The Security Weakness of Block Cipher Piccolo against Fault Analysis

Piccolo is a 64-bit lightweight block cipher which is able to be implemented in constrained hardware environments such as a wireless sensor network. Fault analysis is a type of side channel attack and cube attack is an algebraic attack finding sufficiently low-degree polynomials in a cipher. In this paper, we show a fault analysis on the Piccolo by using cube attack. We find 16 linear equations corresponding to a round function F by cube attack, which are used to fault analysis. Our attack has the complexity of 28.49 and 29.21 encryptions with fault injections of target bit positions into Piccolo-80 and Piccolo-128, respectively. And our attack needs 220.86 and 221.60 encryptions with random 4-bit fault injections for Piccolo-80 and Piccolo-128, respectively.

In CHES 2011, Piccolo was introduced by Shibutani et al. in [18].Piccolo is a block cipher which supports 80-bit and 128-bit secret key size.In this paper, we analyze two versions of Piccolo [18] with fault analysis by using cube attack.In ISPEC 2012, fault analysis using cube attack was introduced by Abdul-Latip et al. in [16].In this paper, we apply this method on Piccolo-80 and Piccolo-128.As a result, we find 16 linear equations corresponding to a round function  by cube attack, which are used to fault analysis.
Piccolo is analyzed by various techniques.In ISPEC 2012, Wang et al. suggest biclique cryptanalysis of reduced round Piccolo in [19].They analyze reduced version of Piccolo-80 without postwhitening keys XOR and reduced 28-round Piccolo-128 without prewhitening keys XOR.In 2013, Song et al. suggest biclique cryptanalysis of full rounds of Piccolo [20].And also Jeong suggests a differential fault analysis of full rounds of Piccolo [9].
In this paper, we show a fault analysis on the Piccolo by using cube attack.We find 16 linear equations corresponding to a round function  of Piccolo by using cube attack.These equations are used to our attack.In this paper, we describe the case that an adversary injects random 4-bit faults.Our attack has the complexity of 2 20.86 and 2 21.60 encryptions for Piccolo-80 and Piccolo-128, respectively, while the assumption of [9] is an adversary that injects random byte faults.Reference [9] has the complexity of 2 24 and 2 40 encryptions for Piccolo-80 and Piccolo-128, respectively.Our attack has a lower computational complexity than [9], even though the assumption of fault injection in our attack differs from [9].
In Section 2, we briefly describe the procedures of cube attack and cube tester.And then we describe the brief specifications of Piccolo in Section 3. In Section 4, a method of fault analysis of Piccolo by using cube attack is presented.Finally, our conclusions are in Section 5.

