5348fc4
committed
Commits
Comments (0)
Files changed (6)

+5 399FDTC2012/main.tex

+201 0FDTC2012/sec_attack.tex

+23 0FDTC2012/sec_conl.tex

+64 0FDTC2012/sec_intro.tex

+123 0FDTC2012/sec_pre.tex

+26 17FDTC2012/title.tex
FDTC2012/main.tex
Fault analysis is a kind of sidechannel attack that seriously threats the security of cryptographic devices in real world.
When an encryption is executed under faulty condition, error occurs on intermediate states so the normal output changes to a \emph{faulty output}.
Among them, Differential Fault Analysis(DFA) \cite{biham1997differential} is the most well studied.
The relationship between the common output and the specific faulty output provides extra information.
Various of DFA methods have been developed against blockciphers include the AES\cite{piret2003differential}\cite{derbez2011meet},
Camellia and ARIA. Some of them have already reached the information limitation that the fault model could provide\cite{li2010information}.
Most of the DFA target to antepenultimate or penultimate round and take an impossibleandeliminate method to exclude wrong key candidates.
That is to say, it relies on the property that on a subset of the last round(e.g., one or two bytes), the input differential only contains a subset of all possible values.
The attacker uses this restriction to solve some differential equation and excludes wrong key candidates.
If the fault is in an earlier round and therefore the subset of the last round's input differential covers all possible values then the DFA technique is not suitable.
If the fault attack could take advantage of the statistical analysis technique, it is expected to exploit more information leakage.
In 2006, Phan and Yen proposed an amplified sidechannel attack enhanced by traditional cryptanalysis techniques\cite{phan2006amplifying}.
Inspired by their work, in this paper we adopt the idea of statistical and impossible differential cryptanalysis to enhance fault analysis of lightweight blockcipher.
We propose fault analysis of the lightweight SPN blockcipher with bitpermutation and presents specific fault attacks against PRESENT80 and PRINT\scriptsize{CIPHER} \normalsize48.
The research of fault attack against lightweight blockciphers such as PRESENT\cite{bogdanov2007present} and PRINT\scriptsize{CIPHER} \normalsize \cite{knudsen2010printcipher} are reported recent years.
In 2009, Li et al. first proposed a DFA on PRESENT80 \cite{juan2009present} which needs 4050 pairs of faulty ciphertexts occurred at round 29.
which needs a single nibble fault on the round key and can recover the secret key with 64 pairs of correct and faulty ciphertexts on average and the computational complexity is $2^{29}$.
In 2011, Zhao, et al.\cite{zhao2011fault} proposed fault attacks against PRESENT and PRINT\scriptsize{CIPHER} \normalsize.
To the best of our knowledge, no fault attacks on earlier rounds are proposed and these attacks generally adopted one nibble error model.
the fault propagation process is slow and after many rounds, and it is available to employ fault attack to construct an effective distinguisher.
This fault based distinguisher helps attacker determine key with high probability and low data complexity.
%then we analyze the transformation of the original nonuniform distribution after iterative round function and give the probability estimating method.
Based on the distinguishers, we can retrieve round key and estimate which rounds are vulnerable to fault attack.
In Section~\ref{prelimi} we briefly review the structure of PRESENT and PRINT\scriptsize{CIPHER} \normalsize, the common fault injection technique and fault model.
Then we present two practical attacks against PRESENT80 and PRINT\scriptsize{CIPHER} \normalsize48.
PRESENT is a lightweight block cipher designed by Bogdanov et al. in 2007 for extremely constrained environments such as RFID tags and sensor networks.
PRINT\scriptsize{CIPHER} \normalsize is an ultralightweight blockcipher proposed by L.Knudsen et al. in 2010.
The encryption process of PRINT\scriptsize{CIPHER} \normalsize is described in Algorithm~\ref{print_algo}.
For more information about PRINT\scriptsize{CIPHER} \normalsize, readers may refer to \cite{knudsen2010printcipher}
Lightweight blockciphers are used in cryptographic devices such as smart cards and RFID tags in real world.
