Fan Zhang,Shize Guo,Xinjie Zhao,Tao Wang,Jian Yang,Francois-Xavier Standaert,Dawu Gu

DOI: https://doi.org/10.1109/tifs.2016.2516905

2019-01-01

Abstract:Algebraic fault analysis (AFA), which combines algebraic cryptanalysis with fault attacks, has represented serious threats to the security of lightweight block ciphers. Inspired by an earlier framework for the analysis of side-channel attacks presented at EUROCRYPT 2009, a new generic framework is proposed to analyze and evaluate algebraic fault attacks on lightweight block ciphers. We interpret AFA at three levels: 1) the target; 2) the adversary; and 3) the evaluator. We describe the capability of an adversary in four parts: 1) the fault injector; 2) the fault model describer; 3) the cipher describer; and 4) the machine solver. A formal fault model is provided to cover most of current fault attacks. Different strategies of building optimal equation set are also provided to accelerate the solving process. At the evaluator level, we consider the approximate information metric and the actual security metric. These metrics can be used to guide adversaries, cipher designers, and industrial engineers. To verify the feasibility of the proposed framework, we make a comprehensive study of AFA on an ultra-lightweight block cipher called LBlock. Three scenarios are exploited, which include injecting a fault to encryption, to key scheduling, or modifying the round number or counter. Our best results show that a single fault injection is enough to recover the master key of LBlock within the affordable complexity in each scenario. To verify the generic feature of the proposed framework, we apply AFA to three other block ciphers, i.e., Data Encryption Standard, PRESENT, and Twofish. The results demonstrate that our framework can be used for different ciphers with different structures.

Fan Zhang,Bolin Yang,Shize Guo,Xinjie Zhao,Tao Wang,Francois-Xavier Standaert,Dawu Gu

DOI: https://doi.org/10.1007/978-3-030-11333-9_5

2019-01-01

Abstract:Algebraic fault analysis (AFA), which combines algebraic cryptanalysis with fault attacks, has represented serious threats to the security of lightweight block ciphers. Inspired by an earlier framework for the analysis of side-channel attacks presented at EUROCRYPT 2009, a new generic framework is proposed to analyze and evaluate algebraic fault attacks on lightweight block ciphers. We interpret AFA at three levels: the target, the adversary, and the evaluator. We describe the capability of an adversary in four parts: the fault injector, the fault model describer, the cipher describer, and the machine solver. A formal fault model is provided to cover most of the current fault attacks. Different strategies of building optimal equation set are also provided to accelerate the solving process. At the evaluator level, we consider the approximate information metric and the actual security metric. These metrics can be used to …

Linxi Ding,Hongxin Zhang,Jun Xu,Xing Fang,Yejing Wu

DOI: https://doi.org/10.3390/math12050700

IF: 2.4

2024-02-29

Mathematics

Abstract:In modern information technology, research on block cipher security is imperative. Concerning the ultra lightweight block cipher PICO, there has been only one study focused on recovering its complete master key, with a large search space of 264, and no fault analysis yet. This paper proposes a new fault analysis approach, combining differential fault and algebraic equation techniques. It achieved the recovery of PICO's entire master key with 40 faults in an average time of 0.57 h. S-box decomposition was utilized to optimize our approach, reducing the time by a remarkable 75.83% under the identical 40-fault condition. Furthermore, PICO's complete master key could be recovered with 28 faults in an average time of 0.78 h, indicating a significant 237 reduction in its search space compared to the previous study. This marks the first fault analysis on PICO. Compared to conventional fault analysis methods DFA (differential fault analysis) and AFA (algebraic fault analysis), our approach outperforms in recovering PICO's entire master key, highlighting the cruciality of key expansion complexity in block cipher security. Therefore, our approach could serve to recover master keys of block ciphers with comparably complicated key expansions, and production of more secure block ciphers could result.

