Thesis information

Chinese title: 轻量级认证加密算法的结合差分故障分析的密钥恢复攻击研究 (Research on Key Recovery Attacks Combining Differential Fault Analysis on Lightweight Authenticated Encryption Algorithms)
Name: 江家煜
Student ID: 20011210580
Confidentiality level: Public
Thesis language: chi (Chinese)
Discipline code: 110505
Discipline name: Military Science - Military Command Science - Cryptography
Student type: Master's
Degree: Master of Military Science
University: Xidian University (西安电子科技大学)
School: School of Telecommunications Engineering (通信工程学院)
Major: Military Command Science
Research direction: Cryptography
First supervisor: 谢敏
First supervisor's institution: Xidian University (西安电子科技大学)
Completion date: 2023-03-31
Defence date: 2023-05-25
English title: Key Recovery Attack Combining Differential Fault Analysis on Lightweight Authenticated Encryption Algorithms
Chinese keywords: 认证加密算法; 轻量级分组密码; 差分故障分析; LBlock-s算法; LAC算法; SKINNY算法; ForkAE算法 (authenticated encryption algorithm; lightweight block cipher; differential fault analysis; LBlock-s; LAC; SKINNY; ForkAE)
English keywords: Authenticated encryption algorithm; Lightweight block cipher; Differential fault analysis; LBlock-s; LAC; SKINNY; ForkAE

Chinese abstract (translated):

In Internet of Things (IoT) application scenarios, lightweight authenticated encryption is needed to achieve secure communication between tiny devices and to guarantee both the confidentiality and the integrity of information. Lightweight authenticated encryption algorithms built on lightweight block ciphers provide adequate security while keeping power consumption low and implementation efficiency high, which makes them well suited to such resource-constrained environments. To prevent an authenticated encryption algorithm from leaking its key in practical use, the algorithm and its underlying primitive must be cryptanalysed. Differential fault analysis is a common cryptanalytic method: faults are induced in the hardware device so that the algorithm's computation goes wrong and produces a faulty ciphertext, and the difference between the faulty and the correct ciphertext is then used to recover the key. To examine the effect of differential fault analysis on key recovery for authenticated encryption algorithms and to assess their security accurately, this thesis mounts key recovery attacks combining differential fault analysis against LAC and ForkAE, two lightweight authenticated encryption algorithms of different structures that are based on lightweight block ciphers. The main results are as follows:

LAC, an authenticated encryption with associated data algorithm of cascade (serial) structure designed on the lightweight block cipher LBlock-s, is studied. By examining the structure of LAC's underlying primitive LBlock-s, this thesis finds that after a fault is injected into a single nibble of the left half of the input to round 28, the possible values of 9 round-key nibbles in total can be obtained. Using this observation, the thesis proposes for the first time four differential fault analyses of LBlock-s under the random nibble fault model: faults are injected repeatedly at several positions in the left half of the round-28 input, values that cannot be uniquely determined are exhaustively searched to varying degrees, and finally the whole 64-bit master key is deduced through the key schedule. The complexities of the four attacks are, respectively: 5.55 fault injections on average and 2^20 exhaustive trials; 2 fault injections and 2^43.79 exhaustive trials on average; 7.93 fault injections on average and 2^8 exhaustive trials; 3 fault injections and 2^35.76 exhaustive trials on average. Building on this low-complexity differential fault analysis of LBlock-s, the thesis proposes the first key recovery attack on LAC. By applying differential fault analysis to LAC's tag generation phase, the initial key can in theory be recovered with 1 query to the correct encryptor, 3 queries to the fault-injected encryptor and 2^35.76 queries on average to the authenticator.

ForkAE, an authenticated encryption with associated data algorithm of parallel structure designed on the lightweight block cipher family SKINNY and the forkcipher construction, is studied. By examining the structure of the SKINNY family, ForkAE's underlying primitive, this thesis finds that, for every member of the family, after a fault is injected into row 0 of any column of the state matrix before the MixColumns operation of any round, the possible values of 4 round-key nibbles in total can be obtained; by repeating the fault injection and collecting information at several positions, one round key can be recovered. For SKINNY-n-n and SKINNY-n-2n, the master key can be recovered through the key schedule once a single round key is known; for SKINNY-n-3n, an additional attack on the fifth-from-last round is needed to gather enough information to recover the master key. Based on these observations, the thesis gives a differential fault analysis applicable to all SKINNY variants, with the following results: for SKINNY-64-64 and SKINNY-64-128, 9.84 random nibble fault injections in theory recover the whole 64-bit master key; for SKINNY-128-128 and SKINNY-128-256, 12.76 random byte fault injections in theory recover the whole 128-bit master key; for SKINNY-64-192 and SKINNY-128-384, 19.68 random nibble fault injections and 25.52 random byte fault injections, respectively, recover their full master keys. The number of fault injections required by this method is the lowest among currently known attacks. Building on this differential fault analysis of SKINNY, the thesis proposes a key recovery attack on ForkAE: in theory, only 1 query to the correct encryptor and 1 query to the fault-injected encryptor involving 20 fault injections are needed to recover ForkAE's initial key.

To verify the effectiveness of the differential fault analyses, simulated attack experiments were run on LBlock-s, SKINNY-64-128 and SKINNY-128-256. The experimental results agree with the theoretical analysis, confirming the validity of the proposed differential fault analyses and showing that LBlock-s and the SKINNY family offer weak resistance to differential fault analysis. Both key recovery attacks on the two lightweight authenticated encryption algorithms proposed here require only that the analyst be able to inject faults into the encryptor, a comparatively low privilege requirement. The results show that differential fault analysis can play a positive role in key recovery against authenticated encryption algorithms, and that protecting the software and hardware implementations of authenticated encryption algorithms deserves particular attention in practical deployments.

English abstract:

In order to realize secure communication among micro devices and guarantee both the confidentiality and the integrity of information in Internet of Things application scenarios, lightweight authenticated encryption (AE) is urgently needed. Lightweight AE algorithms based on lightweight block ciphers have low power consumption and high implementation efficiency, which fits the resource-constrained application scenario well. To prevent AE algorithms from leaking their keys in practical applications, it is necessary to conduct cryptanalysis on the AE scheme and its basic primitive. Differential fault analysis (DFA) is a common cryptanalytic method: it induces faults in the hardware device so that errors occur during the encryption computation and an incorrect ciphertext is obtained, and it then uses the differential information between the incorrect ciphertext and the correct ciphertext to recover the key. In order to discuss the impact of DFA on the key recovery of AE algorithms and evaluate the security of AE algorithms accurately, two key recovery attacks combining differential fault analysis on LAC and ForkAE, which are lightweight authenticated encryption algorithms based on lightweight block ciphers with different structures, are given in this thesis. The main results are as follows.


The lightweight AE algorithm LAC, which is a cascade-structure authenticated encryption with associated data (AEAD) scheme built on the lightweight block cipher LBlock-s, is studied in this thesis. By studying the structural characteristics of LBlock-s, it is observed that the possible values of 9 nibbles of the round key in total can be obtained after injecting a fault into a single nibble of the left-half input of the 28th round. On this basis, this thesis proposes, for the first time, four differential fault analyses on LBlock-s under the random nibble fault model. By repeatedly injecting faults at several positions in the left-half input of the 28th round and combining exhaustive search, to varying degrees, over the values that cannot be uniquely determined, the full 64-bit master key can be deduced through the key schedule algorithm. The complexities of the four attack methods are, respectively: 5.55 fault injections on average and 2^20 exhaustive trials; 2 fault injections and 2^43.79 exhaustive trials on average; 7.93 fault injections on average and 2^8 exhaustive trials; 3 fault injections and 2^35.76 exhaustive trials on average. Using the low-complexity DFA on LBlock-s above, a key recovery attack on LAC is given. Through DFA on the tag generation stage of the LAC algorithm, the initial key of LAC can in theory be recovered with a total of 1 query to the encryptor, 3 queries to the fault-injected encryptor and 2^35.76 queries on average to the authenticator.


The lightweight AE algorithm ForkAE, which is a parallel-structure AEAD scheme built on forkciphers and the lightweight block cipher family SKINNY, is studied in this thesis. By studying the structural characteristics of SKINNY, it is observed that, for all algorithms within SKINNY, the possible values of 4 nibbles of the round key in total can be obtained after injecting a fault into the 0th row of any column of the state matrix before the MixColumns operation of any round. By injecting faults repeatedly and obtaining information at multiple locations, one round tweakey can be recovered. For SKINNY-n-n and SKINNY-n-2n, the master key can be deduced through the key schedule algorithm once a single round tweakey is recovered. With an additional attack on the penultimate round, sufficient information can be obtained to recover the master key of SKINNY-n-3n. On this basis, a DFA on all algorithms within SKINNY is given in this thesis. Theoretically, 9.84 random nibble fault injections are needed to recover the full 64-bit master key of SKINNY-64-64 and SKINNY-64-128, and 12.76 random byte fault injections are needed to recover the full 128-bit master key of SKINNY-128-128 and SKINNY-128-256. For SKINNY-64-192 and SKINNY-128-384, the full master key can theoretically be recovered through 19.68 random nibble fault injections and 25.52 random byte fault injections, respectively. The method described in this thesis requires the fewest fault injections among currently known attacks. Using the DFA on SKINNY above, a key recovery attack on ForkAE is given. Theoretically, the initial key of ForkAE can be recovered with 1 query to the encryptor and 1 query, involving 20 fault injections, to the fault-injected encryptor.


To evaluate the complexity of the DFA above, simulated attack experiments are conducted on LBlock-s, SKINNY-64-128 and SKINNY-128-256. The simulation results are consistent with the theoretical analysis, which verifies the effectiveness of the DFA and indicates that these algorithms have weak resistance to DFA. The key recovery attacks on the two lightweight AE algorithms described in this thesis only require the analyst to be able to inject faults into the encryptor, which is a relatively low privilege requirement. The results indicate that differential fault analysis can play a positive role in the key recovery of AE algorithms, and that the protection of software and hardware implementations of AE algorithms needs particular attention in practical applications.
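The attacks summarised in both abstracts rest on one mechanism: a fault injected into a single nibble before a diffusion layer reappears as the same unknown difference at the inputs of several S-boxes, and a candidate round key must explain all of those output differences with one input difference. The Python script below is an added example, not code from the thesis and not an implementation of LBlock-s, SKINNY, LAC or ForkAE; the 4-bit S-box (a textbook one), the four-nibble toy linear layer, the key and the fault values are all constructed for the illustration. It simulates the fault on a toy last round, prunes the last-round key with the consistency check, and also shows the duplicate-and-compare countermeasure the abstract's conclusion calls for, which withholds a ciphertext whenever the two redundant computations disagree.

```python
"""Toy differential fault analysis (DFA) on the last round of a 16-bit,
nibble-oriented toy cipher.  Constructed example: it is NOT LBlock-s, SKINNY,
LAC or ForkAE, only the principle they share.  A single-nibble fault injected
before the diffusion layer shows up as the SAME unknown difference in several
S-box inputs, and that consistency constraint prunes the last-round key."""
from itertools import product

# Constructed 4-bit S-box (a textbook SPN S-box; any bijection would do).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
SINV = [SBOX.index(v) for v in range(16)]

# Constructed demo secret and (state, fault) pairs; the attacker never sees them.
DEMO_KEY = (0x3, 0xA, 0x7, 0xC)
DEMO_FAULTS = [([0x1, 0x2, 0x3, 0x4], 0x5),
               ([0x9, 0x8, 0x7, 0x6], 0xB),
               ([0xF, 0x0, 0xE, 0x1], 0x2)]


def diffuse(x):
    """Toy linear layer: nibble 0 is XORed into every output nibble, so a fault
    delta in x[0] becomes the same difference delta in all four S-box inputs.
    It is invertible (x0 = y0, xi = yi ^ y0), as a real cipher layer must be."""
    return [x[0], x[0] ^ x[1], x[0] ^ x[2], x[0] ^ x[3]]


def last_round(state, key, fault=0):
    """Final round: (optional transient fault on nibble 0) -> diffusion ->
    nibble-wise S-box -> XOR with the 4-nibble last-round key."""
    faulty = [state[0] ^ fault] + list(state[1:])
    y = diffuse(faulty)
    return [SBOX[v] ^ k for v, k in zip(y, key)]


def dfa_candidates(correct, faulty):
    """Attacker's view: from one (correct, faulty) ciphertext pair, return the
    set of last-round keys consistent with SOME nonzero input difference delta
    that is shared by all four S-boxes (the attacker does not know delta)."""
    cands = set()
    for delta in range(1, 16):
        per_nibble = []
        for c, f in zip(correct, faulty):
            # keys for which inverting the S-box on both ciphertexts yields delta
            per_nibble.append([k for k in range(16)
                               if SINV[c ^ k] ^ SINV[f ^ k] == delta])
        cands.update(product(*per_nibble))
    return cands


def recover_key(state_fault_pairs, key):
    """Simulate repeated fault injections (each on a fresh state) and intersect
    the candidate sets; returns the surviving last-round key candidates."""
    survivors = None
    for state, delta in state_fault_pairs:
        c = last_round(state, key)
        f = last_round(state, key, fault=delta)
        cur = dfa_candidates(c, f)
        survivors = cur if survivors is None else survivors & cur
    return survivors


def protected_last_round(state, key, fault=0):
    """Defensive countermeasure: compute twice and compare.  A transient fault
    hitting one copy makes the outputs differ, and the faulty ciphertext is
    withheld (None), so the analyst never obtains a usable pair."""
    out = last_round(state, key, fault=fault)
    ref = last_round(state, key)   # redundant copy, assumed fault-free here
    return out if out == ref else None


if __name__ == "__main__":
    state = DEMO_FAULTS[0][0]
    one = dfa_candidates(last_round(state, DEMO_KEY),
                         last_round(state, DEMO_KEY, fault=DEMO_FAULTS[0][1]))
    print(f"{len(one)} of 65536 keys survive one fault")
    print(f"{len(recover_key(DEMO_FAULTS, DEMO_KEY))} survive three faults")
    print("protected output under fault:",
          protected_last_round(state, DEMO_KEY, fault=0x5))
```

Running the script prints how many of the 65536 possible last-round keys survive one and then three faults; the count falls with each additional injection, which is the same mechanism by which the thesis's analyses narrow the candidate space before any exhaustive search, while the protected variant returns None for every nonzero fault and so never releases the faulty ciphertext that the analysis needs.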

Chinese Library Classification (CLC) number: TN91
Call number: 58335
Open-access date: 2023-12-25