General Extensions and Improvements of Algebraic Persistent Fault Analysis

Abstract

Algebraic persistent fault analysis (APFA) combines algebraic analysis with persistent fault analysis, providing a novel approach for examining block cipher implementation security. Since its introduction, APFA has attracted considerable attention. Traditionally, APFA has assumed that fault injection occurs solely within the S-box during the encryption process. Yet, algorithms like PRESENT and AES also utilize S-boxes in the key scheduling phase, sharing the same S-box implementation as encryption. This presents a previously unaddressed challenge for APFA. In this work, we extend APFA’s fault injection and analysis capabilities to encompass the key scheduling stage, validating our approach on PRESENT. Our experimental findings indicate that APFA continues to be a viable approach. However, due to faults arising during the key scheduling process, the number of feasible candidate keys does not converge. To address this challenge, we expanded the depth of our fault analysis without increasing the number of faulty ciphertexts, effectively narrowing the key search space to near-uniqueness. By employing a compact S-box modeling approach, we were able to construct more concise algebraic equations with solving efficiency improvements ranging from tens to hundreds of times for PRESENT, SKINNY and CRAFT block ciphers. The efficiency gains became even more pronounced as the depth of the fault leakage increased, demonstrating the robustness and scalability of our approach.

1. Introduction

Information security has become a focal point, and cryptographic techniques are increasingly prevalent. Under resource constraints, lightweight block ciphers are widely used due to their simple architecture, high efficiency, and ease of implementation. Common lightweight block ciphers include PRESENT [1], GIFT [2], SKINNY [3], LED [4], CRAFT [5], etc.

Fault analysis (FA) is a specialized form of side-channel analysis that can be considered an active analysis method targeting physical cryptographic embedded devices [6]. It involves executing fault injection on a device to force it into an abnormal state and analyzing the collected faulty ciphertexts to recover keys using knowledge of the cryptographic algorithm. Fault injection can be achieved by altering power voltage [7], external clock frequency [8], or temperature [9], or exposing circuits to lasers [10] during key scheduling or encryption. There is also the permanent fault model, where attackers employ more aggressive means to damage cryptographic devices, resulting in persistent faults [10]. In 2024, Grandamme et al. demonstrated that laser fault injection can be performed on powered-off devices [11]. In 2017, Wagner et al. discussed side-channel attacks targeting the key scheduling phase [12], highlighting the necessity of paying sufficient attention to key scheduling in fault analysis.

Fault injection and its accompanying analysis techniques are among the most effective methods for analyzing cryptographic devices. The most renowned analysis technique in this field was the differential fault analysis (DFA), which utilizes the differences between the correct and faulty ciphertexts from fixed inputs to recover keys [13]. In 2010, Courtois et al. proposed algebraic fault analysis (AFA) [14], combining fault analysis with algebraic analysis. It translates differential fault information into algebraic equations and integrates them with encryption algorithms. Wagner et al. discussed side-channel attacks targeting the key scheduling phase [12], highlighting the necessity of paying sufficient attention to key scheduling in fault analysis. In 2018, Zhang et al. introduced a novel fault analysis method called persistent fault analysis (PFA) [15]. This approach was later improved and validated through physical experiments under traditional fault injection schemes [16], demonstrating the feasibility and generality of PFA on Substitution–Permutation Network (SPN) block ciphers. Their fault model lies between transient and permanent faults. Faults are injected into algorithm constants stored in Read-Only Memory (ROM), such as an element within an S-box. Unless the ROM is refreshed, the fault persists through all subsequent encryptions, affecting rounds accessing the specific faulty S-box element, and disappears once the fault-injected device is reset. PFA primarily conducts statistical analysis on the value distribution of ciphertext bytes and can be used as a ciphertext-only cryptanalysis method. In 2025, Nguyen et al. demonstrated that simple instruction skipping can be leveraged to mount PFA against AES [17].

In 2022, Zhang et al. introduced APFA [18], merging the persistent fault model with algebraic fault analysis. Faults are injected into S-boxes stored in memory, causing a deviation in one element. Since S-box data are bijective, data passing through the S-box during encryption deviate after fault injection, significantly enhancing the solving success rate and efficiency of algebraic analysis. Fang et al. decomposed 4-bit S-boxes into two 2-bit S-boxes, reducing intermediate variable usage and effectively enhancing solving efficiency [19].

The equation systems constructed in APFA are in the satisfiability problem (SAT) form that can be solved by off-the-shelf SAT solvers, such as CryptoMiniSAT (CryptoMiniSAT is available open access at https://github.com/msoos/cryptominisat, accessed on 16 October 2024) [20]. The SAT inputs consist of clauses in conjunctive normal form (CNF), where clauses are connected by the conjunction ∧. Each clause comprises literals connected by the disjunction ∨, with each literal being either a positive or negative variable. Additionally, CryptoMiniSAT supports XOR syntax inputs, offering convenience in equation transformation. Previous APFA research describes S-boxes by Tseitin transformation to decompose higher-degree terms into linear combinations. Conjunctive normal form is then used to depict the Boolean relationships of all valid input–output pairs [21]. This approach necessitates numerous intermediate variables to construct data relationships before and after S-boxes [18,19].

