• DocumentCode
    2959233
  • Title

    Diagonal fault analysis of Grøstl in dedicated MAC mode

  • Author

    Saha, Dhiman ; Chowdhury, Dipanwita Roy

  • Author_Institution
    Dept. of Comput. Sci. & Eng., IIT Kharagpur, Kharagpur, India
  • fYear
    2015
  • fDate
    5-7 May 2015
  • Firstpage
    100
  • Lastpage
    105
  • Abstract
    In this work, we present a differential fault analysis of the SHA-3 finalist Grøstl when used in the dedicated MAC mode. The fault model exploited here is similar to the fault repeatability model proposed and used by Roche et al. in CARDIS 2011. We propose a new way of extracting half of the state of Grøstl from the knowledge of the remaining half. This result is of particular interest since it may be applied to any AES-like construction. The number of faults required to invert the output transformation is 8, improving the previous record of 16. Retrieving the key used in the MAC amounts to inverting the permutation Q in the last call of the compression function. This requires 34 additional faults, beating the existing result of 140 faults by a huge margin. To the best of our knowledge, this work presents the first fault analysis of Grøstl which is entirely based on the byte-error fault model and requires no precomputation.
  • Keywords
    cryptography; fault diagnosis; AES; CARDIS 2011; Grøstl; MAC mode; SHA-3; byte-error fault model; compression function; diagonal fault analysis; differential fault analysis; fault repeatability; Adaptation models; Analytical models; Computational modeling; Context; Hardware; Mathematical model; Security; Diagonal Fault Attack; Differential Fault Analysis; Fault Repeatability; Grøstl; Hash Functions; SHA-3;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Hardware Oriented Security and Trust (HOST), 2015 IEEE International Symposium on
  • Conference_Location
    Washington, DC
  • Type

    conf

  • DOI
    10.1109/HST.2015.7140246
  • Filename
    7140246