A Novel Differential Fault Analysis on the Key Schedule of SIMON Family

As a family of lightweight block ciphers, SIMON has attracted a great deal of research attention since its publication in 2013. Recent works show that SIMON is vulnerable to differential fault analysis (DFA), and the existing DFAs on SIMON assume that the induced faults are located in the cipher state. In this paper, a novel DFA on SIMON is proposed in which the key schedule is selected as the location of the induced faults. First, we assume that a random one-bit fault is induced in the fourth round key from the last, K T−4. Then, by utilizing the propagation properties of the SIMON key schedule, we determine the exact position of the induced fault and demonstrate that the proposed DFA can retrieve 4 bits of the last round key K T−1 on average using a one-bit fault. To date, this is the largest number of bits cracked with a single bit fault among DFAs based on the random bit fault model. Furthermore, by reusing the induced fault, we prove that 2 bits of the penultimate round key K T−2 can be retrieved. To the best of our knowledge, the proposed attack is the first one that extracts a key from SIMON through a DFA on the key schedule. Finally, the correctness and validity of the proposed attack are verified through detailed simulation and analysis.


Introduction
In 2013, a family of lightweight block ciphers called SIMON was presented by the National Security Agency (NSA), based upon the Feistel structure. Compared with other ciphers, SIMON provides better performance in both hardware and software. The block size of SIMON is denoted as 2n (where n is the word size) with n = 16, 24, 32, 48, or 64. Each block size supports 3 key sizes. Thus, SIMON can be implemented on a wide range of devices [1]. Since the publication of SIMON, many cryptanalysis papers on it have been presented, covering integral attacks [2,3], differential attacks [4–6], and linear attacks [6,7]. In addition, other attacks, such as differential fault analysis (DFA), have been proposed to retrieve the secret key from SIMON [8].
As one of the typical fault attacks (FA) [9], DFA was first proposed by Biham and Shamir in 1997 to obtain the secret key of the DES cryptosystem [10]. The idea of DFA is to exploit the erroneous computations caused by deliberately induced faults in order to retrieve the secret key of a cipher. DFA has been developed considerably since then and poses a serious threat to the security of many ciphers, including block ciphers [8,11–13].
In FDTC 2014, Tupsamudre et al. proposed the first DFA on the SIMON family [8]. In this attack, the authors induced faults into L T−2 (the left half of the input to the penultimate round) and proposed two fault models: a random bit fault model and a random byte fault model. Through theoretical analysis and experiments, they showed that 2 bits and one byte of the last round key K T−1 can be retrieved using one random bit flip and one random byte fault, respectively. Later, Takahashi et al. proposed a random n-bit fault model against the SIMON family, where n is the word size. They successfully retrieved the entire key of the SIMON family through both theoretical computation and experimental simulation. They also presented a detailed analysis of the data complexity (the number of fault injections) [14].
After that, Vasquez et al. proposed an improved DFA on the SIMON family [15]. Similarly to [8], they also assumed a random bit fault model; however, the location of the induced fault is L T−3. Because a deeper fault location leads to more efficient diffusion of the induced fault, this scheme retrieves 3.5 bits of K T−1 on average per one-bit fault. Furthermore, by reusing the induced one-bit fault, 2 bits of the penultimate round key K T−2 on average can be retrieved. As a result, they could break the entire key of SIMON96/96 and SIMON128/128 using faults in only one round.
In a following work, another improved DFA on the SIMON family was presented by Chen et al. at FDTC 2016 [16]. The authors injected faults into L T−m−1 under a random byte fault model, where m is the number of key words of the SIMON instance. They presented a detailed theoretical analysis of the data complexity and showed that the entire key of SIMON can be recovered. They successfully broke 6 instances of SIMON by using faults in only one round.
This paper proposes a novel DFA on the SIMON family. Unlike the existing DFAs on SIMON, where faults are induced into the cipher state, we induce faults into the key schedule for the first time. Under a random bit fault model, we prove that 4 bits of K T−1 and 2 bits of K T−2 can be retrieved on average when only a one-bit fault is induced into the fourth round key from the last, K T−4. Compared to [8], which also uses the random bit fault model, we can recover the entire key of the SIMON family with half the number of fault locations. Compared to the previous works, our contributions in this paper are mainly as follows:

1. Selection of the key schedule as the location of the induced fault. Unlike the existing DFAs on the SIMON family ([8,14–16]), which all select the cipher state as the location of the induced fault, our DFA on SIMON is the first one to select the key schedule as the location of the induced fault. Thus, we provide a new line of thought and a new method for using DFA to recover keys of the SIMON family.

2. Compared with existing attacks based on the random bit fault model, our attack is more efficient. Under the random bit fault model, [15] is the only work that retrieves two round keys from a single fault location; that is, [15] retrieves on average 3.5 bits of K T−1 and 2 bits of K T−2 from a one-bit fault induced into the (T−3)th round, which until now was the most efficient method. By selecting the key schedule, specifically K T−4, as the location of the induced fault, our attack retrieves 4 bits of K T−1 and 2 bits of K T−2 on average from a one-bit fault.
The rest of this paper is arranged as follows. Section 2 presents the necessary notation and a brief introduction to SIMON. Section 3 proposes and discusses our DFA on the SIMON key schedule: we present the assumption of the proposed attack, then discuss how to determine the position of the induced fault and how to retrieve K T−1 as well as K T−2. The extended analysis covers the detailed data complexity assessment and the scheme for recovering the entire secret key of the SIMON family. Simulation results and comparisons are presented in Section 4. Finally, concluding remarks are given in Section 5.

As a lightweight block cipher, SIMON applies a Feistel structure with n-bit words and a key of m words, and the instance is denoted SIMON 2n/mn. In the SIMON family, n is 16, 24, 32, 48, or 64, and m = 2, 3, or 4. The parameters of the SIMON family for the different (n, m) combinations are listed in Table 1.

Key Schedule Function
The SIMON key schedule generates a sequence of T round keys from the input key, where T is the number of rounds. For SIMON 2n/mn, the T key words (K 0, ..., K T−1) depend on the value of m and are generated using the formulas in (1), where c is the constant c = 2^n − 4 = 0xff...fc. The z j represent 5 constant sequences, denoted z 0, z 1, z 2, z 3 and z 4, respectively. More detailed descriptions of the key schedule function and of z j can be found in [1].
Round Function
The SIMON round function for i ∈ {0, ..., T−1} is given by Equation (2). From (2), it can be seen that the jth bit of L i affects 3 distinct bits of F(L i), as given in Formula (3).

3. The Proposed Attack on SIMON Key Schedule

Assumption of the Proposed Attack
Unlike the existing DFAs on SIMON, we assume that the adversary induces a random one-bit fault into the key schedule, and that the exact position of the induced fault is in K T−4. (L T *, R T *) denotes the faulty output obtained when the fault is induced. When K T−4 is corrupted by a random one-bit fault, the fault propagates as shown in Figure 1.
In Figure 1, the red thick line in K T−4 represents the induced fault at bit j%n of K T−4. The red thick lines in L T−3 and R T−2 represent the corrupted bits. The two yellow thick lines in K T−3 represent bits (j−3)%n and (j−4)%n of K T−3, both of which are corrupted by bit j%n of K T−4. The thick lines mark the cipher states and round keys that are needed to retrieve K T−1 and K T−2. The gray cipher states and round keys represent the faulty intermediate states and faulty round keys, respectively.

DFA on The (T−4) Round Key
In FDTC 2014, Tupsamudre et al. proposed the following formula to retrieve K T−1: Thus, in order to use the random bit faults induced in K T−4 to retrieve K T−1, we need to establish the relationship between the induced faults and L T−2. We suppose the position of the induced fault is the jth bit of K T−4. From Figure 1, it can be deduced that: Therefore, we can derive the following equation from the XOR of L T and L T *: If we move F(R T) ⊕ F(R T *) in Equation (6) to the left-hand side, Equation (6) can be rewritten as:

Determining the Position of Induced Fault
In this part, we show how to determine the position of the induced fault based on Equation (7). From Figure 1, the induced bit fault in K T−4 corrupts the bit at the same position in L T−3; in other words, the jth bit of L T−3 is flipped. According to Formula (3), 3 distinct bits of F(L T−3) may be affected: (j + 1)%n, (j + 2)%n and (j + 8)%n. To further illustrate which bits are affected, the function F(.) defined in Equation (2) needs closer analysis. Assuming the jth bit of L i is flipped, according to Formula (3) it can be deduced that: From Equation (8), we know that once the jth bit of L i is flipped, the (j + 2)%n bit of F(L i) is also flipped. Since the jth bit of L T−3 is flipped, the two bits (j + 1)%n and (j + 8)%n of F(L T−3) may be affected, while the bit (j + 2)%n of F(L T−3) must be affected.
According to Formula (1) and the structure of the SIMON key schedule, we obtain the following equation regardless of the value of m (that is, m = 2, 3, or 4): Equation (9) shows that one faulty bit of K T−4 affects 2 distinct bits of K T−3. In other words, the jth bit of K T−4 affects bits (j − 3)%n and (j − 4)%n of K T−3.
Further, bit (j − 3)%n of K T−3 affects bits (j − 6)%n and (j − 7)%n of K T−2, and bit (j − 4)%n of K T−3 affects bits (j − 7)%n and (j − 8)%n of K T−2. As a result, bits (j − 3)%n and (j − 4)%n of K T−3 together affect bits (j − 6)%n and (j − 8)%n of K T−2 (the two contributions to bit (j − 7)%n cancel under XOR). Through similar analysis, we can deduce the affected bits in K T−1. The bits of K T−3, K T−2 and K T−1 affected by the jth bit of K T−4 are given in Table 2. For simplicity, (j − x)%n is written as j − x, where x ∈ {0, ..., n}.
Table 2. The jth bit of K T−4 affects the bits of K T−3, K T−2 and K T−1 (columns: The Position of Induced Fault; Key Words: m; Affected Bits).

By combining Equation (7), Table 2 and the analysis above, some of the bit values in (L T ⊕ L T* ⊕ F(R T) ⊕ F(R T*)) can be identified. For convenience, we write (L T ⊕ L T* ⊕ F(R T) ⊕ F(R T*)) as "LFR". Thus, when the number of key words is m = 4 (we take m = 4 only as an example; for m = 3 or 2 the discussion proceeds in the same way), we obtain Equation (11) as well as the following equations: From Equation (11), it can be seen that the 4 contiguous bits (j − 9)%n, (j − 10)%n, (j − 11)%n and (j − 12)%n of LFR are all 1. In fact, when m = 3 or 2, the 4 consecutive bits (j − 9)%n, (j − 10)%n, (j − 11)%n and (j − 12)%n of LFR are likewise all 1. We present statistics on the values of the bits of LFR under the different conditions in Table 3. As can be seen in Table 3, there exists only one group of 4 contiguous 1s in LFR, whether m = 4, 3 or 2, and this is a very important property. In fact, the method for deducing the position j is based on this property.
To determine the position of the induced fault, Algorithm 1 is proposed. Here, the value of the constant A depends on the word size n: (A, n) = {(F400, 16), (F40000, 24), ...}. F(.) is the non-linear function defined in Equation (2). The position j can be determined by Algorithm 1; in other words, we can accurately determine the position of the induced fault, the jth bit of K T−4.
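As an added example (not code from the paper), the following Python reproduces the propagation traced above: it implements F(.) and the linear part of the SIMON key schedule from the specification [1], flips bit j of K T−4, and returns the affected positions in K T−3, K T−2 and K T−1, which can be checked against Formula (3), Equation (9) and the run of four ones in (j − 9)%n ... (j − 12)%n described above. The constants c and z j are deliberately omitted, since they cancel in the XOR difference between the faulty and the correct key schedule; the function and variable names are this example's own.

```python
# Added example (not code from the paper): push a one-bit fault in K_{T-4}
# through the SIMON key schedule and check the bit positions the text derives.
# F() and the key-schedule recurrences follow the SIMON specification [1]; the
# constants c and z_j are dropped because they cancel in the XOR difference
# (faulty key XOR correct key) that the analysis is about.

def rotl(x, r, n):
    """Rotate the n-bit word x left by r bits (S^r); S^{-r} is rotl(x, n-r, n)."""
    return ((x << r) | (x >> (n - r))) & ((1 << n) - 1)

def F(x, n):
    """SIMON round function F(x) = (S^1 x & S^8 x) ^ S^2 x."""
    return (rotl(x, 1, n) & rotl(x, 8, n)) ^ rotl(x, 2, n)

def bitset(word, n):
    """Positions of the 1 bits of an n-bit word."""
    return {b for b in range(n) if (word >> b) & 1}

def f_flip_positions(x, j, n):
    """Bits of F(x) that change when bit j of x is flipped: (j+2)%n always,
    (j+1)%n and (j+8)%n only when the respective AND partner bit of x is 1."""
    return bitset(F(x, n) ^ F(x ^ (1 << j), n), n)

def next_key_diff(window, m, n):
    """Difference of k_{i+m} from the differences of k_i ... k_{i+m-1}.
    Linear part of the key schedule (Formula (1) in the paper):
      m = 2, 3:  k_{i+m} = k_i ^ (I ^ S^-1)(S^-3 k_{i+m-1})
      m = 4:     k_{i+4} = k_i ^ (I ^ S^-1)(S^-3 k_{i+3} ^ k_{i+1})"""
    tmp = rotl(window[-1], n - 3, n)          # S^-3 of the newest key word
    if m == 4:
        tmp ^= window[1]
    tmp ^= rotl(tmp, n - 1, n)                # (I ^ S^-1)
    return window[0] ^ tmp

def fault_propagation(j, m, n):
    """Affected bit positions of K_{T-3}, K_{T-2}, K_{T-1} for SIMON 2n/mn
    when bit j of K_{T-4} is flipped (the K_{T-4} fault of the paper)."""
    window = [0] * (m - 1) + [1 << (j % n)]   # diffs of K_{T-4-(m-1)} .. K_{T-4}
    out = {}
    for name in ("K_{T-3}", "K_{T-2}", "K_{T-1}"):
        d = next_key_diff(window, m, n)
        window = window[1:] + [d]
        out[name] = bitset(d, n)
    return out

def has_run_of_four(positions, n):
    """True if the set holds 4 cyclically contiguous bit positions."""
    return any(all((b + k) % n in positions for k in range(4)) for b in positions)

if __name__ == "__main__":
    for n, m in ((32, 4), (48, 3), (64, 2)):
        res = fault_propagation(9, m, n)
        print(f"SIMON{2 * n}/{m * n}:", {k: sorted(v) for k, v in res.items()})
```

Running it prints, for each m, the same (j − 3), (j − 4) positions in K T−3 and the (j − 9) ... (j − 12) run in K T−1; the remaining positions of K T−1 differ with m, which is why the paper tabulates them per m in Table 2.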
After retrieving K T−1, we can reuse L T−2 with operations similar to those described in Section 3.2.2 to retrieve K T−2.
Now we have L T−2; because R T−1 = L T−2 and L T−1 = R T, the output of round T−2 of SIMON, (L T−1, R T−1), is obtained. As shown in Figure 1, because could be recovered. Based on Equation (12), the 2 bits (j − 7)%n and (j + 7)%n of L T−3 can be deduced; therefore two bits of K T−2 can be recovered from a one-bit fault induced in K T−4.

Extended Analysis
According to Equation (18), 4 bits of K T−1 can be retrieved in theory by inducing a one-bit fault in K T−4. Furthermore, 2 bits of K T−2 can be retrieved on average by reusing the induced one-bit fault. Under the random bit fault model, [8] recovers only 2 bits of K T−1. Although [15] also recovers 2 bits of K T−2, it recovers only 3.5 bits of K T−1 on average. Thus, our proposed one-bit fault attack on SIMON is more efficient.
Following the discussion in [15], when m = 2 the whole key of SIMON (96/96 and 128/128) can also be retrieved using faults in only one round key. Indeed, for m = 2 and k = i − 2, according to Formula (1) we obtain: So, for m = 2, the entire key of SIMON can be retrieved from only two consecutive round keys. As discussed in Sections 3.2.2 and 3.2.3, K T−1 and K T−2 can be retrieved by inducing faults in K T−4; thus we can retrieve the whole key of SIMON (96/96 and 128/128) using faults in only one round key.

Similarly, for m = 3 and m = 4, the following equations are obtained from Formula (1): From Equation (20), for m = 3 we know that if K T−2 and K T−3 can be obtained, then the entire key of SIMON can be recovered. Therefore, we need to induce faults in two round keys: K T−4 and K T−6. The faults induced in K T−4 are used to retrieve both K T−1 and K T−2, and the faults induced in K T−6 are used to retrieve only K T−3. For m = 4, we also need to induce faults in two round keys, K T−4 and K T−6; however, differently from the case m = 3, here the faults in K T−6 are used to retrieve two round keys, K T−3 and K T−4.

The key recovery for the SIMON family and the specific fault locations are shown in Tables 8–10. As shown in Table 8, under the random bit fault model our proposed attack needs the least average number of fault inductions. The average number of fault inductions is much larger than the theoretical number because we assume the position of the induced fault is random, so faults may hit the same position many times. If the position of the induced fault can be controlled precisely, the average number of fault inductions is very close to the theoretical number.
As shown in Tables 9 and 10, comparing the fault locations of the proposed attack with those of the existing ones, our proposed attack is the only one that selects the round keys as the fault locations. Under the random bit model, the proposed attack requires only half the number of fault locations of [8], and the same number as [15]. Apart from the random n-bit model [14] and the random byte model [16], the number of fault inductions required by the proposed attack is less than that required in [8,15]. In particular, when the number of key words is m = 3, the number required by the proposed attack is much smaller than that required in [15], because we induce faults in K T−6 to retrieve only K T−3 instead of both K T−3 and K T−4; hence our proposed attack is more efficient.

Conclusions
This paper proposes a novel DFA on the SIMON family that exploits the information leaked by the AND operation in F(L T−3). We show how to retrieve 4 bits of K T−1 and 2 bits of K T−2 on average from only a one-bit fault induced in K T−4. Furthermore, we have proved that the entire key of SIMON96/96 and SIMON128/128 can be retrieved using faults in only one round.
Compared with existing works, the attack proposed in this paper is the first one that selects the SIMON key schedule as the location of the induced faults. Under the random bit fault model, our attack is the most efficient one to date. Compared with the random n-bit model [14] and the random byte model [16], our attack requires a higher average number of fault inductions; this is because different fault models are used.
In the future, we will try to recover more bits by checking whether the bits (j + 1)%n and (j + 8)%n of L T−2 have been flipped. Further, we aim to explore the attack under different models, such as the random n-bit model and the random byte model, so as to further reduce the required average number of fault inductions. Besides, how to apply our ideas to the block cipher SPECK will also be explored.

Figure 1. Fault propagation when the jth bit of K T−4 is randomly corrupted.

Table 3. The jth bit of K T−4 affects the bits of LFR (columns: The Position of Induced Fault, i.e. the jth bit of K T−4; Key Words: m; The Value of Bits in LFR, where LFR = L T ⊕ L T * ⊕ F(R T) ⊕ F(R T *)).

Table 1. Parameters of the SIMON family.

Table 8. Experimental results for the average number of fault inductions needed to retrieve K T−1 / L T−2.

Table 9. Comparison of the experimental results for the number of fault inductions.

Table 10. Comparison of the fault locations of differential fault analysis (DFA) on the SIMON family.