Sage Journals: Discover world-class research

Abstract

Piccolo is a 64-bit lightweight block cipher which is able to be implemented in constrained hardware environments such as a wireless sensor network. Fault analysis is a type of side channel attack and cube attack is an algebraic attack finding sufficiently low-degree polynomials in a cipher. In this paper, we show a fault analysis on the Piccolo by using cube attack. We find 16 linear equations corresponding to a round function F by cube attack, which are used to fault analysis. Our attack has the complexity of 2^8.49 and 2^9.21 encryptions with fault injections of target bit positions into Piccolo-80 and Piccolo-128, respectively. And our attack needs 2^20.86 and 2^21.60 encryptions with random 4-bit fault injections for Piccolo-80 and Piccolo-128, respectively.

1. Introduction

Fault analysis is a type of side channel attack. This analysis was introduced by Boneh et al. in [1]. Differential fault analysis (DFA), which is an improved method of fault analysis, was introduced by Biham and Shamir in [2]. DFA is applied to various block ciphers such as AES [3, 4], ARIA [5], SEED [6], CLEFIA [7], LED [8], Piccolo [9–12], PRESENT [13], and KATAN32 [14]. Cube attack was introduced by Dinur and Shamir in [15]. This attack is an algebraic attack by finding sufficiently low-degree polynomials in a cipher. Cube attack is applied to various cryptosystems such as block cipher [16] and stream cipher [15, 17].

In CHES 2011, Piccolo was introduced by Shibutani et al. in [18]. Piccolo is a block cipher which supports 80-bit and 128-bit secret key size. In this paper, we analyze two versions of Piccolo [18] with fault analysis by using cube attack. In ISPEC 2012, fault analysis using cube attack was introduced by Abdul-Latip et al. in [16]. In this paper, we apply this method on Piccolo-80 and Piccolo-128. As a result, we find 16 linear equations corresponding to a round function F by cube attack, which are used to fault analysis.

Piccolo is analyzed by various techniques. In ISPEC 2012, Wang et al. suggest biclique cryptanalysis of reduced round Piccolo in [19]. They analyze reduced version of Piccolo-80 without postwhitening keys XOR and reduced 28-round Piccolo-128 without prewhitening keys XOR. In 2013, Song et al. suggest biclique cryptanalysis of full rounds of Piccolo [20]. And also Jeong suggests a differential fault analysis of full rounds of Piccolo [9].

In this paper, we show a fault analysis on the Piccolo by using cube attack. We find 16 linear equations corresponding to a round function F of Piccolo by using cube attack. These equations are used to our attack. In this paper, we describe the case that an adversary injects random 4-bit faults. Our attack has the complexity of $2^{20.86}$ and $2^{21.60}$ encryptions for Piccolo-80 and Piccolo-128, respectively, while the assumption of [9] is an adversary that injects random byte faults. Reference [9] has the complexity of 2²⁴ and 2⁴⁰ encryptions for Piccolo-80 and Piccolo-128, respectively. Our attack has a lower computational complexity than [9], even though the assumption of fault injection in our attack differs from [9].

In Section 2, we briefly describe the procedures of cube attack and cube tester. And then we describe the brief specifications of Piccolo in Section 3. In Section 4, a method of fault analysis of Piccolo by using cube attack is presented. Finally, our conclusions are in Section 5.

2. Cube Attack and Cube Tester

Algebraic attack is to find a solution, which is the key, of a system of equations that represent target cipher with given plaintext and the corresponding ciphertext, that is representing cipher as a system of equations with multiple variables defined over finite field where each key bit is represented as a variable in the system. Solving the system is equivalent to finding the secret key of the target cipher. Cube attack is an algebraic attack finding sufficiently low-degree polynomials in cipher.

2.1. Cube Attack

Cube attack was introduced by Dinur and Shamir in [15]. Cube attack is a chosen plaintext attack. The main idea of cube attack is to find linear equations consisting of secret variables by using cube sum. Let $p (v_{1}, \dots, v_{n}, k_{1}, \dots, k_{m})$ be a polynomial derived from a cipher, where $v_{1}, \dots, v_{n}$ are public variables and $k_{1}, \dots, k_{m}$ are secret variables. In other words, each secret variable is considered a bit in secret key and each public variable is considered a bit in plaintext or internal state. Let $I = {I_{1}, \dots, I_{s}} \subseteq {1, \dots, n}$ be a set and let $t_{I}$ be the monomial $x_{I_{1}} x_{I_{2}} \dots x_{I_{s}}$ . Note that the set in terms of I is called cube index. Then the polynomial p is represented by three polynomials $t_{I}$ , $p_{S (I)}$ , and q as the following form:

\begin{array}{l} p (v_{1}, \dots, v_{n}, k_{1}, \dots, k_{m}) \\ = t_{I} \cdot p_{S (I)} + q (v_{1}, \dots, v_{n}, k_{1}, \dots, k_{m}), \end{array}

(1) where q is not consisting of a monomial which has a factor

t_{I}

Cube attack is required to check the linearity of $p_{S (I)}$ which is called superpoly. A superpoly $p_{S (I)}$ is called a maxterm if $p_{S (I)}$ is linear. We use the following cube sum to find a $p_{S (I)}$ :

\begin{matrix} p_{S (I)} = \sum_{(v_{I_{1}}, \dots, v_{I_{s}}) \in GF (2)^{s}} p (v_{1}, \dots, v_{n}, k_{1}, \dots, k_{m}), \end{matrix}

(2) where plaintext bits except cube index (

v_{i}, i \in {1, \dots, n} - I

) are fixed as constants.

As the above representation, cube is completed with the sum total $2^{S}$ pairs of plaintext and ciphertext for a cube index $I = {I_{1}, \dots, I_{s}}$ . To check whether $p_{S (I)}$ is a maxterm, linearity test is required. Let $p_{S (I)} (k_{1}, \dots, k_{m})$ be a polynomial of m variables over GF(2). Let t be the number of tests. The following is a procedure of linearity test.

Step 1.

Choose 2 random vectors $x, y \in GF (2)^{m}$ .

Step 2.

If $p_{S (I)} (x) \oplus p_{S (I)} (y) \oplus p_{S (I)} (0) \neq p_{S (I)} (x \oplus y)$ ,

then $p_{S (I)}$ is not linear. Stop the test.

Step 3.

Repeat Steps 1 and 2, t times.

Step 4.

$p_{S (I)}$ is linear. Stop the test,

where $0 = (0, \dots, 0) \in GF (2)^{m}$ .

If $p_{S (I)} (k_{1}, \dots, k_{m})$ is linear, the above equation in Step 2 is always correct for all inputs $x, y \in GF (2)^{m}$ . Because checking all inputs is impossible, an upper bound of number of linearity tests has to be set. If there are at most $d_{1}$ elements in a cube index for testing linearity, at most $2^{d_{1}} \times (3 \times t + 1)$ pairs of plaintext and ciphertext are needed. Cube attack consists of preprocessing phase and online phase. Preprocessing phase is to find a system of linear equations by using cube sum and linearity test. Online phase is recovering the master key stored by using an encryption oracle. The following are details for the two phases.

