Differential Fault Analysis of LEX

Jianyong Huang, Willy Susilo and Jennifer Seberry

Centre for Computer and Information Security Research, School of Computer Science and Software Engineering, University of Wollongong, Wollongong NSW 2522, Australia {jyh33, wsusilo, jennie}@uow.edu.au

Abstract. LEX is a stream cipher based on the round transformation of the AES block cipher, and it was selected for the final phase evalua- tion of the eSTREAM project. LEX is 2.5 times faster than AES both in software and in hardware. In this paper, we present a differential fault attack on LEX. The fault model assumes that the attacker is able to flip a random bit of the internal state of the cipher but cannot control the exact location of the induced fault. Our attack requires 40 faults, and recovers the secret key with 216 operations.

Keywords: LEX, stream cipher, AES, cryptanalysis, differential fault analysis.

1 Introduction

The aim of the eSTREAM project was to stimulate work in the area of stream ciphers. The call for primitives was released in 2004 and 34 proposals were sub- mitted to the project. The competition was completed in 2008 and seven ciphers were selected in the eSTREAM portfolio. LEX [4] was one of the candidates of the eSTREAM final phase evaluation. LEX is based on a design principle known as a leak extraction from a block cipher. In this construction, the output key stream is extracted from parts of the internal state of a block cipher at certain rounds (possibly after passing an additional filter function). The extracted parts of the internal state need to be selected carefully because leaking the wrong part of the state may endanger the security of the cipher. The underlying block cipher of LEX is AES [7], and the key stream is generated by extracting 32 bits from each round of AES in the Output Feedback (OFB) mode. LEX has a simple and elegant structure and is fast in software and hardware (2.5 times faster than AES). There are two types of attacks against the security of cryptosystems: direct attacks and indirect attacks. In direct attacks, the cryptanalyst targets to exploit any theoretical weakness in the algorithm used in the cipher, and examples of direct attacks include differential cryptanalysis [1] and linear cryptanalysis [13]. In indirect attacks, the attacker tries to obtain information from the physical im- plementation of a cryptosystem, and aims to break the system by making use of the gained information. Instances of indirect attacks include timing attacks [11], 2 Jianyong Huang, Willy Susilo and Jennifer Seberry power attacks [12] and fault attacks [6]. The concept of fault analysis was first introduced by Boneh, DeMillo and Lipton [6] in 1996, and the attack was used to target certain implementations of RSA and Rabin signatures by taking advan- tage of hardware faults. Fault analysis was also used to attack block ciphers such as DES [2]. It was showed in [10] that a fault attack is a powerful cryptanalytic tool which can be employed to attack stream ciphers. After LEX was submitted to the eSTREAM project, a few attacks against this cipher have been proposed. The resynchronization of LEX is vulnerable to a slide attack [15], and the attack needs 260.8 random IVs and 20,000 keystream bytes generated from each IV. A generic attack, which requires 265.7 resynchro- nizations, was published in [9]. A differential attack [8] can recover the secret key of LEX in time of 2112 operations by using 236.3 bytes of key stream produced by the same key (possibly under many different IVs). A related key attack was shown in [14], and the attack requires 254.3 keystream bytes and can recover the secret key with 2102 operations. These four proposed attacks on LEX belong to direct attacks. In this paper, we describe a differential fault attack on LEX. The fault model assumes that the attacker can flip a random bit of the internal state of the cipher and she can carry out the operation many times for the same internal state. However, the attacker is not supposed to know the exact location of the flipped bit. The proposed attack requires 40 faults and recovers the secret key of LEX with 216 operations. This paper is organized as follows. Section 2 describes the AES block cipher and the LEX stream cipher. Section 3 provides the details of the differential fault analysis of LEX. The paper is concluded in Section 4.

2 Descriptions of AES and LEX

We briefly describe the AES block cipher in Section 2.1. The LEX stream cipher is described in Section 2.2. We provide the notations used throughout this paper in Section 2.3.

2.1 The AES Block Cipher

The Advanced Encryption Standard [7] is a block cipher with a 128-bit block length and supports key lengths of 128, 192 or 256 bits. For encryption, the input is a plaintext and a secret key, and the output is a ciphertext. The plaintext is first copied to a four-by-four array of bytes, which is called the state. After an initial round key addition, the state array is transformed by performing a round function 10, 12, or 14 times (for 128-bit, 192-bit or 256-bit keys respectively), and the final state is the ciphertext. Each round of AES consists of the following four transformations (the final round does not include the MixColumns operation).

– SubBytes (SB). It is a non-linear byte substitution that operates indepen- dently on each byte of the state using a substitution table. Differential Fault Analysis of LEX 3

– ShiftRows (SR). The bytes of the state are cyclically shifted over different numbers of bytes. Row i is shifted to the left i byte cyclicly, 0 ≤ i ≤ 3. – MixColumns (MC). It operates on the state column-by-column. The columns are treated as polynomials and multiplied by a constant 4 × 4 matrix over GF (28). – AddRoundKey (ARK). A round key is added to the state by a simple bitwise exclusive or (XOR) operation. The AES round keys are derived from the cipher key by employing the key schedule. The cipher key is first expanded into an expanded key. The round keys are selected from this expanded key in the following way: the first round key consists of the first Nb (the number of columns comprising the state) words, the second one of the following Nb words, and so on. The expanded key is an array of 4-byte words and is denoted by W [Nb ∗ (Nr + 1)], where Nr is the number of rounds. The first Nk (number of 32-bit words comprising the cipher key) words contain the cipher key. All other words are defined recursively in terms of words with smaller indices. The pseudocode for key expansion for 128-bit cipher keys is shown below, where Key is the cipher key, SW (x) applies the substitution operation to each byte of the word, RW (x) cyclically shifts the word to the left 8 bits, and Rcon is an array of predefined constants. for(i = 0; i < Nk; i++) W[i] = (Key[4*i],Key[4*i+1],Key[4*i+2],Key[4*i+3]);

for(i = Nk; i < Nb * (Nr + 1); i++) temp = W[i-1]; if (i % Nk == 0) temp = SW(RW(temp)) ^ Rcon[i/Nk]; W[i] = W[i-Nk] ^ temp;

2.2 The LEX Stream Cipher Two versions of LEX, the original version [3] and the tweaked version [5], were submitted to the eSTREAM project. We only provide the description of the tweaked version in this paper. LEX uses the building blocks of the AES block cipher. First, a standard AES key schedule for a secret 128-bit key K is per- formed. Then, a given 128-bit IV is encrypted by a single AES encryption, S = AESK (IV ). The 128-bit result S and the secret key K comprise a 256-bit secret state of the stream cipher. Under the key K, S is repeatedly encrypted in the OFB mode. In each round of the encryption, 32 bits are extracted from the intermediate state to form the key stream. The positions of the extracted 32 bits are shown in Fig. 1. The IV is replaced after 500 encryptions and the secret key is changed after 232 different IVs are used.

2.3 Notations An AES intermediate state, as well as an AES round key, is represented as a four-by-four array of bytes. A byte of an intermediate state is written as bi,j, 4 Jianyong Huang, Willy Susilo and Jennifer Seberry     b0,0 b0,1 b0,2 b0,3  b0,0 b0,1  b0,2 b0,3 b0,0  b0,1 b0,2  b0,3 b1,0 b1,1 b1,2 b1,3  b1,0 b1,1  b1,2 b1,3 b1,0  b1,1 b1,2  b1,3 b2,0 b2,1 b2,2 b2,3  b2,0 b2,1  b2,2 b2,3 b2,0  b2,1 b2,2  b2,3

b3,0 b3,1 b3,2 b3,3 b3,0 b3,1 b3,2 b3,3 b3,0 b3,1 b3,2 b3,3

Odd Round Even Round

Fig. 1. The positions of the leak in the even and odd rounds

′ the corresponding faulty byte is denoted by bi,j, and the difference of bi,j and ′ ≤ ≤ bi,j is represented as ∆bi,j, 0 i, j 3. A key byte of Round x is denoted by x ≤ ≤ Ki,j, 0 i, j 3. The symbol ? stands for an unknown byte. In all figures, a keystream byte of LEX is surrounded by a circle.

