Skip to main content

A Study of Persistent Fault Analysis

Part of the Lecture Notes in Computer Science book series (LNTCS,volume 11947)


Persistent faults mark a new class of injections that perturb lookup tables within block ciphers with the overall goal of recovering the encryption key. Unlike earlier fault types persistent faults remain intact over many encryptions until the affected device is rebooted, thus allowing an adversary to collect a multitude of correct and faulty ciphertexts. It was shown to be an efficient and effective attack against substitution-permutation networks. In this paper, the scope of persistent faults is further broadened and explored. More specifically, we show how to construct a key-recovery attack on generic Feistel schemes in the presence of persistent faults. In a second step, we leverage these faults to reverse-engineer AES- and PRESENT-like ciphers in a chosen-key setting, in which some of the computational layers, like substitution tables, are kept secret. Finally, we propose a novel, dedicated, and low-overhead countermeasure that provides adequate protection for hardware implementations against persistent fault injections.


  • Fault analysis
  • PFA
  • Feistel networks
  • Reverse engineering
  • AES
  • Countermeasures

This is a preview of subscription content, access via your institution.

Buying options

USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-35869-3_4
  • Chapter length: 21 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
USD   59.99
Price excludes VAT (USA)
  • ISBN: 978-3-030-35869-3
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   74.99
Price excludes VAT (USA)
Fig. 1.
Fig. 2.
Fig. 3.
Fig. 4.
Fig. 5.


  1. Banik, S., Bogdanov, A., Regazzoni, F.: Exploring energy efficiency of lightweight block ciphers. In: Dunkelman, O., Keliher, L. (eds.) SAC 2015. LNCS, vol. 9566, pp. 178–194. Springer, Cham (2016).

    CrossRef  Google Scholar 

  2. Banik, S., Bogdanov, A., Regazzoni, F.: Compact circuits for combined AES encryption/decryption. J. Cryptogr. Eng. 9(1), 69–83 (2019).

    CrossRef  Google Scholar 

  3. Biham, E., Shamir, A.: Differential fault analysis of secret key cryptosystems. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 513–525. Springer, Heidelberg (1997).

    CrossRef  Google Scholar 

  4. Bogdanov, A., et al.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007).

    CrossRef  Google Scholar 

  5. Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of checking cryptographic protocols for faults. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 37–51. Springer, Heidelberg (1997).

    CrossRef  Google Scholar 

  6. Clavier, C., Isorez, Q., Marion, D., Wurcker, A.: Complete reverse-engineering of AES-like block ciphers by SCARE and FIRE attacks. Cryptogr. Commun. Discrete Struct. Boolean Funct. Seq. 7(1), 121 (2015)

    MathSciNet  MATH  Google Scholar 

  7. Daemen, J., Rijmen, V.: The block cipher Rijndael. In: Quisquater, J.-J., Schneier, B. (eds.) CARDIS 1998. LNCS, vol. 1820, pp. 277–284. Springer, Heidelberg (2000).

    CrossRef  Google Scholar 

  8. Des: Data Encryption Standard. In: FIPS PUB 46, Federal Information Processing Standards Publication 46–2 (1977)

    Google Scholar 

  9. Dutta, A., Paul, G.: Deterministic hard fault attack on trivium. In: Yoshida, M., Mouri, K. (eds.) IWSEC 2014. LNCS, vol. 8639, pp. 134–145. Springer, Cham (2014).

    CrossRef  Google Scholar 

  10. Gruss, D., Maurice, C., Mangard, S.: Rowhammer.js: a remote software-induced fault attack in JavaScript. In: Caballero, J., Zurutuza, U., Rodríguez, R.J. (eds.) DIMVA 2016. LNCS, vol. 9721, pp. 300–321. Springer, Cham (2016).

    CrossRef  Google Scholar 

  11. Hernandez-Castro, J.C., Peris-Lopez, P., Aumasson, J.-P.: On the key schedule strength of PRESENT. In: Garcia-Alfaro, J., Navarro-Arribas, G., Cuppens-Boulahia, N., de Capitani di Vimercati, S. (eds.) DPM/SETOP 2011. LNCS, vol. 7122, pp. 253–263. Springer, Heidelberg (2012).

    CrossRef  Google Scholar 

  12. Le Bouder, H., Guilley, S., Robisson, B., Tria, A.: Fault injection to reverse engineer DES-like cryptosystems. In: Danger, J.-L., Debbabi, M., Marion, J.-Y., Garcia-Alfaro, J., Zincir Heywood, N. (eds.) FPS -2013. LNCS, vol. 8352, pp. 105–121. Springer, Cham (2014).

    CrossRef  Google Scholar 

  13. Pan, J., Bhasin, S., Zhang, F., Ren, K.: One Fault is All it Needs: Breaking Higher-Order Masking with Persistent Fault Analysis. Cryptology ePrint Archive, Report 2019/008 (2019).

