Printer Friendly

The security weakness of block cipher piccolo against fault analysis.

1. Introduction

Fault analysis is a type of side channel attack. This analysis was introduced by Boneh et al. in [1]. Differential fault analysis (DFA), which is an improved method of fault analysis, was introduced by Biham and Shamir in [2]. DFA is applied to various block ciphers such as AES [3, 4], ARIA [5], SEED [6], CLEFIA [7], LED [8], Piccolo [9-12], PRESENT [13], and KATAN32 [14]. Cube attack was introduced by Dinur and Shamir in [15]. This attack is an algebraic attack by finding sufficiently low-degree polynomials in a cipher. Cube attack is applied to various cryptosystems such as block cipher [16] and stream cipher [15,17].

In CHES 2011, Piccolo was introduced by Shibutani et al. in [18]. Piccolo is a block cipher which supports 80-bit and 128-bit secret key size. In this paper, we analyze two versions of Piccolo [18] with fault analysis by using cube attack. In ISPEC 2012, fault analysis using cube attack was introduced by Abdul-Latip et al. in [16]. In this paper, we apply this method on Piccolo-80 and Piccolo-128. As a result, we find 16 linear equations corresponding to a round function F by cube attack, which are used to fault analysis.

Piccolo is analyzed by various techniques. In ISPEC 2012, Wang et al. suggest biclique cryptanalysis of reduced round Piccolo in [19]. They analyze reduced version of Piccolo80 without postwhitening keys XOR and reduced 28-round Piccolo-128 without prewhitening keys XOR. In 2013, Song et al. suggest biclique cryptanalysis of full rounds of Piccolo [20]. And also Jeong suggests a differential fault analysis of full rounds of Piccolo [9].

In this paper, we show a fault analysis on the Piccolo by using cube attack. We find 16 linear equations corresponding to a round function F of Piccolo by using cube attack. These equations are used to our attack. In this paper, we describe the case that an adversary injects random 4-bit faults. Our attack has the complexity of [2.sup.20.86] and [2.sup.21.60] encryptions for Piccolo-80 and Piccolo-128, respectively, while the assumption of [9] is an adversary that injects random byte faults. Reference [9] has the complexity of [2.sup.24] and [2.sup.40] encryptions for Piccolo-80 and Piccolo-128, respectively. Our attack has a lower computational complexity than [9], even though the assumption of fault injection in our attack differs from [9].

In Section 2, we briefly describe the procedures of cube attack and cube tester. And then we describe the brief specifications of Piccolo in Section 3. In Section 4, a method of fault analysis of Piccolo by using cube attack is presented. Finally, our conclusions are in Section 5.

2. Cube Attack and Cube Tester

Algebraic attack is to find a solution, which is the key, of a system of equations that represent target cipher with given plaintext and the corresponding ciphertext, that is representing cipher as a system of equations with multiple variables defined over finite field where each key bit is represented as a variable in the system. Solving the system is equivalent to finding the secret key of the target cipher. Cube attack is an algebraic attack finding sufficiently low-degree polynomials in cipher.

2.1. Cube Attack. Cube attack was introduced by Dinur and Shamir in [15]. Cube attack is a chosen plaintext attack. The main idea of cube attack is to find linear equations consisting of secret variables by using cube sum. Let p([v.sub.1], ..., [v.sub.n], [k.sub.1], ..., [k.sub.m]) be a polynomial derived from a cipher, where [v.sub.1], ..., [v.sub.n] are public variables and [k.sub.1], ..., [k.sub.m] are secret variables. In other words, each secret variable is considered a bit in secret key and each public variable is considered a bit in plaintext or internal state. Let I = {[I.sub.1], ..., [I.sub.s]} [subset or equal to] {1, ..., n} be a set and let [t.sub.I] be the monomial [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]. Note that the set in terms of I is called cube index. Then the polynomial p is represented by three polynomials [t.sub.I], [p.sub.S(I)], and q as the following form:

P([v.sub.1], ..., [v.sub.n], [k.sub.1], ..., [k.sub.m]) = [t.sub.I] x [P.sub.s(I)] + q{[v.sub.1], ..., [v.sub.n], [k.sub.i], ..., [k.sub.m]}, (1)

where q is not consisting of a monomial which has a factor tv Cube attack is required to check the linearity of [p.sub.S(I)] which is called superpoly. A superpoly [p.sub.S(I)] is called a maxterm if [p.sub.S(I)] is linear. We use the following cube sum to finda [P.sub.S(I)]:

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII], (2)

where plaintext bits except cube index ([v.sub.i], i [member of] {1, ..., n} - I) are fixed as constants.

As the above representation, cube is completed with the sum total [2.sup.S] pairs of plaintext and ciphertext for a cube index I = {71,..., Is}. To check whether [p.sub.S(I)] is a maxterm, linearity test is required. Let [p.sub.S(I)] ([k.sub.1], ..., [k.sub.m]) be a polynomial of m variables over GF(2). Let t be the number of tests. The following is a procedure of linearity test.

Step 1. Choose 2 random vectors x,y [member of] GF[(2).sup.m].

Step 2. If [p.sub.S(I)] (x) [direct sum] [p.sub.S(I)] (y) [direct sum] [p.sub.S(I)] (0) [not equal to] [p.sub.S(I)] (x[direct sum]y), then [p.sub.S(I)] is not linear. Stop the test.

Step 3. Repeat Steps 1 and 2, t times.

Step 4. [p.sub.S(I)] is linear. Stop the test, where 0 = (0, ..., 0) [member of] GF[(2).sup.m].

If [p.sub.S(I)] ([k.sub.1], ..., [k.sub.m]) is linear, the above equation in Step 2 is always correct for all inputs x,y [member of] GF[(2).sup.m]. Because checking all inputs is impossible, an upper bound of number of linearity tests has to be set. If there are at most [d.sub.1] elements in a cube index for testing linearity, at most [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] pairs of plaintext and ciphertext are needed. Cube attack consists of preprocessing phase and online phase. Preprocessing phase is to find a system of linear equations by using cube sum and linearity test. Online phase is recovering the master key stored by using an encryption oracle. The following are details for the two phases.