mathematics

Xue Gong,Ao Shen,Tianxiang Feng,Guorui Xu,Shize Guo,Fan Zhang

DOI: https://doi.org/10.1016/j.vlsi.2024.102174

IF: 1.345

2024-01-01

Integration

Abstract:Cryptographic algorithms have been employed in a variety of fields as the primary method to protect information security. The security of a cryptographic algorithm is closely related to its operating environment and physical devices. Algebraic Persistent Fault Analysis (APFA) is a new fault analysis method for block ciphers proposed in CHES 2022, which utilizes the fault that persists in encryptions and introduces algebraic analysis in the fault analysis step. In the fault injection step, as the transistors of the integrated circuit are getting smaller and tighter, even high-precision devices may cause more than one fault per injection. However, more faults may lead to a more efficient attack in the fault analysis step. In this paper, APFA for double faults is proposed, which can deal with the double faults model and reduce the number of required ciphertexts. The practicality of our fault injection is validated by laser fault injection experiments on the SRAM embedded in an ATmega163L microcontroller. The effectiveness of our fault analysis is proven by successfully recovering the key of PRESENT-128 and AES-128. The number of ciphertexts needed for key recovery is reduced by 46% compared to PFA with a single fault.

Xinjie Zhao,Shize Guo,Fan Zhang,Zhijie Shi,Chujiao Ma,Tao Wang

DOI: https://doi.org/10.1109/FDTC.2013.14

2013-01-01

Abstract:This paper proposes a fault analysis technique on LED by combining algebraic cryptanalysis and differential fault analysis (DFA). The technique is called algebraic differential fault analysis (ADFA). In ADFA on LED, we use DFA to deduce the possible fault differences of the correct and faulty S-Box input in the last round, and convert them into algebraic equations. We then combine the equation set of LED with the injected fault and use the CryptoMiniSat solver to recover the secret key. Our experiments show that, on a common PC, ADFA can succeed on LED under the nibble-based fault model within three minutes and with only one fault injection, which is more efficient than previous DFA work. To evaluate DFA on LED, we first propose an improved evaluation algorithm of DFA, then provide a modified ADFA approach to compute the solutions for the secret key. The results are more accurate than previous work. We also successfully extend ADFA on LED to other fault models using a single fault injection, where traditional DFAs are difficult to launch.

Zhang Fan,Zhao Xinjie,Guo Shize,Shen Jizhong,Huang Jing,Hu Zijie

DOI: https://doi.org/10.1109/cc.2015.7188531

2015-01-01

Abstract:PRINCE is a 64-bit lightweight block cipher with a 128-bit key published at ASIACRYPT 2012. Assuming one nibble fault is injected, previous different fault analysis (DFA) on PRINCE adopted the technique from DFA on AES and current results are different. This paper aims to make a comprehensive study of algebraic fault analysis (AFA) on PRINCE. How to build the equations for PRINCE and faults are explained. Extensive experiments are conducted. Under nibble-based fault model, AFA with three or four fault injections can succeed within 300 seconds with a very high probability. Under other fault models such as byte-based, half word-based, word-based fault models, the faults become overlapped in the last round and previous DFAs are difficult to work. Our results show that AFA can still succeed to recover the full master key. To evaluate security of PRINCE against fault attacks, we utilize AFA to calculate the reduced entropy of the secret key for given amount of fault injections. The results can interpret and compare the efficiency of previous work. Under nibble-based fault model, the master key of PRINCE can be reduced to 2 9.69 and 2 36.10 with 3 and 2 fault injections on average, respectively.

