Single-Byte Error-Based Practical Differential Fault Attack on Bit-Sliced Lightweight Block Cipher PIPO

With the recent development of the Internet of Things (IoT), related device use is increasing rapidly. As a result, accessing and hijacking the devices is an increasing security threat. The challenges of side-channel security of IoT devices are having a way of coming to the surface due to this physical accessibility. Accordingly, there is active research on lightweight block ciphers to provide security even in resource-scarce environments situations such as IoT. The bit-sliced structure increases memory and time efﬁciency using an implementation method that replaces a lookup table with a bit-wise operation. Therefore, it is a widely-used design technique for lightweight block ciphers. In this paper, we show a differential fault attack study, a type of side-channel analysis, targeting bit-sliced block ciphers. In particular, it proposes a novel attack rationale on the recently proposed lightweight block cipher PIPO and shows that it applies sufﬁciently to other bit-sliced block ciphers. The proposed attack is based on a more alleviated attacker’s assumption than the previously proposed attack, and it shows that less than 32 fewer fault ciphertext may fully recover the 128-bit of the PIPO 64/128 secret key. It proves that the attack is practical by verifying the attack through the actual electromagnetic fault injection. It also discusses the applicability of various bit-sliced block ciphers and shows how redundancy-based countermeasures might improve fault-robustness. Therefore, when using the bit-sliced block ciphers on IoT devices, we recommend applying appropriate countermeasures against fault injection attacks.


I. INTRODUCTION
Side-channel analysis (SCA) is a type of cryptanalysis that uses physical information, such as power consumption, electromagnetic emission, and timing, that can be may occur when cryptographic algorithms run on real hardware [1]. Even if cryptography is mathematically secure, the vulnerability of physical information is a critical issue because cryptographic algorithms always operate on real devices. SCA necessitates direct or indirect device access. With the advancement of IoT and smart devices, the use of these devices has increased, naturally providing attackers with several opportunities to gain access to or hijack devices.
The associate editor coordinating the review of this manuscript and approving it for publication was Mohamad Afendee Mohamed .
In this context, SCA security has become critical factor to consider.
Differential fault attack (DFA) is a type of SCA in which a secret key is analyzed using difference information generated by inducing a fault in the operation of the device [2]. Easy access to the device further highlights the significance of DFA in particular. This is because access to the target device and fault induction problems, which is the critical problem of DFA, is solved. Naturally, various studies on DFA, especially efforts to realize DFA is in progress. The difficulty of DFA depends on the attacker's assumption, and from the attacker's point of view, DFA methods that can analyze the secret key are required even if the attacker's assumption is weak. The weak attacker's assumption we consider implies that there is no fault-inducing capability at the precise time and no single-bit fault-inducing capability. If there is logic to attack in this environment, it can be a fatal threat because the spectrum of attackers becomes wide. Realizing the DFA requires performing a fault injection (FI) attack. Example of FI attacks include laser fault injection (laser-FI) [3], electromagnetic wave fault injection (EM-FI) [4], clock/power glitch [5], [6], and others. Advances in FI technology have accelerated the realization of DFA. Now, when a novel cipher is designed, a security analysis for DFA is inevitable.
With the advent of the lightweight era, various lightweight block ciphers are being designed, and security test for lightweight block ciphers is essential [7], [8]. Plug-In Plug-Out (PIPO) is a bit-sliced lightweight block cipher designed with the concept of SCA resilient-friendly [9]. The PIPO has the advantage of having less overhead when applying statistical SCA countermeasures such as masking, so it can achieve two goals: SCA security and lightweight. The PIPO is being actively studied from the perspective of security analysis, optimization implementation, and countermeasure design [10]- [13]. Bit-sliced implementations have advantages in lightweight environments such as IoT because they reduce the memory burden required to store the substitution table and improve speed through parallelization of the substitution layers. Compared to the interest in the security of lightweight cryptography, the studies on DFA, especially the bit-sliced implementation, are insufficient. Therefore, additional security evaluations are required for DFA against bit-sliced ciphers. Unlike the S-Box of other SPN-based ciphers, the S-Layer of the bit-sliced implementation has a characteristic that when an error occurs in one byte, it propagates to all bytes. We conducted a study on the DFA method that can overcome these difficulties. Therefore, in this paper, we propose the logic of the DFA, which can pose a real threat to the PIPO among bit-sliced block ciphers.
The primary contributions of this paper are as follows: • Proposing the practical model-based DFA on the lightweight block cipher PIPO. The logic we propose is based on single-byte errors at random positions and is a practical attack that requires fewer fault ciphertexts while alleviating the attacker's assumption compared to the previously proposed DFA.
• Showing the applicability of the proposed DFA against other bit-sliced ciphers. The proposed DFA is designed to fit the bit-sliced structure. We demonstrate how the proposed DFA can be simply applied to other bit-sliced block ciphers.
• Validating of the proposed DFA with EM-FI. We demonstrated the practical applicability of the proposed attack with direct EM-FI attacks. It shows that the proposed attack is a critical threat to the level that can be performed on a real device.
• Demonstrating the robustness of FI for PIPO to which the countermeasure is applied. We implemented a redundancy-based countermeasure for the PIPO and demonstrated its effectiveness against FI attacks. This emphasizes the need to devise countermeasures while using PIPO in the real world.
Section II of the paper begins with a description of PIPO, DFA, and EM-FI. It also introduces a DFA logic that has been previously studied against bit-sliced block ciphers. Section III describes the logic of the novel DFA on PIPO and shows improvements compared to previous studies. Section IV shows how to apply the proposed logic to other bit-sliced block ciphers. Section V shows the EM-FI evaluation results for the real device, and section VI shows the redundancy-based countermeasure and the FI results when applied. Finally, Section VII concludes the paper with a conclusion and future works.

