Differential Fault Attack on KASUMI Cipher Used in GSM

The confidentiality of GSM cellular telephony depends on the security of A5 family of cryptosystems. As an algorithm in this family survived from cryptanalysis, A5/3 is based on the block cipher KASUMI. This paper describes a novel differential fault attack on KAUSMI with a 64-bit key. Taking advantage of some mathematical observations on the FL, FO functions, and key schedule, only one 16-bit word fault is required to recover all information of the 64-bit key. The time complexity is only 2 encryptions. We have practically simulated the attack on a PCwhich takes only a fewminutes to recover all the key bits.The simulation also experimentally verifies the correctness and complexity.


Introduction
These years witness the rapid development of computer and network communication.The requirement of privacy and authentication in open access environment promote the developments of cryptography as well.Various cryptosystems have been proposed as well as some new studies [1,2].Fast encryption method can be used in real-time communications [3,4].GSM (Global System for Mobile Communications) is a widely used real-time communication system which is also the stander for mobile telephony.The confidentiality of GSM depends on the security of A5 family of cryptosystems.The first two members of this family, A5/1 and A5/2, are stream ciphers which were designed 20 years ago in an opaque process and were kept secret until they were reverse engineered in 1999 [5].Since then, many cryptanalytic results on these two ciphers have been proposed.It becomes clear that A5/2 provides almost no security and A5/1 is too weak to prevent adversary from eavesdropping on GSM conversations [6,7].Even emulating a mobile phone to make calls and send text messages is possible [8,9].
In response to these attacks, GSM association has vowed to switch to the much more secure A5/3 cipher since 2010.A5/3 is a cryptosystem based on block cipher KASUMI [10], which has eight Feistel rounds with a 64-bit block size.KASUMI accepts 128-bit key in the specification, but the key length needs to be reduced in some cases.In practice, A5/3 cryptosystem supports a 64∼128-bit session key.We denote KASUMI with 64-bit key by KASUMI-64 and A5/3 with 64bit session key by A5/3-64, respectively.
Lots of attacks on variants of KASUMI have been proposed in the past years with a variety of techniques [11][12][13][14].Among them, Jia et al. give a result on KASUMI-64 with only 1152 chosen plaintexts and a time complexity of 2 62.75 encryptions.Dunkelman et al. also show that they could derive the complete 128-bit key with data complexity of 2 26 , 2 32 encryptions, and 2 30 bytes of memory under the related key setting [12].
Differential attack was proposed by Biham and Shamir to analyze DES [15].This powerful method has been successfully applied to evaluate cryptosystems and ciphers in subsequent works [16][17][18].Combined with side channel attack and engineering, differential fault analysis (DFA) is a wellknown threat to cryptographic devices.Utilizing differential information between correct and faulty ciphertexts, DFA recovers key efficiently.Fault is injected by giving external 2 Mathematical Problems in Engineering impact on a device with voltage variation, glitch, laser, and so forth.Since the first DFA on DES proposed by Biham and Shamir [19], this technique has been successfully applied to many other block ciphers, for example, AES [20][21][22][23], CLEFIA [24,25], SM4 [26], and ARIA [27].
In 2011, Jeong et al. proposed the first fault injection attack on A5/3-64 [28].Their attack is based on the fault assumption in [29], which assumes that the implementation of a symmetric cipher in the PIC assembly language has the following format: In this paper, a novel DFA on KASUMI with a 64-bit key is proposed.The method is also applicable to A5/3-64.Based on some mathematical observations on the FL, FO functions, and the key schedule, we show that only one 16-bit word fault is enough to perform an efficient key recovery with 2 32 encryptions.We highlight that the attack is practical.The attacking procedure is simulated on a PC where the correct key is recovered in a few minutes.The simulation experimentally verifies the correctness and complexity.Compared with the attack proposed by Kitae Jeong, our method is more flexible and has lower time complexity.
The remainder of the paper is organized as follows.Section 2 gives a brief description of KASUMI.Section 3 shows some important observations useful to our DFA method.The detailed attack procedure is described in Section 4. In Section 5, we show some simulation results.Finally, we conclude this paper in Section 6.