Zehong (Zephyr) Qiu,Fan Zhang

DOI: https://doi.org/10.46586/tches.v2023.i3.570-596

2023-01-01

Abstract:Algebraic Fault Analysis (AFA) is a cryptanalysis for block ciphers proposed by Courtois et al., which incorporates algebraic cryptanalysis to overcome the complexity of manual analysis within the context of Differential Fault Analysis (DFA). The effectiveness of AFA on lightweight block ciphers has been demonstrated. However, the complexity of the algebraic systems prevents it from attacking heavyweight block ciphers efficiently. In this paper, we propose a novel cryptanalysis called Redundancies-assisted Algebraic Fault Analysis (RAFA) to facilitate the solution of algebraic systems in the setting of heavyweight block ciphers. The core idea of RAFA is to expedite SAT solvers by modifying the algebraic systems, which is accomplished via two methods. The first method introduces redundant constraints, which is proposed for the first time in the context of algebraic cryptanalysis. The second one is a sophisticated linearization of the nonlinear Algebraic Normal Form (ANF). It takes RAFA for about 9.68 hours to attack AES-128. To the best of our knowledge, this is the first work that uses a general SAT solver to attack AES with only a single injection of byte-fault. Moreover, RAFA can attack AES-128 in 50.92 and 27.54 minutes for nibble- and bit-based fault model, respectively. In comparison, the traditional DFA algorithm implemented by pure C takes 4 ~ 5 hours under all three fault models investigated in this work. Moreover, in order to show the generality of RAFA, we also apply it to other heavyweight block ciphers. The best results show that RAFA could recover the key of Serpent-256 and SPEEDY-r-192 in 20.7 and 1.5 hours using only three faults, respectively. In comparison, AFA could not break these two ciphers even when 30 bits and 50 bits of their keys are known, respectively. Furthermore, no DFA work on Serpent or SPEEDY is known using comparable fault models.

Fan Zhang,Xiaofei Dong,Xinjie Zhao,Yidi Wang,Samiya Qureshi,Yiran Zhang,Xiaoxuan Lou,Yongkang Tang

DOI: https://doi.org/10.1109/MASS.2018.00056

2018-01-01

Abstract:This paper proposed an advanced round modification fault analysis (RMFA) at the theoretical level on AEGIS-128, which is one of seven finalists in CAESAR competition. First, we clarify our assumptions and simplifications on the attack model, focusing on the encryption security. Then, we emphasize the difficulty of applying vanilla RMFA to AEGIS-128 in the practical case. Finally we demonstrate our advanced fault analysis on AEGIS-128 using machine-solver based algebraic techniques. Our enhancement can be used to conquer the practical scenario which is difficult for vanilla RMFA. Simulation results show that when the fault is injected to the initialization phase and the number of rounds is reduced to one, two samples of injections can extract the whole 128 key bits within less than two hours. This work can also be extended to other versions such as AEGIS-256.

Fan Zhang,Xinjie Zhao,Wei He,Shivam Bhasin,Shize Guo

DOI: https://doi.org/10.1007/s11432-016-0233-0

2017-01-01

Science China Information Sciences

Abstract:>Fault analysis is a very powerful technique to break cryptographic implementations.In particular,bitlevel fault analysis(BLFA),where faults are injected by flipping one or a few isolated bits,are among the most efficient of the lot.BLFA requires both precise fault injection capabilities and sophisticated key extraction skills.Algebraic fault analysis(AFA)[1]is a good analysis technique for BLFA.Compared with differential fault analysis(DFA),AFA relies on the automation from machine solvers.Since it fully utilizes the leakages

Yun-fei MA,Tao WANG,Hao CHEN,Fan ZHANG,Xiao-xuan LOU,Lu-min XU,Wen-bing YANG

DOI: https://doi.org/10.3785/j.issn.1008-973X.2017.09.011

2017-01-01

Abstract:A fault-cube method was given aiming at the special property of And operation (&) in SIMON and the problem in previous cube attack and fault attack.The round-candidates for fault injection were identified according to the number of linear and quadratic equations.Positions for fault injection were determined by using a difference-characteristics table.Some round-keys were recovered by extracting low-degree equations during the off-line phase.Then,the entire round-keys were obtained with combination of guess-and-determine attack.The experimental results show that the attack on SIMON32/64 needs 69 fault injections on average and requires a compute complexity of 247.91,which is better than the previous cube attack.Compared to differential fault attack,the fault-cube method is more effective in determining fault positions.Moreover,using the fault model is easier to realize and the attack process is of high automation.The fault-cube method will provide some ideas on other lightweight block ciphers with low-degree core operations as well.