Logic Friday, a widely used digital logic design and optimization tool, utilizes the Quine–McCluskey algorithm to simplify Boolean expressions and generate CNF descriptions [22], as well as the Espresso algorithm to simplify its sum-of-products representations [23]. In contrast, the Tseitin transformation introduces auxiliary variables to convert complex Boolean expressions or logic circuits into CNF for SAT solver applications. Studies have shown that CNF clauses generated by Logic Friday exhibit significant advantages in SAT solvers, reducing clause redundancy compared to the traditional Tseitin transformation [24].

Motivations. Prior APFA research overlooked the implications of faulty S-boxes during the key scheduling process. Our investigation reveals that prominent cryptographic standards like AES [25] and PRESENT [1] incorporate S-boxes into their key scheduling algorithms, leveraging the same S-box implementation as the encryption stage. Specifically, Shahbazi et al. [26] and Lu et al. [27] highlight the reuse of the S-boxes in AES, where they are shared between the key scheduling and encryption phases. Similarly, Rolfes et al. [28] and Hanley et al. [29] discuss the shared S-box architecture in the PRESENT cipher, demonstrating its utilization in both key scheduling and encryption processes. This previously unaddressed challenge necessitates a comprehensive extension of APFA to encompass the key scheduling phase. In this paper, we present our investigation and findings on extending algebraic persistent fault analysis to encompass the key scheduling stage of cryptographic algorithms.

Our Contributions

We extend fault injection and analysis to the key scheduling stage, discovering that algebraic persistent fault analysis remains applicable, but find that it comes with two challenges. Firstly, it introduces uncertainty. Deviating from the definition of bijection of S-box, round keys can no longer be traced back to a unique master key, making it difficult to reduce the key search space to a single solution. Secondly, the constructed algebraic equations are larger and more complex, demanding higher solving efficiency. Increasing the depth of fault analysis can reduce uncertainty and consequently shrink the key search space, thus leveraging the first problem. However, increased depth results in larger algebraic equations, necessitating improved solving efficiency to address the second problem. Our main contributions are as follows:

• Using the 80-bit version of PRESENT as an example, we extend APFA fault injection and analysis to the S-box in the key scheduling stage with compact S-box modeling. Experiments demonstrate that algebraic persistent fault analysis remains applicable when delving into the key scheduling stage. The key search space is difficult to reduce to a single solution; increasing fault analysis depth can shrink the key search space. Experiments show that when the fault analysis encompasses the entire key scheduling and encryption processes, the key search space can approach uniqueness.
• Since the descriptions of S-boxes account for significant computational resources consumed to solve the SAT problem in APFA, we propose a truth table-based optimization method for S-box modeling. By representing S-boxes with optimized truth tables and utilizing the Logic Friday (version 1.1.4) tool, S-boxes are converted into CNF representation, reducing clause count and eliminating the need for auxiliary variables. Compared to previous construction methods, our algebraic construction significantly enhances solving efficiency in APFA, especially in high-complexity scenarios. For PRESENT, SKINNY, and CRAFT encryption algorithms, the required number of variables and clauses to establish complete algebraic equations is nearly halved, with solving efficiency improved by tens or even hundreds of times. Additionally, we discovered that if solving time is constrained, improved efficiency also translates to higher solving success rates.

2. Background

2.1. Notation Table

Table 1. Notations used in this paper.

Notations	Definitions	Notations	Definitions
n	The block size	$S^{\prime }$	The faulty S-box
w	The size of S-box	l	The fault location in the faulty S-box
r	The round index	f	The fault value in the faulty S-box
R	The total number of rounds	U	$S\left[l\right]$
$X^r$	The r-th round data block	V	$S\left[l\right]\oplus f$, i.e., $S^{\prime }\left[l\right]$
$X_i^r$	The i-th element of $X^r$	$N_c$	The number of ciphertexts
$K^r$	The r-th round key	$N_r$	The depth of fault leakages
C	The ciphertext	$N_v$	The total number of variables
F	The round function	$N_e$	The total number of equations
S	The S-box	$N_k$	Size of the key search space

defines the notations used in this paper.

2.2. Lightweight Block Ciphers in SPN Structure

We use PRESENT [1], SKINNY [3], and CRAFT [5] as our target block ciphers. PRESENT and SKINNY are well-established lightweight algorithms, with PRESENT being the ISO/IEC lightweight block cipher standard [30] and SKINNY being the ISO/IEC tweakable block cipher standard [31]. CRAFT was chosen to establish a new benchmark, as it has not been extensively examined in previous studies. The SPN is an iterative core structure used in block ciphers, achieving encryption strength through alternating nonlinear substitution (Substitution) and linear permutation (Permutation) operations over multiple rounds. A standard SPN structure consists of R iterative rounds, each comprising three core operations:

RoundKey (AK): The round key is XORed with the intermediate state, introducing key dependency.

Substitution Layer (SB): The parallel S-boxes perform nonlinear transformations on fixed-length data blocks. Typically, a 4-bit S-box is used in lightweight block ciphers.

Permutation Layer (PL): The substituted bits are deterministically rearranged to achieve diffusion across S-boxes. Common strategies include the following: (1) ShiftRows: Cyclic shifts by rows (e.g., SKINNY). (2) Bit Permutation: Fixed position mapping (e.g., PRESENT’s 64-bit permutation matrix). (3) MixColumns: Linear transformation based on a finite field (e.g., CRAFT’s $4\times 4$ MDS matrix can be implemented using XOR operations).

