Advanced
Security Analysis of the Lightweight Cryptosystem TWINE in the Internet of Things
Security Analysis of the Lightweight Cryptosystem TWINE in the Internet of Things
KSII Transactions on Internet and Information Systems (TIIS). 2015. Feb, 9(2): 793-810
Copyright © 2015, Korean Society For Internet Information
  • Received : August 20, 2014
  • Accepted : December 16, 2014
  • Published : February 28, 2015
Download
PDF
e-PUB
PubReader
PPT
Export by style
Share
Article
Author
Metrics
Cited by
TagCloud
About the Authors
Wei Li
Shanghai Key Laboratory of Integrate Administration Technologies for Information Security Shanghai, 200240, China
Wenwen Zhang
School of Computer Science and Technology, Donghua University Shanghai, 201620, China
Dawu Gu
Department of Computer Science and Engineering, Shanghai Jiao Tong University Shanghai, 200240, China
Zhi Tao
School of Computer Science and Technology, Donghua University Shanghai, 201620, China
Zhihong Zhou
School of Information Security Engineering, Shanghai Jiao Tong University Shanghai, 200240, China
Ya Liu
Department of Computer Science and Engineering, University of Shanghai for Science and Technology Shanghai, 200093, China
Zhiqiang Liu
Department of Computer Science and Engineering, Shanghai Jiao Tong University Shanghai, 200240, China

Abstract
The TWINE is a new Generalized Feistel Structure (GFS) lightweight cryptosystem in the Internet of Things. It has 36 rounds and the key lengths support 80 bits and 128 bits, which are flexible to provide security for the RFID, smart cards and other highly-constrained devices. Due to the strong attacking ability, fast speed, simple implementation and other characteristics, the differential fault analysis has become an important method to evaluate the security of lightweight cryptosystems. On the basis of the 4-bit fault model and the differential analysis, we propose an effective differential fault attack on the TWINE cryptosystem. Mathematical analysis and simulating experiments show that the attack could recover its 80-bit and 128-bit secret keys by introducing 8 faulty ciphertexts and 18 faulty ciphertexts on average, respectively. The result in this study describes that the TWINE is vulnerable to differential fault analysis. It will be beneficial to the analysis of the same type of other iterated lightweight cryptosystems in the Internet of Things.
Keywords
1. Introduction
T oday’s information security engineers are facing with the problem of building a trustworthy system from untrustworthy components. Security experts claim that the only workable solutions demand some minimal number of trustworthy components to date. For ensuring the security of an overall system, these trustworthy components are required to provide some services such as authentication, encryption/decryption, cryptographic tokens and so on. Typically, the security of an overall system is provided at the level of softwares (cryptographic algorithms). Traditional cryptographic protocol designs assume that input and output messages are available to attackers, but other information about keys remains unknown. During the last two decades a new class of attacks against cryptographic devices have become public. These attacks exploit easily accessible side-channel information like input-output behavior under malfunctions, power consumption, running time, and can be mounted by anyone using low-cost equipments [1 - 4] . These side-channel attacks amplify and evaluate leaked information with the help of statistical methods, and are often much more powerful than classical cryptanalysis [5 - 9] , especially in the Internet of Things. As a representative of the informationization tide, the Internet of Things has been playing a vital part in the daily activities of human society, such as intelligent transportation, modern logistics, food safety, environmental monitoring, etc. However, the traditional cryptographic algorithms are not suitable for solving the increasingly prominent security problems of the Internet of Things, since the application components used in the Internet of Things, such as RFID, smart cards and other highly-constrained devices, are mainly microprocessing equipments with weak computing ability and limited storage capacity. In this case, the lightweight cryptographic algorithms and the related side channel attacks have been widely applied to security analysis of the Internet of Things.
