SIMON系列轻量级分组密码故障立方攻击

针对SIMON密码按位与&运算特性以及现有立方攻击与故障攻击的不足，给出一种故障立方攻击方法.根据线性和二次多项式数量确定候选故障注入轮；利用差分特征表确定故障注入的具体位置；利用离线阶段求得的大量低次多项式，恢复部分轮密钥，并结合密钥猜测攻击恢复全轮密钥.结果表明：对SIMON32/64进行故障立方攻击，需要平均注入故障69次，计算复杂度为247.91，优于现有立方攻击；相比于差分故障攻击，采用故障立方攻击方法确定故障位置更有效，故障模型更易实现，且整个攻击过程具有自动化程度高的特点.该方法可为核心运算次数较低的轻量级分组密码提供借鉴.
Abstract: A fault-cube method was given aiming at the special property of And operation (&) in SIMON and the problem in previous cube attack and fault attack. The round-candidates for fault injection were identified according to the number of linear and quadratic equations. Positions for fault injection were determined by using a difference-characteristics table. Some round-keys were recovered by extracting low-degree equations during the off-line phase. Then, the entire round-keys were obtained with combination of guess-and-determine attack. The experimental results show that the attack on SIMON32/64 needs 69 fault injections on average and requires a compute complexity of 247.91, which is better than the previous cube attack. Compared to differential fault attack, the fault-cube method is more effective in determining fault positions. Moreover, using the fault model is easier to realize and the attack process is of high automation. The fault-cube method will provide some ideas on other lightweight block ciphers with low-degree core operations as well.