



# Fault injection attacks exploiting high voltage pulsing over Si-substrate backside of IC chips

<u>Yusuke Hayashi</u>, Rikuu Hasegawa, Takuya Wadatsumi, Kazuki Monta, Takuji Miki, Makoto Nagata

Kobe University

### **Fault Injection**

Use physical attack to extract a private key



#### Method

- ✓ Clock Glitch
- ✓ Voltage Glitch
- ✓ EM(electromagnetic)
- ✓ Laser
- ✓ HVP (High Voltage Pulse)

#### **Threat of attack methods**

#### Threat levels according to attack methods

| Method         | Injection | location | De-packaging | Equipment Cost | Fault spot size |  |
|----------------|-----------|----------|--------------|----------------|-----------------|--|
| Internou       | Frontside | Backside | De-packaging | Equipment Cost | Tault Spot Size |  |
| Clock glitch   |           |          | No           | Low            | Global          |  |
| Voltage glitch |           |          | No           | Low            | Global          |  |
| EM pulse       | Yes       | Yes      | No           | Low            | Global          |  |
| Laser beam     | No        | Yes      | Yes          | High           | Local           |  |
| HVP            | Yes       | Yes      | Yes          | Low            | Local           |  |

#### Fault analysis

- ✓ DFA (Differential Fault Analysis)
- ✓ LFA (Linear Fault Analysis)
- ✓ IFA (Ineffective Fault Analysis)

Fault analysis requires highly localized Fault Injection

Copyright Y.Hayashi, 2024, Kobe University -3-

### Attack capability in Si backside HVP

- The threat of Si backside HVP (Simulation and measurement)
  - ✓ Si backside HVP can induce faults among highly localized
  - ✓ Thinner Si-substrate thicknesses increase the threat
- DFA on AES using Si backside HVP
  - ✓ Fault injection in the 9th round of AES
  - Possible to derive secret keys by DFA

#### Si backside HVP is a threat as Fault Injection attack

### Si backside HVP

A needle contact with the Si-substrate on the backside of a flip-chip IC

Target

**Z**TGT

Polarity

SW

**V**<sub>pulse</sub>

Flip-chip BGA

**PCB** 

V<sub>peak</sub> can be controlled by V<sub>control</sub>

 $(\underline{\mu}) \mathbf{V}_{charge}$ 

T<sub>tria</sub>

Boost Circuit

Feedback

Controller

 $V_{\rm control}$ 



Copyright Y.Hayashi, 2024, Kobe University -5-

#### **Simulation Evaluation**



Copyright Y.Hayashi, 2024, Kobe University -6-

#### **Measurement of HVP ability**



Copyright Y.Hayashi, 2024, Kobe University -7-

#### Voltage intensity from the frontside and backside



#### Localization from the frontside and backside



# Controllability of localization by $V_{peak}$

• The area of impact can be controlled by  $V_{peak}$ 

Measurement



Copyright Y.Hayashi, 2024, Kobe University -10-

#### **Controllability of Fault Injection Location**



### **Localization by Si-substrate thickness**



Simulation

### Attackability vs. Si-substrate thickness

- The localization of faults increases as the Si-substrate becomes thinner
  - ✓ It facilitates fault analysis such as DFA



Copyright Y.Hayashi, 2024, Kobe University -13-

#### Attackability vs. Si-substrate thickness



Copyright Y.Hayashi, 2024, Kobe University -14-

# **DFA on AES using Si backside HVP**

HVP is injected in the 9th round of AES operation

AES

- The operation frequency: 10MHz
- The faulty ciphertexts are analyzed to extract a secret key





3 mm

**4 mm** 

Copyright Y.Hayashi, 2024, Kobe University -15-

# **DFA on AES using Si backside HVP**

- 4 byte fault ciphertext can be obtained at 4 points
- Possible to derive secret keys by DFA
  - ✓ Positive pulse : 320V
  - ✓ Negative pulse : -120V



С



Α

| <i>C</i> <sub>0</sub> | <i>C</i> <sub>4</sub> | C <sub>8</sub>         | <i>C</i> <sub>12</sub> |
|-----------------------|-----------------------|------------------------|------------------------|
| С1                    | <i>C</i> <sub>5</sub> | С9                     | <i>C</i> <sub>13</sub> |
| <i>C</i> <sub>2</sub> | С <sub>6</sub>        | <i>C</i> <sub>10</sub> | <i>C</i> <sub>14</sub> |
| <i>C</i> <sub>3</sub> | <i>C</i> <sub>7</sub> | <i>C</i> <sub>11</sub> | <i>C</i> <sub>15</sub> |

