Skip to main content

The differential fault analysis on block cipher FeW


Feather weight (FeW) cipher is a lightweight block cipher proposed by Kumar et al. in 2019, which takes 64 bits plaintext as input and produces 64 bits ciphertext. As Kumar et al. said, FeW is a software oriented design with the aim of achieving high efficiency in software based environments. It seems that FeW is immune to many cryptographic attacks, like linear, impossible differential, differential and zero correlation attacks. However, in recent work, Xie et al. reassessed the security of FeW. More precisely, they proved that under the differential fault analysis (DFA) on the encryption states, an attacker can completely recover the master secret key. In this paper, we revisit the block cipher FeW and consider the DFA on its key schedule algorithm, which is rather popular cryptanalysis for kinds of block ciphers. In particular, by respectively injected faults into the 30th and 29th round subkeys, one can recover about 55/80 ≈ 69% bits of master key. Then the brute force searching remaining bits, one can obtain the full master secret key. The simulations and experiment results show that our analysis is practical.


Modern cryptographic techniques, including encryption (Wang et al. 2022) and digital signature schemes (Bruinderink and Pessl 2018), are often needed in modern computer networks to guarantee the confidentiality of transmitted messages and authenticity of communication parties. However, many computational efforts caused by the algorithms in cryptographic schemes may be prohibitive for many practical resource-constrained devices (Sadhukhan et al. 2017). For example, in smart transport system, internet of medical things, etc., many devices only have battery life and thus are sensitive to energy consumption. In these cases, the design of cryptographic algorithms should be lightweight. This is also the reason why lightweight cryptography has emerged as a vast research direction. In fact, when the famous Rijndael was selected as Advanced Encryption Standard (AES), there was also a need for lightweight ciphers for specific applications (Zhang et al. 2019). Since then, many lightweight cryptographic algorithms, such as LBlock (Wang et al. 2019), PRESENT (Cnudde and Nikova 2017), GIFT (Xie et al. 2021), Espresso (Bathe et al. 2021), KLEIN (Xiao and Wang 2022), et al., were successively proposed. Inspired by these block ciphers, many researchers intend to design new and more efficient schemes.

FeW cipher, which is a software-oriented design with the aim of achieving high efficiency in software-based environments, was proposed by Kumar et al. (2019). In FeW, the plaintext and ciphertext lengths are both 64 bits, but the key size is 80 or 128 bits. Hence, we call them FeW-80 and FeW-128, respectively. In fact, in FeW, Kumar et al. used a mix Feistel and generalized Feistel structures to enhance its security against several basic cryptographic attacks like differential, linear, impossible differential as well as zero correlation attacks. In addition, the key schedule of FeW is designed in a similar way as PRESENT, which has been chosen as the lightweight encryption standard by International Organisation of Standardisation (ISO).

In fact, after designing FeW, Kumar et al. evaluated its security against differential cryptanalysis, impossible differential cryptanalysis, linear cryptanalysis, zero correlation cryptanalysis, and related key cryptanalysis. However, they ignored the differential fault analysis (DFA), which is a quite effective attack to lightweight block ciphers. In fact, DFA is a kind of side-channel attacks, which uses some induced errors to disturb the actual implementation of devices when they are running the encryption or decryption algorithms. The classical ways of inducing faults includes voltage variation, glitch, lazer, etc. (Kim 2012). How to physically induce faults is out of scope of this paper. By analyzing the input–output differentials of S-box as well as the correct/faulty ciphertexts, one can greatly reduce the size of key space. Then the brute force searching can help to find out the true key. Many facts show that DFA is not only effective to block ciphers, but also fatal to many public key cryptographic systems and stream ciphers (Deng and Luo 2021).

In 2020, Xie et al. discussed the DFA security of FeW in the single byte random fault model (Xie et al. 2020). More specifically, they introduced the single byte random fault on the encryption state of FeW and then analyzed the key recovery based on the input–output differentials as well as statistical characteristics of S-box. From their experiment results, one can know that the complete recoveries of master secret keys need an average 47 and 79 fault injections for the two versions of FeW. Moreover, if 210 exhaustive searching is considered for their attack, then the needed numbers of fault injections can be further reduced to 24 and 41, respectively, which shows that the DFA on encryption states of FeW is very effective.

