Yun-fei MA,Tao WANG,Hao CHEN,Fan ZHANG,Xiao-xuan LOU,Lu-min XU,Wen-bing YANG

DOI: https://doi.org/10.3785/j.issn.1008-973X.2017.09.011

2017-01-01

Abstract:A fault-cube method was given aiming at the special property of And operation (&) in SIMON and the problem in previous cube attack and fault attack.The round-candidates for fault injection were identified according to the number of linear and quadratic equations.Positions for fault injection were determined by using a difference-characteristics table.Some round-keys were recovered by extracting low-degree equations during the off-line phase.Then,the entire round-keys were obtained with combination of guess-and-determine attack.The experimental results show that the attack on SIMON32/64 needs 69 fault injections on average and requires a compute complexity of 247.91,which is better than the previous cube attack.Compared to differential fault attack,the fault-cube method is more effective in determining fault positions.Moreover,using the fault model is easier to realize and the attack process is of high automation.The fault-cube method will provide some ideas on other lightweight block ciphers with low-degree core operations as well.

Shivam Bhasin,Jingyu Pan,Fan Zhang

2018-01-01

Abstract:This works gives an overview of persistent fault attacks on block ciphers, a recently introduced fault analysis technique based on persistent faults. The fault typically targets stored constant of cryptographic algorithms over several encryption calls with a single injection. The underlying analysis technique statistically recovers the secret key and is capable of defeating several popular countermeasures by design.

Guangyao ZHAO,Lei CHENG,Ruilin LI,Chao LI,Bing SUN

DOI: https://doi.org/10.11887/j.cn.201506024

2015-01-01

Abstract:PUFFIN is a lightweight block cipher,in which the block length is 64 bit while the key size is 128 bit.The integral cryptanalysis resistance ability of PUFFIN was analyzed.The existence of 5 and 6 round integral distinguisher in PUFFIN was constructed and proved.An integral attack on 8 round PUFFIN was mounted by 6 round integral distinguisher to recover 2 round 100 bit round cipher.The data complexity of the attack is 220 chosen plaintexts,the time complexity is about 233 8 round encryptions,and the space complexity is 220 .This has been the best integral attack on PUFFIN up to now.

Xinjie Zhao,Shize Guo,Tao Wang,Fan Zhang,Zhijie Shi

DOI: https://doi.org/10.1007/s11859-012-0875-7

2012-01-01

Abstract:This article proposes an enhanced differential fault analysis (DFA) method named as fault-propagation pattern-based DFA (FPP-DFA). The main idea of FPP-DFA is using the FPP of the ciphertext difference to predict the fault location and the fault-propagation path. It shows that FPP-DFA is very effective on SPN structure block ciphers using bitwise permutation, which is applied to two block ciphers. The first is PRESENT with the substitution-permutation sequence. With the fault model of injecting one nibble fault into the r -2nd round, on average 8 and 16 faults can reduce the key search space of PRESENT-80/128 to 2 14.7 and 2 21.1 , respectively. The second is PRINTcipher with the permutation-substitution sequence. For the first time, it shows that although the permutation of PRINTcipher is secret key dependent, FPP-DFA still works well on it. With the fault model of injecting one nibble fault into the r -2nd round, 12 and 24 effective faults can reduce the key search space of PRINTcipher-48/96 to 2 13.7 and 2 22.8 , respectively.

Dawu Gu,Juanru Li,Sheng Li,Zhouqian Ma,Zheng Guo,Junrong Liu

DOI: https://doi.org/10.1109/fdtc.2012.16

2012-01-01

Abstract:Differential fault analysis is one of the most efficient side channel attack techniques that threat the security of block cipher. However, it often requires a penultimate or an antepenultimate round faulty encryption and is not suitable for middle round fault. This paper presents attacks combining differential fault analysis with statistical cryptanalysis techniques against lightweight ciphers. The analysis makes use of statistical cryptanalysis techniques in practice rather than theoretically, and exploits the weakness of bit-permutation adopted by many lightweight block ciphers under fault attack. Specific attacks against PRESENT and PRINT\scriptsize{CIPHER} \normalsize are given to prove the validity. The result shows that about one fifth of the iterative rounds are needed to be protected for these lightweight ciphers with bit-permutation.

