IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS—II: EXPRESS BRIEFS, VOL. 60, NO.
8, AUGUST 2013
Fault Rate Analysis: Breaking Masked AES
Hardware Implementations Efficiently
An Wang, Man Chen, Zongyue Wang, and Xiaoyun Wang
Abstract—In 2011, Li et al. presented clockwise collision anal-
ysis on nonprotected Advanced Encryption Standard (AES)
hardware implementation. In this brief, we first propose a new
clockwise collision attack, called fault rate analysis (FRA), on
masked AES. Then, we analyze the critical and noncritical paths of
the S-box and find that, for its three input bytes, namely, the input
value, the input mask, and the output mask, the path relating to
the output mask is much shorter than those relating to the other
two inputs. Therefore, some sophisticated glitch cycles can be
chosen such that the values in the critical path of the whole S-box
are destroyed but this short path is not affected. As a result, the
output mask does not offer protection to the S-box, which leads to
a more efficient attack. Compared with three attacks on masking
countermeasures at the Workshop on Cryptographic Hardware
and Embedded Systems 2010 and 2011, our method only costs
about 8% of their time and 4% of their storage space.
Index Terms—Collision attack, fault rate analysis (FRA), mask-
ing, path delay, side-channel attack.
I. I NTRODUCTION
S INCE Kocher proposed timing attack in 1996 [1], many
cryptanalysts have focused on side-channel attacks. The
side-channel information that leaks the secret key includes
power consumption, timing, electromagnetic radiation, faulty
output, and so on. Accordingly, many side-channel models such
as collision [2]–[4] correlation coefficient [5], [6] template [7],
and fault [8] were considered.
At the Workshop on Cryptographic Hardware and Embedded
Systems 2010, Li et al. presented a new fault attack, called
fault sensitivity analysis (FSA) [9], which exploited the fact that
the critical path of an Advanced Encryption Standard (AES)
S-box combinational circuit is data dependent. Thus, an illegal
clock and a timing model can be used for recovering key
bytes. Combining with the correlation collision attack [10],
Moradi et al. gave an attack on the masked AES hardware
implementation by colliding timing characteristics [11]. How-
Manuscript received March 26, 2013; accepted May 31, 2013. Date of
publication July 16, 2013; date of current version August 10, 2013. This work
was supported in part by the 973 Project of China under Grant 2013CB834205,
by the National Natural Science Foundation of China under Grant 61133013,
and by the open fund of the Science and Technology on Information Assurance
Laboratory. This brief was recommended by Associate Editor C.-Y. Lee.
A. Wang is with the Institute for Advanced Study and the Institute of Micro-
electronics, Tsinghua University, Beijing 100084, China (e-mail: wanganl@
tsinghua.edu.cn).
M. Chen and Z. Wang are with the Key Laboratory of Cryptologic Tech-
nology and Information Security, Ministry of Education, Shandong Univer-
sity, Jinan 250100, China (e-mail: manchen@mail.sdu.edu.cn; zongyue1988@
sina.com).
X. Wang is with the Institute for Advanced Study, Tsinghua University,
Beijing 100084, China (e-mail: xiaoyunwang@tsinghua.edu.cn).
Color versions of one or more of the figures in this brief are available online
at http://ieeexplore.ieee.org.
Digital Object Identifier 10.1109/TCSII.2013.2268379
1549-7747 © 2013 IEEE
517
ever, the acquirement of the setup time was not efficient, and
512 setup-time samples were required in the idea of correlation
collision [10]. In 2011, Li et al. introduced the clockwise
collision analysis [12], which was based on the fact that, when
the inputs of a combinational circuit for two consecutive clock
cycles are the same, little computation is required in the second
clock cycle. In practice, some countermeasures such as delay
block [13] and glitch detection are adopted so that a clock glitch
cannot be injected into an embedded module easily. However,
it is possible that adversary can develop some technologies to
achieve it in the future. Moreover, most chips for a resource-
constrained environment are still vulnerable owing to the lack
of countermeasures.
