Differential Fault Attacks For Feistel And SPN Cipher Structures

In this rapidly developing age of network and information security technology,equipment safety and information security have been paid to more and more attention.Encryption algorithm is the basic technology of information security.A variety of typical encryption algorithms emerged for different requirements.Lightweight block cipher algorithm is able to be used in the condition of the limited hardware and software resource.The algorithm combined with radio frequency identification(RFID)technology is widely used in real life,such as entrance guard,charge management and so on.Differential fault attack is one of the effective attack methods for lightweight block cipher algorithm.This attack method combines mathematical difference analysis theory and physical intervention means,so that the attacker can use a small number of correct and false ciphertext pairs and a small key search space to calculate the initial key in the process of algorithm analysis.Therefore,this attack method is widely used in all kinds of cryptanalysis.In this paper,two kinds of typical lightweight cryptographic algorithms are studied.Eight-sided Fortress(ESF),is a 64-bit lightweight block cipher algorithm improved by Liu xuan et al.based on LBlock algorithm.The design structure of ESF is similar to that of LBlock,with simple structure and easy implementation.KLEIN-64 is a lightweight block cipher designed for resource-constrained environment,which has advantages in software performance and hardware implementation.Recent investigation shows that KLEIN-64 is vulnerable to differential fault attack(DFA),and is widely used.In this paper,according to the characteristics of displacement layer structure and the basic idea of differential fault,a differential fault attack method for ESF algorithm is proposed.When a 1-bit fault is injected in the 30th round,different S-box input value sets can be obtained according to differential characteristics of S-box and different input and output differential pairs.Taking its intersection can quickly determine the only input values of S-box.And we can analysis and get the secret key of the final round.Then,1-bit fault is injected on the round of 29th and 28th in order.Combined with the secret keys of the last round and the difference characteristics of s-box,the secret keys of the 29th round and the 28th round can be obtained,which required about 10 fault ciphertexts in the whole attack.After recovering the secret keys of three rounds,the computational complexity of recovering the master key was reduced to 222.This paper proposes an improved differential fault attack algorithm for KLEIN-64.It is found that the differential propagation path and the distribution of the S-box can be fully utilized to distinguish the correct and wrong keys when a half-byte fault is injected in the 10th round.By analyzing the difference matrix before the last round of S-box,the location of fault injection can be limited to a small range.Thus,this can greatly improve the attack efficiency.For the best case,the scale of brute-force attack is only 28.While for the worst case,the scale of brute-force attack is far less than 232 with another half byte fault injection,and the probability for this case is 1/83.Furthermore,the measures for KLEIN-64 to resist are also proposed.