{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,12]],"date-time":"2025-10-12T01:22:58Z","timestamp":1760232178641,"version":"build-2065373602"},"reference-count":35,"publisher":"MDPI AG","issue":"10","license":[{"start":{"date-parts":[[2022,10,19]],"date-time":"2022-10-19T00:00:00Z","timestamp":1666137600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"the Foundation Enhancement Planning Technology Field Fund Project","award":["2021JCJQJJ0926"],"award-info":[{"award-number":["2021JCJQJJ0926"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Symmetry"],"abstract":"<jats:p>A Fault Attack (FA) is performed mainly under the data corruption model and poses a threat to security chips. Instruction corruption can enact the same purpose at the behavioral level, which is produced by interfering with the instruction system. Laser Fault Injection (LFI) on program memory during the instruction-fetching process, which we refer to as an instruction-fetching attack, is studied in this paper. This process bears the ability to produce a controllable instruction-fetching fault. Our work shows the implementation of the attack and its specific application case on an 8-bit microcontroller. The main contributions of this paper include: (1) We have mapped the sensitive areas precisely to the faulted instructions via laser injection and implemented controllable instruction tampering. (2) A Collision Fault Attack (CFA) scheme based on instruction-fetching fault is proposed. (3) The impacts of the faulted instructions are fully explored, including the influence on subsequent operations and key recovery. (4) The fault mechanism of the on-chip Flash is further investigated. Instruction-fetching fault means that the controller fetches a tampered instruction from the program memory under external interference, which likely gives rise to an invalid or incorrect operation. The experiment confirms that this specific fault can induce particular types of faults that are different to realize, e.g., the byte-fault model in CFA. The realization, application and mechanism of instruction-fetching fault are discussed in detail.<\/jats:p>","DOI":"10.3390\/sym14102201","type":"journal-article","created":{"date-parts":[[2022,10,19]],"date-time":"2022-10-19T22:19:53Z","timestamp":1666217993000},"page":"2201","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":3,"title":["Instruction-Fetching Attack and Practice in Collision Fault Attack on AES"],"prefix":"10.3390","volume":"14","author":[{"given":"Huilong","family":"Jiang","sequence":"first","affiliation":[{"name":"State Key Laboratory of Space Weather, National Space Science Center, Chinese Academy of Sciences, Beijing 101499, China"},{"name":"School of Astronomy and Space Science, University of Chinese Academy of Sciences, Beijing 100049, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6952-4019","authenticated-orcid":false,"given":"Xiang","family":"Zhu","sequence":"additional","affiliation":[{"name":"State Key Laboratory of Space Weather, National Space Science Center, Chinese Academy of Sciences, Beijing 101499, China"},{"name":"School of Astronomy and Space Science, University of Chinese Academy of Sciences, Beijing 100049, China"}]},{"given":"Jianwei","family":"Han","sequence":"additional","affiliation":[{"name":"State Key Laboratory of Space Weather, National Space Science Center, Chinese Academy of Sciences, Beijing 101499, China"},{"name":"School of Astronomy and Space Science, University of Chinese Academy of Sciences, Beijing 100049, China"}]}],"member":"1968","published-online":{"date-parts":[[2022,10,19]]},"reference":[{"doi-asserted-by":"crossref","unstructured":"Kocher, P.C. (1996, January 18\u201322). Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. Proceedings of the Annual International Cryptology Conference, Santa Barbara, CA, USA.","key":"ref_1","DOI":"10.1007\/3-540-68697-5_9"},{"doi-asserted-by":"crossref","unstructured":"Gandolfi, K., Mourtel, C., and Olivier, F. (2001, January 14\u201316). Electromagnetic analysis: Concrete results. Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems, Paris, France.","key":"ref_2","DOI":"10.1007\/3-540-44709-1_21"},{"doi-asserted-by":"crossref","unstructured":"Kocher, P., Jaffe, J., and Jun, B. (1999, January 15\u201319). Differential power analysis. Proceedings of the Annual International Cryptology Conference, Santa Barbara, CA, USA.","key":"ref_3","DOI":"10.1007\/3-540-48405-1_25"},{"doi-asserted-by":"crossref","unstructured":"Boneh, D., DeMillo, R.A., and Lipton, R.J. (1997, January 11\u201315). On the importance of checking cryptographic protocols for faults. Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, Konstanz, Germany.","key":"ref_4","DOI":"10.1007\/3-540-69053-0_4"},{"doi-asserted-by":"crossref","unstructured":"Schmidt, J.M., and Herbst, C. (2008, January 10\u201310). A practical fault attack on square and multiply. Proceedings of the 2008 5th Workshop on Fault Diagnosis and Tolerance in Cryptography, Washington, DC, USA.","key":"ref_5","DOI":"10.1109\/FDTC.2008.10"},{"key":"ref_6","first-page":"13","article-title":"Round reduction using faults","volume":"5","author":"Choukri","year":"2005","journal-title":"FDTC"},{"unstructured":"Schmidt, J.M., and Hutter, M. (2007, January 11). Optical and em Fault-Attacks on Crt-Based Rsa: Concrete Results. Proceedings of the Austrochip 2007, 15th Austrian Workhop on Microelectronics, Graz, Austria.","key":"ref_7"},{"unstructured":"Skorobogatov, S.P., and Anderson, R.J. (2002, January 13\u201315). Optical fault induction attacks. Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems, Redwood Shores, CA, USA.","key":"ref_8"},{"doi-asserted-by":"crossref","unstructured":"Balasch, J., Gierlichs, B., and Verbauwhede, I. (2011, January 28). An In-depth and Black-box Characterization of the Effects of Clock Glitches on 8-bit MCUs. Proceedings of the 2011 Workshop on Fault Diagnosis and Tolerance in Cryptography, Nara, Japan.","key":"ref_9","DOI":"10.1109\/FDTC.2011.9"},{"doi-asserted-by":"crossref","unstructured":"Moro, N., Dehbaoui, A., Heydemann, K., Robisson, B., and Encrenaz, E. (2013, January 20). Electromagnetic fault injection: Towards a fault model on a 32-bit microcontroller. Proceedings of the 2013 Workshop on Fault Diagnosis and Tolerance in Cryptography, Los Alamitos, CA, USA.","key":"ref_10","DOI":"10.1109\/FDTC.2013.9"},{"unstructured":"Trabelsi, O., Sauvage, L., and Danger, J.L. (2020, January 15\u201317). Characterization of electromagnetic fault injection on a 32-bit microcontroller instruction buffer. Proceedings of the 2020 Asian Hardware Oriented Security and Trust Symposium (AsianHOST), Kolkata, India.","key":"ref_11"},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"11","DOI":"10.1587\/transfun.2019CIP0028","article-title":"Laser-induced controllable instruction replacement fault attack","volume":"103","author":"Sakamoto","year":"2020","journal-title":"IEICE Trans. Fundam. Electron. Commun. Comput. Sci."},{"doi-asserted-by":"crossref","unstructured":"Colombier, B., Menu, A., Dutertre, J.M., Mo\u00ebllic, P.A., Rigaud, J.B., and Danger, J.L. (2019, January 5\u201310). Laser-induced single-bit faults in flash memory: Instructions corruption on a 32-bit microcontroller. Proceedings of the 2019 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), McLean, VA, USA.","key":"ref_13","DOI":"10.1109\/HST.2019.8741030"},{"doi-asserted-by":"crossref","unstructured":"Khuat, V., Danger, J.L., and Dutertre, J.M. (2021, January 17). Laser Fault Injection in a 32-bit Microcontroller: From the Flash Interface to the Execution