## 1. Introduction

With the rapid growth of Internet of Things (IoT) applications, people’s productivity and daily lives have changed. People are enjoying the convenience of intelligent sensor network services; simultaneously, information security is essential. The potential attacks in IoT networks are increasing. The most exposed and vulnerable devices in IoT are routers, cameras, network attached storage (NAS) and printers, as shown in Figure 1. The private data collected by the intelligent sensor networks are carried by the underlying chips and transmitted to networks for data exchange and data analysis. However, an attacker can obtain the secret key from the chip by performing physical attacks on the target chip. After faults are injected into the chip, the attackers can steal users’ private data, maliciously attack the network terminal nodes, and monitor and tamper with the sensitive data in the network. Therefore, physical attacks cause considerable harm to smart sensors and embedded encryption devices in the IoT.

Physical attacks have attracted widespread attention in lightweight block ciphers. One method to analyze lightweight block ciphers is directly through electromagnetic radiation using methods such as simple electromagnetic analysis (SEMA) [1], correlation electromagnetic analysis (CEMA) [2] and differential electromagnetic analysis (DEMA) [3]. Other methods involve using clock disturbance, electromagnetic fault injection and laser fault injection [4,5,6] on the specified data registers and analyzing the faulty ciphertext to obtain the secret key. Laser fault injection can inject bit-level faults in the specified data register, but the instrument for fault injection is more expensive. The manufacturing cost of an electromagnetic fault injection probe is lower. Dehbaoui et al. [7] and S. Ordas et al. [8] designed electromagnetic probes and used electromagnetic attacks to implement bit set or bit reset of data in the chip. Accurately injecting the fault into the encryption device is a prerequisite for obtaining the secret key. After the fault is injected, a proper fault analysis method is required to further obtain the secret key. Since Boneh et al. [9] used fault attacks to break RSA, effective fault analysis methods have become a research hotspot. In lightweight block encryption analysis, fault attacks have been extended to impossible differential fault attack (IDFA) [10], impossible differential attack (IDA) [11,12], algebraic fault attack (AFA) [13], impossible meet-in-the-middle attack (IMMA) [14], differential fault attack (DFA) [15] and blind fault attack [16]. These methods mainly analyze the characteristic relationship between the data of the cryptosystem after the fault injection and obtain the secret key by means of solvers and mathematical analysis.

The secret key can be quickly obtained by an appropriate fault analysis model. The proposed fault attack models mainly include the random single-byte model [17], random single-nibble model [15], one-bit model [18] and diagonal model [19]. In addition to the fault analysis models proposed above, several novel fault attack models, such as persistent fault attack (PFA) [20] and rebound attack (RA) [21], were proposed. The proposed fault analysis models include a few random multiple fault attack models. However, transient multiple fault attacks occur during an electromagnetic transient fault injection [22,23]. Therefore, studying the random multiple fault attack model has important practical significance for fault analysis.

Single bit fault [24] and single nibble fault analysis models are widely used in high precision laser fault attacks. However, the attackers can use less sophisticated electromagnetic fault injection to attack sensors in IoT. An electromagnetic fault attack first introduces a transient fault [7,8] to the working chip by an electromagnetic probe. The correct key is obtained by collecting and analyzing the relationship between the faulty and the correct data. During actual fault injection, the number and location of faults in the data register are affected by the precision of the injection equipment and the electromagnetic interference during the injection. At this time, the output electromagnetic wave injects multiple faults into the target data register. Therefore, the number and locations of random faults in the data register cannot be predicted by the attacker. If a single nibble or single byte model is still used for analysis, the fault attack analysis fails.

Thus, IoT device security can be achieved with a lightweight cryptosystem. Midori is an energy-efficient lightweight cryptosystem proposed by Banik et al. [25]. Midori has broad application prospects in wireless sensor networks. To assess the security of Midori, many researchers developed various attack techniques on Midori. Cheng et al. [15] presented cell-oriented fault propagation patterns on Midori. Chen et al. [11] designed 10 rounds of impossible differential paths to attack Midori-128. Shahmirzdi et al. [12] conducted three impossible differential attacks on Midori-64 with 10, 11 and 12 rounds. Nozaki et al. [26] distinguished the correct key from the error key by Hamming distance. Todo et al. [27] found a nonlinear invariant Boolean function G to distinguish the secret key.

The differential fault attack (DFA) [15,17,18,19] is a widely applied cryptanalysis technique. The correct and the faulty values are different at the fault point, and the attacker can obtain the secret key by analyzing differential faults. Impossible differential analysis is a powerful analysis method proposed by Knudsen [28] and Biham et al. [29]. By analyzing fault propagation paths, the elements that cannot possibly exist in the key space are eliminated. As such, the correct key is obtained step by step. Differential fault attacks combine well with other attack methods, and the attack effect is significant. Many scholars applied this method to their issues. Combining differential fault analysis with algebraic attack, Jovanovic et al. [30] and Zhao et al. [13] successfully attacked LED-64 with a single fault injection. Li et al. [10] presented a novel impossible differential fault analysis on LED-64. To the best of our knowledge, a random multiple fault attack model on lightweight Midori against the impossible differential fault attack (IDFA) has not been proposed. We further optimized the proposed scheme of fault attacks during the experiment.

The major contributions of the paper are as follows:

- (1) We propose an analysis model on lightweight Midori that can be used to analyze most of the random multiple fault attacks. We increase the number of analysis faults from one to six. The random multiple fault attack model can effectively analyze complex fault attacks.

- (2) Through experimental simulation analysis, a linear function relationship between the number of fault attacks and the remaining key information content is obtained.

- (3) The ciphertext-only fault attack is the attack method with the least known information. In this paper, the secret key is obtained by combining the impossible attack and the differential fault attack. Using the secret key invariant subspace, the secret key can be obtained by intersection of the subspace.

We summarize the results of the best-known attacks on Midori-64 in Table 1. Li et al. [31] used six distinguishers to analyze the security of Midori-64. Among them, the Hamming weight (HW) distinguisher provides the most effective fault analysis. However, the method can only analyze a random-nibble fault in the 15th round, and the number of fault injections is high. Cheng et al. [15] injected a random-nibble fault into the data register. By analyzing the differential fault propagation path of Midori, they found four invariant fault differential patterns. By analyzing these patterns to estimate the location where the fault was injected, they obtained the secret key. However, Cheng et al. [15] were only able to recover 80% of the secret key, and they did not discuss multiple fault injections. Our proposed method can not only analyze multiple random faults but also requires fewer fault injections. At least 11 fault injections are required to obtain the secret key. At present, the problem of multiple faults in data registers has been ignored by researchers. Analyzing the propagation of multiple fault differentials and using the combination of impossible fault attacks and differential fault attacks to improve the security of the lightweight cryptosystem in the case of multiple faults were the motivations of this study.

The rest of this article is divided into the following sections. In Section 2, we briefly describe Midori. In Section 3, we propose a random multiple fault attack model. In Section 4, we provide a detailed calculation for the model. In Section 5, we describe the experimental results. In the last section, we conclude this paper.

## 3. Random Multi-Fault Attack Model

Space particle radiation, aging of electronics and electromagnetic interference can disturb the current inside a chip. Faults are classified into intentional injection faults and unintentional injection faults. Faults can also be classified as transient faults, permanent faults and persistent faults. Compared with persistent fault injection [20], transient fault injection causes less damage to the chip. Therefore, most of the fault attacks are transient fault attacks. Although the position of the internal bit flip is related to the accuracy of the fault injection tool, actual fault injection produces additional random faults whose positions the attackers do not know. The electromagnetic waves radiated by the probe can disturb the clock circuit and the surrounding registers. Data transmission and data exchange in the chip are clock synchronized. In data transmission, setup-time and hold-time must be stable. In the process of electromagnetic fault injection, clock stability rapidly decreases, so setup-time and hold-time deviate, as shown in Figure 3. The occurrence of random multiple faults is complicated and ubiquitous. In the process of actual fault attack analysis, we encounter very complex problems.

A suitable attack model is important for security analysis. If a fault attack model cannot effectively analyze actual faults, the analysis of a cryptosystem will encounter many difficulties. At present, models for multiple fault attacks are lacking. Liao et al. [32] proposed a multiple fault attack model with no more than three bytes. Using matrix diagonals, Saha et al. [19] analyzed multiple byte faults, but with relatively few types of faults. To the best of our knowledge, no random multiple fault attack model against Midori has yet been proposed. From the perspective of engineering, in this paper, a general random multiple fault model is proposed. The random multiple fault analysis model can be applied to most of the random fault attacks and improve the security of lightweight cryptosystems in IoT networks.

#### 3.1. Fault Attacks Hypothesis

This paper does not deal with the physical implementation of the attack. Fault attacks against Midori can be implemented based on the following assumptions: An attacker is able to inject faults in the 14th round data register of Midori-64 and the number of the faults is no more than six. There is no fault injection in other memory elements of the crypto-hardware. After fault injection, the value of the faulty registers changes and the fault location is unknown. The attacker can obtain the correct and the faulty ciphertexts after each fault injection. The attacker does not need to know the correct plaintext, so this is a ciphertext-only attack. An attacker injects multiple random faults in the 14th round of the cryptosystem. As can be seen from Figure 2, the fault injection is the same in SubCell, ShuffleCell, and Round Constants. Assuming an electromagnetic fault is injected, there are four to six nibble faults. Random faults in data registers are shown in Figure 4, Figure 5 and Figure 6. The black circle indicates the fault point.

Figure 4, Figure 5 and Figure 6 describe the distributions of four to six faults. The faults in Figure 4, Figure 5 and Figure 6 indicate that the probability of fault occurrence at each position of the column is the same; there are zero to four faults in each column.
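The fault hypothesis above can be checked by exact enumeration. The following Python sketch is an added example, not the paper's code (the authors' experiments used MATLAB): it places four to six faults uniformly over the 16 nibbles of the injection-point register and computes how often a column is fully faulted or fault-free. The function names, the column-major nibble indexing and the uniform-placement assumption are choices made for this example, and propagation of the faults to later rounds is not modeled.

```python
from fractions import Fraction
from itertools import combinations

ROWS, COLS = 4, 4  # 16-nibble state; index = 4*col + row (assumed column-major)


def column_counts(fault_positions):
    """Return the number of faulty nibbles in each of the four columns."""
    counts = [0] * COLS
    for pos in fault_positions:
        counts[pos // ROWS] += 1
    return counts


def column_statistics(num_faults):
    """Enumerate every placement of num_faults faults over the 16 nibbles.

    Assumption for this example: each placement is equally likely, matching
    the statement that every position has the same fault probability.
    Returns exact probabilities as Fractions.
    """
    total = fixed_full = any_full = any_clean = 0
    for placement in combinations(range(ROWS * COLS), num_faults):
        counts = column_counts(placement)
        total += 1
        fixed_full += counts[0] == ROWS   # one chosen column has 4 faults
        any_full += ROWS in counts        # some column has 4 faults
        any_clean += 0 in counts          # some column has no fault
    return {
        "fixed_column_full": Fraction(fixed_full, total),
        "any_column_full": Fraction(any_full, total),
        "any_column_clean": Fraction(any_clean, total),
    }


def all_injections_hit(num_faults, repeats):
    """Probability that one fixed column is fully faulted in every one of
    `repeats` independent injections of num_faults faults each."""
    return column_statistics(num_faults)["fixed_column_full"] ** repeats


if __name__ == "__main__":
    for k in (4, 5, 6):
        stats = column_statistics(k)
        print(k, {name: float(p) for name, p in stats.items()})
    for repeats in (1, 2, 3):
        print("6 faults,", repeats, "injections:",
              float(all_injections_hit(6, repeats)))
```

Under these assumptions a fully faulted column is rare in a single injection and becomes far rarer when it has to recur across two or three independent injections, which is the situation Problem 2 in Section 3.2 is concerned with.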

#### 3.2. Analysis of Random Multiple Fault Attack Models

Figure 7 shows how faults propagate when random multiple faults are injected into the 14th round. The fault state in the dashed box can be replaced by any state in Figure 4, Figure 5 and Figure 6. According to the fault injection assumption mentioned above, the number of random faults in each column of $\Delta X^{15}$, $\Delta Y^{15}$ and $\Delta Z^{15}$ is 0 to 4. To successfully implement random multiple fault attacks, we address the following two problems.

Problem 1: The location of no faults in each column of $\Delta X^{15}$, $\Delta Y^{15}$ and $\Delta Z^{15}$ is unknown. There are four positions in a column. We estimate all four fault positions as fault-free, and then take the union of the estimated invariant space in the column.

Problem 2: As the location and number of each fault injection are unknown, there may be 0–4 faults in a certain column of $\Delta Z^{15}$. After injecting random multiple faults two or three times into the cryptosystem, an adversary takes a fault-free union at each position of $\Delta Z^{15}$. It is possible that the number of faults in a column is four. If the adversary predicts this column as fault-free, an error will occur. To avoid mistakes, the adversary can inject faults two or three times into the cryptosystem. In other words, the adversary avoids mistakes by taking the unions multiple times. We provide a detailed explanation using the following differential fault attack equations.

## 4. Analysis of Fault Difference Equations

The analysis of the multiple differential fault path is shown in Figure 7. We perform the inverse operation through the inverse output differential of the 16th round S-box.

By observing Figure 7, we obtain the following differential equations:

We can further obtain Equations (5)–(8) by expanding Equation (4).

where $j=1,2,3,4$ and $l=0,1,2,3$.

The relationship between $\Delta Z^{15}$ and $\Delta Y^{15}$ is shown in Table 2.

For the differential characteristics of the inverse S-box, as shown in Table 3, one input difference corresponds to multiple output differences. However, in a fault attack, the plaintext and secret key are always the same; that is, we can uniquely determine $Y^{16}$ and $Y^{15}$ by the estimation of S-box outputs.

The adversary's estimates of $\Delta W^{15}$ are listed in Table 2. Predicting the locations of multiple faults is impossible due to the complexity of random multiple fault injection. When the differential faults propagate to $\Delta Z^{15}$, the adversary estimates the fault-free position of $\Delta Z^{15}$, using Equations (5)–(9). The invariant space of $Y^{16}$ is reduced by excluding non-zero nibbles in each column of $\Delta Z^{15}$. According to the explanations of Problems 1 and 2 above, when the adversary injects faults two or three times, the fault-free difference must exist in some columns of $\Delta Z^{15}$. After a fault attack, each column of candidate $Y^{16}$ can be expressed by Equations (10)–(12). According to Problems 1 and 2 discussed above, the attackers independently induce faults two or three times at the 14th round and take the union of $\varnothing$, as shown in Equation (10).

where $3m-2$, $3m-1$ and $3m$ represent the number of fault attacks and $m$ represents the number of $\varnothing$ unions. The attacker can obtain the set of estimated $Y^{16}$, as shown in Equations (11) and (12).

where $p$ and $q$ are the number of intersections. The attacker injects faults repeatedly until the element in $\omega_{q}$ is unique. During fault attacks, the set $\theta$ may be empty for various reasons. When $\theta$ is empty, the attacker cancels $\rho$ and re-injects random faults. Therefore, the adversary will eventually obtain a unique $Y^{16}$ by constantly injecting faults.

Then, $WK$ can be obtained according to the following formula:

According to the key schedule of Midori, the adversary makes further derivations to obtain $K_{0}$. The equations are shown in Equations (15) to (19).

With the method proposed above, we do not need to inject the fault again; the unique $Y^{15}$ can be recovered by the same fault attack data. $K_{0}$ can be obtained using Equation (19).

## 5. Experimental Analysis and Results

The random multiple fault attack experiments were performed on a PC with a Core™ i3 CPU and 4 GB of RAM, using the MATLAB language.

Information entropy is a method used to measure the estimation of source data. Sakiyama et al. [33] theoretically analyzed the information entropy of the key leakage on the S-box. However, in the multi-fault analysis for lightweight Midori, there are no reports on the relationship between the number of fault attacks and the leaked secret key information content. To determine the relationship between the number of fault attacks and information content, we simulated 32,000 random multiple faults.

Figure 8 shows a total of 32,000 curves, each colored line representing a fault attack process that recovers the secret key. Midori-64 initially needed to determine the 64-bit secret key without fault injection. With our proposed algorithm, when the intersection of the secret key space was taken about 10 times, the amount of undefined information content was reduced to five. We continued to intersect the secret key space set $\rho$; the remainder of the information content gradually reduced until all the secret keys were recovered.

To identify the relationship between predicted fault injection and the amount of information to be predicted, we took the mode (black dot) simulation fitting during 32,000 fault attacks and obtained the functional relationship as shown below. Compared with Figure 8, the fitted graph in Figure 9 perfectly depicts the entire fault analysis process. The red curve in Figure 9 shows the boundary values of the data during the prediction process. The relationship between the number of intersections and the remaining information content of the secret key bits is shown in Figure 9. We obtained the following formula by computer fitting:

where $y$ is the remaining information content; $n$ is the number of intersections; and $a$, $b$ and $c$ are constants. The ranges of $a$, $b$ and $c$ are: $a=105.4\ (78.25,\ 132.6)$, $b=-10.85\ (-14.56,\ -7.142)$ and $c=14.9\ (13.18,\ 16.63)$.

Equation (20) shows good agreement with the experimental results. The adversary can obtain the remaining information content by substituting the number of intersections into Equation (20). The remaining information content shrinks with the intersection, as shown in Figure 9. When the remaining information content is 1 bit, more faults need to be injected to make the information content 0 bit. To further explain the existence of a large number of 1-bits, we counted the remaining information content of each column during the attacks. As shown in Figure 10, the number of intersections is around 20.

To reduce the number of fault injections and improve attack efficiency, the attacker stops fault injection when there is 1 bit left. We substituted the undetermined secret key into Midori-64 for verification.

As shown in Figure 11, we counted the number of fault attacks before and after optimization. After optimization, the number of fault attacks reduced considerably, and most of the attacks could be implemented within 20 times.

Figure 12 shows the time distribution of the fault attacks. Most of the security keys can be recovered within 80 s. The efficiency after optimization greatly improved compared to before optimization.