Abstract
Fault injection attacks on cryptographic modules pose significant threats. However, conventional fault injection methods typically require physical access to the target device. This study proposes a novel fault injection method utilizing intentional electromagnetic interference (IEMI) to induce temporary faults in cryptographic modules without intrusion, proximity, or synchronization with the encryption process. The proposed method carefully selected a frequency that could induce faults sorely in the target cryptographic modules without disrupting other modules in the device. Furthermore, faults suitable for secret key analysis were efficiently generated even when EM waves were injected asynchronously into the cryptographic operation. To demonstrate the effectiveness of the proposed method, an experiment was conducted in which EM waves were irradiated from an antenna positioned 2 m from a cryptographic device with an advanced encryption standard (AES) implementation, inducing faults. The secret key was successfully retrieved by applying differential fault analysis (DFA) to the obtained faulty ciphertexts. In addition, the fault occurrence mechanism was elucidated by monitoring the electrical variations in the cryptographic module caused by IEMI. The proposed method can be applied to devices previously believed to be immune to fault injection attack threats owing to challenges associated with conventional scenarios. This suggests a wider range of applicability for addressing security concerns in such devices. Consequently, even devices already in circulation could become susceptible to these threats, highlighting the need to implement measures to protect such equipment against potential attacks. In our strategy to counteract this threat, we suggest and showcase the capability to significantly reduce the transmission efficiency of EM waves by broadening the concept of EM shielding. This, in turn, significantly decreases the occurrence rate of faults. Finally, we delve into the applicability of the proposed fault injection method to different secret key analysis methods and the limitations of the method in alternative attack scenarios.
Similar content being viewed by others
Avoid common mistakes on your manuscript.
1 Introduction
Fault injection attacks on cryptographic modules have evolved as a powerful offensive technique, undergoing numerous evaluations and refinements over time. Initially, attackers inject faults into the encryption processes to extract secret information from multiple faulty ciphertexts. These attacks were first focused on public key cryptosystems but have expanded to include symmetric key cryptosystems in a refined manner [8].
Thenceforth, numerous variations and countermeasures for fault injection attacks have been presented, with the continuous development of innovative propositions continuing to emerge in the present day [3, 7, 47], all characterized by a refined approach. Fault injection attacks have expanded to encompass easy-to-handle devices like smart cards, mobile phones [6, 12, 48], and security mechanisms used in servers and clouds [34, 38]. In recent years, cryptocurrency wallets have been hacked through fault injection attacks, significantly impact on society [41].
Fault injection methods are being considered to evaluate their potential in response to these attacks and to develop countermeasures. For example, methods, such as optical emission [50] and laser shots [9] can be used to attack by stripping the surface of the encryption module and operating close to the module. These techniques can cause local faults and extract the secret key inside the module. However, performing these without leaving traces of the attack is challenging because it requires opening the package or getting close to the module [2].
Further, under-powering or over-clocking can cause a fault in the setup time without damaging the cryptographic module, which could be exploited to cause a setup time violation fault [26]. However, these injection methods typically assume access to the target device’s power voltage or oscillator for manipulation. A fault caused by a setup time violation can also be induced by overlaying a glitch signal on the clock signal [31, 53], making it possible to inject a fault at any time and potentially extracting the secret key by synchronizing the glitch signal insertion timing with encryption processes. However, glitch injection is often assumed to require an attacker access to the cryptographic module and is controllable. Therefore, implementing simple countermeasures to prevent direct access or intrusion can effectively neutralize these fault injection methods.
To address this issue, research on Intentional Electromagnetic Interference (IEMI) without invading the cryptographic module has been studied [13, 14, 16, 19, 35]. Based on studies on IEMI, non-invasive glitches can be induced into cryptographic modules by using high-voltage pulses. However, the use of such high voltage pulses requires proximity to the cryptographic module, even with a high voltage of about 100 V [13, 35], which can pose challenges in execution if countermeasures are employed to prevent attacker access.
This study introduces a novel fault injection method utilizing IEMI to induce temporary faults in a target device without invading or modifying the target device, even if filtering components such as voltage regulators and bypass capacitors are present in the device by irradiating Continuous Waves (CW) ranging from several watts to tens of watts from an antenna at a certain distance from the cryptographic device. This innovative approach challenges the traditional notion that devices with clear security boundaries are immune to fault injection attacks. Additionally, pulse waves, which contain multiple frequency components, may propagate to other modules on the device, disrupting their operations. However, selecting susceptible interference frequencies only to the cryptographic module makes it possible to induce faults only in the cryptographic module, not affect other modules on the device. This allows to avoid situations such as system shutdown or unobtainable fault information.
To validate the effectiveness of this method, we conducted a fault injection attack using CW irradiation from a log-periodic antenna on an Advanced Encryption Standard (AES) module implemented on an evaluation board.
1.1 Contributions
The contributions of this study are as follows:
-
Introduction of a novel remote fault injection method utilizing IEMI with CW irradiated from an antenna to induce faults into a cryptographic module without physically tampering with the module.
-
EM irradiation from a distance could potentially cause faults in all the modules mounted on a device. Hence, the proposed method selects a frequency that can cause faults only in the target cryptographic module by observing output faulty ciphertexts.
-
Proposal of a method for determining the appropriate frequency and intensity to generate faults suitable for secret key analysis, even in cases where faults are injected asynchronously into the cryptographic module’s operation.
-
Proposition of a countermeasure that changes the EM environment of the device on which the cryptographic module is installed, thereby reducing sensitivity to frequencies that induce faults and increasing the complexity of potential attacks.
1.2 Related work
Related research has explored remote fault injection attacks via the network on cloud servers located at a sufficient distance from the attacker [1, 24, 30, 32].
However, these attacks depend on shared computing resources and are not universally applicable to all devices with cryptographic modules. In addition, implementing the circuitry necessary for the attack in the cloud server is difficult to apply in cases where there are countermeasures such as mechanisms to detect the implementation of attack circuits by analyzing the bitstream [23]. In contrast, the proposed method enables fault injection into a target device, regardless of its type within the range of the EM waves irradiated by the antenna.
Previous research proposed a method for injecting faults into a cryptographic module by propagating EM waves through the power cable of the equipment [27]. While the power cable serves as a conductor facilitating efficient EM wave propagation at low power, the frequency band for efficient propagation is limited [11], thereby restricting the choice of effective frequencies for fault induction in the cryptographic module. Previous studies failed to offer a method for remotely selecting frequencies that specifically induce faults in cryptographic modules.
In contrast, the proposed method involves irradiating EM waves into space using an antenna and propagating them to a cryptographic module for fault induction. The frequency band for efficient propagation in space is wider than that for propagation through a conductor [10]. This allows for a wider range of frequencies to induce faults in cryptographic modules. However, the higher the irradiation frequency, the higher the attenuation rate in air due to shorter wavelength, so the higher the irradiation frequency used for fault injection, the higher the irradiated intensity is required.
Further, the proposed method identified a technique for selecting effective frequencies to induce faults in a cryptographic module based on the frequency of fault occurrence, indicating that such frequencies can be selected remotely. Furthermore, the proposed method holds potential for attacking devices without power cables.
1.3 Structure
This paper is structured as follows.