The typical algorithm structure is $F^r=PL\left(SB\left(AK(X^r,K^r)\right)\right),1\le r\le R$.

Table 2. Comparison of algorithm parameters.

Property	PRESENT [1]	SKINNY-64 [3]	CRAFT [5]
Block length (bit)	64	64	64
Master key length (bit)	80/128	64/128/192	128
Number of rounds	31	32/36/40	32
S-box width	4-bit	4-bit	4-bit
Key scheduling S-box	Reuse encryption S-box	-	-

compares the core parameters of PRESENT, SKINNY, and CRAFT. All three use 4-bit S-boxes, with the specific input–output mappings shown in

Table 3. S-box definitions.

X	0	1	2	3	4	5	6	7	8	9	a	b	c	d	e	f
S[X]-PRESENT	c	5	6	b	9	0	a	d	3	e	f	8	4	7	1	2
S[X]-SKINNY	c	6	9	0	1	a	2	b	3	8	5	d	4	e	7	f
S[X]-CRAFT	c	a	d	3	e	b	f	7	8	9	1	5	0	2	4	6

. CRAFT’s tweak key ($TK$) is used alongside the master key ($MK$) in key scheduling.

The key scheduling algorithm for PRESENT-80, with a key size of 80 bits, is shown in Algorithm 1.

Algorithm 1 Key schedule of PRESENT-80 [1].
Input: 80-bit master key $MK=k_{79}{k}_{78}\dots k_0$
Output: 64-bit round keys $K^1,K^2,\dots ,K^{32}$
1: $K\leftarrow MK$
2: for $r=1$ to 31 do
3:     $K^r\leftarrow K[79:16]$
4:     $K\leftarrow K⋘61$	▹ Cyclic left shift by 61 bits
5:     $K[79:76]\leftarrow S\left(K\right[79:76\left]\right)$	▹ Substitute the top 4 bits
6:     $K[19:15]\leftarrow K[19:15]\oplus {\mathrm{bin}}_5\left(r\right)$	▹ XOR with 5-bit round counter
7: end for
8: $K^{32}\leftarrow K[79:16]$

2.3. Algebraic Persistent Fault Analysis

The construction of APFA [18] algebraic equations should launch multiple encryptions using the same key, as is illustrated in Figure 1. APFA is a ciphertext-only cryptanalysis method, operating as follows:

1.

An attacker injects a small fault into the S-box of an encryption device, affecting the output of one of its mappings and rendering the S-box’s mapping unbalanced. The faulty S-box ($S^{\prime }$) persists through multiple encryption rounds. The fault information in $S^{\prime }$ includes the fault location (l) and fault value (f), where $S^{\prime }\left[l\right]=S\left[l\right]\oplus f$.

2.

The victim encrypts multiple plaintexts using a fixed key on the faulty encryption device.

3.

The attacker collects ciphertexts containing fault information and establishes a system of algebraic equations based on the relationship between the key, encryption process, and fault information of the S-box.

4.

SAT solving tools are used to solve the equations. If successful, the solution reveals the master key.

For the faulty S-box $S^{\prime }$, assume the fault occurs at $S\left[l\right]$ (fault location l, i.e., the l-th byte of S), causing $S\left[l\right]=U$ to become $S^{\prime }\left[l\right]=V$. Consequently, for each round’s $S{B}^{\prime }$, it holds that $S^{\prime }\left[X_i^r\right]\ne U$. This inequality is represented by CNF in Equations (1) and (2), where $d_{\left(j\right)}$ means the j-th bit of d. Since $d_{\left(j\right)}$s can not be 0 simultaneously, there must be at least one bit $d_i$ that is not zero, indicating that $S^{\prime }\left[X_i^r\right]\ne U$.

$$\begin{array}{c}\hfill d_{\left(j\right)}\oplus S^{\prime }{\left[X_i^r\right]}_{\left(j\right)}\oplus U_{\left(j\right)}=0,0\le j<w\end{array}$$

(1)

$$\begin{array}{c}\hfill d_{\left(0\right)}\vee d_{\left(1\right)}\vee \dots \vee d_{(w-1)}=1\end{array}$$

(2)

3. Extending APFA to the Key Scheduling Phase

In this section, we explore the effects of extending the faulty S-box to the key scheduling phase. Our experiments and analyses confirm that APFA remains effective when fault injection and analysis are extended to the key scheduling process.

3.1. Implementation with Shared S-Box

When translating encryption algorithms from theory to practice, circuit implementations vary according to specific requirements. If throughput is prioritized, designs may consider executing the same operations in parallel, such as replicating S-boxes to allow parallel data processing through multiple S-boxes, thus enhancing efficiency. Conversely, to minimize the area of implementation circuits, reducing the number of implemented S-boxes is a viable approach. In circuit implementations of encryption devices, a single instance of an S-box may suffice, reducing circuit scale, with all related data passing through the S-box sequentially. Designs for AES [26,27] and PRESENT [28,29,32] reflect such considerations.

Practical circuits balance throughput and area based on requirements. For the PRESENT encryption algorithm’s implementation, we assume a single S-box instance is used, with the key scheduling and encryption phases serially utilizing this S-box. A simplified representation of the data flow in its serial circuit construction is shown in Figure 2, where r denotes the current round.

