

# SIFA on Nonce-based Authenticated Encryption: When does it fail? Application to Ascon

Viet-Sang Nguyen

joint work with Vincent Grosso and Pierre-Louis Cayrel

SESAM Seminars  
Saint-Étienne, 3 July 2025



# What is SIFA?



# What is SIFA?



## Statistical Ineffective FAttack

# What is SIFA?



## Statistical Ineffective FAttack

But what is it exactly?



# Example on AES

- ◆ State: 4x4 bytes



- ◆ Operations in a round:
  - ▶ SB: SubBytes
  - ▶ SR: ShiftRows
  - ▶ MC: MixColumns
  - ▶ ARK: AddRoundKey

# Example on AES

---

# Example on AES

---

- ◆ Choose an intermediate value  $\nu$

# Example on AES

---

- ◆ Choose an intermediate value  $\nu$
- ◆ Cause  $\nu$  biased by faults  
(e.g., stuck-at-0)

# Example on AES

- ◆ Choose an intermediate value  $v$
- ◆ Cause  $v$  biased by faults  
(e.g., stuck-at-0)



# Example on AES

- ◆ Choose an intermediate value  $v$
- ◆ Cause  $v$  biased by faults  
(e.g., stuck-at-0)



# Example on AES

- ◆ Choose an intermediate value  $v$
- ◆ Cause  $v$  biased by faults  
(e.g., stuck-at-0)



# Example on AES

- ◆ Choose an intermediate value  $v$
- ◆ Cause  $v$  biased by faults  
(e.g., stuck-at-0)



# Example on AES

- ◆ Choose an intermediate value  $v$
- ◆ Cause  $v$  biased by faults  
(e.g., stuck-at-0)
- ◆ Collect a number of ciphertexts



# Example on AES

- ◆ Choose an intermediate value  $v$
- ◆ Cause  $v$  biased by faults  
(e.g., stuck-at-0)
- ◆ Collect a number of ciphertexts
- ◆ Key recovery: 😈



# Example on AES

- ◆ Choose an intermediate value  $v$
- ◆ Cause  $v$  biased by faults  
(e.g., stuck-at-0)
- ◆ Collect a number of ciphertexts
- ◆ Key recovery:  
▶ Guess 4 key bytes, compute  $v$



# Example on AES

- ◆ Choose an intermediate value  $\nu$
- ◆ Cause  $\nu$  biased by faults  
(e.g., stuck-at-0)
- ◆ Collect a number of ciphertexts
- ◆ Key recovery:  
▶ Guess 4 key bytes, compute  $\nu$   
▶ If **correct** key guess,  $\nu$  is **biased**



# Example on AES

- ◆ Choose an intermediate value  $v$
- ◆ Cause  $v$  biased by faults  
(e.g., stuck-at-0)
- ◆ Collect a number of ciphertexts
- ◆ Key recovery:  
  - ▶ Guess 4 key bytes, compute  $v$
  - ▶ If **correct** key guess,  $v$  is **biased**
  - ▶ If **wrong** key guess,  $v$  is **uniform**



# Example on AES

- ◆ Choose an intermediate value  $v$
- ◆ Cause  $v$  biased by faults  
(e.g., stuck-at-0)
- ◆ Collect a number of ciphertexts
- ◆ Key recovery:  
  - ▶ Guess 4 key bytes, compute  $v$
  - ▶ If **correct** key guess,  $v$  is **biased**
  - ▶ If **wrong** key guess,  $v$  is **uniform**



Statistical Fault Attack (SFA) by Fuhr et al., 2013

# Example on AES

- ◆ Choose an intermediate value  $v$
- ◆ Cause  $v$  biased by faults  
(e.g., stuck-at-0)
- ◆ Collect a number of ciphertexts
- ◆ Key recovery:  
  - ▶ Guess 4 key bytes, compute  $v$
  - ▶ If **correct** key guess,  $v$  is **biased**
  - ▶ If **wrong** key guess,  $v$  is **uniform**



Statistical Fault Attack (SFA) by Fuhr et al., 2013

- ◆ Choose an intermediate value  $v$
- ◆ Cause  $v$  biased by faults  
(e.g., stuck-at-0)
- ◆ Collect a number of ciphertexts



# When a countermeasure is used...

- ◆ Choose an intermediate value  $v$
- ◆ Cause  $v$  biased by faults  
(e.g., stuck-at-0)
- ◆ Collect a number of ciphertexts



# When a countermeasure is used...

- ◆ Choose an intermediate value  $v$
- ◆ Cause  $v$  biased by faults  
(e.g., stuck-at-0)
- ◆ Collect a number of ciphertexts



# When a countermeasure is used...

- ◆ Choose an intermediate value  $v$
- ◆ Cause  $v$  biased by faults  
(e.g., stuck-at-0)
- ◆ Collect a number of ciphertexts
- ◆ Key recovery (still works): 😈
  - ▶ Guess 4 key bytes, compute  $v$
  - ▶ If **correct** key guess,  $v$  is **biased**
  - ▶ If **wrong** key guess,  $v$  is **uniform**



# When a countermeasure is used...

- ◆ Choose an intermediate value  $v$
- ◆ Cause  $v$  biased by faults  
(e.g., stuck-at-0)
- ◆ Collect a number of ciphertexts
- ◆ Key recovery (still works): 😈
  - ▶ Guess 4 key bytes, compute  $v$
  - ▶ If **correct** key guess,  $v$  is **biased**
  - ▶ If **wrong** key guess,  $v$  is **uniform**



all = correct + faulty

Statistical Ineffective Fault Attack (SIFA)  
by Dobraunig et al., 2018

# Ineffective faults

---

# Ineffective faults

---

- ◆ Consider 2-bit values

# Ineffective faults

---

- ◆ Consider 2-bit values

$$x \xrightarrow{\text{stuck-at-0}} x'$$

# Ineffective faults

- ◆ Consider 2-bit values

$$x \xrightarrow{\text{stuck-at-0}} x'$$

|     | $x'$ |    |    |    |
|-----|------|----|----|----|
|     | 00   | 01 | 10 | 11 |
| $x$ | 00   | 01 | 10 | 11 |

# Ineffective faults

- Consider 2-bit values

$$x \xrightarrow{\text{stuck-at-0}} x'$$

$$00 \xrightarrow{\text{stuck-at-0}} 00 \quad \text{Probability: 1}$$

|     |    | $x'$ |    |    |    |
|-----|----|------|----|----|----|
|     |    | 00   | 01 | 10 | 11 |
| $x$ | 00 | 1    | 0  | 0  | 0  |
|     | 01 | 0    | 1  | 0  | 0  |
| 10  | 0  | 0    | 1  | 1  | 0  |
| 11  | 0  | 0    | 0  | 1  | 1  |