Note that, the encryption algorithm and the key schedule algorithm are both embedded into the hardware devices. Then the random fault injection (of side channel attack) may also occur in the key schedule part. Therefore, considering the DFA on key schedule of block cipher is also necessary. In fact, many important works just discussed this for many famous block ciphers, like AES (Takahashi and Fukunaga 2007), ITUbee (Fu et al. 2017), LBlock (Wei et al. 2018), KLEIN (Gong et al. 2011) et al. Generally speaking, the induced faults can affect the current and subsequent round subkeys, which will further change the encryption states. Hence, the study of DFA on key schedule becomes more complicated than that of encryption state. Then a natural and interesting question arises: If the DFA occurs in the process of key schedule of FeW, then what will happen? In other words, whether FeW is still secure when the attacker launches the fault injections into the key schedule of FeW?

In this paper, we give a positive answer to this question. In particular, for the first time, we consider the DFA on the key schedule of the block cipher FeW. According to the key schedule of FeW, the faulty bits of the previous round subkey will quickly spread to the following keys and encryption states. Thus, we can only analyze the short-key version of FeW: FeW-80, in which we can mix the differential analysis and brute force searching techniques to recover the master secret key. But for Few-128, we do not know how to obtain the master key because the exhaustive searching is still infeasible after the differential analysis. Here, we leave it as an interesting open problem. Hence, we only focus on the discussions about the DFA on the key schedule of FeW-80. Our contributions can be concluded as follows.

  • For the first time, we discuss the DFA security of FeW-80 when the random nibble faults are injected into the process of key schedule. In other words, our analysis is in the random nibble model and each fault is induced by half-byte.

  • Our differential analysis combines the partial recovery of the master key with brute force searching. More concretely, after injecting faults into the 30th and 29th round subkeys, one can easily recover 55 bits of master secret key. For the remaining 25 bits (of master secret key), we can find out them by exhaustive searching all the possible values.

  • Finally, we simulate the encryption, decryption and key schedule processes. The experiment results show that our DFA on FeW’s key schedule is practical.

Related works In EUROCRYPT’97, Boneh et al. first considered the faulty analysis on the famous RSA signature (Boneh et al. 1997). At the same time, Biham and Shamir proposed the notion of DFA (Biham and Shamir 1997), which combines fault analysis with differential attack simultaneously, and applied it to DES (Data Encryption Standard). In addition, they also suggested that, in general, the DFA may occur in any process of encryption devices, which naturally includes encryption states as well as the generation of round subkeys. In the following work, Ali et al. discussed the DFA on AES’ key schedule algorithm and also showed that their attack is the most efficient (Ali et al. 2013). In 2018, Shibayama et al. analyzed the security of 12 rounds FeW, which has the complexity of 263 (Shibayama et al. 2018). Aayush and Girish also presented the security analysis of FeW based on machine learning approach, which involves using artificial neural network to find the inherited biases present in the design of FeW (Aayush and Girish 2018).

Organizations The rest of this paper is organized as follows. First, we present the symbols and explanations for next parts in Table 1, and in "Review of FeW" section, we review the algorithms of the lightweight cipher FeW. In "Proposed DFA on the key schedule of FeW" section, we propose our DFA on FeW, which introduces the basic principle of DFA on key schedule, the recoveries of round subkeys and master secret key. In "Simulations and discussions" section, we will give the simulations and discussions on the practical FeW block cipher. Finally, conclusions of this paper are given in "Conclusions" section.

Table 1 Symbols and explanations

Review of FeW

In this section, we review the construction of FeW, including the algorithms of encryption and decryption as well as key schedule. In FeW, the plaintext length equals to 64-bit, and the ciphertext with the same size is generated based on 80/128 bits key. The total encryption round is 32. The design of FeW is based on the general Feistel structure, which needs fewer computations than SPN structure (used in AES), since only half of the input block is processed through round function in each round.

Encryption algorithm

First, the encryption algorithm parses the 64-bit plaintext P into two 32-bit strings P0 and P1. For the right-hand string P1, it will first become the left-hand one in the next round. Then its XOR with the round key RK0 will be given to the F-function, whose output is XORed with the left-hand string P0. The result is set as the right-hand string of the next round. After 32 round transformations, the output of encryption algorithm is just the ciphertext of P, which has the same length (i.e. 64 bits) with P. The overall structure of FeW is presented in Fig. 1.

