IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS, VOL. 32, NO.

7, JULY 2024 1311

FTC: A Universal Framework for Fault-Injection

Attack Detection and Prevention
Md Rafid Muttaki , Member, IEEE, Md Habibur Rahman , Akshay Kulkarni, Member, IEEE,
Mark Tehranipoor, Fellow, IEEE, and Farimah Farahmandi, Member, IEEE

Abstract— Fault-injection attacks (FIAs) represent a wide-
spread and potent method of compromising the integrity
and confidentiality of integrated circuits (ICs) and electronic
systems. These attacks include voltage/clock glitching, electro-
magnetic (EM) interference, laser, and optical injection. One
promising defense strategy is intrusion detection, which uses
sensors to monitor and capture the effects of such attacks.
However, the diversity of these attacks has led to the development
of specialized sensors for each attack type, posing challenges
in terms of feasibility and overhead. This article introduces a
universal solution for efficiently detecting prominent FIAs using
a lightweight on-chip delay-based fault-to-time converter (FTC)
sensor. The proposed sensor functions by translating the conse-
quences of fault attacks into measurable “time” differentials. This
design is readily implementable on both field-programmable gate
array (FPGA) and application-specific integrated circuit (ASIC)
platforms. The sensor placement considers the most vulnerable
elements in the design to fault attacks to position them closely to
those locations for extracting the best sensitivity to delay changes.
We illustrate the sensor’s responses to major FIAs, demonstrating
its ability to differentiate between nominal and fault conditions.
The overhead analysis also highlights the sensor’s minimal
resource utilization in FPGA implementations. We also explore
the sensor’s response to environmental variations for proper
characterization.
Index Terms— Clock glitching, electromagnetic (EM) fault-
injection, fault-injection attack (FIA), fault-to-time con-
verter (FTC), laser fault-injection (LFI), voltage glitching.
I. I NTRODUCTION
E MBEDDED and Internet-of-Things (IoT) devices have
become daily essentials—from smartphones, smart
homes, healthcare systems, and autonomous vehicles to
security-critical entities, i.e., military applications and financial
systems. While they offer immense benefits, their security
concerns have risen due to software attacks and physical
vulnerabilities. Modern electronics, especially in such harsh
environments, can be susceptible to physical attacks by the
tools and techniques used for failure analysis (FA) if they
fall into the wrong hands. This poses risks like informa-
tion extraction and IP theft via probing, fault-injection, and
reverse engineering. Initially developed for FA, tools such
as probing, microscopy, and focused ion beam (FIB) have
improved over the last two decades. However, adversaries have
learned to exploit these tools to compromise chip security.
Manuscript received 19 December 2023; revised 2 March 2024; accepted
20 March 2024. Date of publication 12 April 2024; date of current version
28 June 2024. (Corresponding author: Md Rafid Muttaki.)
The authors are with the Department of Electrical and Computer
Engineering, University of Florida, Gainesville, FL 32611 USA (e-mail:
[email protected]; [email protected]; [email protected]; However, their discreet and fleeting nature renders real-time
[email protected]; [email protected]). detection exceedingly challenging.
Color versions of one or more figures in this article are available at
https://doi.org/10.1109/TVLSI.2024.3384531.
Digital Object Identifier 10.1109/TVLSI.2024.3384531
1063-8210 © 2024 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: INSTITUTO FEDERAL DO CEARA. Downloaded on January 27,2025 at 13:20:08 UTC from IEEE Xplore. Restrictions apply.
Physical attacks can breach electronic systems’ confidentiality,
availability, and integrity [1], [2], impacting everything from
personal data to national security. For instance, attackers
can reverse-engineer advanced technologies or exploit chips’
vulnerabilities to gain unauthorized access or induce faults.
This can jeopardize systems, as adversaries can manipulate
biometric authentication systems to access unauthorized data.
Physical attacks are a rising concern in cybersecurity [3].
These attacks exploit security vulnerabilities to gain unautho-
rized access and compromise hardware assets. This is possible
due to the inherent susceptibility of underlying embedded
devices such as microprocessors and field-programmable gate
arrays (FPGAs) to physical attacks [4]. They are categorized
into three classes: noninvasive, semi-invasive, or invasive [5].
An overview of physical attacks is presented in Fig. 1.
Historically, invasive and semi-invasive attacks have been
considered less threatening due to the required costs and
expertise. However, improved accessibility to advanced tools
like FIB and scanning electron microscopy (SEM) has changed
this landscape, making physical attacks more feasible. Invasive
attacks like reverse engineering and electrical probing lead
to chip or device destruction [1]. For these attacks, access
to internal components, such as transistors or metal traces,
is needed. Printed circuit board (PCB) invasive attacks require
accessing metal traces or components through methods like
polishing. The destructive nature of invasive attacks neces-
sitates expertise in sample preparation and physical attack
methods, impacting time and cost.
Noninvasive attacks involve extracting assets without alter-
ing the device structure. Two types of noninvasive attacks,
active and passive methods, are prevalent. Passive attacks
involve side-channel signal analysis to expose sensitive
data [6], [7]. However, these side-channel analyses become
quite challenging for complex integrated circuits (ICs). More-
over, researchers have proposed effective countermeasures
against different side-channel attacks adopted in modern semi-
conductor designs [8], [9]. The active approaches include
fault-injection attack (FIA), where abnormal conditions are
induced to gain unauthorized access to the chip functionality.
Recent instances have witnessed the rise of FIAs, emerging
as highly perilous hardware exploits. These attacks primarily
pursue accessing confidential information [10], undermining
data integrity [11], or inflicting denial of service [12]. FIAs
can be executed through various means, including voltage
glitches [4], electromagnetic (EM) fault-injection (EMFI) [13],
clock glitch [10], optical fault-injection [14], and laser fault-
injection (LFI) (noninvasive) [15]. Ensuring system security
necessitates the prompt detection of FIAs upon initiation.
As different FIAs have emerged, researchers have actively
investigated various on-chip strategies to identify and prevent
1312 IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS, VOL. 32, NO. 7, JULY 2024
Fig. 1. Overview of physical attacks [5].
these attacks. The solutions proposed thus far have predom-
inantly centered around individual categories of attacks. For
instance, when it comes to countering voltage glitch attacks,
innovative methods utilizing sense amplifiers, RC-circuit-
based, and a modified inverter configuration with RS latch
detection techniques have been suggested [16], [17], [18].
Similarly, researchers have put forward approaches using
frequency detectors, clock monitors, and ring oscillators (ROs)
in clock glitch detection, showcasing efforts to safeguard
against such vulnerabilities [19], [20], [21]. Meanwhile, the
research community has explored alternatives like LC oscil-
lators, phase-locked loops (PLLs) as on-chip sensors, and
watchdog RO with a Hogge phase detector (PD) for detecting
the frequency instability to address EMFI attacks, as evidenced
in [22], [23], and [24]. In tackling optical/laser FIAs, the pro-
posed solutions have encompassed frequency ripple monitors
and sensors integrated within the circuit’s “reset” signal tree
using buffer-based mechanisms, as indicated in [25] and [26].
Combining techniques to counter FIAs is plausible yet chal-
lenging due to potential high overheads in area and power. The
risk of physical interactions impacting detection also calls for
a prompt need for a universal, lightweight solution within the
research community to address FIAs effectively.
From a different point of view, the existing research
lacks a comprehensive evaluation of hardware designs for
susceptibility to FIAs during early stages, such as register
transfer level (RTL) or gate-level design. Automated tools lack
the ability to predict potential fault-injection vulnerabilities,
or security breaches in specific design locations. Designers
lack a well-defined method to pinpoint critical areas for pro-
tection against FIAs, often resorting to safeguarding the entire
design. This approach is resource-intensive and impractical.
Hence, it is crucial to devise a practical assessment technique
to accurately gauge design vulnerability to FIAs before the
silicon stage. This assessment would enable the development
of localized countermeasures, optimizing protection without
compromising area, power, or performance. Additionally, ran-
dom faults may not yield successful outcomes considering
an attacker’s perspective. Successful attacks typically involve
faults that breach security properties (SPs). Consequently,
a fault-injection vulnerability assessment should be guided by
a set of SPs within the design. Ensuring that injected faults do
not violate these properties substantially can enhance design
security and resiliency.
This research proposes a comprehensive framework to
detect FIAs (red font in Fig. 1) by considering the limitations
of the existing methodologies. This framework comprises
SP-driven vulnerability assessments of ICs against FIAs called
SoFI [27] and a universal FIA detection sensor named fault-
to-time converter (FTC) [28], [29] to address FIAs based on
Authorized licensed use limited to: INSTITUTO FEDERAL DO CEARA. Downloaded on January 27,2025 at 13:20:08 UTC from IEEE Xplore. Restrictions apply.
design-under-test (DUT). The sensor outputs are combined and
compared against the golden dataset using comparator-based
logic to detect faults at runtime. This allows the system to
immediately halt or reset normal operations, preventing FIAs
from affecting the DUT.
The contributions of the research are stated as follows.
1) We investigate the physical effects of individual FIAs
on the targeted device. While the injection methods for
each FIA might differ, the resulting impact would affect
the circuit’s timing.
2) We implement multiple instances of the FTC sensor on
the FPGA platform to emulate a system-on-chip (SoC)
environment and extract a unified response to detect
FIAs effectively.
3) We implement the SoFI framework in the FPGA
environment to assess the DUT and find the most
FIA-vulnerable locations to place sensor instances effi-
ciently.
4) Based on the vulnerable locations and fault model,
we consider the sensor placement as an optimization
problem and propose a mixed-integer linear program-
ming (MILP)-based solution to minimize the cost
function.
5) We implement the overall framework on 28-nm Xilinx
Zynq FPGA. To showcase the framework’s efficacy,
we implement the FIAs mentioned above, i.e., voltage
glitch, clock glitch, EM fault, and optical/laser FIAs,
and report the sensor output to differentiate nominal vs.
attack conditions. The results show that the framework
effectively identifies such attacks with high precision.
The remainder of this article is organized as follows.
We briefly discuss how the FIAs are formulated, the reported
fault attacks, and the shortcomings of relevant detection tech-
niques in Section II. Section III describes the sensor-based
framework for FIA detection. In Section IV, we present the
experimental setup and results of the framework under differ-
ent attacks and environmental variations. Finally, Section V
concludes this article.
II. BACKGROUND
A. FIA Techniques
In this section, we discuss the noninvasive and semi-invasive
active FIAs, i.e., voltage glitch [4], clock glitch [10], EM fault-
injection [13], and optical/LFI [14] as these attacks are
primarily inexpensive, frequently reported, and easy to carry
out. Also, we describe how to address them using our proposed
framework in Section III.
