



RUHR-UNIVERSITÄT BOCHUM

## Computer-Aided Verification of Countermeasures against Physical Attacks

Jan Richter-Brockmann, Jakob Feldtkeller, Pascal Sasdrich, Tim Güneysu

16. Januar 2025

Chair for Security Engineering  
Faculty of Computer Science  
Ruhr University Bochum

## Cryptographic Algorithms



## Cryptographic Algorithms



# Physical Attacks



Fault-Injection Attacks



Side-Channel Attacks

# Countermeasures

## Side-Channel Attacks



Masking

## Fault-Injection Attacks



Redundancy

# Research Questions



Combined Attacks



Combined Protection



Formal Verification



# Side-Channel Analysis



# Side-Channel Attacks



(Statistical) analysis to recover processed secret

Measure power consumption during ongoing operation

# Countermeasures against Side-Channel Attacks

$$x = x_0 \oplus x_1 \oplus \dots \oplus x_{s-1}$$

Linear Functions



Non-linear Functions



# Modeling Side-Channel Attacks

## $d$ -probing model [ISW03]



An adversary is given the exact values of up to  $d$  wires of a circuit  $C$ .

## Glitch-extended $d$ -probing model [FGP+18]



An adversary is given the exact values of all synchronization points influencing up to  $d$  wires of a circuit  $C$ .

# Protection by Secure Gadgets

## Insecure Circuit



## Protected Circuit



- Replace insecure gates by secure gadgets
- Share inputs and outputs
- Maintain timing (pipelining)

# Modeling Side-Channel Attacks – Composability

**PNI [BBD+15]**

Probe Non-Interference



$$\underline{d'} \leq d$$

**PSNI [BBD+16]**

Probe Strong Non-Interference



$$\underline{d_1} + \underline{d_2} \leq d$$

**PINI [CS20]**

Probe-Isolating Non-Interference



$$\underline{d_1} + \underline{d_2} \leq d$$

# Fault-Injection Attacks



## Clock Glitches



$$T_{\text{clk}} \geq T_{\text{crit}} + t_{\text{clkq}} + t_{\text{setup}} - \delta$$

# Fault-Injection Attacks [RBSG21]

## Clock Glitches



$$T'_{\text{clk}} < T_{\text{crit}} + t_{\text{clkq}} + t_{\text{setup}} - \delta$$

## Laser Fault Injection



# Fault-Injection Attacks [RBSG21]

## Clock Glitches



$$T'_{\text{clk}} < T_{\text{crit}} + t_{\text{clkq}} + t_{\text{setup}} - \delta$$

## Laser Fault Injection



# Countermeasures against Fault-Injection Attacks

## Duplication



**Detection:**  $k + 1$  instantiations

**Correction:**  $2k + 1$  instantiations

## Linear Error Correcting Codes



**Detection:**  $d_{\min} - 1$

**Correction:**  $\left\lfloor \frac{d_{\min}-1}{2} \right\rfloor$

# Modeling Fault-Injection Attacks [RBSG21]

$$\zeta(n, t, l)$$



# Modeling Fault-Injection Attacks [RBSG21]



# Modeling Fault-Injection Attacks [RBSG21]

$$\zeta(n, t, l)$$



# Modeling Fault-Injection Attacks [RBSG21]

$$\zeta(n, t, l)$$



# Modeling Fault-Injection Attacks – Composability

**FNI [DN20]**

Fault Non-Interference

**FSNI [DN20]**

Fault Strong Non-Interference

**FINI [FRSG22]**

Fault-Isolating Non-Interference



$$\underline{k'} \leq k$$

$$k_1 + \underline{k_2} \leq k$$

$$\underline{k_1} + k_2 \leq k$$

# Combined Attacks



# Modeling Fault-Injection Attacks – Composability

**CNI [DN20]**

Combined Non-Interference

**CSNI [DN20]**

Combined Strong Non-Interference

**ICSNI [DN20]**

Independent Combined Strong Non-Interference



$$\begin{array}{l} d' + k_1 + k_2 \leq d \\ \underline{k_1 + k_2} \leq k \end{array}$$

$$\begin{array}{l} d_1 + d_2 + k_1 + k_2 \leq d \\ \underline{k_1 + k_2} \leq k \end{array}$$

$$\begin{array}{l} d_1 + d_2 \leq d \\ \underline{k_1 + k_2} \leq k \end{array}$$

# Verification



# Verification Concept



# Binary Decision Diagrams (BDDs)

## Advantages using BDDs

- Proposed for testing VLSI circuits
- Symbolic simulation
- Boolean operations are elementary operations
- Efficiently determine number of satisfying assignments
- Checking statistical dependencies
- Comparing golden and faulty circuit models



