&RONTSIDE ,ASER &AULT )NJECTION ON #RYPTOSYSTEMS
n !PPLICATION TO THE !%3 LAST ROUND n
#YRIL 2OSCIAN∗*EAN-AX $UTERTRE∗ AND !SSIA 4RIA†
∗ %COLE
|
∗† $|EPARTEMENT
3YST{EMES ET !RCHITECTURES 3|ECURIS|EES 3!3
|
.ATIONALE 3UP|ERIEURE DES -INES DE 3AINT%TIENNE
%.3-3% † #%! 4%#( 'ARDANNE &RANCE
{ROSCIAN DUTERTRE} EMSEFR
{ASSIATRIA} CEAFR
!BSTRACT,ASER FAULT INJECTION THROUGH THE FRONT SIDE AND
CONSEQUENTLY THE METALF LLS OF AN )# IS OFTEN PERFORMED WITH
MEDIUM OR SMALL LASER BEAMS FOR THE PURPOSE OF INJECTING
BYTEWISE FAULTS 7E HAVE INVESTIGATED IN THIS PAPER THE PROPERTIES
OF FAULT INJECTION WITH A LARGER LASER BEAM IN THE μM RANGE
7E HAVE ALSO CHECKED WHETHER THE BITSET OR BITRESET FAULT TYPE
STILL HOLDS OR WHETHER THE BITF IP FAULT TYPE MAY BE ENCOUNTERED
,ASER INJECTION EXPERIMENTS WERE PERFORMED DURING THE LAST
ROUND OF THE !DVANCED %NCRYPTION 3TANDARD !%3 ALGORITHM
RUNNING ON AN !3)# 4HE GATHERED DATA ALLOWED TO INVESTIGATE THE
OBTAINED FAULT MODELS TO CONDUCT TWO USUAL $IFFERENCIAL &AULT
!TTACK $&! SCHEMES AND TO PROPOSE A SIMPLE VERSION OF A THIRD
$&! )NDEX 4ERMS$&! LASER FAULT INJECTION FAULT MODEL !%3
OF THE EXPERIMENTAL SETTINGS IE THE USE OF A LARGE LASER SPOT
THROUGH THE FRONT SIDE AND ITS METALF LLS
4HE PAPER IS ORGANIZED AS FOLLOWS 4HE F RST PART IS A
REMINDER OF THE DIFFERENT EFFECTS OF LASER ON SILICON IT EM
PHASIZES ON THE NOTION OF LASERSENSITIVE AREAS AND ALSO GIVES
A DESCRIPTION OF THE FAULT INJECTION PROCESS 4HE LASER SET
UP AND THE DEVICE USED FOR THE TEST ARE DESCRIBED IN THE
SECOND PART FOLLOWED BY THE DISPLAY OF THE EXPERIMENTAL RESULTS
AND THEIR ANALYSIS ABOUT THE OBSERVED FAULT MODEL AND ITS
JUSTIF CATION 4HE THIRD PART REPORTS THE USE OF TWO USUAL $&!
ON THE EXPERIMENTAL RESULTS AND THE SIMPLIF CATION OF A THIRD
$&! TO ENHANCE THE EFF CIENCY &INALLY ALL THESE RESULTS ARE
SUMMARIZED IN THE CONCLUSION WITH SOME PERSPECTIVES
) ) .42/$5#4)/.
3ECURE CIRCUITS ARE PRONE TO A WIDE RANGE OF PHYSICAL
ATTACKS !MONG THEM FAULT ATTACKS &! ARE BASED ON THE
DISTURBANCE OF THE CHIP ENVIRONMENTAL CONDITIONS IN ORDER TO
INDUCE FAULTS INTO ITS COMPUTATIONS &AULT INJECTION MAY BE
ACHIEVED BY USING LASER EXPOSURE ;= ;= VOLTAGE ;= OR CLOCK
GLITCHES ;= ELECTROMAGNETIC PERTURBATION ETC )T EXISTS A VERY
EFF CIENT METHOD CALLED $IFFERENTIAL &AULT !TTACK $&! APPLIED
TO ENCRYPTION ALGORITHMS THAT TAKES ADVANTAGE OF A COMPARISON
BETWEEN CORRECT AND FAULTED CIPHERTEXTS TO RETRIEVE THE SECRET
KEY USED DURING THE CIPHERING PROCESS 4HESE DIFFERENT ATTACK
SCHEMES INVOLVE STRONG CONSTRAINTS ON THE FAULTS LOCATION
RANGE AND INJECTIONTIME .EVERTHELESS LASER INJECTION IS OFTEN
CONSIDERED AS ONE OF THE BEST MEANS TO INJECT FAULTS IN ORDER TO
PERFORM A $&! )NDEED A LASER SOURCE ALLOWS A PRECISE CONTROL
ON REPEATABILITY TIMINGS OF INJECTION THE SHOT INSTANT AND PULSE
DURATION AND FOCALIZATION )T APPEARS AS A SUITABLE TOOL TO MEET
THE CONSTRAINTS OF THE VARIOUS $&! SCHEMES (OWEVER SINCE THE
TECHNOLOGY OF )NTEGRATED #IRCUITS )# IS CONTINUOUSLY EVOLVING
MORE TRANSISTORS ARE INSIDE THE EFFECT AREA OF A GIVEN LASER
BEAM AND MORE METALF LLS ARE REF ECTING IT THIS STATEMENT HAS
TO BE CHECKED
)N THIS PAPER WE STUDIED THE EFFECT OF A LARGE LASER SPOT
TO INJECT FAULTS INTO THE CALCULATIONS OF OUR TARGET AN !3)#
IMPLEMENTING THE !%3 ;= ALGORITHM 7E ALSO ANALYSED THE
EFFECTS OF FRONT SIDE INJECTION ON THE PROPERTIES OF THE INJECTED
FAULTS FAULT TYPE REPEATABILITY FAULT RANGE ETC 4HE OBTAINED
DATA WERE USED TO PERFORM TWO USUAL $&! ;=;= 4HEN WE
SIMPLIF ED AN EXISTING $&! ;= THAT ALLOWED US TO PERFORM THE
ANALYSIS WITH LESS COMPLEXITY 4HIS APPROACH TOOK ADVANTAGE
c
978-1-4799-0601-7/13/$31.00 2013
IEEE
)) &!5,4 ).*%#4)/.
7)4( !