# Ineffective faults

- Consider 2-bit values

$$x \xrightarrow{\text{stuck-at-0}} x'$$

$$00 \xrightarrow{\text{stuck-at-0}} 00 \quad \text{Probability: 1}$$

|     |    | $x'$ |    |    |    |
|-----|----|------|----|----|----|
|     |    | 00   | 01 | 10 | 11 |
| $x$ | 00 | 1    |    |    |    |
|     | 01 |      |    |    |    |
|     | 10 |      |    |    |    |
|     | 11 |      |    |    |    |

# Ineffective faults

- Consider 2-bit values

$$x \xrightarrow{\text{stuck-at-0}} x'$$



| $x$ | $x'$ |
|-----|------|
| 00  | 00   |
| 01  | 01   |
| 10  | 10   |
| 11  | 11   |

# Ineffective faults

- Consider 2-bit values

$$x \xrightarrow{\text{stuck-at-0}} x'$$



|    | $x'$ |    |    |    |
|----|------|----|----|----|
|    | 00   | 01 | 10 | 11 |
| 00 | 1    |    |    |    |
| 01 | 1    |    |    |    |
| 10 | 1    |    |    |    |
| 11 | 1    |    |    |    |

# Ineffective faults

- Consider 2-bit values

$$x \xrightarrow{\text{stuck-at-0}} x'$$

|     |                                   |    |                |
|-----|-----------------------------------|----|----------------|
| 00  | $\xrightarrow{\text{stuck-at-0}}$ | 00 | Probability: 1 |
| $x$ | $\xrightarrow{\text{stuck-at-0}}$ | 00 | Probability: 1 |
| 00  | $\xrightarrow{\text{stuck-at-0}}$ | 01 | Probability: 0 |

|    | 00 | 01 | 10 | 11 |
|----|----|----|----|----|
| 00 | 1  |    |    |    |
| 01 |    | 1  |    |    |
| 10 |    |    | 1  |    |
| 11 |    |    |    | 1  |

# Ineffective faults

- Consider 2-bit values

$$x \xrightarrow{\text{stuck-at-0}} x'$$

|     |                                   |    |                |
|-----|-----------------------------------|----|----------------|
| 00  | $\xrightarrow{\text{stuck-at-0}}$ | 00 | Probability: 1 |
| $x$ | $\xrightarrow{\text{stuck-at-0}}$ | 00 | Probability: 1 |
| 00  | $\xrightarrow{\text{stuck-at-0}}$ | 01 | Probability: 0 |

|    | 00 | 01 | 10 | 11 |
|----|----|----|----|----|
| 00 | 1  | 0  |    |    |
| 01 |    | 1  |    |    |
| 10 |    |    | 1  |    |
| 11 |    |    | 1  |    |

# Ineffective faults

- Consider 2-bit values

$x \xrightarrow{\text{stuck-at-0}} x'$

$00 \xrightarrow{\text{stuck-at-0}} 00$

Probability: 1

$x \xrightarrow{\text{stuck-at-0}} 00$

Probability: 1

$00 \xrightarrow{\text{stuck-at-0}} 01$

Probability: 0

$x \xrightarrow{\text{stuck-at-0}} x' \neq 00$

Probability: 0

|     |    | $x'$ |    |    |    |
|-----|----|------|----|----|----|
|     |    | 00   | 01 | 10 | 11 |
| $x$ | 00 | 1    | 0  |    |    |
|     | 01 |      | 1  |    |    |
|     | 10 |      | 1  |    |    |
|     | 11 |      | 1  |    |    |

# Ineffective faults

- Consider 2-bit values

$x \xrightarrow{\text{stuck-at-0}} x'$

$00 \xrightarrow{\text{stuck-at-0}} 00$

Probability: 1

$x \xrightarrow{\text{stuck-at-0}} 00$

Probability: 1

$00 \xrightarrow{\text{stuck-at-0}} 01$

Probability: 0

$x \xrightarrow{\text{stuck-at-0}} x' \neq 00$

Probability: 0

|  |  | $x'$ |    |    |    |   |
|--|--|------|----|----|----|---|
|  |  | 00   | 01 | 10 | 11 |   |
|  |  | 00   | 1  | 0  | 0  | 0 |
|  |  | 01   | 1  | 0  | 0  | 0 |
|  |  | 10   | 1  | 0  | 0  | 0 |
|  |  | 11   | 1  | 0  | 0  | 0 |

# Ineffective faults

- Consider 2-bit values

$x \xrightarrow{\text{stuck-at-0}} x'$

|     |                                   |              |                |
|-----|-----------------------------------|--------------|----------------|
| 00  | $\xrightarrow{\text{stuck-at-0}}$ | 00           | Probability: 1 |
| $x$ | $\xrightarrow{\text{stuck-at-0}}$ | 00           | Probability: 1 |
| 00  | $\xrightarrow{\text{stuck-at-0}}$ | 01           | Probability: 0 |
| $x$ | $\xrightarrow{\text{stuck-at-0}}$ | $x' \neq 00$ | Probability: 0 |



biased distribution of ineffective faults

# SIFA on Nonce-based Authenticated Encryption

## Fault Attacks on Nonce-based Authenticated Encryption: Application to Keyak and Ketje

Christoph Dobraunig<sup>1</sup>, Stefan Mangard<sup>1</sup>, Florian Mendel<sup>2</sup>, and Robert Primas<sup>1</sup>

<sup>1</sup> Graz University of Technology, Austria

[first.last@iaik.tugraz.at](mailto:first.last@iaik.tugraz.at)

<sup>2</sup> Infineon Technologies AG, Germany

[florian.mendel@infineon.com](mailto:florian.mendel@infineon.com)

# Dobraunig et al., 2019

---

- ◆ Proposed generic strategy to apply SIFA on Nonce-based AE

## Fault Attacks on Nonce-based Authenticated Encryption: Application to Keyak and Ketje

Christoph Dobraunig<sup>1</sup>, Stefan Mangard<sup>1</sup>, Florian Mendel<sup>2</sup>, and Robert Primas<sup>1</sup>

<sup>1</sup> Graz University of Technology, Austria

[first.last@iaik.tugraz.at](mailto:first.last@iaik.tugraz.at)

<sup>2</sup> Infineon Technologies AG, Germany

[florian.mendel@infineon.com](mailto:florian.mendel@infineon.com)

# Dobraunig et al., 2019

---

- ◆ Proposed generic strategy to apply SIFA on Nonce-based AE
- ◆ Demonstrated on 2 ciphers

