Differential fault analysis of full lblock

Liang Zhao, Takashi Nishide, Kouichi Sakurai

Research output: Chapter in Book/Report/Conference proceedingConference contribution

17 Citations (Scopus)


LBlock is a 64-bit lightweight block cipher which can be implemented in both hardware environments and software platforms. It was designed by Wu and Zhang, and published at ACNS2011. In this paper, we explore the strength of LBlock against the differential fault analysis (DFA). As far as we know, this is the first time the DFA attack is used to analyze LBlock. Our DFA attack adopts the random bit fault model. When the fault is injected at the end of the round from the 25 th round to the 31 st round, the DFA attack is used to reveal the last three round subkeys (i.e., K 32, K 31 and K 30) by analyzing the active S-box of which the input and output differences can be obtained from the right and faulty ciphertexts (C, C̃). Then, the master key can be recovered based on the analysis of the key scheduling. Specially, for the condition that the fault is injected at the end of the 25 th and 26 th round, we show that the active S-box can be distinguished from the false active S-box by analyzing the nonzero differences from the pair of ciphertexts (C, C̃). The false active S-box which we define implies that the nonzero input difference does not correspond to the right output difference. Moreover, as the LBlock can achieve the best diffusion in eight rounds, there can exist the countermeasures that protect the first and last eight rounds. This countermeasure raises a question whether provoking a fault at the former round of LBlock can reveal the round subkey. Our current work also gives an answer to the question that the DFA attack can be used to reveal the round subkey when the fault is injected into the 24 th round. If the fault model used in this analysis is a semi-random bit model, the round subkey can be revealed directly. Specially, the semi-random bit model corresponds to an adversary who could know the corrupted 4 bits at the chosen round but not know the exact bit in these 4 bits. Finally, the data complexity analysis and simulations show the number of necessary faults for revealing the master key.

Original languageEnglish
Title of host publicationConstructive Side-Channel Analysis and Secure Design - Third International Workshop, COSADE 2012, Proceedings
Number of pages16
Publication statusPublished - Jun 15 2012
Event3rd International Workshop, Constructive Side-Channel Analysis and Secure Design, COSADE 2012 - Darmstadt, Germany
Duration: May 3 2012May 4 2012

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume7275 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Other3rd International Workshop, Constructive Side-Channel Analysis and Secure Design, COSADE 2012

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • Computer Science(all)


Dive into the research topics of 'Differential fault analysis of full lblock'. Together they form a unique fingerprint.

Cite this