Abstract:
Privacy is one of the most fundamental aspects of the digital age that
we live in. With the advent of the Internet and the advances in both nanoscale
electronics and communication technologies, data has become the new
oil. And wherever there is data there is a notion of its privacy. Whether data
is at rest or in motion, privacy and authenticity have always been the hallmarks
of modern-day communication. Cryptography provides the tools and primitives
that help us achieve, among others, the goals of privacy, integrity and
authenticity, in isolation and, more recently, even simultaneously. While
conventional crypto tackles most of the problems efficiently, it has been seen
to be particularly unsuitable for resource-constrained environments, which are
increasingly prevalent in present-day Internet-of-Things (IoT) environments,
RFID tags and so on. This is primarily attributed to the fact that
traditional crypto is “heavy-weight” in terms of the computational resources
that it demands, be it chip area, power consumption, throughput, etc.,
and hence becomes unusable or overwhelming for devices that operate on
limited resources. This points us in the direction of a new type of crypto, which
is referred to as “lightweight” crypto. Lightweight cryptographic algorithms
are tailored for resource-starved settings and hence perform better in such
environments. The importance of lightweight crypto is evidenced by the ongoing
multi-year global competition by NIST for standardizing the next generation of
lightweight authenticated ciphers, which is presently in its final round.
This work consists of the cryptanalysis of two lightweight block ciphers, namely
PRINCE and PRINCEv2, which are based on the SPN design philosophy. PRINCE
has been around for some time and was proposed with unrolled implementations
in mind. PRINCEv2 is the new version of PRINCE, which was reported at
SAC 2020. In the current work, we introduce a new fault attack on PRINCE
based on the random bit-fault model, where faults are injected at the input of
the 10th round. The attack is able to uniquely recover the key using 7 faults.
It is interesting to see that the random bit-fault model, which is a popular
fault model, has not yet been explored independently on PRINCE. Though Song and
Fu [SH13] have explored the random-nibble fault and mentioned the bit-model
to be a special case, they actually fail to capture the full scenario. Herein lies
the motivation of the current work. We look at the bit-model in isolation and
in depth, and conclude that it is more effective both in terms of the point at
which the fault is injected and in terms of the complexity of the resulting DFA.
In terms of the point of fault injection, it is important to emphasize that in the
attack reported in [SH13], the fault is actually injected before/during the
SubByte-Inverse operation in the 10th round, which is the last operation of the
10th round. Thus it would be more appropriate to state the fault injection point
as 10.5 rounds at best, instead of 10 rounds as claimed by the authors in [SH13]
(refer to Fig. 3.7). We touch upon this aspect in detail in the discussion section
later in this work. In contrast, the random bit-flip DFA proposed here
actually induces the fault at the input of the 10th round. The work further gives
a classification of the fault-invariants that are generated at the end of the 11th
round due to a random bit-fault at the beginning of the 10th round. Further,
PRINCEv2 was introduced with many modifications, primarily in the key schedule,
to thwart many classical attacks on PRINCE. We investigated PRINCEv2 in the light
of the current work and found that PRINCEv2 is equally vulnerable to all attacks
reported here. Finally, we look at PRINCE-like ciphers in general and comment
on the impact of the -reflection property on the amplification of the scope of
fault injection.