In this brief, a new side-channel collision attack, called fault
rate analysis (FRA), on masked AES is proposed. We inject a
clock glitch into masked S-box implementations and utilize the
fault rate to recover the secret key. Specially, we further study
the inner structure of the S-box and select some sophisticated
clock glitches to mount a more efficient attack. Due to the
implementation characteristics of masking, our attacks have
good universality.
II. P RELIMINARY
A. Fault Sensitivity Analysis
When some input bits of a combinational circuit transit,
outputs will remain stable in a short time. This delay time is
called the setup time. Li et al. found that an illegal clock could
cause a setup time violation of an S-box combinational circuit
since flip-flops were triggered before the output signal was fixed
to a correct value [9]. This illegal clock is called the clock glitch,
which can be generated by the digital clock manager inside
the control module in another field-programmable gate array
(FPGA). When a clock glitch is injected into round 10 of AES,
an adversary can determine which S-box produces a mistake
according to the wrong ciphertext. Therefore, a glitch cycle
is evaluated by gradually decreasing until the S-box makes
a mistake. At this moment, the glitch cycle is approximately
equal to the setup time of the S-box corresponding to a certain
input value.
For each key guess, the correlation coefficient between the
two following lists can be computed. The Hamming weights of
S-box inputs computed from the guessed key are regarded as
a list of samples, whereas their corresponding setup times are
the other list of samples. Because of the data dependence of the
schemes proposed in [14], the key guess corresponding to the
maximum correlation coefficient is the right one.
However, FSA seems to be inefficient. To get a setup-time
value, adversary shortens the glitch cycles until the probability
518 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS—II: EXPRESS BRIEFS, VOL. 60, NO. 8, AUGUST 2013
Fig. 1. Procedure of clockwise collision analysis, taking the validity of output
as the distinguisher.
of the faulty output is higher than a threshold, which needs to
repeat encryptions 104 times [11]. Unfortunately, computing
the correlation coefficient needs 512 setup-time values in all.
B. Fault-Based Clockwise Collision Analysis
Block ciphers are usually implemented iteratively, and dif-
ferent values are input into a same combinational circuit during
different clock cycles, which is called serial implementation.
There exists a phenomenon that when the inputs of an S-box
circuit are the same in two consecutive clocks, there is no
transition during the second clock [12]. Thus, even if the second
clock cycle is much less than the setup time, no fault will occur.
This fact results in the side-channel attack, named clockwise
collision analysis, which is described in Fig. 1. If the setup-time
violation of an S-box combinational circuit cannot be triggered
in the second clock, one can infer that inputs of the two S-boxes
are the same. Therefore, an adversary can determine the colli-
sion between two consecutive S-boxes according to the output
results during a specific glitch. Here, the setup-time violation of
the S-box in round 10 can be detected by verifying whether an
error takes place in the corresponding ciphertext byte.
III. FRA ON M ASKING
Here, we study whether the S-box circuit happens to have
identical inputs in two consecutive clock cycles, which is
similar to clockwise collision analysis. The only difference
here is that each S-box includes an input and output mask. To
attack the protected S-boxes, we study the AES implementation
proposed in [15]. There are only four S-box combinational
circuits in one round, and every four S-boxes are computed
by the same combinational circuit singly. Assume that two
S-box operations S1 and S2 in round 10 are processed by the
same combinational circuit and that S1 is followed by S2 . For
mounting an attack, the adversary runs the whole AES circuit
with the same plaintext twice, which is described in Fig. 2. For
the second encryption, inject a glitch into S2 . According to the
output ciphertexts with no masks, one can determine whether
an error happens.
Let x1 , x2 and y1 , y2 denote the unmasked inputs and outputs
of the two S-boxes; m1 , m2 and w1 , w2 denote the input and
output masks of S1 and S2 in the first experiment; and m1 , m2
and w1 , w2 denote those in the second experiment, respectively.
There are two phenomena.
1) If x1 ⊕ m1 = x2 ⊕ m2 , m1 = m2 , and w1 = w2 , then
y2 = y2 always holds. That is to say, the two outputs must
be correct no matter how short the glitch cycle is.