Section 2 explains how the attacker achieves the remote fault injection attack via IEMI from an antenna. Section 3 demonstrates the remote fault injection attack against a cryptographic module via IEMI from an antenna. In the case study, we demonstrate DFA on AES. Section 4 discusses the countermeasure against the proposed fault injection method via IEMI. Section 5 delves into the applicability of the proposed fault injection method to different secret key analysis methods and the limitations of the method in alternative attack scenarios. Section 6 concludes this study.
2 Remote fault injection method based on IEMI
2.1 Threat model
This threat model focuses on cryptographic devices designed with a security boundary, thus making them resistant to intrusion or physical access by attackers. Additionally, we presume the attacker can obtain the cipher text output from the cryptographic device via channels such as communication pathways.
As noted above, cryptographic devices that are challenging to approach physically may be deemed exempt from fault analysis and may not have fault injection countermeasures. In such scenarios, it is possible to procure faults apt for secret key analysis by tuning the parameters of EM waves irradiated from outside the security boundary.
While the aforementioned attack model primarily targets devices without implemented countermeasures, analysis methods that enable key extraction are being considered even when measures are in place [20, 33]. If it is possible to cause specific faults, a similar threat model could potentially be viable even against cryptographic devices with implemented countermeasures.
2.2 Transmission efficiency of EM waves to devices determined by frequency and intensity
The concept of fault injection using IEMI from outside a specific device with a printed circuit board (PCB) containing a cryptographic module is shown in Fig. 1. EM waves radiating from the attacker’s antenna are influenced by the spatial propagation of the EM waves and the frequency characteristics of the PCB and its components, such as integrated circuits. The EM waves propagating on the PCB are transmitted through parasitic coupling between the wiring and components [44], resulting in temporal variations in the EM waves that cause voltage fluctuations.
When a clock signal with a superimposed CW is introduced to the cryptographic module, the module interprets the clock signal as rising faster than the regular clock cycle, leading to overclocking and faults in the encryption process. Because the overclocking induced by the attack is temporary, the EM wave irradiation leaves no traces of the attack.
An image of fault injection based on IEMI
Various components and structures can be mounted on electronic device substrates, allowing externally incoming EM waves to propagate on the substrate through parasitic coupling between them. The transmission efficiency of EM waves propagating on the device and substrate varies with frequency. To successfully launch an attack without disrupting communication, a frequency that propagates efficiently only to the cryptographic module while having low transmission efficiency to other modules should be selected.
In the example shown in Fig. 1, selecting the frequency \(f_{\text {inj}}\) results in high transmission efficiency to the cryptographic module and low transmission efficiency to the other modules, enabling the injection of faults solely into the cryptographic module. However, because the attacker cannot predict the frequency with optimal transmission efficiency to the cryptographic module in advance, they must estimate the frequency that propagates efficiently to the cryptographic module based on the remotely obtained information.
An image of the number of fault rounds varying with the irradiation intensity of EM waves
2.3 Determining the frequency and intensity of EM waves suitable for fault analysis
In this section, we propose a method for determining the irradiation frequency and intensity of EM waves that effectively induce faulty ciphertexts suitable for fault analysis.
When a cryptographic module is irradiated with EM waves at a specific frequency, the waves propagating in the device result in voltage fluctuations owing to the superimposition of the CW onto the clock signal. The intensity of the superimposed CW varies with variations in the intensity of the irradiated EM waves (Fig. 2). For the superimposed CW to be interpreted as irregularly increasing signals, they must surpass the threshold voltage of the input circuit. However, because the irradiated EM waves and clock signals of the cryptographic module are not synchronized, the induction of overclocking is randomly determined.
On the other hand, when the superimposed CW with high intensity is inserted, a larger proportion of them cross the threshold voltage of the input circuit, thereby increasing the probability of over-clocking occurrence as shown in Fig. 2d. In such cases, over-clocking is more likely to occur across multiple cycles of the encryption process.
Conversely, when the superimposed CW with low intensity is inserted, over-clocking is more likely to occur in only a single cycle as shown in Fig. 2c. Therefore, when applying secret key analysis techniques such as Differential Fault Analysis (DFA) [22, 43] to this fault injection method, it is necessary to search the state as shown in Fig. 2c, that cause over-clocking in only a single cycle.
Next, we delve into the methodology for determining the frequency and intensity of the irradiated EM waves required to generate a state akin to that shown in Fig. 2c. As previously indicated in Fig. 2d, a high intensity of superimposed CW is anticipated to result in faults spanning multiple encryption cycles. Therefore, the probability of observing consecutive faults increased under these circumstances, as shown in Fig. 3a. By reducing the intensity of the irradiated EM waves, the intensity of the superimposed CW changed from Fig. 2d to c and then to Fig. 2b. Consequently, the occurrence of faults across multiple cycles decreased, and the frequency of the observed fault transitioned to those shown in Fig. 3b and c. Therefore, as shown in the flowchart in Fig. 4, the occurrence of faults suitable for key analysis can be estimated by observing the change in the frequency of fault occurrence when the irradiation frequency and intensity are manipulated and searching for only one IEMI parameter that occurs faults discontinuously.
Next, we examine the method used in determining the frequency of the irradiated EM waves that efficiently propagate only to the cryptographic module. As mentioned in Sect. 2.1, the frequency of the irradiated EM waves are crucial in ensuring that only the cryptographic module is impacted, avoiding disruptions to other modules that could lead to communication failures or device malfunctions. Therefore, the frequency that efficiently propagates only to the cryptographic modules should be remotely estimated.
Occurrence frequency of faulty ciphertext varying with the irradiation intensity of EM waves
Flowchart of the proposed IEMI fault injection to determine the irradiation frequency and intensity
To estimate this frequency, we can utilize the same method employed to determine the intensity of the irradiated EM waves. When an irradiation frequency that disrupts modules other than the cryptographic modules is applied, faults may occur outside of the cryptographic process, resulting in a continuous output of invalid values equipment operation stoppage. In the latter case, the occurrence of consecutive faults, as shown in Fig. 3a, is observed, making it challenging to differentiate from scenarios where faults occur frequently during encryption.
Therefore, when outputs, such as those shown in Fig. 3a are observed at multiple irradiation frequencies, the irradiation intensity is reduced. By selecting the frequency at which the frequency of fault occurrence decreases, as shown in Fig. 3b, we can determine the irradiation frequency of EM waves that propagate efficiently only to the cryptographic module.
Also, the time required to obtain the faults necessary for the secret key extraction can be calculated as the product of the number of sweep points of the IEMI parameters (frequency and intensity), the number of encryption processes for each combination of the IEMI parameter and the time required for one encryption process. However, even though it is possible to identify the IEMI parameter at which a fault can occur discontinuously, it does not necessarily mean that a fault suitable for key extraction has been occurred. By making the sweep points of the IEMI parameters finer, it is possible to increase the likelihood that a fault suitable for key extraction will occur. Therefore, there is a trade-off between the time required for fault injection and the feasibility of secret key analysis.
3 Efficacy confirmation for the proposed approach via an actual cryptographic device
3.1 Experimental setup
The actual image of the board with the built-in cryptographic module used in this experiment, known as the side-channel attack standard evaluation board (SASEBO-G) is shown in Fig. 5. SASEBO-G is composed of two field-programmable gate arrays (FPGAs) referred to as FPGA 1 and FPGA 2. In FPGA 1, we implemented composite field S-Box AES [46] as a cryptographic module. In FPGA 2, a communication module between the PC and FPGA 1 was implemented. Both FPGAs operated at a clock frequency of 24 MHz. Notably, these clock signals are asynchronously generated from two onboard crystal oscillators. And both FPGAs are independently powered, each from power supply (PS) via 30 cm power cables.
