The TWINE is a new Generalized Feistel Structure (GFS) lightweight cryptosystem in the Internet of Things. It has 36 rounds and the key lengths support 80 bits and 128 bits, which are flexible to provide security for the RFID, smart cards and other highlyconstrained devices. Due to the strong attacking ability, fast speed, simple implementation and other characteristics, the differential fault analysis has become an important method to evaluate the security of lightweight cryptosystems. On the basis of the 4bit fault model and the differential analysis, we propose an effective differential fault attack on the TWINE cryptosystem. Mathematical analysis and simulating experiments show that the attack could recover its 80bit and 128bit secret keys by introducing 8 faulty ciphertexts and 18 faulty ciphertexts on average, respectively. The result in this study describes that the TWINE is vulnerable to differential fault analysis. It will be beneficial to the analysis of the same type of other iterated lightweight cryptosystems in the Internet of Things.
1. Introduction
T
oday’s information security engineers are facing with the problem of building a trustworthy system from untrustworthy components. Security experts claim that the only workable solutions demand some minimal number of trustworthy components to date. For ensuring the security of an overall system, these trustworthy components are required to provide some services such as authentication, encryption/decryption, cryptographic tokens and so on. Typically, the security of an overall system is provided at the level of softwares (cryptographic algorithms). Traditional cryptographic protocol designs assume that input and output messages are available to attackers, but other information about keys remains unknown. During the last two decades a new class of attacks against cryptographic devices have become public. These attacks exploit easily accessible sidechannel information like inputoutput behavior under malfunctions, power consumption, running time, and can be mounted by anyone using lowcost equipments
[1

4]
. These sidechannel attacks amplify and evaluate leaked information with the help of statistical methods, and are often much more powerful than classical cryptanalysis
[5

9]
, especially in the Internet of Things. As a representative of the informationization tide, the Internet of Things has been playing a vital part in the daily activities of human society, such as intelligent transportation, modern logistics, food safety, environmental monitoring, etc. However, the traditional cryptographic algorithms are not suitable for solving the increasingly prominent security problems of the Internet of Things, since the application components used in the Internet of Things, such as RFID, smart cards and other highlyconstrained devices, are mainly microprocessing equipments with weak computing ability and limited storage capacity. In this case, the lightweight cryptographic algorithms and the related side channel attacks have been widely applied to security analysis of the Internet of Things.
The TWINE is a new lightweight cryptosystem to provide security for the highlyconstrained devices in the Internet of Things
[10]
. Its block size is 64 bits, and the supported key sizes are 80 bits in the TWINE80 and 128 bits in the TWINE128, respectively. It repeats 36 rounds and every round consists of the 4bit to 4bit Sboxes and the linear transformations. Since its introduction, the TWINE has been the target of classical cryptanalytic efforts. The designers of the TWINE, focus on the impossible differential and saturation attacks, which are regarded as the most critical attacks to the TWINE
[10]
. Then the biclique cryptanalysis of the TWINE has been proposed in
[11

12]
. Later M. Coban et al make use of the slow diffusion of both the encryption and the key schedule to describe the mutidimensional meetinthemiddle attacks on the reduced round of the TWINE
[13]
.
Different from the classical cryptanalysis, differential fault analysis, also called DFA, is one type of sidechannel attacks in the Internet of Things
[14

15]
. It was proposed on the DES cryptosystem by E. Biham and A. Shamir for its strong attacking ability, fast speed, simple implementation and other characteristics
[16]
. The similar attacks have been applied to AES
[17

21]
, IDEA
[22]
, and ARIA
[23]
etc. The DFA attack is based on deriving information about the secret key by examining the differences between a cipher resulting from a correct operation and a cipher of the same initial message resulting from a faulty operation.
In the literature, little research has been devoted to the security of the TWINE against the DFA. The TWINE takes the generalized Feistelbased structure, and has neither a bit permutation nor a GaloisField matrix. Its basic components include the 4bit Sboxes, the XOR and the 4bitwise permutation (shuffle). And the diffusion layer is smaller than other ciphers with the same structure. Thus, it has a rather long diffusion path and maximizes the avalanche effect of the linear transformation. This kind of designing strengthens the security of the TWINE against the DFA attack. It makes the path of fault propagation more difficult to be analyzed. Thus, it is difficult to derive the relationship between the fault and the secret key of the TWINE.
