Fault analysis study of the block cipher FOX64

Li, Ruilin; You, Jianxiong; Sun, Bing; Li, Chao

doi:10.1007/s11042-011-0895-x

Cited by 7 publications

(5 citation statements)

References 36 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We run this program 1000 times on a PC (Pentium Dual-Core E6700 3.2 GHz, 2 GB RAM). The secret key can be recovered within several seconds (average 2.7 s), and the average number of key candidates after step 3 is about 2 14.02 , that is larger than the theoretical predication we analysed above. Fig.…”

Section: Resultsmentioning

confidence: 62%

“…In 1997, Biham and Shamir [10] extended the idea and proposed the method of differential fault analysis (DFA), and applied it to DES successfully. Since then, DFA has been applied to many other block ciphers, such as AES [11], CLEFIA [12], SMS4 [13], FOX64 [14] etc. By injecting some faults to the intermediate states of a cryptographic algorithm, some information of the secret key can be derived by differential analysis, and this is why we call such fault attack the DFA.…”

Section: Backgroundsmentioning

confidence: 99%

See 1 more Smart Citation

Differential fault analysis on LED using Super‐Sbox

Zhao

Cheng

et al. 2015

IET Information Security

Self Cite

View full text Add to dashboard Cite

Light encryption device (LED) is a 64 bit lightweight block cipher proposed by Guo et al. at CHES 2011, and its key size is primarily defined as 64 and 128 bits. This study studies differential fault analysis (DFA) of LED using the technique of Super-Sbox analysis. Under various fault models, the fault pattern propagation rule of the Super-Sbox can be obtained, based on which the efficiency of fault attack on LED can be greatly improved. For LED-64, under the nibble-based fault model, a random nibble fault at the 30th round can reduce the size of key search space to 2 7 -2 20 (average 2 14.02 ). Even if a random nibble fault is injected into the 29th round, the size of the key search space can also be reduced to about 2 17.43 -2 17.72 (average 2 17.65 ) using early-abort technique. Although under the byte-based fault model, a random byte fault at the 30th round can reduce the size of the key space to 2 7 -2 16 (average 2 11.92 ). If the adversary has the capability of injecting two random nibble faults at some specified rounds, then the above fault attack on LED-64 can be similarly extended to LED-128, and the size of the exhaustive search space for the 128 bit key can be reduced to 2 15 -2 27.94 (average 2 21.96 ). These results demonstrate that Super-Sbox is a powerful technique that can be used to obtain significant improvements in the key filtration, and thus improve the efficiency of DFA on some special ciphers.

show abstract

Section: Resultsmentioning

confidence: 62%

Section: Backgroundsmentioning

confidence: 99%

Differential fault analysis on LED using Super‐Sbox

Zhao

Cheng

et al. 2015

IET Information Security

Self Cite

View full text Add to dashboard Cite

show abstract

“…where F 2 8 � F 2 〈α〉, α is a root of polynomial x 8 ⊕x 7 ⊕x 6 ⊕x 5 ⊕x 4 ⊕x 3 ⊕1, and z � α − 1 ⊕1. e security of FOX64 and its high-level structure are extensively studied [29][30][31][32]. For the impossible differential attack, Wu et al [33] presented an impossible differential for 4-round FOX64 of the following form (0, u, 0, u, 0, u, 0, u)↛(v 1 , v 2 , v 1 , v 3 , v 1 , v 2 , v 1 , 3 ).…”

Section: Fox64 Block Ciphermentioning

confidence: 99%

New Search Method for Sbox-Related Impossible Differentials

Zhang

Shen

Liu

et al. 2022

Security and Communication Networks

Self Cite

View full text Add to dashboard Cite

The impossible differential attack is one of the most fundamental tools of cryptanalysis and has been successfully applied to a large variety of block ciphers. In a typical impossible differential attack, the foundation and first step is to construct an impossible differential. Nowadays, two kinds of most commonly used approaches in impossible differential construction are the matrix-based and tool-aided automatic search methods. In this paper, we proposed a new search method combining an early-abort strategy with the guess-and-determine technique to find longer impossible differentials. Compared with the previous matrix-based search methods, ours has taken the details of Sbox into consideration, while compared with the tool-aided methods, ours is independent of a third-party solver and is applicable to ciphers with large (≥8 bits) Sboxes, which could be tough work for tool-aided methods to cover. Therefore, more accurate results could be obtained. To prove the effectiveness of our method, it is applied to CSA and FOX64. For CSA, 23/24/25-round impossible differentials were found for CSA-BC. This improved the longest impossible differential distinguisher so far by 1/2/3 rounds. And 25-round key recovery attacks are performed against CSA-BC and CSA, which are the longest impossible differential attack by now. For FOX64, we proved that an impossible differential for its round function always implies an impossible differential for 4-round FOX64, and new types of impossible differentials were able to be found. Our method has its own advantage in dealing with large Sboxes, and it may be a possible direction to search for Sbox-related impossible differentials.

show abstract

“…In 2004, instancing the Lai-Massey scheme's F-function with an SPS structure and orthomorphism [20] as ( , ) ( , ), or x y y x y = ⊕ Junod and Vaudenay designed the FOX [21] family of block ciphers, also named "IDEA NXT." Thus far, existing analysis results indicate that the FOX family of ciphers is secure enough from such attacks as differential cryptanalysis [14]- [22], integral attacks [23], fault attacks [24], and so on [21]. Moreover, Yun and others introduced the notion of a quasi-Feistel network [25], which is a generalization of the Feistel network and contains the Lai-Massey scheme as an instance.…”

Section: Introductionmentioning

confidence: 99%

Impossible Differential Cryptanalysis on Lai-Massey Scheme

Guo¹,

Jin²

2014

ETRI J

View full text Add to dashboard Cite

The Lai-Massey scheme, proposed by Vaudenay, is a modified structure in the International Data Encryption Algorithm cipher. A family of block ciphers, named FOX, were built on the Lai-Massey scheme. Impossible differential cryptanalysis is a powerful technique used to recover the secret key of block ciphers. This paper studies the impossible differential cryptanalysis of the Lai-Massey scheme with affine orthomorphism for the first time. Firstly, we prove that there always exist 4-round impossible differentials of a Lai-Massey cipher having a bijective F-function. Such 4-round impossible differentials can be used to help find 4-round impossible differentials of FOX64 and FOX128. Moreover, we give some sufficient conditions to characterize the existence of 5-, 6-, and 7round impossible differentials of Lai-Massey ciphers having a substitution-permutation (SP) F-function, and we observe that if Lai-Massey ciphers having an SP Ffunction use the same diffusion layer and orthomorphism as a FOX64, then there are indeed 5-and 6-round impossible differentials. These results indicate that both the diffusion layer and orthomorphism should be chosen carefully so as to make the Lai-Massey cipher secure against impossible differential cryptanalysis.

show abstract

Fault analysis study of the block cipher FOX64

Cited by 7 publications

References 36 publications

Differential fault analysis on LED using Super‐Sbox

Differential fault analysis on LED using Super‐Sbox

New Search Method for Sbox-Related Impossible Differentials

Impossible Differential Cryptanalysis on Lai-Massey Scheme

Contact Info

Product

Resources

About