II. BACKGROUNDS A. PIPO
PIPO is a lightweight block cipher with an SPN structure proposed by Kim et al. in 2020 [9]. It is designed for bit-sliced implementation to increase memory and time efficiency by processing the S-Box in parallel as a bit-wise operation. And it encrypts 64-bit blocks and can efficiently apply the SCA countermeasure, which has the advantage of less overhead generated when masking is applied compared to other block ciphers. Depending on the key size, it is divided into the PIPO 64/128 and the PIPO 64/256 and consists of 13 rounds and 17 rounds, respectively. Table 1 shows the notations used to explain the algorithms and attacks in this paper, and Figure 1 shows the overall structure of the PIPO. The PIPO consists of a structure in which S-Layer, R-Layer, and AddRoundKey are repeated after the whitening key is added. The intermediate value 64-bit of the PIPO can be expressed in the 8 × 8 matrix, as show in Figure 2. As stated in the following equation, each  byte is divided and stored in row units, and the bit-sliced implemented S-Layer is accomplished by bit-wise operation between rows.
On the other hand, the S-Box operation is performed in column units from the S-Box perspective. That is, the a j col value of Figure 2 is used as an input to the S-Box. When a bit-slicing operation that turns over the storage scheme between rows and columns are defined as BitS, the S-Layer operation is expressed as follows: The PIPO's key schedule has a simple structure in which the secret key is divided by 64-bit and repeatedly used, with round constants added for each round. The key schedule of PIPO 64/128 is expressed as follows: DFA is a type of semi-invasive attack within SCA that combines traditional differential analysis and FI attacks. The DFA mechanism was first proposed in 1997 by Biham and Shamir [2]. Starting with DES, research on the DFA has been steadily conducted for various cryptographic algorithms [14]- [17]. In the DFA, the attacker can cause malfunction by injecting artificial faults at specific times during an encryption operation. Additionally, he can observe and collect fault ciphertexts that have occurred. The attacker deduces secret information by comparing and using the difference values between the normal and fault ciphertext. When performing the DFA in a real world, the feasibility of the attack depends on the fault model. According to the FI scale and its positioning capability, the fault model is classified as follows: • FI Scale -Bit flip: A single-bit of the precise position desired by the attacker belonging to a specific byte/word is flipped. -Byte Error: A specific byte is altered to a random value that the attacker does not know. -Word Error: A specific word is altered to a random value that the attacker does not know.  The smaller the FI scale, the stronger the attacker's assumption. Furthermore the attacker's assumption is strong when the fault position must be specified. The DFA can be performed in a real environment using techniques such as a row-hammer attack, laser-FI, and EM-FI, among others. Although EM-FI has difficulties realizing a strong fault model, relatively practical attacks are possible. This paper proposes DFA logic for the PIPO based on a relaxed attacker's assumption at a reproducible level through EM-FI.

