1) PRESENT Encryption Process

For PRESENT, the encryption process can be divided into three parts: the round key or layer, the nonlinear S-box substitution layer and the linear P permutation layer.

1. Round key xor layer: the input of the $i^{\mathrm {th}}$ round $B_{i} =b_{63}^{i} b_{62}^{i} \cdots b_{2}^{i} b_{1}^{i} b_{0}^{i}$ and the 64-bit round key $K_{i} =k_{63}^{i} k_{62}^{i} \cdots k_{2}^{i} k_{1}^{i} k_{0}^{i}$ of the $i^{\mathrm {th}}$ round carries out xor operation, and the output is $B_{i}^{\prime }$ .

   $$\begin{equation*} B_{i}^{\prime } =B_{i} \oplus K_{i},\quad (0\le i\le 31)\tag{1}\end{equation*}$$ View Source\begin{equation*} B_{i}^{\prime } =B_{i} \oplus K_{i},\quad (0\le i\le 31)\tag{1}\end{equation*}

2. Nonlinear S-box substitution layer: divide the above 64-bit output $B_{i}^{\prime }$ into 16 4-bit nibbles represented by $W_{15} W_{14} \cdots W_{0}$ , where $W_{j} =b_{4j+3} \vert \vert b_{4j+2} \vert \vert b_{4j+1} \vert \vert b_{4j},(0\le j\le 15)$ . PRESENT requires 16 identical 4-bit S-boxes with 4-bit inputs and 4-bit outputs. And $W_{j}$ were substituted with the 16 S-boxes respectively, to obtain $S(W_{j})$ . The calculation results of S-box can be obtained from Table 1:

3. Linear P permutation layer: after obtaining the S-box substitution value, each bit is linearly rearranged according to the P permutation table to obtain $P(\cdot)$ . The permutation result of the P permutation layer can be obtained the Table 2 below.

TABLE 1 S-Box Substitution of PRESENT

TABLE 2 P Permutation Layer of PRESENT

2) GIFT Encryption Process

For GIFT, the encryption process can also be divided into three layers: the nonlinear S-box substitution layer, the linear P permutation layer, the key and constant xor layer. The S-box substitution layer and P permutation layer of GIFT are similar to the PRESENT transformation rule. Except for the transformation value, the S-box substitution table and P layer replacement table of GIFT are given, as shown in Table 3 and Table 4 respectively:

TABLE 3 S-Box Substitution of GIFT

TABLE 4 P Permutation Layer of GIFT

For the key and constant xor layer of GIFT, it contains two parts which are round key and round constant. Round key xor means that 32 bits are selected from the 128-bit key set as the round key for xor operation, and the extracted key is divided into two parts, which are expressed as:

View Source\begin{equation*} K_{i} =U_{i} \vert \vert V_{i} =u_{15}^{i} \cdots u_{0}^{i} \vert \vert v_{15}^{i} \cdots v_{0}^{i}\tag{2}\end{equation*}

Perform xor operation between $U_{i}$ and $V_{i}$ on the output of P permutation layer respectively, namely:

View Source\begin{equation*} b_{4j+1}^{i} \!\leftarrow \! b_{4j+1}^{i} \!\oplus \! u_{r}^{i},\quad b_{4j}^{i} \!\leftarrow \! b_{4j}^{i} \!\oplus \! v_{r}^{i},~0\!\le \! r\!\le \! 15\tag{3}\end{equation*}

The cyclic constant xor operation refers to the xor bit 63, bit 23, bit 19, bit 15, bit 11, bit 7 and bit 3 from the P permutation layer between a bit value “1” and a length of 6 bits round constant $L_{i} =l_{5}^{i} l_{4}^{i} l_{3}^{i} l_{2}^{i} l_{1}^{i} l_{0}^{i}$ , namely:

View Source\begin{align*} b_{63}^{i}\leftarrow&b_{63}^{i} \oplus 1,\quad b_{23}^{i} \leftarrow b_{23}^{i} \oplus l_{5}^{i} \\ b_{19}^{i}\leftarrow&b_{19}^{i} \oplus l{}_{4}^{i},\quad b_{15}^{i} \leftarrow b_{15}^{i} \oplus l{}_{3}^{i} \\ b_{11}^{i}\leftarrow&b_{11}^{i} \oplus l{}_{2}^{i},\quad b_{7}^{i} \leftarrow b_{7}^{i} \oplus l{}_{1}^{i} \\ b_{3}^{i}\leftarrow&b_{3}^{i} \oplus l{}_{0}^{i}\tag{4}\end{align*}