Focusing on the PRESENT encryption algorithm, where the key scheduling process requires the same S-box as used in encryption, we extend APFA fault injection to the key scheduling phase, assuming only one S-box instance in the circuit. Fault injection into the S-box affects both the encryption and key scheduling SB operations.

The use of a faulty S-box in the key scheduling phase significantly increases the scale and complexity of the algebraic system. We propose a new algebraic construction method for the S-box that greatly improves solving efficiency. Due to the structure of this paper, the introduction and effects of this method are discussed in Section 4.2 and Section 5, respectively.

Our primary focus is on the feasibility of extending APFA to the key scheduling phase. Given the superior performance of our algebraic construction method, this section discusses extending APFA to the key scheduling phase using our proposed S-box modeling method exclusively.

3.2. Experimental Setup

We assume the key scheduling and encryption processes use the same faulty S-box instance. For the PRESENT encryption algorithm, we inject a 1-bit fault at location $l=0$ with a fault value of $f=0x0001$. As a result, the faulty S-box value becomes $S^{\prime }\left[0\right]=0xd$, (whereas the original value is $S\left[0\right]=0xc$). Compared to the initial APFA, extending to the key scheduling phase requires reflecting the S-box fault information during key scheduling. The complete process is detailed in Algorithm 2.

Algorithm 2 APFA on 80-bit PRESENT (key schedule using faulty S-box).
Input: $\mathbb{C},l,f,N_r$
Output: $MK$	▹ Output: Recovered master key
1: $U\leftarrow S\left[l\right]$	▹ Store original S-box value
2: $S^{\prime }\left[l\right]\leftarrow S\left[l\right]\oplus f$	▹ Inject fault at S-box position l
3: for $r\leftarrow 0$; $r<R$; $r++$ do
4:     $genKeyScheduleConstraints(r,K^r)$	▹ Normal key scheduling constraints
5:     $genKeyScheduleFaultConstraints(r,K^r,U)$	▹ Faulty S-box constraints
6: end for
7: for $C\in \mathbb{C}$ do
8:     for $r\leftarrow R-N_r$; $r\le R$; $r++$ do	▹ Analyze the last $N_r$ encryption rounds
9:           $genSBoxConstraints\left(X^r\right)$	▹ S-box substitution constraints
10:         $genFaultSBoxConstraints(X^r,U)$	▹ Faulty S-box constraints
11:         $genPermutationLayerConstraints\left(X^r\right)$	▹ Permutation layer constraints
12:         $genAddRoundKeyConstraints\left(X^r\right)$
13:     end for
14:     $X^R\leftarrow C$	▹ Bind ciphertext to final state
15: end for
16: $MK\leftarrow RunAPFASolver\left(\right)$	▹ Invoke solver to recover key

Here, “genKeyScheduleFaultConstraints” and “genFaultSBoxConstraints” represent constraints related to the faulty S-box during key scheduling and encryption, respectively, i.e., $S^{\prime }\left[X\right]\ne U$.

Extending APFA to the key scheduling phase, the algebraic equation system includes the following constraints:

• Multiple encryptions use the same key.
• Constraints of the key scheduling process (using the faulty S-box). Since multiple encryptions use the same key, this constraint needs to be added only once.
• Constraints of the encryption process (using the faulty S-box).
• Additional constraints on the faulty S-box (the mapped value of the original S-box at the fault location $S\left[l\right]$ cannot appear in the data output through the faulty S-box, i.e., $S^{\prime }\left[l\right]\ne S\left[l\right]$). This additional constraint must be added whenever data pass through a faulty S-box.

3.3. Results with Faulty S-Box in Key Schedule

In our experiments, we simulated fault injection using software and employed CryptoMiniSAT v5.11.22 as the SAT solver to resolve algebraic equations. For fairness, we configured the solver to execute in a single-threaded mode. The experiments were conducted on a PC equipped with 32 GB of memory and a 3.5 GHz Intel(R) Core(TM) i5-13600KF CPU (Intel Corporation, Santa Clara, CA, USA), utilizing an Ubuntu 24.04.4 virtual machine (Canonical Ltd., London, UK). The virtual machine was allocated 16 GB of memory and 8 processors.

To best simulate real-world conditions, all timing statistics were measured using randomly generated sets of required faulty ciphertexts for each APFA experiment. Each experiment was repeated more than 10 times, with the maximum and minimum values discarded and the average of the remaining results taken as the final value. For $N_v$ and $N_e$, their values remain the same under identical experimental conditions and can be directly obtained from the program.

In our experiments, we considered a ciphertext quantity of ($N_C=30$) as a parameter that balances complexity and solving rate. We set out to use 30 faulty ciphertexts for our analysis. We measured the size of the master key search space after solving. As the depth of fault analysis increased from 5 to all encryption rounds, the average number of master key search space solutions obtained is shown in Figure 3. As the fault depth increases, the size of the master key search space decreases. When fault analysis covers the entire encryption and key scheduling process, the key search space approaches uniqueness.

Since APFA is a ciphertext-only cryptanalysis method, it focuses solely on the last few rounds (equivalent to the fault analysis depth) of the encryption process. When constructing the system of algebraic equations, we include all key scheduling processes and the constraint equations corresponding to the last few rounds of encryption. Assuming a fault analysis depth of $N_r$, if no faults exist in the key scheduling process, the round key for the $(R-N_r+1)$-th round, $K^{R-N_r+1}$, can be deduced uniquely and the unique master key ($K^1$) can be recovered accordingly.