C. ELECTROMAGNETIC FAULT INJECTION ATTACK
EM-FI attacks can equally induce logic timing violations similar to those caused by clock glitch attacks, and can also cause transistor malfunctions that voltage glitchs and laser-FI attacks can cause. The probe tip used for EM-FI has a form in which a copper coil is coiled around a ferrite. The EM field is formed around the coil by allowing an instantaneous current to flow in this coil. The generated EM pulse penetrates the metal layer of the target chip and can induce voltage glitches and eddy currents in circuit loops. As a result, the transistor may malfunction, allowing for attacks such as altering data stored in memory or skipping instruction. In the case of the EM-FI attack, unlike the laser-FI attack, it is possible to inject faults by scanning the surface of the target board without a decapsulation process. Unlike row-hammer attack, it does not necessitate an accurate memory address. Therefore it can be practically used for attack.

D. PREVIOUS DFA ON THE BIT-SLICED BLOCK CIPHERS
The block ciphers proposed for the purpose of bit-sliced implementation include ROBIN [21], RECTANGLE [22], PRIDE [23], PIPO, etc. The DFA logic on each cipher has been proposed, but it is often targeted at a table lookup implementation of that cipher [24]. DFA research on actual bit-sliced implementation block ciphers is lacking. Sinha and Karmakar proposed the DFA on bit-sliced implemented RECTANGLE-80 in 2018 [18]. They observed the exhaustive searching range according to the fault model based on forcing the bit to be 0, the continuous bits flip, and the entire bit flip, etc. However, the strong fault model with coerciveness and continuity deal is impractical, and the relatively weak fault model has a limitation in that the exhaustive search range is large. In other words, there is no logic to fully analyzing the secret key. Lac et al. proposed a bit flip-based DFA for LS-Design-based cipher SCREAM in 2017 [19]. And, Lim et al. first proposed the DFA on PIPO in 2021 [20]. Their proposed logic is based on a single-bit flip model. Since FI must be performed for all bits, they presume that the attacker can determine the byte position where the faults are injected. Table 2 shows a comparison of previous DFA studies on bit-sliced block ciphers. Most of the previous studies require precise fault based on bit flip, and only one has carried out an actual FI attack. Therefore, we explored the DFA logic based on the byte error model to perform an easier FI attack based on the alleviated attacker's assumption. In particular, the detailed comparison with [20], which targets the same cipher PIPO, is made in Section III-C.

III. PROPOSED DFA ON PIPO
In this section, we describe the proposed DFA method for the PIPO. This attack uses the random byte error model. With this fault model, the attacker's assumption is mitigated, compared with previous attack using the single-bit flip model. Using the PIPO 64/128 as an example, the attack strategy is described in detail. The same attack is repeated on additional rounds to fully retrieve the secret key for the PIPO 64/256.

A. ATTACKER'S ASSUMPTION
The attacker can gain access to or acquire a device that encrypts using the PIPO and can cause a fault with respect to a single-byte when the PIPO operates encryption. However, the attacker cannot specify the position of the byte where the fault occurs, and the target byte changes to an arbitrary value that the attacker is unaware of. He can observe normal and fault ciphertexts and collect as many fault ciphertexts as needed to perform the attack. Faults are injected into the S-Layer input of the lower round, and normal and fault ciphertext occurs. He does not need to know the precise memory location information required for the attack. However, the round operation starting point can be identified through simple power analysis, allowing the approximate FI timing can be regulated.
B. PROPOSED DFA SCHEME Figure 4 shows an overview of the proposed DFA on the PIPO 64/128. First, the Fault 1 procedure analyzes RK 13 by injecting a fault into a random single-byte of the last round S-Layer input. Then, using the secret information obtained from Fault 1, Fault 2 is carried out. This process injects a fault into a random single-byte of the penultimate round S-Layer input and is performed similarly to Fault 1. Each procedure consists of 4 steps, and the detailed attack process is as follows and is described based on Fault 1.