Cube Attack and Cube Tester
Algebraic attack is to find a solution, which is the key, of a system of equations that represent target cipher with 2 International Journal of Distributed Sensor Networks given plaintext and the corresponding ciphertext, that is representing cipher as a system of equations with multiple variables defined over finite field where each key bit is represented as a variable in the system.Solving the system is equivalent to finding the secret key of the target cipher.Cube attack is an algebraic attack finding sufficiently low-degree polynomials in cipher.
2.1.Cube Attack.Cube attack was introduced by Dinur and Shamir in [15].Cube attack is a chosen plaintext attack.The main idea of cube attack is to find linear equations consisting of secret variables by using cube sum.Let (V 1 , . . ., V  ,  1 , . . .,   ) be a polynomial derived from a cipher, where V 1 , . . ., V  are public variables and  1 , . . .,   are secret variables.In other words, each secret variable is considered a bit in secret key and each public variable is considered a bit in plaintext or internal state.Let  = { 1 , . . .,   } ⊆ {1, . . ., } be a set and let   be the monomial   1   2 . . .   .Note that the set in terms of  is called cube index.Then the polynomial  is represented by three polynomials   ,  () , and  as the following form: where  is not consisting of a monomial which has a factor   .Cube attack is required to check the linearity of  () which is called superpoly.A superpoly  () is called a maxterm if  () is linear.We use the following cube sum to find a  () : where plaintext bits except cube index (V  ,  ∈ {1, . . ., } − ) are fixed as constants.
As the above representation, cube is completed with the sum total 2  pairs of plaintext and ciphertext for a cube index  = { 1 , . . .,   }.To check whether  () is a maxterm, linearity test is required.Let  () ( 1 , . . .,   ) be a polynomial of  variables over GF (2).Let  be the number of tests.The following is a procedure of linearity test.
If  () ( 1 , . . .,   ) is linear, the above equation in Step 2 is always correct for all inputs ,  ∈ GF(2)  .Because checking all inputs is impossible, an upper bound of number of linearity tests has to be set.If there are at most  1 elements in a cube index for testing linearity, at most 2  1 ×(3×+1) pairs of plaintext and ciphertext are needed.Cube attack consists of preprocessing phase and online phase.Preprocessing phase is to find a system of linear equations by using cube sum and linearity test.Online phase is recovering the master key stored by using an encryption oracle.The following are details for the two phases.
Preprocessing Phase.After finding a polynomial from a cipher, find a cube, that is, a maxterm, by using linearity test.Since we know output after all plaintext bits are entered in encryption oracle, fix plaintext except cube index as a constant.Fixed constants of every cube do not have to be equal.Let   be a maxterm which consists of only secret variables  1 , . . .,   and let   be the value of the maxterm   which is found from online phase.We consider the following system of equations: In the preprocessing phase, find enough maxterms to recover the master key and precalculate this system of equations by using Gaussian elimination.If we find  linear independent maxterms, then recover all the master keys with  3 operations for recovery by using Gaussian elimination.In general, it is lower than complexity  × 2  1 × (3 ×  + 1) for finding  maxterms.Let  1 , . . .,   be linearly independent.Then the master keys are represented as the following system: where  , ∈ GF(2).
Online Phase.In online phase, calculate the value of cube sum from an encryption oracle by using the cube that has been found in the preprocessing phase.Let each plaintext bit not in the cube be constant.The calculated value is   , that is, the value of the maxterm.By substituting the value   into (4), we recover the master key.Let cube index found at preprocessing phase have at most  2 elements.Then the complexity of online phase is  × 2  2 .

Cube Tester.
Cube attack finds a maxterm by testing linearity of  () of a given polynomial  and cube index .Cube tester distinguishes a polynomial from a random polynomial by many tests including linearity test.There are some other tests using cube sum in [21].In cube attack, a plaintext bit not in the cube is fixed as a constant.However all bits not in the cube have to be considered variables in the cube tester.Since the purpose of using the cube tester is getting information, which are properties of polynomial, we use the low-degree test that is in [21].The degree  is determined by low-degree test.Let  be a cube index, let J be the number of bits not in the cube index (i.e.,  =  +  − ;  () consists of  variables), and  is the number of tests.Since low-degree test is valid only when (0) = 0 for the given polynomial p, we define  * () () =  () () +  () (0).Then low-degree test for the polynomial  * () () is as follows.
If  = 1, then the low-degree test is similar to the linearity test.We use the idea of the cube tester which uses every bit not in the cube index (consisting of plaintext and the master key) as a variable.

Description of Piccolo
Piccolo is a 64-bit block cipher with 80-and 128-bit key size.The structure of Piccolo is a Feistel network.Piccolo-80 consists of 25 rounds and Piccolo-128 consists of 31 rounds.Figure 1 illustrates the working processing of Piccolo.Each round consists of two functions, round function  and round permutation RP.The round functions  and RP are as follows.
where   is the transposition of .() is the 4-bit -box and  is the diffusion matrix as follows (see Table 1): The multiplications between  and vectors are defined by an irreducible polynomial  4 +  + 1 over GF (2 4 ).
Round Permutation RP.The round permutation RP is defined by where   is byte.
For description of Piccolo and our attack, we denote intermediate variables before -round as Let the 64-bit plaintext and ciphertext be  and , respectively.Encryption of Piccolo is defined as follows: (1) International Journal of Distributed Sensor Networks Key schedule of Piccolo consists of the following. Piccolo-80: for  ← 0 to 24 do if  mod 5 = 0 or 2, then if  mod 5 = 1 or 4, then if  mod 5 = 3, then where con 80  is the round constant. Piccolo-128: for  ← 0 to 61 do if ( + 2) mod 8 = 0, then where con 128  is the round constant.
Since key schedule of Piccolo is just performing XOR determined constants to the master key, recovering the round key and recovering the master key are the same.Table 2 is showing the master key used for the round key of Piccolo.Detailed descriptions of Piccolo are in [18].

