New differential fault analysis on PRESENT
 Nasour Bagheri^{1},
 Reza Ebrahimpour^{1}Email author and
 Navid Ghaedi^{1}
https://doi.org/10.1186/168761802013145
© Bagheri et al.; licensee Springer. 2013
Received: 18 March 2012
Accepted: 4 July 2013
Published: 4 September 2013
Abstract
In this paper, we present two differential fault analyses on PRESENT80 which is a lightweight block cipher. The first attack is a basic attack which induces a fault on only one bit of intermediate states, and we can obtain the last subkey of the block cipher, given 48 faulty cipher texts on average. The second attack can retrieve the master key of the block cipher, given 18 faulty cipher texts on average. In the latter attack, we assume that we can induce faults on a single nibble of intermediate states. Given those faulty cipher texts, the computational complexity of attacks is negligible.
Keywords
1 Introduction
Boneh et al. introduced the fault attack in September 1996[1]. Later, in October 1996, Biham and Shamir published an attack on secret key cryptosystems called differential fault analysis (DFA) which combined the ideas of fault attack and differential attack[2]. Given a plaintext, the DFA attack derived information about the secret key by examining the differences between a related cipher text resulting from a correct encryption and a cipher text of the same plaintext resulting from a faulty encryption. Normally, a faulty cipher text is taken by giving external impact on a device with voltage variation, glitch, laser, etc. A fault may be induced with these external impacts; however, we know neither the location nor the value of the fault. This attack is commonly used to analyze the security of cryptosystems. DFA have been employed to attack several block ciphers where DES[3, 4], AES[5–11], PRINTCIPHER[12], Camellia[13], CALEFIA[14, 15], RC4[16], SMS4[17], and ARIA[18] are examples. In general, there are two techniques to apply a DFA attack on a block cipher. The first one assumes that the intermediate states were corrupted by the fault injection and tries to recover the key, while the second form assumes that the key schedule algorithm was corrupted by the fault injection and tries to recover the key.
PRESENT is an ultralightweight block cipher proposed at CHES 2007 by Bogdanov et al. This block cipher is an SP networkbased cipher and consists of 31 rounds. The block length is 64 bits, and two key lengths of 80 and 128 bits are supported[19], denoted by PRESENT80 and PRESENT128, respectively. Several basic attacks such as differential cryptanalysis, linear cryptanalysis, and their variants have been applied on PRESENT already[20–23]. In this paper, we concentrate on the security of PRESENT80 against DFA attack.
1.1 Previous works
A DFA on PRESENT80 key schedule has been proposed by Wang et al.[24]. They assumed that the key schedule was corrupted by the fault injection and tried to recover the key. They have reduced the master key search space of PRESENT80 to 2^{29} with 64 pairs of correct and faulty cipher texts on average. In addition, Zhao et al.[25] proposed a fault propagation patternbased DFA on PRESENT80/128. They reduce the master key search space of PRESENT80/128 to 2^{14.7} and 2^{21.1}, respectively, with 8 and 16 pairs of correct and faulty cipher texts on average.
1.2 Paper contributions
In this paper, we present two differential fault analyses on PRESENT80. For the first attack, we assume that the fault occurs on only one bit of the intermediate states. In the second attack, we induce a fault on a single nibble of the intermediate states and we employ our first attack to retrieve the master key. Our attack can recover the master key, given 18 faulty cipher texts on average.
2 Paper organization
The notations used in the paper are presented in Section 3. PRESENT is briefly described in Section 3.2. In Section 4, we describe our basic attack. We present another DFA attack based on the basic attack in Section 5. Finally, we conclude the paper in Section 6.
3 Notations and preliminaries
3.1 Notations
Throughout the paper, we use the following notations:

P : denotes the plaintext.

K : denotes the master key.

S ^{ i }: denotes the correct state before i th round’s Sbox layer and${S}_{j}^{i}$ denotes the j th bit of S ^{ i }.

