A Fault Induction Technique Based on Voltage Underfeeding with Application to Attacks against AES and RSA

Fault injection attacks have proven to be a powerful tool to exploit the implementation weaknesses of cryptographic algorithms. Several techniques perturbing the computation of a cipher have been devised and successfully employed to leak secret information from erroneous results. We present a low-cost, non-invasive and effective technique to inject transient faults into a general purpose processor through lowering its feeding voltage, and to characterize the effects on the computing system. This technique is effective enough to lead attacks against a software implementation of a cryptosystem running on a full fledged ARM9 CPU with a complete operating system. We validate the effectiveness of the fault model through attacking OpenSSL implementations of the RSA and AES cryptosystems. A new attack against AES, able to retrieve the full 256-bit key, is described, and the number of faults to be collected is delineated. In addition, we propose a generalization of the attack against the RSA encryption presented in Barenghi et al. (2009), to a multi-bit fault model, and the analysis of its computational complexity. The attacks against AES retrieve all the round keys regardless of their derivation strategy, the number of cipher rounds and the diffusion layer, while the attacks against RSA retrieve either the message or the secret key.