We thus propose an effective DFA method to recover the secret key of the TWINE. It adopts the 4bit fault model. In the DFA attack, the attackers could induce a random error into the 64bit layer of the encryption, and thus obtain a faulty ciphertext. By differential analysis, the last subkey could be recovered. Then the attackers could decrypt the right ciphertext to obtain the input of the last round, which is the output of the penultimate round. They repeat the above procedure to recover more subkeys until the secret key is obtained by the key schedule. On this fault model and attacking procedure, our method can recover the secret key of the TWINE. The experiments show that using 8 errors and 18 faults on average could recover the 80bit and 128bit secret keys, respectively. To the best of our knowledge, it is the first work that a differential fault attack on the TWINE has been successfully put into practice. Compared with the classical cryptanalysis, the differential fault attack on the TWINE has a good performance in data complexity, time complexity and memory complexity, as
Table 1
shows.
Cryptanalysis of the TWINE
Cryptanalysis of the TWINE
This paper is organized as follows. Section 2 briefly introduces the TWINE. The next section describes the fault model and basic assumption, and proposes our DFA analysis to recover the secret key. Section 4 and 5 summarize the attacking complexity and the experimental results. Finally section 6 concludes the paper.
2. Description of the TWINE
The TWINE is a 64bit lightweight block cipher with two primary instances taking 80bit and 128bit secret keys. It has 36 rounds and is composed of the encryption, the decryption and the key schedule as
Fig. 1
shows
[10]
.
The structure of the TWINE
 2.1 Encryption
The encryption algorithm of the TWINE80 and the TWINE128 is described as
Table 2
shows.
The encryption of the TWINE
The encryption of the TWINE
Let
P
∈ ({0,1}
^{4}
)
^{16}
be the plaintext and
C
∈ ({0,1}
^{4}
)
^{16}
be the ciphertext, respectively. Let
RK
∈ ({0,1}
^{32}
)
^{36}
represent the concentration of 36 subkeys, and
RK^{i}
∈ ({0,1}
^{4}
)
^{8}
represent the
i
th subkey from the secret key
K
, with 1 ≤
i
≤ 36, respectively. Let
X^{i}_{j}
∈ {0,1}
^{4}
denote the
j
th 4bit input value in the
i
th round, with 1 ≤
i
≤ 36 and 0 ≤
j
≤ 15.
The round function consists of a substitution layer
S
using 8 4×4 Sboxes and a diffusion layer
π
permuting 16 blocks.
 2.2 Decryption
The decryption is the same as the encryption, including the subkeys with the reverse order.
 2.3 Key schedule
The secret key
K
is the input of a key schedule to produce the subkeys for every round. It divides an 80bit secret key and a 128bit secret key into 36 subkeys as
Table 3
and
Table 4
show, where
CON^{r}
and
represent 3bit constants with 1≤
r
≤ 35.
The key schedule for the TWINE80
The key schedule for the TWINE80
The key schedule for the TWINE128
The key schedule for the TWINE128
3. Differential Fault Analysis on the TWINE
 3.1 Notations
The following notations are used to describe the TWINE and its analysis.
Let
C
^{*}
∈ ({0,1}
^{4}
)
^{16}
and Δ
C
∈ ({0,1}
^{4}
)
^{16}
be the faulty ciphertext and the ciphertext difference, respectively.
Let Δ
X^{i}_{j}
∈ ({0,1}
^{4}
) represent the
j
th 4bit input difference in the
i
th round, with 1 ≤
i
≤ 36 and 0 ≤
j
≤ 15.
Let
A^{i}_{j}
,
B^{i}_{j}
, Δ
A^{i}_{j}
and Δ
B^{i}_{j}
denote the
j
th 4bit input, output, input difference and output difference of the substitution layer in the
i
th round with 1 ≤
i
≤ 36 and 0 ≤
j
≤ 7, respectively.
For the substitution layers, the relationships between the input differences and output differences of the Sbox layers are defined as follows:
where 1 ≤
i
≤ 36 and 0 ≤
j
≤ 7.
