Xinjie Zhao,Shize Guo,Fan Zhang,Zhijie Shi,Chujiao Ma,Tao Wang

DOI: https://doi.org/10.1109/FDTC.2013.14

2013-01-01

Abstract:This paper proposes a fault analysis technique on LED by combining algebraic cryptanalysis and differential fault analysis (DFA). The technique is called algebraic differential fault analysis (ADFA). In ADFA on LED, we use DFA to deduce the possible fault differences of the correct and faulty S-Box input in the last round, and convert them into algebraic equations. We then combine the equation set of LED with the injected fault and use the CryptoMiniSat solver to recover the secret key. Our experiments show that, on a common PC, ADFA can succeed on LED under the nibble-based fault model within three minutes and with only one fault injection, which is more efficient than previous DFA work. To evaluate DFA on LED, we first propose an improved evaluation algorithm of DFA, then provide a modified ADFA approach to compute the solutions for the secret key. The results are more accurate than previous work. We also successfully extend ADFA on LED to other fault models using a single fault injection, where traditional DFAs are difficult to launch.

Liang Dong,Hongxin Zhang,Lei Zhu,Shaofei Sun,Han Gan,Fan Zhang

DOI: https://doi.org/10.1109/access.2019.2901753

IF: 3.9

2019-01-01

IEEE Access

Abstract:This paper presents an optimal method for recovering the secret keys of the light encryption device (LED) by combining the impossible differential fault attack with the algebraic differential fault attack. The proposed optimal method effectively improves the performance of fault attacks. A fault attack model, named the redundant random nibble fault model (RRNFM), is proposed to simulate a multiple fault injection in a real-world environment. Using the optimal method and the RRNFM, the 64-bit secret key of LED can be recovered by injecting no more than six faults in 1300 experiments. We establish an equation of inverse proportionality between the number of faults injected and the remaining amount of the secret key. Using the equation, the number of fault injection can be accurately predicted, providing an effective way of evaluating fault attacks.

Jing Huang,Xinjie Zhao,Yidi Wang,Shize Guo,Fan Zhang,Tianming Zheng

DOI: https://doi.org/10.1109/IMCCC.2018.00048

2018-01-01

Abstract:In January 2016, Li et al. introduced an impossible differential fault analysis on the LED cryptosystem. If one random nibble fault is injected into the preantepenultimate round of LED, 48 fault injections are required to recover the secret key. In this comment, we provide an improved scheme with theoretical analysis and experimental results. Under the same fault model, our analysis can reduce the key search space of LED to 27:92 on average with only ONE fault. The key extraction takes about 13.84 seconds on average.

Wei Li,Da-wu Gu,Xiao-ling Xia,Chen Zhao,Zhi-qiang Liu,Ya Liu,Qing-ju Wang

DOI: https://doi.org/10.1080/18756891.2012.733223

IF: 2.259

2012-01-01

International Journal of Computational Intelligence Systems

Abstract:The LED is a new lightweight cipher, which was published in CHES 2011. This cipher could be applied in the Wireless Sensor Network to provide security. On the basis of the single byte-oriented fault model, we propose a differential fault analysis on the LED cipher. The attack could recover its 64-bit secret key by introducing 4 faulty ciphertexts, and 128-bit secret key by introducing 8 faulty ciphertexts. The results in this study will be beneficial to the analysis of the same type of other iterated lightweight ciphers.

Fan Zhang,Liang Geng,Jizhong Shen,Shivam Bhasin,Xinjie Zhao,Shize Guo

DOI: https://doi.org/10.1109/AsianHOST.2017.8353994

2017-01-01

Abstract:Recent lightweight cryptographic algorithms are vulnerable to side channel attacks (SCA), requiring a careful design of implementations. In this paper, we carefully investigate the "Low-Entropy Masking Scheme" (LEMS) on the block cipher LED in the context of resource-constrained environments. We propose an improved LEMS called "iMLED", so as to satisfy two different yet unified design goals: to maintain the entropy of the masking at one bit, meanwhile, to enhance first-order SCA-resistance against advanced SCAs such as correlation-enhanced collision attack (CCA). The security of the implementation has been evaluated based on the SASEBO-W board, which proves that iM-LED has boosted its mitigation against SCA with limited overheads.