Fig. 1
figure 1

The overall structure of FeW encryption process

The round function F takes 32-bit string \(X_{i}^{R}\) and round key \(RK_{i}\) as inputs, and outputs a 32-bit string. That is

$$F:\{ 0,1\}^{32} \times \{ 0,1\}^{32} \to \{ 0,1\}^{32} .$$

Now, we describe its inner structure in detail. In fact, it includes a permutation \(P\), 8 parallel S-box and two linearly diffuse function \(L_{1}\) and \(L_{2}\). The permutation P and S-box S are given as follows (see Table 2 and 3).

Table 2 The permutation P appeared in encryption process of FeW
Table 3 The S-box S appeared in encryption process of FeW

The remaining linear functions \(L_{1}\) and \(L_{2}\) are from {0, 1}16 to {0, 1}16, and given by the following two equations.

$$L_{1} (x) = x \oplus (x < < < 1) \oplus (x < < < 5) \oplus (x < < < 9) \oplus (x < < < 12),$$
$$L_{2} (x) = x \oplus (x < < < 4) \oplus (x < < < 7) \oplus (x < < < 11) \oplus (x < < < 15).$$

For 32-bit input Y, the calculation of F is presented in Fig. 2.

Fig. 2
figure 2

The F-function of FeW

Decryption algorithm

Since FeW is a balance design with Feistel structure, the decryption algorithm does not need the inversion of round function. In fact, each round subkey is used in the reverse order to obtain the last plaintext. More precisely, for a given 64-bit ciphertext C, which contains two halves C0 and C1. Perform the following steps.

  1. 1.

    First apply the round function on the right half C1 and the round key RK31, and XOR it with C0 to set the string C2. That is

    $$C_{2} = C_{0} \oplus F(C_{1} \oplus RK_{31} ).$$
  2. 2.

    Circularly perform step (1) (using the corresponding round key RKi) to get the last string C32 and C33.

  3. 3.

    Finally, swap the two strings C32, C33 to obtain the 64-bit plaintext P0||P1 = C33||C32.

The correctness of the decryption process can be easily checked.

Key schedule algorithm

This algorithm is used to generate round subkeys for each round from the 80-bit master secret key MK. Parse MK as 80 bits:

$$MK = k_{0} k_{{1}} k_{{2}} \ldots k_{{{78}}} k_{{{79}}} .$$

Then the round subkey RKi is computed according to the following Algorithm 1.

figure a

Next, we take the last three round subkeys as examples to show the relationship of their bits. More precisely, assume that

$$MK_{{{58}}} = k_{0} k_{{1}} k_{{2}} \ldots k_{{{79}}} .$$

Then it naturally holds that

$$K_{{{58}}} = k_{0} k_{{1}} k_{{2}} \ldots k_{{{15}}} ,$$


$$MK_{{{59}}} = S\left[ {k_{{{13}}} k_{{{14}}} k_{{{15}}} k_{{{16}}} } \right]k_{{{17}}} k_{{{18}}} \ldots k_{{{76}}} S[k_{{{77}}} k_{{{78}}} k_{{{79}}} k_{0} ]([k_{{1}} k_{{2}} k_{{3}} k_{{4}} k_{{5}} k_{{6}} k_{{7}} k_{{8}} ] \oplus [59]_{{2}} )S\left[ {k_{{9}} k_{{{1}0}} k_{{{11}}} k_{{{12}}} } \right].$$

Hence, we have

$$RK_{{{29}}} = K_{{{58}}} \left| {\left| {K_{{{59}}} = k_{0} k_{{1}} k_{{2}} \ldots k_{{{15}}} } \right|} \right|S\left[ {k_{{{13}}} k_{{{14}}} k_{{{15}}} k_{{{16}}} } \right]k_{{{17}}} k_{{{18}}} \ldots k_{{{28}}} .$$

Similarly, we can calculate the round subkeys RK30 and RK31, which equal to

$$S(k_{{{26}}} k_{{{27}}} k_{{{28}}} k_{{{29}}} )k_{{{3}0}} k_{{{31}}} \ldots k_{{{41}}} ||S(k_{{{39}}} k_{{{4}0}} k_{{{41}}} k_{{{42}}} )k_{{{43}}} k_{{{44}}} \ldots k_{{{54}}} ,$$


$$S(k_{{{52}}} k_{{{53}}} k_{{{54}}} k_{{{55}}} )k_{{{56}}} k_{{{57}}} \ldots k_{{{67}}} ||S(k_{{{65}}} k_{{{66}}} k_{{{67}}} k_{{{68}}} )k_{{{69}}} k_{{{7}0}} \ldots k_{{{76}}} S(k_{{{77}}} k_{{{78}}} k_{{{79}}} k_{0} ),$$


Obviously, the two round subkeys RK30 and RK31 contain 55 bits of master secret key. Hence, there are at least 25 bits (of master secret key) that cannot be recovered by computing RK30 and RK31.