1) Voltage Glitch: A cost-effective fault injection approach
involves manipulating a device’s power supply, such as using
MUTTAKI et al.: FTC: A UNIVERSAL FRAMEWORK FOR FIA DETECTION AND PREVENTION
a MOSFET switch to create a voltage glitch attack. A sudden
drop in supply voltage can be induced by momentarily shorting
two nets with different voltage levels, causing an undervoltage
attack [30]. This technique, known as voltage undershoot,
introduces transient faults into the device. Let us consider
the voltage undershoot (low-power supply) where the timing
constraint can be specified as follows [31]:
tck > dclk2q + dpMax + tstp − tskew . (1)
Here tck , tskew , dck2q , dpMax , and tstp are clock cycle time, clock
skew, internal register delay, setup time, and data propagation
time through combinational logic, respectively. A dip in supply
voltage will lead to an increased dpMax and induce fault in
design timing.
2) Clock Glitch: Another noninvasive fault injection
method involves manipulating the clock signal to induce
setup/hold time violations [32]. Reducing the clock cycle dura-
tion (Tg ) through premature toggling introduces a glitch where
Tg becomes less than the combinational logic’s maximum
path delay (τ ). This can cause subsequent registers to capture
erroneous data, leading to transient faults propagating through
the circuit. Such faults, known as clock glitches, can result
in skipped instructions or incorrect data storage in memory
modules [33]. Despite their impact, these faults leave no trace
of tampering [34].
3) EM Fault-Injection: EM injection perturbs the magnetic
field around a target device, inducing Eddy currents and caus-
ing global power fluctuations, potentially leading to single-bit
faults [35]. Such faults, easily induced with low-cost tools like
a gas lighter [36], pose a significant security risk by potentially
leaking sensitive data such as cryptographic keys [35]. These
attacks exploit the magnetic properties of electronic devices,
compromising their integrity and security.
4) Optical and LFI: A powerful and precisely directed
light beam, such as a laser, can induce modifications in logic
gates by generating electron-hole pairs at the drain of nMOS
transistors, leading to current pulses. These pulses charge the
load capacitance, causing voltage pulses to propagate as tran-
sient faults through the circuit. By targeting specific transistors
within static random access memory (SRAM) cells, attackers
can flip the cell’s state at will [37] and in a reproducible
manner [38].
B. Related Work
Countermeasures against FIAs keep adapting as the FIAs
become more advanced. They are developed based on a
balance between security and overhead trade-offs, aiming to
make attacks sufficiently costly without being impossible.
These countermeasures fall into two main categories: error
detection and intrusion detection.
1) Error Detection: Error detection at the algorithm level
involves adding redundancy to detect injected faults, known
as concurrent error detection (CED). Redundancy is achieved
through hardware (e.g., adding extra components like in triple
modular redundancy [39]), time (repeating processes), or infor-
mation (using error detection or correction codes) [40]. While
hardware and time redundancy can significantly increase
design size (2 to 3 times) and slow performance, making
them less suitable for large designs [41], information redun-
dancy through codes like error detection codes (EDCs) or
error correction codes (ECCs) offers lower overheads but
Authorized licensed use limited to: INSTITUTO FEDERAL DO CEARA. Downloaded on January 27,2025 at 13:20:08 UTC from IEEE Xplore. Restrictions apply.
1313
may provide incomplete fault coverage. For instance, parity-
based EDCs can detect any fault with an odd number of bit
errors within a single byte [42]. In modern SoCs, one of the
prominent uses of ECCs is found in the memory units as
the technology scaling causes increasing error rates [43], [44].
To address these errors, the main memory manufacturers have
started using on-die ECC to rectify uncorrelated single-bit
errors within the memory [45], [46]. With the advancement in
research, the newly proposed ECC units for memory chips and
controllers can be highly efficient with smaller overheads [47].
However, these ECC techniques are developed considering
a particular structure of a dynamic random access memory
(DRAM) [48], inappropriate for protecting/correcting different
modules of an SoC responsible for performing specific opera-
tions. Additionally, it is practically impossible to assign ECCs
to each operation/functionality of a large SoC with limited
overhead and without impacting the intended efficiency.
Several EDC techniques have recently been proposed on
different ciphers that offer high error coverage with varying
overheads. In the following section, we discuss the impact of
these techniques on the ciphers.
a) ASCON: ASCON, being one of the finalists for
the National Institute of Standards and Technology (NIST)
lightweight cryptography (LWC) standardization competition,
received standardization in February 2023 [49]. ASCON is
known for its strong security, minimal footprint, and hashing
capabilities. However, fault attacks proposed in [50] and [51]
have successfully targeted the ASCON S-Box vulnerabilities.
To address this, the error detection scheme presented in [52]
shows exceptionally high error coverage.
b) WAGE: WAGE cipher [53] is a 259-bit lightweight
permutation derived from the Welch–Gong (WG) stream
cipher. Despite its integration of both AEAD and WG-7
transformation, WAGE remains vulnerable to statistical fault
analysis and differential fault analysis, even with the inclu-
sion of supplementary security measures, as outlined in [54].
Kaur et al. [55] introduced an error detection scheme for
the nonlinear sub-blocks of WAGE cipher with reasonable
overheads.
c) Camelia: Camellia encryption is a secure, symmetric
key cipher with 128-bit data size and secret key lengths
from 128 to 256 bits [56]. The studies in [57] and [58] intro-
duce signature-based and CED methods, respectively, on the
Camellia block cipher to improve the reliability of hardware
implementations of these processes. However, the proposed
techniques incur significant overheads of 21% and 83%, which
can become unfeasible in practical implementation scenarios.
d) Midori: Another lightweight block cipher, Midori,
was designed to minimize energy consumption during encryp-
tion and decryption operations within the circuit [59].
Differential fault analysis has successfully retrieved encryption
keys with high probability on Midori cipher as presented
in [60]. To detect these errors, Aghaie et al. [61] present
an error detection architecture for Midori showcasing error
coverage of close to 100% with reasonable overheads (<15%).
e) QARMA: QARMA is a lightweight tweakable cipher
that derives its cryptographic characteristics from the block
ciphers PRINCE, Midori, and MANTIS [62]. QARMA, while
claiming acceptable security margins, can be susceptible to
malicious faults leading to erroneous outputs and fault attacks.
For exposing errors due to such anomalies, a signature-based
error detection technique has been presented in [63] with error
1314 IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS, VOL. 32, NO. 7, JULY 2024
coverage close to 100% with ∼20% overheads. Another study
in [64] leverages a message authentication code (MAC) rooted
in QARMA to counteract Rowhammer attacks.
f) AES s-Box Error Detection: Different techniques have
been proposed in the literature for the AES s-box error
detection by representing polynomial basis into normal, mixed,
and redundant bases [65], [66], [67], [68]. In [65], a stream-
lined fault detection method is presented using the normal
basis for the s-box fault detection. The FPGA implemen-
tation of the technique required 25.8% slice overhead with
minimal impact on timing delays. Mozaffari-Kermani and
Reyhani-Masoleh [66] introduced a high-speed architecture
that formulates multibit parities for the s-box using mixed
bases. However, this approach entails a trade-off between
error coverage and timing overhead. The redundant basis
implements fault detection in encryption by performing a test
decryption post-encryption to check if the original data is
recovered, using redundancy at various levels, i.e., algorithm,
round, and operation level. However, these schemes result in a
time penalty during the decryption or comparison process [67].
In [68], another redundancy strategy is proposed for the s-box
fault detection that uses an inverse s-box after the original one
with good efficiency but extremely high overhead (∼100%).
g) PQC Kyber: PQC Kyber undergoes the NIST stan-
dardization process and serves as a key exchange mechanism
(KEM) protocol relying on the difficulty of the module
learning-with-errors problem [69], [70]. Ravi et al. [71]
thoroughly examine side-channel and FIAs on lattice-based
schemes, with particular emphasis on Kyber. Another work
on Kyber presented in [72] conducts side-channel attacks
on Kyber for FPGA implementation. Fritzmann et al. [73]
present error-correcting codes to significantly improve KEM
protocols’ failure rate, security level, and bandwidth.
h) NTT: Number-theoretic transform (NTT) is another
error detection scheme standardized by NIST in 2022. Previ-
ous attempts on NTT error detection are presented in [74]
and [75]. Sarker et al. [74] construct hardware for error
detection of NTT, while Sarker et al. [75] present new error
detection schemes in NTT for detecting transient and perma-
nent faults.
With the above discussion, we can see several EDC tech-
niques that can work on specific cipher structures, ensuring
high error coverage with acceptable overheads, have already
been proposed. However, each method differs from the other
and entirely depends on the cipher under consideration. For
this reason, these techniques fall short of providing a compre-
hensive solution for detecting FIAs in an SoC environment.
2) Intrusion Detection: Intrusion detection systems aim to
protect devices from tampering by blocking physical access
and countering specific FIAs. These techniques include shield-
ing the chip with wire mesh [76], [77] and employing
analog sensors, i.e., light sensors and frequency detectors
to detect optical fault-injection, probing attacks, and volt-
age/clock glitch attacks [26]. While various countermeasures
have been proposed for FIAs [16], [17], [20], [22], [23], [25],
[26], [78], [79], [80], each typically targets a specific type
of attack and has its drawbacks. For example, some methods,
like the sense amplifier-based approach in [16], may not detect
certain glitches. In contrast, the RC-based detector in [17]
suffers from continuous current leakage. Clock glitch detection
methods in [78] and [79] involve real-time error detection,
impacting performance and introducing high overheads. EMFI
detection technique in [23] relies on the presence of a PLL
Authorized licensed use limited to: INSTITUTO FEDERAL DO CEARA. Downloaded on January 27,2025 at 13:20:08 UTC from IEEE Xplore. Restrictions apply.
Fig. 2. Block overview of critical location extraction steps using SoFI.
unit in the device. Despite the diversity of approaches, these
solutions often entail significant costs, design complexity, and
overheads. A comprehensive strategy addressing the wide
range of FIAs with a unified, parameter-based solution remains
lacking in the existing literature.
C. Threat Model
In this work, we focus solely on assessing the suscep-
tibility of common FIAs, like voltage/clock glitch, EMFI,
and optical/laser FIA. The adversary aims to manipulate
security-critical areas within the design using fault-injection
techniques to compromise the targeted SPs. To provide a
comprehensive solution, we consider a robust attack model
where the adversary possesses complete gate-level information
about the design obtained from an untrusted foundry, reverse
engineering, IP theft, or cooperation with a rogue employee
in the design house. Furthermore, we assume the attacker
can achieve the maximum theoretical precision achievable
by each FIA. For instance, in the case of clock glitching,
they can inject a fault precisely in a particular register by
extending the data path delay of that register. Consequently,
the practical vulnerable locations in a real-world FIA, with
potentially lower precision, would always constitute a subset
of the identified critical locations with this framework.
III. P ROPOSED F RAMEWORK FOR FIA D ETECTION
A. Critical Location Identification
To effectively extract the sensor response from areas critical
to the security of a circuit, it is essential to determine the
locations of security-critical cells/nets in the design. The
placement of the developed FTC sensor will depend on the
positions of these identified wires or registers. The rationale is
that a fault in one of these elements will impact the sensor’s
response. By observing the changes in the sensor response,
we can also establish a connection between a specific SP
violation and the corresponding alterations in the sensor’s
output. To pinpoint the exact wires and registers crucial for
potential SP violations, we employ the SoFI [27] framework.