The TWINE is a new lightweight cryptosystem to provide security for the highly--constrained devices in the Internet of Things [10] . Its block size is 64 bits, and the supported key sizes are 80 bits in the TWINE-80 and 128 bits in the TWINE-128, respectively. It repeats 36 rounds and every round consists of the 4-bit to 4-bit S-boxes and the linear transformations. Since its introduction, the TWINE has been the target of classical cryptanalytic efforts. The designers of the TWINE, focus on the impossible differential and saturation attacks, which are regarded as the most critical attacks to the TWINE [10] . Then the biclique cryptanalysis of the TWINE has been proposed in [11 - 12] . Later M. Coban et al make use of the slow diffusion of both the encryption and the key schedule to describe the mutidimensional meet-in-the-middle attacks on the reduced round of the TWINE [13] .
Different from the classical cryptanalysis, differential fault analysis, also called DFA, is one type of side-channel attacks in the Internet of Things [14 - 15] . It was proposed on the DES cryptosystem by E. Biham and A. Shamir for its strong attacking ability, fast speed, simple implementation and other characteristics [16] . The similar attacks have been applied to AES [17 - 21] , IDEA [22] , and ARIA [23] etc. The DFA attack is based on deriving information about the secret key by examining the differences between a cipher resulting from a correct operation and a cipher of the same initial message resulting from a faulty operation.
In the literature, little research has been devoted to the security of the TWINE against the DFA. The TWINE takes the generalized Feistel-based structure, and has neither a bit permutation nor a Galois-Field matrix. Its basic components include the 4-bit S-boxes, the XOR and the 4-bit-wise permutation (shuffle). And the diffusion layer is smaller than other ciphers with the same structure. Thus, it has a rather long diffusion path and maximizes the avalanche effect of the linear transformation. This kind of designing strengthens the security of the TWINE against the DFA attack. It makes the path of fault propagation more difficult to be analyzed. Thus, it is difficult to derive the relationship between the fault and the secret key of the TWINE.
We thus propose an effective DFA method to recover the secret key of the TWINE. It adopts the 4-bit fault model. In the DFA attack, the attackers could induce a random error into the 64-bit layer of the encryption, and thus obtain a faulty ciphertext. By differential analysis, the last subkey could be recovered. Then the attackers could decrypt the right ciphertext to obtain the input of the last round, which is the output of the penultimate round. They repeat the above procedure to recover more subkeys until the secret key is obtained by the key schedule. On this fault model and attacking procedure, our method can recover the secret key of the TWINE. The experiments show that using 8 errors and 18 faults on average could recover the 80-bit and 128-bit secret keys, respectively. To the best of our knowledge, it is the first work that a differential fault attack on the TWINE has been successfully put into practice. Compared with the classical cryptanalysis, the differential fault attack on the TWINE has a good performance in data complexity, time complexity and memory complexity, as Table 1 shows.
Cryptanalysis of the TWINE
PPT Slide
Lager Image
Cryptanalysis of the TWINE
This paper is organized as follows. Section 2 briefly introduces the TWINE. The next section describes the fault model and basic assumption, and proposes our DFA analysis to recover the secret key. Section 4 and 5 summarize the attacking complexity and the experimental results. Finally section 6 concludes the paper.
2. Description of the TWINE
The TWINE is a 64-bit lightweight block cipher with two primary instances taking 80-bit and 128-bit secret keys. It has 36 rounds and is composed of the encryption, the decryption and the key schedule as Fig. 1 shows [10] .
PPT Slide
Lager Image
The structure of the TWINE
- 2.1 Encryption
The encryption algorithm of the TWINE-80 and the TWINE-128 is described as Table 2 shows.
The encryption of the TWINE
PPT Slide
Lager Image
The encryption of the TWINE
Let P ∈ ({0,1} 4 ) 16 be the plaintext and C ∈ ({0,1} 4 ) 16 be the ciphertext, respectively. Let RK ∈ ({0,1} 32 ) 36 represent the concentration of 36 subkeys, and RKi ∈ ({0,1} 4 ) 8 represent the i -th subkey from the secret key K , with 1 ≤ i ≤ 36, respectively. Let Xij ∈ {0,1} 4 denote the j -th 4-bit input value in the i -th round, with 1 ≤ i ≤ 36 and 0 ≤ j ≤ 15.