Preprocessing Phase. After finding a polynomial from a cipher, find a cube, that is, a maxterm, by using linearity test. Since we know output after all plaintext bits are entered in encryption oracle, fix plaintext except cube index as a constant. Fixed constants of every cube do not have to be equal. Let [f.sub.i] be a maxterm which consists of only secret variables [k.sub.1], ..., [k.sub.m] and let [b.sub.i] be the value of the maxterm [f.sub.i] which is found from online phase. We consider the following system of equations:

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] (3)

In the preprocessing phase, find enough maxterms to recover the master key and precalculate this system of equations by using Gaussian elimination. If we find m linear independent maxterms, then recover all the master keys with [m.sup.3] operations for recovery by using Gaussian elimination. In general, it is lower than complexity [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] for finding l maxterms. Let [f.sub.1], ..., [f.sub.m] be linearly independent. Then the master keys are represented as the following system:

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]. (4)

Online Phase. In online phase, calculate the value of cube sum from an encryption oracle by using the cube that has been found in the preprocessing phase. Let each plaintext bit not in the cube be constant. The calculated value is [b.sub.i], that is, the value of the maxterm. By substituting the value [b.sub.i] into (4), we recover the master key. Let cube index found at preprocessing phase have at most [d.sub.2] elements. Then the complexity of online phase is [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII].

2.2. Cube Tester. Cube attack finds a maxterm by testing linearity of [p.sub.S(I)] of a given polynomial p and cube index I. Cube tester distinguishes a polynomial from a random polynomial by many tests including linearity test. There are some other tests using cube sum in [21]. In cube attack, a plaintext bit not in the cube is fixed as a constant. However all bits not in the cube have to be considered variables in the cube tester. Since the purpose of using the cube tester is getting information, which are properties of polynomial, we use the low-degree test that is in [21]. The degree N is determined by low-degree test. Let I be a cube index, let J be the number of bits not in the cube index (i.e., J = n + m - S; [p.sub.S(I)] consists of J variables), and t is the number of tests. Since low-degree test is valid only when p(0) = 0 for the given polynomial p, we define [p.sup.*.sub.S(I)] (x) = [p.sub.S(I)] (x) + [p.sub.S(I)](0). Then low-degree test for the polynomial [p.sup.*.sub.S(I)](x) is as follows.

Step 1. Choose N + 1 random vectors [y.sub.1], ..., [y.sub.N+1] [member of] GF(2)'.

step 1 if [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII], then degree of [p.sub.S(I)] > N. Stop the test.

Step 3. Repeat Steps 1 and 2, t times.

Step 4. Degree of [less than or equal to] N. Stop the test.

if N = 1,thenthelow-degreetestissimilartothelinearity test. We use the idea of the cube tester which uses everybit not in the cube index (consisting of plaintext and the master key) as a variable.

3. Description of Piccolo

Piccolo is a 64-bit block cipher with 80- and 128-bit key size. The structure of Piccolo is a Feistel network. Piccolo-80 consists of 25 rounds and Piccolo-128 consists of 31 rounds. Figure 1 illustrates the working processing of Piccolo. Each round consists of two functions, round function F and round permutation RP. The round functions F and RP are as follows.

Round Function F. The round function F is defined by

F([x.sub.0], [x.sub.1], [x.sub.2], [x.sub.3]) = (S([x.sub.0]), S([x.sub.1]), S([x.sub.2]), S([x.sub.3])) x M x [(S([x.sub.0]), S([x.sub.1]), S([x.sub.2]), S([x.sub.3])).sup.t] (5)

where [X.sup.t] is the transposition of X.

S(x) is the 4-bit S-box and M is the diffusion matrix as follows (see Table 1):

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] (6)

The multiplications between M and vectors are defined by an irreducible polynomial [x.sup.4] + x + 1 over GF([2.sup.4]).

Round Permutation RP. The round permutation RP is defined by

RP ([x.sub.0], [x.sub.1], ..., [x.sub.7]) = ([x.sub.2], [x.sub.7], [x.sub.4], [x.sub.1], [x.sub.6], [x.sub.3], [x.sub.0], [x.sub.5]), (7)

where [x.sub.i] is byte.

For description of Piccolo and our attack, we denote intermediate variables before r-round as [X.sup.r] = [X.sup.r.sub.0] [absolute value of ([X.sup.r.sub.1])] [X.sup.r.sub.2] | [X.sup.r.sub.3] = ([x.sup.r.sub.0], ..., [x.sup.r.sub.63]) and intermediate variables before r-round's RP function as [Y.sup.r] = [Y.sup.r.sub.0] | [Y.sup.r.sub.1] | [Y.sup.r.sub.2] | [Y.sup.r.sub.3] (i.e., RP([Y.sup.r]) = [X.sup.r+1]). Let the round function F in r-round be F([X.sup.r.sub.i]) = ([F.sub.0]([X.sup.r.sub.i]), ..., [F.sub.15]([X.sup.r.sub.i])) and let the round key be [rk.sub.r] = ([k.sup.r.sub.0], ..., [k.sup.r.sub.15]). The other notations are as follows:

[([X.sup.r.sub.i]).sup.L]: left 8 bits of [X.sup.r.sub.i] and [([X.sup.r.sub.i]).sup.R]: right 8 bits of [X.sup.r.sub.i]; [K.sup.L.sub.r]: left 8 bits of [K.sub.i] and [K.sup.R.sub.i]: right 8 bits of [K.sub.i];

A | B: concatenation of A and B.

Let the 64-bit plaintext and ciphertext be P and C, respectively. Encryption of Piccolo is defined as follows:

(1) [P.sub.0] | [P.sub.1] | [P.sub.2] | [P.sub.3] [left arrow] P ([P.sub.i] is the 16-bit plaintext);

(2) [X.sup.1.sub.0] [left arrow] [p.sub.0] [direct sum] w[k.sub.0], [X.sup.1.sub.1] = [P.sub.1] [X.sup.1.sub.2] [left arrow] [p.sub.2] [direct sum] w[k.sub.2], [X.sup.1.sub.3] = [P.sub.3];

(3) for i = 1 to r - 1

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

(4) [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII];

(5) C [left arrow] [Y.sup.r.sub.0] | [Y.sup.r.sub.1] | [Y.sup.r.sub.2] | [Y.sup.r.sub.3] ([Y.sup.r.sub.i] is the 16-bit ciphertext).

Key schedule of Piccolo consists of the following. Piccolo-80:

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] (8)

for i [left arrow] 0 to 24 do

if i mod 5 = 0 or 2, then

(r[k.sub.2i],r[k.sub.2i+1]) [left arrow] ([con.sup.80.sub.2i] [con.sup.80.sub.2i+1]) [direct sum] ([K.sub.2], [K.sub.3]) (9)

if i mod 5 = 1 or 4, then

(r[k.sub.2i],r[k.sub.2i+1]) [left arrow] ([con.sup.80.sub.2i] [con.sup.80.sub.2i+1]) [direct sum] ([K.sub.0], [K.sub.1]) (10)

if i mod 5 = 3, then

(r[k.sub.2i],r[k.sub.2i+1]) [left arrow] ([con.sup.80.sub.2i] [con.sup.80.sub.2i+1]) [direct sum] ([K.sub.4], [K.sub.4]) (11)

where [con.sup.80.sub.i] is the round constant.