## Fault Attacks on Nonce-based Authenticated Encryption: Application to Keyak and Ketje

Christoph Dobraunig<sup>1</sup>, Stefan Mangard<sup>1</sup>, Florian Mendel<sup>2</sup>, and Robert Primas<sup>1</sup>

<sup>1</sup> Graz University of Technology, Austria

[first.last@iaik.tugraz.at](mailto:first.last@iaik.tugraz.at)

<sup>2</sup> Infineon Technologies AG, Germany

[florian.mendel@infineon.com](mailto:florian.mendel@infineon.com)

# Dobraunig et al., 2019

---

- ◆ Proposed generic strategy to apply SIFA on Nonce-based AE

## Fault Attacks on Nonce-based Authenticated Encryption: Application to Keyak and Ketje

Christoph Dobraunig<sup>1</sup>, Stefan Mangard<sup>1</sup>, Florian Mendel<sup>2</sup>, and Robert Primas<sup>1</sup>

- ◆ Demonstrated on 2 ciphers

- ◆ Conjectured that this attack strategy is applicable to Ascon (new standard)

<sup>1</sup> Graz University of Technology, Austria

[first.last@iaik.tugraz.at](mailto:first.last@iaik.tugraz.at)

<sup>2</sup> Infineon Technologies AG, Germany

[florian.mendel@infineon.com](mailto:florian.mendel@infineon.com)

# Dobraunig et al., 2019

---

- ◆ Proposed generic strategy to apply SIFA on Nonce-based AE

## Fault Attacks on Nonce-based Authenticated Encryption: Application to Keyak and Ketje

Christoph Dobraunig<sup>1</sup>, Stefan Mangard<sup>1</sup>, Florian Mendel<sup>2</sup>, and Robert Primas<sup>1</sup>

- ◆ Demonstrated on 2 ciphers

- ◆ Conjectured that this attack strategy is applicable to Ascon (new standard)

Hum, let's try ! 😈

# Ascon



# Permutation blocks



- ▶  $p^a$ : 12 permutation rounds ( $a = 12$ )
- ▶  $p^b$ : 8 permutation rounds ( $b = 8$ )

# Key (128 bits)



# Nonce (128 bits)



# Initialization vector



# Associated data



# Plaintext / Ciphertext



# Verification tag





# Focus on 1st round of initialization



# Focus on 1st round of initialization



# Focus on 1st round of initialization



# Focus on 1st round of initialization



# 1st round computation

---

# 1st round computation

---

On 320-bit state =  $5 \times 64\text{-bit words}$



# 1st round computation

---

On 320-bit state =  $5 \times 64\text{-bit words}$



Input of the first round:

# 1st round computation

---

On 320-bit state =  $5 \times 64\text{-bit words}$



Input of the first round:

- 128-bit key :  $K = (k_0, k_1)$
- 128-bit nonce :  $N = (n_0, n_1)$
- 64-bit init. vector : IV

# 1st round computation

---

On 320-bit state =  $5 \times 64\text{-bit words}$



Input of the first round:

- 128-bit key :  $K = (k_0, k_1)$
- 128-bit nonce :  $N = (n_0, n_1)$
- 64-bit init. vector : IV

# 1st round computation

---

On 320-bit state =  $5 \times 64\text{-bit words}$



Input of the first round:

- 128-bit key :  $K = (k_0, k_1)$
- 128-bit nonce :  $N = (n_0, n_1)$
- 64-bit init. vector : IV

3 operations in a round

# 1st round computation

On 320-bit state =  $5 \times 64-bit words$



(1) Constant addition

Input of the first round:

- 128-bit key :  $K = (k_0, k_1)$
- 128-bit nonce :  $N = (n_0, n_1)$
- 64-bit init. vector : IV

3 operations in a round

# 1st round computation

On 320-bit state =  $5 \times 64-bit words$



(1) Constant addition

Input of the first round:

- 128-bit key :  $K = (k_0, k_1)$
- 128-bit nonce :  $N = (n_0, n_1)$
- 64-bit init. vector :  $\text{IV}$



(2) Substitution *(vertical)*

3 operations in a round

# 1st round computation

On 320-bit state =  $5 \times 64-bit words$



(1) Constant addition

Input of the first round:

- 128-bit key :  $K = (k_0, k_1)$
- 128-bit nonce :  $N = (n_0, n_1)$
- 64-bit init. vector : IV



(2) Substitution (*vertical*)

3 operations in a round



(3) Linear diffusion (*horizontal*)

# State changes in 1st round

---

|       |  |
|-------|--|
| IV    |  |
| $k_0$ |  |
| $k_1$ |  |
| $n_0$ |  |
| $n_1$ |  |

# State changes in 1st round



# State changes in 1st round



# Apply Dobrabiunig et al.'s attack strategy



# Apply Dobraunig et al.'s attack strategy



# Apply Dobraunig et al.'s attack strategy



# Apply Dobraunig et al.'s attack strategy



# Apply Dobraunig et al.'s attack strategy

biased distribution  
(under ineffective faults)

↑  
intermediate value  $z_0^j$



# Apply Dobraunig et al.'s attack strategy



# Apply Dobraunig et al.'s attack strategy

biased distribution  
(under ineffective faults)

key recovery

intermediate value  $z_0^j$

But we found problems ! 😠



Problem 1:

Possibly impractical to have enough ineffective faults

Problem 1:  
Possibly impractical to have enough ineffective faults  
(with **instruction-skip** faults)

# Instruction skip: XOR

---

# Instruction skip: XOR

---

OP<sub>0</sub> R<sub>2</sub> — —

...

XOR R<sub>2</sub> R<sub>1</sub> R<sub>0</sub>

...