Fan Zhang,Yiran Zhang,Xinjie Zhao,Shize Guo,Ziyuan Liang,Samiya Qureshi

DOI: https://doi.org/10.1109/PADSW.2018.8645010

2018-01-01

Abstract:The block cipher LED is well suited for resource-constrained scenarios. However, it is vulnerable to the recent fault attacks and different results have been achieved even under the same fault model. In this paper, a comprehensive investigation is conducted on the fault analysis on LED. A novel differential fault analysis is proposed, which is based on the so-called constraint equations. The proposed attack can combine constraint equations at different levels, pushing the differential fault analysis on LED towards its limit in terms of the time complexity, the data complexity and the remained key search space. Under random nibble fault model, SINGLE fault injection can reduce the key search space of LED-64 to 2 <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">7.90</sup> within 1.89s, compared to 2 <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">17.65</sup> within 7 minutes in prior finest contributions. As to DFA on LED-128, TWO fault injections can reduce the key search space to 2 <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">15.82</sup> within 247.88s, compared to 2 <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">21.96</sup> within 16 minutes in previous work. To the best of our knowledge, the scheme that we proposed is the most efficient fault attack on LED cryptosystems.

Hao Chen,Tao Wang,Shize Guo,Xinjie Zhao,Fan Zhang,Jian Liu

DOI: https://doi.org/10.1587/transfun.E100.A.811

2017-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:The differential fault analysis of SOSEMNAUK was presented in Africacrypt in 2011. In this paper, we improve previous work with algebraic techniques which can result in a considerable reduction not only in the number of fault injections but also in time complexity. First, we propose an enhanced method to determine the fault position with a success rate up to 990'o based on the single-word fault model. Then, instead of following the design of SOSEMANUK at word levels, we view SOSEMANUK at bit levels during the fault analysis and calculate most components of SOSEMANUK as bit-oriented. We show how to build algebraic equations for SOSEMANUK and how to represent the injected faults in bit-level. Finally, an SAT solver is exploited to solve the combined equations to recover the secret inner state. The results of simulations on a PC show that the full 384 bits initial inner state of SOSEMANUK can be recovered with only 15 fault injections in 3.97h.

Hao Chen,Tao Wang,Xinjie Zhao,Fan Zhang,Yunfei Ma,Xiaohan Wang

DOI: https://doi.org/10.13232/j.cnki.jnju.2017.06.016

2017-01-01

Abstract:HIGHT is built by using ARX(addition modulo 2n,bit rotation and XOR)structure,which is suitable for resource-constrained environment such as Radio Frequency Identification(RFID)tag or ubiquitous computing system and it has been adopted as a standard block cipher by Telecommunications Technology Association(TTA)of Korea and ISO/IEC 18033-3.Since the accurate location of the injected fault cannot be successfully determined when fault failures are occurred,the success rate of the existing algebraic fault attack on HIGHT is always less than 100%.To improve the success rate and efficiency,a fault tolerant algebraic fault attack is proposed in this paper.Firstly,fault failures and its properties are studied and a complete distinguisher based on fault failures,fault locations and cipher differences for determining the accurate fault locations in all different scenarios is built.Then,HIGHT is described as a set of algebraic equations.The faulty ciphertext is generated via fault injections and fault differences are represented with algebraic equations.To make maximum use of the injected faults,fault failures are also described as a set of algebraic equations.In the meantime,the procedure of constructing algebraic equations for the inj ected faults is optimized to perform automatically to further make the attack easy to launch.Finally,the CryptoMiniSAT solver is applied to solve the equations for the key and the number of fault injections that required and success rate of the proposed attack are analyzed in theory.The simulation experiments show that compared with the existing algebraic fault attack on HIGHT,the success rate of the proposed attack has been improved to 100% and the method of con-structing algebraic equations for the injected faults is easier and can be performed automatically,the entire mater key bytes can be fully recovered in a rather smaller time by solving the algebraic equations with the CryptoMiniSAT solver,and the proposed attack can be easily extended to other cipher which has the similar structure.

