Fault Template Attacks on Block Ciphers Exploiting Fault Propagation

  • Sayandeep SahaEmail author
  • Arnab BagEmail author
  • Debapriya Basu Roy
  • Sikhar Patranabis
  • Debdeep Mukhopadhyay
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12105)


Fault attacks (FA) are one of the potent practical threats to modern cryptographic implementations. Over the years the FA techniques have evolved, gradually moving towards the exploitation of device-centric properties of the faults. In this paper, we exploit the fact that activation and propagation of a fault through a given combinational circuit (i.e., observability of a fault) is data-dependent. Next, we show that this property of combinational circuits leads to powerful Fault Template Attacks (FTA), even for implementations having dedicated protections against both power and fault-based vulnerabilities. The attacks found in this work are applicable even if the fault injection is made at the middle rounds of a block cipher, which are out of reach for most of the other existing fault analysis strategies. Quite evidently, they also work for a known-plaintext scenario. Moreover, the middle round attacks are entirely blind in the sense that no access to the ciphertexts (correct/faulty) or plaintexts are required. The adversary is only assumed to have the power of repeating an unknown plaintext several times. Practical validation over a hardware implementation of SCA-FA protected PRESENT, and simulated evaluation on a public software implementation of protected AES prove the efficacy of the proposed attacks.


Fault attack Fault propagation Masking 



Debdeep Mukhopadhyay would like to acknowledge Synopsys Inc, USA (for partial support through the grant entitled “Formal Methods for Physical Security Verification of Cryptographic Designs Against Fault Attacks”), Defence Research and Development Organisation (DRDO), India (for partial support through the grant entitled, “Secure Resource-constrained Communication Framework for Tactical Networks using Physically Unclonable Functions”), and Department of Science and Technology (DST), Government of India (for partial support through the Swarnajayanti Fellowship grant).

Supplementary material

495523_1_En_22_MOESM1_ESM.pdf (807 kb)
Supplementary material 1 (pdf 806 KB)