The round function consists of a substitution layer S using 8 4×4 S-boxes and a diffusion layer π permuting 16 blocks.
- 2.2 Decryption
The decryption is the same as the encryption, including the subkeys with the reverse order.
- 2.3 Key schedule
The secret key K is the input of a key schedule to produce the subkeys for every round. It divides an 80-bit secret key and a 128-bit secret key into 36 subkeys as Table 3 and Table 4 show, where CONr and
PPT Slide
Lager Image
represent 3-bit constants with 1≤ r ≤ 35.
The key schedule for the TWINE-80
PPT Slide
Lager Image
The key schedule for the TWINE-80
The key schedule for the TWINE-128
PPT Slide
Lager Image
The key schedule for the TWINE-128
3. Differential Fault Analysis on the TWINE
- 3.1 Notations
The following notations are used to describe the TWINE and its analysis.
Let C * ∈ ({0,1} 4 ) 16 and Δ C ∈ ({0,1} 4 ) 16 be the faulty ciphertext and the ciphertext difference, respectively.
Let Δ Xij ∈ ({0,1} 4 ) represent the j -th 4-bit input difference in the i -th round, with 1 ≤ i ≤ 36 and 0 ≤ j ≤ 15.
Let Aij , Bij , Δ Aij and Δ Bij denote the j -th 4-bit input, output, input difference and output difference of the substitution layer in the i -th round with 1 ≤ i ≤ 36 and 0 ≤ j ≤ 7, respectively.
For the substitution layers, the relationships between the input differences and output differences of the S-box layers are defined as follows:
PPT Slide
Lager Image
where 1 ≤ i ≤ 36 and 0 ≤ j ≤ 7.
- 3.2 Fault model and basic assumption
The DFA analysis exploits the differences between a normal ciphertext and a faulty ciphertext stemming from encryptions of the same plaintext. Our proposed fault model includes the following two assumptions: the attackers have the capability to choose one plaintext to encrypt and obtain the corresponding right and faulty ciphertexts (Chosen Plaintext Attack, CPA). Furthermore, the attackers could induce a 4-bit error to one round of the encryption. In fact, the attackers could assume that the error is one bit or half a byte, and one bit is a special case of half a byte. It does not influence the attacking procedure. Both the value and the location of the error in this round are random. As for the attack, they could analyze a fault occurring near the end of the algorithm and assume the general random fault model where the fault modifies the processed data in a random way.
The attacking procedure is as follows: the right ciphertext is obtained when a plaintext is encrypted with a secret key. The attackers induce a random error in some round of the encryption and thus obtain a faulty ciphertext. The faults could be injected by either using the simulation in software implementation, or using radiation, X-ray and micro-probe in hardware implementation. By differential fault analysis, the value of the last subkey can be recovered. Then the attackers could decrypt the right ciphertext to obtain the input of the last round, which is the output of the penultimate round. At last they repeat the above procedure to deduce more subkeys until the secret key is obtained by the key schedule.
- 3.3 Attacking Procedure
In this subsection, we apply the above basic idea and propose a novel differential fault analysis to recover the secret keys of the TWINE-80 and the TWINE-128. The analysis is split into the following successive steps for the TWINE.
Step 1. A ciphertext C is derived when an arbitrary plaintext P is encrypted with a secret key K .
