A combined design-time/test-time study of the vulnerability of sub-threshold devices to low voltage fault attacks

The continuous scaling of VLSI technology and the possibility to run circuits in subthreshold voltage range make it possible to implement standard cryptographic primitives within the very limited circuit and power budget of radio frequency identification (RFID) devices. However, such cryptographic implementations raise concerns regarding their vulnerability to both active and passive side-channel attacks. In particular, when focusing on RFID targeted designs, it is important to evaluate their resistance against low-cost physical attacks. A low-cost fault injection attack can be mounted, for example, by lowering the supply voltage of the chip with the goal of causing setup time violations. In this paper, we provide an in-depth characterization of a chip implementation of the AES cipher. The chip has been designed using a 65-nm low-power standard cell library and operates in a subthreshold voltage range. We first show that it is possible to inject faults (through lowering the supply voltage) compliant with the fault models required to perform attacks against the AES cipher. We then investigate the possibility of predicting, at design time, which parts of the chip are more likely to be sensitive to such fault injection attacks and produce the desirable (from the point of view of the attacker) faulty behavior. Identifying such sensitive logic signals allows us to suggest to the designer a tailored countermeasure strategy for thwarting these attacks, with a minimal impact on the circuit's performance.