OP<sub>2</sub> — R<sub>2</sub> —

**Scenario 1** : R<sub>2</sub> = R<sub>1</sub>  $\oplus$  R<sub>0</sub>

# Instruction skip: XOR

|                                                       | No fault | Fault occurs |
|-------------------------------------------------------|----------|--------------|
| $OP_0 \quad R_2 \quad - \quad -$                      |          |              |
| $\dots$                                               |          |              |
| $XOR \quad R_2 \quad R_1 \quad R_0$                   |          |              |
| $\dots$                                               |          |              |
| $OP_2 \quad - \quad R_2 \quad -$                      |          |              |
| <b>Scenario 1 : <math>R_2 = R_1 \oplus R_0</math></b> |          |              |

# Instruction skip: XOR

|                                                               | No fault    | Fault occurs |
|---------------------------------------------------------------|-------------|--------------|
| $OP_0 \quad R_2 \quad - \quad -$                              | $R_2 = v_2$ |              |
| $\dots$                                                       |             |              |
| <b>XOR    R<sub>2</sub>    R<sub>1</sub>    R<sub>0</sub></b> |             |              |
| $\dots$                                                       |             |              |
| $OP_2 \quad - \quad R_2 \quad -$                              |             |              |
| <b>Scenario 1 : <math>R_2 = R_1 \oplus R_0</math></b>         |             |              |

# Instruction skip: XOR

|                                                       | No fault                      | Fault occurs |
|-------------------------------------------------------|-------------------------------|--------------|
| $OP_0 \quad R_2 \quad - \quad -$                      | $R_2 = v_2$                   |              |
| $\dots$                                               |                               |              |
| $XOR \quad R_2 \quad R_1 \quad R_0$                   | $R_2 = v'_2 = v_1 \oplus v_0$ |              |
| $\dots$                                               |                               |              |
| $OP_2 \quad - \quad R_2 \quad -$                      |                               |              |
| <b>Scenario 1 : <math>R_2 = R_1 \oplus R_0</math></b> |                               |              |

# Instruction skip: XOR

|                                                       | No fault                      | Fault occurs |
|-------------------------------------------------------|-------------------------------|--------------|
| $OP_0 \quad R_2 \quad - \quad -$                      | $R_2 = v_2$                   |              |
| $\dots$                                               |                               |              |
| $XOR \quad R_2 \quad R_1 \quad R_0$                   | $R_2 = v'_2 = v_1 \oplus v_0$ |              |
| $\dots$                                               |                               |              |
| $OP_2 \quad - \quad R_2 \quad -$                      | $v'_2$ is used                |              |
| <b>Scenario 1 : <math>R_2 = R_1 \oplus R_0</math></b> |                               |              |

# Instruction skip: XOR

|                                                               | No fault                      | Fault occurs |
|---------------------------------------------------------------|-------------------------------|--------------|
| $OP_0 \quad R_2 \quad - \quad -$                              | $R_2 = v_2$                   | $R_2 = v_2$  |
| $\dots$                                                       |                               |              |
| <b>XOR    R<sub>2</sub>    R<sub>1</sub>    R<sub>0</sub></b> | $R_2 = v'_2 = v_1 \oplus v_0$ |              |
| $\dots$                                                       |                               |              |
| $OP_2 \quad - \quad R_2 \quad -$                              | $v'_2$ is used                |              |
| <b>Scenario 1 : <math>R_2 = R_1 \oplus R_0</math></b>         |                               |              |

# Instruction skip: XOR

|                                                               | No fault                      | Fault occurs |
|---------------------------------------------------------------|-------------------------------|--------------|
| $OP_0 \quad R_2 \quad - \quad -$                              | $R_2 = v_2$                   | $R_2 = v_2$  |
| $\dots$                                                       |                               |              |
| <b>XOR    R<sub>2</sub>    R<sub>1</sub>    R<sub>0</sub></b> | $R_2 = v'_2 = v_1 \oplus v_0$ | (skipped)    |
| $\dots$                                                       |                               |              |
| $OP_2 \quad - \quad R_2 \quad -$                              | $v'_2$ is used                |              |
| <b>Scenario 1 : <math>R_2 = R_1 \oplus R_0</math></b>         |                               |              |

# Instruction skip: XOR

|                                                               | No fault                      | Fault occurs  |
|---------------------------------------------------------------|-------------------------------|---------------|
| $OP_0 \quad R_2 \quad - \quad -$                              | $R_2 = v_2$                   | $R_2 = v_2$   |
| $\dots$                                                       |                               |               |
| <b>XOR    R<sub>2</sub>    R<sub>1</sub>    R<sub>0</sub></b> | $R_2 = v'_2 = v_1 \oplus v_0$ | (skipped)     |
| $\dots$                                                       |                               |               |
| $OP_2 \quad - \quad R_2 \quad -$                              | $v'_2$ is used                | $v_2$ is used |
| <b>Scenario 1 : <math>R_2 = R_1 \oplus R_0</math></b>         |                               |               |

# Instruction skip: XOR

|                                                               | No fault                          | Fault occurs  |
|---------------------------------------------------------------|-----------------------------------|---------------|
| $OP_0 \quad R_2 \quad - \quad -$                              | $R_2 = v_2$                       | $R_2 = v_2$   |
| $\dots$                                                       |                                   |               |
| <b>XOR    R<sub>2</sub>    R<sub>1</sub>    R<sub>0</sub></b> | $R_2 = v'_2 = v_1 \oplus v_0$     | (skipped)     |
| $\dots$                                                       |                                   |               |
| $OP_2 \quad - \quad R_2 \quad -$                              | $v'_2$ is used                    | $v_2$ is used |
| <b>Scenario 1 : <math>R_2 = R_1 \oplus R_0</math></b>         | Ineffective fault if $v_2 = v'_2$ |               |

# Instruction skip: XOR

|                                                               | No fault                      | Fault occurs  |
|---------------------------------------------------------------|-------------------------------|---------------|
| $OP_0 \quad R_2 \quad - \quad -$                              | $R_2 = v_2$                   | $R_2 = v_2$   |
| $\dots$                                                       |                               |               |
| <b>XOR    R<sub>2</sub>    R<sub>1</sub>    R<sub>0</sub></b> | $R_2 = v'_2 = v_1 \oplus v_0$ | (skipped)     |
| $\dots$                                                       |                               |               |
| $OP_2 \quad - \quad R_2 \quad -$                              | $v'_2$ is used                | $v_2$ is used |
| <b>Scenario 1 : <math>R_2 = R_1 \oplus R_0</math></b>         |                               |               |

Ineffective fault if  $v_2 = v'_2$

Suppose  $v_0, v_1, v_2$  are uniform,

# Instruction skip: XOR

|                                                       | No fault                      | Fault occurs  |
|-------------------------------------------------------|-------------------------------|---------------|
| $OP_0 \quad R_2 \quad - \quad -$                      | $R_2 = v_2$                   | $R_2 = v_2$   |
| $\dots$                                               |                               |               |
| $XOR \quad R_2 \quad R_1 \quad R_0$                   | $R_2 = v'_2 = v_1 \oplus v_0$ | (skipped)     |
| $\dots$                                               |                               |               |
| $OP_2 \quad - \quad R_2 \quad -$                      | $v'_2$ is used                | $v_2$ is used |
| <b>Scenario 1 : <math>R_2 = R_1 \oplus R_0</math></b> |                               |               |

Ineffective fault if  $v_2 = v'_2$

Suppose  $v_0, v_1, v_2$  are uniform, then  $\Pr[v_2 = v'_2] = 0.5^w$ ,  $w$  is register bit-width