1) SoFI Framework: The security property-driven vulner-
ability assessment framework (SoFI) identifies design areas
most susceptible to FIAs based on specific SPs and attack
types. It highlights where an adversary might attack to com-
promise confidentiality or integrity. SoFI targets design areas
relevant to the evaluated SPs, originally designed for the
application-specific integrated circuit (ASIC) flow. To adapt
it for FPGA use to conform with the FTC sensor imple-
mentation, particularly in the Xilinx Vivado platform [81],
modifications were made for compatibility and identifying
critical locations. Fig. 2 outlines the block-level steps for
MUTTAKI et al.: FTC: A UNIVERSAL FRAMEWORK FOR FIA DETECTION AND PREVENTION
Fig. 3. (a) Fan-in segment. (b) Signal property 1 waveform.
FPGA-specific implementation, including fault model charac-
terization, fault list generation based on the fault model and
SPs, and fault simulation to pinpoint critical locations. The
main steps of the framework can be detailed as follows:
a) Executable SPs: The SoFI framework models faults
for different fault attacks by focusing on critical areas with
sensitive data. It necessitates defining SPs that fault attacks
could violate, ensuring FIAs are considered effective only if
they compromise these properties. Not every fault will breach
all SPs; SoFI requires that an attack violates at least one
specified security criterion, which must then be converted
into executable formal representations with defined verification
metrics.
An example security property 1 (SP1) can be defined as
follows. It states that the “done” signal indicating the end of
ten AES encryption rounds should not be activated in the first
round. Violating this property will lead to the availability of
the first round computation results, weakening AES security.
Fig. 3(a) and (b) shows a 4-bit counter fan-in circuit for the
“done” signal and the waveform of AES SP1, respectively.
Normally, the “done” signal activates nine clock cycles post-
first round, but a fault can trigger it just three cycles after
loading the AES keys, breaching the property.
We have illustrated a simple example of AES “done” signal
above to explain how an SP can be used to characterize a
certain behavior in the design. However, in practical designs,
the designer needs to identify the assets, critical operations,
and functionalities in light of confidentiality, integrity, and
availability metrics of the design and the considered fault
model (discussed in detail in Section III-A1b). Based on these
parameters, the designer can identify a set of attributes in
the design (i.e., control signals, outputs, and fan-in circuits)
that need to be protected and generate SPs to characterize the
expected functionality.
b) Fault Modeling: Different fault injection methods like
voltage/clock glitching, EMFI, FIB, or optical/laser attacks
require unique fault models due to their varied processes.
Fault modeling translates an attack’s physical effects into
attributes such as fault category (global or local), location
(dispersed or specific circuit parts), timing (critical moments
for vulnerability), fault type (transient or permanent), and
attack duration (based on circuit functionality). Fig. 4 shows
a segment of the gate-level schematic of AES, highlighting a
critical circuit related to Security Property 1 (indicated in a
red, illustrating the specificity needed in fault modeling.
c) Fault List Generation: To analyze system vulnera-
bilities, a detailed fault list is created based on SPs and
fault models, focusing on four main attributes: fault-injection
timing, location, fault type, and duration. Typically, faults
are transient bit flips occurring within a defined attack
Authorized licensed use limited to: INSTITUTO FEDERAL DO CEARA. Downloaded on January 27,2025 at 13:20:08 UTC from IEEE Xplore. Restrictions apply.
1315
Fig. 4. Segment of a gate-level schematic of AES in Vivado tool with an
extracted fan-in circuit for security property 1.
Fig. 5. Identifying critical faults using SoFI framework. (a) Identifying
critical faults. (b) Fault lists with critical faults.
window between control signal activation and SP verification.
In Fig. 3(b), an attack starts at clock cycle 14 (when “load”
signal is raised) and ends at clock cycle 17, targeting any cycle
within for an SP breach. Global faults like voltage or clock
glitching affect sequential cells, while local faults from laser
or FIB attacks may target both sequential and combinational
circuit areas. The fan-in circuit for SP1 is shown in Fig. 3(a)
with three input signals (“reset,” “clock,” and “load”) and an
output signal (“done”). SP1 is checked by examining the rising
edge of the “done” signal.
d) Fault Simulation and Critical Location Identification:
Fault simulation, performed with the Synopsys Z01X simula-
tor [82], helps identify critical locations for fault injection and
assess SP violations. Based on the fault locations, a preventive
countermeasure for FIAs can be incorporating an active shield.
Faults can be injected at the SP check point or within the fan-in
circuit, with the simulator detecting any property violations.
Analysis of the generated fault list reveals whether the list
effectively breaches SPs and the specific locations of these
violations.
SPs like SP1 are breached only when faults are injected at
specific locations, i.e., the fan-in circuit of the “done” signal.
Faults that successfully breach security are termed “effective”
faults. Among these, “critical” faults are a subset where every
fault location is essential for violating the security property.
Not all effective faults are critical; some may originate from
multiple locations without all being necessary for a breach.
Critical faults require all involved locations to contribute to the
security violation. Fig. 5(a) shows a test case on identifying
both effective and critical faults. While faults 5 and 6 are
effective, they are not critical because locations “D” and “E”
are not essential for SP1 breaches for cases 5 and 6, respec-
tively. In these cases, a fault at location “F” directly violates
SP1, making it critical. Conversely, fault 4 is both effective
and critical as locations “D” and “E” are indispensable for the
fault’s impact.
2) Multiple Fault Locations for FTC Sensor: Ideally,
designers aim to equip the entire chip with detection mech-
anisms like fault sensors for intrusion detection. However,
due to constraints like overhead and resource requirements,
1316 IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS, VOL. 32, NO. 7, JULY 2024
it is impractical to deploy numerous sensors. To place sensors
both effectively (to detect FIAs) and efficiently (minimizing
the number needed), we utilize the SoFI framework’s analysis
of critical locations. The identification of these locations
depends on the types of attacks and defined SPs; different
attacks or properties would highlight different critical areas.
By aggregating SoFI findings across various attack scenarios
and security considerations, designers can pinpoint crucial
wires/registers for sensor placement. The goal is to position
FTC sensor instances near these critical spots to monitor for
potential security breaches.
Sensor placement is based on fault-prone areas and the FIA
type, adapting from local to global impacts. When devising a
sensor placement strategy for highly localized attacks, such
as laser attacks, the method will likely be effective across
various FIAs. We consider the challenge of placing sensors
near clusters of vulnerable locations and areas affected by
laser attacks as an optimization problem [83]. This approach
involves defining parameters to achieve an optimal place-
ment solution with minimal cost, considering each vulnerable
location identified by the SoFI framework corresponds to a
configurable logic block (CLB) in the FPGA. A cluster can be
defined as a set of fault-vulnerable CLBs, where the distance
from one CLB to all other CLBs is ≤(x 2 + y 2 )1/2 . Here, x
and y are the length and width of a sensor instance in the
FPGA floorplan. Let M = number of CLBs vulnerable to
LFI attack in a cluster, K = CLBs the LFI can impact at
a time provided at least one of them is fault-vulnerable, P =
sensor instances available, z sc is a binary decision variable to
represent whether a sensor instance is assigned to a cluster,
xs ji = distance between a sensor and each CLB impacted by
the LFI attack in a cluster, d ji = distance between jth fault
vulnerable CLB and ith CLB impacted by the LFI attack in a
cluster, and xsc = distance between a sensor s and a cluster of
fault vulnerable CLBs c. Now, we define the objective function
and constraint equations as follows:
XP
f = xsc (2)
s=1
M X
X K
xsc ≤ (1/M K )


xs ji + d ji ∀s, c
j=1 i=1
0 ≤ xsc ≤ 1 ∀s, c
P
X
z sc = 1 ∀c.
s=1
Equation (2) defines the objective function, which min-
imizes the total distance from all the sensor instances to
all clusters of fault-vulnerable CLBs. In this optimization
problem, we focus on the scenarios where fault-vulnerable
CLBs overlap with the LFI-impacted CLBs. Equation (3)
describes the constraint where the distance between a sen-
sor instance and a cluster is ≤ the normalized distance
between a sensor and all fault-vulnerable CLBs situated in
that cluster considering LFI impact on multiple CLBs at a
time. Equation (4) defines the boundary condition for the
distance parameter between a sensor and a cluster. Based
on the problem formulation, we require another constraint to
ensure each sensor instance is assigned to a fault-vulnerable
CLB cluster defined by Equation (5). Additionally, constraint
equations such as “not using more resources than allocated
(for meeting overhead specifications)” can be used based on
Authorized licensed use limited to: INSTITUTO FEDERAL DO CEARA. Downloaded on January 27,2025 at 13:20:08 UTC from IEEE Xplore. Restrictions apply.
Fig. 6. Applying constraints on identified critical locations during imple-
mentation (floorplan) stage.
the designer’s requirements. Finally, we use the MILP [84]
to solve the objective function with the defined constraint
equations.
Based on the above discussion, if the identified locations by
the SoFI framework are far apart, then by the cluster definition,
each cluster will contain a single CLB requiring a dedicated
sensor instance (5). Additionally, if the identified locations
are in the middle region of a large module, then the sensor’s
efficacy can decrease (discussed in detail in Section IV-D).
These scenarios are not ideal as the identified CLBs dis-
persed within a large design will necessitate many sensors,
resulting in higher overheads without ensuring high efficacy.
We follow the steps illustrated in Fig. 6 to address this.
First, we implement the design with a nominal configuration
based on the design specifications and run the SoFI framework
later. By locating the fault-vulnerable elements in the design,
we apply constraints during the floorplanning stage to place the
identified cells near the edge of the design module/s. In Fig. 6,
we consider two scenarios, one at the IP level and the other at
the SoC level. In both scenarios, the constraints are applied to
facilitate placing the fault-vulnerable cells nearby. In a single
module, we can apply this process to the design (i.e., AES
core), whereas one or more modules undergo this process
at the SoC level. This enables an efficient output from the
(3) optimization tool, resulting in fewer sensor instances (“S1” for
Sc. 1 and “S1, S2” for Sc. 2 in Fig. 6) placed optimally near
(4) the vulnerable locations.
(5) B. FTC: Fault-to-Time Converter
In this section, we provide a comprehensive overview of the
architecture and operational principles of the FTC sensor.
Identifying a common parameter among various FIAs is
essential to develop a universal sensor for effective detection.
These attacks manipulate power lines, system clocks, magnetic
fields, and transistor behavior, leading to changes in intercon-
nect delays and overall circuit timing. The analysis emphasizes
that FIAs can be translated into measurable “time” changes.
Most FIAs induce voltage fluctuations, impacting delay line-
based sensors. However, clock glitch attacks directly affect
the sensor output, causing anomalies during result sampling.
