Extensive Fault Emulation on RFID Tags
Ibrahim Mezzah, Omar Kermia
Centre for Development of Advanced Technologies (CDTA)
Algiers, Algeria
Abstract—Radio frequency identification (RFID) is
widespread and still necessary in many important applications.
However, and in various significant cases, the use of this
technology faces multiple security issues that must be addressed.
This is mainly related to the use of RFID tags (transponders)
which are electronic components communicating wirelessly, and
hence they are vulnerable to multiple attacks through several
means. In this work, an extensive fault analysis is performed on
a tag architecture in order to evaluate its hardness. Tens of
millions of single-bit upset (SBU) and multiple-bit upset (MBU)
faults are emulated randomly on this tag architecture using an
FPGA-based emulation platform. The emulated faults are
classified under five groups according to faults effect on the tag
behaviour. The obtained results show the faults effect variation
in function of the number of MBU affected bits. The
interpretation of this variation allows evaluating the tag
robustness. The proposed approach represents an efficient
mean that permits to study tag architectures at the design level
and evaluating their robustness and vulnerability to fault
attacks.
Keywords—RFID, fault injection, fault attacks, emulation,
SEU, SBU, MBU, robustness
I. INTRODUCTION
Radio frequency identification (RFID) technology is used
in several main applications including the internet of things.
In many cases, the deployment of this technology is facing
various challenges relating to authentication, security, and
reliability. The key element of RFID, who is the tag
(transponder), is vulnerable to external disturbance and
susceptible to fault attacks [1]. Therefore, evaluating tag fault
tolerance and its security assessments are required. Fault
analysis represents then a powerful mean that can be used to
evaluate tags robustness and identify tags weak parts.
Single-event upset (SEU) represents a potential fault that
can be occurred in electronic devices resulting from a heavy
particle effect, it affects a storage element by changing its
state. A heavy particle can also introduce a single-event
transient (SET) which occurs in combinational cells as a
transient output pulse. Moreover, as an effect of a heavy
particle, multiple storage elements can change their states and
these occurrences are called multiple-bit upset (MBU) [2].
Estimating SEU, SET sensitivity is a crucial task in safety-
critical circuit design [3].
The purpose of this work is evaluating the robustness of
RFID tags through a deep fault analysis. Almost all reported
works in this field have focused on the practice of side-
channel attacks on tags via several means as well as contact-
based fault injection techniques [1]. Both methods have
demonstrated that fault attacks can effectively break
cryptographic functions embedded into tags. Other
approaches have used FPGA boards to perform fault injection
analysis on a tag [4]. However, all these approaches do not
process thoroughly analysis and deliver weak information
about injected fault effects. A different approach is presented
in [5] where authors use an FPGA board to perform a fault
978-1-7281-5426-8/20/$31.00 ©2020 IEEE
Authorized licensed use limited to: University of Szeged. Downloaded on February 13,2023 at 17:47:44 UTC from IEEE Xplore. Restrictions apply.
Hamimi Chemali
Department of Electronics, University of Setif
Setif, Algeria
analysis on a tag architecture. This analysis included an
exhaustive SEU and SET faults emulation, for a supposed
communication scenario, and led to identify the faults effects
and the tag vulnerable parts. The work presented in this paper
constitutes a continuation of the analysis of [5], but this time,
the targeted analysis covers MBU random emulation in order
to evaluate in advance the tag robustness. Thus, the platform
presented in [5] has been reused in this work including the tag
architecture and the communication scenario.
II. MBU EMULATION
Several random MBU experimentations were realised
with the use of different parameters in order to vary the
maximum number of flip-flops (FFs) targeted by one MBU
injection. Each experimentation is composed of several
emulation cycles and every cycle is processed in four phases:
(1) initialising the two tag–reader pairs, (2) enabling readers
and tags to communicate together for a sufficient period in
order to accomplish the desired scenario. During this time,
MBU fault is effectively introduced randomly into the faulty
tag, (3) collecting and transferring produced results to the host
computer, (4) finally, analysing and saving MBU emulation
results. The adopted communication scenario between the pair
tag–reader is identical to the scenario used in [5].
All tag FFs, 314 in total, were the subject of the performed
MBU experimentations. The number of affected FFs in every
emulation cycle varies randomly from one to twelve.
Consequently, the emulated fault can be a single bit upset
(SBU) when only one FF is affected, or MBU when more than
one FF are affected. When a fault injection is enabled, the fault
injection mechanism takes charge to emulate the SEU effect
on the targeted FFs. These latter are selected randomly from
the whole tag FFs.
Produced MBU emulation results for each emulation cycle
are analysed when received by the computer application, from
the FPGA board, and the emulated MBU is then classified in
five classes according to its effect on the scenario progression
[5]: Silent (S), Frame Alteration (FA), Latent (L), Latent with
Frame Alteration (L&FA) and Failure (F).
III. EMULATION RESULTS
The total number of emulated faults is 75,151,357
combined between SBU and MBU. The experimentations
were setting in a manner to cover all cycle equally of the
communication scenario (about 7,600 cycles). The emulated
faults are grouped in twelve categories (SBU and 2bit-MBU
to 12bit-MBU); each category corresponds to a different
number of affected bits (FFs) in one emulated fault, which
varies, as said, between one and twelve. In order to obtain
valuable results, we experimented more than two million
MBUs for every number of affected bits category. The aim is
to obtain a high fault coverage able to cover, in the case of
SBU, 314 FFs (in space) and 7,600 cycles (in time), that yields
2,386,400 possible cases (314 × 7,600).
 !