Proposed DFA on the key schedule of FeW

In this section, we describe the DFA on the key schedule of FeW. First, we would like to give the basic principle of DFA on block cipher. Then, present how to apply it to the concrete process of FeW and how to recover the master secret key based on the induced differential faults.

Basic principle of DFA

Since the S-box is the non-linear part of block cipher, the input–output differentials can be used to recover the secret key if the input contains its information. The basic principle is as follows. Let S be an S-box of some block cipher, whose input is the XOR of previous round output and the round key. Figure 3 shows one such example. More concretely, assume that in is the output of previous round and RK is the round subkey. If one fault is injected into the state in or key RK, which causes an input-difference \(\alpha\), then the output of S-box will also have a difference \(\beta\). Now, if the value \(in \oplus RK\) is replaced by X, then we can easily obtain the following equation.

$$S(X \oplus \alpha ) \oplus S(X) = \beta .$$
Fig. 3
figure 3

Difference across S-box of block cipher

According to the property of S-box of FeW (see Table 3), we know that, for a pair fix and known value \((\alpha ,\beta )\), the above Eq. (1) has 0, 2 or 4 possible solutions for X. Since X is the XOR of in and RK, one can easily get the possible solutions for round key RK if in is known. Finally, other induced faults can be used to find out the true round subkey RK, which is further to be used to recover the master secret key.

Recovery of the last round subkey

In this subsection, we first discuss the recovery of the last round subkey RK31 by inducing fault on the generation of RK30 in the key schedule algorithm. In fact, we have the following two basic assumptions on the fault model.

Assumption 1

The attacker is allowed to choose any plaintext and get the correct/faulty ciphertexts. That is, this attack is the so-called chosen plaintext attack (CPA).

Assumption 2

The adversary is allowed to induce nibble fault(s) in the process of generating the round keys. But the fault-value induced in some position is unknown.

Now, we first assume that the fault is injected into first nibble of RK30, which causes the differential p. The process of fault propagation is presented in Fig. 4. More specifically, after going through the S-box and L1-function, the fault will become four “new” ones p1, p2, p3, p4, which will affect the left half of \(X_{31}^{R} .\) Then the four differentials are reserved to the left half \(X_{32}^{L}\) and affect all the nibbles of the right half \(X_{32}^{R}\) the final ciphertext.

Fig. 4
figure 4

The fault propagation process on \(RK_{30}^{0}\)

Next, we introduce how to obtain partial round subkey based on these differentials. In fact, this analysis mainly focuses on the final round of encryption process. For the ith S-box Si, denote by \(in_{i}\) and \(in_{i}^{*}\) its correct and faulty input, respectively. Then its correct/faulty output (of the S-box) is denoted by \(out_{i} {/}out_{i}^{*}\). Define

$$out_{i} \oplus out_{i}^{*} = y_{4i} y_{4i + 1} y_{4i + 2} y_{4i + 3} .$$

Moreover, we can easily know that

$$p_{1} = in_{0} \oplus in_{0}^{*} = X_{32,0}^{L} \oplus X_{32,0}^{L,*} ,$$
$$p_{2} = in_{1} \oplus in_{1}^{*} = X_{32,1}^{L} \oplus X_{32,1}^{L,*} .$$

