SCADFA: Combined SCA+DFA Attacks on Block Ciphers with Practical Validations

We present the first practically realizable side-channel assisted fault attack on any block-ciphers having bit-permutation with optimal diffusion, that can retrieve the round key efficiently using random nibble faults. The attack demonstrates how side-channel leakage can allow the adversary to precisely determine the fault mask resulting from a nibble fault injection instance. We first demonstrate the viability of such attack model via side-channel analysis experiments on top of a laser-based fault injection setup, targeting a PRESENT-80 and GIFT-128 (two popular block-ciphers based on bit-permutation having optimal diffusion) implementation on an ATmega328P microcontroller. Subsequently, we present a differential fault analysis (DFA) exploiting the knowledge of the output fault mask in the target round to recover multiple last round keys nibbles independently and in parallel. We show that the combined attack can recover the last round key of PRESENT-80 and GIFT-128 with 4 random nibble fault injections in the best case. In the average case, the number of random nibble faults required for PRESENT-80 and GIFT-128 are 9-18 and 6-9 respectively.