Abstract. LEA is a symmetric block cipher proposed in 2014. It uses the ARX design, and its main advantage is the possibility of a fast software implementation on common computing platforms. In this paper we propose a Differential Fault Analysis attack on LEA. By injecting random bit faults in the last round and in the penultimate round, we were able to recover the secret key by using 258 faulty encryptions on average. If the position of the faults is known, then only 62 faulty encryptions are needed to recover the key, which surpasses the results achieved so far.

Keywords: LEA, Fault Attack, DFA

Introduction

Today's applications require efficient ciphers that can run on small devices with constrained computing power. Recent trends show an increasing number of services intended for the Internet of Things [8,5] that require both a high level of security and fast running speed on embedded devices. For such applications, lightweight cryptography is an ideal choice.

LEA [6] is a symmetric block cipher using the ARX design (modular Addition, bitwise Rotation, and bitwise XOR). It offers fast software encryption, comparable to lightweight ciphers, and comes in the same key size variants as AES. An exhaustive security analysis report published by Bogdanov et al. [2] states that the cipher is secure against known cryptanalysis attacks. So far, there has been only one attempt to break the cipher using a fault analysis method, which requires 300 chosen fault injections for recovering the 128-bit secret key.

In this paper we present a Differential Fault Analysis attack on LEA. We exploit properties of the non-linearity of the modular addition operation used in the round function. To recover the key, our attack requires two different positions of fault injection: in the last round and in the penultimate round. By using a random bit-flip model, we were able to recover a 128-bit secret key by using ≈258 faulty ciphertexts on average. If the precise fault position is known, our attack requires only ≈62 faulty ciphertexts on average. Thus, our method outperforms the fault attack on LEA published so far.

This paper is organized as follows. First, we provide an overview of related work in Section 2. The LEA cipher is described in detail in Section 3. Section 4 provides the methodology of our fault attack, followed by Section 5, which summarizes our simulation results. Finally, Section 6 concludes this work and provides motivation for further work.

Related Work

Since the first publication proposing a fault analysis as a method to retrieve the secret information from the encryption process proposed by Boneh, DeMillo, and Lipton in 1997 [3] From the attack methodology point of view, the closest attack proposal to this paper is the attack proposed by Tupsamudre et al. [9], targeting the SPECK cipher. Since SPECK uses the ARX structure as well, the authors targeted the only non-linear operation, the modular addition. They were able to recover the n-bit secret key by using n/3 bit faults on average.
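
The following illustration is added here and is not part of the paper. It shows the non-linearity of modular addition that the text refers to: one flipped operand bit always gives the same output difference through XOR, while through addition modulo 2^32 the difference is a run of bits whose length depends on the data. The function names, the 32-bit word size and the random operands are assumptions made for this example.

```python
import random

MASK = 0xFFFFFFFF  # 32-bit words (word size assumed for this illustration)

def xor_diff(a, b, i):
    """XOR difference at the output of a ^ b when bit i of a is flipped."""
    return (a ^ b) ^ ((a ^ (1 << i)) ^ b)

def add_diff(a, b, i):
    """XOR difference at the output of (a + b) mod 2^32 when bit i of a is flipped."""
    return ((a + b) & MASK) ^ (((a ^ (1 << i)) + b) & MASK)

def run_length(diff, i):
    """Number of consecutive 1 bits in diff, counted upward from bit i."""
    n = 0
    while i + n < 32 and (diff >> (i + n)) & 1:
        n += 1
    return n

def is_run_from(diff, i):
    """True if diff is one unbroken run of 1 bits whose lowest bit is bit i."""
    n = run_length(diff, i)
    return n >= 1 and diff == ((1 << n) - 1) << i

def interior_bits_match(a, b, i):
    """Carry rule: every sum bit the carry passed through (all bits of the run
    except the last) equals the complement of the original bit i of a."""
    s = (a + b) & MASK
    n = run_length(add_diff(a, b, i), i)
    want = 1 - ((a >> i) & 1)
    return all(((s >> k) & 1) == want for k in range(i, i + n - 1))

def survey(trials=2000, seed=1):
    """Constructed random operands: collect the distinct difference patterns
    that a flip of bit 0 produces through XOR and through addition."""
    rng = random.Random(seed)
    xor_seen, add_seen = set(), set()
    for _ in range(trials):
        a, b = rng.getrandbits(32), rng.getrandbits(32)
        xor_seen.add(xor_diff(a, b, 0))
        add_seen.add(add_diff(a, b, 0))
    return xor_seen, add_seen

if __name__ == "__main__":
    xs, ads = survey()
    print("XOR patterns:", len(xs), "ADD patterns:", len(ads))
```

Because the output difference of the addition depends on the values being added, a fault in an operand of the addition carries information about the data, which is not the case for the XOR and rotation steps.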

LEA Cipher

In this section we will describe a symmetric block cipher...