Paper 2010/130

Low Voltage Fault Attacks to AES and RSA on General Purpose Processors

Alessandro Barenghi, Guido Bertoni, Luca Breveglieri, Mauro Pellicioli, and Gerardo Pelosi


Fault injection attacks have recently proven to be a powerful tool for exploiting implementation weaknesses of robust cryptographic algorithms. A number of different techniques aimed at disturbing the computation of a cryptographic primitive have been devised and successfully employed to leak secret information by inferring it from the erroneous results. In particular, many of these techniques involve directly tampering with the computing device to alter the content of the embedded memory, e.g. by irradiating it with laser beams. In this contribution we present a low-cost, non-invasive and effective technique to inject faults in an ARM9 general purpose CPU by lowering its supply voltage. This is the first result available in the fault attack literature to attack a software implementation of a cryptosystem running on a full-fledged CPU with a complete operating system. The platform under consideration (an ARM9 CPU running a full Linux 2.6 kernel) is widely used in mobile computing devices such as smartphones, gaming platforms and network appliances. We fully characterise both the fault model and the errors induced in the computation, in terms of both their frequency and the corruption patterns on the computed results. First, we validate the effectiveness of the proposed fault model for mounting practical attacks on implementations of the RSA and AES cryptosystems, using techniques known in the open literature. Then we devise two new attack techniques, one for each cryptosystem. The attack on AES is able to retrieve all the round keys regardless of both their derivation strategy and the number of rounds. A known ciphertext attack on RSA encryption has been devised: the plaintext is retrieved knowing the result of a correct and a faulty encryption of the same plaintext, and assuming the fault corrupts the public key exponent.
Through experimental validation, we show that we can break any AES with roughly 4 kb of ciphertext, RSA encryption with 3 to 5 faults and RSA signature with 1 to 2 faults.

Note: The updated version can be found at:

Publication info
Published elsewhere. An updated and extended version of this paper has been published in the Journal of Systems and Software
RSA AES Cryptanalysis Fault Attacks
Contact author(s)
barenghi @ elet polimi it
2013-03-21: last of 2 revisions
2010-03-08: received
Creative Commons Attribution


@misc{cryptoeprint:2010/130,
      author = {Alessandro Barenghi and Guido Bertoni and Luca Breveglieri and Mauro Pellicioli and Gerardo Pelosi},
      title = {Low Voltage Fault Attacks to {AES} and {RSA} on General Purpose Processors},
      howpublished = {Cryptology ePrint Archive, Paper 2010/130},
      year = {2010},
      note = {\url{}},
      url = {}
}