A sensor must consistently monitor delay variations to detect
subtle timing alterations caused by the FIAs. The proposed
solution is the FTC sensor, which monitors the impact of FIAs
as delay changes in the circuit. It employs a dual-delay line,
as illustrated in Fig. 7 with low and high threshold voltage (Vt )
buffer cells. This design enhances sensitivity to minimal delay
MUTTAKI et al.: FTC: A UNIVERSAL FRAMEWORK FOR FIA DETECTION AND PREVENTION
Fig. 7. FTC sensor architecture.
changes caused by FIAs, representing a pioneering approach
in FIA detection. Unlike previous methods, such as in [85],
unable to capture transient changes, the FTC sensor efficiently
captures transient changes, operating at the speed of its driver
clock.
In Fig. 7, the external clock signal is adjusted to the desired
frequency by scaling the sampling clock generator. This scaled
signal drives the FTC block, detecting timing delay variations
caused by FIAs. Unlike traditional time-to-digital converters
(TDC) [86], the FTC incorporates both high Vt (HVT) and
low Vt (LVT) cells within buffer lines to enhance sensitivity
to voltage and timing variations. The sampling clock splits
into two paths within the FTC framework for driving the
HVT and LVT buffer delay lines. These delay lines capture
XOR outputs from each HVT and LVT buffer cell, stored
in latches once enabled. A flip-flop stage loads these cached
readings. A bubble-proof encoder filters out unexpected 0s and
identifies the longest sequence of 1s. Sensor range fine-tuning
adjusts initial and observable buffer lengths, with optimal sizes
determined through post-implementation timing simulations
to ensure consistent XOR output and identify the longest 1s
sequence while modifying initial buffer lengths and keeping
the observable length constant.
The FTC sensor, adaptable for ASIC platforms, requires a
technology library containing different Vt cells. This prereq-
uisite is incompatible with FPGAs due to their uniform Vt
SRAM cells. Nevertheless, for prototyping, we adapted the
sensor for FPGAs by simulating different Vt cells’ behavior
using transparent lookup tables (LUTs) to create variable
delays, emulating LVT and HVT cells with different LUT
configurations (e.g., 1-LUT for LVT, 2-LUTs for HVT). This
approach allows us to mimic actual LVT/HVT cell delay
variations, increasing with more buffers. The sensor detects
the start and end of the longest sequence of 1s, averaging
these values for baseline data and adjusting for device and
environmental differences with a threshold. Deviations from
this threshold raise a flag to report the FIA condition. Sensor
accuracy relies on precise delay calibration and strategic
placement.
IV. E XPERIMENTAL S ETUP AND R ESULTS
A. Experimental Setup
We have used the Zybo Z7 Zynq-7000 FPGA board for
testing the sensor response against voltage glitch, clock glitch,
and EM fault injection. We also used the AC701 evaluation
board due to its flip-chip configuration. This section discusses
how we use multiple sensor instances to detect FIA conditions
in a running system effectively. For this purpose, we run the
SoFI framework first on the DUT (AES encryption design)
Authorized licensed use limited to: INSTITUTO FEDERAL DO CEARA. Downloaded on January 27,2025 at 13:20:08 UTC from IEEE Xplore. Restrictions apply.
1317
Fig. 8. Instance of AES with identified security critical locations.
to locate the security-critical locations prone to FIAs. Fig. 8
highlights three circled clusters within the “AES_top” module,
identifying critical locations vulnerable to FIAs based on
the definition in Section III-A2. Two clusters (1 and 2) are
depicted in a zoomed-in view, showing four registers each
on both sides of the AES, with their cell names visible.
Cluster 3 can also be zoomed in to identify the remaining
critical locations. Utilizing MILP for optimization, as per
Equations 2-5, we strategically placed three sensor instances
(shown in Fig. 9) around these locations. After calibrating the
sensors to record nominal outputs for baseline comparison,
we subjected them to various FIAs to monitor the effectiveness
of each sensor by comparing outputs under normal and FIA
conditions.
Fig. 9 shows the block level setup for detecting FIAs in an
FPGA running an AES encryption engine, with three sensor
instances strategically placed near FIA-vulnerable spots as
determined by optimization. This multisensor approach mim-
ics an SoC environment to effectively cover multiple critical
locations, i.e., nets and registers, acknowledging that a single
sensor is insufficient for efficient attack detection. Addition-
ally, immediate fault detection is crucial to safeguard design
assets in real-time, which makes post-processing inadequate.
We use a comparator-based structure for instant fault detection.
The decision logic for fault conditions is the “Detect Fault
Condition” block, in which the designer can use any logic
block, i.e., AND / OR based on the design requirements to decide
upon the fault condition. This block’s output can be utilized
in multiple ways based on the security requirements of a DUT
to prevent the FIAs from impacting it. One way is to use the
output wire/signal and instantaneously raise a flag signal to
alert the user [11]. Additionally, the signal can be used as an
input to the controller of a running program to halt/reset the
DUT [87]. Another intuitive way is by monitoring secret asset
transactions in the DUT and observing if flag signal is raised
at a specific time, halting the operation accordingly. This way,
it deters the system from unnecessary resets. These approaches
can prevent the FIAs from impacting the DUT, deeming the
attacks unsuccessful.
Initially, the system undergoes a trial run under the nominal
condition where encoded values for all sensor instances are
recorded. Then, we set a threshold for each sensor to account
for intra-device and environmental variations and use them
as inputs to a set of comparators. Finally, we set the DUT
to go through different FIAs, where the encoded outputs
of the sensors are compared to the preset threshold values
from the trial run. Finally, based on the unified response
from all sensor instances, a fault condition will get activated
when the threshold is exceeded, and a flag will be raised.
In our implementation, we chose the observable delay length
1318 IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS, VOL. 32, NO. 7, JULY 2024
Fig. 9. Block diagram of 3-FTC sensor instance implementation for FIA detection.
Fig. 10. Experimental setup for EMFI.
for buffers, labeled as N, as 30. This choice ensures sufficient
monitoring range for detecting delay variations in this setup.
As a result, the encoded output can span from 0 to 29 for
each sensor. For detecting fault conditions, we observe the
start and end of the largest 1 s string for each sensor under
FIA conditions and compare it with the golden data from the
trial run.
B. Sensor Response Against FIAs
In this work, we have considered four prominent FIAs,
i.e., EMFI, voltage glitch, clock glitch, and optical/LFI. For
applying FIAs, we have used different setups as per the attack
requirements. We discuss each attack setup and corresponding
sensor responses in the following subsections.
1) Against Electromagnetic Fault-Injection: We have opted
for the EMV-Langer E1 Immunity Development System [88]
with a range of EM intensity and waveform options to imple-
ment the EMFI attack. The setup comes with an EM generator,
several injection probes, and wire connectors to connect the
generator with the probes. The generator has two types of
pulse options: flat pulse, which maximizes the pulsewidth, and
steep pulse with a sharp but smaller width. The frequency of
the EM signal varies between 125 and 200 MHz. The EM
intensity ranges from 500 to 1500 V. For the EMFI attack
with this setup, we used a steep pulse, with an EM injection
probe on top of the FPGA chip without contact and varied
intensity from 500 up to 1500 V. An overview of the EMFI
setup containing the FPGA as the victim device, EM injection
probe, holder, and a local machine for observing the sensor
outputs is shown in Fig. 10.
In the golden dataset, we observe three instances of sensor
outputs denoted as (1, 16), (9, 26), and (9, 29). These instances
represent the beginning and end positions of the longest
sequence of 1 s in the data, which is illustrated in Fig. 11(a)
for the EMFI attack. For any intra-device and environmental
variation, we set a threshold with a radius of 1 unit around
the sensor outputs. Based on the design applications, the user
Authorized licensed use limited to: INSTITUTO FEDERAL DO CEARA. Downloaded on January 27,2025 at 13:20:08 UTC from IEEE Xplore. Restrictions apply.
Fig. 11. Comparison of sensor response with/without EMFI. (a) Golden
dataset. (b) Sensor response under EMFI.
can consider a smaller threshold region to detect the slightest
anomaly in the design. Finally, we applied the EMFI attack
with intensities 500, 700, 900, 1100, and 1500 V and annotated
the sensor outputs as F1–F5 as shown in Fig. 11(b). With
the increased intensity, more bit flips can be found while
monitoring the binary representation of the sensors’ responses
(start/end of 1 s string). Considering sensor responses for each
attack instance, we can see that the encoded outputs primarily
reside far away from the threshold region. However, due to
the locations of the sensor instances and the transient nature
of the injected EM wave, all sensor outputs are not impacted
similarly. For this reason, sensor 3 output for the F1 fault and
sensor 1 output for the F5 fault are found inside the threshold.
Nevertheless, each fault instance can be easily identified by
combining the results from all sensor instances.
2) Against Voltage Glitch: For the voltage glitch attack,
we have used a signal generator to effect a pulsed signal that
turns on an nMOS to make it act as a fast switch. Connecting
the drain and source of the nMOS to the capacitor terminals
can cause a momentary short circuit, resulting in a voltage
glitch in the victim device. For this purpose, we selected
two capacitors C108 = 100 µF and C147 = 100 µF in the
FPGA under test. After turning on the FPGA, we measured
the voltage across the two capacitor terminals to be 1.94 and
3.44 V, respectively. While connecting the drain and source
of the nMOS to C147 and turning the nMOS ON causes
the FPGA to switch OFF due to a high current flow and
significant voltage drop, connecting the positive terminals of
C147 and C108 to the nMOS drain and source, respectively,
causes a large enough voltage drop to cause voltage glitch
without turning the FPGA OFF. For the switching functionality,
we used the RFP30N06LE, a power MOSFET capable of
operating under a high-voltage environment. Fig. 12(b) shows
the transfer characteristics of the MOSFET under nominal
temperature (25 ◦ C). Based on the features of the MOSFET,
we have used a pulsed signal from the signal generator with
a square shape, 10 Hz frequency, 3.7 V amplitude (peak-to-
peak), and a duty cycle of 10%. The voltage glitch setup is
MUTTAKI et al.: FTC: A UNIVERSAL FRAMEWORK FOR FIA DETECTION AND PREVENTION
Fig. 12. Experimental setup for voltage glitch attack. (a) Voltage glitch setup.
(b) MOSFET IDS versus VGS .
Fig. 13. Comparison of sensor response with/without voltage glitch.
(a) Golden dataset. (b) Sensor output for voltage glitch.
illustrated in Fig. 12(a). When the MOSFET gets turned ON,
a short circuit is created across the two terminals of the capac-
itor, causing a high-current flow within the FPGA, and the
device voltage comes down to a lower voltage, momentarily
signifying an under-voltage attack.
In the golden dataset, we have three sensor instances outputs
(2, 8), (2, 16), and (9, 29) as the start and end of the largest 1 s
string shown in Fig. 13(a) for the voltage glitch attack. Similar
to the EMFI attack scenario, we set a threshold with a radius
of 1 unit around the sensor outputs. Finally, we applied the
voltage glitch attack with the signal generator configuration
mentioned above, and the selected capacitors of the FPGA.
