Shortcut2Secrets: A Table-based Differential Fault Attack Framework

Differential Fault Attack; Elisabeth-b4; Elisabeth4; Gabriel-4; Hybrid Homomorphic Encryption; Margrethe-18-4; Differential fault attack; Hybrid homomorphic encryption; Stream Ciphers; Computer Networks and Communications

Abstract :

[en] Recently, Differential Fault Attacks (DFAs) have proven highly effective against stream ciphers designed for Hybrid Homomorphic Encryption (HHE). In this work, we present a table-based DFA framework called the shortcut attack, which generalizes the attack proposed by Wang and Tang on the cipher Elisabeth. The framework applies to a broad sub-family of ciphers following the Group Filter Permutator (GFP) paradigm and enhances previous DFAs by improving both the fault identification and path generation steps. Notably, the shortcut attack circumvents the issue of function representation, allowing successful attacks even when the cipher’s filter function cannot be represented over the ring it is defined on. Additionally, we provide complexity estimates for the framework and apply the shortcut attack to Elisabeth-4 and its patches. As a result, we optimize the DFA on Elisabeth-4, requiring fewer keystreams and running faster than previous methods. Specifically, we achieve a DFA that requires only 3000 keystreams, which is one-fifth of the previous best result. We also successfully mount a practical DFA on Gabriel-4 and provide a theoretical DFA for Elisabeth-b4. For the latest patch, Margrethe-18-4, which follows the more general Mixed Filter Permutator (MFP) paradigm, we present a DFA in a stronger model. To the best of our knowledge, these are the first DFA results on the patches of Elisabeth-4. Finally, we derive security margins to prevent shortcut attacks on a broad sub-family of MFP ciphers, which can serve as parameter recommendations for designers.

Disciplines :

Computer science

Author, co-author :

Wang, Weizhe; Shanghai Jiao Tong University, Shanghai, China

MEAUX, Pierrick ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > PI Coron

Tang, Deng; Shanghai Jiao Tong University, Shanghai, China

External co-authors :

yes

Language :

English

Title :

Shortcut2Secrets: A Table-based Differential Fault Attack Framework

Publication date :

04 March 2025

Journal title :

IACR Transactions on Cryptographic Hardware and Embedded Systems

eISSN :

2569-2925

Publisher :

Ruhr-University of Bochum

Volume :

2025

Issue :

Pages :

385 - 419

Peer reviewed :

Peer Reviewed verified by ORBi

Additional URL :

https://tches.iacr.org/index.php/TCHES/article/download/12052/11896

Funding text :

We are very grateful for the insightful comments and suggestions from the anonymous reviewers that improved the technical as well as editorial quality of this paper. The work of Pierrick M\u00E9aux was funded by the European Research Council (ERC) under the Advanced Grant program (reference number: 787390). The work of Deng Tang was supported in part by the National Natural Science Foundation of China (Nos. 62272303, 12101404).

Available on ORBilu :

since 11 November 2025

Statistics

Number of views

27 (0 by Unilu)

