

Received 14 September 2023, accepted 30 September 2023, date of publication 4 October 2023, date of current version 18 October 2023.

*Digital Object Identifier 10.1109/ACCESS.2023.3321696*



# Fault Probability Correlation Analysis Based on Secondary Filtering

# [TONG WU](https://orcid.org/0009-0001-3279-4568)<sup>1</sup>, DAWEI ZHOU<sup>1</sup>, LEI DU<sup>2</sup>, AND SHIWEI WANG<sup>2</sup>

<sup>1</sup>Department of Information Security, Naval University of Engineering, Wuhan, Hubei 430033, China

<sup>2</sup>DPLS Laboratory, Beijing 102300, China

Corresponding author: Dawei Zhou (zdw\_xp@163.com)

This work was supported by the National Natural Science Foundation of China under Grant 11202239.

**ABSTRACT** Correlation power analysis (CPA) is a classical method in side-channel attacks. Based on the power consumption model, the correlation between the power consumption of cryptographic devices and the assumed intermediate value is analyzed to recover the key. Theoretically, only a few power traces are required to recover the key when the noise hypothesis is known. However, in the high-frequency and high-noise environment, the completion of CPA requires more power traces, and the computational complexity also increases. Therefore, this paper proposes a fault probability correlation analysis method based on secondary filtering (2F-FPCA), which selects the fault probability traces according to the Hamming Weight of the intermediate value and reduces the number of sampling points by selecting points of interest. This method does not need to access ciphertext and is little affected by noise. Moreover, it can recover the key with fewer fault probability traces and lower computational complexity, improving the attack efficiency of CPA. In this paper, 2F-FPCAs are carried out based on the AES-128 algorithm of the Micro Controller Unit (MCU). The key can be recovered successfully using 10 fault probability traces, and the computational complexity is reduced by $10^4$ times.

**INDEX TERMS** Correlation power analysis, side-channel attacks, fault injection attacks, AES.

### **I. INTRODUCTION**

<span id="page-0-4"></span><span id="page-0-2"></span><span id="page-0-1"></span><span id="page-0-0"></span>Side-channel attacks play an essential role in evaluating the performance of cryptographic devices. There are many classic side-channel methods, such as attacking power consumption [\[1\],](#page-7-0) running time [\[2\],](#page-7-1) and electromagnetic leakage [\[3\].](#page-7-2) Power analysis is a representative type of side-channel attack, including Simple Power Analysis (SPA) [\[4\],](#page-7-3) Correlation Power Analysis [\[5\],](#page-7-4) and Differential Power Analysis (DPA) [\[6\].](#page-7-5) Brier et al. [\[7\]](#page-7-6) first proposed CPA, which uses the power model to calculate the correlation coefficient between the power sample and the hypothetical intermediate value to identify the correct key. Heuser et al. [\[8\]](#page-7-7) show that CPA is almost optimal when the leakage model is known under the assumption of affine transformation and Gaussian noise.

<span id="page-0-6"></span><span id="page-0-5"></span>In practical applications, in high-frequency and high-noise environments, CPA often needs more power traces to recover the key, which means more computing time and computation. In addition, when the candidate key space is too large to traverse the search, CPA is often used to recover some bytes of the key. However, under the local leakage model, the correlation coefficient of CPA is significantly reduced, and the demand for the number of power traces is greater. In order to reduce the number of power traces required for attacks, key exhaustion [\[9\],](#page-7-8) [\[10\]](#page-7-9) and ranking evaluation [\[11\]](#page-7-10) algorithms are proposed to estimate the ranking of correct keys. However, the problems of computational complexity and excessive memory requirements still need to be solved.

The associate editor coordinating the review of this manuscript and approving it for publication was [Pedro R. M. Inácio](https://orcid.org/0000-0001-8221-0666).

<span id="page-0-13"></span><span id="page-0-12"></span><span id="page-0-11"></span><span id="page-0-10"></span><span id="page-0-9"></span><span id="page-0-8"></span><span id="page-0-7"></span><span id="page-0-3"></span>Recently, research on the computational efficiency of CPA has received widespread attention. An enhancement technique of CPA is proposed in [\[12\],](#page-7-11) which classifies traces by Hamming distance and combines DPA, multi-bit DPA, and CPA. Kim et al. [\[13\]](#page-7-12) proposed a preprocessing technique to select a subset with higher correlation factors from the power trace set and then conduct CPA. In [\[14\],](#page-7-13) the plaintext is selected in both non-adaptive and adaptive ways, and the original optimization of the standard CPA is carried out, which reduces the number of power traces needed to recover the key.

All the above methods improve the computational efficiency of CPA, but these papers do not analyze the computational complexity.

<span id="page-1-2"></span>A method is proposed in [\[15\]](#page-7-14) to index the vector template with plaintext values and then associate it with the power vector model. Compared with the original CPA calculation, the calculation speed of this method is 200 times faster, and it is especially effective when there are many traces. Reference [\[16\]](#page-7-15) proposed to find points of interest (POI) to reduce the computing time of CPA. The above methods improve the computing speed and time of CPA but need many power traces as data support.

<span id="page-1-3"></span>In order to solve the problems that CPA is greatly affected by noise, significant data demand, and high computational complexity, this paper applies CPA to fault attacks and proposes a fault probability correlation analysis attack method based on secondary filtering (2F-FPCA). This method uses the data dependence of the fault probability of cryptographic equipment under the fault injection attack and establishes the fault probability trace in the operation process. The traces are classified and filtered according to the Hamming Weight of the intermediate value, which reduces the number of fault probability traces needed to calculate the assumed intermediate value. At the same time, the number of samples and iterations are significantly reduced by finding POIs on the fault probability trace. 2F-FPCA does not need to access ciphertext and is little affected by noise. It can recover the key with less fault probability trace and lower computational complexity, improving the efficiency of CPA.

The paper is organized as follows. Section [II](#page-1-0) starts with an overview of CPA and the experimental platform. In Section [III,](#page-2-0) we propose a fault correlation analysis attack method based on fault probability (FPFCA), carry out experiments, and analyze the attack results. In Section [IV,](#page-4-0) we improve the FPFCA to 2F-FPCA and evaluate the attack results. Finally, Section [V](#page-6-0) concludes this paper.

### <span id="page-1-0"></span>**II. PRELIMINARIES AND PRACTICAL IMPLEMENTATION**

# A. CORRELATION POWER ANALYSIS

CPA mainly uses the correlation between the actual power consumption and the power consumption model. CPA has a general attack strategy, which is divided into 5 steps [\[17\]:](#page-7-16)

- **Step 1:** Select an intermediate value of the executed algorithm. First, select the power consumption model and establish the leakage function. The intermediate value must be a function that depends on the small part of the key and known non-constant data value, which is usually the plaintext or the ciphertext. The most widely used power consumption model is the Hamming Distance (HD) between two corresponding values in the same register or Hamming Weight (HW) of a specific value.
- **Step 2:** Measure the power consumption. Measure the power consumption of cryptographic devices when encrypting or decrypting different data blocks.
- **Step 3:** Calculate hypothetical intermediate values. For each key hypothesis, the corresponding hypothetical intermediate value is calculated.
- **Step 4:** Map the intermediate values to the power consumption value.
- **Step 5:** Compare the hypothetical power consumption values with the power traces. The index corresponding to the maximum correlation coefficient reveals the correct key index and time. The correlation is calculated as follows.

<span id="page-1-1"></span>

**FIGURE 1.** Voltage glitch injection experiment layout.

The Pearson correlation coefficient is denoted as *c*. Suppose the attacker gets *M* power traces, each with *N* sampling points. The power consumption value corresponding to the $i^{th}$ sampling point on the $m^{th}$ trace is denoted as $t_{m,i}$ ($1 \leq m \leq M$, $1 \leq i \leq N$). Based on the power consumption model, the power consumption hypothesis value corresponding to the $m^{th}$ trace under the key assumption *k* is denoted as $h_{m,k}$ ($1 \leq m \leq M$, $1 \leq k \leq K$). Under the key assumption *k*, the correlation coefficient of the $i^{th}$ sampling point is calculated as follows:

$$
c_{k,i} = \frac{\sum_{m=1}^{M} (h_{m,k} - \bar{h}_k) (t_{m,i} - \bar{t}_i)}{\sqrt{\sum_{m=1}^{M} (h_{m,k} - \bar{h}_k)^2} \sqrt{\sum_{m=1}^{M} (t_{m,i} - \bar{t}_i)^2}}
$$

<span id="page-1-4"></span>where  $\bar{h}_k$  and  $\bar{t}_i$  are the average of the power consumption model and the actual power consumption at the *i*<sup>th</sup> sampling point respectively.

# B. EXPERIMENT LAYOUT

<span id="page-1-5"></span>The experimental platform mainly includes an attack target, fault injection controller, oscilloscope monitoring module, and data acquisition and processing module [\[18\],](#page-7-17) as shown in Fig. [1.](#page-1-1)

We conduct a large number of fault injection attacks and establish fault probability traces [\[18\]](#page-7-17) which are used in subsequent analyses.

# <span id="page-2-0"></span>**III. FAULT CORRELATION ANALYSIS BASED ON FAULT PROBABILITY**

# A. SCHEME DESIGN

For the Advanced Encryption Standard algorithm (AES), attackers usually choose the sampling points near the S-box transformation operation as attack points, showing strong correlations between the actual power consumption and the power consumption model.

We take the AES-128 algorithm as an example to implement FPFCA, as shown in Fig. [2.](#page-3-0) We conduct mass fault injection attacks on the output of the first S-box in the first round of encryption and establish the fault probability traces. If the first byte of the key is recovered, the attack is successful. The recovery of other bytes of the key is similar: attack the output of other S-boxes in the first round of encryption.

FPFCA attacks take advantage of the data dependency of cryptographic device faults. Many fault probability traces are used to analyze the fault probability at specific points, which is regarded as a function of the data being processed.

In all subsequent discussions, it is assumed that the processed data are subject to a uniform distribution.

The steps of FPFCA are as follows:

- **Step 1:** Select an intermediate value of the executed algorithm. The intermediate value must be a function *f(d, k)*, where *d* represents non-constant data, and *k* represents a small part of the key. We choose the plaintext as *d* and the first byte of the key as *k*.
- **Step 2:** Establish the fault probability traces. We calculate the fault probability of cryptographic devices when encrypting or decrypting *M* different data blocks. These plaintexts are recorded as a vector $m = (m_1, m_2, \cdots, m_M)'$, where $m_i$ represents the value corresponding to the $i^{th}$ encryption or decryption operation. Many fault injection attacks are carried out on each $m_i$, and the corresponding fault probability trace is established as $\mathbf{p}'_i = (p_{i,1}, p_{i,2}, \cdots, p_{i,N})$, where *N* represents the length of the fault probability trace. The attacker establishes a fault probability trace for each of the *M* data blocks. These fault probability traces are denoted as a matrix $P_{M \times N}$.
- **Step 3:** Calculate the hypothetical intermediate value. The possible keys are denoted as $k = (k_1, k_2, \cdots, k_K)$, where *K* represents the number of all possible values of *k*, and the corresponding hypothetical intermediate value is calculated for each of them. Given the data $m$ and the key hypothesis $k$, the hypothetical intermediate value can be calculated for all *M* encryptions and all *K* key assumptions: $v_{i,j} = f(m_i, k_j)$ ($1 \le i \le M$, $1 \le j \le K$).

  This gives the matrix $V_{M \times K}$. The $j^{th}$ column of *V* contains all the intermediate values calculated by the key hypothesis $k_j$. In fact, the cryptographic device uses only one element in *k*, which is denoted as $k_c$. Our target is to find $k_c$, that is, to determine which column of *V* the device is dealing with during the *M* encryptions or decryptions.

- **Step 4:** Map the intermediate value to the fault probability. The hypothetical intermediate value *V* is mapped to the hypothetical fault probability matrix *H* by the HW model.
- **Step 5:** Compare the hypothetical fault probability value and the fault probability trace. Each column $h_i$ of matrix $H$ and each column $p_j$ of matrix $P$ are compared. The attacker compares the hypothetical fault probability value corresponding to each key hypothesis with the fault probability trace recorded at each location. The result of the comparison is a matrix $C_{K \times P}$, where each element $c_{i,j}$ contains the comparison of the columns $h_i$ and $p_j$. The higher the value of $c_{i,j}$, the higher the matching degree of the columns $h_i$ and $p_j$.

The $j^{th}$ sampling point on the $m^{th}$ fault probability trace is denoted as $p_{m,j}$ ($1 \leq m \leq M$, $1 \leq j \leq N$). Based on the FPHW model [\[18\],](#page-7-17) the hypothetical value of fault probability corresponding to the $m^{th}$ trace under the key assumption *i* is denoted as $h_{m,i}$:

<span id="page-2-2"></span><span id="page-2-1"></span>
$$
h_{m,i} = HW(Sbox(plaintext_m \oplus i)) \tag{1}
$$

where *HW* represents the HW of the S-box output.

Under the key assumption *i*, the correlation coefficient of the $j^{th}$ sampling point is denoted as $c_{i,j}$:

$$
c_{i,j} = \frac{\sum_{m=1}^{M} (h_{m,i} - \bar{h}_i) (p_{m,j} - \bar{p}_j)}{\sqrt{\sum_{m=1}^{M} (h_{m,i} - \bar{h}_i)^2} \sqrt{\sum_{m=1}^{M} (p_{m,j} - \bar{p}_j)^2}} \tag{2}
$$

where $\bar{h}_i$ and $\bar{p}_j$ represent the average values of the FPHW model and the actual fault probability at the $j^{th}$ sampling point, respectively.

By finding the maximum value of matrix  $C$ , the attacker can determine the correct key index  $k_c$  and time index  $t_c$ . The index of the maximum value is the result of the CPA attack.

# B. ATTACK RESULT

We set the initial key to 0x04, conduct many fault injection attacks on 1000 random plaintexts, and establish fault probability traces. In the FPHW model [\[18\],](#page-7-17) there is a negative correlation between the fault probability and HW, so the closer the correlation coefficient in the attack result is to -1, the stronger the correlation is.

We randomly select 6 plaintexts to attack and get 6 fault probability traces. The correlation coefficient results of sampling points on the traces calculated by Eq. (1) are shown in Fig. [3.](#page-3-1) When the candidate keys are 4, 67, and 127, the correlation coefficient is the minimum value of -0.98. Because the candidate key is not unique, key recovery fails.

Next, we randomly select 8 plaintexts to attack and get 8 fault probability traces. The correlation coefficient results of sampling points on the traces calculated by Eq. (1) are shown in Fig. [4.](#page-3-2) When the candidate key is 0x04, the correlation coefficient is the minimum value of -1, and the key is recovered successfully.

<span id="page-3-0"></span>

<span id="page-3-1"></span>**FIGURE 3.** Attack under 6 random plaintexts.

<span id="page-3-2"></span>**FIGURE 4.** Attack under 8 random plaintexts.

Under this method, the relationship between the success rate of key recovery and the number of fault probability traces is shown in Fig. [5.](#page-4-1) It can be seen that when the number of fault probability traces is 13 or more, the attacker has a 100% chance of recovering the key.

<span id="page-4-1"></span>

**FIGURE 5.** The relationship between the success rate and the number of fault probability traces.

# C. ANALYSIS

In the attack process, we establish the fault probability trace based on the FPHW model and align multiple data groups by introducing trigger signals. Therefore, there is no need for re-alignment and noise reduction, significantly reducing the difficulty of data processing.

The computational complexity of the FPFCA algorithm is denoted as λ:

$$
\lambda = 16 \times 256 \times M \times N \tag{3}
$$

According to the results of attack experiments, the computational complexity of the FPFCA algorithm is $1.06 \times 10^7$ by substituting $M = 200$ and $N = 13$.

Compared with the existing CPA methods, the computational complexity of FPFCA has been significantly reduced, but the number of iterations is still significant. Therefore, we consider improving the calculation efficiency by lowering the values of *M* and *N*.

The calculation complexity is too high, which is mainly caused by a large amount of data redundancy in the selection of sampling points (*M*) and random plaintexts (*N*) on the fault probability trace:

First, there are too many sampling points in the fault probability trace. The subkey only affects the fault probability in a few moments, so not all sampling points are essential in calculating correlation. Combined with the data dependence of fault probability, we need to locate the output of the S-box more accurately and reduce the search range of sampling points by selecting the sampling points with the prominent peak of fault probability trace as POIs.

Second, there is much redundancy in selecting random plaintexts. All the sampling points in the fault probability traces are required to calculate the hypothetical intermediate value. Hence, the number of iterations in the calculation is enormous.

The HW of single-byte data obeys the binomial distribution. Tab. [1](#page-4-2) shows the probability distribution of HW for uniformly distributed 8-bit data. The data with HW of 0 and 8 have the slightest probability of occurrence, and those with HW of 4 have the highest probability of occurrence. Therefore, there must be much repetition in the randomly selected plaintexts.

#### <span id="page-4-2"></span>**TABLE 1.** HW distribution of single byte data.

The experiments show that the difference in fault probability corresponding to the S-box output with the same HW is almost the same, as shown in Tab. [2.](#page-4-3)

#### <span id="page-4-3"></span>**TABLE 2.** Fault probability of the same HW data.

If we select the plaintexts whose S-box outputs are of the same HW, column vectors of the hypothetical intermediate value mapped by the HW model are the same, and the corresponding fault probability traces are almost the same. In this case, it is impossible to recover the key. Therefore, we consider selecting plaintexts whose S-box outputs are of different HW, which can reduce the computational redundancy significantly.

# <span id="page-4-0"></span>**IV. FAULT CORRELATION ANALYSIS BASED ON SECONDARY FILTERING**

# A. SCHEME DESIGN

Based on the above considerations, we use fewer fault probability traces and more accurate POIs to reduce the number of iterations. We improve the FPFCA scheme and propose a fault correlation analysis attack based on secondary filtering (2F-FPCA). This method classifies and selects plaintexts based on HW and selects POIs more accurately, which dramatically reduces the calculation amount. The specific steps are shown in Fig. [6.](#page-5-0)

The steps of 2F-FPCA are as follows:

- **Step 1:** Select the output value of the first S-box in the first round of encryption in the AES-128 algorithm as the intermediate value.
- **Step 2:** Select plaintexts randomly and inject many voltage glitches in the encryption process to establish the fault probability traces. For each possible key $k_i$ ($1 \le i \le K$), perform **steps 3-5**.
- **Step 3:** Calculate the hypothetical intermediate value. Given $\mathbf{m} = (m_1, m_2, \cdots, m_M)'$, calculate the corresponding hypothetical intermediate value $v_{i,j} = f(m_i, k_j)$ ($1 \le i \le M$, $1 \le j \le K$).
- **Step 4:** Map the intermediate value to the fault probability. The hypothetical intermediate value $v_i = (v_{1,i}, v_{2,i}, \ldots, v_{M,i})$ is mapped to the hypothetical fault probability $h_i = (h_{1,i}, h_{2,i}, \ldots, h_{M,i})$ by the FPHW model. Remove the repeated values in $h_i$ and get $h'_i = (h'_{1,i}, h'_{2,i}, \ldots, h'_{T,i})$.
- **Step 5:** Compare the hypothetical fault probability value and the fault probability trace. Select the set of fault probability traces $P'_i = (p'_1, p'_2, \dots, p'_T)$ corresponding to $h'_i$, where $p'_i = (p'_{i,1}, p'_{i,2}, \ldots, p'_{i,R})$ is the fault probability trace after POI selection. Compare $h'_i$ with every column of $P'_i$ and get $c'_i = (c'_{i,1}, c'_{i,2}, \dots, c'_{i,R})$, whose maximum value is denoted as $c'_i$. The maximum over all the $c'_i$ is denoted as $c' = \max\{c'_1, c'_2, \ldots, c'_K\}$. The key $k'_i$ corresponding to $c'$ is the correct key.

<span id="page-5-0"></span>

**FIGURE 6.** Attack flow of 2F-FPCA.

# B. ATTACK PROCESS

According to the above scheme, we attack the implementation of the AES-128 algorithm based on MCU. The attack process is described in detail with the initial key of 0x03.

# 1) POI SELECTION

To reduce the computational complexity, we select the POIs in the fault probability trace to find the sampling points with the strongest correlation with the attack point to carry out subsequent attacks. From the above model verification results, we can see that the fault probability traces have a high degree of discrimination, so we first classify the attack traces based on the HW of the output data. Then, the summary of the difference method (SOD) is used to select the POIs.

For the fault probability traces $Trac_i$ ($i = 0, \dots, 9$) with HW $i$ ($i = 0, 1, \dots, 8$), calculate

$$
SOD = \sum_{i_1=0}^{7} \sum_{i_2=i_1+1}^{8} (\text{Trac}_{i_1} - \text{Trac}_{i_2}) \tag{4}
$$

The SOD values of each sampling point are shown in Fig. [7.](#page-5-1) The higher the SOD value, the more significant the correlation between the sampling point and HW, so we selected 2900, 2904, 2908, 2912, and 2916 ns as POIs.

<span id="page-5-1"></span>

**FIGURE 7.** Selection of POIs.

### 2) RANDOM PLAINTEXTS SELECTION

We still choose the output of the first S-box in the first round of encryption as the intermediate value and inject many voltage glitches near the attack point. Find its maximum  $c_i$  for each possible key hypothesis value  $k_i$  ( $1 \le i \le K$ ).

Take $k_4$ = 0x03 as an example to illustrate the attack process. The hypothetical fault probability is $h_4 = (5,5,5,4,3,5,3,3)$, and thus $h'_4 = (5,4,3)$. The set of fault probability traces after filtering is

$$
\mathbf{p}'_3 = \begin{pmatrix} 0.4533 & 0.5689 & 0.6389 & 0.5733 & 0.3844 \\ 0.4567 & 0.5689 & 0.6411 & 0.5744 & 0.3856 \\ 0.4611 & 0.5711 & 0.6500 & 0.5756 & 0.4033 \end{pmatrix}.
$$

## 3) ATTACK RESULT

Calculate that $c'_3 = (-0.9973, -0.8660, -0.09443, -0.9997, -0.8930)$, and $c'_3 = -0.9997$.

For all the $k_i$ ($1 \le i \le 256$), the corresponding $c_i$ calculated by Eq. (1) is shown in Fig. [8.](#page-6-1) Since the correlation coefficient of key 0x03 is closest to $-1$, 0x03 is supposed to be the correct key. Thus, key recovery is successful.
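The FPFCA correlation of Eqs. (1) and (2) in Section III and the two 2F-FPCA filters of this section, as an added Python example that is not the authors' code. The linear fault-probability model, `SLOPE`, `sim_trace` and all function names are assumptions made for the illustration; `H4` and `P_FILTERED` are the worked numbers above, for which recomputing Eq. (2) gives -0.9443 at the third POI where the text prints -0.09443.

```python
from math import sqrt

def aes_sbox():
    """AES S-box from its definition: inverse in GF(2^8), then the affine map."""
    rotl = lambda x, s: ((x << s) | (x >> (8 - s))) & 0xFF
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        for shift in (1, 2, 4):                                # q /= 3
            q ^= q << shift
        q &= 0xFF
        q ^= 0x09 if q & 0x80 else 0
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = aes_sbox()

def hw(x):
    """Hamming weight of a byte."""
    return bin(x).count("1")

def pearson(x, y, eps=1e-12):
    """Eq. (2) for one column; None when either side is numerically constant."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx < eps or syy < eps:
        return None
    return sum((a - mx) * (b - my) for a, b in zip(x, y)) / sqrt(sxx * syy)

def hypo_hw(plaintexts, guess):
    """Eq. (1): h_{m,i} = HW(Sbox(plaintext_m XOR i))."""
    return [hw(SBOX[p ^ guess]) for p in plaintexts]

def first_filter(h):
    """Filter 1: index of the first trace for each distinct hypothetical HW."""
    first = {}
    for idx, value in enumerate(h):
        first.setdefault(value, idx)
    return list(first.values())

def second_filter(class_means, count):
    """Filter 2: Eq. (4) as printed, then the `count` samples with largest |SOD|."""
    pairs = [(a, b) for a in range(len(class_means))
             for b in range(a + 1, len(class_means))]
    sod = [sum(class_means[a][j] - class_means[b][j] for a, b in pairs)
           for j in range(len(class_means[0]))]
    return sorted(sorted(range(len(sod)), key=lambda j: -abs(sod[j]))[:count])

def poi_correlations(h, traces, pois, min_classes=3):
    """c'_i: one correlation per POI, computed on the HW-filtered traces."""
    keep = first_filter(h)
    if len(keep) < min_classes:   # two points always give r = +/-1: not scored
        return None
    h_f = [h[m] for m in keep]
    return [pearson(h_f, [traces[m][j] for m in keep]) for j in pois]

def best_guess(plaintexts, traces, pois):
    """Key byte whose filtered correlation is closest to -1 (FPHW model)."""
    scores = {}
    for guess in range(256):
        c = poi_correlations(hypo_hw(plaintexts, guess), traces, pois) or []
        c = [v for v in c if v is not None]
        if c:
            scores[guess] = min(c)
    return min(scores, key=scores.get)

# Constructed data. Assumption: fault probability falls linearly with HW at
# the leaking samples (slope per sample below) and is flat elsewhere.
SLOPE = [0.0, 0.0, 0.001, 0.004, 0.006, 0.003, 0.0, 0.0]

def sim_trace(hw_value):
    return [0.5 - s * (hw_value - 4) for s in SLOPE]

def demo(key=0x03):
    plaintexts = list(range(256))
    traces = [sim_trace(hw(SBOX[p ^ key])) for p in plaintexts]
    pois = second_filter([sim_trace(v) for v in range(9)], 3)
    return pois, best_guess(plaintexts, traces, pois)

# Worked numbers from the attack process above (h_4 and the filtered traces).
H4 = [5, 5, 5, 4, 3, 5, 3, 3]
P_FILTERED = [[0.4533, 0.5689, 0.6389, 0.5733, 0.3844],
              [0.4567, 0.5689, 0.6411, 0.5744, 0.3856],
              [0.4611, 0.5711, 0.6500, 0.5756, 0.4033]]

def worked_example():
    keep = first_filter(H4)
    h_f = [H4[m] for m in keep]
    c = [pearson(h_f, [row[j] for row in P_FILTERED]) for j in range(5)]
    return keep, h_f, c

if __name__ == "__main__":
    print(demo(), worked_example())
```

The `min_classes` guard matters once traces are filtered by HW: a guess left with only two distinct HW values correlates at exactly ±1 with any trace, which is the kind of non-unique candidate seen with too few plaintexts.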

<span id="page-6-1"></span>

**FIGURE 8.** Correlation coefficient of candidate keys.

<span id="page-6-2"></span>

**FIGURE 9.** The relationship between the success rate and the number of fault probability traces.

# C. ANALYSIS

Under the 2F-FPCA method, the relationship between the success rate of key recovery and the number of fault probability traces is shown in Fig. [9.](#page-6-2) The number of attack traces required for the proposed 2F-FPCA is less than that needed for FPFCA. When the number of fault probability traces is 10 or more, the attacker has a 100% chance of recovering the correct key.

We select 10 plaintexts randomly for key recovery. Under each key assumption, only 4.45 traces are needed by selecting plaintexts to complete the key recovery on average. By substituting $M = 4.45$ and $N = 5$ into Eq. [\(2\),](#page-2-2) the algorithm's computational complexity is calculated as $9.11 \times 10^4$.

<span id="page-6-5"></span><span id="page-6-4"></span>In recent years, some CPAs and improvement methods for the AES-128 algorithm have been continuously proposed, such as CPA with biased power traces [\[13\],](#page-7-12) CPA based on CPA with multiple filtering [\[19\],](#page-7-18) and block CPA based on artificial intelligence [\[20\].](#page-7-19)

#### <span id="page-6-3"></span>**TABLE 3.** Comparison of CPA schemes.



Next, as shown in Tab. [3,](#page-6-3) we compare the above CPA attack methods with the FPFCA and 2F-FPCA attack methods proposed in this paper. We propose two criteria for performance evaluation: the number of traces required to recover the full key and computational complexity.

As described in Tab. [3,](#page-6-3) the number of traces and sampling points required for the attack directly affects the computational complexity, consistent with Eq. [\(2\).](#page-2-2) Therefore, the attacker must select the appropriate number of traces and sampling points to achieve high execution efficiency while considering the accuracy of key recovery.

# <span id="page-6-0"></span>**V. CONCLUSION**

This paper proposes a fault correlation analysis method based on secondary filtering. Based on the AES-128 algorithm of the MCU, we conducted experiments and achieved key recovery using 10 fault probability traces.

Compared with the existing CPA methods, 2F-FPCA has the following advantages:

1) It is less affected by noise. We choose the FPHW model, which does not need to collect ciphertext and only pays attention to the response of the attack.

2) The correct key has distinct characteristics. The correlation coefficient between the actual fault probability corresponding to the correct key and the hypothetical fault probability value based on the FPHW model is as high as -1.

3) The computational complexity is low. We select plaintexts with different HW of S-box output and POIs to reduce the number of traces and sampling points. Therefore, the computational complexity is significantly reduced, improving the attack efficiency.

Due to the difference in cryptographic algorithms and selection methods, the selection results of POIs are different. Next, we will use Deep Learning to realize the automatic selection of POIs. At the same time, we consider expanding the range of cryptographic algorithms targeted by attacks. Testing new and masked cryptographic algorithms is the critical research content for the next step.

# **IEEE** Access

### **REFERENCES**

- <span id="page-7-0"></span>[\[1\]](#page-0-0) M. Devi and A. Majumder, "Side-channel attack in Internet of Things: A survey," in *Applications of Internet of Things*. Singapore: Springer, 2021, pp. 213–222.
- <span id="page-7-1"></span>[\[2\]](#page-0-1) Y. Kulah, B. Dincer, C. Yilmaz, and E. Savas, "SpyDetector: An approach for detecting side-channel attacks at runtime," *Int. J. Inf. Secur.*, vol. 18, no. 4, pp. 393–422, Aug. 2019.
- <span id="page-7-2"></span>[\[3\]](#page-0-2) D. Poggi, P. Maurine, T. Ordas, and A. Sarafianos, "Protecting secure ICs against side-channel attacks by identifying and quantifying potential EM and leakage hotspots at simulation stage," in *Proc. Int. Workshop Constructive Side-Channel Anal. Secure Design*, Lugano, Switzerland, Oct. 2021, pp. 129–147.
- <span id="page-7-3"></span>[\[4\]](#page-0-3) I. Kabin, Z. Dyka, D. Klann, and P. Langendoerfer, "EC P-256: Successful simple power analysis," 2021, *arXiv:2106.12321*.
- <span id="page-7-4"></span>[\[5\]](#page-0-4) F. Schellenberg, D. R. E. Gnad, A. Moradi, and M. B. Tahoori, "An inside job: Remote power analysis attacks on FPGAs," *IEEE Des. Test*, vol. 38, no. 3, pp. 58–66, Jun. 2021.
- <span id="page-7-5"></span>[\[6\]](#page-0-5) F. Schuhmacher, "Canonical DPA attack on HMAC-SHA1/SHA2," in *Proc. Int. Workshop Constructive Side-Channel Anal. Secure Design*, Leuven, Belgium, Apr. 2022, pp. 193–211.
- <span id="page-7-6"></span>[\[7\]](#page-0-6) E. Brier, C. Clavier, and F. Olivier, "Correlation power analysis with a leakage model," in *Proc. 6th Int. Workshop Cryptograph. Hardw. Embedded Syst. (CHES)*, pp. 16–29, Aug. 2004, doi: [10.1007/978-3-540-28632-5\_2.](http://dx.doi.org/10.1007/978-3-540-28632-5_2)
- <span id="page-7-7"></span>[\[8\]](#page-0-7) A. Heuser, O. Rioul, and S. Guilley, "Good is not good enough: Deriving optimal distinguishers from communication theory," in *Proc. Int. Workshop Cryptograph. Hardw. Embedded Syst.*, Busan, South Korea, Sep. 2014, pp. 55–74.
- <span id="page-7-8"></span>[\[9\]](#page-0-8) L. David and A. Wool, "A bounded-space near-optimal key enumeration algorithm for multi-subkey side-channel attacks," in *Proc. Cryptographers' Track RSA Conf.*, San Francisco, CA, USA, Feb. 2017, pp. 311–327.
- <span id="page-7-9"></span>[\[10\]](#page-0-9) R. Poussier, F.-X. Standaert, and V. Grosso, "Simple key enumeration (and rank estimation) using histograms: An integrated approach," in *Proc. Int. Conf. Cryptograph. Hardw. Embedded Syst.*, Santa Barbara, CA, USA, Aug. 2016, pp. 61–81.
- <span id="page-7-10"></span>[\[11\]](#page-0-10) D. P. Martin, J. F. O'connell, E. Oswald, and M. Stam, "Counting keys in parallel after a side channel attack," in *Proc. Int. Conf. Theory Appl. Cryptol. Inf. Secur.*, Auckland, New Zealand, Nov. 2015, pp. 313–337.
- <span id="page-7-11"></span>[\[12\]](#page-0-11) T.-H. Le, J. Clédière, C. Canovas, B. Robisson, C. Servière, and J.-L. Lacoume, "A proposition for correlation power analysis enhancement," in *Proc. Int. Workshop Cryptograph. Hardw. Embedded Syst.*, Yokohama, Japan, Oct. 2006, pp. 174–186.
- <span id="page-7-12"></span>[\[13\]](#page-0-12) Y. Kim, T. Sugawara, N. Homma, T. Aoki, and A. Satoh, "Biasing power traces to improve correlation power analysis attacks," in *Proc. 1st Int. Workshop Constructive Side-Channel Anal. Secure Design (COSADE)*, 2010, pp. 77–80.
- <span id="page-7-13"></span>[\[14\]](#page-0-13) M. Ouladj, P. Guillot, and F. Mokrane, "Chosen message strategy to improve the correlation power analysis," *IET Inf. Secur.*, vol. 13, no. 4, pp. 304–310, Jul. 2019.
- <span id="page-7-14"></span>[\[15\]](#page-1-2) Q. L. Meunier, "FastCPA: Efficient correlation power analysis computation with a large number of traces," in *Proc. 6th Workshop Cryptogr. Secur. Comput. Syst.*, Jan. 2019, pp. 7–12.
- <span id="page-7-15"></span>[\[16\]](#page-1-3) N.-T. Do and V.-P. Hoang, "An efficient side channel attack technique with improved correlation power analysis," in *Proc. Int. Conf. Ind. Netw. Intell. Syst.*, Hanoi, Vietnam, Aug. 2020, pp. 291–300.
- <span id="page-7-16"></span>[\[17\]](#page-1-4) S. Mangard, E. Oswald, and T. Popp, *Power Analysis Attacks: Revealing the Secrets of Smart Cards*, vol. 31. Cham, Switzerland: Springer, 2008.
- <span id="page-7-17"></span>[\[18\]](#page-1-5) T. Wu, D. Zhou, L. Du, and S. Wang, "Fault template attack based on fault probability," *IEEE Access*, vol. 11, pp. 71705–71713, 2023.
- <span id="page-7-18"></span>[\[19\]](#page-6-4) Y. Ding, L. Zhu, A. Wang, Y. Li, Y. Wang, S. M. Yiu, and K. Gai, "A multiple sieve approach based on artificial intelligent techniques and correlation power analysis," *ACM Trans. Multimedia Comput., Commun., Appl.*, vol. 17, no. 2s, pp. 1–21, Jun. 2021.
- <span id="page-7-19"></span>[\[20\]](#page-6-5) Y. Ding, Y. Shi, A. Wang, Y. Wang, and G. Zhang, "Block-oriented correlation power analysis with bitwise linear leakage: An artificial intelligence approach based on genetic algorithms," *Future Gener. Comput. Syst.*, vol. 106, pp. 34–42, May 2020.



TONG WU was born in Ma'anshan, Anhui, China, in 1996. She received the B.S. degree in information security from the Naval University of Engineering, Wuhan, China, in 2018, where she is currently pursuing the M.S. degree in cyberspace security. Her current research interest includes cryptographic chip security evaluation.



DAWEI ZHOU was born in Xuzhou, Jiangsu, China, in 1980. He received the B.S. degree from the China University of Mining and Technology, Xuzhou, in 2002, and the M.S. degree from the Naval University of Engineering, Wuhan, China, in 2008. He is currently an Associate Professor with the Naval University of Engineering. His current research interest includes information security.



LEI DU received the B.S. and M.S. degrees from Beihang University, Beijing, China, in 2002 and 2005, respectively. From 2005 to 2015, he was the General Manager of the Security Department, BCTC. He is currently the General Manager of the DPLS Laboratory, Beijing. His current research interest includes chip security design and testing.



**SHIWEI WANG** received the B.S. and Ph.D. degrees from the Beijing University of Posts and Telecommunications, Beijing, China, in 2013 and 2019, respectively. Since 2019, he has been a Senior Security Specialist and the Research and Development Department Manager of the DPLS Laboratory. His current research interests include side-channel analysis, fault injection, and security tests.
