TY - GEN
T1 - Differential fault analysis of full LBlock
AU - Zhao, Liang
AU - Nishide, Takashi
AU - Sakurai, Kouichi
PY - 2012/6/15
Y1 - 2012/6/15
AB - LBlock is a 64-bit lightweight block cipher which can be implemented in both hardware environments and software platforms. It was designed by Wu and Zhang, and published at ACNS2011. In this paper, we explore the strength of LBlock against the differential fault analysis (DFA). As far as we know, this is the first time the DFA attack is used to analyze LBlock. Our DFA attack adopts the random bit fault model. When the fault is injected at the end of the round from the 25th round to the 31st round, the DFA attack is used to reveal the last three round subkeys (i.e., K32, K31 and K30) by analyzing the active S-box of which the input and output differences can be obtained from the right and faulty ciphertexts (C, C̃). Then, the master key can be recovered based on the analysis of the key scheduling. Specially, for the condition that the fault is injected at the end of the 25th and 26th round, we show that the active S-box can be distinguished from the false active S-box by analyzing the nonzero differences from the pair of ciphertexts (C, C̃). The false active S-box which we define implies that the nonzero input difference does not correspond to the right output difference. Moreover, as the LBlock can achieve the best diffusion in eight rounds, there can exist the countermeasures that protect the first and last eight rounds. This countermeasure raises a question whether provoking a fault at the former round of LBlock can reveal the round subkey. Our current work also gives an answer to the question that the DFA attack can be used to reveal the round subkey when the fault is injected into the 24th round. If the fault model used in this analysis is a semi-random bit model, the round subkey can be revealed directly. Specially, the semi-random bit model corresponds to an adversary who could know the corrupted 4 bits at the chosen round but not know the exact bit in these 4 bits. Finally, the data complexity analysis and simulations show the number of necessary faults for revealing the master key.
UR - http://www.scopus.com/inward/record.url?scp=84862124865&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84862124865&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-29912-4_11
DO - 10.1007/978-3-642-29912-4_11
M3 - Conference contribution
AN - SCOPUS:84862124865
SN - 9783642299117
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 135
EP - 150
BT - Constructive Side-Channel Analysis and Secure Design - Third International Workshop, COSADE 2012, Proceedings
T2 - 3rd International Workshop, Constructive Side-Channel Analysis and Secure Design, COSADE 2012
Y2 - 3 May 2012 through 4 May 2012
ER -