2) If x1 ⊕ m1 = x2 ⊕ m2 or m1 = m2 or w1 = w2 , there
must exist transitions in the combinational circuit during
Fig. 2. Procedure of our attack on a serial S-box circuit, in which the correct
rate of y2 is taken as a distinguisher.
the second clock. If the glitch cycle is shorter than the
setup time, we define the average probability of y2 = y2
(intuitively, it should not hold except for some infrequent
coincidence) as p.
We can view the above properties from a new perspective:
If x1 = x2 , y2 should be correct with probability p. How-
ever, if x1 = x2 , the expectation of probability of y2 = y2
should be higher than p since it contains the case where x1 =
x2 , m1 = m2 , and w1 = w2 . Thus, the correct probability is
about ((1 + 65535p)/65536) ≈ p + (1/65536), which implies
a probability advantage of 1/65 536. Roughly, p is about 1/256
when the glitch cycle is close to 0; thus, the threshold ρ0 may
be chosen as (1/256) + (1/(65 536 × 2)). Then, we construct
an attack described in Algorithm 1. Repeating the online stage
and the linear collision attack [3] in the key recovery stage, an
adversary can shrink the key space to 232 .
Algorithm 1 FRA on serial S-boxes with masks
Precomputation stage:
1: Determine the minimum setup time t0 of the S-box circuit.
2: Choose n glitch cycles t1 , t2 , . . . , tn , s.t. ti << t0 , i ∈
{1, . . . , n}.
3: Determine threshold ρ0 of the distinguisher corresponding
to the cycles t1 , t2 , . . . , tn .
Online stage:
1: Encrypt a random plaintext P under the normal clock and
record the correct result. (Two target ciphertexts and subkey
bytes of round 10 are denoted by c1 , c2 and k1 , k2 ,
respectively.)
2: For each ti , i ∈ {1, . . . , n}:
3: Encrypt P for n times and inject a glitch (cycle is ti )
into S2 .
4: Compare the n × n output bytes with the correct value c2 .
5: Compute the correct rate ρ.
6: If ρ ≥ ρ0 , then x1 = x2 is determined; else. x1 = x2 .
7: If collision is detected, execute the key recovery stage;
else, repeat steps 1–6.
Key recovery stage:
1: For a detected collision xi = xj , ki ⊕ kj = ci ⊕ cj
holds [3].
WANG et al.: FRA: BREAKING MASKED AES HARDWARE IMPLEMENTATIONS EFFICIENTLY 519

Fig. 3. Brief hardware architecture of a masked S-box for AES. Intuitively, the path from wi to output is much shorter than the critical path.

The signal-to-noise ratio is low in practice; therefore, the ad-

versary should perform experiments many times for an average
success rate based on different glitch cycles. We continue to
explore the internal regularity of the S-box circuit in the next
section.

IV. I MPROVED FRA

Here, we try to study the case where x1 ⊕ m1 = x2 ⊕ m2
and m1 = m2 regardless of w1 and w2 . If this case happens
with a higher probability for some fixed x1 and x2 , we can
conclude that x1 = x2 .

A. Output Mask Independence

Most masked hardware implementations of the S-box first
process xi ⊕ mi and mi and then mix the intermediate value
with output mask wi . Therefore, the timing delay from inputs
xi ⊕ mi and mi to output yi ⊕ wi is usually longer than that
from input wi to yi ⊕ wi . For example, we have implemented “a
very compact perfectly masked S-box for AES” [16]. Accord-
ing to the simulation in Quartus II, we know that the setup time
of the path from xi ⊕ mi and mi to yi ⊕ wi is always longer
than 15 ns, whereas that from wi to yi ⊕ wi is always shorter
than 6 ns. Fig. 3 shows these characteristics intuitively.
One can image that a glitch of 9 ns is injected in the second
cycle (noting that the glitch cycle must be longer than 6 ns so
that wi can be involved in operation correctly).
1) If x1 ⊕ m1 = x2 ⊕ m2 and m1 = m2 , then y2 = y2 al-
ways holds since w2 gets enough time to get through the
circuit. Fig. 4. Correlation among input and output masks and maximum delays of
the critical path in the case of (a) collision and (b) noncollision, respectively.
