Security of several AES implementations against delay faults Olivier FAURAX1,2 , Julien FRANCQ1 1´ ´ Ecole des Mines de St Etienne - Site Georges Charpak, Laboratoire SESAM, Avenue des An´emones, 13120 GARDANNE, FRANCE 2 Universit´e de la M´editerran´ee, ”Syst`emes Informatiques Communicants”, 13288 MARSEILLE, FRANCE {faurax,francq}@emse.fr

Abstract Among fault attacks, Differential Fault Analysis is the most studied attack scheme, but some corresponding fault model are presented as unrealistic (ex: one bit-flip only). Glitches on the power supply, if they induce delays on the whole circuit, may lead to such fault model, depending on the accuracy of the glitch duration and on the design. In this paper, the sensitivity of several AES implementations towards delay faults is analysed. It appears that some fault cryptanalysis can easily be applied to the most sensitive implementations and that designers have to consider even the most unrealistic threats.

1

Introduction

Because integrated circuits dedicated to security applications contain and process private and/or critical information, intruders can attack them in order to recover all or part of these embedded secrets. Dedicated attacks are particularly efficient on several symmetric (DES, AES) and asymmetric (RSA, ECC) cryptographic algorithms. In addition of being safe towards mathematical cryptanalysis, these ciphers, when implemented in hardware, have to be resistant against different attacks, including fault attacks. This kind of attack enables an attacker to recover the secret information stored in the device by injecting faults [SA02]. This perturbation induces a change of behaviour [BECN+ 04] that leads to a faulty ciphertext. With several of these (and the corresponding correct ciphertexts), the attacker infers some information about the secret key. Several publications present fault attacks on different cryptosystems: RSA [BDL97][YJ00], DES [BS97] and AES [Gir04][BS03][DLV03][PQ03][MSS06]. In circuits, a signal needs time to propagate through gates. So, the combinational part takes time to perform the correct computation. In synchronous circuits, the clock period has to be greater than the critical path. A physical deterioration (permanent), a glitch on the power supply or an optical injection (transient) can slow down signal propagation and induce computation of faulty results. Permanent delays can be detected using relevant test patterns and a clock at real speed [LR87]. In the case of a glitch on 1

the power supply, a transient delay is added to the whole circuit. The critical path can be exceeded and the circuit thus computes incorrect results. In order to design cryptographic circuits, one needs to analyze their delays to know which parts are the most sensitive to delay faults. This will allow to anticipate their behaviour [FTFB07] and evaluate if fault attacks can successfully be performed. AES implementations were chosen as a case study regarding the fact that AES is the current standard for symmetric secret key encryption. This paper is organized as follows: the cipher algorithm is presented in section 2. We describe the different chosen implementations in section 3. The delay analysis of these implementations are shown and discussed in section 4. Finally, conclusion and future works take place in section 5.

2

AES standard

Figure 1: AES algorithm (credits: Enrique Zabala) The Rijndael AES algorithm [DR98] is a secret-key block cipher accepted for standard by NIST [Sta01]. It is a Substitution-Permutation Network (SPN) block cipher whose operations are based on binary extension fields. It processes a 128-bit plaintext and a key that can have 128, 192 or 256 bits to produce a 128-bit ciphertext. In this paper, we only consider a 128-bit key AES. The AES encryption algorithm is divided into two 2

