Quantitative Evaluation of Security on Cryptographic ICs against

Fault Injection Attacks

C. Shao, H. Li and G. Xu

Shenzhen Institutes of Advanced Technology, Chinese Academy of Sciences, The Chinese University of Hong Kong,

518055, Shenzhen, China

Keywords: Fault Injection Attacks, DFST, Security Evaluation, Quantitative Evaluation, RSA.

Abstract: Fault injection attacks have become a serious threat against cryptographic ICs. However, the traditional

security evaluation often demands experienced engineers repeatedly scan the IC under test for a few hours to

a few days, and take the workload statistics and experiences as qualitative indexes. This paper proposes a

quantitative model to evaluate security based Design for Security Test (DFST), considering both the sensitive

time during the algorithm operation and the sensitive area of the cryptographic IC against fault injection

attacks. The case study on two RSA implementations demonstrates the feasibility of the quantitative

evaluation of security model.

1 INTRODUCTION

Cryptographic integrated circuits (ICs) are dedicated

semiconductor implementations of various

cryptographic algorithm and have been employed in

an increasing number of consumer products, e.g.,

smart cards, cell phones, and set-top boxes, to provide

security and privacy protection. In order to ensure that

the confidential information in cryptographic ICs will

be generated, stored, transmitted and processed safely,

we define security for its information assurance

capabilities with the ability to resist attacks.

Cryptographic modules as one of the information

security products, how to timely and efficiently

evaluate its security to complete their functions, has

issued the relevant international standards and many

scholars have made a research in this are a(Su et al.,

2011).

Cryptographic ICs inevitably become the targets

of numerous attacks, including fault injection attacks.

The fault injection may cause transient logic errors

during the execution of cryptographic algorithms.

The transient errors may bypass the security condition

checks, or be used for differential fault analysis(DFA)

(Barenghi et al., 2012).There are multiple methods to

invoke faults such as variations in supply voltage,

variations in the external clock, temperature

variation, white light, laser, and X-rays and ion beams

(Kim and Quisquater, 2007). The RSA

implementation with Chinese Remainder Theorem

(CRT-RSA) was reported broken by fault attacks with

only one faulty computation (Boneh et al., 2001).

Similarly the secret keys could be compromised from

ECC, DES, AES and RC5 crypto modules etc. (Bar-

El et al., 2006).

The key point of fault injection attack is injecting

a fault in correct location and correct time. Therefore

security evaluation must be done in both time and

space domains. The security evaluation in space

domain is to locate the vulnerable region of

cryptographic ICs under test. The security evaluation

in time domain is to identify the sensitive time period

on the vulnerable region.

The traditional security evaluation often demands

experienced engineers repeatedly scan the IC under

test for a few hours to a few days to obtain effective

results. Take the smart card test for example, it

usually takes 1-5 days for security evaluation against

laser beam attacks (MasterCard International

Incorporated, 2005). On one hand, this is due to the

niche probability of effective fault injection both on

the temporal and the spatial domain. On the other

hand, the traditional way of fault injection test cannot

effectively detect the internal logic errors due to the

limited IO numbers. The requirement on specific and

profound knowledge of cryptographic ICs also makes

it difficult for successful evaluation both in space and

time domains. Besides, location of the vulnerable

region is affected by the attack time, which will cause

Shao, C., Li, H. and Xu, G.

Quantitative Evaluation of Security on Cryptographic ICs against Fault Injection Attacks.

DOI: 10.5220/0005686300970104

In Proceedings of the 2nd International Conference on Information Systems Security and Privacy (ICISSP 2016), pages 97-104

ISBN: 978-989-758-167-0

Copyright

c

2016 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved

97

inaccurate evaluation results if security evaluation in

space and time are separated.

Motivated by these challenges, we develop a

quantitative model to evaluate the security

considering both the sensitive time and space during

the algorithm operation for cryptographic ICs, which

is based on the proposed design for security test

(DFST) in (Shao et al., 2014) against fault injection

attacks with industrial automatic test equipment

(ATE). A three dimensions (3D) fault map in time

and space can be quickly and accurately obtained,

which helps to locate the error-prone region of

cryptographic ICs. The value representing the

security level can be calculated by the quantitative

model.

Compared to the existing security evaluation, the

main contributions of the proposed security

evaluation method are as follows:

Security evaluation is performed based DFST,

which helps to diagnose the fault occurrence

locations with high accuracy and fault occurrence

time period with high efficiency.

