 Research
 Open Access
Improved differential fault analysis on lightweight block cipher LBlock for wireless sensor networks
 Kitae Jeong^{1},
 Changhoon Lee^{2}Email author and
 Jong In Lim^{1}
https://doi.org/10.1186/168714992013151
© Jeong et al.; licensee Springer. 2013
 Received: 3 April 2013
 Accepted: 22 May 2013
 Published: 3 June 2013
Abstract
LBlock is a 64bit lightweight block cipher which can be implemented in both constrained hardware environments, such as wireless sensor network, and software platforms. In this paper, we study the security of LBlock against a differential fault analysis. Based on a random nibble fault model, we propose two versions of the attack on LBlock. In the first attack, we inject random nibble faults to the input register of round 29. As a result, it can recover the secret key of LBlock using an exhaustive search of 2^{25} and five random nibble fault injections on average. This attack can be simulated on a general PC within a few seconds. In the case of second attack, random nibble faults are induced to the input register of round 30. This attack can recover the secret key of LBlock using an exhaustive search of 2^{30} and seven random nibble fault injection on average. This attack can be simulated on a general PC within 1 h. These results are superior to known differential fault analytic result on LBlock.
Keywords
 Wireless Sensor Network
 Block Cipher
 Fault Injection
 Input Register
 Fault Position
Introduction
Differential fault analysis (DFA), one of the side channel attacks, was first proposed by Biham and Shamir on DES in 1997 [1]. This attack exploits faults within the computation of a cryptographic algorithm to reveal the secret information. So far, DFAs on many block ciphers such as DES, Piccolo, LED, SEED, and ARIA have been proposed [2–7]. It means that DFA poses a major threat to the security on block ciphers.
LBlock [8] proposed in ACNS 2011 is a 64bit lightweight block cipher suitable for both constrained hardware environments such as wireless sensor network and software platforms. It is based on the 32round variant Feistel structure with 64bit block size and 80bit key size. There were several cryptanalytic results on LBlock. For example, the proposers of LBlock explored the strength of LBlock against some attacks such as differential cryptanalysis, integral attack, and relatedkey attack [8]. Also, Karakoc et al. [9] and Liu et al. [10] proposed impossible differential cryptanalysis on a reduced version of LBlock, respectively. On the other hand, in [11], a differential fault analysis on LBlock was proposed. Based on a random bit fault model, the proposed attack needs at least 7 fault injections.
Comparison between DFA results on LBlock
Reference  Fault  Fault  Number of  Exhaustive 

assumption  position  fault injection  search  
[11]  Random bit  Round 25 to 31  7   
This paper  Random nibble  Round 29  5  2^{25} 
(Attack 1)  
This paper  Random nibble  Round 30  7  2^{30} 
(Attack 2) 
This paper is organized as follows. In the ‘Description of LBlock’ section, we briefly introduce the structure of LBlock. In the ‘Attack 1  fault position: round 29’ and ‘Attack 2  fault position: round 30’ sections, our attacks on LBlock are presented. Finally, in the last section, we give our conclusion.
Description of LBlock
In this section, we introduce the structure of LBlock briefly. The notations used in this paper are as follows. Here, a 32bit value X = (X_{7}, X_{6}, ⋯, X_{0}), where X_{ i } is a nibble value.

P = (P^{ L }, P^{ R }): a 64bit plaintext.

C = (C^{ L }, C^{ R }): a 64bit ciphertext.

${I}_{r}=({I}_{r}^{L},{I}_{r}^{R})$: a 64bit input value of round r (r = 1, 2, ⋯, 32).