2) If x1 ⊕ m1 = x2 ⊕ m2 or m1 = m2 , there must be tran-
sitions in the path from x2 ⊕ m2 , m2 to y2 ⊕ w2 . Since 2) If x1 = x2 , the setup time in the case of m1 = m2 is
the glitch cycle is less than the setup time, y2 = y2 holds remarkably shorter than that in other 255 cases.
with some probability p. 3) If x1 = x2 , there is no obvious difference between the
We employed Quartus II and ModelSim to confirm the above setup times regardless of m2 .
statement. For S1 , x1 = 49, m1 = 151, and w1 = 244, and Therefore, if we set the glitch cycle to be longer than the short
for S2 , x2 = 49, whereas m2 and w2 traverse 0–255. The path, an efficient distinguisher can be established: The correct
experimental result is shown in Fig. 4(a). The two horizontal rate of y2 is larger than p when x1 = x2 , which is about ((1 +
axis represents m2 and w2 , respectively, whereas the vertical 255p)/256) ≈ p + (1/256).
axis expresses how soon the output of S2 circuit (including
subsequent round key addition and mask elimination of the
B. Attack Scenario
ciphertext) will be stable when the transition from S1 to S2
takes place. With the experiment on noncollision pairs, select The adversary hopes that the distinguisher is independent
x1 = 94, m1 = 215, w1 = 204, x2 = 95, and m2 , w2 traverse of the output mask for a higher efficiency. Thus, based on the
0–255. Fig. 4(b) shows the noncollision experimental result. above analysis, a fast attack is described in Algorithm 2. Here,
The following can be easily observed from Fig. 4. the threshold ρ0 may be chosen as (1/256) + (1/(256 × 2)) or
1) The setup time is independent of output masks w2 . a little greater.
520 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS—II: EXPRESS BRIEFS, VOL. 60, NO. 8, AUGUST 2013
Fig. 5. The experiment environment of our attack consists of a function
generator, an FPGA board, and a PC.
Fig. 6. Circuit structure of our experiments. The number of correct values is
saved, which can be acquired from Quartus II.
Algorithm 2 Improved FRA on serial S-boxes with masks
Precomputation stage:
1: Evaluate the S-box circuit’s minimum setup time t01 from
xi ⊕ mi and mi to yi ⊕ wi , and the maximum setup time
t02 from wi to yi ⊕ wi .
2: Choose n glitch cycles t1 , t2 , . . . , tn , such that t02 < ti <
t01 , i ∈ {1, . . . , n}.
3: Determine threshold ρ0 of the distinguisher.
Online stage:
The same as Algorithm 1.
Key recovery stage:
The same as Algorithm 1.
C. Experiments
We employed an Altera DE2 board with an EP2C35F672C6
FPGA for implementing an S-box hardware circuit and a
RIGOL DG4102 function generator for clock supply, as shown
in Fig. 5. The two devices cost about $1000, which is much
cheaper than other kinds of side-channel attacks.
Fig. 6 describes the circuit structure of our attack. First, we
implemented a masked AES S-box based on the tower field
[16]. Then, an on-chip glitchy-clock generator [17] was imple-
mented for generating expected glitches. A lookup table S-box
and a comparator were used for deciding the correctness of the
output of the masked S-box. As a result, the number of correct
values was recorded by a counter, which could be obtained by
the In-System Memory Content Editor of Quartus II.
For verifying our attack, let x1 = 1, m1 = 30, and the glitch
cycle be 7.1 ns, 7.2 ns, 7.3 ns, . . . , 11 ns for the fault injection.
When a glitch cycle is fixed, for each x2 ∈ {0, 1, 2, . . . , 255},
we choose m2 from 0 to 255 randomly and encrypt for 2000
times. Thus, 256 correct rates can be obtained, which is a
column of points in Fig. 7. In this figure, the correct rates corre-
sponding to x2 = 1 are plotted in stars, and x2 = 0, 2, . . . , 255
Fig. 7. Correct rates under different glitch cycles when x1 = 1 and x2
traversing 0–255. The stars and gray points stand for collision (x2 = 1) and
noncollision (x2 = 1), respectively.