3 The Differential Fault Analysis

The fault model used in this paper assumes that the attacker can flip a random bit of the internal state of the cipher during the keystream generation and obtain the corresponding faulty key stream. Another assumption is that the attacker can reset the state back to its original status and repeat the fault injection process many times. However, the attacker is not supposed to know the exact location of the injected fault. Based on the fault model, we first describe a method to determine the fault position and then we show that the attacker can recover the secret key of LEX by analyzing the original and faulty key stream.

3.1 The Fault Position Determination Method Since the attacker does not know the exact fault position in our fault model, we need to determine the fault location first. The idea is that we can find out the fault position by observing the changes of the key stream after the fault is injected. We show that we can identify into which byte the random bit fault is injected. We divide all possible cases into two categories. In the first category, the fault is injected into the state after the MC or ARK transformation, and in the second category, the fault is injected into the state after the SB or SR transformation. We use Fig. 2 to describe the position determination method. Suppose the three-round diagram starts with an odd round, i.e., i is an odd number (we can also do the analysis by using the same idea if i is an even number). The keystream bytes are g0,0, g0,2, g2,0 and g2,2 in Round i, l0,1, l0,3, l2,1 and l2,3 in Round i + 1 and s0,0, s0,2, s2,0 and s2,2 in Round i + 2. 1. Category 1. The fault is injected into the state after the MC or ARK trans- formation. We only focus on cases where the fault is injected into the state after the MC transformation, and we can use the same idea to analyze cases Differential Fault Analysis of LEX 5

  e e e e g g g g d0,0 d0,1 d0,2 d0,3 0,0 0,1 0,2 0,3 f0,0 f0,1 f0,2 f0,3  0,0 0,1  0,2 0,3

d1,0 d1,1 d1,2 d1,3 e1,0 e1,1 e1,2 e1,3 f1,0 f1,1 f1,2 f1,3 g1,0 g1,1 g1,2 g1,3 SB→ SR→ MC→ ARK→   e e e e g g g g d2,0 d2,1 d2,2 d2,3 2,0 2,1 2,2 2,3 f2,0 f2,1 f2,2 f2,3  2,0 2,1  2,2 2,3

d3,0 d3,1 d3,2 d3,3 e3,0 e3,1 e3,2 e3,3 f3,0 f3,1 f3,2 f3,3 g3,0 g3,1 g3,2 g3,3

Round i   y y y y h0,0 h0,1 h0,2 h0,3 0,0 0,1 0,2 0,3 j0,0 j0,1 j0,2 j0,3 l0,0  l0,1 l0,2  l0,3

h1,0 h1,1 h1,2 h1,3 y1,0 y1,1 y1,2 y1,3 j1,0 j1,1 j1,2 j1,3 l1,0 l1,1 l1,2 l1,3 SB→ SR→ MC→ ARK→   y y y y h2,0 h2,1 h2,2 h2,3 2,0 2,1 2,2 2,3 j2,0 j2,1 j2,2 j2,3 l2,0  l2,1 l2,2  l2,3

h3,0 h3,1 h3,2 h3,3 y3,0 y3,1 y3,2 y3,3 j3,0 j3,1 j3,2 j3,3 l3,0 l3,1 l3,2 l3,3

Round i + 1   o o o o q q q q r r r r s s s s 0,0 0,1 0,2 0,3 0,0 0,1 0,2 0,3 0,0 0,1 0,2 0,3  0,0 0,1  0,2 0,3 o1,0 o1,1 o1,2 o1,3 q1,0 q1,1 q1,2 q1,3 r1,0 r1,1 r1,2 r1,3 s1,0 s1,1 s1,2 s1,3 SB→ SR→ MC→ ARK→   o o o o q q q q r r r r s s s s 2,0 2,1 2,2 2,3 2,0 2,1 2,2 2,3 2,0 2,1 2,2 2,3  2,0 2,1  2,2 2,3 o3,0 o3,1 o3,2 o3,3 q3,0 q3,1 q3,2 q3,3 r3,0 r3,1 r3,2 r3,3 s3,0 s3,1 s3,2 s3,3

Round i + 2 Fig. 2. The three-round diagram

where the fault is injected into the state after the ARK operation. Suppose the fault is induced to the state after the MC transformation in Round i. We further divide all possible cases of this category into four groups and each group contains four bytes. – Group 1. This group includes four bytes: f0,0, f2,0, f0,2 and f2,2. – Group 2. This group has four bytes: f1,0, f2,1, f3,2 and f0,3. – Group 3. This group comprises four bytes: f3,0, f0,1, f1,2 and f2,3. – Group 4. This group consists of four bytes: f1,1, f3,1, f1,3 and f3,3. The relation between the fault position and the changes of the keystream bytes is summarized in Table 1. For example, if a fault is induced to f0,0 (see the first entry of Group 1 in Table 1) in Fig. 2, we can see the change of g0,0 from the key stream in Round i. Since g0,0 is changed, h0,0, y0,0, j0,0, j1,0, j2,0, j3,0, l0,0, l1,0, l2,0, l3,0 are changed in Round i + 1. However, we cannot see the changes from the key stream in Round i + 1 because the keystream bytes of this round are l0,1, l0,3, l2,1 and l2,3. In Round i + 2, all 16 bytes are changed after the MC transformation and we can see that all four keystream bytes s0,0, s0,2, s2,0 and s2,2 are changed. The difference among Group 1, Group 2, Group 3 and Group 4 is that the changes of the keystream bytes in Round i and Round i + 1 take place at different positions. 2. Category 2. The fault is injected into the state after the SB or SR trans- formation. We only concentrate on cases where the fault is injected into the 6 Jianyong Huang, Willy Susilo and Jennifer Seberry

Table 1. Four groups of fault positions

Group 1 Group 2 Fault i i + 1 i + 2 Fault i i + 1 i + 2 f0,0 g0,0 None s0,0, s0,2, s2,0, s2,2 f1,0 None l0,3, l2,3 s0,0, s0,2, s2,0, s2,2 f2,0 g2,0 None s0,0, s0,2, s2,0, s2,2 f2,1 None l0,3, l2,3 s0,0, s0,2, s2,0, s2,2 f0,2 g0,2 None s0,0, s0,2, s2,0, s2,2 f3,2 None l0,3, l2,3 s0,0, s0,2, s2,0, s2,2 f2,2 g2,2 None s0,0, s0,2, s2,0, s2,2 f0,3 None l0,3, l2,3 s0,0, s0,2, s2,0, s2,2 Group 3 Group 4 Fault i i + 1 i + 2 Fault i i + 1 i + 2 f3,0 None l0,1, l2,1 s0,0, s0,2, s2,0, s2,2 f1,1 None None s0,0, s0,2, s2,0, s2,2 f0,1 None l0,1, l2,1 s0,0, s0,2, s2,0, s2,2 f3,1 None None s0,0, s0,2, s2,0, s2,2 f1,2 None l0,1, l2,1 s0,0, s0,2, s2,0, s2,2 f1,3 None None s0,0, s0,2, s2,0, s2,2 f2,3 None l0,1, l2,1 s0,0, s0,2, s2,0, s2,2 f3,3 None None s0,0, s0,2, s2,0, s2,2

state after the SR transformation, and we can use the same idea to analyze cases where the fault is injected into the state after the SB transformation. Assume that the fault is induced to the state after the SR transformation in Round i. We split all possible cases of this category into three groups.

