
Differential Fault Analysis

Final Report

Jörn-Marc Schmidt
June 16, 2008

joern-marc.schmidt@iaik.tugraz.at
Abstract

This report presents the results of the Differential Fault Analysis (DFA) Project. The project was funded by Secure Business Austria (SBA) and A-SIT. Its objective was to perform basic steps in the field of fault injection. The effect of faults was investigated in theory as well as in practice. The first part of this report concentrates on theoretical fault models. New fault attacks on public key cryptography are presented.

The second part deals with practical fault injection. Methods to inject faults can be divided into three different groups: non-invasive, semi-invasive and invasive attacks. This report focuses on semi-invasive methods. Therefore, as a first step the decapsulation of packages is shown. The second step is to inject faults using laser diodes and electromagnetic fields. It is demonstrated that fault injection is possible with low cost equipment.

Contents

1 Introduction
1.1 Results
1.2 Structure of this Report
2 Faults and Their Impacts
2.1 Attacks on CRT-RSA
3 Injecting Faults
3.1 Decapsulation
4 Optical Fault Injection
4.1 Standard Setup
4.2 Low Cost Setup
5 Electromagnetic Fault Induction
5.1 Characterization of Injected Current
5.2 Electromagnetic Fault-Injection Attacks
6 Conclusions and Further Work
Index
Bibliography

List of Figures

2.1 Shamir's trick and BOS countermeasure
3.1 Decapsulation procedure.
3.2 Rear side and front side decapsulated chips.
4.1 Microscope with laser diode.
4.2 Light attack on a microcontroller
5.1 Spark-gap burst right above the surface of a microcontroller
5.2 Induced voltage of three different decapsulation methods
5.3 Variance of the induced voltages
5.4 Power-consumption trace during EM fault-injections

Chapter 1
Introduction

In recent years, microchips have become more and more a part of the everyday life of many people, sometimes even without being recognized. In Austria every member of the compulsory health insurance receives a so-called eCard containing a microchip that stores information about the insured person. Most electronic-cash cards include a microchip containing information about former money transactions. Modern travel documents also use chips to protect them against forgery. All those chips store valuable information. Thus, these devices should be protected against unauthorized access. This is done by implementing cryptographic algorithms on the devices. Attacks that do not focus on the algorithm itself but on its realization in hardware are called implementation attacks.

Those attacks are among the most powerful attacks against cryptographic devices nowadays. In contrast to traditional cryptanalysis, implementation attacks do not treat the cryptographic algorithm as a black box. The way of implementing an algorithm and the device it runs on may lead to information leakage although the algorithm is cryptographically secure. An adversary can use so-called side channels to gain information about inner states of the device or influence its behavior. As a change of the behavior is not intended in common usage, it is referred to as a fault. In 1997 Dan Boneh et al. [BDL97] and Eli Biham and Adi Shamir [BS97] showed that the occurrence of faults is a serious threat to cryptographic devices. Their attacks exploit faults within the computation of a cryptographic algorithm to reveal secret information.

Such faults can be provoked by an adversary in several ways. One method to inject faults is to insert peaks into the clock supply. These peaks may corrupt data transferred between registers and memory [KK99]. This is called a glitch attack. As no modification of the device is needed, glitch attacks belong to the non-invasive attacks. In contrast to non-invasive methods, invasive and semi-invasive ones also target data storage and not only its transfer. Both attack methods require direct access to the chip. Mostly, a decapsulation procedure has to be applied to expose it. Semi-invasive attacks inject faults without electrical contact to the chip surface.

A conventional semi-invasive attack uses light [SA03], resulting in transient faults, or electromagnetic fields [QS02], resulting in transient or permanent faults. Invasive attacks establish direct contact to the chip. The behavior of the device can be permanently changed in this way. Using a probing needle, the content of EEPROM cells can be manipulated [Koc96]. It is also possible to inject permanent faults by modifying the device itself and cutting some wires using a laser cutter or a focused ion beam (FIB) [KK99].

1.1 Results
At the beginning of this project, knowledge of how to decapsulate microchips had to be acquired. First setups for optical fault injection were built. Later on, these setups were improved by using a microscope to increase the precision of the fault. Subsequently, EM fault injection was performed. We published low cost attacks on CRT-RSA using light as well as electromagnetic fields [SH07]. Besides the practical fault injection, theoretical work on fault models and analyzing faults was done.

1.2 Structure of this Report


This report demonstrates methods for attacking devices in practice. It consists of two parts. Chapter 2 considers theoretical attacks as well as underlying fault models. The second part, consisting of Chapters 3, 4 and 5, describes how a fault can be injected.

Chapter 2 starts off with an overview of fault attacks in theory. It elaborates on different fault models and their impacts on CRT-RSA.

Chapter 3 introduces the basic considerations of fault attacks. Furthermore, we show how to decapsulate a device for launching semi-invasive attacks.

Chapter 4 presents optical fault injection. A low cost variant and a more expensive and therefore more precise fault injection method are shown.

Chapter 5 considers using electromagnetic fields for inducing faults. Thereby, impacts of different package modifications are investigated.

Chapter 2
Faults and Their Impacts

In order to launch a successful fault attack, the algorithm and the impact a fault can have on it must be investigated. Hence, besides the practical considerations of how to inject a fault, it is important to know how to benefit from faulty results. So-called fault models provide an interface between the practical fault injection and its impact on an algorithm, for dealing with this theoretical part of a fault attack. Hence, such fault models are often motivated by real attacks. According to the assumed capabilities of an adversary, different parameters of the models have to be set. Based on those models, fault attacks are developed and countermeasures evaluated.

The most important parameter of a fault model is the fault type. A very common type is the bit flip fault. It always changes the target bits. A bit set or reset fault, on the other hand, only changes target bits in one direction: it always sets a bit to one or zero, respectively, independent of its former value. Thus, the fault only influences the computation in half of the cases. This is similar to a stuck-at fault, except that a stuck-at fault is permanent. In contrast to the bit set or reset fault, it influences a computation more than once in the same way.

Besides the fault type just mentioned, other parameters have to be chosen [Ott05]:

• Control on the fault location. An adversary who can freely choose the bits to attack has full control on the fault location. In practice this is rarely the case. Mostly, it is possible to attack a specified variable or range of bits, called loose control. Otherwise, an attacker has no control.
• Control on the timing. An adversary is said to have full control if it is possible to target an operation at will. Loose control means targeting an operation within a specified block. An adversary has no control on the timing of the attack if only some operation out of the whole execution can be attacked, for example if an attack can only be triggered by hand.
• Number of affected bits. An attack can target single bits, a few bits, e.g. a byte, or a random number of bits, which may be bounded by the size of the affected variable.
• Duration. Depending on the type of the fault, it can be transient, where it affects the variable only once, e.g. in one computation; the next time the variable is accessed it has its correct value. Permanent faults, in contrast, retain the faulty value throughout a whole execution of the algorithm. Once injected, destructive faults affect all following computations of the device.
• Probability. For some attacks a success probability also has to be defined. A fault, or a fault within the specific range, only occurs with a certain probability.

As attacks in a destructive fault model are presented in the following, we will elaborate on it in more detail.

A Destructive Fault Model - Non-Volatile Faults. We propose a model for so-called Non-Volatile Faults. They are a kind of destructive fault. The value δ of the fault is unknown. This δ is added to a variable in the memory. The set of possibly affected variables is known, but not the specific affected variable itself. Only one of these variables is actually affected. Thus the attacker's control of the fault location is loose. As non-volatile memory is changed by the fault, once injected, the same fault occurs in all following computations.

Osman Kocar showed that it is possible to change an EEPROM cell using a probe station [Koc96]. To reprogram a memory cell, 18 V have to be applied between the source and the control gate of the cell for about 10 ms. The polarity determines if the memory cell contains one or zero after the procedure. Thus, it is feasible to set or reset bits in EEPROM, opening up even more opportunities than considered here.

In contrast to transient faults, a non-volatile fault can be injected before the device is connected to the power supply or put into a card reader. Therefore, it is not necessary to adjust the time when a fault is injected, which can be challenging for transient fault injection. Here, computing the faulty ciphertexts can be totally separated from the fault injection setup; thus, after the fault was injected, computing a faulty ciphertext is as costly as computing a normal encryption.

Combined Faults. For attacking some sophisticated countermeasures, combined faults are necessary. In this expanded model, an adversary can inject a transient byte fault during the computation in addition to the non-volatile one. Thus, the result of a computation is XORed with an unknown byte. Such a fault can be injected using non-invasive methods like a glitch attack. Unlike the other attack methods, two faults within one computation are assumed.

2.1 Attacks on CRT-RSA


One of the most popular public key cryptosystems is RSA. In order to speed up the computation of the signature generation, the Chinese Remainder Theorem (CRT) can be used. Unfortunately, this way of computing RSA is very vulnerable to fault attacks [BDL97, Len96]. In the following, the basic ideas behind fault attacks on CRT-RSA and some countermeasures against them will be given. Afterwards, two new attacks on those countermeasures will be presented.

RSA and the Chinese Remainder Theorem


The RSA cryptosystem is based on the assumption that factoring the product of two large prime numbers is a hard problem. In the cryptosystem, factoring the modulus $n = pq$, consisting of the two prime numbers $p$ and $q$, is equivalent to computing the private key $d \in \varphi(n)$, while $\varphi(\cdot)$ denotes Euler's totient function. The corresponding public key to the private key $d$ is $e = d^{-1} \bmod \varphi(n)$. An RSA signature $S$ of a message $m$ is calculated by $S = m^d \bmod n$. The signature $S$ is verified by comparing $\tilde{m} = S^e \bmod n$ and the message $m$.

In order to increase the performance of an RSA implementation, the Chinese Remainder Theorem (CRT) can be used. It states the existence of an isomorphism between $(\mathbb{Z}_p, \mathbb{Z}_q)$ and $\mathbb{Z}_n$. One way to calculate the map from $(\mathbb{Z}_p, \mathbb{Z}_q)$ to $\mathbb{Z}_n$ is Gauss's algorithm [MvOV97]:

$$(\mathbb{Z}_p, \mathbb{Z}_q) \to \mathbb{Z}_n$$
$$(x, y) \mapsto \mathrm{CRT}_{(p,q)\to n}(x, y) = x \cdot c_p + y \cdot c_q \bmod n,$$

with $c_p = q\,(q^{-1} \bmod p)$ and $c_q = p\,(p^{-1} \bmod q)$. Its inverse operation is

$$\mathbb{Z}_n \to (\mathbb{Z}_p, \mathbb{Z}_q)$$
$$z \mapsto (z \bmod p, z \bmod q).$$

Thus, it is possible to compute an RSA signature in a fast way by $c^d = \mathrm{CRT}_{(p,q)\to n}((c^d) \bmod p, (c^d) \bmod q)$. The application of the CRT can speed up an implementation up to a factor of four. However, Dan Boneh et al. showed that factoring an RSA modulus is possible if a fault $\Delta$ occurs in one part of the computation [BDL97]:

$$\begin{aligned}
\tilde{S} &= \mathrm{CRT}_{(p,q)\to n}((m^d) \bmod p, (m^d) \bmod q + \Delta) \\
&= m^d + \Delta p\,(p^{-1} \bmod q) \bmod n \\
\Rightarrow p &= \gcd(\tilde{S} - m^d, n).
\end{aligned}$$

Shamir's trick

Input: $m$
In memory: $d, r, rp, rq, n$
1. $S_{rp} = m^d \bmod rp$
2. $S_{rq} = m^d \bmod rq$
3. $S = \mathrm{CRT}_{(p,q)\to n}(S_p \bmod p, S_q \bmod q)$
4. if ($S_p \bmod r == S_q \bmod r$) output $S$

BOS countermeasure

Input: $m$
In memory: $d, pt_1, qt_2, n, nt_1t_2, t_1, t_2, e_{t_1}, e_{t_2}$
1. $S_p = m^d \bmod pt_1$
2. $S_q = m^d \bmod qt_2$
3. $S = \mathrm{CRT}_{(pt_1,qt_2)\to nt_1t_2}(S_p, S_q)$
4. $c_1 = m - S^{e_{t_1}} + 1 \bmod t_1$
5. $c_2 = m - S^{e_{t_2}} + 1 \bmod t_2$
6. output $S^{c_1 c_2} \bmod n$

Figure 2.1: Shamir's trick and BOS countermeasure

Arjen Lenstra extended the attack and demonstrated that it is also possible to factorize the modulus knowing a message $m$ and its faulty signature $\tilde{S}$ [Len96]:

$$p = \gcd(\tilde{S}^e - m, n).$$

In order to prevent these attacks, different countermeasures have been proposed. One of them is Shamir's trick. It uses a smaller additional prime $r$ to check whether the signature parts are erroneous, see Figure 2.1. All faults in one of the computations that are not multiples of $r$ are detected. Another countermeasure was proposed by Blömer et al. [BOS03]. Its basic idea is to check the output in two smaller subgroups and to disturb the correlation between fault and output by an exponentiation in case of a fault. The algorithm works as shown in Figure 2.1, where $t_1$ and $t_2$ are primes, and $e_{t_i} = d^{-1} \bmod \varphi(t_i)$ for $i \in \{1, 2\}$. For an error-free computation $c_1 = c_2 = 1$ and the correct signature is output. In case of an error, at least one of the values $c_1$ and $c_2$ is not equal to one and random for an adversary, as $t_1$ and $t_2$ are secret in the implementation.

A new attack on CRT-RSA


A simple observation motivates the attack on CRT-RSA. If combining the two partial signatures with the CRT is done incorrectly, the modulus can be easily factored knowing the fault's value. As Shamir's countermeasure secures only the computation of the partial signatures and not the combination step, a fault that impacts the combination step remains undetected.

The set of variables that may be affected by the fault is $\{c_p, c_q\}$. Let $m \neq 0 \bmod n$ be a message, $S = m^d \bmod n$ its RSA signature and $\tilde{S}$ an erroneous signature with a fault $\delta < n$ in the CRT constant $c_q$. For an error in $c_p$ the attack is the same. Let $k_q$, $k_p$ denote elements of the natural numbers with $0 \le m^d - k_q q < q$ and $0 \le m^d - k_p p < p$. Using this notation, the erroneous signature $\tilde{S}$ is

$$\begin{aligned}
\tilde{S} &= ((c_q + \delta)(m^d \bmod q) + c_p (m^d \bmod p)) \bmod n \\
&= ((c_q + \delta)(m^d - k_q q) + c_p (m^d - k_p p)) \bmod n \\
&= (c_q (m^d - k_q q) + c_p (m^d - k_p p)) + \delta m^d - \delta k_q q \bmod n \\
&= (1 + \delta) m^d - \delta k_q q \bmod n \\
&= ((1 + \delta) m^d - q(\delta k_q)) \bmod n. \qquad (2.1)
\end{aligned}$$

If $\delta$ is a multiple of $p$, the modulus can be easily factored by $\gcd(\tilde{S} - m^d, n) = p$. For $m = 1 \bmod n$ or $k_q = 0 \bmod p$, $\delta$ can be computed, but in most implementations the message one is forbidden. Hence, without loss of generality, $p \nmid \delta$, $k_q \neq 0$ and $m \neq 1$ is assumed. For known $\delta$, computing $\gcd(\tilde{S} - (1 + \delta) m^d, n) = q$ factors the modulus. To deal with an unknown $\delta$ the attack has to be expanded. Therefore, (2.1) is rewritten to

$$\tilde{S}(m^{-d}) = (1 + \delta) - q((m^{-d}) \delta k_q) \bmod n.$$

Let $m_1^d$, $m_2^d$ be two correctly signed messages and $\tilde{S}_1$, $\tilde{S}_2$ their corresponding erroneous signatures.

$$\tilde{S}_1 m_1^{-d} - \tilde{S}_2 m_2^{-d} = q(-(m_1^{-d}) \delta k_{q_1} + (m_2^{-d}) \delta k_{q_2}) \bmod n$$

is obtained and for $-(m_1^{-d}) \delta k_{q_1} + (m_2^{-d}) \delta k_{q_2} \neq 0 \bmod p$ the modulus can be factored by

$$\gcd(\tilde{S}_1 (m_1^{-d}) - \tilde{S}_2 (m_2^{-d}), n) = q.$$

Iff $\delta((m_1^{-d}) k_{q_1} - (m_2^{-d}) k_{q_2}) = 0 \bmod p$, it is not possible to factor the modulus this way. In that case, $(m_1^{-d}) k_{q_1} (m_2^d) = k_{q_2} \bmod p$ holds, as $p \nmid \delta$. All variables in this equation depend on the secret values $d$, $p$ and $q$. Thus, they are random for an adversary. For each selection of $m_1$, $k_{q_1}$ and $m_2$, there is one value $k_{q_2} \in \mathbb{Z}_p$ that fulfills the equation. As $p$ is a prime number in the size of 512 bit, the probability that the equation holds is negligible.

Modification. Using only a device with a permanent fault, it is also possible to attack the CRT-RSA. Knowing two inputs and the corresponding erroneous outputs is sufficient. Lenstra's method to extend Boneh's attack on CRT-RSA [Len96] can be applied. Let $m_1$, $m_2$ be two messages and $\tilde{S}_1$ and $\tilde{S}_2$ their erroneous signatures. For $i \in \{1, 2\}$ and some $\Delta \in \mathbb{Z}_p$

$$\begin{aligned}
\tilde{S}_i^e &= ((1 + \delta) m_i^d - q(\delta k_{q_i}))^e \bmod n \\
&= (1 + \delta)^e m_i - q(\Delta) \bmod n
\end{aligned}$$

holds and by applying $\gcd(\tilde{S}_1^e m_2 - \tilde{S}_2^e m_1, n) = q$, if $\Delta \neq 0 \bmod p$, $n$ can be factored.
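The following Python sketch is an added example, not code from the report: it replays Shamir's trick from Figure 2.1 with toy primes to show that a fault in a partial signature is caught while a fault δ in c_q passes the check, satisfies equation (2.1), and lets two faulty signatures factor n with the gcd from the Modification paragraph. All names and values are constructed, steps 3 and 4 are read as using S_rp and S_rq, and `release_if_valid` is a standard public-key verification added here for comparison, not a countermeasure discussed in the report.

```python
from itertools import combinations
from math import gcd

# Constructed toy parameters; real CRT-RSA uses primes of 512 bits or more.
P, Q, R = 10007, 10009, 251         # secret primes p, q and Shamir's small prime r
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent d = e^-1 mod phi(n)
C_P = Q * pow(Q, -1, P)             # Gauss constants: c_p = q (q^-1 mod p)
C_Q = P * pow(P, -1, Q)             #                  c_q = p (p^-1 mod q)


def sign_shamir(m, fault_srq=0, fault_cq=0, check=True):
    """CRT-RSA signature guarded by Shamir's trick (Figure 2.1).

    fault_srq is added to the partial signature S_rq, fault_cq is the
    non-volatile fault delta added to the CRT constant c_q.
    Returns the signature, or None if the comparison mod r fails.
    """
    s_rp = pow(m, D, R * P)
    s_rq = (pow(m, D, R * Q) + fault_srq) % (R * Q)
    # Recombination step: the check below never looks at c_p or c_q.
    s = ((s_rp % P) * C_P + (s_rq % Q) * (C_Q + fault_cq)) % N
    if check and s_rp % R != s_rq % R:
        return None
    return s


def lenstra_gcd(m, s_faulty):
    """gcd(S~^e - m, n) from one message and its faulty signature [Len96]."""
    return gcd((pow(s_faulty, E, N) - m) % N, N)


def eq_2_1_holds(m, delta):
    """Check S~ = (1 + delta) m^d - q (delta k_q) mod n, equation (2.1)."""
    s = pow(m, D, N)
    k_q = s // Q                     # 0 <= s - k_q * q < q, with s = m^d mod n
    s_faulty = sign_shamir(m, fault_cq=delta)
    return s_faulty == ((1 + delta) * s - Q * (delta * k_q)) % N


def factor_from_faulty_pairs(pairs):
    """pairs: (message, faulty signature) tuples from a device with faulty c_q.

    Evaluates gcd(S~1^e m2 - S~2^e m1, n) over pairs of entries and returns
    the first non-trivial factor, or None if every pair is degenerate.
    """
    for (m1, s1), (m2, s2) in combinations(pairs, 2):
        g = gcd((pow(s1, E, N) * m2 - pow(s2, E, N) * m1) % N, N)
        if 1 < g < N:
            return g
    return None


def release_if_valid(m, s):
    """Added check: output a signature only if it verifies under (e, n)."""
    return s if s is not None and pow(s, E, N) == m % N else None


if __name__ == "__main__":
    m, delta = 42, 4                 # constructed message and fault value
    print("fault in S_rq released:", sign_shamir(m, fault_srq=1) is not None)
    print("without the check, factor:",
          lenstra_gcd(m, sign_shamir(m, fault_srq=1, check=False)))
    s_bad = sign_shamir(m, fault_cq=delta)
    print("fault in c_q released:", s_bad is not None)
    print("equation (2.1) holds:", eq_2_1_holds(m, delta))
    pairs = [(x, sign_shamir(x, fault_cq=delta)) for x in (42, 1337, 2024)]
    print("factor from faulty pairs:", factor_from_faulty_pairs(pairs))
    print("verification releases it:", release_if_valid(m, s_bad) is not None)
```

Because the comparison modulo r covers only the partial signatures, the faulty recombination is released by `sign_shamir`, whereas the final verification rejects both kinds of fault.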

A new attack on the BOS Scheme.


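The BOS scheme is attacked in the expanded combined fault model. The non-volatile fault affects one of the variables in the set $\{pt_1, qt_2\}$. A fault in the variables of the set results in the corruption of either $S_p$ or $S_q$. In the following a change of $S_p$ by the value $\delta$ is assumed; a change in $S_q$ leads to the same attack. Thus, $\tilde{S} = 0 \bmod q$ and $\tilde{S} \neq 0 \bmod p$. In addition, the occurrence of a transient byte fault $\delta_t$ within the calculation of $c_1$ (respectively $c_2$ in case of a fault in $S_q$) is assumed. Using two faults removes the need to know the value $c_1$ the output is diffused with. For an attack without the knowledge of whether $S_p$ or $S_q$ is affected by the fault, injecting faults consecutively in $c_1$ and $c_2$ is necessary. Applying the scheme leads to some unknown $\Delta$, $\tilde{\delta}$ and $\delta_2$ depending on $m$ and $\delta_t$.

$$\begin{aligned}
\tilde{S}_p &= S + \delta = m^d + \delta \bmod pt_1 \\
S_q &= m^d \bmod qt_2 \\
\tilde{S} &= \mathrm{CRT}_{(pt_1,qt_2)\to nt_1t_2}(\tilde{S}_p, S_q) \\
&= \mathrm{CRT}_{(pt_1,qt_2)\to nt_1t_2}(S_p, S_q) + \delta t_2 q\,((t_2 q)^{-1} \bmod t_1 p) \bmod nt_1t_2 \\
&= S + \tilde{\delta} q \bmod nt_1t_2 \\
c_1 &= m - \tilde{S}^{e_{t_2}} + 1 + \delta_t \bmod t_2 \\
&= \delta_2 + \delta_t \bmod t_2 \\
c_2 &= m - \tilde{S}^{e_{t_1}} + 1 \bmod t_1 \\
&= 1 \bmod t_1 \\
\widetilde{Sg} &= \tilde{S}^{\delta_2 + \delta_t} \bmod n \\
&= (S + \tilde{\delta} q)^{\delta_2 + \delta_t} \bmod n \\
&= S^{\delta_2 + \delta_t} + q\Delta \bmod n
\end{aligned}$$

Note that $q\Delta$ consists of all the terms from the exponentiation with $\delta_2 + \delta_t$ containing a $q$, so even a small change of $\delta_t$ will significantly alter $\Delta$. As $\delta_2$, $\delta_t$ and $\Delta$ are unknown, $q$ cannot be recovered directly from $\widetilde{Sg}$. Using the transient fault, it is possible to compute two erroneous signatures $\widetilde{Sg}_1$ and $\widetilde{Sg}_2$ for the same $m$ with different $\delta_t^1$ and $\delta_t^2$;

$$\begin{aligned}
\widetilde{Sg}_1 (\widetilde{Sg}_2)^{-1} &= \frac{S^{\delta_2 + \delta_t^1} + \Delta_1 q}{S^{\delta_2 + \delta_t^2} + \Delta_2 q} \bmod n \\
&= S^{\delta_t^1 - \delta_t^2} \left( \frac{S^{\delta_2 + \delta_t^2}}{S^{\delta_2 + \delta_t^2} + \Delta_2 q} \right) + q \left( \frac{\Delta_1}{S^{\delta_2 + \delta_t^2} + \Delta_2 q} \right) \bmod n \\
&= S^{\delta_t^1 - \delta_t^2} \left( \frac{S^{\delta_2 + \delta_t^2} + \Delta_2 q - \Delta_2 q}{S^{\delta_2 + \delta_t^2} + \Delta_2 q} \right) + q \left( \frac{\Delta_1}{S^{\delta_2 + \delta_t^2} + \Delta_2 q} \right) \bmod n \\
&= S^{\delta_t^1 - \delta_t^2} + q\, \frac{-S^{\delta_t^1 - \delta_t^2} \Delta_2 + \Delta_1}{S^{\delta_2 + \delta_t^2} + \Delta_2 q} \bmod n.
\end{aligned}$$

If the difference between $\delta_t^1$ and $\delta_t^2$ is known, $q$ can be computed by

$$q = \gcd(\widetilde{Sg}_1 (\widetilde{Sg}_2)^{-1} - S^{\delta_t^1 - \delta_t^2}, n)$$

or with the same argument used to modify the last attack:

$$q = \gcd((\widetilde{Sg}_1 (\widetilde{Sg}_2)^{-1})^e - m^{\delta_t^1 - \delta_t^2}, n)$$

as long as $\frac{-S^{\delta_t^1 - \delta_t^2} \Delta_2 + \Delta_1}{S^{\delta_2 + \delta_t^2} + \Delta_2 q} \neq 0 \bmod p$. The remaining task is to deal with the difference $\delta_t^1 - \delta_t^2$.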


As an unknown byte fault is assumed, the difference between $\delta_t^1$ and $\delta_t^2$ is a byte. A list containing all erroneous results is set up. While no suitable factorization of $n$ is found, a new faulty signature $\tilde{S}$ is generated, $\gcd(\widetilde{Sg}\,(\widetilde{Sg})^{-1} - S, n)$, $\gcd(\widetilde{Sg}\,(\widetilde{Sg})^{-1} - S, n)$ for all signatures $S$ in the list is computed and $S$ added to the list. After 25 fault injections a success probability of more than 93% is achieved. By using different precomputed values for the difference $(\delta_t^1 - \delta_t^2)$ and comparing them with new faulty signatures, the number of needed fault injections can be decreased by increasing the computation effort.

Recently, another attack on the BOS scheme was proposed by David Wagner [Wag04]. His attack is based on a transient byte fault. In order to be successful, an adversary has to guess $c_2$, the value the output is diffused with. As long as it is not reduced by the prime $t_2$, the value of $c_2$ is independent from $t_2$ and can be predicted. Therefore, assuming a 1024-bit RSA with an 80-bit prime $t_2$, about 4% of the faults are useful to attack the scheme. Our attack uses two different faults. In contrast to Wagner's attack, every byte fault of the $c_2$ value is useful for the attack.

Chapter 3
Injecting Faults

In order to perform attacks in practice, it is necessary to realize the previously presented fault models. In the following, different methods to inject faults into devices are presented. These methods differ in the precision that can be achieved and the necessary equipment. In general, there are three different types of fault attacks:

• Non-Invasive Attacks. Non-invasive fault injection methods do not modify the package of the device. Faults are provoked by manipulating the conditions under which the device runs. This can be done by injecting peaks into the clock or the power supply, which is called a glitch or spike attack, respectively. Another possibility is to increase or decrease the temperature beyond the specified conditions. On the one hand, these methods are inexpensive and easy to perform. On the other hand, only a limited precision can be achieved, as those attacks impact the whole chip at once.

• Semi-Invasive Attacks. Semi-invasive methods require direct access to the chip surface. Thus, a decapsulation procedure has to be applied in most cases. Afterwards, the behavior of the device is influenced without electrical contact to the chip. Such attacks require sophisticated equipment, like chemicals for the decapsulation procedure.

• Invasive Attacks. Invasive methods establish direct electrical contact to the surface of the chip. Thus, the device itself can be modified. These attacks need very expensive equipment like a probe station, a laser cutter, or a focused ion beam (FIB).

These methods can be realized by different kinds of attackers. Similar to estimating the capabilities of an adversary in theory by defining fault models, different categories for attackers in practice exist. For that purpose, Dennis Abraham et al. defined three kinds of adversaries [ADDS91]:

• Clever Outsider. Intelligent, but has only limited knowledge about the system; has only small funding and limited access to tools and equipment.

• Knowledgeable Insider. Specialized education, knowledge and experience; has access to internal information and sophisticated access to equipment and tools.

• Knowledgeable Company. Team of specialists, almost unlimited access to internal information, equipment and tools.

Countermeasures have to be designed according to the assumed capabilities of possible adversaries. The following chapters aim to give an idea of the possibilities and requirements, in terms of knowledge and equipment, of different semi-invasive attacks.

3.1 Decapsulation
A chip can be accessed from the front or the rear side. The latter case does not include chemical treatment, but gives access to the substrate only.

In order to access the chip from the front side, three steps have to be performed. First, a hole is milled into the package. Afterwards it is filled with fuming nitric acid for about 10-30 seconds and cleaned in acetone by ultrasonic treatment. The last two steps are repeated until the chip is exposed as needed for the attack. The three steps are shown in Figure 3.1.

The rear-side decapsulation of the chip can be carried out without the need for chemicals. It is possible to mill a hole into the rear side of the package. Under the substrate layer of the chip there is a copper plate that can be easily removed using a screwdriver [Sko05].

Figure 3.1: Decapsulation procedure.

Figure 3.2: Rear side and front side decapsulated chips.

Chapter 4
Optical Fault Injection

The idea of optical fault injection was presented by Sergei Skorobogatov and Ross Anderson in 2003 [SA03]. They showed that it is possible to change the content of static memory by light. For focusing the light beam, a microscope was used. In this section a setup for optical fault injection will be described as well as a low cost alternative, which is less precise but does not need an expensive microscope.

For injecting faults with light the same principle as for solar cells is used. If a photon with energy of more than 1.1 eV hits an electron in a metal, the photon is absorbed and the electron shot out of its position. Thus, a pair of an electron and a hole is created. If this happens where an electric field is present, like near an np junction, electron and hole get separated, which results in current [TTO97]. This effect is called optical induced current (OBIC). If this happens more than once, the injected current may be enough for a transistor to switch.

4.1 Standard Setup


A laser diode was used as light source. In order to focus the laser beam emitted by the diode, the laser diode was mounted onto the camera port of a microscope as shown in Figure 4.1. The output of the diode is transformed into parallel light by a collimator optic. In this way it is possible to flip single bits of the static memory of a device.

Figure 4.1: Microscope with laser diode.

4.2 Low Cost Setup


In contrast to the standard setup, the low cost variant does not include an expensive microscope. Therefore, it is much cheaper but less accurate. A fiber-optic light guide has been attached onto the laser diode using a matching light-guide port. The light guide has a cross-section dimension of 1 mm. As trigger signal for the light diode an output port of a microcontroller can be used. It is also possible to set the trigger manually using an on/off-switch. The whole setup can be bought for about 15 €.

Figure 4.2: Light attack on a microcontroller using a fiber-optic light guide

Chapter 5
Electromagnetic Fault Induction
Electromagnetic (EM) Fault Induction is the more powerful brother of


optical fault induction, as the induced current is much higher. With
electromagnetic fields it is possible to influence encapsulated chips
or to change non-volatile memory. The first article that discusses
electromagnetic investigations on cryptographic devices using EM
fault-injections has been published by Jean-Jacques Quisquater and
David Samyde [QS02]. They pointed out that it is possible to influ-
ence devices using a simple self-made EM probe. They used a cam-
era flash-gun to inject a high voltage into the coil of the probe. This
high voltage causes a magnetic field that then again generates a
so-called eddy current on the surface of the chip. This current leads
to faulty computations.
The approach followed here is quite different. It uses high-
frequency spark gaps. Those sparks involve a very fast change
of the flowing current. In addition, they lead to a very strong elec-
tromagnetic burst and radiation, respectively, which can be mea-
sured even at a very long distance. The characterization of such
high-frequency EM pulses is a rather difficult task and needs ap-
propriate measurement setups. In the following a measurement
setup is described. With its the differences between three differ-
ent decapsulation scenarios (capsulated, rear-side capsulated, and
front-side capsulated) were investigated. Afterwards the influence
of the spark burst on an RSA signature generation is demonstrated.

19
Characterization of Injected Current

Figure 5.1: Spark-gap burst right above the surface of a microcon-


troller

5.1 Characterization of Injected Current


The whole electromagnetic measurement was carried out on an Earth Reference Plane (ERP): an aluminum plate that has a length of about two meters and a width of about 1 meter. Every device involved in the measurement was placed on top of this plate. The plate itself was connected to earth ground in order to provide the same capacitive potential for all devices. The following devices were used for the measurement: the microcontroller board (device under attack), power supply, PC, spark-gap generator, and a digital oscilloscope. The microcontroller used has an 8-bit architecture. The spark-gap generator consists of a simple gas lighter that can be bought at almost every tool store. Of course, the gas has been removed so as to provide only the spark-generation assembly. Further, a coaxial cable was attached to our spark generator. The end piece of the coaxial cable consists of two cables that form an air gap, which in fact constitutes the spark gap. Figure 5.1 shows a generated spark gap right above the surface of a microcontroller. However, the greater the spacing of the gap, the stronger the EM burst will be. If the spacing of the gap is greater than the distance to a surrounding conductor, i.e. the decapsulated chip surface, the generated spark is discharged into the die of the chip. Our experiments showed that this can lead to a total destruction of the chip.

In addition to our ERP plate, another smaller aluminum plate was mounted at a right angle to the ERP plate. This plate serves as an additional shield against electromagnetic radiation that is caused by the spark generator. At the front side of the shield, a PLCC socket including the microcontroller was placed. Moreover, the shield contains a tiny hole, which is used to connect the socket of the microcontroller with the rest of the board, i.e. the power-supply connectors, the crystal oscillator, and the serial-interface circuit. The device under attack was placed in front of the shield; the rest of the devices were placed behind the shield. Furthermore, all involved cables were fixed with a copper tape, which has a contact to the ERP plate as well. For contact-based high-voltage protection, ferrite cores were plugged onto the cables that are connected to the PC, the digital oscilloscope, and the power-supply unit. This shielded environment avoids the measurement of interfering signals caused by the generated sparks.

The induced voltage of three different chip capsulation scenarios was characterized. First, a standard capsulated microcontroller was used. Second, the rear side of the microcontroller was removed and the induced voltage was measured. The third scenario uses a front-side decapsulated microcontroller for fault-injection analysis. Next, a measuring bar in front of the chip surface was used in order to vary the distance between the chip and the generated spark gap. Figure 5.2 shows the results of the experiment. As expected, the most current has been injected in the front-side decapsulated microcontroller. Notice that the success probability of our attacks was higher than with the capsulated or rear-side decapsulated microcontroller. A lower voltage has been induced into the standard-capsulated microcontroller. However, after about 10 mm from the surface of the chip, the same voltage is induced in all three package scenarios. In Figure 5.3, the variance of the different measurement scenarios is shown. It turns out that the variance of the induced voltages decreases with increasing distance to the surface of the chip.

5.2 Electromagnetic Fault-Injection Attacks


In Figure 5.4, the power consumption during the computation of the
CRT-based RSA is shown. The black signal denotes the power consumption
whereas the gray line indicates the trigger signal. The computation of
the signatures Sq and Sp and the computation of the CRT are clearly
discernible. Approximately 600 milliseconds after the beginning of the
RSA computation, an EM spark was generated on the front side of the
chip. The EM power-injection is clearly observable as a peak in the
power consumption trace. Thus, the computation of Sq was disturbed
while the computation of Sp remained correct. This single fault led to
a successful attack: the modulus n of the faulty signature computation
was successfully factorized.

Figure 5.2: Induced voltage of three different decapsulation methods

Figure 5.3: Variance of the induced voltages of three different
decapsulation methods

Other experiments showed that the faults can affect program flow as
well as the SRAM content. During the research we also injected errors
that affected the flash memory. For a couple of hours, various bytes
of the memory were no longer programmable. The chip recovered
completely after tens of hours.

Figure 5.4: Power-consumption trace during EM fault-injections

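The result reported in Section 5.2 (Sq disturbed, Sp correct, n factorized) can be reproduced numerically, which also shows why a signer should verify a CRT-RSA signature before releasing it. The Python code below is an added example, not part of the original report; the toy key, the one-bit fault model and all function names are assumptions made for illustration.

```python
from math import gcd

# Constructed toy key: two Mersenne primes stand in for p and q.
P, Q, E = 2**89 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
M = 0x1234567890ABCDEF  # constructed message representative


def crt_sign(m, fault_mask=0):
    """CRT-RSA signing; fault_mask is XORed into Sq to model the fault."""
    sp = pow(m, D % (P - 1), P)
    sq = pow(m, D % (Q - 1), Q) ^ fault_mask
    h = (pow(Q, -1, P) * (sp - sq)) % P  # Garner recombination
    return (sq + Q * h) % N


def leaked_factor(m, sig):
    """gcd(sig^e - m, n): n for a correct signature, p if only Sq was wrong."""
    return gcd((pow(sig, E, N) - m) % N, N)


def checked_sign(m, fault_mask=0):
    """Signer-side check: verify with the public exponent before release."""
    sig = crt_sign(m, fault_mask)
    if pow(sig, E, N) != m % N:
        raise ValueError("fault detected, signature withheld")
    return sig


if __name__ == "__main__":
    print(leaked_factor(M, crt_sign(M)) == N)                 # no leak
    print(leaked_factor(M, crt_sign(M, fault_mask=1)) == P)   # p exposed
    try:
        checked_sign(M, fault_mask=1)
    except ValueError as err:
        print(err)
```

A faulty signature is still correct modulo p, so the gcd isolates p; the check in `checked_sign` withholds exactly those outputs.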
6 Conclusions and Further Work

In this report, we discussed fault attacks in theory and practice. In
Chapter 2 we presented an overview of fault models and demonstrated
how to use them to model fault attacks on CRT-RSA. We also showed
different countermeasures against fault injection and how to attack
them.
In Chapters 3, 4 and 5, practical fault injection has been discussed.
Chapter 3 gives a general overview of fault injection and shows how to
decapsulate a plastic package. Optical fault injection is considered
in Chapter 4, while Chapter 5 presents a low cost method using
electromagnetic fields for an attack.
As shown in this report, fault attacks pose a serious threat to
cryptographic implementations. Nevertheless, modern smart cards
include different countermeasures. An exhaustive study of hardware as
well as software countermeasures will be part of further work. In
addition, the impact of small process technologies on practical fault
attacks and possible combinations of active and passive implementation
attacks are part of further research.