Piccolo-128:

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII], (12)

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] (13)

where [con.sup.128.sub.i] is the round constant.

Since key schedule of Piccolo is just performing XOR determined constants to the master key, recovering the round key and recovering the master key are the same. Table 2 is showing the master key used for the round key of Piccolo. Detailed descriptions of Piccolo are in [18].

4. Fault Analysis on the Piccolo

In this section, we show the fault analysis for Piccolo-80 and Piccolo-128. We assume that an adversary is able to make 4-bit errors in a maximum at a time on a round during an encryption process. By using cube sum, find system of linear equations in the common F of Piccolo-80 and Piccolo-128. And use the system to represent the phase recovering the master key of Piccolo-80 and Piccolo-128. Analysis of a round function F in Section 4.1 is corresponding to the preprocessing phase of cube attack. The attack in Sections 4.2 and 4.3 is the case of an encryption oracle that is given and is corresponding to online phase.

4.1. Equations of Round Function F. Since round function F is the same for Piccolo-80 and Piccolo-128, the results of fault injection attack on F are the same in the both algorithms. Let F(X) = ([F.sub.0](X), ..., [F.sub.15](X)), where X = ([x.sub.0], [x.sub.1], ..., [x.sub.15]) is an 16-bit intermediate value and each [F.sub.j](x) is a bit (F : GF[(2).sup.16] [right arrow] GF[(2).sup.16]). We test all possible cubes of degree 1 to degree 4 and all possible inputs for each cube. We get many linear polynomials and choose 16 appropriate polynomials for recovering the master key. Table 3 shows our selected 16 polynomials, cube index, and output bit ([F.sub.i]).

4.2. Analysis on the Piccolo-80. We explain how to recover all the master keys of Piccolo-80. By key schedule of Piccolo80, recovering [wk.sub.2], [wk.sub.3], [rk.sub.44], [rk.sub.48], and [rk.sub.49] is equal to recovering all the master keys of Piccolo-80. Let plaintext P be given and let [X.sup.j.sub.i], [Y.sup.j.sub.i] be intermediate values for plaintext P. In this paper, we recover the master key of Piccolo-80 by recovering some [X.sup.j.sub.i]s. Figure 2 is for the last 4 rounds of Piccolo-80. The following is the attack on Piccolo-80.

Step 1. First, we analyze the last round (i.e., round 25). Perform cube sum by using the cube in Table 3 for F which

takes [X.sup.25.sub.0]. For example, consider 6th equation of Table 3. Suppose that inject fault into [x.sup.25.sub.4] to [x.sup.25.sub.8]. Then, since fault is injected into only [X.sup.25.sub.0], value of [X.sup.25.sub.1] or [rk.sub.48] is not changed. We notate the following to explain our attack:

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII].

We calculate cube sum for cube index {4,8} like the following:

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]. (14)

[y.sup.25.sub.12] is not the output of F. But since cube sum does XOR even times, [x.sup.25.sub.28] and [rk.sup.48.sub.12] are offset. That is, we know value of cube sum cause of [Y.sup.25.sub.0] | [Y.sup.25.sub.1] | [Y.sup.25.sub.2] | [Y.sup.25.sub.3] = C. In the same way, cube sum using fault injection in this paper is performed. By performing cube sum for every cube in Table 3, we get 16 systems of equations. Recover input [X.sup.25.sub.0].

Similarly, we recover input Xf using F which takes X^.Since [X.sup.25.sub.0] [direct sum] [wk.sub.2] = [Y.sup.25.sub.0], [X.sup.25.sub.2] [direct sum] [wk.sub.3] = [Y.sup.25.sub.2], we recover [wk.sub.2], [wk.sub.3] (i.e., [K.sub.3], [K.sub.4]).

Step 2. Since we know [wk.sub.2] and [wk.sub.3], calculate intermediate value [X.sup.25.sub.0], [X.sup.25.sub.2] for given ciphertext. Round permutation RP in round 24 is as follows:

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]. (15)

Therefore, we calculate [Y.sup.24.sub.1], [Y.sup.24.sub.3] for given ciphertext. By using this, analyze round 24. In a similar way with Step 1, recover [X.sup.24.sub.0], [X.sup.24.sub.2] by using the cube in Table 3 for F which takes [X.sup.24.sub.0], [X.sup.24.sub.2]. Since [X.sup.24.sub.0] = [Y.sup.24.sub.0], [X.sup.24.sub.2] = [Y.sup.24.sub.2], [Y.sup.24.sub.0] = [([X.sup.25.sub.3]).sup.L]|[([X.sup.25.sub.1]).sup.B], and [Y.sup.24.sub.2] = [([X.sup.25.sub.1]).sup.L] | [([X.sup.25.sub.3]).sup.R], we recover [X.sup.25.sub.1], [X.sup.25.sub.3] Then we recover [rk.sub.48], [rk.sub.49] (i.e., [K.sub.0], [K.sub.1]) since [X.sup.25.sub.1] [direct sum] F([X.sup.25.sub.0]) [direct sum] [rk.sub.48] = [Y.sup.25.sub.1], [X.sup.25.sub.3] [direct sum]] F([X.sup.25.sub.2]) [direct sum] [rk.sub.49] = [Y.sup.25.sub.3].

Step 3. We recover [K.sub.0], [K.sub.1], [K.sub.3], and [K.sub.4] so far. Given ciphertext C, we calculate [X.sup.24.sub.0], [X.sup.24.sub.1], [X.sup.24.sub.3], and [X.sup.24.sub.3]. That is, we recover [X.sup.23.sub.0], [X.sup.23.sub.2], [Y.sup.23.sub.1] and [Y.sup.23.sub.3]. We want to recover [X.sup.23.sub.1]. Since [X.sup.22.sub.0] = [Y.sup.22.sub.0] = [([X.sup.23.sub.3]).sup.L] | [([X.sup.23.sub.1]).sup.R], [X.sup.22.sub.2] = [Y.sup.22.sub.2] = [([X.sup.23.sub.1]).sup.L] | [([X.sup.23.sub.3]).sup.R], if we recover right 8 bits of [X.sup.22.sub.0] and left 8 bits of [X.sup.22.sub.2], then we recover [X.sup.22.sub.1]. To recover right 8 bits of [X.sup.22.sub.0], inject fault into bits corresponding to cube index of last 8 equations in Table 3. For recovering left 8 bits of [X.sup.22.sub.2], inject fault into bits corresponding to cube index of first 8 equations in Table 3. Then we recover [X.sup.23.sub.1]. Since [X.sup.23.sub.1] [direct sum] F([X.sup.23.sub.0]) [direct sum] [rk.sub.44] = [Y.sup.23.sub.1], we recover [rk.sub.44] (i.e., K2).