  14. San Pedro, M., Soos, M., Guilley, S.: FIRE: fault injection for reverse engineering. In: Ardagna, C.A., Zhou, J. (eds.) WISTP 2011. LNCS, vol. 6633, pp. 280–293. Springer, Heidelberg (2011).

    CrossRef  Google Scholar 

  15. Tiessen, T., Knudsen, L.R., Kölbl, S., Lauridsen, M.M.: Security of the AES with a secret S-Box. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 175–189. Springer, Heidelberg (2015).

    CrossRef  Google Scholar 

  16. Zhang, F., et al.: Persistent fault analysis on block ciphers. IACR Transactions on Cryptographic Hardware and Embedded Systems, pp. 150–172 (2018)

    Google Scholar 

Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to Subhadeep Banik .

Editor information

Editors and Affiliations



A Calculation of Low-Diffusion Keys

Algorithm 7 depicts the routine that calculates all 16 low-diffusion keys for PRESENT.

figure g

B Proof of Lemma 1


The access pattern follows from a simple calculation of the intermediate round key words. Set \(K_0 = \mathtt {0x01000000}\), \(K_1 = \mathtt {0x02000000}\), \(K_2 = \mathtt {0x02000000}\), \(K_3 = |a,a,a,a|\) and \(S(a) = 0\).

$$\begin{aligned} W_0&= K_0 = \mathtt {0x01000000} \\ W_1&= K_1 = \mathtt {0x02000000} \\ W_2&= K_2 = \mathtt {0x02000000} \\ W_3&= K_3 = |a, a, a, a| \\ W_4&= W_0 \oplus S(R(W_3)) \oplus rc_1 = \mathtt {0x00000000} \\ W_5&= W_1 \oplus W_4 = \mathtt {0x02000000} \\ W_6&= W_2 \oplus W_5 = \mathtt {0x00000000} \\ W_7&= W_3 \oplus W_6 = |a, a, a, a| \\ W_8&= W_4 \oplus S(R(W_7)) \oplus rc_2 = \mathtt {0x02000000} \\ W_9&= W_5 \oplus W_8 = \mathtt {0x00000000} \\ W_{10}&= W_6 \oplus W_9 = \mathtt {0x00000000} \\ W_{11}&= W_7 \oplus W_{10} = |a, a, a, a| \\ W_{12}&= W_8 \oplus S(R(W_{11})) \oplus rc_3 = \mathtt {0x06000000} \\ W_{13}&= W_9 \oplus W_{12} = \mathtt {0x06000000} \\ W_{14}&= W_{10} \oplus W_{13} = \mathtt {0x06000000} \\ W_{15}&= W_{11} \oplus W_{14} = |a \oplus \mathtt {0x06}, a, a, a| \\ W_{16}&= W_{12} \oplus S(R(W_{15})) \oplus rc_4 = |\mathtt {0x0e}, 0, 0, S(a \oplus \mathtt {0x06})| \\ W_{17}&= W_{13} \oplus W_{16} = |a \oplus \mathtt {0x08}, 0, 0, S(a \oplus \mathtt {0x06})| \\ W_{18}&= W_{14} \oplus W_{17} = |a \oplus \mathtt {0x0e}, 0, 0, S(a \oplus \mathtt {0x06})| \\ W_{19}&= W_{15} \oplus W_{18} = |a \oplus \mathtt {0x08}, a, a, a \oplus S(a \oplus \mathtt {0x06})| \\ W_{20}&= W_{16} \oplus S(R(W_{19})) \oplus rc_5 = |\mathtt {0x1e}, 0, S(a \oplus S(a \oplus \mathtt {0x06})), S(\mathtt {0x0b})| \\ W_{21}&= W_{17} \oplus W_{20} = |\mathtt {0x16}, 0, S(a \oplus S(a \oplus \mathtt {0x06})), S(\mathtt {0x0b}) \oplus S(a \oplus \mathtt {0x06})| \\ W_{22}&= W_{18} \oplus W_{21} = |\mathtt {0x18}, 0, S(a \oplus S(a \oplus \mathtt {0x06})), S(\mathtt {0x0b})| \\ W_{23}&= W_{19} \oplus W_{22} = |\mathtt {0x1a}, a, a \oplus S(a \oplus S(a \oplus \mathtt {0x06})), a \oplus S(a \oplus \mathtt {0x06}) \oplus S(\mathtt {0x0b})| \end{aligned}$$

Rights and permissions

Reprints and Permissions

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Caforio, A., Banik, S. (2019). A Study of Persistent Fault Analysis. In: Bhasin, S., Mendelson, A., Nandi, M. (eds) Security, Privacy, and Applied Cryptography Engineering. SPACE 2019. Lecture Notes in Computer Science(), vol 11947. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-35868-6

  • Online ISBN: 978-3-030-35869-3

  • eBook Packages: Computer ScienceComputer Science (R0)