Fan Zhang,Tianxiang Feng,Zhiqi Li,Kui Ren,Xinjie Zhao

DOI: https://doi.org/10.46586/tches.v2022.i2.289-311

2022-01-01

IACR Transactions on Cryptographic Hardware and Embedded Systems

Abstract:Persistent Fault Analysis (PFA) is a new fault analysis method for block ciphers proposed in CHES 2018, which utilizes those faults that persist in encryptions. However, one fact that has not been raised enough attention is that: while the fault itself does persist in the entire encryption, the corresponding statistical analysis merely leverages fault leakages in the last one or two rounds, which ignores the valuable leakages in deeper rounds. In this paper, we propose Algebraic Persistent Fault Analysis (APFA), which introduces algebraic analysis to facilitate PFA. APFA tries to make full usage of the free fault leakages in the deeper rounds without incurring additional fault injections. The core idea of APFA is to build similar algebraic constraints for the output of substitution layers and apply the constraints to as many rounds as possible. APFA has many advantages compared to PFA. First, APFA can bypass the manual deductions of round key dependencies along the fault propagation path and transfer the burdens to the computing power of machine solvers such as Crypto-MiniSAT. Second, thanks to the free leakages in the deeper round, APFA requires a much less number of ciphertexts than previous PFA methods, especially for those lightweight block ciphers such as PRESENT, LED, SKINNY, etc. Only 10 faulty ciphertexts are required to recover the master key of SKINNY-64-64, which is about 155 times of reduction as compared to the state-of-the-art result. Third, APFA can be applied to the block ciphers that cannot be analyzed by PFA due to the key size, such as PRESENT-128. Most importantly, APFA replaces statistical analysis with algebraic analysis, which opens a new direction for persistent-fault related researches.

Shivam Bhasin,Jingyu Pan,Fan Zhang

2018-01-01

Abstract:This works gives an overview of persistent fault attacks on block ciphers, a recently introduced fault analysis technique based on persistent faults. The fault typically targets stored constant of cryptographic algorithms over several encryption calls with a single injection. The underlying analysis technique statistically recovers the secret key and is capable of defeating several popular countermeasures by design.

Xue Gong,Fan Zhang,Xinjie Zhao,Jie Xiao,Shize Guo

DOI: https://doi.org/10.1109/tifs.2024.3495234

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Persistent Fault Analysis (PFA) is a powerful analysis technique proposed in CHES 2018, which utilizes those faults that are injected before execution and persist throughout the encryption. However, when it is applied to the block cipher which has multiple S-boxes, the key can not be recovered in just one attack. The adversary has to conduct the fault attack several times and inject faults into all the distinct S-boxes. In this paper, we propose Key Schedule Guided Persistent Fault Attack (KGPFA), which utilizes the key schedule to guide the fault injection and fault analysis. By analyzing the key schedule, KGPFA exploits the relations between the key leakages caused by the same faulty S-box in various rounds. It can reduce the number of attacks and the number of faults required to recover the key. Our major contributions are twofold. Firstly, in the fault injection step, we provide Key Schedule Guided Persistent Fault Injection (KGPFI) strategies to reduce the number of attacks and the number of faults under the assumption of both ciphertext-only and known-plaintext attacks. Secondly, in the fault analysis step, as our target ciphers are Feistel-based, we propose the Ineffective Algebraic Persistent Fault Analysis (IAPFA) to extend the usage of Algebraic Persistent Fault Analysis (APFA) in the ineffective persistent fault setting. To demonstrate the effectiveness of our technique, we apply KGPFA to four widely used block ciphers with multiple S-boxes, DES, 3DES, LBlock, and Camellia. In our experiment, in the ciphertext-only attack, the key of DES can be recovered with 300 ineffective ciphertexts (coresponding to 827 ciphertexts) and four faulty S-boxes within 12.18min. Under the assumption of known-plaintext, the key of DES is recovered within two faulty S-boxes in 2.34h. For LBlock, the key is recovered with two faulty S-boxes and 100 ineffective ciphertexts (coresponding to 6211 ciphertexts) in 1.16min.

