New differential fault analysis on PRESENT

In this paper, we present two differential fault analyses on PRESENT-80 which is a lightweight block cipher. The first attack is a basic attack which induces a fault on only one bit of intermediate states, and we can obtain the last subkey of the block cipher, given 48 faulty cipher texts on average. The second attack can retrieve the master key of the block cipher, given 18 faulty cipher texts on average. In the latter attack, we assume that we can induce faults on a single nibble of intermediate states. Given those faulty cipher texts, the computational complexity of attacks is negligible.


Introduction
Boneh et al. introduced the fault attack in September 1996 [1]. Later, in October 1996, Biham and Shamir published an attack on secret key cryptosystems called differential fault analysis (DFA) which combined the ideas of fault attack and differential attack [2]. Given a plaintext, the DFA attack derived information about the secret key by examining the differences between a related cipher text resulting from a correct encryption and a cipher text of the same plaintext resulting from a faulty encryption. Normally, a faulty cipher text is taken by giving external impact on a device with voltage variation, glitch, laser, etc. A fault may be induced with these external impacts; however, we know neither the location nor the value of the fault. This attack is commonly used to analyze the security of cryptosystems. DFA have been employed to attack several block ciphers where DES [3,4], AES [5][6][7][8][9][10][11], PRINTCIPHER [12], Camellia [13], CALEFIA [14,15], RC4 [16], SMS4 [17], and ARIA [18] are examples. In general, there are two techniques to apply a DFA attack on a block cipher. The first one assumes that the intermediate states were corrupted by the fault injection and tries to recover the key, while the second form assumes that the key schedule algorithm was corrupted by the fault injection and tries to recover the key.
PRESENT is an ultra-lightweight block cipher proposed at CHES 2007 by Bogdanov et al. This block cipher is an SP network-based cipher and consists of 31 rounds. The block length is 64 bits, and two key lengths of 80 *Correspondence: ebrahimpour@ipm.ir Electrical Engineering Department, Shahid Rajaee Teacher Training University, Tehran, Iran and 128 bits are supported [19], denoted by PRESENT-80 and PRESENT-128, respectively. Several basic attacks such as differential cryptanalysis, linear cryptanalysis, and their variants have been applied on PRESENT already [20][21][22][23]. In this paper, we concentrate on the security of PRESENT-80 against DFA attack.

Previous works
A DFA on PRESENT-80 key schedule has been proposed by Wang et al. [24]. They assumed that the key schedule was corrupted by the fault injection and tried to recover the key. They have reduced the master key search space of PRESENT-80 to 2 29 with 64 pairs of correct and faulty cipher texts on average. In addition, Zhao et al. [25] proposed a fault propagation pattern-based DFA on PRESENT-80/128. They reduce the master key search space of PRESENT-80/128 to 2 14.7 and 2 21.1 , respectively, with 8 and 16 pairs of correct and faulty cipher texts on average.

Paper contributions
In this paper, we present two differential fault analyses on PRESENT-80. For the first attack, we assume that the fault occurs on only one bit of the intermediate states. In the second attack, we induce a fault on a single nibble of the intermediate states and we employ our first attack to retrieve the master key. Our attack can recover the master key, given 18 faulty cipher texts on average. http://asp.eurasipjournals.com/content/2013/1/145

Paper organization
The notations used in the paper are presented in Section 3. PRESENT is briefly described in Section 3.2. In Section 4, we describe our basic attack. We present another DFA attack based on the basic attack in Section 5. Finally, we conclude the paper in Section 6.

Notations
Throughout the paper, we use the following notations: • P : denotes the plaintext.
• K : denotes the master key. • S i : denotes the correct state before ith round's S-box layer and S i j denotes the jth bit of S i . • S i * : denotes the faulty state before ith round's S-box layer. • S i N j : denotes the jth nibble of state before ith round's S-box layer and S i N j n denotes its nth bit of the nibble. • B i : denotes the state after ith round's S-box layer and B i N j denotes the jth nibble of B i . • B i * : denotes the faulty state after ith round's S-box layer and B i * N j denotes the jth nibble of B i * . • K i : denotes ith subround key and K i j denotes the jth bit of K i . • C : denotes the correct cipher text.
• D : denotes the faulty cipher text.

Description of PRESENT
The PRESENT block cipher, depicted in Figure 1, is an ultra-lightweight substitution-permutation network and consists of 31 rounds. The block length is 64 bits. The cipher supports 80 and 128-bit secret keys. Each round of PRESENT consists of three stages: key addition, nonlinear substitution layer, and bit-wise permutation layer.