 3.2 Fault model and basic assumption
The DFA analysis exploits the differences between a normal ciphertext and a faulty ciphertext stemming from encryptions of the same plaintext. Our proposed fault model includes the following two assumptions: the attackers have the capability to choose one plaintext to encrypt and obtain the corresponding right and faulty ciphertexts (Chosen Plaintext Attack, CPA). Furthermore, the attackers could induce a 4bit error to one round of the encryption. In fact, the attackers could assume that the error is one bit or half a byte, and one bit is a special case of half a byte. It does not influence the attacking procedure. Both the value and the location of the error in this round are random. As for the attack, they could analyze a fault occurring near the end of the algorithm and assume the general random fault model where the fault modifies the processed data in a random way.
The attacking procedure is as follows: the right ciphertext is obtained when a plaintext is encrypted with a secret key. The attackers induce a random error in some round of the encryption and thus obtain a faulty ciphertext. The faults could be injected by either using the simulation in software implementation, or using radiation, Xray and microprobe in hardware implementation. By differential fault analysis, the value of the last subkey can be recovered. Then the attackers could decrypt the right ciphertext to obtain the input of the last round, which is the output of the penultimate round. At last they repeat the above procedure to deduce more subkeys until the secret key is obtained by the key schedule.
 3.3 Attacking Procedure
In this subsection, we apply the above basic idea and propose a novel differential fault analysis to recover the secret keys of the TWINE80 and the TWINE128. The analysis is split into the following successive steps for the TWINE.
Step
1. A ciphertext
C
is derived when an arbitrary plaintext
P
is encrypted with a secret key
K
.
Step
2. This step aims at recovering the last subkey
RK
^{36}
. A fault may be induced on either the input or the output of
F
function in the 31st round whereas the approach is identical in either case. Assume that the error is induced in the first
F
function in this round. Note that any modification of one 4bit error provokes the XORdifferences
These alter the original ciphertext
C
into the faulty ciphertext
C
^{*}
. There is no diffusion layer in the last round, so the input and output difference of the Sboxes in this round can be calculated as follows:
where
j
∈ {0,1,5,6}.The above equations, in conjunction with a pair of right faulty ciphertexts, allow to infer the relationship between input differences and output differences of the Sboxes. Thus, the differential transformation of Sboxes in the last round has
where
j
∈ {0,1,5,6}.The
j
th 4bit value of
A
^{36}
satisfies
Then the attackers do bruteforce search for the value of
to deduce
where
j
∈ {0,1,5,6}. This procedure leads to a list of candidates
and the value of
could be deduced as follows:
where
j
∈ {0,1,5,6}. Then the attackers could choose the inputs of other
F
functions in the 31st round to induce errors. So other values of the last subkey could be deduced by the similar method.
Table 5
lists the relationship between the fault locations of the
j
’th
F
function in the 31st round and the affected
j
th 4bit values in the last two subkeys, with 0 ≤
j
’ ≤ 7 and 0 ≤
j
≤ 7 .
The relationship between the fault locations and the affected 4bit values in the last two rounds.
The relationship between the fault locations and the affected 4bit values in the last two rounds.
Step
3. In this step, there are no errors induced. The attackers could make advantage of the errors in the previous step to deduce the penultimate subkey. They could decrypt the right ciphertext by the last subkey to obtain the output of the penultimate round. The input and output differences of the Sboxes in the penultimate round could be derived as follows:
and the value of
satisfies
where
j
∈ {0,5,6}. The attackers do bruteforce search for the value of
to deduce the input
of Sboxes in the penultimate round. The values of
could be deduced as below:
where
j
≤ {0,5,6}. So other values of the penultimate subkeys could be deduced by the similar method.
Table 5
lists the relationship between the fault locations of the
j
’th F function in the 31st round and the affected
j
th 4bit values in the penultimate subkey with 0 ≤
j
’ ≤ 7 and 0 ≤
j
≤ 7 . If the key size is 80 bits, then the attacking procedure jumps step 5; else it jumps step 4.
Step
4. The attackers could make advantage of the previous two steps to derive the output of the 34th round, and induce faults the similar locations into the 29th round. After computing the input differences and output differences of the Sboxes, all bytes of
RK
^{34}
and
RK
^{33}
could be deduced.