Number of downloads

7 (0 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

OpenCitations

OpenAlex citations

Bibliography

[ACG+19] Martin R. Albrecht, Carlos Cid, Lorenzo Grassi, Dmitry Khovratovich, Reinhard Lüftenegger, Christian Rechberger, and Markus Schofnegger. Algebraic cryptanalysis of STARK-friendly designs: Application to MARVELlous and MiMC. In Steven D. Galbraith and Shiho Moriai, editors, ASIACRYPT 2019, Part III, volume 11923 of LNCS, pages 371–397. Springer, Cham, December 2019.
[ADSR24] Aikata Aikata, Ahaan Dabholkar, Dhiman Saha, and Sujoy Sinha Roy. SASTA: Ambushing hybrid homomorphic encryption schemes with a single fault. Cryptology ePrint Archive, Report 2024/041, 2024.
[AK96] Ross Anderson and Markus Kuhn. Tamper resistance-a cautionary note. In Proceedings of the second Usenix workshop on electronic commerce, volume 2, pages 1–11, 1996.
[BBL+24] Augustin Bariant, Aurélien Boeuf, Axel Lemoine, Irati Manterola Ayala, Morten Øygarden, Léo Perrin, and Håvard Raddum. The algebraic FreeLunch: Efficient Gröbner basis attacks against arithmetization-oriented primitives. In Leonid Reyzin and Douglas Stebila, editors, CRYPTO 2024, Part IV, volume 14923 of LNCS, pages 139–173. Springer, Cham, August 2024.
[BBLP22] Augustin Bariant, Clémence Bouvier, Gaëtan Leurent, and Léo Perrin. Algebraic attacks against some arithmetization-oriented primitives. IACR Trans. Symm. Cryptol., 2022(3):73–101, 2022.
[BDL97] Dan Boneh, Richard A. DeMillo, and Richard J. Lipton. On the importance of checking cryptographic protocols for faults (extended abstract). In Walter Fumy, editor, EUROCRYPT’97, volume 1233 of LNCS, pages 37–51. Springer, Berlin, Heidelberg, May 1997.
[BHJ+18] Jakub Breier, Xiaolu Hou, Dirmanto Jap, Lei Ma, Shivam Bhasin, and Yang Liu. Practical fault attack on deep neural networks. In David Lie, Mohammad Mannan, Michael Backes, and XiaoFeng Wang, editors, Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, Toronto, ON, Canada, October 15-19, 2018, pages 2204–2206. ACM, 2018.
[BIP+18] Dan Boneh, Yuval Ishai, Alain Passelègue, Amit Sahai, and David J. Wu. Exploring crypto dark matter: New simple PRF candidates and their applications. In Amos Beimel and Stefan Dziembowski, editors, TCC 2018, Part II, volume 11240 of LNCS, pages 699–729. Springer, Cham, November 2018.
[BMS12] Subhadeep Banik, Subhamoy Maitra, and Santanu Sarkar. A differential fault attack on the Grain family of stream ciphers. In Emmanuel Prouff and Patrick Schaumont, editors, CHES 2012, volume 7428 of LNCS, pages 122–139. Springer, Berlin, Heidelberg, September 2012.
[Buc65] Bruno Buchberger. Ein algorithmus zum auffinden der basiselemente des restklassenringes nach einem nulldimensionalen polynomideal. Ph. D. Thesis, Math. Inst., University of Innsbruck, 1965.
[CCH+24] Mingyu Cho, Woohyuk Chung, Jincheol Ha, Jooyoung Lee, Eun-Gyeol Oh, and Mincheol Son. FRAST: tfhe-friendly cipher based on random s-boxes. IACR Trans. Symmetric Cryptol., 2024(3):1–43, 2024.
[CDPP22] Kelong Cong, Debajyoti Das, Jeongeun Park, and Hilder V. L. Pereira. SortingHat: Efficient private decision tree evaluation via homomorphic encryption and transciphering. In Heng Yin, Angelos Stavrou, Cas Cremers, and Elaine Shi, editors, ACM CCS 2022, pages 563–577. ACM Press, November 2022.