Preprocessing Phase. After finding a polynomial from a cipher, find a cube, that is, a maxterm, by using linearity test. Since we know output after all plaintext bits are entered in encryption oracle, fix plaintext except cube index as a constant. Fixed constants of every cube do not have to be equal. Let $f_{i}$ be a maxterm which consists of only secret variables $k_{1}, \dots, k_{m}$ and let $b_{i}$ be the value of the maxterm $f_{i}$ which is found from online phase. We consider the following system of equations:

\begin{array}{l} f_{1} (k_{1}, \dots, k_{m}) = b_{1} \\ ⋮ \\ f_{l} (k_{1}, \dots, k_{m}) = b_{l} . \end{array}

(3) In the preprocessing phase, find enough maxterms to recover the master key and precalculate this system of equations by using Gaussian elimination. If we find m linear independent maxterms, then recover all the master keys with

m^{3}

operations for recovery by using Gaussian elimination. In general, it is lower than complexity

l \times 2^{d_{1}} \times (3 \times t + 1)

for finding l maxterms. Let

f_{1}, \dots, f_{m}

be linearly independent. Then the master keys are represented as the following system:

\begin{array}{l} k_{1} = \sum_{i = 1}^{m} a_{1, i} \cdot b_{i} \\ ⋮ \\ k_{m} = \sum_{i = 1}^{m} a_{m, i} \cdot b_{i}, \end{array}

(4) where

a_{i, j} \in GF (2)

Online Phase. In online phase, calculate the value of cube sum from an encryption oracle by using the cube that has been found in the preprocessing phase. Let each plaintext bit not in the cube be constant. The calculated value is $b_{i}$ , that is, the value of the maxterm. By substituting the value $b_{i}$ into (4), we recover the master key. Let cube index found at preprocessing phase have at most $d_{2}$ elements. Then the complexity of online phase is $m \times 2^{d_{2}}$ .

2.2. Cube Tester

Cube attack finds a maxterm by testing linearity of $p_{S (I)}$ of a given polynomial p and cube index I. Cube tester distinguishes a polynomial from a random polynomial by many tests including linearity test. There are some other tests using cube sum in [21]. In cube attack, a plaintext bit not in the cube is fixed as a constant. However all bits not in the cube have to be considered variables in the cube tester. Since the purpose of using the cube tester is getting information, which are properties of polynomial, we use the low-degree test that is in [21]. The degree N is determined by low-degree test. Let I be a cube index, let J be the number of bits not in the cube index (i.e., $J = n + m - S$ ; $p_{S (I)}$ consists of J variables), and t is the number of tests. Since low-degree test is valid only when $p (0) = 0$ for the given polynomial p, we define $p_{S (I)}^{*} (x) = p_{S (I)} (x) + p_{S (I)} (0)$ . Then low-degree test for the polynomial $p_{S (I)}^{*} (x)$ is as follows.

Step 1.

Choose $N + 1$ random vectors $y_{1}, \dots, y_{N + 1} \in GF (2)^{J}$ .

Step 2.

If $\sum_{ϕ \neq S \subset {y_{1}, \dots, y_{N + 1}}}^{} p_{S (I)}^{*} (\sum_{y_{i} \in S}^{} y_{i}) \neq 0$ , then

degree of $p_{S (I)} > N$ . Stop the test.

Step 3.

Repeat Steps 1 and 2, t times.

Step 4.

Degree of $p_{S (I)} \leq N$ . Stop the test.

If $N = 1$ , then the low-degree test is similar to the linearity test. We use the idea of the cube tester which uses every bit not in the cube index (consisting of plaintext and the master key) as a variable.

3. Description of Piccolo

Piccolo is a 64-bit block cipher with 80- and 128-bit key size. The structure of Piccolo is a Feistel network. Piccolo-80 consists of 25 rounds and Piccolo-128 consists of 31 rounds. Figure 1 illustrates the working processing of Piccolo. Each round consists of two functions, round function F and round permutation $RP$ . The round functions F and $RP$ are as follows.

Figure 1

Encryption process of Piccolo.

Round Function F. The round function F is defined by

\begin{array}{l} F (x_{0}, x_{1}, x_{2}, x_{3}) & = (S (x_{0}), S (x_{1}), S (x_{2}), S (x_{3})) \\ \cdot M \cdot {(S (x_{0}), S (x_{1}), S (x_{2}), S (x_{3}))}^{t}, \end{array}

(5) where

X^{t}

is the transposition of X.

$S (x)$ is the 4-bit S-box and M is the diffusion matrix as follows (see Table 1):

\begin{matrix} M = (\begin{pmatrix} 2 & 3 & 1 & 1 \\ 1 & 2 & 3 & 1 \\ 1 & 1 & 2 & 3 \\ 3 & 1 & 1 & 2 \end{pmatrix}) . \end{matrix}

(6) The multiplications between M and vectors are defined by an irreducible polynomial

x^{4} + x + 1

over

GF (2^{4})

Table 1

S-box of Piccolo.

x	0	1	2	3	4	5	6	7	8	9	a	b	c	d	e	f
$S (x)$	e	4	b	2	3	8	0	9	1	a	7	f	6	c	5	d

Round Permutation RP. The round permutation $RP$ is defined by

\begin{matrix} RP (x_{0}, x_{1}, \dots, x_{7}) = (x_{2}, x_{7}, x_{4}, x_{1}, x_{6}, x_{3}, x_{0}, x_{5}), \end{matrix}

(7) where

x_{i}

is byte.

For description of Piccolo and our attack, we denote intermediate variables before r-round as $X^{r} = X_{0}^{r} ∣ X_{1}^{r} ∣ X_{2}^{r} ∣ X_{3}^{r} = (x_{0}^{r}, \dots, x_{63}^{r})$ and intermediate variables before r-round's $RP$ function as $Y^{r} = Y_{0}^{r} ∣ Y_{1}^{r} ∣ Y_{2}^{r} ∣ Y_{3}^{r}$ (i.e., $RP (Y^{r}) = X^{r + 1}$ ). Let the round function F in r-round be $F (X_{i}^{r}) = (F_{0} (X_{i}^{r}), \dots, F_{15} (X_{i}^{r}))$ and let the round key be $r k_{r} = (k_{0}^{r}, \dots, k_{15}^{r})$ . The other notations are as follows: $(X_{i}^{r})^{L}$

: left 8 bits of $X_{i}^{r}$ and $(X_{i}^{r})^{R}$ : right 8 bits of $X_{i}^{r}$ ;

$K_{i}^{L}$ : left 8 bits of $K_{i}$ and $K_{i}^{R}$ : right 8 bits of $K_{i}$ ;

$A ∣ B$ : concatenation of A and B.