We have used multiple instances of the attack and observed
the sensor outputs. Such two cases of the sensor outputs are
(2, 9), (2, 17), (9, 29) and (2, 9), (2, 17), (9, 20) for attack
instances 1 and 2, respectively, as shown in Fig. 13(b). We can
see that the sensor 1 and 2 outputs under the voltage glitch
attacks reside within the threshold region. On the contrary, the
sensor 3 output changed drastically on both occasions. This
situation can arise due to the impact of the FIAs on the actual
location of the sensor instances and design elements, causing
significant delay changes. In this scenario, we can identify
the fault attack instances using the OR logic as the fault detect
condition. This scenario provides a valid reason for the design
analysis using SoFI and using the required number of sensor
instances rather than one to ensure efficient FIA detection.
3) Against Clock Glitch: For conducting the clock glitch
attack, we employed the “Clocking Wizard” available within
the IP catalog of the Vivado software, a widely used tool in
FPGA design and programming. The reference clock for the
chosen FPGA is 100 MHz. We needed to create two distinct
clock signals with frequencies 100 and 400 MHz to execute the
glitch attack. This was achieved using the FPGA’s multimode
clock manager (MMCM). The MMCM generated these clocks
from the initial 100 MHz reference clock. These two clocks
were used one at a time as the reference clock for the DUT,
which encompassed the FTC sensor and various other design
components. The glitch generation process involved an FSM
featuring a simple 4-bit counter. The FSM is independent of
the system clock (100 MHz) and only depends on an external
Authorized licensed use limited to: INSTITUTO FEDERAL DO CEARA. Downloaded on January 27,2025 at 13:20:08 UTC from IEEE Xplore. Restrictions apply.
1319
Fig. 14. Experimental setup for clock glitch attack. (a) Block diagram for
clock glitch. (b) Simulation waveform using the setup.
Fig. 15. Comparison of sensor response with/without clock glitch. (a) Golden
dataset. (b) Sensor output for clock glitch.
“trigger” signal and internal register value of the 4-bit counter.
As a result, the synchronization of FSM with the system clock
is not required in this implementation. When the “trigger”
signal was activated, and the counter reached a predefined
value, the FSM output a “high” signal. This “high” signal
served as the “select” input for a 2-to-1 multiplexer (MUX).
The MUX had two inputs, each connected to one of the two
clocks generated by the MMCM. When the “select” input went
“high,” the MUX altered its output, “clk_out,” transitioning
its frequency from the nominal 100 to 400 MHz in just one
clock cycle. This sudden change effectively disrupted the ref-
erence clock frequency, causing a glitch. The key components
involved in this glitch attack are illustrated in Fig. 14(a).
The resulting waveforms are presented in Fig. 14(b), where
you can observe that the “clk_out” signal’s frequency shifts
to 400 MHz when the “trigger” goes “high” and remains at
this frequency until the end of the original clock cycle.
In the golden dataset, we observe three instances of sensor
outputs denoted as (0, 14), (9, 29), and (11, 29). These
instances represent the beginning and end positions of the
longest sequence of 1 s in the data illustrated in Fig. 15(a)
for the clock glitch attack. We set a threshold with a radius
of 1 unit around the sensor outputs, similar to previous
experiments. Finally, we applied the clock glitch attack by
turning “on” the “trigger” signal from the external switch at the
FPGA. We have applied the “trigger” multiple times for this
attack and recorded the outputs for the three sensor instances.
Fig. 15(b) illustrates the sensor responses for seven instances
of the clock glitch attack. For example, sensor outputs are
(3, 21), (9, 27), (0, 0); (3, 21), (9, 27), (1, 16); and (3, 21),
(19, 27), (1, 16) for first three attack instances, respectively.
The figure shows that the sensor’s encoded values reside
far away from the threshold region set in the nominal run.
This change in sensor outputs is because the setup and hold
1320 IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS, VOL. 32, NO. 7, JULY 2024
Fig. 16. LFI setup.
TABLE I
M ICROSCOPE xy S TAGE C ONFIGURATION OF THE L ASER S TATION [89]
violations occur due to the arrival of a glitched clock edge
earlier than the actual edge. This effect introduces incorrect
latching of XORed values, resulting in changed data at the
encoded sensor outputs. Again, we observe that the fault attack
scenario can be detected using a unified sensor response for
the clock glitch attack.
4) Against LFI: To capture the sensor outputs during a
laser FIA, we utilized the AC701 evaluation board designed
for the Artix-7 FPGA, as the board possesses the essential
flip-chip configuration necessary for a successful laser attack.
For implementing the laser attack, we have used the Riscure
laser station [89]. In this setup, we used the near-infrared
(NIR) laser with a 1064 nm wavelength. The maximum rated
laser pulse power is 20 W, where we used 45% of the beam
power (9 W). The maximum pulse frequency of the station
is 25 MHz. The spot size of the chosen laser is 6 × 1.4 µm.
The laser station also contains a microscope xy stage with the
configuration specified in Table I. For applying the laser attack,
we have chosen 46 × 84 data points based on the floorplan
of the implemented design with 30 µm spacing between two
attack points. Fig. 16 illustrates the experimental setup for
the laser attack where we can find the major components
of the Riscure laser station and the FPGA under test. The
diode laser emits the laser light into the victim device. Using
the camera, the user can check the probing points from the
software tool. The beam splitter controls how much light
should reach the camera from outside. The objective lens
options available for the system are 5×, 20×, and 50×, where
we used the later configuration. Finally, the xyz table facilitates
three-dimensional movement to properly position the chip
under the laser probe.
In the golden dataset, we have three sensor instances outputs
(4, 13), (1, 13), and (24, 29) as the start and end of the largest
1s string shown in Fig. 17(a) for the laser FIA. We set the same
threshold around the sensor outputs. Then, we set the FPGA
under test on the xy stage and placed the flip chip underneath
the laser probe by moving the stage accordingly using the
Riscure software. Then, we started probing the chip with the
Authorized licensed use limited to: INSTITUTO FEDERAL DO CEARA. Downloaded on January 27,2025 at 13:20:08 UTC from IEEE Xplore. Restrictions apply.
Fig. 17. Comparison of sensor response with/without LFI. (a) Golden dataset.
(b) Sensor output for laser attack.
TABLE II
OVERHEAD A NALYSIS BASED ON LUT U TILIZATION ACROSS
FPGA P LATFORMS FOR I MPLEMENTING FTC S ENSOR
laser pulse. Fig. 17(b) shows the sensor outputs as (0, 9),
(0, 13), and (18, 29) under laser attack. The change in values
can be associated with bit-flips in the memory cells impacted
by the laser pulse, i.e., in the flip-flops, block memories,
or reconfigurable circuit configuration bits. Additionally, the
signal propagation gets impacted (increase/decrease), causing
violations in circuit timing in the logic chain [90]. The
CLBs consist of the logical part and the interconnect part.
In the logical part, the LUTs and internal multiplexers are
the most sensitive to laser fault, whereas the fault impact on
interconnects depends on their initial states [91]. The average
change in modified bits due to laser attack depends on the
spot size and initial configuration of the logic blocks. Similar
to previous attack scenarios, with the obtained results, we can
detect the laser fault attack using the unified sensor response.
C. Overhead Analysis
This section discusses resource utilization as part of the
overhead analysis implementing the FTC sensor on FPGA
platforms. Using different LUT configurations, we created
models for HVT and LVT buffer cells to deploy the FTC
sensor on FPGA platforms. To demonstrate the effectiveness of
the design, we opted to modify the LUT parameter to replicate
the varying intercell delays. More LUTs were required for
the HVT cells to model these delay variations accurately
within the cells. For this reason, this elevated LUT count leads
to increased overall resource utilization (%) for the LUTs.
Across both FPGAs, the primitives used are LUTs (871), reg-
isters (88), and slices (272), which constitute the asset usage
percentage of 5.23% (0.69%), 0.25% (0.03%), and 6.18%
(0.77%) for Zynq-7000 (AC701 evaluation board). Table II
illustrates the resource utilization for LUTs for implementing
the sensor on different FPGA platforms. It can be seen that the
number of LUTs needed for the FTC sensor implementation is
almost identical. However, as the available resources (LUTs,
registers, and so on) in the newer FPGA platforms increase,
the percentage of used LUTs becomes minimal. The same
analysis can be extended for other resource types as well.
Accessing various Vt cells from the technology library in
typical ASIC implementations is straightforward. These cells,
MUTTAKI et al.: FTC: A UNIVERSAL FRAMEWORK FOR FIA DETECTION AND PREVENTION
Fig. 18. Proximity analysis of the FTC sensor. (a) Initial placement.
(b) Moving the upper block close to the sensor.
consisting primarily of two cascaded NOT gates, have similar
physical area footprints, ensuring the sensor’s implementation
occupies minimal space on the device. Additionally, the sensor
can be isolated from the main application, preventing any
impact on the performance of the DUT.
D. Proximity Analysis
We have performed the proximity analysis on the proposed
FTC sensor. Based on our study, we observed that the sensor
can detect delay variations from different proximity of the
active blocks. However, any alterations in the sensor’s place-
ment will change the start, end, and length of the 1 s string
of the sensor output. For analyzing this, we have placed the
sensor in between two blocks of a RISC-V [92] SoC and then
varied the position of the sensor with respect to these blocks.
For instance, Fig. 18(a) shows the initial placement of the three
blocks comprising the FTC and two blocks. The upper block
consists of the fetch, issue, and multiplier, whereas the lower
block includes execution, division, load/store unit (LSU), and
control and status registers (CSRs).
With this configuration, the start and end of 1 s string are
found as (11,28). We have brought the upper block closer to
the FTC sensor to observe the impact of placement change,
as illustrated in Fig. 18(b). The updated sensor output was
observed as (13,38) with the changed placement. In the first
instance, the 1 s string length is 18 compared to 25 in the later
case. This behavior can be explained as follows. When the
upper block is placed far away from the sensor, the detected
delay variation at the sensor becomes minimal, resulting in
more XORed 0 s and less 1 s. However, placing the block
closer to the sensor causes the HVT and LVT cells to transmit
more 1 s than before. For this reason, the 1 s string length
increases to 25 for the later case. Additionally, we can observe
the variation of LVT and HVT cell shift from the start and
end values of 1 s string. The start value (13) signifies that
two new HVT cells transmitted 1, whereas the end value (38)
indicates that ten new LVT cells carried 1 compared to the
initial placement. This shift is also expected as LVT cells
supposedly introduce more 1s than HVT cells.
E. Sensor Response With Environmental Variation
Along with efficacy in detecting FIA conditions, the pro-
posed sensor must be effective under environmental variation.
This section discusses the effect of process, temperature, and
supply voltage variation on the FTC sensor.
1) Process Variation: It is imperative to evaluate the sensor
performance at varying process corners to ensure the efficacy
of the design. For this reason, we have performed the Monte
Carlo Simulation [93] at the Cadence Virtuoso [94] tool
Authorized licensed use limited to: INSTITUTO FEDERAL DO CEARA. Downloaded on January 27,2025 at 13:20:08 UTC from IEEE Xplore. Restrictions apply.