Actual photograph of SASEBO-G
Environment for remote fault injection experiment using an antenna
The actual photograph shown in Fig. 6a, with the block diagram of the experimental environment is shown in Fig. 6b. The equipment used in the experiment are listed in Table 1. A log-periodic antenna was selected as the antenna for irradiating EM waves. This antenna has a wide bandwidth, which makes it suitable for implementing the proposed method, which requires searching for a suitable irradiation frequency for IEMI fault injection. In addition, its high directionality can suppress unintended propagation of EM waves to peripheral devices other than cryptographic devices.
SASEBO-G was positioned on a 75 cm high wooden table in the anechoic chamber, with the PC controlling SASEBO-G installed outside the anechoic chamber to eliminate any electrical interference from setups other than the target SASEBO-G. In addition, SASEBO-G is driven by a power supply system independent of other experimental equipment and is not connected to any measuring instruments via ports in fault injection experiments, thereby eliminating the influence of unintended external noise from the measuring instruments.
As continuous sinusoidal wave was generated by a signal generator, amplified by an amplifier, and then irradiated to SASEBO-G through a log-periodic antenna located 2 m away. The log-periodic antenna was set at the same height as SASEBO-G. The irradiation frequency of the sinusoidal wave was swept in 10 MHz increments from 80 to 1000 MHz, following IEC 61000-4-3 [10], an immunity test for radiated EM fields. The intensity was swept in the range of 30-47 dBm. The secret key used was 0x2b7e151628aed2a6abf7158809cf4f3c, as specified in the algorithm documentation [40]. The input plaintext value was randomly generated for each encryption process. However, to maintain consistent experimental conditions for each combination of irradiation frequency and intensity, the plaintext dataset was generated in advance and used consistently throughout.
3.2 Fault injection experiment
First, to determine the irradiation frequency at which faults are likely to occur in the cryptographic module, the irradiation frequency was swept, and the intensity was fixed. 50 encryption processes were performed for each irradiation frequency, and the fault occurrence frequency was monitored.
The occurrence frequency of a fault when the irradiation frequency was swept in 10 MHz increments from 380 to 580 MHz, with the irradiation intensity fixed at 37 dBm is shown in Fig. 7a. The white squares represent successful execution of the encryption process, whereas the black squares represent unsuccessful attempts. Based on the results, faults occurred sparsely at approximately 420 MHz. However, faults occurred continuously at approximately 520 and 540 MHz.
Distribution of the fault occurrence for 50 encryption trials
The irradiation frequencies around 520 and 540 MHz, where the faults are occurring continuously, are too efficient in transmitting to the cryptographic module and may contain faults across multiple cycles of the encryption process, or may be interfering with other modules such as the communication module. Figure 7b then shows the results at 36 dBm, where the frequency to be swept remains the same but the irradiation intensity is 1 dB lower. In Fig. 7a, faults were continuously observed at 520 and 540 MHz, but no more faults were observed at these irradiation frequencies in Fig. 7b. This suggests that these frequencies may have induced errors other than the cryptographic module, such as the communication module.
On the other hand, when the irradiation intensity is decreased around 420 MHz, where faults were sparsely observed in Fig. 7a, the intervals at which faults occur are more sparse than in Fig. 7a. Based on the method proposed in Sect. 2, it is likely that the irradiation frequency is interfering with the cryptographic module. When the irradiation intensity was further reduced to 35 dBm as shown in Fig. 7c, the faults occurring around 420 MHz were found to be even more sparse. Thus, it can be estimated that fault occurs in a single cycle of the encryption process at 35 dBm in this frequency range.
3.3 Case study (DFA on AES)
In this section, Piret’s DFA [43], a widely used method for analyzing secret keys in symmetric key cryptography, is utilized as a case study to validate the effectiveness of the proposed method.
Piret’s DFA of AES-128 assumes the occurrence of a one-byte fault in the input intermediate value of the eighth or ninth round. By using the faulty ciphertexts that align with this assumption and the corresponding correct ciphertexts, the potential secret key candidates can be narrowed down. The correct key can then be uniquely extracted from all key candidates through a series of iterative narrowing-down processes.
For example, we consider the case using a one-byte fault in the input intermediate value of the eighth round (8R1B fault). In this case, a set of approximately 1,000 candidate keys can be obtained by narrowing down the secret key using a pair of faulty ciphertexts satisfying the 8R1B fault and their corresponding correct ciphertext. Next, secret key refinement is performed using another ciphertext pair, and the set of candidate keys is obtained in the same manner. After that, the secret key candidates that overlap between the two sets of candidate keys can be obtained.
According to [22], it is shown that the correct key can be uniquely narrowed down with a probability of 92 %. However, due to the property of the Piret’s DFA algorithm, a single DFA attempt may output multiple secret key candidates including the wrong secret key in addition to the correct secret key. Therefore, DFA in which both faulty ciphertexts satisfy the 8R1B Fault is performed multiple times, and the key candidates extracted multiple times are estimated as the correct secret key.
On the other hand, if both faulty ciphertexts do not satisfy the 8R1B fault, the DFA process is unsuccessful, and the secret key cannot be uniquely narrowed down. However, since faults occur randomly in the attack scenario using the proposed method, the attacker cannot identify which ciphertext satisfies the 8R1B fault. Therefore, under the assumption that obtained N faulty ciphertexts are all 8R1B faults, it is necessary to perform \( _N C_2\) times DFA in a brute force manner.
In this analysis, we used 27 faulty ciphertexts that were obtained by executing 3,000 encryption operations at 420 MHz and 35 dBm, which are the irradiation frequency and intensity of the EM waves identified in Sect. 3.2. Next, DFA was performed for all combinations (351 patterns) of two from the 27 faulty ciphertexts. As a result, multiple candidate secret keys were obtained in three DFA trials, and no candidate secret key was obtained in the remaining 348 trials.
Table 2 shows the retrieved secret key candidates and their number of occurrences in three DFA trials. From Table 2, it is confirmed that only the correct key value used in the experiment is commonly obtained in the three DFA trials. From this result, we demonstrated that the faulty ciphertext obtained with the irradiated frequency and intensity that are identified by the proposed method can be used to uniquely narrow down the correct key.
3.4 Characteristics of faults induced by IEMI
In the previous section, we explored the parameters of the irradiated EM waves within a limited range to efficiently generate faulty ciphertexts suitable for secret key analysis using DFA. In this section, based on this result, we examine the number of occurrence of 8R1B faults necessary for the DFA in the obtained faulty ciphertexts. To evaluate this, we describe a method to estimate the round in which a fault occurs and the number of faulty bytes under conditions in which the secret key is known. We should note that this method is intended solely for evaluation and cannot be used by an attacker.
The conceptual representation of the estimation method is shown in Fig. 8. First, the obtained faulty ciphertext and corresponding fault-free ciphertext are rewritten using the same procedure as that used for decryption. Subsequently, the exclusive OR operation is applied to the fault-free and faulty intermediate values for each round to determine the number of bytes.