Key addition
As the first step of ith round, for 1 ≤ i ≤ 32, the current state is combined using bit-wise XOR with the ith round subkey.
where K 32 is used for postwhitening.

Substitution layer (S-box)
The output of the key addition stage goes through the S-box layer ( Table 1) which is the non-linear operation of the round. The S-box used in PRESENT is a single 4-bit to 4-bit S-box which is applied 16 times in parallel. The action of the S-box is shown by the following table.

Permutation layer P
Finally, the output of the S-box layer is rearranged to the permutation layer (Table 2). Following this operation, bit i of the current state is moved to the bit position P(i).
The key schedule algorithm supports two key lengths of 80 and 128 bits. However, we do not explain the key schedule algorithm here because it is not directly relevant to our attack. For more information about the key schedule, the interested reader can refer to [19].

The basic DFA attack
In this section, we introduce a basic DFA attack against PRESENT-80 which is based on the injection of a fault on only one bit of intermediate states at the beginning of the last round's S-box layer. The given attack requires a singlebit fault in the last round of the cipher which may sound difficult in practice. However, the recent results [26] show the feasibility of this type of DFA attacks.
The main idea of the given attack is to obtain S 31 by searching in the differences distribution table of the S-box (see Appendix 1), then we can obtain K 32 . Injection of a single-bit fault on the jth nibble of S 31 , S 31 N j , can be on S 31 N j 0 , S 31 N j 1 , S 31 N j 2 , or S 31 N j 3 . We denote the difference between the jth nibble of the correct state S 31 N j and the jth nibble of the faulty state S 31 * N j by a, i.e., a = S 31 N j ⊕ S 31 * N j . Hence, there are four possible fault differences for this nibble, a ∈ {1, 2, 4, 8}. In Figure 2, an example of the fault required for the basic attack is given where the first bit of the first nibble of S 31 is corrupted.
Through the attack, we assume that the master key and the input plaintext remain fixed. Moreover, for each faulty cipher text, exactly one bit of S 31 is randomly modified. To recover the last round key, following this attack, Table 1 The substitution layer (S-box)  To find out the nibble of S 31 which is involved in the faults, the adversary may reverse the difference output of P layer (P layer −1 (C ⊕ D)) following the approaches presented in Algorithms 1 and 2 to obtain one nibble of S 31 . Algorithm 1 arranges the faulty cipher texts and correct the cipher text in 16 groups of difference outputs of last round's S-box layer, i.e., B 31 N j for 1 ≤ j ≤ 16.

S-box action
In each specific group, the bits of faults occurred on the bits of the same nibble and the related nibble of S 31 , S 31 N j , can be obtained following Algorithm 2. On the other hand, Algorithm 1 determines for each faulty cipher text, which the nibble has been corrupted. Hence, at the end of Algorithm 1, we expect to receive three difference outputs of last round's S-box layer for each nibble. It is possible to repeat Algorithm 2 and retrieve whole nibbles of S 31 . Given S 31 and the correct cipher text C, K 32 can be extracted as follows: Hence, following the given attack, it is possible to retrieve K 32 given on average 48 faulty cipher texts and related correct cipher text for the fixed value of input message P (Additional details of the basic attack are given in Appendix 2).
If we can induce a fault on one bit of several nibbles of S 31 for each fault experiment, we can reduce the required number of faulty cipher texts to obtain S 31 and K 32 . In this case, we can still use Algorithms 1 and 2 for obtaining S 31 and K 32 . Obviously, the injection of a single bit fault for a nibble of S 31 generates a faulty nibble at the output of last round's S-box layer, and single bit faults injection on several nibbles of S 31 generates several faulty nibbles at the output of last round's S-box layer.

Algorithm 1 Determining the faulty output of last round's S-box layer
Step 1. Consider the correct and faulty cipher text, and compute the difference output of last round's S-box layer by in the fault(s), and save this (these) nibble(s) of the difference output(s) of last round's S-box layer, B 31 N j , in related group(s).
Step 3. Consider another faulty cipher texts, and repeat step1 and step 2 till when there are at least 3 distinct recodes for each nibble of the difference output(s) of last round's S-box layer.
Step 4. Apply Algorithm 2 on each group.