Step 2. This step aims at recovering the last subkey RK 36 . A fault may be induced on either the input or the output of F function in the 31st round whereas the approach is identical in either case. Assume that the error is induced in the first F function in this round. Note that any modification of one 4-bit error provokes the XOR-differences
PPT Slide
Lager Image
PPT Slide
Lager Image
PPT Slide
Lager Image
These alter the original ciphertext C into the faulty ciphertext C * . There is no diffusion layer in the last round, so the input and output difference of the S-boxes in this round can be calculated as follows:
PPT Slide
Lager Image
where j ∈ {0,1,5,6}.The above equations, in conjunction with a pair of right faulty ciphertexts, allow to infer the relationship between input differences and output differences of the S-boxes. Thus, the differential transformation of S-boxes in the last round has
PPT Slide
Lager Image
where j ∈ {0,1,5,6}.The j -th 4-bit value of A 36 satisfies
PPT Slide
Lager Image
Then the attackers do brute-force search for the value of
PPT Slide
Lager Image
to deduce
PPT Slide
Lager Image
where j ∈ {0,1,5,6}. This procedure leads to a list of candidates
PPT Slide
Lager Image
and the value of
PPT Slide
Lager Image
could be deduced as follows:
PPT Slide
Lager Image
where j ∈ {0,1,5,6}. Then the attackers could choose the inputs of other F functions in the 31st round to induce errors. So other values of the last subkey could be deduced by the similar method. Table 5 lists the relationship between the fault locations of the j ’-th F function in the 31st round and the affected j -th 4-bit values in the last two subkeys, with 0 ≤ j ’ ≤ 7 and 0 ≤ j ≤ 7 .
The relationship between the fault locations and the affected 4-bit values in the last two rounds.
PPT Slide
Lager Image
The relationship between the fault locations and the affected 4-bit values in the last two rounds.
Step 3. In this step, there are no errors induced. The attackers could make advantage of the errors in the previous step to deduce the penultimate subkey. They could decrypt the right ciphertext by the last subkey to obtain the output of the penultimate round. The input and output differences of the S-boxes in the penultimate round could be derived as follows:
PPT Slide
Lager Image
and the value of
PPT Slide
Lager Image
satisfies
PPT Slide
Lager Image
where j ∈ {0,5,6}. The attackers do brute-force search for the value of
PPT Slide
Lager Image
to deduce the input
PPT Slide
Lager Image
of S-boxes in the penultimate round. The values of
PPT Slide
Lager Image
could be deduced as below:
PPT Slide
Lager Image
where j ≤ {0,5,6}. So other values of the penultimate subkeys could be deduced by the similar method. Table 5 lists the relationship between the fault locations of the j ’-th F function in the 31st round and the affected j -th 4-bit values in the penultimate subkey with 0 ≤ j ’ ≤ 7 and 0 ≤ j ≤ 7 . If the key size is 80 bits, then the attacking procedure jumps step 5; else it jumps step 4.
Step 4. The attackers could make advantage of the previous two steps to derive the output of the 34th round, and induce faults the similar locations into the 29th round. After computing the input differences and output differences of the S-boxes, all bytes of RK 34 and RK 33 could be deduced.
Step 5. As for the TWINE-80, the last two subkeys could be recovered as follows:
PPT Slide
Lager Image
So the remaining 16 bits of WK 5 || WK 7 || WK 8 || WK 17 could be derived by the brute-force search. The 80-bit secret key is calculated by
PPT Slide
Lager Image
As for the TWINE-128, the attackers could derive the last four subkeys as follows:
PPT Slide
Lager Image
So the remaining 8 bits of WK 1 || WK 15 could only be derived by the brute-force search. Eventually the 128-bit secret key is calculated by
PPT Slide
Lager Image
4. Attacking Complexity
We summarize the attacking procedure to select subkey candidates for a secret key. The time complexity of brute-force search for one fault injection is
PPT Slide
Lager Image
where σ denotes the size of the substitution layer and ω denotes the input size of one S-box. In addition, an estimation of the number of faults necessary for the attack to be successful is vital. In the attacking procedure, the number of faulty ciphertexts to recover a subkey depends on the fault location and the fault model.
We take the derivation of RK 36 as an example. On the definition of an S-function, if A 36 is a candidate, A 36 ⊕ Δ A 36 may be another subkey candidate. In other words, if the input candidates set of S-boxes is not null, the input A 36 may have several candidates. It indicates RK 36 may have some possible elements.
In the fault model, a random error could be induced at any round of the encryption. If the fault occurs in the last round, only 4 bits in the input of the S-box will change, which could recover at most 4 bits of the last subkey by DFA. To recover the last subkey, it is necessary to induce many errors into different F functions.