Previous research shows that certain round of the encryption could be affected when clock faults occur,
and devices such as FPGA using a DLLbased FPGA platform is vulnerable to fault attack\cite{agoyan2010clocks}.
Under the fault attack, it is a reasonable assumption that a cryptographic device with fixed secret key is controlled by an attacker.
The attacker could ask the device to encrypt(or even decrypt) arbitrary plaintext(or even ciphertext).
the attacker deliberately interferes the normal encryption by changing the power supply voltage or the frequency of the external clock,
In \cite{agoyan2010clocks}, Agoyan et al. demonstrated how to inject single bit fault in a reproducible way,
despite the optical precision of the equipment was not able to target the smallest features of the target chip.
However, fault attack is more or less harmful to devices, and due to most popular devices' lifetime(for instance, a sim card is able to do the encryption for at most 5000060000 times),
What's more, although fault attack may affect the certain round, it is often hard for the attacker to know which parts of the internal state are changed.
The most possible situation is that one Sbox or small number of Sboxes of one round are affected and the fault is random.
Another situation is that in a parallel $n$ different Sboxes, one of them is most vulnerable to unstable circumstance such as low voltage.
Our attack considers two fault models: \emph{Single Random Sbox}, and \emph{Multi Sboxes} fault model.
We can recover the secret key within the faults injected after a specific rounds depending on the fault model used.
%This model requires one fixed Sbox of a certain round are repeatedly and randomly disturbed thus produces a set of different faulty outputs.
 The input of \textbf{one} Sbox in a certain round is switched to a random and uniformly distributed value due to the fault injection.
 For a pair of correct ciphertext and its corresponding faulty ciphertext, they are encrypted from the same plaintext and the same key.
 Multiple pairs of correct and faulty ciphertexts (may from different plaintext) provided to attacker are encrypted by the same key.
 The input of \textbf{multiple} Sboxes in a certain round are switched to random and uniformly distributed values due to the fault injection.
 For a pair of correct ciphertext and its corresponding faulty ciphertext, they are encrypted from the same plaintext and the same key.
 Multiple pairs of correct and faulty ciphertexts (may from different plaintext) provided to attacker are encrypted by the same key.
First, Lightweight blockciphers would generally have smaller Sboxes and more iterative rounds to enhance the security for the lack of complicated round function.
The fast encryption speed of device makes fault injection hard to locate accurate rounds or certain Sbox, especially for fault attack focusing on last one or two rounds or requiring single Sbox error model.
Second, due to the device's lifetime, attackers may not acquire enough amount of faulty ciphertext.
Thus to take advantage of multiple Sboxes fault and earlier round fault is meaningful for fault analysis.
a popular design methodology of bitpermutation is adopted because it is simple and easy to be implemented.
The basic idea of our fault attack is to acquire an effective distinguisher based on fault injection and employ distinguishing attack.
We found single random Sbox fault model and multi Sboxes fault model are both suitable for attacking.
it takes several rounds for a single Sbox fault differential to be diffused and yet change the output "randomly".
If the fault is not well diffused due to the lack of enough round encryption, the differential distribution is nonuniform
The distinguisher is based on the fact that the differential distribution is significantly different from uniform.
The faultbased distinguisher, compared with traditional distinguisher, has following restrictions:
 According to the fault model, the input is coarse grained. Attackers could not precisely control the internal state.
 The amount of available output is limited. Unlike theoretical model, an attacker could not do the encryption unlimited. The allowed number of encryption is restricted by devices' lifetime.
 Analysis is complex. To precisely describe the probability of the distinguisher model is hard. In this paper, we adopt a simulationbased technique to avoid probability calculation of the distinguisher.
According to the {\it Wrong Key Randomisation Hypothesis}, the attacker guesses part of the ultimate round(or plus penultimate round) key and partially decrypt the ciphertext.
The incorrect key decryption is expected to have the same affect of encrypting one more round. That is to say, the partially decrypted distribution should be a uniform one.
If the guessed key is correct, the distance between partially decrypted distribution and the uniform distribution could be a well distinguisher.
This attack is effective to the blockcipher with the bitpermutation rather than byteoriented permutation.
%Because even the fault on a single Sbox is random, the bitpermutation make this randomness weak by diffuse each bit to different Sboxes.