processes: datapath and “KeySchedule”. The words processed by these two parts are viewed as two 4x4 matrices of bytes called states. As you can see on figure 1, AES has an iterative structure. The datapath is a sequence of ten sub-processes called rounds. A regular round is composed of four transformations called “SubBytes”, “ShiftRows”, “MixColumns” and “AddRoundKey”. Before the first round, an AddRoundKey between the key and the data is performed. The last round uses all but the MixColumns tranformation. SubBytes transformation is a non-linear byte substitution that operates independently on each byte of the state using a substitution table (S-box). ShiftRows transformation is a cyclic permutation on the state rows. MixColumns is a matrix product of the current state S by a constant matrix C over GF (28 ):     s0 ,0 s0 ,1 s0 ,2 s0 ,3 02 03 01 01 01 02 03 01 s1 ,0 s1 ,1 s1 ,2 s1 ,3     C•S=  01 01 02 03 • s2 ,0 s2 ,1 s2 ,2 s2 ,3  s3 ,0 s3 ,1 s3 ,2 s3 ,3 03 01 01 02 The AddRoundKey transformation adds (using a bitwise XOR) the round data to the round key processed by the “KeySchedule”. Each round key is derived from the previous one through the operation described on figure 2. The first round key (round key 0) is the secret key (for a 128-bit long key). For each round two transformations, RotWord and SubBytes are applied to the last column of the round key state. This column is then added to a round constant (RCon). The next round key state is obtained columnwise: the next first column is the result of a XOR operation between this modified column and the former first one. Each following column of the former state is added with the column computed just before. RCon

Round key

RotWord

D7

01

D6

D6

D2

DA

AB

00

AB

AA

AF

A6

76

00

76

74

72

78

FE

00

FE

FD

FA

F1

00 04 08 0C

00

04

08

0C

01 05 09 0D

01

05

09

0D

02 06 0A 0E

02

06

0A

0E

03 07 0B 0F

03

07

0B

0F

SubBytes

00 04 08 0C

0C

0D

D7

D6

D2

DA

D6

D6 D2 DA D6

01 05 09 0D

0D

0E

AB

AA

AF

A6

AB

AA AF A6 AB

02 06 0A 0E

0E

0F

76

74

72

78

76

74 72 78 76

03 07 0B 0F

0F

0C

FE

FD

FA

F1

FE

FD FA F1 FE

SBOX

Figure 2: RotWord and SubBytes applied to the last column of the round key (left), computation of the next Round Key (right)

3

3

AES implementations

In all the following implementations, data is latched after AddRoundKey in the datapath process. In the KeySchedule, memorization is performed at the end of each round key computation. ShiftRows is a cyclic permutation of the state bytes, thus its implementation just crosses wires, and AddRoundKey is a bitwise XOR addition. Therefore, it seems difficult to optimize the hardware descriptions of these transformations. Consequently, in the following, we will focus only on SubBytes and MixColumns transformations. These implementations have been chosen as they are the best trade-offs between size and speed, and are suitable for embedded devices.

3.1

SubBytes implementations

SubBytes is used both in AES datapath and KeySchedule. Three different S-Box implementations have been tested: the first computes the result thanks to a Look-Up Table (LUT), the second leads to an ”and-or tree”, and the third uses the fact that the finite field GF (28 ) is an extension of GF (24 ). 3.1.1

LUT

This implementation gives directly the result of a S-Box computation. In this version, the S-Box input byte is represented as ’xy’, where ’x’ and ’y’ denote respectively the 4 most- and the 4 least-significant bits. The output byte is at row ’x’ and column ’y’ of a table given in the standard [Sta01]. 3.1.2

And-or tree

This structure is divided in two parts. The first part computes the 256 possible combinaisons from the eight S-Box input bits, thanks to AND logical gates (noted ’.’). Let’s note b7 b6 b5 b4 b3 b2 b1 b0 , a S-Box input byte, and Vj , the ANDing of each bit of this byte of decimal value j. Thus, the first part computes V255 , V254 , ..., V0 (respectively b7 . b6 . b5 . b4 . b3 . b2 . b1 . b0 , b7 . b6 . b5 . b4 . b3 . b2 . b1 . b0 , ..., b7 . b6 . b5 . b4 . b3 . b2 . b1 . b0 ). Let’s note SBV (i) the set of different values of S-Box input byte, such that S-Box output bit i is equal to 1. The second part fills each set SBV (i) with an ORing of 128 Vj values. Thus, if one of the elements Vj is equal to 1, the output will also be set to 1. 3.1.3

Operations in GF (24 )