Yue-chuan WEI,Bing SUN,Chao LI

DOI: https://doi.org/10.3969/j.issn.1001-2486.2010.03.026

2010-01-01

Abstract:PUFFIN is a block cipher with 64-bit block size and 128-bit key size. For evaluating its security, the balance at bit-level was analyzed. A 5-round integral distinguisher was constructed and then extended to a 6-round one based on the theory of higher order integral. By using the 6-round distinguisher, 8-round attack was performed. For 8-round attack, the data complexity, time complexity and space complexity were, and respectively. The result shows that PUFFIN reduced to 8 rounds is not immune to the integral attack. Besides, the cipher with SPN-structure and permutation-linear layer which at least has 3-round integral distinguisher is proved. The result also indicates the method for finding the distinguisher.

Xue Gong,Fan Zhang,Xinjie Zhao,Jie Xiao,Shize Guo

DOI: https://doi.org/10.1109/tifs.2024.3495234

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Persistent Fault Analysis (PFA) is a powerful analysis technique proposed in CHES 2018, which utilizes those faults that are injected before execution and persist throughout the encryption. However, when it is applied to the block cipher which has multiple S-boxes, the key can not be recovered in just one attack. The adversary has to conduct the fault attack several times and inject faults into all the distinct S-boxes. In this paper, we propose Key Schedule Guided Persistent Fault Attack (KGPFA), which utilizes the key schedule to guide the fault injection and fault analysis. By analyzing the key schedule, KGPFA exploits the relations between the key leakages caused by the same faulty S-box in various rounds. It can reduce the number of attacks and the number of faults required to recover the key. Our major contributions are twofold. Firstly, in the fault injection step, we provide Key Schedule Guided Persistent Fault Injection (KGPFI) strategies to reduce the number of attacks and the number of faults under the assumption of both ciphertext-only and known-plaintext attacks. Secondly, in the fault analysis step, as our target ciphers are Feistel-based, we propose the Ineffective Algebraic Persistent Fault Analysis (IAPFA) to extend the usage of Algebraic Persistent Fault Analysis (APFA) in the ineffective persistent fault setting. To demonstrate the effectiveness of our technique, we apply KGPFA to four widely used block ciphers with multiple S-boxes, DES, 3DES, LBlock, and Camellia. In our experiment, in the ciphertext-only attack, the key of DES can be recovered with 300 ineffective ciphertexts (coresponding to 827 ciphertexts) and four faulty S-boxes within 12.18min. Under the assumption of known-plaintext, the key of DES is recovered within two faulty S-boxes in 2.34h. For LBlock, the key is recovered with two faulty S-boxes and 100 ineffective ciphertexts (coresponding to 6211 ciphertexts) in 1.16min.

Yang Gao,Yongjuan Wang,Qingjun Yuan,Tao Wang,Xiangbin Wang,Lulu Guo

DOI: https://doi.org/10.1109/iaeac.2018.8577744

2018-01-01

Abstract:A new method of differential fault attack was proposed, which is based on the nibble-group differential diffusion property of the lightweight block cipher LBlock. Theoretical proof and experimental results both show that six fault injections in last three rounds are needed to recover the main key. On the basis of the statistical regularity of the S-box differential distribution, the probability of recovering round key was calculated. Then the expectation of number of fault injections when recovering main key $K$ can be estimated, which is 8.35. Finally, experimental data verifies the correctness of the theoretical model.