Use the above 3 steps to recover all the master keys used for Piccolo-80. This needs the assumption that we inject fault into at most 4 bits in the same time. Thus in this paper we consider the following as an analyzing way.

Assumption 1. We inject fault into at most 4 bits in the same time. But, apply this to only last round.

Assumption 2. We inject fault into at most 4 bits in the same time. But, apply this to only rounds 24 and 25.

Assumption 3. We inject fault into at most 4 bits in the same time.

That is, suppose that we analyze only Step 1 or Steps 1 and 2. Even though we analyze only Steps 1 and 2, since at least 32 bits of 80-bit master key are recovered, we recover all the master keys with less operations than brute-force attack. To recover [X.sup.r.sub.i], inject fault into 11 bits among 16 bits of internal state [X.sup.r.sub.i] by using injections 66 times. To recover left 8 bits and right 8 bits of [X.sup.r.sub.i](i.e., [([X.sup.r.sub.i]).sup.L], [([X.sup.r.sub.i]).sup.R]), we inject fault into 8 bits and 10 bits among 16 bits of [X.sup.r.sub.i], respectively. Then [([X.sup.r.sub.i]).sup.L], [([X.sup.r.sub.i]).sup.R] are recovered by using injections 44 and 39 times, respectively.

Under Assumption 1, we need 133 encryptions for recovering 32-bit master key ([wk.sub.2], [wk.sub.3]). We exclusively search to recover remaining 48-bit master key. Therefore, we need total 133 + 248 ~ 248 encryptions for recovering the master key under Assumption 1.

Under Assumption 2, we need 133 encryptions for recovering 32-bit master key ([wk.sub.2],[wk.sub.3]). For recovering 32-bit round keys [rk.sub.48] and [rk.sub.49], we have to calculate [Y.sup.24.sub.1], [Y.sup.24.sub.3]. Given ciphertext, calculating [Y.sup.24.sub.1] is equivalent to 0.5 round encryption. So is [Y.sup.24.sub.3]. Hence, we need 132 + (132 x 0.5 + 1)/25 encryptions for recovering 32-bit round keys [rk.sub.48] and [rk.sub.49]. We exclusively search to recover remaining 16-bit master key. Therefore, we need total 133 + (132 + 67/25) + [2.sup.16] [approximately equal to] [2.sup.16.01] encryptions for recovering the master key under Assumption 2.

Under Assumption 3, we need 133+(132+67/25) encryptions for recovering [wk.sub.2], [wk.sub.3], [rk.sub.48], and [rk.sub.49]. Given ciphertext, calculating Y22 is equivalent to 2.5 round encryption. We need 44 + 39 + {(44 + 39) x 2.5 + 1 x 3}/25 encryptions for recovering 32-bit round keys [rk.sub.44], [rk.sub.45]. Therefore, we need total 133+ (132+ 67/25)+ (83+ 210.5/25) [approximately equal to] [2.sup.8.49] encryptions for recovering the master key under Assumption 3. Table 4 is showing encryption complexity needed for recovering the master key of each assumption.

4.3. Analysis on the Piccolo-128. Piccolo-128 recovers the master key in a similar way to Piccolo-80. Figure 3 is for the last 5 rounds of Piccolo-128. The following is how Piccolo-128 recovers the master key.

Step 1. First, we analyze the last round (i.e., round 25). In a similar way with Step 1 in analysis of Piccolo-80, recover [X.sup.31.sub.0], [X.sup.31.sub.2] by using the cube in Table 3 for F which takes [X.sup.31.sub.0], [X.sup.31.sub.2]. Since [X.sup.31.sub.0] [direct sum] [wk.sub.2] = [Y.sup.31.sub.0], [X.sup.31.sub.2] [direct sum] [wk.sub.3] = [Y.sup.2.sub.31], we recover [wk.sub.2], [wk.sub.3] ([K.sub.4], [K.sub.7]).

Step 2. Since we know [wk.sub.2] and [wk.sub.3], calculate intermediate values [X.sup.31.sub.0], [X.sup.31.sub.2] for given ciphertext. Since [Y.sup.30.sub.1] = [([X.sup.31.sub.0]).sup.L] [absolute value of [([X.sup.31.sub.2]).sup.R], [Y.sup.30.sub.3] = [([X.sup.31.sub.2]).sup.L]] [([X.sup.31.sub.0]).sup.R] , we calculate [Y.sup.30.sub.1], [Y.sup.30.sub.3]] for given ciphertext. In a similar way with Step 1 in analysis of Piccolo-80, recover [X.sup.31.sub.0], [X.sup.31.sub.2] by using the cube in Table 3 for F which takes [X.sup.31.sub.0], [X.sup.31.sub.2]. We recover [X.sup.31.sub.1], [X.sup.31.sub.3], since [X.sup.30.sub.0] = [Y.sup.30.sub.0], [X.sup.30.sub.2] = [y.sup.30.sub.2], and [y.sup.30.sub.0] = [([X.sup.31.sub30]).sup.L] [absolute value of [([X.sup.31.sub.1]).sup.R], [Y.sup.30.sub.2] = [([X.sup.31.sub.1).sup.L]] [([X.sup.31.sub.1]).sup.R]. Since [X.sup.31.sub.1] [direct sum] F([X.sup.31.sub.0])[direct sum][rk.sub.60] = [Y.sup.31.sub.1], [X.sup.31.sub.1] [direct sum] F ([X.sup.31.sub.2])[direct sum][rk.sub.61] = [Y.sup.31.sub.3], were cover [rk.sub.60], [rk.sub.61] ([K.sub.2], [K.sub.5]).

Step 3. Since we know [wk.sub.2], [wk.sub.3], [rk.sub.60], and [rk.sub.61], calculate intermediate values [X.sup.30.sub.0], [X.sup.30.sub.2], [Y.sup.31.sub.1], and [Y.sup.30.sub.3] for given ciphertext. Since [Y.sup.29.sub.1] = ([X.sup.30.sub.0]) [absolute value of [([X.sup.30.sub.2]).sup.R] [Y.sup.29.sub.3] = ([X.sup.30.sub.2])] [([X.sup.30.sub.0]).sup.R], we calculate [Y.sup.29.sub.1], [Y.sup.29.sub.3] for given ciphertext. In a similar way with Step 1 in analysis of Piccolo-80, recover [X.sup.29.sub.0], [X.sup.29.sub.2] by using the cube in Table 3 for F which takes [X.sup.29.sub.0], [X.sup.29.sub.2]. We recover [X.sup.30.sub.1], [X.sup.30.sub.3] since [X.sup.29.sub.0] = [Y.sup.29.sub.0], [X.sup.29.sub.0] = [X.sup.29.sub.2], and [Y.sup.29.sub.0] = [([X.sup.30.sub.3]).sup.L][absolute value of [([X.sup.30.sub.1]).sup.R], [Y.sup.29.sub.2] = [([X.sup.30.sub.1]).sup.L]] [([X.sup.30.sub.0]).sup.R]. Since [X.sup.30.sub.1] [direct sum] F ([X.sup.30.sub.0]) [direct sum] [rk.sub.58] = [Y.sup.30.sub.1] [X.sup.30.sub.3] [direct sum] F([X.sup.30.sub.2]) [direct sum] [rk.sub.59] = [Y.sup.30.sub.3], we recover [rk.sub.58], [rk.sub.59] ([K.sub.6], [X.sub.3]).