Hao Chen,Tao Wang,Fan Zhang,Xinjie Zhao,Wei He,Lumin Xu,Yunfei Ma

DOI: https://doi.org/10.1155/2017/8051728

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:HIGHT is a lightweight block cipher which has been adopted as a standard block cipher. In this paper, we present a bit-level algebraic fault analysis (AFA) of HIGHT, where the faults are perturbed by a stealthy HT. The fault model in our attack assumes that the adversary is able to insert a HT that flips a specific bit of a certain intermediate word of the cipher once the HT is activated. The HT is realized by merely 4 registers and with an extremely low activation rate of about 0.000025. We show that the optimal location for inserting the designed HT can be efficiently determined by AFA in advance. Finally, a method is proposed to represent the cipher and the injected faults with a merged set of algebraic equations and the master key can be recovered by solving the merged equation system with an SAT solver. Our attack, which fully recovers the secret master key of the cipher in 12572.26 seconds, requires three times of activation on the designed HT. To the best of our knowledge, this is the first Trojan attack on HIGHT.

Xinjie Zhao,Shize Guo,Fan Zhang,Tao Wang,Zhijie Jerry Shi,Chujiao Ma,Dawu Gu

DOI: https://doi.org/10.1109/FDTC.2014.13

2014-01-01

Abstract:GOST is a well-known block cipher as the official encryption standard for the Russian Federation. A special feature of GOST is that its eight S-boxes can be secret. However, most of the researches on GOST assume that the design of these S-boxes is known. In this paper, the security of GOST against side-channel attacks is examined with algebraic fault analysis (AFA), which combines the algebraic cryptanalysis with the fault attack. Three AFAs on GOST, which have different attack goals in different scenarios, are investigated. The results show that 8 fault injections are required to recover the secret key when the full design of GOST is known, which is less than 64 fault injections required in previous work. 64 fault injections are required to recover the eight unknown S-boxes assuming the key is known. 270 fault injections are required to recover the key and the eight S-boxes when both are unknown. The results prove that AFA is very effective and keeping some components in a cipher secret cannot guarantee its security against fault attacks.

HUANG Jing,ZHAO Xin-jie,ZHANG Fan,GUO Shi-ze,ZHOU Ping,CHEN Hao,YANG Jian

DOI: https://doi.org/10.11959/j.issn.1000-436x.2016165

2016-01-01

Abstract:An enhanced algebraic fault analysis on PRESENT was proposed.Algebraic cryptanalysis was introduced to build the algebraic equations for both the target cipher and faults.The equation set of PRESENT was built reversely in order to accelerate the solving speed.An algorithm of estimating the reduced key entropy for given amount of fault injec-tions was proposed,which can evaluate the resistance of PRESENT against fault attacks under different fault models.Fi-nally,extensive glitch-based fault attacks were conducted on an 8-bit smart card PRESENT implemented on a smart card.The best results show that only one fault injection was required for the key recovery,this is the best result of fault attacks on PRESENT in terms of the data complexity.

Xiaoxuan Lou,Fan Zhang,Guorui Xu,Ziyuan Liang,Xinjie Zhao,Shize Guo,Kui Ren

DOI: https://doi.org/10.1007/978-3-030-42921-8_29

2020-01-01

Abstract:Block ciphers with Feistel structures are vulnerable to a specific type of cache attacks named differential cache attacks. The attacks leverage side-channel leakages from cache and differential property of cipher component to reveal the master key of cipher. In this paper, we combine the algebraic analysis to enhance the attacks, and propose a novel method named Algebraic Differential Cache Attack (ADCA). By converting both cipher and cache leakages to algebraic equations, ADCA can reveal the cipher key automatically with the help of the SAT solver, which allows the analysis on much deeper rounds and makes a considerable reduction in attack complexity. When it is applied to the block cipher SM4, 10 plaintexts are enough to reveal the master key in 8-rounds analysis, while the traditional differential cache attack needs 20 ones. Finally, to eliminate the impact from noise, an error-tolerant method is proposed to deduce cache events from the leakage traces. It vastly enhances the robustness of attack, and makes the attack more practical. The experimental results show that the error-tolerant ADCA can correctly reveal the master key even when the uncertainty rate of cache events reaches to 60%.