%even if the input of an Sbox is random, after one round of permutation, $l$ Sboxes are to be affected according to Sbox's bit number $l$,
%This nonuniform distribution may need more rounds of diffusion to become uniform again compared with byteoriented permutation design.
When we focus on the Single Random Sbox Fault Model in an mround SPN blockcipher with the common bitpermutation design, even if the input of an Sbox is random, after one round of permutation, $l$ Sboxes are to be affected according to Sbox's bit number $l$,
The Multi Sboxes Fault model shows different properties but the fault differential's nonuniform distribution still exists.
In both cases the nonuniform distribution may need more rounds of diffusion to become random again compared with byteoriented permutation design.
Our fault analysis relies on the nonuniform distribution when a single random Sbox fault transferring for several rounds.
An empirical and simple attack is to just partially decrypt the ciphertext and test the distribution of some subsets with all possible key candidates.
the attack against lightweight blockcipher generally do the partial decryption of two rounds instead of one because the partial key size is relatively small(e.g., 16 bits).
Several distinguishers like Likelihood distinguisher and Squared Euclidean Imbalance (SEI) distinguisher \cite{rivain2009differential} can be used here to select the correct key.
Consider the situation of not having exact knowledge about the fault propagation, especially for multiple Sboxes fault model and simplicity.
We just adopt SEI method which picks the guessed key achieving strongest bias to uniform distribution as the correct one.
The distinguisher $d(k)$ uses the squared Euclidean distance to the uniform distribution and is defined as:
d(k) = \sum_{\delta=0}^{2^m1}\left(\frac{\#\{n; g_{i}(C_{n},\mbox{\~{C}}_{n},k)=\delta\} }{N}\frac{1}{2^m}\right)^2
In this formula $N$ is the number of correct and faulty ciphertexts pairs, $C$ and $\mbox{\~{C}}$ are correct and faulty ciphertexts, $g_{i}$ is the fault differential for the intermediate nibbles which has biased distribution and $k$ is subkeys which are sufficient to recovery the specific $g_{i}$.
The diffusion property of PRESENT is relatively weaker because of the smaller Sbox and bit permutation.
%However, according to the design document[?], any fiveround differential characteristic of PRESENT has a minimum of 10 active Sboxes and thus the maximum differential probability is $2^{20}$.
it is hard to use small amount of faulty ciphertexts to distinguish the correct key with significant probability if the fault propagates too many rounds.
In order to verify how many rounds are not immune to the fault attack, we simulate the fault propagation from two rounds to six rounds with a reasonable 10000 random inputs.
By computing the output differential's squared Euclidean distance to the uniform distribution, we can observe the effectiveness of each round's fault injection.
The distinguishing attack relies on the fact that the squared Euclidean distance acquired from correct subkey decryption is significantly greater than those acquired with incorrect key.
First, we tested the average squared Euclidean distance using 10000 pairs of random ciphertexts and found under random circumstance, the average squared Euclidean distance is about 0.00010.0005.
Then, we do the simulation of fault injection and table~\ref{single_prs_tb} gives the simulation result of the distinguisher $d(k)$ uses the squared Euclidean distance on each nibble before penultimate round(using 10000 pairs of correct and faulty ciphertexts).
if the fault injection position is earlier than round 25, even using the correct subkey to decrypt,
That is to say, for PRESENT with 31 rounds, it is allowed to inject the fault before round 25 and then employs a two round partial decryption.
Our experiments support the simulation well. The correct key gives a significant high squared Euclidean distance value(about 0.006).
While for incorrect keys, the average squared Euclidean distance is about 0.00010.0003 and the most significant is only about 0.0006.
For a full attack process, the attacker should guess four group of each 16+4 subkey bits (16 bits from penultimate round and 4 bits from antipenultimate round)independently to find the correct key.
The attack complexity is about $4$ $\cdot$ $2^{16+4}$ $\cdot$ $10000$ $\cdot$ $2$ = $2^{36.3}$ partial decryption.
Using two IBM xServer(\emph{Intel Xeon E5420 4 core@2.5Ghz}) the attack takes about 2 hours and successfully obtain the last round subkey and four nibble of penultimate round subkey.