Notably, faults introduced during the MixColumns operation can propagate and increase the number of faulty bytes in subsequent rounds. Similarly, when decoding is performed from the round in which the fault occurs, the number of faulty bytes increases owing to the reverse MixColumn operation. Therefore, the round with the smallest number of bytes with different values indicates the round of fault occurrence, with the smallest value representing the number of faulty bytes.
However, this method may not accurately differentiate between faults occurring in multiple rounds and multiple-byte faults in a single round. This section, however, specifically addresses single-byte faults that occur in a single round, allowing for the estimation of the round in which the fault occurred without being hindered by the aforementioned application limitations.
Conceptual image of the method for estimating fault occurrence round, with the number of faulty bytes indicated
Distribution of the number of fault occurrences and required DFA trials for each irradiation intensity
The results shown in Fig. 9a were obtained by precisely varying the irradiation intensity and examining the number of fault occurrences. These results indicate a direct correlation between fault occurrence frequency and intensity value, with a sensitivity of 0.5 dB difference in intensity value. The results for the number of 8R1B faults estimated using the aforementioned method are shown in Fig. 9b. Although the intensity value at which faults begin to occur in Fig. 9a is around 32 dBm, the intensity value at which 8R1B faults are observed is 35 dBm. From this, obtaining faults for analysis at a location where the intensity value is increased by a few dB after searching for a value where faults are sparse is desirable. Furthermore, when the value of irradiation intensity is set higher, the occurrence frequency of 8R1B faults increases. However, Fig. 9a shows that faults other than 8R1B faults also increase as the intensity increases. Therefore, the probability of 8R1B faults occurring decreases when injecting faults at a higher intensity value than a lower one.
The number of DFA trials required to uniquely identify the secret key from the obtained faulty ciphertexts using the proposed method is evaluated. The DFA performed in this study, it should assume that all obtained faulty ciphertexts satisfy to be usable for DFA. Therefore, the worst case \(N_{worst}\) can be evaluated as the difference between all possible pairs and the difference between pairs of ciphertexts with 8R1B faults, as shown in Eq. (1).
In Equation (1), \(N_{total}\) and \(N_{8R1B}\) denote the total number of fault occurrences and the number of 8R1B fault occurrences, respectively. In Fig. 9c, \(N_{worst}\) of several trials for each irradiation intensity is shown based on the results in Fig. 9a and b.
In Fig. 9c, "N/A" indicates that the intensity at which DFA cannot uniquely narrow down the secret key is due to the number o f 8R1B fault occurrences being less than 2. In the case of 35 dBm of irradiation intensity targeted for DFA in Sect. 3.3, the number of fault occurrences is 27 according to Fig. 9a, and the number of 8R1B faults is 3 according to Fig. 9b. Consequently, in the case of 35 dBm, \(N_{worst}\) is calculated to be 348 (= \( _{27} C_2\) - \( _3 C_2\)). On the other hand, in the case of 40 dBm that is maximum intensity, \(N_{worst}\) is estimated to be 339,710 (= \( _{825} C_2\) - \( _{20} C_2\)), requiring several hundred times more DFA trials compared to 35 dBm. These findings demonstrate that the secret key analysis by DFA can be efficiently performed by using faulty ciphertexts obtained at weak irradiation intensities, a few dB higher than the intensity at which faults begin to occur.
This study used only 8R1B faults for secret key analysis with DFA. However, of the 27 faulty ciphertexts obtained with an irradiation intensity of 35 dBm, the remaining 24 faulty ciphertexts that are not satisfied 8R1B Faults may contain faulty ciphertexts applicable to other secret key analysis methods [15, 20, 21, 33]. Therefore, secret key extraction may still be successful even when the attacker focuses on different secret key analysis methods. In addition, it is expected that the secret key analysis could be completed with fewer trials than the number shown in Fig. 9c when 9R1B faults are combined with 8R1B faults [45].
3.5 Mechanism of fault occurrence caused by IEMI
In this section, we elucidate the mechanism of fault occurrence induced by IEMI by examining the electrical variations that occur in the cryptographic module when EM waves are irradiated. Furthermore, we compare the voltage waveform of the cryptographic module during normal operation and fault occurrence, as well as the number of clock cycles required for the cryptographic process.
The waveform of the observed supply voltage variations of the FPGA 1 are shown in Fig. 10a when no EM is irradiated and Fig. 10b when EM waves were irradiated at 420 MHz which is profiled as the efficient transmission frequency for the cryptographic module. The voltage fluctuations of the cryptographic module were measured through the coaxial port (J8 in Fig. 5) connected between the VDD and GND of FPGA 1 using an oscilloscope (Keysight DSOS204A). A trigger signal representing AES execution time was employed through an external output pin (Trigger in Fig. 5) to synchronize the timing of voltage waveform observation. The vertical axis values of these waveforms are not normalized and represent actual measurement values.
The cryptographic module utilized in this experiment comprised a combinational circuit that executes one round of processing per clock cycle and a register for storing intermediate values. When the output of the ciphertext is loaded into the registers, the combinational circuit that performs the round process operates simultaneously. Therefore, 11 voltage fluctuations were observed, comprising 10 round processes and output loading operation (OUT in Fig. 10a).
However, as shown in Fig. 10b, when EM waves are irradiated, the voltage fluctuations temporarily increase at the time corresponding to the seventh round. This suggests that two rounds of operations are executed continuously during one clock cycle owing to overclocking. By applying the ciphertext output observed in this waveform to the method for estimating the round in which the fault occurred as outlined in Sect. 3.4, we determined that the fault occurred only in the seventh round. This indicates that the round in which the fault occurred aligned with the increase in voltage fluctuation owing to the irradiation of EM waves.
The measured trigger signal representing the AES execution interval observed when the waveforms in Fig. 10a and b were observed are shown in Fig. 11. Here, the vertical axis in Figure 10 is the actual measured value. Since the I/O power supply of SASEBO-G is supplied at 3.3 V, the trigger signal is output at a voltage level of 3.3 V when the trigger signal indicates a HIGH value. These results reveal that the time required to execute the AES is reduced by one clock cycle when a fault occurs, indicating overclocking. Based on the aforementioned experimental results, we validate that the mechanism of fault occurrence caused by IEMI is a timing violation owing to overclocking.
Comparison of measured voltage waveforms of FPGA 1
Comparison of the trigger signal indicating AES execution time between scenarios in which EM waves are not irradiated and the case of fault occurrence caused by irradiating EM waves
3.6 Application of the proposed method for cryptographic device with different physical structures
Next, to demonstrate the general applicability of the proposed fault injection method, IEMI irradiation experiments were conducted on cryptographic modules with different implementation scheme of cryptographic circuit and physical structures.
3.6.1 Different implementation schemes
As implementation schemes of AES circuit, in addition to the composite-field S-Box AES implementation that is targeted in Sect. 3.2, two different implementation schemes based on positive polarity Reed Muller (PPRM) implementations [37] were targeted. PPRM implementation uses AND logic to implement some of the XOR logic used in the composite-field S-Box AES implementation. PPRM-1 uses a single-stage XOR logic and AND logic, while PRPM-3 consists of three stages. Therefore, PPRM1 has a shorter data path delay time than PPRM-3. The hardware description language (HDL) code for the three types of AES circuits used as attack targets is published as intellectual property (IP) cores, available at [49].