However, if faults are injected and the analysis is extended to the key scheduling process, uncertainty is also introduced into this process. Consequently, we are unable to make the search space for $K^{R-N_r+1}$ converge, which further complicates reducing the search space for the master key to a single solution. The inability for candidate key convergence under certain fault conditions is acknowledged, and we constructively address this limitation by extending the analysis depth.

Since the rules of key scheduling are deterministic, increasing the depth of fault analysis allows for a more in-depth examination, gradually eliminating the interference caused by faulty S-boxes. This deeper analysis is crucial for effectively locking in the correct key candidates, thereby enhancing the practical applicability of APFA. Ultimately, when $N_r=R$, meaning the fault analysis covers the entire key scheduling and encryption processes, the search space for the master key is reduced to approach uniqueness.

It still remains difficult to fully converge because, for the first S-box encountered in the key scheduling process, resolving its fault information requires the ciphertext to provide sufficient data that can collide with the fault of that S-box. This necessitates a high number of ciphertexts, and the potential benefit may only shift the key search space from being nearly unique to uniquely identifying the key, resulting in an imbalance between the effort required and the gains achieved.

4. Algebraic Construction of the S-Box

The solving efficiency of APFA is influenced by the scale of the algebraic equation system. In constructing the algebraic system, addition operations can be directly represented using XOR, while permutation operations are realized through variable mapping. The core challenge lies in the algebraic representation of the S-box, as its complexity directly impacts the processing efficiency of the SAT solver [20]. This section introduces a novel method for S-box construction, with its innovation highlighted in Section 4.2.

4.1. Classical ANF-CNF Conversion Method

The classical approach models the S-box by converting Algebraic Normal Form (ANF) to CNF. Taking the 4-bit S-box used in PRESENT as an example, assume $X_i=(x_0,x_1,\dots ,x_{w-1})$ and $Y_i=(y_0,y_1,\dots ,y_{w-1})$ are the S-box input and output, respectively. The ANF representation of the S-box is expressed in Equation (3) [18]. The AND operation is denoted by “·”, which may be omitted.

$$\begin{array}{cc}\hfill y_0& =x_0\oplus x_2\oplus x_3\oplus x_1{x}_2\hfill \\ \hfill y_1& =x_1\oplus x_3\oplus x_1{x}_3\oplus x_2{x}_3\oplus x_0{x}_1{x}_2\oplus x_0{x}_1{x}_3\oplus x_0{x}_2{x}_3\hfill \\ \hfill y_2& =1\oplus x_2\oplus x_3\oplus x_0{x}_1\oplus x_0{x}_3\oplus x_1{x}_3\oplus x_0{x}_1{x}_3\oplus x_0{x}_2{x}_3\hfill \\ \hfill y_3& =1\oplus x_0\oplus x_1\oplus x_3\oplus x_1{x}_2\oplus x_0{x}_1{x}_2\oplus x_0{x}_1{x}_3\oplus x_0{x}_2{x}_3\hfill \end{array}$$

(3)

Each nonlinear term $x_0{x}_1\dots x_{w-1}$ requires the introduction of an intermediate variable $I_t$, establishing constraints as shown in Equation (4) [18]. Each term can be considered an independent CNF clause.

$$(x_0\vee {\overline{I}}_t)\wedge (x_1\vee {\overline{I}}_t)\wedge \dots \wedge (x_{w-1}\vee {\overline{I}}_t)\wedge ({\overline{x}}_0\vee {\overline{x}}_1\vee \dots \vee {\overline{x}}_{w-1}\vee I_t)=1$$

(4)

For an S-box with n nonlinear terms, $O\left(n\right)$ intermediate variables and $O\left(n\right)$ CNF clauses are required. The original S-box in the PRESENT encryption algorithm requires 8 intermediate variables and 28 clauses for representation.

Assume a 1-bit fault is injected into the S-box at fault location $l=0$ with fault value $f=0x0001$. Its algebraic representation requires 11 intermediate variables and 43 clauses.

While this method accurately models the S-box, the introduction of intermediate variables significantly increases the problem’s dimensionality, leading to a substantial expansion of the SAT solving space.

4.2. Truth Table-Based Optimized S-Box Modeling Method

We propose a direct modeling method based on truth table optimization. Let the S-box input be $X=(x_0,\dots ,x_{w-1})$ and output $Y=(y_0,\dots ,y_{w-1})$. Define a boolean function $P:{\{0,1\}}^w\times {\{0,1\}}^w\to \{0,1\}$, as shown in Equation (5).

$$P(X,Y)=\left\{\begin{array}{cc}1\hfill & \mathrm{if}Y=S\left(X\right)\hfill \\ 0\hfill & \mathrm{otherwise}\hfill \end{array}\right.$$

(5)

For a given faulty S-box, convert it into a truth table of a Boolean function, where possible patterns have a value of 1 and impossible patterns have a value of 0. This truth table is input into the Logic Friday software. This truth table is input into the Logic Friday software to generate and simplify the CNF representation.

For the PRESENT encryption algorithm, using the faulty S-box $S^{\prime }\left[0\right]=0xd$ (note that originally $S\left[0\right]=0xc$), the truth table input to the Logic Friday tool is shown in

Table 4. Truth table of the boolean function constructed from a faulty S-box.

