International Association for Cryptologic Research

Ph.D. Database

The aim of the IACR Ph.D. database is twofold. On the one hand, we want to offer an overview of Ph.D. theses already completed in the domain of cryptology. Where possible, this should also include a subject classification, an abstract, and access to the full text. On the other hand, it covers Ph.D. subjects currently under investigation. This way, we provide a timely map of contemporary research in cryptology. All entries or changes need to be approved by an editor. You can contact them via phds (at)


Joern-Marc Schmidt (#836)
Name: Joern-Marc Schmidt
Personal Homepage:
Topic of his/her doctorate: Implementation Attacks - Manipulating Devices to Reveal Their Secrets
Category: implementation
Keywords: Implementation Attacks
Ph.D. Supervisor(s): Karl Christian Posch
Year of completion: 2009
Abstract: Nowadays, embedded systems and smart cards are part of everyday life. With the proliferation of these devices, the need for security increases. In order to meet this demand, cryptographic algorithms are applied. However, for implementations of such algorithms on mobile devices, it is not only the security from a cryptanalytical point of view, i.e. in a black-box model, that is important. This is because the practical realization of a theoretically secure algorithm can be insecure.

An adversary with physical access to the device can benefit from its characteristics or influence its behavior. Methods that measure the properties of a device are passive implementation attacks. In contrast to passive methods, active implementation attacks try to manipulate the computation and benefit from the erroneous results. These methods are called fault attacks.

In this thesis, we discuss the theory of implementation attacks as well as their practical realizations. New attacks and algorithmic countermeasures are presented. We show how to attack RSA implementations that make use of the square and multiply algorithm by manipulating the program flow. The attack is expanded to work on ECC and ECDSA. In order to protect devices against such attacks, we developed a countermeasure that secures the program flow of RSA and ECC implementations by an implicitly calculated program signature. Moreover, we present a probing attack on AES and discuss the problem of an untrusted external memory.

Furthermore, we describe our setups for different practical attacks. The possibilities range from low-cost methods using equipment for about 50 Euro up to high-end attacks involving a focused ion beam (FIB). In particular, we performed non-invasive spike and glitch attacks, semi-invasive optical and electromagnetic fault induction, as well as an invasive chemical attack. In addition, we used a FIB for chip modification attacks.

Moreover, we applied fault injection techniques to RFID tags to show that low-cost attacks can manipulate the devices without being recognized.

Summing up, whenever a cryptographic primitive is implemented, physical security should be considered, since even the strongest security proof in a cryptographic black box model does not guarantee that an actual implementation can withstand a motivated adversary with physical access to the device.
E-Mail Address: (at)
Last Change: 2012-11-02 06:03:16