Let the 64-bit plaintext and ciphertext be P and C, respectively. Encryption of Piccolo is defined as follows: (1)

$P_{0} ∣ P_{1} ∣ P_{2} ∣ P_{3} \leftarrow P$ ( $P_{i}$ is the 16-bit plaintext);

(2)

$X_{0}^{1} \leftarrow P_{0} \oplus w k_{0}, X_{1}^{1} = P_{1}$

$X_{2}^{1} \leftarrow P_{2} \oplus w k_{1}, X_{3}^{1} = P_{3}$ ;

(3)

for $i = 1$ to $r - 1$

$Y_{0}^{i} \leftarrow X_{0}^{i}, Y_{1}^{i} \leftarrow X_{1}^{i} \oplus F (X_{0}^{i}) \oplus r k_{2 i - 2}$

$Y_{2}^{i} \leftarrow X_{2}^{i}, Y_{3}^{i} \leftarrow X_{3}^{i} \oplus F (X_{2}^{i}) \oplus r k_{2 i - 1}$

$X^{i + 1} \leftarrow RP (Y^{i})$ ;

(4)

$Y_{0}^{r} \leftarrow X_{0}^{r} \oplus w k_{2}, Y_{1}^{r} \leftarrow X_{1}^{r} \oplus F (X_{0}^{r}) \oplus r k_{2 r - 2}$

$Y_{2}^{r} \leftarrow X_{2}^{r} \oplus w k_{3}, Y_{3}^{r} \leftarrow X_{3}^{r} \oplus F (X_{2}^{r}) \oplus r k_{2 r - 1}$ ;

(5)

$C \leftarrow Y_{0}^{r} ∣ Y_{1}^{r} ∣ Y_{2}^{r} ∣ Y_{3}^{r}$ ( $Y_{i}^{r}$ is the 16-bit ciphertext).

Key schedule of Piccolo consists of the following.

Piccolo-80:

\begin{array}{l} w k_{0} ⟵ K_{0}^{L} ∣ K_{1}^{R}, w k_{1} ⟵ K_{1}^{L} ∣ K_{0}^{R}, \\ w k_{2} ⟵ K_{4}^{L} ∣ K_{3}^{R}, w k_{3} ⟵ K_{3}^{L} ∣ K_{4}^{R}, \end{array}

(8)for

i \leftarrow 0

24

if $i \mod 5 = 0 or 2$ , then

\begin{matrix} (r k_{2 i}, r k_{2 i + 1}) ⟵ ({con}_{2 i}^{80}, {con}_{2 i + 1}^{80}) \oplus (K_{2}, K_{3}) \end{matrix}

(9)

if $i \mod 5 = 1 or 4$ , then

\begin{matrix} (r k_{2 i}, r k_{2 i + 1}) ⟵ ({con}_{2 i}^{80}, {con}_{2 i + 1}^{80}) \oplus (K_{0}, K_{1}) \end{matrix}

(10)

if $i \mod 5 = 3$ , then

\begin{matrix} (r k_{2 i}, r k_{2 i + 1}) ⟵ ({con}_{2 i}^{80}, {con}_{2 i + 1}^{80}) \oplus (K_{4}, K_{4}), \end{matrix}

(11)where

{con}_{i}^{80}

is the round constant.

Piccolo-128:

\begin{matrix} w k_{0} ⟵ K_{0}^{L} ∣ K_{1}^{R}, w k_{1} ⟵ K_{1}^{L} ∣ K_{0}^{R}, \\ w k_{2} ⟵ K_{4}^{L} ∣ K_{7}^{R}, w k_{3} ⟵ K_{7}^{L} ∣ K_{4}^{R}, \end{matrix}

(12)for

i \leftarrow 0

61

if $(i + 2) \mod 8 = 0$ , then

\begin{array}{l} (K_{0}, K_{2}, K_{6}, K_{4}) ⟵ (K_{2}, K_{6}, K_{4}, K_{0}) \\ (K_{3}, K_{7}, K_{5}) ⟵ (K_{7}, K_{5}, K_{3}) \\ r k_{i} ⟵ r k_{(i + 2) \mod 8} \oplus {con}_{i}^{128}, \end{array}

(13)where

{con}_{i}^{128}

is the round constant.

Since key schedule of Piccolo is just performing XOR determined constants to the master key, recovering the round key and recovering the master key are the same. Table 2 is showing the master key used for the round key of Piccolo. Detailed descriptions of Piccolo are in [18].

Table 2

Round key of Piccolo.

Piccolo-80			Piccolo-128
Round	Round key	Master key	Round	Round key	Master key
First	wk ₀, wk₁	$K_{0}^{L} \| K_{1}^{R}, K_{1}^{L} \| K_{0}^{R}$	First	wk ₀, wk₁	$K_{0}^{L} \| K_{1}^{R}, K_{1}^{L} \| K_{0}^{R}$
1	rk₀, rk₁	K₂, K₃	1	rk₀, rk₁	K₂, K₃
2	rk₂, rk₃	K₀, K₁	2	rk₂, rk₃	K₄, K₅
3	rk₄, rk₅	K₂, K₃	3	rk₄, rk₅	K₆, K₇
4	rk₆, rk₇	K₄, K₄	4	rk₆, rk₇	K₂, K₁
5	rk₈, rk₉	K₀, K₁	5	rk₈, rk₉	K₆, K₇
6	rk₁₀, rk₁₁	K₂, K₃	6	rk₁₀, rk₁₁	K₀, K₃
7	rk₁₂, rk₁₃	K₀, K₁	7	rk₁₂, rk₁₃	K₄, K₅
8	rk₁₄, rk₁₅	K₂, K₃	8	rk₁₄, rk₁₅	K₆, K₁
9	rk₁₆, rk₁₇	K₄, K₄	9	rk₁₆, rk₁₇	K₄, K₅
10	rk₁₈, rk₁₉	K₀, K₁	10	rk₁₈, rk₁₉	K₂, K₇
11	rk₂₀, rk₂₁	K₂, K₃	11	rk₂₀, rk₂₁	K₀, K₃
12	rk₂₂, rk₂₃	K₀, K₁	12	rk₂₂, rk₂₃	K₄, K₁
13	rk₂₄, rk₂₅	K₂, K₃	13	rk₂₄, rk₂₅	K₀, K₃
14	rk₂₆, rk₂₇	K₄, K₄	14	rk₂₆, rk₂₇	K₆, K₅
15	rk₂₈, rk₂₉	K₀, K₁	15	rk₂₈, rk₂₉	K₂, K₇
16	rk₃₀, rk₃₁	K₂, K₃	16	rk₃₀, rk₃₁	K₀, K₁
17	rk₃₂, rk₃₃	K₀, K₁	17	rk₃₂, rk₃₃	K₂, K₇
18	rk₃₄, rk₃₅	K₂, K₃	18	rk₃₄, rk₃₅	K₄, K₃
19	rk₃₆, rk₃₇	K₄, K₄	19	rk₃₆, rk₃₇	K₆, K₅
20	rk₃₈, rk₃₉	K₀, K₁	20	rk₃₈, rk₃₉	K₂, K₁
21	rk₄₀, rk₄₁	K₂, K₃	21	rk₄₀, rk₄₁	K₆, K₅
22	rk₄₂, rk₄₃	K₀, K₁	22	rk₄₂, rk₄₃	K₀, K₇
23	rk₄₄, rk₄₅	K₂, K₃	23	rk₄₄, rk₄₅	K₄, K₃
24	rk₄₆, rk₄₇	K₄, K₄	24	rk₄₆, rk₄₇	K₆, K₁
25	rk₄₈, rk₄₉	K₀, K₁	25	rk₄₈, rk₄₉	K₄, K₃
Final	wk₂, wk₃	$K_{4}^{L} \| K_{3}^{R}, K_{3}^{L} \| K_{4}^{R}$	26	rk₅₀, rk₅₁	K₂, K₅
			27	rk₅₂, rk₅₃	K₀, K₇
			28	rk₅₄, rk₅₅	K₄, K₁
			29	rk₅₆, rk₅₇	K₀, K₇
			30	rk₅₈, rk₅₉	K₆, K₃
			31	rk₆₀, rk₆₁	K₂, K₅
			Final	wk₂, wk₃	$K_{4}^{L} \| K_{7}^{R}, K_{7}^{L} \| K_{4}^{R}$

