Differential Fault Analysis Of Lightweight Block Ciphers With Fast Diffusion

In the era of digital economy,"Internet plus"has become the new normal and the Internet of Things is a new industry.RFID and other technologies are widely used in the Internet of Things,which are applied to micro devices with small storage capacity and low power consumption.It is necessary to ensure secure communications among the devices.Block cipher is widely used,which is one of the important technologies for information security.Lightweight block cipher is a hot spot in the research of cryptography.This new type of cipher has the advantages of simple structure,low power consumption,high implementation efficiency and sufficient security,so it is extremely suitable for the resource-constrained environment of the Internet of Things.Differential fault analysis is a method combining differential analysis and fault analysis.By injecting faults into the physical device,wrong ciphertexts are obtained.Then the differential information between correct ciphertexts and wrong ciphertexts is used to complete the attack.The efficiency of key recovery is affected by the diffusion speed of the cipher.In order to evaluate the security of lightweight block ciphers with fast diffusion and explore the factors affecting the efficiency of differential fault analysis,this thesis carries out differential fault attack on two ciphers with fast diffusion,Lilliput and BORON,respectively.Main contributions are as follows.Lilliput is studied,which uses the EGFN(Extended Generalized Feistel Network)structure adding a linear layer to the Feistel structure to obtain strong diffusion property.By analyzing the structural characteristics of Lilliput carefully,it is found that faults injected at the 7th nibble of the cipher can diffuse to the next round as soon as possible,and make all S-boxes in the next round become active S-boxes.On this basis,this thesis proposes the first differential fault attack on Lilliput.By successively injecting faults at the 7^th nibble of the28^th,27^th,and 26^th round,the corresponding 32-bit round keys of the 29^th,28^th and 27^th round are recovered using the statistical characteristics of the S-box differential distribution.Then the master key can be recovered according to the key schedule algorithm.For the nibble random fault model,theoretical analysis and experimental results show that the master key can be restored after an average of 6.78 and 6.81 fault injections respectively,while for the single-bit random fault model,experimental results show that the master key can be restored by injecting an average of 7.20 faults.It is shown that differential fault analysis can attack Lilliput effectively,and the input difference and output difference distribution of S-box will affect the efficiency of differential fault analysis,and injecting faults at the position with fastest diffusion can achieve good attack effect.BORON is studied,which uses SPN structure.The cipher with fast diffusion has two versions,BORON-80 and BORON-128.By analyzing the fault propagation characteristics of BORON carefully,it is found that the faults can diffuse to up to 12 active S-boxes after two rounds at the fastest speed when one single bit random fault is injected into the 0^thand2^nd or the 1^st and 3^rd or the 12^nd and 14^th or the 13^rd and 15^th nibble of the penultimate round at the same time.On this basis,this thesis proposes the first differential fault attack on BORON.By successively injecting faults at the 23^th,22^th,and 21^th round of BORON-80,the corresponding round keys of the last three rounds are recovered.By successively injecting faults at the 23^th,22^th,21^th,20^th,19^thand 18^th round of BORON-128,the corresponding round keys of the last six rounds are recovered.Then the master key can be recovered according to the respective key schedule algorithms.With the help of the differential distribution of the S-boxes and the law of fault propagation,the set space of candidate key is reduced,and the algebraic relationship between round keys is used to reduce the number of round key bits to be recovered,which significantly reduce the complexity of the differential fault attack.Experimental results show that the master key recovery of BORON-80 and BORON-128requires an average of 23.46 and 37.58 faults respectively.If the exhaustive calculations of2^{5.7 2} and 2^10.06 are added respectively,the average number of injection faults required for BORON-80 and BORON-128 is reduced to 13.60 and 27.74 respectively.It is shown that differential fault analysis can effectively attack BORON which has the SPN structure with fast diffusion,the key schedule algorithm will affect the efficiency of differential fault analysis,and adding other attack methods to differential fault analysis can enhance the attack effect.