# Instruction skip: XOR

|                                                       | No fault                      | Fault occurs                      |
|-------------------------------------------------------|-------------------------------|-----------------------------------|
| $OP_0 \quad R_2 \quad - \quad -$                      | $R_2 = v_2$                   | $R_2 = v_2$                       |
| $\dots$                                               |                               |                                   |
| $XOR \quad R_2 \quad R_1 \quad R_0$                   | $R_2 = v'_2 = v_1 \oplus v_0$ | (skipped)                         |
| $\dots$                                               |                               |                                   |
| $OP_2 \quad - \quad R_2 \quad -$                      | $v'_2$ is used                | $v_2$ is used                     |
| <b>Scenario 1 : <math>R_2 = R_1 \oplus R_0</math></b> |                               | Ineffective fault if $v_2 = v'_2$ |

Suppose  $v_0, v_1, v_2$  are uniform, then  $\Pr[v_2 = v'_2] = 0.5^w$ ,  $w$  is register bit-width

| Architecture      | 8-bit | 32-bit | 64-bit |
|-------------------|-------|--------|--------|
| $\Pr[v_2 = v'_2]$ |       |        |        |

# Instruction skip: XOR

|                                                       | No fault                      | Fault occurs                      |
|-------------------------------------------------------|-------------------------------|-----------------------------------|
| $OP_0 \quad R_2 \quad - \quad -$                      | $R_2 = v_2$                   | $R_2 = v_2$                       |
| $\dots$                                               |                               |                                   |
| $XOR \quad R_2 \quad R_1 \quad R_0$                   | $R_2 = v'_2 = v_1 \oplus v_0$ | (skipped)                         |
| $\dots$                                               |                               |                                   |
| $OP_2 \quad - \quad R_2 \quad -$                      | $v'_2$ is used                | $v_2$ is used                     |
| <b>Scenario 1 : <math>R_2 = R_1 \oplus R_0</math></b> |                               | Ineffective fault if $v_2 = v'_2$ |

Suppose  $v_0, v_1, v_2$  are uniform, then  $\Pr[v_2 = v'_2] = 0.5^w$ ,  $w$  is register bit-width

| Architecture      | 8-bit            | 32-bit | 64-bit |
|-------------------|------------------|--------|--------|
| $\Pr[v_2 = v'_2]$ | $\approx 0.0039$ |        |        |



# Instruction skip: XOR

|                                                       | No fault                      | Fault occurs                      |
|-------------------------------------------------------|-------------------------------|-----------------------------------|
| $OP_0 \quad R_2 \quad - \quad -$                      | $R_2 = v_2$                   | $R_2 = v_2$                       |
| $\dots$                                               |                               |                                   |
| $XOR \quad R_2 \quad R_1 \quad R_0$                   | $R_2 = v'_2 = v_1 \oplus v_0$ | (skipped)                         |
| $\dots$                                               |                               |                                   |
| $OP_2 \quad - \quad R_2 \quad -$                      | $v'_2$ is used                | $v_2$ is used                     |
| <b>Scenario 1 : <math>R_2 = R_1 \oplus R_0</math></b> |                               | Ineffective fault if $v_2 = v'_2$ |

Suppose  $v_0, v_1, v_2$  are uniform, then  $\Pr[v_2 = v'_2] = 0.5^w$ ,  $w$  is register bit-width

| Architecture      | 8-bit            | 32-bit      | 64-bit |
|-------------------|------------------|-------------|--------|
| $\Pr[v_2 = v'_2]$ | $\approx 0.0039$ | $\approx 0$ |        |



# Instruction skip: XOR

|                                                       | No fault                      | Fault occurs                      |
|-------------------------------------------------------|-------------------------------|-----------------------------------|
| $OP_0 \quad R_2 \quad - \quad -$                      | $R_2 = v_2$                   | $R_2 = v_2$                       |
| $\dots$                                               |                               |                                   |
| $XOR \quad R_2 \quad R_1 \quad R_0$                   | $R_2 = v'_2 = v_1 \oplus v_0$ | (skipped)                         |
| $\dots$                                               |                               |                                   |
| $OP_2 \quad - \quad R_2 \quad -$                      | $v'_2$ is used                | $v_2$ is used                     |
| <b>Scenario 1 : <math>R_2 = R_1 \oplus R_0</math></b> |                               | Ineffective fault if $v_2 = v'_2$ |

Suppose  $v_0, v_1, v_2$  are uniform, then  $\Pr[v_2 = v'_2] = 0.5^w$ ,  $w$  is register bit-width

| Architecture      | 8-bit            | 32-bit      | 64-bit      |
|-------------------|------------------|-------------|-------------|
| $\Pr[v_2 = v'_2]$ | $\approx 0.0039$ | $\approx 0$ | $\approx 0$ |



# Instruction skip: XOR

|                                                       | No fault                      | Fault occurs                      |
|-------------------------------------------------------|-------------------------------|-----------------------------------|
| $OP_0 \quad R_2 \quad - \quad -$                      | $R_2 = v_2$                   | $R_2 = v_2$                       |
| $\dots$                                               |                               |                                   |
| $XOR \quad R_2 \quad R_1 \quad R_0$                   | $R_2 = v'_2 = v_1 \oplus v_0$ | (skipped)                         |
| $\dots$                                               |                               |                                   |
| $OP_2 \quad - \quad R_2 \quad -$                      | $v'_2$ is used                | $v_2$ is used                     |
| <b>Scenario 1 : <math>R_2 = R_1 \oplus R_0</math></b> |                               | Ineffective fault if $v_2 = v'_2$ |

Suppose  $v_0, v_1, v_2$  are uniform, then  $\Pr[v_2 = v'_2] = 0.5^w$ ,  $w$  is register bit-width

| Architecture      | 8-bit                 | 32-bit           | 64-bit           |
|-------------------|-----------------------|------------------|------------------|
| $\Pr[v_2 = v'_2]$ | $\approx 0.0039$<br>😈 | $\approx 0$<br>😈 | $\approx 0$<br>😈 |

Impractical to obtain ineffective fault ! 😠

# Instruction skip: XOR

---

OP<sub>0</sub> R<sub>2</sub> — —

$$R_2 = v_2$$

...

XOR R<sub>2</sub> R<sub>1</sub> R<sub>0</sub>

$$R_2 = v'_2 = v_1 \oplus v_0$$

...

OP<sub>2</sub> — R<sub>2</sub> —

$v'_2$  is used

Scenario 1 : R<sub>2</sub> = R<sub>1</sub>  $\oplus$  R<sub>0</sub>

# Instruction skip: XOR

---

OP<sub>0</sub> R<sub>2</sub> — —

$$R_2 = v_2$$

...