1) Round Key Update Scheme of PRESENT

The key expansion method of PRESENT includes cyclic shift and S-box substitution. Firstly, the initial key $K_{0} =k_{79}^{0} k_{78}^{0} \cdots k_{2}^{0} k_{1}^{0} k_{0}^{0}$ is saved in the shift register. The round key of the $i^{\mathrm {th}}$ round is to take the left 64bit in the current register:

View Source\begin{equation*} K_{i} =k_{63}^{i} k_{62}^{i} \cdots k_{2}^{i} k_{1}^{i} k_{0}^{i} =k_{79}^{i} k_{78}^{i} \cdots k_{21}^{i} k_{20}^{i} k_{19}^{i}\tag{5}\end{equation*}

The specific steps are as follows:

1. First, loop the key to the left 61 bits in the register:

   $$\begin{equation*} K\ll < 61\tag{6}\end{equation*}$$ View Source\begin{equation*} K\ll < 61\tag{6}\end{equation*}

2. Then, the left 4-bit value was used for S-box substitution operation:

   $$\begin{equation*} K[{79-76}]\leftarrow S(K[{79-76}])\tag{7}\end{equation*}$$ View Source\begin{equation*} K[{79-76}]\leftarrow S(K[{79-76}])\tag{7}\end{equation*}

3. Finally, operate the bitwise xor on $k_{19} k_{18} k_{17} k_{16} k_{15}$ in the round key and the counter number:

   $$\begin{equation*} K[{19-15}]\leftarrow K[{19-15}]\oplus RC^{i}\tag{8}\end{equation*}$$ View Source\begin{equation*} K[{19-15}]\leftarrow K[{19-15}]\oplus RC^{i}\tag{8}\end{equation*}

2) Round Key Update Scheme of GIFT

a: Round Key

The round key extraction rule of GIFT is extracted first and then updated. The updating method is as follows:

$$\begin{equation*} t_{7} \vert \vert t_{6} \vert \vert \cdots \vert \vert t_{1} \vert \vert t_{0} \leftarrow t_{1} \gg >2\vert \vert t_{0} \gg >12\vert \vert \cdots \vert \vert t_{3} \vert \vert t_{2}\tag{9}\end{equation*}$$ View Source\begin{equation*} t_{7} \vert \vert t_{6} \vert \vert \cdots \vert \vert t_{1} \vert \vert t_{0} \leftarrow t_{1} \gg >2\vert \vert t_{0} \gg >12\vert \vert \cdots \vert \vert t_{3} \vert \vert t_{2}\tag{9}\end{equation*} where $t$ is a 16-bit word.

b: Round Constant

The initial value of the 6-bit round constant is 0, which needs to be updated through a 6-bit shift register. The update function is as follows:

$$\begin{equation*} (l_{5},l_{4},l_{3},l_{2},l_{1},l_{0})\leftarrow (l_{4},l_{3},l_{2},l_{1},l_{0},l_{5} \oplus l_{4} \oplus l_{1})\tag{10}\end{equation*}$$ View Source\begin{equation*} (l_{5},l_{4},l_{3},l_{2},l_{1},l_{0})\leftarrow (l_{4},l_{3},l_{2},l_{1},l_{0},l_{5} \oplus l_{4} \oplus l_{1})\tag{10}\end{equation*}

Round constants of different rounds are in the Table 5.

TABLE 5 Round Constants of GIFT

1) S-Box Differential Property

If there are $\Delta \alpha =\Gamma _{2}^{4}$ , $\Delta \beta =\Gamma _{2}^{4}$ , $m=\Gamma _{2}^{4}$ . $\Delta \alpha$ is the differential input of S-box, and $\Delta \beta$ is the differential output of S-box, which satisfy: $S(m\oplus \Delta \alpha)\oplus S(m)=\Delta \beta$ . Through calculation, the S-box differential property of PRESNET is obtained as shown in Table 6. Num($\Delta \alpha, \Delta \beta$ ) is the number of $m$ that satisfy the equation $S(m\oplus \Delta \alpha)\oplus S(m)=\Delta \beta$ .