S ^{ i∗}: denotes the faulty state before i th round’s Sbox layer.

S ^{ i } N ^{ j }: denotes the j th nibble of state before i th round’s Sbox layer and${S}^{i}{N}_{n}^{j}$ denotes its n th bit of the nibble.

B ^{ i }: denotes the state after i th round’s Sbox layer and B ^{ i } N ^{ j } denotes the j th nibble of B ^{ i }.

B ^{ i∗}: denotes the faulty state after i th round’s Sbox layer and B ^{ i∗} N ^{ j } denotes the j th nibble of B ^{ i∗}.

K ^{ i }: denotes i th subround key and${K}_{j}^{i}$ denotes the j th bit of K ^{ i }.

C : denotes the correct cipher text.

D : denotes the faulty cipher text.
3.2 Description of PRESENT
3.2.1 Key addition
where K ^{32} is used for postwhitening.
3.2.2 Substitution layer (Sbox)
The substitution layer (Sbox)
Sbox action  

x  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F 
S[x]  C  5  6  B  9  0  A  D  3  E  F  8  4  7  1  2 
3.2.3 Permutation layer P
The permutation layer
i and P(i)  

i  0  1  2  3  4  5  6  7  8  9  10  11  12  13  14  15 
P(i)  0  16  32  48  1  17  33  49  2  18  34  50  3  19  35  51 
i  16  17  18  19  20  21  22  23  24  25  26  27  28  29  30  31 
P(i)  4  20  36  52  5  21  37  53  6  22  38  54  7  23  39  55 
i  32  33  34  35  36  37  38  39  40  41  42  43  44  45  46  47 
P(i)  8  24  40  56  9  25  41  57  10  26  42  58  11  27  43  59 
i  48  49  50  51  52  53  54  55  56  57  58  59  60  61  62  63 
P(i)  12  28  44  60  13  29  45  61  14  30  46  62  15  31  47  63 
The key schedule algorithm supports two key lengths of 80 and 128 bits. However, we do not explain the key schedule algorithm here because it is not directly relevant to our attack. For more information about the key schedule, the interested reader can refer to[19].
4 The basic DFA attack
In this section, we introduce a basic DFA attack against PRESENT80 which is based on the injection of a fault on only one bit of intermediate states at the beginning of the last round’s Sbox layer. The given attack requires a singlebit fault in the last round of the cipher which may sound difficult in practice. However, the recent results[26] show the feasibility of this type of DFA attacks.
Hence, following the given attack, it is possible to retrieve K ^{32} given on average 48 faulty cipher texts and related correct cipher text for the fixed value of input message P (Additional details of the basic attack are given in Appendix 2).
If we can induce a fault on one bit of several nibbles of S ^{31} for each fault experiment, we can reduce the required number of faulty cipher texts to obtain S ^{31} and K ^{32}. In this case, we can still use Algorithms 1 and 2 for obtaining S ^{31} and K ^{32}. Obviously, the injection of a single bit fault for a nibble of S ^{31} generates a faulty nibble at the output of last round’s Sbox layer, and single bit faults injection on several nibbles of S ^{31} generates several faulty nibbles at the output of last round’s Sbox layer.
Algorithm 1 Determining the faulty output of last round’s Sbox layer
Algorithm 2 Obtain one nibble of S ^{31}
Given K ^{32}, a similar attack can be used to retrieve S ^{30} and K ^{31} and finally recover the master key. However, the number of required faulty cipher texts would be increased (96 faulty cipher texts on average), but in the next section, we show an approach to obtain the master key given 18 faulty cipher texts on average.
Remarks 1
It must be noted that sometimes faulty cipher texts will be repeated (if we inject a fault on the same bit of S ^{31} ), and we exclude this faulty cipher text. We collect three unique faulty cipher texts on average for obtaining each nibble of S ^{31}.
5 The second DFA attack
In the previous section, we described a basic attack that, on each experiment, induces a fault on a single bit of intermediate state of the last round. In this section, to retrieve the whole master key, we extend the previous attack such that the adversary can inject a fault on one nibble rather than a bit.
 1.
The four input bits to an Sbox come from four distinct Sboxes of the same group.
 2.
The input bits to a group of 4 Sboxes come from 16 different Sboxes.
 3.
The four output bits from a particular Sbox enter four distinct Sboxes, each of which belongs to a distinct group of Sboxes in the subsequent round.
 4.
The output bits of Sboxes in distinct groups go to distinct Sboxes.
Following the above criteria, we state that:

Inducing a fault on only one nibble of intermediate states at the beginning of the i th round’s Sbox layer, S ^{ i }, leads to fault occurrence on one bit of some Sboxes of the next round, where on average, the inputs of two Sboxes would be corrupted at the beginning of S ^{ i+1}.

Inducing a fault on only one nibble of intermediate states at the beginning of the i th round’s Sbox layer, S ^{ i }, leads to fault occurrences on one bit of some Sboxes of the next round, S ^{ i+1}, where on average the inputs of two Sboxes would be corrupted at the beginning of S ^{ i+1}. These differences are propagated to extra Sboxes in (i + 2)th round. However, following the designing criteria, for any corrupted input of Sboxes at (i + 1)th and (i + 2)th round, we have difference on one bit. Therefore, the injection of a fault on a nibble of intermediate states at the beginning of the 29th round’s Sbox layer, on average, provides the adversary with faults on single bits of four nibbles of S ^{31}.
Whenever we obtained S ^{31} and K ^{32}, we can also retrieve K ^{31}. To retrieve K ^{31}, from the first phase of attack which retrieves K ^{32}, we have 24 nibbles of the faulty output of the 30th round’s Sbox layer (B ^{30∗} N ^{ j }) on average, and we require extra 24 nibbles of the faulty output of the 30th round’s Sbox layer to obtain S ^{30} and K ^{31}. We can obtain those faulty states by inducing six extra faults on nibbles of intermediate state at the beginning of the 28th round’s Sbox layer on average.
Therefore, we can obtain K ^{32} given 12 faulty cipher texts on average, where we have injected faults on the nibbles of S ^{29}. To retrieve K ^{31}, we require also to induce faults on the nibbles of intermediate state at the beginning of the 28th round’s Sbox layer. Following the basic attack (with some change in notation and extent formula, see Appendix 1), to retrieve K ^{31}, we require additional six faulty cipher texts on average. Given the round keys K ^{31} and K ^{32}, it is possible to determine the master key uniquely. Hence, in total, it is possible to recover the master key of PRESENT80 given 18 faulty cipher texts on average (An toy example of attacks are given in Appendix 3).
To compare our approach with[25], it must be noted that they have injected fault on the 29th round and tried to find the difference input of Sbox 31st round where they have got some candidates for Sbox inputs of 31st round and then recovered K ^{32} and K ^{31}. On the other hand, the given attack in this paper does not require to find the difference input of Sbox 31st round, and it recovers the Sbox input of 31st round by searching in the differences distribution table of Sbox and then obtains K ^{32}.
Any secure cryptosystems should be protected against DFA attacks. So, any implementation of PRESENT also requires to protect the last round of encryption against the basic DFA attack and protect the 29th and 30th rounds of encryption against the second DFA attack. Therefore, an implementation of PRESENT requires to protect the three last rounds against our DFA attacks.
Remarks 2
Sometimes, we may receive useless faulty nibbles of cipher texts through the experiments which increase the attack complexity, i.e., number of required faulty cipher texts. Based on the random nature of the faults, and also the faults propagation property, it is possible to receive same errors on the same nibbles of the 31st round in different experiments. It should be noted that the errors that we induce in different experiments could be in different nibbles or even in the same nibble. These errors are propagated through the remaining rounds. However, if we receive several errors in a same bit of a nibble at the beginning of the 31st round, then only one of them is useful and the rest do not include new information. For example, following Figure 4 which is drawn for a fault on the first nibble of the internal state of 29th round, if we induce another fault on the same nibble in the next experiment and assume that the output difference of the related Sbox at round 29 is 3, it has overlapped with the previous fault and it does not provide us with new information. It must be noted that we collect the unique nibble of faulty cipher texts and unique nibbles of faulty cipher texts on average to obtain one nibble of S ^{31}.
6 Conclusions
In this paper, we introduced two new DFAs on PRESENT80. Our attacks are based on the injection of the faults on the intermediate state of the cipher and can retrieve the last round key and the master key efficiently. The basic attack which requires to induce a fault on a single bit of nibbles at the input of the last round requires 48 faulty cipher texts on average, and the extended attack which retrieves the master key induces a fault on a nibble of the intermediate states and requires 18 faulty cipher texts on average.
Appendix 1
The difference distribution table of the Sbox and the categorization algorithm for the faulty cipher texts
The differences distribution table of the Sbox
0_{ x }  1_{ x }  2_{ x }  3_{ x }  4_{ x }  5_{ x }  6_{ x }  7_{ x }  8_{ x }  9_{ x }  A _{ x }  B _{ x }  C _{ x }  D _{ x }  E _{ x }  F _{ x }  