An interesting observation is that nibble 5, 7, 13 and 15 of PRESENT's block have farther distance from uniform than any other nibbles after fault propagation.
In other words, when employing distinguishing attack, the attacker should make use of these nibble to better distinguish correct keys.
Another observation is that if the fault injection is restricted to half of the whole block(e.g., from nibble 07 rather than 015),
An effective distinguishing attack is allowed to be employed with one round earlier fault injection(injecting the fault before round 23).
%The property is because these nibbles are only affected by 2nd and 4th bit of last round Sbox's output.
%So the leftmost bits are suitable for attacking rather than the rightmost bits with almost random distribution after 5 rounds(both in theoretical analysis and simulation).
According to the simulation, For Two, Three and Four Sboxes fault model, separately a 4+2, 3+2 and 2+2 fault propagation and partial decryption distinguishing attack could be employed.
Also, due to the observed property that nibble 5, 7, 13 and 15 of PRESENT's block could be used in 3 Sboxes fault model to employ a 4+2 fault propagation and partial decryption distinguishing attack.
And the results show that if the number of affected Sboxes increases by one, the upperbounds of the fault injection round within which we can accomplish the attack decrease by one.
we can discover that begin with less faults directly injected in the earlier round after one round function the affected Sboxes increase and this intermediate state has some similarity with the one which is produce by more faults directly injected in this later round.
Our attack is obviously not optimal because we don't have a precise knowledge of the fault model and is hence not able to estimate the precise distribution,
The attack process against PRINT\small{CIPHER}\normalsize48 is almost the same as the process against PRESENT.
A slight difference is that PRINT\scriptsize{CIPHER} \normalsize uses the keydependent permutation.
Because in the situation of PRINT\scriptsize{CIPHER} \normalsize, the distribution keeps the same on each bit even with four different secret permutation.
%The principle is that for the distinguisher is irrelevant to Sbox. Using Different Sboxes doesn't change our
For single random Sbox fault attack, a 7round fault and 2round partial decryption distinguishing attack is suggested.
That is to say, in PRINT\small{CIPHER}\normalsize48, 9 of 48 rounds are threatened by our fault attack.
For a distinguishing attack, the attacker should guess not only the subkey but also the secret keypermutation key.
One convenience is that in PRINT\scriptsize{CIPHER} \normalsize each round key is exactly the same.
The attack complexity is about $5$ $\cdot$ $2^{25}$ $\cdot$ $2^{11}$ $\cdot$ $2$ $\approx$ $2^{39}$ partial decryption.
For two and three random Sbox fault attacks, separately a 6+2, 5+2 fault propagation and partial decryption distinguishing attack could be employed.
if the number of affected Sboxes increases by one, the upperbounds of the fault injection round within which we can accomplish the attack decrease by one.
In this paper we propose differential fault analysis combining with statistical cryptanalysis technique to deal with middle round and multiple Sboxes fault injection of lightweight blockciphers.
The basic idea is that both single random Sbox fault and multiple Sboxes fault lead to an effective distinguisher which is useful for obtaining subkey.
We describe how to attack the lightweight SPN blockciphers and give two practical attacks against PRESENT80 and PRINT\scriptsize{CIPHER}\normalsize48.
The results show that our attack is powerful for exploiting vulnerability of lightweight blockciphers under the fault attack.
our analysis extends the vulnerable rounds of these lightweight blockciphers and is able to deal with multiple Sboxes fault injection.
Our attack against PRINT\scriptsize{CIPHER} \normalsize reveals that even with secret bitpermutation the weakness still exists.
We also opensourced our simulation source code and hope more analysis could be found by other researchers.
%We also released the attacking simulation source code at http://bitbucket.org/ with GIT form and hope more analysis could be found by other researchers.
FDTC2012/sec_attack.tex
+First, Lightweight block ciphers would generally have smaller Sboxes and more iterative rounds to enhance the security for the lack of complicated round function.
+The fast encryption speed of device makes fault injection hard to locate accurate rounds or certain Sbox, especially for fault attack focusing on last one or two rounds or requiring single Sbox fault model.