4. Fault Analysis on the Piccolo

In this section, we show the fault analysis for Piccolo-80 and Piccolo-128. We assume that an adversary is able to make 4-bit errors in a maximum at a time on a round during an encryption process. By using cube sum, find system of linear equations in the common F of Piccolo-80 and Piccolo-128. And use the system to represent the phase recovering the master key of Piccolo-80 and Piccolo-128. Analysis of a round function F in Section 4.1 is corresponding to the preprocessing phase of cube attack. The attack in Sections 4.2 and 4.3 is the case of an encryption oracle that is given and is corresponding to online phase.

4.1. Equations of Round Function F

Since round function F is the same for Piccolo-80 and Piccolo-128, the results of fault injection attack on F are the same in the both algorithms. Let $F (X) = (F_{0} (X), \dots, F_{15} (X))$ , where $X = (x_{0}, x_{1}, \dots, x_{15})$ is an 16-bit intermediate value and each $F_{j} (x)$ is a bit $(F : GF (2)^{16} \to GF (2)^{16})$ . We test all possible cubes of degree 1 to degree 4 and all possible inputs for each cube. We get many linear polynomials and choose 16 appropriate polynomials for recovering the master key. Table 3 shows our selected 16 polynomials, cube index, and output bit $(F_{i})$ .

Table 3

Cube sum result of $F (x_{0}, \dots, x_{15})$ .

Cube index	Outbit ( $F_{i}$ )	Polyequation
1, 5, 6	8	$x_{0} + 1$
0, 8, 9, 11	10	$x_{1} + 1$
1, 5, 6	12	$x_{0} + x_{2}$
0, 8, 9, 11	7	$x_{3}$
0, 1, 5, 6	4	$x_{4} + 1$
4, 8	12	$x_{5} + x_{9}$
4, 5, 8, 9	4	$x_{6} + 1$
4, 8, 9, 11	7	$x_{5} + x_{7} + 1$
5, 6, 9	12	$x_{8} + 1$
4, 5, 7, 8	6	$x_{9}$
5, 6, 9	8	$x_{10} + 1$
4, 5, 7, 8	3	$x_{11}$
5, 6, 13	8	$x_{12} + x_{14}$
0, 12	4	$x_{1} + x_{13}$
5, 6, 13	12	$x_{14} + 1$
0, 8, 11, 12	7	$x_{3} + x_{15}$

4.2. Analysis on the Piccolo-80

We explain how to recover all the master keys of Piccolo-80. By key schedule of Piccolo-80, recovering ${w k}_{2}$ , ${w k}_{3}$ , ${r k}_{44}$ , ${r k}_{48}$ , and ${r k}_{49}$ is equal to recovering all the master keys of Piccolo-80. Let plaintext P be given and let $X_{i}^{j}, Y_{i}^{j}$ be intermediate values for plaintext P. In this paper, we recover the master key of Piccolo-80 by recovering some $X_{i}^{j}$ s. Figure 2 is for the last 4 rounds of Piccolo-80. The following is the attack on Piccolo-80.

Figure 2

Fault analysis of Piccolo-80.

Step 1.

First, we analyze the last round (i.e., round 25). Perform cube sum by using the cube in Table 3 for F which takes $X_{0}^{25}$ . For example, consider 6th equation of Table 3. Suppose that inject fault into $x_{4}^{25}$ to $x_{8}^{25}$ . Then, since fault is injected into only $X_{0}^{25}$ , value of $X_{1}^{25}$ or $r k_{48}$ is not changed. We notate the following to explain our attack:

$X_{0}^{25} = (x_{0}^{25}, \dots, x_{15}^{25}), X_{1}^{25} = (x_{16}^{25}, \dots, x_{31}^{25})$ ;

$Y_{0}^{25} = (y_{0}^{25}, \dots, y_{15}^{25})$ ;

$y_{12}^{25} [x_{4}^{25}]$ : $y_{12}^{25}$ when fault is injected into $x_{4}^{25}$ ;

$y_{12}^{25} [x_{8}^{25}]$ : $y_{12}^{25}$ when fault is injected into $x_{8}^{25}$ ;

$y_{12}^{25} [x_{4}^{25}, x_{8}^{25}]$ : $y_{12}^{25}$ when fault is injected into both $x_{4}^{25}$ , $x_{8}^{25}$ .

We calculate cube sum for cube index

{4,8}

like the following:

\begin{array}{l} Cube sum = \sum_{x_{4}, x_{8} \in {0,1}} F_{12} (x_{0}^{25}, \dots, x_{15}^{25}) \\ = \sum_{x_{4}, x_{8} \in {0,1}} [F_{12} (x_{0}^{25}, \dots, x_{15}^{25}) \oplus x_{28}^{25} \oplus k_{12}^{48}] \\ = y_{12}^{25} \oplus y_{12}^{25} [x_{4}^{25}] \oplus y_{12}^{25} [x_{8}^{25}] \oplus y_{12}^{25} [x_{4}^{25}, x_{8}^{25}] . \end{array}

(14)

y_{12}^{25}

is not the output of F. But since cube sum does XOR even times,

x_{28}^{25}

and

r k_{12}^{48}

are offset. That is, we know value of cube sum cause of

Y_{0}^{25} ∣ Y_{1}^{25} ∣ Y_{2}^{25} ∣ Y_{3}^{25} = C

. In the same way, cube sum using fault injection in this paper is performed. By performing cube sum for every cube in Table 3, we get 16 systems of equations. Recover input

X_{0}^{25}

. Similarly, we recover input

X_{2}^{25}

using F which takes

X_{2}^{25}

. Since

X_{0}^{25} \oplus w k_{2} = Y_{0}^{25}, X_{2}^{25} \oplus w k_{3} = Y_{2}^{25}

, we recover

w k_{2}, w k_{3}

(i.e.,

K_{3}

K_{4}

Step 2.