0_{ x }  16  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0 
1_{ x }  0  0  0  4  0  0  0  4  0  4  0  0  0  4  0  0 
2_{ x }  0  0  0  2  0  4  2  0  0  0  2  0  2  2  2  0 
3_{ x }  0  2  0  2  2  0  4  2  0  0  2  2  0  0  0  0 
4_{ x }  0  0  0  0  0  4  2  2  0  2  2  0  2  0  2  0 
5_{ x }  0  2  0  0  2  0  0  0  0  2  2  2  4  0  0  0 
6_{ x }  0  0  2  0  0  0  2  0  2  0  0  4  2  0  0  4 
7_{ x }  0  4  2  0  0  0  2  0  2  0  0  0  2  0  0  4 
8_{ x }  0  0  0  2  0  0  0  2  0  2  0  4  0  2  0  4 
9_{ x }  0  0  2  0  4  0  2  0  2  0  0  0  2  0  4  0 
A _{ x }  0  0  2  2  0  4  0  0  2  0  2  0  0  2  2  0 
B _{ x }  0  2  0  0  2  0  0  0  4  2  2  2  0  2  0  0 
C _{ x }  0  0  2  0  0  4  0  2  2  2  2  0  0  0  2  0 
D _{ x }  0  2  4  2  2  0  0  2  0  0  2  2  0  0  0  0 
E _{ x }  0  0  2  2  0  0  2  2  2  2  0  0  2  2  0  0 
F _{ x }  0  4  0  0  4  0  0  0  0  0  0  0  0  0  4  4 
Algorithm 3 Categorize the faulty cipher texts and cipher text in 16 groups based on the difference output of the 30th round’s Sbox layer
Algorithm 4 Obtain one nibble of S ^{ 30 } , given that K ^{ 31 } = P  Layer( S Layer( S ^{ 30 } )) ⊕ S ^{ 31 }
Appendix 2
Additional details of the basic attack
All possible inputs of last round’s Sbox layer for each difference output of last round’s Sbox layer
Difference output of the Sbox  0011  0101  0110  0111  1001  1010  1011  1100  1101  1110  1111 

All possible Sbox inputs  1100  1100  0011  0111  0000  0010  0001  0010  0010  0001  0111 
1101  1110  0111  0110  0001  0000  1001  0110  0011  0011  1111  
1110  1101  1001  1010  0100  1011  0110  1000  1001  1010  1000  
1111  1111  1011  1011  0101  1111  1110  1010  1000  1110  0000  
that make this difference output  0100  0001  1000  1001  0101  
0110  0101  1100  1101  0111  
1011  0000  0101  0010  1100  
0011  0100  1101  1010  1000 
In Table4, it can be seen that given a faulty cipher text, eight candidates for Sbox input with probability$\frac{5}{11}$ have been determined or four candidates for Sbox input with probability$\frac{6}{11}$ have been determined.
All possible Sbox difference outputs for each Sbox input
Sbox input  0000  0001  0010  0011  0100  0101  0110  0111  1000  1001  1010  1011  1100  1101  1110  1111 