Table 2. Three groups of fault positions

Group 5 Fault i i + 1 i + 2 e0,0 g0,0, g2,0 l0,1, l0,3, l2,1, l2,3 s0,0, s0,2, s2,0, s2,2 e1,0 g0,0, g2,0 l0,1, l0,3, l2,1, l2,3 s0,0, s0,2, s2,0, s2,2 e2,0 g0,0, g2,0 l0,1, l0,3, l2,1, l2,3 s0,0, s0,2, s2,0, s2,2 e3,0 g0,0, g2,0 l0,1, l0,3, l2,1, l2,3 s0,0, s0,2, s2,0, s2,2

Group 6 Fault i i + 1 i + 2 e0,2 g0,2, g2,2 l0,1, l0,3, l2,1, l2,3 s0,0, s0,2, s2,0, s2,2 e1,2 g0,2, g2,2 l0,1, l0,3, l2,1, l2,3 s0,0, s0,2, s2,0, s2,2 e2,2 g0,2, g2,2 l0,1, l0,3, l2,1, l2,3 s0,0, s0,2, s2,0, s2,2 e3,2 g0,2, g2,2 l0,1, l0,3, l2,1, l2,3 s0,0, s0,2, s2,0, s2,2

Group 7 Fault i i + 1 i + 2 e0,1 None l0,1, l0,3, l2,1, l2,3 s0,0, s0,2, s2,0, s2,2 e1,1 None l0,1, l0,3, l2,1, l2,3 s0,0, s0,2, s2,0, s2,2 e2,1 None l0,1, l0,3, l2,1, l2,3 s0,0, s0,2, s2,0, s2,2 e3,1 None l0,1, l0,3, l2,1, l2,3 s0,0, s0,2, s2,0, s2,2 e0,3 None l0,1, l0,3, l2,1, l2,3 s0,0, s0,2, s2,0, s2,2 e1,3 None l0,1, l0,3, l2,1, l2,3 s0,0, s0,2, s2,0, s2,2 e2,3 None l0,1, l0,3, l2,1, l2,3 s0,0, s0,2, s2,0, s2,2 e3,3 None l0,1, l0,3, l2,1, l2,3 s0,0, s0,2, s2,0, s2,2

– Group 5. This group has four bytes: e0,0, e1,0, e2,0 and e3,0. – Group 6. This group is made up of four bytes: e0,2, e1,2, e2,2 and e3,2. – Group 7. This group contains eight bytes: e0,1, e1,1, e2,1, e3,1, e0,3, e1,3, e2,3 and e3,3. The relation between the fault position and the changes of the keystream bytes is described in Table 2. For instance, if a fault is injected into byte Differential Fault Analysis of LEX 7

e0,0 (see the first entry of Group 5 in Table 2) in Fig. 2, g0,0, g1,0, g2,0 and g3,0 are changed and we can observe the changes of g0,0 and g2,0 from the key stream in Round i. In Round i + 1, all 16 bytes are changed after the MC transformation and we can see the changes of l0,1, l0,3, l2,1 and l2,3 from the key stream. Similarly, all 16 bytes are changed starting from the SB operation in Round i + 2, and we can see the changes of s0,0, s0,2, s2,0 and s2,2 from the key stream. By watching the changes of the keystream bytes listed in Table 1 and Table 2, we can identify the fault position. In this paper we are only interested in cases where a fault is injected into a byte which is listed in Table 1.

3.2 Recovering 4 Key Bytes of Round i + 2 We first show that we are able to recover the actual values of 12 bytes after the SR transformation in Round i + 2 by using 8 faults. Then, we describe the idea of recovering 4 key bytes of Round i + 2 by using the 12 known values. We provide an observation which is used to identify the position of a faulty byte in the MC transformation. Observation 1 In the MixColumns transformation, for each 0 ≤ i ≤ 3, if we know three out of four input differences (∆y0,i, ∆y1,i, ∆y2,i and ∆y3,i) are zero and one input difference is non-zero and we also know two output differences (∆j0,i and ∆j2,i), the two unknown output differences (∆j1,i and ∆j3,i) and the position and the difference of the non-zero input can be uniquely determined.     ∆y ∆j  0,i   0,i           ∆y1,i   ∆j1,i    −→MC       .  ∆y   ∆j   2,i   2,i 

∆y3,i ∆j3,i

Suppose a fault is injected into a byte which is f0,3, f1,0, f2,1 or f3,2 (Group 2 in Table 1). We use Fig. 3 to demonstrate the progress. We establish a formula, Formula (1), by using the input and out differences of the MC operation in Round i + 1. We create another formula, Formula (2), with the input and out differences of the MC transformation in Round i + 2.     0 0 0 ∆y 0 0 0 ∆j  0,3   0,3           0 0 0 ∆y1,3   0 0 0 ∆j1,3    −→MC       (1)  0 0 0 ∆y   0 0 0 ∆j   2,3   2,3 

0 0 0 ∆y3,3 0 0 0 ∆j3,3     0 0 0 ∆q ∆r ∆r ∆r ∆r  0,3   0,0 0,1 0,2 0,3           0 0 ∆q1,2 0   ∆r1,0 ∆r1,1 ∆r1,2 ∆r1,3    −→MC       (2)  0 ∆q 0 0   ∆r ∆r ∆r ∆r   2,1   2,0 2,1 2,2 2,3 

∆q3,0 0 0 0 ∆r3,0 ∆r3,1 ∆r3,2 ∆r3,3 8 Jianyong Huang, Willy Susilo and Jennifer Seberry

1. We use Formula (1) to decide the values of ∆l1,3 and ∆l3,3 by performing the following steps. Since ∆j0,3 is equal to ∆l0,3 and ∆j2,3 is equal to ∆l2,3 (∆l0,3 and ∆l2,3 can be calculated from the key stream), we know the values of ∆j0,3 and ∆j2,3. In the fourth columns of the input and output, there are 5 known bytes (3 zero bytes, ∆j0,3 and ∆j2,3) and 3 unknown bytes (the non-zero input byte, ∆j1,3 and ∆j3,3). Although we know there are three zero inputs and one non-zero input, we do not know the exact layout of the four input bytes. We can determine the 2 unknown output bytes (∆j1,3 and ∆j3,3) and the position and the difference of the non-zero input byte by using Observation 1 (a similar method is described in [8], in which the authors used 4 known bytes to calculate the values of 4 unknown bytes). In Fig 3, we assume the faulty byte is f1,0. As ∆l1,3 is equal to ∆j1,3 and ∆l3,3 is equal to ∆j3,3, we know the values of ∆l1,3 and ∆l3,3. 2. In Formula (2), ∆q3,0 and ∆q1,2 can be deduced as follows. (a) Because ∆r0,0 is equal to ∆s0,0 and ∆r2,0 is equal to ∆s2,0 (∆s0,0 and ∆s2,0 can be computed from the key stream), we know the values of ∆r0,0 and ∆r2,0. In the first columns of the input and output, there are 5 known bytes (3 zero bytes, ∆r0,0 and ∆r2,0) and 3 unknown bytes (∆q3,0, ∆r1,0 and ∆r3,0). Here we know the positions of the three zero inputs and the non-zero input (see the first column of the input in Formula (2)). The 3 unknown bytes can be deduced from the 5 known bytes. (b) Similarly, there are 5 known bytes (3 zero bytes, ∆r0,2 and ∆r2,2) and 3 unknown bytes (∆q1,2, ∆r1,2 and ∆r3,2) in the third columns of the input and output. The values of 3 unknown bytes can be computed by making use of the 5 known bytes.

