841eaa4
committed
Files changed (8)

+18 -0  FDTC2012/fdtc.bib
+18 -10 FDTC2012/main.bbl
+39 -28 FDTC2012/sec_attack.tex
+2  -12 FDTC2012/sec_conl.tex
+7  -10 FDTC2012/sec_intro.tex
+3  -3  FDTC2012/sec_pre.tex
+5  -5  FDTC2012/title.tex
+3  -0  FDTC2012/tx.bat
FDTC2012/fdtc.bib
FDTC2012/main.bbl
FDTC2012/sec_attack.tex
First, Lightweight block ciphers would generally have smaller Sboxes and more iterative rounds to enhance the security for the lack of complicated round function.
The fast encryption speed of device makes fault injection hard to locate accurate rounds or certain Sbox, especially for fault attack focusing on last one or two rounds or requiring single Sbox fault model.
Second, due to the device's lifetime, attackers may not acquire enough amount of faulty ciphertext.
Thus to take advantage of multiple Sboxes fault and earlier round fault is meaningful for fault analysis.
+First, Lightweight block ciphers would generally use more iterative rounds to enhance the security for the lack of complicated round function.
+The fast encryption speed of device makes fault injection hard to locate accurate rounds or certain Sbox,
+especially for fault attack focusing on last one or two rounds or requiring single Sbox fault model.
+Second, due to the device's lifetime, in practice attackers may not acquire a huge amount of faulty ciphertexts.
+Thus to take advantage of limited faulty ciphertexts, multiple Sboxes fault and earlier round fault is meaningful for fault analysis.
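Review bot: subject-verb agreement in the last added line: "multiple Sboxes fault and earlier round fault is meaningful" has a compound subject, so it should be "are meaningful"; likewise "Lightweight" should not be capitalised mid-sentence in the first added line. Suggest: "Thus, to take advantage of limited faulty ciphertexts, multi-Sbox faults and earlier-round faults are meaningful for fault analysis." The phrase "makes fault injection hard to locate accurate rounds or certain Sbox" reads better as "makes it hard for fault injection to target an exact round or a particular Sbox".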
a popular design methodology of bitpermutation is adopted because it is simple and easy to be implemented.
The basic idea of our fault attack is to acquire an effective distinguisher based on fault injection and employ distinguishing attack.
We found single random Sbox fault model and multi Sboxes fault model are both suitable for attacking.
it takes several rounds for a single Sbox fault differential to be diffused and yet change the output "randomly".
the differential distribution is nonuniform \textbf{even on a subset}(e.g. a single Sbox) of the penultimate or an antepenultimate block.
+We found single random Sbox fault model and multi Sboxes fault model are both suitable for our attack.
+we can exploit middle round fault is mainly because it takes several rounds for a single Sbox or multi Sboxes fault differential to be fully diffused,
+the differential distribution is nonuniform \textbf{even on a subset}(e.g. a single Sbox) of the penultimate or an antepenultimate state.
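Review bot: the second added line is a fragment: "we can exploit middle round fault is mainly because it takes several rounds ..." has no subject for "is". Suggest "The reason we can exploit a middle-round fault is mainly that it takes several rounds for a single-Sbox or multi-Sbox fault differential to be fully diffused; ...". In the third added line insert a space before the parenthesis in "\textbf{even on a subset}(e.g. a single Sbox)" and write "e.g.," with a comma, and keep the article consistent: "the penultimate or antepenultimate state". This hunk changes "block" to "state"; the same sentence in sec_conl.tex still says "block", so align the two.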
The distinguisher is based on the fact that the differential distribution is significantly different from uniform.
the attacker guesses part of the ultimate round(or plus penultimate round) key and partially decrypt the ciphertext.
If the guessed key is correct, the distance between partially decrypted distribution and the uniform distribution could be a well distinguisher.
%Because even the fault on a single Sbox is random, the bitpermutation make this randomness weak by diffuse each bit to different Sboxes.
%even if the input of an Sbox is random, after one round of permutation, $l$ Sboxes are to be affected according to Sbox's bit number $l$,
%This nonuniform distribution may need more rounds of diffusion to become uniform again compared with byteoriented permutation design.
When we focus on the Single Random Sbox Fault Model in an mround SPN blockcipher with the common bitpermutation design, even if the input of an Sbox is random, after one round of permutation, $l$ Sboxes are to be affected according to Sbox's bit number $l$,
+When we focus on the Single Random Sbox Fault Model in an mround SPN block cipher with the common bitpermutation design,
+even if the input of an Sbox is random, after one round of permutation, $l$ Sboxes are to be affected according to Sbox's bit number $l$,
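Review bot: this hunk only rewraps the existing sentence onto two lines and changes "blockcipher" to "block cipher"; the second added line still ends with a comma, so check that the continuation on the following (unshown) line still reads as one sentence. While touching it, "are to be affected according to Sbox's bit number $l$" is awkward; suggest "$l$ Sboxes are affected, where $l$ is the bit width of the Sbox".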
The Multi Sboxes Fault model shows similar property and the fault differential's nonuniform distribution still exists.
In both cases the nonuniform distribution may need more rounds of diffusion to become random again compared with byteoriented permutation design.
+In other words, the fault propagates from random byte to some random bits and then to the whole block.
+neither single random Sbox fault nor multiple Sboxes fault model leads to such an effective attack.
+Fault propagation is faster because the any random byte fault is directly diffused to the whole block and the distinguisher on single Sbox is ineffective.
+Our fault analysis relies on the nonuniform distribution of the input differential of a single Sbox.
+The attack process is to just partially decrypt the ciphertext and test the distribution of the input differential of an Sbox with all possible key candidates.
+the attack against lightweight block ciphers generally do the partial decryption of two rounds instead of one because the partial key size is relatively small(e.g., 16 bits).
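Review bot: typo in the third added line: "because the any random byte fault" should be "because any random byte fault". In the last added line the verb must agree with its subject: "the attack against lightweight block ciphers generally does the partial decryption", and a space is missing in "small(e.g., 16 bits)". The second added line starts with lowercase "neither", so confirm it continues a sentence on the preceding unshown line rather than standing alone. The rewritten "Our fault analysis relies on the nonuniform distribution of the input differential of a single Sbox" is clearer than the removed version.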
Our fault analysis relies on the nonuniform distribution when a single random Sbox fault transferring for several rounds.
An empirical and simple attack is to just partially decrypt the ciphertext and test the distribution of some subsets with all possible key candidates.
the attack against lightweight blockcipher generally do the partial decryption of two rounds instead of one because the partial key size is relatively small(e.g., 16 bits).
+In his thesis, Pascal Junod gave a thorough discussion of statistical cryptanalysis of block ciphers\cite{junod2005statistical}.
Several distinguishers like Likelihood distinguisher and Squared Euclidean Imbalance (SEI) distinguisher \cite{rivain2009differential} can be used here to select the correct key.
Consider the situation of not having exact knowledge about the fault propagation, especially for multiple Sboxes fault model and simplicity.
We just adopt SEI method which picks the guessed key achieving strongest bias to uniform distribution as the correct one.
%However, according to the design document[?], any fiveround differential characteristic of PRESENT has a minimum of 10 active Sboxes and thus the maximum differential probability is $2^{20}$.
it is hard to use small amount of faulty ciphertexts to distinguish the correct key with significant probability if the fault propagates too many rounds.
In order to verify how many rounds are not immune to the fault attack, we simulate the fault propagation from two rounds to six rounds with a reasonable 10000 random inputs.
By computing the output differential's squared Euclidean distance to the uniform distribution, we can observe the effectiveness of each round's fault injection.
+we simulated the fault propagation from two rounds to six rounds with a reasonable 10000 random inputs.
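Review bot: the new sentence "we simulated the fault propagation ..." starts with a lowercase letter and switches to past tense while the surrounding sentences ("In order to verify", "we can observe") stay in the present; pick one tense for the experiment description and write "10,000 random inputs" rather than "a reasonable 10000 random inputs". The added citation \cite{junod2005statistical} depends on a key in fdtc.bib, whose diff is not rendered on this page; since the same sentence in sec_intro.tex carried \cite{???}, make sure that copy is removed so the reference appears once and no undefined-citation warning remains. The commented-out line about PRESENT's five-round differential characteristic still has a "[?]" placeholder; either cite the design document there or delete the comment before camera-ready.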
FDTC2012/sec_conl.tex
our analysis extends the vulnerable rounds of these lightweight block ciphers and is able to deal with multiple Sboxes fault injection.
Our attack against PRINT\scriptsize{CIPHER} \normalsize reveals that even with secret bitpermutation the weakness still exists.
It is noteworthy that for block ciphers with byteoriented design such as the AES and ARIA, neither single random Sbox fault nor multiple Sboxes fault model leads to such an effective attack.
This attack is effective to the block cipher with the bitpermutation rather than byteoriented permutation.
the differential distribution is nonuniform \textbf{even on a subset}(e.g. a single Sbox) of the penultimate or an antepenultimate block.
Finally, we also released the attacking simulation source code at http://bitbucket.org/ with GIT form and hope more analysis could be found by other researchers.
+For these two lightweight ciphers, about one fifth of the iterative rounds are needed to be protected according to our results.
+Finally, we released the attacking simulation source code at https://bitbucket.org/RomanGol/faultattack and hope more analysis could be found by other researchers.
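Review bot: "are needed to be protected" should be "need to be protected" in the first added line (the same phrase appears in title.tex). The context sentence "nonuniform \textbf{even on a subset} ... of the penultimate or an antepenultimate block" still says "block" while sec_attack.tex now says "state"; align them. The bare URL https://bitbucket.org/RomanGol/faultattack should be wrapped in \url{} (url or hyperref package) so it line-breaks correctly and stays clickable.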
FDTC2012/sec_intro.tex
To the best of our knowledge, no fault attacks on earlier rounds are proposed and these attacks generally adopted one nibble error model.
Traditional statistical cryptanalysis focused on full block ciphers and the attack is of impractical high complexity.
However, under the situation of fault attack, statistical cryptanalysis is effective for the attack actually exploits a reducedround cipher model.
+Traditional statistical cryptanalysis focused on full block ciphers and the attack is of impractical high complexity.
+However, under the situation of fault attack, statistical cryptanalysis is effective for the attack actually exploits a reducedround cipher model.
In 2006, Phan and Yen proposed an amplified sidechannel attack enhanced by traditional cryptanalysis techniques\cite{phan2006amplifying}.
Inspired by their work, in this paper we adopt the idea of statistical cryptanalysis to enhance fault analysis of lightweight block cipher.
In detail We propose fault analysis of the lightweight SPN block cipher with bitpermutation and present specific fault attacks against PRESENT80 and PRINT\scriptsize{CIPHER} \normalsize48.
the fault propagation process is relatively slow, and it is available to employ fault attack to construct an effective distinguisher.
This fault based distinguisher helps attacker determine key with high probability and low data complexity.
In his thesis, Pascal Junod gave a thorough discussion of statistical cryptanalysis of block ciphers\cite{???}.
%then we analyze the transformation of the original nonuniform distribution after iterative round function and give the probability estimating method.
Based on the distinguishers, we can retrieve round key and estimate which rounds are vulnerable to fault attack.
We simulated the fault attack against PRESENT80 and PRINT\scriptsize{CIPHER}\normalsize48 to prove the statistical hypothesis,
+We simulated the fault attack against PRESENT80 and PRINT\scriptsize{CIPHER}\normalsize48 to prove the hypothesis,
In Section~\ref{prelimi} we briefly review the structure of PRESENT and PRINT\scriptsize{CIPHER} \normalsize, the common fault injection technique and fault model.
+In Section~\ref{prelimi} we briefly review the structure of PRESENT and PRINT\scriptsize{CIPHER} \normalsize, the common fault injection technique and two fault models.
Then we present two practical attacks against PRESENT80 and PRINT\scriptsize{CIPHER} \normalsize48.
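Review bot: the two added lines "Traditional statistical cryptanalysis focused on full block ciphers ..." and "However, under the situation of fault attack ..." are identical to the two lines shown above them; if this is a paragraph move that is fine, otherwise the paragraph is now duplicated. The line "In his thesis, Pascal Junod ... \cite{???}" should be gone from this file now that sec_attack.tex carries the cited version; verify it is removed rather than kept. The rewritten "to prove the hypothesis" still ends with a comma, so the next (unshown) clause must continue it, and "to validate the hypothesis" is the more careful claim than "prove". In "In detail We propose", lowercase "we".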
FDTC2012/sec_pre.tex
PRINT\scriptsize{CIPHER} \normalsize is an ultralightweight block cipher proposed by L.Knudsen et al. in 2010.
The encryption process of PRINT\scriptsize{CIPHER} \normalsize is described in Algorithm~\ref{print_algo}.
The interested reader is referred to \cite{knudsen2010printcipher} for further information about PRINT\scriptsize{CIPHER} \normalsize.
+The interested reader is referred to \cite{knudsen2010printcipher} for further information about PRINT\scriptsize{CIPHER} \normalsize.
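Review bot: the added line is character-for-character identical to the line above it, so this hunk is a whitespace-only or line-ending change; unless it fixes a real line-ending problem, consider dropping it from the commit so the content edits stay reviewable (tx.bat is also added here but not rendered on this page).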
FDTC2012/title.tex
Differential fault analysis is one of the most efficient side channel attack techniques that threat the security of blockcipher.
+Differential fault analysis is one of the most efficient side channel attack techniques that threat the security of block cipher.
However, it often requires a penultimate or an antepenultimate round faulty encryption and is not suitable for middle round fault.
This paper presents attacks combining differential fault analysis with statistical cryptanalysis techniquesto attacklightweight ciphers.
+This paper presents attacks combining differential fault analysis with statistical cryptanalysis techniques against lightweight ciphers.
The analysis makes use of statistical cryptanalysis techniques in practice rather than theoretically,
and exploits the weakness of bitpermutation adopted by many lightweight blockciphers under fault attack.
+and exploits the weakness of bitpermutation adopted by many lightweight block ciphers under fault attack.
Specific attacks against PRESENT and PRINT\scriptsize{CIPHER} \normalsize are given to prove the validity.
The result shows that about one fifth of the iterative rounds are needed to be protected for these lightweight ciphers with bitpermutation.
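Review bot: "that threat the security of block cipher" in the first added line should be "that threaten the security of block ciphers"; the spacing fix in the second added line ("techniques against lightweight ciphers") is correct. The unchanged last sentence "are needed to be protected" should read "need to be protected", and "side channel attack" is normally hyphenated as "side-channel attack" when used attributively.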