Abstract

Round addition differential fault analysis using operation skipping for lightweight block ciphers with on-the-fly key scheduling is presented. For 64-bit KLEIN, it is shown that only a pair of correct and faulty ciphertexts can be used to derive the secret master key. For PRESENT, one correct ciphertext and two faulty ciphertexts are required to reconstruct the secret key. Furthermore, secret key extraction is demonstrated for the LBlock Feistel-type lightweight block cipher.

Keywords: Differential Fault Analysis (DFA), round addition, block cipher, on-the-fly key schedule.

I. INTRODUCTION

DIFFERENTIAL FAULT ANALYSIS (DFA) using operation skipping is an effective technique for attacking cipher-implemented microcontrollers [1]-[3]. Round addition DFA can be achieved by skipping an increment or decrement command. We have previously demonstrated that round addition DFA can be used to derive secret keys for some ciphers that employ Feistel or substitution-permutation network (SPN) block ciphers [4]-[6].

In recent years, several lightweight block ciphers have been proposed for low-resource devices, such as sensor networks, smartcards, and radio-frequency identification systems. These block ciphers are suitable for hardware environments and are expected to be used in software platforms, such as the software in 8-bit microcontrollers [7]-[9], [13], [15]. Thus, to maintain hardware security, their vulnerability to DFA using operation skipping must be evaluated.

In recent years, several reports have presented methods for attacking cipher-implemented hardware [10]-[12], [14]. However, these methods require a number of fault injections to obtain many faulty ciphertexts. Our attack method applies a power supply with an abnormal voltage glitch or a clock signal with a clock glitch to the targeted ICs, without de-packaging or microscopic operations [10], [11]; thus, this technique costs less than other methods.
In this study, a secret-key-extraction method for lightweight block ciphers with an on-the-fly key schedule is presented. The method is essentially identical to that used for block ciphers with either Feistel or SPN structures [5], [6]; however, those methods do not assume an on-the-fly key schedule. This means that both the original and added rounds use identical round keys. Here, we have shown that a secret key can be reconstructed using only a pair of correct and faulty ciphertexts to derive the secret master key for 64-bit KLEIN. For PRESENT, it is shown that one correct ciphertext and two faulty ciphertexts are required to reconstruct the secret key. These results indicate that our attack method is effective for a block cipher with an 'add round key' operation. Furthermore, the secret key extraction is demonstrated for the LBlock Feistel-type lightweight block cipher [13].

II. ROUND ADDITION DFA MODEL FOR BLOCK CIPHER WITH ON-THE-FLY KEY SCHEDULE

Fig. 1 shows the pseudocode of a round addition DFA attack for a block cipher with an on-the-fly key schedule. In the figure, P is plaintext, C is ciphertext derived from P, X is round data, and RK_i (i = 1,…,r) is the i-th round subkey. Each round comprises an F-function F( , ) and a swap permutation SW( ). For a block cipher algorithm with an on-the-fly key schedule, a round key update UD( ) is also included in the round operation. A faulty ciphertext can be obtained if the increment instruction, denoted i++, is bypassed.

    X = P;
    i = 1;
    while (i <= r) {
        X = F(X, RK_i);
        X = SW(X);
        RK_{i+1} = UD(RK_i);
        i++;    /* Attack Point */
    }
    C = X;

Fig. 1 Pseudocode of a round addition DFA attack for a block cipher with an on-the-fly key schedule

III. KEY RECONSTRUCTION METHOD USING ROUND ADDITION DFA FOR KLEIN SPN BLOCK CIPHER

In this section, we present the key reconstruction method for the KLEIN lightweight SPN block cipher [6] with on-the-fly key scheduling. The key reconstruction method for 64-bit KLEIN is illustrated in Fig. 2. This is a 12-round operation lightweight block cipher [8]. The i-th round keys K_i are generated by a 64-bit master key K, which is divided into two byte-oriented tuples as K = A|B = sk_0…sk_7, i.e., A = sk_0…sk_3 and B = sk_4…sk_7, where | denotes concatenation. The initial

Hideki Yoshikawa, Masahiro Kaminaga, Arimitsu Shikoda, and Toshinori Suzuki are with the Faculty of Engineering, Tohoku Gakuin University, Tagajo, Miyagi 985-8537, Japan (e-mail: hyoshi@mail.tohoku-gakuin.ac.jp).

Hideki Yoshikawa, Masahiro Kaminaga, Arimitsu Shikoda, Toshinori Suzuki, "Round Addition Differential Fault Analysis on Lightweight Block Ciphers with On-the-Fly Key Scheduling," World Academy of Science, Engineering and Technology, International Journal of Mathematical and Computational Sciences, Vol:9, No:9, 2015. publications.waset.org/10002866/pdf
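The Fig. 1 fault model from Section II as an added C example (not code from the paper): with a toy cipher whose F, SW and UD are constructed here, one skipped i++ yields the correct ciphertext pushed through one further round under RK_{r+1}, and a redundant round counter refuses to release that output. The counter check is an assumed countermeasure under a single-fault model, and the names rounds, encrypt_checked, extra_round and skip_at are hypothetical.

```c
#include <stdint.h>

#define R 12  /* toy round count */

/* Constructed 16-bit round pieces; NOT KLEIN, PRESENT or LBlock. */
static uint16_t F(uint16_t x, uint16_t rk) {
    x ^= rk;
    return (uint16_t)(((x << 5) | (x >> 11)) + 0x9E37u);
}
static uint16_t SW(uint16_t x)  { return (uint16_t)((x << 8) | (x >> 8)); }
static uint16_t UD(uint16_t rk) { return (uint16_t)(((rk << 3) | (rk >> 13)) ^ 0x5A5Au); }

/* Fig. 1 loop. skip_at is the iteration whose i++ is skipped (0 = no fault).
   *left is a redundant down-counter assumed untouched by the single fault. */
static uint16_t rounds(uint16_t p, uint16_t key, int skip_at, int *left) {
    uint16_t x = p, rk = key;
    int i = 1, iter = 0;
    *left = R;
    while (i <= R) {
        iter++;
        x = F(x, rk);
        x = SW(x);
        rk = UD(rk);               /* on-the-fly update runs every iteration */
        if (iter != skip_at) i++;  /* attack point: increment may be skipped */
        (*left)--;
    }
    return x;
}

/* Unprotected: releases whatever the loop produced. */
uint16_t encrypt(uint16_t p, uint16_t key, int skip_at) {
    int left;
    return rounds(p, key, skip_at, &left);
}

/* Hardened: release the ciphertext only if exactly R rounds ran. */
int encrypt_checked(uint16_t p, uint16_t key, int skip_at, uint16_t *c) {
    int left;
    uint16_t x = rounds(p, key, skip_at, &left);
    if (left != 0) return -1;      /* round count mismatch: suppress output */
    *c = x;
    return 0;
}

/* One further round on c with RK_{R+1}, to compare with a faulty output. */
uint16_t extra_round(uint16_t c, uint16_t key) {
    for (int n = 0; n < R; n++) key = UD(key);
    return SW(F(c, key));
}
```

Because the toy round function does not depend on i, the faulty output is the same whichever iteration loses its increment.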