Li Wei,Ge Chenyu,Gu Dawu,Liao Linfeng,Gao Zhiyong,Guo Zheng,Liu Ya,Liu Zhiqiang,Shi Xiujin

DOI: https://doi.org/10.7544/issn1000-1239.2017.20170437

2012-01-01

Chinese Journal of Computers

Abstract:The typical lightweight cipher LED ,proposed in CHES 2011 ,is applied in the Internet of things (IoT ) to provide security for RFID tags and smart cards etc .Fault analysis has become an important method of cryptanalysis to evaluate the security of lightweight ciphers ,depending on its fast speed ,simple implementation ,complex defense ,etc .On the basis of the half byte-oriented fault model ,we propose new statistical fault analysis on the LED cipher by inducing faults .Simulating experiment shows that our attack can recover its 64-bit and 128-bit secret keys with 99% probability using an SEI distinguisher ,a GF distinguisher and a GF-SEI distinguisher ,respectively .The attack can be implemented in the ciphertext-only attacking environment to improve the attacking efficiency and decrease the number of faults .It provides vital reference for security analysis of other lightweight ciphers in the Internet of things .

Wei Li,Vincent Rijmen,Zhi Tao,Qingju Wang,Hua Chen,Yunwen Liu,Chaoyun Li,Ya Liu

DOI: https://doi.org/10.1007/s11432-017-9209-0

2018-01-01

Abstract:With the expansion of wireless technology, vehicular ad-hoc networks (VANETs) are emerging as a promising approach for realizing smart cities and addressing many serious traffic problems, such as road safety, convenience, and efficiency. To avoid any possible rancorous attacks, employing lightweight ciphers is most effective for implementing encryption/decryption, message authentication, and digital signatures for the security of the VANETs. Light encryption device (LED) is a lightweight block cipher with two basic keysize variants: LED-64 and LED-128. Since its inception, many fault analysis techniques have focused on provoking faults in the last four rounds to derive the 64-bit and 128-bit secret keys. It is vital to investigate whether injecting faults into a prior round enables breakage of the LED. This study presents a novel impossible meet-in-the-middle fault analysis on a prior round. A detailed analysis of the expected number of faults is used to uniquely determine the secret key. It is based on the propagation of truncated differentials and is surprisingly reminiscent of the computation of the complexity of a rectangle attack. It shows that the impossible meet-in-the-middle fault analysis could successfully break the LED by fault injections.

Fan Zhang,Xinjie Zhao,Shize Guo,Tao Wang,Zhijie Shi

DOI: https://doi.org/10.1007/978-3-642-40026-1_5

2013-01-01

Abstract:This paper proposes some techniques to improve algebraic fault analysis (AFA). First, we show that building the equation set for the decryption of a cipher can accelerate the solving procedure. Second, we propose a method to represent the injected faults with algebraic equations when the accurate fault location is unknown. We take Piccolo as an example to illustrate our AFA and compare it with differential fault analysis (DFA). Only one fault injection is required to break Piccolo with the improved AFA. Finally, we extend the proposed AFA to other lightweight block ciphers, such as MIBS, LED, and DES. For the first time, the full secret key of DES can be recovered with only a single fault injection.

Xue Gong,Ao Shen,Tianxiang Feng,Guorui Xu,Shize Guo,Fan Zhang

DOI: https://doi.org/10.1016/j.vlsi.2024.102174

IF: 1.345

2024-01-01

Integration

Abstract:Cryptographic algorithms have been employed in a variety of fields as the primary method to protect information security. The security of a cryptographic algorithm is closely related to its operating environment and physical devices. Algebraic Persistent Fault Analysis (APFA) is a new fault analysis method for block ciphers proposed in CHES 2022, which utilizes the fault that persists in encryptions and introduces algebraic analysis in the fault analysis step. In the fault injection step, as the transistors of the integrated circuit are getting smaller and tighter, even high-precision devices may cause more than one fault per injection. However, more faults may lead to a more efficient attack in the fault analysis step. In this paper, APFA for double faults is proposed, which can deal with the double faults model and reduce the number of required ciphertexts. The practicality of our fault injection is validated by laser fault injection experiments on the SRAM embedded in an ATmega163L microcontroller. The effectiveness of our fault analysis is proven by successfully recovering the key of PRESENT-128 and AES-128. The number of ciphertexts needed for key recovery is reduced by 46% compared to PFA with a single fault.