[CHMS22] Orel Cosseron, Clément Hoffmann, Pierrick Méaux, and François-Xavier Standaert. Towards case-optimized hybrid homomorphic encryption-featuring the elisabeth stream cipher. In Shweta Agrawal and Dongdai Lin, editors, ASIACRYPT 2022, Part III, volume 13793 of LNCS, pages 32–67. Springer, Cham, December 2022.
[CM03] Nicolas Courtois and Willi Meier. Algebraic attacks on stream ciphers with linear feedback. In Eli Biham, editor, EUROCRYPT 2003, volume 2656 of LNCS, pages 345–359. Springer, Berlin, Heidelberg, May 2003.
[Cou03] Nicolas Courtois. Fast algebraic attacks on stream ciphers with linear feedback. In Dan Boneh, editor, CRYPTO 2003, volume 2729 of LNCS, pages 176–194. Springer, Berlin, Heidelberg, August 2003.
[DGH+21] Itai Dinur, Steven Goldfeder, Tzipora Halevi, Yuval Ishai, Mahimna Kelkar, Vivek Sharma, and Greg Zaverucha. MPC-friendly symmetric cryptography from alternating moduli: Candidates, protocols, and applications. In Tal Malkin and Chris Peikert, editors, CRYPTO 2021, Part IV, volume 12828 of LNCS, pages 517–547, Virtual Event, August 2021. Springer, Cham.
[DLR16] Sébastien Duval, Virginie Lallemand, and Yann Rotella. Cryptanalysis of the FLIP family of stream ciphers. In Matthew Robshaw and Jonathan Katz, editors, CRYPTO 2016, Part I, volume 9814 of LNCS, pages 457–475. Springer, Berlin, Heidelberg, August 2016.
[DMMS21] Sébastien Duval, Pierrick Méaux, Charles Momin, and François-Xavier Standaert. Exploring crypto-physical dark matter and learning with physical rounding. IACR TCHES, 2021(1):373–401, 2021.
[DR20] Joan Daemen and Vincent Rijmen. The Design of Rijndael-The Advanced Encryption Standard (AES), Second Edition. Information Security and Cryptography. Springer, 2020.
[Fau99] Jean-Charles Faugere. A new efficient algorithm for computing gröbner bases (f4). Journal of pure and applied algebra, 139(1-3):61–88, 1999.
[Fau02] Jean Charles Faugere. A new efficient algorithm for computing gröbner bases without reduction to zero (f 5). In Proceedings of the 2002 international symposium on Symbolic and algebraic computation, pages 75–83, 2002.
[FGLM93] Jean-Charles Faugere, Patrizia Gianni, Daniel Lazard, and Teo Mora. Efficient computation of zero-dimensional gröbner bases by change of ordering. Journal of Symbolic Computation, 16(4):329–344, 1993.
[FT09] Toshinori Fukunaga and Junko Takahashi. Practical fault attack on a cryptographic LSI with ISO/IEC 18033-3 block ciphers. In Luca Breveglieri, Israel Koren, David Naccache, Elisabeth Oswald, and Jean-Pierre Seifert, editors, Sixth International Workshop on Fault Diagnosis and Tolerance in Cryptography, FDTC 2009, Lausanne, Switzerland, 6 September 2009, pages 84–92. IEEE Computer Society, 2009.
[GAH+23] Lorenzo Grassi, Irati Manterola Ayala, Martha Norberg Hovd, Morten Øygarden, Håvard Raddum, and Qingju Wang. Cryptanalysis of symmetric primitives over rings and a key recovery attack on rubato. In Helena Handschuh and Anna Lysyanskaya, editors, CRYPTO 2023, Part III, volume 14083 of LNCS, pages 305–339. Springer, Cham, August 2023.
[GBJR23] Henri Gilbert, Rachelle Heim Boissier, Jérémy Jean, and Jean-René Reinhard. Cryptanalysis of elisabeth-4. In Jian Guo and Ron Steinfeld, editors, ASIACRYPT 2023, Part III, volume 14440 of LNCS, pages 256–284. Springer, Singapore, December 2023.