Step
5. As for the TWINE80, the last two subkeys could be recovered as follows:
So the remaining 16 bits of
WK
_{5}

WK
_{7}

WK
_{8}

WK
_{17}
could be derived by the bruteforce search. The 80bit secret key is calculated by
As for the TWINE128, the attackers could derive the last four subkeys as follows:
So the remaining 8 bits of
WK
_{1}

WK
_{15}
could only be derived by the bruteforce search. Eventually the 128bit secret key is calculated by
4. Attacking Complexity
We summarize the attacking procedure to select subkey candidates for a secret key. The time complexity of bruteforce search for one fault injection is
where
σ
denotes the size of the substitution layer and
ω
denotes the input size of one Sbox. In addition, an estimation of the number of faults necessary for the attack to be successful is vital. In the attacking procedure, the number of faulty ciphertexts to recover a subkey depends on the fault location and the fault model.
We take the derivation of
RK
^{36}
as an example. On the definition of an Sfunction, if
A
^{36}
is a candidate,
A
^{36}
⊕ Δ
A
^{36}
may be another subkey candidate. In other words, if the input candidates set of Sboxes is not null, the input
A
^{36}
may have several candidates. It indicates
RK
^{36}
may have some possible elements.
In the fault model, a random error could be induced at any round of the encryption. If the fault occurs in the last round, only 4 bits in the input of the Sbox will change, which could recover at most 4 bits of the last subkey by DFA. To recover the last subkey, it is necessary to induce many errors into different
F
functions.
If the fault is induced at an ideal location before the last round, then the input difference and output difference of the Sboxes in this round contain only one nonzero 4bit value. However, the output difference of
π
has multibytes owing to the diffusion of linear transformation. Thus, the input difference of the Sboxes in the last round contains multibytes after the computation of the last several rounds. The above idea is applied in the attacking procedure to improve the efficiency of fault injection.
Since at least two faults can make one element in the intersection of
RK
^{36}
, the attackers continue deriving intersection of subkey candidates sets until the intersection has only one element. Thus, at least two faulty ciphertexts are required to derive multibytes of one subkey. The theoretical minimum number of faulty ciphertexts to recover one subkey is defined as
where
σ
represents the size of the substitution layer, and
τ
represents the maximum number of bits in a subkey derived by two faulty ciphertexts. To derive the subkey, the value of
τ
equals the number of bits in the nonzero output difference of the nonlinear transformation in this round. If
τ
= 0 , then there is no bits of a subkey derived and thus
ϕ
= 0 .
To recover a secret key, the time complexity is
the data complexity is
chosen plaintextciphertext pairs, and the memory complexity is
where
δ
denotes the number of subkeys to recover a secret key,
σ
represents the size of the substitution layer,
ω
denotes the input size of one Sbox,
τ
represents the maximum number of bits in a subkey derived by two faulty ciphertexts,
v
denotes the size of the secret key, and
η
represents the number of bits in the secret key derived by the DFA. If
τ
= 0 , then there is no bits of a subkey derived and thus
η
= 0 .
To recover the 80bit secret key in theory, the time complexity is 2
^{16.59}
, the data complexity is 2
^{3.17}
chosen plaintextciphertext pairs, and the memory complexity is 2
^{16.01}
, where
ω
=4,
σ
= 64,
τ
= 16,
δ
=2,
η
=64,
v
=80 and
ϕ
=8. To recover the 128bit secret key in theory, the time complexity is 2
^{16.01}
, the data complexity is 2
^{4.09}
chosen plaintextciphertext pairs, and the memory complexity is 2
^{8.98}
, where
ω
=4,
σ
=64,
τ
=16,
δ
=4,
η
=120,
v
=128 and
ϕ
=8.
5. Experimental Results
We implemented our attack on a PC using Visual C++ 8.0 Compiler on a 2.53 GHz celeron with 2GB memory. The fault induction was simulated by computer software. In this situation, we ran the attacking algorithm to 1000 encryption units with different random generated keys. The experiments are divided as 5 groups in average, denoted as G
_{1}
, G
_{2}
, G
_{3}
, G
_{4}
and G
_{5}
.