As an additional experiment, under the same experimental conditions as in Sect. 3.1, the irradiation frequency of CW was swept in 5 MHz increments for each AES implementation, focusing on 420 MHz, where a discontinuous fault occurrence frequency was observed in Sect. 3.2. Then, for each irradiation frequency, the fault occurrence rate over 1000 encryption operations was evaluated. Here, the irradiation intensity was increased to 40 dBm to more clearly observe differences in the fault occurrence rate.
Figure 12 shows the experimental results of fault occurrence rate with three different AES implementation schemes. This result showed that no difference was observed in the rates despite the difference in data path delay time, and that the dependence of the rates on irradiation frequency was similar for both implementation schemes. One of the reasons for this is that the proposed fault injection scheme applies CW asynchronously to cryptographic operations. In this case, clock glitches occur at different phases for each rising edge of the clock. This suggests that the effect of the variation in the shortening of the clock period due to glitching caused by changes in the phase of the CW is more significant than the difference in the delay time of the data path due to differences in implementation.
3.6.2 Different length of power cable
As mentioned in Sect. 2.2, whether fault occurs or not and its occurrence rate depends on the frequency transmission characteristics of EM waves from the antenna to the cryptographic device.
These transfer characteristics are known to vary depending on the physical structure of the cryptographic devices, such as the size of the PCB, the length of the power cables, and the placement and number of circuit elements. In the literature [28], it has been experimentally shown that both the frequency transfer characteristics and the secret key obtainability by side-channel analysis using leaked EM waves change when the PCB size and the length of power cable are different. This indicates that fault injection using EM irradiation can also generate faults at different irradiation frequencies based on the EM reciprocity theorem [4], whereby the fault occurrence rate varies according to the differences in the physical structure of the cryptographic device.
To verify the above, this paper focuses on the length of the power cable as the physical structure of cryptographic devices and investigates the effect of the length of the power cable on the fault occurrence rate. From the experimental conditions as in Sect. 3.1, only the length of the power cables for FPGA 1 are changed from 30 cm to 50 cm, 100 cm, 150 cm, and 200 cm, as in the experimental conditions in the literature [28]. However, to eliminate any effects other than cryptographic operations, the length of the power cable connected to FPGA 2 was kept constant.
Figure 13 shows the fault rates as a function of irradiated frequency for (a) 50 cm, (b) 100 cm, (c) 150 cm, and (d) 200 cm power cables connected to the cryptographic module. From these experimental results, it is confirmed that the fault occurrence rate varies with the length of the power cable. These results indicate that the proposed method is effective for cryptographic devices with different physical structures. Based on our results and [28], it could be expected to obtain similar results for other FPGA boards with different board sizes, placement, and number of elements in the devices.
Comparison of the distribution of the fault rate during frequency-swept CW irradiation for three different AES implementation schemes
Comparison of the distribution of the fault rate during frequency-swept CW irradiation for four different length of power cable of cryptographic module
4 Countermeasures against remote EM fault injection
4.1 Conventional countermeasures and the concept of countermeasures required for the proposed method
The experiment in Sect. 3.2 was conducted in an anechoic chamber with 37 dBm irradiation intensity and 420 MHz irradiation frequency. Since the antenna factor of log-periodic antenna used in this experiment is 16.66 [18] at the 420 MHz, the electrical field strength at the irradiation point can be calculated to be approximately 160 dB\(\upmu \)V/m. This value is much higher than the limit of 40 dB\(\upmu \)V/m for the radiated frequency in FCC Part 15 Subpart B. However, since it is assumed that an attacker will irradiate EM waves without regard to the legal regulations, it is not possible to prevent the attack with only the legal regulations. Therefore, it is important to appropriately implement existing countermeasure technologies without relying on only legal regulations.
Countermeasures have been proposed at the algorithmic and circuit levels to prevent fault injections, such as detecting faults and stopping the faulty outputs. Examples of these countermeasures include duplicating cryptographic modules or performing multiple encryption processes on the same circuit for output comparison [5, 25], parity check-based countermeasures [51], and detecting temporary fluctuations in clock cycles or power supply voltage caused by glitches [17, 52]. Furthermore, for analysis methods, such as DFA, where success of key recovery is contingent upon the the number of faulty bytes, an equalizer circuit that stabilizes the delay times has been proposed to fix the number of faulty bytes [36].
These techniques are expected to be effective against the proposed method. However, implementing additional circuitry can result in overhead. In addition, applying such countermeasures to devices targeted by this threat, particularly those already shipped is challenging. This study proposes countermeasures that do not require additional circuitry and can be applied after product shipment. Specifically, we investigate methods to manipulate the transmission efficiency of the devices containing cryptographic module.
Remote EM wave injection attacks using an antenna, as discussed in previous sections, propagate injected waves from a distance to the target device’s interior, inducing overclocking and causing faults. Thus, implementing mechanisms to block the propagation of such incoming EM waves could serve as a countermeasure. One such mechanism is EM shielding. The general principle of EM shielding is to use conductive materials to create a boundary that reflects or absorbs EM waves, preventing them from reaching the components or modules that need to be protected.
Typically, EM shielding functions by fully enclosing the target. However, it is challenging to achieve complete shielding if the target has communication capabilities, making it difficult to apply to many devices. Therefore, this study proposes a method that uses conductive materials, similar to those used in EM shielding, to reduce the propagation efficiency of EM waves to the cryptographic module without completely blocking the device.
4.2 Electrical countermeasure for post-shipments devices based on extended conductive shield
As mentioned in Sect. 2, the propagation of EM waves within a device heavily depends on its frequency characteristics. Factors determining these electrical characteristics include device elements composed of conductors, transmission lines laid out on the PCB, the size of the PCB ground plane, etc. If the shapes and sizes of these device elements, conductive transmission lines, and ground planes can be manipulated, the device’s frequency characteristics and propagation properties to each module will change. However, considering the countermeasures applicable after product shipment in this section, alterations to the size or shape of the existing device elements or cables are not considered. Instead, the proposal involves placing conductive materials near the device to induce parasitic coupling and modify the device’s frequency characteristics.
The conductive materials placed nearby are not intended to completely block or reflect the propagating EM waves completely but to couple with the device, altering its reception characteristics parasitically. This method does not require complete coverage of the target, as with shielding.
Figure 14 shows a block diagram of the measurement environment to evaluate the intentional manipulation of the transmission efficiency for the cryptographic module by placing an aluminum plate, a conductive material, near the device. In the measurement environment, the tracking generator function of a spectrum analyzer (Rohde & Schwarz, FSV) was utilized, with the input connected to an observation port (J8) between the power supply voltage of FPGA 1 and ground. The output was connected to a log-periodic antenna to measure the EM wave propagation efficiency from the antenna to the cryptographic module. The EM wave propagation for the measurement of the transmission efficiency was in the opposite direction; however, this is based on the EM reciprocity theorem [4] and prioritizes the measurement reproducibility. The irradiation frequency was set between 80 and 1000 MHz, in accordance with Sect. 3.1 whereas the input intensity of the tracking generator was set to 0 dBm. Additionally, fault injection experiments were conducted using the same experimental setup and parameters outlined in Sect. 3.1, except for the presence or absence of an aluminum plate.
Block diagram of the environment for measuring transmission efficiency
Difference in transmission efficiency in the case of without and with aluminum plate
Distributions of the number of fault occurrences for each irradiation frequency and intensity without and with aluminum plate
The differences in transmission efficiencies with and without the aluminum plate are shown in Fig. 15. Installation of the aluminum plate resulted in electrical parasitic coupling between the plate and SASEBO-G, altering the equivalent circuit of the device. This alteration in the propagation characteristics of EM waves from the external environment to the cryptographic module decreased the transmission efficiency over a wide frequency range, including the frequency range in which faults occur.