# Verification Principles for $d$ -Probing [KSM20]

**$d$ -Probing Security.** A circuit  $C$  with secret input set  $X \in \mathbb{F}_2^n$  is  $d$ -probing secure, if and only if for any observation set  $Q$  containing  $d$  wires,  $X$  is statistically independent of the observation set, i.e., the following condition holds:

$$\Pr[Q|X] = \Pr[Q].$$



$$Q = \{P_0, P_1\}$$

$$X' \subseteq X \text{ i.e., } X' \in \{\{a\}, \{b\}, \{a, b\}\}$$

$$p_{Q,X'}(\mathbf{1}, \mathbf{1}) \neq p_Q(\mathbf{1}) \cdot p_{X'}(\mathbf{1}) \rightarrow \text{insecure}$$

# Checking Fault Security on BDDs



Single round of CRAFT protected by linear error correcting codes

$$t = \tau_{bf} \quad l = mc_\infty$$

### 1-bit Protection

|                                                                                  |     |
|----------------------------------------------------------------------------------|-----|
|  | 925 |
|----------------------------------------------------------------------------------|-----|

|                |     |
|----------------|-----|
| $\binom{n}{k}$ | 766 |
|----------------|-----|

|                                                                                  |         |
|----------------------------------------------------------------------------------|---------|
|  | 0.021 s |
|----------------------------------------------------------------------------------|---------|

### 2-bit Protection

|                                                                                   |       |
|-----------------------------------------------------------------------------------|-------|
|  | 1 490 |
|-----------------------------------------------------------------------------------|-------|

|                |         |
|----------------|---------|
| $\binom{n}{k}$ | 329 730 |
|----------------|---------|

|                                                                                   |         |
|-----------------------------------------------------------------------------------|---------|
|  | 1.496 s |
|-----------------------------------------------------------------------------------|---------|

### 3-bit Protection

|                                                                                     |       |
|-------------------------------------------------------------------------------------|-------|
|  | 1 807 |
|-------------------------------------------------------------------------------------|-------|

|                |            |
|----------------|------------|
| $\binom{n}{k}$ | 91 737 144 |
|----------------|------------|

|                                                                                     |         |
|-------------------------------------------------------------------------------------|---------|
|  | 2 937 s |
|-------------------------------------------------------------------------------------|---------|

# Verification of Combined Gadgets [RFSG22]



The gadget has been originally proposed in [DN20] and should be (1,1)-ICSNI.

# VERICA – Verification of Combined Attacks



## Side-Channel Security

$d$ -probing model  
Glitch-extended  $d$ -probing



## Fault Security

Detection strategy  
Correction strategy  
SIFA strategy



## Combined Security

$(d, k)$ -combined security

## Side-Channel Composability

PNI  
PSNI  
PINI

## Fault Composability

FNI  
FSNI  
FINI

## Combined Composability

CNI  
CSNI  
ICNSI



Only unrolled circuits

No transitions nor couplings

Higher-order verifications

Performing exhaustive analyses - exact verification  
for generic unrolled hardware circuits

# Summary



Code and paper are publicly available

<https://github.com/Chair-for-Security-Engineering/VERICA>



## Modeling of Physical Attacks



## Verification of Countermeasures against Physical Attacks



Thank you!

[jan.richter-brockmann@rub.de](mailto:jan.richter-brockmann@rub.de)