Since we know ${w k}_{2}$ and ${w k}_{3}$ , calculate intermediate value $X_{0}^{25}$ , $X_{2}^{25}$ for given ciphertext. Round permutation $RP$ in round 24 is as follows:

\begin{matrix} Y_{1}^{24} = {(X_{0}^{25})}^{L} ∣ {(X_{2}^{25})}^{R}, Y_{3}^{24} = {(X_{2}^{25})}^{L} ∣ {(X_{0}^{25})}^{R} \\ Y_{0}^{24} = {(X_{3}^{25})}^{L} ∣ {(X_{1}^{25})}^{R}, Y_{2}^{24} = {(X_{1}^{25})}^{L} ∣ {(X_{3}^{25})}^{R} . \end{matrix}

(15) Therefore, we calculate

Y_{1}^{24}

Y_{3}^{24}

for given ciphertext. By using this, analyze round 24. In a similar way with Step 1, recover

X_{0}^{24}

X_{2}^{24}

by using the cube in Table 3 for F which takes

X_{0}^{24}

X_{2}^{24}

. Since

X_{0}^{24} = Y_{0}^{24}

X_{2}^{24} = Y_{2}^{24}

Y_{0}^{24} = (X_{3}^{25})^{L} ∣ (X_{1}^{25})^{R}

, and

Y_{2}^{24} = (X_{1}^{25})^{L} ∣ (X_{3}^{25})^{R}

, we recover

X_{1}^{25}

X_{3}^{25}

. Then we recover

r k_{48}, r k_{49}

(i.e.,

K_{0}

K_{1}

) since

X_{1}^{25} \oplus F (X_{0}^{25}) \oplus r k_{48} = Y_{1}^{25}, X_{3}^{25} \oplus F (X_{2}^{25}) \oplus r k_{49} = Y_{3}^{25}

Step 3.

We recover $K_{0}$ , $K_{1}$ , $K_{3}$ , and $K_{4}$ so far. Given ciphertext C, we calculate $X_{0}^{24}$ , $X_{1}^{24}$ , $X_{2}^{24}$ , and $X_{3}^{24}$ . That is, we recover $X_{0}^{23}$ , $X_{2}^{23}$ , $Y_{1}^{23}$ , and $Y_{3}^{23}$ . We want to recover $X_{1}^{23}$ . Since $X_{0}^{22} = Y_{0}^{22} = (X_{3}^{23})^{L} ∣ (X_{1}^{23})^{R}$ , $X_{2}^{22} = Y_{2}^{22} = (X_{1}^{23})^{L} ∣ (X_{3}^{23})^{R}$ , if we recover right 8 bits of $X_{0}^{22}$ and left 8 bits of $X_{2}^{22}$ , then we recover $X_{1}^{23}$ . To recover right 8 bits of $X_{0}^{22}$ , inject fault into bits corresponding to cube index of last 8 equations in Table 3. For recovering left 8 bits of $X_{2}^{22}$ , inject fault into bits corresponding to cube index of first 8 equations in Table 3. Then we recover $X_{1}^{23}$ . Since $X_{1}^{23} \oplus F (X_{0}^{23}) \oplus r k_{44} = Y_{1}^{23}$ ,we recover $r k_{44}$ (i.e., $K_{2}$ ).

Use the above 3 steps to recover all the master keys used for Piccolo-80. This needs the assumption that we inject fault into at most 4 bits in the same time. Thus in this paper we consider the following as an analyzing way.

Assumption 1.

We inject fault into at most 4 bits in the same time. But, apply this to only last round.

Assumption 2.

We inject fault into at most 4 bits in the same time. But, apply this to only rounds 24 and 25.

Assumption 3.

We inject fault into at most 4 bits in the same time.

That is, suppose that we analyze only Step 1 or Steps 1 and 2. Even though we analyze only Steps 1 and 2, since at least 32 bits of 80-bit master key are recovered, we recover all the master keys with less operations than brute-force attack. To recover $X_{i}^{r}$ , inject fault into 11 bits among 16 bits of internal state $X_{i}^{r}$ by using injections 66 times. To recover left 8 bits and right 8 bits of $X_{i}^{r}$ (i.e., $(X_{i}^{r})^{L}, (X_{i}^{r})^{R}$ ), we inject fault into 8 bits and 10 bits among 16 bits of $X_{i}^{r}$ , respectively. Then $(X_{i}^{r})^{L}, (X_{i}^{r})^{R}$ are recovered by using injections 44 and 39 times, respectively.

Under Assumption 1, we need 133 encryptions for recovering 32-bit master key $({w k}_{2}, {w k}_{3})$ . We exclusively search to recover remaining 48-bit master key. Therefore, we need total $133 + 2^{48} \approx 2^{48}$ encryptions for recovering the master key under Assumption 1.

Under Assumption 2, we need 133 encryptions for recovering 32-bit master key $({w k}_{2}, {w k}_{3})$ . For recovering 32-bit round keys ${r k}_{48}$ and ${r k}_{49}$ , we have to calculate $Y_{1}^{24}, Y_{3}^{24}$ . Given ciphertext, calculating $Y_{1}^{24}$ is equivalent to 0.5 round encryption. So is $Y_{3}^{24}$ . Hence, we need $132 + (132 \times 0.5 + 1) / 25$ encryptions for recovering 32-bit round keys ${r k}_{48}$ and ${r k}_{49}$ . We exclusively search to recover remaining 16-bit master key. Therefore, we need total $133 + (132 + 67 / 25) + 2^{16} \approx 2^{16.01}$ encryptions for recovering the master key under Assumption 2.

Under Assumption 3, we need $133 + (132 + 67 / 25)$ encryptions for recovering ${w k}_{2}$ , ${w k}_{3}$ , ${r k}_{48}$ , and ${r k}_{49}$ . Given ciphertext, calculating $Y_{1}^{22}$ is equivalent to 2.5 round encryption. We need $44 + 39 + {(44 + 39) \times 2.5 + 1 \times 3} / 25$ encryptions for recovering 32-bit round keys ${r k}_{44}$ , ${r k}_{45}$ . Therefore, we need total $133 + (132 + 67 / 25) + (83 + 210.5 / 25) \approx 2^{8.49}$ encryptions for recovering the master key under Assumption 3. Table 4 is showing encryption complexity needed for recovering the master key of each assumption.

Table 4

Attack complexity of Piccolo-80.

Assumption	Required fault	Complexity
Assumption 1	$132 \approx 2^{7.04}$	$2^{48}$
Assumption 2	$264 \approx 2^{8.04}$	$2^{16.01}$
Assumption 3	$347 \approx 2^{8.44}$	$359.1 \approx 2^{8.49}$

4.3. Analysis on the Piccolo-128

Piccolo-128 recovers the master key in a similar way to Piccolo-80. Figure 3 is for the last 5 rounds of Piccolo-128. The following is how Piccolo-128 recovers the master key.

Figure 3

Fault analysis of Piccolo-128.

Step 1.