From Fig. 4, we know that

$$\begin{aligned} & p_{1}^{\prime } ||p_{2}^{\prime } ||p_{3}^{\prime } ||p_{4}^{\prime } = L_{1} (out_{0} ||out_{1} ||out_{2} ||out_{3} ) \oplus L_{1} (out_{0}^{*} ||out_{1}^{*} ||out_{2} ||out_{3} ) \\ & \quad = L_{1} (out_{0} \oplus out_{0}^{*} ||out_{1} \oplus out_{1}^{*} ||00000000) \\ & \quad = L_{1} (y_{0} y_{1} y_{2} y_{3} y_{4} y_{5} y_{6} y_{7} 00000000) \\ & \quad = (y_{0} y_{1} y_{2} y_{3} y_{4} y_{5} y_{6} y_{7} 00000000) \oplus (y_{1} y_{2} y_{3} y_{4} y_{5} y_{6} y_{7} 00000000y_{0} ) \\ & \quad \quad \oplus (y_{5} y_{6} y_{7} 00000000y_{0} y_{1} y_{2} y_{3} y_{4} ) \oplus (0000000y_{0} y_{1} y_{2} y_{3} y_{4} y_{5} y_{6} y_{7} 0) \\ & \quad \quad \oplus 0000y_{0} y_{1} y_{2} y_{3} y_{4} y_{5} y_{6} y_{7} 0000) \\ & \quad = (y_{0} \oplus y_{1} \oplus y_{5} )||(y_{1} \oplus y_{2} \oplus y_{6} )|| \cdots ||(y_{0} \oplus y_{4} ). \\ \end{aligned}$$

For \(1 \le i \le 4,\) define \(p_{i}^{\prime }\) as the bit-form: \(p_{i,1}^{\prime } ||p_{i,2}^{\prime } ||p_{i,3}^{\prime } ||p_{i,4}^{\prime } .\) Then from Eq. (4), we obtain the following equations.

$$\left\{ {\begin{array}{*{20}l} {y_{0} = p_{1,4}^{\prime } \oplus p^{\prime}_{4,3} \oplus p^{\prime}_{3,4} ,} \hfill \\ {y_{1} = p^{\prime}_{3,1} \oplus p^{\prime}_{1,4} \oplus p^{\prime}_{4,3} \oplus p^{\prime}_{4,4} \oplus p^{\prime}_{3,4} ,} \hfill \\ {y_{2} = p^{\prime}_{4,2} \oplus p^{\prime}_{3,3} \oplus p^{\prime}_{4,3} \oplus p^{\prime}_{4,4} \oplus p^{\prime}_{3,4} ,} \hfill \\ {y_{3} = p^{\prime}_{4,3} \oplus p^{\prime}_{4,4} \oplus p^{\prime}_{3,4} ,} \hfill \\ {y_{4} = p^{\prime}_{1,4} \oplus p^{\prime}_{4,3} \oplus p^{\prime}_{4,4} \oplus p^{\prime}_{3,4} ,} \hfill \\ {y_{5} = p^{\prime}_{3,2} \oplus p^{\prime}_{4,2} \oplus p^{\prime}_{3,3} \oplus p^{\prime}_{4,3} \oplus p^{\prime}_{4,4} \oplus p^{\prime}_{3,4} ,} \hfill \\ {y_{6} = p^{\prime}_{3,3} \oplus p^{\prime}_{4,3} \oplus p^{\prime}_{4,4} \oplus p^{\prime}_{3,4} ,} \hfill \\ {y_{7} = p^{\prime}_{4,4} \oplus p^{\prime}_{3,4} .} \hfill \\ \end{array} } \right.$$

As a result, we can compute and obtain the eight bits \(y_{0} ,y_{1} , \ldots ,y_{7} ,\) which are just the bits in \(out_{0} \oplus out_{0}^{*}\) and \(out_{1} \oplus out_{1}^{*} .\) Therefore, we can get the output differentials of the two S-boxes S0 and S1.

Finally, according to the correspondences of the input–output differentials (i.e. Table 4), we can obtain the candidate values for the inputs \(in_{0}\) and \(in_{1}\), which can be used to recover the 1st byte of RK31 (i.e. \(RK_{31}^{0} ||RK_{31}^{1}\)). Similar analysis on the S-boxes S6 and S7 can be made to get the candidate value of the 2nd byte in the round key RK31 (i.e.\(RK_{31}^{2} ||RK_{31}^{3}\)). The pseudorandom code of recovering the tuple \((RK_{31}^{0} ,RK_{31}^{1} )\) is given in the following Algorithm 2.