In this structure, presented in [WOL02], an element a ∈ GF (28 ) is represented as a linear polynomial with coefficients in GF (24 ), a ∼ = ah .x + al , a ∈ GF (28 ), ah , al ∈ GF (24 ) and will be denoted by the pair [ah , al ]. Both coefficients of such a polynomial have four bits. Addition of two-term polynomials is performed coefficient-wise. Multiplication and inversion of two-term polynomials require a modular reduction step to ensure that the result is a two-term polynomial too. The irreducible polynomial needed for the modular 4

reduction is given by n(x) = x2 + x + e. The multiplication of two-term polynomials involves multiplications in GF (24 ) which requires an irreducible polynomial of degree 4 which is m4 (x) = x4 + x + 1. The structure which results from these formulations is given in figure 3. In this figure, the component “map” allows the transition into GF (24 ). “⊕” denotes an addition in GF (24 ), “∧ − 1” an inversion in GF (24 ), and “⊗” a multiplication in GF (24 ). These two latters must be computed with respect to m4 (x). “∧ 2” and “⊗e” are two special cases of the GF (24 ) multiplication component. “map−1 ” executes the inverse transition of map, to come back into GF (28 ). This kind of transformation can also be applied to MixColumns. a

a

ah

4

map

b 8

8

8

map ah al

al

4

4

∧2

∧2

⊗

⊗{e}

⊕

⊕

map bh bl

4

4

⊕

⊕

4

⊕ ⊗

⊗

⊗

∧ -1

⊗ a0h

map−1

⊗{e} ⊗

⊕

a0l

ch

⊕ map−1

cl

8

8

a−1

c

Figure 3: S-Box (left) and MixColumns (right) using operators in GF (24 )

3.2

MixColumns implementations

In AES encryption scheme, multiplications in GF (28 ) are computed with three different values: ’01’, ’02’ and ’03’. A byte, named b, can be noted in its polynomial form: b(x) = b7 .x7 + b6 .x6 + b5 .x5 + b4 .x4 + b3 .x3 + b2 .x2 + b1 .x + b0 . Four different structures for multiplications are shown: one of them uses operations in GF (24 ), two are based on the addition, conditional or not, of the polynomial m(x) defined in the AES standard, the last one computes directly each multiplication output bit by classical reduction. 3.2.1

Operations in GF (24 )

In this structure, two elements a and b ∈ GF (28 ) (defined by the irreducible polynomial m(x) = x8 + x4 + x3 + x + 1) are represented as a linear polynomial with coefficients in GF (24 ), a ∼ = ah + al , (respectively b ∼ = bh + bl ), a ∈ GF (28 ) (b ∈ GF (28 )), ah , al 4 4 ∈ GF (2 ) (bh , bl ∈ GF (2 )), and will be denoted by the pairs [ah , al ] and [bh , bl ]. If two 5

input bytes a and b are multiplied in this representation, a multiplication over GF (28 ) can be accomplished by means of 3 general multiplications, 4 additions and one constant multiplication, all over GF (24 ) [SU96]. The structure resulting from these formulations is given in figure 3. It is built with the same basis components than the S-Box based on operations in GF (24 ). 3.2.2

Conditional addition

Multiply a byte by ’01’ keeps the byte value. Multiply a byte by ’02’ is equivalent to multiply the byte in polynomial form by x: x.b(x) = b7 .x8 + b6 .x7 + b5 .x6 + b4 .x5 + b3 .x4 + b2 .x3 + b1 .x2 + b0 .x. The result of this multiplication can be obtained by reducing it modulo m(x) = x8 + x4 + x3 + x + 1, that is 1{1b} in hexadecimal. If b7 = 0, the result is already in reduced form. If b7 = 1, the reduction is accomplished by substracting the polynomial m(x). It follows that multiplication by ’02’ can be implemented at byte level as a left shift and a subsequent conditional bitwise XOR with ’1b’. This operation on bytes is denoted by xtime() in the AES standard. A byte multiplication by ’03’ can be computed thanks to: 03.b(x) = (02 ⊕ 01).b(x) = 02.b(x) ⊕ 01.b(x) = 02.b(x) ⊕ b(x). Thus, multiplication by ’03’ can be calculated using one xtime() component. 3.2.3