Fig. 2
and
Fig. 3
show the number of bits recovered in the 80bit and 128bit versions in intersections of candidates to recover the secret keys. The xcoordinate represents the number of experiments and the ycoordinate represents the number of the recovered bits of the secret key. In
Fig. 2
, the colored lines denote the number of the recovered bits of the secret key in the 3rd, 6th, 9th and 12th intersections of TWINE80, respectively. In
Fig. 3
, the colored lines denote the number of the recovered bits of the secret key in the 3rd, 6th, 9th, 12th, 15th, 18th, 21st and 24th intersections of TWINE128, respectively. We define accuracy, reliability and latency for evaluating the experimental results in detail.
Number of bits recovered in TWINE–80
Number of bits recovered in TWINE128
Accuracy is a metric that defines how close the number of the secret key is to the true number of subkey candidates. Basically, the closer the experimental number of the secret key candidates is to the true number, the more accurate the experiment is. Thus, we consider the Root MeanSquare Error (RMSE) to measure the accuracy, where RMSE is given by
where
N
denotes the number of experiments in a set,
e
represents the index of the experiment,
h_{true}
denotes the number of bits in the secret key, and
h_{measured}
represents the number of bits recovered in the secret key candidates. As we know, the values of
h_{true}
are 64 bits for the 80bit version and 120 bits for the 128bit version. The closer the RMSE value is to 0, the more accurate the experiments are. The RMSE values for every intersections of subkey candidates are shown in
Table 6
and
Table 7
, where
N
=200,
e
∈{1, …, 1000} and
h_{true}
∈{64,120}. For example, to compute the RMSE value of G
_{1}
in the 3rd intersection, it is observed that
h_{measured}
(
e
) represents the values of the red line shown in
Fig. 2
,
N
=200,
e
∈{1, …, 200} and
h_{true}
=64. Thus，the RMSE value of G
_{1}
in the 3rd intersection is 5.57. In the same way, all values of RMSE could be derived in
Table 6
. Eventually, the values of RMSE in 12th intersection for the 80bit version and in the 24th intersection for the 128bit version are both zero, so we could derive the secret keys in the corresponding intersections. That is, at most 13 and 25 faulty ciphertexts are required to recover secret keys for the two versions, respectively. Furthermore, the accuracy in every group for the same interaction is similar or equal.
Accuracy by RMSE for the the TWINE–80
Accuracy by RMSE for the the TWINE–80
Accuracy by RMSE for the the TWINE–128
Accuracy by RMSE for the the TWINE–128
Reliability is the ratio of successful experiments out of all experiments made. If the attackers could derive only one secret key, we consider that the experiment is successful. Referring to
Table 8
and
Table 9
, one can observe the ratios of successful experiments in every intersection for the 80bit and the 128bit versions. The experimental results show that 12 intersections are enough to recover the secret key for the 80bits version and 24 intersections are enough for the 128bits version. That is, the reliability is 100% if the attackers induce at most 13 and 25 random faults to break a secret key for the two versions, respectively. Furthermore, the reliability in every group for the same interaction is similar or equal.
Reliability for the the TWINE–80
Reliability for the the TWINE–80
Reliability for the the TWINE–128
Reliability for the the TWINE–128
Latency is the time to the recovery the secret key in our software simulation. It is measured in seconds for the 80bit version and in 0.01 seconds for the 128bit version.
Fig. 4
and
Fig. 5
show the time of 1000 experiments. The DFA could break the TWINE by recovering 64 bits of the 80bit secret key and 120 bits of the 128bit secret key, respectively. The bruteforce search could be applied in deriving the remaining 16 bits of the 80bit secret key and the remaining 8 bits of the 128bit secret key, respectively. According to the experiment results, the whole attacking procedure requires 4.4s and 0.046s on average to recover the secret keys. The time in the bruteforce search of the remaining 16 bits is more than that of the remaining 8 bits. Thus, the whole time of breaking the TWINE80 is more than that of breaking the TWINE128.
Latency in attacking the TWINE–80
Latency in attacking the TWINE–128
Referring to the experimental results, breaking the TWINE80 requires at least 6 faulty ciphertexts and at most 13 faulty ciphertexts. The average number of the faulty ciphertexts of the TWINE80 is 8. And breaking the TWINE128 requires at least 12 ciphertexts and at most 25 faulty ciphertexts. The average number of the faulty ciphertexts of the TWINE128 is 18.
On the basis of the number of faulty ciphertexts in our simulated experiments, the overall time complexities are
and
to break the TWINE80 and TWINE128, respectively.
The data complexities in practice are
and
chosen plaintextcipertext pairs to break the TWINE80 and TWINE128 by the DFA, respectively.
The memory complexities in practice are
and
to break the TWINE80 and TWINE128 by the DFA, respectively.
6. Conclusion
As for the fault analysis on lightweight block ciphers, current studies have been published regarding mathematical analysis on cryptographic algorithms, fault injection on cryptographic algorithm in software implementation, fault injection on cryptographic algorithm in hardware implementation. This paper examines fault injection on the TWINE in software implementation. It shows that the TWINE is vulnerable to the differential fault analysis. In the 4bit fault model, only 8 and 18 ciphertexts on average is required to obtain the 80bit and 128bit secret keys of the TWINE, respectively. Our work provides a new reference to fault analysis on other lightweight cryptosystems.
In consequence, we are working on fault injection and detection on the TWINE in hardware implementation. Furthermore, future analysis should be able to support more fault locations of the TWINE, such as the key schedule.
BIO
Wei Li is currently an associate professor in School of Computer Science and Technology, Donghua University. She was awarded as B.S. degree in engineering from Anhui University in 2002, and her M.S. degree and Ph.D. degree in engineering in 2006 and 2009, both from Shanghai Jiao Tong University. She serves as the member for CACR (China Association of Cryptologic Research), CCF (China Computer Federation) and ACM. Her research interests include the design and analysis of symmetric ciphers.
Wenwen Zhang is currently a Master candidate in School of Computer Science and Technology, Donghua University. Her research interests include security analysis of symmetric ciphers .
Dawu Gu is a professor at Shanghai Jiao Tong University in Computer Science and Engineering Department. He was awarded a B.S. degree in applied mathematics in 1992, and a Ph.D. degree in cryptograpgy in 1998, both from Xidian University of China. He serves as technical committee members for CACR (China Association of Cryptologic Research) and CCF (China Computer Federation), also as the members of ACM, IACR, IEICE. He was the winner of New Century Excellent Talent Program made by Ministry of Education of China in 2005. He has been invited as Chairs and TPC members for many international conferences like EForensics, ISPEC, ICIS, ACSA, CNCC, etc. His research interests cover cryptology and computer security. He has got over 100 scientific papers in academic journals and conferences.
Zhi Tao is currently a Master candidate in School of Computer Science and Technology, Donghua University. His research interests include security analysis of lightweight ciphers.
Zhihong Zhou is a lecturer in Shanghai Key Laboratory of Integrate Administration Technologies for Information Security, Shanghai Jiao tong Univeristy. He was awarded his Ph.D. degree from Zhejiang Univeristy in 2005. His research interests include security analysis of the Internet of Things.
Ya Liu is currently a lecturer in Department of Computer Science and Engineering, University of Shanghai for Science and Technology. She was awarded her Ph.D. degree from Shanghai Jiao Tong University in 2013. Her research interests include the design and analysis of symmetric ciphers and computational number theory.
Zhiqiang Liu is now a Postdoc in the department of Computer Science and Engineering, Shanghai Jiao Tong University. He received his B.S. degree and M.S. degree in Mathematics, and Ph.D. degree in Cryptography from Shanghai Jiao Tong University in 1998, 2001 and 2012 respectively. From 2001 to 2008, he worked in ZTE, Alcatel and VLI in the realm of NextGeneration Network (NGN)/IP Multimedia Subsystem (IMS). Currently, his research interests include cryptanalysis and design of block ciphers and hash functions.
Kocher P.
“Timing attacks on implementations of DiffieHellman, RSA, DSS, and other systems,”
in Proc. of 16th Annual Int. Cryptology Conf
August 1822, 1996
104 
113
Kocher P.
,
Jaffe J.
,
Jun B.
“Differential power analysis,”
in Proc. of 19th Annual Int. Cryptology Conf.
August 1519, 1999
388 
397
Kim H. C.
,
Quisquater J.J.
2007
“Faults, injection methods, and fault attacks,”
IEEE Des. Test Comput.
24
(6)
544 
545
DOI : 10.1109/MDT.2007.186
Joye M.
,
Quisquater J. J.
,
Yen S. M.
,
Yung M.
“Observability analysisdetecting when improved cryptosystems fail,”
in Proc. of Cryptographer's Track RSA Conf.
February 1822, 2002
17 
29
Lin I. C.
,
Chang C. C.
2007
“Security enhancement for digital signature schemes with fault tolerance in RSA,”
Inform. Sciences
177
(19)
4031 
40369
DOI : 10.1016/j.ins.2007.03.035
Kelsey J.
,
Schneier B.
,
Wagner D.
,
Hall C.
“Side channel cryptanalysis of product ciphers,”
in Proc. of 5th European Symp. Research Comp. Security
September 1618, 1998
97 
110
Erich W.
,
Johann G.
“An 8bit AVRbased elliptic curve cryptographic RISC processor for the internet of things,”
in Proc. of 45th Annual Int. Symposium on Microarchitecture
December 15, 2012
39 
46
Zhang K.
,
Ding L.
,
Li J.
2012
“Real time related key attack on Hummingbird2,”
KSII T. Internet Inf.
6
(8)
1946 
1963
Cui T.
,
Jin C.
2013
“Finding impossible differentials for Rijndaellike and 3Dlike Structures,”
KSII T. Internet Inf.
7
(3)
509 
521
Suzaki T.
,
Minematsu K.
,
Morioka S.
,
Kobayashi E.
“TWINE: a lightweight block cipher for multiple platforms,”
in Proc. of 19th Int. Conf. Selected Areas in Cryptography
August 1516, 2012
339 
354
Karako F.
,
Demirci H.
,
Harmanc A. E.
2013
“Biclique cryptanalysis of LBlock and TWINE,”
Infor. Processing Letters
113
(12)
423 
429
DOI : 10.1016/j.ipl.2013.03.011
Coban M.
,
Karako F.
,
Boztas O.
“Biclique cryptanalysis of TWINE,”
in Proc. of 11th Int. Conf. Cryptology Network Security
December 1214, 2012
43 
45
Coban M.
,
Karako F.
,
Boztas O.
“Multidimensional meetinthemiddle attacks on reducedround TWINE128,”
in Proc. of 2nd Int. Workshop on Lightweight Cryptography for Security and Privacy
May 67, 2013
55 
67
Boneh D.
,
DeMillo R. A.
,
Lipton R. J.
“On the importance of checking cryptographic protocols for faults,”
in Proc. of Int. Conf. Theory Application Cryptographic Techniques
May 1115, 1997
37 
51
Boneh D.
,
DeMillo R. A.
,
Lipton R. J.
2001
“On the importance of eliminating errors in cryptographic computations,”
J. CRYPTOL
14
(2)
101 
119
DOI : 10.1007/s001450010016
Biham E.
,
Shamir A.
“Differential fault analysis of secret key cryptosystems,”
in Proc. of 17th Annual Int. Cryptology Conf.
August 1519, 1997
513 
525
Bertoni G.
,
Breveglieri L.
,
Koren I.
,
Maistri P.
,
Piuri V.
2003
“Error analysis and detection procedures for a hardware implementation of the Advanced Encryption Standard,”
IEEE T. Comput.
52
(4)
492 
505
DOI : 10.1109/TC.2003.1190590
Dusart P.
,
Letourneux G.
,
Vivolo O.
“Differential fault analysis on A.E.S,”
in Proc. of 1st Int. Conf. Applied Cryptography and Network Security
October 1619, 2003
293 
306
Giraud C.
“DFA on AES,”
in Proc. of 4th Int. Conf. Advanced Encryption Standard
May 1012, 2004
27 
41
Moradi A.
,
Shalmani M. T. M.
,
Salmasizadeh M.
“A generalized method of differential fault attack against AES cryptosystem,”
in Proc. of 8th Int. Workshop on Cryptographic Hardware and Embedded Systems
October 1013, 2006
91 
100
Gilles P.
,
Quisquater J. J.
“A differential fault attack technique against SPN structures, with application to the AES and KHAZAD,”
in Proc. of 5th Int. Workshop on Cryptographic Hardware and Embedded Systems
September 810, 2003
77 
88
Christophe C.
,
Benedikt G.
,
Ingrid V.
“Fault analysis study of IDEA,”
in Proc. of Cryptographers' Track at the RSA Conf.
April 811, 2008
247 
287