Fan Zhang,Xinjie Zhao,Wei He,Shivam Bhasin,Shize Guo

DOI: https://doi.org/10.1007/s11432-016-0233-0

2017-01-01

Science China Information Sciences

Abstract:>Fault analysis is a very powerful technique to break cryptographic implementations.In particular,bitlevel fault analysis(BLFA),where faults are injected by flipping one or a few isolated bits,are among the most efficient of the lot.BLFA requires both precise fault injection capabilities and sophisticated key extraction skills.Algebraic fault analysis(AFA)[1]is a good analysis technique for BLFA.Compared with differential fault analysis(DFA),AFA relies on the automation from machine solvers.Since it fully utilizes the leakages

Xue Gong,Ao Shen,Tianxiang Feng,Guorui Xu,Shize Guo,Fan Zhang

DOI: https://doi.org/10.1016/j.vlsi.2024.102174

IF: 1.345

2024-01-01

Integration

Abstract:Cryptographic algorithms have been employed in a variety of fields as the primary method to protect information security. The security of a cryptographic algorithm is closely related to its operating environment and physical devices. Algebraic Persistent Fault Analysis (APFA) is a new fault analysis method for block ciphers proposed in CHES 2022, which utilizes the fault that persists in encryptions and introduces algebraic analysis in the fault analysis step. In the fault injection step, as the transistors of the integrated circuit are getting smaller and tighter, even high-precision devices may cause more than one fault per injection. However, more faults may lead to a more efficient attack in the fault analysis step. In this paper, APFA for double faults is proposed, which can deal with the double faults model and reduce the number of required ciphertexts. The practicality of our fault injection is validated by laser fault injection experiments on the SRAM embedded in an ATmega163L microcontroller. The effectiveness of our fault analysis is proven by successfully recovering the key of PRESENT-128 and AES-128. The number of ciphertexts needed for key recovery is reduced by 46% compared to PFA with a single fault.

Shan Fu,Guoai Xu,Juan Pan,Zongyue Wang,An Wang

DOI: https://doi.org/10.1145/2967610

2016-01-01

ACM Transactions on Embedded Computing Systems

Abstract:Differential Fault Attack (DFA) is a powerful cryptanalytic technique to retrieve secret keys by exploiting the faulty ciphertexts generated during encryption procedure. This article proposes a novel DFA attack that is effective on ITUbee, a software-oriented block cipher for resource-constrained devices. Different from other DFA, our attack makes use of not only faulty values, but also differences between fault-free intermediate values corresponding to 2 plaintexts, which combine traditional differential analysis with DFA. The possible injection positions with different number of faults are discussed. The most efficient attack takes 225 round function operations with 4 faults, which is achieved in a few seconds on a PC.

DeWei Wang,ZhenHui Zhang,LiJi Wu,XiangMin Zhang

DOI: https://doi.org/10.1109/icasid.2018.8693234

2018-01-01

Abstract:With the development of the Internet of Things (IoT), the application of micro-computing strips,such as RFID chips and wireless sensor networks,has become more and more widespread, bringing great convenience to people's lives. At the same time, how to ensure the security of information has attracted more and more attention. Because of the limited resources of micro-computing devices, lightweight block cipher algorithms that pursue efficiency and ensure security have emerged. The paper proposes to modify the lightweight PUFFIN algorithm in the forwarding engine switch to solve the problem of information security in the switch. The hardware circuit design of the algorithm is optimized, and each module is compiled and implemented. The serial and parallel combination is adopted in the overall implementation of the algorithm, and the simulation is successfully implemented by ModelSim software. The pipeline delay of the de-synchronization plus descrambling module is 8 TCLKs, and the data throughput rate is 100Gbps when entering the pipeline input.

Yang GAO,Yong-juan WANG,Lei WANG,Tao WANG

2017-01-01

Abstract:A new method of differential fault attack was proposed,which was based on the nibble-group differential diffusion property of the lightweight block cipher TWINE.On the basis of the statistical regularity of the S-box differential distribution,the lower bound of the probability of recovering round key was calculated.Then expectation of number of fault injections when restoring seed key can be estimated.Theoretical proof and experimental results both show that an average of nine times of fault injections in 33,34 and 35 rounds bring about the seed key recovered completely.Finally,the improvement of the fault injection location was proposed,which enhances the feasibility of the genuine attack.