If the fault is induced at an ideal location before the last round, then the input difference and output difference of the S-boxes in this round contain only one nonzero 4-bit value. However, the output difference of π has multibytes owing to the diffusion of linear transformation. Thus, the input difference of the S-boxes in the last round contains multibytes after the computation of the last several rounds. The above idea is applied in the attacking procedure to improve the efficiency of fault injection.
Since at least two faults can make one element in the intersection of RK 36 , the attackers continue deriving intersection of subkey candidates sets until the intersection has only one element. Thus, at least two faulty ciphertexts are required to derive multibytes of one subkey. The theoretical minimum number of faulty ciphertexts to recover one subkey is defined as
PPT Slide
Lager Image
where σ represents the size of the substitution layer, and τ represents the maximum number of bits in a subkey derived by two faulty ciphertexts. To derive the subkey, the value of τ equals the number of bits in the nonzero output difference of the nonlinear transformation in this round. If τ = 0 , then there is no bits of a subkey derived and thus ϕ = 0 .
To recover a secret key, the time complexity is
PPT Slide
Lager Image
the data complexity is
PPT Slide
Lager Image
chosen plaintext-ciphertext pairs, and the memory complexity is
PPT Slide
Lager Image
where δ denotes the number of subkeys to recover a secret key, σ represents the size of the substitution layer, ω denotes the input size of one S-box, τ represents the maximum number of bits in a subkey derived by two faulty ciphertexts, v denotes the size of the secret key, and η represents the number of bits in the secret key derived by the DFA. If τ = 0 , then there is no bits of a subkey derived and thus η = 0 .
To recover the 80-bit secret key in theory, the time complexity is 2 16.59 , the data complexity is 2 3.17 chosen plaintext-ciphertext pairs, and the memory complexity is 2 16.01 , where ω =4, σ = 64, τ = 16, δ =2, η =64, v =80 and ϕ =8. To recover the 128-bit secret key in theory, the time complexity is 2 16.01 , the data complexity is 2 4.09 chosen plaintext-ciphertext pairs, and the memory complexity is 2 8.98 , where ω =4, σ =64, τ =16, δ =4, η =120, v =128 and ϕ =8.
5. Experimental Results
We implemented our attack on a PC using Visual C++ 8.0 Compiler on a 2.53 GHz celeron with 2GB memory. The fault induction was simulated by computer software. In this situation, we ran the attacking algorithm to 1000 encryption units with different random generated keys. The experiments are divided as 5 groups in average, denoted as G 1 , G 2 , G 3 , G 4 and G 5 .
Fig. 2 and Fig. 3 show the number of bits recovered in the 80-bit and 128-bit versions in intersections of candidates to recover the secret keys. The x-coordinate represents the number of experiments and the y-coordinate represents the number of the recovered bits of the secret key. In Fig. 2 , the colored lines denote the number of the recovered bits of the secret key in the 3rd, 6th, 9th and 12th intersections of TWINE-80, respectively. In Fig. 3 , the colored lines denote the number of the recovered bits of the secret key in the 3rd, 6th, 9th, 12th, 15th, 18th, 21st and 24th intersections of TWINE-128, respectively. We define accuracy, reliability and latency for evaluating the experimental results in detail.