# References

- [BBD+15] Gilles Barthe, Sonia Belaïd, François Dupressoir, Pierre-Alain Fouque, Benjamin Grégoire, and Pierre-Yves Strub. *Verified Proofs of Higher-Order Masking*. In EUROCRYPT, pages 457–485, 2015.
- [BBD+16] Gilles Barthe, Sonia Belaïd, François Dupressoir, Pierre-Alain Fouque, Benjamin Grégoire, Pierre-Yves Strub, and Rébecca Zucchini. *Strong Non-Interference and Type-Directed Higher-Order Masking*. In SIGSAC, pages 116–129, 2016.
- [CS20] Gaetan Cassiers and François-Xavier Standaert. *Trivially and Efficiently Composing Masked Gadgets With Probe Isolating Non-Interference*. IEEE Trans. Inf. Forensics Secur., 15:2542–2555, 2020.
- [DDE+20] Joan Daemen, Christoph Dobraunig, Maria Eichlseder, Hannes Groß, Florian Mendel, and Robert Primas. *Protecting against Statistical Ineffective Fault Attacks*. IACR Trans. Cryptogr. Hardw. Embed. Syst., 2020(3):508–543, 2020.
- [DN20] Siemen Dhooghe and Svetla Nikova. *My Gadget Just Cares for Me – How NINA Can Prove Security Against Combined Attacks*. In CT-RSA, volume 12006 of Lecture Notes in Computer Science, pages 35–55. Springer, 2020.
- [FGP+18] Sebastian Faust, Vincent Grosso, Santos Merino Del Pozo, Clara Paglialonga, and François-Xavier Standaert. *Composable Masking Schemes in the Presence of Physical Defaults & the Robust Probing Model*. IACR Trans. Cryptogr. Hardw. Embed. Syst., 2018(3):89–120, 2018.
- [FRSG22] Jakob Feldtkeller, Jan Richter-Brockmann, Pascal Sasdrich, and Tim Güneysu. *CINI MINIS: Domain Isolation for Fault and Combined Security*. CCS, 2022
- [HPB21] Vedad Hadzic, Robert Primas, and Roderick Bloem. *Proving SIFA protection of masked redundant circuits*. In Automated Technology for Verification and Analysis, volume 12971 of Lecture Notes in Computer Science, pages 249–265. Springer, 2021.
- [ISW03] Yuval Ishai, Amit Sahai, and David A. Wagner. *Private Circuits: Securing Hardware against Probing Attacks*. In Dan Boneh, editor, CRYPTO, volume 2729 of Lecture Notes in Computer Science, pages 463–481. Springer, 2003.
- [KSM20] David Knichel, Pascal Sasdrich, and Amir Moradi. *SILVER – Statistical Independence and Leakage Verification*. In ASIACRYPT, volume 12491 of Lecture Notes in Computer Science, pages 787–816. Springer, 2020.
- [RBRSS+21] Jan Richter-Brockmann, Aein Rezaei Shahmirzadi, Pascal Sasdrich, Amir Moradi, and Tim Güneysu. *FIVER – Robust Verification of Countermeasures against Fault Injections*. IACR Trans. Cryptogr. Hardw. Embed. Syst., 2021(4):447–473, Aug. 2021.
- [RBSG21] Jan Richter-Brockmann, Pascal Sasdrich, and Tim Güneysu. *Revisiting Fault Adversary Models - Hardware Faults in Theory and Practice*. Trans. On Computers, 2022
- [RFSG22] Jan Richter-Brockmann, Jakob Feldtkeller, Pascal Sasdrich, and Tim Güneysu. *VERICA - Verification of Combined Attacks: Automated formal verification of security against simultaneous information leakage and tampering*. IACR Trans. Cryptogr. Hardw. Embed. Syst., 2022(4), 2022.
- [SMG16] Tobias Schneider, Amir Moradi, and Tim Güneysu. *ParTI - Towards Combined Hardware Countermeasures Against Side-Channel and Fault-Injection Attacks*. In CRYPTO 2016, volume 9815 of Lecture Notes in Computer Science, pages 302–332. Springer, 2016.

# Modeling Side-Channel Attacks – Composability

**PNI [BBD+15]**

Probe Non-Interference



$$\underline{d'} \leq d$$

**PSNI [BBD+16]**

Probe Strong Non-Interference



$$\underline{d_1} + \underline{d_2} \leq d$$

# Modeling Fault-Injection Attacks – Composability

**FNI [DN20]**  
Fault Non-Interference



$$\underline{k'} \leq k$$

**FSNI [DN20]**  
Fault Strong Non-Interference



$$\underline{k_1} + \underline{k_2} \leq k$$

# Modeling Combined Attacks – Composability

**CNI [DN20]**

Combined Non-Interference

**CSNI [DN20]**

Combined Strong Non-Interference

**ICSNI [DN20]**

Independent Combined Strong Non-Interference



$$\frac{d' + k_1 + k_2 \leq d}{\underline{k_1} + \underline{k_2} \leq k}$$

$$\frac{d_1 + d_2 + k_1 + k_2 \leq d}{\underline{k_1} + \underline{k_2} \leq k}$$

$$\frac{d_1 + d_2 \leq d}{\underline{k_1} + \underline{k_2} \leq k}$$

# Modeling Side-Channel Attacks – Composability

**PINI [CS20]**

Probe-Isolating Non-Interference



$$\underline{d_1 + d_2 \leq d}$$

# Modeling Fault-Injection Attacks – Composability



# Modeling Combined Attacks – Composability

**CINI [FRSG22]**

Combined-Isolating Non-Interference



$$\frac{d_1 + d_2}{k_1 + k_2} \leq k$$

**ICINI [FRSG22]**

Independent Combined-Isolating Non-Interference



$$\frac{d_1 + d_2}{k_1 + k_2} \leq k$$

# PINI Gadget (HPC2)











# Practical Validation

## PRESENT S-box protected by (2, 2)-CINI Gadgets



fault free – 100 million traces



one fault – 100 million traces



two faults – 1 million traces

# Verification Principles in SILVER [KSM20]

**$d$ -Non-Interference.** A circuit  $C$  with secret input set  $X \in \mathbb{F}_2^n$  provides  $d$ -Non-Interference if and only if for any observation set of  $d' \leq d$  wires  $Q$  there exists a set  $S$  of input shares with  $|S|_{\forall i} \leq d'$  such that