1321
Fig. 19. Monte Carlo Simulation for process variation on a buffer chain with
300 samples.
to observe the impact of mismatch and process variation.
As the sensor design is directed toward measuring delay
variations through buffer cells, we have applied the Monte
Carlo simulation on a long buffer chain (comprising 40 cells).
We used the Cadence generic process design kit (GPDK)
45 nm library cells to build the buffers for this analysis. Our
goal was to observe the mean delay at the output of the buffer
chain and compare it with the simulation results from a typical
run with no process variation. Fig. 19 illustrates the histogram
of sample distribution for the resultant delays. As can be
seen, the mean of the delay parameter for the distribution is
found to be 704.102 ps for the 40 buffer cells. We performed
another simulation with the typical–typical (TT) corner to find
the nominal delay, which we found to be 702.389. These
two values are nearly the same, emphasizing that the process
variation will not impact the intercell delays of the sensor
elements to alter the intended outputs.
2) Temperature Variation: To identify the effect of tempera-
ture on the proposed sensor structure, we need to find the delay
variation of unit cells (buffers) in the design. We again used
the Cadence GPDK 45 nm library to design a single buffer
for simulating the temperature impact. For the simulation,
we considered the temperature range (−25 ◦ C–125 ◦ C) for
three process corners [TT, fast-fast (FF), and slow-slow (SS)]
at VDD = 1.1 V. Fig. 20 shows the change in unit buffer
least significant bit (LSB) delay measured in picoseconds (ps)
due to the temperature variation. The figure illustrates the
slightest delay increase at the FF corner, followed by the
TT and FF corner. This result is expected as the FF corner
considers the fast nMOS/pMOS transistors having the least
intercell delay. In contrast, the SS corner assumes the slow
nMOS/pMOS transistors have the most intercell delay. The
TT corner exhibits the delay profile between the FF and SS
corners. The increasing nature of delay can be attributed to the
difference between VDD = 1.1 V and the threshold voltage of
the transistors Vt ∼ 0.65 V which ensures the carrier mobility
plays a dominating factor rather than the threshold voltage Vt .
On the contrary, while considering a reduced supply voltage,
i.e., 0.8 V, the LSB delay can decrease with increasing tem-
perature [95] as the supply voltage becomes comparable to Vt ,
making it the dominating factor. This phenomenon is known
as temperature inversion [96]. In the FPGA implementation
with a 28 nm library, we have found the averaged LSB delay
to be ∼550 ps. If we scale down the simulated delay profile
using the GPDK 45 nm library with temperature impact, the
change in LSB delay will become ∼5 ps, which is minimal
compared to the nominal cell delay.
3) Supply Voltage Variation: We consider the impact of any
change in the supply voltage by applying a range of VDD to
the buffer chain of the FTC sensor. For this analysis, we used
the Cadence GPDK 45 nm library to create a buffer chain
containing 20 buffers and flip-flops to store the buffer outputs
1322 IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS, VOL. 32, NO. 7, JULY 2024
Fig. 20. Temperature variation effect on FTC sensor unit buffer cell.
TABLE III
L ATCHED O UTPUT FOR A B UFFER C HAIN (20 B UFFERS ) W ITH
VARYING S UPPLY VOLTAGE
considering the TT corner with nominal temperature (25 ◦ C).
Table III shows the latched output for supply voltage from the
rated 1.1 to 0.85 V with a 0.05 V decrease in each step. When
comparing the latched output with the nominal response with
1.1 V, we can see that with each step decrease in the supply
voltage, the string of 1 s becomes smaller and shifts toward
the LSB. This result can be interpreted as follows. As the
voltage level decreases, the input (clock) signal propagates
slowly through each buffer stage and cannot reach the nth
buffer at the same clock edge as the nominal case. This trend
continues with each step decrease in the supply voltage. If we
continue to decrease the supply voltage, at some point, there
will be no 1 s propagated through the buffer chain. From the
designer’s perspective, they can calibrate the observable delay
stage considering the impact of supply voltage variation of the
design to achieve consistent output from the sensor.
V. C ONCLUSION AND F UTURE W ORK
In this work, we have proposed a comprehensive solution
for effectively detecting prominent FIAs with a lightweight
on-chip delay-based FTC sensor. From our analysis, we have
found that fault attacks impact the timing of the circuit, and a
sensor capable of tracking the delay changes in a design can
detect the fault conditions. To position the sensor instances
efficiently, we incorporated the SoFI framework for realizing
the most vulnerable locations, i.e., registers in the design, and
placed those instances closely. We have illustrated the sensor
response for the major FIAs, proving that the unified response
from the sensor can clearly distinguish between nominal
and fault conditions. We have also performed the overhead
analysis, showing minimal resource utilization in the FPGAs.
Finally, we explored the sensor response with environmental
variations, delivering consistent results with process and tem-
perature variation. We have characterized the change in buffer
outputs based on VD D degradation for the supply voltage
variation. In future work, we intend to utilize the FTC sensor
in the SoC environment, where we want to relate any irregular
behavior of SoC modules to the sensor outputs for detecting
silent data corruption. Additionally, we intend to incorporate
predictive attack modeling using sensor-generated output to
anticipate abnormal variations that will help prevent FIAs.
Authorized licensed use limited to: INSTITUTO FEDERAL DO CEARA. Downloaded on January 27,2025 at 13:20:08 UTC from IEEE Xplore. Restrictions apply.
R EFERENCES
[1] S. E. Quadir et al., “A survey on chip to system reverse engineering,”
ACM J. Emerg. Technol. Comput. Syst., vol. 13, no. 1, pp. 1–34,
Apr. 2016.
[2] M. Tehranipoor and C. Wang, Introduction to Hardware Security and
Trust. Berlin, Germany: Springer, 2011.
[3] S. Skorobogatov, Physical Attacks and Tamper Resistance. New York,
NY, USA: Springer, 2012, pp. 143–173.
[4] Z. Chen, G. Vasilakis, K. Murdock, E. Dean, D. Oswald, and
F. D. Garcia, “VoltPillager: Hardware-based fault injection attacks
against Intel SGX enclaves using the SVID voltage scaling interface,”
in Proc. 30th USENIX Secur. Symp., 2021, pp. 699–716.
[5] M. T. Rahman et al., “Physical inspection & attacks: New frontier in
hardware security,” in Proc. IEEE 3rd Int. Verification Secur. Workshop,
Jul. 2018, pp. 93–102.
[6] P. Kocher, J. Jaffe, and B. Jun, “Differential power analysis,” in
Advances in Cryptology, M. Wiener, Ed. Heidelberg, Germany: Springer,
1999.
[7] P. C. Kocher, “Timing attacks on implementations of Diffie–Hellman,
RSA, DSS, and other systems,” in Advances in Cryptology—CRYPTO,
N. Koblitz, Ed. Berlin, Germany: Springer, 1996.
[8] P. C. Kocher, J. M. Jaffe, and B. C. Jun, “Prevention of side channel
attacks against block cipher implementations and other cryptographic
systems,” U.S. Patent 7 787 620, Aug. 31, 2010.
[9] K. Tiri and I. Verbauwhede, “A logic level design methodology for a
secure DPA resistant ASIC or FPGA implementation,” in Proc. Design,
Automat. Test Europe Conf. Exhib., 2004, pp. 246–251.
[10] S. Endo, T. Sugawara, N. Homma, T. Aoki, and A. Satoh, “An on-chip
glitchy-clock generator for testing fault injection attacks,” J. Crypto-
graph. Eng., vol. 1, pp. 265–270, Dec. 2011.
[11] N. Timmers, A. Spruyt, and M. Witteman, “Controlling PC on ARM
using fault injection,” in Proc. FDTC, 2016, pp. 25–35.
[12] M. N. I. Khan and S. Ghosh, “Fault injection attacks on emerging non-
volatile memory and countermeasures,” in Proc. HASP, 2018, pp. 1–8.
[13] M. Dumont, M. Lisart, and P. Maurine, “Electromagnetic fault injection:
How faults occur,” in Proc. FDTC, 2019, pp. 9–16.
[14] J. G. Van Woudenberg, M. F. Witteman, and F. Menarini, “Practical
optical fault injection on secure microcontrollers,” in Proc. FDTC, 2011,
pp. 91–99.
[15] J. Rodriguez, A. Baldomero, V. Montilla, and J. Mujal, “LLFI: Lateral
laser fault injection attack,” in Proc. FDTC, 2019, pp. 41–47.
[16] E.-S. Kim and J.-H. Kim, “Voltage glitch detection circuits and methods
thereof,” U.S. Patent 7 483 328, Jan. 27, 2009.
[17] C.-Y. Kim, S.-J. Jun, and E.-S. Kim, “Voltage-glitch detection device
and method for securing integrated circuit device from voltage glitch
attack,” U.S. Patent 7 085 979, Aug. 1, 2006.
[18] A. G. Yanci, S. Pickles, and T. Arslan, “Characterization of a volt-
age glitch attack detector for secure devices,” in Proc. BLISS, 2009,
pp. 91–96.
[19] P. Luo and Y. Fei, “Faulty clock detection for crypto circuits against dif-
ferential fault analysis attack,” IACR Cryptol. ePrint Arch., Tech. Rep.,
2016, no. 2014, p. 967.
[20] H. Igarashi, Y. Shi, M. Yanagisawa, and N. Togawa, “Concurrent faulty
clock detection for crypto circuits against clock glitch based DFA,” in
Proc. ISCAS, 2013, pp. 1432–1435.
[21] P. Luo, C. Luo, and Y. Fei, “System clock and power supply
cross-checking for glitch detection,” IACR Cryptol. ePrint Arch.,
Tech. Rep., 2016, p. 968.
[22] N. Homma et al., “EM attack is non-invasive?—Design methodology
and validity verification of EM attack sensor,” in Cryptographic Hard-
ware and Embedded Systems—CHES, L. Batina and M. Robshaw, Eds.
Berlin, Germany: Springer, 2014.
[23] N. Miura et al., “PLL to the rescue: A novel EM fault countermeasure,”
in Proc. 53rd ACM/EDAC/IEEE DAC, 2016, pp. 1–6.
[24] J. Breier, S. Bhasin, and W. He, “An electromagnetic fault injec-
tion sensor using Hogge phase-detector,” in Proc. 18th ISQED, 2017,
pp. 307–312.
[25] W. He, J. Breier, and S. Bhasin, “Cheap and cheerful: A low-cost digital
sensor for detecting laser fault injection attacks,” in Security, Privacy,
and Applied Cryptography Engineering. Berlin, Germany: Springer,
2016.
[26] D.-G. Lee, D. Choi, J. Seo, and H. Kim, “Reset tree-based optical fault
detection,” Sensors, vol. 13, no. 5, pp. 6713–6729, May 2013.
[27] H. Wang, H. Li, F. Rahman, M. M. Tehranipoor, and F. Farahmandi,
“SoFI: Security property-driven vulnerability assessments of ICs against
fault-injection attacks,” IEEE Trans. Comput.-Aided Design Integr. Cir-
cuits Syst., vol. 41, no. 3, pp. 452–465, Mar. 2022.