, !3%2 3/52#%
,ASER SHOTS ON )#S WERE F RSTLY USED TO SIMULATE RADIATION
INDUCED FAULTS ;= -ORE RECENTLY THE USE OF A LASER TO INJECT
FAULTS INTO THE COMPUTATIONS OF A SECURE DEVICE WAS INTRODUCED
BY 3 3KOROBOGATOV AND 2 !NDERSON ;= )N THE FOLLOWING
WE F RST REMIND THE MAIN PROPERTIES OF THE PHOTOELECTRIC EFFECT
CREATED BY A LASER PASSING THROUGH SILICON BEFORE DESCRIBING
THE RESULTING FAULT INJECTION PROCESS
! ,ASER EFFECTS ON
)#S
AND CONSEQUENCES
4HE PHOTOELECTRIC EFFECT IS GENERATED BY A LASER BEAM PASSING
THROUGH SILICON PROVIDED THAT ITS PHOTONS ENERGY IS GREATER THAN
THE SILICON BANDGAP ;= 4HIS EFFECT CREATES ELECTRONHOLE PAIRS
ALONG THE LASER PATH 'ENERALLY THESE PAIRS RECOMBINE AND THERE
IS NO NOTICEABLE EFFECT ON THE )#S BEHAVIOUR (OWEVER UNDER
SPECIF C CONDITIONS SOME UNDESIRED EFFECTS MAY APPEAR THE
SOCALLED 3INGLE %VENT %FFECTS 3%%
! 3%% HAPPENS WHEN THE CHARGE CARRIERS IE ELECTRONS
AND HOLES CREATED BY THE LASER BEAM ARE DRIFTED IN OPPOSITE
DIRECTIONS BY THE ELECTRICAL F ELD FOUND IN THE 0.JUNCTIONS OF
#-/3 TRANSISTORS INSTEAD OF RECOMBINING !S A CONSEQUENCE
A TRANSIENT CURRENT IE MOVING CHARGE CARRIERS IS GENERATED
THROUGH THE STRUCK JUNCTION 4HIS PHENOMENON IS DEPICTED
IN THE LEFT PART OF &IG WHERE THE 0.JUNCTION OF AN
.-/3 TRANSISTOR IN ITS hTURNED /&&v STATE IS DRAWN !FTER
THE CREATION OF THE ELECTRONHOLE PAIRS ALONG THE LASER BEAM
TWO PHENOMENA LEAD TO THE CREATION OF THE TRANSIENT CURRENT
THE PROMPT CHARGE COLLECTION OR FUNNELLING AND THE DIFFUSION
4HE F RST PHENOMENON STRETCHES THE DEPLETION REGION HENCE THE
EXTENSION OF THE ELECTRIC F ELD ALONG THE LASER BEAM WITHIN
119
A FEW PICOSECONDS THE CHARGES NEARBY ARE COLLECTED GIVING A
CURRENT PEAK 4HEN IN A SECOND TIME THE REMAINING CHARGES
ARE COLLECTED IN A LONGER DIFFUSING SCHEME THE DIFFUSION 4HE
RIGHT PART OF &IG SHOWS THE TRANSIENT CURRENT ASSOCIATED WITH
THESE TWO PHENOMENA AS GIVEN IN ;=
&IG 0HOTOELECTRIC EFFECT OF A LASER BEAM THROUGH A 0.JUNCTION LEFT
4RANSIENT CURRENT RESULTING FROM CHARGE COLLECTION AFTER A LASER SHOT ;=
RIGTH
)T EXISTS A STRONG ELECTRIC F ELD SUFF CIENT TO CREATE A TRANSIENT
CURRENT AS EXPLAINED ABOVE IN ANY 0.JUNCTION OF THE TRANSIS
TORS USED IN #-/3 LOGIC REGARDLESS OF THEIR STATE IE TURNED
h/.v OR h/&&v (OWEVER SUCH A TRANSIENT CURRENT MAY OR
MAY NOT HAVE AN EFFECT ON THE TARGETS LOGIC SIGNALS DEPENDING
ON BOTH ITS LOCATION AND THE DATA HANDLED BY THE LOGIC 4HESE
DEPENDENCIES ARE USUALLY EXPLAINED BY CONSIDERING THE INVERTER
CASE SEE &IG 6DD
6DD
#LOAD
'ND
&IG 'ND
#LOAD
'ND
'ND
)NVERTERS SCHEMATIC WITH ITS DATADEPENDENT SENSITIVE AREAS
#ONSIDER THE LEFT PART OF &IG WHERE THE INVERTERS INPUT
IS AT A LOW LOGICAL LEVEL ITS 0-/3 TRANSISTOR IS TURNED h/.v
AND ITS .-/3 TRANSISTOR IS TURNED h/&&v (ENCE THE INVERTERS
OUTPUT IS AT A HIGH LOGICAL LEVEL AND ITS OUTPUTS CAPACITIVE LOAD
DOTTED IN &IG IS CHARGED 4HE INVERTER HAS FOUR 0.JUNCTIONS
WHICH ARE LIKELY TO GIVE RISE TO A TRANSIENT CURRENT IF STRUCK
BY A LASER THE DRAINS AND SOURCES OF BOTH 0-/3 AND .-/3
TRANSISTORS .EVERTHELESS ONLY A TRANSIENT CURRENT ORIGINATED IN
THE .-/3 DRAIN WILL RESULT IN A DISTURBANCE OF THE INVERTERS
OUTPUT POINTED OUT BY A F LLED GREY ELLIPSE )N THAT CASE THE
TRANSIENT CURRENT IS F OWING FROM THE DRAIN TO THE SUBSTRATE
WHICH IS GROUNDED AS DRAWN IN THE TOP PART OF &IG (ENCE
THE CAPACITIVE LOAD IS DISCHARGED PROVIDED THAT THE TRANSIENT
CURRENT IS BIG ENOUGH TO OVERCOME A CHARGING CURRENT F OWING
THROUGH THE h/.v 0-/3 TRANSISTOR !S A RESULT THE OUTPUT OF
THE INVERTER PASSES TEMPORARILY TO A LOW LOGICAL LEVEL 7HEN THE
TRANSIENT CURRENT VANISHES THE CAPACITIVE LOAD IS CHARGED AGAIN
VIA THE TURNED h/.v 0-/3 TRANSISTOR 4HUS DUE TO THE TRANSIENT
CURRENT GENERATED IN THE .-/3 DRAIN THE OUTPUT VOLTAGE OF THE
INVERTER UNDERGOES A TRANSIENT VOLTAGE INVERSION 4HIS TRANSIENT
VOLTAGE MAY THEN PROPAGATE THROUGH THE DOWNSTREAM LOGIC A
SOCALLED 3INGLE %VENT 4RANSIENT 3%4 !NY TRANSIENT CURRENT
120
CREATED IN THE .-/3 SOURCE HAS NO EFFECT ON THE OUTPUT
SINCE IT IS ISOLATED FROM THE OUTPUT BY THE TURNED h/&&v
