Advertisement

Adjusting Laser Injections for Fully Controlled Faults

  • Franck CourbonEmail author
  • Philippe Loubet-Moundi
  • Jacques J. A. Fournier
  • Assia Tria
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8622)

Abstract

Hardware characterizations of integrated circuits have been evolving rapidly with the advent of more precise, sophisticated and cost-efficient tools. In this paper we describe how the fine tuning of a laser source has been used to characterize, set and reset the state of registers in a 90 nm chip. By adjusting the incident laser beam’s location, it is possible to choose to switch any register value from ‘\(0\)’ to ‘\(1\)’ or vice-versa by targeting the PMOS side or the NMOS side. Plus, we show how to clear a register by selecting a laser beam’s power. With the help of imaging techniques, we are able to explain the underlying phenomenon and provide a direct link between the laser mapping and the physical gate structure. Thus, we correlate the localization of laser fault injections with implementations of the PMOS and NMOS areas in the silicon substrate. This illustrates to what extent laser beams can be used to monitor the bits stored within registers, with adverse consequences in terms of security evaluation of integrated circuits.

Keywords

Laser fault injection Registers attacks Bit set and reset Fault model 

Notes

Acknowledgment

We gratefully acknowledge technical support and knowledge sharing of Pascal Moitrel. We also would like to thank Francis Olivier for proofreading this paper.

References

  1. 1.
    Anderson, R., Kuhn, M.: Low cost attacks on tamper resistant devices (1997)Google Scholar
  2. 2.
    Bar-El, H., Choukri, H., Naccache, D., Tunstall, M., Whelan, C.: The sorcerer’s apprentice guide to fault attacks. IACR Cryptology ePrint Archive, p. 100 (2004)Google Scholar
  3. 3.
    Bond, M., Choudary, O., Murdoch, S.J., Skorobogatov, S.P., Anderson, R.J.: Chip and skim: cloning emv cards with the pre-play attack. CoRR (2012)Google Scholar
  4. 4.
    Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  5. 5.
    Dehbaoui, A., Dutertre, J.M., Robisson, B., Tria, A.: Electromagnetic transient faults injection on a hardware and a software implementations of aes. In: FDTC, pp. 7–15 (2012)Google Scholar
  6. 6.
    Dutertre, J.M., Mirbaha, A.P., Naccache, D., Ribotta, A.L., Tria, A., Vaschalde, T.: Fault round modification analysis of the advanced encryption standard. In: 2012 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), pp. 140–145 (2012)Google Scholar
  7. 7.
    Giraud, C.: DFA on AES. In: Dobbertin, H., Rijmen, V., Sowa, A. (eds.) AES 2005. LNCS, vol. 3373, pp. 27–41. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  8. 8.
    Habing, D.: The use of lasers to simulate radiation-induced transients in semiconductor devices and circuits. IEEE Trans. Nucl. Sci. 12(5), 91–100 (1965)CrossRefGoogle Scholar
  9. 9.
    Hériveaux, L., Clédière, J., Anceau, S.: Electrical modeling of the effect of photoelectric laser fault injection on bulk cmos design. In: ISTFA 2013 (2013)Google Scholar
  10. 10.
    Johnston, A.: Charge generation and collection in p-n junctions excited with pulsed infrared lasers. IEEE Trans. Nucl. Sci. 40(6), 1694–1702 (1993)CrossRefMathSciNetGoogle Scholar
  11. 11.
    Kaeslin, H.: Digital Integrated Circuit Design: From VLSI Architectures to CMOS Fabrication, 1st edn. Cambridge University Press, New York (2008)CrossRefGoogle Scholar
  12. 12.
    Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999) CrossRefGoogle Scholar
  13. 13.
    Leveugle, R., Ammari, A., Maingot, V., Teyssou, E., Moitrel, P., Mourtel, C., Feyt, N., Rigaud, J.B., Tria, A.: Experimental evaluation of protections against laser-induced faults and consequences on fault modeling. In: Proceedings of the Conference on Design, Automation and Test in Europe, DATE 2007, pp. 1587–1592. EDA Consortium, San Jose (2007)Google Scholar
  14. 14.
    Loubet-Moundi, P., Vigilant, D., Olivier, F.: Static fault attacks on hardware des registers. IACR Cryptology ePrint Archive 2011, 531 (2011)Google Scholar
  15. 15.
    Marc Joye, P.P., Yen, S.M.: Secure evaluation of modular functions (2001)Google Scholar
  16. 16.
    Mayer-Sommer, R.: Smartly analyzing the simplicity and the power of simple power analysis on smartcards. In: Paar, C., Koç, Ç.K. (eds.) CHES 2000. LNCS, vol. 1965, pp. 78–92. Springer, Heidelberg (2000) CrossRefGoogle Scholar
  17. 17.
    Roscian, C., Sarafianos, A., Dutertre, J.M., Tria, A.: Fault model analysis of laser-induced faults in sram memory cells. In: 2013 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp. 89–98 (2013)Google Scholar
  18. 18.
    Sarafianos, A., Roscian, C., Dutertre, J.M., Lisart, M., Tria, A.: Electrical modeling of the photoelectric effect induced by a pulsed laser applied to an SRAM cell. Microelectronics Reliability 53(9–11), 1300–1305 (2013). (european Symposium on Reliability of Electron Devices, Failure Physics and Analysis)CrossRefGoogle Scholar
  19. 19.
    Sarafianos, A.: Injection de fautes par impulsion laser dans des circuits sécurisés. These, Ecole Nationale Supérieure des Mines de Saint-Etienne (2013)Google Scholar
  20. 20.
    Skorobogatov, S.P., Anderson, R.J.: Optical fault induction attacks. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 2–12. Springer, Heidelberg (2003) CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Franck Courbon
    • 1
    • 2
    Email author
  • Philippe Loubet-Moundi
    • 1
  • Jacques J. A. Fournier
    • 3
  • Assia Tria
    • 3
  1. 1.GEMALTO, Security LabsLa CiotatFrance
  2. 2.Ecole des Mines de Saint-Etienne, CMP-GC/LSASGardanneFrance
  3. 3.CEA, CEA Tech Region, DPACA/LSASGardanneFrance

Personalised recommendations