Yang Gao,Yongjuan Wang,Qingjun Yuan,Tao Wang,Xiangbin Wang

DOI: https://doi.org/10.1007/978-3-030-24265-7_47

2019-01-01

Abstract:In this paper, we focus on differential fault attack on lightweight block ciphers with GFN (Generalized Feistel Networks) structure. With regard to fault injection model and differential equations solving, two improved DFA (Differential Fault Analysis) methods are proposed. Based on this, we present the improved attack process which aims at applying lightweight block ciphers with GFN structure. We conduct 10000 DFA experiments on TWINE and LBlock. Result shows that it only takes 9.18 and 8.42 faults on average to recover the main key K respectively. Moreover, time and space complexity are both negligible.

Wei Li,Dawu Gu,Zhiqiang Liu,Ya Liu,Xiaohu Huang

DOI: https://doi.org/10.1007/978-3-642-32298-3_7

2011-01-01

Abstract:Since the early work of Biham and Shamir on differential fault attack against block ciphers at CRYPTO 1997, much work has been devoted to reducing the number of faults and to improving the time complexity of this attack. This attack is very efficient when a single fault is injected on the last several rounds, and it allows to recover the whole secret key. Thus, it is an open question whether detecting the faults injected into a block cipher against this attack with low overhead of space and time tolerance. The MacGuffin cipher, a representative of the Unbalanced Feistel Network(UFN) structure, is vulnerable to fault attack at the last four rounds. In this paper, we give an answer to this problem by presenting a fault detection of the MacGuffin block cipher. Our result in this study could detect the faults with negligible cost when faults are injected into the last four rounds.

Fan Zhang,Shize Guo,Xinjie Zhao,Tao Wang,Jian Yang,Francois-Xavier Standaert,Dawu Gu

DOI: https://doi.org/10.1109/tifs.2016.2516905

2019-01-01

Abstract:Algebraic fault analysis (AFA), which combines algebraic cryptanalysis with fault attacks, has represented serious threats to the security of lightweight block ciphers. Inspired by an earlier framework for the analysis of side-channel attacks presented at EUROCRYPT 2009, a new generic framework is proposed to analyze and evaluate algebraic fault attacks on lightweight block ciphers. We interpret AFA at three levels: 1) the target; 2) the adversary; and 3) the evaluator. We describe the capability of an adversary in four parts: 1) the fault injector; 2) the fault model describer; 3) the cipher describer; and 4) the machine solver. A formal fault model is provided to cover most of current fault attacks. Different strategies of building optimal equation set are also provided to accelerate the solving process. At the evaluator level, we consider the approximate information metric and the actual security metric. These metrics can be used to guide adversaries, cipher designers, and industrial engineers. To verify the feasibility of the proposed framework, we make a comprehensive study of AFA on an ultra-lightweight block cipher called LBlock. Three scenarios are exploited, which include injecting a fault to encryption, to key scheduling, or modifying the round number or counter. Our best results show that a single fault injection is enough to recover the master key of LBlock within the affordable complexity in each scenario. To verify the generic feature of the proposed framework, we apply AFA to three other block ciphers, i.e., Data Encryption Standard, PRESENT, and Twofish. The results demonstrate that our framework can be used for different ciphers with different structures.