Table 4 The correspondences of input–output differentials for S-Box of FeW
figure b

In addition, we can also similarly analyze the process of fault propagation if the fault is injected into other nibbles of the round subkey \(RK_{30}\). In fact, the analysis processes on the nibbles \(RK_{30}^{0} ,RK_{30}^{1} , \ldots ,RK_{30}^{6}\) are same, which are different from that of the last nibble \(RK_{30}^{7}\). The reason is as follows. If the fault occurs on \(RK_{30}^{7}\), then it will affect the “correctness” of last round subkey \(RK_{31}^{0}\). That is, the induced differential \(p\) on \(RK_{30}^{7}\) leads to the new differential \(p^{\prime}\) on \(RK_{31}^{0}\) (see Fig. 5). As a result, the input differential of the S-box \(S_{0}\) becomes \(p_{1} + p^{\prime}\), which makes the analysis on the L1 function more difficulty. Nevertheless, it does not affect the analysis on the last two S-boxes \(S_{6} ,S_{7}\), and thus we can still get the candidate values for the two nibbles \(RK_{31}^{2} ,RK_{31}^{3}\) by analyzing their input–output differentials.

Fig. 5
figure 5

The fault propagation process on \(RK_{30}^{7}\)

The above discusses on the recovery of the last round subkey are listed in the following Table 5.

Table 5 The discussions on the recovery of the last round subkey

Recovery of the round subkey RK30

In this subsection, we discuss how to further recover the round subkey RK30 based on the above recovery of RK31. Now, we need to induce fault into the generation of round subkey RK29 in the key schedule. More precisely, for the 8 nibbles in RK29, we consider the differentials induced by the faults and their propagations. A typical case on the fault propagation is described in Fig. 6, in which the fault is induced into the round subkey \(RK_{29}^{1}\). Here, we remark that the induced fault does not affect the next two round subkeys RK30 and RK31.

Fig. 6
figure 6

The fault propagation process on \(RK_{29}^{1}\)

Now, based on the recovered round subkey RK31, we can decrypt the correct and faulty ciphertexts to obtain the states X31, \(X_{31}^{*}\) after the 31 rounds encryptions. Performing similar analysis as in "Recovery of the last round subkey" section, one can easily get the candidate values of the nibbles \(RK_{30}^{0} ,RK_{30}^{1} ,RK_{30}^{2} ,RK_{30}^{3}\) in RK30. If the faults are induced into other nibbles (of RK29), such as \(RK_{29}^{2} ,RK_{29}^{3} , \ldots ,RK_{29}^{7}\), then the analysis process is also similar.

Next, we further analyze the remaining case. That is, the injected fault occurs in the first nibble of RK29. Still assume that the induced differential is p, which is parsed into \(p = b||\overline{p}\). Here, b is its first bit. According to the two possible values of b, we divide our analysis into the following two cases.

  • Case 0. If b = 0, then decrypt the final ciphertexts with the help of the recovered last round subkey RK31.

  • Case 1. If b = 1, then define the last nibble of RK31 as \(S\left( {k_{77} k_{78} k_{79} (k_{0} \oplus 1)} \right)\) and decrypt the final ciphertexts by using the updated round subkey RK31.

The decrypted states (under the round subkey RK31) will be used to further analyze the recovery of the round subkey RK30 by using previous steps.

Finally, we explain why our above analysis will give correct recovery of the round subkey RK30. According to the key schedule of FeW, the last nibble of RK31 equals to S(k77k78k79k0) if the first nibble of RK29 is k0k1k2k3. If b = 0, then the induced differential p does not affect the last round subkey RK31, which can be used to correctly decrypt the final ciphertexts to obtain the states of the 31 round encryptions. If b = 1, then the induce differential p changes the bit k0 into \(k_{0} \oplus 1\), which will also appear in the last round subkey RK31. Thus, the last round subkey, which will be used to recover the inner states of encryption process, needs to be updated according to the induced differential.

The above discusses on the recovery of the round subkey RK30 are listed in the following Table 6.

Table 6 The discussions on the recovery of round subkey RK30

Recovery of the master key

According to the key schedule, we can easily know that the master key can be recovered from any intermediate key state MKi, which consists of 29 bits of RK31, 26 bits of RK30, and 25 bits of RK29. If we can recover all the bits of RK31 and RK30 from the above discussions, then the remaining 25 bits can be obtained by brute force searching, whose time complexity is 225. In addition, we remark that, in the process of recovering the round subkey RK30, the two cases on the first bit of induced differential p increases the total complexity from 225 to 226. Therefore, by inducing several nibble faults into the key schedule of FeW, one can finally recover the master key based on the differential analysis on RK31 and RK30, as well as the brute force searching. The total time complexity equals to 226, which is much lower than the original 280.