The quantitative model considers both the space

domain and the time domain, which could provide

intuitive understanding and comprehensive

evaluation of cryptographic ICs security against

fault injection attacks.

The rest of the paper is organized as follows. We

briefly introduce the background of fault injection

attacks on cryptographic ICs and security test of

cryptographic ICs with DFST in Section II. In Section

III, we present the evaluation flow based on DFST

method and present the quantitative model

considering both the space and the operation time. In

Section IV, a case study on two RSA implementations

is demonstrated to validate the effectiveness of the

quantitative evaluation model. The study is concluded

in Section V.

2 BACKGROUND

2.1 Fault Injection Attacks

Fault injection attackers aim to maliciously alter the

correct functioning of computing devices, and

analyze the faulty output to retrieve the secret

information, which been listed into Federal

Information Processing Standard FIPS 140-3,

Security Requirements for Cryptographic Modules

(NIST, 2009), generally accepted as one of the

standard security evaluation methods. Fault injection

techniques can be classified in two main categories:

hardware fault injection, and software fault injection

(Ningfang et al., 2011).The hardware fault injection

are of the main interest in this paper, which include

variations in the external clock, variations in supply

voltages, laser illumination, X-rays and ion beams

radiation etc.

The hardware fault injection tools can be

classified by their (temporal and spatial) precision

and the cost (Kim and Quisquater, 2007).

With well-timed power spikes or dropdowns into

the supply line, it is possible to for the device to skip

specific instruction execution. The temporal precision

depends on the voltage drop/spike duration and

synchronization with the target device. Similarly,

altering the length of a single clock cycle may corrupt

data storage, which also requires relatively high

temporal precision.

Electromagnetic (EM) disturbances near the

device may induceddy currents in the circuit, causing

temporary alterations of the signal voltage level.

Laser beam and heavy ion micro beam can cause

abnormal behaviors on semiconductor devices

through single event effects (SEE), where a strong

radiation of a transistor may form a temporary

conductive channel in the dielectric, which, in turn,

may cause the logic circuit to switch state in a precise

and controlled manner.

2.2 Fault Attacks to Break

Cryptosystems

Fault injection has been reported effective on various

crypto modules. DES (Data Encryption Standard)

was reported vulnerable against fault injection attacks

at the15

th

round, an exclusive-OR (XOR) operation

between the correct and faulty cipher text will yield

the 15

th

round-sub keys. An exhaustive search of the

64 possible values of the corresponding substitution

will reveal the left 6-bitsubkey and thus the entire key

(Bar-El et al., 2006). A fault occurs on the 9

th

round

of AES (Advanced Encryption Standard) before Mix

Column operation will also yield the round key

(Moradi et al., 2006).This paper will take the right-to-

left RSA binary implementation with Montgomery

modular multiplication as the example to illustrate the

principle of fault injection attacks.

RSA is one of the first practicable public-key

cryptosystems and is widely used for secure data

transmission, named after Ron Rivest, Adi Shamir

and Leonard Adleman (Rivest et al., 1978). In such a

crypto system, the encryption key is public and differs

from the decryption key which is private and kept

secret. Two distinct and large odd prime numbers p

and q are used to generate two key-pair values: the

ICISSP 2016 - 2nd International Conference on Information Systems Security and Privacy

98

public key-pair (e,N), and the private key-pair (d,N)

(Wang, 2006; Zhang, 2005). The RSA algorithm can

be described as follows:

The modulus N is the product of two large primes

p and q.

Computes e through

()()

()

,111gcd e p q−−=

, where

gcd refers to the function of greatest common divisor

(Hardy and Wright, 1979).

Computes d through

()

1 mod( 1)( 1)de p q⋅= − −

.

The RSA encryption is performed using the public

key e:

mod

e

N

cm=

(1)

Where m is the plaintext,0<m<N, and c is the

ciphertext which can be decrypted using the secret

key d:

mod

d

N

mc=

(2)

An effective fault induced in one of the RSA private

key bits in the binary RSA implementation will result

in a faulty decryption result. With detailed fault

analysis, one can extract the key bit (Bar-El et al.,

2006). The procedure is as following. An attacker

arbitrarily chooses a plaintext m and computes the

cipher-text c. Let us assume there is one bit in secret

key d flipping from 1 to 0 or vice versa with a fault

injection, and the position of the flipped bit is

randomly located, then the attacker obtains a faulty

plaintext

ˆ

m

as the decryption result. Since there is

only one bit flipped, let it be

[]di

flipped to

[]di

]

[id

,

then the division between the faulty and the correct

plaintext will yield:

2[]

2[]

ˆ

(mod )

i

i

di

di

mc

N

m

c

=

(3)

Obviously, if

2

ˆ

1

(mod ) [ ] 1

i

m

Ndi

m

c

= →=

(4)

And if

2

ˆ

(mod ) [ ] 0

i

m

cNdi

m

= →=

(5)

This process is repeated until enough information is

obtained about the secret key d.

