# Fault injection attacks: from practice to theory

SERICS Autumn School on Hardware Security

**Brice Colombier** 

October 30, 2025



## Who am I?

- Finished engineering school in 2014
- PhD in microelectronics in 2017
- Background in electrical engineering, embedded systems and digital design

Associate professor at Université Jean Monnet in Saint-Étienne, France



SESAM<sup>[1]</sup> team in Laboratoire Hubert Curien



https://bcolombier.fr

## Who are you?

1. What is the field you are the most familiar with?
   - Physics / Microelectronics
   - Embedded systems / Digital design
   - Computer science / Programming
   - Mathematics / Cryptography
2. What do you know about fault injection attacks?
   - Never heard of it before today
   - Heard a few things about it, but not more
   - Read a lot about it, but never practiced it myself
   - Practiced it myself already

## Modus operandi

No practical session this morning...

→ But this afternoon yes!

Let's make this presentation interactive. Feel free to:

- make comments
- ask questions



## Definitions
#### Fault:

deviation from the normal operation of the device.

#### Fault injection:

deliberate attempt to deviate from the normal operation of the device.

#### Fault attack:

exploitation of a given fault for malicious purposes in a given security context.

#### Fault injection attack:

deliberate attempt to deviate from the normal operation of the device and exploit it for malicious purposes.

## Fault model

**Fault model:** self-contained description of the effect of the fault



# Agenda

1. History
2. Techniques
3. Attacks
4. Countermeasures
5. Perspectives
6. Conclusion


# Starting from reliability

Ever since electronic systems have been manufactured, we have wanted them to be reliable.

Elsevier Microelectronics Reliability<sup>[2]</sup> has been in existence since 1962. The IEEE Reliability Society celebrated its 75th anniversary this year.

#### Example article from 1968<sup>[3]</sup> by Texas Instruments:

- General survey of integrated circuit failure modes
- Reliability requirements
- Reliability prediction
- ...

<sup>[2]</sup> https://www.sciencedirect.com/journal/microelectronics-reliability

<sup>[3]</sup> W. Workman. "Failure Modes of Integrated Circuits and Their Relationship to Reliability". In: Microelectronics Reliability (1968).

# First published attacks

First publication<sup>[4]</sup> took ideas from pay-TV hackers (and others):

- alter the clock signal temporarily (5 MHz → 20 MHz)
- bridge a blown fuse with microprobe needles
- target set/reset EEPROM signals with microprobe needles to reprogram it
- constant data remanence in memory
- blocking some signals in protocols

## Attackers taxonomy

#### Three classes of attackers<sup>[5]</sup> can be considered:

1. Clever outsiders
   - Insufficient knowledge of the system under attack
   - Moderately sophisticated equipment
   - Use existing weaknesses of the system
2. Knowledgeable insiders
   - Substantial specialized technical education and experience
   - Access to the full system description
   - Highly sophisticated equipment
3. Funded organisations
   - Teams of experts
   - Large funding
   - Sophisticated attack paths

# Reliability meets cryptography

First publication by Boneh *et al.* at EUROCRYPT 1997<sup>[6]</sup> of the so-called Bellcore attack

Only theoretical: "the attack described in this paper is currently theoretical".

#### Faults considered:

- Causes:
  - "some miraculous event"
  - "a miraculous fault" (twice)
  - "register fault": low-probability bit-flip in the processor's registers
- Consequences:
  - Faulty decomposition in RSA-CRT
  - Faulty computation of a product in the Fiat-Shamir identification scheme
  - Faulty computation in Schnorr's identification scheme

## Reliability meets cryptography in practice

Attack put in practice (and published) three years later<sup>[7]</sup>.

#### Experimental setup:

- target: a smart-card
- fault injection technique: voltage glitches
  - 90 % repeatability



#### Lots of interesting insights:

- Fault model (error scenario) discussion: data corruption, arithmetic errors, ...
- Perform side-channel analysis beforehand for synchronization.
- Software countermeasures are not sufficient: hardware ones are needed.

## The IoT

#### Nowadays:

- Billions (10<sup>9</sup>) of devices
- Connected to the Internet
- Handling sensitive data
- Out there in the open
- Experimental equipment is accessible and getting cheaper by the day

Fault injection attacks are more and more relevant


# Techniques: restricted fault model



This talk: microcontrollers only (FPGAs and ASICs are too specific).

# Techniques

For every technique, we will examine:

- the attacker model
- its history
- the experimental setup
- the experimental parameters
- the fault model

# Techniques: Voltage glitch

## Voltage glitch: Attacker model

**Hypothesis:** every electronic device is powered by an external power source:

- Battery
- Power supply
- → Dedicated connection on the board and input pin on the device.

An attacker can tamper with the power supply of the device and perform:

- ✗ Overpowering
- ✓ Underpowering

Only momentarily to inject the fault over a short period of time.

# Voltage glitch: History

#### Introduced in 2008<sup>[8]</sup>:

- a 130 nm ASIC with a nominal voltage of 1.2 V.
- below 700 mV: I/O crashes
- single-bit errors around 800 mV

Used a controllable power supply with sub-millivolt accuracy.

# Voltage glitch: Experimental setup

ChipWhisperer Nano (photo not reproduced).

## Voltage glitch: Parameters

- delay
- duration (of the glitch)
- depth (w.r.t V<sub>cc</sub>)



Further works have shown that the shape of the glitch matters too [10].



Hardware-dependent parameters:

- duration
- depth

Program-dependent parameters:

- delay

# Voltage glitch: Fault model – physical level

**Physical level:** A lower supply voltage has two effects:

- decreases the switching speed of transistors
- increases the time needed to charge parasitic capacitances on wires

Both effects add up to longer propagation delays.

# Voltage glitch: Fault model – digital level

#### Digital level: timing constraints may be violated



Fig. 2. Critical paths of the AES' rounds when subject to: (a) underpowering, (b) a negative power supply glitch, (c) overpowering.[11]

[11] L. Zussa et al. "Analysis of the Fault Injection Mechanism Related to Negative and Positive Power Supply Glitches Using an On-Chip Voltmeter". In: HOST. 2014.

# Voltage glitch: Fault model – binary level

#### **Binary level:** binary data is not updated, or only partially:

- Previous data may be kept in the registers:
  - fully
  - partially
- Because of precharge logic, data in the registers may be fully / partially:
  - set
  - reset
  - (consistent critical bits over multiple instructions)
- Because of microarchitectural features, some extra data may still be present:
  - skip with forwarding<sup>[12]</sup>

## Voltage glitch: Fault model – execution level

Mismatch between the width of a fetch and the length of an instruction (16-bit and 32-bit instructions in the same stream)<sup>[13]</sup>

#### Several fault models:

- Single instruction skip (Fig. 2.a)
- Double instruction skip (Fig. 2.b)
- Double instruction corruption (Fig. 3.a)
- New instruction execution (Fig. 3.b-c)

Fig. 2: Fetching aligned instructions.

Fig. 3: Fetching misaligned instructions: (a) the bottom half of a 32-bit instruction and the top half of another 32-bit instruction; (b) one 16-bit instruction and the top half of a 32-bit instruction; (c) the bottom half of a 32-bit instruction and one 16-bit instruction.
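These execution-level models can be explored without any hardware. The following is an added example written for this page (not code from the talk or from its references): a toy register machine runs a VerifyPIN-style comparison loop, and a single or double instruction skip is applied at a chosen dynamic instruction index, which plays the role of the glitch `delay` counted in instructions. Sweeping that index lists every injection time that authenticates a wrong PIN. The instruction set, the program and the PIN values are constructed for the example.

```python
"""Instruction-skip simulator on a VerifyPIN-like loop (added example)."""

# Constructed toy program: compare 4 PIN digits, OR the differences into `diff`
# and only set `auth` when `diff` is zero. Tuples are (opcode, operands...).
VERIFY_PIN = [
    ("mov", "auth", 0),
    ("mov", "diff", 0),
    ("mov", "i", 0),
    ("ldp", "a", "i"),            # a = pin[i]
    ("ldg", "b", "i"),            # b = guess[i]
    ("xor", "t", "a", "b"),       # t = a ^ b
    ("or", "diff", "diff", "t"),  # diff |= t
    ("add", "i", "i", 1),
    ("blt", "i", 4, 3),           # loop back to index 3 while i < 4
    ("bnz", "diff", 11),          # diff != 0 -> jump to halt (fail)
    ("mov", "auth", 1),           # success
    ("halt",),
]
PIN = [1, 2, 3, 4]                # constructed secret PIN
WRONG_GUESS = [1, 2, 3, 9]        # wrong in the last digit only


def run(program, pin, guess, skip=(), max_steps=200):
    """Execute `program`. Instructions whose dynamic index (execution count)
    is in `skip` are fetched but not executed, i.e. the glitch turned them into
    NOPs. Returns the final value of `auth`."""
    regs = {"auth": 0, "diff": 0, "i": 0, "a": 0, "b": 0, "t": 0}
    pc = step = 0
    while pc < len(program) and step < max_steps:
        ins = program[pc]
        step += 1
        if (step - 1) in skip:    # skipped instruction behaves like a NOP
            pc += 1
            continue
        op = ins[0]
        if op == "mov":
            regs[ins[1]] = ins[2]
        elif op == "ldp":
            regs[ins[1]] = pin[regs[ins[2]]]
        elif op == "ldg":
            regs[ins[1]] = guess[regs[ins[2]]]
        elif op == "xor":
            regs[ins[1]] = regs[ins[2]] ^ regs[ins[3]]
        elif op == "or":
            regs[ins[1]] = regs[ins[2]] | regs[ins[3]]
        elif op == "add":
            regs[ins[1]] = regs[ins[2]] + ins[3]
        elif op == "blt":
            if regs[ins[1]] < ins[2]:
                pc = ins[3]
                continue
        elif op == "bnz":
            if regs[ins[1]] != 0:
                pc = ins[2]
                continue
        elif op == "halt":
            break
        pc += 1
    return regs["auth"]


def successful_skips(program, pin, guess, width=1, max_steps=200):
    """Sweep the injection time: every dynamic index n such that skipping
    `width` consecutive instructions starting at n authenticates a wrong guess."""
    assert run(program, pin, guess) == 0, "guess must be wrong without faults"
    return [n for n in range(max_steps)
            if run(program, pin, guess, skip=set(range(n, n + width))) == 1]


if __name__ == "__main__":
    print("single skips:", successful_skips(VERIFY_PIN, PIN, WRONG_GUESS))
    print("double skips:", successful_skips(VERIFY_PIN, PIN, WRONG_GUESS, width=2))
```

For this program a single skip succeeds at six dynamic indices: the loop branch on each of the first three iterations (the loop is left with `diff` still zero), the `xor` or the `or` of the iteration that processes the wrong digit, and the final `bnz`. The sweep is exactly what a glitch campaign does with its delay parameter, except that on a real target each index must be found among jittery, unsynchronized executions.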

#### Voltage glitch: Remarks

In practice, it might not be so easy:

- Internal voltage filtering / regulation
- Power management systems

# Techniques: Clock glitch

#### Clock glitch: Attacker model

**Hypothesis:** every electronic chip is clocked by an external clock signal:

- quartz
- PLL
- → Dedicated input pin / component on the board and input pin on the device.

An attacker can tamper with the clock of the device and perform:

- ✗ Clock cycle skipping
- ✓ Clock cycle shortening (a.k.a. clock glitches)

Only momentarily to inject the fault over a short period of time.

### Clock glitch: History

Plain overclocking is not usable: it is not precise enough to target a given instruction.

Solution<sup>[14][15]</sup>: target a single clock cycle.

- Delay the main clock by a percentage of the period.
- XOR it with the main clock and a trigger signal.
- "Easily" feasible with a standard delay-locked loop, found in most FPGAs.

#### Clock glitch: Experimental setup

An advanced function generator or... ChipWhisperer Lite:



#### Clock glitch: Parameters

- delay
- duration (of the glitch)
- shift (w.r.t. the closest clock rising edge)



- Hardware-dependent parameters:
  - shift
  - (duration)
- Program-dependent parameters:
  - delay

### Clock glitch: Fault model

Physical level: N/A

Digital level: timing constraints may be violated

**Binary & execution level:** same as for voltage glitches

#### Clock glitch: Remarks

In practice, it might not be so easy:

- Clock management systems (PLLs, DLLs, frequency scaling)
- Multiple clock domains

## Techniques: Electromagnetic

### Electromagnetic: Attacker model

An attacker can bring an injection probe sufficiently close to the chip package.

This hypothesis is much weaker than the previous ones:

- Voltage glitches: must reach the power supply
- Clock glitches: must reach the clock signal
- → Both fail if the signal is regenerated (regulated, PLL-multiplied) inside the chip; EM injection does not depend on it.

#### Electromagnetic: History

In 2002<sup>[16]</sup>: induce eddy currents inside the target chip by "wound a wire around a needle and connect it to the contacts of a camera flash gun without a bulb".

In 2007<sup>[17]</sup>: create sparks near the chip.



[17] J.-M. Schmidt et al. "Optical and EM Fault-Attacks on CRT-based RSA: Concrete Results". In: Austrian Workshop on Microelectronics. 2007.

#### Electromagnetic: History

Problem: both methods suffer from very large jitter. Fixed in 2012 by using a controllable pulse generator<sup>[18]</sup>



[18] A. Dehbaoui et al. "Electromagnetic Transient Faults Injection on a Hardware and a Software Implementations of AES". In: FDTC. 2012.

### Electromagnetic: Experimental setup – DIY







### Electromagnetic: Experimental setup - Commercial

Commercial setups exist too (e.g. by Langer<sup>[19]</sup> or NewAE<sup>[20]</sup>)





<sup>[19]</sup> https://www.langer-emv.de/en/category/fault-injection/116

#### Electromagnetic: Parameters

- Hardware-dependent parameters:
  - Probe position (x, y, z)
  - Probe design (geometry, number of turns, etc)
  - Rise/fall times
  - Pulse width
  - Pulse amplitude

- Program-dependent parameters:
  - delay

## Electromagnetic: Fault model - physical level

#### Physical level: several phenomena occur

- local voltage drop<sup>[21]</sup>
- voltage drop on the clock distribution network<sup>[22][23]</sup>
- alteration of the sampling capability of flip-flops<sup>[24][25]</sup>


<sup>[21]</sup> S. Ordas et al. "Evidence of a Larger EM-Induced Fault Model". In: CARDIS. 2015.

<sup>[22]</sup> M. Ghodrati et al. "Inducing Local Timing Fault through EM Injection". In: DAC. 2018.

<sup>[23]</sup> R. Nabhan et al. "A Tale of Two Models: Discussing the Timing and Sampling EM Fault Injection Models". In: FDTC. 2023.

<sup>[24]</sup> S. Ordas et al. "Electromagnetic Fault Injection: The Curse of Flip-Flops". In: Journal of Cryptographic Engineering (2017).

<sup>[25]</sup> S. Ordas et al. "Evidence of a Larger EM-Induced Fault Model". In: CARDIS. 2015.

### Electromagnetic: Fault model – digital level

#### Digital level: several fault models coexist

- timing faults: timing constraints are violated on the critical path
- reset signal assertion on D flip-flops<sup>[26]</sup>
- sampling faults: error in a sampling window around the clock edge<sup>[27]</sup>

### Electromagnetic: Fault model – binary & execution level

Progressive **bit-set** on data and instructions fetched from Flash memory<sup>[28]</sup>:

- Instruction corruption
- Data corruption

| Pulse voltage | Loaded value (expected 1234 5678) | Occurrence rate |
|---------------|-----------------------------------|-----------------|
| 170 V         | 1234 5678 (no fault)              | 100 %           |
| 172 V         | 1234 5678 (no fault)              | 100 %           |
| 174 V         | 9234 5678                         | 73 %            |
| 176 V         | FE34 5678                         | 30 %            |
| 178 V         | FFF4 5678                         | 53 %            |
| 180 V         | FFFD 5678                         | 50 %            |
| 182 V         | FFFF 7F78                         | 46 %            |
| 184 V         | FFFF FFFB                         | 40 %            |
| 186 V         | FFFF FFFF                         | 100 %           |
| 188 V         | FFFF FFFF                         | 100 %           |
| 190 V         | FFFF FFFF                         | 100 %           |

As the pulse amplitude increases, bits only ever go from 0 to 1, hence the bit-set model.

# Techniques: Laser



### Laser: History

Laser has been used (for a long time) to simulate the effect of radiations<sup>[29][30]</sup>.

Laser fault injection was introduced by Skorobogatov in 2002<sup>[31]</sup>: "We have carried them out using a flashgun bought second-hand from a camera store for \$30 and with an \$8 laser pointer".

<sup>[29]</sup> D. H. Habing. "The Use of Lasers to Simulate Radiation-Induced Transients in Semiconductor Devices and Circuits". In: IEEE Transactions on Nuclear Science (1965).
[30] A. Johnston. "Charge Generation and Collection in P-n Junctions Excited with Pulsed Infrared Lasers". In: IEEE Transactions on Nuclear Science (1993).

#### Laser: Attacker model

**Hypothesis:** every electronic device is made of silicon.

An attacker can access the backside of the device and shine a laser spot on it.

#### Sample preparation:

- mechanical polishing,
- chemical etching
  - hydrofluoric acid,
  - etc.



#### Custom board (photo not reproduced)



#### Laser: Experimental setup – laser source

Laser wavelength is related to the bandgap of the target material (1.12 eV for silicon)

A near-infrared laser source is needed:

- 980 nm
- 1064 nm

Major drawback: we (humans) cannot see it:

- need an IR camera for positioning,
- no blink (palpebral) reflex: eye safety hazard, protective goggles are required.



### Laser: Experimental setup – optical path



- Optical fibers guide the laser,
- Multiple objective lenses are available,
  - different laser spot sizes,
  - different absorption.
- The **device** moves (XYZ).

#### Laser: Experimental setup – commercial setups

S-LMS by ALPhANOV<sup>[33]</sup>

DS1101A by KEYSIGHT<sup>[34]</sup>

<sup>[33]</sup> https://www.alphanov.com/en/products-services/double-laser-fault-injection

<sup>[34]</sup> https://www.keysight.com/us/en/product/DS1101A/fault-injection-laser-system

#### Laser: Parameters

- x position on the die
- y position on the die
- duration
- power
- delay

#### Example:

- 25 mm<sup>2</sup> chip (5 mm × 5 mm)
- laser spot size: 5 µm
- 1 value of power
- 100 values of delay

(5 mm / 5 µm)<sup>2</sup> = 10<sup>6</sup> spot positions × 100 delays = 10<sup>8</sup> trials. At 10 trials per second → about 4 months.

#### Laser: Fault model - physical level

**Physical level:** photoelectric effect: photons are absorbed in the silicon and create electron-hole pairs.<sup>[35]</sup>

This requires a photon energy at least equal to the bandgap of the material:

- 1.12 eV for silicon
- $\lambda \lesssim 1100\,\mathrm{nm}$; near-infrared is used because silicon is still partly transparent there, so the light reaches the transistors from the backside.

#### Laser: Fault model – digital level : SRAM cells

**Digital level:** an electric current is created by the electric field found in PN junctions.

SRAM cells can be set or reset: sensitive areas are the drains of the OFF transistors<sup>[36]</sup>



### Laser: Fault model – digital level : D flip-flops

**Digital level:** an electric current is created by the electric field found in PN junctions.

D flip-flops follow a similar pattern<sup>[37]</sup>



<sup>[37]</sup> C. Champeix et al. "SEU Sensitivity and Modeling Using Pico-Second Pulsed Laser Stimulation of a D Flip-Flop in 40 Nm CMOS Technology". In: DFT. 2015

### Laser: Fault model – digital level : Flash memory cells

**Digital level:** an electric current is created by the electric field found in PN junctions.

Flash memory cells can behave as if the floating gate was not charged<sup>[38]</sup>

The other way around, at write time, is feasible too<sup>[39]</sup>



<sup>[38]</sup> B. Colombier et al. "Laser-Induced Single-bit Faults in Flash Memory: Instructions Corruption on a 32-Bit Microcontroller". In: HOST. 2019.

<sup>[39]</sup> R. Viera et al. "Permanent Laser Fault Injection into the Flash Memory of a Microcontroller". In: NEWCAS. 2021.

### Laser: Fault model – binary level

#### **Binary level:** data stored in D flip-flops and SRAM cells can be:

- set
- reset
- flipped

#### Data / instruction fetched from Flash memory can be:

- reset<sup>[40]</sup>
- set<sup>[41]</sup>

at a single-bit level, depending on the sense amplifier implementation.

<sup>[40]</sup> D. S. V. Kumar et al. "An In-Depth and Black-Box Characterization of the Effects of Laser Pulses on ATmega328P". In: CARDIS. 2019.

<sup>[41]</sup> B. Colombier et al. "Laser-Induced Single-bit Faults in Flash Memory: Instructions Corruption on a 32-Bit Microcontroller". In: HOST. 2019.

#### Laser: Fault model – execution level

**Execution level:** Single-bit set/reset on instruction or data from Flash



<sup>[42]</sup> D. S. V. Kumar et al. "An In-Depth and Black-Box Characterization of the Effects of Laser Pulses on ATmega328P". In: CARDIS. 2019.

<sup>[43]</sup> B. Colombier et al. "Laser-Induced Single-bit Faults in Flash Memory: Instructions Corruption on a 32-Bit Microcontroller". In: HOST. 2019.

# Techniques: Summary

| Technique      | Type   | Main fault model                   | Cost   |
|----------------|--------|------------------------------------|--------|
| Clock glitch   | global | Instruction skip                   | \$     |
| Voltage glitch | global | Instruction skip                   | \$     |
| EM             | local  | Instruction skip / data corruption | \$\$   |
| Laser          | local  | Single-bit bit-set                 | \$\$   |

# Techniques: The trigger

- **Big Question:** "When should the fault be injected"?
- → Inside the sensitive program!
- Big Question bis: "When does the sensitive program start (and stop)"?
- → Use a trigger signal 😉

Trigger signal generation:

- Use a dedicated pin: a 0 → 1 → 0 pulse (strong assumption...)
- Match data on a communication bus (UART, USB analyzer, ...)
  - plaintext,
  - key,
  - start command
- Match a pattern (approximately) on the power consumption side-channel.
  - sum-of-absolute-differences module in ChipWhisperer [44]
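As an added example (not code from the talk nor from the ChipWhisperer project), here is the sum-of-absolute-differences matching in plain Python, run offline on a constructed trace: a reference pattern is embedded in low-amplitude noise at a known sample, and the trigger fires at the first window whose SAD falls under a threshold. Sample values, pattern length and threshold are assumptions chosen for the example.

```python
"""Sum-of-absolute-differences trigger on a power trace (added example)."""
import random


def sad_curve(trace, pattern):
    """SAD between `pattern` and every window of `trace` of the same length."""
    m = len(pattern)
    return [sum(abs(trace[i + j] - pattern[j]) for j in range(m))
            for i in range(len(trace) - m + 1)]


def sad_trigger(trace, pattern, threshold):
    """Index of the first window whose SAD is <= threshold, i.e. the sample at
    which the trigger would fire, or None if the pattern never matches."""
    for i, s in enumerate(sad_curve(trace, pattern)):
        if s <= threshold:
            return i
    return None


def make_trace(seed=0, length=600, pattern_len=32, offset=300, noise=0.05):
    """Constructed sample data: uniform noise of amplitude `noise` with a
    sign-alternating reference pattern embedded at `offset`.
    Returns (trace, pattern)."""
    rng = random.Random(seed)
    pattern = [rng.choice((-1, 1)) * rng.uniform(0.5, 1.0) for _ in range(pattern_len)]
    trace = [rng.uniform(-noise, noise) for _ in range(length)]
    for j, v in enumerate(pattern):
        trace[offset + j] += v
    return trace, pattern


if __name__ == "__main__":
    trace, pattern = make_trace()
    print("trigger fires at sample", sad_trigger(trace, pattern, threshold=3.2))
```

The threshold has to sit between the SAD of the true match (bounded by the noise amplitude times the pattern length, here 32 × 0.05 = 1.6) and the SAD of every other window; on a real trace it is tuned on a few recorded executions, and the glitch delay is then counted from the sample this function returns.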

## Techniques: the ones that did not make it to this talk



- Temperature:
  - "a 50-watt spotlight bulb" [45]
- Body-bias<sup>[46]</sup>
- X-rays<sup>[47]</sup>
- FIB (Focused Ion Beam)

<sup>[45]</sup> S. Govindavajhala et al. "Using Memory Errors to Attack a Virtual Machine". In: SP. 2003.

<sup>[46]</sup> P. Maurine et al. "Yet Another Fault Injection Technique: By Forward Body Biasing Injection". In: YACC. 2012.

<sup>[47]</sup> S. Anceau et al. "Nanofocused X-Ray Beam to Reprogram Secure Circuits". In: CHES. 2017.


# Attacks: VerifyPIN

## Attacks on VerifyPIN:

Your turn

# Attacks: AES

### Attacks on AES: Reminder

```
Input: P (128-bit plaintext) and K (128-bit secret key)
K^1, ..., K^10 ← KeySchedule(K);
S ← P ⊕ K;
for r ∈ [1...10] do
    S ← SubBytes(S);
    S ← ShiftRows(S);
    if r ≠ 10 then
        S ← MixColumns(S);
    end
    S ← S ⊕ K^r;
end
C ← S;
return C
```

### Attacks on AES: Safe-error

Published in 2003<sup>[48]</sup>, relies on an asymmetric fault model.

Without loss of generality, let's consider a bit-set  $(0 \rightarrow 1)$  fault model.



Key bits are recovered one-by-one: 128 faulty ciphertexts are needed for AES-128

# Attacks on AES: Faulting the last AddRoundKey

```
Input: S (the AES state after a round) and K^r (128-bit round key)
for col ∈ [0...3] do
    for row ∈ [0...3] do
        S[4·col + row] ← S[4·col + row] ⊕ K^r[4·col + row]
    end
end
```

Bit-set on the loop counter increment constant (+1 → +5)<sup>[49]</sup> for early exit: only column 0 is XORed with the round key, so the correct and faulty ciphertexts differ exactly by $K^{10}$ on the three other columns:

$$C \oplus \tilde{C} = \begin{pmatrix} 0 & K^{10}_4 & K^{10}_8 & K^{10}_{12} \\ 0 & K^{10}_5 & K^{10}_9 & K^{10}_{13} \\ 0 & K^{10}_6 & K^{10}_{10} & K^{10}_{14} \\ 0 & K^{10}_7 & K^{10}_{11} & K^{10}_{15} \end{pmatrix}$$

<sup>[49]</sup> B. Colombier et al. "Laser-Induced Single-bit Faults in Flash Memory: Instructions Corruption on a 32-Bit Microcontroller". In: HOST. 2019.

## Attacks on AES: Round-modification (1)

Perform only one round of AES<sup>[50]</sup>:

$$\tilde{C} = MC(SR(SB(P \oplus K))) \oplus K^1$$

Let two faulty ciphertexts (no correct ciphertext required):

$$\tilde{C}^a = MC(SR(SB(P^a \oplus K))) \oplus K^1 \qquad \tilde{C}^b = MC(SR(SB(P^b \oplus K))) \oplus K^1$$

By XORing them together, $K^1$ cancels:

$$\tilde{C}^a \oplus \tilde{C}^b = MC(SR(SB(P^a \oplus K))) \oplus MC(SR(SB(P^b \oplus K)))$$

and since $MC$ is linear and $SR$ is a fixed byte permutation:

$$SR^{-1}(MC^{-1}(\tilde{C}^a \oplus \tilde{C}^b)) = SB(P^a \oplus K) \oplus SB(P^b \oplus K)$$

which holds byte by byte, i.e. for every key byte $K_i$ independently. For a given pair $(P^a_i, P^b_i)$ the equation $SB(P^a_i \oplus K_i) \oplus SB(P^b_i \oplus K_i) = \Delta_i$ typically has only two solutions: 2<sup>16</sup> candidates for the full key.

# Attacks on AES: Round-modification (2)

Skip the last full round (9) of AES<sup>[51]</sup>:

$$C = SR(SB(MC(SR(SB(S^8))) \oplus K^9)) \oplus K^{10}$$

$$\tilde{C} = SR(SB(S^8)) \oplus K^{10}$$

Combining them:

$$SB^{-1}(SR^{-1}(C \oplus K^{10})) = MC(\tilde{C} \oplus K^{10}) \oplus K^9$$

Repeating it for another (correct, faulty) pair and XORing with the previous equation, $K^9$ cancels:

$$SB^{-1}(SR^{-1}(C^a \oplus K^{10})) \oplus SB^{-1}(SR^{-1}(C^b \oplus K^{10})) = MC(\tilde{C}^a \oplus \tilde{C}^b)$$

Similarly, this holds only for two key byte values: 2<sup>16</sup> complexity for the full key.

# Attacks on AES: Differential fault analysis

**Differential fault analysis:** introduced in 1997<sup>[52]</sup> on DES, adapted to AES in 2003/2004<sup>[53][54]</sup>.

Fault model: **single-bit bit-flip** at the end of the 9th round.

<sup>[52]</sup> E. Biham et al. "Differential Fault Analysis of Secret Key Cryptosystems". In: Annual International Cryptology Conference. 1997.

<sup>[53]</sup> G. Piret et al. "A Differential Fault Attack Technique against SPN Structures, with Application to the AES and Khazad". In: CHES. 2003.

<sup>[54]</sup> C. Giraud. "DFA on AES". In: International Conference on Advanced Encryption Standard. 2004.



Ciphertext byte:

$$C_i = SR(SB(M_i^9)) \oplus K_i^{10}$$

Faulty ciphertext byte, with a single-bit error $e_i$ on $M_i^9$:

$$\tilde{C}_i = SR(SB(M_i^9 \oplus e_i)) \oplus K_i^{10}$$

XORing both removes the key byte (ShiftRows only moves the byte, so it drops out byte-wise):

$$C_i \oplus \tilde{C}_i = SB(M_i^9) \oplus SB(M_i^9 \oplus e_i) \qquad (1)$$

Candidate scoring for byte $i$:

```
for M ∈ [0...255] do
    for e ∈ {1, 2, 4, ..., 128} do
        if SB(M) ⊕ SB(M ⊕ e) = C_i ⊕ C̃_i then score[M] ← score[M] + 1
    end
end
return the M_i^9 value with the highest score
```

#### **Next steps:**

- Recover all 16 bytes $M^9_{i \in [0...15]}$ (take ShiftRows into account for the other rows)
  - Possibly simultaneously (independence)
- Use $C_i = SR(SB(M_i^9)) \oplus K_i^{10}$ to recover $K_i^{10}$
- Reverse the AES key schedule to recover the secret key $K$.

#### Success rate:

- After 1 fault: the number of possible values for  $M_i^9$  drops from 256 to 14 at most
- After 2 faults: 50 % chances to get a single  $M_i^9$
- After 3 faults: 97 % chances to get a single  $M_i^9$

#### Attack feasibility:

- Encrypt the same plaintext *n* times, one correct and *n*−1 faulty
- Single-bit bit-flip fault
- Random position in the byte
- Successful injection is easy to detect
- **Time** is on your side
  - "using a microscope, a modified camera flash and a computer" [55]
  - continuous underpowering<sup>[56]</sup>

**Improvement:** roll back further (end of the 8<sup>th</sup> round) to attack 4 bytes at a time<sup>[57]</sup>.



Can go even further<sup>[58]</sup> (beginning of 8<sup>th</sup> round) at the cost of more hypotheses (2<sup>32</sup>)

<sup>[57]</sup> C. Giraud. "DFA on AES". In: International Conference on Advanced Encryption Standard. 2004.

<sup>[58]</sup> M. Tunstall et al. "Differential Fault Analysis of the Advanced Encryption Standard Using a Single Fault". In: WISTP. 2011.
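The byte-wise relations behind the safe-error attack, the last-AddRoundKey early exit, the round-modification attacks and Giraud's DFA above can all be checked on a single byte, since ShiftRows only moves bytes around. The block below is an added example written for this page, not code from the talk or from the cited papers: it regenerates the AES S-box, then simulates on constructed values (no full AES encryption is run) the safe-error bit-set read-out, the +1 → +5 loop fault that leaks twelve bytes of $K^{10}$ as $C \oplus \tilde{C}$, the two-solution S-box differential equation of the round-modification attacks, and the DFA candidate filtering of equation (1) over the eight single-bit errors. Candidate sets are intersected across faults instead of scored, which is equivalent as long as every injection matches the fault model.

```python
"""Byte-level AES fault-analysis toys (added example, not the talk's code).

Everything is simulated on one state byte: each relation used is byte-wise
(ShiftRows only relocates bytes), so no full AES encryption is needed.
"""
import random


def _gen_sbox():
    """Rijndael S-box: GF(2^8) inverse then affine map, via the usual walk that
    keeps p * q == 1 (p is multiplied by 3, q divided by 3, at each step)."""
    sbox = [0] * 256
    p = q = 1
    rotl8 = lambda x, s: ((x << s) | (x >> (8 - s))) & 0xFF
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        q ^= q << 1
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # 0 has no inverse
    return sbox


SBOX = _gen_sbox()
SINGLE_BIT = [1 << j for j in range(8)]


def last_round_byte(m9, k10_byte):
    """C_i = SB(M^9_i) ^ K^10_i for one byte."""
    return SBOX[m9] ^ k10_byte


def safe_error_key_byte(m9, k10_byte):
    """Bit-set fault on each bit of the round-key byte: an unchanged ciphertext
    means that bit was already 1 (8 faulty encryptions per key byte)."""
    correct = last_round_byte(m9, k10_byte)
    k = 0
    for bit in SINGLE_BIT:
        if last_round_byte(m9, k10_byte | bit) == correct:
            k |= bit
    return k


def faulted_last_add_round_key(state, k10, step=1):
    """Column loop of the last AddRoundKey with its increment constant faulted
    +1 -> +step (step=1 is the correct computation)."""
    out = list(state)
    col = 0
    while col < 4:
        for row in range(4):
            out[4 * col + row] ^= k10[4 * col + row]
        col += step
    return out


def k10_from_early_exit(correct_c, faulty_c, step=5):
    """Columns the faulted loop never visited were output unkeyed (C~_i = S_i),
    so K^10_i = C_i ^ C~_i for every byte i of those columns."""
    visited = set(range(0, 4, step))
    return {i: correct_c[i] ^ faulty_c[i] for i in range(16) if i // 4 not in visited}


def key_candidates_from_sbox_diff(a, b, delta):
    """All k with SB(a^k) ^ SB(b^k) == delta (one-round / skipped-round attacks).
    For a != b the solutions pair up as {k, k^a^b}; 4-uniformity bounds them by 4."""
    return [k for k in range(256) if SBOX[a ^ k] ^ SBOX[b ^ k] == delta]


def dfa_candidates(correct, faulty, prior=None):
    """Keep every M^9 for which some single-bit e explains C ^ C~ (equation (1));
    intersecting with `prior` accumulates several faults."""
    d = correct ^ faulty
    pool = range(256) if prior is None else prior
    return {m for m in pool if any(SBOX[m] ^ SBOX[m ^ e] == d for e in SINGLE_BIT)}


def dfa_simulate(m9, k10_byte, n_faults, seed=0):
    """Same plaintext: one correct encryption plus n_faults with a random
    single-bit flip on M^9. Returns the surviving M^9 candidates."""
    rng = random.Random(seed)
    correct = last_round_byte(m9, k10_byte)
    cands = None
    for _ in range(n_faults):
        faulty = last_round_byte(m9 ^ rng.choice(SINGLE_BIT), k10_byte)
        cands = dfa_candidates(correct, faulty, cands)
    return cands


if __name__ == "__main__":
    print("safe-error recovers", hex(safe_error_key_byte(0x5A, 0x3C)))
    state, k10 = list(range(16)), [(17 * i + 3) & 0xFF for i in range(16)]
    c, c_f = faulted_last_add_round_key(state, k10), faulted_last_add_round_key(state, k10, 5)
    print("early exit leaks", len(k10_from_early_exit(c, c_f)), "bytes of K^10")
    d = SBOX[0x32 ^ 0x2B] ^ SBOX[0x88 ^ 0x2B]
    print("S-box differential candidates:", key_candidates_from_sbox_diff(0x32, 0x88, d))
    for n in (1, 2, 3):
        print(n, "fault(s):", len(dfa_simulate(0x5A, 0x3C, n, seed=n)), "M^9 candidates")
```

Run as a script it prints the safe-error read-out, the twelve $K^{10}$ bytes leaked by the early exit, the candidates of the S-box differential (always the pair $\{k, k \oplus a \oplus b\}$, occasionally four values) and how the DFA candidate set shrinks with one, two and three faults. Once $M_i^9$ is known, $K_i^{10} = C_i \oplus SB(M_i^9)$ and the key schedule is inverted as described above.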

# Attacks on AES: Fault sensitivity analysis

Fault sensitivity analysis<sup>[59]</sup> requires no faulty ciphertexts, only faulty behaviours.

#### **Hypotheses:**

- device behaviour is data-dependent
  - delay, etc.
- therefore, fault sensitivity is data-dependent
  - Hamming weight sensitivity

Idea: perform a correlation power analysis on the fault sensitivity information.

## Attacks on AES: Statistical fault analysis

Statistical fault analysis<sup>[60]</sup> requires no correct ciphertexts, only faulty ones.

#### **Hypotheses:**

- the fault model is biased:
  - "stuck at" fault model

**Idea:** make hypotheses on the key byte and compute a distinguisher for the faulty intermediate value:

- maximum likelihood (assuming the fault distribution is perfectly known)
- mean Hamming weight bias
- distance to the uniform distribution

## Attacks on AES: Persistent fault analysis

**Persistent fault:** persists until the next reboot<sup>[61]</sup>

Fault injection in the S-box so that it is no longer a bijection: one output value $SB_{min}$ is never produced → bias

1. Record ciphertexts and observe which ciphertext byte value is never present ($c_{min}$)
2. Recover the key byte: $k_i = SB_{min} \oplus c_{min}$ after roughly 1.5k ciphertexts (coupon-collector argument: observing all 255 reachable values takes about $255 \cdot H_{255} \approx 1.6 \cdot 10^3$ queries on average)

## Attacks on AES: Persistent fault analysis in practice

In practice, a persistent fault can be injected by multiple means:

- Faulting data in RAM
  - Rowhammer<sup>[62]</sup>
  - laser<sup>[63]</sup>
- Removing charges from the floating gate in Flash memory cells:
  - laser: local heating<sup>[64]</sup>
  - X-rays: charges creation  $\rightarrow V_{th}$  shift<sup>[65]</sup>

<sup>[62]</sup> F. Zhang et al. "Persistent Fault Analysis on Block Ciphers". In: TCHES (2018).

<sup>[63]</sup> F. Zhang et al. "Persistent Fault Attack in Practice". In: TCHES (2020).
[64] P. Grandamme et al. "Switching Off Your Device Does Not Protect Against Fault Attacks". In: TCHES (2024).

<sup>[65]</sup> P. Grandamme et al. "X-Ray Fault Injection in Non-Volatile Memories on Power OFF Devices". In: PAINE. 2023.

# Attacks: Post-quantum cryptography

# Attacks on PQC: Fujisaki-Okamoto transform

The Fujisaki-Okamoto transform<sup>[66]</sup> is used to prevent chosen-ciphertext attacks.

After decryption, encrypt again and check for a match.

Widely used, widely attackable by skipping the equality test<sup>[67]</sup>.


## Attacks on PQC: Classic McEliece

#### Classic McEliece<sup>[68]</sup> is a **Key Encapsulation Mechanism**

- KeyGen()  $\rightarrow$  ( $\mathbf{H}_{\text{pub}}$ ,  $\mathbf{k}_{\text{priv}}$ )
- Encaps( $\mathbf{H}_{\text{pub}}$ )  $\rightarrow$  ( $\mathbf{s}$ ,  $k_{\text{session}}$ )
- Decaps( $\mathbf{s}$ ,  $k_{priv}$ )  $\rightarrow$  ( $k_{session}$ )

Encaps (Niederreiter encryption<sup>[69]</sup>) encapsulates a secret value to be shared:

- Generate a random vector $\mathbf{e} \in \mathbb{F}_2^n$ of Hamming weight $t$ ($(n, t)$: security parameters)
- Compute $\mathbf{s} = \mathbf{H}_{\text{pub}}\mathbf{e}$
- Compute the hash: $k_{session} = H(1, \mathbf{e}, \mathbf{s})$

<sup>[68]</sup> M. R. Albrecht et al. Classic McEliece: Conservative Code-Based Cryptography. 2022.

<sup>[69]</sup> H. Niederreiter. "Knapsack-Type Cryptosystems and Algebraic Coding Theory". In: Problems of Control and Information Theory (1986).


## Attacks on PQC: Classic McEliece – parameters



| n    | k    | t   | Security level |
|------|------|-----|----------------|
| 3488 | 2720 | 64  | 128            |
| 4608 | 3360 | 96  | 196            |
| 6688 | 5024 | 128 | 256            |
| 6960 | 5413 | 119 | 256            |
| 8192 | 6528 | 128 | 256            |

## Attacks on PQC: Classic McEliece - Matrix-vector mult.

The  $\mathbf{s} = \mathbf{H}_{\text{pub}}\mathbf{e}$  multiplication is performed over  $\mathbb{F}_2$ .

```
Input: H, e                          // H has n-k rows and n columns, e has n bits
s = [0, ..., 0]                      // n-k accumulators
for r in [0 ... n-k-1] do
    for c in [0 ... n-1] do
        s[r] ^= H[r][c] & e[c]       // AND then XOR: accumulation over F2
    end
end
return s
```


## Attacks on PQC: Classic McEliece – Matrix-vector mult.

Targeting the XOR operation, considering the Thumb instruction set.

| bits                       | 15 | 14 | 13 | 12 | 11 | 10 | 9 | 8 | 7 | 6 | 5  | 4 | 3 | 2   | 1 | 0 |
|----------------------------|----|----|----|----|----|----|---|---|---|---|----|---|---|-----|---|---|
| EORS: $Rd = Rm \oplus Rn$  | 0  | 1  | 0  | 0  | 0  | 0  | 0 | 0 | 0 | 1 | Rm |   |   | Rdn |   |   |
| EORS: $R1 = R0 \oplus R1$  | 0  | 1  | 0  | 0  | 0  | 0  | 0 | 0 | 0 | 1 | 0  | 0 | 0 | 0   | 0 | 1 |

Laser fault injection in flash memory: mono-bit, bit-set fault model<sup>[70][71]</sup>.

<sup>[70]</sup> B. Colombier et al. "Laser-Induced Single-bit Faults in Flash Memory: Instructions Corruption on a 32-Bit Microcontroller". In: HOST, 2019.

<sup>[71]</sup> A. Menu et al. "Single-Bit Laser Fault Model in NOR Flash Memories: Analysis and Exploitation". In: FDTC. 2020.

# Attacks on PQC: Classic McEliece - ILP

Consider  $\mathbf{H}_{\text{pub}}\mathbf{e} = \mathbf{s}$  as an optimization problem and solve it.

## Integer syndrome decoding problem (N-SDP)

Input: a matrix  $\mathbf{H}_{\text{pub}} \in \mathcal{M}_{n-k,n}(\mathbb{N})$  with  $h_{i,j} \in \{0,1\}$  for all  $i,j$ , a vector  $\mathbf{s} \in \mathbb{N}^{n-k}$  and a scalar  $t \in \mathbb{N}^+$

Output: a vector  $\mathbf{e} \in \mathbb{N}^n$  with  $e_i \in \{0, 1\}$  for all  $i$  and Hamming weight  $HW(\mathbf{e}) \leq t$  such that  $\mathbf{H}_{\text{pub}}\mathbf{e} = \mathbf{s}$

## ILP problem

Let  $\mathbf{b} \in \mathbb{N}^n$ ,  $\mathbf{c} \in \mathbb{N}^m$  and  $\mathbf{A} \in \mathcal{M}_{m,n}(\mathbb{N})$ :

$$\min\{\mathbf{b}^{\mathsf{T}}\mathbf{x} \mid \mathbf{A}\mathbf{x} = \mathbf{c},\ \mathbf{x} \in \mathbb{N}^n,\ \mathbf{x} \geq 0\} \quad \text{with } \mathbf{b} = (1, 1, \ldots, 1) \text{ and } \mathbf{x} \in \{0,1\}^n$$

For the N-SDP above,  $\mathbf{A} = \mathbf{H}_{\text{pub}}$ ,  $\mathbf{c} = \mathbf{s}$  and  $\mathbf{x} = \mathbf{e}$ .

Solved by integer linear programming (e.g. `scipy.optimize.linprog`)
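As an added worked example (not code from the slides), this toy-sized Python runs the matrix-vector loop from the earlier slide both as written (XOR, over $\mathbb{F}_2$) and with the XOR behaving as an integer addition, which is exactly what turns the hard $\mathbb{F}_2$ syndrome decoding problem into the N-SDP stated here; it then solves that N-SDP exactly with a small branch-and-bound that stands in for the ILP solver. The public key, error vector and parameters ($n = 10$, $n-k = 6$, $t = 2$) are constructed, and since $k_{\text{session}} = H(1, \mathbf{e}, \mathbf{s})$ needs nothing beyond $\mathbf{e}$ and the public $\mathbf{s}$, recovering $\mathbf{e}$ is what makes a single corrupted XOR security-relevant for an evaluator.

```python
# Added example (not from the slides); see the lead-in above for assumptions.

# Constructed toy public key H_pub = [I | T] (n-k = 6, n = 10, t = 2), built so
# that every error vector of weight <= t has a distinct integer syndrome.
H_PUB = [[1, 0, 0, 0, 0, 0, 1, 1, 0, 0],
         [0, 1, 0, 0, 0, 0, 1, 0, 1, 0],
         [0, 0, 1, 0, 0, 0, 1, 0, 0, 1],
         [0, 0, 0, 1, 0, 0, 0, 1, 1, 0],
         [0, 0, 0, 0, 1, 0, 0, 1, 0, 1],
         [0, 0, 0, 0, 0, 1, 0, 0, 1, 1]]
T = 2

def syndrome(H, e, faulted=False):
    """s = H e with the slides' loop: XOR accumulation, i.e. over F2.
    faulted=True models the corrupted XOR instruction acting as an integer
    add, so the same loop returns H e over N (the integer syndrome)."""
    s = [0] * len(H)
    for r in range(len(H)):
        for c in range(len(e)):
            if faulted:
                s[r] += H[r][c] & e[c]
            else:
                s[r] ^= H[r][c] & e[c]
    return s

def solve_nsdp(H, s, t):
    """Exact branch-and-bound for the N-SDP (binary e, HW(e) <= t, H e = s over
    the integers); a pure-Python stand-in for the ILP solver named on the slides.
    Returns the error vector, or None when no vector of weight <= t fits."""
    n, e, rem = len(H[0]), [0] * len(H[0]), list(s)

    def rec(j, weight):
        if all(v == 0 for v in rem):
            return e[:]
        # prune: weight budget spent, negative residual, or a row that the
        # still-undecided columns j..n-1 can no longer reach
        if j == n or weight == t or any(
                v < 0 or v > sum(row[j:]) for v, row in zip(rem, H)):
            return None
        e[j] = 1                              # branch e[j] = 1 first ...
        for r, row in enumerate(H):
            rem[r] -= row[j]
        found = rec(j + 1, weight + 1)
        e[j] = 0                              # ... then undo and try e[j] = 0
        for r, row in enumerate(H):
            rem[r] += row[j]
        return found if found is not None else rec(j + 1, weight)

    return rec(0, 0)
```

Rows with an integer syndrome entry of 0 immediately force every column that touches them to 0, which is the kind of constraint the $\mathbb{F}_2$ syndrome never gives and the reason the faulted computation is so much weaker.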


# Attacks on PQC: Classic McEliece – summary



# Attacks: Secure boot

## Attacks on Secure boot

**Secure boot:** verification of the authenticity of a boot image.

**Authenticity:** hash the image and compare with a reference.

The hash comparison is performed, and `auth = 1` if they match<sup>[72]</sup>.

Skipping the branching instruction allows a modified image to be loaded.

### Challenges:

- Complex hardware target
- Complex software target

# Agenda

- 1 History
- 2 Techniques
- 3 Attacks
- 4 Countermeasures
- 5 Perspectives
- 6 Conclusion

## Countermeasures

Countermeasures aim at preventing faults and/or attacks by:

- **neutralizing** the effect
  - → normal behaviour
- **spreading** the effect
  - → unexploitable behaviour
- **hiding** the effect
  - → no behaviour

A countermeasure has an effect at a given level of abstraction in the fault model.



# Countermeasures coming from reliability

"many techniques of reliability have been ported as such to security applications. Nonetheless the objectives of reliability and security do differ"<sup>[73]</sup>

#### If an error/fault occurs:

Reliability: detect the error and act accordingly

- raise an alarm, fallback to emergency mode, etc.
- recover

Security: "the computation result, if erroneous, carries no information about secret involved"

- seems very restrictive
- does not need to preserve correct behaviour
- actually an alarm could be exploited (safe-error context)

# Countermeasures: physical level

Physical-level countermeasures modify the integrated circuit or its package.

- Make the attack harder (integrity check, fault detection)
  - Add a metallic shield inside the device<sup>[74]</sup>
  - Add a metallic shield on top of the device<sup>[75]</sup>
- Detect the physical phenomenon
  - bulk current with a Bulk Built-In Current Sensor (BBICS)<sup>[76]</sup>
  - electromagnetic field with LC oscillators<sup>[77]</sup>
  - voltage drop<sup>[78]</sup>

<sup>[74]</sup> S. Briais et al. "Random Active Shield". In: FDTC. 2012.

<sup>[75]</sup> C. Gaine et al. "Active Shielding Against Physical Attacks by Observation and Fault Injection: ChaXa". In: JHSS (2023).

<sup>[76]</sup> R. P. Bastos et al. "A Bulk Built-in Sensor for Detection of Fault Attacks". In: HOST. 2013.

<sup>[77]</sup> N. Homma et al. "Design Methodology and Validity Verification for a Reactive Countermeasure Against EM Attacks". In: Journal of Cryptology (2017).

<sup>[78]</sup> L. Zussa et al. "Analysis of the Fault Injection Mechanism Related to Negative and Positive Power Supply Glitches Using an On-Chip Voltmeter". In: HOST. 2014.

# Countermeasures: digital level

Digital-level countermeasures modify the way logic gates interact.

- Specific logic styles (dual-rail with precharge, etc)<sup>[79][80]</sup>
- Digital sensors:
  - Sampling faults against EM fault injection<sup>[81]</sup>
  - IR drop against laser fault injection<sup>[82]</sup>

<sup>[79]</sup> K. Tiri et al. "A Logic Level Design Methodology for a Secure DPA Resistant ASIC or FPGA Implementation". In: DATE. 2004.

<sup>[80]</sup> S. Guilley et al. "Fault Injection Resilience". In: FDTC. 2010.

<sup>[81]</sup> D. El-Baze et al. "A Fully-Digital EM Pulse Detector". In: DATE, 2016.

<sup>[82]</sup> M. Ebrahimabadi et al. "DELFINES: Detecting Laser Fault Injection Attacks via Digital Sensors". In: TCAD (2024).

# Countermeasures: binary level

#### Binary-level countermeasures make sure 0s and 1s are correct:

- Error-detection/correction codes
  - Parity bits<sup>[83]</sup>
  - Codes<sup>[84]</sup>
- Hashes<sup>[85]</sup>

Often not enough, especially against instruction skips.

<sup>[83]</sup> G. Bertoni et al. "Error Analysis and Detection Procedures for a Hardware Implementation of the Advanced Encryption Standard". In: IEEE Transactions on Computers (2003).

<sup>[84]</sup> M. Karpovsky et al. "Robust Protection against Fault-Injection Attacks on Smart Cards Implementing the Advanced Encryption Standard". In: DSN, 2004.

<sup>[85]</sup> J.-L. Danger et al. "CCFI-Cache: A Transparent and Flexible Hardware Protection for Code and Control-Flow Integrity". In: DSD. 2018.

## Countermeasures: execution level

Execution-level countermeasures check that the program execution is correct.

#### Code and Control flow integrity: security properties

- Code integrity
- Code authenticity
- Control flow integrity
- Control signals integrity

Add metadata alongside the instructions<sup>[86][87]</sup>

Hardware + software (compiler) support is the key: many RISC-V based proposals.

Extra properties can be added: code confidentiality, data confidentiality, etc

<sup>[86]</sup> O. Savry et al. "Confidaent: Control Flow Protection with Instruction and Data Authenticated Encryption". In: DSD. 2020.

<sup>[87]</sup> T. Chamelot et al. "MAFIA: Protecting the Microarchitecture of Embedded Systems Against Fault Injection Attacks". In: TCAD (2023).

# Countermeasures: application level

Application-level countermeasures involve dealing with the algorithm:

- Encrypt+decrypt to check for correctness (cf. FO transform)
- Make the ciphertext impossible to exploit (infective countermeasures)<sup>[88][89]</sup>

<sup>[88]</sup> B. Gierlichs et al. "Infective Computation and Dummy Rounds: Fault Protection for Block Ciphers without Check-before-Output". In: LATINCRYPT. 2012.

<sup>[89]</sup> S. Patranabis et al. "Fault Tolerant Infective Countermeasure for AES". In: SPACE. 2015.

# Countermeasures: perspectives

#### Combined countermeasures against SCA and FIA:

- Merge masking and error detection<sup>[90]</sup>
- Combined attacks exist too!

Countermeasures against fault injection can help side-channel analysis<sup>[91]</sup>.

#### Countermeasures can be attacked too:

- Do not assume that the countermeasure part is protected
- Use randomness to make analysis harder<sup>[92]</sup>

<sup>[90]</sup> T. Schneider et al. "ParTI – Towards Combined Hardware Countermeasures Against Side-Channel and Fault-Injection Attacks".

<sup>[91]</sup> L. Cojocar et al. "Instruction Duplication: Leaky and Not Too Fault-Tolerant!" In: CARDIS. 2018.

<sup>[92]</sup> V. Lomné et al. "On the Need of Randomness in Fault Attack Countermeasures - Application to AES". In: FDTC. 2012.

# Agenda

- 1 History
- 2 Techniques
- 3 Attacks
- 4 Countermeasures
- 5 Perspectives
- 6 Conclusion

#### **Perspective #1** Fault injection attacks are marginal:

- Software attacks are still the vast majority
- Physical access to the device is very restrictive

#### However...

- Computing devices are more and more physically accessible
- More and more sensitive data is being handled by them
- Attack equipment can be expensive (but it is getting cheaper)

#### **Perspective #2** no countermeasure is perfect:

- they all come at a cost
  - area / logic resources
  - execution time
- no silver bullet
- they can be attacked too<sup>[93]</sup>

#### **Perspective #3** Other targets exist (besides crypto):

- neural networks<sup>[94][95]</sup>: misclassification, interesting fault models (memory effect)
- analog parts (RO<sup>[96]</sup>, PLL<sup>[97]</sup>, etc)
- random number generators<sup>[98][99]</sup>
- anything that is part of the security system / handling sensitive data

#### Domain knowledge is the key to efficient attacks.

<sup>[94]</sup> J. Breier et al. "Practical Fault Attack on Deep Neural Networks". In: CCS. 2018.

<sup>[95]</sup> C. Gaine et al. "Fault Injection on Embedded Neural Networks: Impact of a Single Instruction Skip". In: DSD. 2023.

<sup>[96]</sup> P. Bayon et al. "Contactless Electromagnetic Active Attack on Ring Oscillator Based True Random Number Generator". In:

<sup>[97]</sup> L. Dubois et al. "PLL Over-Clocking Through Repeated Fault Injections". In: IOLTS. 2025.

<sup>[98]</sup> A. T. Markettos et al. "The Frequency Injection Attack on Ring-Oscillator-Based True Random Number Generators". In: CHES.

<sup>[99]</sup> M. Madau et al. "The Impact of Pulsed Electromagnetic Fault Injection on True Random Number Generators". In: FDTC. 2018.

#### **Perspective #4** The physical access requirement may not be relevant after all<sup>[100]</sup>:

- Rowhammer<sup>[101]</sup>
- Heat generators in FPGAs<sup>[102]</sup>
- Reliability/performance interfaces in complex systems
  - Delay lines calibration<sup>[103]</sup>
  - Processor frequency and voltage<sup>[104]</sup>

<sup>[100]</sup> A. M. Shuvo et al. A Comprehensive Survey on Non-Invasive Fault Injection Attacks. 2023. URL: https://eprint.iacr.org/2023/1769 (visited on 10/29/2025). Pre-published.

<sup>[101]</sup> Y. Kim et al. "Flipping Bits in Memory without Accessing Them: An Experimental Study of DRAM Disturbance Errors". In: ISCA. 2014.

<sup>[102]</sup> M. Happe et al. "Eight Ways to Put Your FPGA on Fire — A Systematic Study of Heat Generators". In: ReConFig. 2012.

<sup>[103]</sup> J. Gravellier et al. "FaultLine: Software-Based Fault Injection on Memory Transfers". In: HOST. 2021.

<sup>[104]</sup> K. Murdock et al. "Plundervolt: Software-based Fault Injection Attacks against Intel SGX". In: IEEE Symposium on Security and Privacy. 2020.

#### **Perspective #5** The evaluation should be done as early as possible (pre-silicon):

- Formal verification to the rescue
- Large blocks can be efficiently checked<sup>[105]</sup>:
  - 3 faults on AES
  - bit-flip on the OpenTitan<sup>[106]</sup> secure element

# Agenda

- 1 History
- 2 Techniques
- 3 Attacks
- 4 Countermeasures
- 5 Perspectives
- 6 Conclusion

## Conclusion

### Conferences / journals / workshops to follow:

- FDTC (Workshop on Fault Detection and Tolerance in Cryptography)<sup>[107]</sup>
- TCHES (IACR Transactions on Cryptographic Hardware and Embedded Systems)<sup>[108]</sup>
- JAIF (Journée thématique sur les attaques par injection de fautes)<sup>[109]</sup>

<sup>[107]</sup> https://fdtc-workshop.eu/FDTC/

<sup>[108]</sup> https://tches.iacr.org/

# – Questions? –

How could that apply to your research topic?