Ciphertext-Only Fault Attacks on PRESENT

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8898)

Abstract

In this work, we introduce fault attacks on PRESENT that use faulty ciphertexts only. In contrast to current differential fault attacks on PRESENT, which are mostly chosen-plaintext attacks, our fault attacks do not require knowledge of the plaintexts to recover the secret key. This is a typical scenario when plaintexts are not easily accessible to the attacker, as in the case of smart devices for the upcoming Internet-of-Things (IoT) era, where input data are mostly assembled within the cryptographic device, or when protocol-level countermeasures are deployed explicitly to prevent chosen-plaintext attacks. Our attacks work under the assumption that the attacker is able to bias the (nibble-wise) distribution of intermediate states in the final rounds of PRESENT by careful fault injections. To support our statements, we provide a detailed simulation analysis that estimates the practical attack complexities of (faulty) ciphertext-only fault attacks on PRESENT-80 and discusses different fault injection scenarios. In the best-case analysis (worst-case security scenario), only two faulty ciphertexts and negligible computational time are required to recover the entire secret key.

Notes

  1. The attacker can (possibly) exploit faulty intermediate states in different rounds obtained by injecting faults across different cryptographic computations; it is not required to inject multiple faults during the same cryptographic operation.


Acknowledgements

The authors would like to thank the anonymous reviewers for their valuable comments and suggestions. This work has been funded in part by the German Federal Ministry of Education and Research 163Y1200D (HIVE).

Author information


Correspondence to Fabrizio De Santis.


Appendices

A Fault Propagation in the Datapath of PRESENT

Fig. 4. Fault propagation with fault injection after the \(\mathtt {addRoundKey}\) operation in the \(30^{th}\) round. Gray: faulted bits. Blue: key bits to guess (Color figure online).

Fig. 5. Fault propagation with fault injection after the \(\mathtt{pLayer}\) operation in the \(30^{th}\) round. Gray: faulted bits. Blue: key bits to guess (Color figure online).

Fig. 6. Fault propagation with fault injection after the \(\mathtt{pLayer}\) operation in the \(29^{th}\) round. Gray: faulted bits. Blue: key bits to guess (Color figure online).

B Probability Distributions of Faulty Intermediate Nibbles

Fig. 7. Estimated probability distributions of (nibble-wise) faulty intermediate states for Fault Model 1, for all \(c\in \mathbb {Z}_{16}\backslash \{15\}\).

Fig. 8. Estimated probability distributions of (nibble-wise) faulty intermediate states for Fault Model 2, for all \(c\in \mathbb {Z}_{16}\backslash \{15\}\).

Fig. 9. Estimated probability distributions of (nibble-wise) faulty intermediate states for Fault Model 3, for all \(c\in \mathbb {Z}_{16}\backslash \{0,15\}\).
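The attacks described in the abstract work on faulty ciphertexts that the device has actually released, and Fig. 4 places one injection point right after the \(\mathtt{addRoundKey}\) operation of round 30. The following Python is an added example, not the authors' code or the paper's simulation: it implements PRESENT-80 from the public specification (the block cipher the paper analyses), adds a fault hook at that injection point so the reader can check how far a single-nibble fault spreads into the ciphertext through the two remaining \(\mathtt{sBoxLayer}\)/\(\mathtt{pLayer}\) stages, and wraps the cipher in a redundant-computation guard that withholds the ciphertext when two runs disagree, which is the output a ciphertext-only fault attack needs. The single-nibble fault model, the hook, the guard and the function names (`encrypt`, `diff_bits`, `predicted_spread`, `guarded_encrypt`) are this example's own assumptions; the paper's Fault Models 1 to 3 are not reproduced here.

```python
"""PRESENT-80 model with a fault-injection hook and a redundancy guard (constructed example)."""

# PRESENT S-box from the specification (Bogdanov et al., CHES 2007).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
MASK64 = (1 << 64) - 1
MASK80 = (1 << 80) - 1


def sbox_layer(state):
    """Apply the 4-bit S-box to each of the 16 nibbles of the 64-bit state."""
    out = 0
    for n in range(16):
        out |= SBOX[(state >> (4 * n)) & 0xF] << (4 * n)
    return out


def p_layer(state):
    """pLayer: bit i = 4m + c (bit c of nibble m) moves to position 16i mod 63 = m + 16c,
    which also yields the fixed point 63 -> 63 without a special case."""
    out = 0
    for i in range(64):
        if (state >> i) & 1:
            out |= 1 << ((i // 4) + 16 * (i % 4))
    return out


def round_keys(key80):
    """PRESENT-80 key schedule: returns K_1 .. K_32, each the leftmost 64 bits of the register."""
    keys = []
    k = key80 & MASK80
    for i in range(1, 32):
        keys.append(k >> 16)
        k = ((k << 61) | (k >> 19)) & MASK80                  # rotate register left by 61
        k = (k & ~(0xF << 76)) | (SBOX[(k >> 76) & 0xF] << 76)  # S-box on bits 79..76
        k ^= i << 15                                          # round counter into bits 19..15
    keys.append(k >> 16)                                      # K_32 for the final whitening
    return keys


def encrypt(pt, key80, fault=None):
    """Encrypt one 64-bit block. `fault=(round, nibble, delta)` is a simulation hook
    (assumption of this example, not part of the cipher): it XORs `delta` into the given
    nibble immediately after addRoundKey of that 1-based round, i.e. the injection point
    of Fig. 4 when round == 30."""
    rk = round_keys(key80)
    s = pt & MASK64
    for r in range(1, 32):
        s ^= rk[r - 1]
        if fault is not None and fault[0] == r:
            _, nibble, delta = fault
            s ^= (delta & 0xF) << (4 * nibble)
        s = p_layer(sbox_layer(s))
    return s ^ rk[31]


def diff_bits(pt, key80, fault):
    """Set of ciphertext bit positions that differ between a correct and a faulted run."""
    d = encrypt(pt, key80) ^ encrypt(pt, key80, fault)
    return {i for i in range(64) if (d >> i) & 1}


def predicted_spread(nibble):
    """Positions a single-nibble fault injected after round-30 addRoundKey can reach:
    the round-30 pLayer sends the nibble's 4 bits to nibbles nibble//4 + 4b (b = 0..3),
    and the round-31 pLayer sends bit c of each such nibble m to m + 16c. The final
    addRoundKey does not move difference bits. 16 positions in total."""
    m0 = nibble // 4
    return {m0 + 4 * b + 16 * c for b in range(4) for c in range(4)}


def guarded_encrypt(pt, key80, fault=None):
    """Redundant computation as a detection countermeasure: the ciphertext is released
    only if two independent encryptions agree. A transient fault hitting one of the runs
    (modelled by `fault`) yields None, so no faulty ciphertext leaves the device."""
    c1 = encrypt(pt, key80, fault)
    c2 = encrypt(pt, key80)
    return c1 if c1 == c2 else None


if __name__ == "__main__":
    # Specification test vector: all-zero plaintext and key -> 5579C1387B228445.
    print(hex(encrypt(0, 0)))
    # Constructed fault: delta 0x3 into nibble 5 after addRoundKey of round 30.
    fault = (30, 5, 0x3)
    print(sorted(diff_bits(0, 0, fault)), sorted(predicted_spread(5)))
    print(guarded_encrypt(0, 0, fault))
```

The `p_layer` comment doubles as the reasoning behind `predicted_spread`: because PRESENT's permutation maps bit 4m+c to m+16c, a difference confined to one nibble before the round-30 S-box can touch at most 16 ciphertext bits, whatever its value, and the guard shows that the attack's precondition disappears as soon as the implementation refuses to output a ciphertext whose redundant recomputation disagrees.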

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

De Santis, F., Guillen, O.M., Sakic, E., Sigl, G. (2015). Ciphertext-Only Fault Attacks on PRESENT. In: Eisenbarth, T., Öztürk, E. (eds) Lightweight Cryptography for Security and Privacy. LightSec 2014. Lecture Notes in Computer Science, vol 8898. Springer, Cham. https://doi.org/10.1007/978-3-319-16363-5_6

  • DOI: https://doi.org/10.1007/978-3-319-16363-5_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-16362-8

  • Online ISBN: 978-3-319-16363-5

  • eBook Packages: Computer Science, Computer Science (R0)