$$\Pr[Q|S] = \Pr[Q|Sh(X)].$$



$$Q = \{P_0, P_1\}$$

$$S = \{a_0, a_2, b_1, b_2\}$$

$$Sh(X) = Sh(a, b)$$

# Verification Principles in SILVER [KSM20]

**$d$ -Strong Non-Interference.** A circuit  $C$  with secret input set  $X \in \mathbb{F}_2^n$  provides  $d$ -Strong Non-Interference if and only if for any observation set of  $d' = d_1 + d_2 \leq d$  wires  $Q$  of which  $d_1$  are internal wires and  $d_2$  are output wires, there exists a simulation set  $S$  of input shares with  $|S|_{\forall i} \leq d_1$  such that

$$\Pr[Q|S] = \Pr[Q|Sh(X)].$$



$$Q = \{P_0, P_1\}$$

$$S = \{a_0, b_1\}$$

$$Sh(X) = Sh(a, b)$$

# Verification Principles in SILVER [KSM20]

**$d$ -Probe-Isolating Non-Interference.** Let  $P$  be the set of internal probes with  $|P| = d_1$ . Let further  $I_O$  be the index set assigned to the probed output wires  $O$  with  $|I_O| = d_2$ .

A circuit  $C$  with secret input set  $X \in \mathbb{F}_2^n$  provides  $d$ -Probe-Isolating Non-Interference if and only if for every  $P$  and  $O$  with  $d_1 + d_2 \leq d$  there exists a set  $I_I$  of circuit indices with  $|I_I| \leq d_1$  such that  $Q = P \cup O$  can be perfectly simulated by  $S = Sh(X)^{I_I \cup I_O}$ , i.e., it holds that

$$\Pr[Q|S] = \Pr[Q|Sh(X)].$$



$$Q = \{P_0, P_1\}$$

$$S = \{a_0, a_2, b_0, b_2\}$$

$$Sh(X) = Sh(a, b)$$

# Complexity Reduction in FIVER

**Algorithm 10** Complexity Reduction.

**Require:** Golden circuit model  $\mathbf{D}$ , set of valid fault location (nodes)  $\Lambda$

**Ensure:** Set of reduced fault locations  $\Lambda_{\text{red}}$

```

1:  $\Sigma \leftarrow \emptyset$ ,  $\Lambda_{\text{red}} \leftarrow \emptyset$ 
2: for  $\forall d \in \mathbf{D}$  do
3:   if  $\text{type}(d) = \text{reg}$  or  $\text{type}(d) = \text{out}$  then
4:      $\Sigma \leftarrow \Sigma \cup d$ 
5:     if  $d \in \Lambda$  then
6:        $\Lambda_{\text{red}} \leftarrow \Lambda_{\text{red}} \cup d$ 
7:     end if
8:   end if
9: end for
10: for  $\sigma \in \Sigma$  do
11:    $\Lambda_{\text{red}} \leftarrow \Lambda_{\text{red}} \cup \text{node\_in}(\sigma)$ 
12:    $\Phi \leftarrow \sigma$ 
13:
14:   while  $\Phi \neq \emptyset$  do
15:      $\alpha \leftarrow \Phi[0]$ , delete( $\Phi[0]$ )
16:     for  $\forall n \in \text{node\_in}(\sigma)$  do
17:       if  $\text{type}(n) \neq \text{reg}$  and  $\text{type}(n) \neq \text{in}$  then
18:          $\Phi \leftarrow \Phi \cup n$ 
19:       end if
20:       if  $\text{out\_degree}(\alpha) > 1$  and  $\alpha \in \Lambda$  and  $\alpha \notin \Lambda_{\text{red}}$  then
21:          $\Lambda_{\text{red}} \leftarrow \Lambda_{\text{red}} \cup \alpha$ 
22:       end if
23:     end for
24:   end while
25: end for

