Improved Differential Fault Attack on LEA by Algebraic Representation of Modular Addition

Recently, as the number of IoT (Internet of Things) devices has increased, the use of lightweight cryptographic algorithms that are suitable for environments with scarce resources has also increased. Consequently, the safety of such cryptographic algorithms is becoming increasingly important. Among the threats to them, side-channel analysis methods are very realistic. In this paper, we propose a novel differential fault attack method on the Lightweight Encryption Algorithm (LEA) cipher, which became the ISO/IEC international standard lightweight cryptographic algorithm in 2019. Previously proposed differential fault attack methods on the LEA used the Single Bit Flip model, making them difficult to apply to real devices. The proposed attack method uses a more realistic attacker assumption, the Random Word Error model. We demonstrate that the proposed attack method can be implemented on real devices using an electromagnetic fault injection setup. Our attack method has the weakest attacker assumption among the attack methods proposed to date. In addition, the number of required fault-injected ciphertexts and the number of key candidates for which exhaustive search is performed are the lowest among all existing methods. Therefore, when implementing the LEA cipher on IoT devices, designers must apply appropriate countermeasures against fault injection attacks.


I. INTRODUCTION
Side-channel analysis (SCA) uses additional information, such as power consumption, electromagnetic emission, and sound, that occurs while a cryptographic algorithm is operating on a real device [1]. With the recent development of IoT technology, numerous IoT devices are being used extensively around the world, and the importance of lightweight cryptographic algorithms suitable for resource-scarce environments is increasing. Naturally, various threats to lightweight cryptographic algorithms have been considered, and SCA has been seriously considered as a real threat. Among the various SCA methods, this paper deals with the differential fault attack (DFA), an attack method that uses the difference between the normal ciphertext and fault-injected ciphertexts generated by injecting artificial faults while a cryptographic algorithm is running on a real device [2]. This paper targets the ARX-based lightweight block cipher LEA [3]. When operating cryptographic algorithms in resource-scarce environments, the LEA has proven to be much more advantageous than the AES [4]-[6]. The LEA guarantees security against traditional cryptanalysis [7], [8]; however, its vulnerability to SCA needs more consideration. Two DFA methods on the LEA have been proposed [9], [10]. These attacks use a fault model that flips a random single bit of the input words. The fault model used in a DFA is an important consideration. In order to flip a single bit in an actual microcontroller, strong attacker assumptions such as decapsulation or laser fault injection are required. Therefore, attackers are eager to find an attack method that uses a more relaxed fault model. If such an attack exists, the attacker can carry it out easily; thus it can be fatal. We propose a novel DFA method for the LEA.
The proposed method uses a relaxed fault model by employing a transformation mechanism that relies on the algebraic principle of the modular addition operation. In addition, we argue that this attack method is an extremely threatening DFA method on the LEA cipher by experimentally proving that it can operate in a realistic environment.

The associate editor coordinating the review of this manuscript and approving it for publication was Mohamad Afendee Mohamed.

A. OUR CONTRIBUTIONS
The primary contributions of this paper are as follows:
• First, we propose a novel DFA method on the LEA cipher. This attack uses Random Word Error as a fault model; therefore, compared to existing attack methods, it has a relaxed attacker assumption. In addition, the proposed method requires approximately 70.97% fewer fault-injected ciphertexts and the smallest number of key candidates for the exhaustive search, compared to previously proposed attacks.
• Second, we show that the proposed attack can be applied to real IoT devices. The existing attack methods showed that a DFA on the LEA cipher is theoretically possible through simulation. In contrast, we constructed an electromagnetic fault injection environment on an actual microcontroller and were able to reveal the secret key through this attack.
• Finally, our DFA method is applicable to other cryptographic algorithms that use modular addition operations, such as SPARX [11] and CHAM [12]. This method does not depend on the configuration of operations used in the cryptographic algorithm; it is an attack against the modular addition operation itself. Thus this method serves as a DFA that is not limited to a specific cryptographic algorithm.

A. DIFFERENTIAL FAULT ATTACKS
DFAs are a type of semi-invasive attack within SCA that combines differential analysis and the fault injection attack. The first DFA method was proposed in 1997 by Biham et al. on the DES [2]. Subsequently, DFA methods on various cryptographic algorithms have been studied [13]-[15]. Generally, in DFAs, it is assumed that fault-injected ciphertexts can be obtained by injecting artificial faults into particular registers while an encryption is operating on chosen plaintexts. An attacker guesses some information about the secret key using the differential between the normal ciphertext and the fault-injected ciphertexts. The difficulty of an attack method is determined by the type of faults injected and the number of fault-injected ciphertexts required. The commonly used fault injection models are as follows:
• Chosen Bit Flip: The attacker can target a chosen single bit or multiple bits of a specific word, and flip them.
• Single Bit Flip: The attacker can target a specific word and flip a single unknown bit.
• Random Byte Error: The attacker can target a specific word and change a specific byte.
• Random Word Error: The attacker can target a specific word and change its value to any unknown value.
When performing an actual fault injection attack, a fault model that requires choosing the affected bits, or flipping exactly one bit, is difficult to realize. Therefore, an attack method that uses a relaxed fault injection model would be extremely dangerous.

B. LEA
In this section we describe the lightweight symmetric block cipher LEA, introduced by Hong et al. [3]. The LEA became the ISO/IEC international standard lightweight cryptographic algorithm in 2019 [16], which increased interest in its usage in IoT environments [17], [18]. The LEA has an ARX-based (Addition, Rotation, XOR) GFN (Generalized Feistel Network) Type-III structure with 32-bit words. It has a 128-bit block size and key sizes of 128, 192, and 256 bits, with 24, 28, and 32 rounds, respectively. The LEA cipher is described according to the notations listed in Table 1, and the round function is as follows:

The key scheduling process of the LEA cipher is described for the LEA-128. The scheduling process for the LEA-192 and LEA-256 is described in the literature [3]. The key schedule consists of modular addition and rotation operations.

Here, it is evident that each word is generated independently during the key scheduling process.

The first method, proposed by Park et al. [9], is based on estimating a candidate group for the secret value through equations that calculate the differences between the normal ciphertext and fault-injected ciphertexts. This attack uses the Single Bit Flip model. It injects faults into the three input words of the last round and requires 300 fault-injected ciphertexts to reveal the secret key. Consequently, this attack reduces the number of key candidates to $2^{35}$ against the LEA-128. The second method was proposed by Jap et al. in 2015 [10]. This attack focuses on the carry-bits that occur in modular addition operations. The attacker can observe the changes in the carry-bit between the normal ciphertext and fault-injected ciphertexts and reveal the secret key bits sequentially from the LSB. This attack greatly reduced the attack complexity by attacking the penultimate round. Similar to the attack proposed by Park et al., this attack is also based on the Single Bit Flip model and injects faults into two input words.
If the attacker can determine the location of the injected faults, 62 fault-injected ciphertexts are required; if not, approximately 258 fault-injected ciphertexts are required. In the paper proposing this attack method [10], the authors state that four bits of the round key are not determined. However, our review found that seven bits are actually not determined, due to the 1-bit rotation operation in the key scheduling process. See STEP 4 in Section III-B for details.

D. ALGEBRAIC REPRESENTATION OF MODULAR ADDITION
Courtois et al. used an algebraic representation of the modular addition operation to analyze the resistance of the stream cipher Snow 2.0 against algebraic attacks [19]. The modular addition operation over $\mathrm{GF}(2^n)$ can be partly or totally linearized when the output value is fixed. In particular, it can be converted to a bit-wise equation system over the binary field $\mathrm{GF}(2)$ without carry variables. Here, we define binary representations for the $n$-bit words $A$, $B$, and $C$ as $A = (a_{n-1}, a_{n-2}, \ldots, a_0)$, $B = (b_{n-1}, b_{n-2}, \ldots, b_0)$, and $C = (c_{n-1}, c_{n-2}, \ldots, c_0)$, where index 0 denotes the LSB. The specific algebraic representation of the modular addition operation $A \boxplus B = C$ over $\mathrm{GF}(2^{32})$ is as follows:

$$\ldots \qquad c_{n-1} = a_{n-1} + b_{n-1} + a_{n-2} b_{n-2} + (a_{n-2} + b_{n-2})\,(a_{n-2} \ldots \tag{3}$$

From the above set of equations (3), it is evident that each carry-bit is generated from the information of the previous bits.

E. GRÖBNER BASES
A Gröbner basis is a subset of multivariate polynomials that makes it easy to calculate various properties of the polynomial ideal. Gröbner bases were first defined by Buchberger, who also proposed an algorithm to calculate them [20]. Gröbner bases are widely used to find polynomial solutions in modern computing environments. In particular, some studies have used them for cryptanalysis [21], [22]. The definitions and theory required for this paper are as follows:

• Monomial Ordering
A monomial ordering of all monomials in the polynomial ring $R[x_1, \ldots, x_n]$ is a relation that is a total order on monomials. As well as respecting multiplication, monomial orders are required to be well-orderings. The three most common monomial orders are lexicographic, graded lex, and graded reverse lex.

• Gröbner Bases
Let $G = \{g_1, \ldots, g_s\}$ be a finite subset of the ideal $I$ under the specified monomial order. If $\langle LT(g_1), \ldots, LT(g_s) \rangle = \langle LT(I) \rangle$ is satisfied, then $G$ is a Gröbner basis of $I$. $LT$ is the function that returns the leading term.

• Elimination Ideal
For . , x m ], and the elimination ideals differ according to the monomial order.

III. IMPROVED DIFFERENTIAL FAULT ATTACK ON LEA
In this section, we describe the proposed DFA method. This attack uses the Random Word Error model. With this fault model, the attacker assumptions are relaxed compared to traditional attacks that use a bit error model. The attack scheme is detailed using the LEA-128 as an example. The same procedure applies to the LEA-192 and LEA-256 to recover the secret key.

A. ANALYSIS OF MODULAR ADDITION
The proposed attack targets the 32-bit modular addition operation. This attack is designed based on the algebraic representation of modular addition introduced in Section II-D.
The modular addition value $C$ of the 32-bit variables $A$ and $B$ is expressed as $C = A \boxplus B$. If the attacker injects a fault into variable $B$, the fault-injected $B$ is represented by $B'$ and the fault value is represented by $\Delta B$. As a result, by injecting the fault into $B$, the fault propagates to $C$, which can be denoted $C'$. The fault-injected modular addition equation can be expressed as follows:

$$A \boxplus (B \oplus \Delta B) = C \oplus \Delta C \tag{4}$$

Suppose the attacker injects a fault $n$ times into an encryption process that uses a fixed plaintext. If the $i$-th fault injection equation is expressed as $A \boxplus (B \oplus \Delta B_i) = C \oplus \Delta C_i$, where $0 < i \le n$, the $n$ fault injections are expressed by the following system of equations (5):

$$\begin{cases} A \boxplus B = C \\ A \boxplus (B \oplus \Delta B_1) = C \oplus \Delta C_1 \\ \qquad \vdots \\ A \boxplus (B \oplus \Delta B_n) = C \oplus \Delta C_n \end{cases} \tag{5}$$

Only the rotation operation follows the modular addition in each branch of the round function of the LEA cipher; thus, the attacker can calculate the values of $\Delta B_i$ and $\Delta C_i$ $(= C \oplus C'_i)$ by inverting the rotation on the ciphertexts. Therefore, in the system of equations (5), only $A$ and $B$ are unknown. This system of equations can be solved using the theory introduced in Sections II-D and II-E. First, each equation is represented as a binary system of equations over $\mathrm{GF}(2)$. The system of equations (5), which consists of $(n + 1)$ equations over $\mathrm{GF}(2^{32})$, is transformed into a binary system of $32 \times (n + 1)$ equations over $\mathrm{GF}(2)$, as shown in the system of equations (6).

In the system of equations (6), only the 64 variables $a_0, a_1, \ldots, a_{31}$ and $b_0, b_1, \ldots, b_{31}$ are unknowns. We use Gröbner bases and the elimination theorem to solve the transformed system of equations. Denote the $t$-th bit of $A$ from the LSB as $a_t$, where $0 \le t < 32$. Since (6) is a binary system over $\mathrm{GF}(2)$, the simplest form of elimination ideal that can be generated takes the form $a_t = 0$ or $a_t + 1 = 0$. When $a_t = 0$ appears, $a_t$ is determined to be 0, and when $a_t + 1 = 0$ appears, $a_t$ is determined to be 1. If $n$ is sufficiently large, the lower 31 bits of $A$ and $B$ can be determined, excluding the MSBs, for which no information is available.
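As an added illustration (not code from the paper or its authors) of the representation in Section II-D and of the remark above that the MSBs of $A$ and $B$ carry no information, the following Python evaluates 32-bit modular addition with the standard GF(2) carry recurrence $r_0 = 0$, $r_{i+1} = a_i b_i + (a_i + b_i) r_i$, $c_i = a_i + b_i + r_i$ (assumed here to be the expansion behind equation (3)), cross-checks it against integer addition, and then shows that for any set of Random Word Error observations $(\Delta B_i, \Delta C_i)$ the pair $(A \oplus 2^{31}, B \oplus 2^{31})$ is indistinguishable from $(A, B)$, whereas a lower bit such as bit 30 is exposed as soon as a fault disturbs the carry chain through it. All function names and sample values are constructed for this example.

```python
"""Added example: GF(2) representation of 32-bit modular addition and the MSB ambiguity.
Not code from the paper; the carry recurrence below is the standard one."""
import random
from typing import List

WORD_BITS = 32
MASK = (1 << WORD_BITS) - 1


def to_bits(x: int, n: int = WORD_BITS) -> List[int]:
    """Bit vector with index 0 = LSB, matching the paper's A = (a_{n-1}, ..., a_0)."""
    return [(x >> i) & 1 for i in range(n)]


def from_bits(bits: List[int]) -> int:
    return sum(bit << i for i, bit in enumerate(bits))


def modadd_gf2(a: List[int], b: List[int]) -> List[int]:
    """Evaluate c = a (+) b using only GF(2) operations (XOR is '+', AND is the product).

    The carry into position i is the polynomial
        r_0 = 0,   r_{i+1} = a_i b_i + (a_i + b_i) r_i
    so c_i = a_i + b_i + r_i is a polynomial in a_j, b_j with j <= i only: there are
    no free carry variables, which is the form used in Section II-D, equation (3)."""
    n = len(a)
    c = [0] * n
    r = 0  # carry into the current bit position
    for i in range(n):
        c[i] = a[i] ^ b[i] ^ r
        r = (a[i] & b[i]) ^ ((a[i] ^ b[i]) & r)
    return c


def matches_integer_addition(a_int: int, b_int: int) -> bool:
    """Cross-check the GF(2) system against ordinary addition modulo 2^32."""
    c_bits = modadd_gf2(to_bits(a_int), to_bits(b_int))
    return from_bits(c_bits) == ((a_int + b_int) & MASK)


def fault_observations(a_int: int, b_int: int, faults: List[int]) -> List[int]:
    """For each Random Word Error ΔB_i applied to B, return ΔC_i = C ⊕ C'_i, where
    C' = A (+) (B ⊕ ΔB_i) is the faulty output (equations (4) and (5))."""
    c = (a_int + b_int) & MASK
    return [c ^ ((a_int + (b_int ^ delta_b)) & MASK) for delta_b in faults]


def msb_pair_indistinguishable(a_int: int, b_int: int, faults: List[int]) -> bool:
    """(A, B) and (A ⊕ 2^31, B ⊕ 2^31) yield the same C and the same ΔC_i for every fault:
    flipping both MSBs changes A + B by 0 or ±2^32, which vanishes modulo 2^32.
    This is why the analysis can recover only the lower 31 bits of A and B."""
    top = 1 << (WORD_BITS - 1)
    a_alt, b_alt = a_int ^ top, b_int ^ top
    same_c = ((a_int + b_int) & MASK) == ((a_alt + b_alt) & MASK)
    return same_c and fault_observations(a_int, b_int, faults) == fault_observations(a_alt, b_alt, faults)


def observations_differ(a1: int, b1: int, a2: int, b2: int, faults: List[int]) -> bool:
    """True if at least one fault separates two (A, B) hypotheses that share the same C,
    i.e. a lower bit does leak once a fault disturbs the carry chain through it."""
    return fault_observations(a1, b1, faults) != fault_observations(a2, b2, faults)


if __name__ == "__main__":
    rng = random.Random(2020)  # constructed sample inputs; fixed seed for reproducibility
    for _ in range(1000):
        a, b = rng.getrandbits(WORD_BITS), rng.getrandbits(WORD_BITS)
        assert matches_integer_addition(a, b)
    faults = [rng.getrandbits(WORD_BITS) for _ in range(6)]
    print("MSB pair indistinguishable:", msb_pair_indistinguishable(0x12345678, 0x9ABCDEF0, faults))
    # Moving bit 30 from A to B keeps C = 0x40000000, but a fault through bit 30 separates the two.
    print("bit-30 swap detected:", observations_differ(0x40000000, 0, 0, 0x40000000, [0x40000000]))
```

The block keeps the carry as a running value rather than as a variable of the system, which is exactly the point of the representation: each $c_i$ can be written out as a polynomial in the lower-indexed $a_j$, $b_j$, so a solver never has to guess carries. The last check also explains why the key-candidate counts in Section III-C come in powers of two: every modular addition leaves exactly one undetermined bit pair.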

B. PROPOSED DFA SCHEME
The proposed attack requires ciphertexts with faults injected into each of the three words $X_{22}[0]$, $X_{23}[1]$, and $X_{23}[2]$. The assumption that fault-injected ciphertexts are required for each of the three words may seem strong. However, if the fault is injected into the last or penultimate round of the LEA cipher, the word with the injected fault is easily identified from the indexes of the ciphertext words affected by the fault, as shown in Table 2. Therefore, the attacker assumption for the proposed attack is realistic and reproducible. After acquiring the ciphertexts with faults injected into the desired word, the attack process consists of the following five steps.

[STEP 1] Analyze $RK_{23}[0]$ from ciphertexts with faults injected into $X_{22}[0]$. At this step, analysis is performed using ciphertexts whose faults are injected into the 0-th input word of the penultimate round, $X_{22}[0]$, as shown in Figure 1. The modular addition that uses $RK_{23}$
In addition, $C$ and $C'$ can be calculated through ciphertexts. The attacker can reveal the lower

[STEP 2] . . . $[2]$ from ciphertexts with faults injected into $X_{23}[1]$. This step uses the ciphertexts where the fault is injected into the 1-st input word of the last round, $X_{23}[1]$, as shown in Figure 2. The modular addition that uses $RK_{23}[2]$ and $RK_{23}[3]$ is analyzed.
In addition, $C$ and $C'$ can be calculated through ciphertexts. As in STEP 1, the attacker can use the attack scheme to determine the lower 31 bits of $B$. As a result, the attacker can reveal the lower 31 bits of $RK_{23}[4]$ from ciphertexts with faults injected into $X_{23}[2]$.

In STEP 3, the attacker uses the ciphertexts with the fault injected into the 2-nd input word of the last round, $X_{23}[2]$, as shown in Figure 3. The modular addition that uses $RK_{23}[4]$ and $RK_{23}[5]$ is analyzed. $X_{23}[3] \oplus RK_{23}[5]$ is substituted for $A$, $X_{23}[2] \oplus RK_{23}[4]$ is substituted for $B$, and $ROL_3(X_{24}[2])$ is substituted for $C$. STEP 3 is performed in the same way as STEP 2. As a result, the attacker can reveal the lower 31 bits of $RK_{23}[3] \oplus RK_{23}[4]$.

[STEP 4] Reduce the number of candidates for $RK_{23}[5]$. The attacker has no information about $RK_{23}[5]$; therefore, $RK_{23}[5]$ must be estimated. To reduce the $RK_{23}[5]$ candidates, the attacker needs information about $X_{23}[3]$. Therefore, the analysis is performed in the penultimate round by reusing the ciphertexts used in STEP 1, as shown in Figure 1. The attacker analyzes the modular addition that uses $X_{22}[3]$.

[STEP 5] Reveal the master key. Since $RK_{23}[1]$, $RK_{23}[3]$, and $RK_{23}[5]$ are identical in the LEA-128, the attacker can determine all bits of the last round key except seven through the previous steps. The attacker performs a brute-force search over the undetermined bits; since only seven bits remain, the correct secret key is obtained in a short time.

C. ATTACK PERFORMANCE
Figure 4 shows the average number of revealed bits of $A$ and $B$ as a function of the number of fault-injected ciphertexts when the analysis of $A \boxplus B = C$ is performed. If the attacker acquires more than six fault-injected ciphertexts, 31 bits of the round key can be fully analyzed, excluding the MSB. In our proposed DFA method, analysis is performed on four modular additions, two of which can use the same ciphertexts whose faults were injected into the same input word. Therefore, the attacker can successfully execute the attack proposed in this paper using at least 18 fault-injected ciphertexts. The proposed attack obtains four candidates each for $RK_{23}[0]$, $RK_{23}[1] \oplus RK_{23}[2]$, and $RK_{23}[3] \oplus RK_{23}[4]$, and two candidates for $RK_{23}[5]$. Therefore, there are $2^7$ candidates for the LEA-128 because $RK_{23}[1]$, $RK_{23}[3]$, and $RK_{23}[5]$ are identical.

IV. EXPERIMENT FOR REAL DEVICE
In this section, through experiments performed in an actual electromagnetic fault injection environment, we demonstrate that the proposed attack method is effective on real devices. First, we observed the electromagnetic trace produced when the LEA-128 cipher is operated. Based on observation of the electromagnetic traces, we injected faults during operation of the LEA-128 using the appropriate parameters. We obtained a sufficient number of fault-injected ciphertexts and revealed the secret key using the proposed DFA method.

A. EXPERIMENTAL ENVIRONMENT
Figure 5 shows the environment setup for the electromagnetic fault injection attack. In the figure, solid lines denote required configurations and dotted lines indicate optional configurations. The oscilloscope is responsible for collecting the electromagnetic traces generated while the cryptographic algorithm is operating and for observing the trigger signal. Riscure's Spider [23] controls the target board and the EM-FI Transient Probe [24]. The EM-FI Transient Probe moves along the XYZ axes and injects electromagnetic faults. The Control PC uses the Inspector software [25] to control the electromagnetic fault injection environment and to process and analyze the collected data. In our experimental environment, we used the Riscure Piñata board [26], which uses an Arm Cortex-M4F microcontroller [27]. The LEA-128 cryptographic algorithm was implemented on the Piñata board using 32-bit intermediate variables and was compiled using the GNU Arm Embedded Toolchain version 4.8 [28]. The electromagnetic faults were injected using a probe tip with a diameter of 1.5 mm and positive polarity. The delay was set such that faults were injected randomly between the start of the 21st round and the end of the last round. Table 3 shows some of the experimental results from the Inspector software. Case x refers to ciphertexts with faults injected into the 0-th input word of the penultimate round, case y to ciphertexts with faults injected into the 1-st input word of the last round, and case z to ciphertexts with faults injected into the 2-nd input word of the last round. In each of the three cases, it was possible to obtain more than ten ciphertexts with injected faults. To analyze the modular additions, the elim and slimgb functions of the SINGULAR library [29] were used.
It takes approximately one second to analyze one modular addition operation, and the number of candidates for the last round key is reduced to $2^7$. Finally, we confirmed the correct secret key through a brute-force search. Table 4 compares previously proposed attacks with the proposed attack, showing the fault models used, the fault injection positions, the number of required fault-injected ciphertexts, and the number of key candidates for which exhaustive search must be conducted. While the number of key candidates is the same as in a previous study [10], the number of fault-injected ciphertexts is significantly smaller.

V. CONCLUSION
In this paper, we have proposed a novel DFA on the ARX-based lightweight block cipher LEA. For this attack, we used an algebraic representation of modular addition and Gröbner bases. As a result, we were able to reduce the number of required fault-injected ciphertexts by approximately 70.97% and use a relaxed fault model compared to the previously proposed attacks. The attack methods that use the Single Bit Flip model are difficult to perform on real devices because they require strong attacker assumptions such as chip decapsulation. Our proposed attack, in contrast, uses the Random Word Error model. In addition, using an electromagnetic fault injection setup, we demonstrated experimentally that our attack can be performed on real devices. When lightweight cryptography such as the LEA cipher is used in IoT devices, the practical attack method we proposed is fatal; therefore, it is essential to apply appropriate countermeasures against fault injection attacks [30], [31]. In future work, we will extend our attack technique to other block ciphers that use modular addition operations and design appropriate countermeasures for resource-scarce environments such as IoT devices.