${\mathit{x}}_3$	${\mathit{x}}_2$	${\mathit{x}}_1$	${\mathit{x}}_0$	${\mathit{y}}_3$	${\mathit{y}}_2$	${\mathit{y}}_1$	${\mathit{y}}_0$	$\mathit{Prob}$
0	0	0	0	1	1	0	1	1
0	0	0	1	0	1	0	1	1
0	0	1	0	0	1	1	0	1
0	0	1	1	1	0	1	1	1
0	1	0	0	1	0	0	1	1
0	1	0	1	0	0	0	0	1
0	1	1	0	1	0	1	0	1
0	1	1	1	1	1	0	1	1
1	0	0	0	0	0	1	1	1
1	0	0	1	1	1	1	0	1
1	0	1	0	1	1	1	1	1
1	0	1	1	1	0	0	0	1
1	1	0	0	0	1	0	0	1
1	1	0	1	0	1	1	1	1
1	1	1	0	0	0	0	1	1
1	1	1	1	0	0	1	0	1

.

After data transformation and reduction by the tool, the resulting CNF data are shown in Figure 4, where the “Minimized Product of Sums” represents the required CNF data.

This algebraic construction method for the S-box does not require the introduction of additional auxiliary variables, and the results can be directly viewed as conforming to the format required by SAT solvers such as CryptoMiniSAT.

A comparison of the number of variables and clauses required for different S-box modeling methods is shown in

Table 5. Comparison of variable and clause requirements for different S-box construction methods.

Algorithm	S-Box	Traditional Method		Proposed Method
		Intermediate Variables	Clauses	Intermediate Variables	Clauses
PRESENT	Original	8	31	-	26
	Faulty	11	43	-	27
SKINNY	Original	8	30	-	22
	Faulty	8	33	-	23
CRAFT	Original	8	31	-	22
	Faulty	11	43	-	22

. For the faulty S-box, we uniformly assume a 1-bit fault is injected at location $l=0$ with fault value $f=0x0001$.

5. APFA with Compact S-Box Modeling

We applied APFA to the PRESENT, SKINNY, and CRAFT encryption algorithms, utilizing our algebraic representation of the S-box and comparing it to the traditional method. For the faulty S-box used in the encryption process, we assumed a 1-bit fault was injected at fault location $l=0$ with fault value $f=0x0001$.

For consistency, we used the same experimental environment as described in Section 3.3.

5.1. APFA on PRESENT

We assumed that the S-boxes used in the key scheduling and encryption phases of PRESENT reside in different memory units, with only the S-box in the encryption phase being faulty. The S-box used in the encryption phase has a single instance, through which all data are processed sequentially.

We implemented APFA on both the 80-bit and 128-bit versions of the PRESENT encryption algorithm. For the S-box, we employed two different algebraic construction methods.

Using our S-box algebraic construction method, the number of variables and clauses required to construct the complete algebraic expression is significantly reduced under different fault analysis depths and numbers of faulty ciphertexts. For the 80-bit version of PRESENT, we set parameters $N_r\in [5,12]$, $N_c=30$. The comparison with the original APFA is shown in

Table 6. APFA on PRESENT-80 with compact S-box modeling.

${\mathit{N}}_{\mathit{r}}$	${\mathit{N}}_{\mathit{c}}$	${\mathit{N}}_{\mathit{v}}$			${\mathit{N}}_{\mathit{e}}$			$\mathit{Time}\left(\mathit{s}\right)$
		New	Origin	Ratio	New	Origin	Ratio	New	Origin	Ratio
5	30	27,164	48,532	56.0%	73,846	104,721	70.6%	2.55	55.37	4.6%
6	30	32,924	59,572	55.3%	91,126	129,681	70.4%	3.64	105.2	3.5%
7	30	38,684	70,612	54.7%	108,406	154,641	70.1%	3.78	127.15	2.9%
8	30	44,444	81,652	54.4%	125,686	179,601	70.0%	3.90	151.58	2.6%
9	30	50,204	92,692	54.2%	142,966	204,561	70.0%	4.39	272.03	1.6%
10	30	55,964	103,732	53.9%	160,246	229,521	69.8%	6.73	262.09	2.6%
11	30	61,724	114,772	53.8%	177,526	254,481	69.8%	7.85	387.34	2.0%
12	30	67,484	125,812	53.6%	194,806	279,441	69.7%	9.10	423.07	2.2%

.

For the 128-bit version, we set parameters $N_r\in [5,12]$, $N_c=80$. The comparison with the original APFA is shown in

Table 7. APFA on PRESENT-128 with compact S-box modeling.

${\mathit{N}}_{\mathit{r}}$	${\mathit{N}}_{\mathit{c}}$	${\mathit{N}}_{\mathit{v}}$			${\mathit{N}}_{\mathit{e}}$			$\mathit{Time}\left(\mathit{s}\right)$
		New	Origin	Ratio	New	Origin	Ratio	New	Origin	Ratio
5	80	72,136	128,952	56.0%	196,252	278,482	70.5%	9.81	62.06	15.8%
6	80	87,496	158,392	55.2%	242,332	345,042	70.2%	13.31	120.12	11.1%
7	80	102,856	187,832	54.8%	288,412	411,602	70.1%	14.26	228.93	6.2%
8	80	118,216	217,272	54.4%	334,492	478,162	69.9%	19.22	390.37	4.9%
9	80	133,576	246,712	54.1%	380,572	544,722	69.9%	27.28	671.98	4.1%
10	80	148,936	276,152	53.9%	426,652	611,282	69.8%	29.34	691.83	4.2%
11	80	164,296	305,592	53.8%	472,732	677,842	69.7%	26.25	1051.61	2.5%
12	80	179,656	335,032	53.6%	518,812	744,402	69.7%	26.41	1682.77	1.6%

.