Pipeline. Proceedings of the 2021 Workshop on Fault Detection and Tolerance in Cryptography (FDTC), Milan, Italy.","key":"ref_14","DOI":"10.1109\/FDTC53659.2021.00020"},{"doi-asserted-by":"crossref","unstructured":"Menu, A., Dutertre, J.M., Rigaud, J.B., Colombier, B., Moellic, P.A., and Danger, J.L. (2020, January 13). Single-bit laser fault model in NOR flash memories: Analysis and exploitation. Proceedings of the 2020 Workshop on Fault Detection and Tolerance in Cryptography (FDTC), Milan, Italy.","key":"ref_15","DOI":"10.1109\/FDTC51366.2020.00013"},{"doi-asserted-by":"crossref","unstructured":"Biham, E., and Shamir, A. (1997, January 17\u201321). Differential fault analysis of secret key cryptosystems. Proceedings of the Annual International Cryptology Conference, Santa Barbara, CA, USA.","key":"ref_16","DOI":"10.1007\/BFb0052259"},{"doi-asserted-by":"crossref","unstructured":"Kim, C.H., and Quisquater, J.J. (2008, January 8\u201311). New differential fault analysis on AES key schedule: Two faults are enough. Proceedings of the International Conference on Smart Card Research and Advanced Applications, London, UK.","key":"ref_17","DOI":"10.1007\/978-3-540-85893-5_4"},{"doi-asserted-by":"crossref","unstructured":"Bl\u00f6mer, J., and Seifert, J.P. (2003, January 27\u201330). Fault based cryptanalysis of the advanced encryption standard (AES). Proceedings of the International Conference on Financial Cryptography, Guadeloupe, French West Indies.","key":"ref_18","DOI":"10.1007\/978-3-540-45126-6_12"},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"172","DOI":"10.46586\/tches.v2020.i2.172-195","article-title":"Persistent fault attack in practice","volume":"2020","author":"Zhang","year":"2020","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"doi-asserted-by":"crossref","unstructured":"Hemme, L. (2004, January 11\u201313). A differential fault attack against early rounds of (triple-) DES. Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems, Cambridge, MA, USA.","key":"ref_20","DOI":"10.1007\/978-3-540-28632-5_19"},{"doi-asserted-by":"crossref","unstructured":"Bl\u00f6mer, J., and Krummel, V. (2006, January 10). Fault based collision attacks on AES. Proceedings of the International Workshop on Fault Diagnosis and Tolerance in Cryptography, Yokohama, Japan.","key":"ref_21","DOI":"10.1007\/11889700_11"},{"doi-asserted-by":"crossref","unstructured":"Tunstall, M., Mukhopadhyay, D., and Ali, S. (2011, January 1\u20133). Differential fault analysis of the advanced encryption standard using a single fault. Proceedings of the IFIP International Workshop on Information Security Theory and Practices, Heraklion, Crete, Greece.","key":"ref_22","DOI":"10.1007\/978-3-642-21040-2_15"},{"doi-asserted-by":"crossref","unstructured":"Selmane, N., Guilley, S., and Danger, J.L. (2008, January 7\u20139). Practical setup time violation attacks on AES. Proceedings of the 2008 Seventh European Dependable Computing Conference, Kaunas, Lithuania.","key":"ref_23","DOI":"10.1109\/EDCC-7.2008.11"},{"doi-asserted-by":"crossref","unstructured":"Bhasin, S., Selmane, N., Guilley, S., and Danger, J.L. (2009, January 27). Security evaluation of different AES implementations against practical setup time violation attacks in FPGAs. Proceedings of the 2009 IEEE International Workshop on Hardware-Oriented Security and Trust, San Francisco, CA, USA.","key":"ref_24","DOI":"10.1109\/HST.2009.5225057"},{"doi-asserted-by":"crossref","unstructured":"Yuce, B., Ghalaty, N.F., Santapuri, H., Deshpande, C., Patrick, C., and Schaumont, P. (2016). Software fault resistance is futile: Effective single-glitch attacks. Proceedings of the 2016 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), IEEE.","key":"ref_25","DOI":"10.1109\/FDTC.2016.21"},{"unstructured":"Dutertre, J.M., Riom, T., Potin, O., and