Table I presents the number (in millions) of emulated

faults for each fault class according to the number of affected
!
bits category. Because of the random injection mechanism and
the used parameters in each MBU experimentation, we
obtained disparate numbers of emulated faults for each
category. The smallest obtained number is 2,275,854, and it is
achieved for SBU. While the biggest obtained number is for
3bit-MBU and it is around 8,120,000. The number of emulated
MBUs for the other categories varies between four and eight
millions, which represents an acceptable coverage number to
evaluate the tag robustness.
TABLE I. CLASSIFICATION OF EMULATED FAULTS.

Emulated faults Fault classification (in millions)

Affected Number
S FA L L&FA F
bits/MBU (in millions)
SBU (1) 2.27 1.43 0.02 0.30 0.19 0.32
2 5.92 2.47 0.09 1.00 0.84 1.51 Fig. 1. Emulated MBUs classification in function of affected bits
(FFs) number.
3 8.12 2.34 0.11 1.35 1.49 2.81
4 7.74 1.60 0.09 1.16 1.63 3.24 case, we also obtained a good value, which is about 14.18%.
5 7.42 1.14 0.07 0.96 1.69 3.54 Second, the tag is considered more robust when intersection
6 6.75 0.79 0.05 0.74 1.60 3.55 position between Silent and Failure classes does not occur
7 5.42 0.49 0.03 0.50 1.32 3.06 rapidly. In the current case, this intersection occurs just before
8 5.78 0.41 0.03 0.45 1.42 3.45
3bit-MBU and we have only two fault categories before that
(SBU and 2bit-MBU). Additionally, we note that the
9 7.31 0.42 0.03 0.48 1.80 4.56
percentage of MBUs that cause Failure is smaller than 50%
10 7.83 0.36 0.03 0.44 1.92 5.06 until the 6bit-MBU category. We can consider that the tag is
11 6.47 0.24 0.02 0.31 1.58 4.30 more robust when the number of MBU categories in which
12 4.05 0.12 0.01 0.17 0.98 2.75 failures are smaller than 50% is important. Finally, according
Total 75.15 11.87 0.64 7.92 16.52 38.19 to the obtained results and this analysis, we can judge that,
overall, the studied tag showed robust performances but also
The obtained results represent useful data that allow presented some weaknesses.
evaluating the tag fault tolerance; they show the variation of
this tolerance according to the number of MBU affected IV. CONCLUSION
bits. Fig. 1 shows clearly, throughout a set of five curves, this An extensive fault campaign is achieved on the whole FFs
variation where the rates evolution of each fault class is of a tag architecture in order to evaluate its robustness. This
depicted by one curve. We note that the percentage of Silent campaign includes multiple MBUs where the number of
MBUs decreases rapidly when the number of MBU affected affected bits (FFs) varies from two to twelve in addition to
bits rises and it becomes smaller than 10% after 6bit-MBU. On SBU. In total, more than 70 million MBUs were emulated
the opposite, the percentage of MBUs that causes Failure randomly. The adopted mechanism of random fault injection
increases constantly and approaches to 70% when the number led to valuable results. These results show the tag behaviour
of affected bits exceeds 10 bits. For the other fault variation in presence of MBUs through their classification into
classifications, we observe that the rates of Latent class and five classes. Indeed, the results allowed to evaluate the tag
Frame Alteration class increase slightly at 2bit-MBU and 3bit- robustness. The studied tag showed good endurance against
MBU categories, but they decrease after that and drop below MBUs.
5% for the latest categories. The percentage variation of
Latent with Frame Alteration MBUs has a different shape, it REFERENCES
increases from 8% (for SBU) to about 25% (for 7bit-MBU)
[1] M. Hutter, J. M. Schmidt, T. Plos, RFID and its vulnerability to faults,
and remains nearly unchangeable after that. Cryptographic Hardware and Embedded Systems – CHES 2008,
The obtained rates of fault classes for this study are Washington, USA, pp. 363–379.
62.96%, 1.28%, 13.23%, 8.35%, and 14.18% for S, FA, L, [2] A. D. Tipton et al., Multiple-Bit Upset in 130 nm CMOS Technology,
in IEEE Transactions on Nuclear Science, vol. 53, no. 6, pp. 3259-
L&FA and F classes respectively. These rates are analogue 3264, Dec. 2006.
with those obtained by exhaustive SBU fault emulation,
[3] R. Velazco, S. Rezgui, R. Ecoffet, Predicting error rate for
presented in [5], which means that the adopted random microprocessor-based digital architectures through CEU (Code
mechanism for MBU emulation is valuable. Emulating Upsets) injection. IEEE Transactions on Nuclear Science,
47(6) (2000), pp. 2405–2411.
From the obtained results, data that indicate the levels for [4] I. Mezzah, O. Kermia, H. Chemali, O. Abdelmalek, V. Beroulle, D.
which the studied tag architecture is robust are as follows: Hely, Assertion Based On-line Fault Detection Applied on UHF RFID
First, the amount of tolerated SBUs, which includes SBUs Tag, 8th International Design and Test Symposium (IDT), IEEE, 2013,
classified under Silent and Frame Alteration. This amount pp. 1–5.
reached a rate of 64.24%, which represents rather an [5] I. Mezzah, H. Chemali, O. Kermia, Emulation-based fault analysis on
acceptable value. The higher the latter rate, the more the tag is RFID tags for robustness and security evaluation, Microelectronics
Reliability, 2017, vol. 69, pp. 115-125.
considered as robust. The same thing about SBUs who cause
failures, the fewer they are, the more robust is the tag. In our

Authorized licensed use limited to: University of Szeged. Downloaded on February 13,2023 at 17:47:44 UTC from IEEE Xplore. Restrictions apply.