.-/3 2EGARDING THE TRANSIENT CURRENTS CREATED IN THE 0-/3 DIFFUSIONS THEY CREATE A LEAKAGE PATH TO THE .WELL WHICH IS
BIASED AT THE CORE SUPPLY VOLTAGE IE 6DD (ENCE THEY HAVE
NO DISCHARGING EFFECT ON THE OUTPUTS CAPACITIVE LOAD 4O SUM
UP THE ONLY LASER OR 3%% SENSITIVE AREA OF AN INVERTER WHEN
ITS INPUT IS IN A LOW LOGICAL STATE IS THE DRAIN OF THE h/&&v
.-/3 TRANSISTOR
,IKEWISE WHEN CONSIDERING AN INVERTER WITH ITS INPUT AT
HIGH LEVEL RIGHT PART OF &IG A SIMILAR REASONING MAY BE
CONDUCTED )T RESULTS THAT THE ONLY LASER OR 3%% SENSITIVE AREA
OF AN INVERTER WHEN ITS INPUT IS IN A HIGH LOGICAL STATE IS THE
DRAIN OF THE h/&&v 0-/3 UNDERLINED IN GREY
!S A CONCLUSION THE LASER SENSITIVE AREA OF A #-/3 INVERTER
IS THE DRAIN OF THE h/&&v TRANSISTOR WHOSE LOCATION IS CHANGING
WITH THE LOGICAL LEVEL OF THE INVERTERS INPUT )N A MORE GENERAL
WAY THE LASER SENSITIVE AREAS OF #-/3 )#S ARE DATADEPENDENT
4HE OCCURRENCE OF A LASERINDUCED FAULT DEPENDS ON THE HANDLED
DATA
" ,ASER FAULT INJECTION MECHANISM
!S REMINDED IN THE PREVIOUS SECTION THE LASER ILLUMINATION OF
AN )#S SENSITIVE AREA RESULTS IN THE PROPAGATION OF A TRANSIENT
VOLTAGE IN ITS LOGIC 4HIS 3%4 MAY TURN INTO A COMPUTATIONAL
FAULT ACCORDING TWO MECHANISMS
4HE F RST MECHANISM IS ILLUSTRATED IN &IG 4HE 3%4
BECOMES A FAULT AS IT IS LATCHED INTO A REGISTER OR $ F IPF OP
$&& IN PLACE OF THE CORRECT DATA )F IT REACHES THE $&& S INPUT
OUTSIDE ITS LATCHING WINDOW AROUND THE RISING EDGE OF THE
CLOCK THE 3%4 VANISHES WITHOUT ANY EFFECT ON $&&S OUTPUT
VALUE AND THEN ON THE TARGETS CALCULATIONS DENOTED 1st CASE
IN &IG /N THE CONTRARY IF IT REACHES THE $&&S INPUT DURING
THE LATCHING WINDOW IT IS LATCHED A FAULT IS ACTUALLY INJECTED
DENOTED 2nd CASE IN &IG AND CHANGE THE $&&S OUTPUT VALUE
ST
#ASE
ND
#ASE
#,+
$
,OGIC
1
$&&
CLOCK
&IG $
1
&AULT INJECTION MECHANISM DUE TO A
3%4
4HE SECOND MECHANISM HAPPENS WHEN THE 3%4 IS GENERATED
INSIDE A $&& OR AN 32!- 4HESE MEMORY ELEMENTS ARE INDEED
MADE OF CROSSCOUPLED INVERTERS !S A CONSEQUENCE THE 3%4
WILL PROPAGATE FROM THE STRUCK INVERTERS OUTPUT TO ITS OWN INPUT
BY PASSING THROUGH THE CROSSCOUPLED INVERTER !S A RESULT
THE MEMORISED DATA IS INVERTED A FAULT IS INJECTED 4HIS FAULT
INJECTION MECHANISM IS CALLED A 3INGLE %VENT 5PSET 3%5
&AULT INJECTION ACCORDING THESE TWO MECHANISMS IS ALSO
TIMEDEPENDENT 4HIS STATEMENT IS OBVIOUS REGARDING THE PROP
AGATION OF AN 3%4 AS EXEMPLIF ED IN &IG ! SIMILAR BEHAVIOUR
TAKES PLACE FOR 3%5S 4HE RESULTING FALSE DATA WHICH IS
STORED IN A $&& HAS TO PROPAGATE AND TO INDUCE AT LEAST ONE
2013 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST)
MISCALCULATION IN THE LOGIC 4HEN IT HAS TO BE LATCHED INTO THE
SUBSEQUENT REGISTERS BANK TO BE TURNED INTO AN ACTUAL FAULT 4HIS
PROCESS HAS TIMING REQUIREMENTS IF THE 3%5 ARISES BEFORE AND
TO CLOSE TO THE CLOCK RISING EDGE IT WILL BE SOON OVERWRITTEN BY
A CORRECT DATA 4HUS IT MAY NOT HAVE THE TIME TO REACH THE NEXT
REGISTER BANK BEFORE THE CLOCK RISING EDGE #ONSEQUENTLY THE
FALSE DATA MAY PROPAGATE THROUGH THE DOWNSTREAM LOGIC NEARLY
FOLLOWED BY A CORRECT DATA IT MAY BE OVERWRITTEN BEFORE BEING
LATCHED AT THE NEXT CLOCK RISING EDGE
# $ISCUSSION ON THE LASER FAULT MODEL
4HE PROPERTIES OF LASERINDUCED FAULTS REVIEWED IN SUBSEC
TIONS ))! AND ))" WERE ESTABLISHED UNDER THE ASSUMPTION
THAT THE EFFECT RANGE OF THE CONSIDERED LASER SPOTS WAS CIR
CUMSCRIBED TO ONE SENSITIVE AREA 5NDER THIS ASSUMPTION THE
FAULT INJECTION PROCESS IS DATADEPENDENT -ORE PRECISELY THE
SENSITIVE AREAS ARE CHANGING WITH THE DATA &OR A GIVEN LASER
SETTING LOCATION OF THE LASER SPOT ENERGY LEVEL TIMING OF THE
INJECTION THE FAULT MAY OCCUR OR NOT DEPENDING OF THE DATA
PROCESSED BY THE TARGET 4HIS BEHAVIOUR MAY BE DESCRIBED AS
A BITSET OR A BITRESET FAULT TYPE ;= ! DATA BIT SUFFERS FROM
A BITSET RESP A BITRESET FAULT IF IT IS CHANGED FROM TO
RESP FROM TO THUS CREATING A CALCULATION ERROR /N
THE CONTRARY IT REMAINS UNFAULTED IF ITS LOGICAL VALUE WAS YET
A RESP A 4HIS FAULT TYPE IS VERY WORRYING AS IT MAKES