PPT Slide
Lager Image
Number of bits recovered in TWINE–80
PPT Slide
Lager Image
Number of bits recovered in TWINE-128
Accuracy is a metric that defines how close the number of the secret key is to the true number of subkey candidates. Basically, the closer the experimental number of the secret key candidates is to the true number, the more accurate the experiment is. Thus, we consider the Root Mean-Square Error (RMSE) to measure the accuracy, where RMSE is given by
PPT Slide
Lager Image
where N denotes the number of experiments in a set, e represents the index of the experiment, htrue denotes the number of bits in the secret key, and hmeasured represents the number of bits recovered in the secret key candidates. As we know, the values of htrue are 64 bits for the 80-bit version and 120 bits for the 128-bit version. The closer the RMSE value is to 0, the more accurate the experiments are. The RMSE values for every intersections of subkey candidates are shown in Table 6 and Table 7 , where N =200, e ∈{1, …, 1000} and htrue ∈{64,120}. For example, to compute the RMSE value of G 1 in the 3rd intersection, it is observed that hmeasured ( e ) represents the values of the red line shown in Fig. 2 , N =200, e ∈{1, …, 200} and htrue =64. Thus,the RMSE value of G 1 in the 3rd intersection is 5.57. In the same way, all values of RMSE could be derived in Table 6 . Eventually, the values of RMSE in 12th intersection for the 80-bit version and in the 24th intersection for the 128-bit version are both zero, so we could derive the secret keys in the corresponding intersections. That is, at most 13 and 25 faulty ciphertexts are required to recover secret keys for the two versions, respectively. Furthermore, the accuracy in every group for the same interaction is similar or equal.
Accuracy by RMSE for the the TWINE–80
PPT Slide
Lager Image
Accuracy by RMSE for the the TWINE–80
Accuracy by RMSE for the the TWINE–128
PPT Slide
Lager Image
Accuracy by RMSE for the the TWINE–128
Reliability is the ratio of successful experiments out of all experiments made. If the attackers could derive only one secret key, we consider that the experiment is successful. Referring to Table 8 and Table 9 , one can observe the ratios of successful experiments in every intersection for the 80-bit and the 128-bit versions. The experimental results show that 12 intersections are enough to recover the secret key for the 80-bits version and 24 intersections are enough for the 128-bits version. That is, the reliability is 100% if the attackers induce at most 13 and 25 random faults to break a secret key for the two versions, respectively. Furthermore, the reliability in every group for the same interaction is similar or equal.
Reliability for the the TWINE–80
PPT Slide
Lager Image
Reliability for the the TWINE–80
Reliability for the the TWINE–128
PPT Slide
Lager Image
Reliability for the the TWINE–128
Latency is the time to the recovery the secret key in our software simulation. It is measured in seconds for the 80-bit version and in 0.01 seconds for the 128-bit version. Fig. 4 and Fig. 5 show the time of 1000 experiments. The DFA could break the TWINE by recovering 64 bits of the 80-bit secret key and 120 bits of the 128-bit secret key, respectively. The brute-force search could be applied in deriving the remaining 16 bits of the 80-bit secret key and the remaining 8 bits of the 128-bit secret key, respectively. According to the experiment results, the whole attacking procedure requires 4.4s and 0.046s on average to recover the secret keys. The time in the brute-force search of the remaining 16 bits is more than that of the remaining 8 bits. Thus, the whole time of breaking the TWINE-80 is more than that of breaking the TWINE-128.
PPT Slide
Lager Image
Latency in attacking the TWINE–80
PPT Slide
Lager Image
Latency in attacking the TWINE–128
Referring to the experimental results, breaking the TWINE-80 requires at least 6 faulty ciphertexts and at most 13 faulty ciphertexts. The average number of the faulty ciphertexts of the TWINE-80 is 8. And breaking the TWINE-128 requires at least 12 ciphertexts and at most 25 faulty ciphertexts. The average number of the faulty ciphertexts of the TWINE-128 is 18.
On the basis of the number of faulty ciphertexts in our simulated experiments, the overall time complexities are
PPT Slide
Lager Image
and
PPT Slide
Lager Image
to break the TWINE-80 and TWINE-128, respectively.
The data complexities in practice are
PPT Slide
Lager Image
and
PPT Slide
Lager Image
chosen plaintext-cipertext pairs to break the TWINE-80 and TWINE-128 by the DFA, respectively.
The memory complexities in practice are
PPT Slide
Lager Image
and
PPT Slide
Lager Image
to break the TWINE-80 and TWINE-128 by the DFA, respectively.