```



# Case Studies from FIVER

| Redundancy<br>(Capability*)<br>[bits]              | Verification Parameter    |                   | Design Properties |            |              | Analysis Results |               |            |
|----------------------------------------------------|---------------------------|-------------------|-------------------|------------|--------------|------------------|---------------|------------|
|                                                    | $\zeta(n, t, l)$          | Variate Reduction | Comb. Gates       | Seq. Gates | Logic Stages | Combinations     | Time [s]      | Security   |
| <b>CRAFT – 1 round (detection)</b>                 |                           |                   |                   |            |              |                  |               |            |
| 1 (1)                                              | $\zeta(1, \tau_{bf}, cs)$ | univariate        | no                | 845        | 80           | 2                | 766           | 0.021 ✓    |
| 1 (1)                                              | $\zeta(2, \tau_{bf}, cs)$ | univariate        | no                | 845        | 80           | 2                | 151 561       | 0.769 ✗    |
| 3 (2)                                              | $\zeta(2, \tau_{bf}, cs)$ | univariate        | no                | 1 410      | 112          | 2                | 329 730       | 1.496 ✓    |
| 3 (2)                                              | $\zeta(3, \tau_{bf}, cs)$ | univariate        | no                | 1 410      | 112          | 2                | 64 320 469    | 441 ✗      |
| 4 (3)                                              | $\zeta(3, \tau_{bf}, cs)$ | univariate        | no                | 1 679      | 128          | 2                | 91 737 144    | 2 937 ✓    |
|                                                    |                           |                   | yes               | 1 679      | 128          | 2                | 4 665 200     | 360 ✓      |
| <b>CRAFT – 2 rounds (detection)</b>                |                           |                   |                   |            |              |                  |               |            |
| 1 (1)                                              | $\zeta(1, \tau_{bf}, cs)$ | univariate        | no                | 1 571      | 160          | 3                | 1 491         | 0.378 ✓    |
| 1 (1)                                              | $\zeta(2, \tau_{bf}, cs)$ | univariate        | no                | 1 571      | 160          | 3                | 417 882       | 62 ✗       |
| 3 (2)                                              | $\zeta(2, \tau_{bf}, cs)$ | univariate        | no                | 2 526      | 224          | 3                | 868 500       | 157 ✓      |
| 3 (2)                                              | $\zeta(3, \tau_{bf}, cs)$ | univariate        | no                | 2 526      | 224          | 3                | 250 984 950   | $\infty$ – |
|                                                    |                           |                   | yes               | 2 526      | 224          | 3                | 7 364 279     | 408 ✗      |
| <b>CRAFT – 2 rounds – multivariate (detection)</b> |                           |                   |                   |            |              |                  |               |            |
| 1 (1)                                              | $\zeta(1, \tau_{bf}, cs)$ | bivariate         | no                | 1 720      | 160          | 3                | 682 832       | 140 ✓      |
| 1 (1)                                              | $\zeta(1, \tau_{bf}, cs)$ | trivariate        | yes               | 1 720      | 160          | 3                | 99 542 528    | 26 955 ✓   |
| 3 (2)                                              | $\zeta(2, \tau_{sr}, s)$  | bivariate         | no                | 2 915      | 224          | 3                | 38 651 200    | 81 897 ✓   |
| <b>CRAFT – 1 round (correction)</b>                |                           |                   |                   |            |              |                  |               |            |
| 3 (1)                                              | $\zeta(1, \tau_{bf}, cs)$ | univariate        | no                | 2 868      | 112          | 2                | 2 788         | 0.081 ✓    |
| 3 (1)                                              | $\zeta(2, \tau_{bf}, cs)$ | univariate        | no                | 2 868      | 112          | 2                | 3 201 690     | 22 ✗       |
| 7 (2)                                              | $\zeta(2, \tau_{bf}, cs)$ | univariate        | no                | 17 460     | 176          | 2                | 129 651 034   | 3 543 ✓    |
|                                                    |                           |                   | yes               | 17 460     | 176          | 2                | 10 923 888    | 130 ✓      |
| <b>LED-64 – 1 round (detection)</b>                |                           |                   |                   |            |              |                  |               |            |
| 1 (1)                                              | $\zeta(1, \tau_{bf}, cs)$ | univariate        | no                | 1 541      | 0            | 1                | 1 301         | 0.064 ✓    |
| 1 (1)                                              | $\zeta(2, \tau_{bf}, cs)$ | univariate        | no                | 1 541      | 0            | 1                | 846 951       | 9.558 ✗    |
| 3 (2)                                              | $\zeta(2, \tau_{bf}, cs)$ | univariate        | no                | 2 435      | 0            | 1                | 1 730 730     | 27 ✓       |
| 3 (2)                                              | $\zeta(3, \tau_{bf}, cs)$ | univariate        | no                | 2 435      | 0            | 1                | 1 072 477 550 | 12 722 ✗   |
| 4 (3)                                              | $\zeta(3, \tau_{bf}, cs)$ | univariate        | no                | 2 916      | 0            | 1                | 1 654 087 449 | 17 348 ✓   |
|                                                    |                           |                   | yes               | 2 916      | 0            | 1                | 3 983 413     | 94 ✓       |
| <b>AES-128 – 1 round (detection)</b>               |                           |                   |                   |            |              |                  |               |            |
| 1 (1)                                              | $\zeta(1, \tau_{bf}, cs)$ | univariate        | no                | 24 864     | 0            | 1                | 24 432        | 22 ✓       |
| 4 (2)                                              | $\zeta(2, \tau_{bf}, cs)$ | univariate        | no                | 34 159     | 0            | 1                | 298 473 528   | $\infty$ – |
|                                                    |                           |                   | yes               | 34 159     | 0            | 1                | 56 632 584    | 471 281 ✓  |

