Ciphertext-Only Fault Attacks on PRESENT

  • Fabrizio De SantisEmail author
  • Oscar M. Guillen
  • Ermin Sakic
  • Georg Sigl
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8898)


In this work, we introduce fault attacks on PRESENT with faulty ciphertexts-only. In contrast to current differential fault attacks on PRESENT, which are mostly chosen-plaintext attacks, our fault attacks do not require the knowledge of the plaintexts to recover the secret key. This is a typical scenario when plaintexts are not easily accessible for the attacker, like in the case of smart devices for the upcoming Internet-of-Things (IoT) era where input data are mostly assembled within the cryptographic device, or when protocol-level countermeasures are deployed to prevent chosen-plaintext attacks explicitly. Our attacks work under the assumption that the attacker is able to bias the (nibble-wise) distribution of intermediate states in the final rounds of PRESENT by careful fault injections. To support our statements, we provide a detailed simulation analysis to estimate the practical attack complexities of (faulty) ciphertext-only fault attacks on PRESENT-80 discussing different fault injection scenarios. In the best case analysis (worst-case security scenario), only two faulty ciphertexts and negligible computational time are required to recover the entire secret key.


Fault Model Fault Injection Final Round Cryptographic Operation Fault Attack 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



The authors would like to thank the anonymous reviewers for their valuable comments and suggestions. This work has been funded in part by the German Federal Ministry of Education and Research 163Y1200D (HIVE).

