
1 Introduction

In recent years, the Internet of Things (IoT), as a new information network technology, has been booming, accompanied by an endless stream of new devices including smart-home devices, wearable devices, medical implants and other battery-operated portable equipment. These devices constantly produce, process, transfer and store private information (wearable equipment, for instance), or even exercise security-critical control over people's lives, as heart pacemakers do. Inevitably, there is growing concern about their actual security. Fortunately, cryptographic techniques are a reliable way to meet these security requirements. As a result, resource-constrained devices such as the RFID tags and sensing nodes used in the IoT have drawn great attention to lightweight ciphers, which feature low latency, small area, low energy consumption and hardware-friendly design. In this flourishing field, several lightweight block ciphers have been proposed in the last few years, including HIGHT [1], CLEFIA [2], PRESENT [3], KATAN [4], PRINCE [5], LED [6], Piccolo [7], SIMON/SPECK [8], Midori [9] and so on.

Midori was published at ASIACRYPT 2015 by Banik et al. [9] with two variants, Midori-64 and Midori-128, both optimized for the energy consumption criterion. The optimization mainly consists of replacing 8-bit Sboxes with 4-bit Sboxes and using almost MDS (Maximum Distance Separable) binary matrices instead of MDS matrices. By adopting this energy-efficient architecture, Midori appears to be a promising cipher that offers low latency and small area at the same time. However, the security (both mathematical and practical) of a lightweight cipher is vital, as it is the key to protecting the security-sensitive information inside IoT devices from attackers. On the one hand, several works have studied the mathematical security of Midori by means of classical cryptanalysis, including differential/linear cryptanalysis [9], impossible differential cryptanalysis [10], meet-in-the-middle attacks [11], and truncated differential and related-key differential attacks [12]. Nonetheless, these cryptanalyses have not identified any serious weakness with respect to mathematical properties. On the other hand, practical security also plays a key role, but for Midori no public literature has studied its practical security so far.

Other than classical cryptanalysis, differential fault attack (DFA) is a typical form of cryptanalysis on cryptographic devices (implementations). It was first proposed by Biham and Shamir [13] against DES-like cryptosystems. After that, several similar attacks have been proposed to analyze AES [14,15,16], Triple-DES [17], SMS4 [18, 19], LED [20] and others. In essence, a DFA exploits the subtle relationship between the secret key and the behaviour of the device under malfunctions to launch a key recovery attack. Typically, it derives information about the secret key from the difference between a correct and a faulty ciphertext (of the same plaintext). Thus, besides selecting a suitable fault model, the key to a DFA in practice is to determine whether a fault injection has succeeded. None of the aforementioned DFA methods point out how to filter the proper faulty ciphertexts. For instance, although the DFA method described in [16] needs only one faulty ciphertext to recover the 128-bit secret key, discriminating and sorting out the applicable faulty ciphertext is a major difficulty. On the other hand, determining the fault location also influences the analysis complexity. If it is unknown, an exhaustive search is needed to cover all possibilities, and the computational complexity is multiplied accordingly. Therefore, if the precise positions could be deduced directly from the faulty and correct ciphertexts, the attack complexity would decrease dramatically. For Midori, the almost MDS matrix used in its permutation layer gives an unexpected convenience for solving both the filtering and the positioning problem; thus, from a security point of view, this feature poses a great threat to its practical security against attacks like DFAs.

In this paper, we first illustrate a crucial vulnerability in Midori caused by the almost MDS binary matrix. We begin by investigating the fault propagation property of a single fault induced in the antepenultimate round of encryption, then examine the difference between correct and faulty ciphertext and analyze the positions of the nonzero differentials. Distinct patterns emerge that connect the fault position with the nonzero-differential positions, and these patterns can be exploited to deduce the corrupted positions. This fact also suggests that (lightweight) cipher designers must make tradeoffs between security and performance metrics like latency and energy consumption. Based on this observation, we propose a new cell-oriented differential fault analysis method against both Midori-64 and Midori-128, as they adopt the same overall structure. Our attack adopts a cell-oriented fault model, and the fault injection position can be inferred using only the correct and faulty ciphertexts. By retrieving the related subkeys, our method reduces the secret key search space by \(2^{48}\) and \(2^{96}\) using only two faulty ciphertexts for Midori-64 and Midori-128, respectively.

The rest of this paper is organized as follows. Section 2 briefly introduces the block cipher Midori. Section 3 investigates the cell-oriented fault propagation of Midori. Then Sect. 4 proposes our DFA method, and Sect. 5 summarizes the attacking complexity and experiments. Finally Sect. 6 concludes the paper.

2 Description of Block Cipher Midori

Midori consists of two variants, Midori-64 and Midori-128. Their block sizes n are 64 bits and 128 bits respectively, and the key size is 128 bits for both. Midori adopts a typical Substitution-Permutation Network structure; its state matrix is a 4\(\,\times \,\)4 cell matrix, where the cell size m is 4 bits for Midori-64 and 8 bits for Midori-128. The state matrix S is defined as follows:

$$\begin{aligned} S = \left( \begin{array}{cccc} s_{0} \ &{}s_{4} \ &{}s_{8} \ &{}s_{12} \\ s_{1} \ &{}s_{5} \ &{}s_{9} \ &{}s_{13} \\ s_{2} \ &{}s_{6} \ &{}s_{10} \ &{}s_{14} \\ s_{3} \ &{}s_{7} \ &{}s_{11} \ &{}s_{15} \end{array} \right) , \end{aligned}$$

where \(s_0, s_1,\ldots , s_{15}\) are the sixteen cells. Midori is composed of encryption, decryption and a key schedule; the overall structure of encryption is depicted in Fig. 1, and the two variants of Midori are compared in Table 1.

Fig. 1. Overall structure of Midori (Encryption), R = 16 for Midori-64 and R = 20 for Midori-128. WK is the whitening key and \(RK_i\) is the round key.

Table 1. The comparison of two Midori variants

2.1 Encryption and Decryption

For Midori, both encryption and decryption consist of R rounds of a round function. Each round consists of four transformations: SubCell, ShuffleCell, MixColumn and KeyAdd. The plaintext is divided into 16 cells and rearranged into the state matrix S. The overall structure of encryption is pictured in Fig. 1 and the four transformations are described in the following.

  • SubCell ( SuC ): For Midori-64, apply the 4-bit Sbox Sb\(_0\) to each cell of the state matrix S: \(s_i\leftarrow Sb_0(s_i)\). For Midori-128, the 4-bit Sb\(_0\) is replaced by the 8-bit Sboxes SSb\(_0\), SSb\(_1\), SSb\(_2\), SSb\(_3\) (each composed of two 4-bit Sb\(_1\) and two bit-permutations [9]), namely \(s_i\leftarrow SSb_{i\ mod\ 4}(s_i)\), where \(0\le i\le 15\).

  • ShuffleCell ( ShC ): Each cell of the state S is permuted as follows: \((s_0,s_1,\ldots ,s_{15})\leftarrow (s_{0},s_{10},s_{5},s_{15},s_{14},s_{4},s_{11},s_{1},s_{9},s_{3},s_{12},s_{6},s_{7},s_{13},s_{2},s_{8})\).

  • MixColumn ( MC ): M is applied to every 4m-bit column of the state matrix S, i.e., \(^{t}(s_{i},s_{i+1},s_{i+2},s_{i+3})\leftarrow M\cdot ^{t}(s_{i},s_{i+1},s_{i+2},s_{i+3})\) for \(i=0,4,8,12\). Here M and its inverse matrix \(M'\) are defined as:

    $$\begin{aligned} M = M' = \left( \begin{array}{cccc} 0 \ &{}1 \ &{}1 \ &{}1 \\ 1 \ &{}0 \ &{}1 \ &{}1 \\ 1 \ &{}1 \ &{}0 \ &{}1 \\ 1 \ &{}1 \ &{}1 \ &{}0 \end{array} \right) \end{aligned}$$

  • KeyAdd ( AK ): The i-th n-bit round key \(RK_{i}\) is XORed into the state matrix S.

Table 2. 4-bit bijective Sbox Sb\(_0\) and Sb\(_1\) in hexadecimal form [9]

The decryption procedure shares the whole structure with encryption, except that ShuffleCell is replaced by its inverse and the round keys \(RK_i\) are used in the order R to 0 (Fig. 1).

2.2 Key Schedule

For Midori-64, the 128-bit secret key K is the concatenation of two 64-bit keys \(K_0\) and \(K_1\); thus \(WK=K_0\oplus K_1\) and the round key \(RK_{i}=K_{(i-1)\ mod\ 2}\oplus \alpha _{i-1}\), where \(1\le i\le 15\). For Midori-128, \(WK=K\) and \(RK_{i}=K\oplus \beta _{i-1}\), where \(1\le i\le 19\). Note that \(\alpha _{i}\) and \(\beta _{i}\) are constants, and \(\alpha _{i}=\beta _{i}\) for \(0\le i\le 14\).

2.3 Notations

The following notations are used throughout the rest of the paper.

  • \(X^i, X^{i}_{j}\): \(X^i\) is the output of the i-th round, \(i=1,2,\ldots ,R\); thus \(X^0\) is defined as the plaintext and \(X^{R}=C\) is the ciphertext. \(X^{i}_{j}\) is the j-th cell of \(X^i\), \(j=0,1,\ldots ,15\).

  • \(SuC^i, ShC^i, MC^i, AK^i\): the state matrices after SubCell, ShuffleCell, MixColumn and KeyAdd of the i-th round, respectively. In particular, \(AK^R = X^R\) is the ciphertext.

  • \(RK^{i}\): the round key used in the i-th round function, \(i=1,2,\ldots ,R-1\), and \(RK^{0}=WK,\ RK^{R}=WK\).

  • \(\varDelta X\): the difference of two state matrices X and \(X'\).

3 Cell-Oriented Fault Propagation Analysis

In this section, we investigate the propagation of a single cell-oriented fault induced into the input of the (R-2)-th round function.

3.1 Fault Propagation in Last Three Rounds

Since faults induced into the input of the last round or the penultimate round have simple diffusion patterns, we focus on a single cell-oriented random fault injected into the input of the antepenultimate round. As depicted in Fig. 2, the single-cell fault f induced before the antepenultimate round is changed into \(f'\) after SubCell and remains unchanged after ShuffleCell; MixColumn then infects the other three cells of the same column with the identical differential \(f'\) (while the faulty cell itself becomes difference-free, since the diagonal of M is zero), and these differentials stay the same after the KeyAdd transformation. The differential values evolve in the (R-1)-th round just as in the (R-2)-th round, and trivially in the R-th round because the permutation layer is omitted in the last round. Thus the output differentials equal the XOR of the correct and a faulty ciphertext, or of two faulty ciphertexts.

Fig. 2. The fault propagation through the last three rounds; the fault is induced into the first cell of the state matrix. \(f, f', F_i\) and \(F_{i,j}\) are the differentials of two corresponding intermediate states, where \(i,j=1,2,3\).

3.2 Cell-Oriented Fault Propagation Patterns

Distinct association patterns can be observed between the positions of the nonzero differentials and the position of the single cell-oriented fault. Specifically, as pictured in Fig. 3, a fault in any one cell of the input of the antepenultimate round results in nine faulty cells with a unique pattern. These patterns can be inferred straightforwardly from the correct and faulty ciphertexts alone; that is, the position of the corrupted cell in the state matrix S can be uniquely determined. The essential reason for these patterns is the almost MDS matrix applied in the permutation layer of Midori. The fault propagation patterns of the four cells in the first column of the state matrix are depicted in Fig. 3 (fault position j = 0 is detailed in Fig. 2).

Fig. 3. The fault propagation patterns of the four cells in the first column; f is the fault differential and its position corresponds to the fault injection position.

In Midori, all design choices are made to save energy, including the use of \(4\times 4\) almost MDS binary matrices instead of \(4\times 4\) MDS matrices. However, because the branch number of the almost MDS matrix [9] is 4, one nonzero active input leads to three nonzero active outputs in the same column, and to nine nonzero active outputs after two rounds of transformations. As a result, the diffusion is weak enough that distinct patterns of faulty positions can be found. Compared with the MDS matrix applied in AES (Advanced Encryption Standard), where one nonzero active input leads to sixteen nonzero active outputs after two rounds of the round function, so that there is no obvious association pattern between the fault injection position and the nonzero differential positions in the output, the difference is stark.

From the viewpoint of practical security, this energy-efficient almost MDS matrix gives rise to a vulnerability, especially against differential fault attacks. This fact demonstrates that (lightweight) cipher designers must make tradeoffs between security and performance metrics like latency and energy consumption. For practical security, a full-diffusion MDS matrix is evidently preferable to an almost MDS matrix for SPN-structure ciphers.
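The position patterns of Sect. 3.2, and the contrast with an MDS matrix, can be checked with a small active-cell model of the ShuffleCell and MixColumn of Sect. 2.1. The following Python code is an added example, not code from the paper or from the Midori designers; it tracks only which cells carry a nonzero difference (SubCell and KeyAdd never change that), and `FULL_DIFFUSION` is an assumed stand-in for the nonzero pattern of an MDS matrix such as the one in AES.

```python
# Active-cell (truncated differential) model of a single-cell fault through
# the last three Midori rounds. Added example, not code from the paper.
# ShuffleCell as given in Sect. 2.1: new cell k receives old cell SHUFFLE[k].
SHUFFLE = (0, 10, 5, 15, 14, 4, 11, 1, 9, 3, 12, 6, 7, 13, 2, 8)

# Zero/nonzero pattern of the column matrix. ALMOST_MDS is Midori's M (zero
# diagonal, branch number 4). FULL_DIFFUSION stands for an MDS matrix such as
# the one in AES MixColumns (every entry nonzero, branch number 5); only the
# pattern matters for which cells can be active, not the field coefficients.
ALMOST_MDS = ((0, 1, 1, 1), (1, 0, 1, 1), (1, 1, 0, 1), (1, 1, 1, 0))
FULL_DIFFUSION = ((1, 1, 1, 1),) * 4


def shuffle_cell(active):
    """Permute a set of active cell indices with ShuffleCell."""
    return {k for k in range(16) if SHUFFLE[k] in active}


def mix_column(active, matrix):
    """Propagate active cells through MixColumn, one 4-cell column at a time.
    Exact whenever a column holds at most one active input, which is the case
    for the single fault of Fig. 2; with several active inputs it reports the
    worst case because value cancellations are ignored."""
    out = set()
    for col in range(0, 16, 4):
        in_rows = [r for r in range(4) if col + r in active]
        for r in range(4):
            if any(matrix[r][i] for i in in_rows):
                out.add(col + r)
    return out


def ciphertext_pattern(fault_cell, matrix=ALMOST_MDS):
    """Cells whose ciphertext differential may be nonzero after a single-cell
    fault at the input of round R-2. SubCell and KeyAdd never change which
    cells are active, and the last round has no permutation layer, so only
    the ShuffleCell/MixColumn of rounds R-2 and R-1 move the pattern."""
    active = {fault_cell}
    for _ in range(2):
        active = mix_column(shuffle_cell(active), matrix)
    return frozenset(active)


def pattern_table(matrix=ALMOST_MDS):
    """Ciphertext pattern for each of the 16 possible fault positions."""
    return {j: ciphertext_pattern(j, matrix) for j in range(16)}


def position_identifiable(matrix=ALMOST_MDS):
    """True if all 16 fault positions leave pairwise different patterns, i.e.
    the corrupted cell can be read off one correct/faulty ciphertext pair."""
    return len(set(pattern_table(matrix).values())) == 16


if __name__ == "__main__":
    for name, m in (("almost MDS (Midori)", ALMOST_MDS), ("MDS", FULL_DIFFUSION)):
        sizes = sorted({len(p) for p in pattern_table(m).values()})
        print(f"{name}: active ciphertext cells {sizes}, "
              f"fault position identifiable: {position_identifiable(m)}")
    # A fault in cell 0 reproduces Eq. 2: cells 4, 5, 6 active, cell 7 zero.
    print("fault at cell 0 ->", sorted(ciphertext_pattern(0)))
```

With Midori's matrix every fault position yields a distinct 9-cell pattern, while the MDS stand-in activates all 16 cells for every position and therefore leaks nothing about where the fault was.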

4 Cell-Oriented Differential Fault Analysis on Midori

As pictured in Fig. 2, the fault propagation patterns are clear. Let us denote the correct ciphertext by \(C = X^{R} = AK^{R}\) and the faulty ciphertext by \(C' = X'^{R} = AK'^{R}\); then the differential \(\triangle C\) is

$$\begin{aligned} \triangle C = C\oplus C' = X^{R} \oplus X'^{R} \end{aligned}$$
(1)

For the (R-1)-th round, the output differential has three nonzero values, equal to \(F_1, F_2, F_3\), respectively. Thus, due to the involution property of the Sboxes used in Midori, for \(F_1\) we have the following four equations:

$$\begin{aligned} \begin{aligned} F_1&= SuC(C_{4}\oplus RK^{R}_{4})\oplus SuC(C'_{4}\oplus RK^{R}_{4}) \\ F_1&= SuC(C_{5}\oplus RK^{R}_{5})\oplus SuC(C'_{5}\oplus RK^{R}_{5}) \\ F_1&= SuC(C_{6}\oplus RK^{R}_{6})\oplus SuC(C'_{6}\oplus RK^{R}_{6}) \\ 0&= SuC(C_{7}\oplus RK^{R}_{7})\oplus SuC(C'_{7}\oplus RK^{R}_{7}) \end{aligned} \end{aligned}$$
(2)

where \(F_1\in \mathbb {F}_{2^m}\), with \(m=4\) for Midori-64 and \(m=8\) for Midori-128. These four equations can be solved for the three subkey cells \(RK^R_4, RK^R_5, RK^R_6\). The key search space of this triple of key cells is reduced from \((2^m)^3 = 2^{3m}\) to an expected value of \(2^m\). Similar equations can be deduced for \(F_2\) and \(F_3\); thus, after combining these three classes of equations, the whole key search space related to \(F_1, F_2\) and \(F_3\) is reduced from \(2^{9m}\) to \(2^{3m}\).

Continuing this method, let \(X^{R-2}\) be the output of the (R-2)-th round; then its first column is:

$$\begin{aligned} \begin{aligned} X^{R-2}_0 =&\ SuC(SuC(C_{1}\oplus RK^{R}_{1})\oplus RK^{R-1}_{1}\oplus SuC(C_{2}\oplus RK^{R}_{2}) \\&\oplus RK^{R-1}_{2} \oplus SuC(C_{3}\oplus RK^{R}_{3})\oplus RK^{R-1}_{3}) \\ X^{R-2}_1 =&\ SuC(SuC(C_{4}\oplus RK^{R}_{4})\oplus RK^{R-1}_{4}\oplus SuC(C_{5}\oplus RK^{R}_{5}) \\&\oplus RK^{R-1}_{5} \oplus SuC(C_{6}\oplus RK^{R}_{6})\oplus RK^{R-1}_{6}) \\ X^{R-2}_2 =&\ SuC(SuC(C_{12}\oplus RK^{R}_{12})\oplus RK^{R-1}_{12}\oplus SuC(C_{13}\oplus RK^{R}_{13}) \\&\oplus RK^{R-1}_{13} \oplus SuC(C_{15}\oplus RK^{R}_{15})\oplus RK^{R-1}_{15}) \\ X^{R-2}_3 =&\ SuC(SuC(C_{8}\oplus RK^{R}_{8})\oplus RK^{R-1}_{8}\oplus SuC(C_{10}\oplus RK^{R}_{10}) \\&\oplus RK^{R-1}_{10} \oplus SuC(C_{11}\oplus RK^{R}_{11})\oplus RK^{R-1}_{11}) \\ \end{aligned} \end{aligned}$$
(3)

Thus, considering its cell-oriented differentials at the output of the (R-2)-th round:

$$\begin{aligned} \begin{aligned} 0&= \triangle X^{R-2}_0 = X^{R-2}_0\oplus X'^{R-2}_0 \\ f'&= \triangle X^{R-2}_1 = X^{R-2}_1\oplus X'^{R-2}_1 \\ f'&= \triangle X^{R-2}_2 = X^{R-2}_2\oplus X'^{R-2}_2 \\ f'&= \triangle X^{R-2}_3 = X^{R-2}_3\oplus X'^{R-2}_3 \end{aligned} \end{aligned}$$
(4)

Consequently, the interrelation between the subkey cells in these equations further reduces the subkey search space. Likewise, the first output cell of the (R-3)-th round and its nonzero differential are:

$$\begin{aligned} \begin{aligned} X^{R-3}_0&= SuC(X^{R-2}_1\oplus RK^{R-2}_1\oplus X^{R-2}_2\oplus RK^{R-2}_2\oplus X^{R-2}_3\oplus RK^{R-2}_3) \\ f&= X^{R-3}_0 \oplus X'^{R-3}_0 \end{aligned} \end{aligned}$$
(5)

Combining Eqs. 2, 4 and 5, only twelve subkey cells are essentially involved in nonzero differential operations, so the key search space is reduced by an expected factor of \(2^{12m}\).

5 Attacking Complexity and Experimental Results

5.1 Attacking Complexity

In essence, differential fault analysis utilizes the interrelationship between the input differential and the output differential of the SubCell. For Midori, this relationship is defined as follows [18]:

$$\begin{aligned} \begin{aligned} INs(\triangle x, \triangle y) =&\ \{z \mid z\in \mathbb {F}_{2^m},\ SuC(z)\oplus SuC(z\oplus \triangle x) = \triangle y\} \\ Ns(\triangle x, \triangle y) =&\ \#\{z \mid z\in \mathbb {F}_{2^m},\ SuC(z)\oplus SuC(z\oplus \triangle x) = \triangle y\} \end{aligned} \end{aligned}$$
(6)

Then, for Midori's last-round SubCell, using the first equation of Eq. 2 with \(\triangle x = C_{4}\oplus C'_{4}\) and \(\triangle y =F_1\), the candidates for the subkey cell can be recovered as \(RK^{R}_{4} = C_4\oplus INs\). Candidates for the other subkey cells can be derived similarly.

Note that the maximum differential probability [9] of SubCell is \(2^{-2}\); namely, the maximum of Ns equals \(16\times 2^{-2}=4\) for Midori-64 and \(256\times 2^{-2}=64\) for Midori-128. That is, for fixed \(\triangle x, \triangle y\), the maximum number of subkey cell candidates is 4 and 64 for Midori-64 and Midori-128, respectively. Specifically, for \(Sb_0\) and \(Sb_1\), used in Midori-64 and Midori-128 respectively, if \(Ns(\triangle x, \triangle y)\) is nonzero then it equals 2 with probability 75.0% (72/96) for \(Sb_0\) and 85.71% (90/105) for \(Sb_1\). Since the SubCell of Midori-128 is constructed from \(Sb_1\), if it is split into two \(Sb_1\) instances the attack complexity can be reduced dramatically.
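As an added example (not code from the paper), the following Python computes INs and Ns of Eq. 6 for Midori's 4-bit Sbox \(Sb_0\) and the design metrics derived from them; the \(Sb_0\) table is the one published in the Midori specification [9], since the paper's Table 2 is not reproduced here. It shows the designer's side of the same quantity: the largest Ns is the number of key-cell candidates a single differential pair can leave, and the involution property is what allows Eq. 2 to use SuC for the inverse last-round SubCell.

```python
# INs and Ns of Eq. 6 for Midori's 4-bit Sbox Sb0, as a design-evaluation
# metric. Added example, not code from the paper. The Sb0 table is the one
# published in the Midori specification [9] (the paper's Table 2 is not
# reproduced on this page).
from collections import Counter

SB0 = (0xc, 0xa, 0xd, 0x3, 0xe, 0xb, 0xf, 0x7,
       0x8, 0x9, 0x1, 0x5, 0x0, 0x2, 0x4, 0x6)
M = 4  # cell size in bits for Midori-64


def is_involution(sbox):
    """Midori's Sboxes are involutions; this is what lets Eq. 2 write the
    inverse of the last-round SubCell as SuC itself."""
    return all(sbox[sbox[z]] == z for z in range(len(sbox)))


def ins(dx, dy, sbox=SB0):
    """INs(dx, dy): all cell values z with S(z) ^ S(z ^ dx) == dy (Eq. 6)."""
    return {z for z in range(1 << M) if sbox[z] ^ sbox[z ^ dx] == dy}


def ns(dx, dy, sbox=SB0):
    """Ns(dx, dy): the number of such z, i.e. |INs(dx, dy)|."""
    return len(ins(dx, dy, sbox))


def ddt(sbox=SB0):
    """Full differential distribution table, indexed as table[dx][dy]."""
    return [[ns(dx, dy, sbox) for dy in range(1 << M)] for dx in range(1 << M)]


def max_ns(sbox=SB0):
    """Largest Ns over nonzero input differentials. max_ns / 2^m is the
    maximum differential probability of the Sbox (2^-2 for Sb0 per [9]), and
    it bounds how many key-cell candidates one differential pair can leave."""
    table = ddt(sbox)
    return max(table[dx][dy] for dx in range(1, 1 << M) for dy in range(1 << M))


def nonzero_histogram(sbox=SB0):
    """How often each nonzero Ns value occurs for dx != 0; the paper's 72/96
    figure for Sb0 is the share of these entries that equal 2."""
    table = ddt(sbox)
    return Counter(table[dx][dy] for dx in range(1, 1 << M)
                   for dy in range(1 << M) if table[dx][dy])


if __name__ == "__main__":
    print("Sb0 is an involution:", is_involution(SB0))
    print("INs(1, 2) =", sorted(ins(1, 2)), " Ns(1, 2) =", ns(1, 2))
    print("max Ns:", max_ns(), " nonzero Ns histogram:", dict(nonzero_histogram()))
```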

Since at least two faults are required to uniquely determine the subkey cell candidates in Eq. 2, we intersect the subkey cell candidates obtained from multiple faults induced in the same round (optional). Given that two faults are induced in the same cell position of the (R-2)-th round's input, three nonzero differentials are obtained by pairwise combination. Therefore, for Midori-128, at least two faulty ciphertexts are required to recover nine cells of \(RK^{R}\) and three cells of \(RK^{R-1}\). Considering that \(RK^{R-1}= K\oplus \beta _{R-2}\) and \(K = WK = RK^{R}\), twelve cells of the secret key K can be deduced, and its secret key search space is reduced from \(2^{128}\) to \(2^{32}\) at best. For Midori-64, two faulty ciphertexts can only recover nine cells of \(RK^{R}\) and three cells of \(RK^{R-1}\), so the secret key search space decreases by an expected factor of \(2^{48}\) (\(=2^{12m}\)).

5.2 Experimental Results

We implemented our attack on a PC using Matlab R2014b (64-bit) with a 2.60 GHz CPU and 4 GB of memory. The fault injection was simulated by software commands. We use equations similar to Eq. 2 to illustrate our attack applied to Midori-64. Two simulated faults were induced into the first cell of the (R-1)-th round's input, namely \(X^{R-2}_0\), and the corrupted value is kept unknown.

Table 3. Subkey cell recovery for \(RK^{R}_1,RK^{R}_2\) and \(RK^{R}_3\) using two faulty ciphertexts

Considering \(Ns(\triangle x,\triangle y)\) of \(Sb_0\), the number of nonzero input differentials \(\triangle x\) is 15, so all combinations of two distinct differentials give only 105 (\(=15\times 14/2\)) elements. In consequence, as tabulated in Table 3, the three subkey cells of \(RK^{R}\) can be recovered with over 80% probability using only two faulty ciphertexts.

On the basis of the above experiments, for Midori-128 the attack complexity in practice is estimated at \(2^9\cdot (3e^2+3e)\) \((=12\cdot C^2_{(e+1)}\cdot 2^8)\), where e denotes the number of faults induced in the same cell position. For Midori-64, with the same setting, the attack complexity is estimated at \(2^5\cdot (3e^2+3e)\).

6 Conclusions

In this paper, based on the cell-oriented fault propagation patterns existing in Midori, we presented a differential fault analysis method against its two variants Midori-64 and Midori-128. Our method directly exploits these patterns to uniquely determine the corrupted positions, which results in its low attack complexity. In particular, the secret key search space is reduced from \(2^{128}\) to \(2^{32}\) for Midori-128 and from \(2^{128}\) to \(2^{80}\) for Midori-64. In addition, our experimental results confirm that the almost MDS matrix used in the permutation layer results in a vulnerability that can be exploited by practical attacks like DFAs. This result evidently provides new design advice to cipher designers.