Statistical Ineffective Fault Analysis of GIMLI

TL;DR

This paper demonstrates how Ineffective Fault Analysis (SIFA) can be applied to GIMLI, a NIST-LWC candidate, to recover significant key bits with a relatively small number of faults, highlighting vulnerabilities in the cipher.

Contribution

It adapts SIFA techniques to GIMLI, identifying specific attack points and quantifying the number of faults needed to recover key bits, revealing new vulnerabilities.

Findings

Recover 3 bits of key with 180 faults at one location

Recover 15 bits of key with 340 faults at another location

Verified attack effectiveness through simulation

Abstract

Ineffective Fault Analysis (SIFA) was introduced as a new approach to attack block ciphers at CHES 2018. Since then, they have been proven to be a powerful class of attacks, with an easy to achieve fault model. One of the main benefits of SIFA is to overcome detection-based and infection-based countermeasures. In this paper we explain how the principles of SIFA can be applied to GIMLI, an authenticated encryption cipher participating the NIST-LWC competition. We identified two possible rounds during the intialization phase of GIMLI to mount our attack. If we attack the first location we are able to recover 3 bits of the key uniquely and the parity of 8 key-bits organized in 3 sums using 180 ineffective faults per biased single intermediate bit. If we attack the second location we are able to recover 15 bits of the key uniquely and the parity of 22 key-bits organized in 7 sums using 340 ineffective faults per biased intermediate bit. Furthermore, we investigated the influence of the fault model on the rate of ineffective faults in GIMLI. Finally, we verify the efficiency of our attacks by means of simulation.