IT POSSIBLE TO MOUNT SAFE ERROR ATTACKS AGAINST CRYPTOSYSTEMS
;=
4HE ABILITY TO OBTAIN A BITSET OR BITRESET FAULT IN FORMER
TECHNOLOGIES IS WELL ESTABLISHED ;= (OWEVER THIS ABILITY
IS QUESTIONABLE IN ADVANCED #-/3 PROCESSES 4HE F RST
REASON IS THAT THE MINIMAL DIAMETER OF A LASER SPOT COULD
NOT BE SUCCESSFULLY DECREASED TO SMALLER THAN μM DUE TO
OPTICAL CONSTRAINTS (ENCE IN ADVANCED TECHNOLOGIES THE LASER
SPOT COULD ENCOMPASS SEVERAL TRANSISTORS VIOLATING OUR F RST
ASSUMPTION AND INDUCE A BIT F IP FAULT TYPE WHICH REFER TO AN
INVERSION OF THE FAULTED BIT REGARDLESS OF ITS VALUE OR IMPACT
SEVERAL BITS -OREOVER AS TECHNOLOGIES ARE EVOLVING THE METAL
DENSITY OVER )#S INCREASES DUE TO METALF LL REQUIREMENTS
;= -ETAL LINES OR F LLS ARE REF ECTING LASER BEAMS MAKING
IT MORE AND MORE DIFF CULT TO ACCESS TO SENSITIVE AREAS FROM
THE FRONT SIDE 4HE MAIN CONSEQUENCE IS THAT MOST OF LASER
FAULT INJECTION ARE CARRIED OUT THROUGH THE REAR SIDE WITH A
SMALL SPOT SIZE 4HIS METHOD IS NOT EASY TIME CONSUMING
AND A PROPER PREPARATION OF THE CHIP IE DEPACKAGING IS
NEEDED )N THE OTHER SIDE LASER FAULT INJECTION IN FRONT SIDE
WITH A LARGE SPOT IS EASIER TO PERFORM BUT SEEMS TO BE NOT
CONSISTENT WITH BITSET OR BITRESET FAULT INJECTION 4HIS IS ONE
POINT WE HAVE CONSIDERED TO EXPLORE IN THIS WORK THE EFFECT
OF A LARGE LASER SPOT ∼ 125μm ∗ 125μm THROUGH THE METAL
COVERAGE ON THE FAULT PROPERTIES 4HE BITF IP FAULT TYPE WAS
ALSO CONSIDERED IN THIS WORK
))) % 80%2)-%.4!, 3 %450
! 4HE ,ASER TEST BENCH
4HE FAULT INJECTION EXPERIMENTS REPORTED IN THIS PAPER WERE
PERFORMED FRONT SIDE WITH A GREEN LASER SOURCE OF NM
WAVELENGTH 4HE LASER PULSES IT PRODUCES HAVE A CONSTANT
DURATION OF NS /PTICAL SETTINGS WERE CHOSEN TO OBTAIN A
SQUARE LASER SPOT OF 125μm∗125μm 4HE ENERGY WAS TUNED TO
N* PER SHOT (ENCE GIVEN THE TRANSMISSION COEFF CIENT OF THE
OPTICS AN ENERGY DENSITY OF P*μm2 WAS ACHIEVED UNDER THE
LASER BEAM &OR THE SAKE OF SIMPLICITY A TRIGGER SIGNAL ISSUED
FROM THE TEST CHIP WAS USED TO SYNCHRONIZE THE LASER SHOTS WITH
THE !%3 ENCRYPTIONS )T MADE IT POSSIBLE TO TARGET THE BEGINNING
OF THE !%3 LAST ROUND WITH A JITTER OF +
− 5ns
&IG 4HE
!%3 128
TARGET DEVICE WITH ITS SHOOTING SECTORS
" 4HE TARGET DEVICE
4HE TARGET DEVICE IS AN !3)# IMPLEMENTING THE !%3 AL
GORITHM ;= IN ITS BITS KEY LENGTH VERSION !%3128
4HE !%3128 IS A SUBSTITUTION AND PERMUTATION ALGORITHM )T
CONSISTS OF IDENTICAL ROUNDS AFTER A SHORT INITIAL ROUND
EACH ROUND IS A SUCCESSION OF FOUR DIFFERENT TRANSFORMATION
)N OUR IMPLEMENTATION ONE ROUND NEEDS ONLY ONE CLOCK CYCLE
TO BE ACHIEVED 4HE ENTIRE ENCRYPTION IS PERFORMED IN CLOCK CYCLES 4HE !3)# WAS OPERATED AT -(Z DURING OUR
EXPERIMENTS ALTHOUGH ITS MAXIMUM ALLOWABLE FREQUENCY IS
-(Z ! PICTURE OF THE SILICON CHIP IS GIVEN IN &IG )T
WAS DESIGNED IN A METAL LAYERS μM TECHNOLOGY .ONE
OF THE CIRCUITS FUNCTIONAL BLOCKS IS IDENTIF ABLE AT SIGHT THE
WHOLE DESIGN WAS SCRAMBLED GLUE LOGIC &IG ALSO SHOWS
THE PARTITIONING OF THE TARGETS SURFACE INTO SHOOTING SECTORS
CORRESPONDING OF THE LASER SPOTS SIZE ,ASER FAULT INJECTIONS
WERE DONE ACCORDING THIS PARTITIONING
# %XPERIMENTAL RESULTS
)N THE FOLLOWING THE OBTAINED FAULTS ARE CLASSIF ED AND
ANALYSED AT BYTE LEVEL BECAUSE THEY WERE INDUCED DURING THE
!%3 LAST ROUND CORRESPONDING CRYPTANALYSES OF WHICH ARE
CONSIDERED BYTEWISE SEE SECTION )6
! LARGE FAULT INJECTION EXPERIMENT WAS CONDUCTED &OR EVERY
SHOOTING SECTOR OF &IG ENCRYPTIONS WERE RAN WITH
RANDOM PLAINTEXTS BUT THE SAME KEY $URING THESE EXPERIMENTS
NO LATCHUP OR RESET OF THE COMPONENT HAVE BEEN REPORTED
3IMULTANEOUSLY THE LASER WAS F RED AND THE OUTPUT CIPHERTEXT
FAULTED OR NOT WAS RETRIEVED )T WAS THEN ANALYSED TO ESTABLISH
WHETHER IT WAS ERRONEOUS OR NOT )N CASE OF AN ERROR THE INJECTED
2013 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST)
121
FAULT WAS RECOVERED BY REVERSING THE ENCRYPTION OF THE FAULTED
CIPHERTEXT AND ALSO BY COMPARISON WITH A CORRECT ENCRYPTION
THE KEY AND THE PLAINTEXTS WERE KNOWN $ESPITE THE LARGE
