Differential Fault Analysis Of Lightweight Block Ciphers With Different Structure

As a special block cipher,lightweight block cipher can achieve high efficiency under the case of low cost and low energy consumption,which can also provide sufficient security.Therefore,deploying a large number of lightweight block cphers in a resource-constrained environment can produce good economic benefits.The design of lightweight block cipher includes structure and roundfunction.The structure mainly includes Feistel structure and SPN structure.Differential fault attack is a cryptanalysis method combined with physical implementation.Due to the round structure characteristics of lightweight block cipher,faults are injected into encryption device to recover the key using differential analysis.After the method was proposed,it has successfully attacked several ciphers in public key cryptography and private key cryptography.uBlock and FBC are two lightweight block ciphers proposed in the national cipher design competition.Their design adopts two different round structures.In order to evaluate the security of these two ciphers,this thesis successfully carries out differential fault attack on them.It is shown that differential fault attack can be implemented effectively on both uBlock with a SPN structure and FBC with a generalized Feistel structure,and the choice of fault model is more flexible for block ciphers with Feistel-like structure.The main contributions are as follows.uBlock is a lightweight block cipher based on SPN structure.Because of the characteristics of the SPN structure,the input difference of the active S-boxes cannot be directly obtained.So it is necessary to guess the input difference of the active S-boxes when the key is recovered.Therefore,the single bit random fault model is used to minimize the candidate space,while performing differential fault analysis on uBlock.The structure of uBlock is studied carefully,then we found and proved a unique diffusion property of the cipher that if a single bit fault is randomly injected into the output of S-boxes at a certain round,11 identical non-zero nibble output differences will be generated at the output of the round.On this foundation,a differential fault attack to uBlock based on single bit random falut model is proposed for the first time.By introducing random single bit fault at the output of the Sboxes in the third-to-last round,the differential information is obtained by using the linear layer diffusion characteristics,and the key recovery is realized according to the statistical law of the S-box differential distribution.The simulation results show that the 128-bit master key of uBlock-128/128 can be recovered by 13.4 fault injections on average,the 256-bit master key of ublock-128/256 can be recovered by 26.8 fault injections on average,and the256-bit master key of ublock-256/256 can be recovered by 32.6 fault injections on average.FBC is a lightweight block cipher based on generalized Feistel structure.In this thesis,through the research of the unique round structure of FBC,we get the differential propagation characteristics under the interaction of the dual Feistel structures,and then obtain the relationship between the input difference and output difference of the S-boxes at the last round.On this basis,a differential fault attack on FBC is proposed.The key recovery is realized by introducing random faults into the input of the S-boxes in the third-to-last round.Unlike the differential fault attack on uBlock with a SPN structure,which needs to guess the input difference of the active S-boxes,the input difference of the active S-boxes at the last round can be obtained directly using differential propagation characteristics for FBC with a Feistel structure.Therefore,random fault models such as single bit and single byte can be used in the differential fault attack on FBC.The simulation results show that using single byte random fault model,the 128-bit master key of FBC-128/128 can be recovered with an average of 8.06 fault injections,the 256-bit master key of FBC-128/256 can be recovered with an average of 16.1 fault injections,and the 256-bit master key of FBC-256/256 can be recovered with an average of 13.6 fault injections.While using single bit random fault model,the average number of fault injections needed to recover the master key of FBC-128/128,FBC-128/256 and FBC-256/256 is 10.1,20.2 and 20.6 respectively.The attack effect of single byte random fault model is better than that of single bit random fault model.