1) [STEP 1] CALCULATE S-LAYER INPUT DIFFERENCE
The S-layer output difference ( m) can be calculated without knowing the round key. At this time, R-Layer is a linear VOLUME 10, 2022 Therefore, the S-Layer output difference can only be calculated with information about the pair of normal and fault ciphertexts without round key information. If the difference is caused by injecting a fault into a specific byte of the S-Layer input, the output difference occurs in the column containing the bit in which the difference propagates due to the bit-sliced implementation characteristic. Figure 5 shows an example of the relationship between the S-Layer input and output difference. If a fault is injected into the second byte of the S-Layer input and bit flip occurs at indexes 0, 4, 6, and 7 of that byte, the output difference occurs in each column respectively (marked in red). This is because S-Box operations are conducted in column units (marked in blue). However, there is no difference that occurs in the other columns (marked in green). As a result, while computing the S-Layer output difference in the preceding process using the pair of normal and fault ciphertexts, it is possible to estimate the S-Layer input difference by observing whether each column is 0 or not. In Figure 5, the input difference can be estimated as 0xd1.   = {a 0 , a 1 , a 2 , a 3 , a 4 , a 5 , a 6 , a 7    non-zero output differences. The proposed algorithm produces 8 elements array A. The index of an element with a value of 1 among elements of A denotes a byte index at which it is determined that a fault has been injected. Figure 6 shows an example of FOBISA procedure. When the fault is injected, the bit in which the difference occurs is arbitrary, and the probability that the S-Box input difference is uniquely determined by the algorithm varies according to the number of flipped bits. Table 3 shows the probability that the fault-occurring byte position is uniquely determined based on the number of bits flipped in a single S-Layer input byte. When a single-byte error occurs at a random position, the fault-occurring position for the S-Layer input is uniquely determined with about 88.4% probability.

3) [STEP 3] DETERMINE S-LAYER INPUT CANDIDATES
When STEP 2 is completed, the S-Box input and output difference pair are accurately determined. Candidates for the S-Box input x j col satisfying equation 6 can be minimized using the pair. Multiple different information in which an error occurs in the same column is required to confirm with only one candidate. That is, it determines the S-Box input value that is commonly satisfied for multiple S-box input and output difference pairs. The S-Box input can be uniquely predicted by 3 pairs with about 89.1% probability and 4 pairs with about 98.8% probability.

4) [STEP 4] RECOVER ROUND KEY
STEP 1 to STEP 3 should be repeated to analyze the S-Layer input by column unit (S-Box unit). When all columns have been analyzed, all 64-bit of the S-Layer can be confirmed, and the last round key may be recovered as shown in the equation below:

5) RECOVER SECRET KEY
The RK 13 was recovered by following the STEP 1 to STEP 4 method on Fault 1 The RK 12 is recovered by repeating the STEP 1 to STEP 4 method on Fault 2 as shown in Figure 4. The recovered RK 13 is used to calculate the penultimate round S-Layer output difference. In this process, only additional overhead that occurs in the intermediate value calculation is necessary, and no new logic is required. Finally,the inverse key schedule is performed on the recovered RK 13 and RK 12 as follows: As a result, all 128-bit of the secret key of PIPO 64/128 can be acquired.

C. ATTACK PERFORMANCE
Analyzing all bytes of the secret key requires analyzing on all columns of the S-Layer input. In other words, the attack needs error information for each column. The flipped bit-position of the fault ciphertext may be reliably recognized using the proposed DFA STEP 1 method. It is also simple to filter out the fault ciphertext needed for analysis. Since the FI attack is repeatedly performed numerous times, the probability of obtaining information about all columns approaches 1. The random byte error model affects several bits of stored memory. There are variations depending on the device environment, but 3∼4 bits are most likely to change on average. Additionally, because there is a filtering process, a set containing error information for all columns can be collected, and approximately four fault ciphertexts are sufficient to satisfy this. As shown in STEP 3 of the proposed DFA, when analyzing each column, if more than 3 or 4 errors for different byte positions are used, one column can be uniquely determined by high probability. Finally, the proposed DFA can recover the round key using up to about 16 fault ciphertexts. Because Fault 1 and Fault 2 follow the same method, fewer than 32 fault ciphertexts are sufficient to analyze the secret key.

IV. APPLYING THE PROPOSED DFA TO OTHER BIT-SLICED BLOCK CIPHERS
This section discusses the applicability of the proposed DFA to various bit-sliced block ciphers such as ROBIN, FANTOMAS, and RECTANGLE, etc. The operating-unit and S-Box size of each cipher is different but can be expressed in the form of a matrix as shown in Figure 2. And the constructed functions operate in row units, and from S-Box viewpoint, they operate in column units. Other bit-sliced block ciphers shown in Figure 7 have a structure in which the substitution layer, permutation layer, and key addition layer all repeat. Accordingly, when executing FI, the attacker can calculate the output difference of the substitution layer using the ciphertext difference. At this point, the output difference occurs in several columns, demonstrating that the relationship as shown in Figure 5 exists equally. Through Algorithm 1, the attacker can analyze the last round key by identifying the fault-occurring byte index. Since the size of the S-Box varies depending on the cipher, the number of fault-occurring columns required to reduce it to one candidate varies. However, various faults occur in FI attacks, and the attackers can sufficiently filter fault ciphertexts that are favorable to them. Consequently, the proposed attack is designed to be suitable for the bit-sliced structure, allowing it to be easily applied to several bit-sliced block ciphers.

