From the paper Fault Template Attacks on Block Ciphers Exploiting Fault Propagation: in the concept of Automatic Test Pattern Generation (ATPG), two events are required to occur in sequence: Fault Activation and Fault Propagation.

In the case of a linear 2-input XOR gate,

without loss of generality, we consider a stuck-at-0 fault at the input register a, while the input register b may take values independently. In order to activate the fault at a, one must set a = 1. The next step is to propagate the fault at the output. One may observe that setting the input b to either 0 or 1 will expose the fault at a to the output o.

and comes to the following conclusion:

Given an $n$-input XOR gate having an input set $I$, ($|I| = n$), an output $O$, and a faulted input $i \in I$, the fault propagation to $O$ does not depend upon the valuations of the subset $I \setminus \{i\}$.

Moreover, in the continuation of the article, he says

with assuming the fault to be stuck-at-0, just by observing whether the output is faulty, Adversary can determine the value of a. More precisely, if the output is fault-free a = 0 and a = 1, otherwise.

I am confused at this point. When the type of fault is stuck-at-0, how can the value of a be equal to 0 in the case of "fault-free"? Have I misunderstood the concept? I think when we perform a stuck-at-0 fault attack, the value of a is equal to 0, and if we know the output is faulty, we can just say that the output is equal to the value of b. Can anyone tell me what the use of this method is? I am confused!

2 Answers

In order to activate the fault at a, one must set a = 1.

The fault condition is that a stays stuck at 0 even when set to 1 (i.e. when the signal connected to it is trying to make it 1). So if it is set to 1 and becomes 1 at/in the gate then the output will be good, whereas if it is set to 1 but stays at 0 then the output will be bad. If it is set to 0 then the output will always be good whether it is stuck or not.

So by observing whether the output is good or bad, and knowing that a is stuck at 0, if the output is bad then you know that the input to a was set to 1, whereas if the output is good you know that the input to a was set to 0. Thus information about the signal input to a has leaked through.

Bruce Abbott

how can the value of a be equal to 0 in the case of "fault-free"?

Here, somehow, faulty means o=~b, whereas fault-free means o=b. I have no idea why the author chose such a meaning of the terms "faulty" and "fault-free". The resource you're presumably citing tries to use fancy language - perhaps to hide author's shaky understanding? It's an annoyingly roundabout way of describing simple stuff :(
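
The following simulation is an added example, not part of the question, the answers or the paper. It models the stuck-at-0 fault on one XOR input as explained in the first answer, and checks for every input vector of an n-input XOR that the output differs from the fault-free output exactly when the faulted input was driven to 1, whatever the other inputs are. The function names are assumptions made for illustration.

```python
from functools import reduce
from itertools import product
from operator import xor


def xor_gate(inputs, stuck_at_0=None):
    """Evaluate an n-input XOR; optionally force one input index to 0."""
    seen = list(inputs)
    if stuck_at_0 is not None:
        seen[stuck_at_0] = 0  # the gate sees 0 whatever value was driven
    return reduce(xor, seen)


def output_is_faulty(inputs, faulted_index):
    """Compare the faulted gate with the fault-free gate on the same inputs."""
    return xor_gate(inputs) != xor_gate(inputs, stuck_at_0=faulted_index)


def leak_table(n, faulted_index=0):
    """Map each input vector to (value driven on faulted input, output faulty?)."""
    return {
        bits: (bits[faulted_index], output_is_faulty(bits, faulted_index))
        for bits in product((0, 1), repeat=n)
    }


def observer_recovers_input(n, faulted_index=0):
    """True if 'output faulty <=> driven value is 1' holds for every vector."""
    return all(faulty == bool(driven)
               for driven, faulty in leak_table(n, faulted_index).values())


if __name__ == "__main__":
    # 2-input case from the question: a is the faulted input (index 0).
    for (a, b), (_, faulty) in leak_table(2).items():
        o = xor_gate((a, b), stuck_at_0=0)
        label = "faulty" if faulty else "fault-free"
        print(f"a={a} b={b} -> observed o={o} ({label})")
    # The n-input statement quoted from the paper, checked exhaustively.
    print("holds for n=2..5:",
          all(observer_recovers_input(n) for n in range(2, 6)))
```
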