Improved differential fault analysis on lightweight block cipher LBlock for wireless sensor networks

LBlock is a 64-bit lightweight block cipher which can be implemented in both constrained hardware environments, such as wireless sensor network, and software platforms. In this paper, we study the security of LBlock against a differential fault analysis. Based on a random nibble fault model, we propose two versions of the attack on LBlock. In the first attack, we inject random nibble faults to the input register of round 29. As a result, it can recover the secret key of LBlock using an exhaustive search of 225 and five random nibble fault injections on average. This attack can be simulated on a general PC within a few seconds. In the case of second attack, random nibble faults are induced to the input register of round 30. This attack can recover the secret key of LBlock using an exhaustive search of 230 and seven random nibble fault injection on average. This attack can be simulated on a general PC within 1 h. These results are superior to known differential fault analytic result on LBlock. Introduction Differential fault analysis (DFA), one of the side channel attacks, was first proposed by Biham and Shamir on DES in 1997 [1]. This attack exploits faults within the computation of a cryptographic algorithm to reveal the secret information. So far, DFAs on many block ciphers such as DES, Piccolo, LED, SEED, and ARIA have been proposed [2-7]. It means that DFA poses a major threat to the security on block ciphers. LBlock [8] proposed in ACNS 2011 is a 64-bit lightweight block cipher suitable for both constrained hardware environments such as wireless sensor network and software platforms. It is based on the 32-round variant Feistel structure with 64-bit block size and 80bit key size. There were several cryptanalytic results on LBlock. For example, the proposers of LBlock explored the strength of LBlock against some attacks such as differential cryptanalysis, integral attack, and related-key attack [8]. Also, Karakoc et al. [9] and Liu et al. [10] proposed impossible differential cryptanalysis on a reduced version *Correspondence: [email protected] 2 Department of Computer Science and Engineering, Seoul National University of Science and Technology, Gongneung-ro, Nowon-gu, Seoul, 139–743, South Korea Full list of author information is available at the end of the article of LBlock, respectively. On the other hand, in [11], a differential fault analysis on LBlock was proposed. Based on a random bit fault model, the proposed attack needs at least 7 fault injections. In this paper, we propose a differential fault analysis on LBlock. Based on the random nibble fault model, we consider two fault assumptions. In the first attack (Attack 1), it is assumed that several random nibble faults are injected to the input register of round 29.We can compute the exact fault position by checking the corresponding ciphertext differences. Based on the simulation results, this attack requires an exhaustive search of 225 and five random nibble faults on average, and can recover the 80bit secret key of LBlock within a few seconds on a general PC. In the case of second attack (Attack 2), to recover the 80-bit secret key of LBlock, we inject several random nibble faults to the input register of round 30. This attack requires an exhaustive search of 230 and seven random nibble faults on average. It can also recover the 80-bit secret key of LBlock within 1 h on a general PC. Considering that the proposed attack in [11] requires at least 7 fault injections, our results are superior to it (see Table 1). This paper is organized as follows. In the ‘Description of LBlock’ section, we briefly introduce the structure of LBlock. In the ‘Attack 1 fault position: round 29’ and © 2013 Jeong et al.; licensee Springer. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/2.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. Jeong et al. EURASIP Journal onWireless Communications and Networking 2013, 2013:151 Page 2 of 9 http://jwcn.eurasipjournals.com/content/2013/1/151 Table 1 Comparison between DFA results on LBlock Reference Fault Fault Number of Exhaustive assumption position fault injection search [11] Random bit Round 25 to 31 7 This paper Random nibble Round 29 5 225