Common use of Table 5 Clause in Contracts

Table 5. A 8-round linear trail for Friet-PC in the form of masks at the output of ξ in the 8 successive rounds. round δa δb δc weight 0 ...............................1 2 1 ...............................1 ...............................1 ...............................1 2 2 ................8............... ................................ ...............................1 2 3 ................8...8..........1 ................8............... ................8..1............ 6 4 ................4..18...8......1 ....................8..........1 .......1........8...8..........1 10 5 ....4..1........4..14...8...8... ................4..1....8....... ....8...........4..18...8..1...1 14 6 8...c..14.......2...c......18..1 ....4..1............4.......8... ....4..18......14...4.......8. 22 7 8.......c......16...a...8..1...1 8...8...4.......2...8......1...1 8..18..14.......2...c......1...1 22 5.6 Combined Resistance Against 1st Order DPA and SIFA‌ A straightforward Friet-P implementation is vulnerable to SIFA [17] and SIFA- like attacks [28]. A realistic attack scenario would be the following. An adversary has access to the outer part of the state at a given time and can inject a fault during the computation of the permutation in order to recover some information on the inner part of the state. Provided that she can redo the attack multiple times on the same initial state, She could then try to inject a fault in the first round to modify one of the inputs of the AND operation in ξ. A bitflip in an input of a binary AND only propagates to its output if the other input is 1 and hence is only effective in that case. It can hence be simply be derived from the behavior of the fault-detection mechanism. Simulating probabilistic or less precise fault models such as, e.g., the random-AND fault model or a byte-based fault model would also yield exploitable results, although the adversary might need to profile the fault behavior of the device in advance with fault templates [28].

Table 5. A 8-round linear trail for Friet-PC in the form of masks at the output of ξ in the 8 successive rounds. round δa δb δc weight 0 ...............................1 2 1 ...............................1 ...............................1 ...............................1 2 2 ................8............... ................................ ...............................1 2 3 ................8...8..........1 ................8............... ................8..1............ 6 4 ................4..18...8......1 ....................8..........1 .......1........8...8..........1 10 5 ....4..1........4..14...8...8... ................4..1....8....... ....8...........4..18...8..1...1 14 6 8...c..14.......2...c......18..1 ....4..1............4.......8... ....4..18......14...4.......8. 22 7 8.......c......16...a...8..1...1 8...8...4.......2...8......1...1 8..18..14.......2...c......1...1 22 5.6 Combined Resistance Against 1st Order DPA and SIFA‌ A straightforward Friet-P implementation is vulnerable to SIFA [17] and SIFA- like attacks [28]. A realistic attack scenario would be the following. An adversary has access to the outer part of the state at a given time and can inject a fault during the computation of the permutation in order to recover some information on the inner part of the state. Provided that she can redo the attack multiple times on the same initial state, She could then try to inject a fault in the first first round to modify one of the inputs of the AND operation in ξ. A bitflip bitflip in an input of a binary AND only propagates to its output if the other input is 1 and hence is only effective effective in that case. It can hence be simply be derived from the behavior of the fault-detection mechanism. Simulating probabilistic or less precise fault models such as, e.g., the random-AND fault model or a byte-based fault model would also yield exploitable results, although the adversary might need to profile profile the fault behavior of the device in advance with fault templates [28].