**XOR** R<sub>2</sub> R<sub>1</sub> R<sub>0</sub>

$$R_2 = v'_2 = v_1 \oplus v_0$$

→ in ARM

...

OP<sub>2</sub> — R<sub>2</sub> —

$v'_2$  is used

**Scenario 1** : R<sub>2</sub> = R<sub>1</sub>  $\oplus$  R<sub>0</sub>

# Instruction skip: XOR

---

OP<sub>0</sub> R<sub>2</sub> — —

$$R_2 = v_2$$

...

XOR R<sub>2</sub> R<sub>1</sub> R<sub>0</sub>

$$R_2 = v'_2 = v_1 \oplus v_0$$

→ in ARM

...

OP<sub>2</sub> — R<sub>2</sub> —

$v'_2$  is used

**Scenario 1** : R<sub>2</sub> = R<sub>1</sub>  $\oplus$  R<sub>0</sub>

OP<sub>0</sub> R<sub>2</sub> — —

...

XOR R<sub>2</sub> R<sub>2</sub> R<sub>0</sub>

...

OP<sub>2</sub> — R<sub>2</sub> —

**Scenario 2** : R<sub>2</sub> = R<sub>2</sub>  $\oplus$  R<sub>0</sub>

# Instruction skip: XOR

---

OP<sub>0</sub> R<sub>2</sub> — —

$$R_2 = v_2$$

...

**XOR R<sub>2</sub> R<sub>1</sub> R<sub>0</sub>**

$$R_2 = v'_2 = v_1 \oplus v_0$$

→ in ARM

...

OP<sub>2</sub> — R<sub>2</sub> —

$v'_2$  is used

**Scenario 1 : R<sub>2</sub> = R<sub>1</sub>  $\oplus$  R<sub>0</sub>**

OP<sub>0</sub> R<sub>2</sub> — —

$$R_2 = v_2$$

...

**XOR R<sub>2</sub> R<sub>2</sub> R<sub>0</sub>**

...

OP<sub>2</sub> — R<sub>2</sub> —

**Scenario 2 : R<sub>2</sub> = R<sub>2</sub>  $\oplus$  R<sub>0</sub>**

# Instruction skip: XOR

---

OP<sub>0</sub> R<sub>2</sub> — —

$$R_2 = v_2$$

...

**XOR** R<sub>2</sub> R<sub>1</sub> R<sub>0</sub>

$$R_2 = v'_2 = v_1 \oplus v_0$$

→ in ARM

...

OP<sub>2</sub> — R<sub>2</sub> —

$v'_2$  is used

**Scenario 1** : R<sub>2</sub> = R<sub>1</sub>  $\oplus$  R<sub>0</sub>

OP<sub>0</sub> R<sub>2</sub> — —

$$R_2 = v_2$$

...

**XOR** R<sub>2</sub> R<sub>2</sub> R<sub>0</sub>

$$R_2 = v'_2 = v_2 \oplus v_0$$

...

OP<sub>2</sub> — R<sub>2</sub> —

**Scenario 2** : R<sub>2</sub> = R<sub>2</sub>  $\oplus$  R<sub>0</sub>

# Instruction skip: XOR

OP<sub>0</sub> R<sub>2</sub> — —

$$R_2 = v_2$$

...

**XOR** R<sub>2</sub> R<sub>1</sub> R<sub>0</sub>

$$R_2 = v'_2 = v_1 \oplus v_0$$

→ in ARM

...

OP<sub>2</sub> — R<sub>2</sub> —

v'<sub>2</sub> is used

**Scenario 1** : R<sub>2</sub> = R<sub>1</sub>  $\oplus$  R<sub>0</sub>

OP<sub>0</sub> R<sub>2</sub> — —

$$R_2 = v_2$$

...

**XOR** R<sub>2</sub> R<sub>2</sub> R<sub>0</sub>

$$R_2 = v'_2 = v_2 \oplus v_0$$

...

OP<sub>2</sub> — R<sub>2</sub> —

**Scenario 2** : R<sub>2</sub> = R<sub>2</sub>  $\oplus$  R<sub>0</sub>

# Instruction skip: XOR

OP<sub>0</sub> R<sub>2</sub> — —

$$R_2 = v_2$$

...

XOR R<sub>2</sub> R<sub>1</sub> R<sub>0</sub>

$$R_2 = v'_2 = v_1 \oplus v_0$$

→ in ARM

...

OP<sub>2</sub> — R<sub>2</sub> —

$v'_2$  is used

**Scenario 1** : R<sub>2</sub> = R<sub>1</sub>  $\oplus$  R<sub>0</sub>

OP<sub>0</sub> R<sub>2</sub> — —

$$R_2 = v_2$$

...

XOR R<sub>2</sub> R<sub>2</sub> R<sub>0</sub>

$$R_2 = v'_2 = v_2 \oplus v_0$$



...

OP<sub>2</sub> — R<sub>2</sub> —

$v'_2$  is used

**Scenario 2** : R<sub>2</sub> = R<sub>2</sub>  $\oplus$  R<sub>0</sub>

# Instruction skip: XOR

OP<sub>0</sub> R<sub>2</sub> — —

$$R_2 = v_2$$

...

**XOR** R<sub>2</sub> R<sub>1</sub> R<sub>0</sub>

$$R_2 = v'_2 = v_1 \oplus v_0$$

→ in ARM

...

OP<sub>2</sub> — R<sub>2</sub> —

v'<sub>2</sub> is used

**Scenario 1** : R<sub>2</sub> = R<sub>1</sub>  $\oplus$  R<sub>0</sub>

OP<sub>0</sub> R<sub>2</sub> — —

$$R_2 = v_2$$

...

**XOR** R<sub>2</sub> R<sub>2</sub> R<sub>0</sub>

$$R_2 = v'_2 = v_2 \oplus v_0$$

→ in AVR

...