RSA using the Chinese Remainder Theorem

(CRT-RSA) is also vulnerable to fault attacks (Kim

and Quisquater, 2007). Let a and b be the pre-

computed values required by the CRT-RSA, there is:

{

{

1mod() 0mod()

0mod( ) 1mod( )

ap b p

and

aq bq

≡≡

≡≡

(6)

And define:

mod ( 1)

mod ( 1)

p

q

dd p

dd q

−

−

=

=

(7)

The RSA signature s is the sum as:

(mod )

pq

sas bs N=+⋅⋅

(8)

Where:

(mod )

(mod )

p

q

p

q

d

d

sm p

sm q

=

=

(9)

If there is a fault injected during the computation of

p

s

or

q

s

, then the faulty signature

(mod )

pq

s

as bs N

′′

=⋅ +⋅

. The subtraction between

the correct and the faulty signature will yield:

()

()mod

qq

s

sbs s N

′′

Δ= − = ⋅ −

(10)

A simple gcd (greatest common divisor) calculation

will factor N:

gcd( , )NpΔ=

(11)

This will compromise the RSA secret key, since we

can easily obtain d with known two large primes p

and q.

2.3 Security Test of Cryptographic ICs

with DFST

Quantitative Evaluation of Security is based on the

proposed design for security test (DFST). In this

section we demonstrate design for security test

(DFST) method and the consequent security test with

ATE on cryptographic ICs proposed in (Shao et al.,

2014), combining DFT and fault injection techniques

to facilitate a fast security test against fault injection

with a low IC area overhead.

Figure 1 demonstrates the relation of different

phases of cryptographic ICs from design to test. The

cryptographic ICs are designed with the proposed

DFST. Security test of cryptographic ICs is

performed by an engineer in a third authentication

party. The designers of cryptographic ICs should

provide the test patterns to the security authentication

party.

Quantitative Evaluation of Security on Cryptographic ICs against Fault Injection Attacks

99

Figure 1: Design for security test (DFST) and Security test

of cryptographic ICs.

The security test only concerns a small fraction of

the internal circuit states, on which an injected fault

will result in an effective faulty

encryption/decryption result. With careful

differential fault analysis, the effective faulty result

will largely reduce the search space of the secret key.

The principle idea of DFST is to observe the internal

states of those vulnerable cells.

The flowchart of DFST is as follows: Firstly, we

identify the sensitive registers with SER analysis as

previously described. Secondly, we mark the

sensitive registers in Register Transfer Level (RTL)

design netlist by prefixing sensitive registers. For

example, in the cryptographic algorithm of the right-

to-left RSA binary implementation with Montgomery

modular multiplication, all the sensitive registers

d[i]are beginning with ‘e_or_d_reg_’. Thirdly, we

only insert those marked registers into scan chains.

Finally, the test patterns are generated with the

commercial Automatic Test Pattern Generation

(ATPG) tools. The test pattern will be used during the

security test.

Once cryptographic ICs are designed for security

test with the proposed DFST, the security test could

be performed with the industrial ATE equipment. The

test structure is illustrated in Figure 2.

The procedures of the security test are as follows:

1) Set the device under test (DUT) in test mode; 2)

Run the test repeatedly with fault injection scanning

the DUT; 3) Compare the test result to the golden

references. If the two results are inconsistent, mark

the area being attacked as the sensitive area; 4) Scan

the whole DUT and form a fault map.

Figure 2: Security test on the cryptographic ICs with DFST.

3 QUANTITATIVE SECURITY

EVALUATION BASED ON DFST

Since the attacks are sensitive in both time and space

domains. We develop the quantitative security

evaluation model accordingly. We first locate the

vulnerable region of the IC under test. Then we

further identify the sensitive time period on the

vulnerable region. Thus we can plot the three-

dimensional (3D) map indicating the vulnerability.

Each fault is represented with a cuboid, the bottom

area stands for the fault injection spot on the chip

layout, and the height stands for the sensitive time

period of the spot. The volume of all the cuboids is

then calculated for quantitative evaluation.