\* The capability determines the maximum number of faults that can be detected or corrected by the corresponding countermeasure.

# Case Studies from VERICA – Combined Gadgets

| Gadget  | Design |     |       |       |        | SCA |      |          | FIA |      |         | Combined      |          |
|---------|--------|-----|-------|-------|--------|-----|------|----------|-----|------|---------|---------------|----------|
|         | $d$    | $k$ | rand. | comb. | memory | PNI | PSNI | Time     | FNI | FSNI | Time    | $(d, k)$      | Time     |
| NINA    | 1      | 1   | 0     | 4     | 0      | 1✓  | –    | 0.460 s  | 1✓  | –    | 0.429 s | (1,1)✓        | 0.430 s  |
| NINA    | 1      | 2   | 0     | 6     | 0      | 1✓  | –    | 0.455 s  | 2✓  | –    | 0.445 s | (1,2)✓        | 0.492 s  |
| NINA    | 2      | 1   | 0     | 6     | 0      | 2✓  | –    | 0.471 s  | 1✓  | –    | 0.451 s | (2,1)✓        | 0.436 s  |
| NINA    | 2      | 2   | 0     | 9     | 0      | 2✓  | –    | 0.442 s  | 2✓  | –    | 0.444 s | (2,2)✓        | 0.442 s  |
| SNINA   | 1      | 1   | 1     | 22    | 16     | –   | 1✓   | 0.476 s  | –   | 1✓   | 0.449 s | (1,1)✓        | 0.473 s  |
| SNINA   | 1      | 2   | 1     | 38    | 26     | –   | 1✓   | 0.451 s  | –   | 2✓   | 0.500 s | (1,2)✓        | 0.519 s  |
| SNINA   | 2      | 1   | 3     | 57    | 33     | –   | 2✓   | 0.566 s  | –   | 1✓   | 0.456 s | (2,1)✗/(1,1)✓ | 0.592 s  |
| SNINA   | 2      | 2   | 3     | 96    | 54     | –   | 2✓   | 0.821 s  | –   | 2✓   | 0.673 s | (2,2)✗/(1,1)✓ | 1.062 s  |
| SININA  | 1      | 1   | 2     | 90    | 30     | –   | 1✓   | 0.450 s  | –   | 1✓   | 0.461 s | (1,1)✗/(0,0)✓ | 0.456 s  |
| SININA  | 1      | 2   | 3     | 360   | 50     | –   | 1✓   | 0.555 s  | –   | 2✓   | 1.395 s | (1,2)✗/(0,0)✓ | 17.985 s |
| SININA  | 2      | 1   | 6     | 207   | 63     | –   | 2✓   | 1.334 s  | –   | 1✓   | 0.511 s | (2,1)✗/(0,0)✓ | 73.574 s |
| SININA* | 2      | 2   | 9     | 825   | 105    | –   | 2✓   | 76.030 s | –   | 2✓   | 5.300 s | (2,2)✗/(0,0)✓ | >2.7 h   |

\* Due to the high verification complexity, we interrupted the combined analysis after testing (2, 1)-SININA where VERICA already reported a failure.

# Case Studies from VERICA – SNINA Flaw



# Case Studies from VERICA – ParTI

| <b>Implementation</b>    | <b>Design</b> |        | $\zeta(0, \tau_{sr}, mc_\infty)$ |             | $\zeta(1, \tau_{sr}, mc_\infty)$ |               |
|--------------------------|---------------|--------|----------------------------------|-------------|----------------------------------|---------------|
|                          | comb.         | memory | Det./Corr.                       | Prob.       | Det./Corr.                       | Prob.         |
| ParTI S-box (Detection)  | 678           | 78     | –                                | 1✓[0.866 s] | 1✓[1.010 s]                      | 0✗[1.950 s]   |
| ParTI S-box (Correction) | 2063          | 72     | –                                | 1✓[4.103 s] | 1✓[3.677 s]                      | 0✗[336.239 s] |