In Fig. 4, we know the values of ∆o1,3 and ∆o3,3 since we know ∆q1,2 and ∆q3,0 and the SR operation is just a permutation. Now we know the input differences (∆l1,3, ∆l3,3) and the corresponding output differences (∆o1,3, ∆o3,3) ′ to the SB operation, and we can deduce 4 actual values for o1,3, o1,3, o3,3 and ′ o3,3 by using a lookup table, which contains all possible input differences and their corresponding output differences of the SB operation. Here we encounter ′ a 1-in-2 situation: although we already have 4 actual values for o1,3, o1,3, o3,3 ′ and o3,3, we cannot distinguish the correct values (o1,3 and o3,3) from the faulty ′ ′ ones (o1,3 and o3,3). To address this problem, we need one more fault injected into f1,0 and repeat the above steps since the correct values will appear twice in ′ both keystream processing. After we get the actual values of o1,3, o1,3, o3,3 and ′ ′ ′ o3,3, we know the actual values of q1,2, q1,2, q3,0 and q3,0 after the SR operation. As we know the actual values of l0,1, l0,3, l2,1 and l2,3 from the key stream, we know the actual values of q0,1, q0,3, q2,1 and q2,3 after the SB and SR operations. So far, we know the actual values of 6 bytes, q1,2, q3,0, q0,1, q0,3, q2,1 and q2,3, after the SR transformation in Round i + 2:   ? q0,1 ? q0,3    ?? q1,2 ?      . ? q2,1 ? q2,3

q3,0 ??? Differential Fault Analysis of LEX 9   e e e e g g g g d0,0 d0,1 d0,2 d0,3 0,0 0,1 0,2 0,3 f0,0 f0,1 f0,2 f0,3  0,0 0,1  0,2 0,3 ′ ′ d1,0 d1,1 d1,2 d1,3 e1,0 e1,1 e1,2 e1,3 f1,0 f1,1 f1,2 f1,3 g1,0 g1,1 g1,2 g1,3 SB→ SR→ MC→ ARK→   e e e e g g g g d2,0 d2,1 d2,2 d2,3 2,0 2,1 2,2 2,3 f2,0 f2,1 f2,2 f2,3  2,0 2,1  2,2 2,3

d3,0 d3,1 d3,2 d3,3 e3,0 e3,1 e3,2 e3,3 f3,0 f3,1 f3,2 f3,3 g3,0 g3,1 g3,2 g3,3

Round i   y y y y ′ ′ h0,0 h0,1 h0,2 h0,3 0,0 0,1 0,2 0,3 j0,0 j0,1 j0,2 j0,3 l0,0  l0,1 l0,2  l0,3 ′ ′ ′ ′ h1,0 h1,1 h1,2 h1,3 y1,0 y1,1 y1,2 y1,3 j1,0 j1,1 j1,2 j1,3 l1,0 l1,1 l1,2 l1,3 SB→ SR→ MC→ ARK→   y y y y ′ ′ h2,0 h2,1 h2,2 h2,3 2,0 2,1 2,2 2,3 j2,0 j2,1 j2,2 j2,3 l2,0  l2,1 l2,2  l2,3 ′ ′ h3,0 h3,1 h3,2 h3,3 y3,0 y3,1 y3,2 y3,3 j3,0 j3,1 j3,2 j3,3 l3,0 l3,1 l3,2 l3,3

Round i + 1   o o o ′ q q q ′ ′ ′ ′ ′ ′ ′ ′ ′ 0,0 0,1 0,2 o0,3 0,0 0,1 0,2 q0,3 r0,0 r0,1 r0,2 r0,3  s0,0 s0,1  s0,2 s0,3 ′ ′ ′ ′ ′ ′ ′ ′ ′ ′ o1,0 o1,1 o1,2 o1,3 q1,0 q1,1 q1,2 q1,3 r1,0 r1,1 r1,2 r1,3 s1,0 s1,1 s1,2 s1,3 SB→ SR→ MC→ ARK→   o o o ′ q ′ q q ′ ′ ′ ′ ′ ′ ′ ′ 2,0 2,1 2,2 o2,3 2,0 q2,1 2,2 2,3 r2,0 r2,1 r2,2 r2,3  s2,0 s2,1  s2,2 s2,3 ′ ′ ′ ′ ′ ′ ′ ′ ′ ′ o3,0 o3,1 o3,2 o3,3 q3,0 q3,1 q3,2 q3,3 r3,0 r3,1 r3,2 r3,3 s3,0 s3,1 s3,2 s3,3 Round i + 2

Fig. 3. Computing the values of ∆l1,3, ∆l3,3, ∆q1,2 and ∆q3,0

∆l1,3 ∆o1,3 ∆q1,2 ARK−→ −→SB −→SR

∆l3,3 ∆o3,3 ∆q3,0

Round i + 1 Round i + 2 Round i + 2

Fig. 4. Deducing the actual values of q1,2 and q3,0

We use the same idea to recover the actual values of q0,0, q2,2, q1,0, q3,2, q2,0 and q0,2. The details are listed as follows.

1. We are able to obtain the actual values of q0,0 and q2,2 by using 2 faults which are injected into f0,0, or f2,2. The procedure is shown in Appendix A. 2. We can recover the actual values of q1,0 and q3,2 by using 2 faults which are induced on f0,1, f1,2, f2,3 or f3,0. The steps are described in Appendix B. 3. We can get the actual values of q2,0 and q0,2 by using 2 faults which are injected into f0,2 or f2,0. The details are presented in Appendix C. 10 Jianyong Huang, Willy Susilo and Jennifer Seberry   q q q q r r s s 0,0 0,1 0,2 0,3 0,0 ? 0,2 ?  0,0 ?  0,2 ? q1,0 ? q1,2 ? r1,0 ? r1,2 ? ? ? ? ? −→SR −→MC ARK−→   q q q q r r s s 2,0 2,1 2,2 2,3 2,0 ? 2,2 ?  2,0 ?  2,2 ? q3,0 ? q3,2 ? r3,0 ? r3,2 ? ? ? ? ?

i+2 i+2 K0,0 K0,2

i+2 i+2 K2,0 K2,2

Round i + 2 Fig. 5. Recovering 4 key bytes

Since we now know the actual values of the 12 bytes after the SR transfor- mation in Round i + 2 in Fig. 5, we can compute the actual values of the first column (r0,0, r1,0, r2,0 and r3,0) and third column (r0,2, r1,2, r2,2 and r3,2) of the MC transformation. By XORing (r0,0, r0,2, r2,0, r2,2) with (s0,0, s0,2, s2,0, i+2 i+2 i+2 i+2 s2,2), we finally recover 4 round key bytes: K0,0 , K0,2 , K2,0 and K2,2 .