Supplementary material


  1. 1.
    Akyildiz, I., Su, W., Sankarasubramaniam, Y., Cayirci, E.: A survey on sensor networks. IEEE Commun. Mag. 40(8), 102–114 (2002)CrossRefGoogle Scholar
  2. 2.
    Atzori, L., Iera, A., Morabito, G.: The internet of things: a survey. Comput. Netw. 54(15), 2787–2805 (2010)CrossRefzbMATHGoogle Scholar
  3. 3.
    Avoine, G., Kara, O. (eds.): LightSec 2013. LNCS, vol. 8162. Springer, Heidelberg (2013) zbMATHGoogle Scholar
  4. 4.
    Bagheri, N., Ebrahimpour, R., Ghaedi, N.: New differential fault analysis on present. EURASIP J. Adv. Signal Process. 2013(1), 1–10 (2013). CrossRefGoogle Scholar
  5. 5.
    Balasch, J., Gierlichs, B., Verbauwhede, I.: An in-depth and black-box characterization of the effects of clock glitches on 8-bit MCUs. In: 2011 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp. 105–114, September 2011Google Scholar
  6. 6.
    Barenghi, A., Bertoni, G., Breveglieri, L., Pellicioli, M., Pelosi, G.: Low voltage fault attacks to aes. In: 2010 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), pp. 7–12, June 2010Google Scholar
  7. 7.
    Barenghi, A., Hocquet, C., Bol, D., Standaert, F.-X., Regazzoni, F., Koren, I.: Exploring the feasibility of low cost fault injection attacks on sub-threshold devices through an example of a 65nm AES implementation. In: Juels, A., Paar, C. (eds.) RFIDSec 2011. LNCS, vol. 7055, pp. 48–60. Springer, Heidelberg (2012). Google Scholar
  8. 8.
    Bassi, A., Horn, G.: Internet of things in 2020: A roadmap for the future. European Commission: Information Society and Media (2008)Google Scholar
  9. 9.
    Biehl, I., Meyer, B., Müller, V.: Differential fault attacks on elliptic curve cryptosystems. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 131–146. Springer, Heidelberg (2000). CrossRefGoogle Scholar
  10. 10.
    Biham, E., Shamir, A.: Differential fault analysis of secret key cryptosystems. In: Kaliski Jr, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 513–525. Springer, Heidelberg (1997). CrossRefGoogle Scholar
  11. 11.
    Bogdanov, A.A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M., Seurin, Y., Vikkelsoe, C.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007). CrossRefGoogle Scholar
  12. 12.
    Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of checking cryptographic protocols for faults. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 37–51. Springer, Heidelberg (1997). CrossRefGoogle Scholar
  13. 13.
    Fischer, W., Schmidt, J.M. (eds.): 2013 Workshop on Fault Diagnosis and Tolerance in Cryptography, Los Alamitos, CA, USA, 20 August 2013. IEEE (2013)Google Scholar
  14. 14.
    Fuhr, T., Jaulmes, E., Lomne, V., Thillard, A.: Fault attacks on aes with faulty ciphertexts only. In: 2013 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp. 108–118, August 2013Google Scholar
  15. 15.
    Gu, D., Li, J., Li, S., Ma, Z., Guo, Z., Liu, J.: Differential fault analysis on lightweight blockciphers with statistical cryptanalysis techniques. In: Bertoni, G., Gierlichs, B. (eds.) 2012 Workshop on Fault Diagnosis and Tolerance in Cryptography, Leuven, Belgium, 9 September 2012, pp. 27–33. IEEE (2012)Google Scholar
  16. 16.
    Guilley, S., Sauvage, L., Danger, J.L., Selmane, N.: Fault injection resilience. In: 2010 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp. 51–65, August 2010Google Scholar
  17. 17.
    Harpes, C., Kramer, G.G., Massey, J.L.: A generalization of linear cryptanalysis and the applicability of Matsui’s piling-up lemma. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 24–38. Springer, Heidelberg (1995) CrossRefGoogle Scholar
  18. 18.
    Hutter, M., Schmidt, J.M.: The temperature side channel and heating fault attacks. Cryptology ePrint Archive, Report 2014/190 (2014).
  19. 19.
    ISO: Information technology – security techniques – lightweight cryptography – part 2: Block ciphers. ISO/IEC 29192–2:2012, International Organization for Standardization, Geneva, Switzerland (2012)Google Scholar
  20. 20.
    Junod, P.: Statistical cryptanalysis of block ciphers. Ph.D. thesis, IC, Lausanne (2005)Google Scholar
  21. 21.
    Li, J., Gu, D.: Differential fault analysis on present. In: CHINACRYPT 2009, pp. 3–13 (2009)Google Scholar
  22. 22.
    Maistri, P.: Countermeasures against fault attacks: the good, the bad, and the ugly. In: Proceedings of the 2011 IEEE 17th International On-Line Testing Symposium, IOLTS 2011, p. 134137. IEEE Computer Society, Washington, DC (2011).
  23. 23.
    Moro, N., Dehbaoui, A., Heydemann, K., Robisson, B., Encrenaz, E.: Electromagnetic fault injection: towards a fault model on a 32-bit microcontroller. In: 2013 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp. 77–88. IEEE (2013)Google Scholar
  24. 24.
    Mukhopadhyay, D.: An improved fault based attack of the advanced encryption standard. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 421–434. Springer, Heidelberg (2009). CrossRefGoogle Scholar
  25. 25.
    Neve, M., Peeters, E., Samyde, D., Quisquater, J.J.: Memories: a survey of their secure uses in smart cards. In: Proceedings of the Second IEEE International Security in Storage Workshop, 2003, SISW 2003, pp. 62–62. IEEE (2003)Google Scholar
  26. 26.
    Piret, G., Quisquater, J.-J.: A differential fault attack technique against SPN structures, with application to the AES and KHAZAD. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 77–88. Springer, Heidelberg (2003). CrossRefGoogle Scholar
  27. 27.
    Rivain, M.: Differential fault analysis on DES middle rounds. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 457–469. Springer, Heidelberg (2009). CrossRefGoogle Scholar
  28. 28.
    Schmidt, J.M., Hutter, M.: Optical and em fault-attacks on crt-based rsa: concrete results. In: Karl C. Posch, J.W. (ed.) Austrochip 2007, 15th Austrian Workhop on Microelectronics, Proceedings, Graz, Austria, 11 October 2007, pp. 61–67. Verlag der Technischen Universität Graz (2007)Google Scholar
  29. 29.
    Schmidt, J.M., Hutter, M., Plos, T.: Optical fault attacks on aes: a threat in violet. In: Naccache, D., Oswald, E. (eds.) 6th Workshop on Fault Diagnosis and Tolerance in Cryptography - FDTC 2009, pp. 13–22. IEEE-CS Press (2009)Google Scholar
  30. 30.
    Skorobogatov, S.: Flash memory ‘bumping’ attacks. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 158–172. Springer, Heidelberg (2010). CrossRefGoogle Scholar
  31. 31.
    Standaert, F.-X., Malkin, T.G., Yung, M.: A unified framework for the analysis of side-channel key recovery attacks. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 443–461. Springer, Heidelberg (2009). CrossRefGoogle Scholar
  32. 32.
    Wang, G., Wang, S.: Differential fault analysis on present key schedule. In: Proceedings of the 2010 International Conference on Computational Intelligence and Security, CIS 2010, pp. 362–366. IEEE Computer Society, Washington, DC (2010).
  33. 33.
    Zhao, X., Guo, S., Wang, T., Zhang, F., Shi, Z.: Fault-propagate pattern based dfa on present and printcipher. Wuhan Univ. J. Nat. Sci. 17(6), 485–493 (2012). CrossRefMathSciNetGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Fabrizio De Santis
    • 1
    Email author
  • Oscar M. Guillen
    • 1
  • Ermin Sakic
    • 1
  • Georg Sigl
    • 1
  1. 1.Lehrstuhl für Sicherheit in der InformationstechnikTechnische Universität MünchenMunichGermany

Personalised recommendations