Abstract
Fault injection attacks have been widely investigated in both academia and industry during the past decade. In this attack approach, the adversary intentionally induces computational faults in the security components of an integrated circuit (IC) in order to deduce the confidential information processed or stored inside the device. However, the internal architecture of real-world devices is typically unknown to the attacker, and the limited information about the device internals is often insufficient to meet the requirements of a practical fault injection attack. In this paper, we target the Field Programmable Gate Array (FPGA), which is widely used in hardware security applications. By analyzing the faulty outputs of implemented algorithms, the scale of logic arrays and the sensitive logic cells can be precisely profiled. Using the outcome of this work, practical attacks can be significantly accelerated, without the need for a time-consuming chip-scale injection scan. In addition, the observed fault models are compatible with most of the previously proposed fault models for differential or algebraic fault attacks (DFA/AFA). Moreover, a low-cost and highly sensitive logic-level countermeasure for predicting a laser fault injection attempt is described, which can be applied to any digital IC with minimal overhead.
Additional information
This paper is an extension of the paper entitled “Comprehensive Laser Sensitivity Profiling and Data Register Bit-Flips for Cryptographic Fault Attacks in 65 nm FPGA,” presented at the SPACE’16 conference. This version contains an extended related work section, covers chip preparation in more detail, discusses compatibility with cryptographic fault injection attacks, and presents a countermeasure against laser profiling.
Cite this article
Breier, J., He, W., Bhasin, S. et al. Extensive Laser Fault Injection Profiling of 65 nm FPGA. J Hardw Syst Secur 1, 237–251 (2017). https://doi.org/10.1007/s41635-017-0016-z
DOI: https://doi.org/10.1007/s41635-017-0016-z