TABLE 6 S-Box Differential Distribution Property of PRESENT

When $Num(\Delta \alpha,\Delta \beta)=0$ is satisfied, $S(m\oplus \Delta \alpha)\oplus S(m)=\Delta \beta$ has no solution. As can be seen from Table 6, of having no solution is 62.1%. Similarly, the probability of the equation having two solutions is 28.2%, the probability of the equation having four solutions is 9.3%, and the probability of the equation having 16 solutions is 0.4%. If we only consider the case where the equation has solutions, namely $Num(\Delta \alpha,\Delta \beta)\ne 0$ , we can get that 74.2% of the probability equation has two solutions, 24.1% of the probability equation has four solutions, and 1.1% of the probability equation has 16 solutions. Therefore, the average number of solutions can be calculated to be 2.648(= 1.484 + 0.998 + 0.276).

2) P Permutation Layer Property

Every four consecutive nibbles are divided into a group(from left to right are Group1, Group 2, Group 3 and Group 4), then each nibble will spread to four different nibbles after P permutation layer. In addition, 4 nibbles from the same group will be diffused to the same four nibbles, and nibbles diffused by different groups will not cross and repeat, so the position of nibble fault can be determined by positions of the diffusion. The specific diffusion locations for each group of nibbles are shown in Table 7:

TABLE 7 P Layer Law of PRESENT

According to the characteristics of four nibbles diffusion positions in each group, the import position of the fault can be determined. Therefore, this article proposes a method of nibble DFA on PRESENT in Chapter IV.

1) S-Box Differential Property

In the same way that PRESENT differential properties were analyzed, GIFT’s S-box differential distribution law can be obtained, as shown in Table 8.

TABLE 8 S-Box Differential Distribution Property of GIFT

Similarly, when $Num(\Delta \alpha,\Delta \beta)=0$ is satisfied, $S(m\oplus \Delta \alpha)\oplus S(m)=\Delta \beta$ has no solution. As can be seen from Table 8, of having no solution is 61.3%. And then, the probability of the equation having two solutions is 30.5%, the probability of the equation having four solutions is 3.1%, the probability of the equation having four solutions is 0.8%, and the probability of the equation having 16 solutions is 0.4%. If we only consider the case where the equation has solutions, namely $Num(\Delta \alpha,\Delta \beta)\ne 0$ , we can get that 78.8% of the probability equation has two solutions, 18.2% of the probability equation has four solutions, 2.0% of the probability equation has four solutions, and 1.0% of the probability equation has 16 solutions. Therefore, the average number of solutions can be calculated to be 2.584(= 1.576 + 0.728 + 0.120 + 0.160).

2) Permutation Layer Property

According to Table 4, the displacement law of P permutation layer of GIFT is analyzed. The specific diffusion locations for each group of nibbles are shown in Table 9:

TABLE 9 P Layer Law of GIFT

According to the characteristics of four nibbles diffusion positions in each group, the import position of the fault can be determined. Therefore, this article proposes a method of nibble DFA on GIFT in Chapter IV.

1) Attack Model and Principle of PRESENT

Because PRESENT’s S-box is a nonlinear substitution of 4-bit input and output, this article chooses to import a nibble fault to construct attack model. Depending on the attack hypothesis and the actual situation, we usually only get the last round of ciphertext. Therefore, we first chose to import random failure in the 31^th round before the S-box operation.

After randomly choosing a set of plaintext and key and get the correct ciphertext by encryption. The fault is imported in the any nibble group of the 31^th round, and some features of ciphertext are obtained by combining the characteristics of DFA. Furthermore, through the reverse process of the encryption, the partial round key is deduced. By repeating the process several times with the same ciphertext, the partial key will be recovered in a unique value. And then, attack the other three groups of nibbles of the 31^th round in the same way until the 64-bit round key is recovered. We can reverse the ciphertext of the 30^th round according to the key of 31^th round, and then use the same attack method to recover the key of the 30^th round. According to the PRESENT key update scheme, the complete 80-bit original key can be derived by two consecutive round keys.