Fan Zhang,Shize Guo,Xinjie Zhao,Tao Wang,Jian Yang,Francois-Xavier Standaert,Dawu Gu

DOI: https://doi.org/10.1109/tifs.2016.2516905

2019-01-01

Abstract:Algebraic fault analysis (AFA), which combines algebraic cryptanalysis with fault attacks, has represented serious threats to the security of lightweight block ciphers. Inspired by an earlier framework for the analysis of side-channel attacks presented at EUROCRYPT 2009, a new generic framework is proposed to analyze and evaluate algebraic fault attacks on lightweight block ciphers. We interpret AFA at three levels: 1) the target; 2) the adversary; and 3) the evaluator. We describe the capability of an adversary in four parts: 1) the fault injector; 2) the fault model describer; 3) the cipher describer; and 4) the machine solver. A formal fault model is provided to cover most of current fault attacks. Different strategies of building optimal equation set are also provided to accelerate the solving process. At the evaluator level, we consider the approximate information metric and the actual security metric. These metrics can be used to guide adversaries, cipher designers, and industrial engineers. To verify the feasibility of the proposed framework, we make a comprehensive study of AFA on an ultra-lightweight block cipher called LBlock. Three scenarios are exploited, which include injecting a fault to encryption, to key scheduling, or modifying the round number or counter. Our best results show that a single fault injection is enough to recover the master key of LBlock within the affordable complexity in each scenario. To verify the generic feature of the proposed framework, we apply AFA to three other block ciphers, i.e., Data Encryption Standard, PRESENT, and Twofish. The results demonstrate that our framework can be used for different ciphers with different structures.

Fan Zhang,Xinjie Zhao,Wei He,Shivam Bhasin,Shize Guo

DOI: https://doi.org/10.1007/s11432-016-0233-0

2017-01-01

Science China Information Sciences

Abstract:>Fault analysis is a very powerful technique to break cryptographic implementations.In particular,bitlevel fault analysis(BLFA),where faults are injected by flipping one or a few isolated bits,are among the most efficient of the lot.BLFA requires both precise fault injection capabilities and sophisticated key extraction skills.Algebraic fault analysis(AFA)[1]is a good analysis technique for BLFA.Compared with differential fault analysis(DFA),AFA relies on the automation from machine solvers.Since it fully utilizes the leakages

Fan Zhang,Xiaofei Dong,Xinjie Zhao,Yidi Wang,Samiya Qureshi,Yiran Zhang,Xiaoxuan Lou,Yongkang Tang

DOI: https://doi.org/10.1109/MASS.2018.00056

2018-01-01

Abstract:This paper proposed an advanced round modification fault analysis (RMFA) at the theoretical level on AEGIS-128, which is one of seven finalists in CAESAR competition. First, we clarify our assumptions and simplifications on the attack model, focusing on the encryption security. Then, we emphasize the difficulty of applying vanilla RMFA to AEGIS-128 in the practical case. Finally we demonstrate our advanced fault analysis on AEGIS-128 using machine-solver based algebraic techniques. Our enhancement can be used to conquer the practical scenario which is difficult for vanilla RMFA. Simulation results show that when the fault is injected to the initialization phase and the number of rounds is reduced to one, two samples of injections can extract the whole 128 key bits within less than two hours. This work can also be extended to other versions such as AEGIS-256.

Hao Chen,Tao Wang,Shize Guo,Xinjie Zhao,Fan Zhang,Jian Liu

DOI: https://doi.org/10.1587/transfun.E100.A.811

2017-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:The differential fault analysis of SOSEMNAUK was presented in Africacrypt in 2011. In this paper, we improve previous work with algebraic techniques which can result in a considerable reduction not only in the number of fault injections but also in time complexity. First, we propose an enhanced method to determine the fault position with a success rate up to 990'o based on the single-word fault model. Then, instead of following the design of SOSEMANUK at word levels, we view SOSEMANUK at bit levels during the fault analysis and calculate most components of SOSEMANUK as bit-oriented. We show how to build algebraic equations for SOSEMANUK and how to represent the injected faults in bit-level. Finally, an SAT solver is exploited to solve the combined equations to recover the secret inner state. The results of simulations on a PC show that the full 384 bits initial inner state of SOSEMANUK can be recovered with only 15 fault injections in 3.97h.