Fault Analysis on the Piccolo
In this section, we show the fault analysis for Piccolo-80 and Piccolo-128.We assume that an adversary is able to make 4-bit errors in a maximum at a time on a round during an encryption process.By using cube sum, find system of linear equations in the common  of Piccolo-80 and Piccolo-128.And use the system to represent the phase recovering the master key of Piccolo-80 and Piccolo-128.Analysis of a round function  in Section 4.1 is corresponding to the preprocessing phase of cube attack.The attack in Sections 4.2 and 4.3 is the case of an encryption oracle that is given and is corresponding to online phase.

Equations of Round Function 𝐹. Since round function 𝐹
is the same for Piccolo-80 and Piccolo-128, the results of fault injection attack on  are the same in the both algorithms.Let () = ( 0 (), . . .,  15 ()), where  = ( 0 ,  1 , . . .,  15 ) is an 16-bit intermediate value and each   () is a bit ( : GF(2) 16 → GF(2) 16 ).We test all possible cubes of degree 1 to degree 4 and all possible inputs for each cube.We get many linear polynomials and choose 16 appropriate polynomials for recovering the master key.Table 3 shows our selected 16 polynomials, cube index, and output bit (  ).  2 is for the last 4 rounds of Piccolo-80.The following is the attack on Piccolo-80.
Step 3. We recover  0 ,  Use the above 3 steps to recover all the master keys used for Piccolo-80.This needs the assumption that we inject fault into at most 4 bits in the same time.Thus in this paper we consider the following as an analyzing way.Under Assumption 1, we need 133 encryptions for recovering 32-bit master key ( 2 ,  3 ).We exclusively search to recover remaining 48-bit master key.Therefore, we need total 133 + 2 48 ≈ 2 48 encryptions for recovering the master key under Assumption 1.
Under Assumption 3, we need 133+(132+67/25) encryptions for recovering  2 ,  3 ,  48 , and  49 .Given ciphertext, calculating  22 1 is equivalent to 2.5 round encryption.We need 44 + 39 + {(44 + 39) × 2.5 + 1 × 3}/25 encryptions for recovering 32-bit round keys  44 ,  45 .Therefore, we need total 133 + (132 + 67/25) + (83 + 210.5/25) ≈ 2 8.49 encryptions for recovering the master key under Assumption 3. Table 4 is showing encryption complexity needed for recovering the master key of each assumption.Step 1. First, we analyze the last round (i.e., round 25).In a similar way with Step 1 in analysis of Piccolo-80, recover  31 0 ,  31  2 by using the cube in Table 3  Step 5.This step is similar to Step 3 in analysis of Piccolo-80.We want to recover  28 3 .Given ciphertext , we calculate  28 0 ,  28 2 ,  28 1 , and  28 3 .Since  27 0 =  27 0 = ( 28 3 )  | ( 28 1 )  ,  27 2 =  27 2 = ( 28 1 )  | ( 28 3 )  , we recover left 8 bits of  27 0 and right 8 bits of  27 2 .To recover left 8 bits of  27 0 , inject fault into bits corresponding to cube index of first 8 equations in Table 3.For recovering right 8 bits of  27  2 , inject fault into bits corresponding to cube index of last 8 equations in Table 3.Then we recover  28  3 .And we recover  55 ( 1 ) since  28 3 ⊕ ( 28  2 ) ⊕  55 =  28 3 .Use the above 5 steps to recover all the master keys used for Piccolo-128.This needs the assumption that we inject fault into at most 4 bits in the same time.Assume that we analyze only Steps 1, 2, 3, and 4 such as Piccolo-80.Even though we analyze only Steps 1, 2, 3, and 4, since at least 32 bits of 128-bit master key are recovered, we recover all the master keys with less operations than brute-force attack.Table 5 is showing encryption complexity needed for recovering the master key of each assumption.4.4.Improved Attack.The attacks described in Sections 4.2 and 4.3 are valid under the assumption that an adversary is able to control the injecting time and bit positions to inject fault and the number of bits of fault injection.However it is difficult to control bit positions where faults are injected.Therefore, in this section, we explain the way of attack under the assumption that an adversary is not able to control bit positions to inject faults.That is, an adversary is able to inject  bits of random faults into Piccolo-80 and Piccolo-128.The attack of Section 4.4 is similar to the attack of Sections 4.   Assume that we inject  bits of random fault into last round.In some cases, we determine fault position.Then, the following is how to determine position of fault injection for 3 cases.(Each case with 4 fault bits is described in Figures 4, 5,  and 6).