# Case Studies from VERICA – SIFA

| <b>Implementation</b>        | <b>Design</b> |      | $\zeta(0, \tau_{sr}, mc_\infty)$ |             | $\zeta(1, \tau_{sr}, mc_\infty)$ |              | $\zeta(2, \tau_{sr}, mc_\infty)$ |            |
|------------------------------|---------------|------|----------------------------------|-------------|----------------------------------|--------------|----------------------------------|------------|
|                              | comb.         | mem. | SIFA                             | Prob.       | SIFA                             | Prob.        | SIFA                             | Prob.      |
| $p_{TS}$                     | 8             | 6    | –                                | 1✓[0.47 s]  | 1✓[0.45 s]                       | 1✓[0.45 s]   | 1✗[0.46 s]                       | 1✓[0.44 s] |
| $p_{\chi S}$                 | 10            | 6    | –                                | 1✓[0.45 s]  | 1✓[0.44 s]                       | 1✓[0.45 s]   | 1✗[0.46 s]                       | 1✓[0.45 s] |
| $\chi_3$                     | 30            | 30   | –                                | 1✓[0.43 s]  | 1✓[0.46 s]                       | 0✗[0.46 s]   | 1✗[0.46 s]                       | 0✗[0.49 s] |
| $\chi_5$                     | 52            | 42   | –                                | 1✓[0.44 s]  | 1✓[0.48 s]                       | 0✗[0.44 s]   | 1✗[0.48 s]                       | 0✗[0.54 s] |
| AES S-box, $g_{104}$ [HPB21] | 631           | 0    | –                                | 0✗[13.80 s] | 0✗[194.89 s]                     | 0✗[191.93 s] | [∞]                              | [∞]        |
| AES S-box, full [HPB21]      | 634           | 0    | –                                | 0✗[13.90 s] | 1✓[194.58 s]                     | 0✗[194.70 s] | [∞]                              | [∞]        |

# Case Studies from CINI – Gadgets

| Gadget           | Design |   |       |       |      | Verification |       |               |            |
|------------------|--------|---|-------|-------|------|--------------|-------|---------------|------------|
|                  | d      | k | rand. | comb. | reg. | area [GE]    | Def.  | (d, k)        | Time       |
| Detect           | –      | 1 | 0     | 3     | 0    | 4.7          | FINI  | (0, 1)✓       | 0.387 s    |
|                  | –      | 2 | 0     | 6     | 0    | 9            |       | (0, 2)✓       | 0.397 s    |
|                  | –      | 3 | 0     | 13    | 0    | 15           |       | (0, 3)✓       | 0.429 s    |
|                  | –      | 4 | 0     | 18    | 0    | 19.7         |       | (0, 4)✓       | 1.280 s    |
| Correct          | –      | 1 | 0     | 15    | 0    | 17           | FINI  | (0, 1)✓       | 0.383 s    |
|                  | –      | 2 | 0     | 75    | 0    | 98.3         |       | (0, 2)✓       | 0.445 s    |
|                  | –      | 3 | 0     | 147   | 0    | 194.3        |       | (0, 3)✓       | 16.501 s   |
|                  | –      | 4 | 0     | 297   | 0    | 390          |       | (0, 4)✓       | 6.24 h     |
| HPC <sub>T</sub> | 1      | 1 | 2     | 78    | 24   | 238          | CINI  | (1, 1)✓       | 0.409 s    |
|                  | 2      | 1 | 6     | 189   | 54   | 567          |       | (2, 1)✓       | 0.485 s    |
|                  | 3      | 1 | 12    | 356   | 96   | 1 032        |       | (3, 1)✓       | 39.544 s   |
|                  | 1      | 2 | 2     | 340   | 40   | 685          |       | (1, 2)✓       | 1.490 s    |
|                  | 2      | 2 | 6     | 795   | 90   | 1 595        |       | (2, 2)✓       | 6.321 s    |
|                  | 3      | 2 | 12    | 1 420 | 160  | 2 860        |       | (3, 2)✓       | 4.662 min  |
|                  | 1      | 3 | 2     | 590   | 56   | 1 087        |       | (1, 3)✓       | 16.817 min |
|                  | 2      | 3 | 6     | 1 362 | 126  | 2 502        |       | (2, 3)✓       | 3.897 h    |
|                  | 3      | 3 | 12    | 2 456 | 224  | 4 509        |       | *             | ∞          |
| HPC <sub>C</sub> | 1      | 1 | 1     | 66    | 36   | 294          | CINI  | (1, 1)✓       | 0.389 s    |
|                  | 2      | 1 | 3     | 189   | 90   | 768          |       | (2, 1)✓       | 0.775 s    |
|                  | 1      | 2 | 1     | 210   | 60   | 640          |       | (1, 2)✓       | 0.804 s    |
|                  | 2      | 2 | 3     | 615   | 150  | 1 730        |       | (2, 2)✓       | 5.643 s    |
|                  | 3      | 1 | 6     | 372   | 168  | 1 460        |       | (3,1)✗/(2,1)✓ | 18.386 h   |
| HPC <sub>I</sub> | 1      | 1 | 2     | 78    | 24   | 240          | ICINI | (1, 1)✓       | 0.397 s    |
|                  | 2      | 1 | 6     | 189   | 54   | 573          |       | (2, 1)✓       | 4.329 s    |
|                  | 3      | 1 | 12    | 356   | 96   | 1 044        |       | *             | ∞          |
|                  | 1      | 2 | 4     | 360   | 40   | 728          |       | (1, 2)✓       | 7.153 s    |
|                  | 2      | 2 | 12    | 855   | 90   | 1 725        |       | *             | ∞          |
|                  | 3      | 2 | 24    | 1 540 | 160  | 3 120        |       | *             | ∞          |
|                  | 1      | 3 | 6     | 646   | 56   | 1 203        |       | (1, 3)✓       | 4.743 h    |
|                  | 2      | 3 | 18    | 1 530 | 126  | 2 852        |       | *             | ∞          |
|                  | 3      | 3 | 36    | 2 792 | 224  | 5 209        |       | *             | ∞          |