First, we analyze the last round (i.e., round 25). In a similar way with Step 1 in analysis of Piccolo-80, recover $X_{0}^{31}$ , $X_{2}^{31}$ by using the cube in Table 3 for F which takes $X_{0}^{31}$ , $X_{2}^{31}$ . Since $X_{0}^{31} \oplus w k_{2} = Y_{0}^{31}, X_{2}^{31} \oplus w k_{3} = Y_{2}^{31}$ , we recover $w k_{2}$ , $w k_{3} (K_{4}, K_{7})$ .

Step 2.

Since we know $w k_{2}$ and $w k_{3}$ , calculate intermediate values $X_{0}^{31}, X_{2}^{31}$ for given ciphertext. Since $Y_{1}^{30} = (X_{0}^{31})^{L} ∣ (X_{2}^{31})^{R}, Y_{3}^{30} = (X_{2}^{31})^{L} ∣ (X_{0}^{31})^{R}$ , we calculate $Y_{1}^{30}, Y_{3}^{30}$ for given ciphertext. In a similar way with Step 1 in analysis of Piccolo-80, recover $X_{0}^{30}$ , $X_{2}^{30}$ by using the cube in Table 3 for F which takes $X_{0}^{30}$ , $X_{2}^{30}$ . We recover $X_{1}^{31}$ , $X_{3}^{31}$ , since $X_{0}^{30} = Y_{0}^{30}, X_{2}^{30} = Y_{2}^{30}$ , and $Y_{0}^{30} = (X_{3}^{31})^{L} ∣ (X_{1}^{31})^{R}, Y_{2}^{30} = (X_{1}^{31})^{L} ∣ (X_{3}^{31})^{R}$ . Since $X_{1}^{31} \oplus F (X_{0}^{31}) \oplus r k_{60} = Y_{1}^{31}$ , $X_{3}^{31} \oplus F (X_{2}^{31}) \oplus r k_{61} = Y_{3}^{31}$ , we recover $r k_{60}$ , $r k_{61} (K_{2}, K_{5})$ .

Step 3.

Since we know $w k_{2}$ , $w k_{3}$ , ${r k}_{60}$ , and ${r k}_{61}$ , calculate intermediate values $X_{0}^{30}$ , $X_{2}^{30}$ , $Y_{1}^{30}$ , and $Y_{3}^{30}$ for given ciphertext. Since $Y_{1}^{29} = (X_{0}^{30})^{L} ∣ (X_{2}^{30})^{R}$ , $Y_{3}^{29} = (X_{2}^{30})^{L} ∣ (X_{0}^{30})^{R}$ , we calculate $Y_{1}^{29}$ , $Y_{3}^{29}$ for given ciphertext. In a similar way with Step 1 in analysis of Piccolo-80, recover $X_{0}^{29}$ , $X_{2}^{29}$ by using the cube in Table 3 for F which takes $X_{0}^{29}$ , $X_{2}^{29}$ . We recover $X_{1}^{30}$ , $X_{3}^{30}$ since $X_{0}^{29} = Y_{0}^{29}$ , $X_{2}^{29} = Y_{2}^{29}$ , and $Y_{0}^{29} = (X_{3}^{30})^{L} ∣ (X_{1}^{30})^{R}$ , $Y_{2}^{29} = (X_{1}^{30})^{L} ∣ (X_{3}^{30})^{R}$ . Since $X_{1}^{30} \oplus F (X_{0}^{30}) \oplus r k_{58} = Y_{1}^{30}$ and $X_{3}^{30} \oplus F (X_{2}^{30}) \oplus r k_{59} = Y_{3}^{30}$ , we recover $r k_{58}$ , $r k_{59}$ ( $K_{6}$ , $K_{3}$ ).

Step 4.

This step is similar to Step 3 in analysis of Piccolo-80. Given ciphertext C, we calculate $X_{0}^{29}$ , $X_{2}^{29}$ , $Y_{1}^{29}$ , and $Y_{3}^{29}$ . We want to recover $X_{1}^{29}$ . Since $X_{0}^{28} = Y_{0}^{28} = (X_{3}^{29})^{L} ∣ (X_{1}^{29})^{R}$ , $X_{2}^{28} = Y_{2}^{28} = (X_{1}^{29})^{L} ∣ (X_{3}^{29})^{R}$ , if we recover right 8 bits of $X_{0}^{28}$ and left 8 bits of $X_{2}^{28}$ , then we recover $X_{1}^{29}$ . To recover right 8 bits of $X_{0}^{28}$ , inject fault into bits corresponding to cube index of last 8 equations in Table 3. For recovering left 8 bits of $X_{2}^{28}$ , inject fault into bits corresponding to cube index of first 8 equations in Table 3. Then $X_{1}^{29}$ is recovered. And then we recover $r k_{56}$ ( $K_{0}$ ), because $X_{1}^{29} \oplus F (X_{0}^{29}) \oplus r k_{56} = Y_{1}^{29}$ .

Step 5.

This step is similar to Step 3 in analysis of Piccolo-80. We want to recover $X_{3}^{28}$ . Given ciphertext C, we calculate $X_{0}^{28}$ , $X_{2}^{28}$ , $Y_{1}^{28}$ , and $Y_{3}^{28}$ . Since $X_{0}^{27} = Y_{0}^{27} = (X_{3}^{28})^{L} ∣ (X_{1}^{28})^{R}$ , $X_{2}^{27} = Y_{2}^{27} = (X_{1}^{28})^{L} ∣ (X_{3}^{28})^{R}$ , we recover left 8 bits of $X_{0}^{27}$ and right 8 bits of $X_{2}^{27}$ . To recover left 8 bits of $X_{0}^{27}$ , inject fault into bits corresponding to cube index of first 8 equations in Table 3. For recovering right 8 bits of $X_{2}^{27}$ , inject fault into bits corresponding to cube index of last 8 equations in Table 3. Then we recover $X_{3}^{28}$ . And we recover $r k_{55} (K_{1})$ since $X_{3}^{28} \oplus F (X_{2}^{28}) \oplus r k_{55} = Y_{3}^{28}$ .

Use the above 5 steps to recover all the master keys used for Piccolo-128. This needs the assumption that we inject fault into at most 4 bits in the same time. Assume that we analyze only Steps 1, 2, 3, and 4 such as Piccolo-80. Even though we analyze only Steps 1, 2, 3, and 4, since at least 32 bits of 128-bit master key are recovered, we recover all the master keys with less operations than brute-force attack. Table 5 is showing encryption complexity needed for recovering the master key of each assumption.

Table 5

Attack complexity of Piccolo-128.

