Jean-Max Dutertre

When clocks fail: on critical paths and clock faults

Whilst clock fault attacks are known to be a serious security threat, an in-depth explanation of such faults still seems to be put in order. This work provides a theoretical analysis, backed by practical experiments, explaining when and how clock faults occur. Understanding and modeling the chain of events following a transient clock alteration allows to accurately predict faulty circuit behavior. A prediction fully confirmed by injecting variable-duration faults at predetermined clock cycles. We illustrate the process by successfully attacking an fpga aes implementation using a dll-based fpga platform (one-bit fault attack).

Electromagnetic Transient Faults Injection on a Hardware and a Software Implementations of AES

This paper considers the use of electromagnetic pulses (EMP) to inject transient faults into the calculations of a hardware and a software AES. A pulse generator and a 500 um-diameter magnetic coil were used to inject the localized EMP disturbances without any physical contact with the target. EMP injections were performed against a software AES running on a CPU, and a hardware AES (with and without countermeasure) embedded in a FPGA. The purpose of this work was twofold: (a) reporting actual faults injection induced by EMPs in our targets and describing their main properties, (b) explaining the coupling mechanism between the antenna used to produce the EMP and the targeted circuit, which causes the faults. The obtained results revealed a localized effect of the EMP since the injected faults were found dependent on the spatial position of the antenna on top of the circuits surface. The assumption that EMP faults are related to the violation of the targets timing constraints was also studied and ascertained thanks to the use of a countermeasure based on monitoring such timing violations.

Fault Model Analysis of Laser-Induced Faults in SRAM Memory Cells

The use of a laser to inject faults into SRAM memory cells is well known. However, the corresponding fault model is often unknown or misunderstood: the induced faults may be described as bit-flip or bit-set/reset faults. We have investigated in this paper whether the bit-set/reset fault model or bit-flip fault model may be encountered in SRAMs. First, the fault model of a standalone SRAM was considered. Experiments revealed that the relevant fault model was the bit-set/reset. This result was further investigated through electrical simulations based on the use of an electrical model of MOS transistors under laser illumination. Then, fault injections have been performed on the RAM memory of a micro-controller to check the validity of the previous results based on experiments and simulations.

How to flip a bit

This note describes laser fault experiments on an 8-bit 0.35μm microcontroller with no countermeasures. We show that reproducible single-bit faults, often considered unfeasible, can be obtained by careful beam-size and shot-instant tuning.

Efficiency of a glitch detector against electromagnetic fault injection

The use of electromagnetic glitches has recently emerged as an effective fault injection technique for the purpose of conducting physical attacks against integrated circuits. First research works have shown that electromagnetic faults are induced by timing constraint violations and that they are also located in the vicinity of the injection probe. This paper reports the study of the efficiency of a glitch detector against EM injection. This detector was originally designed to detect any attempt of inducing timing violations by means of clock or power glitches. Because electromagnetic disturbances are more local than global, the use of a single detector proved to be inefficient. Our subsequent investigation of the use of several detectors to obtain a full fault detection coverage is reported, it also provides further insights into the properties of electromagnetic injection and into the key role played by the injection probe.

Frontside laser fault injection on cryptosystems - Application to the AES' last round -

Laser fault injection through the front side (and consequently the metal-flls) of an IC is often performed with medium or small laser beams for the purpose of injecting bytewise faults. We have investigated in this paper the properties of fault injection with a larger laser beam (in the 100/im range). We have also checked whether the bit-set (or bit-reset) fault type still holds or whether the bit-fip fault type may be encountered. Laser injection experiments were performed during the last round of the Advanced Encryption Standard (AES) algorithm running on an ASIC. The gathered data allowed to investigate the obtained fault models, to conduct two usual Differencial Fault Attack (DFA) schemes and to propose a simple version of a third DFA.

A side-channel and fault-attack resistant AES circuit working on duplicated complemented values

Cryptographic circuits can be subjected to several kinds of side-channel and fault attacks in order to extract the secret key. Side-channel attacks can be carried by measuring either the power consumed or the EM waves emitted by the cryptographic module and trying to find a correlation between the given side-channel and the data manipulated [1]. Concerning fault attacks, in the case of differential fault attacks (DFA) [2], a cryptographic calculation is corrupted in such a way as to retrieve information about the secret key. Faults can be induced by different means such as lasers, voltage glitches, electromagnetic perturbations or clock skews. Several counter-measures, like in [3], have been separately proposed to tackle either kind of attack. In this paper, we describe the implementation of an AES chip where duplicated and complemented data paths provide resistance against both side-channel and fault attacks.

Building the electrical model of the pulsed photoelectric laser stimulation of an NMOS transistor in 90nm technology

This paper presents measurements of pulsed photoelectrical laser stimulation of an NMOS transistor in 90nm technology. The laser power was able to trig the NPN parasitic bipolar Drain/Psubstrate/Source. An electrical model is proposed in order to simulate effects induced by the laser. Results extracted from the electrical simulator are compared to measurements.

A DFA on AES Based on the Entropy of Error Distributions

Differential fault analysis (DFA) techniques have been widely studied during the past decade. To our best knowledge, most DFA techniques on the Advanced Encryption Standard (AES) either impose strong constraints on the fault injection process or require numerous faults in order to recover the secret key. This article presents a simple methodology based on information theory which allows to adapt the number of required faults for the analysis to the fault injection process. With this technique, the constraints on the fault model to recover the last round key are considerably lowered. Additionally, entropy is proposed as a tool to apprehend the most complex fault models in DFA. A practical realization and simulations are presented to illustrate our methodology.

Electromagnetic glitch on the AES round counter

This article presents a Round Addition Analysis on a software implementation of the Advanced Encryption Standard (aes) algorithm. The round keys are computed on-the-fly during each encryption. A non-invasive transient fault injection is achieved on the aes round counter. The attack is performed by injecting a very short electromagnetic glitch on a 32-bit microcontroller based on the arm Cortex-M3 processor. Using this experimental setup, we are able to disrupt the round counter increment at the end of the penultimate round and execute one additional round. This faulty execution enables us to recover the encryption key with only two pairs of corresponding correct and faulty ciphertexts.