3.3 Retrieving 16 Key Bytes in Round i − 1, i, i + 1 and i + 3

By using the same techniques as described in Section 3.2, we can recover 16 i−1 i−1 i−1 i−1 i i i i i+1 i+1 i+1 i+1 (K0,1 , K0,3 , K2,1 , K2,3 , K0,0, K0,2, K2,0, K2,2, K0,1 , K0,3 , K2,1 , K2,3 , i+3 i+3 i+3 i+3 − K0,1 , K0,3 , K2,1 and K2,3 ) more key bytes in Round i 1, i, i + 1 and i + 3 (see Fig. 7) with 32 faults. The details of recovering these 16 key bytes are provided as follows. We use Fig. 6 to describe the complete details.

i−1 i−1 i−1 i−1 3.3.1 Computing K0,1 , K0,3 , K2,1 and K2,3

1. Inject 2 faults into θ0,1 or θ2,3, and use these 2 faulty bytes to determine the actual values of z0,1 and z2,3. 2. Induce 2 faults on θ0,2 or θ2,1, and employ these 2 faulty values to calculate the actual values of z0,3 and z2,1. 3. Inject 2 faults into θ0,0, θ1,1, θ2,2 or θ3,3, and use these 2 faulty bytes to decide the actual values of z1,3 and z3,1. 4. Induce 2 faults on θ0,2, θ1,3, θ2,0 or θ3,1, and employ these 2 faulty values to find out the actual values of z1,1 and z3,3. 5. Apply the MC operation to (z0,1, z1,1, z2,1, z3,1) and (z0,3, z1,3, z2,3, z3,3) to get the actual values of β0,1, β1,1, β2,1, β3,1, β0,3, β1,3, β2,3 and β3,3. XOR β0,1 with λ0,1, β0,3 with λ0,3, β2,1 with λ2,1, and β2,3 with λ2,3 to recover i−1 i−1 i−1 i−1 K0,1 , K0,3 , K2,1 and K2,3 . Differential Fault Analysis of LEX 11 n n σ0,0 σ0,1 σ0,2 σ0,3 η0,0 η0,1 η0,2 η0,3 θ0,0 θ0,1 θ0,2 θ0,3 µ0,0 µ0,1 µ0,2 µ0,3

σ1,0 σ1,1 σ1,2 σ1,3 η1,0 η1,1 η1,2 η1,3 θ1,0 θ1,1 θ1,2 θ1,3 µ1,0 µ1,1 µ1,2 µ1,3 SB→ SR→ MC→ ARK→ n ni − 3 σ2,0 σ2,1 σ2,2 σ2,3 η2,0 η2,1 η2,2 η2,3 θ2,0 θ2,1 θ2,2 θ2,3 µ2,0 µ2,1 µ2,2 µ2,3

σ3,0 σ3,1 σ3,2 σ3,3 η3,0 η3,1 η3,2 η3,3 θ3,0 θ3,1 θ3,2 θ3,3 µ3,0 µ3,1 µ3,2 µ3,3 n n ρ0,0 ρ0,1 ρ0,2 ρ0,3 α0,0 α0,1 α0,2 α0,3 ϕ0,0 ϕ0,1 ϕ0,2 ϕ0,3 ψ0,0 ψ0,1 ψ0,2 ψ0,3

ρ1,0 ρ1,1 ρ1,2 ρ1,3 α1,0 α1,1 α1,2 α1,3 ϕ1,0 ϕ1,1 ϕ1,2 ϕ1,3 ψ1,0 ψ1,1 ψ1,2 ψ1,3 SB→ SR→ MC→ ARK→ n n i − 2 ρ2,0 ρ2,1 ρ2,2 ρ2,3 α2,0 α2,1 α2,2 α2,3 ϕ2,0 ϕ2,1 ϕ2,2 ϕ2,3 ψ2,0 ψ2,1 ψ2,2 ψ2,3

ρ3,0 ρ3,1 ρ3,2 ρ3,3 α3,0 α3,1 α3,2 α3,3 ϕ3,0 ϕ3,1 ϕ3,2 ϕ3,3 ψ3,0 ψ3,1 ψ3,2 ψ3,3 n n a0,0 a0,1 a0,2 a0,3 z0,0 z0,1 z0,2 z0,3 β0,0 β0,1 β0,2 β0,3 λ0,0 λ0,1 λ0,2 λ0,3

a1,0 a1,1 a1,2 a1,3 z1,0 z1,1 z1,2 z1,3 β1,0 β1,1 β1,2 β1,3 λ1,0 λ1,1 λ1,2 λ1,3 SB→ SR→ MC→ ARK→ n ni − 1 a2,0 a2,1 a2,2 a2,3 z2,0 z2,1 z2,2 z2,3 β2,0 β2,1 β2,2 β2,3 λ2,0 λ2,1 λ2,2 λ2,3

a3,0 a3,1 a3,2 a3,3 z3,0 z3,1 z3,2 z3,3 β3,0 β3,1 β3,2 β3,3 λ3,0 λ3,1 λ3,2 λ3,3 n n d0,0 d0,1 d0,2 d0,3 e0,0 e0,1 e0,2 e0,3 f0,0 f0,1 f0,2 f0,3 g0,0 g0,1 g0,2 g0,3

d1,0 d1,1 d1,2 d1,3 e1,0 e1,1 e1,2 e1,3 f1,0 f1,1 f1,2 f1,3 g1,0 g1,1 g1,2 g1,3 SB→ SR→ MC→ ARK→ n n i d2,0 d2,1 d2,2 d2,3 e2,0 e2,1 e2,2 e2,3 f2,0 f2,1 f2,2 f2,3 g2,0 g2,1 g2,2 g2,3

d3,0 d3,1 d3,2 d3,3 e3,0 e3,1 e3,2 e3,3 f3,0 f3,1 f3,2 f3,3 g3,0 g3,1 g3,2 g3,3 n n h0,0 h0,1 h0,2 h0,3 y0,0 y0,1 y0,2 y0,3 j0,0 j0,1 j0,2 j0,3 l0,0 l0,1 l0,2 l0,3

h1,0 h1,1 h1,2 h1,3 y1,0 y1,1 y1,2 y1,3 j1,0 j1,1 j1,2 j1,3 l1,0 l1,1 l1,2 l1,3 SB→ SR→ MC→ ARK→ n ni + 1 h2,0 h2,1 h2,2 h2,3 y2,0 y2,1 y2,2 y2,3 j2,0 j2,1 j2,2 j2,3 l2,0 l2,1 l2,2 l2,3

h3,0 h3,1 h3,2 h3,3 y3,0 y3,1 y3,2 y3,3 j3,0 j3,1 j3,2 j3,3 l3,0 l3,1 l3,2 l3,3

o0,0 o0,1 o0,2 o0,3 q0,0 q0,1 q0,2 q0,3 r0,0 r0,1 r0,2 r0,3 s0n,0 s0,1 s0n,2 s0,3

o1,0 o1,1 o1,2 o1,3 q1,0 q1,1 q1,2 q1,3 r1,0 r1,1 r1,2 r1,3 s1,0 s1,1 s1,2 s1,3 SB→ SR→ MC→ ARK→ i + 2 o2,0 o2,1 o2,2 o2,3 q2,0 q2,1 q2,2 q2,3 r2,0 r2,1 r2,2 r2,3 s2n,0 s2,1 s2n,2 s2,3

o3,0 o3,1 o3,2 o3,3 q3,0 q3,1 q3,2 q3,3 r3,0 r3,1 r3,2 r3,3 s3,0 s3,1 s3,2 s3,3 n n t0,0 t0,1 t0,2 t0,3 u0,0 u0,1 u0,2 u0,3 v0,0 v0,1 v0,2 v0,3 γ0,0 γ0,1 γ0,2 γ0,3

t1,0 t1,1 t1,2 t1,3 u1,0 u1,1 u1,2 u1,3 v1,0 v1,1 v1,2 v1,3 γ1,0 γ1,1 γ1,2 γ1,3 SB→ SR→ MC→ ARK→ n ni + 3 t2,0 t2,1 t2,2 t2,3 u2,0 u2,1 u2,2 u2,3 v2,0 v2,1 v2,2 v2,3 γ2,0 γ2,1 γ2,2 γ2,3

t3,0 t3,1 t3,2 t3,3 u3,0 u3,1 u3,2 u3,3 v3,0 v3,1 v3,2 v3,3 γ3,0 γ3,1 γ3,2 γ3,3

Fig. 6. The seven-round diagram

− − i 1 i 1 Ki Ki i+1 i+1 i+2 i+2 i+3 i+3 K0,1 K0,3 0,0 0,2 K0,1 K0,3 K0,0 K0,2 K0,1 K0,3