MUTTAKI et al.: FTC: A UNIVERSAL FRAMEWORK FOR FIA DETECTION AND PREVENTION
[28] “FTC—A universal low-overhead fault injection attack detection solu-
tion,” in Proc. ISTFA. ASM International, 2022, pp. 386–391.
[29] M. R. Muttaki, T. Zhang, M. Tehranipoor, and F. Farahmandi, “FTC:
A universal sensor for fault injection attack detection,” in Proc. IEEE
HOST, Jul. 2022, pp. 117–120.
[30] A. Barenghi, C. Hocquet, D. Bol, F.-X. Standaert, F. Regazzoni, and
I. Koren, “A combined design-time/test-time study of the vulnerability of
sub-threshold devices to low voltage fault attacks,” IEEE Trans. Emerg.
Topics Comput., vol. 2, no. 2, pp. 107–118, Jun. 2014.
[31] L. Zussa, J.-M. Dutertre, J. Clediere, and A. Tria, “Power supply
glitch induced faults on FPGA: An in-depth analysis of the injection
mechanism,” in Proc. IOLTS, 2013, pp. 110–115.
[32] M. Yilmaz, K. Chakrabarty, and M. Tehranipoor, “Test-pattern selection
for screening small-delay defects in very-deep submicrometer integrated
circuits,” IEEE Trans. Comput.-Aided Design Integr. Circuits Syst.,
vol. 29, no. 5, pp. 760–773, May 2010.
[33] F. Amiel, C. Clavier, and M. Tunstall, “Fault analysis of DPA-resistant
algorithms,” in Fault Diagnosis and Tolerance in Cryptography. Berlin,
Germany: Springer, 2006.
[34] B. Ning and Q. Liu, “Modeling and efficiency analysis of clock glitch
fault injection attack,” in Proc. AsianHOST, 2018, pp. 13–18.
[35] J.-J. Quisquater and D. Samyde, “Eddy current for magnetic analysis
with active sensor,” in Proc. eSMART, 2002, pp. 1–9.
[36] J.-M. Schmidt and M. Hutter, “Optical and EM fault-attacks on
CRT-based RSA: Concrete results,” in Proc. Austrochip. Verlag der
Technischen Universität Graz, 2007, pp. 61–67.
[37] S. P. Skorobogatov, “Semi-invasive attacks—A new approach to hard-
ware security analysis,” Comput. Lab., Univ. Cambridge, Cambridge,
U.K., Tech. Rep. UCAM-CL-TR-630, 2005.
[38] M. Agoyan, J.-M. Dutertre, A.-P. Mirbaha, D. Naccache, A.-L. Ribotta,
and A. Tria, “How to flip a bit?” in Proc. IEEE 16th IOLTS, Jul. 2010,
pp. 235–239.
[39] R. E. Lyons and W. Vanderkulk, “The use of triple-modular redundancy
to improve computer reliability,” IBM J. Res. Develop., vol. 6, no. 2,
pp. 200–209, Apr. 1962.
[40] I. Koren and C. M. Krishna, Fault-Tolerant Systems. San Mateo, CA,
USA: Morgan Kaufmann, 2020.
[41] A. Dominguez-Oviedo and M. A. Hasan, “Error detection and fault
tolerance in ECSM using input randomization,” IEEE Trans. Dependable
Secure Comput., vol. 6, no. 3, pp. 175–187, Jul./Sep. 2009.
[42] G. Bertoni, L. Breveglieri, I. Koren, and P. Maistri, “An efficient
hardware-based fault diagnosis scheme for AES: Performances and
cost,” in Proc. IEEE DFT, Oct. 2004, pp. 130–138.
[43] S. Cha et al., “Defect analysis and cost-effective resilience architecture
for future DRAM devices,” in Proc. IEEE HPCA, Feb. 2017, pp. 61–72.
[44] U. Kang et al., “Co-architecting controllers and DRAM to enhance
DRAM process scaling,” in Proc. Memory Forum, vol. 14, 2014,
pp. 1–14.
[45] N. Kwak et al., “A 4.8 Gb/s/pin 2Gb LPDDR4 SDRAM with
sub-100 µA self-refresh current for IoT applications,” in IEEE Int. Solid-
State Circuits Conf. (ISSCC) Dig. Tech. Papers, Feb. 2017, pp. 392–393.
[46] H.-J. Kwon et al., “An extremely low-standby-power 3.733 Gb/s/pin
2Gb LPDDR4 SDRAM for wearable devices,” in IEEE Int. Solid-State [71] P. Ravi, A. Chattopadhyay, J. P. D’Anvers, and A. Baksi, “Side-channel
Circuits Conf. (ISSCC) Dig. Tech. Papers, Feb. 2017, pp. 394–395.
[47] M. Patel, G. F. de Oliveira, and O. Mutlu, “HARP: Practically and
effectively identifying uncorrectable errors in memory chips that use
on-die error-correcting codes,” in Proc. MICRO=, 2021, pp. 623–640.
[48] K. Criss et al., “Improving memory reliability by bounding DRAM
faults: DDR5 improved reliability features,” in Proc. MEMSYS, 2020,
pp. 317–322.
[49] C. Dobraunig, M. Eichlseder, F. Mendel, and M. Schläffer, “Ascon v1.2:
lightweight authenticated encryption and hashing,” J. Cryptol., vol. 34,
no. 3, pp. 1–42, Jul. 2021.
[50] K. Ramezanpour, P. Ampadu, and W. Diehl, “A statistical fault analysis
methodology for the ascon authenticated cipher,” in Proc. IEEE Int.
Symp. Hardw. Oriented Secur. Trust (HOST), May 2019, pp. 41–50.
[51] P. Joshi and B. Mazumdar, “SSFA: Subset fault analysis of ASCON-
128 authenticated cipher,” Microelectron. Rel., vol. 123, Aug. 2021,
Art. no. 114155.
[52] J. Kaur, M. Mozaffari Kermani, and R. Azarderakhsh, “Hardware
constructions for error detection in lightweight authenticated cipher
ASCON benchmarked on FPGA,” IEEE Trans. Circuits Syst. II, Exp.
Briefs, vol. 69, no. 4, pp. 2276–2280, Apr. 2022.
[53] R. AlTawy, G. Gong, K. Mandal, and R. Rohit, “WAGE: An
authenticated cipher,” Submission to NIST Lightweight Cryptography
Standardization Project, Announced as Round 2 Candidate on August
30, 2019, Tech. Rep., 2019.
[54] J. Kaur, “Secure lightweight cryptographic hardware constructions for
deeply embedded systems,” Ph.D. dissertation, Dept. Comput. Sci. Eng.,
Univ. South
Authorized Florida,
licensed
2023. to: INSTITUTO FEDERAL DO CEARA. Downloaded on January
use limited
1323
[55] J. Kaur, A. Sarker, M. M. Kermani, and R. Azarderakhsh, “Hardware
constructions for error detection in lightweight welch-gong (WG)-
oriented streamcipher WAGE benchmarked on FPGA,” IEEE Trans.
Emerg. Topics Comput., vol. 10, no. 2, pp. 1208–1215, Apr. 2022.
[56] K. Aoki et al., “Camellia: A 128-bit block cipher suitable for multiple
platforms—Design andanalysis,” in Selected Areas in Cryptography.
Berlin, Germany: Springer, 2001.
[57] M. M. Kermani, R. Azarderakhsh, and J. Xie, “Error detection reliable
architectures of camellia block cipher applicable to different variants of
its substitution boxes,” in Proc. AsianHOST, 2016, pp. 1–6.
[58] H. Cheng and H. M. Heys, “Compact hardware implementation of the
block cipher camellia with concurrent error detection,” in Proc. CCECE,
2007, pp. 1129–1132.
[59] S. Banik et al., “Midori: A block cipher for low energy,” in
Advances in Cryptology—ASIACRYPT. Berlin, Germany: Springer,
2015, pp. 411–436.
[60] W. Cheng, Y. Zhou, and L. Sauvage, “Differential fault analysis on
midori,” in Information and Communications Security. Berlin, Germany:
Springer, 2016, pp. 307–317.
[61] A. Aghaie, M. Mozaffari Kermani, and R. Azarderakhsh, “Fault diag-
nosis schemes for low-energy block cipher midori benchmarked on
FPGA,” IEEE Trans. Very Large Scale Integr. (VLSI) Syst., vol. 25,
no. 4, pp. 1528–1536, Apr. 2017.
[62] R. Avanzi, “The QARMA block cipher family,” IACR Trans. Symmetric
Cryptol., IACR Cryptol. ePrint Arch., 2016, p. 444.
[63] J. Kaur, M. M. Kermani, and R. Azarderakhsh, “Hardware constructions
for lightweight cryptographic block cipher QARMA with error detection
mechanisms,” IEEE Trans. Emerg. Topics Comput., vol. 10, no. 1,
pp. 514–519, Jan. 2022.
[64] J. Jonas, L. Lamster, A. Kogler, M. Eichlseder, M. Lipp, and D. Gruss,
“CSI: Rowhammer—Cryptographic security and integrity against
rowhammer,” in Proc. IEEE Symp. SP, May 2023, pp. 1702–1718.
[65] M. Mozaffari-Kermani and A. Reyhani-Masoleh, “A lightweight concur-
rent fault detection scheme for the AES S-boxes using normal basis,”
in Cryptographic Hardware and Embedded Systems—CHES. Berlin,
Germany: Springer, 2008, pp. 113–129.
[66] M. Mozaffari-Kermani and A. Reyhani-Masoleh, “A high-performance
fault diagnosis approach for the AES subbytes utilizing mixed bases,”
in Proc. FDTC, 2011, pp. 80–87.
[67] S. A. Reddy and M. A. Kumar, “Efficient fault detection scheme for
reliable AES architecture,” in Proc. ICETECT, 2011, pp. 1004–1009.
[68] R. Karri, K. Wu, P. Mishra, and Y. Kim, “Fault-based side-channel
cryptanalysis tolerant Rijndael symmetric block cipher architecture,” in
Proc. IEEE DFT, Oct. 2001, pp. 427–435.
[69] Y. Xing and S. Li, “A compact hardware implementation of CCA-secure
key exchange mechanism CRYSTALS-KYBER on FPGA,” IACR Trans.
Cryptograph. Hardware Embedded Syst., pp. 328–356, Feb. 2021.
[70] PS Process. (2022). Announcing Four Candidates to be
Standardized, Plus Fourth Round Candidates. [Online]. Available:
https://csrc.nist.gov/News/2022/pqc-candidates-to-be-standardized-and-
round-4
and fault-injection attacks over lattice-based post-quantum schemes
(Kyber, Dilithium): Survey and new results,” ACM Trans. Embedded
Comput. Syst., vol. 23, no. 2, pp. 1–54, Mar. 2024.
[72] H. Ma, S. Pan, Y. Gao, J. He, Y. Zhao, and Y. Jin, “Vulnerable
PQC against side channel analysis—A case study on Kyber,” in Proc.