Β

| <i>C</i> <sub>0</sub> | <i>C</i> <sub>4</sub> | C <sub>8</sub>         | <i>C</i> <sub>12</sub> |
|-----------------------|-----------------------|------------------------|------------------------|
| <i>C</i> <sub>1</sub> | <i>C</i> <sub>5</sub> | С9                     | $C_{13}$               |
| <i>C</i> <sub>2</sub> | <i>C</i> <sub>6</sub> | <i>C</i> <sub>10</sub> | <i>C</i> <sub>14</sub> |
| <i>C</i> <sub>3</sub> | С7                    | <i>C</i> <sub>11</sub> | <i>C</i> <sub>15</sub> |

| $C_0  C_4  C_8  C_{12}$                      |                        |                        |                       |                |
|----------------------------------------------|------------------------|------------------------|-----------------------|----------------|
|                                              | <i>C</i> <sub>12</sub> | C <sub>8</sub>         | С4                    | C <sub>0</sub> |
| $C_1  C_5  C_9  C_{13}$                      | <i>C</i> <sub>13</sub> | С9                     | <i>C</i> <sub>5</sub> | $\hat{z}_1$    |
| $C_2 \qquad C_6 \qquad C_{10} \qquad C_{14}$ | D C <sub>14</sub>      | <i>C</i> <sub>10</sub> | <i>C</i> <sub>6</sub> | 2              |

 C3
 C7
 C11
 C15

 Faulty byte

**Output of faulty ciphertext** 

Copyright Y.Hayashi, 2024, Kobe University -16-

# Faulty bytes by V<sub>peak</sub>

- ►  $V_{peak}$  : 320V $\rightarrow$ 370V
  - ✓ Fault occurs in 8 bytes at point A
  - ✓ Fault occurs in 5 bytes at point D



| Α                     |                       |                        |                        |  |
|-----------------------|-----------------------|------------------------|------------------------|--|
| <i>C</i> <sub>1</sub> | <i>C</i> <sub>5</sub> | С9                     | <i>C</i> <sub>13</sub> |  |
| <i>C</i> <sub>2</sub> | <i>C</i> <sub>6</sub> | <i>C</i> <sub>10</sub> | <i>C</i> <sub>14</sub> |  |
| <i>C</i> <sub>3</sub> | <i>C</i> <sub>7</sub> | <i>C</i> <sub>11</sub> | <i>C</i> <sub>15</sub> |  |
| <i>C</i> <sub>4</sub> | <i>C</i> <sub>8</sub> | <i>C</i> <sub>12</sub> | <i>C</i> <sub>16</sub> |  |

|                       | L                     | )                      |                        |
|-----------------------|-----------------------|------------------------|------------------------|
| C <sub>0</sub>        | С4                    | <i>C</i> <sub>8</sub>  | <i>C</i> <sub>12</sub> |
| <i>C</i> <sub>1</sub> | <i>C</i> <sub>5</sub> | С9                     | <i>C</i> <sub>13</sub> |
| <i>C</i> <sub>2</sub> | <i>C</i> <sub>6</sub> | <i>C</i> <sub>10</sub> | <i>C</i> <sub>14</sub> |
| <i>C</i> <sub>3</sub> | <i>C</i> <sub>7</sub> | <i>C</i> <sub>11</sub> | <i>C</i> <sub>15</sub> |

П

## Faulty ciphertext at point A



Copyright Y.Hayashi, 2024, Kobe University -18-

# Faulty ciphertext at point D

Difficult to obtain analyzable fault ciphertext





#### The FFs storing the round key

The FFs storing the round output data

Copyright Y.Hayashi, 2024, Kobe University -19-

#### **Future works**

- Understanding the principle of bit-flip is necessary
  - ✓ The principle of bit flipping with HVP with positive is examined
    - T. Wadatsumi *et al.*, "Chip-Backside Vulnerability to Intentional Electromagnetic Interference in Integrated Circuits," in *IEEE Transactions on Electromagnetic Compatibility*, doi: 10.1109/TEMC.2024.3440919.
  - ✓ Understanding of the principles for HVP with negative pulses is also necessary.
- Methods to counter HVP will also be devised

#### Conclusion

- Ability of Si backside HVP to precisely target local circuits
  - ✓ It can control the location and area of fault
  - ✓ Thinner Si-substrate thicknesses are more localized.
    - It could be a serious threat as IC chips become thinner
- DFA on AES using Si backside HVP injection
  - ✓ It is possible to derive secret keys by DFA

This work has been supported by JSPS KAKENHI Grant No. JP22H04999 and by SECOM Science and Technology Foundation