International Association
for Cryptologic Research

--Recent research has demonstrated that there is

no sharp distinction between passive attacks based on sidechannel

leakage and active attacks based on fault injection.

Fault behavior can be processed as side-channel information,

offering all the benefits of Differential Power Analysis including

noise averaging and hypothesis testing by correlation. This paper

introduces Differential Fault Intensity Analysis, which combines

the principles of Differential Power Analysis and fault injection.

We observe that most faults are biased - such as single-bit,

two-bit, or three-bit errors in a byte - and that this property

can reveal the secret key through a hypothesis test. Unlike

Differential Fault Analysis, we do not require precise analysis

of the fault propagation. Unlike Fault Sensitivity Analysis, we do

not require a fault sensitivity profile for the device under attack.

We demonstrate our method on an FPGA implementation of

AES with a fault injection model. We find that with an average

of 7 fault injections, we can reconstruct a full 128-bit AES key