Algorithm 2 Obtain one nibble of S 31
Step 1. Consider a member of this group ( B 31 N j ). Then set up a list L containing all pairs that makes this difference output of S-box by searching in the differences distribution table of the S-box (remember that difference input can be a ∈ {1, 2, 4, 8}). Step 2. Repeat step 1 with another member of this group, and store candidates in the new list M.
Step 3. Consider L and M Then remove non-member common of L.
Step 4. Go to step 2 until there remains only one candidate in L.
In Figure 3, the flowchart of this attack is depicted. Given K 32 , a similar attack can be used to retrieve S 30 and K 31 and finally recover the master key. However, the number of required faulty cipher texts would be increased (96 faulty cipher texts on average), but in the next section, we show an approach to obtain the master key given 18 faulty cipher texts on average.

Remarks 1.
It must be noted that sometimes faulty cipher texts will be repeated (if we inject a fault on the same bit http://asp.eurasipjournals.com/content/2013/1/145 of S 31 ), and we exclude this faulty cipher text. We collect three unique faulty cipher texts on average for obtaining each nibble of S 31 .

The second DFA attack
In the previous section, we described a basic attack that, on each experiment, induces a fault on a single bit of intermediate state of the last round. In this section, to retrieve the whole master key, we extend the previous attack such that the adversary can inject a fault on one nibble rather than a bit.
In the design criteria of PRESENT, it has been stated that: 1. The four input bits to an S-box come from four distinct S-boxes of the same group. 2. The input bits to a group of 4 S-boxes come from 16 different S-boxes. 3. The four output bits from a particular S-box enter four distinct S-boxes, each of which belongs to a distinct group of S-boxes in the subsequent round. 4. The output bits of S-boxes in distinct groups go to distinct S-boxes.
Following the above criteria, we state that: We can use this approach to reduce the number of required faulty cipher texts in the basic attack (same as when we can induce the single bit faults on several nibbles of S 31 in the basic attack). An example of fault injection at the beginning of the 29th round's S-box layer and its propagation toward 31st round has been depicted in Figure 4. In this picture, for the sake of simplicity, we have assumed that the first nibble of S 29 is corrupted. It can be seen that eight nibbles of S 31 have been corrupted, and also, only one bit of inputs of each faulty S-boxes at 31st round is corrupted. Therefore, we can apply the basic attack on the received data. However, in the new fault model, we receive on average four faulty nibbles at the output 31st round in each fault injection (four nibbles of the output of the last round's S-box layer were corrupted). Hence, the required number of faulty cipher texts to obtain the S 31 is reduced to 12. Whenever we obtained S 31 and K 32 , we can also retrieve K 31 . To retrieve K 31 , from the first phase of attack which retrieves K 32 , we have 24 nibbles of the faulty output of the 30th round's S-box layer (B 30 * N j ) on average, and we require extra 24 nibbles of the faulty output of the 30th round's S-box layer to obtain S 30 and K 31 . We can obtain those faulty states by inducing six extra faults on nibbles of intermediate state at the beginning of the 28th round's S-box layer on average. http://asp.eurasipjournals.com/content/2013/1/145 Figure 3 The flowchart of DFA on present. Therefore, we can obtain K 32 given 12 faulty cipher texts on average, where we have injected faults on the nibbles of S 29 . To retrieve K 31 , we require also to induce faults on the nibbles of intermediate state at the beginning of the 28th round's S-box layer. Following the basic attack (with some change in notation and extent formula, see Appendix 1), to retrieve K 31 , we require additional six faulty cipher texts on average. Given the round keys K 31 and K 32 , it is possible to determine the master key uniquely. Hence, in total, it is possible to recover the master key of PRESENT-80 given 18 faulty cipher texts on average (An toy example of attacks are given in Appendix 3).
To compare our approach with [25], it must be noted that they have injected fault on the 29th round and tried to find the difference input of S-box 31st round where they have got some candidates for S-box inputs of 31st round and then recovered K 32 and K 31 . On the other hand, the given attack in this paper does not require to find the difference input of S-box 31st round, and it recovers the S-box input of 31st round by searching in the differences distribution table of S-box and then obtains K 32 .
Any secure cryptosystems should be protected against DFA attacks. So, any implementation of PRESENT also requires to protect the last round of encryption against the basic DFA attack and protect the 29th and 30th rounds of encryption against the second DFA attack. Therefore, an implementation of PRESENT requires to protect the three last rounds against our DFA attacks.

The difference distribution table of the S-box and the categorization algorithm for the faulty cipher texts
The difference distribution table of the S-box is shown in Table 3. The categorization algorithm for the faulty cipher texts is shown in Algorithm 3.

