Fault Detection of the Camellia Cipher Against Single Byte Differential Fault Analysis

Appl. Math. Inf. Sci. 6-3S, No. 3, 951-957 (2012). Applied Mathematics & Information Sciences, An International Journal. © 2012 NSP Natural Sciences Publishing Cor.

Wei Li (1,2,3), Xiaoling Xia (1,*) and Yi Wang (4)

1 School of Computer Science and Technology, Donghua University, Shanghai 201620, China
2 Shanghai Key Laboratory of Integrate Administration Technologies for Information Security, Shanghai 200240, China
3 State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China
4 Department of Information Science and Technology, East China University of Political Science and Law, Shanghai 201601, China
* Corresponding author: Xiaoling Xia, e-mail: [email protected]

Received: Jul 8, 2011; Revised Oct. 4, 2011; Accepted Oct. 6, 2011

Abstract: Camellia is a 128-bit block cipher published by NTT and Mitsubishi in 2000. Since differential fault analysis of Camellia was first proposed, much work has been devoted to realizing a more efficient differential fault analysis. It is a very strong analysis against ciphers: when a single fault is injected into one of the last several rounds of encryption, the whole secret key can be recovered. Thus, how to detect the faults injected into the Camellia cipher with low overhead is an open problem. This paper gives an answer to this problem by presenting a fault detection for the Camellia block cipher in the single-byte fault model. Our result can detect the faults at negligible cost even when they are injected into the last three rounds.

Keywords: Cryptanalysis, Fault Detection, Camellia.

1. Introduction

During the last twenty years a new class of attacks against cryptographic devices has become public. These attacks exploit easily accessible information like power consumption, running time and input-output behavior under malfunctions, and can be mounted by anyone using only low-cost equipment [1-3]. These side-channel attacks amplify and evaluate leaked information with the help of statistical methods, and are often much more powerful than classical cryptanalysis. Examples show that a very small amount of side-channel information is enough to completely break a cryptosystem [4]. While many previously known cryptanalytic attacks can be analyzed by studying algorithms, the vulnerabilities of side-channel attacks result from the electrical behavior of the transistors and circuits of an implementation. This ultimately compromises cryptography, and shifts the top priority in cryptography from the further improvement of algorithms to the prevention of such attacks by reducing variations in timing, power and radiation from the hardware, and by reducing the observability of system behavior after fault injection. Therefore, it theoretically extends the current mathematical models of cryptography to the physical setting, which takes side-channel attacks into consideration [5, 6].

As one of the side-channel attacks, differential fault analysis was first proposed by E. Biham and A. Shamir as an attack on DES in 1997 [7]. Similar attacks have been applied to AES [8-12], ARIA [13] and Camellia [14-16], among others. The DFA attack derives information about the secret key by examining the differences between a ciphertext resulting from a correct operation and a ciphertext of the same initial message resulting from a faulty operation.

As a 128-bit block cipher, Camellia was jointly developed by Nippon Telegraph and Telephone Corporation (NTT) and Mitsubishi Electric Corporation (Mitsubishi) in 2000 [17]. It has now been selected as an international standard by ISO/IEC, adopted by cryptographic evaluation projects such as NESSIE and CRYPTREC, and taken up in the standardization activities at IETF. In 2009, Camellia was integrated into OpenSSL 1.0.0 (beta1) and gradually became one of the most widely used block ciphers worldwide. Therefore, the strength of Camellia against various cryptanalytic techniques has been analyzed, including differential fault analysis, differential cryptanalysis, linear cryptanalysis, impossible differential cryptanalysis, collision attack and so on [18-19].

In the literature, some work has been published on the security of Camellia implementations against differential fault analysis [14-16]. These attacks are based on the byte-oriented fault model. They can recover the secret key of Camellia when the error occurs randomly at any position in the last three rounds. To improve the attacking efficiency, the location of the fault injection is not the same as the location of the subkeys that will be recovered. For example, to recover the subkeys in the last round, they induce errors in the penultimate round. This kind of fault injection can derive multiple bytes of one subkey and avoids decreasing the efficiency of the fault injection.

In order to resist the above attacks, we propose a fault detection technique to protect Camellia against the previous attacks. Our work not only helps to detect the errors with a low overhead in space and time, but can also be applied in hardware or software implementations. The idea of this attack and the related countermeasure are naturally suitable for other Feistel block ciphers.

The rest of this paper is organized as follows. Section 2 briefly introduces the Camellia cipher. The next two sections present the differential fault analysis and the previous fault detections. Then section 5 shows our fault detection and its simulation on Camellia. Finally section 6 concludes the paper.

Figure 1. The structure of Camellia.

2. Description of Camellia

For simplicity, Camellia-128/192/256 denote the three versions of Camellia that use 128, 192 and 256 bits of secret key, respectively. Camellia is a $d$-round Feistel block cipher, where $d$ is 18 for Camellia-128 and 24 for Camellia-192/256 [17]. It has 128-bit XOR operations before the first round and after the last round, called the prewhitening layer and the postwhitening layer, respectively. In every round, the round function $F$ is composed of a nonlinear $S$-function and a linear $P$-function. After the 6th and 12th rounds (and the 18th round for Camellia-192/256), Camellia has the $FL/FL^{-1}$ function (see Fig. 1). For the rest of this paper, we will use Camellia to refer to the 128-bit secret key version, unless otherwise stated.

2.1. Notations

The following notations are used to describe the Camellia cipher. Let $X \in (\{0,1\}^8)^{16}$ be the plaintext and $Y \in (\{0,1\}^8)^{16}$ be the ciphertext. Let $k_r \in (\{0,1\}^8)^{16}$ denote the $r$-th subkey derived from the secret key $K$, with $1 \le r \le d$. Let $Y^* = (Y^*_L, Y^*_R)$ be the faulty ciphertext. Let $L_{r-1}$ and $R_{r-1}$ be the left and the right halves of the $r$-th round input, with $1 \le r \le d$. Let $M_{r-1}$ be the input of the $F$-function, with $1 \le r \le d$. Let $|\Delta Y|$, $|\Delta Y_L|$ and $|\Delta Y_R|$ be the number of erroneous bytes in $\Delta Y$, $\Delta Y_L$ and $\Delta Y_R$. The key schedule part generates the subkeys $k_r$, $kl_v$ and $kw_t$ from the secret key $K$, where $1 \le r \le d$, $1 \le t \le 4$ and $1 \le v \le 4$ (or $1 \le v \le 6$ for Camellia-192/256).

2.2. Structure

Camellia is composed of three procedures: encryption, decryption and the key schedule. The encryption procedure is described as follows:

Step 1.
$L_0 \| R_0 = X \oplus (kw_1 \| kw_2).$ (1)

Step 2. For $r = 1$ to $d$ do the following:
If $r = 6$ or $12$ (or $18$ for Camellia-192/256),
$L_r = R_{r-1} \oplus F(L_{r-1}, k_r),$ (2)
$R_r = L_{r-1},$ (3)
$L_r = FL(L_r, kl_{r/3-1}),$ (4)
$R_r = FL^{-1}(R_r, kl_{r/3}).$ (5)
else
$L_r = R_{r-1} \oplus F(L_{r-1}, k_r),$ (6)
$R_r = L_{r-1}.$ (7)

Step 3.
$Y = (R_d \oplus kw_3) \| (L_d \oplus kw_4).$ (8)

The round function $F$ is defined below:
$(L_{r-1}, k_r) \mapsto C_r = P(S(L_{r-1} \oplus k_r)),$ (9)
where $S$ and $P$ are defined as follows:
$S : (\mathbb{F}_2^8)^8 \to (\mathbb{F}_2^8)^8,$ (10)
$(a_{1,r} \| a_{2,r} \| \cdots \| a_{8,r}) \mapsto (b_{1,r} \| b_{2,r} \| \cdots \| b_{8,r}),$ (11)
$b_{1,r} = s_1(a_{1,r}),$ (12)
$b_{2,r} = s_2(a_{2,r}),$ (13)
$b_{3,r} = s_3(a_{3,r}),$ (14)
$b_{4,r} = s_4(a_{4,r}),$ (15)
$b_{5,r} = s_2(a_{5,r}),$ (16)
$b_{6,r} = s_3(a_{6,r}),$ (17)
$b_{7,r} = s_4(a_{7,r}),$ (18)
$b_{8,r} = s_1(a_{8,r}),$ (19)
where $s_1$, $s_2$, $s_3$ and $s_4$ are the $8 \times 8$ S-boxes.
$P : (\mathbb{F}_2^8)^8 \to (\mathbb{F}_2^8)^8,$ (20)
$(b_{1,r} \| b_{2,r} \| \cdots \| b_{8,r}) \mapsto (c_{1,r} \| c_{2,r} \| \cdots \| c_{8,r}),$ (21)

3.2. Basic procedure

The basic procedure of this attack is as follows. The correct ciphertext is obtained when a plaintext is encrypted with a secret key. We induce a random error in some round of the encryption, and thus obtain a faulty ciphertext. By differential fault analysis, the XOR value of the last subkey can be recovered. Then we can decrypt the correct ciphertext to obtain the input of the last round, which is the output of the penultimate round. At last we repeat the above procedure to deduce more related values of the subkeys until the secret key is obtained via the key schedule.

4. Differential fault detections on Camellia

Countermeasures against fault attacks can help a cryptographic algorithm to avoid, detect or correct faults. In practice, many proposed schemes are based on fault detection, including code-based techniques and redundancy-based techniques [20-26].

4.1.
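As an added illustration (not code from the paper), the following Python model implements the final Feistel rounds of eq. (6)-(8) with the round function of eq. (9) and counts |ΔY_L| and |ΔY_R| for a single byte fault injected into the F-function input M of the last, penultimate or antepenultimate round, which is what a detector for the last three rounds has to catch. The P-function byte equations are Camellia's as given in RFC 3713 (not shown on this page); the S-boxes, plaintext and subkeys are constructed stand-ins, and the FL layers are omitted because rounds 16-18 of Camellia-128 contain none.

```python
# Stand-in for the four Camellia S-boxes: a constructed byte bijection, so a
# nonzero input difference always yields a nonzero output difference.
SBOX = [(7 * x + 3) & 0xFF for x in range(256)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def s_func(a):
    # S-function of eq. (10)-(19), here with one stand-in S-box per position
    return [SBOX[x] for x in a]

def p_func(y):
    # P-function of eq. (20)-(21); byte equations are Camellia's (RFC 3713, 2.4)
    y1, y2, y3, y4, y5, y6, y7, y8 = y
    return [y1 ^ y3 ^ y4 ^ y6 ^ y7 ^ y8, y1 ^ y2 ^ y4 ^ y5 ^ y7 ^ y8,
            y1 ^ y2 ^ y3 ^ y5 ^ y6 ^ y8, y2 ^ y3 ^ y4 ^ y5 ^ y6 ^ y7,
            y1 ^ y2 ^ y6 ^ y7 ^ y8, y2 ^ y3 ^ y5 ^ y7 ^ y8,
            y3 ^ y4 ^ y5 ^ y6 ^ y8, y1 ^ y4 ^ y5 ^ y6 ^ y7]

def f_func(l, k, fault=None):
    # F of eq. (9), P(S(L xor k)); `fault` = (byte index, error) XORs one byte of M
    m = xor(l, k)
    if fault is not None:
        m[fault[0]] ^= fault[1]
    return p_func(s_func(m))

def final_rounds(l, r, subkeys, kw3, kw4, fault_round=None, fault=None):
    # Feistel rounds of eq. (6)-(7) followed by the postwhitening of eq. (8).
    # Rounds 16-18 of Camellia-128 carry no FL layer, so none is modelled.
    for i, k in enumerate(subkeys):
        l, r = xor(r, f_func(l, k, fault if i == fault_round else None)), l
    return xor(r, kw3), xor(l, kw4)  # (Y_L, Y_R)

def erroneous_bytes(y, y_star):
    # (|dY_L|, |dY_R|): bytes differing between the right and faulty ciphertext
    return tuple(sum(a != b for a, b in zip(h, hs)) for h, hs in zip(y, y_star))

def fault_spread(fault_round, byte_index, error=0x01):
    # Constructed sample inputs; fault_round 2 = last round d, 1 = penultimate
    l, r = list(range(8)), list(range(8, 16))
    subkeys = [[(s * 17 + j) & 0xFF for j in range(8)] for s in (16, 17, 18)]
    kw3, kw4 = [0xA5] * 8, [0x5A] * 8
    y = final_rounds(l, r, subkeys, kw3, kw4)
    y_star = final_rounds(l, r, subkeys, kw3, kw4, fault_round, (byte_index, error))
    return erroneous_bytes(y, y_star)

if __name__ == "__main__":
    for rnd in (2, 1, 0):  # a fault in byte 0 of M in each of the last three rounds
        print("fault round", rnd, "-> (|dY_L|, |dY_R|) =", fault_spread(rnd, 0))
```

A fault in M of the last round leaves Y_L untouched and corrupts 5 or 6 bytes of Y_R (the number of P-function outputs depending on the faulted byte), while a fault one round earlier already shows up in both halves.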