K_{ r } = (K_{r, 7}, K_{r, 6}, ⋯, K_{r, 0}): a 64bit round key of round r.
 (1)
${I}_{1}=({I}_{1}^{L},{I}_{r}^{1})\leftarrow ({P}^{L},{P}^{R})$.
 (2)For r = 1, 2, ⋯, 32, do the following:${I}_{r+1}=({I}_{r+1}^{L},{I}_{r+1}^{R})=\left(F({I}_{r}^{L},{K}_{r})\oplus ({I}_{r}^{R}\u22d88),{I}_{r}^{L}\right).$
 (3)
$({C}^{L},{C}^{R})\leftarrow ({I}_{33}^{R},{I}_{33}^{L})$.
 (4)
Output C = (C ^{ L }, C ^{ R }) as a 64bit ciphertext.
Contents of Sboxes used in LBlock
Sbox  Contents 

S _{0}  14, 9, 15, 0, 13, 4, 10, 11, 1, 2, 8, 3, 7, 6, 12, 5 
S _{1}  4, 11, 14, 9, 15, 13, 0, 10, 7, 12, 5, 6, 2, 8, 1, 3 
S _{2}  1, 14, 7, 12, 15, 13, 0, 6, 11, 5, 9, 3, 2, 4, 8, 10 
S _{3}  7, 6, 8, 11, 0, 15, 3, 14, 9, 10, 12, 13, 5, 2, 4, 1 
S _{4}  14, 5, 15, 0, 7, 2, 12, 13, 1, 8, 4, 9, 11, 10, 6, 3 
S _{5}  2, 13, 11, 12, 15, 14, 0, 9, 7, 10, 6, 3, 1, 8, 4, 5 
S _{6}  11, 9, 4, 14, 0, 15, 10, 13, 6, 12, 5, 7, 3, 8, 1, 2 
S _{7}  13, 10, 15, 0, 14, 4, 9, 11, 2, 1, 8, 3, 7, 5, 12, 6 
S _{8}  14, 9, 15, 0, 13, 4, 10, 11, 1, 2, 8, 3, 7, 6, 12, 5 
S _{9}  4, 11, 14, 9, 15, 13, 0, 10, 7, 12, 5, 6, 2, 8, 1, 3 
The 80bit secret key K is stored in a key register and denoted as K = (k_{79}, k_{78}, k_{77}, k_{76}, ⋯, k_{1}, k_{0}). Output the leftmost 32 bits of current content of register K as round subkey K_{1}, and then operate as follows:
 (1)
K ← (K ⋘ 29).
 (2)
(k _{79}, k _{78}, k _{77}, k _{76}) = S _{9}((k _{79}, k _{78}, k _{77}, k _{76})).
 (3)
(k _{75}, k _{74}, k _{73}, k _{72}) = S _{9}((k _{75}, k _{74}, k _{73}, k _{72})).
 (4)
(k _{50}, k _{49}, k _{48}, k _{47}, k _{46}) ← ((k _{50}, k _{49}, k _{48}, k _{47}, k _{46}) ⊕ i).
 (5)
Output the leftmost 32 bits of current content of register K as a round key K _{i + 1} of round i + 1.
Partial secret key used in round keys
Round  Partial secret key 

1  (k_{79}, k_{78}, ⋯, k_{49}, k_{48}) 
2  (k_{50}, k_{49}, ⋯, k_{20}, k_{19}) 
⋮  ⋮ 
29  (k_{67}, k_{66}, ⋯, k_{37}, k_{36}) 
30  (k_{38}, k_{37}, ⋯, k_{8}, k_{7}) 
31  (k_{9}, k_{8}, ⋯, k_{0}, k_{79}, k_{78}, ⋯, k_{58}) 
32  (k_{60}, k_{59}, ⋯, k_{30}, k_{29}) 
Attack 1  fault position: round 29
In this section, we propose DFA on LBlock, where the fault position is the input register of round 29. Our fault assumption includes the following assumptions:

The attacker has the capability to choose one plaintext to encrypt and obtain the corresponding right/faulty ciphertexts.

The attacker can induce random byte faults to the input register of round 29.

The location and value of faults are both unknown.
From the above assumptions, a random nibble fault can be induced to the input byte register ${I}_{29,i}^{L}$ of round 29 (i = 0, 1, ⋯, 7). Note that in Attack 1, we do not consider events injecting random nibble faults to ${I}_{29,i}^{R}$. They are considered in Attack 2, where random nibble faults are injected to ${I}_{30,i}^{L}$. Thus, the number of all possible fault positions is 8. For the simplicity of notations, we denote each case by ${E}_{29,i}^{L}$. For example, ${E}_{29,7}^{L}$ means an event that a random nibble fault is injected to ${I}_{29,7}^{L}$.
Computation of the exact fault position
Hence, when a random nibble fault was injected to${I}_{29,7}^{L}$, that is an event${E}_{29,7}^{L}$, the ciphertext difference has the following pattern.
Attack 1  ciphertext differences for the positions of fault injections
Event  Ciphertext difference 

${E}_{29,7}^{L}$  [(?, ?, 0, 0, 0, 0, 0, ?), (?, ?, ?, 0, ?, ?, 0, 0)] 
${E}_{29,6}^{L}$  [(0, 0, 0, ?, 0, ?, ?, 0), (?, ?, 0, 0, ?, ?, 0, ?)] 
${E}_{29,5}^{L}$  [(?, ?, ?, 0, 0, 0, 0, 0), (?, 0, ?, ?, 0, 0, ?, ?)] 
${E}_{29,4}^{L}$  [(?, 0, ?, 0, 0, 0, 0, ?), (0, 0, ?, ?, 0, ?, ?, ?)] 
${E}_{29,3}^{L}$  [(0, 0, 0, ?, ?, ?, 0, 0), (?, ?, 0, 0, ?, ?, ?, 0)] 
${E}_{29,2}^{L}$  [(0, ?, ?, 0, 0, 0, 0, ?), (?, ?, 0, ?, ?, ?, 0, 0)] 
${E}_{29,1}^{L}$  [(0, 0, 0, 0, ?, ?, ?, 0), (0, 0, ?, ?, ?, 0, ?, ?)] 
${E}_{29,0}^{L}$  [(0, 0, 0, ?, ?, 0, ?, 0), (0, ?, ?, ?, 0, 0, ?, ?)] 
Computation of round keys for each fault position
 (1)
K _{32,7}. Guess 4bit K _{32,7} and compute the output difference of Sbox S _{7} in round 32 (see red lines in Figure 3). Then, check that this value is equal to$\Delta {C}_{5}^{R}$. The probability passing this test is 2^{−4}. Thus, we can expect that only the right K _{32,7} has survived.
 (2)
K _{32,6}. Guess 4bit K _{32,6} and compute the output difference of Sbox S _{6} in round 32 (see red lines in Figure 3). Then, check that this value is equal to$\Delta {C}_{7}^{R}$. Since the filtering probability is 2^{−4}, we can compute the right K _{32,6}.
 (3)
K _{32,0}. Guess 4bit K _{32,0} and compute the output difference of Sbox S _{0} in round 32 (see red lines in Figure 3). Then, check that this value is equal to$\Delta {C}_{2}^{R}$. The probability passing this test is 2^{−4}. Thus, we can expect that only the right K _{32,0} has survived.
 (4)
(K _{31,4}, K _{32,4}). Guess 8bit (K _{31,4}, K _{32,4}) and compute the output difference of Sbox S _{4} in round 31 (see blue lines in Figure 3). Then, check that this value is equal to$\Delta {C}_{6}^{L}$. Since the filtering probability is 2^{−4}, we can get 2^{4} candidates of (K _{31,4}, K _{32,4}).
 (5)
(K _{31,1}, K _{32,2}). Guess 8bit (K _{31,1}, K _{32,2}) and compute the output difference of Sbox S _{1} in round 31 (see blue lines in Figure 3). Then, check that this value is equal to$\Delta {C}_{0}^{L}$. Since the filtering probability is 2^{−4}, we can get 2^{4} candidates of (K _{31,1}, K _{32,2}).
 (6)
(K _{30,5}, K _{31,6}, K _{32,1}). Guess 12bit (K _{30,5}, K _{31,6}, K _{32,1}) and compute the output difference of Sbox S _{5} in round 30 (see green lines in Figure 3). Then, check that this value is equal to$\Delta {C}_{6}^{R}$. Since the filtering probability is 2^{−4}, we can get 2^{8} candidates of (K _{30,5}, K _{31,6}, K _{32,1}).
 (7)
(K _{29,7}, K _{30,3}, K _{31,7}, K _{32,3}). Guess 16bit (K _{29,7}, K _{30,3}, K _{31,7}, K _{32,3}) and compute the output difference of Sbox S _{7} in round 29 (see bold black lines in Figure 3). Then, check that this value is equal to$\Delta {C}_{7}^{L}$. Since the filtering probability is 2^{−4}, we can obtain 2^{12} candidates of (K _{29,7}, K _{30,3}, K _{31,7}, K _{32,3}).
 (1)
Round 29: K _{29,7}.
 (2)
Round 30: (K _{30,3}, K _{30,5}).
 (3)
Round 31: (K _{31,1}, K _{31,4}, K _{31,6}, K _{31,7}).
 (4)
Round 32: (K _{32,0}, K _{32,1}, K _{32,2}, K _{32,3}, K _{32,4}, K _{32,6}, K _{32,7}).
Other events${E}_{29,i}^{L}$ can be explained in a similar fashion (i = 0, 1, ⋯, 6). In detail, in each event, we can get 2^{ 28 } candidates of the 56bit round keyp

${E}_{29,6}^{L}$

Round 29: K _{29,6}.

Round 30: (K _{30,1}, K _{30,7}).

Round 31: (K _{31,0}, K _{31,2}, K _{31,3}, K _{31,5}).

Round 32: (K _{32,0}, K _{32,1}, K _{32,2}, K _{32,4}, K _{32,5}, K _{32,6}, K _{32,7}).


${E}_{29,5}^{L}$

Round 29: K _{29,5}.

Round 30: (K _{30,4}, K _{30,6}).

Round 31: (K _{31,1}, K _{31,4}, K _{31,6}, K _{31,7}).

Round 32: (K _{32,1}, K _{32,2}, K _{32,3}, K _{32,4}, K _{32,5}, K _{32,6}, K _{32,7}).


${E}_{29,4}^{L}$

Round 29: K _{29,4}.

Round 30: (K _{30,4}, K _{30,6}).

Round 31: (K _{31,1}, K _{31,4}, K _{31,6}, K _{31,7}).

Round 32: (K _{32,0}, K _{32,1}, K _{32,2}, K _{32,3}, K _{32,4}, K _{32,5}, K _{32,7}).


${E}_{29,3}^{L}$

Round 29: K _{29,3}.

Round 30: (K _{30,1}, K _{30,7}).

Round 31: (K _{31,0}, K _{31,2}, K _{31,3}, K _{31,5}).

Round 32: (K _{32,0}, K _{32,2}, K _{32,3}, K _{32,4}, K _{32,5}, K _{32,6}, K _{32,7}).


${E}_{29,2}^{L}$

Round 29: K _{29,2}.

Round 30: (K _{30,3}, K _{30,5}).

Round 31: (K _{31,1}, K _{31,4}, K _{31,6}, K _{31,7}).

Round 32: (K _{32,0}, K _{32,1}, K _{32,2}, K _{32,3}, K _{32,4}, K _{32,5}, K _{32,6}).


${E}_{29,1}^{L}$

Round 29: K _{29,1}.

Round 30: (K _{30,0}, K _{30,2}).

Round 31: (K _{31,0}, K _{31,2}, K _{31,3}, K _{31,5}).

Round 32: (K _{32,0}, K _{32,1}, K _{32,2}, K _{32,3}, K _{32,5}, K _{32,6}, K _{32,7}).


${E}_{29,0}^{L}$

Round 29: K _{29,0}.

Round 30: (K _{30,0}, K _{30,2}).

Round 31: (K _{31,0}, K _{31,2}, K _{31,3}, K _{31,5}).

Round 32: (K _{32,0}, K _{32,1}, K _{32,3}, K _{32,4}, K _{32,5}, K _{32,6}, K _{32,7}).

Recovery of the secret key from candidates of round keys
In the previous subsection, we presented the method to obtain the candidates of round keys by injecting random nibble faults to the input register of round 29. In this subsection, we explain the method to recover candidates of the secret key of LBlock using candidates of round keys.
As shown in Table 3, the partial secret key used in (K_{29}, K_{30}, K_{31}, K_{32}) is as follows:

K_{29}: (k_{67}, k_{66}, ⋯, k_{37}, k_{36}).

K_{30}: (k_{38}, k_{37}, ⋯, k_{8},k_{7}).

K_{31}: (k_{9}, k_{8}, ⋯, k_{0}, k_{79}, k_{78}, ⋯, k_{58}).

K_{32}: (k_{60}, k_{59}, ⋯, k_{30}, k_{29}).
From the above relation, (K_{29}, K_{30}, K_{31}, K_{32}) includes all 80bit secret key information. Thus, from the keyschedule of LBlock, we can easily compute candidates of the secret key of LBlock by using candidates of round keys computed in the previous subsection. However, in the case that the number of candidates of round keys is very large, we require the exhaustive search with the large computational complexity. On the other hand, from the above relation, we can check that each round key include the common partial secret key information. Thus, if equations are constructed by using this property, we can decrease the number of candidates of the secret key of LBlock.
Attack 1  equations to decrease the number of candidates of the secret key
Related secret key  Equation  Filtering probability 

(k_{58}, k_{59}, k_{60})  $\left\{\right({S}_{9}^{1}\left[{K}_{32,7}\right])\gg 1\}=({K}_{32,0}\&0x7)$  2^{ −3 } 
(k_{37}, k_{38})  (K_{32,2}&0x 3) = (K_{30,7} ≫ 2)  2^{ −2 } 
(k_{35}, k_{36})  (K_{32,1}≫2) = (K_{30,7}&0x 3)  2^{ −2 } 
(k_{33}, k_{34})  (K_{32,1}&0x 3) = (K_{30,6} ≫ 2)  2^{ −2 } 
(k_{31}, k_{32})  {(K_{32,0} ≫ 2) ⊕ 0x 1} = (K_{30,6}&0x 3)  2^{ −2 } 
(k_{29}, k_{30})  {(K_{32,0}&0x 3) ⊕ 0x 3} = (K_{30,5} ≫ 2)  2^{ −2 } 
(k_{7}, k_{8}, k_{9})  $\left\{\right({S}_{9}^{1}\left[{K}_{31,7}\right])\gg 1\}=({K}_{30,0}\&0x7)$  2^{ −3 } 
k _{60}  $\left[\right\{\left({S}_{9}^{1}\right[{K}_{32,7}\left]\right)\gg 3\}\oplus 0x1]=({K}_{29,6}\&0x1)$  2^{ −1 } 
(k_{57}, k_{58}, k_{59})  $\left[\right\{\left({S}_{9}^{1}\right[{K}_{32,7}\left]\right)\&0x7\}\oplus 0x7]=({K}_{29,5}\gg 1)$  2^{ −3 } 
k _{56}  $\left\{\right({S}_{8}^{1}\left[{K}_{32,6}\right])\gg 3\}=({K}_{29,5}\&0x1)$  2^{ −1 } 
(k_{53}, k_{54}, k_{55})  $\left\{\right({S}_{8}^{1}\left[{K}_{32,6}\right])\&0x7\}=({K}_{29,4}\gg 3)$  2^{ −3 } 
k _{52}  (K_{32,5} ≫ 3) = (K_{29,4}&0x 1)  2^{ −1 } 
(k_{49}, k_{50}, k_{51})  (K_{32,5}&0x 7) = (K_{29,3} ≫ 1)  2^{ −3 } 
k _{48}  (K_{32,4} ≫ 3) = (K_{29,3}&0x 1)  2^{ −1 } 
(k_{45}, k_{46}, k_{47})  (K_{32,4}&0x 7) = (K_{29,2} ≫ 1)  2^{ −3 } 
k _{44}  (K_{32,3} ≫ 3) = (K_{29,2}&0x 1)  2^{ −1 } 
(k_{41}, k_{42}, k_{43})  (K_{32,3}&0x 7) = (K_{29,1} ≫ 1)  2^{ −3 } 
k _{40}  (K_{32,2} ≫ 3) = (K_{29,1}&0x 1)  2^{ −1 } 
k _{39}  {(K_{32,2} ≫ 2)&0x 1} = (K_{29,0} ≫ 3)  2^{ −1 } 
(k_{36}, k_{37}, k_{38})  $\left\{\right({S}_{9}^{1}\left[{K}_{30,7}\right])\gg 1\}=({K}_{29,0}\&0x7)$  2^{ −3 } 
DFA on LBlock (Attack 1)
 (1)
Collection of right ciphertext. Choose a plaintext P and obtain the corresponding right ciphertext C = (C ^{ L }, C ^{ R }).
 (2)
Collection of faulty ciphertext. After inducing an i th random nibble fault to${I}_{29}^{L}=({I}_{29,7}^{L},{I}_{29,6}^{L},\cdots \phantom{\rule{0.3em}{0ex}},{I}_{29,0}^{L})$ of round 29, get the corresponding faulty ciphertext C ^{ i }(i = 1, ⋯, n).
 (3)
Computation of fault positions. Compute Δ C ^{ i } by using (C, C ^{ i }) and then compute the exact fault positions from Table 4.
 (4)
Computation of the candidates of (K _{29}, K _{30}, K _{31}, K _{32}). According to the fault positions computed in step 3, compute the candidates of (K _{29}, K _{30}, K _{31}, K _{32}) by using the method in ‘Computation of round keys for each fault position’ section.
 (5)
Recovery of the 80bit secret key. Using the method in ‘Recovery of the secret key from candidates of round keys’ section, compute the candidates of the secret key by using the candidates of (K _{29}, K _{30}, K _{31}, K _{32}). Then, recover the 80bit secret key of LBlock by using one trial encryption.
We simulated our attack on a general PC 10,000 times. Based on the simulation results, we can obtain about 2^{ 25 } candidates of the secret key by using five fault injections on average. Thus, we do an exhaustive search for them. Since the filtering probability is 2^{ −64 }, the expected number of wrong secret keys passing our attack algorithm is 2^{ −39 }(= 2^{ 25 }·2^{ −64 }). It means that the possibility that a wrong key can pass our attack algorithm is very low. Based on the simulation results, we can always recover the 80bit secret key of LBlock within a few seconds by using five fault injections on average.
Attack 2  fault position: round 30
In this section, we propose the second attack (Attack 2) where random nibble faults are induced to the input register of round 30. Since the attack procedure of Attack 2 is similar to that of Attack 1, we briefly discuss the attack procedure of Attack 2.
Our fault assumption is as follows.

The attacker has the capability to choose one plaintext to encrypt and obtain the corresponding right/faulty ciphertexts.

The attacker can induce random byte faults to the input register of round 30.

The location and value of faults are both unknown.
From the above assumptions, a random nibble fault can be induced to the input byte register${I}_{30,i}^{L}$ of round 30 (i = 0, 1, ⋯, 7). Note that, similarly to Attack 1, we do not also consider events injecting random nibble faults to${I}_{30,i}^{R}$ in Attack 2. Thus, the number of all possible fault positions is 8.
Attack 2  ciphertext differences for the positions of fault injections
Event  Ciphertext difference 

${E}_{30,7}^{L}$  [(0, 0, 0, ?, 0, 0, ?, 0), (?, ?, 0, 0, 0, 0, 0, ?)] 
${E}_{30,6}^{L}$  [(0, 0, ?, 0, 0, 0, 0, ?), (0, 0, 0, ?, 0, 0, ?, ?)] 
${E}_{30,5}^{L}$  [(?, ?, 0, 0, 0, 0, 0, 0), (?, ?, ?, 0, 0, 0, 0, 0)] 
${E}_{30,4}^{L}$  [(?, ?, 0, 0, 0, 0, 0, 0), (?, 0, ?, 0, 0, 0, 0, ?)] 
${E}_{30,3}^{L}$  [(0, 0, ?, 0, 0, 0, 0, ?), (0, 0, 0, ?, ?, ?, 0, 0)] 
${E}_{30,2}^{L}$  [(0, 0, 0, ?, 0, 0, ?, 0), (0, ?, ?, 0, 0, 0, 0, ?)] 
${E}_{30,1}^{L}$  [(0, 0, 0, 0, ?, ?, 0, 0), (0, 0, 0, 0, ?, ?, ?, 0)] 
${E}_{30,0}^{L}$  [(0, 0, 0, 0, ?, ?, 0, 0), (0, 0, 0, ?, ?, 0, ?, 0)] 
Recall that, in Attack 1, we get 2^{28} candidates of the 56bit round key from one random nibble fault injection. In Attack 2, we obtain 2^{12} candidates of the 28bit round key from one random nibble fault injection.

${E}_{30,7}^{L}$

Round 30: K _{30,7}.

Round 31: (K _{31,3},K _{31,5}).

Round 32: (K _{32,1}, K _{32,4}, K _{32,5}, K _{32,6}).


${E}_{30,6}^{L}$

Round 30: K _{30,6}.

Round 31: (K _{31,1}, K _{31,7}).

Round 32: (K _{32,0}, K _{32,2}, K _{32,3}, K _{32,5}).


${E}_{30,5}^{L}$

Round 30: K _{30,5}.

Round 31: (K _{31,4}, K _{31,6}).

Round 32: (K _{32,1}, K _{32,4}, K _{32,6}, K _{32,7}).


${E}_{30,4}^{L}$

Round 30: K _{30,4}.

Round 31: (K _{31,4}, K _{31,6}).

Round 32: (K _{32,1}, K _{32,4}, K _{32,6}, K _{32,7}).


${E}_{30,3}^{L}$

Round 30: K _{30,3}.

Round 31: (K _{31,1}, K _{31,5}).

Round 32: (K _{32,0}, K _{32,2}, K _{32,5}, K _{32,6}).


${E}_{30,2}^{L}$

Round 30: K _{30,2}.

Round 31: (K _{31,3}, K _{31,5}).

Round 32: (K _{32,1}, K _{32,4}, K _{32,6}, K _{32,7}).


${E}_{30,1}^{L}$

Round 30: K _{30,1}.

Round 31: (K _{31,0}, K _{31,2}).

Round 32: (K _{32,0}, K _{32,2}, K _{32,3}, K _{32,5}).


${E}_{30,0}^{L}$

Round 30: K _{30,0}.

Round 31: (K _{31,0}, K _{31,2}).

Round 32: (K _{32,0}, K _{32,2}, K _{32,3}, K _{32,5}).

Using the candidates of round keys, the method to compute the candidates of the secret key of LBlock in Attack 2 is similar to that in Attack 1. Recall that the partial secret key used in (K_{30}, K_{31}, K_{32}) is as follows:

K_{30}: (k_{38}, k_{37}, ⋯, k_{8}, k_{7}).

K_{31}: (k_{9}, k_{8}, ⋯, k_{0}, k_{79}, k_{78}, ⋯, k_{58}).

K_{32}: (k_{60}, k_{59}, ⋯, k_{30}, k_{29}).
From the above relation, (K_{30}, K_{31}, K_{32}) includes all 80bit secret key information. Thus, from the keyschedule of LBlock, we can easily compute candidates of the secret key of LBlock by using candidates of the round keys. To decrease the number of candidates of the secret key, we consider seven equations related to round 30 to 32 as shown in Table 5. The total filtering probability is 2^{−16}.
 (1)
Collection of right ciphertext. Choose a plaintext P and obtain the corresponding right ciphertext C = (C ^{ L }, C ^{ R }).
 (2)
Collection of faulty ciphertext. After inducing an i th random nibble fault to ${I}_{30}^{L}=({I}_{30,7}^{L},{I}_{30,6}^{L},\cdots \phantom{\rule{0.3em}{0ex}},{I}_{30,0}^{L})$ of round 30, get the corresponding faulty ciphertext C ^{ i }(i = 1, ⋯, n).
 (3)
Computation of fault positions. Compute Δ C ^{ i } by using (C, C ^{ i }) and then compute the exact fault positions from Table 6.
 (4)
Computation of candidates of (K _{30}, K _{31}, K _{32}). According to the fault positions computed in step 3, compute candidates of (K _{30}, K _{31}, K _{32}).
 (5)
Recovery of the 80bit secret key. Compute candidates of the secret key by using the candidates of (K _{30}, K _{31}, K _{32}). Then, recover the 80bit secret key of LBlock by using one trial encryption.
We simulated our attack on a general PC 10,000 times. Based on the simulation results, we can obtain about 2^{30} candidates of the secret key by using seven fault injections on average. Recall that we obtain 2^{12} candidates of the 28bit round key from one random nibble fault injection under Attack 2. Thus, to get the small number of candidates of the secret key, we need more fault injections than Attack 1. We do an exhaustive search for these candidates. Since the filtering probability is 2^{−64}, the expected number of wrong secret keys passing our attack algorithm is 2^{−34}(=2^{30}·2^{−64}). It means that the possibility that a wrong key can pass our attack algorithm is very low. Based on the simulation results, we can always recover the 80bit secret key of LBlock within 1 h by using seven fault injections on average.
Conclusion
In this paper, we have presented DFA on LBlock suitable for wireless sensor networks. The proposed attack has two versions, Attack 1 and Attack 2. To recover the 80bit LBlock, Attack 1 requires an exhaustive search of 2^{25} and five random nibble fault injections on average. It is executed within a few seconds on a general PC. In the case of Attack 2, this attack is executed within 1 h by using seven random nibble faults. These results are superior to known differential fault analytic result on LBlock.
Declarations
Acknowledgements
This work was supported by a Korea University grant for author KJ. Also, this research was supported by the The Ministry of Knowledge Economy (MKE), Korea, under the Information Technology Research Center (ITRC) support program (NIPA2013H0301–133007) supervised by the National IT Industry Promotion Agency (NIPA).
Authors’ Affiliations
References
 Biham E, Shamir A: Differential fault analysis of secret key cryptosystems. In Proceedings of Advances in Cryptology  CRYPTO 1997. Edited by: Kaliski B. Berlin: Springer; 1997:513525.Google Scholar
 Jeong K, Sung J, Hong S, Lee C: A new approach of differential fault analysis on block ciphers with sbox. Inf.  An Int. Interdiscip. J 2013, 16(3(A):19151928.MathSciNetMATHGoogle Scholar
 Jeong K: Security analysis of block cipher piccolo suitable for wireless sensor networks. PeertoPeer Netw. Appl 2013. 10.1007/s12,08301201969Google Scholar
 Jeong K, Lee C: Differential fault analysis on block cipher led64. In Proceedings of The 6th International Symposium on Digital Forensics and Information Security(DFIS12). Edited by: Park J, Leung V, Wang C, Shon T. Netherlands: Springer; 2012:747755.Google Scholar
 Jeong K, Lee Y, Sung J, Hong S: Differential fault analysis on block cipher seed. Math. Comput. Model 2012, 55(1–2):2634.MathSciNetView ArticleMATHGoogle Scholar
 Li W, Gu D, Li J: Differential fault analysis on the aria algorithm. Inf. Sci 2008, 178(19):37273737. 10.1016/j.ins.2008.05.031View ArticleGoogle Scholar
 Malhotra R, Jain A: Fault prediction using statistical and machine learning methods for improving software quality. JIPS 2012, 8(2):241262.Google Scholar
 Wu W, Zhang L: Lblock: A lightweight block cipher. In Proceedings of ACNS 2011. Edited by: Lopez J, Tsudik G. Berlin: Springer; 2011:327344.Google Scholar
 Karakoc F, Demirci J, Harmanci A: Impossible differential cryptanalysis on reducedround Lblock. In Proceedings of WISTP 2012. Edited by: Posegga J, Askoxylakis I, Pohls H. Berlin: Springer; 2012:179188.Google Scholar
 Liu Y, Gu D, Liu Z, Li W: Impossible differential attacks on reducedround Lblock. In Proceedings of ISPEC 2012. Edited by: Ryan M, Smyth B, Wang G. Berlin: Springer; 2012:97108.Google Scholar
 Zhao L, Nishide T, Sakurai K: Differential fault analysis of full Lblock. In Proceedings of COSADE 2012. Edited by: Huss S, Schindler W. Berlin: Springer; 2012:135150.Google Scholar
Copyright
This article is published under license to BioMed Central Ltd. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/2.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.