
Feasibility of Fault Analysis Based on Intentional Electromagnetic Interference

Junko Takahashi #1, Yu-ichi Hayashi ∗2, Naofumi Homma ∗3, Hitoshi Fuji #4, and Takafumi Aoki ∗5

# NTT Secure Platform Laboratories, Nippon Telegraph and Telephone Corporation, 3-9-11 Midori-cho, Musashino-shi, Tokyo 180-8585, Japan
{1takahashi.junko, 4fuji.hitoshi}@lab.ntt.co.jp

∗ Tohoku University, 6-6-05, Aramaki Aza Aoba, Aoba-ku, Sendai-shi, 980-8579, Japan
{2yu-ichi@m, [email protected], 5aoki@ecei}.tohoku.ac.jp

Abstract—This paper presents the feasibility of fault analysis using intentional electromagnetic interference (IEMI). Fault analysis (FA) is a kind of implementation attack that intentionally extracts a secret embedded in a secure device such as a smart card. An attacker injects a computational fault during the cryptographic calculation and he can extract a secret key. Recently, Hayashi et al. showed that temporal faults could be remotely injected during the cryptographic calculation using IEMI. They showed a case study in which an Advanced Encryption Standard (AES) secret key could be extracted through fault analysis. However, the characteristics of faults that can be induced by IEMI were not described. And, a threat of various FAs was not clear. In this paper, we examine in detail how the IEMI fault injection affects the fault occurrence of intermediate states in a cryptographic module and investigate the distribution of the IEMI generated faults. Furthermore, we classify previous FAs with respect to an attack model such as the type of faults needed to achieve a successful attack, and discuss the feasibility of FAs using IEMI based on the experimental results.

I. Introduction

Electromagnetic interference (EMI) is a major problem in the field of Electromagnetic Compatibility (EMC) and many studies on EMI suppression or reduction have been conducted in order to protect the origin device or other electronic devices [1]. EMI is usually considered as a disturbance noise that affects an electrical circuit due to either conducted or radiated emissions from other devices. As a result, some EMC-related committees have set standards regarding the immunity against radiated and conducted noise and established voluntary compliance programs [2], [3]. Current electronic devices are usually implemented in such a way as to satisfy such EMC standards, which basically ensures that electric devices are immune to unintentional EMI.

On the other hand, intentional EMI (IEMI) is an emerging EMC topic and has drawn much attention from researchers and designers of electronic circuits. IEMI is defined as intentional malicious generation of electromagnetic energy that introduces noise or signals into electric and electronic systems, thus disrupting, confusing or damaging these systems for the purpose of terrorism or crime [4], [5]. IEMI can cause severe damage or disorder even to devices that comply with the existing public standards. In an attempt to address this issue, many efforts have been made toward classification of IEMI waveforms, test capabilities to generate waveforms, and understanding the effects of IEMI on equipment, systems, communications, and measurements [4].

Previous studies of IEMI showed that devices can be permanently damaged or destroyed by the effects of IEMI [4], [5]. On the other hand, Hayashi et al. recently showed that temporal faults could be remotely injected into a target device of an attack without any damage to the device using IEMI techniques [6], [7], [8]. They showed that the temporal faults could be induced during the cryptographic calculation of the target device by adjusting the frequency of the electromagnetic wave. They also presented a case study in which an Advanced Encryption Standard (AES) [9] secret key could be extracted through fault analysis (FA).

FA is a kind of implementation attack in which an attacker intentionally injects faults into a device during the cryptographic calculation and extracts a secret key using the faulty outputs. FA represents a major threat to embedded security devices because more efficient attacks with lower attack costs have become possible and a secret key can be extracted within a feasible calculation time.

In the field of IEMI, the effects of electromagnetic interference on the occurrence of faults in devices are a major concern and the feasibility of FA using the faulty outputs obtained through IEMI must be investigated. However, characteristics of the temporal faults induced through IEMI such as the distribution of the number of the faulty bytes or the faulty bits in the intermediate states and the type of faults were not described in previous studies [6], [7], [8]. Also, the feasibility of various types of FAs has not yet been examined in detail.

In this paper, we examine the type of faults induced through IEMI and present which FAs can be applied if the attacker exploits faults induced using IEMI. This is the first study in which the feasibility of various types of FAs is examined. In order to examine fault occurrences during a cryptographic calculation on a device, we evaluate a type of fault such as a single byte fault (1-byte fault) or a multi-byte fault (more-than-2-byte fault) during the cryptographic calculation. Then, we classify previous FAs with respect to the kind of attack, and evaluate the feasibility of the FAs using IEMI. The results of this study give perspective to which FA yields a higher threat level using the IEMI techniques.

978-1-4673-2060-3/12/$31.00 ©2012 IEEE

The remainder of this paper is organized as follows. We describe the previous FAs in Section II. In Section III, we describe the experimental results of the IEMI fault injection. We present the feasibility of the previous FAs based on the experimental results in Section IV. Finally, we conclude the paper in Section V.

II. Description of Previous Fault Analysis

In this section, we overview previous FAs. FA comprises two attack steps. The first step is to inject a fault into the target device to induce a temporal fault or a permanent fault during the cryptographic calculation. The second step is to analyze the faulty outputs obtained based on the injected fault in the first step to extract a secret key. The attacker needs to induce faults in the first step in order to satisfy the attack conditions, such as the type of fault and location of the injected fault, used in the analysis in the second step. We describe three typical fault injection methods below.

• Laser beam is a powerful but expensive method for injecting faults such as one-bit flips at the exact timing of the cryptographic calculation. As an example, in [10], fault injection using laser beam was shown and the authors showed that laser beam enables a precise and localized fault injection. Using a laser beam, an attacker can cause a stuck-at fault in which an intermediate variable is set to a fixed value.
• Supplying underpowered voltage is a simple and inexpensive method for injecting faults [11]. It provokes byte-oriented faults because it takes a longer time to fix the output of a combinational logic circuit than usual and it causes a set-up time violation in which the processed values are not fixed before one set-up time point ahead of the next clock edge. In [11], approximately 16 % of the collected faulty outputs were suitable for application to FA on AES [12]. Using an underpowered voltage, transient faults can be induced, i.e., we can reset the device to its original state, and then induce faults into the same device.
• Supplying over-clocking is also a simple and inexpensive method that employs underpowered voltage. It induces byte-oriented faults at the exact timing during the cryptographic calculation through a set-up time violation. Some experimental methods for the fault injection into the block-cipher algorithm [13] and the RSA algorithm [14] were proposed to induce faults through over-clocking. Faults were successfully injected in units of bytes into any intermediate state during the cryptographic calculation and the secret key was extracted. Transient faults can also be induced using this method.

We also describe four typical types of analysis below.

• Differential Fault Analysis (DFA) is the most well-known FA attack [15]. The principle of DFA is to exploit the differences between correct and faulty outputs based on the injected fault and guess the secret key. The method for extracting the secret key is based on differential cryptanalysis, a cryptanalytic technique against block ciphers that was proposed by Biham and Shamir [16]. Most DFA methods employ a random fault model, i.e., an intermediate state is randomly corrupted by the injected faults.
• Safe-Error Attack (SEA) is an attack that targets the cryptographic algorithm with a dummy operation such as the add-and-double-always algorithm [17], [18]. A SEA is based on the observation that some faults will not change the results if faults are induced during the dummy operations. The attacker needs to extract the bits of the secret key one-by-one using this attack method.
• Ineffective Fault Analysis (IFA) is an attack that exploits the simple information of whether or not the injected fault yields a faulty output [19], [20], [21]. IFA employs a stuck-at fault model. An attacker sets an intermediate variable to a fixed value such as zero. The fixed value is either known to the attacker or it can be guessed. If the output has a fault or if a fault occurrence is detected, the attacker knows that the original value of an intermediate state was different from the induced value. Using this information, the attacker can guess the secret key.
• Round Reduced Fault Analysis is an attack that is executed against round reduced block ciphers using a fault injection [22], [23]. The attacker needs to induce faults into the instruction step such as the counter for the number of rounds of block ciphers and skip the round operation of the cryptographic algorithm. Using the output after reducing the number of rounds, the attacker applies differential cryptanalysis [16] and he can guess the secret key.

In Table I, we categorize the attack methods in terms of the location of the fault injection during the cryptographic calculation. In DFA, SEA, and IFA, the faults must be induced into an intermediate state during data calculation. On the other hand, for round reduced fault analysis, the faults must occur in the instruction part in which the operation code is executed for the round function of the block ciphers.

TABLE I. Typical Types of FAs

| Attack Method | Location of Fault Injection |
|---|---|
| Differential fault analysis | Data calculation part |
| Safe-error attack | Data calculation part |
| Ineffective fault analysis | Data calculation part |
| Round reduced fault analysis | Instruction part |

III. IEMI Fault Injection Experiments

In this section, we briefly review the experimental configuration for the IEMI fault injection and show the results of the fault injection.

A. Experimental Configuration for Fault Injection

Basically, we employ the same configuration for the fault injection experiments as that in [6], [7], [8]. Fig. 1 shows an

image of the IEMI fault injection, where the cryptographic module is mounted on a common device, i.e., a printed circuit board (PCB), equipped with a twisted-pair power cable. A block diagram of the experimental configuration for fault injection is shown in Fig. 2. As we evaluate the characteristics of an IEMI fault occurrence, we target a cryptographic module implemented in a field-programmable gate array (FPGA) on side-channel attack standard evaluation board (SASEBO-G), which is a standard evaluation board for side-channel analysis [24]. The clock frequency and the supply voltage on SASEBO-G are 24 MHz and 3.3 V, respectively.

We use an AES module, which includes a composite field based S-Box [25], implemented in an FPGA on SASEBO-G. The size of the secret key employed in the experiments is 128 bits. The AES algorithm is specified as the number of repetitions for transformation called rounds that convert the input (plaintext) into the output (ciphertext). The AES module is based on a loop architecture where one round is processed every clock cycle. Note that the loop architecture is a typical architecture for a compact hardware implementation. A single encryption operation requires 11 clock cycles for 10 rounds of the AES algorithm and one additional clock cycle for data I/O. The correct and faulty ciphertexts obtained from the experiments are stored in a PC for the evaluation described in the next subsection. We attempt to induce faults during 39,354 AES encryptions using a fixed plaintext (0x4aef198560c45d4e52748c514e19ebe0) and a fixed secret key (0x2b7e151628aed2a6abf7158809cf4f3c). We also attempt to induce faults during 64,077 AES encryptions using random plaintexts and a fixed secret key (0x000102030405060708090a0b0c0d0e0f). Although we employ an AES module in the experiments, we believe that the results will help us to examine the distribution of the IEMI fault occurrences for other cryptographic algorithm modules that have a loop architecture.

In order to inject the faults into the cryptographic module on SASEBO-G, we use a signal generator (MG3641A) to generate sinusoidal waves, after which the waves are amplified by the amplifier (ZHL-2-12) shown in Fig. 2. The generated sinusoidal waves are introduced via an injection probe (FCC F-140) into a power cable attached to SASEBO-G during the cryptographic calculation. We place the injection probe approximately 60 cm away from SASEBO-G. Furthermore, we do not employ any information such as a trigger signal to inject faults into a specific timing of the cryptographic calculation in order to assume a more practical attack situation. The fault injections are performed at arbitrary timing during continuous cryptographic calculation. We evaluate the distribution of the fault occurrences and types of faults induced by IEMI under the above conditions.

In the experiments, we employ sinusoidal waves with a frequency of 170 MHz because the transfer functions for transfers from the injection probe to the points near FPGA 1 shown in Fig. 2 have the lowest decrease rate. We find that we can generate faults with high probability based on the previous experimental results [6], [7], [8].

[Fig. 1. IEMI fault injection. Diagram labels: other modules, cryptographic module, sinusoidal wave, injection probe, system GND, signal generator.]

[Fig. 2. Block diagram of experimental configuration. Diagram labels: SASEBO-G with FPGA 1 and FPGA 2 (24 MHz clocks, 1.5 V), regulators (3.3 V), bus, RS232C level converter, PC, DC power supply, injection probe (FCC F-140), amplifier (ZHL-2-12, +25 dB), synthesized signal generator (MG3641A).]

B. Experimental Results

We investigate how the IEMI fault injection affects the fault occurrence during AES encryption by observing the number of faulty bytes.

We calculate the inverse of the encryption using the secret key, correct ciphertexts and faulty ciphertexts to examine the number of faulty bytes observed in the intermediate states during one encryption. In the calculation, we examine the appearance of the minimum number of faults in a round through the inverse of the encryption, and then, we assume the minimum number of faults as the number of faulty bytes. We assume that the faults do not occur during the calculation of the round key from a secret key during the key expansion. Because the calculation time for the key expansion is much shorter than that for the cipher in the architecture, faults do not likely occur during the calculation for the key expansion compared to that for the cipher. Furthermore, we assume that the faults do not occur in more than one round.

Fig. 3 and Fig. 4 give the number of faulty bytes in the output of any round from the 1st to the 10th round using random plaintexts and a fixed secret key, and a fixed plaintext and a fixed secret key, respectively.

In both figures, we only describe the number of occurrences from 1 byte to 12 bytes because these numbers of occurrences of the faulty bytes are reliable. From the experimental results for more than 13-byte faults, we find that the faults may be caused by communication errors where the encryption is no longer executed; however, we cannot verify whether or not the

faults are caused by communication errors using the above calculation. Therefore, more than 13-byte faults are deemed most likely to include communication errors and the data for more than 13-byte faults are eliminated from Fig. 3 and Fig. 4.

[Fig. 3. Number of occurrences of faulty bytes using random plaintexts and a fixed secret key]

[Fig. 4. Number of occurrences of faulty bytes using a fixed plaintext and a fixed secret key]

We note that any byte of the output in any round is corrupted by IEMI and that there are many faults with less than five bytes in both figures. We consider that the IEMI based faults would occur as a result of a set-up time violation. In addition, it seems that the transmission of a sinusoidal wave of a single frequency affects the clock signal or power supply fed into the cryptographic module. Therefore, IEMI would frequently generate faults of less than five bytes on the longer paths.

In the case that a byte fault is induced as shown in Fig. 3 or Fig. 4, it is considered that one or more bits are flipped in a byte. In order to investigate the type of faulty bits, we examine the numbers of flipped bits when a one-byte fault occurs. Fig. 5 and Fig. 6 show the number of single bit flips (1-bit flip) and multi-bit flips (more-than-2-bit flip) in each round output using random plaintexts and a fixed secret key, and a fixed plaintext and a fixed secret key, respectively. In both figures, we cannot identify whether a one-byte fault was injected into the 9th round or the 10th round in our calculation. This is because the number of faulty bytes at the 9th round output is equal to that at the 10th round: the 10th round has no MixColumns operation, the operation that diffuses a one-byte fault into a four-byte fault. This fact is reflected in these figures and the number of occurrences in the 9th or 10th round output is divided into half.

[Fig. 5. Number of bit flips that occur when a one-byte fault occurs in the output of any round using random plaintexts and a fixed secret key]

[Fig. 6. Number of bit flips that occur when a one-byte fault occurs in the output of any round using a fixed plaintext and a fixed secret key]

In Fig. 5 using random plaintexts and a fixed secret key, a single bit flip is likely to occur in all rounds and a multiple bit flip also occurs in all rounds. In Fig. 6, almost all bit flips are single bit flips using a fixed plaintext and a fixed secret key. These figures show that IEMI generates single-bit flips more frequently than multi-bit flips. We note that the locations of bit flips are almost the same in a byte when we use a fixed plaintext and a fixed secret key.

IV. Evaluation of Fault Analysis

In this section, we discuss the feasibility of the FAs that are classified in Section II, based on the experimental results in Section III.
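Added example (not the authors' code): a software model of the Section III-B procedure, which inverts AES-128 round by round on a correct/faulty ciphertext pair under a known key and takes the minimum number of differing bytes over the round outputs as the fault size, then counts the flipped bits in those bytes. The fault masks are constructed test inputs, and the function names (`characterise`, `simulate`, and the AES helpers) are hypothetical.

```python
# Added example: software model of the inverse-AES fault characterisation.
# Assumptions: AES-128, key known to the evaluator, fault confined to one round output.

def xtime(a):
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def gmul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def _sbox_entry(a):
    inv = 1
    for _ in range(254):                           # a^254 = a^-1 (0 maps to 0)
        inv = gmul(inv, a)
    rot = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    return inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63

SBOX = [_sbox_entry(a) for a in range(256)]
INV_SBOX = [SBOX.index(v) for v in range(256)]
# State is a flat list, index 4*column + row; SHIFT[i] is the ShiftRows source of byte i.
SHIFT = [4 * ((c + r) % 4) + r for c in range(4) for r in range(4)]
INV_SHIFT = [SHIFT.index(i) for i in range(16)]

def mix_columns(s, coef=(2, 3, 1, 1)):
    """MixColumns on each 4-byte column; coef=(14, 11, 13, 9) gives InvMixColumns."""
    out = []
    for base in range(0, 16, 4):
        for r in range(4):
            terms = [gmul(coef[k], s[base + (r + k) % 4]) for k in range(4)]
            out.append(terms[0] ^ terms[1] ^ terms[2] ^ terms[3])
    return out

def expand_key(key):
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def encrypt(pt, rks, fault_round=None, fault_mask=None):
    """Encrypt; optionally XOR fault_mask into the output of fault_round (simulated fault)."""
    s = [p ^ k for p, k in zip(pt, rks[0])]
    for rnd in range(1, 11):
        s = [SBOX[s[j]] for j in SHIFT]            # SubBytes + ShiftRows
        if rnd < 10:                               # the final round has no MixColumns
            s = mix_columns(s)
        s = [a ^ k for a, k in zip(s, rks[rnd])]
        if rnd == fault_round:
            s = [a ^ e for a, e in zip(s, fault_mask)]
    return bytes(s)

def round_outputs(ct, rks):
    """Run the inverse cipher; return {round: state at that round's output}."""
    s = list(ct)
    states = {10: s}
    for rnd in range(10, 1, -1):                   # undo round rnd -> output of rnd-1
        s = [a ^ k for a, k in zip(s, rks[rnd])]
        if rnd < 10:
            s = mix_columns(s, (14, 11, 13, 9))
        s = [INV_SBOX[s[j]] for j in INV_SHIFT]    # InvShiftRows + InvSubBytes
        states[rnd - 1] = s
    return states

def characterise(correct_ct, faulty_ct, key):
    """Return (faulty byte count, candidate rounds, {round: bit flips per faulty byte})."""
    rks = expand_key(key)
    good, bad = round_outputs(correct_ct, rks), round_outputs(faulty_ct, rks)
    diff = {r: [a ^ b for a, b in zip(good[r], bad[r])] for r in good}
    count = {r: sum(1 for d in diff[r] if d) for r in diff}
    n = min(count.values())                        # minimum over rounds = assumed fault size
    rounds = sorted(r for r in count if count[r] == n)
    bits = {r: [bin(d).count("1") for d in diff[r] if d] for r in rounds}
    return n, rounds, bits

def simulate(pt, key, fault_round, fault_mask):
    """Constructed test case: build a correct/faulty ciphertext pair, then analyse it."""
    rks = expand_key(key)
    return characterise(encrypt(pt, rks), encrypt(pt, rks, fault_round, fault_mask), key)

if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # fixed key quoted in the paper
    pt = bytes.fromhex("4aef198560c45d4e52748c514e19ebe0")   # fixed plaintext quoted in the paper
    mask = [0] * 5 + [0x04] + [0] * 10                       # constructed: 1 byte, 1 bit
    for rnd in (6, 9):
        print(rnd, simulate(pt, key, rnd, mask))
```

A fault simulated in the 9th round output comes back with candidate rounds 9 and 10, which is the ambiguity Section III-B attributes to the missing MixColumns in the final round.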

A. DFA

Regarding DFAs, we need to generate one or more byte random faults of the intermediate state to apply the previous DFA on block ciphers or some stream ciphers. One or more bits of the intermediate state need to be flipped to apply the previous DFAs on some stream ciphers or asymmetric ciphers. Table II shows a summary of the previous DFAs on various ciphers in which faults need to be induced during the calculation of the cipher (not key expansion part). In the table, the fault number represents the number of bytes or bits of the intermediate state that need to be corrupted. The number of output pairs represents the number of correct and faulty outputs, i.e., the number of fault injections, in order to achieve a successful attack. Furthermore, in the table, more efficient attacks with lower attack costs are indicated using the minimum number of output pairs. We discuss the feasibility of FAs using the IEMI-based fault injection below.

a) Attacks against block ciphers: Based on the experimental results in Fig. 3, faults with less than 5 bytes are likely to occur using IEMI. In Table II, the theoretical DFAs often use a fault model in which less than 5 bytes of the intermediate states are randomly corrupted. Then, we can say that the faults induced by IEMI satisfy the attack condition for DFAs on block ciphers and the theoretical DFA on block ciphers can be applied.

b) Attacks against stream ciphers: In the same manner as the attack against block ciphers, the DFA on stream ciphers such as RC4, Rabbit, Snow3G, and MUGI must induce one-or-more-byte faults so that they can be applied using the faulty outputs by IEMI. Based on the experimental results in Fig. 5 and Fig. 6, single bit flips can occur in any round. Then, it is possible that a single bit flip occurs to satisfy the attack condition of the theoretical DFAs on stream ciphers such as Grain-128 and Trivium [32], [33]. Therefore, we can say that the IEMI-induced faults satisfy the attack condition for DFAs on stream ciphers.

c) Attacks against asymmetric ciphers: In the attack against RSA-CRT or ECC, we need to induce one or more bit flips in the intermediate state. From the experimental results in Fig. 5 and Fig. 6, at least one bit flip can be induced in any round output. Thus, we can say that the faults induced by IEMI satisfy the attack condition for DFAs on asymmetric ciphers.

Therefore, all DFAs on ciphers as shown in Table II can be applied if we exploit an IEMI fault occurrence.

B. SEA

Regarding SEAs, we need to generate continuous faults during the cryptographic calculation with a dummy operation and need to know the exact timing of the induced faults. Using the IEMI techniques, we can induce one or more byte faults into any round output from the experimental results; however, we cannot know the exact timing of the fault injection so long as we inject the faults without any trigger for the encryption. Thus, SEA may not be applied in the attack situation used in these experiments.

C. IFA

Regarding IFAs, we need to generate a stuck-at fault in which an intermediate state is permanently set to a fixed value. Based on the experimental results, we can generate random faults in which a value of an intermediate state is randomly corrupted by IEMI; however, we cannot generate a permanent fault to fix the intermediate state to any value such as zero using IEMI. Thus, it is difficult to apply IFA using the faults generated by IEMI.

D. Round Reduced Fault Analysis

Regarding round reduced fault analysis, we need to generate faults into the instruction part that controls the number of rounds during the cryptographic calculation. As described in Section III, the faults using IEMI would occur due to a set-up time violation. This means that the fault can hardly occur in the instruction part, i.e., round counter since the timing path is usually shorter than that for the data calculation part (the encryption part) in the hardware implementation. Thus, it is difficult to apply round reduced fault analysis using IEMI for hardware implementations.

Table III shows a summary of the possible FAs using IEMI from the above discussion. We showed that since DFA utilizes a fault model that an IEMI fault injection can generate, it becomes a more feasible attack to exploit an IEMI fault occurrence.

TABLE III. Summary of Possible FAs Using IEMI

| Attack Method | Possibility of Attacks |
|---|---|
| Differential fault analysis | Applicable |
| Safe-error attack | Not applicable† |
| Ineffective fault analysis | Not applicable |
| Round reduced fault analysis | Not applicable‡ |

† In the case without any trigger
‡ In the case of hardware implementation

V. Conclusion

This paper described the feasibility of FAs using IEMI. We investigated the distribution of IEMI fault occurrences during an AES calculation on an evaluation board as an example. We found that faults of less than 5 bytes can be injected into the intermediate states more frequently during an AES encryption and single bits are likely to be flipped when a one-byte fault occurs. Since DFAs employ a fault model that can be applied when IEMI is used for fault injection, from the examination of the previous FAs, we showed that DFA is a more feasible attack to exploit an IEMI fault occurrence.

References

[1] R. C. Paul, “Introduction to electromagnetic compatibility,” Wiley-Interscience, 2006.
[2] “Federal Communications Commission (FCC),” [Online]. Available: http://www.fcc.gov/
[3] “International Special Committee on Radio Interference (CISPR),” [Online]. Available: http://www.iec.ch/dyn/www/f?p=103:7:0::::FSP_ORG_ID:1298

TABLE II. Previous DFAs on Various Ciphers

| Cipher | Algorithm | Fault Number | Number of Output Pairs | References |
|---|---|---|---|---|
| Symmetric ciphers: block ciphers | DES | 4 bytes (Random†) | 2 | [15] |
| | AES-128 | 1 byte (Random) | 1 | [26] |
| | Camellia-128 | 1 byte (Random) | 4 | [27] |
| | CLEFIA-128 | 4 bytes (Random) | 2 | [28] |
| | IDEA | 2 bytes (Random) | 10 | [29] |
| Symmetric ciphers: stream ciphers | RC4 | 1 byte (Random) | 210 | [30] |
| | Rabbit | 4 bytes (Random) | 32 | [31] |
| | Grain-128 | 1 bit | 6 – 90 | [32] |
| | Trivium | 1 bit | 43 | [33] |
| | Snow3G | 4 bytes (Random) | 22 | [34] |
| | MUGI | 1 byte (Random) | 13 | [35] |
| Asymmetric ciphers | RSA-CRT | One or more bits | 1 | [36] |
| | ECC | One or more bits | Order of n∗ | [37] |

† Random: Intermediate state is randomly corrupted.
∗ Depending on the binary length of secret multiplier n.

[4] W. A. Radasky, C. E. Baum, and M. W. Wik, “Introduction to the special issue on high-power electromagnetics (HPEM) and intentional electromagnetic interference (IEMI),” IEEE Transactions on Electromagnetic Compatibility, 2004, vol.46, no.3, p. 314-321.
[5] IEC/TR 61000-1-5 Ed. 1.0 (2004-11) : Electromagnetic compatibility (EMC) - Part 1-5 : High power electromagnetic (HPEM) effects on civil systems.
[6] Y. Hayashi, N. Homma, T. Sugawara, T. Mizuki, T. Aoki, and H. Sone, “Non-Invasive EMI-Based Fault Injection Attack against Cryptographic Modules,” in Proc. EMC 2011, 2011, IEEE, p.763-767.
[7] Y. Hayashi, S. Gomisawa, Y. Li, N. Homma, K. Sakiyama, T. Aoki, and K. Ohta, “Intentional Electromagnetic Interference for Fault Analysis on AES IC,” in Proc. EMCCOMPO’11, 2011, IEEE, p.235-240.
[8] Y. Hayashi, N. Homma, T. Sugawara, T. Mizuki, T. Aoki, and H. Sone, “Non-invasive Trigger-free Fault Injection Method Based on Intentional Electromagnetic Interference,” in Proc. NIAT 2011, 2011.
[9] Advanced Encryption Standard (AES), Federal Information Processing Standard Publication 197, November 26, 2001. [Online]. Available: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
[10] E. Trichina and R. Korkikyan, “Multi Fault Laser Attacks on Protected CRT-RSA,” in Proc. FDTC 2010, 2010, IEEE Computer Society, p.75-86.
[11] N. Selmane, S. Guilley, and J.-L. Danger, “Practical Setup Time Violation Attacks on AES,” in Proc. EDCC 2008, 2008, IEEE, p.91-96.
[12] G. Piret and J. J. Quisquater, “A Differential Fault Attack Technique Against SPN Structures, with Application to the AES and Khazad,” in Proc. CHES 2003, 2003, LNCS vol.2779, pp.77-88.
[13] T. Fukunaga and J. Takahashi, “Practical Fault Attack on a Cryptographic LSI with ISO/IEC 18033-3 Block Ciphers,” in Proc. FDTC 2009, 2009, IEEE Computer Society, p.84-92.
[14] S. Endo, T. Sugawara, N. Homma, T. Aoki, and A. Satoh, “A configurable on-chip glitchy-clock generator for fault injection experiments,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, Vol. E95-A, No. 1 pp. 263–266, January 2012.
[15] E. Biham and A. Shamir, “Differential Fault Analysis of Secret Key Cryptosystems,” Technion - Computer Science Department - Technical Report CS0901.revised - 1997.
[16] E. Biham and A. Shamir, “Differential cryptanalysis of DES-like cryptosystems,” Journal of Cryptology, 4(1), p.3-72, 1991.
[17] M. Joye and S.-M. Yen, “The Montgomery Powering Ladder,” in Proc. CHES 2002, 2002, LNCS vol. 2523, p.291-302.
[18] S. M. Yen and M. Joye, “Checking Before Output May Not Be Enough Against Fault-Based Cryptanalysis,” IEEE Trans. Computers, vol. 49, no. 9, p.967-970, 2000.
[19] J. Blomer and J.-P. Seifert, “Fault Based Cryptanalysis of the Advanced Encryption Standard,” in Proc. FC 2003, 2003, LNCS vol. 2742, p.162-181.
[20] C. Clavier, “Secret External Encodings Do Not Prevent Transient Fault Analysis,” in Proc. CHES 2007, 2007, LNCS vol. 4727, p. 181-194.
[21] B. Robisson and P. Manet, “Differential Behavioral Analysis,” in Proc. CHES 2007, 2007, LNCS vol.4727, p. 413-426.
[22] H. Choukri and M. Tunstall, “Round Reduction Using Faults,” in Proc. FDTC 2005, 2005, p.13-24.
[23] J. Park, S. Moon, D. Choi, Y. Kang, and J. C. Ha, “Differential Fault Analysis for Round-Reduced AES by Fault Injection,” ETRI Journal, vol. 33, p. 434-442, Number 3, June 2011.
[24] Side-channel Attack Standard Evaluation Board SASEBO-G Specification – Version 1.0 –, 2008. [Online]. Available: http://staff.aist.go.jp/akashi.satoh/SASEBO/pdf/SASEBO-G_Spec_Ver1.0_English.pdf
[25] Cryptographic Hardware Project, Aoki Laboratory, Graduate School of Information Sciences, Tohoku University, [Online]. Available: http://www.aoki.ecei.tohoku.ac.jp/crypto/web/cores.html
[26] M. Tunstall, D. Mukhopadhyay, and S. Ali, “Differential Fault Analysis of the Advanced Encryption Standard using a Single Fault,” Cryptology ePrint Archive 2009/575, [Online]. Available: http://eprint.iacr.org/2009/575.pdf
[27] Z. Xin-jie, W. Tao, “Further Improved Differential Fault Analysis on Camellia by Exploring Fault Width and Depth,” Cryptology ePrint Archive: Report 2010/026. [Online]. Available: http://eprint.iacr.org/2010/026
[28] J. Takahashi and T. Fukunaga, “Improved Differential Fault Analysis on CLEFIA,” in FDTC 2008, 2008, IEEE Computer Society, p.25-39.
[29] C. Clavier, B. Gierlichs and I. Verbauwhede, “Fault analysis study of IDEA,” in Proc. CT-RSA 2008, 2008, LNCS vol. 4964, p. 274-287.
[30] E. Biham, L. Granboulan, and P. Q. Nguyen, “Impossible Fault Analysis of RC4 and Differential Fault Analysis of RC4,” in Proc. FSE 2005, 2005, LNCS 3557, p.359-367.
[31] A. Berzati, C. C.-Dumas, and L. Goubin, “Fault Analysis of Rabbit: Toward a Secret Key Leakage,” in Proc. Indocrypt 2009, 2009, LNCS vol. 5922, p.72-87.
[32] A. Berzati, C. Canovas, G. Castagnos, B. Debraize, L. Goubin, A. Gouget, P. Paillier, and S. Salgado, “Fault Analysis of GRAIN-128,” in Proc. HOST 2009, 2009, IEEE Computer Society, p.7-14.
[33] M. Hojsik, and B. Rudolf, “Differential Fault Analysis of Trivium,” in Proc. FSE 2008, 2008, LNCS vol. 5086, p.158-172.
[34] B. Debraize, and I. M. Corbella, “Fault Analysis of the Stream Cipher Snow 3G,” in Proc. FDTC 2009, 2009, IEEE Computer Society, p.103-110.
[35] J. Takahashi, T. Fukunaga, and K. Sakiyama, “Differential Fault Analysis on Stream Cipher MUGI,” IEICE Trans. Fundamentals. vol. E95-A, NO.1, January 2012.
[36] D. Boneh, R. DeMillo, and R. Lipton, “On the importance of checking cryptographic protocols for faults,” Journal of Cryptology, Springer-Verlag, vol.14, No.2, p. 101-119, 2001.
[37] I. Biehl, B. Meyer, and V. Müller, “Differential Fault Attacks on Elliptic Curve Cryptosystems (Extended Abstract),” in Proc. CRYPTO 2000, 2000, LNCS vol. 1880, p.131-146.