[GGM24] François Gérard, Agnese Gini, and Pierrick Méaux. Toolip: How to find new instances of filip cipher with smaller key size and new filters. In Serge Vaudenay and Christophe Petit, editors, Progress in Cryptology-AFRICACRYPT 2024-15th International Conference on Cryptology in Africa, Douala, Cameroon, July 10-12, 2024, Proceedings, volume 14861 of Lecture Notes in Computer Science, pages 21–45. Springer, 2024.
[HMM+23] Clément Hoffmann, Pierrick Méaux, Charles Momin, Yann Rotella, FrançoisXavier Standaert, and Balazs Udvarhelyi. Learning with physical rounding for linear and quadratic leakage functions. In Helena Handschuh and Anna Lysyanskaya, editors, CRYPTO 2023, Part III, volume 14083 of LNCS, pages 410–439. Springer, Cham, August 2023.
[HMS23] Clément Hoffmann, Pierrick Méaux, and François-Xavier Standaert. The patching landscape of elisabeth-4 and the mixed filter permutator paradigm. In Anupam Chattopadhyay, Shivam Bhasin, Stjepan Picek, and Chester Rebeiro, editors, INDOCRYPT 2023, Part I, volume 14459 of LNCS, pages 134–156. Springer, Cham, December 2023.
[HR08] Michal Hojsík and Bohuslav Rudolf. Differential fault analysis of Trivium. In Kaisa Nyberg, editor, FSE 2008, volume 5086 of LNCS, pages 158–172. Springer, Berlin, Heidelberg, February 2008.
[HS04] Jonathan J. Hoch and Adi Shamir. Fault analysis of stream ciphers. In Marc Joye and Jean-Jacques Quisquater, editors, CHES 2004, volume 3156 of LNCS, pages 240–253. Springer, Berlin, Heidelberg, August 2004.
[JLHG24] Lin Jiao, Yongqiang Li, Yonglin Hao, and Xinxin Gong. Differential fault attacks on privacy protocols friendly symmetric-key primitives: Rain and hera. IET Information Security, 2024(1):7457517, 2024.
[JP22] Amit Jana and Goutam Paul. Differential fault attack on photon-beetle. In Chip-Hong Chang, Ulrich Rührmair, Debdeep Mukhopadhyay, and Domenic Forte, editors, Proceedings of the 2022 Workshop on Attacks and Solutions in Hardware Security, ASHES 2022, Los Angeles, CA, USA, 11 November 2022, pages 25–34. ACM, 2022.
[LKSM24] Fukang Liu, Abul Kalam, Santanu Sarkar, and Willi Meier. Algebraic attack on FHE-friendly cipher HERA using multiple collisions. IACR Trans. Symm. Cryptol., 2024(1):214–233, 2024.
[MBB11] Mohamed Saied Emam Mohamed, Stanislav Bulygin, and Johannes Buchmann. Using SAT solving to improve differential fault analysis of trivium. In TaiHoon Kim, Hojjat Adeli, Rosslin John Robles, and Maricel O. Balitanas, editors, Information Security and Assurance-International Conference, ISA 2011, Brno, Czech Republic, August 15-17, 2011. Proceedings, volume 200 of Communications in Computer and Information Science, pages 62–71. Springer, 2011.
[MCJS19] Pierrick Méaux, Claude Carlet, Anthony Journault, and François-Xavier Standaert. Improved filter permutators for efficient FHE: Better instances and implementations. In Feng Hao, Sushmita Ruj, and Sourav Sen Gupta, editors, INDOCRYPT 2019, volume 11898 of LNCS, pages 68–91. Springer, Cham, December 2019.
[MJSC16] Pierrick Méaux, Anthony Journault, François-Xavier Standaert, and Claude Carlet. Towards stream ciphers for efficient FHE with low-noise ciphertexts. In Marc Fischlin and Jean-Sébastien Coron, editors, EUROCRYPT 2016, Part I, volume 9665 of LNCS, pages 311–343. Springer, Berlin, Heidelberg, May 2016.