Assumption	Required fault	complexity
Step 1	$132 \approx 2^{7.04}$	$2^{96}$
Step 2	$264 \approx 2^{8.04}$	$2^{64}$
Step 3	$396 \approx 2^{8.63}$	$2^{32}$
Step 4	$479 \approx 2^{8.90}$	$2^{16.01}$
Step 5	$562 \approx 2^{9.13}$	$593.64 \approx 2^{9.21}$

4.4. Improved Attack

The attacks described in Sections 4.2 and 4.3 are valid under the assumption that an adversary is able to control the injecting time and bit positions to inject fault and the number of bits of fault injection. However it is difficult to control bit positions where faults are injected. Therefore, in this section, we explain the way of attack under the assumption that an adversary is not able to control bit positions to inject faults. That is, an adversary is able to inject i bits of random faults into Piccolo-80 and Piccolo-128. The attack of Section 4.4 is similar to the attack of Sections 4.2 and 4.3. But this attack adds the process that determines fault position before each Step of Sections 4.2 and 4.3.

Assume that we inject i bits of random fault into last round. In some cases, we determine fault position. Then, the following is how to determine position of fault injection for 3 cases. (Each case with 4 fault bits is described in Figures 4, 5, and 6).

Figure 4

Determine position of fault injection for Case 1 (i = 4).

Figure 5

Determine position of fault injection for Case 2 ( $i = 4$ , $j = 1$ ).

Figure 6

Determine position of fault injection for Case 3 ( $i = 4$ , $j = 1$ ).

Case 1.

There are i bits error in $Y_{0}^{r} (Y_{2}^{r})$ after fault injection. Since $X_{0}^{r} ⨁ w k_{2} = Y_{0}^{r} (X_{2}^{r} ⨁ w k_{3} = Y_{2}^{r})$ and i fault bits, if $Y_{0}^{r} (Y_{2}^{r})$ is different i bits from original ciphertext, then fault injection position in $X_{0}^{r} (X_{2}^{r})$ must be same with changed i bits after fault injection in $Y_{0}^{r} (Y_{2}^{r})$ .

Case 2.

There are j bits error in $Y_{0}^{r}$ and $i - j$ bits error in $Y_{2}^{r}$ after fault injection. In a similar way to Case 1, fault injection position in $X_{0}^{r}$ must be same with changed j bits after fault injection in $Y_{0}^{r}$ . And fault injection position in $X_{2}^{r}$ must be same with changed i-j bits after fault injection in $Y_{2}^{r}$ .

Case 3.

There are $i - j$ bits error in $Y_{0}^{r} (Y_{2}^{r})$ and j bits error in $Y_{3}^{r} (Y_{1}^{r})$ . And there is no error in $Y_{2}^{r} (Y_{0}^{r})$ . If there are j bits error in $Y_{3}^{r} (Y_{1}^{r})$ , then $X_{2}^{r} (X_{0}^{r})$ or $X_{3}^{r} (X_{1}^{r})$ is fault injected. Since there is no error in $Y_{2}^{r} (Y_{0}^{r})$ , fault injection position in $X_{3}^{r} (X_{1}^{r})$ must be same with changed j bits after fault injection in $Y_{3}^{r} (Y_{1}^{r})$ . Furthermore, $X_{0}^{r} (X_{2}^{r})$ must be same with changed $i - j$ bits after fault injection in $Y_{0}^{r} (Y_{2}^{r})$ since there are $i - j$ bits error in $Y_{0}^{r} (Y_{2}^{r})$ .

Therefore, we determine the position of fault injection for these 3 cases. Table 3 is the table of optimal cubes that are used for the attack in Sections 4.2 and 4.3. Therefore, there are many cubes except cubes in Table 3. Because there are too many cubes, we do not describe all cubes in this paper. For example, suppose that we get 16 ciphertexts for cube sum of ${0,1, 3,4}$ . Then we calculate all of subcubes of ${0,1, 3,4}$ . So, we use cubes in Table 6 and recover 1st, 2nd, 5th, and 7th bit of whitening key.

Table 6

Subcube of {0, 1, 3, 4}.

Cube index	Outbit ( $F_{i}$ )	Polyequation
0, 3	0	$x_{2} + 1$
0, 4	8	$x_{1} + x_{5} + 1$
0, 1, 3, 4	2	$x_{5}$
0, 1, 3, 4	15	$x_{7}$

By the same method, we use sufficient cubes for recovering ${w k}_{2}$ and ${w k}_{3}$ of Piccolo-80 and Piccolo-128 and recover ${w k}_{2}$ and ${w k}_{3}$ . Since we know ${w k}_{2}$ and ${w k}_{3}$ , calculate intermediate values $X_{0}^{r}, X_{2}^{r}$ for given ciphertext. Therefore, we inject faults into $(r - 1)$ th round, determining position of fault injection by 3 cases that described this section. And we recover $(r - 1)$ th round key. This process is the same with Step 2 in Section 4.2 and Step 2 in Section 4.3 except determining position of fault injection. By the same way, we recover all the master keys of Piccolo-80 and Piccolo-128 using Steps in Sections 4.2 and 4.3 with determining position of fault injection, respectively.

The complexity of this attack depends on the complexity for finding ciphertext to recover round key. For Table 3, we need 66 ciphertexts. Table 7 is showing necessary positions of fault injection for cubes of Table 3.

Table 7

Necessary positions of fault injections for Table 3.

Number of fault bits (Number of faults)	Necessary positions of fault injection
1 (11)	(0), (1), (4), (5), (6), (7), (8), (9), (11), (12), (13)

2 (27)	(0, 1), (0, 5), (0, 6), (0, 8), (0, 9), (0, 11), (0, 12), (1, 5), (1, 6), (4, 5), (4, 7), (4, 8), (4, 9), (4, 11), (5, 6), (5, 7), (5, 8), (5, 9), (5, 13), (6, 9), (6, 13), (7, 8), (8, 9), (8, 11), (8, 12), (9, 11), (11, 12)

3 (22)	(0, 1, 5), (0, 1, 6), (0, 5, 6), (0, 8, 9), (0, 8, 11), (0, 8, 12), (0, 9, 11), (0, 11, 12), (1, 5, 6), (4, 5, 7), (4, 5, 8), (4, 5, 9), (4, 7, 8), (4, 8, 9), (4, 8, 11), (4, 9, 11), (5, 6, 9), (5, 6, 13), (5, 7, 8), (5, 8, 9), (8, 9, 11), (8, 11, 12)

4 (6)	(0, 1, 5, 6), (0, 8, 9, 11), (0, 8, 11, 12), (4, 5, 7, 8), (4, 5, 8, 9), (4, 8, 9, 11)

For calculating complexity, we assume that an adversary always injects 4-bit random fault into the last three and five rounds for Piccolo-80 and Piccolo-128, respectively. Since an adversary injects exactly 4-bit fault, position of all fault bits has to match position that we want. This probability is $1 / (\begin{smallmatrix} 64 \\ 4 \end{smallmatrix}) \approx 2^{- 19.277}$ . That is, an adversary injects $2^{- 19.277}$ times for each round and gets all ciphertexts that correspond to Table 3 for each round. Therefore, this attack on Piccolo-80 needs $3 \cdot 2^{19.277} \approx 2^{20.862}$ fault injections. Similarly, this attack on Piccolo-128 needs $5 \cdot 2^{19.277} \approx 2^{21.599}$ fault injections. The number of additional encryptions to recover the master key is negligible. Hence, our attack has the complexity of $2^{20.86}$ and $2^{21.60}$ encryptions with four bits of random fault injections for Piccolo-80 and Piccolo-128, respectively.