Subsequently, the distribution of the number of faults that occurred during the 200 encryption processes performed for each frequency and intensity of EM waves is shown in Fig. 16a and b for the scenarios without and with the aluminum plate, respectively. In both cases, a trend of reduced fault occurrence was observed with the installation of the aluminum plate.
In this example, the installation of an aluminum plate validates a decrease in the propagation efficiency of EM waves originating from the surroundings. However, complete suppression of fault occurrence has not yet been achieved. One potential solution involves directly attaching conductive materials, such as aluminum foil to the device to modify the coupling characteristics. Furthermore, by combining typical EM compatibility (EMC) countermeasures [42] with the techniques proposed in this study, the transmission efficiency of irradiated EM waves can be reduced to a fault-free state across a wide frequency band.
5 Discussion
5.1 Applicability of the proposed fault injection method to other secret key analysis methods
This study validated the feasibility of a fault attack using the proposed injection method on an AES implementation on SASEBO-G and demonstrated the probability of key analysis using DFA. In addition, the proposed method allowed for the manipulation of the number of fault occurrence rounds by controlling the parameters of the irradiated EM waves. This flexibility enables the application of the proposed method to other analysis methods that assume faults occur only in a single round [15, 20, 21, 33]. In this section, we focused on the secret key analysis methods proposed in [20, 33] which representative of secret key analysis methods other than the DFA. We provide an overview of the analysis methods and discuss the feasibility of secret key analysis using the proposed method.
5.1.1 Fault sensitivity analysis (FSA)
FSA [33] leverages information on fault injection intensity, such as a shortened clock period caused by a clock glitch, to determine when a fault occurs (fault sensitivity) and when the intensity is gradually increased under fixed input plaintext conditions. The secret key was estimated based on the correlation between multiple input plaintexts and their fault sensitivities. This approach eliminates the need for the actual output ciphertext values and disables the DFA countermeasure that prevents the output of faulty ciphertext through redundancy computation. However, the attacker requires a resolution of the fault intensity that can be precisely controlled such that the difference in fault sensitivity for each input plaintext can be observed.
In the proposed method, irradiated EM waves were not synchronized with the encryption process and clock glitches were generated at random timings for each clock. Therefore, even if EM waves are irradiated at the same intensity, the length of the shortened clock period is not uniquely determined, thus deviating from the assumptions of FSA. However, the clock period can be reduced by applying a CW of a specific frequency, satisfying certain conditions. Furthermore, the length can be precisely controlled by manipulating the phase of the CW [39]. Therefore, by combining this method [39] with the proposed method, FSA can be performed by generating different fault sensitivities for each plaintext with a constant fault intensity.
5.1.2 Statistical fault analysis (SFA)
SFA [20] leverages the uniformity bias in cryptographic processes caused by fault injection. This involves collecting numerous ciphertext datasets only when a fault occurs in a particular round, followed by statistical analysis to estimate the secret key. SFA is useful in scenarios where attackers face challenges in accessing and manipulating the plaintext required for the DFA and FSA. However, if faulty ciphertexts are introduced when a fault occurs outside a particular round, the reduction in uniformity owing to fault injection may not be sufficiently observable, leading to inaccurate secret key estimation. Therefore, even when the irradiated EM waves are not synchronized with the encryption process, secret key analysis using SFA with fault ciphertexts obtained through the proposed method may still be feasible if the round of fault occurrence can be identified.
In the scenario shown in Fig. 10b, overclocking occurred at the time corresponding to the seventh round, suggesting a fault in that round. By utilizing ciphertexts obtained during voltage fluctuations at specific times, the reduction in uniformity necessary for SFA owing to the fault injection can be sufficiently observed, enabling successful secret key retrieval. However, when implementing the proposed fault injection method, it becomes imperative to observe the voltage fluctuations of the cryptographic module non-invasively and remotely as leakage EM waves through an antenna.
5.2 Limitations of the proposed method in realistic attack scenarios
The effectiveness of our proposed method is demonstrated in a simple environment in which only an antenna and cryptographic devices are installed 2 m apart in an anechoic chamber. However, in real-world attack scenarios, cryptographic devices are installed in an environment with many non-targeted devices, such as those in buildings or offices. Attackers would need to irradiate EM waves from outside the building. However, owing to legal constraints, this experiment could not be conducted outside the anechoic chamber. Consequently, this section discusses the limitations of the proposed method in realistic attack scenarios.
First, regarding the distance between the antenna and cryptographic device being targeted, under a typical attack scenario, EM waves may be irradiated from several meters or more. Because EM waves are subject to significant attenuation during propagation through space, higher-intensity EM waves are required when launching an attack from a distance exceeding 2 m, as utilized in the experiments. Therefore, the distance at which the proposed fault injection attack can be executed is limited by the attacker’s setup.
Second, the scenario in which other devices not intended for the attack were present along the path of EM wave propagation was considered. In this case, when the intensity of the EM waves exceeds the immunity threshold of the other devices in the propagation path, malfunction, cessation of operation, or permanent destruction of the devices may occur. When these non-targeted devices operate alongside the cryptographic module, inducing a temporary fault in a specific process of the cryptographic operation becomes challenging, making fault attacks impractical. Therefore, the proposed fault injection attack can only be successful if the frequencies with the best transmission efficiency for the cryptographic module exist, considering the transmission characteristics of all devices in the path of EM wave propagation.
Finally, the feasibility of the proposed fault injection by a portable attack setup is discussed. The portability of the attack setup may increase the range of device that can be attacked by allowing more freedom in the location where the attacker can irradiate EM waves. In the literature [29], a similar attack scenario is considered in railroad infrastructure, where a pocket-sized jammer could interfere with radio communications for train control. In the proposed method, a similar setup could be realized by miniaturizing the antenna, amplifier, signal generator, and control PC. However, with portability and miniaturization come limitations on the accuracy of irradiation frequency, antenna directionality, and bandwidth, which may limit the frequency and intensity that can be irradiated.
6 Conclusion
This study proposed a novel fault injection method that utilized IEMI to induce temporary faults in the encryption process without intrusion, proximity to the module, or synchronization with the process. This was achieved by irradiating EM waves through an antenna placed remotely from a cryptographic device.
The proposed method involved irradiating EM waves to the cryptographic device using an antenna. However, the irradiated EM waves may have also reached and potentially induced faults in modules other than the cryptographic one. To address this issue, the frequency of the radiated EM waves was carefully selected to ensure that only the cryptographic module was impacted. In addition, because the EM wave irradiation is performed asynchronously with the processing performed in the cryptographic module, faults occur randomly. This randomness makes it challenging to apply conventional fault analysis. To mitigate this issue, the intensity of the irradiated EM waves was adjusted to prevent overclocking from spanning multiple encryption cycles, ensuring that faults only occur within a single cycle.
Moreover, implementing the proposed method could potentially increase the number of devices vulnerable to fault injection attacks, including those that were previously considered immune. To address this issue, countermeasures that can deter such threats, even after product shipment, have been proposed. One such countermeasure involved enhancing EM shielding by strategically placing conductive materials near the cryptographic device, thereby reducing the efficiency of EM wave propagation from the attacker to the cryptographic module, and significantly decreasing the fault occurrence rate. A combination of typical EMC countermeasures to suppress fault occurrences was also mentioned.
