Voltage regulator assisted lightweight countermeasure against fault injection attacks by Vosoughi, Ali et al.
VOLTAGE REGULATOR ASSISTED LIGHTWEIGHT
COUNTERMEASURE AGAINST FAULT INJECTION ATTACKS
A PREPRINT
Ali Vosoughi∗†
Department of Electrical and Computer Engineering
University of Rochester
Rochester, NY 14620
mvosough@ur.rochester.edu
Longfei Wang
Department of Electrical and Computer Engineering
University of Rochester
Rochester, NY 14620
longfei.wang@rochester.edu
Selçuk Köse
Department of Electrical and Computer Engineering
University of Rochester
Rochester, NY 14620
selcuk.kose@rochester.edu
January 13, 2020
ABSTRACT
The robust design of sensitive and cryptographic circuits (CC) against fault injection attacks is essential for
modern data storage, communication, and computation systems. The robustness of a CC against voltage glitch
attacks increases with an on-chip voltage regulator whose topology and component selection are chosen with
fault injection robustness in mind. With an emphasis on increasing the number of phases in a multiphase voltage
regulator and on component selection, an on-chip voltage regulator with a multiphase configuration and an
optimal operating point is proposed as a lightweight countermeasure that minimizes the injected glitches.
Furthermore, an infective countermeasure is added to the on-chip multiphase voltage regulator that contaminates
the computation of the cryptographic algorithm when a voltage glitch reaches the CC. By increasing the number
of phases from 1 to 16, the resistance to fault attacks increases by 52.45%, and by 91.82% if the number of
phases increases to 32. Using the infective countermeasure for fault resiliency, the security-enhanced CC
provides a robust and resilient solution against fault attacks that improves the security and availability of
the device.
Keywords voltage regulator · multiphase voltage regulator · fault injection attack · side-channel analysis ·
countermeasures · power glitches · infective computation · fault resilient computation
Side-channel attacks are a class of cryptanalysis attacks on the implementation of a cryptographic circuit (CC) that
threaten the security of modern storage, communication, and encryption systems. In a side-channel attack, the
side-channel leakages of a physically accessible CC are used to obtain the secret key of the device. Despite the
mathematically sound schemes of the cryptographic algorithms, the presence of a side-channel attack undermines the
security of these devices [2, 3].
Active side-channel attacks are a class of side-channel attacks that obtain the correct key by inducing transient (or
permanent) abnormalities in the CC and examining the output of the CC under the attack. In these attacks, known as
fault injection attacks, the faults that an attacker deliberately creates in the CC are exploited by fault analysis
techniques such as differential fault analysis (DFA) [4, 5, 6, 7], safe error analysis (SEA) [8], and collision fault
analysis (CFA) [9] to obtain the key.
∗Ali Vosoughi and Selçuk Köse are with the Electrical and Computer Engineering Department at the University of Rochester, Rochester,
NY 14627 USA (e-mail: mvosough@ur.rochester.edu, selcuk.kose@rochester.edu).
†Manuscript received January 13, 2020. This paper is an extension of the previously published paper from the ACM GLSVLSI
conference held on May 9-11, 2019 in Washington, D.C., US [1].
arXiv:2001.03230v1 [cs.CR] 9 Jan 2020
Generating faulty outputs on the CC requires a level of equipment and experience that varies from expensive laser
techniques to affordable clock and voltage glitch injection [10, 11]. Each fault injection technique, such as over-
and under-voltage glitches, power starvation or overfeeding, temperature variations, light and laser shots at the CC,
and clock glitches, has a different mechanism of impacting a CC, which correlates with the precision (number of
affected bits) and controllability (ability to reproduce the same fault) of the injected fault
[12, 13, 14, 15, 16, 17, 18, 19, 11, 10, 20]. A voltage glitch attack (VGA) is a fault injection technique that exploits
deliberate, abrupt variations of the voltage level at the power supply of a CC [19, 11, 10, 16, 17]. Voltage glitches
can cause a (crypto-)processor to misinterpret instructions, fail to erase or overwrite data, or retain data in
memory when not instructed to [21, 22, 20].
VGA is used in [16] for a fault injection attack on an RSA device in the presence of countermeasures, and in [19] VGA
is used to inject faults into unprotected RFID tags. An under-voltage VGA on a Motorola MC68HC05B6 microcontroller
that modifies the instructions of the microcontroller is explained in [20], and in the same work unauthorized access
to the memory of a Microchip PIC16F84 microcontroller using over-voltage glitches is confirmed to be effective. An
over-voltage VGA may burn in the contents of CMOS random access memory (RAM) by causing the power-down or overwrite
instructions that erase the contents to fail [22].
Numerous hardware countermeasures have been proposed to further protect cryptographic systems against side-channel
attacks. Each countermeasure, although generally designed with one attack in mind, serves different aims. Digital
methods, such as data encoding, masking, infective computation, and redundant computation, and analog techniques,
such as sensors, detectors, and noise addition, are several of the available countermeasures against side-channel
attacks.
Although countermeasures have been proposed to hinder fault injection attacks, most of them require additional
resources for the CC that are not desirable. Duplication and multiplication of the CC, redoing computations, and
encoding data are types of countermeasures against fault attacks. Although these methods provide satisfactory
immunity to fault attacks, they impose a significant overhead on the power, performance, and availability of the CC.
Consequently, fault injection resilient countermeasures, such as [23], have been proposed to provide security along
with availability.
Various techniques have been proposed to counteract fault injection attacks. Information redundancy-based techniques
such as error correcting codes counter fault injection attacks by encoding the information flowing through the CC
[10], while a recent paper [24] provides protection against side-channel attacks using the bus-invert coding scheme.
Spatial redundancy-based countermeasures duplicate or multiply the hardware of the CC to ensure the accuracy of the
output through majority voting, and temporal redundancy-based countermeasures verify the output by repeating (part
of) the cryptographic algorithm in time. Even though these countermeasures are advantageous in countering fault
injection attacks, spatial, temporal, and information redundancy lead to increased power dissipation, reduced
throughput, and increased area of the CC [10, 11, 16, 25]. Alternatively, analog countermeasures, such as voltage,
temperature, and frequency sensors, are used to detect malicious fault injection activity and to protect a CC by
ceasing operation if such activity is detected [11, 16, 26]. Detection of dynamic supply voltage variations has been
used in [27]. Timing detectors are used to detect glitches in [26] as a digital solution that counteracts VGA within
a specific voltage and clock range. To the best of the authors' knowledge, the on-chip VR has never been used as an
inherent countermeasure against fault injection attacks. This paper is the first work to utilize the existing
resources of an on-chip VR as a countermeasure against voltage glitch attacks, investigating the implications of
the on-chip VR and its number of phases in counteracting voltage glitch attacks.
To the best of the authors' knowledge, the benefits of the on-chip voltage regulator as an inherent countermeasure
against fault injection attacks have not been discussed in the literature. The hardware of the voltage regulator
already exists in cryptographic circuits that employ it to prevent various side-channel attacks. However, the
resistance provided by voltage regulators has not been extended to voltage glitch fault injection attacks, while a
fault injection attack can eliminate the protection of the circuit against side-channel attacks. In this paper, with
an emphasis on the application of the on-chip voltage regulator as an intrinsic defense mechanism against fault
injection attacks, we confirm that the number of phases and the capacitor size of the voltage regulator influence
the immunity of a CC against voltage glitch attacks.
Moreover, we introduce an infective computation based countermeasure that combines the on-chip multiphase voltage
regulator (MPVR) with an auxiliary fault detection and infection circuit. The combined countermeasure first tries to
lessen the influence of the injected glitch on the CC using the on-chip MPVR. When the MPVR is not adequate to stop
the injected glitch, the infective countermeasure contaminates the cryptographic process using a pseudo-random
number generator (PRNG) so that the leakage becomes useless to an attacker. The proposed combined countermeasure
increases the availability of the CC in the presence of injected faults, while the protection offered by the voltage
regulator as a countermeasure is further improved by the infective computation. The proposed fault resilient
countermeasure against voltage glitch attacks therefore maintains the availability of the CC in the presence of
injected faults.
[Figure 1: plot of glitch voltage (V) versus time; a trapezoid with amplitude V_g or −V_g, rise time t_r, duration t_g, and fall time t_f.]
Figure 1: A trapezoidal voltage glitch has a positive or negative amplitude depending on the choice of the attacker, and
a rise time t_r, fall time t_f, and duration t_g.
The rest of this paper is organized as follows. In Section 2, the advantage of the on-chip VR for the resilience of
the CC against VGA is discussed and the effect of the capacitor size is analyzed. In Section 3, the effect of
increasing the number of phases on the robustness of the CC against VGA is investigated. Section 4 introduces the
fault-resilient (infective) countermeasure. In Section 5, extensive practical evaluations on the S-box of an AES with
and without an on-chip VR are presented, followed by a discussion of the overhead of the proposed countermeasure and
conclusions.
1 Threat model
For a fault injection attack, an attacker needs to inject a fault into the CC using one of the fault injection
techniques to generate faulty ciphertexts, and subsequently to interpret the observations using one of the fault
analysis techniques to obtain the correct key. This section explains the threat model of a fault injection attack for
the proposed countermeasure. It should be noted that the full AES is not simulated in this paper; the explanations in
this section illustrate how a fault injection attack obtains the key and provide guidance for a well-designed
countermeasure. Offline fault analysis is out of the scope of this paper; however, knowing what a successful fault
analysis requires is useful for designing effective countermeasures against fault injection attacks. The offline
fault analysis techniques are therefore succinctly explained to clarify the complete attack procedure.
1.1 Fault injection
The naive CC is assumed to have no countermeasure other than the proposed one, when applied. The attacker is equipped
to perform a fault injection by varying the supply voltage of the CC to the desired level. Moreover, the attacker is
capable of injecting a voltage glitch into the CC at the desired time, with an arbitrary duration and amplitude.
Fig. 1 shows the glitch that the attacker applies to inject faults into the CC. The attacker aims to inject faults
into the implementation of the CC. Because the countermeasure targets voltage glitch attacks, the assessment also
comprises only faults generated by voltage glitches. The proposed countermeasure is not evaluated against other fault
injection attacks such as temperature variations, clock glitches, light, laser, and EM radiation attacks. The attacker
knows that the duration of the glitch should be at least half the switching period of the CC, and assumes that the
switching frequency of the CC is within the 50 MHz to 1 GHz range. Similarly, the attacker understands that if the
injected glitch voltage is too high for the CMOS devices of the CC, the device will break down. Further, the attacker
knows the voltage rating of the CMOS devices in the CC and injects glitches of up to twice the nominal voltage so that
the CC stays in its safe operating region. The attacker records the correct and faulty ciphertexts and the inputs for
an offline fault analysis phase.
[Figure 2: AES round structure with S-box, S-row, M-col, and A-key stages for R=1, R=2-9, and R=10, input P⊕K; fault e1 injected in a middle round propagates to e2 at the output, giving the faulty ciphertext C̃ versus the correct C.]
Figure 2: Error e1 occurs in a byte of the block cipher in one of the rounds and diffuses as it propagates through the
CC, settling to error e2 at the output, where e1 ≠ e2.
1.2 Fault analysis
Different techniques have been introduced for fault analysis in fault injection attacks, among which are differential
fault analysis (DFA) [4], safe-error analysis (SEA) [8], and collision fault analysis (CFA) [9]. DFA exploits
correct/faulty ciphertext pairs to analyze and obtain the secret key [4]. In fault analysis using SEA, an attacker
utilizes the leakages of correct/faulty ciphertext pairs for the same input plaintexts [28]. In CFA, collisions at the
output of the CC for different input plaintexts are utilized to obtain the secret key [9].
In Fig. 2 an attacker injects a fault e1 in the middle rounds of the AES cryptographic algorithm (a substitution-
permutation network), and e1 evolves into e2 by the time it reaches the output, where e1 ≠ e2 because the S-box is a
nonlinear operation. In [5] a DFA on AES is proposed that enables an attacker to obtain the correct key with only two
pairs of correct/faulty ciphertexts using a fault injected in the last or (last − 1) round of the CC. In [4] an
extended version of [5] is introduced by generalizing DFA to faults injected in any round of an AES. A fault analysis
of AES that solely needs faulty ciphertexts without their correct pairs is proposed in [18].
To perform an attack, an attacker selects a plaintext P and obtains the correct ciphertext C. Then, during the
encryption, the attacker initiates a voltage glitch in the supply of the CC. Due to the fault e1 in Fig. 2, the correct
state of the CC changes to the erroneous one, state′ = state ⊕ e1. The error occurs in one or multiple rounds or in
any part of the control circuitry of the CC. Moreover, the error may diffuse to more locations of the CC due to
inter-byte diffusion in the cryptographic algorithm [4], generating the error e2 (in Fig. 2), which is nonlinearly
related to e1. The attacker records the faulty ciphertexts {C̃1, C̃2, C̃3, . . . } as explained in [4, 5], and repeats
the experiment with different amplitudes and durations of the voltage glitch and/or at different times with the
identical plaintext P. The correct/faulty pairs are used by the attacker to obtain the secret key in
DFA(C, {C̃1, C̃2, C̃3, . . . }); however, reproducibility and controllability of the errors are essential for a
successful fault injection attack, i.e., the attacker has to be able to reproduce the fault for identical experiments
(glitch timing, amplitude, duration) [29, 5, 4].
2 On-chip VR as a countermeasure against VGA
In [30, 31, 32, 33, 34, 35] an on-chip VR is used as the first defense mechanism against power and EM attacks, which
motivates the use of a VR as a defense mechanism against fault injection through the power supply channel. VRs have
implicitly been shown to be effective countermeasures against power and EM attacks; however, their vulnerability to
fault attacks requires investigation. [36] reports the susceptibility of an implemented on-chip VR-based
countermeasure against power and EM attacks to fault injection attacks. Different VR topologies, such as LDO, buck,
and switched-capacitor VRs, respond differently to a glitch injected at the input, and these differences affect how
the glitches reach the CC. Fig. 3 shows a voltage glitch injected into a CC with and without an on-chip VR. A
detailed comparison of the LDO, buck, and SC topologies would be biased by the differences in the components
employed. Nonetheless, a larger number of reactive components increases the order of the low-pass filtering in a VR.
Hence, since an LDO provides a direct path for the glitch to reach the CC, a buck VR is considered more secure than
an LDO against injected voltage glitches, as the inductor limits the injected glitch in a buck.
[Figure 3: (a) off-chip VR feeding the cryptographic circuit (CC) directly; (b) on-chip VR between the supply and the CC.]
Figure 3: A fault injection attack by a voltage glitch into a CC (a) without an on-chip VR and (b) in the presence of an
on-chip VR that weakens the voltage glitches.
[Figure 4: first-order model, V_in through R_eq and C_eq (on-chip VR) to V_out across C_out, R_L, and C_L (CC).]
Figure 4: A general, simplified first-order model for the behavior of a VR as a low-pass filter (LPF) for input glitches.
The impedance of the load (CC) comprises R_L and C_L. R_eq and C_eq represent the approximate first-order LPF of the
on-chip VR.
In Fig. 4 a first-order low-pass filter is depicted as a low-pass behavioral model of a VR. The number of reactive
components in a VR can be one or more depending on the topology and configuration of the VR. The first-order model
is not a perfect approximation of the response of a VR, but it provides insight into the behavior of the converter
when the size of the elements and the switching frequency are varied. For a switched-capacitor VR, for instance, the
behavior changes with the switching frequency and the flying capacitance; the fast-switching limit (FSL) and
slow-switching limit (SSL) give the optimum sizing of the components and the switching frequency of an SC-VR [37].
However, the SSL and FSL describe only the low-frequency (near-DC) behavior of the VR. Taking C_eq as representative
of the capacitor size and R_eq as representative of the FSL and SSL resistances, the following relationships can be
written:

$$V_{out}(s) = \frac{1}{\frac{R_{eq}}{R_L} + s R_L (C_L + C_{out} + C_{eq})} \, V_{in}(s), \qquad (1)$$

where

$$R_{eq} = \sqrt{R_{FSL}^2 + R_{SSL}^2}. \qquad (2)$$

By substituting $R_{FSL} = \beta_{top} R_{on}$ and $R_{SSL} = \frac{\gamma_{top}}{C_{eq} f_{sw}}$ [37] into (2), the following expression is obtained for (1):

$$V_{out}(s) = \frac{V_{in}(s)}{\frac{\sqrt{(\beta_{top} R_{on})^2 + \left(\frac{\gamma_{top}}{C_{eq} f_{sw}}\right)^2}}{R_L} + s R_L (C_L + C_{out} + C_{eq})}. \qquad (3)$$

When the VR is operating in an optimal region, $\frac{\sqrt{(\beta_{top} R_{on})^2 + (\gamma_{top}/(C_{eq} f_{sw}))^2}}{R_L} \approx 1$, and with $s = j 2\pi f_{in}$ expression (3) becomes

$$V_{out}(f_{in}) = \frac{V_{in}(f_{in})}{1 + j 2\pi f_{in} R_L (C_L + C_{out} + C_{eq})}, \qquad (4)$$
where f_in is the frequency of the voltage glitch attack. Therefore, the frequency response of the VR is

$$\left| \frac{V_{out}(f_{in})}{V_{in}(f_{in})} \right| = \frac{1}{\sqrt{1 + 4\pi^2 f_{in}^2 R_L^2 (C_L + C_{out} + C_{eq})^2}}, \qquad (5)$$

which determines the f_3dB frequency of the VR. On the other hand, the energy transferred by C_eq to the CC is equal
to $\frac{1}{2} C_{eq} (\Delta V_{C_{eq}})^2$, where $\Delta V_{C_{eq}}$ is the change in voltage across C_eq. Therefore,
increasing C_eq increases the energy of the glitch transferred through the VR to the CC. Conversely, increasing C_eq
lowers the cutoff frequency f_3dB of the VR, thus reducing the energy of a high-frequency VGA passed by the VR. There
is therefore a trade-off between the capacitance of the VR and the glitch energy transmitted to the CC, as shown in
Fig. 5.
[Figure 5: plot of transmitted glitch (V) versus C_eq (nF).]
Figure 5: Relation between the capacitor size C_eq and the voltage glitch transmitted to the CC. As C_eq increases, the
voltage glitch transferred by the VR also increases until the cutoff frequency of the VR takes effect; after that, a
further increase of the capacitance has little effect on the transferred glitch energy.
3 Multi-phase VR against VGA
For a switching circuit, the moment at which a VGA occurs has implications for the success of the attack [38]. If the
glitch arrives while a stage of the VR is disconnected from the input and delivering its charge to the CC, the glitch
does not reach the CC and is dissipated across the resistive off-switches. Consequently, in a switching VR the glitch
strikes the CC only if the attack coincides with an interval in which a stage is connected to the input. Therefore,
a switching VR reduces the likelihood of VGA success.
The block diagram of an MPVR with N interleaved stages (sub-converters) is shown in Fig. 6. The MPVR is a technique
used in modern integrated circuits (ICs) to enhance the performance of the VR in the generation, delivery, and
management of power. The MPVR is a discrete-time sampling system, since its stages continuously connect to and
disconnect from the VR input according to the phase clocks. Due to this switching, and because of the analogy of the
MPVR with a finite-impulse-response (FIR) filter (shown in Fig. 7), an interleaved VR exhibits attractive properties
against VGA. Thus, in addition to the consequences of the topology, component selection, and operating frequency,
the number of phases in an MPVR determines the security of the CC against VGA.
The excess energy spiking the CC during the VGA, which is associated with the duration and amplitude of the input
glitch, determines the success of the attack [26]. In an MPVR, increasing the number of stages N reduces the power
transmitted by each phase. Considering Fig. 8 and taking V_i^g as the voltage glitch at the instant stage i connects
to the input of the VR, the total glitch energy E^g_CC transmitted by the VR to the CC at the end of the period T_s is

$$E^{g}_{CC} = \frac{C_{tot}}{2N} \sum_{i=1}^{N} (V_i^g)^2, \qquad (6)$$
where $C_{tot} = \sum_i C_{fly,i}$ is the total flying capacitance of the MPVR. If the glitch duration is less than half
of T_s, such that $\frac{N}{2} > \|\vec{V}^{g}\|_0$, then

$$\lim_{N \to \infty} E^{g}_{CC} \to 0. \qquad (7)$$

(7) implies that as the number of phases N increases, the glitch on the CC decreases, which reduces the effect of
the voltage glitch on the CC, as shown in Fig. 9.
[Figure 6: (a) MPVR with stages 1 to N between V_in and V_out, feeding C_out and the load (CC); (b) phase clocks Ck1, Ck2, ..., CkN over the period T_s, and the trapezoidal glitch with rise time t_r, duration t_g, and fall time t_f.]
Figure 6: Schematic of (a) an MPVR with N phases, and (b) the glitches of the VGA and the clocks of the MPVR. The
glitch has a trapezoidal shape with rise time t_r, fall time t_f, and duration t_g.
3.1 Frequency analysis of MPVR
According to the Nyquist condition, to reconstruct a signal from its samples the sampling frequency should be at
least twice the frequency of the sampled signal, and the reconstruction distorts the signal if the sampling violates
this condition. There is a relationship between the condition obtained for the glitch duration (frequency) in (7)
and the Nyquist condition for successful signal reconstruction. To achieve a countermeasure against a VGA using an
on-chip VR, the frequency of the VR has to be less than half the frequency of the injected glitch. If this condition
is fulfilled, the injected voltage glitch is distorted by the VR before reaching the CC, which makes it difficult for
an attacker to establish a reproducible glitch. Alternatively, increasing the number of phases of an MPVR increases
the order of the FIR filter. Moreover, the coefficients b_i in Fig. 7 are equal for an MPVR. Consequently, the MPVR
forms an FIR filter whose order increases with the number of phases N. Fig. 10 shows the behavior of this FIR filter
for different N.
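The following Python model, added here as an illustration and not taken from the paper, puts the two views of the VR from Sections 2 and 3.1 side by side: the trapezoidal glitch of Fig. 1 is passed through the first-order low-pass model of eq. (4)/(5) (time constant R_L(C_L + C_out + C_eq)), and through an N-phase MPVR modelled, as in Section 3.1, as an interleaved sampler whose load sees the equal-coefficient N-tap FIR of Fig. 7. The glitch parameters, R_L, the period T_s (16.67 ns, the 60 MHz case of Section 5) and the integration step are assumptions; the first-order model captures only the low-pass side of the C_eq trade-off described in Section 2, not the charge-transfer side.

```python
"""Glitch-through-VR model: a trapezoidal glitch (Fig. 1) passed through the
first-order low-pass model of a VR (eq. (4)/(5)) and through an N-phase MPVR
modelled as an interleaved sampler with an equal-tap FIR (Section 3.1, Fig. 7).
Added example; glitch parameters, R_L, T_s and the time step are assumptions."""
import math


def trapezoid_glitch(t, v_g, t_r, t_g, t_f):
    """Glitch amplitude at time t: rise over t_r, plateau v_g for t_g, fall over t_f."""
    if t < 0.0:
        return 0.0
    if t < t_r:
        return v_g * t / t_r
    if t < t_r + t_g:
        return v_g
    if t < t_r + t_g + t_f:
        return v_g * (1.0 - (t - t_r - t_g) / t_f)
    return 0.0


def lpf_magnitude(f_in, r_l, c_tot):
    """|V_out/V_in| of the first-order VR model, eq. (5), with c_tot = C_L + C_out + C_eq."""
    return 1.0 / math.sqrt(1.0 + (2.0 * math.pi * f_in * r_l * c_tot) ** 2)


def f_3db(r_l, c_tot):
    """Cutoff frequency of eq. (4)/(5)."""
    return 1.0 / (2.0 * math.pi * r_l * c_tot)


def lpf_peak(v_g, t_r, t_g, t_f, r_l, c_tot, dt=1e-11):
    """Peak glitch reaching the CC: integrate dV/dt = (V_in - V) / tau with
    tau = R_L * c_tot (the time constant of eq. (4)) by backward Euler over the
    glitch support; the output of a first-order LPF peaks before the input ends."""
    tau = r_l * c_tot
    v, peak, t = 0.0, 0.0, 0.0
    while t < t_r + t_g + t_f:
        t += dt
        v = (v + (dt / tau) * trapezoid_glitch(t, v_g, t_r, t_g, t_f)) / (1.0 + dt / tau)
        peak = max(peak, v)
    return peak


def mpvr_peak(v_g, t_r, t_g, t_f, t_s, n_phases, grid=100):
    """Worst case, over the glitch timing, of the glitch seen by the load of an
    N-phase MPVR: phase i samples the input every T_s/N and the load sees the
    average of the last N phase samples (equal FIR taps b_i = 1/N, Fig. 7)."""
    step = t_s / n_phases
    span = t_r + t_g + t_f
    worst = 0.0
    for k in range(grid):
        shift = step * k / grid                   # glitch start relative to the phase clocks
        instants = [shift + i * step for i in range(-n_phases, int(span / step) + n_phases + 2)]
        samples = [trapezoid_glitch(t, v_g, t_r, t_g, t_f) for t in instants]
        for j in range(n_phases, len(samples) + 1):
            worst = max(worst, sum(samples[j - n_phases:j]) / n_phases)
    return worst


def fir_magnitude_db(n_phases, omega):
    """Magnitude in dB of the N-tap equal-coefficient FIR at normalized frequency
    omega (rad/sample), the curves of Fig. 10: |sin(N w/2) / (N sin(w/2))|."""
    if omega == 0.0:
        return 0.0
    mag = abs(math.sin(n_phases * omega / 2.0) / (n_phases * math.sin(omega / 2.0)))
    return 20.0 * math.log10(max(mag, 1e-12))


if __name__ == "__main__":
    V_G, T_R, T_G, T_F = 0.9, 1e-9, 10e-9, 1e-9       # assumed 0.9 V, 10 ns glitch
    R_L, T_S = 3.2e3, 16.67e-9                        # assumed load; T_s of the 60 MHz case
    for c_tot in (0.5e-12, 3e-9):
        print(f"LPF  C_tot={c_tot:.1e} F  f3dB={f_3db(R_L, c_tot):.3g} Hz  "
              f"peak on CC={lpf_peak(V_G, T_R, T_G, T_F, R_L, c_tot):.3f} V")
    for n in (1, 2, 16, 32):
        print(f"MPVR N={n:2d}  worst-case glitch on CC="
              f"{mpvr_peak(V_G, T_R, T_G, T_F, T_S, n):.3f} V  "
              f"|H| at pi/2={fir_magnitude_db(n, math.pi / 2):.1f} dB")
```

Running the block prints f_3dB and the peak glitch seen by the CC for a small and a large C_tot, and the worst case over glitch timing for N = 1, 2, 16 and 32. With N = 1 a glitch that covers the single sampling instant passes in full; with N = 2 the two phase samples 8.33 ns apart can both land on the 10 ns plateau, so the glitch still passes, which is the page's condition that the glitch be shorter than T_s/2; with N = 32 the averaging over the 16.67 ns window bounds the glitch well below V_g.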
4 Fault-Resilient Voltage Regulator
[Figure 7: FIR filter with delays Z^-1 ... Z^-N and coefficients b_1 ... b_N applied to V_in[n], summed into V_out[n].]
Figure 7: An N-th order FIR filter in which $V_{out}[n] = \sum_{i=1}^{N} b_i V_{in}[n-i]$.
Although a methodically designed MPVR circuit reduces the energy of glitches on the CC, more advanced attack
techniques, such as combined fault attacks or voltage and clock glitches with frequency modifications, are likely to
affect the CC with a substantial glitch. Although countermeasures against fault injection attacks such as spatial,
temporal, and information redundancy are remedial, their defensive response temporarily (or permanently) disables
the CC when a fault attack occurs. Some countermeasures, such as error correcting codes, can correct a specific
number of erroneous bits when a fault occurs. The above illustrates the difficulty of keeping the CC available for
safe use once a fault injection attack ends. Our proposed technique for a fault resilient countermeasure is based on
infective computation: if a strong glitch reaches the CC, the countermeasure combines the correct key of the last
round with a randomly generated number to mislead the attacker. Hence, the countermeasure randomly contaminates the
output of the CC, and the contamination depends on the value of the random number and on the glitch fault.
Therefore, the output obtained by the attacker is useless. Fig. 11 shows the architecture of the proposed
countermeasure for the AES cryptographic algorithm.
The negative and positive limits of the reference voltage range are determined according to the tolerance of the CC
and based on trial and error. This limit is related to the static timing analysis of the CC.
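To make Sections 1.2 and 4 concrete, the following Python model (added here; not the paper's circuit or code) reduces the last AES round to one byte: SubBytes followed by AddRoundKey. It shows that a single-bit fault e1 injected before the S-box becomes a data-dependent e2 at the output (Fig. 2), that an attacker holding correct/faulty pairs recovers the round-key byte with a bit-fault DFA of the kind the text cites (every key guess for which the inverse S-box maps the pair back to a single-bit difference is kept, and the sets are intersected across pairs), and that the infective response of Fig. 11 (two comparators OR'ed into a glitch detector that triggers a PRNG whose output is XORed into the last round key) destroys that leakage. The detector window, the PRNG, the single-bit fault model and the assumption that the glitch both reaches the CC and trips the detector are assumptions of the example.

```python
"""One-byte model of the last AES round (SubBytes, AddRoundKey) used to
illustrate the bit-fault DFA of Section 1.2 and the infective countermeasure
of Section 4. Added example; the fault model, detector window and PRNG are
assumptions, not the paper's circuit."""
import random


def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inv(a):
    """Multiplicative inverse in GF(2^8) as a^254 (0 maps to 0)."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def build_sbox():
    """AES S-box: GF(2^8) inverse followed by the affine transform."""
    sbox = []
    for x in range(256):
        b = gf_inv(x)
        s = b ^ 0x63
        for i in range(1, 5):
            s ^= ((b << i) | (b >> (8 - i))) & 0xFF
        sbox.append(s)
    return sbox


SBOX = build_sbox()
INV_SBOX = [0] * 256
for _x, _s in enumerate(SBOX):
    INV_SBOX[_s] = _x
SINGLE_BIT = {1 << i for i in range(8)}


class GlitchDetector:
    """Two comparators against the permissible supply window, OR'ed (Fig. 11)."""

    def __init__(self, v_low, v_high):
        self.v_low, self.v_high = v_low, v_high

    def fires(self, v_supply):
        return v_supply < self.v_low or v_supply > self.v_high


def last_round_byte(x, k, e1=0, infect=0):
    """One byte of the last round: S-box then XOR with the round-key byte k.
    e1 is a fault XORed into the state before SubBytes (state' = state xor e1);
    infect is the PRNG value XORed into the last round key by the countermeasure."""
    return SBOX[x ^ e1] ^ k ^ infect


def output_difference(x, e1):
    """e2 = S(x) xor S(x xor e1): nonlinear in e1 and dependent on x (Fig. 2)."""
    return SBOX[x] ^ SBOX[x ^ e1]


def dfa_candidates(c, c_faulty):
    """Key bytes for which the correct/faulty pair is explained by a single-bit
    fault before the last SubBytes; the true key is always among them."""
    return {k for k in range(256)
            if INV_SBOX[c ^ k] ^ INV_SBOX[c_faulty ^ k] in SINGLE_BIT}


def run_attack(k_true, n_pairs, protected, seed=7):
    """Collect n_pairs correct/faulty pairs (fresh input byte and random bit fault
    each time) and intersect the DFA candidate sets. With protected=True the glitch
    detector trips and the PRNG infects the last round key of the faulty run."""
    rng = random.Random(seed)
    detector = GlitchDetector(v_low=0.8, v_high=1.0)       # assumed window around 0.9 V
    candidates = set(range(256))
    for _ in range(n_pairs):
        x = rng.randrange(256)
        e1 = 1 << rng.randrange(8)
        v_glitch = 0.9 + rng.choice((-0.3, 0.3))            # assumed glitch reaching the CC
        infect = rng.randrange(1, 256) if protected and detector.fires(v_glitch) else 0
        c = last_round_byte(x, k_true)
        c_faulty = last_round_byte(x, k_true, e1, infect)
        candidates &= dfa_candidates(c, c_faulty)
    return candidates


if __name__ == "__main__":
    print("e2 for e1=0x01 at x=0x00:", hex(output_difference(0x00, 0x01)),
          "at x=0x53:", hex(output_difference(0x53, 0x01)))
    print("unprotected, 24 pairs:", {hex(k) for k in run_attack(0x2B, 24, False)})
    print("infective,   24 pairs:", {hex(k) for k in run_attack(0x2B, 24, True)})
```

Without the countermeasure the candidate set collapses to the true key byte after a handful of pairs; with infection the faulty output is S(x ⊕ e1) ⊕ k ⊕ r for a fresh r, so the true key is no longer consistent with the pairs and the intersection is typically empty. The correct ciphertext is untouched, which is what keeps the CC available.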
5 Practical evaluations
In this paper, an SC-MPVR is preferred for the simulations. The SC-MPVR is a promising alternative to its counterparts,
including the buck and LDO regulators, owing to stability and CMOS integration considerations [39]. Moreover, an
SC-MPVR with a high number of stages can be obtained by slicing larger capacitors and switches into smaller
capacitors and switches and using an oscillator to form the interleaved clock phases [31, 39]. A 2:1 SC-MPVR is
designed and simulated in Cadence Virtuoso at 30–60 MHz (T_s = 16.67 ns), V_in = 1.8 V, V_out = 0.9 V, and
M = {1, . . . , 32} phases (M and N are used interchangeably for the number of phases). The schematic of the
individual stages of the VR, the overall MPVR, and the non-overlapping clocks are shown in Fig. 12. Switches S1 and
S3 are on for half a period and S2 and S4 are on for the rest of T_s. For the optimization of the converter (switch
sizing, capacitor size, frequency), the code referenced in [37] is used. Moreover, an S-box of AES [32] is
implemented [40] in Cadence Virtuoso to operate at 200 MHz. The average power dissipation of
the S-box is 256 µW, and the load power varies between a minimum of 156.3 µW and a maximum of 387.22 µW. As shown in
Fig. 13, increasing the size of the flying capacitor from 500 fF to 3 nF increases the effect of the voltage glitch on
the CC; however, after a certain point the rise is marginal due to the filtering behavior of the VR.
[Figure 8: time-domain plots of the phase activation clocks Ck1, Ck2, ..., CkN over the period T_s, and of the glitch (V) with rise time t_r, duration t_g, fall time t_f, and the sampled values V_i^g.]
Figure 8: Time-domain description of the glitch relative to the phase activation clocks of the MPVR.
[Figure 9: (a) on-chip VR with N=1 feeding the CC; (b) MPVR with N>1; (c) MPVR with N≫1.]
Figure 9: The cryptographic circuit (CC) is supplied by an on-chip voltage regulator. (a) With a single-phase on-chip VR,
the VGA on the CC is attenuated slightly; (b) for N > 1 the CC is less affected by the VGA than for N = 1; and (c) for
an MPVR with N ≫ 1 the glitch on the CC is reduced further due to the higher number of phases in the on-chip VR.
[Figure 10: magnitude (dB) versus normalized frequency (×π rad/sample) for N=2, N=6, and N=16.]
Figure 10: FIR filter frequency behavior for different N when the b_i in Fig. 7 are equal.
Fig. 14 shows the effect of increasing the switching frequency f_sw of the on-chip VR on the voltage glitch reaching
the CC. The resistance of the CC against VGA increases with the switching frequency of the VR, and for all f_sw the
robustness of the VR to VGA improves with an increasing number of phases.
As shown in Fig. 15, the security of the CC against VGA improves with the number of interleaved stages. For a glitch
with a 10 ns duration, the attenuation of the glitch amplitude doubles with 32 interleaved phases, while the
practical span of a voltage glitch on a CC is half the cycle of the operating frequency [38]. The proposed
countermeasure increases the resistance of the CC over a wide range of glitch spans. Considering the condition of
Section 3.1, the VR is able to suppress glitches with a duration less than 1/(2 × 30 MHz) ≈ 17 ns.
As shown in Fig. 16, the resistance of the CC against VGA increases with the number of phases N. Defining a faulty
output as any result at the output of the CC that differs from the correct one, the success of the VGA on the CC is
determined by [14]

$$\%\,\text{Glitch attack success} = \frac{\#\,\text{Faults}}{\#\,\text{All tests}} \times 100. \qquad (8)$$

Using (8), repeatedly simulating the VGA on the S-box of an AES, and counting the faulty outputs with a comparator
and a counter, the success rate of fault occurrence in the presence of an MPVR is obtained, as shown in Fig. 17. The
success of the VGA decreases as the number of phases increases. As can be seen in Fig. 17, while the fault coverage
for the unprotected S-box is 0%, the fault coverage is 5.45% with an on-chip VR and reaches 51.45% and 91.82%,
respectively, when the number of phases increases to 16 and 32. The fault coverage rate is taken as one minus the
fault rate.
6 Discussion
Assuming that the CC already has an on-chip VR, the throughput overhead on the CC is negligible. Although increasing
the number of phases of the VR is beneficial for the protection of a CC, the losses in switches, buffers, and drivers
increase with the number of phases [37]. Moreover, the design of interleaved clock generators with higher resolution
is an overhead in the design of an MPVR with higher N. The ripple at the output V_rip is a function of the output
current, the switching frequency of the VR, the equivalent series resistance of the VR capacitors, and N, and
decreases with an increasing number of phases [37]. The efficiency and area overheads of the on-chip VR with various
numbers of stages are listed in Table 1. To simulate the overhead values, the power and area of the ring oscillator
are scaled according to [41], while the power of the other elements varies with the number of phases according to
[37]. The proposed countermeasure with an MPVR is useful for glitches with frequencies higher than twice the VR
frequency.
[Figure 11: block diagram: the MPVR feeds the AES rounds (S-box, S-row, M-col, A-key for R=1, R=2-9, R=10) from Plaintext and Key through key expansion; a glitch detector (GD) on the reduced glitch triggers the PRNG, whose output is XORed into the last round key before the Ciphertext.]
Figure 11: The countermeasure proposed for fault resiliency of the CC against voltage glitch attacks. The MPVR strives
to reduce the significance of the injected glitch on the CC (an AES). If the injected voltage glitch nevertheless
reaches the CC, it is detected by the glitch detector (GD) circuit, and a random number is XORed with the key of the
last round of the AES. The output of the CC then depends on a random number (generated by the PRNG), which makes the
faulty ciphertext useless to an attacker. The GD consists of two comparators that compare the supply voltage with the
permissible voltages of the CC. The OR'ed output of the GD activates the PRNG to infect the computation.
Table 1: Efficiency and area overhead of the MPVR.
M        1      2      4      8      16     24     32
Area %   0      2.62   3.93   4.58   4.9    5.02   5.07
Eff. %   84.4   84.54  84.68  84.9   85.56  86.0   85.41
7 Conclusion
In this paper, the application of an on-chip VR as a countermeasure against fault injection attacks is proposed as a
solution to enhance the robustness of the CC against VGA. The effect of the number of phases in the MPVR on the
robustness of the circuit against VGA is analyzed. The effectiveness of the proposed countermeasure on an S-box of
11
A PREPRINT - JANUARY 13, 2020
Stage 
1
Stage 
2
Stage 
3
Stage 
M-1
Stage 
M
Vin Vout
Load
(CC)
Flying 
capacitor
S2
S4 S3
S1
Vin Vout
ClockA
ClockA
ClockA
Time 
C
lo
ck
A
ClockA
C
lo
ck
A
Figure 12: A 2:1 SC-VR with M stages is shown. Non-overlapping clocks A and B and switches < S1, S3 > are
connected for Ts/2− , and switches < S2, S4 > are conducting for Ts/2−  remaining, where  is the time assigned
to ensure non overlapping clocks.
0 . 0 1 . 0 n 2 . 0 n 3 . 0 n
0 . 4
0 . 6
0 . 8
1 . 0
VG
A o
n C
C (V
)
F l y  c a p a c i t o r  ( F )
 V G A  o n  C C  w i t h  i n c r e a s i n g  c a p a c i t a n c e  o f  V R
Figure 13: The implication of the capacitive impedance of the on-chip VR on the effect of glitch on the CC. By
increasing the size of the fly capacitor, the effect glitch on the CC increases.
12
A PREPRINT - JANUARY 13, 2020
1 0 M 1 0 0 M- 0 . 2
0 . 0
0 . 2
0 . 4
0 . 6
0 . 8
1 . 0
VG
A o
n C
C (V
)
f s  ( H z )
 M a x i m u m  v o l t a g e  o n  C C  f o r  M P V R  w i t h  N = 3 2 M a x i m u m  v o l t a g e  o n  C C  w i t h  o n - c h i p  V R
Figure 14: The maximum effect of VGA on a CC for different clock frequencies fsw of a VR is shown. For all
frequency ranges, the resistance of MPVR with N = 32 (depicted by squares) against VGA is higher than that of for a
CC with on-chip VR (N = 1).
0 . 0 5 . 0 n 1 0 . 0 n 1 5 . 0 n 2 0 . 0 n 2 5 . 0 n 3 0 . 0 n- 0 . 1
0 . 0
0 . 1
0 . 2
0 . 3
0 . 4
0 . 5
0 . 6
0 . 7
0 . 8
0 . 9
1 . 0
1 . 1
VG
A o
n C
C (V
)
G l i t c h  d u r a t i o n  ( s )
 M a x i m u m  v o l t a g e  o n  C C  w i t h  o n - c h i p  V R M a x i m u m  v o l t a g e  o n  C C  w i t h o u t  o n - c h i p  V R M a x i m u m  v o l t a g e  o n  C C  f o r  M P V R  w i t h  N = 1 6 M a x i m u m  v o l t a g e  o n  C C  f o r  M P V R  w i t h  N = 3 2
Figure 15: Relation of glitch duration and maximum effect of VGA on CC with glitch duration {1ns, 3ns, . . . , 31ns},
for CC with various MPVRs N = {1, 16, 32} (depicted by triangles and squares), and for CC without on-chip
VR (depicted by circles).
13
A PREPRINT - JANUARY 13, 2020
0 5 1 0 1 5 2 0 2 5 3 0 3 5
0 . 0
0 . 5
1 . 0
VG
A o
n C
C (V
)
N  ( N u m b e r  o f  p h a s e s )
 M a x i m u m  v o l t a g e  o n  C C  f o r  M P V R
Figure 16: VGA on CC with on-chip VR for M = {1, 2, 4, 8, 16, 32}, when a glitch with amplitude Vg = ±2, duration
tr = tf = 500ps, and tg = 1 ns is applied.
0 5 1 0 1 5 2 0 2 5 3 0 3 50
2 0
4 0
6 0
8 0
1 0 0
Fau
lt oc
curr
enc
e (%
)
N  ( N u m b e r  o f  p h a s e s )
 F a u l t  o c c u r r e n c e  w i t h  i n c r e a s i n g  N
Figure 17: Fault occurrence versus the number of phases for an MPVR for a various number of phases is depicted.
Glitch is injected to an S-box with MPVR and an S-box without MPVR that are compared to each other, and a counter
specifies the number of faults at the output.
14
A PREPRINT - JANUARY 13, 2020
an AES is evaluated. The faults generated by the VGA on CC are reduced by 5.45% with a single phase on-chip VR,
and by 91.82% with an MPVR with 32 phases, as compared to unprotected S-box of an AES device. The throughput,
power, and area overhead of the proposed technique are negligible due to the utilization of the existing VR as a power
supply, while the area and power overhead of the MPVR are increased, respectively, by 5.1% and 1% when the number
of interleaved phases is 32. A voltage regulator as a countermeasure against fault injection attack has some limitations.
It is possible to generate a faulty output through the fault injection attack by increasing the duration or increasing the
amplitude of the injected voltage glitch. To counteract this type of vulnerability to fault injection attacks, a new method
based on infective computing has been proposed that contaminates data if a fault attack is detected. The combined
countermeasure assures that if the glitch injection is successful, the attacker will not be able to obtain exploitable faulty
outputs of the CC.
Acknowledgment
This work is supported in part by the NSF CAREER Award under Grant CCF-1350451, in part by the NSF Award
under Grant CNS-1715286, in part by SRC Contract NO: 2017-TS-2773, and in part by the Cisco Systems Research
Award. The authors would like to thank anonymous reviewers for their valuable inputs on improving this work.
References
[1] A. Vosoughi and S. Köse. Leveraging on-chip voltage regulators against fault injection attacks. In Proceedings of the 2019 Great Lakes Symposium on VLSI, pages 15–20, May 2019.
[2] S. Skorobogatov. The bumpy road towards iPhone 5c NAND mirroring. arXiv preprint arXiv:1609.04327, September 2016.
[3] M. A. Vosoughi and S. Köse. Combined distinguishers to enhance the accuracy and success of side channel analysis. In IEEE International Symposium on Circuits and Systems, pages 1–5, May 2019.
[4] A. Moradi, M. Shalmani, and M. Salmasizadeh. A generalized method of differential fault attack against AES cryptosystem. In Cryptographic Hardware and Embedded Systems, pages 91–100, October 2006.
[5] G. Piret and J. J. Quisquater. A differential fault attack technique against SPN structures, with application to the AES and Khazad. In Cryptographic Hardware and Embedded Systems, pages 77–88, September 2003.
[6] C. Giraud. DFA on AES. In International Conference on Advanced Encryption Standard, pages 27–41. Springer, May 2004.
[7] P. Dusart, G. Letourneux, and O. Vivolo. Differential fault analysis on AES. In International Conference on Applied Cryptography and Network Security, pages 293–306. Springer, October 2003.
[8] S. M. Yen and M. Joye. Checking before output may not be enough against fault-based cryptanalysis. IEEE Transactions on Computers, 49(9):967–970, 2000.
[9] J. Blömer and V. Krummel. Fault based collision attacks on AES. In Fault Diagnosis and Tolerance in Cryptography, pages 106–120. Springer, October 2006.
[10] A. Barenghi, L. Breveglieri, I. Koren, and D. Naccache. Fault injection attacks on cryptographic devices: Theory, practice, and countermeasures. Proceedings of the IEEE, 100(11):3056–3076, 2012.
[11] H. Bar-El, H. Choukri, D. Naccache, M. Tunstall, and C. Whelan. The sorcerer's apprentice guide to fault attacks. Proceedings of the IEEE, 94(2):370–382, 2006.
[12] F. Bao et al. Breaking public key cryptosystems on tamper resistant devices in the presence of transient faults. In International Workshop on Security Protocols, pages 115–124. Springer, April 1997.
[13] A. Barenghi et al. Low voltage fault attacks to AES. In International Symposium on Hardware-Oriented Security and Trust, pages 7–12. IEEE, June 2010.
[14] N. Selmane, S. Guilley, and J. L. Danger. Practical setup time violation attacks on AES. In Seventh European Dependable Computing Conference, pages 91–96. IEEE, May 2008.
[15] R. Anderson and M. Kuhn. Low cost attacks on tamper resistant devices. In International Workshop on Security Protocols, pages 125–136. Springer, April 1997.
[16] C. Aumüller et al. Fault attacks on RSA with CRT: Concrete results and practical countermeasures. In International Workshop on Cryptographic Hardware and Embedded Systems, pages 260–275. Springer, August 2002.
[17] K. Tobich et al. Voltage spikes on the substrate to obtain timing faults. In Euromicro Conference on Digital System Design, pages 483–486. IEEE, March 2013.
[18] T. Fuhr, E. Jaulmes, V. Lomné, and A. Thillard. Fault attacks on AES with faulty ciphertexts only. In Workshop on Fault Diagnosis and Tolerance in Cryptography, pages 108–118. IEEE, August 2013.
[19] M. Hutter, J. M. Schmidt, and T. Plos. Contact-based fault injections and power analysis on RFID tags. In European Conference on Circuit Theory and Design, pages 409–412. IEEE, August 2009.
[20] S. P. Skorobogatov. Semi-Invasive Attacks: A New Approach to Hardware Security Analysis. PhD thesis, University of Cambridge, April 2005.
[21] Y. S. Lee et al. Fault attacks by using voltage and temperature variations: An investigation and analysis of experimental environment. In Information Science and Applications, pages 483–490, February 2015.
[22] S. H. Weingart. Physical security devices for computer subsystems: A survey of attacks and defenses. In International Workshop on Cryptographic Hardware and Embedded Systems, pages 302–317, March 2008.
[23] Y. Sung-Ming, S. Kim, S. Lim, and S. Moon. RSA speedup with residue number system immune against hardware fault cryptanalysis. In International Conference on Information Security and Cryptology, pages 397–413, December 2001.
[24] M. A. Vosoughi, L. Wang, and S. Köse. Bus-invert coding as a low-power countermeasure against correlation power analysis attack. In 2019 ACM/IEEE International Workshop on System Level Interconnect Prediction (SLIP), pages 1–5, June 2019.
[25] S. A. Aftabjahani and A. Das. Robust secure design by increasing the resilience of attack protection blocks. In International Verification and Security Workshop, pages 13–18. IEEE, July 2017.
[26] N. Beringuier-Boher et al. Voltage glitch attacks on mixed-signal systems. In Euromicro Conference on Digital System Design, pages 379–386. IEEE, August 2014.
[27] H. B. Le, X. D. Do, S. G. Lee, and S. T. Ryu. A long reset-time power-on reset circuit with brown-out detection capability. IEEE Transactions on Circuits and Systems II: Express Briefs, 58(11):778–782, 2011.
[28] J. Blömer and J.-P. Seifert. Fault based cryptanalysis of the Advanced Encryption Standard (AES). In International Conference on Financial Cryptography, pages 162–181, January 2003.
[29] T. Roche, V. Lomné, and K. Khalfallah. Combined fault and side-channel attack on protected implementations of AES. In Smart Card Research and Advanced Applications, pages 65–83, 2011.
[30] W. Yu, O. A. Uzun, and S. Köse. Leveraging on-chip voltage regulators as a countermeasure against side-channel attacks. In Design Automation Conference, pages 1–6. IEEE, June 2015.
[31] O. A. Uzun and S. Köse. Converter-gating: A power efficient and secure on-chip power delivery system. IEEE Journal on Emerging and Selected Topics in Circuits and Systems, 4(2):169–179, 2014.
[32] W. Yu and S. Köse. Exploiting voltage regulators to enhance various power attack countermeasures. IEEE Transactions on Emerging Topics in Computing, 2016.
[33] A. W. Khan, T. Wanchoo, G. Mumcu, and S. Köse. Implications of distributed on-chip power delivery on EM side-channel attacks. In International Conference on Computer Design, pages 329–336. IEEE, October 2017.
[34] M. Kar et al. Exploiting fully integrated inductive voltage regulators to improve side channel resistance of encryption engines. In Proceedings of the 2016 International Symposium on Low Power Electronics and Design, pages 130–135. ACM, August 2016.
[35] M. Kar et al. 8.1 Improved power-side-channel-attack resistance of an AES-128 core via a security-aware integrated buck voltage regulator. In International Solid-State Circuits Conference, pages 142–143. IEEE, February 2017.
[36] A. Singh et al. 25.3 A 128b AES engine with higher resistance to power and electromagnetic side-channel attacks enabled by a security-aware integrated all-digital low-dropout regulator. In IEEE International Solid-State Circuits Conference, pages 404–406, February 2019.
[37] M. D. Seeman and S. R. Sanders. Analysis and optimization of switched-capacitor DC–DC converters. IEEE Transactions on Power Electronics, 23(2):841–851, March 2008.
[38] A. Djellid-Ouar, G. Cathebras, and F. Bancel. Supply voltage glitches effects on CMOS circuits. In International Conference on Design and Test of Integrated Systems in Nanoscale Technology (DTIS 2006), pages 257–261, September 2006.
[39] Y. Lu, J. Jiang, and W. Ki. Design considerations of distributed and centralized switched-capacitor converters for power supply on-chip. IEEE Journal of Emerging and Selected Topics in Power Electronics, 6(2):515–525, 2018.
[40] NIMO Group, Arizona State University. Predictive technology model (PTM), 2008. [Online]. Available: http://ptm.asu.edu/.
[41] Y. Lu, J. Jiang, and W. Ki. Design considerations of distributed and centralized switched-capacitor converters for power supply on-chip. IEEE Journal of Emerging and Selected Topics in Power Electronics, 6(2):515–525, June 2018.
