$\textsf{LBlock}$ is a 64-bit lightweight block cipher that can be implemented in both hardware environments and software platforms. It was designed by Wu and Zhang and published at ACNS 2011. In this paper, we explore the strength of $\textsf{LBlock}$ against differential fault analysis ($\textsf{DFA}$). As far as we know, this is the first time a $\textsf{DFA}$ attack has been used to analyze $\textsf{LBlock}$. Our $\textsf{DFA}$ attack adopts the random bit fault model. When the fault is injected at the end of a round from the 25th round to the 31st round, the $\textsf{DFA}$ attack reveals the last three round subkeys (i.e., $K_{32}$, $K_{31}$ and $K_{30}$) by analyzing the $\textit{active S-box}$, whose input and output differences can be obtained from the correct and faulty ciphertexts $(C, \widetilde{C})$. The master key can then be recovered by analyzing the key schedule. In particular, when the fault is injected at the end of the 25th or 26th round, we show that the active S-box can be distinguished from the $\textit{false active S-box}$ by analyzing the nonzero differences in the ciphertext pair $(C, \widetilde{C})$. A false active S-box, as we define it, is one whose nonzero input difference does not correspond to the right output difference. Moreover, since $\textsf{LBlock}$ achieves the best diffusion in eight rounds, countermeasures may exist that protect the first and last eight rounds. Such a countermeasure raises the question of whether provoking a fault at an earlier round of $\textsf{LBlock}$ can still reveal the round subkey. Our work answers this question: the $\textsf{DFA}$ attack can be used to reveal the round subkey when the fault is injected into the 24th round. If the fault model used in this analysis is a $\textit{semi-random bit model}$, the round subkey can be revealed directly. The semi-random bit model corresponds to an adversary who knows which 4 bits are corrupted at the chosen round but does not know the exact bit among these 4 bits. Finally, the data complexity analysis and simulations show the number of faults necessary to reveal the master key.