+Second, due to the device's lifetime, attackers may not acquire enough amount of faulty ciphertext.
+Thus to take advantage of multiple Sboxes fault and earlier round fault is meaningful for fault analysis.
+a popular design methodology of bitpermutation is adopted because it is simple and easy to be implemented.
+The basic idea of our fault attack is to acquire an effective distinguisher based on fault injection and employ distinguishing attack.
+We found single random Sbox fault model and multi Sboxes fault model are both suitable for attacking.
+it takes several rounds for a single Sbox fault differential to be diffused and yet change the output "randomly".
+the differential distribution is nonuniform \textbf{even on a subset}(e.g. a single Sbox) of the penultimate or an antepenultimate block.
+The distinguisher is based on the fact that the differential distribution is significantly different from uniform.
+The faultbased distinguisher, compared with traditional distinguisher, has following restrictions:
+ According to the fault model, the input is coarse grained. Attackers could not precisely control the internal state.
+ The amount of available output is limited. Unlike theoretical model, an attacker could not do the encryption unlimited. The allowed number of encryption is restricted by devices' lifetime.
+ Analysis is complex. To precisely describe the probability of the distinguisher model is hard. In this paper, we adopt a simulationbased technique to avoid probability calculation of the distinguisher.
+the attacker guesses part of the ultimate round(or plus penultimate round) key and partially decrypt the ciphertext.
+If the guessed key is correct, the distance between partially decrypted distribution and the uniform distribution could be a well distinguisher.
+%Because even the fault on a single Sbox is random, the bitpermutation make this randomness weak by diffuse each bit to different Sboxes.
+%even if the input of an Sbox is random, after one round of permutation, $l$ Sboxes are to be affected according to Sbox's bit number $l$,
+%This nonuniform distribution may need more rounds of diffusion to become uniform again compared with byteoriented permutation design.
+When we focus on the Single Random Sbox Fault Model in an mround SPN blockcipher with the common bitpermutation design, even if the input of an Sbox is random, after one round of permutation, $l$ Sboxes are to be affected according to Sbox's bit number $l$,
+The Multi Sboxes Fault model shows similar property and the fault differential's nonuniform distribution still exists.
+In both cases the nonuniform distribution may need more rounds of diffusion to become random again compared with byteoriented permutation design.
+Our fault analysis relies on the nonuniform distribution when a single random Sbox fault transferring for several rounds.
+An empirical and simple attack is to just partially decrypt the ciphertext and test the distribution of some subsets with all possible key candidates.
+the attack against lightweight blockcipher generally do the partial decryption of two rounds instead of one because the partial key size is relatively small(e.g., 16 bits).
+Several distinguishers like Likelihood distinguisher and Squared Euclidean Imbalance (SEI) distinguisher \cite{rivain2009differential} can be used here to select the correct key.
+Consider the situation of not having exact knowledge about the fault propagation, especially for multiple Sboxes fault model and simplicity.
+We just adopt SEI method which picks the guessed key achieving strongest bias to uniform distribution as the correct one.
+The distinguisher $d(k)$ uses the squared Euclidean distance to the uniform distribution and is defined as:
+d(k) = \sum_{\delta=0}^{2^m1}\left(\frac{\#\{n; g_{i}(C_{n},\mbox{\~{C}}_{n},k)=\delta\} }{N}\frac{1}{2^m}\right)^2
+In this formula $N$ is the number of correct and faulty ciphertexts pairs, $C$ and $\mbox{\~{C}}$ are correct and faulty ciphertexts, $g_{i}$ is the fault differential for the intermediate nibbles which has biased distribution and $k$ is subkeys which are sufficient to recovery the specific $g_{i}$.
+The diffusion property of PRESENT is relatively weaker because of the smaller Sbox and bit permutation.
+%However, according to the design document[?], any fiveround differential characteristic of PRESENT has a minimum of 10 active Sboxes and thus the maximum differential probability is $2^{20}$.
+it is hard to use small amount of faulty ciphertexts to distinguish the correct key with significant probability if the fault propagates too many rounds.