Fig. 8. Distinct correct rates between (stars) collision and (gray points)
noncollision.
are plotted in gray points. Although the points overlap with each
other, one can still find that, when x1 = x2 = 1, the expectation
of the correct rate 0.79% is higher than that in the case of
noncollision. According to a threshold predetermined by a
template-based method, collision can be decided successfully.
According to our following experiment, adversary can still
distinguish collision from noncollision distinctly even if x1
is an arbitrary value between 0 and 255. For each pair
(x1 , x2 ), x1 , x2 ∈ {0, 1, . . . , 255}, we choose m1 and m2 from
0 to 255 randomly and perform 40 experiments (each ex-
periment consists of 2000 encryptions) during 40 different
glitch cycles for each pair (m1 , m2 ). Then, a total correct rate
corresponding to the pair (x1 , x2 ) is acquired, which is a point
in Fig. 8. The horizontal axis shows the values of x1 , and for
each x1 , the one star above corresponds to the case of x2 = x1 ,
whereas the 255 gray points below correspond to the other
255 x2 . It is clear that, for any pair (x1 , x2 ), adversary can
distinguish collision from noncollision distinctly.
For a 16-byte subkey of round 10, after repeating
Algorithm 2 for 12 times, 12 collisions can be decided, which
is described by the 12 dashed lines in Fig. 9. Here, the offset in
each row is due to ShiftRows operation of AES. Thus, only the
first four bytes should be guessed, and the other 12 bytes can
be expressed according to the found collisions. Altogether, 232
searches can recover the whole key of AES.
D. Efficiency Comparison
Compared with other three collision attacks on masked
S-box implementations in Table I, our attacks have remark-
able advantages in encryption time, computation complexity,
and feasibility. Specifically, for the online encryption, the
WANG et al.: FRA: BREAKING MASKED AES HARDWARE IMPLEMENTATIONS EFFICIENTLY
Fig. 9. Twelve detected collisions (dashed lines) corresponding to 16 subkey
bytes (table cells) of round 10.
TABLE I
C OMPARISONS OF F OUR M ETHODS F OR C OLLISION D ETECTION
fault-based colliding timing characteristic (CTC) [11] executes
106 encryptions in the FPGA, which cost about 100 s, and
records 512 critical path delays, which occupy 2048 bytes.
However, our attack executed in the FPGA only costs 8 s for
8 × 104 encryptions and 80 bytes for storage of 40 counters
corresponding to 40 glitches, which is 8% and 4% of the CTC,
respectively. In power-based attacks, it usually takes more than
100 ms to record one power trace, which is much longer than an
encryption in the FPGA. Thus, the computations of correlation-
enhanced power analysis (CEPA) [10] and collision-correlation
power analysis (CCPA) [4] executed in the FPGA cost 2000 s
for 2 × 104 encryptions and 1000 s for 104 encryptions, re-
spectively. Moreover, their space cost, i.e., 2 × 106 and 8 × 107
bytes, is much higher than that of our attack.
The column of complexity shows the offline computation
complexity for recovering a key byte. Here, Cρn represents the
complexity of computing the correlation coefficient relating to
n sample pairs, whereas Cdiv stands for the complexity of one
division operation, which is used to compute the correct rate.
In our attack, only one division is needed, which is much faster
than the computation of the correlation coefficient.
From the point of view of attack capability, our attack can
break countermeasures with nonreused masks as well as CEPA
and CTC, but CCPA cannot. Furthermore, the execution of
CEPA and CTC should satisfy an extra assumption that after
averaged directly, the trace can leak information, but our attack
does not need this kind of assumptions.
V. C ONCLUSION AND C OUNTERMEASURES
We have proposed a new side-channel collision attack on
masked AES based on the fault rate when injecting a clock
glitch into the S-box circuit. More interestingly, we first studied
the paths of the S-box circuit and found a better method for
521
fast key recovery. This phenomenon has potential applications
to side-channel attacks on protected block ciphers. By compar-
ison, previous FSA also considered the inner structure of the
S-box circuit, but it only utilized the critical path, instead of
other short paths.