2) Specific Steps of Attack

1. Generate plaintext $B$ and a round key $K$ randomly, and the correct ciphertext $C_{31}$ is obtained after 31 rounds of encryption by PRESENT.

2. Use the original plaintext $B$ and key $K$ for encryption. In the 31^th round of encryption, a random nibble fault is induced in the S-box of PRESENT. The wrong ciphertext $C_{31}^{\ast }$ is obtained and the differential operation with the correct ciphertext in the 31^st round is performed to obtain the differential error ciphertext:

   $$\begin{equation*} \Delta C_{31}^{\ast } =C_{31} \oplus C_{31}^{\ast }\tag{11}\end{equation*}$$ View Source\begin{equation*} \Delta C_{31}^{\ast } =C_{31} \oplus C_{31}^{\ast }\tag{11}\end{equation*}

   Import a fault in the first nibble on the left side $x^{15}_{31}$ of Group 1 as an example, and output the differential result in the form of ($\Delta c_{15,31}^{\ast }$ , 0, 0, 0, $\Delta c_{11,31}^{\ast }$ , 0, 0, 0, $\Delta c_{7,31}^{\ast }$ , 0, 0, 0, $\Delta c_{3,31}^{\ast }$ , 0, 0, 0).

3. Through the correct ciphertext and the wrong ciphertext, find the fault S-box, and differential output:

   $$\begin{equation*} \Delta Y_{31} =P^{-1}(\Delta C_{31}^{\ast })\tag{12}\end{equation*}$$ View Source\begin{equation*} \Delta Y_{31} =P^{-1}(\Delta C_{31}^{\ast })\tag{12}\end{equation*}

4. Because it is a fault attack on the input of the first S-box, $\Delta Y_{31}$ has only one non-zero nibble $\Delta y_{31}^{15}$ . List the S-box differential equation:

   $$\begin{equation*} \Delta y_{31}^{15} =S(x_{31}^{15})\oplus S(x_{31}^{15} \oplus \Delta x_{31}^{15})\tag{13}\end{equation*}$$ View Source\begin{equation*} \Delta y_{31}^{15} =S(x_{31}^{15})\oplus S(x_{31}^{15} \oplus \Delta x_{31}^{15})\tag{13}\end{equation*}

   $\Delta x_{31}^{15}$ has 2⁴ = 16 possible values, and then 16 values are exhausted and solve the values of $x_{31}^{15}$ , which satisfy (13). Furthermore, store the calculated $x_{31}^{15}$ in a set M₁.

5. According to the analysis of the S-box property of PRESENT(Table 6), there may be more than one matching result, so attack steps (2)~(4) will be continuously repeated until set M₁ to reserve only one nibble, which is the correct $x_{31}^{15}$ .

6. Repeat (2)~(5), and attack the other three nibbles in Group 1 in the same way to get other 4-bit input differential value of S-box $x_{31}^{11},x_{31}^{7}$ and $x_{31}^{3}$ .

7. Repeat (2)~(6), and attack other nibbles in Group 2, Group 3 and Group 4 in turn to until the 64-bit input differential value of S-box $\Delta X_{31}$ is recovered.

8. Through the following formula, 64-bit round key $K_{31}$ is obtained.

   $$\begin{equation*} K_{31} =P(S(\Delta X_{31}))\oplus C_{31}\tag{14}\end{equation*}$$ View Source\begin{equation*} K_{31} =P(S(\Delta X_{31}))\oplus C_{31}\tag{14}\end{equation*}

9. Similarly, DFA on PRESENT in the 30^th round, and steps (2)~(8) are repeated to recover the key $K_{30}$ .

10. Based on the recovered two successive rounds of key $K_{30}$ and $K_{31}$ , the PRESENT original 80-bit key is rolled out.

1) Attack Model and Principle of GIFT

Because GIFT’s S-box is a nonlinear substitution of 4-bit input and output, this article chooses to import a nibble fault to construct attack model. Similar to PRESENT, we first chose to import random failure in the 28^th round before the S-box operation.