SPOT SIZE 125μm ∗ 125μm MOST OF THE INDUCED FAULTS WERE
SINGLEBIT FAULTS 4ABLE ) REPORTS A SYNTHESIS OF THESE RESULTS &OR
EVERY BYTE OF THE !%3 STATE THE FAULTS OF THE SHOOTING SECTOR
CORRESPONDING TO THE HIGHEST ERROR RATE ARE REPORTED 4HE RATES
OF THE SINGLEBIT AND MOST COMMON FAULTS ARE ALSO GIVEN EG
CONSIDER BYTE0 ENCRYPTIONS WERE FAULTED AMONGST THEM
79% WERE SINGLEBIT FAULTS AND THE MOST ENCOUNTERED FAULT
APPEARED WITH A 74% RATE
4!",% )
% 80%2)-%.4!, 2%35,43
BYTE %RROR INJECTION
RATE
3INGLEBIT ERROR
RATE
-OST COMMON FAULT
RATE
! SECOND SET OF EXPERIMENTS WAS CONDUCTED FOR A LOCATION
OF THE LASER BEAM THAT GAVE RISE TO A RELATIVELY HIGH ERROR
OCCURRENCE RATE ON BYTE NUMBER ENCRYPTIONS WITH THE
SAME PREVIOUS CONSTANT KEY AND RANDOM PLAINTEXTS WERE DONE
SIMULTANEOUSLY WITH LASER INJECTION )TS RESULTS ARE REPORTED IN
TABLE ))
4!",% ))
, !3%2 ).*%#4)/. /. "94% .5-"%2 2!.$/- 0,!).4%843 &AULTS OCCURRENCE
RATE
/CCURRENCE RATE
OF FAULT X
/CCURRENCE RATE
OF OTHER FAULTS
/NE OF THE PREVIOUS PLAINTEXTS RELATED TO AN ACTUAL INJECTION
OF FAULT WAS THEN SELECTED TO CONDUCT ANOTHER SET OF ENCRYPTIONS IE THE WHOLE EXPERIMENTAL SETTINGS WERE THE
SAME FOR EACH ATTEMPT 4ABLE ))) DISPLAYS ITS STATISTICS
4!",% )))
3 4!4)34)#3 /& &!5,4 ).*%#4)/. /. ! #/.34!.4 0,!).4%84
&AULTS OCCURRENCE
RATE
/CCURRENCE RATE
OF FAULT X
/CCURRENCE RATE
OF OTHER FAULTS
$ !NALYSIS OF THE LASERINDUCED FAULTS
4HE FAULT OCCURRENCE RATE REPORTED IN TABLE ))) FOR ONE
GIVEN PLAINTEXT IS APPROXIMATELY TWICE THE RATE REPORTED IN
122
TABLE )) FOR SEVERAL RANDOM PLAINTEXTS 4HE EXPLANATION LIES
IN THE DATADEPENDENT NATURE OF LASERINDUCED FAULTS ! DEEPER
ANALYSIS OF THE SINGLEBIT FAULT IE X INJECTED DURING THESE
EXPERIMENTS REVEALED THAT THE FAULTED BIT WAS ALWAYS A TURNED
INTO A -OREOVERAMONG THE ENCRYPTIONS OF TABLE )) NO
FAULT WAS INJECTED WHEN THE ORIGINAL VALUE OF THE FAULTED BIT IE
THE CORRECT OR NONE FAULTED BIT VALUE WAS A 4HESE RESULTS
REVEAL A BITSET FAULT TYPE -OREOVER THE FAULTS OCCURRENCE RATE
GROWS FROM 7.1% TO 14.2% WHEN ONLY THE FAULT INJECTION
ATTEMPTS CONSISTENT WITH A BITSET ARE CONSIDERED
(OWEVER A 16% FAULTS OCCURRENCE RATE IS STILL LOW AS LASER
FAULT INJECTION IS OFTEN CONSIDERED AS DETERMINISTIC 4HE JITTER OF
THE LASER SETUP IS PROBABLY AN INCOMPLETE EXPLANATION GIVEN
THE TIMEDEPENDENT NATURE OF THE FAULT INJECTION MECHANISM
SEE SUBSECTION ))" 4HE FACT THAT SEVERAL LASERSENSITIVE AREAS
ARE UNDER THE LASER SPOT IS ANOTHER HYPOTHESIS THAT WOULD BE
WORTH STUDYING
!MONG THE LARGE AMOUNT OF DATA WE HAVE PROCESSED WE ALSO
REPORT HERE A FURTHER ANALYSIS OF THE RESULT OBTAINED ON BYTE DURING THE F RST EXPERIMENT 4HEY ARE EXTENSIVELY REPORTED IN
TABLE )6 !T BITLEVEL THE FAULT OCCURRENCE RATES OF BITS b2
AND b1 WERE RESPECTIVELY 34.3% AND 66% ! DEEPER ANALYSIS
REVEALED THAT THE FAULT TYPES OF BITS b2 AND b1 WERE RESPECTIVELY
A BITSET AND A BITF IP
4!",% )6
&!5,43 ).*%#4%$ /. "94% .5-"%2 &AULT VALUE
b7 ...b4 b3 b2 b1 b0
0000 0110
0000 0010
0000 1110
0000 1000
0000 0100
0000 0001
0000 1001
0000 0011
OF OCCURRENCE
4HESE EXPERIMENTS SHOWED THAT THE BITSET OR BITRESET AND
BITF IP FAULT TYPES ARE BOTH ATTAINABLE FOR LASER FAULT INJECTION
WITH A LARGE SPOT FROM THE FRONT SIDE OF THE TARGET /UR
EXPLANATION IS THAT THE METALF LLS ACT AS SHUTTERS THAT ALLOW TO
STIMULATE ONLY A FEW LASERSENSITIVE AREAS )N SOME CASES IT IS
CONSISTENT WITH THE BITSET OR BITRESET FAULT TYPE &OR OTHERS TWO
SENSITIVE AREAS RELATED TO A COMMON DATA BIT ARE SIMULTANEOUSLY
STIMULATED ONE BY A BITSET FAULT TYPE THE SECOND BY A BIT
RESET !S A RESULT A BITF IP FAULT TYPE IS ACHIEVED !N INTENDED
APPLICATION OF THIS PHENOMENON IS REPORTED IN ;=
)6
$&! /& 4(% !%3 ,!34 2/5.$
4WO SCHEMES OF $&! ARE BASED ON AN ANALYSIS OF THE !%3
LAST ROUND IN THE PRESENCE OF FAULTS ;= ;= THEY MAKE IT
POSSIBLE TO RETRIEVE ITS LAST ROUND KEY )N THIS SECTION WE
STUDY THE RELEVANCE OF USING THESE TECHNIQUES TO PROCESS OUR
EXPERIMENTAL DATA ESPECIALLY WITH THE DATA WHERE THE SINGLEBIT
FAULT OCCURRENCE RATE OR REPEATABILITY ARE LOW 7E ALSO REPORT