We consider these parameters representative. In experiments, both S-box construction methods with these parameters can solve successfully in a relatively short time, facilitating comparison.

Our algebraic representation significantly reduces the solving time for APFA, and as $N_r$ increases, the advantage becomes more pronounced due to the expanding scale of the algebraic system.

5.2. APFA on SKINNY-64

We conducted APFA on three versions of the SKINNY-64 encryption algorithm. When the key length is 64 bits, both the original and our S-box construction methods successfully solve in a short time. For key lengths of 128 and 192 bits, due to our computational resource limitations, the original S-box construction method’s solving efficiency becomes highly unstable, often failing to solve within 24 hours. We only perform comparisons on SKINNY-64-64.

Using our S-box algebraic construction method, for a key length of 64 bits, we set parameters $N_r\in [5,12]$, $N_c=20$. The comparison with the original APFA is shown in

Table 8. APFA on SKINNY-64-64 with compact S-box modeling.

${\mathit{N}}_{\mathit{r}}$	${\mathit{N}}_{\mathit{c}}$	${\mathit{N}}_{\mathit{v}}$			${\mathit{N}}_{\mathit{e}}$			$\mathit{Time}\left(\mathit{s}\right)$
		New	Origin	Ratio	New	Origin	Ratio	New	Origin	Ratio
5	20	23,608	36,408	64.8%	55,544	71,544	77.7%	1.70	27.83	6.1%
6	20	27,828	43,188	64.4%	66,164	85,364	77.5%	3.87	47.86	8.1%
7	20	32,028	49,948	64.1%	76,764	99,164	77.4%	6.03	101.35	5.9%
8	20	36,248	56,728	63.9%	87,384	112,984	77.3%	7.69	186.41	4.1%
9	20	40,468	63,508	63.7%	98,004	126,804	77.3%	8.03	293.41	2.7%
10	20	44,688	70,288	63.6%	108,624	140,624	77.3%	10.76	623.49	1.7%
11	20	48,928	77088	63.5%	119,264	154,464	77.2%	11.55	1054.14	1.1%
12	20	53,168	83,888	63.4%	129,904	168,304	77.2%	11.78	1277.21	0.9%

.

Using our S-box algebraic construction method, we set the parameters as follows: for a key length of 128 bits, $N_r\in [7,12]$ and $N_c=120$; for a key length of 192 bits, $N_r\in [8,12]$ and $N_c=300$. The algebraic construction and the average solving time are detailed in

Table 9. APFA on SKINNY-64-128/192 with compact S-box modeling.

Key Lengths	${\mathit{N}}_{\mathit{r}}$	${\mathit{N}}_{\mathit{c}}$	${\mathit{N}}_{\mathit{v}}$	${\mathit{N}}_{\mathit{e}}$	$\mathit{Time}\left(\mathit{s}\right)$
128	7	120	187,320	455,992	22.67
	8	120	212,880	519,952	30.52
	9	120	238,320	583,792	41.39
	10	120	263,640	647,512	67.19
	11	120	288,840	711,112	79.31
	12	120	314,160	774,832	111.38
192	8	300	530,696	1,298,504	186.55
	9	300	594,296	1,458,104	453.96
	10	300	657,896	1,617,704	678.18
	11	300	721,796	1,777,604	1015.61
	12	300	785,696	1,937,504	1451.63

. For a key length of 192 bits, when $N_r$ is set to 7, the key can always converge to a single-digit value, but it does not consistently converge to a unique value.

5.3. APFA on CRAFT

CRAFT uses a 128-bit key and a 64-bit tweak to generate four 64-bit round keys, which are cycled through during encryption. The key information is obfuscated by the tweak key; thus, multiple possible keys exist, with the correct key among them. Alternatively, we can recover the total 256-bit round key, which is determinable, but multiple combinations of master key and tweak key can produce this round key.

We do not consider finding a unique solution as the termination condition. In the experiment, we increase $N_c$ or $N_r$ as much as possible, ultimately reducing the key search space to 16, marking this as a successful solution.

For the CRAFT encryption algorithm, we set the parameters $N_r\in [5,12]$ and $N_c=80$. The comparison with the original APFA is shown in

Table 10. APFA on CRAFT with compact S-box modeling.