Description of KASUMI
As depicted in Figure 1, KASUMI is a Feistel structure with 8 rounds.It works on a 64-bit block and uses a 128-bit key.Each round is made up of an FL function and an FO function.The order of the two functions depends on the round number: in odd numbered rounds the FL function precedes the FO function, whereas in even numbered rounds the FO function precedes the FL function.
FL is a simple key-dependent Boolean function, which accepts  as well as round key  as input and output  (Figure 1(d))., , and  are all 32-bit words which can be divided into two halves.We denote the most significant half by subscript  and the other by subscript .Subscript  is used to denote the th round.Then the inputs of the FL function of the th round are   =  , ‖  , ,   = ( ,1 ,  ,2 ) and the output is   =  , ‖  , ("‖" is the concatenating operation).FL is defined as follows: where the "∧" and "∨" denote bitwise AND and OR, respectively." ⋘ " implies that  rotates left by  bits.As shown in Figure 1(b), the FO function is a three-round Feistel structure which consists of three FI functions and key adding stages.A 96-bit round key enters FO function in each round (48 subkey bits  used in FI and 48 subkey bits  in the key adding stage).The FI function is another four-round Feistel structure that uses two nonlinear S-boxes S7 and S9 (where S7 is a 7-bit to 7-bit permutation and S9 is a 9-bit to 9-bit permutation).We define half of FI function as FI, which is a 16-bit to 16-bit permutation.The structure of FI and FI is illustrated in Figure 1(c).
The key schedule of KASUMI is very simple.More precisely, a 128-bit key is divided into 16-bit words: ( 1 ,  2 , . . .,  8 ).Round keys are linearly derived from these eight key words (see Table 1).Since the key length needs to be reduced in some cases, the key words should be cyclically repeated to fill 128 bits.The eight key words of KASUMI-64, in particular, are listed as follows: ( 1 ,  2 ,  3 ,  4 ,  1 ,  2 ,  3 ,  4 ).

Some Observations of KASUMI
In this section, several observations of KASUMI are given, which are bases of our DFA.
Observation 1 (see [30]).Let ,   be -bit values, and Δ =  ⊕   .Then there are two difference properties of ADD and OR operations, such that (2) Observation 2. Given the output difference Δ = Δ  ‖ Δ  and the key value  = ( 1 ,  2 ) of FL function, the corresponding input difference can be calculated by This observation is deduced from Observation 1 and the definition of the FL function easily.Observation 3.For both S7 and S9, let (⋅) be the S-box and consider the following equation: where  and  are randomly given input and output difference correspondingly.On average, there is a solution .
Actually, for both S7 and S9, the number of solution of (4) could only be 0 and 2. The probabilities of each case are both 1/2.This property could be verified by traversing every value  under any possible  and .So on average, for a randomly given pair of  and , only one solution is found.In practice, we build a look-up table indexed by  and  to help us solve this kind of equation.
Observation 4. Given an input difference Δ and an output difference Δ of FI, one could deduce the possible input and output values.On average, there is one input value matching the difference.FI is made up of an S7 and an S9.From Δ and Δ, we calculate the input and output difference of both S7 and S9.Thus, this observation is derived from Observation 3 normally.
Observation 5. Given an input difference Δ and an output difference Δ under random key  of the FI function, there are possible input and output values.On average, only one input value can be found under .
Given the input difference Δ and the output difference Δ, traverse all input values V, and leave those that satisfy the following equation: Then the possible input values are deduced.As there are 2 16 output differences in total, for any V, the equation holds with probability 1/2 16 .Noting that there are also 2 16 different Vs, one could find 2 16 × 1/2 16 = 1 possible input value on average.

DFA on KASUMI
In this section, we describe the DFA on KASUMI in detail, including fault model, attack procedure, and complexity analysis.

Fault Model and Basic Assumption.
As the computing unit of FO and FL function is 16-bit word, the basic storage cell of KASUMI is usually double bytes.So we assume that an attacker can induce a fault to a selected state making a 16-bit word corrupted.The location of the corrupted word may be known.For example, Fukunaga and Takahashi showed that they could control the location of a corrupted byte in [31].Even if the attacker does not know which word is corrupted, he can repeat injecting until the target 16-bit word corrupted.
The assumption is generic and reasonable for devices in which the intermediate values of the encryption are stored.