Our method is universal for most masked hardware imple-
mentations. The effectiveness of our attacks depends on two
factors: 1) the S-box should be executed in series; and 2) there
should be a short path corresponding to the output mask. In
practice, except for some special cases in which the speed of
encryption is required, most implementations of S-boxes are in
series due to the area limitation. Furthermore, because the out-
put mask always joins the computation very late (when the input
mask is being removed), all the hardware implementations of
the S-box include a short path corresponding to the output
mask. Therefore, our attacks are applicable to most hardware
implementations of many block ciphers and do not strongly
depend on the specific implementation or design.
For resisting our attacks, first, an illegal clock may be de-
tected. A delayed combinational circuit can be connected in
parallel with the S-box. When this circuit encounters errors,
any output of AES is forbidden. Second, our attack relies on
the equality of the previous and next masks. If the circuit can
detect this case and drop the flawed masks, the collision of
24 bits input values will never take place, and our attack can
be avoided. We expect some skillful combinations of counter-
measures showing relative high security and low complexity.
R EFERENCES
[1] P. C. Kocher, “Timing attacks on implementations of Diffie–Hellman,
RSA, DSS, and other systems,” in Proc. CRYPTO, 1996, pp. 104–113.
[2] K. Schramm, T. J. Wollinger, and C. Paar, “A new class of collision attacks
and its application to DES,” in Proc. FSE, 2003, pp. 206–222.
[3] A. Bogdanov, “Improved side-channel collision attacks on AES,” in Proc.
SAC, 2007, pp. 84–95.
[4] C. Clavier, B. Feix, G. Gagnerot, M. Roussellet, and V. Verneuil, “Im-
proved collision-correlation power analysis on first order protected AES,”
in Proc. CHES, 2011, pp. 49–62.
[5] E. Brier, C. Clavier, and F. Olivier, “Correlation power analysis with a
leakage model,” in Proc. CHES, 2004, pp. 16–29.
[6] E. Oswald, S. Mangard, C. Herbst, and S. Tillich, “Practical second-order
DPA attacks for masked smart card implementations of block ciphers,” in
Proc. CT-RSA, 2006, pp. 192–207.
[7] S. Chair, J. R. Rao, and P. Rohatgi, “Template attacks,” in Proc. CHES,
2002, pp. 13–28.
[8] E. Biham and A. Shamir, “Differential fault analysis of secret key cryp-
tosystems,” in Proc. CRYPTO, 1997, pp. 513–525.
[9] Y. Li, K. Sakiyama, S. Gomisawa, T. Fukunaga, J. Takahashi, and K. Ohta,
“Fault sensitivity analysis,” in Proc. CHES, 2010, pp. 320–334.
[10] A. Moradi, O. Mischke, and T. Eisenbarth, “Correlation-enhanced power
analysis collision attack,” in Proc. CHES, 2010, pp. 125–139.
[11] A. Moradi, O. Mischke, C. Paar, Y. Li, K. Ohta, and K. Sakiyama, “On
the power of fault sensitivity analysis and collision side-channel attacks
in a combined setting,” in Proc. CHES, 2011, pp. 292–311.
[12] Y. Li, K. Ohta, and K. Sakiyama, “An extension of fault sensitivity analy-
sis based on clockwise collision,” in Proc. Inscrypt, 2012, pp. 46–59.
[13] S. Endo, Y. Li, N. Homma, K. Sakiyama, K. Ohta, and T. Aoki, “An effi-
cient countermeasure against fault sensitivity analysis using configurable
delay blocks,” in Proc. FDTC, 2012, pp. 95–102.
[14] S. Morioka and A. Satoh, “An optimized S-box circuit architecture for low
power AES design,” in Proc. CHES, 2002, pp. 172–186.
[15] S. Mangard, M. Aigner, and S. Dominikus, “A highly regular and scal-
able AES hardware architecture,” IEEE Trans. Comput., vol. 52, no. 4,
pp. 483–491, Apr. 2003.
[16] D. Canright and L. Batina, “A very compact perfectly masked S-box for
AES,” in Proc. ACNS, 2008, pp. 446–459.
[17] S. Endo, T. Sugawara, N. Homma, T. Aoki, and A. Satoh, “An on-chip
glitchy-clock generator for testing fault injection attacks,” J. Cryptogr.
Eng., vol. 1, no. 4, pp. 265–270, Dec. 2011.