AND DISCUSS THE USE OF A $&! SCHEME ON THE !%3 LAST ROUND
RECENTLY INTRODUCED BY ;= WITH THESE DATA
2013 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST)
! .OTATIONS
)N THE FOLLOWING M, C, D, K AND E DENOTE RESPECTIVELY THE
PLAINTEXT THE CORRECT CIPHERTEXT THE FAULTY CIPHERTEXT THE SECRET
KEY AND THE ERROR VALUE CALCULATED BY 8ORING C AND D
$EPENDING ON THE CONTEXT THEY MAY REFER TO THE WHOLE !%3
STATE BYTES OR TO A GIVEN SINGLE BYTE CORRESPONDING TO
THE FAULT LOCATION 4HE 3UB"YTE TRANSFORMATION OF THE !%3 IS
DENOTED SB 4HE !%3 STATE AT THE BEGINNING OF THE j th ROUND
WILL BE DENOTED BY M j − 1 EG M 9 DENOTES THE STATE AT THE
START OF THE LAST ROUND Kj REFERS TO THE ROUND KEY OF THE j th
ROUND &OR THE SAKE OF CLARITY THE 3HIFT2OWS TRANSFORMATION IS
LEFT OUT IN THE FOLLOWING EQUATIONS ! SUBSCRIPT INDEX i MAY
BE USED TO POINT TO A GIVEN ENCRYPTION AMONG OTHERS !S THERE
IS NO -IX#OLUMNS TRANSFORMATION DURING THE !%3 LAST ROUND
THE CRYPTANALYSES ARE PERFORMED BYTEWISE
" !PPLICATION OF THE 'IRAUDS
$&!
'IRAUD ;= HAS INTRODUCED THE F RST $&! AGAINST THE !%3 LAST
ROUND )T IS BASED ON A SINGLEBIT FAULT MODEL WHOSE FAULTS
HAVE TO TARGET M 9 4HE ATTACK IS PERFORMED BYTEWISE A BYTE
OF K10 IS RETRIEVED WITH A SUCCESS RATE OF 97% FROM THREE PAIRS
OF CORRECT AND FAULTY CIPHERTEXTS Ci , Di BY SOLVING EQUATIONS
AND Ci = K10 ⊕ SB(M 9i )
Ci ⊕ Di = SB(M 9i ) ⊕ SB(M 9i ⊕ E)
7ITH THE EXPERIMENTAL RESULTS PRESENTED IN )))# ONLY THREE
BYTE OF THE !%3 STATE ARE COMPLIANT WITH THE SINGLEBIT FAULT
MODEL OF 'IRAUDS $&! BYTES AND IN TAB ) BYTES ARE CLOSE OR BEYOND A SINGLEBIT OCCURRENCE RATE OF 80%
(ENCE A HIGHER NUMBER OF Ci , Di PAIRS IS NEEDED TO F ND THE
CORRESPONDING KEY BYTES (OWEVER THE ATTACK IS STILL FEASIBLE
9ET TWO BYTES HAVE SINGLEBIT RATES AROUND 65% AND BYTE IS BELOW 50% &OR BYTES PRESENTING THESE STATISTICS 'IRAUDS
$&! MAY NOT BE THE MOST EFF CIENT SCHEME
# !PPLICATION OF THE 2OCHE ET AL
4HE EXPERIMENTAL DATA GATHERED IN OUR EXPERIMENTS WERE
ANALYSED ACCORDING THIS $&! SCHEME 'IVEN THE FAULT RE
PEATABILITY IE THE MOST COMMON FAULT RATE OF TABLE )S LAST
COLUMN BYTES REQUIRED OR LESS Ci , Di PAIRS TO RETRIEVE
THE CORRESPONDING KEY BYTES BECAUSE THEIR FAULT REPEATABILITY
WAS HIGHER THAN 90% &OUR BYTES REVEALED A FAULT REPEATABILITY
AROUND 50% THEY REQUIRED Ci , Di PAIRS ON AVERAGE TO
DISCOVER THEIR ROUND KEY BYTES
,IKEWISE 'IRAUDS $&! THIS SCHEME MAKES IT POSSIBLE
TO RETRIEVE THE SECRET KEY $ESPITE THIS REQUIRED MORE DATA
TO SUCCEED (OWEVER THE CORRESPONDING FAULT MODEL IS LESS
CONSTRAINT THAN THE SINGLEBIT REQUIREMENT OF 'IRAUDS $&! )T
MAY SUCCEED WHERE 'IRAUDS $&! WILL FAIL
$ 3IMPLIF CATION OF AN EXISTING
,ASHERMES ET AL ;= HAVE INTRODUCED A $&! SCHEME THAT
MAKES USE OF FAULTS INJECTED ON M 9 AT THE BEGINNING OF THE !%3
LAST ROUND )TS ORIGINALITY COMPARED WITH THE $&! SCHEMES OF
'IRAUD AND 2OCHE ET AL RESIDES IN THE BYTEWISE ANALYSIS OF THE
INJECTED FAULTS &ROM THE EQUATIONS OF THE CORRECT CIPHERTEXT Ci
AND THE FAULTED CIPHERTEXT Di EQUATIONS AND RESPECTIVELY
Ci
=
K10 ⊕ SB(M 9i )
Di
=
K10 ⊕ SB(M 9i ⊕ Ei )
WHERE Ei IS THE INJECTED FAULT THE EXPRESSION OF Ei EQ IS
OBTAINED
Ei = SB −1 (Ci ⊕ K10) ⊕ SB −1 (Di ⊕ K10)
SB(SB −1 (Ci ⊕ K10) ⊕ E9) ⊕ K10 ⊕ E10 = Di
WHERE E9 E10 AND K10 ARE UNKNOWN 4HE CRYPTANALYSIS
IS CONDUCTED BYTEWISE 4HE SUCCESS RATE IN RETRIEVING K10 IS
HIGHER THAN 90% WITH THREE PAIRS Ci , Di 4HIS TECHNIQUE WAS ALSO EXTENDED TO NONECONSTANT FAULTS
AS THE FAULT REPEATABILITY IS DECREASING THE NUMBER OF Ci , Di PAIRS INCREASES -OREOVER WITHOUT ANY LACK OF GENERALITY
THIS ATTACK MAY BE EXPANDED TO THE FAULT MODEL USED IN OUR
EXPERIMENTS IE FAULTS INJECTED ON M 9 BY NULLIFYING E10 IN
EQ )N EQ Ci AND Di ARE KNOWN AND Ei AND K10 ARE UNKNOWN
4HE $&! CONSISTS IN BUILDING AN ERROR TABLE SEE TABLE 6
ITS COLUMNS REPRESENT THE 256 ROUND KEY FEASIBLE VALUES IE
HYPOTHESES k FOR EACH LINE CALLED A REALIZATION OF INDEX i
THE CORRESPONDING VALUES OF THE INJECTED FAULT ei,k = Ei ARE
CALCULATED FROM EQ THE Ci Di PAIRS AND THE KEY HYPOTHESIS
k
$&!
