Linear Fault Analysis of
Block Ciphers
Zhiqiang Liu1, Dawu Gu1, Ya Liu1, Wei Li2
1. Shanghai Jiao Tong University
2. Donghua University
ACNS 2012
June 28 , 2012
Shanghai Jiao Tong University
Outline
Brief Introduction of Fault Attack
A New Extension to Fault Attack:
Linear Fault Analysis (LFA)
A Key Recovery Attack on SERPENT by Using LFA
Conclusion and Discussion
http://LoCCS.sjtu.edu.cn
Brief Introduction of Fault Attack (1/5)
Shanghai Jiao Tong University
Fault analysis is a class of implementation attacks that disturb
cryptographic computations so as to recover secret keys.
In Eurocrypt 1996, Boneh et al. firstly proposed the idea of
fault attack.
In Crypto 1997, Biham et al. presented an extension to the
above approach, i.e., Differential Fault Analysis (DFA).
http://LoCCS.sjtu.edu.cn
Brief Introduction of Fault Attack (2/5)
Shanghai Jiao Tong University
About fault injection:
An attacker is able to deliberately interfere the normal operation
of the device with voltage variations, clock glitches and lasers so
as to induce faults.
A laser with certain energy and wavelength could interfere fixed
parts of the memory/registers without damaging them, resulting
in single bit/byte error at some internal state accurately.
http://LoCCS.sjtu.edu.cn
Brief Introduction of Fault Attack (3/5)
Shanghai Jiao Tong University
Basic idea of differential fault analysis (DFA):
Cryptographic Device
X=1|1|0|0|1|0|1|0
Y=0|1|0|0|0|0|1|1
Cryptographic Procedures
△Y=Y⊕Y*=1|0|0|1|1|1|1|0
X=1|1|0|0|1|0|1|0
Internal Round
1|0|0|0|1|0|1|1
1|0|0|0|0|0|1|1
http://LoCCS.sjtu.edu.cn
Radiation
X-Ray
Micro-Probe
Y*=1|1|0|1|1|1|0|1
Brief Introduction of Fault Attack (4/5)
Shanghai Jiao Tong University
Research work with respect to DFA:
DFA has been used as an effective cryptanalytic tool to
evaluate the security of various block ciphers such as DES,
AES, IDEA, CLEFIA, SMS4, ARIA, Camellia, and so on.
Some extensions to DFA have been presented in order to
make fault attack more efficient.
http://LoCCS.sjtu.edu.cn
Brief Introduction of Fault Attack (5/5)
Shanghai Jiao Tong University
General countermeasure against DFA:
Basically, DFA techniques target the last few rounds of a block
cipher, i.e., faults will be triggered at the last few rounds of the
cipher so as to induce information leakage.
The general countermeasure against DFA is to protect the last
few rounds of the cipher by means of redundancy.
For a block cipher, the practical implementations used to thwart
DFA will cover as less protected rounds as possible.
http://LoCCS.sjtu.edu.cn
Shanghai Jiao Tong University
A New Extension to Fault Attack:
Linear Fault Analysis (LFA) (1/8)
We first apply the idea of linear cryptanalysis in fault attack
and present a new fault attack on block ciphers called linear
fault analysis (LFA).
Fault Model and Assumption in LFA:
Random single-bit/single-byte fault model induced at some
certain round.
 The values and positions (within the impacted round) of the faults
injected by the attacker are unknown and randomly distributed.
http://LoCCS.sjtu.edu.cn
Shanghai Jiao Tong University
A New Extension to Fault Attack:
Linear Fault Analysis (LFA) (2/8)
Basic idea of LFA:
http://LoCCS.sjtu.edu.cn
Shanghai Jiao Tong University
A New Extension to Fault Attack:
Linear Fault Analysis (LFA) (3/8)
How LFA works?
Let E be a block cipher and decompose the cipher into E = E1 ◦ E0.
Let ΓP · P ⊕ΓC · C = ΓK ·K (also denoted as ΓP → ΓC) be a linear
approximation for E1 with probability ½ +ε.