Step 4. This step is similar to Step 3 in analysis of Piccolo-80. Given ciphertext C, we calculate [X.sup.29.sub.0], [X.sup.29.sub.2], [Y.sup.29.sub.1], and [Y.sup.29.sub.3]. We want to recover [X.sup.29.sub.1]. Since [X.sup.28.sub.0] = [Y.sup.28.sub.0] = [([X.sup.29.sub.3]).sup.L] [absolute value of [([X.sup.29.sub.1]).sup.R], [X.sup.28.sub.2] = [Y.sup.28.sub.2]] = [([X.sup.29.sub.1]).sup.L]] [([X.sup.29.sub.3]).sup.R], if we recover right 8 bits of [X.sup.28.sub.0] and left 8 bits of [X.sup.28.sub.2] , then we recover [X.sup.29.sub.1]. To recover right 8 bits of [X.sup.28.sub.2], inject fault into bits corresponding to cube index of last 8 equations in Table 3. For recovering left 8 bits of [X.sup.28.sub.2], inject fault into bits corresponding to cube index of first 8 equations in Table 3. Then [X.sup.29.sub.1] is recovered. And then we recover [rk.sub.56]([K.sub.0]), because [X.sup.29.sub.1] [direct sum] F([X.sup.29.sub.0]) [direct sum] [rk.sub.56] = [Y.sup.29.sub.1].

Step 5. This step is similar to Step 3 in analysis of Piccolo-80. We want to recover [X.sup.28.sub.3]. Given ciphertext C, we calculate [X.sub.28.sub.0], [X.sub.28.sub.2], [Y.sub.28.sub.1], and [Y.sup.28.sub.3]. Since [X.sup.27.sub.0] = [Y.sup.27.sub.0] = [([X.sup.28.sub.3]]).sup.L]] [([X.sup.28.sub.1]).sup.R], [X.sup.27.sub.2] = [Y.sup.27.sub.2] = [([X.sup.28.sub.1]).sup.L]] [([X.sup.28.sub.3]).sup.R], we recover left 8 bits of [X.sup.27.sub.0] and right 8 bits of [X.sup.27.sub.2]. To recover left 8 bits of [X.sup.27.sub.0], inject fault into bits corresponding to cube index of first 8 equations in Table 3. For recovering right 8 bits of X27, inject fault into bits corresponding to cube index of last 8 equations in Table 3. Then we recover [X.sup.28.sub.3]. And we recover [rk.sub.55]([K.sub.1]) since [X.sup.28.sub.3] [direct sum] F([X.sup.28.sub.2]) [direct sum] [rk.sub.55] = [Y.sup.28.sub.3].

Use the above 5 steps to recover all the master keys used for Piccolo-128. This needs the assumption that we inject fault into at most 4 bits in the same time. Assume that we analyze only Steps 1, 2, 3, and 4 such as Piccolo-80. Even though we analyze only Steps 1,2, 3, and 4, since at least 32 bits of 128-bit master key are recovered, we recover all the master keys with less operations than brute-force attack. Table 5 is showing encryption complexity needed for recovering the master key of each assumption.

4.4. Improved Attack. The attacks described in Sections 4.2 and 4.3 are valid under the assumption that an adversary is able to control the injecting time and bit positions to inject fault and the number of bits of fault injection. However it is difficult to control bit positions where faults are injected. Therefore, in this section, we explain the way of attack under the assumption that an adversary is not able to control bit positions to inject faults. That is, an adversary is able to inject i bits of random faults into Piccolo-80 and Piccolo-128. The attack of Section 4.4 is similar to the attack of Sections 4.2 and 4.3. But this attack adds the process that determines fault position before each Step of Sections 4.2 and 4.3.

Assume that we inject i bits of random fault into last round. In some cases, we determine fault position. Then, the following is how to determine position of fault injection for 3 cases. (Each case with 4 fault bits is described in Figures 4, 5, and 6).

Case 1. There are i bits error in [Y.sup.r.sub.0]([Y.sup.r.sub.2]) after fault injection. Since [X.sup.r.sub.0] [direct sum] [wk.sub.2] = [Y.sup.r.sub.0] ([X.sup.r.sub.2] [direct sum] [wk.sub.3] = [Y.sup.r.sub.2]) and i fault bits, if [Y.sup.r.sub.0] ([Y.sup.r.sub.2]) is different i bits from original ciphertext, then fault injection position in [X.sup.r.sub.0]([X.sup.r.sub.2) must be same with changed i bits after fault injection in [Y.sup.r.sub.0] ([Y.sup.r.sub.2]).

Case 2. There are j bits error in [Y.sup.r.sub.0] and i - j bits error in [Y.sup.r.sub.2]. after fault injection. In a similar way to Case 1, fault injection position in [X.sup.r.sub.0] must be same with changed j bits after fault injection in [Y.sup.r.sub.0]. And fault injection position in [X.sup.r.sub.2] must be same with changed i-j bits after fault injection in [Y.sup.r.sub.2].

Case 3. There are i - j bits error in [Y.sup.r.sub.0]([Y.sup.r.sub.2]) and j bits error in [Y.sup.r.sub.3]([Y.sup.r.sub.1]). And there is no error in [Y.sup.r.sub.2]([Y.sup.r.sub.0]). If there are j bits error

in [Y.sup.r.sub.3] ([Y.sup.r.sub.1]), then [X.sup.r.sub.0]([X.sup.r.sub.0]) or [X.sup.r.sub.3] ([X.sup.r.sub.1]) is fault injected. Since there is no error in [Y.sup.r.sub.2] ([Y.sup.r.sub.0]), fault injection position in [X.sup.r.sub.3]([X.sup.r.sub.1]) must be same with changed j bits after fault injection in [Y.sup.r.sub.3]([Y.sup.r.sub.1]). Furthermore, [X.sup.r.sub.0] ([X.sup.r.sub.0]) must be same with changed i - j bits after fault injection in [Y.sup.r.sub.0] ([Y.sup.r.sub.2]) since there are i - j bits error in [Y.sup.r.sub.0] ([Y.sup.r.sub.2]).