Simulations and discussions

In this section, we present the simulations and discussions on the differential fault attack on FeW. Specifically, we will choose a fix plaintext “0×1234567890ABCDEF” and several randomly master secret keys, and compute the ciphertexts under these keys. Then by simulating the fault-injections into the 29th and 30th round subkeys, we get the corresponding faulty ciphertexts. Based on the correct and faulty ciphertext, one can recover the round subkeys RK31 and RK30, respectively. Finally, the remaining unknown bits of master secret key is found out by brute force searching. The concrete simulation process is given as follows.

  • Step 1. Randomly choose a master secret key and compute the round subkeys according to key schedule.

  • Step 2. Generate the correct ciphertexts under the master secret key.

  • Step 3. Simulate the fault-injection into RK30 and obtain faulty ciphertexts.

  • Step 4. Search the candidate values for the nibbles of RK31.

  • Step 5. Simulate the fault-injection into RK29 and obtain faulty ciphertexts.

  • Step 6. Search the candidate values for the nibbles of RK30.

  • Step 7. Exhaustive search the remaining bits (of MK29) by re-encrypting and decrypting.

  • Step 8. Compute the master secret key by reversing the key schedule of FeW.


The whole simulation of FeW, including the encryption and decryption algorithms, is in the C programming language and based on a desktop with the configuration of Intel(R) Core (TM) i5-10210U CPU @1.60 GHz and 16 GB RAM. We simulate the DFA process 10 times to get significant data. Since their final results are similar, we only show five typical examples in the following Table 7, which presents the number of needed faults and their running time of recovering master secret key. Here, we remark that the factors including the positions of induced faults, the input–output differentials of S-box, and the particular master secret key, can affect the simulation results. Therefore, in each simulation, the needed number of faults may be different from other ones.

Table 7 Five typical examples

From the above simulation, one can easily know that our proposed differential fault attack, which reduces the key space from 280 to 226, is a rather practical attack for the block cipher FeW. In average, the recoveries of the two round subkeys RK31 and RK30 need 12.6 induced faults, and the exhaustive searching time for the remaining bits needs 5.3 min.

Finally, we remark that the value 226 is the lower bound of our proposed DFA on FeW. We explain it as follows. According to our attack, the two models of induced faults can only be used to recover the last two round subkeys, which contain 55 bits of master secret key, although the faults also affect the round subkey RK29. But we do not know how to recover the remaining bits based on the existing differentials. A natural idea is to induced additional faults into the previous round subkey RK28, which may descend the lower bound by recovering additional bits of RK29. However, this will make the analysis much complicated. The reason is as follows. The induced differentials on RK28 will also affect the bits of RK31. But the quantitative differentials on RK31 cannot be calculated. As a result, only from correct/faulty ciphertexts, one cannot decrypt them with the help of “faulty” round subkey RK31.


In this subsection, we present the comparison with Xie et al.’s work (Xie et al. 2020) since it also consider the DFA on the same FeW algorithm. As we discussed in Introduction, the main difference between them lies in that Xie et al.’s work induces single byte random faults on the encryption state while our paper considers the random nibble faults on the key schedule. The concrete comparisons are listed in the following Table 8.

Table 8 The comparisons with Xie et al.’s work

Here, we remark that this table only gives the average numbers of needed faults for both works.


Differential fault analysis is a popular side channel attack to block cipher. In this paper, we apply the DFA to the lightweight block cipher FeW. More specifically, in the nibble model, we consider the DFA to the key schedule of FeW-80. By inducing faults into the 30th and 29th round subkeys, and analyzing the input–output differentials of S-box, one can easily obtain the candidate values for the nibbles of RK31 and RK30. Then brute force searching the remaining bits can finally recover the original master secret key. However, it seems that this technique only works for 80 bits FeW. For FeW-128, the only recoveries of last round subkeys seem to be not enough because its key space is too large. Thus, it may be an interesting work to investigate the DFA on key schedule of FeW-128. Finally, the proposed simulations show that our proposed attack is rather practical for FeW-80.

Availability of data and materials

Not applicable.


