Side-channel leakage from sensor-based countermeasures against fault injection attack

Abstract
In laser fault injection, an attacker injects a laser into a chip implementing cryptography and exploits the resulting fault to attack the cryptography. A promising approach to counteract fault injection attacks is to detect an attempt at fault injection using sensors. In such a sensor-based countermeasure, a sensor detects a physical anomaly and raises an alarm so that the system can react to the attempted attack properly. Among them, the bit-flip detector, which detects the short-circuit current induced by laser fault injection, is actively studied as an efficient realization. In this paper, we give the first security evaluation of the bit-flip detector. We show that an attacker can reveal an internal state by observing how the sensor reacts to laser fault injection. The leakage leads to a variant of the probing attack that is feasible non-invasively. We also propose a new cryptanalytic technique that efficiently exploits the leakage to attack AES.


Introduction
In 1997, Boneh, DeMillo, and Lipton proposed a novel attack on cryptography based on analyzing a faulty ciphertext released as a result of physical stress applied to an implementation of cryptography [1]. This class of attacks is now called fault injection attack or fault analysis and is one of the main security issues in implementations of cryptography. New attacks and defenses have been studied for nearly two decades [13].
There are many ways to inject faults, including clock glitching, voltage glitching, overclocking, and electromagnetic injection [13]. Among them, laser fault injection (LFI) is one of the most effective because of its high spatial and temporal resolution [7,25].
Fault injection attack is a serious concern in industry. Modern secure products such as smartcards should implement countermeasures against fault injection attack. Security certification, such as Common Criteria, enforces penetration testing of such products against fault injection attack. Consequently, LFI instruments are commercially available for security assessment [24]. So far, researchers have proposed various countermeasures against fault injection attack. One class of countermeasures detects a fault by using recalculation or an error detection code [13]. The major drawback of these countermeasures is a large performance penalty. Meanwhile, there is an emerging class of countermeasures based on sensors. In such a countermeasure, a sensor detects an attempt at fault injection and raises an alarm. Upon the alarm, the system terminates the ongoing cryptographic operation and prevents a potentially faulty ciphertext from being released. The countermeasure thwarts the large class of attacks that require faulty ciphertexts, e.g., differential fault analysis [3].

☆ A preliminary version of this paper appeared in the Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC2017) [27]. In this version, Sect. 3 is fully updated to cover (i) more sensors, including BBICS, (ii) multiple-input gates, (iii) laser fault injection on multiple transistors, and (iv) errors in sensors. We also discuss countermeasures against the proposed attack.
Conventionally, photodetectors have been used to detect laser fault injection [5,14]. However, photodetectors only cover the photosensitive area within the sensor, so increasing coverage is costly. To address the problem, researchers are studying alternative sensors [2,4,8,14,17,18,21,23,29,30]. As we will describe later, LFI inevitably causes a short circuit before making a bit flip. The alternative sensors detect the electrical phenomena caused by the short circuit. Since such electrical phenomena quickly propagate through a chip, the sensor efficiently covers a larger area. In this paper, we call such sensors bit-flip detectors.
A new feature sometimes introduces a new attack surface. In this paper, we give the first security analysis of the bit-flip detector. Firstly, we show that an attacker can abuse the bit-flip detector as a new side channel. The side channel enables the attacker to probe a 1-bit value in the target chip. Secondly, we propose a new cryptanalytic method that efficiently exploits the leakage. More specifically, the contributions of the paper are summarized as follows.
1. We propose the first attack on the sensor-based countermeasure against LFI, which transforms the sensor into an oracle that leaks an internal state of a target. The proposed attack is also the first realization of a probing attack that is feasible non-invasively. We give a thorough discussion of the conditions, targets, and countermeasures for the proposed attack.
2. As an abstraction of the proposed attack, we show a new class of probing attacks in which the ciphertext is only conditionally available. We propose a new cryptanalytic technique, based on linear cryptanalysis, that works efficiently in the new setting.
These contributions are crucial for improving the security of a system equipped with a bit-flip detector. This paper is organized as follows. In Sect. 2, we briefly review previous work on the mechanism behind LFI, the sensor-based countermeasure against LFI, and the conventional attacks. In Sect. 3, we describe the proposed side-channel leakage from the bit-flip detector. In Sect. 4, we describe the cryptanalytic attack on AES using the side-channel leakage. Sect. 5 concludes the paper.

Laser fault injection
We exemplify the LFI mechanism with a cross-coupled inverter, an essential part for storing data in static RAM (SRAM) and flip-flops, shown in Fig. 1. We inject a laser on the transistor M P1. When a laser is injected into a reverse-biased PN junction, the junction becomes temporarily conductive because of the photoelectric effect. We can model the phenomenon with a resistor and a current source as shown in Fig. 1.
The state of the cross-coupled inverter can be either Y = High or Y = Low. If Y = Low, the transistor states are M P1 = OFF and M N1 = ON. When M P1 becomes conductive as a result of LFI, it causes a short circuit between V DD and GND as shown in Fig. 1-(left). That makes the voltage at Y higher, and when Y exceeds a threshold voltage, The bit-set and bit-reset faults describe the above behavior: That means the target transistor determines the direction of the unidirectional fault. The attacker can control the target bit and direction by illuminating a specific region of a layout of a cross-coupled inverter as shown in Fig. 2.
The above discussion assumes a high-resolution LFI that affects a single transistor only. The laser spot should be sufficiently small to achieve such a high resolution (see Fig. 2). Consequently, such a highly selective LFI is expected to become more difficult as the target CMOS technology node shrinks. To verify the feasibility, researchers are racing to show successful experimental results in smaller technology nodes. At the time of writing, Dutertre et al. [7] hold the record: they showed that a single-bit bit-set/reset fault is still possible in a D flip-flop in a 28-nm ASIC. Besides, Selmke et al. reported that the fault is possible in a BRAM in a 45-nm FPGA [25]. Although the 28-nm and 45-nm technology nodes are not the state of the art, industry will keep using such mature technology nodes for low-cost embedded devices in the next decade. Consequently, countermeasures against LFI are still needed.

Bit-flip detector
Since fault injection applies unusual physical stress, detecting it with a sensor is a practical approach. Such a sensor-based countermeasure can be more efficient than alternative countermeasures using either recalculation or an error detection code.
Conventionally, photodetectors have been used to detect LFI [5,14]. However, a photodetector only detects light within its photosensitive area. Therefore, a large circuit area must be devoted to increasing coverage.
The bit-flip detector has been studied as an alternative way to detect LFI in the last decade [8,17,18]. As described in Sect. 2.1, LFI induces a short circuit between V DD and GND before causing a bit flip. The idea behind the bit-flip detector is to detect LFI through electrical phenomena caused by the short circuit. Since the short circuit causes electrical phenomena that easily propagate through a chip, a small sensor can cover a larger area compared to photodetectors.
Many bit-flip detectors are based on the bulk built-in current sensor (BBICS) proposed by Neto et al. [23] for detecting soft errors. BBICS can be modeled as a current sensor (an ammeter) measuring the currents that flow through the N-well and the P-substrate, as shown in Fig. 3. When an LFI induces a short-circuit current, the BBICS efficiently detects it. If the reading of the current sensor exceeds a predetermined threshold, the sensor raises the alarm for LFI.
The effectiveness of BBICS for detecting LFI has been experimentally validated in 28-nm and 90-nm chips [4,29,30]. We recommend the paper by Bastos et al. for a comprehensive survey on BBICS [2]. Besides improving each sensor, efficient integration is also studied. Dutertre et al. proposed a circuit architecture for tuning the sensitivity of BBICS [8]. Matsuda et al. proposed a distributed sensor layout and a reaction circuit that immediately cuts the power supply upon detection [17]. [26].

Probing attack on AES
In a probing attack, an attacker reads sensitive data by attaching a probe to a wire in the target chip. Probing is not an easy task because on-chip wires are tiny. It requires an expensive setup such as a focused ion beam, which is categorized as a bespoke instrument [14]. The task is even more laborious if the chip is equipped with an anti-probing countermeasure such as active shielding [10].
Since probing is expensive, an attacker wants to reduce the number of probing points needed to achieve a goal. This motivated the research challenge of breaking cryptography using the minimal number of probes [11]. Notably, Schmidt and Kim proposed a probing attack against AES [26]. They showed that a single probing point is sufficient to recover a full AES key in the chosen-message setting. [6].

Ineffective Fault Analysis
Clavier and Wurcker proposed ineffective fault analysis on an AES-like cipher [6]. In the following, we describe a step for recovering a 1-byte key. We assume that the attacker can force a byte in the circuit to zero by fault injection. The target is the S-box output denoted The essence of ineffective fault analysis is to exploit a statistical bias within the subset of plaintext/ciphertext pairs that survived a fault injection. Sugawara et al. proposed a variant of Fault Sensitivity Analysis [15] that finds the bias using a collision-based distinguisher. More recently, Dobraunig et al. proposed statistical ineffective fault analysis (SIFA) [9], which detects the bias by evaluating the distribution with a test statistic. These attacks are efficient because they bypass detection-based countermeasures.

Laser-based probing
The idea of the proposed attack is to learn secret information by observing how a sensor reacts to LFI. We first exemplify the idea with the cross-coupled inverter shown in Fig. 1. The goal of the attacker is to reveal the unknown value Y. We assume that the attacker injects a laser on the transistor M P1. We further assume that the attacker can observe either the presence or absence of an alarm. As discussed in Sect. 2.1, an alarm is raised if Y = Low, or logical 0. Therefore, the attacker knows that Y = 0 by observing an alarm. If the alarm is missing, on the other hand, the attacker knows that Y = 1. The above procedure transforms the bit-flip detector into a side-channel oracle that leaks Y.
To the best of our knowledge, this is the first attack on sensor-based countermeasures for LFI. What enables the attack is the combination of (i) a bit-set/reset fault and (ii) a sensor that detects a bit flip. The attack applies to other countermeasures as long as the two conditions are satisfied. Moreover, this is a probing attack that can be conducted non-invasively. As described previously, the conventional probing attack requires a bespoke instrument, whereas a laser station for LFI is classified as a specialized instrument [14]. That means the proposed attack can be conducted with cheaper equipment than the conventional probing attack.
We describe the idea more generally. Let  be the set of all transistors comprising the target chip. P  represents the power set of  . Then, we characterize the position to inject laser by a set of transistors covered by the laser.

Definition 2.
[LFI position] The position to inject laser is represented by a set of transistors T ∈ P  covered by the laser.
Let Predicate be a predicate on internal variables. Then, an LFI profile regarding Predicate is defined as follows.

Definition 3. [LFI profile] The LFI profile regarding Predicate namely
It is important to note that Definition 3 involves the cases wherein (i) a laser spot covers more than one transistor and (ii) a multivariate predicate that will be discussed in Sect. 3.2.2.
Example. We express the example in Fig. 1 The attacker can obtain an LFI position by profiling an open sample in which the attacker can control the value of Predicate. The availability of such an open sample is realistic. For example, the attacker can purchase an unprogrammed chip on the market and use it as an open sample. Many conventional attacks assume profiling [19]. Consequently, attacks based on profiling are examined in penetration testing for certification [14].
At the first step of profiling, the attacker sets Predicate = true and scans the chip surface with a laser. When there is an alarm at position T ∈ P , it means that T raises an alarm ⟸ Predicate is true. At the second step, the attacker checks the converse for T: the attacker repeatedly injects a laser at T for all the possible parameters satisfying and thus the attacker concludes that T ∈ Π Predicate.
The cost of conducting the second step is a bottleneck that limits the number of transistors involved in a laser spot. A larger number of transistors means a larger number of variables in the predicate, and the number of cases that should be examined in the second step grows exponentially with the number of variables in the predicate.
The procedure of the proposed laser-based probing is shown in Alg. 1. In Alg. 1, the attacker injects a laser on the position T ∈ Π Predicate. The sensor raises an alarm if and only if Predicate is true. Therefore, the attacker knows that Predicate is true by observing the presence of an alarm. Conversely, a missing alarm indicates that Predicate is false.

Target of probing
In this section, we discuss the potential targets that can be exploited by the proposed attack.

Memory and single-input gates
As exemplified in Sect. 3.1, a cross-coupled inverter is susceptible to the attack. By attacking a cross-coupled inverter, the attacker can read the contents of SRAM and flip-flops. If there are sufficiently many known LFI positions, the attacker can read data bit by bit by repeating Alg. 1. That is simple yet strong because the attacker may directly read sensitive data such as a secret key.
Alternatively, the attacker can probe logic gates in a combinatorial circuit. The extension is feasible because the bit-flip detector can detect a short-circuit current caused in combinatorial circuits [21]. An inverter is susceptible to the attack in the same way as a cross-coupled inverter. Consequently, logic gates accompanied by inverters are also susceptible to the attack. Fig. 4 shows such logic gates. Fig. 4-(a) is an AND gate composed of a NAND gate and an inverter. Fig. 4-(b) shows a NAND gate with an output buffer for driving a large capacitive load. Most logic gates in a standard-cell library fall into one of the two categories.
In contrast to memory, the state of a logic gate can change multiple times during a clock period, as shown in Fig. 5. Such transient switching is called a glitch. The attacker is usually interested in the final state of the target gate rather than its glitches. Therefore, the attacker should perform the LFI in the stationary period. Consequently, laser-based probing on combinatorial circuits needs more precise timing control than probing on memory. From another viewpoint, the attacker can learn the duration of the glitchy period by laser-based probing. Such information leakage can enable another attack such as fault sensitivity analysis [15], but that is beyond the scope of this paper. Additionally, the attacker has an opportunity to extend the stationary region by changing the clock frequency and/or cooling the circuit.
Why may the attacker want to probe a logic gate despite the additional difficulty regarding glitches? Firstly, it increases the number of target intermediate variables. As we will discuss in Sect. 4, probing on a specific intermediate variable enables an efficient attack. Secondly, probing on memory is relatively easy to thwart as we will discuss in Sect. 3.4. The probing on logic gates still works even after the countermeasure thwarts the probing on memory.

Multiple-input gates
We can extend the proposed attack to logic gates having multiple inputs. We first exemplify the attack on the NAND gate shown in Fig. 6. We first consider LFI on M P3, M P4, or both. In these cases, a short  Table 1. It is important to note that the Predicate is multivariate.
We extend the above example to an n-input logic gate. The pull-up network of the gate is conductive when
Fig. 6. NAND gate.
If there exists a unique (x 1, …, x i−1, x i+1, …, x n) satisfying the above condition, we have Similarly, we can consider an LFI on the NMOS transistor M Ni controlled by x i. M Ni is originally OFF when x i = 0. A short circuit occurs when the pull-down network is originally OFF, and the LFI makes the pull-down network ON. The condition is expressed as If there exists a unique (ẋ 1, …, ẋ i−1, ẋ i+1, …, ẋ n) satisfying the condition, we have
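As an added example (not from the paper), the following Python computes the LFI profile of this section for any static CMOS gate: the gate's pull-up and pull-down networks are written as series/parallel groups of transistors, the transistors inside the laser spot are forced conductive, and the resulting predicate is the set of input assignments at which VDD and GND are short-circuited. The transistor names (P1, P2, N1, N2) and gate descriptions are constructed here and are not the labels of Fig. 6.

```python
from itertools import product

# Constructed gate model (not the paper's): a static CMOS gate is a pull-up
# network of PMOS transistors and a pull-down network of NMOS transistors.
# A network is either a transistor leaf (name, "p" | "n", input_index) or a
# ("series", [...]) / ("parallel", [...]) group of sub-networks.
def _conducts(net, x, forced):
    """Does the network conduct for input vector x when `forced` are hit by the laser?"""
    if net[0] in ("series", "parallel"):
        kind, parts = net
        results = [_conducts(p, x, forced) for p in parts]
        return all(results) if kind == "series" else any(results)
    name, ttype, idx = net
    if name in forced:          # laser-induced photocurrent: the junction conducts regardless
        return True
    return x[idx] == 0 if ttype == "p" else x[idx] == 1   # PMOS on at 0, NMOS on at 1

def lfi_profile(gate, n_inputs, forced):
    """Predicate of the LFI position `forced`: the input assignments at which the
    laser creates a VDD-GND short circuit, i.e. at which the detector raises an alarm."""
    pull_up, pull_down = gate
    return {x for x in product((0, 1), repeat=n_inputs)
            if _conducts(pull_up, x, forced) and _conducts(pull_down, x, forced)}

def describe(profile):
    """Render a profile as a sum-of-products formula over x1..xn ('never' if empty)."""
    terms = [" AND ".join(f"x{i + 1}" if b else f"NOT x{i + 1}" for i, b in enumerate(x))
             for x in sorted(profile)]
    return " OR ".join(terms) if terms else "never"

# 2-input NAND: PMOS P1, P2 in parallel (pull-up), NMOS N1, N2 in series (pull-down).
NAND2 = (("parallel", [("P1", "p", 0), ("P2", "p", 1)]),
         ("series", [("N1", "n", 0), ("N2", "n", 1)]))
# 2-input NOR: PMOS in series, NMOS in parallel.
NOR2 = (("series", [("P1", "p", 0), ("P2", "p", 1)]),
        ("parallel", [("N1", "n", 0), ("N2", "n", 1)]))

if __name__ == "__main__":
    for name, gate in (("NAND2", NAND2), ("NOR2", NOR2)):
        # one PMOS, both PMOS (a wider spot), one NMOS, and a spot covering a P/N pair
        for spot in ({"P1"}, {"P1", "P2"}, {"N1"}, {"P1", "N1"}):
            print(name, sorted(spot), "->", describe(lfi_profile(gate, 2, spot)))
```

For the NAND gate, a spot on one or both PMOS transistors yields the multivariate predicate x1 AND x2, while a spot on N1 yields NOT x1 AND x2, the unique-assignment case of the text.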

Errors in sensing
In this section, we discuss errors in the bit flip detector. So far, we considered an ideal sensor that detects a bit flip with 100% accuracy. In reality, however, the bit flip detector is error-prone.
The bit flip detector detects an anomaly by thresholding an analog physical quantity. The threshold is essential in discussing errors. In the bit flip detector, a false negative means a release of a faulty output which is unacceptable. Therefore, the threshold should be determined so that the probability of false negatives becomes negligibly small. Fig. 7 shows a probabilistic network representing the laser-based probing. The network is asymmetric because there is no false negative. Meanwhile, false positives can occur at the probability .
An important observation is that if the attacker observes the absence of an alarm, it always means that there is no bit flip, or equivalently Predicate = false. Therefore, as far as the ineffective fault is used, the attacker can make error-free measurement. As shown in Fig. 7, the probability to observe the absence of an alarm is (1 − )∕2. Consequently, to observe the absence of an alarm for M times, the attacker should make the laser-based probing 2 M∕(1 − ) times.
It is important to note that the attacker can reduce by improving an instrument. A false positive occurs when the LFI-induced short-circuit current is sufficient to trigger the bit flip detector but insufficient to cause The above discussion is correct as far as the LFI position satisfies Definition 3. If there is a false positive, the laser-based probing becomes probabilistic and the efficient analysis that will be described in Sect. 4 no longer works. Such a false positive can occur when a laser covers transistors that cause opposite bit flips, e.g., {M N1 , M P1 } in Fig. 1.
Besides, the laser-induced IR drop [28] can also break the assumption.
It is important to note that the attacker can check such probabilistic errors at the profiling phase by extending the method described in Sect. 3.1. By repeating the same measurement for several times with a fixed LFI position and the same parameters in the second step, probabilistic false positives can be detected. By doing this, the attacker knows if the measurement is contaminated with noise, and can switch the succeeding attack strategy.

Countermeasure
Countermeasures against the proposed attack are discussed next. A common strategy against side-channel attacks is to remove the correlation between the intermediate value and the side-channel leakage.
The countermeasure shown in Fig. 8 efficiently thwarts laser-based probing on memory. In the countermeasure, a target datum d is stored as the shares (r, d ⊕ r). The attacker gets no information about d by probing either r or d ⊕ r. Therefore, the countermeasure thwarts an attack with a single probe, i.e., LFI with a single laser. However, the countermeasure is no longer effective if we consider the attack on a combinatorial circuit, because the original value d is reconstructed at the XOR gate.
To thwart the probing attack on combinatorial circuits, the cryptographic computation should be carried out on the shares without reconstructing the original value. Countermeasures based on multi-party computation (MPC) satisfy the requirement [12]. Such MPC-based countermeasures are also effective against side-channel attacks (SCA) [20,22]. Although an MPC-based countermeasure is costly, it can be an efficient option because it is effective against both attacks: if we use an MPC-based countermeasure against SCA, protection against the proposed attack comes for free.

Attack model
We model the laser-based probing in the context of cryptanalysis. Firstly, we consider a chosen-message attack in which the attacker can choose the input message. This is modeled by the oracle in Alg. 2. The attacker first determines a target Predicate and the corresponding LFI position T ∈ Π Predicate. Then, the attacker calls an encryption with a message m and performs LFI based on the profile. When the attacker observes the absence of an alarm, the attacker learns that Predicate = false and obtains a ciphertext. If there is an alarm, on the other hand, the attacker learns that Predicate = true and obtains the null symbol ⊥, meaning that the ciphertext is unavailable. Alg. 2 differs from conventional probing attacks in that the ciphertext can be unavailable.
Secondly, we consider a ciphertext-only attack in which the attacker can neither choose nor know the message. The ciphertext-only attack is commonly considered in theoretical analyses of cryptography and is also practical. For example, in a variant of challenge-response authentication, a verifier generates a message m and encrypts it to a ciphertext c = Enc k(m). Then, the verifier sends c to a prover. The prover decrypts the message with the pre-shared key k and recovers the message m′ = Dec k(c). Then, the prover sends m′ back to the verifier. The verifier authenticates the prover if m = m′. In the above setting, an attack by a malicious prover is a ciphertext-only attack.
The side-channel oracle in the ciphertext-only attack is shown in Alg. 3. In this case, the attacker observes either (true, c) or (false, ⊥). The case without a ciphertext is hardly exploitable because the attacker has neither a plaintext nor a ciphertext. Therefore, the attacker should rely on the ineffective case, in which a ciphertext is available, for the analysis.
We discuss the best attacks on AES under different conditions based on Table 2. Firstly, we consider the error-free case. The case without false negatives, as discussed in Sect. 3.3, also falls into this category. In the chosen-plaintext attack, the conventional probing attack by Schmidt and Kim [26] is still effective against AES. With the Schmidt-Kim attack, a full AES key can be recovered by using only one LFI position and 168 encryption queries on average. Since the Schmidt-Kim attack relies on chosen plaintexts, it cannot be used in the ciphertext-only attack. Therefore, the attacks described in the next sections are the best attacks in that setting. Secondly, we consider the case in which the result of probing is contaminated with noise. This is beyond the scope of the conventional probing attack. So far, the best attack to exploit the leakage is SIFA [9], described in Sect. 2.3. If we consider SIFA on the AES S-boxes in the 10th round, 16 distinct probes are needed. The number of queries to recover the key depends on the signal-to-noise ratio and is thus not shown in Table 2.
Table 2 (rows recovered from the extracted text; the header row was lost):
Ciphertext-only | This work | 16 | 128 | No
Ciphertext-only | This work | 4 | 132 | Yes
Ciphertext-only | SIFA [9] | 16 | –

Probing on the 10th round
We discuss the attack on the 10th round of AES by exploiting the leakage in the ciphertext-only attack described in Alg. 3. The attack assumes an LFI target in which Predicate is univariate, i.e., a bit-set/reset fault. This is a simple extension of the Clavier-Wurcker attack [6] to a bit-set/reset fault (cf. byte-wise fault). We Accordingly, a set of key candidates satisfying Eq. (6) for any c i, denoted by , is returned.
The number of key candidates is roughly halved for each ciphertext. Therefore, the correct key is recovered with roughly 8 ciphertexts. By repeating the same procedure, the remaining key bytes can be recovered. For full-key recovery, 16 distinct LFI positions are needed. Accordingly, the analysis uses 8 × 16 = 128 correct ciphertexts.
[Algorithm 4 (attack using probing on the 10th round); only fragments survived extraction: x ← slice(c i); … end for; if not t 1 = t 2 = ··· = t N = 0 then … end if; end for; Return]

Probing on the 9th round
We discuss the attack on the 9th round of AES in the ciphertext-only attack. The extension to the 9th round is not straightforward. The differential analysis is a common strategy for extending a target round [26]. We cannot use the strategy because a faulty ciphertext is unavailable. Moreover, since this is the ciphertext-only attack, a difference between messages is also unavailable. To address the problem, a technique from Matsui's linear cryptanalysis [16] is introduced.
We first define some notation. The 16-byte AES state is represented by S Label, in which Label is a text representing the round and operation. Each byte in the state is represented as  (2)) is a map defined by We describe the proposed attack using the diagram in Fig. 9. We consider MixColumns given by where x i, y i ∈ GF(2^8). The MSB of x 0, namely x 0(7), is considered. In that case, the following linear equation is satisfied with probability 1: where Ψ(y 0, y 1, y 2, y 3) = (0x70, y 0) ⊕ (0xd0, y 1) ⊕ (0xb0, y 2) ⊕ (0x90, y 3).
By combining Eqs. (10), (12) and (13), we get Eq. (14), which is used as a distinguisher. Alg. 5 shows the proposed attack procedure. The input to the algorithm is a set of ciphertexts {c 1, …, c N} for which the Predicate is false; in other words, s SB9 00(7) = 0 holds for every c i. The purpose of the algorithm is to recover 4 bytes of the round key K 10, namely k 10 00, k 10 13, k 10 22, and k 10 31. The procedure has a nested loop: the outer loop examines the whole 32-bit key space, while the inner loop iterates over {c 1, …, c N}.
At line #5, the corresponding bytes c 00, c 13, c 22, and c 31 are extracted from c i by the sub-procedure slice4. Then, the 4-byte intermediate state s AR9 00, s AR9 01, s AR9 02, and s AR9 03 is calculated from a hypothetical key k. Then, a 1-bit value t i is evaluated as
Fig. 9. Illustration of the attack by probing on the 9th round.
For the correct key candidate, t i should be the same for every i because of Eq. (14). Therefore, the key candidate remains if t 1 = t 2 = ··· = t N. Otherwise, the candidate is rejected. Finally, the algorithm outputs the set of remaining key candidates .
Algorithm 5 Attack using probing on the 9th round.
Similarly to the 10th-round attack, the number of key candidates is roughly halved for each ciphertext. However, one extra ciphertext is needed to fix the unknown constant in Eq. (14), which is determined by Ψ(k 9 00, k 9 01, k 9 02, k 9 03). As a result, the key space is expected to be reduced to 32 − (N − 1) bits by using N ciphertexts and running Alg. 5. Therefore, the expected number of ciphertexts needed to determine the 4 key bytes uniquely is 33. The attacker repeats the same procedure for the other columns to get the remaining bytes of the key. As a result, full key recovery needs laser injections at 4 different positions and 4 × 33 = 132 ciphertexts.

Alg. 5 is verified through an experiment. In the experiment, a set of ciphertexts satisfying the constraint s SB9 00(7) = 0 is generated by simulation. Then, Alg. 5 is executed, and the number of remaining key candidates is evaluated. Table 3 summarizes the number of ciphertexts N, the number of remaining key candidates ||, and the number of remaining key bits log 2 ||. The result clearly shows that log 2 || ≈ 32 − (N − 1), as expected.
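To make the 9th-round distinguisher concrete, here is an added Python simulation (not the authors' code) that mirrors the experiment above at reduced scale: it generates ciphertexts for which s SB9 00(7) = 0 from the last two AES rounds under random k 9 and k 10, computes t i for a key guess as in Alg. 5, and checks which guesses survive. It reads (mask, y) in Ψ as the parity of mask AND y, which is the reading under which Eq. (13) holds for AES MixColumns, and it scores a random sample of wrong 4-byte guesses instead of the full 2^32 key space; names such as demo and collect_ineffective are my own.

```python
import random

# Standard AES building blocks, re-implemented here for the simulation (not the paper's code).
def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11b
        b >>= 1
    return r

def _build_sbox():
    sbox = [0] * 256
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if gf_mul(x, y) == 1)
        s = v = inv
        for _ in range(4):          # affine part of the S-box: XOR of four rotations
            v = ((v << 1) | (v >> 7)) & 0xff
            s ^= v
        sbox[x] = s ^ 0x63
    return sbox

SBOX = _build_sbox()
INV_SBOX = [SBOX.index(i) for i in range(256)]

def shift_rows(s):
    """State bytes are indexed 4*col + row; row r rotates left by r positions."""
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def mix_column(x):
    return [gf_mul(x[0], 2) ^ gf_mul(x[1], 3) ^ x[2] ^ x[3],
            x[0] ^ gf_mul(x[1], 2) ^ gf_mul(x[2], 3) ^ x[3],
            x[0] ^ x[1] ^ gf_mul(x[2], 2) ^ gf_mul(x[3], 3),
            gf_mul(x[0], 3) ^ x[1] ^ x[2] ^ gf_mul(x[3], 2)]

def last_two_rounds(s_sb9, k9, k10):
    """From the round-9 SubBytes output (Fig. 9) to the ciphertext."""
    s = shift_rows(s_sb9)
    s = sum((mix_column(s[4 * c:4 * c + 4]) for c in range(4)), [])
    s_ar9 = [a ^ b for a, b in zip(s, k9)]
    s = shift_rows([SBOX[a] for a in s_ar9])
    return [a ^ b for a, b in zip(s, k10)]

def collect_ineffective(rng, k9, k10, n, filtered=True):
    """Constructed stand-in for the oracle of Alg. 3: only encryptions in which the
    probed bit s^SB9_00(7) is 0 (no bit flip, hence no alarm) yield a ciphertext."""
    out = []
    while len(out) < n:
        s_sb9 = [rng.randrange(256) for _ in range(16)]
        if filtered and s_sb9[0] & 0x80:      # Predicate true: alarm, ciphertext withheld
            continue
        out.append(last_two_rounds(s_sb9, k9, k10))
    return out

# Ciphertext bytes that round-10 ShiftRows takes from state column 0 (the paper's
# c_00, c_13, c_22, c_31), ordered as rows 0..3 of that column.
CT_IDX = (0, 13, 10, 7)
# Masks of Psi in Eq. (13): the parity of the masked MixColumns output column
# equals the MSB of the column's first input byte, x_0(7).
PSI_MASKS = (0x70, 0xd0, 0xb0, 0x90)

def psi(col):
    return sum(bin(m & y).count("1") for m, y in zip(PSI_MASKS, col)) & 1

def t_bit(c, guess):
    """t_i of Alg. 5: invert round 10 on the four bytes under a 4-byte key guess
    and evaluate Psi on the recovered s^AR9 column."""
    return psi([INV_SBOX[c[i] ^ k] for i, k in zip(CT_IDX, guess)])

def surviving(cts, candidates):
    """Alg. 5 restricted to a candidate list: a guess survives iff t_i is the same
    for every ciphertext (Eq. (14) with its unknown constant)."""
    return [g for g in candidates if len({t_bit(c, g) for c in cts}) == 1]

def demo(n_cts=33, n_wrong=2000, filtered=True, seed=1):
    """Return (does the correct key survive?, number of surviving wrong guesses)."""
    rng = random.Random(seed)
    k9 = [rng.randrange(256) for _ in range(16)]
    k10 = [rng.randrange(256) for _ in range(16)]
    correct = tuple(k10[i] for i in CT_IDX)
    cts = collect_ineffective(rng, k9, k10, n_cts, filtered)
    wrong = [tuple(rng.randrange(256) for _ in range(4)) for _ in range(n_wrong)]
    wrong = [g for g in wrong if g != correct]
    return (surviving(cts, [correct]) == [correct], len(surviving(cts, wrong)))
```

demo() returns (True, 0): with 33 ciphertexts the correct key is kept and none of the 2000 wrong guesses survives, whereas demo(n_cts=8) leaves about 2000/2^7 wrong guesses alive, matching log2|K| ≈ 32 − (N − 1); with filtered=False the constraint is gone and the correct key is rejected like any other guess.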

Conclusion
In this paper, we conducted the first security evaluation of sensor-based countermeasures against laser fault injection. The attack transforms a sensor into a side-channel oracle that enables an attacker to probe an internal state of the target chip non-invasively. The proposed attack is applicable to any countermeasure as long as the following two conditions are satisfied: (i) the target obeys the bit-set/reset fault model and (ii) an alarm is raised on a bit flip. The leakage can be used to attack cryptography. Notably, with the proposed cryptanalytic technique, AES can be attacked using 132 ciphertexts even in the ciphertext-only setting.
Experimental verification of the proposed attack using a chip equipped with a sensor-based countermeasure is an important open problem. The proposed cryptanalytic technique works with bit-set and bit-reset faults only. An attack that efficiently exploits an LFI position corresponding to a multivariate Predicate is another open problem.