Algorithm 3 Categorize the faulty cipher texts and cipher text in 16 groups based on the difference output of the 30th round's S-box layer
Step 1. Consider the correct and faulty cipher text, and compute difference output of 30th round's S-box layer by Step 2. Find nibble(s) of S 30 which is (are) involved in the fault, and save this (these) nibble(s) of the difference output of 30th round's S-box layer, B 30 N j , in the related group(s).
Step 3. Consider another faulty cipher text, and repeat step1 and step 2 till when there are at least 3 distinct recodes for each nibble of difference output(s) of 30th round's S-box layer.

Algorithm 4 Obtain one nibble of S 30 , given that K 31 =P-Layer(S-Layer(S 30 ))⊕ S 31
Step 1. Consider a member of this group, B 30 N j , then set up a list L containing all pairs that makes this difference output of S-box by searching in the differences distribution table of the S-box (remember that difference input can be a ∈ {1, 2, 4, 8}). Step 2. Repeat step 1 with another member of this group, and store candidates in the new list M.
Step 3. Consider L and M then remove non-common members from L. Step 4. Go to step 2 until there remains only one candidate in L.

Additional details of the basic attack
For each faulty cipher text, we have got a difference output of the last round's S-box layer, and we can determine possible inputs of the last round's S-box layer by searching in the differences distribution table of the S-box. In Table 4, all possible inputs of the last round's S-box layer for each difference output of the last round's S-box layer are shown (remember that difference input can be a ∈ {1, 2, 4, 8}). In Table 4, it can be seen that given a faulty cipher text, eight candidates for S-box input with probability 5 11 have been determined or four candidates for S-box input with probability 6 11 have been determined. In Table 5, all S-box difference outputs for each S-box input, with one bit difference in S-box input, are depicted. Table 5, we see that the sets of S-box difference outputs for each specific input are different. Hence, we can obtain the exact value of the S-box input with four faulty cipher texts. In the following, we explain the states that two and three faulty cipher texts are given.

Given in
• When two faulty cipher texts are given, these states can occur: -Two faulty cipher texts determine eight candidates for S-box input. In this state, when we apply Algorithm 2, we obtain two, three, four, or five candidates for S-box input. -The first faulty cipher text determined eight candidates for S-box input, and the second faulty cipher text determined four candidates for S-box input. If we denote by A the sets of the candidates obtained with the first faulty cipher text except the correct value of S-box input and by B the sets of the candidates obtained with the second faulty cipher text except the correct value of S-box input, we can identify the correct value with probability:

15%
-The first faulty cipher text determined four candidates for S-box input, and the second Table 3 The differences distribution table of the S-box
In this state, we can identify the correct value with probability: • When three faulty cipher texts are given, these states can occur: -All faulty cipher texts determined eight candidates for S-box input. If we denote by C the sets of the candidates obtained with the third faulty cipher text except the correct value of S-box input, we can identify the correct value with probability:

18%
-The first and second faulty cipher texts determine eight candidates for S-box input, and the third faulty cipher text determine four candidates for S-box input.
In this state, we can identify the correct value with probability:

50%
-The first faulty cipher texts determine eight candidates for S-box input, and the second and third faulty cipher texts determine four candidates for S-box input.
In this state, we can identify the correct value with probability:

A toy example of attacks
Assume that a message M is encrypted by PRESENT-80, the basic attack works as follows. For the sake of simplicity, we assume that the first nibble of S 31 , S 31 N 0 , is A in hexadecimal ((1010) 2 in binary). So, if we inject a singlebit fault on S 31 N 0 , we obtain a faulty cipher text D. If we do this fault injection to other bits of S 31 N 0 , we have four faulty cipher texts that is shown in the following table (Table 6, note that throughout the attack, we do not know the fault location, and we put this value in this table only for the reader): So we show each step of Algorithm 2 in the following table (Table 7): After we obtain S 31 N 0 , we obtain 4 bits of K 32 . For verifying the second attack, we present an example that the message, key, and some details are shown in Table 8. We injected 16 faults on S 31 in random and have got 16 faulty cipher texts. In Table 9, the value and location of faults were given (this table was given just for the reader); then, in Table 10, the results of Algorithms 1 and 2 were given.
In Table 10, two candidates existed for nibbles 4, 6, and 11 of S 31 , so for obtaining the exact value of these nibbles, we have to inject at least three faults on S 29 . In total, we obtain 13 nibbles of K 32 , 9 nibbles of K 31 , and two candidates for some nibbles of K 32 and K 31 with 16 faulty cipher texts (in this example). For recovering whole of K 31 , we have to inject some faults as mentioned in Section 5.