  1. 1.
    Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: Kaliski, B.S., Koç, K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 13–28. Springer, Heidelberg (2003). Scholar
  2. 2.
    Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of checking cryptographic protocols for faults. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 37–51. Springer, Heidelberg (1997). Scholar
  3. 3.
    Biham, E., Shamir, A.: Differential fault analysis of secret key cryptosystems. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 513–525. Springer, Heidelberg (1997). Scholar
  4. 4.
    Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003). Scholar
  5. 5.
    Reparaz, O., Bilgin, B., Nikova, S., Gierlichs, B., Verbauwhede, I.: Consolidating masking schemes. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part I. LNCS, vol. 9215, pp. 764–783. Springer, Heidelberg (2015). Scholar
  6. 6.
    Nikova, S., Rechberger, C., Rijmen, V.: Threshold implementations against side-channel attacks and glitches. In: Ning, P., Qing, S., Li, N. (eds.) ICICS 2006. LNCS, vol. 4307, pp. 529–545. Springer, Heidelberg (2006). Scholar
  7. 7.
    Gross, H., Mangard, S., Korak, T.: An efficient side-channel protected AES implementation with arbitrary protection order. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 95–112. Springer, Cham (2017). Scholar
  8. 8.
    Guo, X., Mukhopadhyay, D., Jin, C., Karri, R.: Security analysis of concurrent error detection against differential fault analysis. J. Cryptogr. Eng. 5(3), 153–169 (2014). Scholar
  9. 9.
    Kulikowski, K., Karpovsky, M., Taubin, A.: Robust codes for fault attack resistant cryptographic hardware. In: FDTC, pp. 1–12 (2005)Google Scholar
  10. 10.
    Tupsamudre, H., Bisht, S., Mukhopadhyay, D.: Destroying fault invariant with randomization. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 93–111. Springer, Heidelberg (2014). Scholar
  11. 11.
    Schneider, T., Moradi, A., Güneysu, T.: ParTI – towards combined hardware countermeasures against side-channel and fault-injection attacks. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part II. LNCS, vol. 9815, pp. 302–332. Springer, Heidelberg (2016). Scholar
  12. 12.
    Dobraunig, C., Eichlseder, M., Korak, T., Mangard, S., Mendel, F., Primas, R.: SIFA: exploiting ineffective fault inductions on symmetric cryptography. In: TCHES, pp. 547–572 (2018)Google Scholar
  13. 13.
    Dobraunig, C., Eichlseder, M., Gross, H., Mangard, S., Mendel, F., Primas, R.: Statistical ineffective fault attacks on masked AES with fault countermeasures. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018, Part II. LNCS, vol. 11273, pp. 315–342. Springer, Cham (2018). Scholar
  14. 14.
    Zhang, F., et al.: Persistent fault analysis on block ciphers. In: TCHES, pp. 150–172 (2018)Google Scholar
  15. 15.
    Pan, J., Zhang, F., Ren, K., Bhasin, S.: One fault is all it needs: breaking higher-order masking with persistent fault analysis. In: 2019 Design, Automation & Test in Europe Conference & Exhibition (DATE), pp. 1–6. IEEE (2019)Google Scholar
  16. 16.
    Niemi, V., Nyberg, K.: UMTS Security. Wiley, Hoboken (2006)Google Scholar
  17. 17.
    Poschmann, A., Moradi, A., Khoo, K., Lim, C.W., Wang, H., Ling, S.: Side-channel resistant crypto for less than 2,300 GE. J. Cryptol. 24(2), 322–345 (2011). Scholar
  18. 18.
    Korkikian, R., Pelissier, S., Naccache, D.: Blind fault attack against SPN ciphers. In: FDTC, pp. 94–103. IEEE (2014)Google Scholar
  19. 19.
    Yen, S.M., Joye, M.: Checking before output may not be enough against fault-based cryptanalysis. IEEE Trans. Comput. 49(9), 967–970 (2000)CrossRefGoogle Scholar
  20. 20.
    Li, Y., Sakiyama, K., Gomisawa, S., Fukunaga, T., Takahashi, J., Ohta, K.: Fault sensitivity analysis. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 320–334. Springer, Heidelberg (2010). Scholar
  21. 21.
    Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y., Vikkelsoe, C.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007). Scholar
  22. 22.
    ISO/IEC 29192–2:2012: information technology-security techniques-lightweight cryptography-part 2: block ciphers.
  23. 23.
    Ullrich, M., De Canniere, C., Indesteege, S., Küçük, Ö., Mouha, N., Preneel, B.: Finding optimal bitsliced implementations of 4\(\times \) 4-bit S-boxes. In: SKEW 2011 Symmetric Key Encryption Workshop, Copenhagen, Denmark, pp. 16–17 (2011)Google Scholar
  24. 24.
    Banik, S., Pandey, S.K., Peyrin, T., Sasaki, Y., Sim, S.M., Todo, Y.: GIFT: a small present. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 321–345. Springer, Cham (2017). Scholar
  25. 25.
    Jati, A., Gupta, N., Chattopadhyay, A., Sanadhya, S.K., Chang, D.: Threshold implementations of \(\mathtt GIFT\) : a trade-off analysis. IEEE Trans. Inf. Forensics Secur. 15, 2110–2120 (2020)Google Scholar
  26. 26.
  27. 27.
    Trichina, E.: Combinational logic design for AES subbyte transformation on masked data. IACR Cryptology ePrint Archive 2003/236 (2003)Google Scholar
  28. 28.
    Saha, S., Jap, D., Basu Roy, D., Chakraborty, A., Bhasin, S., Mukhopadhyay, D.: A framework to counter statistical ineffective fault analysis of block ciphers using domain transformation and error correction. IEEE Trans. Inf. Forensics Secur. 15, 1905–1919 (2020)CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2020

Authors and Affiliations

  1. 1.Department of Computer Science and EngineeringIndian Institute of Technology, KharagpurKharagpurIndia
  2. 2.Department of Computer ScienceETH ZurichZürichSwitzerland
  3. 3.Technische Universität MünchenMunichGermany

Personalised recommendations