V. EVALUATION OF PROPOSED DFA USING EM-FI
This section shows that the proposed DFA can be practically performed in real devices using actual EM-FI attack experiments. First, we identify the time to inject the faults by observing the electromagnetic wave generated when the PIPO 64/128 operates. Then the EM-FI attack was repeatedly performed by setting the parameters, and the fault ciphertexts were collected. More details will be described in the subsections.
A. EM-FI ATTACK ENVIRONMENT Figure 8 shows the experimental environment, which used EM-FI equipment provided by Riscure. In the figure, solid lines represent essential configurations and dotted lines indicate optional configurations. The experimental equipment consists of EM-FI Transient Probe [25], Spider [26], PC,  oscilloscope, and target device. The Control PC uses Inspector software [27] to control the experimental environment and to process and analyze collected data. It controls the target board's encryption operation through UART communication and receives ciphertexts. The Spider and EM-FI Transient Probe receive operating parameters from the PC through USB communication, and the operation is controlled based on the received information. The Spider controls the reset signal and trigger signal to the target board and controls the signal and power required for the EM-FI Transient Probe to inject a fault. The EM-FI Transient Probe moves along the coordinates of the XYZ-table and injects EM faults. An oscilloscope is used to observe trigger signals, observe EM traces that  occur when the encryption algorithm operates and determine when faults are injected. We experimented with Riscure's Piñata board [28], which uses an Arm Cortex-M4F microcontroller [29]. The PIPO 64/128 was implemented on the Piñata board based on 8-bit variables, and was compiled using the GNU Arm Embedded Toolchain version 4.8 [30].
B. EM-FI ATTACK RESULTS Figure 10 shows the EM traces generated when PIPO 64/128 is operated in an I/O trigger environment. The green signal in the figure represents PIPO 64/128 encryption, the blue signal represents the trigger, and the red signal represents the FI.
Simple EM analysis [1] can be used to distinguish each round of PIPO 64/128. We could predict the expected start times of the last and penultimate rounds of the S-Layer. We then set delays to inject faults at the identified times. When attacking the last round, a random delay of roughly 66,000 ns was applied, and when attacking the penultimate round, roughly 62,000 ns was applied. When a fault is injected into a specific byte of the S-Layer input, the error is propagated to all columns containing the modified bits. Therefore, the greater the Hamming weight of the S-Layer input difference, the higher the probability of errors propagating to all bytes of the ciphertext. Figure 9 shows the results of the EM-FI attack on PIPO 64/128. The red square box area of the target device was scanned and the fault ciphertexts were filtered into four types. The green type is the normal ciphertexts, the yellow type is the abnormal behaviors, the red type is when the difference occurs in some bytes of the ciphertexts, and the magenta type is when the difference occurs in all bytes of the ciphertexts. The experiment resulted in 3,362 red types, and 3,116 magenta types being filtered. However, both types of fault ciphertexts contain unidentified causes. Therefore, before performing the proposed DFA, it is important to filter the fault ciphertexts in which a single-byte error occurred.
In this experiment, we built Algorithm 2 to filter ciphertexts in which the fault-occurring byte was determined to be merely one. Algorithm 1 was utilized for this. Except for duplicates, 164 types were among the 3,362 red type fault ciphertexts, and 110 fault ciphertexts were validated as single-byte errors after filtering. For the magenta type, 241 of the 3,116 fault ciphertexts existed except for duplicates and 139 after the filtering. Table 5 shows examples of fault ciphertexts and if cnt == 1 then 12: fault-occurring byte positions derived by filtering the two classifications. Table 6 shows the number of fault ciphertexts obtained based on the error type. Since the degree of vulnerability for each register varies based on the target board, there is a difference in the success rate of fault induction for each byte. However, more than 10 fault ciphertexts were obtained for each byte.

C. PROPOSED DFA RESULTS
The proposed DFA was carried out using the fault ciphertexts obtained from the Section V-B experiment. The  fault ciphertexts classified in magenta differ in all bytes, so when the fault is injected, many bits are flipped in the fault-occurring byte of the S-Layer input. Therefore, we first selected the magenta type fault ciphertexts and used them for analysis. However, in the filtering through Algorithm 2, it was considered a single-byte error, but there were fault ciphertexts that prevented analysis as a false positive. Therefore, when the proposed DFA was applied among the filtered fault ciphertexts we searched for the optimal set determined by only one key and were able to uniquely determine the correct last round key through 7 fault ciphertexts. After that, the same process was performed for the penultimate round. As a result, we could fully recover 128-bit of the secret key of PIPO 64/128 with fewer than 32 fault ciphertexts.