All possible difference  0011  1010  1001  0011  0011  0101  0011  0110  0111  0110  0111  0011  0011  0011  0011  0011 
1001  1001  1101  0110  0101  0111  0111  0111  1100  1001  1001  0111  0101  0101  0101  1010  
output of the Sbox  1110  1110  1010  1110  1001  1001  1011  1111  1111  1101  1100  0110  0111  0111  1110  0101 
1111  1011  1100  1101  1101  1101  1100  1101  1101  1011  1110  1010  1101  1001  1011  1111 
Given in Table5, we see that the sets of Sbox difference outputs for each specific input are different. Hence, we can obtain the exact value of the Sbox input with four faulty cipher texts. In the following, we explain the states that two and three faulty cipher texts are given.

When two faulty cipher texts are given, these states can occur:

Two faulty cipher texts determine eight candidates for Sbox input. In this state, when we apply Algorithm 2, we obtain two, three, four, or five candidates for Sbox input.

The first faulty cipher text determined eight candidates for Sbox input, and the second faulty cipher text determined four candidates for Sbox input. If we denote by A the sets of the candidates obtained with the first faulty cipher text except the correct value of Sbox input and by B the sets of the candidates obtained with the second faulty cipher text except the correct value of Sbox input, we can identify the correct value with probability:$\begin{array}{ll}\phantom{\rule{6.5pt}{0ex}}P& =P(A\cap B=\varnothing )=P(\leftA\cap B\right=0)\\ =\frac{\left(\genfrac{}{}{0.0pt}{}{16}{7}\right)\times \left(\genfrac{}{}{0.0pt}{}{167}{3}\right)}{\left(\genfrac{}{}{0.0pt}{}{16}{7}\right)\times \left(\genfrac{}{}{0.0pt}{}{16}{3}\right)}\simeq 15\%\end{array}$

The first faulty cipher text determined four candidates for Sbox input, and the second faulty cipher text determined four candidates for Sbox input.
In this state, we can identify the correct value with probability:$\begin{array}{ll}\phantom{\rule{6.5pt}{0ex}}P& =P(A\cap B=\varnothing )=P(\leftA\cap B\right=0)\\ =\frac{\left(\genfrac{}{}{0.0pt}{}{16}{3}\right)\times \left(\genfrac{}{}{0.0pt}{}{163}{3}\right)}{{\left(\genfrac{}{}{0.0pt}{}{16}{3}\right)}^{2}}\simeq 51\%\end{array}$


When three faulty cipher texts are given, these states can occur:

All faulty cipher texts determined eight candidates for Sbox input.
If we denote by C the sets of the candidates obtained with the third faulty cipher text except the correct value of Sbox input, we can identify the correct value with probability:$\begin{array}{ll}\phantom{\rule{6.5pt}{0ex}}P& =P(A\cap B\cap C=\varnothing )=P(\leftA\cap B\cap C\right=0)\\ =\sum _{k=1}^{4}P(\leftA\cap B\right=k,\leftA\cap B\cap C\right=0)\\ =\sum _{k=1}^{4}P(\leftA\cap B\right=k)\times P(\leftA\cap B\cap C\right=0/\leftA\cap B\right=k)\\ =\frac{\left(\genfrac{}{}{0.0pt}{}{16}{7}\right)\times \left(\genfrac{}{}{0.0pt}{}{7}{k}\right)\times \left(\genfrac{}{}{0.0pt}{}{167}{7k}\right)}{{\left(\genfrac{}{}{0.0pt}{}{16}{7}\right)}^{2}}\times \frac{\left(\genfrac{}{}{0.0pt}{}{16}{k}\right)\times \left(\genfrac{}{}{0.0pt}{}{16k}{7}\right)}{\left(\genfrac{}{}{0.0pt}{}{16}{k}\right)\times \left(\genfrac{}{}{0.0pt}{}{16}{7}\right)}\simeq 18\%\end{array}$The first and second faulty cipher texts determine eight candidates for Sbox input, and the third faulty cipher text determine four candidates for Sbox input.
In this state, we can identify the correct value with probability:$\begin{array}{ll}\phantom{\rule{6.5pt}{0ex}}P& =P(A\cap B\cap C=\varnothing )=P(\leftA\cap B\cap C\right=0)\\ =\sum _{k=1}^{4}P(\leftA\cap B\right=k,\leftA\cap B\cap C\right=0)\\ =\sum _{k=1}^{4}P(\leftA\cap B\right=k)\times P(\leftA\cap B\cap C\right=0/\leftA\cap B\right=k)\\ =\frac{\left(\genfrac{}{}{0.0pt}{}{16}{7}\right)\times \left(\genfrac{}{}{0.0pt}{}{7}{k}\right)\times \left(\genfrac{}{}{0.0pt}{}{167}{7k}\right)}{{\left(\genfrac{}{}{0.0pt}{}{16}{7}\right)}^{2}}\times \frac{\left(\genfrac{}{}{0.0pt}{}{16}{k}\right)\times \left(\genfrac{}{}{0.0pt}{}{16k}{3}\right)}{\left(\genfrac{}{}{0.0pt}{}{16}{k}\right)\times \left(\genfrac{}{}{0.0pt}{}{16}{3}\right)}\simeq 50\%\end{array}$ 
The first faulty cipher texts determine eight candidates for Sbox input, and the second and third faulty cipher texts determine four candidates for Sbox input.
In this state, we can identify the correct value with probability:$\begin{array}{ll}\phantom{\rule{6.5pt}{0ex}}P& =P(A\cap B\cap C=\varnothing )=P(\leftA\cap B\cap C\right=0)\\ =\sum _{k=1}^{4}P(\leftA\cap B\right=k,\leftA\cap B\cap C\right=0)\\ =\sum _{k=1}^{4}P(\leftA\cap B\right=k)\times P(\leftA\cap B\cap C\right=0/\leftA\cap B\right=k)\\ =\frac{\left(\genfrac{}{}{0.0pt}{}{16}{7}\right)\times \left(\genfrac{}{}{0.0pt}{}{7}{k}\right)\times \left(\genfrac{}{}{0.0pt}{}{167}{3k}\right)}{\left(\genfrac{}{}{0.0pt}{}{16}{7}\right)\times \left(\genfrac{}{}{0.0pt}{}{16}{3}\right)}\times \frac{\left(\genfrac{}{}{0.0pt}{}{16}{k}\right)\times \left(\genfrac{}{}{0.0pt}{}{16k}{3}\right)}{\left(\genfrac{}{}{0.0pt}{}{16}{k}\right)\times \left(\genfrac{}{}{0.0pt}{}{16}{3}\right)}\simeq 62\%\end{array}$
Appendix 3
A toy example of attacks
The details of our toy example
Cipher text  x x x 0x x x 1x x x 0x x x 1  

Fault location  ${S}^{31}{N}_{0}^{0}$  ${S}^{31}{N}_{1}^{0}$  ${S}^{31}{N}_{2}^{0}$  ${S}^{31}{N}_{3}^{0}$ 
Faulty cipher texts  x x x 0x x x 0x x x 1x x x 0  x x x 1x x x 0x x x 0x x x 1  x x x 1x x x 0x x x 1x x x 1  x x x 1x x x 1x x x 0x x x 0 
P−Layer^{−1}(C ⊕ D)  0000000000000111  0000000000001100  0000000000001110  0000000000001001 
The details of Algorithm 2
Lists  L  M  Update L  New M  Update L 

