ExtPFA - Extended Persistent Fault Analysis for Deeper Rounds of Bit Permutation Based Ciphers with a Case Study on GIFT.

Persistent fault analysis (PFA) has emerged as a potent fault analysis technique that can recover the secret key by influencing ciphertext distribution. PFA employs the persistent fault model that alters algorithm constants such as Sbox elements, and the fault endures until the system restarts. As the PFA fault model does not require high precision and controllability to carry out the attack, it has gained considerable attention from the cryptography research community. However, most of the research work highlights its application for investigating only the last round, albeit a persistent fault impacts all internal rounds too. In this work, we present an extension of the original PFA to recover deeper round keys of Substitution bit-Permutation Network (SbPN) based ciphers by leveraging its capability to affect every round. We use GIFT cipher as a case study and show the effectiveness of the proposed approach through simulation. We could recover the full master keys of both the GIFT cipher versions by retrieving the round keys up to the depth 2 and 4 for GIFT-128 and GIFT-64, respectively. We also analyzed the success rate of our approach on both the versions in two dimensions: Depth-wise and Hamming distance-wise . We observed that the number of ciphertexts required to recover the round key increases exponentially as we move deeper from the final round. Furthermore, the number of required ciphertexts to recover the key increases exponentially with Hamming distance between indexes of two identical elements in faulty Sbox. In GIFT-64, for Hamming distance of value 1 between the indexes, the round keys can be recovered in approximately 110, 290, and 750 ciphertexts for round number 28, 27, and 26, respectively, with a 100% success rate. For round 25, around 2000 ciphertexts are sufficient to recover the round key in 90% of the cases out of 1000 experiments. For GIFT-128, around 200 ciphertexts are enough to extract the last round key for the Hamming distance of value 1. For 39 th round, the round key can be recovered with a 100% success rate in roughly 380, 575, and 1100 ciphertexts for the Hamming distance 1, 2, and 3, respectively. However, for the same round with Hamming distance of value 4, the success rate is 75% for around 2000 ciphertexts.