4HE $&! RECENTLY INTRODUCED BY 2OCHE ET AL ;= WAS
ORIGINALLY BASED ON THE INJECTION OF CONSTANT FAULTS ON THE 9th
AND 10th ROUND KEYS &ROM THE EQUATIONS OF A CORRECT AND
A FAULTY CIPHERTEXTS Ci AND Di RESPECTIVELY EQUATION IS
OBTAINED
$&!
4!",% 6
% 22/2 4!",%
2EALIZATION i
···
X
e0,0
e1,0
e2,0
···
+ HYPOTHESIS k
X X · · ·
e0,1
e0,2 · · ·
e1,1
e1,2 · · ·
e2,1
e2,2 · · ·
···
··· ···
X&&
e0,255
e1,255
e2,255
···
/NLY ONE COLUMN OF THE ERROR TABLE CORRESPONDS TO THE
CORRECT KEY BYTE K10 4HIS COLUMN ALSO GIVES THE FAULTS
THAT HAVE BEEN ACTUALLY INJECTED ;= PROVIDES A COMPLETE
METHODOLOGY BASED ON THE CALCULATION OF THE ENTROPY OF THE
ERRORS TO DISCRIMINATE THE RIGHT KEY BYTE IE THE RIGHT COLUMN
4ABLE 6) REPORTS THE ERROR TABLE OBTAINED FROM THE FAULT
INJECTION ATTEMPTS ON BYTE CF TAB )6
)T IS THEREFORE EASY TO ASCERTAIN THAT THE CORRESPONDING VALUE
OF THE KEY BYTE IS X#$ 4HE FAULTS VALUES IN EVERY COLUMNS
APPEAR RANDOM EXCEPT FOR THE KEY HYPOTHESIS X#$ WHERE
2013 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST)
123
4!",% 6)
% 22/2 4!",% /& "94% 2EALIZATION i
···
···
···
X
X
X"
X#
···
X
···
X&
···
X
+ HYPOTHESIS k
X · · · X#$
X · · · X
X! · · · X
X"& · · · X
···
···
···
X&& · · · X
···
···
···
X · · · X
···
···
···
X" · · · X!
···
···
···
···
···
···
···
···
···
···
X&&
X
X
X%
···
X!
···
X
···
X
THE FAULTS OUTLINED IN BOLD ARE RESTRICTED TO THE FOUR LEAST
SIGNIF CANT BITS SEE 4ABLE )6 4HIS RESULT IS CONSISTENT WITH THE
DESIGN OF OUR TARGET )# ONLY FOUR BITS OF BYTE WERE AFFECTED
BY THE LASER BEAM BECAUSE ITS LOGIC BLOCKS ARE SCRAMBLED
/NLY A FEW Ci Di PAIRS MAY BE SUFF CIENT TO F ND K10S
BYTE &IG EXCERPTED FROM ;= GIVES THE AVERAGE NUMBER OF
FAULTS NEEDED TO SUCCEED AS A FUNCTION OF THE FAULTS ENTROPY
!VERAGEBESTATTACK
)NJECTIONENTROPY
&IG !VERAGE MINIMUM NUMBER OF FAULTS NEEDED TO F ND THE KEY FOR A
GIVEN INJECTION ENTROPY ;=
4HE FAULT INJECTION PROCESS ON BYTE HAS AN ENTROPY OF
1.3 4HUS 3.5 FAULTS ON AVERAGE ARE NEEDED TO SUCCESSFULLY
RETRIEVING THE RIGHT KEY BYTE 'IVEN THE STATISTICS OF BYTE ∼
50% REPEATABILITY AND SINGLEBIT OCCURRENCE RATE THIS APPROACH
APPEARS MORE EFF CIENT THAN 'IRAUDS AND 2OCHE ET ALS $&! REALIZATIONS ARE NEEDED FOR THE LATTER (OWEVER THIS STATEMENT
CANNOT BE GENERALISED )T HOLDS WHEN THE INJECTED FAULS HAVE A
DISTINCTIVE PATTERN AND A LOW REPEATABILITY
6 # /.#,53)/.
!.$
$ )3#533)/.