5. Conclusions

In this paper, we present the security weakness of Piccolo against fault analysis. Our attack fully exploits the structure of Piccolo, which is a Feistel network. We describe an attack for fault injection of target bit positions on Piccolo-80 and Piccolo-128. The master key of Piccolo-80 and Piccolo-128 is recovered by fault analysis by using cube attack with injecting faults 2^8.44 and 2^9.14, respectively. Our attack has the complexity of $2^{8.49}$ and $2^{9.21}$ encryptions for Piccolo-80 and Piccolo-128, respectively, which are practical complexities. And finally, an attack for random four bits fault injection for Piccolo-80 and Piccolo-128 is presented. This attack needs $2^{20.86}$ and $2^{21.60}$ encryptions with four bits of random fault injections for Piccolo-80 and Piccolo-128, respectively.

Footnotes

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

References

Boneh

DeMillo

R. A.

Lipton

R. J.

On the importance of checking cryptographic protocols for faults

Advances in Cryptology—EUROCRYPT'97 1997 1233

Springer

37 51 Lecture Notes in Computer Science

10.1007/3-540-69053-0_4

Biham

Shamir

Differential fault analysis of secret key cryptosystems

Advances in Cryptology—CRYPTO'97 1997 1294

Springer

513 525 Lecture Notes in Computer Science

10.1007/BFb0052259

Kim

C. H.

Quisquater

J.-J.

New differential fault analysis on AES key schedule: two faults are enough

Smart Card Research and Advanced Applications 2008 5189

Springer

48 60 Lecture Notes in Computer Science

2-s2.0-52949128011

10.1007/978-3-540-85893-5_4

Tunstall

Mukhopadhyay

Ali

Differential fault analysis of the advanced encryption standard using a single fault

Information Security Theory and Practice. Security and Privacy of Mobile Devices in Wireless Communication 2011 6633

Springer

224 233 Lecture Notes in Computer Science

2-s2.0-79958840687

10.1007/978-3-642-21040-2_15

Differential fault analysis on the ARIA algorithm

Information Sciences 2008 178 19 3727 3737

2-s2.0-47849097207

10.1016/j.ins.2008.05.031

Jeong

Lee

Sung

Hong

Differential fault analysis on block cipher SEED

Mathematical and Computer Modelling 2012 55 1-2 26 34

2-s2.0-82755161861

10.1016/j.mcm.2011.01.008

Chen

Feng

Differential fault analysis on CLEFIA

Information and Communications Security 2007 4861

Springer

284 295 Lecture Notes in Computer Science

2-s2.0-38149107487

Jeong

Lee

Differential fault analysis on block cipher LED-64

Future Information Technology, Application, and Service 2012 1

Springer

747 755

10.1007/978-94-007-4516-2_79

Jeong

Security analysis of block cipher Piccolo suitable for wireless sensor networks

Peer-to-Peer Networking and Applications 2013

10.1007/s12083-012-0196-9

10.

Liu

Fault analysis of the Piccolo block cipher

Proceedings of the 8th International Conference on Computational Intelligence and Security (CIS '12)

2012

482 486

10.1109/CIS.2012.114

11.

Yoshikawa

Kaminaga

Shikoda

Suzuki

Round addition DFA on 80-bit Piccolo and TWINE

IEICE Transactions on Information and Systems 2013 E96-D 9 2031 2035

12.

Zhang

Zhao

Guo

Wang

Shi

Improved algebraic fault analysis: a case study on Piccolo and applications to other lightweight block ciphers

7864

Proceedings of the 4th International Workshop on Constructive Side-Channel Analysis and Secure Design (COSADE '13)

2013

Springer

62 79 Lecture Notes in Computer Science

10.1007/978-3-642-40026-1_5

13.

Bagheri

Ebrahimpour

Ghaedi

New differential fault analysis on PRESENT

EURASIP Journal on Advances in Signal Processing 2013 2013, article 145 10

10.1186/1687-6180-2013-145

14.

Zhang

W. Y.

Liu

Meng

Differential fault analysis and meet-in-the-middle attack on the block cipher KATAN32

Journal of Shanghai Jiaotong University (Science) 2013 18 2 147 152

15.

Dinur

Shamir

Cube attacks on tweakable black boxp polynomials

Advances in Cryptology—EUROCRYPT 2009 2009 5479

Springer

278 299 Lecture Notes in Computer Science

2-s2.0-67650699727

10.1007/978-3-642-01001-9_16

16.

Abdul-Latip

S. F.

Reyhanitabar

M. R.

Susilo

Seberry

Fault analysis of the KATAN family of block ciphers

Information Security Practice and Experience 2012 7232

Springer

319 336 Lecture Notes in Computer Science

2-s2.0-84859465482

10.1007/978-3-642-29101-2_22

17.

Dinur

Shamir

Applying cube attacks to stream ciphers in realistic scenarios

Cryptography and Communications 2012 4 3-4 217 232

18.

Shibutani

Isobe

Hiwatari

Mitsuda

Akishita

Shirai

Piccolo: an ultra-lightweight blockcipher

Proceedings of the 13th International Workshop on Cryptographic Hardware and Embedded Systems (CHES '11) 2011 6917 342 357 Lecture Notes in Computer Science

2-s2.0-80053524244

10.1007/978-3-642-23951-9_23

19.

Wang

Biclique cryptanalysis of reduced-round Piccolo block cipher

Information Security Practice and Experience 2012 7232

Springer

337 352 Lecture Notes in Computer Science

2-s2.0-84859456896

10.1007/978-3-642-29101-2_23

20.

Song

Lee

Biclique cryptanalysis on lightweight block cipher: HIGHT and Piccolo

International Journal of Computer Mathematics 2013 90 12 1 17

21.

Aumasson

J.-P.

Dinur

Meier

Shamir

Cube testers and key recovery attacks on reduced-round MD6 and trivium

Fast Software Encryption 2009 5665

Springer

1 22 Lecture Notes in Computer Science

2-s2.0-70350385117

10.1007/978-3-642-03317-9_1

The Security Weakness of Block Cipher Piccolo against Fault Analysis

Abstract

1. Introduction

2. Cube Attack and Cube Tester

2.1. Cube Attack

Step 1.

Step 2.

Step 3.

Step 4.

2.2. Cube Tester

Step 1.

Step 2.

Step 3.

Step 4.

3. Description of Piccolo

4. Fault Analysis on the Piccolo

4.1. Equations of Round Function F

4.2. Analysis on the Piccolo-80

Step 1.

Step 2.

Step 3.

Assumption 1.

Assumption 2.

Assumption 3.

4.3. Analysis on the Piccolo-128

Step 1.

Step 2.

Step 3.

Step 4.

Step 5.

4.4. Improved Attack

Case 1.

Case 2.

Case 3.

5. Conclusions

Footnotes

Conflict of Interests

References