AsianHOST, 2022, pp. 1–6.
[73] T. Fritzmann, T. Poppelmann, and J. Sepulveda, “Analysis of error-
correcting codes for lattice-based key exchange,” in Selected Areas in
Cryptography—SAC 2018: 25th International Conference, Calgary, AB,
Canada, August 15–17, 2018, Revised Selected Papers 25. Springer,
2019, pp. 369–390.
[74] A. Sarker, M. Mozaffari-Kermani, and R. Azarderakhsh, “Hardware
constructions for error detection of number-theoretic transform utilized
in secure cryptographic architectures,” IEEE Trans. Very Large Scale
Integr. (VLSI) Syst., vol. 27, no. 3, pp. 738–741, Mar. 2019.
[75] A. Sarker, A. C. Canto, M. M. Kermani, and R. Azarderakhsh, “Error
detection architectures for hardware/software co-design approaches of
number-theoretic transform,” IEEE Trans. Comput.-Aided Design Integr.
Circuits Syst., vol. 42, no. 7, pp. 2418–2422, Jul. 2023.
[76] H. Wang, Q. Shi, D. Forte, and M. M. Tehranipoor, “Probing assess-
ment framework and evaluation of antiprobing solutions,” IEEE Trans.
Very Large Scale Integr. (VLSI) Syst., vol. 27, no. 6, pp. 1239–1252,
Jun. 2019.
[77] H. Wang, Q. Shi, A. Nahiyan, D. Forte, and M. M. Tehranipoor,
“A physical design flow against front-side probing attacks by internal
shielding,” IEEE Trans. Comput.-Aided Design Integr. Circuits Syst.,
vol. 39, 27,2025
no. 10, at
pp.13:20:08
2152–2165, Oct. 2020.
UTC from IEEE Xplore. Restrictions apply.
1324 IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS, VOL. 32, NO. 7, JULY 2024

[78] R. Karri, K. Wu, P. Mishra, and Y. Kim, “Concurrent error detection Md Habibur Rahman received the B.Sc. degree in
schemes for fault-based side-channel cryptanalysis of symmetric block EEE from the Bangladesh University of Engineering
ciphers,” IEEE Trans. Comput.-Aided Design Integr. Circuits Syst., and Technology, Dhaka, Bangladesh, in 2017. He is
vol. 21, no. 12, pp. 1509–1517, Dec. 2002. currently working toward the Ph.D. degree at the
[79] M. Mozaffari-Kermani and A. Reyhani-Masoleh, “A lightweight high- University of Florida, Gainesville, FL, USA.
performance fault detection scheme for the advanced encryption standard His research interests include hardware secu-
using composite fields,” IEEE Trans. Very Large Scale Integr. (VLSI) rity, standard cell design in submicrometer Fin-
Syst., vol. 19, no. 1, pp. 85–91, Jan. 2011. FET process, robust memory architecture design,
[80] R. Karri, G. Kuznetsov, and M. Goessel, “Parity-based concurrent error developing novel architectures for digital and ana-
detection of substitution-permutation network block ciphers,” in Cryp- log hardware security verification, optimization of
tographic Hardware and Embedded Systems—CHES. Berlin, Germany: application-specific integrated circuit (ASIC) design
Springer, 2003. verification and physical design, and field programmable gate arrays (FPGAs).
[81] W-Contributors. (2023). Vivado—Wikipedia the Free Encyclopedia. He has proven experience working in both academia and the VLSI industry.
[Online]. Available: https://en.wikipedia.org/wiki/Vivado
[82] S-Solutions. VC Z01X Fault Simulation. Accessed: Oct. 15, 2023. Akshay Kulkarni (Member, IEEE) received the
[Online]. Available: https://www.synopsys.com/verification/simulation/ B.E. degree in electronics and telecommunication
vc-z01x.html from the University of Mumbai, Mumbai, India, and
[83] W-Contributors. (2023). Optimization Problem—Wikipedia the Free the Ph.D. degree from the University of Toledo,
Encyclopedia. [Online]. Available: https://en.wikipedia.org/wiki/ Toledo, OH, USA, in 2020.
Optimization_problem His research interests include microelectronics
[84] W-Contributors. (2023). Integer Programming—Wikipedia the security, with a focus on secure and trusted semi-
Free Encyclopedia. [Online]. Available: https://en.wikipedia.org/ conductor supply chains, hardware-oriented security
wiki/Integer_programming and trust (PUFs), field programmable gate arrays
[85] M. Zhao and G. E. Suh, “FPGA-based remote power side-channel (FPGAs), blockchain technology, and zero trust
attacks,” in Proc. IEEE Symp. SP, May 2018, pp. 229–244. architecture for assured and trusted semiconductors.
[86] F. Schellenberg, D. R. E. Gnad, A. Moradi, and M. B. Tahoori, He is currently serving as a Postdoctoral Research Associate with the
“An inside job: Remote power analysis attacks on FPGAs,” IEEE Des. University of Florida, Gainesville, FL, USA.
Test, vol. 38, no. 3, pp. 58–66, Jun. 2021.
[87] C. Dobraunig, M. Eichlseder, T. Korak, S. Mangard, F. Mendel, and Mark Tehranipoor (Fellow, IEEE) is currently the
R. Primas, “SIFA: Exploiting ineffective fault inductions on symmet- Intel Charles E. Young Preeminence Endowed Chair
ric cryptography,” IACR Trans. Cryptograph. Hardw. Embedded Syst., Professor of Cybersecurity with the University of
vol. 2018, no. 3, pp. 547–572, Aug. 2018. Florida, Gainesville, FL, USA. His current research
[88] LET. (2015). E1 Set: Immunity Development System. [Online]. Available: projects include hardware security and trust, supply
https://www.langer-emv.de/en/product/immunity-development- chain security, the Internet of Things (IoT) security,
system/68/e1-set-immunity-development-system/54 VLSI design, test, and reliability.
[89] (2023). Riscure Laser Station 2. [Online]. Available: https://www. Dr. Tehranipoor is a fellow of ACM, a Golden
riscure.com/products/laser-station-2/ Core Member of IEEE CS, and a member of ACM
[90] B. Selmke, S. Brummer, J. Heyszl, and G. Sigl, “Precise laser fault SIGDA. He was a recipient of a dozen best paper
injections into 90 nm and 45 nm SRAM-cells,” in Smart Card Research awards and nominations, as well as the 2008 IEEE
and Advanced Applications, vol. 9514. Berlin, Germany: Springer, 2015. Computer Society (CS) Meritorious Service Award, the 2012 IEEE CS
[91] G. Canivet, P. Maistri, R. Leveugle, J. Clédière, F. Valette, and Outstanding Contribution, the 2009 NSF CAREER Award, the 2014 AFOSR
M. Renaudin, “Glitch and laser fault attacks onto a secure AES imple- MURI Award, and the 2020 University of Florida Innovation of the Year
mentation on a SRAM-based FPGA,” J. Cryptol., vol. 24, no. 2, as well as teacher/scholar of the year awards. He co-founded the IEEE
pp. 247–268, Apr. 2011. International Symposium on Hardware-Oriented Security and Trust (HOST)
[92] W-Contributors. (2023). RISC-V—Wikipedia the Free Encyclopedia. and IEEE International Conference on Physical Assurance and Inspection
[Online]. Available: https://en.wikipedia.org/wiki/RISC-V of Electronics (PAINE). He serves on the program committee of more
[93] W-Contributors. (2023). Monte Carlo Method—Wikipedia the Free than a dozen leading conferences and workshops. He has also served as
Encyclopedia. [Online]. Available: https://en.wikipedia.org/wiki/Monte_ Program and General Chair of several IEEE and ACM-sponsored conferences
Carlo_method and workshops (HOST, ITC, DFT, D3T, DBT, NATW, and more). He is
[94] CCI Design Tools. Virtuoso Schematic Editor. Accessed: Sep. 22, 2023. currently serving as a founding EIC for Journal on Hardware and Systems
[Online]. Available: https://www.cadence.com/en_US/home/tools/ Security (HaSS) and served as Associate Editor for IEEE T RANSACTIONS ON
custom-ic-analog-RF-design/circuit-design/virtuoso-schematic- C OMPUTERS (TC), Journal of Electronic Testing: Theory and Applications
editor.html (JETTA), Journal of Low Power Electronics (JOLPE), ACM Transactions on
[95] M. Sadi and M. Tehranipoor, “Design of a network of digital sensor Design Automation of Electronic Systems (TODAES), IEEE D ESIGN AND
macros for extracting power supply noise profile in SoCs,” IEEE Trans. T EST (D&T), and IEEE TVLSI). He is currently serving as a Founding
Very Large Scale Integr. (VLSI) Syst., vol. 24, no. 5, pp. 1702–1714, Director for the Florida Institute for Cybersecurity Research (FICS) and
May 2016. several other centers with a focus on microelectronics security.
[96] R. Kumar and V. Kursun, “Reversed temperature-dependent propagation
delay characteristics in nanometer CMOS circuits,” IEEE Trans. Circuits Farimah Farahmandi (Member, IEEE) received the
Syst. II, Exp. Briefs, vol. 53, no. 10, pp. 1078–1082, Oct. 2006. Ph.D. degree from the Department of Computer and
Information Science and Engineering (CISE), Uni-
versity of Florida, Gainesville, FL, USA, in 2018.
She is currently an Assistant Professor with the
Department of Electrical and Computer Engineering
Md Rafid Muttaki (Member, IEEE) received the (ECE) and the Associate Director of Edaptive Com-
B.Sc. degree from the Department of Electrical and puting Inc., Transition Center (ECITC), University
Electronic Engineering (EEE), Bangladesh Univer- of Florida. Her research interests include hardware
sity of Engineering and Technology (BUET), Dhaka, security verification, formal methods, fault-injection
Bangladesh, in 2017, and the M.Sc. degree from the attack analysis, side-channel leakage assessment,
Department of Electrical and Computer Engineer- secure supply chain of microelectronics, and post-silicon validation and
ing (ECE), University of Florida, Gainesville, FL, debugging. Her research has resulted in four books, nine book chapters, and
USA, in 2023, where he is currently working toward several publications in premier ACM/IEEE journals and conferences. Her
the Ph.D. degree. research has been sponsored by SRC, DARPA, AFRL, DoD, Analog Devices,
His research interests include high-level synthesis ANSYS, and Cisco.
vulnerabilities assessment and possible solutions and Dr. Farahmandi is a member of ACM. She currently serves as an Associate
High-level obfuscation in the digital domain. In the analog domain, he has Editor of IET Computers & Digital Techniques. She also has served on many
been working on developing analog IP protection techniques consisting of technical program committees as well as organizing committees of premier
analog obfuscation and watermarking, AMS design security assessment, and ACM and IEEE conferences such as being the vice-program chair of IEEE
universal sensor-based solution against physical attacks. HOST.
Authorized licensed use limited to: INSTITUTO FEDERAL DO CEARA. Downloaded on January 27,2025 at 13:20:08 UTC from IEEE Xplore. Restrictions apply.