[MPP24] Pierrick Méaux, Jeongeun Park, and Hilder V. L. Pereira. Towards practical transciphering for FHE with setup independent of the plaintext space. CiC, 1(1):20, 2024.
[MR24] Pierrick Méaux and Dibyendu Roy. Theoretical differential fault attacks on FLIP and filip. Cryptogr. Commun., 16(4):721–744, 2024.
[MSS17] Subhamoy Maitra, Akhilesh Siddhanti, and Santanu Sarkar. A differential fault attack on plantlet. IEEE Trans. Computers, 66(10):1804–1808, 2017.
[NDE22] Marcel Nageler, Christoph Dobraunig, and Maria Eichlseder. Informationcombining differential fault attacks on DEFAULT. In Orr Dunkelman and Stefan Dziembowski, editors, EUROCRYPT 2022, Part III, volume 13277 of LNCS, pages 168–191. Springer, Cham, May / June 2022.
[NLV11] Michael Naehrig, Kristin E. Lauter, and Vinod Vaikuntanathan. Can homomorphic encryption be practical? In Christian Cachin and Thomas Ristenpart, editors, Proceedings of the 3rd ACM Cloud Computing Security Workshop, CCSW 2011, Chicago, IL, USA, October 21, 2011, pages 113–124. ACM, 2011.
[PQ03] Gilles Piret and Jean-Jacques Quisquater. A differential fault attack technique against SPN structures, with application to the AES and KHAZAD. In Colin D. Walter, Çetin Kaya Koç, and Christof Paar, editors, CHES 2003, volume 2779 of LNCS, pages 77–88. Springer, Berlin, Heidelberg, September 2003.
[RBM21] Dibyendu Roy, Bhagwan N. Bathe, and Subhamoy Maitra. Differential fault attack on kreyvium & FLIP. IEEE Trans. Computers, 70(12):2161–2167, 2021.
[RKMR23] R. Radheshwar, Meenakshi Kansal, Pierrick Méaux, and Dibyendu Roy. Differential fault attack on rasta and $\text{FiLIP}_{\text{DSM}}$. IEEE Trans. Computers, 72(8):2418–2425, 2023.
[Rog04] Phillip Rogaway. Nonce-based symmetric encryption. In Bimal K. Roy and Willi Meier, editors, FSE 2004, volume 3017 of LNCS, pages 348–359. Springer, Berlin, Heidelberg, February 2004.
[SC16a] Dhiman Saha and Dipanwita Roy Chowdhury. EnCounter: On breaking the nonce barrier in differential fault analysis with a case-study on PAEQ. In Benedikt Gierlichs and Axel Y. Poschmann, editors, CHES 2016, volume 9813 of LNCS, pages 581–601. Springer, Berlin, Heidelberg, August 2016.
[SC16b] Dhiman Saha and Dipanwita Roy Chowdhury. Scope: On the side channel vulnerability of releasing unverified plaintexts. In Orr Dunkelman and Liam Keliher, editors, SAC 2015, volume 9566 of LNCS, pages 417–438. Springer, Cham, August 2016.
[SKC14] Dhiman Saha, Sukhendu Kuila, and Dipanwita Roy Chowdhury. EscApe: Diagonal fault analysis of APE. In Willi Meier and Debdeep Mukhopadhyay, editors, INDOCRYPT 2014, volume 8885 of LNCS, pages 197–216. Springer, Cham, December 2014.
[SNC09] Mate Soos, Karsten Nohl, and Claude Castelluccia. Extending SAT solvers to cryptographic problems. In Oliver Kullmann, editor, Theory and Applications of Satisfiability Testing-SAT 2009, 12th International Conference, SAT 2009, Swansea, UK, June 30-July 3, 2009. Proceedings, volume 5584 of Lecture Notes in Computer Science, pages 244–257. Springer, 2009.
[WT24] Weizhe Wang and Deng Tang. Differential fault attack on HE-friendly stream ciphers: Masta, pasta and elisabeth. Cryptology ePrint Archive, Report 2024/1005, 2024.
[YZY+24] Hong-Sen Yang, Qun-Xiong Zheng, Jing Yang, Quan feng Liu, and Deng Tang. A new security evaluation method based on resultant for arithmetic-oriented algorithms. Cryptology ePrint Archive, Report 2024/886, 2024.