Differential fault analysis (DFA) and algebraic fault analysis (AFA) are both conventional fault analysis methods for conducting key recovery. However, neither of these approaches has been applied in the study of PICO. In this section, we compare our combined analysis approach with these two methods and elucidate the reasons and benefits of opting for our approach.
5.2. Comparison with AFA
The core idea of AFA is to use algebraic equations to articulate the encryption process both before and after fault injection, and to employ a solver to determine the master key. The established equations serve various roles. Multiple sets of equations that cover the encryption process from the site of fault injection to completion are used to obtain the subkeys for these rounds. Additionally, equations representing key expansion are used to acquire possible master keys. Furthermore, equations for full-round encryption ensure that the attained master key encrypts the correct plaintext into the correct ciphertext.
In contrast with our combined analysis, the distinguishing factor is that AFA utilizes algebraic equations to solve the subkeys used after the round of fault injection, while our approach derives the subkeys for each round in reverse order using differential values before and after fault injection. In the context of AFA, there are two subjective factors that can affect the solving speed: the round of fault injection and the number of faults. Each is discussed individually as follows.

When considering the round where faults are injected, if the round is distant from the final round, there is a higher count of equations from the injection site to the end and a larger number of subkeys to be solved, resulting in an extended solving time. Conversely, if the round is close to the final round, the number of derived subkeys decreases, and the subsequent filtering process takes longer due to the increased count of possible master keys inferred from key expansion.

The number of faults, on the other hand, affects the quantity of equations from the fault injection round to the end. These equations are designed for solving a specific number of subkeys. If the capability to solve is already established, increasing the number of faults indiscriminately does not enhance the solving speed.

Hence, AFA is constrained by the objective experimental conditions. Faster solving speed is attainable only when a greater number of threads are concurrently engaged in the solution, provided that an appropriate selection of fault injection round and fault number is made. Otherwise, there is no alternative means to expedite the process. Our combined analysis approach, however, can overcome this drawback. Increasing the number of faults allows more subkeys to be extracted within seconds, which reduces the potential number of master keys and their filtering time and ultimately shortens the overall solution time.
We have also experimented with the application of AFA on PICO to validate our theory. All equations required are established through a forward process. The equations before fault injection, referring to Section 3.3, amount to a total of 25,664, with the forward and reverse representations of key expansion being identical. The assignment equations and those after fault injection are detailed below. Due to the challenge of obtaining the complete master key in a short time, we assign values to some bits of the master key and test the time required to solve the remaining portion.
Equations for assignment
These include the constant 1, the correct plaintext P, the correct ciphertext C, bits assigned to the master key, and erroneous ciphertexts obtained from fault injections performed n times, for a total of equations.
Equations for the differential values at the fault injection site
Assume the fault is injected in the input of SubColumn in the r-th round. Let denote the state before fault injection, denote the state after fault injection, and a fault known in width and specific bit positions be injected at . Equations are as shown in Equation (18).
In total there are equations for n instances of fault injections.
Equations for forward encryption from the round of fault injection to the end
This segment encompasses the encryption processes from the r-th round to the concluding round after each fault injection. Equation establishment refers to Section 3.3, resulting in a total of equations for n instances of fault injections.
The complete set of AFA conducted on PICO comprises (20,256 25,793 ) equations, where n is no less than 1, v ranges from 0 to 128, and r ranges from 1 to 32.
Algorithm 7 outlines the experimental process of conducting AFA on PICO, where denotes the round of fault injection, denotes the number of faults, denotes the width of faults, denotes the number of bits assigned to the master key, N denotes the total number of experiments, denotes the number of experiments successfully solved within 1 , and denotes the success rate within 1 for N experiments. The solving results to be observed remain as the outputs from CryptoMiniSat v5.8.0. Additionally, each scenario in the following experiments consisted of 50 trials.
Algorithm 7: Experimental Procedures of AFA on PICO
We take single-bit faults as an example. The selection of the fault injection round is guided by Figure 7, with the aim of maximizing the diffusion and impact of the fault across several encryption rounds. Moreover, we perform fault injections in different S-boxes to ensure effective fault diffusion.
Experimental results for single-bit fault injection when conducting AFA on PICO are presented in Figure 8. Figure 8a shows that even when bits are assigned to part of PICO’s master key, there is still no round of fault injection that can achieve a success rate of 100% within 1 . Figure 8b shows that simply increasing the number of faults does not lead to an improvement in the success rate within 1 . Figure 8c demonstrates a decline in the success rate within 1 as the number of bits assigned to PICO’s master key decreases, indicating the challenge of using AFA to recover the complete master key of PICO within 1 . In addition, experiments were conducted under the conditions of , with the objective of solving the entire master key of PICO. Across 15 experiments, the average solving time for PICO’s complete master key was , confirming the difficulty of obtaining it within 1 using AFA. We also carried out experiments with nibble, single-byte, and double-byte faults at various fault injection rounds and fault counts; achieving a success rate of 100% within 1 proved challenging in all of them when assigning 10 bits to PICO’s master key. As for the reasons, we believe that the high complexity of PICO’s key expansion and the resulting multiplicity of equation solutions lead to excessively long equation solving time, causing difficulties in recovering its master key within a short time period using AFA.
However, our combined analysis approach adopts a strategy that involves first utilizing differential faults to solve partial subkeys of PICO and then establishing algebraic equations to recover its master key, with the former requiring no equation solving. This strategic approach narrows down the search space for equation solutions, thereby effectively addressing the issue of prolonged equation solving time. With the decomposed S-boxes, our combined analysis approach achieved successful recovery of PICO’s entire master key in an average time of , which was significantly shorter than the required when using AFA. Furthermore, all these AFA experiments were conducted with known fault positions and still faced difficulties in obtaining solutions. In our approach, valuable information can be obtained as long as the fault positions are non-repetitive, eliminating the requirement for precise fault locations.
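The differential step that the combined approach relies on can be seen on a single S-box: each additional fault intersects the set of subkey nibbles consistent with the observed ciphertext pair, with no equation solving. This is an added illustration, not code from the paper; it assumes a toy final round (S-box followed by subkey XOR) and uses PRESENT's 4-bit S-box as a stand-in, since PICO's S-box and round structure are not given on this page, and all function names and sample values are constructed.

```python
# Added illustration; not code from the paper.
# Assumption: PRESENT's 4-bit S-box as a stand-in (PICO's S-box is not on this page).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
INV = [SBOX.index(y) for y in range(16)]


def last_round(x, k):
    """Assumed toy final round on one nibble: S-box, then subkey XOR."""
    return SBOX[x] ^ k


def consistent_subkeys(c, c_faulty, delta):
    """Subkey guesses that map the ciphertext pair back to S-box inputs
    differing by exactly the known fault difference delta."""
    return {g for g in range(16) if INV[c ^ g] ^ INV[c_faulty ^ g] == delta}


def narrow(x, k, deltas):
    """Intersect candidate sets over several faults on the same S-box input.

    Returns (remaining candidates, candidate count after each fault)."""
    c = last_round(x, k)
    cand, sizes = set(range(16)), []
    for d in deltas:
        cand &= consistent_subkeys(c, last_round(x ^ d, k), d)
        sizes.append(len(cand))
    return cand, sizes


if __name__ == "__main__":
    # Constructed values: S-box input 0x3, subkey nibble 0xA, two single-bit faults.
    cand, sizes = narrow(x=0x3, k=0xA, deltas=[0x1, 0x2])
    print(sorted(cand), sizes)
```
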