Data Availability
No datasets were generated or analysed during the current study.
References
Alam, Md Mahbub, Tajik, Shahin, Ganji, Fatemeh, Tehranipoor, Mark, Forte, Domenic: RAM-Jam: Remote temperature and voltage fault attack on FPGAs using memory collisions. In: 2019 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC). IEEE, 48–55 (2019)
Anderson, Ross, Bond, Mike, Clulow, Jolyon, Skorobogatov, Sergei: Cryptographic processors-a survey. Proc. IEEE 94(2), 357–369 (2006)
Baksi, Anubhab, Bhasin, Shivam, Breier, Jakub, Jap, Dirmanto, Saha, Dhiman: A survey on fault attacks on symmetric key cryptosystems. Comput. Surveys 55(4), 1–34 (2022)
Balanis, Constantine A.: Antenna Theory: Analysis and Design, pp. 144–150. John Wiley & Sons, New Jersey (2016)
Bar-El, Hagai, Choukri, Hamid, Naccache, David, Tunstall, Michael, Whelan, Claire: The sorcerer’s apprentice guide to fault attacks. Proc. IEEE 94(2), 370–382 (2006)
Barbu, G., Duc, G., Hoogvorst, P.: Java card operand stack: fault attacks, combined attacks and countermeasures. In: Smart Card Research and Advanced Applications: 10th IFIP WG 8.8/11.2 International Conference, CARDIS 2011, Leuven, Belgium, September 14-16, 2011, Revised Selected Papers 10. Springer, 297–313 (2011)
Barenghi, Alessandro, Breveglieri, Luca, Koren, Israel, Naccache, David: Fault injection attacks on cryptographic devices: Theory, practice, and countermeasures. Proc. IEEE 100(11), 3056–3076 (2012)
Biham, E., Shamir, A.: Differential fault analysis of secret key cryptosystems. In: Advances in Cryptology-CRYPTO’97: 17th Annual International Cryptology Conference Santa Barbara, California, USA August 17–21, 1997 Proceedings 17. Springer, 513–525 (1997)
Breier, J., Jap, D., Chen, C.-N.: Laser profiling for the back-side fault attacks: with a practical laser skip instruction attack on AES. In: Proceedings of the 1st ACM Workshop on Cyber-Physical System Security. 99–103 (2015)
International Electrotechnical Commission. Electromagnetic compatibility (emc) - part 4-3 : Testing and measurement techniques - radiated, radiofrequency, electromagnetic field immunity test. Technical Report. IEC 61000-4- 3:2020 8 Sept (2020). https://webstore.iec.ch/publication/59849 (2020)
International Electrotechnical Commission. Electromagnetic compatibility (emc) - part 4-6: Testing and measurement techniques - Immunity to conducted disturbances, induced by radio-frequency fields. Tech. Rep. IEC 61000-4- 6:2023 PRV Pre release version 24 Mar (2023). https://webstore.iec.ch/publication/84355 (2023)
Cui, A., Housley, R.: BADFET: Defeating Modern Secure Boot Using Second-Order Pulsed Electromagnetic Fault Injection. In: WOOT (2017)
Dehbaoui, A., Dutertre, J.-M., Robisson, B., Orsatelli, P., Maurine, P., Tria, A.: Injection of transient faults using electromagnetic pulses Practical results on a cryptographic system. ACR Cryptology ePrint Archive (2012)
Dehbaoui, A., Dutertre, J.-M., Robisson, B., Tria, A.: Electromagnetic transient faults injection on a hardware and a software implementations of AES. In: 2012 Workshop on Fault Diagnosis and Tolerance in Cryptography. IEEE, 7–15 (2012)
Dobraunig, Christoph, Eichlseder, Maria, Korak, Thomas, Mangard, Stefan, Mendel, Florian, Primas, Robert: SIFA: exploiting ineffective fault inductions on symmetric cryptography. IACR Trans. Cryptogr. Hardware Embedded Syst. 2018, 547–572 (2018)
Dumont, M., Lisart, M., Maurine, P.: Electromagnetic fault injection: How faults occur. In: 2019 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC). IEEE, 9–16 (2019)
El-Baze, D., Rigaud, J.-B., Maurine, P.: A fully-digital EM pulse detector. In: 2016 Design, Automation & Test in Europe Conference & Exhibition (DATE). IEEE, 439–444 (2016)
uslp SCHWARZBECK MESS ELEKTRONIK. [n. d.]. Datasheet, USLP 9143 B - Log Periodic Antenna. ([n. d.]). https://schwarzbeck.de/Datenblatt/K9143B.pdf
Elmohr, M. A., Liao, H., Gebotys, C. H.: EM fault injection on ARM and RISC-V. In: 2020 21st International Symposium on Quality Electronic Design (ISQED). IEEE, 206–212 (2020)
Fuhr, T., Jaulmes, É., Lomné, V., Thillard, A.: Fault attacks on AES with faulty ciphertexts only. In: 2013 Workshop on Fault Diagnosis and Tolerance in Cryptography. IEEE, 108–118 (2013)
Ghalaty, N. F., Yuce, B., Taha, M., Schaumont, P.: Differential fault intensity analysis. In: 2014 Workshop on Fault Diagnosis and Tolerance in Cryptography. IEEE, 49–58 (2014)
Giraud, C., Thillard, A.: 2010. Piret and Quisquater’s DFA on AES Revisited, Cryptology ePrint Archive (2010)
Gnad, D. R. E., Rapp, S., Krautter, J., Tahoori, M. B.: Checking for electrical level security threats in bitstreams for multi-tenant FPGAs. In: 2018 International Conference on Field-Programmable Technology (FPT). IEEE, 286–289 (2018)
Gross, M., Krautter, J., Gnad, D., Gruber, M., Sigl, G., Tahoori, M.: FPGANeedle: Precise remote fault attacks from FPGA to CPU. In: Proceedings of the 28th Asia and South Pacific Design Automation Conference. 358–364 (2023)
Guilley, S., Sauvage, L., Danger, J.-L., Selmane, N.: Fault injection resilience. In: 2010 Workshop on Fault Diagnosis and Tolerance in Cryptography. IEEE, 51–65 (2010)
Guilley, S., Sauvage, L., Danger, J.-L., Selmane, N., Pacalet, R.: Silicon-level solutions to counteract passive and active attacks. In: 2008 5th Workshop on Fault Diagnosis and Tolerance in Cryptography. IEEE, 3–17 (2008)
Hayashi, Yu.-ichi, Homma, Naofumi, Mizuki, Takaaki, Aoki, Takafumi, Sone, Hideaki: Transient IEMI threats for cryptographic devices. IEEE Trans. Electromag. Compat. 55(1), 140–148 (2012)
Hayashi, Yu-Ichi., Homma, Naofumi, Mizuki, Takaaki, Aoki, Takafumi, Sone, Hideaki, Sauvage, Laurent, Danger, Jean-Luc.: Analysis of electromagnetic information leakage from cryptographic devices with different physical structures. IEEE Trans. Electromag. Compat. 55(3), 571–580 (2012)
Heddebaut, Marc, Deniau, Virginie, Rioult, Jean, Gransart, Christophe: Mitigation techniques to reduce the vulnerability of railway signaling to radiated intentional EMI emitted from a train. IEEE Trans. Electromag. Compat. 59(3), 845–852 (2016)
Kim, Yoongu, Daly, Ross, Kim, Jeremie, Fallin, Chris, Lee, Ji Hye, Lee, Donghyuk, Wilkerson, Chris, Lai, Konrad, Mutlu, Onur: Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors. ACM SIGARCH Comp. Arch. News 42(3), 361–372 (2014)