Let SΓP→ΓC be a set consisting of all bits of P involving in the item ΓP · P.
Suppose that an attacker has the ability to induce single-bit faults at the
input of E1 repeatedly and the error bits don’t belong to the set SΓP→ΓC , then
an effective distinguisher ΓC · C1 ⊕ ΓC · C2 = 0 for the cipher E with
probability ½ + 2ε2 can be derived by the attacker.
http://LoCCS.sjtu.edu.cn
Shanghai Jiao Tong University
A New Extension to Fault Attack:
Linear Fault Analysis (LFA) (4/8)
How LFA works? (to continue)
Based on the above distinguisher, we can mount a key recovery attack on
E′= E2 ◦E = E2 ◦E1 ◦E0 by guessing part of the subkey information used in
E2.
Attack procedure:
Step 1. Given the linear characteristic ΓP → ΓC for E1, collect N pairs of
ciphertexts, each pair consisting of a right ciphertext C1i under E′and the
corresponding faulty ciphertext C2i derived by injecting single-bit fault at
any position of the input of E1, where 1 ≤ i ≤ N.
http://LoCCS.sjtu.edu.cn
Shanghai Jiao Tong University
A New Extension to Fault Attack:
Linear Fault Analysis (LFA) (5/8)
How LFA works? (to continue)
Step 2. Let Kg denote the subkey information which is related to the item ΓC
· E2-1(Cji). Then for each possible value of Kg, do as below:
 Initialize a counter TKg firstly.
 For each ciphertext pair (C1i, C2i), implement the partial decryptions of C1i and
C2i respectively and compute the parity of ΓC · E2-1(C1i)⊕ΓC · E2-1(C2i). If the
parity is 0, increase the relevant counter TKg by 1, and decrease by 1 otherwise.
 Store the value of Kg as well as the absolute value of the corresponding TKg.
Step 3. For all possible values of Kg, compare the stored values and take the
value of Kg as the correct key information if the absolute value of the
corresponding TKg is maximal.
http://LoCCS.sjtu.edu.cn
Shanghai Jiao Tong University
A New Extension to Fault Attack:
Linear Fault Analysis (LFA) (6/8)
Why the above attack works?
Case 1: the guessed value of Kg is correct
 For any ciphertext pair (C1i, C2i) in which C2i is derived by inducing single-bit
fault at the input of E1 such that the error bit is not in the set SΓP→ΓC:
the equation ΓC · E2-1(C1i)⊕ΓC · E2-1(C2i) = 0 holds with probability ½ + 2ε2;
 For any ciphertext pair (C1i, C2i) where C2i is obtained by injecting single-bit
fault at the input of E1 such that the error bit belongs to the set SΓP→ΓC:
the equation ΓC · E2-1(C1i)⊕ΓC · E2-1(C2i) = 1 holds with probability ½ + 2ε2;
Thus in this case, we can estimate |TKg| by the following formula:
| TK g | N  | 1  2  (# SP C ) / m | 4 2
http://LoCCS.sjtu.edu.cn
Shanghai Jiao Tong University
A New Extension to Fault Attack:
Linear Fault Analysis (LFA) (7/8)
Why the above attack works? (to continue)
Case 2: the guessed value of Kg is wrong
 According to the Wrong-Key Randomization Hypothesis, it’s assumed
that the wrong guess of Kg results in a random-looking parity of ΓC · E21(C i)⊕Γ · E -1(C i).
1
C
2
2
 Thus in this case the value of |TKg| approximates to 0.