+In order to verify how many rounds are not immune to the fault attack, we simulate the fault propagation from two rounds to six rounds with a reasonable 10000 random inputs.
+By computing the output differential's squared Euclidean distance to the uniform distribution, we can observe the effectiveness of each round's fault injection.
+The distinguishing attack relies on the fact that the squared Euclidean distance acquired from correct subkey decryption is significantly greater than those acquired with incorrect key.
+First, we tested the average squared Euclidean distance using 10000 pairs of random ciphertexts and found under random circumstance, the average squared Euclidean distance is about 0.00010.0005.
+Then, we do the simulation of fault injection and table~\ref{single_prs_tb} gives the simulation result of the distinguisher $d(k)$ uses the squared Euclidean distance on each nibble before penultimate round(using 10000 pairs of correct and faulty ciphertexts).
+if the fault injection position is earlier than round 25, even using the correct subkey to decrypt,
+That is to say, for PRESENT with 31 rounds, it is allowed to inject the fault before round 25 and then employs a two round partial decryption.
+Our experiments support the simulation well. The correct key gives a significant high squared Euclidean distance value(about 0.006).
+While for incorrect keys, the average squared Euclidean distance is about 0.00010.0003 and the most significant is only about 0.0006.
+For a full attack process, the attacker should guess four group of each 16+4 subkey bits (16 bits from penultimate round and 4 bits from antipenultimate round)independently to find the correct key.
+The attack complexity is about $4$ $\cdot$ $2^{16+4}$ $\cdot$ $10000$ $\cdot$ $2$ = $2^{36.3}$ partial decryption.
+Using two IBM xServer(\emph{Intel Xeon E5420 4 core@2.5Ghz}) the attack takes about 2 hours and successfully obtain the last round subkey and four nibble of penultimate round subkey.
+An interesting observation is that nibble 5, 7, 13 and 15 of PRESENT's block have farther distance from uniform than any other nibbles after fault propagation.
+In other words, when employing distinguishing attack, the attacker should make use of these nibble to better distinguish correct keys.
+Another observation is that if the fault injection is restricted to half of the whole block(e.g., from nibble 07 rather than 015),
+An effective distinguishing attack is allowed to be employed with one round earlier fault injection(injecting the fault before round 23).
+%The property is because these nibbles are only affected by 2nd and 4th bit of last round Sbox's output.
+%So the leftmost bits are suitable for attacking rather than the rightmost bits with almost random distribution after 5 rounds(both in theoretical analysis and simulation).
+According to the simulation, For Two, Three and Four Sboxes fault model, separately a 4+2, 3+2 and 2+2 fault propagation and partial decryption distinguishing attack could be employed.
+Also, due to the observed property that nibble 5, 7, 13 and 15 of PRESENT's block could be used in 3 Sboxes fault model to employ a 4+2 fault propagation and partial decryption distinguishing attack.
+And the results show that if the number of affected Sboxes increases by one, the upperbounds of the fault injection round within which we can accomplish the attack decrease by one.
+we can discover that begin with less faults directly injected in the earlier round after one round function the affected Sboxes increase and this intermediate state has some similarity with the one which is produce by more faults directly injected in this later round.
+Our attack is obviously not optimal because we don't have a precise knowledge of the fault model and is hence not able to estimate the precise distribution,
+The attack process against PRINT\small{CIPHER}\normalsize48 is almost the same as the process against PRESENT.
+A slight difference is that PRINT\scriptsize{CIPHER} \normalsize uses the keydependent permutation.
+Because in the situation of PRINT\scriptsize{CIPHER} \normalsize, the distribution keeps the same on each bit even with four different secret permutation.
+%The principle is that for the distinguisher is irrelevant to Sbox. Using Different Sboxes doesn't change our
+For single random Sbox fault attack, a 7round fault and 2round partial decryption distinguishing attack is suggested.
+That is to say, in PRINT\small{CIPHER}\normalsize48, 9 of 48 rounds are threatened by our fault attack.
+For a distinguishing attack, the attacker should guess not only the subkey but also the secret keypermutation key.
+One convenience is that in PRINT\scriptsize{CIPHER} \normalsize each round key is exactly the same.