3.1 Security Evaluation in Space

Domain

The aim of security evaluation in space domain is to

locate the vulnerable region of ICs under test. The

cryptographic ICs designed by DFST can facilitate

fast and automatic security test in space domain

against fault injection. The flow of security test with

the DFST is displayed in Figure3.

The procedures of the security evaluation in space

are as follows:

1) Set the security chip designed by DFST in test

mode;

2) Make a scan test of the security chip under fault-

attack;

3) Judge the sensitive area by comparing the scan

output to the expected value and compute number

of fault occurrences n. If the two results are

ICISSP 2016 - 2nd International Conference on Information Systems Security and Privacy

100

inconsistent, mark the area being attacked as the

sensitive area.

4) Scan the whole chip layout and form a 2D fault

map.

The Security evaluation based DFST can determine

the sensitive region exactly by the output vector and

has nothing to do with the output analysis, which is

much more efficient than security chip without scan

chain.

Figure 3: The flow of security test.

During the security test, the chip surface will be

scanned with various fault injection tools, such as

laser illumination and ion beam irradiation. The chip

can be scanned with any size of fault injection attack

(FIA) spot, which can target from a single transistor

to hundreds of transistors, depending on the

equipment used by the attackers as described in

Section II. Figure 4 illustrates scanning in the security

test, where each scan (S

11

, S

12

…, S

mn

) is scan spot,

which corresponds to scan step and scan precision of

fault injection tool.

The equation for quantitative security in space

domain

QS

S

for the entire chip is as:

=

QS

n

S

N

(12)

Where N denotes the total number of the fault

injection evenly traversing the entire IC, which

depends on the entire chip area, each injection spot

size and scan step; n denotes the number of fault

occurrences;

QS

S

denotes the percentage of the

sensitive area in the whole chip. A larger value of

QS

S

indicates a lower security level.

Figure 4: Fault injection scan on the cryptographic ICs with

DFST.

3.2 Security Evaluation in Time

Domain

Since security evaluation in time domain aims to

locate the vulnerable time regions of marked

vulnerable locations during the cryptographic

algorithm execution, the cryptographic IC should

work in function mode. In order to flexible control

fault injection, security evaluation in time domain is

operated by the method of function simulation. The

procedures are as follows:

1) Select a sensitive logic cell from marked

vulnerable locations and inject faults at certain

time intervals. Fault can be injected by the

simulation tools. The time interval of fault

injection is flexible. A short interval usually

means finer operation but longer evaluation cycle.

We recommend one clock cycle as the time

interval for the simulation of each fault injection.

2) Analysis the encryption/decryption results and

judge the sensitive time. If the result generates a

valid error, mark the time interval as the

Quantitative Evaluation of Security on Cryptographic ICs against Fault Injection Attacks

101

sensitive time.

3) Traverse the entire encryption/decryption period

under fault injection at certain time intervals.

4) Move to the next a sensitive point and repeat the

above steps.

5) Traverse all sensitive logic cells from marked

vulnerable locations of 2D fault map. Then plot

the sensitive time period for corresponding

sensitive logic cells and form 3D fault map. Each

fault is represented with a cuboid.

The volume V of the sensitive regions is calculated as:

)()(

1

isitV

n

i

=

⋅=

(13)

Where n denotes the total number of the sensitive

spots in space; i denotes the ith spot that exhibits a

fault; s(i) denotes the area of the i

th

fault injection

spot; t(i) denotes the time during of the fault on the i

th

spot.

Eq. (13) does not take into account of the parallel

and the serial implementations of the same

cryptographic algorithm. A parallel implementation

usually occupies larger IC footprint than the serial

implementation, but takes shorter time. To eliminate

the effect from parallel and serial operation of the

same function, Eq. (13) could be updated through

normalization:

TS

isit

S

n

i

Q

∗

⋅

=

=1

)()(

(14)

Where S denotes the entire IC area, T denotes the

entire time for each cryptographic execution cycle. A

bigger value of

Q

S

indicates a lower security level.

4 CASE STUDY

4.1 Security Quantitative Evaluation

Method Based RSA

In this section, we demonstrate the quantitative

evaluation with the implementation of a 1024-bit

RSA cryptosystem. The RSA module is the right-to-

left binary algorithm with Montgomery modular

multiplication. The design mainly includes an 8051

microprocessor, memory, a bus controller, a random

number generator (RNG), the RSA encryption and

the decryption module. The procedure of security

quantitative evaluation for the RSA cryptographic IC

is divided into two steps: design for security test and

security quantitative evaluation. The detailed flow is

as follows:

1) Design for Security Test:

The key registers d[i] are identified as the

sensitive registers.