In the same way, the failure is imported at the 28^th round of the GIFT encryption process and the 32-bit round key is recovered using the same method as PRESENT. According to the GIFT key update scheme, a complete 128-bit original key can be derived by four consecutive round keys. Therefore, the 128-bit original key of GIFT is derived by using the same steps to obtain their round keys for the 25^th, 26^th and 27^th rounds respectively.

2) Specific Steps of Attack

1. Generate plaintext $B$ and a round key $K$ randomly, and the correct ciphertext $C_{28}$ is obtained after 28 rounds of encryption by GIFT.

2. Use the original plaintext $B$ and key $K$ for encryption. In the 28^th round of encryption, a random nibble fault is induced in the S-box of GIFT. The wrong ciphertext $C_{28}^{\ast }$ is obtained and the differential operation with the correct ciphertext in the 28^th round is performed to obtain the differential error ciphertext:

   $$\begin{equation*} \Delta C_{28}^{\ast } =C_{28} \oplus C_{28}^{\ast }\tag{15}\end{equation*}$$ View Source\begin{equation*} \Delta C_{28}^{\ast } =C_{28} \oplus C_{28}^{\ast }\tag{15}\end{equation*}

   Import a fault in the first nibble on the left side $x^{15}_{28}$ of Group 1 as an example, and output the differential result in the form of ($\Delta c_{15,28}^{\ast }$ , 0, 0, 0, $\Delta c_{11,28}^{\ast }$ , 0, 0, 0, $\Delta c_{7,28}^{\ast }$ , 0, 0, 0, $\Delta c_{3,28}^{\ast }$ , 0, 0, 0).

3. Through the correct ciphertext and the wrong ciphertext, find the fault S-box, and differential output:

   $$\begin{equation*} \Delta Y_{28} =P^{-1}(\Delta C_{28}^{\ast })\tag{16}\end{equation*}$$ View Source\begin{equation*} \Delta Y_{28} =P^{-1}(\Delta C_{28}^{\ast })\tag{16}\end{equation*}

4. Because it is a fault attack on the input of the first S-box, $\Delta Y_{28}$ has only one non-zero nibble $\Delta y_{28}^{15}$ . List the S-box differential equation:

   $$\begin{equation*} \Delta y_{28}^{15} =S(x_{28}^{15})\oplus S(x_{28}^{15} \oplus \Delta x_{28}^{15})\tag{17}\end{equation*}$$ View Source\begin{equation*} \Delta y_{28}^{15} =S(x_{28}^{15})\oplus S(x_{28}^{15} \oplus \Delta x_{28}^{15})\tag{17}\end{equation*}

   $\Delta x_{28}^{15}$ has 2⁴ = 16 possible values, and then 16 values are exhausted and solve the values of $x_{28}^{15}$ , which satisfy (17). Furthermore, store the calculated $x_{28}^{15}$ in a set M₂.

5. According to the analysis of the S-box property of GIFT(Table 8), there may be more than one matching result, so attack steps (2)~(4) will be continuously repeated until set M₂ to reserve only one nibble, which is the correct $x_{28}^{15}$ .

6. Repeat (2)~(5), and attack the other three nibbles in Group 1 in the same way to get other 4-bit input differential value of S-box $x_{28}^{14},x_{28}^{13}$ and $x_{28}^{12}$ .

7. Repeat (2)~(6), and attack other nibbles in Group 2, Group 3 and Group 4 in turn to until the 64-bit input differential value of S-box $\Delta X_{28}$ is recovered.

8. Through the following formula, round key $K_{28}$ is obtained.

   $$\begin{equation*} K_{28} =P(S(\Delta X_{28}))\oplus C_{28}\tag{18}\end{equation*}$$ View Source\begin{equation*} K_{28} =P(S(\Delta X_{28}))\oplus C_{28}\tag{18}\end{equation*}

9. Similarly, DFA on GIFT in the 27^th, 26^th and 25^th rounds, and steps (2)~(8) are repeated to recover the keys $K_{27}$ , $K_{26}$ and $K_{25}$ .

10. Based on the recovered four successive rounds of key $K_{25}$ , $K_{26}$ , $K_{27}$ and $K_{28}$ , the GIFT original 128-bit key is rolled out.