SoK: On DFA Vulnerabilities of Substitution-Permutation Networks

Mustafa Khairallah, Xiaolu Hou, Zakaria Najm, Jakub Breier, Shivam Bhasin, Thomas Peyrin

Research output: Chapter in Book/Conference proceedings/Edited volume; Conference contribution; Scientific; peer-reviewed


Recently, NIST launched a competition for lightweight cryptography, and a large number of ciphers are expected to be studied and analyzed under this competition. Apart from classical security, the candidates are expected to be analyzed against physical attacks. Differential Fault Analysis (DFA) is an invasive physical attack method for recovering key information from cipher implementations. To date, almost all block ciphers have been shown to be vulnerable to DFA, following similar attack patterns. However, so far researchers have mostly focused on particular ciphers rather than cipher families, resulting in works that reuse the same idea for different ciphers. In this article, we aim to bridge this gap by providing a generic DFA attack method targeting Substitution-Permutation Network (SPN) based families of symmetric block ciphers. We provide an overview of the state of the art of fault attacks on SPNs, followed by generalized conditions that hold on all the ciphers of this design family. We show that for any SPN, as long as the fault mask injected before a non-linear layer in the last round follows a non-uniform distribution, the key search space can always be reduced. This shows that it is not possible to design an SPN-based cipher that is completely secure against DFA without randomization. Furthermore, we propose a novel approach to find good fault masks that can leak the key with a small number of instances. We then develop a tool, called the Joint Difference Distribution Table (JDDT), for pre-computing the solutions to the fault equations, which allows us to recover the last round key with a very small number of pairs of faulty and non-faulty ciphertexts. We evaluate our methodology on various block ciphers, including PRESENT-80, PRESENT-128, GIFT-64, GIFT-128, AES-128, LED-64, LED-128, SKINNY-64-64, SKINNY-128-128, PRIDE and PRINCE. The developed technique would allow automated DFA analysis of several candidates in the NIST competition.
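The claim in the abstract (a non-uniform fault mask before the last-round S-box always shrinks the key space, a uniform one does not) can be checked on a single nibble. The following is an added example, not the paper's JDDT tool: it assumes a toy last round in which one ciphertext nibble is c = S[x] ^ k for the public PRESENT S-box S, and a fault turns x into x ^ din before the S-box. The functions, names and sample values are constructed for illustration; the metric `expected_candidates` is a way an evaluator can rank fault masks by how much they leak.

```python
# Added example, not from the paper: one-nibble DFA candidate counting on the PRESENT S-box.
# Toy last round assumed: c = S[x] ^ k, and a fault before the S-box gives c' = S[x ^ din] ^ k.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]          # PRESENT S-box (public specification)
SBOX_INV = [SBOX.index(y) for y in range(16)]

def build_ddt(sbox):
    """ddt[din][dout] = list of inputs x with sbox[x] ^ sbox[x ^ din] == dout."""
    n = len(sbox)
    ddt = [[[] for _ in range(n)] for _ in range(n)]
    for din in range(n):
        for x in range(n):
            ddt[din][sbox[x] ^ sbox[x ^ din]].append(x)
    return ddt

DDT = build_ddt(SBOX)

def key_candidates(c, c_faulty, masks):
    """Key nibbles k consistent with the pair (c, c') when the fault mask before the
    S-box is only known to lie in `masks` (a set of non-zero input differences)."""
    return {k for k in range(16)
            if SBOX_INV[c ^ k] ^ SBOX_INV[c_faulty ^ k] in masks}

def intersect_candidates(pairs, masks):
    """Intersect the candidate sets over several (c, c') pairs."""
    cands = set(range(16))
    for c, cf in pairs:
        cands &= key_candidates(c, cf, masks)
    return cands

def expected_candidates(din):
    """Average number of keys left after one pair for a fixed known mask din and uniform x.
    The more non-uniform the DDT row for din, the smaller this is; 16 would mean no leakage."""
    return sum(len(bucket) ** 2 for bucket in DDT[din]) / 16

def fault_pair(k, x, din):
    """Constructed observation: correct and faulty ciphertext nibble under secret k."""
    return SBOX[x] ^ k, SBOX[x ^ din] ^ k

if __name__ == "__main__":
    k = 0x7                                               # constructed secret nibble
    # Known fixed mask 0x8: two pairs already pin down the key nibble.
    pairs = [fault_pair(k, x, 0x8) for x in (0x2, 0x3)]
    print(intersect_candidates(pairs, {0x8}))             # {7}
    # Mask 0x1 leaks less: k and k ^ 5 stay indistinguishable however many pairs are used.
    pairs = [fault_pair(k, x, 0x1) for x in range(0, 16, 2)]
    print(intersect_candidates(pairs, {0x1}))             # {2, 7}
    # Uniformly random, unknown mask: every key stays consistent with every pair.
    print(len(intersect_candidates(pairs, set(range(1, 16)))))  # 16
```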

Original language: English
Title of host publication: AsiaCCS 2019
Subtitle of host publication: Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security
Place of Publication: New York
Publisher: Association for Computing Machinery (ACM)
Number of pages: 12
ISBN (Electronic): 978-1-4503-6752-3
Publication status: Published - 2019
Event: 2019 ACM Asia Conference on Computer and Communications Security, AsiaCCS 2019 - Auckland, New Zealand
Duration: 9 Jul 2019 - 12 Jul 2019

Conference: 2019 ACM Asia Conference on Computer and Communications Security, AsiaCCS 2019
Country: New Zealand


  • differential fault analysis
  • Fault attack
  • Substitution-permutation network