Difference output of the Sbox  0111  1001  1100  
All pairs of Sbox input  0111  0001  1010  1010  1010 
0110  0000  0101  1000  
1010  0100  1101  0001  
1011  0101  0110  
that make this difference output  1000  1001  
1100  1101  
0101  0010  
1101  1010 
After we obtain S ^{31} N ^{0}, we obtain 4 bits of K ^{32}.
The key and more details of our example
Plaintext  F F F F F F F F F F F F F F F F 

Key  00000000000000000000 
S ^{29}  D 79F 5742C E E 5A 802 
S ^{30}  60991D 31835A 96D D 
S ^{31}  D E 21C D 50C 1F D B 05F 
K ^{31}  8B A 27A 0E B 8783A C 9 
K ^{32}  6D A B 31744F 41D 700 
Cipher text  A 112F F C 72F 68417B 
The value of fault in S ^{ 29 } N ^{ j }
j  0  1  2  3  4  5  6  7  8  9  10  11  12  13  14  15 

The value of fault in S ^{29} N ^{ j }  3  B  1  A  2  6  C  D  8  7  5  3  F  9  4  B 
The details of Algorithms 1 and 2
Algorithm  j  0  1  2  3  4  5  6  7  8  9  10  11  12  13  14  15 

Algorithm 1  ΔB ^{31} N ^{ j }  3  9  9  3  5  A  5  3  A  5  3  D  B  9  E  3 
5  D  5  6  7  3  E  5  5  7  5  5  5  A  3  7  
A  5  A  7  9  5  B  7  9  9  7  7  9  C  B  5  
F  7  F  A  D  F  D  9  D  5  9  
Algorithm 2  S ^{31} N ^{ j }  F  5  0  B  D  F  1  C  0  5  D  C  1  2  E  D 
5  E  5 
In Table10, two candidates existed for nibbles 4, 6, and 11 of S ^{31}, so for obtaining the exact value of these nibbles, we have to inject at least three faults on S ^{29}. In total, we obtain 13 nibbles of K ^{32}, 9 nibbles of K ^{31}, and two candidates for some nibbles of K ^{32} and K ^{31} with 16 faulty cipher texts (in this example). For recovering whole of K ^{31}, we have to inject some faults as mentioned in Section 5.
Declarations
Authors’ Affiliations
References
 Boneh D, DeMillo RA, Lipton RJ: On the importance of checking cryptographic protocols for faults (extended abstract). In EUROCRYPT. Edited by: Fumy W. Heidelberg: Springer; 1997:3751.Google Scholar
 Biham E, Shamir A: Differential fault analysis of secret key cryptosystems. In CRYPTO. Edited by: Kaliski Jr. BS. Heidelberg: Springer; 1997:513525.Google Scholar
 Hemme L: A differential fault attack against early rounds of (Triple)DES. In CHES. Edited by: Joye M, Quisquater JJ. Heidelberg: Springer; 2004:254267.Google Scholar
 Rivain M: Differential fault analysis on DES middle rounds. In CHES. Edited by: Clavier C, Gaj K. Heidelberg: Springer; 2009:457469.Google Scholar
 Dusart P, Letourneux G, Vivolo O: Differential fault analysis on A.E.S. In ACNS. Edited by: Zhou J, Yung M, Han Y. Heidelberg: Springer; 2003:293306.Google Scholar
 Giraud C: DFA on AES. In AES Conference. Edited by: Dobbertin H, Rijmen V, Sowa A. Heidelberg: Springer; 2004:2741.Google Scholar
 Giraud C, Thillard A: Piret and quisquater’s DFA on AES revisited. IACR Cryptology ePrint Arch 2010, 2010: 440.Google Scholar
 Kim CH: Differential fault analysis of AES: Toward reducing number of faults. IACR Cryptology ePrint Arch 2011, 2011: 178.Google Scholar
 Kim CH, Quisquater JJ: New differential fault analysis on AES key schedule: two faults are enough. In CARDIS. Edited by: Grimaud G, Standaert FX. Heidelberg: Springer; 2008:4860.Google Scholar
