Journal of Cryptographic Engineering
https://doi.org/10.1007/s13389-019-00203-9
REGULAR PAPER
An automated framework for exploitable fault identification in block ciphers
Sayandeep Saha¹ · Ujjawal Kumar¹ · Debdeep Mukhopadhyay¹ · Pallab Dasgupta¹
Received: 30 January 2018 / Accepted: 21 February 2019
© Springer-Verlag GmbH Germany, part of Springer Nature 2019
Abstract
Faults have been practically exploited on several occasions to compromise the security of mathematically robust cryptosystems at the implementation level. However, not every possible fault within a cryptosystem is exploitable for a fault attack. Comprehensive knowledge of the exploitable part of the fault space is thus imperative for both the algorithm designer and the implementer in order to devise precise countermeasures and robust algorithms. This paper addresses the problem of exploitable fault characterization in the context of differential fault analysis attacks on block ciphers. A generic and automated framework is proposed which can determine the exploitability of fault instances from any given block cipher in a fast and scalable manner. Such automation is intended to serve as the core engine for analysing fault spaces, which are, in general, difficult to characterize manually because of their formidable size and the complex structural features of the ciphers. Our framework significantly outperforms another recently proposed one, reported by Khanna et al. (in: DAC, ACM, pp. 1–6, 2017), in terms of attack class coverage and automation effort. Evaluation of the framework on AES and PRESENT establishes its efficacy as a potential tool for exploitable fault analysis.
Keywords: Fault attack · Block cipher · Automation

Corresponding author: Sayandeep Saha (sahasayandeep@iitkgp.ac.in)
Debdeep Mukhopadhyay: debdeep@iitkgp.ac.in
Pallab Dasgupta: pallab@iitkgp.ac.in
¹ Department of Computer Science and Engineering, Indian Institute of Technology, Kharagpur, West Bengal 721302, India

1 Introduction
The pervasive use of cryptographic cores within resource-constrained embedded electronic systems has lent great impetus to the construction of lightweight albeit robust crypto-primitives. Such primitives are expected to be augmented with optimally crafted countermeasures against physical attacks, such as passive side-channel attacks and active fault attacks. Ensuring tight security is, however, nontrivial, especially under the resource and performance constraints imposed. Countermeasures against physical attacks can be optimized with knowledge of the attack space on the crypto-primitive under consideration. Quantitative knowledge of the attack space is also useful while developing new primitives, so that better design options can be chosen.
In the context of fault-based attacks, the attack space consists of transient faults corrupting the computation. This paper focuses on block ciphers, which are the most widely deployed symmetric-key primitive so far. Differential fault analysis (DFA) attacks, the most widely explored class of fault attacks, are particularly interesting in this context given their (relatively) low data/fault complexity, easy-to-mount nature [1,3,8], and relaxed fault models. It is well established that even a single properly placed malicious fault is able to compromise the security of mathematically strong crypto-primitives in certain cases. However, discovering even a single attack instance for a given cryptosystem is nontrivial, as not every possible fault may lead to a successful attack. While finding a single exploitable fault instance for a system is sufficient from the perspective of an attacker, certifying a system for fault attack resilience demands the characterization of the complete space of exploitable faults. The problem becomes even more challenging when different ciphers with diverse structures are considered.