  • Aayush J, Girish M (2018) Analysis of lightweight block cipher FeW on the basis of neural network. In: Harmony search and nature inspired optimization algorithms. Springer, Berlin, pp 1041–1047

  • Ali S, Mukhopadhyay D, Tunstall M (2013) Differential fault analysis of AES: towards reaching its limits. J Cryptogr Eng 3:73–97

    Article  Google Scholar 

  • Bathe B, Tiwari S, Anand R, et al (2021) Differential fault attack on Espresso. In: INDOCRYPT’21. Springer, Berlin, pp 271–286

  • Biham E, Shamir A (1997) Differential fault analysis of secret key cryptosystem. In: Proceedings of CRYPTO, pp 513–525

  • Boneh D, Demillo R, Lipton R (1997) On the importance of checking cryptographic protocols for faults. In: EUROCRYP’97. Springer, Berlin, pp 37–51

  • Bruinderink L, Pessl P (2018) Differential fault attacks on deterministic lattice signatures. In: eprint IACR’2018, vol 335, pp 1–25

  • Cnudde T, Nikova S (2017) Securing the PRESENT block cipher against combined side-channel analysis and fault attack. IEEE Trans Very Large Scale Integrat Syst 25:3291–3301

    Article  Google Scholar 

  • Deng Y, Luo H (2021) A distributed identity authentication scheme for differential fault attack. In: ICCT’21. IEEE, pp 731–735

  • Fu S, Xu G, Pan J, Wang Z, Wang A (2017) Differential fault attack on ITUbee block cipher. ACM Trans Embedded Comput Syst 16(2):1–10

    Article  Google Scholar 

  • Gong Z, Nikova S, Law Y (2011) KLEIN: a new family of lightweight block ciphers. In: RFIDSec’11. Amherst, USA, pp 1–18

  • Kim C (2012) Improved differential fault analysis on AES key schedule. IEEE Trans Inf Forensics Secur 7(1):41–50

    Article  Google Scholar 

  • Kumar M, Pal S, Panigrahi A (2019) FeW: a lightweight block cipher. Turk J Math Comput Sci 11(2):73–58

    Google Scholar 

  • Sadhukhan R, Patranabis S, Ghoshal A et al (2017) An evaluation of lightweight block ciphers for resource-constrained applications: area, performance, and security. J Hardw Syst Secur 4:1–16

    Google Scholar 

  • Shibayama N, Igarashi Y, Kaneko T (2018) A new higher order differential of FeW. In: CANDARW, LoS Alamitos, pp 466–471

  • Takahashi J, Fukunaga T (2007) DFA mechanism on the AES key schedule. In: FDTC’07. IEEE Computer Society, pp 62–74

  • Wang H, Feng L, Ji Y, Shao B, Xue R (2022) Toward usable cloud storage auditing, revisited. IEEE Syst J 16(1):693–700

    Article  Google Scholar 

  • Wang T, Wang Y, Gao Y et al (2019) Differential fault attack on lightweight block cipher LBlock. J Cryptol Res 6(1):18–26

    Google Scholar 

  • Wei Y, Rong Y, Fan C (2018) Differential fault attacks on lightweight cipher LBlock. Fundam Inform 157(1–2):125–139

    Article  MathSciNet  Google Scholar 

  • Xiao H, Wang L (2022) The differential fault analysis on block cipher KLEIN-96. J Inf Secur Appl 67:103205

    Google Scholar 

  • Xie M, Li J, Tian F (2020) Differential fault attack on FeW. J Commun 41(4):143–149

    Google Scholar 

  • Xie M, Tian F, Li J (2021) Differential fault attack on GIFT. Chin J Electron 30(4):669–675

    Article  Google Scholar 

  • Zhang J, Wu N, Li J (2019) A novel differential fault analysis using two bytes fault model on AES key schedule. IET Circut Dev Syst 13(5):661–666

    Article  Google Scholar 

Download references


The authors would like thank the anonymous reviewers for their invaluable suggestions and comments.


This work is supported in part by the Foundation of State Key Laboratory of Information Security under Grant 2021-MS-04, and in part by the Natural Science Foundation of Shaanxi Province under grant 2022-JM-365.

Author information

Authors and Affiliations



HX and LW proposed the DFA on FeW and implemented the algorithms proposed in this paper. JC participated in problem discussions and improvements of the manuscript. All authors read and approved the final manuscript.

Corresponding author

Correspondence to Jinyong Chang.

Ethics declarations

Ethics approval and consent to participate

Ethics approval was not required for this research.

Competing interests

Authors declare that they have no competing interests.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Xiao, H., Wang, L. & Chang, J. The differential fault analysis on block cipher FeW. Cybersecurity 5, 28 (2022).

Download citation

  • Received:

  • Accepted:

  • Published:

  • DOI: