In this work, we introduce fault attacks on PRESENT with faulty ciphertexts-only. In contrast to current differential fault attacks on PRESENT, which are mostly chosen-plaintext attacks, our fault attacks do not require knowledge of the plaintexts to recover the secret key. This is a typical scenario when plaintexts are not easily accessible to the attacker, as in the case of smart devices for the upcoming Internet-of-Things (IoT) era, where input data are mostly assembled within the cryptographic device, or when protocol-level countermeasures are deployed to explicitly prevent chosen-plaintext attacks. Our attacks work under the assumption that the attacker is able to bias the (nibble-wise) distribution of intermediate states in the final rounds of PRESENT by careful fault injections. To support our statements, we provide a detailed simulation analysis to estimate the practical attack complexities of (faulty) ciphertext-only fault attacks on PRESENT-80, discussing different fault injection scenarios. In the best-case analysis (worst-case security scenario), only two faulty ciphertexts and negligible computational time are required to recover the entire secret key.