

181

An Embedded Digital Sensor Against EM and BB Fault Injection

> David El-Baze, Jean-Baptiste Rigaud, Philippe Maurine







- Context
- Fault Model
- Detector Design
- EM and BB Detection Results
- Optimisation
- Next Steps
- Conclusion



[1] A. Dehbaoui et al. Injection of transient faults using electromagnetic pulses - Practical results on a cryptographic system, IACR 2012

- [2] K. Tobich et al. Yet Another Fault Injection Technique: by Forward Body Biasing Injection
- [3] S. P. Skorobogatov et R. J. Anderson Optical fault induction attacks, CHES 2002
- [4] L. Zussa et al. "Efficiency of a glitch detector against electromagnetic fault injection," in Proceedings of DATE 2014
- [5] Possamai Bastos et al. A bulk built-in sensor for detection of fault attacks. In HOST 2013





- Context
- Fault Model
- Detector Design
- EM and BB Detection Results
- Optimisation
- Next Steps
- Conclusion



• D-type Flip Flops are one of the most sensitive gates against ElectroMagnetic Attacks [6]



Windows where D-type Flip Flop are the most sensitive.

[6] S. Ordas, CARDIS 2014, PHISIC 2015, FDTC 2015

CryptArchi 2016 - La Grande Motte



• D-type Flip Flops are one of the most sensitive gates against ElectroMagnetic Attacks [6]



Windows where DFF of the detector are the most sensitive.Windows where DFF of the protected circuit are the most sensitive.

[6] S. Ordas, CARDIS 2014, PHISIC 2015, FDTC 2015

CryptArchi 2016 – La Grande Motte





- Context
- Fault Model
- Detector Design
- EM and BB Detection Results
- Optimisation
- Next Steps
- Conclusion







- 4 self looped DFFs
- Specific initialisation values
- A set and a reset network



Cover all the transitions and phase opposition











### **EM & BB Test Bench**







### **Test Bench**

| FPGA (Xilinx)   | Tech. Node | Frequency (Period) | # of detectors |
|-----------------|------------|--------------------|----------------|
| Virtex 5        | 65 nm      | 100 MHz (10ns)     | 36             |
| Virtex II Pro   | 90 nm      | 100 MHz (10ns)     | 34             |
| Spartan 3E 1600 | 90 nm      | 50 MHz (20ns)      | 36             |



- 34 detectors regulary spreading
- AES as a circuit to protect
- UART as communication system





- Context
- Fault Model
- Detector Design
- EM and BB Detection Results
- Optimisation
- Next Steps
- Conclusion





#### **EM Results**



Probability to inject a fault in AES or in detectors Spartan3 1600E / 50 Mhz

CryptArchi 2016 - La Grande Motte





- **GP** (Good Position) : # of positions where the detectors are efficient : the detection could block the output of the cipher (faulted or not).
- **BP** (Bad Position) : # of positions where the AES can be faulted without triggering alarm.
- SR (Success Rate) : Ratio of Good Positions over the total # of active positions = where something happens.

$$SR = \frac{GP}{GP + BP}$$



- Wide Detection Area, no sensor detection range.

SR = 94%

CryptArchi 2016 – La Grande Motte







Successful attacks not detected : 47/467 = 10%

NSPIRING



- Wide Detection Area, NO undetected faults.

SR = 100%

CryptArchi 2016 – La Grande Motte







Table summarizing the success rates by attack and model of FPGA:

|               | Injection at rising edge |          |                  | Injection at falling edge |          |                  |
|---------------|--------------------------|----------|------------------|---------------------------|----------|------------------|
|               | Spartan3<br>1600E        | Virtex 5 | Virtex II<br>Pro | Spartan3<br>1600E         | Virtex 5 | Virtex II<br>Pro |
| EM Front-side | 78 %                     |          |                  | 88 %                      |          |                  |
| EM Back-side  |                          | 94 %     | 86 %             |                           | 95 %     | 94 %             |
| RBBI          |                          | 100 %    | 100 %            |                           | 100 %    | 100 %            |





- Context
- Fault Model
- Detector Design
- EM and BB Detection Results
- Optimisation
- Next Steps
- Conclusion







Virtex 5 Floorplan. Colors means number of triggering per sensor for a full map.





# of injections detected by detector



Selecting the most active detector





# of injections detected by detector



 Generation of the histogram of activity by ignoring the attacks detected by the previous sensors "fixed"





# of injections detected by detector



• Iterate again until all the detections are catched.





• Results of optimisation against EM Injections:

- 11 detectors / 36 are enough to detect a the attacks









- Tests against Power Glitches Injections (finalizing the experiments)
- Tests against Laser Injections
- Development of a Test Chip (ASIC).





### Conclusion

- Proposal of an enhanced detector
  - Fully Digital and fully compliant with ASIC design flow
  - Small : 35 nand eq. / detector
- Efficient against at least two injection fault methods:
  - ElectroMagnetic Injections
  - Body-Biasing Injections
  - Power Glitch Injections (First results being analyzed)



### Thank you !