Comprehensive Laser Sensitivity Profiling and Data Register Bit-Flips for Cryptographic Fault Attacks in 65 Nm FPGA

  • Wei HeEmail author
  • Jakub Breier
  • Shivam Bhasin
  • Dirmanto Jap
  • Hock Guan Ong
  • Chee Lip Gan
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10076)


FPGAs have emerged as a popular platform for security sensitive applications. As a practical attack methodology, laser based fault analyses have drawn much attention in the past years due to its superior accuracy in fault perturbation into security-critical Integrated Circuits (ICs). However, due to the insufficient device information, the practical injections work are not so efficient as expected. In this paper, we thoroughly analyze the laser fault injections to data flip-flops, instead of the widely studied configuration memory bits, of a modern nanoscale FPGA. A profiling campaign based on laser chip scan is performed on an exemplary 65 nm Virtex-5 FPGA, through the delayered silicon substrate, to identify the laser sensitivity distribution of the resource array and the fundamental logic cells. The sophisticated flip-flop bit flips are realized by launching fine-grained laser perturbations on an identified Configurable Logic Block (CLB) region. The profiled laser fault sensitivity map to FPGA resource significantly facilitate high-precision logic navigation and fault injection in practical cryptographic fault attacks. We show that the observed single- and multiple-bit faults are compatible with most proposed differential or algebraic fault analyses (DFA/AFA). Finally, further discussions on capability of reported fault models to bypass fault countermeasures like parity and dual-rail logic are also given.