Rigaud, J.B. (2016, January 16). Experimental analysis of the laser-induced instruction skip fault model. Proceedings of the Nordic Conference on Secure IT Systems, Santa Barbara, CA, USA.","key":"ref_26"},{"doi-asserted-by":"crossref","unstructured":"Elmohr, M.A., Liao, H., and Gebotys, C.H. (2020, January 25\u201326). EM fault injection on ARM and RISC-V. Proceedings of the 2020 21st International Symposium on Quality Electronic Design (ISQED), Santa Clara, CA, USA.","key":"ref_27","DOI":"10.1109\/ISQED48828.2020.9137051"},{"doi-asserted-by":"crossref","unstructured":"Kumar, D.S., Beckers, A., Balasch, J., Gierlichs, B., and Verbauwhede, I. (2018, January 12\u201314). An in-depth and black-box characterization of the effects of laser pulses on atmega328p. Proceedings of the International Conference on Smart Card Research and Advanced Applications, Montpellier, France.","key":"ref_28","DOI":"10.1007\/978-3-030-15462-2_11"},{"doi-asserted-by":"crossref","unstructured":"Khuat, V., Dutertre, J.M., and Danger, J.L. (2021, January 1\u20133). Analysis of a laser-induced instructions replay fault model in a 32-bit microcontroller. Proceedings of the 2021 24th Euromicro Conference on Digital System Design (DSD), Palermo, Italy.","key":"ref_29","DOI":"10.1109\/DSD53832.2021.00061"},{"doi-asserted-by":"crossref","unstructured":"Vasselle, A., Thiebeauld, H., Maouhoub, Q., Morisset, A., and Ermeneux, S. (2017, January 25). Laser-induced fault injection on smartphone bypassing the secure boot. Proceedings of the 2017 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), Taipei, Taiwan.","key":"ref_30","DOI":"10.1109\/FDTC.2017.18"},{"doi-asserted-by":"crossref","unstructured":"Gaine, C., Aboulkassimi, D., Ponti\u00e9, S., Nikolovski, J.P., and Dutertre, J.M. (2020, January 6\u201311). Electromagnetic fault injection as a new forensic approach for SoCs. Proceedings of the 2020 IEEE International Workshop on Information Forensics and Security (WIFS), New York, NY, USA.","key":"ref_31","DOI":"10.1109\/WIFS49906.2020.9360902"},{"key":"ref_32","first-page":"137","article-title":"Reijndael: The Advanced Encryption Standard","volume":"26","author":"Daemen","year":"2001","journal-title":"Dr. Dobb\u2019s J. Softw. Tools Prof. Program."},{"doi-asserted-by":"crossref","unstructured":"Roscian, C., Sarafianos, A., Dutertre, J.M., and Tria, A. (2013, January 20). Fault model analysis of laser-induced faults in sram memory cells. Proceedings of the 2013 Workshop on Fault Diagnosis and Tolerance in Cryptography, Los Alamitos, CA, USA.","key":"ref_33","DOI":"10.1109\/FDTC.2013.17"},{"doi-asserted-by":"crossref","unstructured":"Richter, D. (2014). Fundamentals of non-volatile memories. Flash Memories, Springer.","key":"ref_34","DOI":"10.1007\/978-94-007-6082-0"},{"doi-asserted-by":"crossref","unstructured":"Amiel, F., Villegas, K., Feix, B., and Marcel, L. (2007, January 10). Passive and active combined attacks: Combining fault attacks and side channel analysis. Proceedings of the Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC 2007), Vienna, Austria.","key":"ref_35","DOI":"10.1109\/FDTC.2007.12"}],"container-title":["Symmetry"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2073-8994\/14\/10\/2201\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T00:57:11Z","timestamp":1760144231000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2073-8994\/14\/10\/2201"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,10,19]]},"references-count":35,"journal-issue":{"issue":"10","published-online":{"date-parts":[[2022,10]]}},"alternative-id":["sym14102201"],"URL":"https:\/\/doi.org\/10.3390\/sym14102201","relation":{},"ISSN":["2073-8994"],"issn-type":[{"type":"electronic","value":"2073-8994"}],"subject":[],"published":{"date-parts":[[2022,10,19]]}}}