− − i 1 i 1 Ki Ki i+1 i+1 i+2 i+2 i+3 i+3 K2,1 K2,3 2,0 2,2 K2,1 K2,3 K2,0 K2,2 K2,1 K2,3

Round i − 1 Round i Round i + 1 Round i + 2 Round i + 3 Fig. 7. The recovered key bytes 12 Jianyong Huang, Willy Susilo and Jennifer Seberry

i i i i 3.3.2 Determining K0,0, K0,2, K2,0 and K2,2

1. Induce 2 faults on ϕ0,0 or ϕ2,2, and employ these 2 faulty values to compute the actual values of e0,0 and e2,2. 2. Inject 2 faults into ϕ0,2 or ϕ2,0, and use these 2 faulty values to calculate the actual values of e0,2 and e2,0. 3. Induce 2 faults on ϕ0,3, ϕ1,0, ϕ2,1 or ϕ3,2, and use these 2 faulty values to decide the actual values of e1,2 and e3,0. 4. Inject 2 faults into ϕ0,1, ϕ1,2, ϕ2,3 or ϕ3,0, and employ these 2 faulty bytes to determine the actual values of e1,0 and e3,2. 5. Apply the MC operation to (e0,0, e1,0, e2,0, e3,0) and (e0,2, e1,2, e2,2, e3,2) to get the actual values of f0,0, f1,0, f2,0, f3,0, f0,2, f1,2, f2,2 and f3,2. XOR f0,0 with g0,0, f0,2 with g0,2, f2,0 with g2,0, and f2,2 with g2,2 to retrieve the i i i i actual values of K0,0, K0,2, K2,0 and K2,2.

i+1 i+1 i+1 i+1 3.3.3 Calculating K0,1 , K0,3 , K2,1 and K2,3

1. Inject 2 faults into β0,1 or β2,3, and use these 2 faulty bytes to decide the actual values of y0,1 and y2,3. 2. Induce 2 faults on β0,3 or β2,1, and employ these 2 faulty bytes to compute the actual values of y0,3 and y2,1. 3. Inject 2 faults into β0,0, β1,1, β2,2 or β3,3 and use these 2 faulty bytes to determine the actual values of y1,3 and y3,1. 4. Induce 2 faults on β0,2, β1,3, β2,0 or β3,1, and employ these 2 faulty bytes to calculate the actual values of y1,1 and y3,3. 5. Apply the MC transformation to (y0,1, y1,1, y2,1, y3,1) and (y0,3, y1,3, y2,3, y3,3) to obtain the actual values of j0,1, j1,1, j2,1, j3,1, j0,3, j1,3, j2,3 and j3,3. XOR j0,1 with l0,1, j0,3 with l0,3, j2,1 with l2,1, and j2,3 with l2,3 to recover i+1 i+1 i+1 i+1 K0,1 , K0,3 , K2,1 and K2,3 .

i+3 i+3 i+3 i+3 3.3.4 Recovering K0,1 , K0,3 , K2,1 and K2,3

1. Use 2 faulty bytes which are j0,1 or j2,3 to determine the actual values of u0,1 and u2,3. 2. Employ 2 faulty bytes which are j0,3 or j2,1 to retrieve the actual values of u0,3 and u2,1. 3. Make use of 2 faulty bytes which are j0,0, j1,1, j2,2 or j3,3 to calculate the actual values of u1,3 and u3,1. 4. Employ 2 faulty bytes which are j0,2, j1,3, j2,0 or j3,1 to compute the actual values of u1,1 and u3,3. 5. Apply the MC operation to (u0,1, u1,1, u2,1, u3,1) and (u0,3, u1,3, u2,3, u3,3) to get the actual values of v0,1, v1,1, v2,1, v3,1, v0,3, v1,3, v2,3 and v3,3. We can i+3 i+3 i+3 i+3 retrieve K0,1 , K0,3 , K2,1 and K2,3 (see Fig. 7) by XORing v0,1 with γ0,1, v0,3 with γ0,3, v2,1 with γ2,1, and v2,3 with γ2,3. Differential Fault Analysis of LEX 13

− − i 1 i 1 Ki Ki i+1 i+1 i+2 i+2 i+3 i+3 K0,1 K0,3 0,0 0,2 K0,1 K0,3 K0,0 K0,2 K0,1 K0,3

− − i 1 i 1 Ki Ki i+1 i+1 i+2 i+2 i+3 i+3 K2,1 K2,3 2,0 2,2 K2,1 K2,3 K2,0 K2,2 K2,1 K2,3

Round i − 1 Round i Round i + 1 Round i + 2 Round i + 3 ⇓

Ki Ki i+2 i+2 0,1 0,3 K0,1 K0,3

Ki i+1 i+2 i+2 i+2 1,3 K1,3 ? K1,1 K1,2 K1,3

Ki Ki i+2 i+2 2,1 2,3 K2,1 K2,3

Ki i+1 i+2 i+2 i+2 3,3 K3,3 ? K3,1 K3,2 K3,3 Round i Round i + 1 Round i + 2 Fig. 8. The deduced key bytes

3.4 Deducing 10 more Key Bytes in Round i + 2

By employing the definition and the properties of the AES key schedule, we use the 20 recovered key bytes to deduce 10 more key bytes in Round i+2 (see Fig. 8). The steps of deducing these 10 key bytes are listed as follows, where SB−1 is the inverse of the byte substitution transformation and Rconi represents the round constant used to generate round key Ki.

i+2 i+2 i+2 i+2 1. Deduce K0,1 , K2,1 , K0,3 and K2,3 .

i+2 i+1 ⊕ i+2 K0,1 = K0,1 K0,0 , i+2 i+1 ⊕ i+2 K2,1 = K2,1 K2,0 , i+2 i+1 ⊕ i+2 K0,3 = K0,3 K0,2 , i+2 i+1 ⊕ i+2 K2,3 = K2,3 K2,2 .

i+2 i+2 2. Calculate K3,3 and K1,3 .

i+3 i+3 ⊕ i+2 i+2 ⊕ i+3 ⊕ i+2 ⊕ i+2 K2,1 = K2,0 K2,1 = SB(K3,3 ) RCON (2) K2,0 K2,1 i+2 ⊕ i+3 ⊕ i+1 = SB(K3,3 ) Rcon (2) K2,1 , i+2 −1 i+3 ⊕ i+3 ⊕ i+1 K3,3 = SB (K2,1 Rcon (2) K2,1 ), i+3 i+3 ⊕ i+2 i+2 ⊕ i+3 ⊕ i+2 ⊕ i+2 K0,1 = K0,0 K0,1 = SB(K1,3 ) Rcon (0) K0,0 K0,1 i+2 ⊕ i+3 ⊕ i+1 = SB(K1,3 ) Rcon (0) K0,1 , i+2 −1 i+3 ⊕ i+3 ⊕ i+1 K1,3 = SB (K0,1 Rcon (0) K0,1 ). 14 Jianyong Huang, Willy Susilo and Jennifer Seberry