Yun-fei MA,Tao WANG,Hao CHEN,Fan ZHANG,Xiao-xuan LOU,Lu-min XU,Wen-bing YANG

DOI: https://doi.org/10.3785/j.issn.1008-973X.2017.09.011

2017-01-01

Abstract:A fault-cube method was given aiming at the special property of And operation (&) in SIMON and the problem in previous cube attack and fault attack.The round-candidates for fault injection were identified according to the number of linear and quadratic equations.Positions for fault injection were determined by using a difference-characteristics table.Some round-keys were recovered by extracting low-degree equations during the off-line phase.Then,the entire round-keys were obtained with combination of guess-and-determine attack.The experimental results show that the attack on SIMON32/64 needs 69 fault injections on average and requires a compute complexity of 247.91,which is better than the previous cube attack.Compared to differential fault attack,the fault-cube method is more effective in determining fault positions.Moreover,using the fault model is easier to realize and the attack process is of high automation.The fault-cube method will provide some ideas on other lightweight block ciphers with low-degree core operations as well.

Ivica Nikolic,Lei Wang,Shuang Wu

DOI: https://doi.org/10.1007/978-3-662-43933-3_7

2013-01-01

Abstract:In this paper we present known-plaintext single-key and chosen-key attacks on round-reduced LED-64 and LED-128. We show that with an application of the recently proposed slidex attacks [5], one immediately improves the complexity of the previous single-key 4-step attack on LED-128. Further, we explore the possibility of multicollisions and show single-key attacks on 6 steps of LED-128. A generalization of our multicollision attack leads to the statement that no 6-round cipher with two subkeys that alternate, or 2-round cipher with linearly dependent subkeys, is secure in the single-key model. Next, we exploit the possibility of finding pairs of inputs that follow a certain differential rather than a differential characteristic, and obtain chosen-key differential distinguishers for 5-step LED-64, as well as 8-step and 9-step LED-128. We provide examples of inputs that follow the 8-step differential, i.e. we are able to practically confirm our results on 2/3 of the steps of LED-128. We introduce a new type of chosen-key differential distinguisher, called random-difference distinguisher, and successfully penetrate 10 of the total 12 steps of LED-128. We show that this type of attack is generic in the chosen-key model, and can be applied to any 10-round cipher with two alternating subkeys.

Nan Liao,Xiaoxin Cui,Kai Liao,Tian Wang,Dunshan Yu,Xiaole Cui

DOI: https://doi.org/10.1007/s11432-016-0071-7

2016-01-01

Science China Information Sciences

Abstract:Differential fault analysis(DFA) aiming at the advanced encryption standard(AES) hardware implementations has become a widely research topic. Unlike theoretical model, in real attack scenarios, popular and practical fault injection methods like supply voltage variation will introduce faults with random locations,unknown values and multibyte. For analyzing this kind of faults, the previous fault model needed six pairs of correct and faulty ciphertexts to recover the secret round-key. In this paper, on the premise of accuracy, a more efficient DFA attack with unknown and random faults is proposed. We introduce the concept of theoretical candidate number in the fault analysis. Based on this concept, the correct round-key can be identified in advance, so the proposed attack method can always use the least pairs of correct and faulty ciphertexts to accomplish the DFA attacks. To further support our opinion, random fault attacks based on voltage violation were taken on an FPGA board. Experiment results showed that about 97.3% of the attacks can be completed within 3 pairs of correct and faulty ciphertexts. Moreover, on average only 2.17 pairs of correct and faulty ciphertexts were needed to find out the correct round-key, showing significant advantage of efficiency compared with previous fault models. On the other hand, less amount of computation in the analyses can be realized with a high probability with our model, which also effectively improves the time efficiency in DFA attacks with unknown and random faults.