\* Due to the extensive amount of combinations, these gadgets could not be verified with VERICA.

# Welsh's *t*-test

$$t = \frac{\mu_0 - \mu_1}{\sqrt{\frac{\sigma_0^2}{n_0} + \frac{\sigma_1^2}{n_1}}}$$

**Welsh's *t*-test is used to validate the null hypothesis.**

# Differential Power Analysis (DPA)



[MOP08] Power analysis attacks: Revealing the secrets of smart cards.

## Clock Glitches



$$T_{\text{clk}} \geq T_{\text{crit}} + t_{\text{clkq}} + t_{\text{setup}} - \delta$$

# Fault-Injection Attacks [RBSG21]

## Clock Glitches



$$T'_{\text{clk}} < T_{\text{crit}} + t_{\text{clkq}} + t_{\text{setup}} - \delta$$

## Underpowering and Voltage Glitches



$$t_{pLH} = \frac{C_L \cdot \left[ \frac{2|V_{TH2}|}{|V_{DD}| - |V_{TH2}|} + \ln \left( 3 - \frac{4|V_{TH2}|}{V_{DD}} \right) \right]}{\mu_p C_{OX} \left( \frac{W}{L} \right)_2 (V_{DD} - |V_{TH2}|)}$$

# Fault-Injection Attacks [RBSG21]

## Electromagnetic Pulses



## Laser Fault Injection



# Fault-Injection Attacks [RBSG21]

## Electromagnetic Pulses



## Laser Fault Injection



# Fault-Injection Mechanisms – Temperature



$$t_{PLH} = \frac{C_L \cdot \left[ \frac{2|V_{TH2}|}{V_{DD} - |V_{TH2}|} + \ln \left( 3 - \frac{4|V_{TH2}|}{V_{DD}} \right) \right]}{\mu_p C_{OX} \left( \frac{W}{L} \right)_2 (V_{DD} - |V_{TH2}|)}$$



[R08] Fundamentals of microelectronics.

# Details about the Location Parameter



$$\mathcal{P} = \{t_0, t_1, \dots, t_{T-1}\}$$

where  $t_0 > t_1 > \dots > t_{T-1}$  and  $T \leq |\mathcal{G}_{\text{regin}}|$

$$\mathcal{G}_{\text{cluster},i} = \{g \in \mathcal{G}_{\text{regin}} \mid t(g) \geq t_i, t_i \in \mathcal{P}\}$$

$$\mathcal{G}_{\text{cluster},0} = \{g_9\}$$

$$\mathcal{G}_{\text{cluster},1} = \{g_3, g_5, g_6\} \cup \{g_9\}$$

$$\mathcal{G}_{\text{cluster},2} = \{g_0\} \cup \{g_3, g_5, g_6\} \cup \{g_9\}$$

$$c_\infty = \{g_0, g_1, g_2, g_3, g_4, g_5, g_6, g_7, g_8, g_9\}$$

# Fault Injections in CMOS Gates – AND



$\{and\} \mapsto \{or, set, reset\}$

# Fault Injections in CMOS Gates – XOR



$\{and\} \mapsto \{nand, or, set, reset\}$



