7E HAVE DESCRIBED IN THIS PAPER EXPERIMENTS OF LASER FAULT
INJECTION THROUGH THE FRONT SIDE OF AN )# IMPLEMENTING THE
!%3 "ECAUSE OF THE REF ECTIVE EFFECT OF ITS METAL F LLS A
LARGE LASER BEAM 125 ∗ 125μm2 WAS USED )NJECTION WITH
A LASER BEAM OF A FEW MICROMETERS WOULD HAVE BEEN TIME
OVERCONSUMING
7E HAVE OBSERVED TWO FAULT TYPES BITF IP AND BITSET OR
BITRESET 4HE LATTER TYPE WAS UNEXPECTED BECAUSE IT SEEMED
MORE CONSISTENT WITH THE USE OF A SMALLER BEAM AFFECTING ONLY
ONE LASERSENSITIVE AREA 4HE BITF IP TYPE IS EXPLAINABLE BY THE
SIMULTANEOUS ILLUMINATION OF TWO SENSITIVE AREAS CORRESPONDING
RESPECTIVELY TO A BITSET AND A BITRESET 4HESE RESULTS ARE
124
!#+./7,%$'%-%.4
4HE RESEARCH WORK OF #YRIL 2OSCIAN WAS PARTLY FUNDED BY
THE v#ONSEIL 2EGIONAL 0!#!v 4HE AUTHORS ALSO WOULD LIKE TO
THANK 2ONAN ,ASHERMES FOR HIS HELP AND HIS SUPPORT
2 %&%2%.#%3
OBTAINED BECAUSE THE METAL F LLS BEHAVE AS SHUTTERS AT BYTE
LEVEL ONLY ONE OR VERY FEW SENSITIVE AREAS ARE EXPOSED TO
THE LASER -OREOVER A LARGE PART OF THE INDUCED FAULTS WERE
SINGLEBIT DESPITE THE SIZE OF THE LASER BEAM 4HIS PRECISION
WAS ACHIEVED THANKS TO THE METAL COVERAGE 4HE ANALYSIS OF
THE INJECTED FAULTS HAD ALSO CORROBORATED THE DATADEPENDENT
AND TIMEDEPENDENT NATURE OF LASER INJECTION
4HESE FAULT INJECTION EXPERIMENTS WERE PERFORMED AT THE
BEGINNING OF THE !%3 LAST ROUND 4HE FAULTS STATISTICS ALLOWED
TO RECOVER THE SECRET KEY BY USING EITHER 'IRAUDS $&! ;= OR
2OCHE ET AL $&! ;= (OWEVER FOR FAULTS WITH A LOW SINGLEBIT
OCCURRENCE RATE ANDOR A LOW REPEATABILITY THESE TWO SCHEMES
OF $&! ARE NOT THE MOST EFF CIENT 7E F NALLY PROPOSED A SIMPLE
APPLICATION OF THE $&! SCHEME INTRODUCED BY ,ASHERMES ET AL
;= THAT MAKES IT POSSIBLE TO RECOVER THE SECRET KEY IN A MORE
EFF CIENT WAY
;= 3KOROBOGATOV 3 !NDERSON 2 /PTICAL FAULT INDUCTION ATTACKS )N
#RYPTOGRAPHIC (ARDWARE AND %MBEDDED 3YSTEMS #(%3 6OLUME
OF ,ECTURE .OTES IN #OMPUTER 3CIENCE n
;= VAN 7OUDENBERG * 7ITTEMAN - -ENARINI & 0RACTICAL OPTICAL FAULT
INJECTION ON SECURE MICROCONTROLLERS )N &AULT $IAGNOSIS AND 4OLERANCE
IN #RYPTOGRAPHY &$4# 7ORKSHOP ON n
;= "LOMER * 3EIFERT *0 &AULT BASED CRYPTANALYSIS OF THE ADVANCED
ENCRYPTION STANDARD AES )N #OMPUTER !IDED 6ERIF CATION 6OLUME
OF ,ECTURE .OTES IN #OMPUTER 3CIENCE n
;= !GOYAN - $UTERTRE * .ACCACHE $ 2OBISSON " 4RIA ! 7HEN
CLOCKS FAIL /N CRITICAL PATHS AND CLOCK FAULTS 3MART #ARD 2ESEARCH AND
!DVANCED !PPLICATION n
;= .)34 !NNOUNCING THE !DVANCED %NCRYPTION 3TANDARD !%3 &EDERAL
)NFORMATION 0ROCESSING 3TANDARDS 0UBLICATION N ;= 'IRAUD # $FA ON AES )N !DVANCED %NCRYPTION 3TANDARD n !%3
6OLUME OF ,ECTURE .OTES IN #OMPUTER 3CIENCE n
;= 2OCHE 4 ,OMN|E 6 +HALFALLAH + #OMBINED FAULT AND SIDECHANNEL
ATTACK ON PROTECTED IMPLEMENTATIONS OF AES )N 3MART #ARD 2ESEARCH
AND !DVANCED !PPLICATIONS n
;= ,ASHERMES 2 2EYMOND ' $UTERTRE *- &OURNIER * 2OBISSON "
4RIA ! ! DFA ON AES BASED ON THE ENTROPY OF ERROR DISTRIBUTIONS )N TH
7ORKSHOP ON &AULT $IAGNOSIS AND 4OLERANCE IN #RYPTOGRAPHY &$4#
;= (ABING $( 4HE USE OF LASERS TO SIMULATE RADIATIONINDUCED TRANSIENTS
IN SEMICONDUCTOR DEVICES AND CIRCUITS )N .UCLEAR 3CIENCE )%%%
4RANSACTIONS ON 6OLUME n
;= 7ANG & !GRAWAL 6 3INGLE EVENT UPSET !N EMBEDDED TUTORIAL )N
0ROC OF ST )NTERNATIONAL #ONFERENCE ON 6,3) $ESIGN PP n
;= /TTO $ &AULT !TTACKS AND #OUNTERMEASURES 0H$ THESIS 0ADERBORN
5NIVERSITY 'ERMANY ;= ,OUBET-OUNDI 0 6IGILANT $ /LIVIER & 3TATIC FAULT ATTACKS ON
HARDWARE DES REGISTERS #RYPTOLOGY E0RINT !RCHIVE 2EPORT ;= 0OUGET 6 &OUILLAT 0 ,EWIS $ ,APUYADE ( 3ARGER , 2OCHE
& $UZELLIER 3 %COFFET 2 !N OVERVIEW OF THE APPLICATIONS OF A
PULSED LASER SYSTEM FOR SEU TESTING )N /N,INE 4ESTING 7ORKSHOP
0ROCEEDINGS TH )%%% )NTERNATIONAL n
;= "ALASUBRAMANIAN ! -C-ORROW $ .ATION 3 "HUVA " 2EED 2
-ASSENGILL , ,OVELESS 4 !MUSAN / "LACK * -ELINGER * "AZE
- &ERLET#AVROIS 6 'AILLARDIN - 3CHWANK * 0ULSED LASER SINGLE
EVENT EFFECTS IN HIGHLY SCALED CMOS TECHNOLOGIES IN THE PRESENCE OF DENSE
METAL COVERAGE .UCLEAR 3CIENCE )%%% 4RANSACTIONS ON n
2013 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST)
© Copyright 2026 Paperzz