Abstract
Abstract \(\textsf{LBlock}\) is a 64-bit lightweight block cipher which can be implemented in both hardware environments and software platforms. It was designed by Wu and Zhang, and published at ACNS2011. In this paper, we explore the strength of \(\textsf{LBlock}\) against the differential fault analysis (\(\textsf{DFA}\)). As far as we know, this is the first time the \(\textsf{DFA}\) attack is used to analyze \(\textsf{LBlock}\). Our \(\textsf{DFA}\) attack adopts the random bit fault model. When the fault is injected at the end of the round from the 25th round to the 31st round, the \(\textsf{DFA}\) attack is used to reveal the last three round subkeys (i.e., K 32, K 31 and K 30) by analyzing the \(\textit{active S-box}\) of which the input and output differences can be obtained from the right and faulty ciphertexts (C, \(\widetilde{C}\)). Then, the master key can be recovered based on the analysis of the key scheduling. Specially, for the condition that the fault is injected at the end of the 25th and 26th round, we show that the active S-box can be distinguished from the \(\textit{false active S-box}\) by analyzing the nonzero differences from the pair of ciphertexts (C, \(\widetilde{C}\)). The false active S-box which we define implies that the nonzero input difference does not correspond to the right output difference. Moreover, as the \(\textsf{LBlock}\) can achieve the best diffusion in eight rounds, there can exist the countermeasures that protect the first and last eight rounds. This countermeasure raises a question whether provoking a fault at the former round of \(\textsf{LBlock}\) can reveal the round subkey. Our current work also gives an answer to the question that the \(\textsf{DFA}\) attack can be used to reveal the round subkey when the fault is injected into the 24th round. If the fault model used in this analysis is a \(\textit{semi-random bit model}\), the round subkey can be revealed directly. Specially, the semi-random bit model corresponds to an adversary who could know the corrupted 4 bits at the chosen round but not know the exact bit in these 4 bits. Finally, the data complexity analysis and simulations show the number of necessary faults for revealing the master key.KeywordsDifferential fault analysis (\(\textsf{DFA}\))Variant Feistel structureDifferential distributionKey scheduling
Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