6. Conclusion
As for the fault analysis on lightweight block ciphers, current studies have been published regarding mathematical analysis on cryptographic algorithms, fault injection on cryptographic algorithm in software implementation, fault injection on cryptographic algorithm in hardware implementation. This paper examines fault injection on the TWINE in software implementation. It shows that the TWINE is vulnerable to the differential fault analysis. In the 4-bit fault model, only 8 and 18 ciphertexts on average is required to obtain the 80-bit and 128-bit secret keys of the TWINE, respectively. Our work provides a new reference to fault analysis on other lightweight cryptosystems.
In consequence, we are working on fault injection and detection on the TWINE in hardware implementation. Furthermore, future analysis should be able to support more fault locations of the TWINE, such as the key schedule.
BIO
Wei Li is currently an associate professor in School of Computer Science and Technology, Donghua University. She was awarded as B.S. degree in engineering from Anhui University in 2002, and her M.S. degree and Ph.D. degree in engineering in 2006 and 2009, both from Shanghai Jiao Tong University. She serves as the member for CACR (China Association of Cryptologic Research), CCF (China Computer Federation) and ACM. Her research interests include the design and analysis of symmetric ciphers.
Wenwen Zhang is currently a Master candidate in School of Computer Science and Technology, Donghua University. Her research interests include security analysis of symmetric ciphers .
Dawu Gu is a professor at Shanghai Jiao Tong University in Computer Science and Engineering Department. He was awarded a B.S. degree in applied mathematics in 1992, and a Ph.D. degree in cryptograpgy in 1998, both from Xidian University of China. He serves as technical committee members for CACR (China Association of Cryptologic Research) and CCF (China Computer Federation), also as the members of ACM, IACR, IEICE. He was the winner of New Century Excellent Talent Program made by Ministry of Education of China in 2005. He has been invited as Chairs and TPC members for many international conferences like E-Forensics, ISPEC, ICIS, ACSA, CNCC, etc. His research interests cover cryptology and computer security. He has got over 100 scientific papers in academic journals and conferences.
Zhi Tao is currently a Master candidate in School of Computer Science and Technology, Donghua University. His research interests include security analysis of lightweight ciphers.
Zhihong Zhou is a lecturer in Shanghai Key Laboratory of Integrate Administration Technologies for Information Security, Shanghai Jiao tong Univeristy. He was awarded his Ph.D. degree from Zhejiang Univeristy in 2005. His research interests include security analysis of the Internet of Things.
Ya Liu is currently a lecturer in Department of Computer Science and Engineering, University of Shanghai for Science and Technology. She was awarded her Ph.D. degree from Shanghai Jiao Tong University in 2013. Her research interests include the design and analysis of symmetric ciphers and computational number theory.
Zhiqiang Liu is now a Post-doc in the department of Computer Science and Engineering, Shanghai Jiao Tong University. He received his B.S. degree and M.S. degree in Mathematics, and Ph.D. degree in Cryptography from Shanghai Jiao Tong University in 1998, 2001 and 2012 respectively. From 2001 to 2008, he worked in ZTE, Alcatel and VLI in the realm of NextGeneration Network (NGN)/IP Multimedia Subsystem (IMS). Currently, his research interests include cryptanalysis and design of block ciphers and hash functions.