Non-conditional addition

In the previous version, xtime() component computes multiplication with conditional addition of ’1b’ in hexadecimal notation. This conditional addition can be avoided. Multiplication by ’02’ can be substituted by a sum of two intermediate values named mix2 and carr. mix2 left shifts the input byte, and fill it with a 0 00 : mix2 = b6 b5 b4 b3 b2 b1 b0 0. carr is equal to ’1b’ if b7 is equal to 1, 0 otherwise: carr = 000b7 b7 0b7 b7 . Thus, byte multiplication by ’02’ can be achieved by XORing these two values: 02.b = mix2 ⊕ carr = b6 b5 b4 b3 b2 b1 b0 0 ⊕ 000b7 b7 0b7 b7 . Byte multiplication by ’03’ leads to: 03.b = 02.b ⊕ b = (mix2 ⊕ carr) ⊕ b. 3.2.4

Classical reduction

This multiplier version processes the inputs in polynomial form. Thus, if two operands a and b are multiplied in their respective polynomial form a(x) and b(x), it leads to: a(x) • b(x) = (a7 .x7 + ... + a0 .x0 ) • (b7 .x7 + ... + b0 .x0 ) = a7 .b7 .x14 + ... + a0 .b0

(1)

The polynomial terms of degree greater than or equal to 8 have to be reduced thanks to m(x): x8 = x.x7 = x4 + x3 + x + 1, ..., x14 = x7 + x4 + x3 + x. If the different powers of x are replaced in (1), it can be obtained: a(x) • b(x) = a7 .b7 .(x7 + x4 + x3 + x) + ... + a0 .b0 .x0 = K7 .x7 + ... + K0 =

7 X i=0

6

(Ki .xi )

SubBytes

Look-up table (LUT)

And-or tree

Operations in GF (24 )

MixColumns Conditional addition Non-conditional addition Classical reduction Operations in GF (24 ) Conditional addition Non-conditional addition Classical reduction Operations in GF (24 ) Conditional addition Non-conditional addition Classical reduction Operations in GF (24 )

Total Area (mm2 ) 1281 1288 1284 1397 1220 1224 1215 1341 810 804 803 916

Critical delay (ns) 12.77 13.21 13.68 18.45 13.75 13.30 13.01 18.71 23.17 23.12 22.85 28.27

Table 1: Area of different AES implementations Thus, each multiplication output bit Ki can be computed separately.

3.3

Area of different implementations

Different AES implementations using the previously shown SubBytes and MixColumns structures have been synthesized. An ASIC digital standard cells library has been used, which is “C35 CORELIB” from AMS. Each synthesis was done by Synopsys Design Vision, with “medium-effort” constraint. The total area is the sum of combinational, noncombinational, and net interconnect areas. The results are listed in table 1. This table shows that all the structures which implement SubBytes using operations in GF (24 ) are smaller. However, for each different SubBytes structure, the implementation of MixColumns using operations in GF (24 ) increases the total area of the circuit. The other MixColumns structures need less gates. Moreover, the implementation of components based on GF (24 ) operations increases the critical delay. These results about AES implementations match previous works [WOL02][SU96].

4

Delay analysis

Our fault model is based on a glitch on the power supply. A delay is added to the whole circuit, affecting all propagation paths. Indeed, some paths will exceed the clock period and latch incorrect result. If the clock is generated internally (PLL), a glitch can have a similar effect if the perturbation does not occur during a raise or a fall of this internal clock.