i+2 i+2 3. Determine K3,1 and K1,1 . i i−1 ⊕ i K0,3 = K0,3 K0,2, i i−1 ⊕ i K2,3 = K2,3 K2,2, i+1 i+1 ⊕ i i ⊕ i+1 ⊕ i ⊕ i K2,1 = K2,0 K2,1 = SB(K3,3) Rcon (2) K2,0 K2,1 i ⊕ i+1 ⊕ i ⊕ i ⊕ i−1 = SB(K3,3) Rcon (2) K2,0 K2,0 K2,1 i ⊕ i+1 ⊕ i−1 = SB(K3,3) Rcon (2) K2,1 , i −1 i+1 ⊕ i+1 ⊕ i−1 K3,3 = SB (K2,1 Rcon (2) K2,1 ), i+2 i ⊕ i+2 K3,1 = K3,3 K3,3 , i+1 i+1 ⊕ i i ⊕ i+1 ⊕ i ⊕ i K0,1 = K0,0 K0,1 = SB(K1,3) Rcon (0) K0,0 K0,1 i ⊕ i+1 ⊕ i−1 = SB(K1,3) Rcon (0) K0,1 , i −1 i+1 ⊕ i+1 ⊕ i−1 K1,3 = SB (K0,1 Rcon (0) K0,1 ), i+2 i ⊕ i+2 K1,1 = K1,3 K1,3 . i+2 i+2 4. Decide K3,2 and K1,2 . i i−1 ⊕ i K0,1 = K0,1 K0,0, i i−1 ⊕ i K2,1 = K2,1 K2,0, i+2 i+2 ⊕ i+1 i+1 ⊕ i+2 ⊕ i+1 ⊕ i+1 K2,1 = K2,0 K2,1 = SB(K3,3 ) Rcon (2) K2,0 K2,1 i+1 ⊕ i+2 ⊕ i = SB(K3,3 ) Rcon (2) K2,1, i+1 −1 i+2 ⊕ i+2 ⊕ i K3,3 = SB (K2,1 Rcon (2) K2,1), i+2 i+1 ⊕ i+2 K3,2 = K3,3 K3,3 , i+2 i+2 ⊕ i+1 i+1 ⊕ i+2 ⊕ i+1 ⊕ i+1 K0,1 = K0,0 K0,1 = SB(K1,3 ) Rcon (0) K0,0 K0,1 i+1 ⊕ i+2 ⊕ i = SB(K1,3 ) Rcon (0) K0,1, i+1 −1 i+2 ⊕ i+2 ⊕ i K1,3 = SB (K0,1 Rcon (0) K0,1), i+2 i+1 ⊕ i+2 K1,2 = K1,3 K1,3 . In summary, we recover 14 key bytes of Round i + 2, and the 2 unknown key i+2 i+2 bytes (K1,0 and K3,0 , represented by a question mark) can be determined by exhaustive search with 216 operations.

4 Conclusions

We described a differential fault attack on LEX in this paper. We presented a method to decide the fault position by observing the changes of the key stream after a fault is injected. The attack makes use of the differential properties of the AES round transformations, the AES key schedule properties and the structural features of LEX. The proposed attack needs 40 faults and recovers the secret key of LEX with 216 time complexity. Differential Fault Analysis of LEX 15

References

1. Biham, E., Shamir, A.: Differential Cryptanalysis of the Data Encryption Standard. Springer, Heidelberg (1993) 2. Biham, E., Shamir, A.: Differential Fault Analysis of Secret Key Cryptosystems. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 513-525. Springer, Heidelberg (1997) 3. Biryukov, A.: A New 128-bit Key Stream Cipher LEX. ECRYPT stream cipher project report 2005/013. http://www.ecrypt.eu.org/stream (2005) 4. Biryukov, A.: The Design of a Stream Cipher LEX. In: Biham, E., Youssef, A.M. (eds.) SAC 2006. LNCS, vol. 4356, pp. 67-75. Springer, Heidelberg (2006) 5. Biryukov, A.: The Tweak for LEX-128, LEX-192, LEX-256. ECRYPT stream ci- pher project report 2006/037. http://www.ecrypt.eu.org/stream (2006) 6. Boneh, D., DeMillo, R.A., Lipton, R.J.: On the Importance of Checking Cryp- tographic Protocols for Faults (Extended Abstract. In: Fumy, W. (ed.) EURO- CRYPT 1997. LNCS, vol. 1233, pp. 37-51. Springer, Heidelberg (1997) 7. Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Springer, Heidelberg (2002) 8. Dunkelman, O., Keller, N.: A New Attack on the LEX Stream Cipher. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 539-556. Springer, Heidelberg (2008) 9. Englund, H., Hell, M., Johansson, T.: A Note on Distinguishing Attacks. In: Pre- proceedings of State of the Art of Stream Ciphers workshop (SASC 2007). Bochum, Germany, pp. 7378 (2007) 10. Hoch, J.J., Shamir, A.: Fault Analysis of Stream Ciphers. In: Joye, M., Quisquater, J.J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 240-253. Springer, Heidelberg (2004) 11. Kocher, P.C.: Timing Attacks on Implementations of Diffie-Hellman. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104-113. Springer, Heidelberg (1996) 12. Kocher, P.C., Jaffe, J., Jun, B.: Differential Power Analysis. In: Wiener, M.J. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388-397. Springer, Heidelberg (1999) 13. Matsui, M.: Linear Cryptanalysis Method for DES Cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386-397. Springer, Heidelberg (1993) 14. Mondal, M., Mukhopadhyay, D.: Related Key Cryptanalysis of the LEX Stream Cipher. http://eprint.iacr.org/2010/011 (2010) 15. Wu, H., Preneel, B.: Resynchronization Attacks on WG and LEX. In: Robshaw, M.J.B. (ed.) FSE 2006. LNCS, vol. 4047, pp. 422-432. Springer, Heidelberg (2006)

A Calculating the actual values of q0,0 and q2,2

Assume a fault is induced on f0,0 or f2,2 (Group 1 in Table 1), and suppose the faulty byte is f0,0. We create a formula, Formula (3), by employing the input and out differences of the MC operation in Round i + 1. We build another formula, Formula (4), with the input and out differences of the MC transformation in Round i + 2.     ∆y 0 0 0 ∆j 0 0 0  0,0   0,0           0 0 0 0   ∆j1,0 0 0 0    −→MC       (3)  0 0 0 0   ∆j 0 0 0     2,0 

0 0 0 0 ∆j3,0 0 0 0 16 Jianyong Huang, Willy Susilo and Jennifer Seberry

    ∆q 0 0 0 ∆r ∆r ∆r ∆r  0,0   0,0 0,1 0,2 0,3           0 0 0 ∆q1,3   ∆r1,0 ∆r1,1 ∆r1,2 ∆r1,3    −→MC       (4)  0 0 ∆q 0   ∆r ∆r ∆r ∆r   2,2   2,0 2,1 2,2 2,3 

0 ∆q3,1 0 0 ∆r3,0 ∆r3,1 ∆r3,2 ∆r3,3

1. In Formula (3), ∆y0,0 can be computed from the key stream of Round i ′ by using the values of g0,0 and g0,0. In the first columns of the input and output, there are 4 known bytes (∆y0,0 and 3 zero bytes) and 4 unknown bytes (∆j0,0, ∆j1,0, ∆j2,0 and ∆j3,0). The 4 unknown bytes can be decided by using the 4 known bytes. After ∆j0,0, ∆j1,0, ∆j2,0 and ∆j3,0 are decided, we know the values of ∆l0,0, ∆l1,0, ∆l2,0 and ∆l3,0. 2. In Formula (4), ∆r0,0 can be computed from the key stream of Round i + 2 ′ by using the values of s0,0 and s0,0. Similarly, we get the value of ∆r2,0. In the first columns of the input and output, there are 5 known bytes (∆r0,0, ∆r2,0 and 3 zero bytes) and 3 unknown bytes (∆q0,0, ∆r1,0 and ∆r3,0). We get the values of ∆q0,0, ∆r1,0 and ∆r3,0 by using the 5 known bytes. By using the same method to analyze the third columns of the input and output, we can deduce the values of ∆q2,2, ∆r1,2 and ∆r3,2 by employing the 5 known bytes (∆r0,2, ∆r2,2 and 3 zero bytes). 3. We know ∆o0,0 and ∆o2,0 because ∆q0,0 is equal to ∆o0,0 and ∆q2,2 is equal to ∆o2,0. Now we know the input differences (∆l0,0, ∆l2,0) and the corresponding output differences (∆o0,0, ∆o2,0) to the SB operation, and we ′ ′ can deduce 4 actual values for o0,0, o0,0, o2,0 and o2,0. Although we have ′ ′ 4 actual values for o0,0, o0,0, o2,0 and o2,0, we are not able to separate the ′ ′ correct values (o0,0 and o2,0) from the faulty ones (o0,0 and o2,0). To overcome this problem, we need one more fault induced on f0,0 and repeat the steps mentioned above to make the correct values emerge twice. After knowing ′ ′ the actual values of o0,0, o0,0, o2,0 and o2,0, we obtain the actual values of ′ ′ q0,0, q0,0, q2,2 and q2,2 after the SR operation.

