General Extensions and Improvements of Algebraic Persistent Fault Analysis
Round 1
Reviewer 1 Report
Comments and Suggestions for Authors
Algebraic Persistent Fault Analysis (APFA) combines algebraic analysis with persistent fault analysis, providing a novel approach for examining the implementation security of block ciphers. In this paper, the authors validated the feasibility of extending APFA fault injection and analysis to the key scheduling phase, which presents challenges for cryptanalysis and makes it difficult to recover the correct key. In such cases, increasing the depth of fault analysis can reduce the search space for the master key, as proven by the authors for the 80-bit version of the PRESENT encryption algorithm using 30 faulty ciphertexts in the experiments. When the fault analysis covered the encryption process, the key search space converged to near uniqueness.
The authors proposed an optimized algebraic representation for S-boxes in APFA, utilizing a truth table-based optimized S-box modeling method that eliminates the need for auxiliary variables and offers superior performance. They implemented this improvement across various SPN-based block ciphers, such as PRESENT, SKINNY, and CRAFT, achieving significant enhancements in APFA solving efficiency, with improvements ranging from tens to hundreds of times, and better adaptability to high-complexity scenarios. This work highlights the potential of the authors' improved APFA method in enhancing the applicability and efficiency of fault-based cryptanalysis, particularly when fault injection extends to the key scheduling phase.
Some recommendations for improving the manuscript: "General Extensions and Improvements of Algebraic Persistent Fault Analysis"
Please, check that you have followed all the requirements of the manuscript formatting template!
Please, check that you have described all abbreviations at their first occurrence – for example, SPN. It is customary to interpret abbreviations for the reader at their first occurrence in the text, even if they are well-known.
Please, specify for formulas/figures/tables/algorithms whether they are original or borrowed from literature sources - if borrowed, please cite the relevant literature source (reference).
Line 25: It is good to cite a literature source for the GIFT cipher as well. It would be good to describe the mentioned block ciphers in one or two sentences.
"the encryption stage [19–23]" – it is not good practice to cite multiple sources in one place – it is good to specify the difference in each of them.
I would recommend that the authors look for more recent literature sources – only 3 are from the last 5 years.
It would be good to include a section on future work, indicating the limitations of the current development.
According to authors: "We use PRESENT[1], SKINNY[2], and CRAFT[4]" – is there any justification for this choice, why did you choose these three block ciphers for your work?
Line 128: Please explain the symbol used – circle!
I would recommend that the authors include one or two explanatory sentences about the software they used in their work – for example, about the Logic Friday tool, SAT solvers, such as CryptoMiniSAT, etc. In my opinion, it is good to include screenshots of the execution of the algorithm with the software mentioned, to get a better idea!
According to the authors: "For PRESENT, SKINNY, and CRAFT encryption algorithms, the required number of variables and clauses to establish complete algebraic equations are nearly halved, with solving efficiency improved by tens or even hundreds of times." – could you provide a comparative table to confirm this statement? Which of the tables is a proof of this?
Fig. 2 – Plaint – maybe it would be good to write out the whole word!
It would be good to say one sentence about some terms used, such as "Espresso algorithm", "Tseytin transformation", etc., which are used in the development.
Please specify how (what software) the results from Fig. 3, Fig. 4, and Fig. 5, and Tables 5…10 were obtained.
Overall, the article is well-written and structured. The topic is very relevant and useful! In my opinion, it can be published in the Journal after reflecting the remarks in the reviews.
Author Response
Please see the attachment.
Author Response File: Author Response.pdf
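The S-box modeling point in Reviewer 1's summary (a truth-table encoding with no auxiliary variables, as opposed to a gate-level Tseytin encoding, with Espresso-style minimization on top) is easiest to see on one concrete S-box. The Python below is an added illustration for this page, not code from the paper or its authors: it encodes the public PRESENT S-box both ways, checks that each CNF admits exactly the 16 input/output pairs of the S-box, and shows how a persistent fault (one S-box entry overwritten) is modeled by rebuilding the CNF from the faulted table. The variable numbering, the simple clause-merging pass that stands in for Espresso/Logic Friday, and the toy DPLL checker are this example's own assumptions, and the clause counts it produces are for these encodings, not the paper's reported figures.

```python
from itertools import product

# PRESENT S-box, from the public PRESENT specification.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
# Variable numbering is this example's own assumption: x0..x3 = 1..4, y0..y3 = 5..8 (LSB first).
X_VARS = [1, 2, 3, 4]
Y_VARS = [5, 6, 7, 8]

def bits(v, n=4):
    return [(v >> i) & 1 for i in range(n)]

def truth_table_cnf(sbox, x_vars=X_VARS, y_vars=Y_VARS):
    """Truth-table encoding: one clause forbids each (x, y) the S-box never
    produces.  Only the 8 input/output variables appear, no auxiliaries."""
    return [[-v if b else v for v, b in zip(x_vars + y_vars, bits(x) + bits(y))]
            for x, y in product(range(16), repeat=2) if sbox[x] != y]

def merge_clauses(clauses):
    """Quine-McCluskey-style reduction, (A or l) and (A or not l) -> A; exactly
    model-preserving.  Espresso goes further and selects a minimal cover."""
    cnf = {frozenset(c) for c in clauses}
    while True:
        pair = next(((c, (c - {l}) | {-l}) for c in cnf for l in c
                     if ((c - {l}) | {-l}) in cnf), None)
        if pair is None:
            return [sorted(c, key=abs) for c in cnf]
        c, partner = pair
        cnf -= {c, partner}
        cnf.add(c & partner)           # the two clauses collapse to their common part

def anf_monomials(sbox, out_bit):
    """Monomials (bitmasks over the input bits) of one output bit's ANF (Moebius transform)."""
    a = [(sbox[x] >> out_bit) & 1 for x in range(16)]
    for i in range(4):
        for x in range(16):
            if x & (1 << i):
                a[x] ^= a[x ^ (1 << i)]
    return [m for m in range(16) if a[m]]

def tseytin_cnf(sbox, x_vars=X_VARS, y_vars=Y_VARS):
    """Gate-level Tseytin encoding of the ANF: each AND monomial and each binary
    XOR gets an auxiliary variable.  Returns (clauses, total variable count)."""
    clauses, nxt = [], max(x_vars + y_vars) + 1
    for j, y in enumerate(y_vars):
        terms, const = [], 0
        for m in anf_monomials(sbox, j):
            lits = [x_vars[i] for i in range(4) if m & (1 << i)]
            if not lits:
                const ^= 1                            # constant-1 monomial
            elif len(lits) == 1:
                terms.append(lits[0])
            else:                                     # t <-> AND(lits)
                t, nxt = nxt, nxt + 1
                clauses.append([t] + [-v for v in lits])
                clauses += [[-t, v] for v in lits]
                terms.append(t)
        acc = terms[0] if terms else None
        for t in terms[1:]:                           # r <-> acc XOR t
            r, nxt = nxt, nxt + 1
            clauses += [[-r, acc, t], [-r, -acc, -t], [r, -acc, t], [r, acc, -t]]
            acc = r
        if acc is None:                               # constant output bit
            clauses.append([y] if const else [-y])
        else:                                         # y <-> acc, negated if const
            clauses += [[y, acc], [-y, -acc]] if const else [[-y, acc], [y, -acc]]
    return clauses, nxt - 1

def satisfiable(clauses, fixed):
    """Tiny DPLL (unit propagation plus branching); enough for one S-box instance."""
    a = dict(fixed)
    while True:
        progress, undecided = False, set()
        for c in clauses:
            if any(a.get(abs(l)) == (l > 0) for l in c):
                continue                              # clause already satisfied
            free = [l for l in c if abs(l) not in a]
            if not free:
                return False                          # clause falsified
            if len(free) == 1:
                a[abs(free[0])], progress = free[0] > 0, True
            else:
                undecided.update(abs(l) for l in free)
        if not progress:
            break
    if not undecided:
        return True
    v = min(undecided)
    return any(satisfiable(clauses, {**a, v: b}) for b in (True, False))

def projected_models(clauses, x_vars=X_VARS, y_vars=Y_VARS):
    """The (x, y) pairs the CNF admits, i.e. the S-box it really encodes."""
    return {(x, y) for x, y in product(range(16), repeat=2)
            if satisfiable(clauses, dict(zip(x_vars + y_vars,
                                            map(bool, bits(x) + bits(y)))))}

def persistent_fault(sbox, index, value):
    """Persistent-fault model: one S-box entry stays overwritten for every encryption."""
    faulty = list(sbox)
    faulty[index] = value
    return faulty
```

Running `projected_models` on each CNF is the correctness check worth doing before an S-box model is handed to a SAT solver such as CryptoMiniSAT: the truth-table form has 240 eight-literal clauses over the 8 input/output variables, the Tseytin form introduces an auxiliary variable for every AND monomial and XOR gate of the ANF, and the merge pass shrinks the truth-table form without changing the set of admitted (x, y) pairs. A faulted table from `persistent_fault` is encoded the same way; the fault simply changes which pairs are forbidden. How much smaller the paper's Espresso-minimized model is, and how much solving time that saves, is the paper's claim, not this example's.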
Reviewer 2 Report
Comments and Suggestions for Authors
- How does extending APFA to the key scheduling stage help address previously unexamined vulnerabilities in block cipher implementations?
- Given that many ciphers reuse S-boxes in both encryption and key scheduling, how does this work improve the real-world applicability of APFA?
- Could neglecting the key scheduling phase in fault analysis lead to an incomplete or misleading understanding of a cipher's security?
- What are the implications of deepening the fault analysis without increasing the number of faulty ciphertexts? Does this offer a practical trade-off between efficiency and data collection?
- How does compact S-box modeling contribute to improving the efficiency and scalability of algebraic equation solving in fault analysis?
- What specific techniques were responsible for the observed efficiency gains, and can they be generalized to other lightweight cipher families beyond PRESENT, SKINNY, and CRAFT?
- As fault leakage depth increases, how does the performance of this approach hold up? Are there diminishing returns or continued gains?
- In what ways does this study address the challenge of non-converging key candidates during key scheduling faults, and are there scenarios where this issue remains problematic?
- Can these results encourage broader use of APFA in constrained environments like IoT, where efficient, lightweight cryptographic solutions are critical?
- What potential adaptations would be needed to apply this method to block ciphers with more complex or non-unified S-box implementations in their key schedule?
- In 2-3 sentences, talk about the security aspects of your work, including connections with the publications "Kyber on ARM64: Compact implementations of Kyber on 64-bit ARM Cortex-A processors, 2021" and "Algorithmic security is insufficient: A comprehensive survey on implementation attacks haunting post-quantum security, 2023".
- "The inability of candidate key convergence under certain fault conditions is acknowledged and constructively addressed by extending analysis depth—showing a practical awareness of APFA limitations." Can you explain more?
- "Future research could explore adapting this approach to ciphers with more complex or variable key scheduling schemes, expanding its utility beyond those with shared S-box structures." Add to future works.
Author Response
Please see the attachment.
Author Response File: Author Response.pdf
Reviewer 3 Report
Comments and Suggestions for Authors
The proposed integration of key scheduling faults and the development of a novel S-box algebraic model are technically significant and demonstrate promising efficiency gains. However, upon thorough analysis and comparison with recent literature, this paper requires major revision prior to consideration for publication.
- The manuscript must clearly delineate under what conditions (e.g., fault location, S-box reuse configuration) the master key search space fails to converge. Provide quantitative metrics (e.g., number of equivalent keys) and suggest practical thresholds or hybrid techniques (e.g., integrating statistical filtering or hybrid DFA-PFA) to mitigate ambiguity.
- The authors should implement the proposed APFA method on a hardware-based cryptographic platform (e.g., FPGA or ARM-based microcontroller) to demonstrate its feasibility and performance under realistic side-channel conditions. Such validation is critical to justify practical applicability and security claims.
- Extend and test the proposed S-box modeling approach on algorithms using larger S-boxes (e.g., AES, LED) and provide comparative CNF metrics. This will substantiate the modeling approach as a broadly applicable algebraic optimization rather than a PRESENT-specific enhancement.
Author Response
Please see the attachment.
Author Response File: Author Response.pdf
Round 2
Reviewer 3 Report
Comments and Suggestions for Authors
The authors have satisfactorily modified their manuscript according to my previous criticisms. Therefore, I recommend the publication of this manuscript.