OP<sub>2</sub> — R<sub>2</sub> —

v'<sub>2</sub> is used

**Scenario 2** : R<sub>2</sub> = R<sub>2</sub>  $\oplus$  R<sub>0</sub>

# Instruction skip: XOR, AND, NOT

---

XOR (scenario 1)

$$\Pr[v_2 = v'_2] = 0.5^w$$

XOR (scenario 2)

$$\Pr[v_2 = v'_2] = 0.5^w$$

# Instruction skip: XOR, AND, NOT

---

XOR (scenario 1)

$$\Pr[v_2 = v'_2] = 0.5^w$$

XOR (scenario 2)

$$\Pr[v_2 = v'_2] = 0.5^w$$

AND (scenario 1)

$$\Pr[v_2 = v'_2] = 0.5^w$$

AND (scenario 2)

$$\Pr[v_2 = v'_2] = 0.75^w$$

# Instruction skip: XOR, AND, NOT

---

XOR (scenario 1)

$$\Pr[v_2 = v'_2] = 0.5^w$$

XOR (scenario 2)

$$\Pr[v_2 = v'_2] = 0.5^w$$

AND (scenario 1)

$$\Pr[v_2 = v'_2] = 0.5^w$$

AND (scenario 2)

$$\Pr[v_2 = v'_2] = 0.75^w$$

NOT (scenario 1)

$$\Pr[v_2 = v'_2] = 0.5^w$$

NOT (scenario 2)

$$0$$

# Implementations of Ascon

---

On 320-bit state =  $5 \times 64\text{-bit words}$



# Implementations of Ascon

---

On 320-bit state =  $5 \times 64\text{-bit words}$

64-bit implementation →



# Implementations of Ascon

On 320-bit state =  $5 \times 64\text{-bit words}$

64-bit implementation →



32-bit implementation →



# Implementations of Ascon

On 320-bit state =  $5 \times 64\text{-bit words}$

64-bit implementation →



32-bit implementation →



8-bit implementation →



# Apply to 8-bit implementation of Ascon

---

| Skipped Instruction | # Ineffective Faults | Empirical Probability | Theoretical Probability |
|---------------------|----------------------|-----------------------|-------------------------|
| XOR S1              |                      |                       |                         |
| XOR S2              |                      |                       |                         |
| AND S1              |                      |                       |                         |
| AND S2              |                      |                       |                         |
| NOT S1              |                      |                       |                         |
| NOT S2              |                      |                       |                         |

# Apply to 8-bit implementation of Ascon

---

◆  $w = 8$

| Skipped Instruction | # Ineffective Faults | Empirical Probability | Theoretical Probability |
|---------------------|----------------------|-----------------------|-------------------------|
| XOR S1              |                      |                       |                         |
| XOR S2              |                      |                       |                         |
| AND S1              |                      |                       |                         |
| AND S2              |                      |                       |                         |
| NOT S1              |                      |                       |                         |
| NOT S2              |                      |                       |                         |

# Apply to 8-bit implementation of Ascon

---

◆  $w = 8$

| Skipped Instruction | # Ineffective Faults | Empirical Probability | Theoretical Probability |
|---------------------|----------------------|-----------------------|-------------------------|
| XOR S1              |                      |                       | 0.0039                  |
| XOR S2              |                      |                       | 0.0039                  |
| AND S1              |                      |                       | 0.0039                  |
| AND S2              |                      |                       | 0.1001                  |
| NOT S1              |                      |                       | 0.0039                  |
| NOT S2              |                      |                       | 0                       |

# Apply to 8-bit implementation of Ascon

---

- ◆  $w = 8$
- ◆ 20,000 executions with random inputs

| Skipped Instruction | # Ineffective Faults | Empirical Probability | Theoretical Probability |
|---------------------|----------------------|-----------------------|-------------------------|
| XOR S1              |                      |                       | 0.0039                  |
| XOR S2              |                      |                       | 0.0039                  |
| AND S1              |                      |                       | 0.0039                  |
| AND S2              |                      |                       | 0.1001                  |
| NOT S1              |                      |                       | 0.0039                  |
| NOT S2              |                      |                       | 0                       |

# Apply to 8-bit implementation of Ascon

---

- ◆  $w = 8$
- ◆ 20,000 executions with random inputs

| Skipped Instruction | # Ineffective Faults | Empirical Probability | Theoretical Probability |
|---------------------|----------------------|-----------------------|-------------------------|
| XOR S1              | 81                   |                       | 0.0039                  |
| XOR S2              | 79                   |                       | 0.0039                  |
| AND S1              | 80                   |                       | 0.0039                  |
| AND S2              | 2011                 |                       | 0.1001                  |
| NOT S1              | 74                   |                       | 0.0039                  |
| NOT S2              | 0                    |                       | 0                       |

# Apply to 8-bit implementation of Ascon

---

- ◆  $w = 8$
- ◆ 20,000 executions with random inputs

| Skipped Instruction | # Ineffective Faults | Empirical Probability | Theoretical Probability |
|---------------------|----------------------|-----------------------|-------------------------|
| XOR S1              | 81                   | 0.0040                | 0.0039                  |
| XOR S2              | 79                   | 0.0040                | 0.0039                  |
| AND S1              | 80                   | 0.0040                | 0.0039                  |
| AND S2              | 2011                 | 0.1006                | 0.1001                  |
| NOT S1              | 74                   | 0.0037                | 0.0039                  |
| NOT S2              | 0                    | 0                     | 0                       |

# Apply to 8-bit implementation of Ascon

- ◆  $w = 8$
- ◆ 20,000 executions with random inputs

| Skipped Instruction | # Ineffective Faults | Empirical Probability | Theoretical Probability |
|---------------------|----------------------|-----------------------|-------------------------|
| XOR S1              | 81                   | 0.0040                | 0.0039                  |
| XOR S2              | 79                   | 0.0040                | 0.0039                  |
| AND S1              | 80                   | 0.0040                | 0.0039                  |
| AND S2              | 2011                 | 0.1006                | 0.1001                  |
| NOT S1              | 74                   | 0.0037                | 0.0039                  |
| NOT S2              | 0                    | 0                     | 0                       |

This confirms our analysis 

**Problem 2:**  
**Intermediate value remains uniform**

Problem 2:  
Intermediate value remains uniform

(with **instruction-skip** on 8-bit implementation)

