An improved differential fault analysis on Camellia

The S-box lookup is an important operation in block cipher design, and is also an effective part to prevent traditional linear and differential attacks, however, when the physical implementation of the algorithm is considered, it becomes the weakest part of cryptosystems. This paper studies fault attacks on block ciphers with S-box, and presents an improved differential fault analysis method on Camellia. Firstly, it summarizes the differential fault analysis on block cipher with S-box into computing the S-box input and output differential problem, and presents a basic differential fault analysis model and then evolves it into two models for SPN and Feistel structure block ciphers. Secondly, it proposes an improved differential fault analysis method on Camellia, makes the attack complexity analysis, and then verifies it through software simulation. Experiments demonstrate: due to its reversible permutation function and Feistel structure, Camellia is vulnerable to deep differential fault analysis, 16 and 24 faulty ciphertexts are enough to retrieve Camellia-128 and Camellia-192/256 key effectively. Finally, the contradictions between traditional cryptography and implementation attacks are analyzed, the state of the art and future directions of the fault attacks on Block ciphers are discussed.