Mark the sensitive registers by defining the

registers’ names with the prefix “e_or_d_reg_” in

the netlist.

Insert the scan-chain around the marked sensitive

registers and output the original DFT gate-level

netlist. The DFT commands such as

“set_scan_path” and “set_scan_element

true/false” are able to separate the sensitive

registers from other registers.

Generate the test patterns out of TetraMax

TM

, a

commercial ATPG tool.

Generate the physical layout of the RSA

implementation t.

2) Quantitative Evaluation of Security:

Set the RSA cryptographic IC designed by DFST

in test mode.

Make a scan test of the RSA cryptographic IC

under fault-attack in Automatic Test Equipment.

Perform the quantitative security evaluation in

space domain by simulating the fault injection

test, and plot the 2D fault map.

Perform the quantitative security evaluation in

time domain, and plot the 3D fault map.

4.2 Experimental Results

In our simulation, the scan registers are synthesized

with Synopsys Design Compiler™, the scan chains

are inserted with DFT Complier™, the test patterns

are generated from the ATPG tool TetraMax™, and

the circuit simulator is chosen to be VCS™. Other

similar tools can also be used. We identify 2048

sensitive registers and insert 6 scan-chains, which

accounts for an area overhead of 0.6%. For our RSA

implementation and the necessary peripheral circuits

of 740,000 logic gates, the area of cryptographic IC

design of RSA is 36mm

2

, with the technology

of0.18um GSMC. Laser illumination is selected as

fault injection source, and a laser spot size is selected

to be 10umx 10umlarge.

Figure 5 demonstrates the 2D fault map of the

RSA cryptographic IC design. The crosses indicate

the faults (not one by one indication due to the image

resolution limit). The sensitive registers contain two

types: key_ed[i] and e_or_d[i]. The total number of

laser illumination traversing the entire chip is 360000,

ICISSP 2016 - 2nd International Conference on Information Systems Security and Privacy

102

among which the number to successfully inject faults

is 4248. Then the quantitative security evaluation of

our test chip in space domain for the entire chip is

calculated as:

%18.1

360000

4248

===

N

n

S

QS

Figure 5: 2D fault map of the binary RSA design.

Figure 6: 3D fault map of the binary RSA design.

Figure 6 demonstrates the of the 3D fault map of

the cryptographic IC design of the binary RSA

implementation. The die area of cryptographic IC

design of RSA is 36mm

2

and the length of the RSA

decryption time is about 54ms. The number of

sensitive spots related to the registers key_ed[i] is

2016, shown with the pink short blocks at the bottom.

The sensitive time interval for key_ed[i] is 50ns, as

‘t1’exemplifies. The number of sensitive spots related

to the registers e_or_d[i] is 2232, shown with the blue

blocks along the time axis. The sensitive time interval

for e_or_d[i] is 51400ns, as ‘t2’exemplifies. The area

of each register in technology library of0.18um

GSMC is 66.5um

2

.

The quantitative security evaluation of the right-

to-left binary implementation of RSA is then

calculated as:

1

_

2

62 6

6

() ()

(50 2016 51400 2232) 66.5

36 10 54 10

3.9 10

n

i

Q binary

ti si

S

ST

ns ns um

um ns

=

−

⋅

=

∗

×+ × ×

=

×∗×

=×

Various implementations will have different values of

quantitative security evaluation. The CRT-RSA has

much larger value than the binary RSA, since CRT-

RSA has much larger sensitive area: the whole sub-

modules computing

p

s

and

q

s

.Furthermore, each

sensitive spot will be vulnerable for a long time along

the execution cycle, since the fault injection attack

works on binary RSA if and only if one bit is changed,

but there is no such limit on CRT-RSA.

