Fault Analysis on a New Block Cipher DBlock with at Most Two Fault Injections
Abstract
DBlock is a new family of block ciphers proposed by Wu et al. in Science China in 2015, consisting of three variants: DBlock-128/192/256. DBlock-n employs a 20-round Feistel-type structure with an n-bit block size and an n-bit key size. We propose the first fault analysis on DBlock and show that no more than 2 pairs of correct/faulty ciphertexts are needed to retrieve the master key. In the attack, a byte-oriented fault is injected in round 16, and three properties, namely the differential distribution of the S-box, the bijective nature of the linear function, and the Feistel-type key schedule, are fully utilized to distinguish between correct and wrong keys. A fault position guessing strategy based on known intermediates is adopted, which efficiently extends the known-fault attack to the random fault model. The experimental results show that, with one pair of ciphertexts, an 11.820-bit exhaustive search is needed on average to derive the whole 128-bit key. With 2 pairs of ciphertexts, the unique key can be determined within 6.5 minutes.