Fault bits
Error bits  Therefore, we determine the position of fault injection for these 3 cases.Table 3 is the table of optimal cubes that are used for the attack in Sections 4.2 and 4.3.Therefore, there are many cubes except cubes in Table 3.Because there are too many cubes, we do not describe all cubes in this paper.For example, suppose that we get 16 ciphertexts for cube sum of {0, 1, 3, 4}.Then we calculate all of subcubes of {0, 1, 3, 4}.So, we use cubes in Table 6 and recover 1st, 2nd, 5th, and 7th bit of whitening key.
By the same method, we use sufficient cubes for recovering  2 and  3 of Piccolo-80 and Piccolo-128 and recover  2 and  3 .Since we know  2 and  3 , calculate intermediate values   0 ,   2 for given ciphertext.Therefore, we inject faults into ( − 1)th round, determining position of fault injection by 3 cases that described this section.And we recover ( − 1)th round key.This process is the same with Step 2 in Section 4.  Table 7: Necessary positions of fault injections for Table 3.

Conclusions
In this paper, we present the security weakness of Piccolo against fault analysis.Our attack fully exploits the structure of Piccolo, which is a Feistel network.We describe an attack for fault injection of target bit positions on Piccolo-80 and Piccolo-128.The master key of Piccolo-80 and Piccolo-128 is recovered by fault analysis by using cube attack with injecting faults 2 8.44 and 2 9.14 , respectively.Our attack has the complexity of 2 8.49 and 2 9.21 encryptions for Piccolo-80 and Piccolo-128, respectively, which are practical complexities.And finally, an attack for random four bits fault injection for Piccolo-80 and Piccolo-128 is presented.This attack needs 2 20.86 and 2 21.60 encryptions with four bits of random fault injections for Piccolo-80 and Piccolo-128, respectively.
Round Function .The round function  is defined by

2 and 4 . 3 .
But this attack adds the process that determines fault position before each Step of Sections 4.2 and 4.3.International Journal of Distributed Sensor Networks
2 and Step 2 in Section 4.3 except determining position of fault injection.By the same way, we recover all the master keys of Piccolo-80 and Piccolo-128 using Steps in Sections 4.2 and 4.3 with determining position of fault injection, respectively.
Piccolo-80.We explain how to recover all the master keys of Piccolo-80.By key schedule of Piccolo-80, recovering  2 ,  3 ,  44 ,  48 , and  49 is equal to recovering all the master keys of Piccolo-80.Let plaintext  be given and let  In this paper, we recover the master key of Piccolo-80 by recovering some be intermediate values for plaintext .  s. Figure

Table 2 :
Round key of Piccolo.

Table 4 :
Attack complexity of Piccolo-80.We inject fault into at most 4 bits in the same time.But, apply this to only last round.Assumption 2. We inject fault into at most 4 bits in the same time.But, apply this to only rounds 24 and 25.Assumption 3. We inject fault into at most 4 bits in the same time.That is, suppose that we analyze only Step 1 or Steps 1 and 2.Even though we analyze only Steps 1 and 2, since at least 32 bits of 80-bit master key are recovered, we recover all the master keys with less operations than brute-force attack.To recover    , inject fault into 11 bits among 16 bits of internal state    by using injections 66 times.To recover left 8 bits and right 8 bits of    (i.e., (   )  , (   )  ), we inject fault into 8 bits and 10 bits among 16 bits of    , respectively.Then (   )  , (   )  are recovered by using injections 44 and 39 times, respectively.
. Piccolo-128 recovers the master key in a similar way to Piccolo-80.Figure3is for the last 5 rounds of Piccolo-128.The following is how Piccolo-128 recovers the master key.
1.There are  bits error in   0 (  2 ) after fault injection.There are  bits error in   0 and  −  bits error in 2after fault injection.In a similar way to Case 1, fault injection position in   0 must be same with changed  bits after fault injection in   0 .And fault injection position in   2 must be same with changed - bits after fault injection in   2 .Case 3.There are  −  bits error in   0 (  2 ) and j bits error in   3 (  1 ).And there is no error in   2 (  0 ).If there are j bits error