Hao Chen,Tao Wang,Fan Zhang,Xinjie Zhao,Wei He,Lumin Xu,Yunfei Ma

DOI: https://doi.org/10.1155/2017/8051728

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:HIGHT is a lightweight block cipher which has been adopted as a standard block cipher. In this paper, we present a bit-level algebraic fault analysis (AFA) of HIGHT, where the faults are perturbed by a stealthy HT. The fault model in our attack assumes that the adversary is able to insert a HT that flips a specific bit of a certain intermediate word of the cipher once the HT is activated. The HT is realized by merely 4 registers and with an extremely low activation rate of about 0.000025. We show that the optimal location for inserting the designed HT can be efficiently determined by AFA in advance. Finally, a method is proposed to represent the cipher and the injected faults with a merged set of algebraic equations and the master key can be recovered by solving the merged equation system with an SAT solver. Our attack, which fully recovers the secret master key of the cipher in 12572.26 seconds, requires three times of activation on the designed HT. To the best of our knowledge, this is the first Trojan attack on HIGHT.

Liang Dong,Hongxin Zhang,Lei Zhu,Shaofei Sun,Han Gan,Fan Zhang

DOI: https://doi.org/10.1109/access.2019.2901753

IF: 3.9

2019-01-01

IEEE Access

Abstract:This paper presents an optimal method for recovering the secret keys of the light encryption device (LED) by combining the impossible differential fault attack with the algebraic differential fault attack. The proposed optimal method effectively improves the performance of fault attacks. A fault attack model, named the redundant random nibble fault model (RRNFM), is proposed to simulate a multiple fault injection in a real-world environment. Using the optimal method and the RRNFM, the 64-bit secret key of LED can be recovered by injecting no more than six faults in 1300 experiments. We establish an equation of inverse proportionality between the number of faults injected and the remaining amount of the secret key. Using the equation, the number of fault injection can be accurately predicted, providing an effective way of evaluating fault attacks.

Haiyan Xiao,Lifang Wang,Jinyong Chang

DOI: https://doi.org/10.1186/s42400-022-00130-z

2022-01-01

Abstract:Feather weight(FeW)cipher is a lightweight block cipher proposed by Kumar et al.in 2019,which takes 64 bits plaintext as input and produces 64 bits ciphertext.As Kumar et al.said,FeW is a software oriented design with the aim of achieving high efficiency in software based environments.It seems that FeW is immune to many cryptographic attacks,like linear,impossible differential,differential and zero correlation attacks.However,in recent work,Xie et al.reassessed the security of FeW.More precisely,they proved that under the differential fault analysis(DFA)on the encryption states,an attacker can completely recover the master secret key.In this paper,we revisit the block cipher FeW and consider the DFA on its key schedule algorithm,which is rather popular cryptanalysis for kinds of block ciphers.In particular,by respectively injected faults into the 30th and 29th round subkeys,one can recover about 55/80 ≈ 69％bits of master key.Then the brute force searching remaining bits,one can obtain the full master secret key.The simulations and experiment results show that our analysis is practical.

Zhang Fan,Zhao Xinjie,Guo Shize,Shen Jizhong,Huang Jing,Hu Zijie

DOI: https://doi.org/10.1109/cc.2015.7188531

2015-01-01

Abstract:PRINCE is a 64-bit lightweight block cipher with a 128-bit key published at ASIACRYPT 2012. Assuming one nibble fault is injected, previous different fault analysis (DFA) on PRINCE adopted the technique from DFA on AES and current results are different. This paper aims to make a comprehensive study of algebraic fault analysis (AFA) on PRINCE. How to build the equations for PRINCE and faults are explained. Extensive experiments are conducted. Under nibble-based fault model, AFA with three or four fault injections can succeed within 300 seconds with a very high probability. Under other fault models such as byte-based, half word-based, word-based fault models, the faults become overlapped in the last round and previous DFAs are difficult to work. Our results show that AFA can still succeed to recover the full master key. To evaluate security of PRINCE against fault attacks, we utilize AFA to calculate the reduced entropy of the secret key for given amount of fault injections. The results can interpret and compare the efficiency of previous work. Under nibble-based fault model, the master key of PRINCE can be reduced to 2 9.69 and 2 36.10 with 3 and 2 fault injections on average, respectively.