 88 93 96 97 98
 63  2 40 43 48 51 60 63 65 78 84 86 89 94 97 98
 64  3 41 44 49 52 61 64 66 79 85 87 90 95 98
 65  4 42 45 50 53 62 65 67 80 86 88 91 96
 66  0 5 41 43 46 51 54 58 63 66 68 81 82 84 87 89 92 95 97
 67  1 6 42 44 47 52 55 59 64 67 69 82 83 85 88 90 93 96 98
 68  2 7 43 45 48 53 56 60 65 68 70 83 84 86 89 91 94 97
 69  3 8 44 46 49 54 57 61 66 69 71 84 85 87 90 92 95 98
 70  4 9 45 47 50 55 58 62 67 70 72 85 86 88 91 93 96
 71  5 10 46 48 51 56 59 63 68 71 73 86 87 89 92 94 97
 72  6 11 47 49 52 57 60 64 69 72 74 87 88 90 93 95 98
 73  7 12 48 50 53 58 61 65 70 73 75 88 89 91 94 96
 74  8 13 49 51 54 59 62 66 71 74 76 89 90 92 95 97
 75  9 14 50 52 55 60 63 67 72 75 77 90 91 93 96 98
 76  10 15 51 53 56 61 64 68 73 76 78 91 92 94 97
 77  11 16 52 54 57 62 65 69 74 77 79 92 93 95 98
 78  12 17 53 55 58 63 66 70 75 78 80 93 94 96
 79  13 18 54 56 59 64 67 71 76 79 81 94 95 97
 80  14 19 55 57 60 65 68 72 77 80 82 95 96 98
 81  15 20 56 58 61 66 69 73 78 81 83 96 97
 82  16 21 57 59 62 67 70 74 79 82 84 97 98
 83  17 22 58 60 63 68 71 75 80 83 85 98
 84  18 23 59 61 64 69 72 76 81 84 86
 85  19 24 60 62 65 70 73 77 82 85 87
 86  20 25 61 63 66 71 74 78 83 86 88
 87  21 26 62 64 67 72 75 79 84 87 89
 88  22 27 63 65 68 73 76 80 85 88 90
 89  23 28 64 66 69 74 77 81 86 89 91
 90  24 29 65 67 70 75 78 82 87 90 92
 91  25 30 66 68 71 76 79 83 88 91 93
 92  26 31 67 69 72 77 80 84 89 92 94
 93  27 32 68 70 73 78 81 85 90 93 95
 94  28 33 69 71 74 79 82 86 91 94 96
 95  29 34 70 72 75 80 83 87 92 95 97
 96  30 35 71 73 76 81 84 88 93 96 98
 97  31 36 72 74 77 82 85 89 94 97
 98  32 37 73 75 78 83 86 90 95 98
 99  33 38 74 76 79 84 87 91 96
100  34 39 75 77 80 85 88 92 97
101  35 40 76 78 81 86 89 93 98
102  36 41 77 79 82 87 90 94
103  37 42 78 80 83 88 91 95
104  38 43 79 81 84 89 92 96
105  39 44 80 82 85 90 93 97
106  40 45 81 83 86 91 94 98
107  0 41 43 46 47 58 63 82 84 86 87 88 90 92 93 94 95 97
108  1 42 44 47 48 59 64 83 85 87 88 89 91 93 94 95 96 98
109  2 43 45 48 49 60 65 84 86 88 89 90 92 94 95 96 97
110  3 44 46 49 50 61 66 85 87 89 90 91 93 95 96 97 98
111  0 4 43 45 47 50 51 62 67 88 90 91 92 93 94 96 97 98
112  1 5 44 46 48 51 52 63 68 89 91 92 93 94 95 97 98
113  2 6 45 47 49 52 53 64 69 90 92 93 94 95 96 98
114  3 7 46 48 50 53 54 65 70 91 93 94 95 96 97
115  4 8 47 49 51 54 55 66 71 92 94 95 96 97 98
116  5 9 48 50 52 55 56 67 72 93 95 96 97 98
117  6 10 49 51 53 56 57 68 73 94 96 97 98
118  7 11 50 52 54 57 58 69 74 95 97 98
119  8 12 51 53 55 58 59 70 75 96 98
120  9 13 52 54 56 59 60 71 76 97
121  10 14 53 55 57 60 61 72 77 98
122  11 15 54 56 58 61 62 73 78
123  12 16 55 57 59 62 63 74 79
124  13 17 56 58 60 63 64 75 80
125  14 18 57 59 61 64 65 76 81
126  15 19 58 60 62 65 66 77 82
127  16 20 59 61 63 66 67 78 83
128  17 21 60 62 64 67 68 79 84
129  18 22 61 63 65 68 69 80 85
130  19 23 62 64 66 69 70 81 86
131  20 24 63 65 67 70 71 82 87
132  21 25 64 66 68 71 72 83 88
133  22 26 65 67 69 72 73 84 89
134  23 27 66 68 70 73 74 85 90
135  24 28 67 69 71 74 75 86 91
136  25 29 68 70 72 75 76 87 92
137  26 30 69 71 73 76 77 88 93
138  27 31 70 72 74 77 78 89 94
139  28 32 71 73 75 78 79 90 95
140  29 33 72 74 76 79 80 91 96
141  30 34 73 75 77 80 81 92 97
142  31 35 74 76 78 81 82 93 98
143  32 36 75 77 79 82 83 94
144  33 37 76 78 80 83 84 95
145  34 38 77 79 81 84 85 96
146  35 39 78 80 82 85 86 97
147  36 40 79 81 83 86 87 98
148  37 41 80 82 84 87 88
149  38 42 81 83 85 88 89
150  39 43 82 84 86 89 90
151  40 44 83 85 87 90 91
152  41 45 84 86 88 91 92
153  42 46 85 87 89 92 93
154  0 33 39 43 47 66 72 78 82 86 88 90 91 93 94 96
155  1 34 40 44 48 67 73 79 83 87 89 91 92 94 95 97
156  2 35 41 45 49 68 74 80 84 88 90 92 93 95 96 98
157  3 36 42 46 50 69 75 81 85 89 91 93 94 96 97
158  4 37 43 47 51 70 76 82 86 90 92 94 95 97 98
159  5 38 44 48 52 71 77 83 87 91 93 95 96 98
160  0 6 33 39 45 49 53 58 63 66 72 78 82 84 86 88 91 92 94 96 97
161  1 7 34 40 46 50 54 59 64 67 73 79 83 85 87 89 92 93 95 97 98
162  2 8 35 41 47 51 55 60 65 68 74 80 84 86 88 90 93 94 96 98
163  3 9 36 42 48 52 56 61 66 69 75 81 85 87 89 91 94 95 97
164  4 10 37 43 49 53 57 62 67 70 76 82 86 88 90 92 95 96 98
165  5 11 38 44 50 54 58 63 68 71 77 83 87 89 91 93 96 97
166  6 12 39 45 51 55 59 64 69 72 78 84 88 90 92 94 97 98
167  7 13 40 46 52 56 60 65 70 73 79 85 89 91 93 95 98
168  8 14 41 47 53 57 61 66 71 74 80 86 90 92 94 96

For example, when i=12, the components of $\Delta z_{12}$ are the positions where 1 may occur when the fault is injected in $s_{12}$, where $\Delta z_{12} = (0, 12, 50, 61, 70, 73, 75, 88)$. The numbers 0 and 61 are the positions where 1 always occurs. The other numbers are the positions where 1 may occur with some specified probability. The 12 in the first column indicates that the differential set $\Delta z_{12}$ is a unique set.

Author notes
Handling editor: Keith Martin
© The British Computer Society 2018. All rights reserved. For permissions, please email: journals.permissions@oup.com
This article is published and distributed under the terms of the Oxford University Press, Standard Journals Publication Model (https://academic.oup.com/journals/pages/about_us/legal/notices)
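How Table A1 in Appendix A can be queried, as an added example that is not code from the paper: given the keystream positions where a faulty and a fault-free keystream differ, it lists the fault locations whose differential set is consistent with them, and shows which positions would separate the remaining candidates. The nine rows are the rows of Table A1 that contain position 0; the subset-test rule, the function names and the sample observations are assumptions of this sketch, and only the always-1 positions the text states (0 and 61 for i=12) are enforced.

```python
"""Fault-location lookup over rows of Table A1 (added example, not the paper's code)."""

# Rows copied from Table A1: fault location i -> keystream-difference positions
# where a 1 may occur when the fault is injected in s_i. These are the nine
# rows that contain position 0.
DELTA_Z = {
    0:   {0, 38, 49, 58, 61, 63, 76, 87, 96, 97},
    12:  {0, 12, 50, 61, 70, 73, 75, 88},
    23:  {0, 11, 23, 38, 49, 58, 63, 72, 76, 81, 84, 86, 87, 96, 97},
    61:  {0, 38, 41, 46, 49, 58, 61, 63, 76, 82, 84, 87, 92, 95, 96, 97},
    66:  {0, 5, 41, 43, 46, 51, 54, 58, 63, 66, 68, 81, 82, 84, 87, 89,
          92, 95, 97},
    107: {0, 41, 43, 46, 47, 58, 63, 82, 84, 86, 87, 88, 90, 92, 93, 94,
          95, 97},
    111: {0, 4, 43, 45, 47, 50, 51, 62, 67, 88, 90, 91, 92, 93, 94, 96,
          97, 98},
    154: {0, 33, 39, 43, 47, 66, 72, 78, 82, 86, 88, 90, 91, 93, 94, 96},
    160: {0, 6, 33, 39, 45, 49, 53, 58, 63, 66, 72, 78, 82, 84, 86, 88,
          91, 92, 94, 96, 97},
}

# Positions where a 1 always occurs; the appendix text gives them for i = 12 only.
ALWAYS_ONE = {12: {0, 61}}

WINDOW = 99  # Table A1 uses positions 0..98


def diff_positions(z, z_faulty):
    """Positions at which two equal-length keystream bit sequences differ."""
    if len(z) != len(z_faulty):
        raise ValueError("keystreams must have the same length")
    return {t for t, (a, b) in enumerate(zip(z, z_faulty)) if a != b}


def candidate_locations(observed, table=DELTA_Z, always=ALWAYS_ONE):
    """Fault locations consistent with the observed difference positions.

    Assumed rule: every observed 1 must be a 'may occur' position of
    Delta z_i, and every known 'always' position of Delta z_i must be observed.
    """
    observed = set(observed)
    if any(p < 0 or p >= WINDOW for p in observed):
        raise ValueError("positions must lie in 0..98")
    return [i for i, may in sorted(table.items())
            if observed <= may and always.get(i, set()) <= observed]


def separating_positions(candidates, table=DELTA_Z):
    """For each candidate, the positions that occur in no other candidate's set."""
    result = {}
    for i in candidates:
        others = set().union(*(table[j] for j in candidates if j != i))
        result[i] = sorted(table[i] - others)
    return result


def locate(observed):
    """The fault location if exactly one candidate remains, else None."""
    cands = candidate_locations(observed)
    return cands[0] if len(cands) == 1 else None


if __name__ == "__main__":
    # Constructed observations, not measurements from the paper.
    for obs in ({0, 61}, {0, 61, 70}, {0, 58, 63}, {0, 12, 88}):
        cands = candidate_locations(obs)
        print(sorted(obs), "->", cands, separating_positions(cands))
```

Row 0 is a subset of row 61 in Table A1, so under this rule no single observation can confirm location 0 over location 61; only positions outside row 0 can rule location 0 out.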

Journal

The Computer Journal, Oxford University Press

Published: Aug 1, 2018