Therefore, it is feasible to distinguish the correct value of Kg from all wrong
guesses of Kg by applying the above key recovery attack if given sufficient
ciphertext pairs (C1i, C2i) .
http://LoCCS.sjtu.edu.cn
Shanghai Jiao Tong University
A New Extension to Fault Attack:
Linear Fault Analysis (LFA) (8/8)
The number of ciphertext pairs required in our key recovery
attack can be estimated by the following formula:
cN 
1
1
 4
| 1  2  (# SP C ) / m | 4
Moreover, similar result can be derived regarding the linear
fault analysis under the condition of single-byte fault model.
http://LoCCS.sjtu.edu.cn
A Key Recovery Attack on SERPENT
by Using LFA (1/7)
SERPENT block cipher:
Shanghai Jiao Tong University
proposed by Anderson et al in 1998
As a candidate of AES contest, it was
rated just behind the AES Rijndael
classical SPN structure with 32 rounds
block size: 128 bits
key size: 128, 192 or 256 bits
Schematic description of SERPENT at
the right side
http://LoCCS.sjtu.edu.cn
Shanghai Jiao Tong University
A Key Recovery Attack on SERPENT
by Using LFA (2/7)
Current status of fault analysis for SERPENT:
So far there isn't any known fault attack on SERPENT which can be done
by inducing faults at the round earlier than the penultimate round of the
cipher.
Countermeasure against fault attack on SERPENT:
It could be implemented by protecting the last two rounds of the cipher if
taking into account the cost and efficiency of the implementation.
However, our effective attack shows that LFA could be a
threat to the protected implementation of SERPENT.
http://LoCCS.sjtu.edu.cn
Shanghai Jiao Tong University
A Key Recovery Attack on SERPENT
by Using LFA (3/7)
Assume that single-bit faults can be injected at the input of the round 29
(that is, third from the last round) of SERPENT repeatedly and randomly.
We construct twelve 2-round linear characteristics ΓPi → ΓCi (1 ≤ i ≤ 12)
for the rounds from round 29 to round 30 of SERPENT.
We could derive twelve distinguishers for the 31 rounds from round 0 to
round 30 of SERPENT as below:
Ci  SERPENTlr1 (C1 )  Ci  SERPENTlr1 (C2 )  0, 1  i  12
http://LoCCS.sjtu.edu.cn
Shanghai Jiao Tong University
A Key Recovery Attack on SERPENT
by Using LFA (4/7)
Linear characteristics used in our attack:
http://LoCCS.sjtu.edu.cn
Shanghai Jiao Tong University
A Key Recovery Attack on SERPENT
by Using LFA (5/7)
Linear characteristics used in our attack (to continue):
http://LoCCS.sjtu.edu.cn
Shanghai Jiao Tong University
A Key Recovery Attack on SERPENT
by Using LFA (6/7)
Linear characteristics used in our attack (to continue):
http://LoCCS.sjtu.edu.cn
Shanghai Jiao Tong University
A Key Recovery Attack on SERPENT
by Using LFA (7/7)
By applying the above twelve distinguishers sequentially, we can recover
all the 128 bits of K32.
Strip the last round by decrypting with K32, and mount an attack on the
reduced-round cipher similarly so as to get the 128 bits of K31.
Attack complexity:
data complexity: 223.14 correct/faulty ciphertext pairs
time complexity: 231.73 SERPENT encryptions
memory complexity: 226.14 bytes
http://LoCCS.sjtu.edu.cn
Shanghai Jiao Tong University
Conclusion and Discussion (1/2)
We have proposed a new extension to fault attack on block ciphers, i.e.,
linear fault analysis (LFA), in which linear cryptanalysis is combined with
fault attack delicately.
In order to illustrate the effectiveness of LFA, we have applied it to
analyze the security of SERPENT and achieved the currently best
cryptanalytic result on SERPENT with respect to fault attack.
http://LoCCS.sjtu.edu.cn
Shanghai Jiao Tong University
Conclusion and Discussion (2/2)
Note that our key recovery attack on SERPENT has a data complexity which
seems impractical for real cryptographic devices, but it does show that LFA
could be a potential threat to the previously protected implementations
(against fault attack) of block ciphers.
For a block cipher, the number of protected rounds must be chosen very
carefully in order to prevent security flaws as well as keep the corresponding
implementation economical and efficient. We hope that LFA could be
beneficial to determining this number.
http://LoCCS.sjtu.edu.cn
Shanghai Jiao Tong University
Q&A
Thanks!
http://LoCCS.sjtu.edu.cn