Therefore, we determine the position of fault injection for these 3 cases. Table 3 is the table of optimal cubes that are used for the attack in Sections 4.2 and 4.3. Therefore, there are many cubes except cubes in Table 3. Because there are too many cubes, we do not describe all cubes in this paper. For example, suppose that we get 16 ciphertexts for cube sum of {0,1,3,4}. Then we calculate all of subcubes of {0,1,3,4}. So, we use cubes in Table 6 and recover 1st, 2nd, 5th, and 7th bit of whitening key.

By the same method, we use sufficient cubes for recovering [wk.sub.2] and [wk.sub.3] of Piccolo-80 and Piccolo-128 and recover [wk.sub.2] and [wk.sub.3]. Since we know wkr and [wk.sub.3], calculate intermediate values [X.sup.r.sub.0], [X.sup.r.sub.2] for given ciphertext. Therefore, we inject faults into (r - 1)th round, determining position of fault injection by 3 cases that described this section. And we recover (r - 1)th round key. This process is the same with Step 2 in Section 4.2 and Step 2 in Section 4.3 except determining position of fault injection. By the same way, we recover all the master keys ofPiccolo-80 and Piccolo-128 using Steps in Sections 4.2 and 4.3 with determining position of fault injection, respectively.

The complexity of this attack depends on the complexity for finding ciphertext to recover round key. For Table 3, we need 66 ciphertexts. Table 7 is showing necessary positions of fault injection for cubes of Table 3.

For calculating complexity, we assume that an adversary always injects 4-bit random fault into the last three and five rounds for Piccolo-80 and Piccolo-128, respectively. Since an adversary injects exactly 4-bit fault, position of all fault bits has to match position that we want. This probability is [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]. That is, an adversary injects 2-19'277 times for each round and gets all ciphertexts that correspond to Table 3 for each round. Therefore, this attack on Piccolo-80 needs 3 * [2.sup.19.277] [approximately equal to] [2.sup.20.862] fault injections. Similarly, this attack on Piccolo-128 needs 5 * [2.sup.19.277] = [2.sup.21.599] fault injections. The number of additional encryptions to recover the master key is negligible. Hence, our attack has the complexity of [2.sup.20.86] and [2.sup.21.60] encryptions with four bits of random fault injections for Piccolo-80 and Piccolo-128, respectively.

5. Conclusions

In this paper, we present the security weakness of Piccolo against fault analysis. Our attack fully exploits the structure of Piccolo, which is a Feistel network. We describe an attack for fault injection of target bit positions on Piccolo-80 and Piccolo-128. The master key of Piccolo-80 and Piccolo-128 is recovered by fault analysis by using cube attack with injecting faults [2.sup.8.44] and [2.sup.9.14], respectively. Our attack has the complexity of [2.sup.8.49] and [2.sup.9.21] encryptions for Piccolo-80 and Piccolo-128, respectively, which are practical complexities. And finally, an attack for random four bits fault injection for Piccolo-80 and Piccolo-128 is presented. This attack needs [2.sup.20.86] and [2.sup.21.60] encryptions with four bits of random fault injections for Piccolo-80 and Piccolo-128, respectively.

http://dx.doi.org/10.1155/2014/842675

Conflict of Interests

The authors declare that there is no conflict of interests

regarding the publication of this paper.

References

[1] D. Boneh, R. A. DeMillo, and R. J. Lipton, "On the importance of checking cryptographic protocols for faults," in Advances in Cryptology--EUROCRYPT'97, vol. 1233 of Lecture Notes in Computer Science, pp. 37-51, Springer, 1997

[2] E. Biham and A. Shamir, "Differential fault analysis of secret key cryptosystems," in Advances in Cryptology--CRYPTO'97, vol. 1294 of Lecture Notes in Computer Science, pp. 513-525, Springer, 1997.

[3] C. H. Kim and J.-J. Quisquater, "New differential fault analysis on AES key schedule: two faults are enough," in Smart Card Research and Advanced Applications, vol. 5189 of Lecture Notes in Computer Science, pp. 48-60, Springer, 2008.

[4] M. Tunstall, D. Mukhopadhyay, and S. Ali, "Differential fault analysis of the advanced encryption standard using a single fault," in Information Security Theory and Practice. Security and Privacy of Mobile Devices in Wireless Communication, vol. 6633 of Lecture Notes in Computer Science, pp. 224-233, Springer, 2011.

[5] W. Li, D. Gu, and J. Li, "Differential fault analysis on the ARIA algorithm," Information Sciences, vol. 178, no. 19, pp. 3727-3737, 2008.

[6] K. Jeong, Y. Lee, J. Sung, and S. Hong, "Differential fault analysis on block cipher SEED," Mathematical and Computer Modelling, vol. 55, no. 1-2, pp. 26-34, 2012.

[7] H. Chen, W. Wu, and D. Feng, "Differential fault analysis on CLEFIA," in Information and Communications Security, vol. 4861 of Lecture Notes in Computer Science, pp. 284-295, Springer, 2007.

[8] K. Jeong and C. Lee, "Differential fault analysis on block cipher LED-64," in Future Information Technology, Application, and Service, vol. 1, pp. 747-755, Springer, 2012.

[9] K. Jeong, "Security analysis of block cipher Piccolo suitable for wireless sensor networks," Peer-to-Peer Networking and Applications, 2013.

[10] S. Li, D. Gu, Z. Ma, and Z. Liu, "Fault analysis of the Piccolo block cipher," in Proceedings of the 8th International Conference on Computational Intelligence and Security (CIS '12), pp. 482-486, 2012.

[11] H. Yoshikawa, M. Kaminaga, A. Shikoda, and T. Suzuki, "Round addition DFA on 80-bit Piccolo and TWINE," IEICE Transactions on Information and Systems, vol. E96-D, no. 9, pp. 2031-2035, 2013.

[12] F. Zhang, X. Zhao, S. Guo, T. Wang, and Z. Shi, "Improved algebraic fault analysis: a case study on Piccolo and applications to other lightweight block ciphers," in Proceedings of the 4th International Workshop on Constructive Side-Channel Analysis and Secure Design (COSADE '13), vol. 7864 of Lecture Notes in Computer Science, pp. 62-79, Springer, 2013.

<463_TB006>

<463_TB007>

[13] N. Bagheri, R. Ebrahimpour, and N. Ghaedi, "New differential fault analysis on PRESENT," EURASIP Journal on Advances in Signal Processing, vol. 2013, article 145, 10 pages, 2013.

[14] W. Y. Zhang, F. Liu, X. Liu, and S. Meng, "Differential fault analysis and meet-in-the-middle attack on the block cipher KATAN32," Journal of Shanghai Jiaotong University (Science), vol. 18, no. 2, pp. 147-152, 2013.

