Cryptography Reference
In-Depth Information
Fig. 17.2
SPICE simulation of the evaluation date of the least significant bit output of the S-box #0
of SERPENT for different voltages (1.2 V is nominal) in low-leakage 0.13
µ
m CMOS technology
from STMicroelectronics
17.2.3 Physical Explanation of the Bit-Flip Fault Model
In hardware, such a violation is compatible with the “bit-flip” model. Indeed, CMOS
gates are balanced in timing (rising and falling edges have similar transition dura-
tions). Thus evaluating a signal as 1 instead of 0 is as likely as the converse. In
software, this accounts for failures such as instruction skips or the setting of the out-
put signals of an XOR to 0, notably observed by Clavier [92, 93]. We can therefore
state that software derouting is a mere consequence of a failure of the hardware that
executes it.
We assert that in mainstream processors (unprotected CMOS) the timings are
data-dependent. Ideally, from an algorithmic optimization standpoint, all the paths
in a data path can be critical: it is the logic synthesizer's objective to create a design
that complies with the timing's closure constraints. This suggests that faults can occur
at various locations in the data path. This is beneficial to the attacker, because she
can take advantage of the faults occurring on various bits of the data path to retrieve
all the bits of the key.
Various means to inject global faults exist, most of which cause setup time viola-
tions; we refer to them as “stress methods”. When the stress is low, the perturbation
results in one single path being violated. This causes a single bit-flip at the output of
a combinatorial path; in turn, this causes a bit-flip in the next state register. As the
critical path is definitely data-dependent, the bit-flip can actually occur everywhere,
especially when the logic is well balanced. This is true of a block cipher, but not of