Cryptographic fault attack Laser fault injection Data bit-flip FPGA 


  1. 1.
    Agoyan, M., Dutertre, J.M., Mirbaha, A.P., Naccache, D., Ribotta, A.L., Tria, A.: Single-bit DFA using multiple-byte laser fault injection. In: 2010 IEEE International Conference on HST, pp. 113–119 (2010)Google Scholar
  2. 2.
    Alderighi, M., Casini, F., d’Angelo, S., Mancini, M., Pastore, S., Sechi, G.R.: Evaluation of single event upset mitigation schemes for sram based FPGAs using the FLIPPER fault injection platform. In: 22nd IEEE International Symposium on Defect and Fault-Tolerance in VLSI Systems, DFT 2007, pp. 105–113. IEEE (2007)Google Scholar
  3. 3.
    Anderson, R.: Security engineering: A guide to building dependable distributed systems (2001)Google Scholar
  4. 4.
    Biham, E., Shamir, A.: Differential fault analysis of secret key cryptosystems. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 513–525. Springer, Heidelberg (1997). doi: 10.1007/BFb0052259 CrossRefGoogle Scholar
  5. 5.
    Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of eliminating errors in cryptographic computations. J. Cryptology 14(2), 101–119 (2001)MathSciNetCrossRefzbMATHGoogle Scholar
  6. 6.
    Breier, J., Jap, D.: Testing feasibility of back-side laser fault injection on a microcontroller. In: Proceedings of the WESS 2015, pp. 5:1–5:6 (2015)Google Scholar
  7. 7.
    Canivet, G., Maistri, P., Leveugle, R., Cldire, J., Valette, F., Renaudin, M.: Glitch and laser fault attacks onto a secure AES implementation on a SRAM-based FPGA. J. Cryptology 24(2), 247–268 (2011)CrossRefzbMATHGoogle Scholar
  8. 8.
    Courbon, F., Loubet-Moundi, P., Fournier, J.J.A., Tria, A.: Adjusting laser injections for fully controlled faults. In: Prouff, E. (ed.) COSADE 2014. LNCS, vol. 8622, pp. 229–242. Springer, Heidelberg (2014). doi: 10.1007/978-3-319-10175-0_16 Google Scholar
  9. 9.
    Courtois, N.T., Jackson, K., Ware, D.: Fault-algebraic attacks on inner rounds of des. In: e-Smart’10 Proceedings: The Future of Digital Security Technologies (2010)Google Scholar
  10. 10.
    Dutertre, J.M., Mirbaha, A.P., Naccache, D., Tria, A.: Reproducible single-byte laser fault injection. In: 2010 Conference on PRIME, pp. 1–4 (2010)Google Scholar
  11. 11.
    Green, M.A.: Self-consistent optical parameters of intrinsic silicon at 300 k including temperature coefficients. Solar Energy Mater. Solar Cells 92(11), 1305–1310 (2008)CrossRefGoogle Scholar
  12. 12.
    Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). doi: 10.1007/3-540-48405-1_25 CrossRefGoogle Scholar
  13. 13.
    Kömmerling, O., Kuhn, M.G.: Design principles for tamper-resistant smartcard processors. Smartcard 99, 9–20 (1999)Google Scholar
  14. 14.
    Lima Kastensmidt, F., Tambara, L., Bobrovsky, D.V., Pechenkin, A.A., Nikiforov, A.Y.: Laser testing methodology for diagnosing diverse soft errors in a nanoscale sram-based fpga. Nucl. Sci. IEEE Trans. 61(6), 3130–3137 (2014)CrossRefGoogle Scholar
  15. 15.
    Maurine, P.: Techniques for em fault injection: equipments and experimental results. In: 2012 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp. 3–4. IEEE (2012)Google Scholar
  16. 16.
    Pouget, V., Douin, A., Lewis, D., Fouillat, P., Foucard, G., Peronnard, P., Maingot, V., Ferron, J., Anghel, L., Leveugle, R., Velazco, R.: Tools and methodology development for pulsed laser fault injection in SRAM-based FPGAs. In: 8th LATW 2007), p. Session 8. IEEE Computer Society, Cuzco, Peru (2007)Google Scholar
  17. 17.
    Quisquater, J.J., Samyde, D.: Eddy current for magnetic analysis with active sensor. In: Esmart 2002, Nice, France (2002)Google Scholar
  18. 18.
    Roscian, C., Dutertre, J.M., Tria, A.: Frontside laser fault injection on cryptosystems - Application to the AES’ last round. In: 2013 IEEE International Symposium on HOST, pp. 119–124 (2013)Google Scholar
  19. 19.
    Roscian, C., Sarafianos, A., Dutertre, J.M., Tria, A.: Fault model analysis of laser-induced faults in SRAM memory cells. In: 2013 Workshop on FDTC, pp. 89–98 (2013)Google Scholar
  20. 20.
    Schmid, P.E.: Optical absorption in heavily doped silicon. Phys. Rev. B 23, 5531–5536 (1981)CrossRefGoogle Scholar
  21. 21.
    Selmke, B., Brummer, S., Heyszl, J., Sigl, G.: Precise laser fault injections into 90nm and 45nm SRAM-cells. In: CARDIS, pp. 1–13 (2015)Google Scholar
  22. 22.
    Trimberger, S.M., Moore, J.J.: Fpga security: Motivations, features, and applications. Proc. IEEE 102(8), 1248–1265 (2014)CrossRefGoogle Scholar
  23. 23.
    Tunstall, M., Mukhopadhyay, D., Ali, S.: Differential fault analysis of the advanced encryption standard using a single fault. In: Ardagna, C.A., Zhou, J. (eds.) WISTP 2011. LNCS, vol. 6633, pp. 224–233. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-21040-2_15 CrossRefGoogle Scholar
  24. 24.
    Wang, H., Liu, X., Zhang, Z.: Absorption coefficients of crystalline silicon at wavelengths from 500 nm to 1000 nm. Int. J. Thermophys. 34(2), 213–225 (2013)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Wei He
    • 1
    • 4
    Email author
  • Jakub Breier
    • 1
    • 4
  • Shivam Bhasin
    • 1
    • 4
  • Dirmanto Jap
    • 1
    • 2
  • Hock Guan Ong
    • 3
    • 4
  • Chee Lip Gan
    • 3
    • 4
  1. 1.Lab of Physical Analysis and Cryptographic EngineeringNanyang Technological UniversitySingaporeSingapore
  2. 2.School of Physical and Mathematical SciencesNanyang Technological UniversitySingaporeSingapore
  3. 3.School of Materials Science and EngineeringNanyang Technological UniversitySingaporeSingapore
  4. 4.Temasek LaboratoriesNanyang Technological UniversitySingaporeSingapore

Personalised recommendations