[15] I. Dinur and A. Shamir, "Cube attacks on tweakable black box-p polynomials," in Advances in Cryptology--EUROCRYPT 2009, vol. 5479 of Lecture Notes in Computer Science, pp. 278-299, Springer, 2009.

[16] S. F. Abdul-Latip, M. R. Reyhanitabar, W. Susilo, and J. Seberry, "Fault analysis of the KATAN family of block ciphers," in Information Security Practice and Experience, vol. 7232 of Lecture Notes in Computer Science, pp. 319-336, Springer, 2012.

[17] I. Dinur and A. Shamir, "Applying cube attacks to stream ciphers in realistic scenarios," Cryptography and Communications, vol. 4, no. 3-4, pp. 217-232, 2012.

[18] K. Shibutani, T. Isobe, H. Hiwatari, A. Mitsuda, T. Akishita, and T. Shirai, "Piccolo: an ultra-lightweight blockcipher," in Proceedings of the 13 th International Workshop on Cryptographic Hardware and Embedded Systems (CHES '11), vol. 6917 of Lecture Notes in Computer Science, pp. 342-357, 2011.

[19] Y. Wang, W. Wu, and X. Yu, "Biclique cryptanalysis of reduced-round Piccolo block cipher," in Information Security Practice and Experience, vol. 7232 of Lecture Notes in Computer Science, pp. 337-352, Springer, 2012.

[20] J. Song, K. Lee, and H. Lee, "Biclique cryptanalysis on lightweight block cipher: HIGHT and Piccolo," International Journal of Computer Mathematics, vol. 90, no. 12, pp. 1-17, 2013.

[21] J.-P. Aumasson, I. Dinur, W. Meier, and A. Shamir, "Cube testers and key recovery attacks on reduced-round MD6 and trivium," in Fast Software Encryption, vol. 5665of Lecture Notes in Computer Science, pp. 1-22, Springer, 2009.

Junghwan Song, Kwanhyung Lee, and Younghoon Jung

Department of Mathematics, Hanyang University, Seoul 133-791, Republic of Korea

Correspondence should be addressed to Younghoon Jung; sky1236@hanyang.ac.kr

Received 23 December 2013; Accepted 21 January 2014; Published 13 March 2014

Academic Editor: Jongsung Kim

Table 1: S-box of Piccolo.

x      0   1   2   3   4   5   6   7

S(x)   e   4   b   2   3   8   0   9

x      8   9   a   b   c   d   e   f

S(x)   1   a   7   f   6   c   5   d

TABLE 2: Round key ofPiccolo.

                                    Piccolo-80

Round           Round key                      Master key

First    [wk.sub.0], [wk.sub.1]     [K.sup.L.sub.0]|[K.sup.R.sub.1],
                                    [K.sup.L.sub.1]|[K.sup.R.sub.0]
1        [rk.sub.0], [rk.sub.1]           [K.sub.2], [K.sub.3]
2        [rk.sub.2], [rk.sub.3]           [K.sub.0], [K.sub.1]
3        [rk.sub.4], [rk.sub.5]           [K.sub.2], [K.sub.3]
4        [rk.sub.6], [rk.sub.7]           [K.sub.4], [K.sub.4]
5        [rk.sub.8], [rk.sub.9]           [K.sub.0], [K.sub.1]
6       [rk.sub.10], [rk.sub.11]          [K.sub.2], [K.sub.3]
7       [rk.sub.12], [rk.sub.13]          [K.sub.0], [K.sub.1]
8       [rk.sub.14], [rk.sub.15]          [K.sub.2], [K.sub.3]
9       [rk.sub.16], [rk.sub.17]          [K.sub.4], [K.sub.4]
10      [rk.sub.18], [rk.sub.19]          [K.sub.0], [K.sub.1]
11      [rk.sub.20], [rk.sub.21]          [K.sub.2], [K.sub.3]
12      [rk.sub.22], [rk.sub.23]          [K.sub.0], [K.sub.1]
13      [rk.sub.24], [rk.sub.25]          [K.sub.2], [K.sub.3]
14      [rk.sub.26], [rk.sub.27]          [K.sub.4], [K.sub.4]
15      [rk.sub.28], [rk.sub.29]          [K.sub.0], [K.sub.1]
16      [rk.sub.30], [rk.sub.31]          [K.sub.2], [K.sub.3]
17      [rk.sub.32], [rk.sub.33]          [K.sub.0], [K.sub.1]
18      [rk.sub.34], [rk.sub.35]          [K.sub.2], [K.sub.3]
19      [rk.sub.36], [rk.sub.37]          [K.sub.4], [K.sub.4]
20      [rk.sub.38], [rk.sub.39]          [K.sub.0], [K.sub.1]
21      [rk.sub.40], [rk.sub.41]          [K.sub.2], [K.sub.3]
22      [rk.sub.42], [rk.sub.43]          [K.sub.0], [K.sub.1]
23      [rk.sub.44], [rk.sub.45]          [K.sub.2], [K.sub.3]
24      [rk.sub.46], [rk.sub.47]          [K.sub.4], [K.sub.4]
25      [rk.sub.48], [rk.sub.49]          [K.sub.0], [K.sub.1]
Final    [wk.sub.2], [wk.sub.3]     [K.sup.L.sub.4]|[K.sup.R.sub.3],
                                    [K.sup.L.sub.3]| [K.sup.R.sub.4]