7

SubBytes Look-up table (LUT) And-or tree Operations in GF (24 ) Look-up table (LUT) And-or tree Operations in GF (24 ) Look-up table (LUT) And-or tree Operations in GF (24 ) Look-up table (LUT) And-or tree Operations in GF (24 )

MixColumns Conditional addition

Non-conditional addition

Classical reduction

Operations in GF (24 )

Attack Frame (ns) 1.76 1.91 2.39 1.39 1.59 1.65 0.88 1.08 2.15 7.39 7.00 7.43

Table 2: Attack frames of our AES implementations We computed the delays of several AES implementations based on the blocks presented in section 3. We considered circuit delays before “place and route”, with estimation of interconnection delays included in the gate delay model. For each gate, we took the mean between the typical delays for raise and fall.

4.1

Fault location of delay faults

In AES, the datapath theorically requires more operations than the KeySchedule. So, the delays of the datapath bits are higher than the KeySchedule ones. When injecting a delay on the overall circuit, it is the datapath bits that will be perturbated first. If the delay is sufficient, the KeySchedule ones will also be perturbated. In these cases, it is possible to disturb only some datapath bits but not KeySchedule ones only. This leads to consider attacks on the datapath only. For example, the second attack described in [Gir04] or the one in [CY03], that require KeySchedule fault injections, will not be suitable on these implementations by delay faults. To disturb only the datapath bits, we need some accuracy in the amount of added delay. We computed the differences between the maximum of the delays of the datapath and the maximum of the delays of the KeySchedule. These differences are noted “Attack Frame” in table 2. These values do not give the capability to inject a fault on one desired bit. They only point out the accuracy required to inject at least one fault on the datapath. The datapath uses MixColumns, while KeySchedule does not: that is why attack frames are usually similar given a MixColumns. For example, the MixColumns with operations in GF (24 ) are slow and the delay added on the datapath is high. A delay added on these circuits, even inaccurate in duration, could touch only the bits of the datapath.

8

SB

LUT

And-or

GF (24 )

MC Cond. Non-cond. Reduc. GF (24 ) Cond. Non-cond. Reduc. GF (24 ) Cond. Non-cond. Reduc. GF (24 )

Bit 0 12.54 12.87 13.13 16.43 12.68 13.07 12.26 17.05 22.60 22.84 22.48 26.88

Bit 1 12.53 12.77 13.19 17.45 12.67 12.88 12.63 18.14 22.71 23.12 22.72 27.62

Bit 2 11.98 12.65 13.17 17.48 12.45 12.84 12.95 18.09 22.06 22.29 21.82 27.68

Bit 3 12.32 12.78 13.20 16.98 12.85 13.30 13.01 18.11 22.93 23.12 22.77 28.13

Bit 4 12.77 12.82 13.35 18.11 13.75 13.25 12.82 18.27 23.17 23.12 22.78 28.27

Bit 5 11.71 12.68 12.74 17.79 11.98 12.03 12.05 18.10 21.96 23.03 22.85 27.98

Bit 6 11.80 13.17 13.68 17.34 12.27 12.03 12.18 17.67 21.99 23.00 22.85 27.39

Bit 7 11.94 13.21 13.20 18.45 12.72 12.89 12.22 18.71 23.08 23.12 22.66 28.16

Diff. 0.23 0.03 0.33 0.34 0.90 0.05 0.06 0.44 0.09 0.00 0.00 0.11

Table 3: Max delays of bits of each datapath byte (in ns) However, for the MixColumns on classical reduction, frames are not similar. The synthesizer performed optimizations in order to reuse some computations of the SubBytes for the MixColumns because we made a flatten synthesis. The design with the LUT adds only 0.88 ns on the datapath, when the design with GF (24 ) adds 2.15 ns. So, these frames show the delay added by MixColumns but take into account the “optimization compatibility” between the two designs.