+The attack complexity is about $5$ $\cdot$ $2^{25}$ $\cdot$ $2^{11}$ $\cdot$ $2$ $\approx$ $2^{39}$ partial decryption.
+For two and three random Sbox fault attacks, separately a 6+2, 5+2 fault propagation and partial decryption distinguishing attack could be employed.
+if the number of affected Sboxes increases by one, the upperbounds of the fault injection round within which we can accomplish the attack decrease by one.
FDTC2012/sec_conl.tex
+In this paper we propose differential fault analysis combining with statistical cryptanalysis technique to deal with middle round and multiple Sboxes fault injection of lightweight block ciphers.
+The basic idea is that both single random Sbox fault and multiple Sboxes fault lead to an effective distinguisher which is useful for obtaining subkey.
+We describe how to attack the lightweight SPN block ciphers and give two practical attacks against PRESENT80 and PRINT\scriptsize{CIPHER}\normalsize48.
+The results show that our attack is powerful for exploiting vulnerability of lightweight block ciphers under the fault attack.
+our analysis extends the vulnerable rounds of these lightweight block ciphers and is able to deal with multiple Sboxes fault injection.
+Our attack against PRINT\scriptsize{CIPHER} \normalsize reveals that even with secret bitpermutation the weakness still exists.
+It is noteworthy that for block ciphers with byteoriented design such as the AES and ARIA, neither single random Sbox fault nor multiple Sboxes fault model leads to such an effective attack.
+This attack is effective to the block cipher with the bitpermutation rather than byteoriented permutation.
+the differential distribution is nonuniform \textbf{even on a subset}(e.g. a single Sbox) of the penultimate or an antepenultimate block.
+Finally, we also released the attacking simulation source code at http://bitbucket.org/ with GIT form and hope more analysis could be found by other researchers.
FDTC2012/sec_intro.tex
+Fault analysis is a kind of sidechannel attack that seriously threats the security of cryptographic devices in real world.
+When an encryption is executed under faulty condition, error occurs on intermediate states so the normal output changes to a \emph{faulty output}.
+Among them, Differential Fault Analysis(DFA) \cite{biham1997differential} is the most well studied.
+The relationship between the common output and the specific faulty output provides extra information.
+Various of DFA methods have been developed against block ciphers include the AES\cite{piret2003differential}\cite{derbez2011meet},
+Camellia and ARIA. Some of them have already reached the information limitation that the fault model could provide\cite{li2010information}.
+Most of the DFA target to antepenultimate or penultimate round and take an impossibleandeliminate method to exclude wrong key candidates.
+That is to say, it relies on the property that on a subset of the last round(e.g., one or two bytes), the input differential only contains a subset of all possible values.
+The attacker uses this restriction to solve some differential equation and excludes wrong key candidates.
+If the fault is in an earlier round and therefore the subset of the last round's input differential covers all possible values then the DFA technique is not suitable.
+If the fault attack could take advantage of the statistical analysis technique, it is expected to exploit more information leakage.
+The research of fault attack against lightweight block ciphers such as PRESENT\cite{bogdanov2007present} and PRINT\scriptsize{CIPHER} \normalsize \cite{knudsen2010printcipher} are reported recent years.
+In 2009, Li et al. first proposed a DFA on PRESENT80 \cite{juan2009present} which needs 4050 pairs of faulty ciphertexts occurred at round 29.
+which needs a single nibble fault on the round key and can recover the secret key with 64 pairs of correct and faulty cipher texts on average and the computational complexity is $2^{29}$.
+In 2011, Zhao, et al.\cite{zhao2011fault} proposed fault attacks against PRESENT and PRINT\scriptsize{CIPHER} \normalsize.
+To the best of our knowledge, no fault attacks on earlier rounds are proposed and these attacks generally adopted one nibble error model.
+Traditional statistical cryptanalysis focused on full block ciphers and the attack is of impractical high complexity.
+However, under the situation of fault attack, statistical cryptanalysis is effective for the attack actually exploits a reducedround cipher model.
+In 2006, Phan and Yen proposed an amplified sidechannel attack enhanced by traditional cryptanalysis techniques\cite{phan2006amplifying}.