${\mathit{N}}_{\mathit{r}}$	${\mathit{N}}_{\mathit{c}}$	${\mathit{N}}_{\mathit{v}}$			${\mathit{N}}_{\mathit{e}}$			$\mathit{Time}\left(\mathit{s}\right)$
		New	Origin	Ratio	New	Origin	Ratio	New	Origin	Ratio
5	80	86,368	142,688	60.6%	183,456	290,976	63.0%	29.45	557.76	5.3%
6	80	104,768	175,168	59.8%	226,176	360,576	62.7%	52.68	1339.34	3.9%
7	80	123,088	207,568	59.3%	268,816	430,096	62.5%	84.42	2349.01	3.6%
8	80	141,328	239,888	59.0%	311,376	499,536	62.3%	189.31	10,393.15	1.8%
9	80	159,488	272,128	58.6%	353,856	568,896	62.2%	291.77	81,903.38	0.4%
10	80	177,728	304,448	58.4%	396,416	638,336	62.1%	132.69	124,123.62	0.1%
11	80	195,888	336,688	58.2%	438,896	707,696	62.0%	481.63	/	/
12	80	214,128	369,008	58.0%	481,456	777,136	62.0%	1026.81	/	/

. When $N_r$ reaches 11, using the original construction of the S-box, we are unable to find a solution within 5 days.

5.4. Exploration with Limited Solving Time

In practice, due to limitations in computing resources, we often cannot invest unlimited time in automated analysis. Typically, a maximum time is set, and if unsolved within this timeframe, it is considered a failure.

We set the SAT solver’s solving time to 3600 s and conducted APFA on both versions of PRESENT. We gradually increased the fault analysis depth and recorded the number of ciphertexts required for successful solving within the time limit. The results are shown in Figure 5 and Figure 6.

Under the time constraint, it can be observed that as the fault analysis depth increases, the number of ciphertexts required for solving using the original S-box construction method tends to rise. In contrast, using our model to construct the S-box, the number of ciphertexts required remains stable.

At the same fault analysis depth, based on the principle of Boolean function equivalence, the algebraic properties of different S-box construction methods are essentially the same, as both describe the S-box [33]. Theoretically, as the fault analysis depth increases, due to deeper analysis, the number of faulty ciphertexts required for successful solving using both S-box construction methods should decrease or remain stable, but should not rise.

With a constraint on solving time, aiming for a unique solution, an increase in faulty ciphertexts also means an increase in known conditions, which can improve solving efficiency and success rate. An increase in fault depth represents deeper exploration of faulty ciphertext information, which can also improve solving efficiency and success rate to some extent. However, both an increase in faulty ciphertexts and fault analysis depth lead to an increase in equation scale, requiring the solver to spend more time handling additional algebraic equations. These equations may not be necessary for successful solving, but the solver still needs to invest resources to verify them to ensure the results are not refuted by this information.

An increase in faulty ciphertexts has a linear impact on known conditions and equation scale. An increase in fault analysis depth has a linear impact on deep information exploration, but an exponential impact on equation scale. Each increase in fault analysis depth multiplies the complexity of the equation scale. Therefore, we believe there is a critical value for the impact of fault analysis depth on solving time. When the fault analysis depth is less than this value, an increase in depth means more efficient use of faulty ciphertexts, improving the success rate within the time limit, which is our main focus; when the depth exceeds this value, we focus more on the increase in solving time it brings.

Due to the relatively complex algebraic construction of the S-box in the original model, the problem scale becomes too large to solve within a limited time, necessitating an increase in ciphertext quantity to provide more “cost-effective” valid information. Using our S-box model, its algebraic construction is more conducive to the SAT solver extracting the key information contained within, and the critical value of fault analysis depth is much higher than that of the original S-box model, thus performing better in higher complexity scenarios.

6. Conclusions

In this paper, we validated the feasibility of extending APFA fault injection and analysis to the key scheduling phase. Injecting faults into the key scheduling process presents challenges for cryptanalysis, making it difficult to recover the correct key. In such cases, increasing the depth of fault analysis can reduce the search space for the master key. For the 80-bit version of the PRESENT encryption algorithm, using 30 faulty ciphertexts in our experiments, we observed that as the fault analysis depth increased, the key search space decreased. When fault analysis covered the entire encryption process, the key search space converged to near uniqueness.

We proposed an optimized algebraic representation for S-boxes in APFA, utilizing a truth table-based optimized S-box modeling method that eliminates the need for auxiliary variables and offers superior performance. We implemented this improvement across various SPN-based block ciphers, achieving significant enhancements in APFA solving efficiency, with improvements ranging from tens to hundreds of times, and better adaptability to high-complexity scenarios.

This work highlights the potential of our improved algebraic persistent fault analysis (APFA) method in enhancing the applicability and efficiency of fault-based cryptanalysis, especially when fault injection is extended to the key scheduling phase.

Future Work

In practice, using multiple identical S-boxes in parallel to increase throughput is a common practice. Moreover, some cryptographic algorithms, such as AES, employ larger S-boxes (e.g., 8-bit S-boxes) rather than 4-bit ones. Furthermore, S-boxes can also be constructed using logic gates instead of lookup tables, which poses new challenges for the algebraic representation of the S-box.

Future research can further explore the application of APFA under different cryptographic algorithms, circuit implementations, and fault models. The compact S-box modeling method proposed in this paper aligns well with differential fault analysis (DFA), as both approaches involve constructing equations to analyze cryptographic vulnerabilities. By applying our compact S-box modeling technique within the DFA framework, we may gather more information to effectively reduce the key space. This integration of techniques, such as DFA, could lead to a more effective utilization of faults in cryptographic systems.

Moreover, future research can investigate the application of APFA to post-quantum cryptographic algorithms, such as Kyber, particularly focusing on their compact implementations in lightweight devices [34]. Furthermore, the examination of implementation security in post-quantum cryptography is an emerging area of interest [35], where APFA could play a important role.