4.2

Sensitivity of bits

Some attacks on datapath assume a fault model with at most one faulty bit by byte before the last SubBytes [Gir04]. For each design, we computed the maximum of the delay on each bit in order to see if some bits are more sensitive. The results are shown in table 3, the last column is the difference between the two highest maxima. When a bit number has a greater maximum delay than all others, this means that it is possible to induce a delay that will disturb at most this bit on all bytes. Regarding to attacks with this fault model, the safer SubBytes is the one with operations in GF (24 ) and the safer MixColumns uses the non-conditionnal addition. The SubBytes with LUT is almost always quite sensitive, while the one with the and-or tree is very sensitive or not, depending on the MixColumns. This analysis has to be performed bytewise to find out if all the bytes can be attacked. At last, the remaining secret is no longer 128-bit long. [BK06] also requires one faulty bit, but located at the output of the SubBytes. The tested structures do not enable the attacker to get this model with delay faults.

9

16.92 17.83 18.04 17.29 0.21 1.12

LUT 16.80 16.81 18.07 18.07 18.45 18.44 17.44 17.43 0.39 0.37 1.65 1.63

16.52 17.64 16.68 17.62 0.02 1.12

18.23 17.62 17.59 18.71 0.47 1.11

And-or Tree 17.36 17.36 18.02 18.02 18.11 18.11 17.96 17.93 0.09 0.09 0.75 0.75

16.98 17.17 17.37 16.27 0.21 1.10

26.50 27.37 28.27 28.16 0.12 1.77

GF (24 ) 26.10 26.10 27.69 27.69 28.15 28.15 27.50 27.49 0.46 0.46 2.05 2.05

26.98 27.27 26.77 27.90 0.63 1.13

Table 4: Max delays of bytes on datapath for MixColumns with GF (24 ) (in ns) and relevant differences for known attacks

4.3

Sensitivity of bytes

Due to the AES structure, there are attacks that use faults on one or more bytes of columns. The attack described in [PQ03] needs a single faulty byte on a column to recover the corresponding key bytes. Another attack that uses faults on bytes [MSS06] assumes a perturbation on 2 or 3 bytes. For the circuits with MixColumns in GF (24 ), the results are shown in table 4. The two last lines present the difference between the two highest delay of a column (attack of [PQ03]) and the difference between the highest and the lowest (attack of [MSS06]). The MixColumns with operations in GF (24 ) is the most sensitive to attacks on byte using delay faults. The sensitivities of other MixColumns (not shown) are similar, even if the non-conditionnal addition MixColumns is a bit better. Some SubBytes performed well with a given MixColumns, but there are not trends on the sensitivity of SubBytes.

5

Conclusion

In this paper, the robustness of several AES implementations against the delay fault model has been discussed. Three SubBytes and four MixColumns structures were analyzed. The SubBytes proposed by [WOL02] that uses operations in GF (24 ) is not only the smallest but also the most robust towards delay faults at bit as well as byte level. The two other implementations have about the same number of gates; the LUT one seems less sensitive against byte-oriented attacks while the and-or tree performances depend on the associated MixColumns. Contrary to the SubBytes, the MixColumns implementation using operations in GF (24 ) induces more area as well as more security flaws (mainly at byte level). Performances of other implementations are quite similar, even if the sensitivity of the nonconditionnal addition MixColumns seems lower. Moreover, attacks based on a one-bit fault can be relevant, depending of the accuracy of the added delay. Therefore, designers have to take into account the fact that such a

10

fault model is physically suitable. Future works will be a further analysis on other possible flaws on these implementations, as well as an analysis of protected AES schemes based on the same structure. Other AES structures will also be studied and other ciphers (DES, RSA, ECC) will be considered.

References [BDL97]

Dan Boneh, Richard A. DeMillo, and Richard J. Lipton. On the importance of checking cryptographic protocols for faults. Lecture Notes in Computer Science, 1233:37–51, 1997.

[BECN+ 04] Hagai Bar-El, Hamid Choukri, David Naccache, Michael Tunstall, and Claire Whelan. The sorcerer’s apprentice guide to fault attacks. Cryptology ePrint Archive, Report 2004/100, 2004. [BK06]

Johannes Bl¨ omer and Volker Krummel. Fault based collision attacks on aes. In Luca Breveglieri, Israel Koren, David Naccache, and Jean-Pierre Seifert, editors, FDTC, volume 4236 of Lecture Notes in Computer Science, pages 106–120. Springer, 2006.