                                         Piccolo-128

Round           Round key                      Master key

First    [wk.sub.0], [wk.sub.1]     [K.sup.L.sub.0]|[K.sup.R.sub.1],
                                    [K.sup.L.sub.1]|[K.sup.R.sub.0]
1        [rk.sub.0], [rk.sub.1]           [K.sub.2], [K.sub.3]
2        [rk.sub.2], [rk.sub.3]           [K.sub.4], [K.sub.5]
3        [rk.sub.4], [rk.sub.5]           [K.sub.6], [K.sub.7]
4        [rk.sub.6], [rk.sub.7]           [K.sub.2], [K.sub.1]
5        [rk.sub.8], [rk.sub.9]           [K.sub.6], [K.sub.7]
6       [rk.sub.10], [rk.sub.11]          [K.sub.0], [K.sub.3]
7       [rk.sub.12], [rk.sub.13]          [K.sub.4], [K.sub.5]
8       [rk.sub.14], [rk.sub.15]          [K.sub.6], [K.sub.1]
9       [rk.sub.16], [rk.sub.17]          [K.sub.4], [K.sub.5]
10      [rk.sub.18], [rk.sub.19]          [K.sub.2], [K.sub.7]
11      [rk.sub.20], [rk.sub.21]          [K.sub.0], [K.sub.3]
12      [rk.sub.22], [rk.sub.23]          [K.sub.4], [K.sub.1]
13      [rk.sub.24], [rk.sub.25]          [K.sub.0], [K.sub.3]
14      [rk.sub.26], [rk.sub.27]          [K.sub.6], [K.sub.5]
15      [rk.sub.28], [rk.sub.29]          [K.sub.2], [K.sub.7]
16      [rk.sub.30], [rk.sub.31]          [K.sub.0], [K.sub.1]
17      [rk.sub.32], [rk.sub.33]          [K.sub.2], [K.sub.7]
18      [rk.sub.34], [rk.sub.35]          [K.sub.4], [K.sub.3]
19      [rk.sub.36], [rk.sub.37]          [K.sub.6], [K.sub.5]
20      [rk.sub.38], [rk.sub.39]          [K.sub.2], [K.sub.1]
21      [rk.sub.40], [rk.sub.41]          [K.sub.6], [K.sub.5]
22      [rk.sub.42], [rk.sub.43]          [K.sub.0], [K.sub.7]
23      [rk.sub.44], [rk.sub.45]          [K.sub.4], [K.sub.3]
24      [rk.sub.46], [rk.sub.47]          [K.sub.6], [K.sub.1]
25      [rk.sub.48], [rk.sub.49]          [K.sub.4], [K.sub.3]
26      [rk.sub.50], [rk.sub.51]          [K.sub.2], [K.sub.5]
27      [rk.sub.52], [rk.sub.53]          [K.sub.0], [K.sub.7]
28      [rk.sub.54], [rk.sub.55]          [K.sub.4], [K.sub.1]
29      [rk.sub.56], [rk.sub.57]          [K.sub.0], [K.sub.7]
30      [rk.sub.58], [rk.sub.59]          [K.sub.6], [K.sub.3]
31      [rk.sub.60], [rk.sub.61]          [K.sub.2], [K.sub.5]
Final    [wk.sub.2], [wk.sub.3]     [K.sup.L.sub.4]|[K.sup.R.sub.7],
                                    [K.sup.L.sub.7]| [K.sup.R.sub.4]

TABLE 3: Cube sum result of F([x.sub.0], ..., [x.sub.15]).

Cube index       Outbit            Polyequation
               ([F.sub.i])

1,5,6               8              [x.sub.0] + 1
0, 8, 9,11         10              [x.sub.1] + 1
1, 5, 6            12          [x.sub.0] + [x.sub.2]
0, 8, 9, 11         7                [x.sub.3]
0, 1, 5, 6          4              [x.sub.4] + 1
4, 8               12          [x.sub.5] + [x.sub.9]
4, 5, 8, 9          4              [x.sub.6] + 1
4, 8, 9, 11         7        [x.sub.5] + [x.sub.7] + 1
5, 6, 9            12              [x.sub.8] + 1
4, 5, 7, 8          6                [x.sub.9]
5, 6, 9             8             [x.sub.10] + 1
4, 5, 7, 8          3               [x.sub.11]
5, 6, 13            8         [x.sub.12] + [x.sub.14]
0,12                4         [x.sub.1] + [x.sub.13]
5, 6, 13           12             [x.sub.14] + 1
0, 8, 11, 12        7         [x.sub.3] + [x.sub.15]

TABLE 4: Attack complexity of Piccolo-80.

Assumption                  Required fault

Assumption 1   132 [approximately equal to] [2.sup.7.04]
Assumption 2   264 [approximately equal to] [2.sup.8.04]
Assumption 3   347 [approximately equal to] [2.sup.8.44]

Assumption                      Complexity

Assumption 1                    [2.sup.48
Assumption 2                  [2.sup.16.01]
Assumption 3   359.1 [approximately equal to] [2.sup.8.49]

TABLE 5: Attack complexity of Piccolo-128.

Assumption                Required fault

Step 1       132 [approximately equal to] [2.sup.7.04]
Step 2       264 [approximately equal to] [2.sup.8.04]
Step 3       396 [approximately equal to] [2.sup.8.63]
Step 4       479 [approximately equal to] [2.sup.8.90]
Step 5       562 [approximately equal to] [2.sup.9.13]

Assumption                    complexity

Step 1                        [2.sup.96]
Step 2                        [2.sup.64]
Step 3                        [2.sup.32]
Step 4                      [2.sup.16.01]
Step 5       593.64 [approximately equal to] [2.sup.9.21]

TABLE 6: Subcube of {0,1, 3, 4}.

Cube index   Outbit ([F.sub.i])         Polyequation

0, 3                 0                  [x.sub.2] + 1
0, 4                 8            [x.sub.1] + [x.sub.5] + 1
0, 1, 3, 4           2                    [x.sub.5]
0, 1, 3, 4           15                   [x.sub.7]

TABLE 7: Necessary positions of fault injections for Table 3.

Number offault           Necessary positions offault injection
bits (Number
of faults)

1 (11)            (0), (1), (4), (5), (6), (7), (8), (9), (11), (12),
                                         (13)

2(27)               (0,1), (0, 5), (0, 6), (0, 8), (0, 9), (0,11),
                  (0,12), (1, 5), (1, 6), (4, 5), (4, 7), (4, 8), (4,
                 9), (4,11), (5, 6), (5 , 7), (5 , 8) , (5 , 9), (5 ,
                    13), (6, 9), (6 , 13), (7, 8), (8, 9), (8,11),
                                (8,12), (9,11), (11,12)

3(22)            (0,1, 5), (0,1, 6), (0, 5, 6), (0, 8, 9), (0, 8,11),
                  (0, 8, 12), (0, 9, 11), (0, 11, 12), (1, 5, 6), (4,
                  5, 7), (4, 5, 8), (4, 5, 9), (4, 7, 8), (4, 8, 9),
                 (4, 8, 11), (4, 9, 11), (5, 6, 9), (5, 6, 13), (5, 7,
                         8), (5, 8, 9), (8, 9, 11), (8, 11,12)

4(6)              (0,1, 5, 6), (0, 8, 9,11), (0, 8,11,12), (4, 5, 7,
                            8), (4, 5, 8, 9), (4, 8, 9,11)
COPYRIGHT 2014 Sage Publications, Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2014 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:Research Article
Author:Song, Junghwan; Lee, Kwanhyung; Jung, Younghoon
Publication:International Journal of Distributed Sensor Networks
Article Type:Report
Date:Jan 1, 2014
Words:8706
Previous Article:Game-theoretic camera selection using inference tree method for a wireless visual sensor network.
Next Article:An energy-efficient and scalable secure data aggregation for wireless sensor networks.
Topics:

Terms of use | Privacy policy | Copyright © 2020 Farlex, Inc. | Feedback | For webmasters