VI. COUNTERMEASURE
Various countermeasures have been proposed for robustness against FI attacks. There are hardware-level countermeasures, such as using abnormal EM or power detection  modules [31], and software-level countermeasures, such as the redundancy technique, which repeats and verifies the same operations [32]- [34]. Lac et al. proposed an efficient FI countermeasure for lightweight cryptography based on SIMD instructions in 2018 [35]. They proposed an internal redundancy countermeasure (IRC) that encrypts and compares two bytes from the reference block and two bytes from the data block in conjunction. Additionally, using SIMD instructions, ciphers based on an 8-bit process were parallelized to 32-bit process operation types. In this paper, the fault-robustness of the IRC PIPO applied the aforementioned countermeasure to PIPO was validated. Figure 11 shows the overall layout of the IRC PIPO. SIMD instructions offer simple parallelization of the Addroundkey and S-Layer, but do not support rotation operations. Therefore, we performed the parallelization of the R-Layer using masking. The reconstructed R-layer is shown in the following equation: ((a 0 , a 1 , . . . , a 7 )) The use of 32-bit processes is inevitable and increases the overall memory overhead, but the time overhead mainly occurs in the operation of comparing redundancy. Table 7 shows an encryption performance comparison between the normal PIPO and the PIPO to which a countermeasure is applied. The comparison was carried out on ARM Cortex-M4 boards that have been subject to FI. Figure 12 shows the results of performing FI attacks on each. The normal PIPO was 446 out of 8,000 times when performed on the same area, and faults occurred in approximately 5.6% of the cases. On the other hand, it was confirmed that IRC PIPO did not create any faults and was completely filtered as abnormal behaviors (yellow type) when faults occurred. In conclusion, it can be seen that the countermeasure used improved the FI-robustness. To attack this redundancy-based countermeasure, not only FI for key acquisition is necessary, but also FI for skipping the fault checking area. Therefore, the attacker needs high-level techniques to inject multiple faults during single encryption.

VII. CONCLUSION
This paper proposed a DFA on the PIPO based on a single-byte error model in a random position. The proposed DFA could fully recover 128-bit of the secret key of the PIPO 64/128 with overwhelming probability using less than 16 fault ciphertexts each in two rounds. Compared to the previously proposed DFA, our DFA is a practical attack that requires half the fault ciphertext while also alleviating the attacker's assumption. Additionally, the proposed attack logic is designed to be suitable for the bit-sliced structure-agnostic; thus, it may be simply applied to bit-sliced block ciphers other than the PIPO. We used EM-FI to evaluate the proposed DFA. By proposing an algorithm capable of filtering the fault ciphertexts, it was possible to obtain the fault ciphertexts required to analyze the secret key. In reality, we derived the result of accurately recovering the last round key using 7 fault ciphertexts. Consequently, the proposed attack demonstrates to be a practical attack that may be used in the real world. This paper contributes to raising awareness about FI security for bit-sliced block ciphers that are being considered in the IoT environment. Various countermeasures are being applied to construct a safe environment against FI attacks. As an example, there is a countermeasure based on redundancy to defend FI. We applied a redundancy-based countermeasure to the PIPO and demonstrated its FI-robustness. This paper experimentally showed that IRC PIPO prevents attackers from acquiring the necessary fault ciphertexts for a single-FI attack. Consequently, our experimental results emphasize the need for countermeasures when operating the PIPO in the real world. In the future, we intend to apply the proposed DFA to various bit-sliced block ciphers and upload the PIPO to various test boards to undertake EM-FI attacks. In particular, we plan to perform FI attacks on lightweight block ciphers in the hardware environment. This plan will show that the proposed DFA is a highly scalable attack applicable to various target bit-sliced ciphers and environments. Additionally, we plan to launch double-FI attacks on IRC PIPO. Double-FI attack strategies are necessary to attack the block cipher against which countermeasures are applied. For a double-FI attack to be successful, it must bypass checking for redundancy at the last point, as well as the induce faults in the true encrypt operation. In other words, continuous FI at different time points is required, and a more precise attack execution capability is required. Therefore, in the future, we plan to study attack methods against IRC PIPO by trying various methods such as FI using heterogeneous fault sources [36] as well as basic multiple-FI.