[BS97]

Eli Biham and Adi Shamir. Differential fault analysis of secret key cryptosystems. In Burton S. Kaliski Jr., editor, Advances in Cryptology CRYPTO ’97, 17th Annual International Cryptology Conference, Santa Barbara, California, USA, August 17-21, 1997, Proceedings, volume 1294 of Lecture Notes in Computer Science, pages 513–525. Springer, 1997.

[BS03]

J. Blomer and J.P. Seifert. Fault Based Cryptanalysis of the Advanced Encryption Standard (AES). Seventh International Financial Cryptography Conference (FC 2003), 2003.

[CY03]

Chien-Ning Chen and Sung-Ming Yen. Differential fault analysis on AES key schedule and some countermeasures. In R. Safavi-Naini and J. Seberry, editors, Information Security and Privacy − ACISP 2003, volume 2727 of Lecture Notes in Computer Science, pages 118–129. Springer, 2003.

[DLV03]

P. Dusart, G. Letourneux, and O. Vivolo. Differential fault analysis on a.e.s. Cryptology ePrint Archive, Report 2003/010, 2003. http://eprint.iacr.org/.

[DR98]

J. Daemen and V. Rijmen. Aes proposal: Rijndael, 1998.

[FTFB07]

Olivier Faurax, Assia Tria, Laurent Freund, and Fr´ed´eric Bancel. Robustness of circuits under delay-induced faults : test of aes with the pafi tool. In 13th IEEE International On-Line Testing Symposium (IOLTS 2007), 8-11 July 2007, Heraklion, Crete, Greece, pages 185–186. IEEE Computer Society, 2007. 11

[Gir04]

Christophe Giraud. Dfa on aes. In Hans Dobbertin, Vincent Rijmen, and Aleksandra Sowa, editors, Advanced Encryption Standard - AES, 4th International Conference, AES 2004, Bonn, Germany, May 10-12, 2004, Revised Selected and Invited Papers, volume 3373 of Lecture Notes in Computer Science, pages 27–41. Springer, 2004.

[LR87]

C.J. Lin and SM Reddy. On Delay Fault Testing in Logic Circuits. Computer-Aided Design of Integrated Circuits and Systems, IEEE Transactions on, 6(5):694–703, 1987.

[MSS06]

Amir Moradi, Mohammad T. Manzuri Shalmani, and Mahmoud Salmasizadeh. A generalized method of differential fault attack against aes cryptosystem. In Louis Goubin and Mitsuru Matsui, editors, CHES, volume 4249 of Lecture Notes in Computer Science, pages 91–100. Springer, 2006.

[PQ03]

Gilles Piret and Jean-Jacques Quisquater. A differential fault attack technique against spn structures, with application to the aes and khazad. In Cryptographic Hardware and Embedded Systems − CHES 2003, volume 2779 of Lecture Notes in Computer Science, pages 77–88. Springer, 2003.

[SA02]

S. Skorobogatov and R. Anderson. Optical fault induction attacks. In Cryptographic Hardware and Embedded Systems − CHES 2002, volume 2523 of Lecture Notes in Computer Science, pages 2–12. Springer, 2002.

[Sta01]

N.F. Standard. Announcing the ADVANCED ENCRYPTION STANDARD (AES). Federal Information Processing Standards Publication, 197, 2001. http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf.

[SU96]

E. Soljanin and R. Urbanke. An Efficient Architecture for Implementation of a Multiplier and Inverter in GF (28 ). Bell-Labs Technical Memo, BLO11217960308-O8TM, 1996.

[WOL02]

J. Wolkerstorfer, E. Oswald, and M. Lamberger. An ASIC implementation of the AES SBoxes. Proc. RSA Conference, 2002.

[YJ00]

Sung-Ming Yen and Marc Joye. Checking before output may not be enough against fault-based cryptanalysis. IEEE Trans. Comput., 49(9):967–970, 2000.

12