General Idea.
Only four 16-bit key words are used in KASUMI-64.The general idea is to reduce the number of key candidates by fault injection.More precisely, injecting a 16-bit word fault to the output of the last but one round and making the most of the correct and faulty ciphertexts, the 64-bit key is determined by 32 bits.The possible key space is reduced from 2 64 to 2 32 .Then the correct key can be obtained through exhaustive search.

Attacking Procedure and Complexity Analysis.
For better understanding of our method, some notifications are introduced.As illustrated in Figure 2,  and  are the inputs of the last round and   and   are the ciphertexts.We denote the inputs of FI  and FL by  FI  and  FL , respectively.The corresponding outputs are denoted by  FI  and  FL ., , and  stand for the intermediate states as shown in Figure 2. Δ is used to define the difference between the correct and faulty values of a state.Now the attack procedures are described as follows.
Step 1 (obtain the correct and faulty ciphertexts).For a randomly chosen plaintext, obtain the corresponding ciphertext under the unknown key.For the same plaintext, inject a 16bit word fault to the position as shown in Figure 2, so that the left 16-bit word of  is corrupted.Store the faulty ciphertext.
Noting that  =   , the corrupted value is known.
Step 2 (guess  2 and  4 and deduce Δ FI 1 ).The injected fault does not affect the value of .So we have Δ = 0 and Δ FL = Δ  .For any guesses of  2 and  4 , as presented in Observation 2, Δ FL as well as Δ are deduced.As only the left 16-bit word of  is corrupted, we have Δ = 0. Thus the input and output differences of FI 2 are both 0. Because Δ FI 1 is determined by the guessing of  2 and  4 .
Step 3 (match the input and output difference of FI 1 and calculate  1 ).From the key schedule of KASUMI, we can see that, in the last round,   4 is used as  1 .However,  4 has been guessed in Step 2. Hence for FI 1 , the input and output differences as well as  1 are all determined.As shown in Observation 5, there is a value  FI 1 matching the input and output difference on average.Since  =   and ( 1 ⋘ 5) =   ⊕  FI 1 , the possible  1 s are calculated.
Step 4 (deduce the correct and corrupted inputs of FI 3 , and determine  3 ). 1 ,  2 , and  4 have been guessed or deduced in the above steps.So the correct and corrupted inputs of FI 3 are known.As shown in Figure 3,  is only affected by the input value of FI 3 .So  is calculated and the input difference of the FI is deduced.Note that the output difference of FI is known by Δ FL which has been calculated in Step 2. Through Observation 4, the possible input value  FI is known.So  3 is obtained by  3 =  FI ⊕ .Indeed,  3 is   3 in the last round.Thus  3 is also determined.Until now, all the information of key is determined by the guessing of  2 and  4 .
Step 5 (verify the correctness of the guessed key).Encrypt the plaintext with the key obtained in the above steps and check the correctness.If the key is not right, go back to Step 2 with another guess of  2 and  4 .
We will order the above description in Algorithm 1 where a look-up table indexed by the output difference of FI 1 is established before the guessing of  2 to reduce the computing complexity.To evaluate the complexity of Algorithm 1, we count the number of KASUMI encryptions.As we do checking operation for 2 16+16 = 2 32 times on average, the computing complexity is 2 32 encryptions.The memory requirement is 2 17 bytes since a table containing 2 16 16-bit words should be stored.

Simulation Results
We simulate our DFA on KASUMI-64 with a random key for 1000 times.Each time is denoted as a sample.For each sample, the correct key can be recovered within a few minutes.The number of checking operations for every sample is illustrated in Figure 4.All the numbers are around 2 32 and the correctness and complexity of our method are verified in practice.

Conclusion
This paper describes a DFA attack on KASUMI-64 which is the base of A5/3 cryptosystem used in GSM telephony.We show that only one 16-bit word fault is enough to perform a successful key recovery attack.More impressively, both the computing and memory complexity are practical and the secret key can be recovered in a few minutes.The correctness and complexity are further verified by the simulation results.We emphasize that when applying KASUMI-64, the last two rounds should be specially designed to protect against fault injection.This paper also demonstrates the efficiency

Figure 1 :
Figure 1: The structure and building blocks of block cipher KASUMI.

Figure 2 :
Figure 2: DFA on KASUMI.(Red lines are affected by the fault while the blues are not.)

Figure 3 :
Figure 3: FI 3 in the last round.

Table 1 :
The key schedule of KASUMI.