B Computing the actual values of q1,0 and q3,2

Suppose a fault is induced on a byte which is f0,1, f1,2, f2,3 or f3,0 (Group 3 in Table 1). By using the input and out differences of the MC operation in Round i + 1, we establish a formula, Formula (5). By employing the input and out differences of the MC transformation in Round i + 2, we build another formula, Formula (6).     0 ∆y 0 0 0 ∆j 0 0  0,1   0,1           0 ∆y1,1 0 0   0 ∆j1,1 0 0    −→MC       (5)  0 ∆y 0 0   0 ∆j 0 0   2,1   2,1 

0 ∆y3,1 0 0 0 ∆j3,1 0 0     0 ∆q 0 0 ∆r ∆r ∆r ∆r  0,1   0,0 0,1 0,2 0,3           ∆q1,0 0 0 0   ∆r1,0 ∆r1,1 ∆r1,2 ∆r1,3    −→MC       (6)  0 0 0 ∆q   ∆r ∆r ∆r ∆r   2,3   2,0 2,1 2,2 2,3 

0 0 ∆q3,2 0 ∆r3,0 ∆r3,1 ∆r3,2 ∆r3,3 Differential Fault Analysis of LEX 17

1. In Formula (5), ∆j0,1 can be computed from the key stream of Round i + 1 ′ by using the values of l0,1 and l0,1, and ∆j2,1 can be computed from the ′ key stream of Round i + 1 by using the values of l2,1 and l2,1. In the second columns of the input and output, we employ Observation 1 and use the 5 known bytes (∆j0,1, ∆j2,1 and 3 zero input bytes) to decide the 2 unknown output bytes (∆j1,1 and ∆j3,1) and the position and the difference of the non-zero input byte. Assume the recovered non-zero input byte is ∆y2,1. 2. In Formula (6), ∆r0,0 can be computed from the key stream of Round i + 2 ′ by using the values of s0,0 and s0,0. Similarly, we get the value of ∆r2,0. In the first columns of the input and output, we use the 5 known bytes (∆r0,0, ∆r2,0 and 3 zero bytes) to decide the 3 unknown bytes (∆q1,0, ∆r1,0 and ∆r3,0). By using the same method to analyze the third columns of the input and output, we can deduce the values of 3 unknown bytes (∆q3,2, ∆r1,2 and ∆r3,2) by employing the 5 known bytes (∆r0,2, ∆r2,2 and 3 zero bytes). 3. We know ∆o1,1 and ∆o3,1 because ∆q1,0 is equal to ∆o1,1 and ∆q3,2 is equal to ∆o3,1. We now know the input differences (∆l1,1, ∆l3,1) and the corresponding output differences (∆o1,1, ∆o3,1) to the SB operation, and we ′ ′ can deduce 4 actual values for o1,1, o1,1, o3,1 and o3,1. Although we have 4 ′ ′ actual values for o1,1, o1,1, o3,1 and o3,1, we cannot distinguish the correct ′ ′ values (o1,1 and o3,1) from the faulty ones (o1,1 and o3,1). To address this issue, we need one more fault injected into f2,3 and repeat the above steps to make the correct values appear twice in both keystream processing. After ′ ′ knowing the actual values of o1,1, o1,1, o3,1 and o3,1, we know the actual ′ ′ values of q1,0, q1,0, q3,2 and q3,2 after the SR operation.

C Deducing the actual values of q2,0 and q0,2

Assume a fault is injected into a byte which is f0,2 or f2,0 (Group 1 in Table 1), and assume the faulty byte is f2,0. We create a formula, Formula (7), with the input and out differences of the MC operation in Round i + 1. We establish another formula, Formula (8), by employing the input and out differences of the MC transformation in Round i + 2.     0 0 0 0 0 0 ∆j 0    0,2           0 0 0 0   0 0 ∆j1,2 0    −→MC       (7)  0 0 ∆y 0   0 0 ∆j 0   2,2   2,2 

0 0 0 0 0 0 ∆j3,2 0     0 0 ∆q 0 ∆r ∆r ∆r ∆r  0,2   0,0 0,1 0,2 0,3           0 ∆q1,1 0 0   ∆r1,0 ∆r1,1 ∆r1,2 ∆r1,3    −→MC       (8)  ∆q 0 0 0   ∆r ∆r ∆r ∆r   2,0   2,0 2,1 2,2 2,3 

0 0 0 ∆q3,3 ∆r3,0 ∆r3,1 ∆r3,2 ∆r3,3

1. In Formula (7), ∆y2,2 can be computed from the key stream of Round i ′ by using the values of g2,0 and g2,0. In the third columns of the input and 18 Jianyong Huang, Willy Susilo and Jennifer Seberry

output, we use 4 known bytes (∆y2,2 and 3 zero bytes) to decide 4 unknown bytes (∆j0,2, ∆j1,2, ∆j2,2 and ∆j3,2). The values of ∆l0,2, ∆l1,2, ∆l2,2 and ∆l3,2 are also decided. 2. In Formula (8), ∆r0,0 can be computed from the key stream of Round i + 2 ′ by using the values of s0,0 and s0,0. Similarly, we get the value of ∆r2,0 by ′ using the values of ∆s2,0 and ∆s2,0. In the first columns of the input and output, we can use the 5 known bytes (∆r0,0, ∆r2,0 and 3 zero bytes) to decide the 3 unknown bytes (∆q2,0, ∆r1,0 and ∆r3,0). Similarly, we can use the 5 known bytes (∆r0,2, ∆r2,2 and 3 zero bytes) to decide the 3 unknown bytes (∆q0,2, ∆r1,2 and ∆r3,2) in the third columns of the input and output. 3. We know ∆o0,2 and ∆o2,2 because ∆q0,2 is equal to ∆o0,2 and ∆q2,0 is equal to ∆o2,2. We now know the input differences (∆l0,2, ∆l2,2) and the corresponding output differences (∆o0,2, ∆o2,2) to the SB operation, and we ′ ′ can deduce 4 actual values for o0,2, o0,2, o2,2 and o2,2. Although we have ′ ′ 4 actual values for o0,2, o0,2, o2,2 and o2,2, we cannot separate the correct ′ ′ values (o0,2 and o2,2) from the faulty ones (o0,2 and o2,2). To overcome this obstacle, we need one more fault injected into f2,0 and repeat the above steps because the correct values will emerge twice in both keystream processing. ′ ′ After knowing the actual values of o0,2, o0,2, o2,2 and o2,2, we know the actual ′ ′ values of q0,2, q0,2, q2,0 and q2,0 after the SR operation.