Korak, T., Hoefler, M.: On the effects of clock and power supply tampering on two microcontroller platforms. In: 2014 Workshop on Fault Diagnosis and Tolerance in Cryptography. IEEE, 8–17 (2014)
Krautter, Jonas, Gnad, Dennis RE., Tahoori, Mehdi B.: FPGAhammer: Remote voltage fault attacks on shared FPGAs, suitable for DFA on AES. IACR Trans. Cryptogr. Hardware Embedded Syst. 2018, 44–68 (2018)
Li, Y., Sakiyama, K., Gomisawa, S., Fukunaga, T., Takahashi, J., Ohta, K.: Fault sensitivity analysis. In: Cryptographic Hardware and Embedded Systems, CHES 2010: 12th International Workshop, Santa Barbara, USA, August 17-20, 2010. Proceedings 12. Springer, 320–334 (2010)
Lu, Y.: Injecting software vulnerabilities with voltage glitching. arXiv preprint arXiv:1903.08102 (2019)
Majéric, F., Bourbao, E., Bossuet, L.: Electromagnetic security tests for SoC. In: 2016 IEEE International Conference on Electronics, Circuits and Systems (ICECS). IEEE, 265–268 (2016)
Miura, N., Fujimoto, D., Nagata, M.: Proactive and reactive protection circuit techniques against EM leakage and injection. In: 2015 IEEE International Symposium on Electromagnetic Compatibility (EMC). IEEE, 252–257 (2015)
Morioka, S., Satoh, A.: An optimized S-Box circuit architecture for low power AES design. In: International Workshop on Cryptographic Hardware and Embedded Systems. Springer, 172–186 (2002)
Murdock, K., Oswald, D., Garcia, F. D., Van Bulck, J., Gruss, D., Piessens, F.: Plundervolt: Software-based fault injection attacks against Intel SGX. In: 2020 IEEE Symposium on Security and Privacy (SP). IEEE, 1466–1482 (2020)
Nishiyama, Hikaru, Fujimoto, Daisuke, Sone, Hideaki, Hayashi, Yuichi: Efficient noninvasive fault injection method utilizing intentional electromagnetic interference. IEEE Trans. Electromag. Compat. 65(4), 1211–1219 (2023)
National Institute of Standards and Technology (NIST). 2001. Advanced Encryption Standard (AES). fips publication 197 (2001)
O’Flynn, Colin: MIN () imum Failure: EMFI Attacks against USB Stacks.. In WOOT@ USENIX Security Symposium (2019)
Paul, C.R.: Introduction to Electromagnetic Compatibility, pp. 301–308. John Wiley & Sons, New Jersey (1992)
Piret, G., Quisquater, J.-J.: A differential fault attack technique against SPN structures, with application to the AES and KHAZAD. In: Cryptographic Hardware and Embedded Systems-CHES 2003: 5th International Workshop, Cologne, Germany, September 8–10, 2003. Proceedings 5. Springer, 77–88 (2003)
Radasky, William, Savage, Edward: Intentional electromagnetic interference (IEMI) and its impact on the US power grid. Meta 1(2010), 1–3 (2010)
Sakiyama, Kazuo, Li, Yang, Gomisawa, Shigeto, Hayashi, Yu.-ichi, Iwamoto, Mitsugu, Homma, Naofumi, Aoki, Takafumi, Ohta, Kazuo: Practical DFA strategy for AES under limited-access conditions. J. Inform. Process. 22(2), 142–151 (2014)
Satoh, A., Morioka, S., Takano, K., Munetoh, S.: A compact Rijndael hardware architecture with S-box optimization. In: Advances in Cryptology-ASIACRYPT 2001: 7th International Conference on the Theory and Application of Cryptology and Information Security Gold Coast, Australia, December 9-13, 2001 Proceedings. Springer, 239–254 (2001)
Shepherd, Carlton, Markantonakis, Konstantinos, van Heijningen, Nico, Aboulkassimi, Driss, Gaine, Clément., Heckmann, Thibaut, Naccache, David: Physical fault injection and side-channel attacks on mobile devices: A comprehensive analysis. Computers & Security 111(2021), 102471 (2021)
Tang, Adrian, Sethumadhavan, Simha, Stolfo, Salvatore J.: CLKSCREW: Exposing the perils of security-oblivious energy management. In USENIX Sec. Symp. 2, 1057–1074 (2017)
Aoki Laboratory Tohoku University. Cryptographic Hardware Project. (2007). http://www.aoki.ecei.tohoku.ac.jp/crypto/web/cores.html
Van Woudenberg, J. G. J., Witteman, M. F., Menarini, F.: Practical optical fault injection on secure microcontrollers. In: 2011 Workshop on Fault Diagnosis and Tolerance in Cryptography. IEEE, 91–99 (2011)
Zhang, Maoshen, Li, He., Wang, Peijing, Liu, Qiang: Parity check based fault detection against timing fault injection attacks. Electronics 11(24), 4082 (2022)
Zussa, L., Dehbaoui, A., Tobich, K., Dutertre, J.-M., Maurine, P., Guillaume-Sage, L., Clediere, J., Tria, A..: Efficiency of a glitch detector against electromagnetic fault injection. In: 2014 Design, Automation & Test in Europe Conference & Exhibition (DATE). IEEE, 1–6 (2014)
Zussa, L., Dutertre, J.-M., Clediere, J., Tria, A.: Power supply glitch induced faults on FPGA: An in-depth analysis of the injection mechanism. In: 2013 IEEE 19th International On-Line Testing Symposium (IOLTS). IEEE, 110–115 (2013)
Acknowledgements
This work was supported by JSPS KAKENHI under Grant JP23H00472, Grant JP23K28087, JST CREST Grant Number JPMJCR19K5 and JST FOREST Program under Grant JPMJFR206L.
Author information
Authors and Affiliations
Contributions
H.N.: Hikaru Nishiyama Y.H. presented the concept of the proposed method in this paper, and all the authors concrete the proposed method. H.N. constructed the experimental environment, conducted the experiments, and analyzed the experimental results. All authors discussed and interpreted the experimental results. H.N. drafted the paper, which was reviewed and revised by D.F. and Y.H. H.N. and D.F. prepared figures and tables in the paper.
Corresponding author
Ethics declarations
Conflict of interest
The authors declare no competing interests.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License, which permits any non-commercial use, sharing, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if you modified the licensed material. You do not have permission under this licence to share adapted material derived from this article or parts of it. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by-nc-nd/4.0/.
About this article
Cite this article
Nishiyama, H., Fujimoto, D. & Hayashi, Y. Remote fault injection attack against cryptographic modules via intentional electromagnetic interference from an antenna. J Cryptogr Eng 15, 9 (2025). https://doi.org/10.1007/s13389-025-00370-y
Received:
Accepted:
Published:
DOI: https://doi.org/10.1007/s13389-025-00370-y