References
Kocher P. “Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems,” in Proc. of 16th Annual Int. Cryptology Conf August 18-22, 1996 104 - 113
Kocher P. , Jaffe J. , Jun B. “Differential power analysis,” in Proc. of 19th Annual Int. Cryptology Conf. August 15-19, 1999 388 - 397
Kim H. C. , Quisquater J.-J. 2007 “Faults, injection methods, and fault attacks,” IEEE Des. Test Comput. 24 (6) 544 - 545    DOI : 10.1109/MDT.2007.186
Joye M. , Quisquater J. J. , Yen S. M. , Yung M. “Observability analysis-detecting when improved cryptosystems fail,” in Proc. of Cryptographer's Track RSA Conf. February 18-22, 2002 17 - 29
Lin I. C. , Chang C. C. 2007 “Security enhancement for digital signature schemes with fault tolerance in RSA,” Inform. Sciences 177 (19) 4031 - 40369    DOI : 10.1016/j.ins.2007.03.035
Kelsey J. , Schneier B. , Wagner D. , Hall C. “Side channel cryptanalysis of product ciphers,” in Proc. of 5th European Symp. Research Comp. Security September 16-18, 1998 97 - 110
Erich W. , Johann G. “An 8-bit AVR-based elliptic curve cryptographic RISC processor for the internet of things,” in Proc. of 45th Annual Int. Symposium on Microarchitecture December 1-5, 2012 39 - 46
Zhang K. , Ding L. , Li J. 2012 “Real time related key attack on Hummingbird-2,” KSII T. Internet Inf. 6 (8) 1946 - 1963
Cui T. , Jin C. 2013 “Finding impossible differentials for Rijndael-like and 3D-like Structures,” KSII T. Internet Inf. 7 (3) 509 - 521
Suzaki T. , Minematsu K. , Morioka S. , Kobayashi E. “TWINE: a lightweight block cipher for multiple platforms,” in Proc. of 19th Int. Conf. Selected Areas in Cryptography August 15-16, 2012 339 - 354
Karako F. , Demirci H. , Harmanc A. E. 2013 “Biclique cryptanalysis of LBlock and TWINE,” Infor. Processing Letters 113 (12) 423 - 429    DOI : 10.1016/j.ipl.2013.03.011
Coban M. , Karako F. , Boztas O. “Biclique cryptanalysis of TWINE,” in Proc. of 11th Int. Conf. Cryptology Network Security December 12-14, 2012 43 - 45
Coban M. , Karako F. , Boztas O. “Multidimensional meet-in-the-middle attacks on reduced-round TWINE-128,” in Proc. of 2nd Int. Workshop on Lightweight Cryptography for Security and Privacy May 6-7, 2013 55 - 67
Boneh D. , DeMillo R. A. , Lipton R. J. “On the importance of checking cryptographic protocols for faults,” in Proc. of Int. Conf. Theory Application Cryptographic Techniques May 11-15, 1997 37 - 51
Boneh D. , DeMillo R. A. , Lipton R. J. 2001 “On the importance of eliminating errors in cryptographic computations,” J. CRYPTOL 14 (2) 101 - 119    DOI : 10.1007/s001450010016
Biham E. , Shamir A. “Differential fault analysis of secret key cryptosystems,” in Proc. of 17th Annual Int. Cryptology Conf. August 15-19, 1997 513 - 525
Bertoni G. , Breveglieri L. , Koren I. , Maistri P. , Piuri V. 2003 “Error analysis and detection procedures for a hardware implementation of the Advanced Encryption Standard,” IEEE T. Comput. 52 (4) 492 - 505    DOI : 10.1109/TC.2003.1190590
Dusart P. , Letourneux G. , Vivolo O. “Differential fault analysis on A.E.S,” in Proc. of 1st Int. Conf. Applied Cryptography and Network Security October 16-19, 2003 293 - 306
Giraud C. “DFA on AES,” in Proc. of 4th Int. Conf. Advanced Encryption Standard May 10-12, 2004 27 - 41
Moradi A. , Shalmani M. T. M. , Salmasizadeh M. “A generalized method of differential fault attack against AES cryptosystem,” in Proc. of 8th Int. Workshop on Cryptographic Hardware and Embedded Systems October 10-13, 2006 91 - 100
Gilles P. , Quisquater J. J. “A differential fault attack technique against SPN structures, with application to the AES and KHAZAD,” in Proc. of 5th Int. Workshop on Cryptographic Hardware and Embedded Systems September 8-10, 2003 77 - 88
Christophe C. , Benedikt G. , Ingrid V. “Fault analysis study of IDEA,” in Proc. of Cryptographers' Track at the RSA Conf. April 8-11, 2008 247 - 287
Li W. , Gu D. , Li J. 2008 “Differential fault analysis on the ARIA algorithm,” Inform. Sciences 178 (19) 3727 - 3737    DOI : 10.1016/j.ins.2008.05.031