+Inspired by their work, in this paper we adopt the idea of statistical cryptanalysis to enhance fault analysis of lightweight block cipher.
+In detail We propose fault analysis of the lightweight SPN block cipher with bitpermutation and present specific fault attacks against PRESENT80 and PRINT\scriptsize{CIPHER} \normalsize48.
+the fault propagation process is relatively slow, and it is available to employ fault attack to construct an effective distinguisher.
+This fault based distinguisher helps attacker determine key with high probability and low data complexity.
+In his thesis, Pascal Junod gave a thorough discussion of statistical cryptanalysis of block ciphers\cite{???}.
+%then we analyze the transformation of the original nonuniform distribution after iterative round function and give the probability estimating method.
+Based on the distinguishers, we can retrieve round key and estimate which rounds are vulnerable to fault attack.
+We simulated the fault attack against PRESENT80 and PRINT\scriptsize{CIPHER}\normalsize48 to prove the statistical hypothesis,
+In Section~\ref{prelimi} we briefly review the structure of PRESENT and PRINT\scriptsize{CIPHER} \normalsize, the common fault injection technique and fault model.
+Then we present two practical attacks against PRESENT80 and PRINT\scriptsize{CIPHER} \normalsize48.
FDTC2012/sec_pre.tex
+PRESENT is a lightweight block cipher designed by Bogdanov et al. in 2007 for extremely constrained environments such as RFID tags and sensor networks.
+PRINT\scriptsize{CIPHER} \normalsize is an ultralightweight block cipher proposed by L.Knudsen et al. in 2010.
+The encryption process of PRINT\scriptsize{CIPHER} \normalsize is described in Algorithm~\ref{print_algo}.
+The interested reader is referred to \cite{knudsen2010printcipher} for further information about PRINT\scriptsize{CIPHER} \normalsize.
+Lightweight block ciphers are used in cryptographic devices such as smart cards and RFID tags in real world.
+Previous research shows that certain round of the encryption could be affected when clock faults occur,
+and devices such as FPGA using a DLLbased FPGA platform are vulnerable to fault attack\cite{agoyan2010clocks}.
+Under the fault attack, it is a reasonable assumption that a cryptographic device with fixed secret key is controlled by an attacker.
+The attacker could ask the device to encrypt(or even decrypt) arbitrary plaintext(or even ciphertext).
+the attacker deliberately interferes the normal encryption by changing the power supply voltage or the frequency of the external clock,
+In \cite{agoyan2010clocks}, Agoyan et al. demonstrated how to inject single bit fault in a reproducible way,
+despite the optical precision of the equipment was not able to target the smallest features of the target chip.
+However, fault attack is more or less harmful to devices, and due to most popular devices' lifetime(for instance, a sim card is able to do the encryption for at most 5000060000 times),
+What's more, although fault attack may affect the certain round, it is often hard for the attacker to know which parts of the internal state are changed.
+The most possible situation is that one Sbox or small number of Sboxes of one round are affected and the fault is random.
+Another situation is that in a parallel $n$ different Sboxes, one of them is most vulnerable to unstable circumstance such as low voltage.
+Our attack considers two fault models: \emph{Single Random Sbox}, and \emph{Multi Sboxes} fault model.
+We can recover the secret key within the faults injected after specific rounds depending on the fault model used.
+%This model requires one fixed Sbox of a certain round are repeatedly and randomly disturbed thus produces a set of different faulty outputs.
+ The input of \textbf{one} Sbox in a certain round is switched to a random and uniformly distributed value due to the fault injection.
+ For a pair of correct ciphertext and its corresponding faulty ciphertext, they are encrypted from the same plaintext and the same key.
+ Multiple pairs of correct and faulty ciphertexts (may from different plaintext) provided to attacker are encrypted by the same key.
+ The input of \textbf{multiple} Sboxes in a certain round are switched to random and uniformly distributed values due to the fault injection.
+ For a pair of correct ciphertext and its corresponding faulty ciphertext, they are encrypted from the same plaintext and the same key.
+ Multiple pairs of correct and faulty ciphertexts (may from different plaintext) provided to attacker are encrypted by the same key.