# Apply Dobraunig et al.'s attack strategy



# Apply Dobraunig et al.'s attack strategy



# Apply Dobraunig et al.'s attack strategy

intermediate value  $z_0^j$

$$z_0^j = y_0^j \oplus y_0^{j+19} \oplus y_0^{j+45}$$



# Apply Dobraunig et al.'s attack strategy

An instruction skip  
does not affect all 3 bits

intermediate value  $z_0^j$

$$z_0^j = y_0^j \oplus y_0^{j+19} \oplus y_0^{j+45}$$



# Apply Dobraunig et al.'s attack strategy

An instruction skip  
does not affect all 3 bits

intermediate value  $z_0^j$

$$z_0^j = y_0^j \oplus y_0^{j+19} \oplus y_0^{j+45}$$

→  $z_0^j$  remains uniform



# Apply Dobraunig et al.'s attack strategy

# An instruction skip does not affect all 3 bits

intermediate value  $z_0^j$

$$z_0^j = y_0^j \oplus y_0^{j+19} \oplus y_0^{j+4}$$

→  $z_0^j$  remains uniform

→ SIFA is not applicable 😠



# Apply Dobraunig et al.'s attack strategy

An instruction skip  
does not affect all 3 bits

intermediate value  $z_0^j$

$$z_0^j = y_0^j \oplus y_0^{j+19} \oplus y_0^{j+45}$$

→  $z_0^j$  remains uniform

→ SIFA is not applicable 😠

Need formal proof? 🤔 → read our paper 



# Apply to 8-bit implementation of Ascon

---

| Skipped Instruction | # Ineff. Faults | Emp. Prob.<br>(Pr[0] / Pr[1]) | Theo. Prob.<br>(Pr[0] / Pr[1]) |
|---------------------|-----------------|-------------------------------|--------------------------------|
| XOR S1              |                 |                               |                                |
| XOR S2              |                 |                               |                                |
| AND S1              |                 |                               |                                |
| AND S2              |                 |                               |                                |
| NOT S1              |                 |                               |                                |
| NOT S2              |                 |                               |                                |

# Apply to 8-bit implementation of Ascon

◆  $w = 8$

| Skipped Instruction | # Ineff. Faults | Emp. Prob.<br>( $\text{Pr}[0] / \text{Pr}[1]$ ) | Theo. Prob.<br>( $\text{Pr}[0] / \text{Pr}[1]$ ) |
|---------------------|-----------------|-------------------------------------------------|--------------------------------------------------|
| XOR S1              |                 |                                                 |                                                  |
| XOR S2              |                 |                                                 |                                                  |
| AND S1              |                 |                                                 |                                                  |
| AND S2              |                 |                                                 |                                                  |
| NOT S1              |                 |                                                 |                                                  |
| NOT S2              |                 |                                                 |                                                  |

# Apply to 8-bit implementation of Ascon

- ◆  $w = 8$
- ◆ 20,000 executions with random inputs

| Skipped Instruction | # Ineff. Faults | Emp. Prob.<br>( $\Pr[0] / \Pr[1]$ ) | Theo. Prob.<br>( $\Pr[0] / \Pr[1]$ ) |
|---------------------|-----------------|-------------------------------------|--------------------------------------|
| XOR S1              |                 |                                     |                                      |
| XOR S2              |                 |                                     |                                      |
| AND S1              |                 |                                     |                                      |
| AND S2              |                 |                                     |                                      |
| NOT S1              |                 |                                     |                                      |
| NOT S2              |                 |                                     |                                      |

# Apply to 8-bit implementation of Ascon

- ◆  $w = 8$
- ◆ 20,000 executions with random inputs

| Skipped Instruction | # Ineff. Faults | Emp. Prob.<br>( $\text{Pr}[0] / \text{Pr}[1]$ ) | Theo. Prob.<br>( $\text{Pr}[0] / \text{Pr}[1]$ ) |
|---------------------|-----------------|-------------------------------------------------|--------------------------------------------------|
| XOR S1              |                 |                                                 | 0.5 / 0.5                                        |
| XOR S2              |                 |                                                 | 0.5 / 0.5                                        |
| AND S1              |                 |                                                 | 0.5 / 0.5                                        |
| AND S2              |                 |                                                 | 0.5 / 0.5                                        |
| NOT S1              |                 |                                                 | 0.5 / 0.5                                        |
| NOT S2              |                 |                                                 | - / -                                            |

# Apply to 8-bit implementation of Ascon

- ◆  $w = 8$
- ◆ 20,000 executions with random inputs

| Skipped Instruction | # Ineff. Faults | Emp. Prob.<br>(Pr[0] / Pr[1]) | Theo. Prob.<br>(Pr[0] / Pr[1]) |
|---------------------|-----------------|-------------------------------|--------------------------------|
| XOR S1              | 81              |                               | 0.5 / 0.5                      |
| XOR S2              | 79              |                               | 0.5 / 0.5                      |
| AND S1              | 80              |                               | 0.5 / 0.5                      |
| AND S2              | 2011            |                               | 0.5 / 0.5                      |
| NOT S1              | 74              |                               | 0.5 / 0.5                      |
| NOT S2              | 0               |                               | - / -                          |

# Apply to 8-bit implementation of Ascon

- ◆  $w = 8$
- ◆ 20,000 executions with random inputs

| Skipped Instruction | # Ineff. Faults | Emp. Prob.<br>(Pr[0] / Pr[1]) | Theo. Prob.<br>(Pr[0] / Pr[1]) |
|---------------------|-----------------|-------------------------------|--------------------------------|
| XOR S1              | 81              | 0.54 / 0.46                   | 0.5 / 0.5                      |
| XOR S2              | 79              | 0.44 / 0.56                   | 0.5 / 0.5                      |
| AND S1              | 80              | 0.53 / 0.47                   | 0.5 / 0.5                      |
| AND S2              | 2011            | 0.52 / 0.48                   | 0.5 / 0.5                      |
| NOT S1              | 74              | 0.42 / 0.58                   | 0.5 / 0.5                      |
| NOT S2              | 0               | - / -                         | - / -                          |

# Summary

# Main points

---

# Main points

---

- ◆ Probability of an ineffective fault depends on
  - ▶ Instruction type
  - ▶ Architecture

# Main points

---

- ◆ Probability of an ineffective fault depends on

- ▶ Instruction type
- ▶ Architecture

Other instructions (OR, ROL,...)? 🤔

# Main points

---

- ◆ Probability of an ineffective fault depends on

- ▶ Instruction type
- ▶ Architecture

Other instructions (OR, ROL,...)? 🤔

Input data is not uniform? 🤔

# Main points

---

- ◆ Probability of an ineffective fault depends on

- ▶ Instruction type
- ▶ Architecture

Other instructions (OR, ROL,...)? 🤔

Input data is not uniform? 🤔

- ◆ Intermediate value may not unexpectedly be biased

- ▶ demonstrated on 8-bit implementation of Ascon
- ▶ failed to apply SIFA

# Main points

---

◆ Probability of an ineffective fault depends on

- ▶ Instruction type
- ▶ Architecture

Other instructions (OR, ROL,...)? 🤔

Input data is not uniform? 🤔

◆ Intermediate value may not unexpectedly be biased

- ▶ demonstrated on 8-bit implementation of Ascon
- ▶ failed to apply SIFA

Choose another intermediate value? 🤔

# SIFA on Nonce-based Authenticated Encryption: When does it fail? Application to Ascon

Viet-Sang Nguyen

joint work with Vincent Grosso and Pierre-Louis Cayrel

SESAM Seminars  
Saint-Étienne, 3 July 2025