Qingyuan Yu,Xiaoyang Dong,Lingyue Qin,Yongze Kang,Keting Jia,Xiaoyun Wang,Guoyan Zhang

DOI: https://doi.org/10.46586/tches.v2023.i4.1-31

2023-01-01

IACR Transactions on Cryptographic Hardware and Embedded Systems

Abstract:Fault analysis is a powerful technique to retrieve secret keys by exploiting side-channel information. Differential fault analysis (DFA) is one of the most powerful threats utilizing differential information between correct and faulty ciphertexts and can recover keys for symmetric-key cryptosystems efficiently. Since DFA usually targets the first or last few rounds of the block ciphers, some countermeasures against DFA only protect the first and last few rounds for efficiency. Therefore, to explore how many rounds DFA can affect is very important to make sure how many rounds to protect in practice. At CHES 2011, Derbez et al. proposed an improved DFA on AES based on MitM approach, which covers one more round than previous DFAs. To perform good (or optimal) MitM DFA on block ciphers, the good (or optimal) attack configurations should be identified, such as the location where the faults inject, the matching point with differential relationship, and the two independent computation paths where two independent subsets of the key are involved. In this paper, we formulate the essential ideas of the construction of the attack, and translate the problem of searching for the best MitM DFA into optimization problems under constraints in Mixed-Integer-Linear-Programming (MILP) models. With the models, we achieve more powerful and practical DFA attacks on SKINNY, CRAFT, QARMA, PRINCE, PRINCEv2, and MIDORI with faults injected in 1 to 9 earlier rounds than the best previous DFAs.

Xinjie Zhao,Shize Guo,Tao Wang,Fan Zhang,Zhijie Shi

DOI: https://doi.org/10.1007/s11859-012-0875-7

2012-01-01

Abstract:This article proposes an enhanced differential fault analysis (DFA) method named as fault-propagation pattern-based DFA (FPP-DFA). The main idea of FPP-DFA is using the FPP of the ciphertext difference to predict the fault location and the fault-propagation path. It shows that FPP-DFA is very effective on SPN structure block ciphers using bitwise permutation, which is applied to two block ciphers. The first is PRESENT with the substitution-permutation sequence. With the fault model of injecting one nibble fault into the r -2nd round, on average 8 and 16 faults can reduce the key search space of PRESENT-80/128 to 2 14.7 and 2 21.1 , respectively. The second is PRINTcipher with the permutation-substitution sequence. For the first time, it shows that although the permutation of PRINTcipher is secret key dependent, FPP-DFA still works well on it. With the fault model of injecting one nibble fault into the r -2nd round, 12 and 24 effective faults can reduce the key search space of PRINTcipher-48/96 to 2 13.7 and 2 22.8 , respectively.

Wei Li,Dawu Gu,Xiaoling Xia,Ya Liu,Zhiqiang Liu

DOI: https://doi.org/10.4304/jnw.7.8.1288-1294

2012-01-01

Abstract:CLEFIA is an efficient lightweight cipher that delivers advanced copyright protection and authentication in computer networks. It is also applied in the secure protocol for transmission including SSL and TLS. Since it was proposed in 2007, some work about its security against differential fault analysis has been devoted to reducing the number of faults and to improving the time complexity of this attack. This attack is very efficient when a single fault is injected into the last several rounds of the CLEFIA, and it allows to recover the whole secret key. Thus, it is an open question whether detecting the faults injected into the CLEFIA with low overhead of space and time tolerance. In this paper, we present a fault detection of the CLEFIA block cipher in the single-byte fault model. Our result in this study could detect the faults with negligible cost when faults are even injected into the last four rounds.

Zhang Fan,Zhao Xinjie,Guo Shize,Shen Jizhong,Huang Jing,Hu Zijie

DOI: https://doi.org/10.1109/cc.2015.7188531

2015-01-01

Abstract:PRINCE is a 64-bit lightweight block cipher with a 128-bit key published at ASIACRYPT 2012. Assuming one nibble fault is injected, previous different fault analysis (DFA) on PRINCE adopted the technique from DFA on AES and current results are different. This paper aims to make a comprehensive study of algebraic fault analysis (AFA) on PRINCE. How to build the equations for PRINCE and faults are explained. Extensive experiments are conducted. Under nibble-based fault model, AFA with three or four fault injections can succeed within 300 seconds with a very high probability. Under other fault models such as byte-based, half word-based, word-based fault models, the faults become overlapped in the last round and previous DFAs are difficult to work. Our results show that AFA can still succeed to recover the full master key. To evaluate security of PRINCE against fault attacks, we utilize AFA to calculate the reduced entropy of the secret key for given amount of fault injections. The results can interpret and compare the efficiency of previous work. Under nibble-based fault model, the master key of PRINCE can be reduced to 2 9.69 and 2 36.10 with 3 and 2 fault injections on average, respectively.