For our CRT-RSA implementation and the

necessary peripheral circuits of 983,000 logic gates,

there are 21633 sensitive registers. The total layout

area is 72mm

2

, the number of sensitive logic cells in

sub-modules computing sp or sq is 519401. The area

of a standard cell in technology library of0.18um

GSMC is 13.5um

2

.Each of the computation of s

p

and

s

q

roughly takes 27ms. Then the quantitative security

evaluation of the CRT-RSA implementation is

calculated as:

1

_

62

62 6

() ()

2(27 10 519401) 13.5

0.19

72 10 27 10

n

i

Q CRT RSA

ti si

S

ST

ns um

um ns

=

−

⋅

=

∗

×× ×

==

×∗×

This indicates that CRT-RSA is almost

_

_

48717

Q CRT RSA

Q binary

S

S

−

=

times more vulnerable against

the fault injection attacks. The result is quite contrary

to previous observation that CRT-RSA is superior

compared to the right-to-left binary implementation,

in terms of better security against simple power

analysis etc. This quantitative evaluation model can

help the product designers to select the appropriate

implementation, considering potential attack

environments.

Quantitative Evaluation of Security on Cryptographic ICs against Fault Injection Attacks

103

5 CONCLUSIONS

The security evaluation against fault injection attacks

is challenging due to the niche probability of effective

fault injection both on the temporal and spatial

domain and the difficulty in observing internal

transient logic errors. This paper proposes a

quantitative model to evaluate security based DFST

against fault injection attacks, considering both the

operation time and the sensitive area of the

cryptographic ICs. Simulation results on two RSA

implementations demonstrate the feasibility of the

design for security test method and the evaluation

model, which can be easily extend to implementation

of other cryptographic algorithms. Further work is to

improve the efficiency of the security evaluation

with automated scripts.

ACKNOWLEDGEMENTS

This work was supported by Shenzhen S&T Funding

with Grant No. JCYJ20140417113430591,

GJHZ20140417113430584,

CXZZ20140527172356968,

JSGG20150511104613104, Guangdong S&T

Funding 2013B050800003, 2015B010106004 and

China National S&T Major Project with Grant No.

2014ZX01032401-001.

REFERENCES

Su, D., Xu, K. and Gao, Y., 2011. The Evaluation Model

and Index System of Cryptographic Modules Security

Assurance Ability. Proceedings of Third International

Conference on Multimedia Information Networking

and Security, pp. 448-452.

Barenghi, A., Breveglieri, L., Koren, I. and Naccache, D.,

2012. Fault injection attacks on cryptographic devices:

Theory, practice, and countermeasures. Proceedings of

the IEEE, vol. 100, no. 11, pp. 3056—3076.

Kim, C.H. and Quisquater, J. J., 2007. Fault attacks for CRT

based RSA: New attacks, new results, and new

countermeasures. In: Information Security Theory and

Practices. Smart Cards, Mobile and Ubiquitous

Computing Systems, pp. 215—228.

Boneh, D., De Millo, R. A. and Lipton, R. J., 2001. On the

importance of eliminating errors in cryptographic

computations. Journal of cryptology, vol. 14, no. 2, pp.

101—119.

Bar-El, H., Choukri, H., Naccache, D., et al, 2006. The

sorcerer's apprentice guide to fault attacks. Proceedings

of the IEEE, vol. 94, no.2, pp. 370—382.

MasterCard International Incorporated, 2005. Security

Guidelines for Smart Card Integrated Circuits.

Shao, C., Li, H., Xu, G., et al, 2014. Design for security test

against fault injection attacks. Electronics Letters. vol.

50, no. 23, pp. 1677-1678.

The National Institute of Standards and Technology

(NIST), 2009. Security Requirements for

Cryptographic Modules. FIPSPUB140-3 Draft.

Ningfang, S., Jiaomei, Q., Xiong, P., et al, 2011. Fault

Injection Methodology and Tools. Electronics and

Optoelectronics (ICEOE), pp. 47—50.

Moradi, A., Shalmani, M. T. M., and Salmasizadeh, M.,

2006. A generalized method of differential fault attack

against AES cryptosystem. In Proc. Cryptographic

Hardware and Embedded Systems-CHES, Springer

Berlin Heidelberg, pp. 91-100.

Rivest, R. L., Shamir, A., and Adleman, L., 1978. A method

for obtaining digital signatures and public-key

cryptosystems.in Communications of the ACM, vol. 21,

pp.120-126.

Wang, J., 2006. Research of RSA Encryption Algorithm.

Shenyang University thesis.

Zhang, L., 2005. Research and Implementation of RSA

Cryptography. Shandong University of Science and

Technology thesis.

Hardy, G. H., and Wright, E. M., 1979. An introduction to

the theory of numbers. The Clarendon Press Oxford

University Press, fifth edition.

ICISSP 2016 - 2nd International Conference on Information Systems Security and Privacy

104