 Piret G, Quisquater JJ: A differential fault attack technique against SPN structures, with application to the AES and KHAZAD. In CHES. Edited by: Walter CD, Koc CK, Paar C. Heidelberg: Springer; 2003:7788.Google Scholar
 Tunstall M, Mukhopadhyay D, Ali S: Differential fault analysis of the advanced encryption standard using a single fault. In WISTP. Edited by: Ardagna CA, Zhou J. Heidelberg: Springer; 2011:224233.Google Scholar
 Bagheri N, Ebrahimpour R, Ghaedi N: Differential fault analysis on PRINTcipher. IET Netw 2013., 2(1):Google Scholar
 jie Zhao X, Wang T: An improved differential fault attack on camellia. IACR Cryptology ePrint Arch 2009, 2009: 585.Google Scholar
 jie Zhao X, Wang T, zhe Gao J: Multiple bytes differential fault analysis on CLEFIA. IACR Cryptology ePrint Arch 2010, 2010: 78.Google Scholar
 Takahashi J, Fukunaga T: Differential fault analysis on CLEFIA with 128, 192, and 256bit keys. IEICE Trans 2010, 93A(1):136143.View ArticleGoogle Scholar
 Biham E, Granboulan L, Nguyen PQ: Impossible fault analysis of RC4 and differential fault analysis of RC4. In Lecture Notes in Computer Science, vol. 3557. Edited by: Gilbert H, Handschuh. FSE H. Heidelberg: Springer; 2005:359367.Google Scholar
 Li R, Sun B, Li C, You J: Differential fault analysis on SMS4 using a single fault. Inf. Process. Lett 2011, 111(4):156163. 10.1016/j.ipl.2010.11.011MathSciNetView ArticleGoogle Scholar
 Li W, Gu D, Li J: Differential fault analysis on the ARIA algorithm. Inf. Sci 2008, 178(19):37273737. 10.1016/j.ins.2008.05.031View ArticleGoogle Scholar
 Bogdanov A, Knudsen LR, Leander G, Paar C, Poschmann A, Robshaw MJB, Seurin Y, Vikkelsoe C: PRESENT: an ultralightweight block cipher. In CHES. Edited by: Paillier P, Verbauwhede I. Heidelberg: Springer; 2007:450466.Google Scholar
 Cho JY: Linear cryptanalysis of reducedround PRESENT. In CTRSA. Edited by: Piepryzk J. Heidelberg: Springer; 2010:302317.Google Scholar
 Özen O, Varici K, Tezcan C, Kocair Çelebi: Lightweight block ciphers revisited: cryptanalysis of reduced round PRESENT and HIGHT. In ACISP. Edited by: Boyd C, Nieto JG. Heidelberg: Springer; 2009:90107.Google Scholar
 Wang M: Differential cryptanalysis of PRESENT. IACR Cryptology ePrint Arch 2007, 2007: 408.Google Scholar
 Wang M: Differential cryptanalysis of reducedround PRESENT. In AFRICACRYPT. Edited by: Wang MM. Heidelberg: Springer; 2008:4049.Google Scholar
 Wang G, Wang S: Differential fault analysis on PRESENT key schedule. In CIS. Edited by: Schindler W, Huss SA. Heidelberg: Springer; 2010:362366.Google Scholar
 jie Zhao X, Wang T, Guo S: Faultpropagation pattern based DFA on SPN structure block ciphers using bitwise permutation, with application to PRESENT and PRINTcipher. IACR Cryptology ePrint Arch 2011, 2011: 86.Google Scholar
 Mirbaha AP, Dutertre JM, Ribotta AL, Agoyan M, Tria A, Naccache D: Singlebit DFA using multiplebyte laser fault injection. IEEE International Conference on Technologies for Homeland Security, Waltham, 8–10 Nov 2010Google Scholar
Copyright
This article is published under license to BioMed Central Ltd. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/2.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.