{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,7]],"date-time":"2025-10-07T01:06:53Z","timestamp":1759799213827,"version":"build-2065373602"},"reference-count":49,"publisher":"International Association for Cryptologic Research","issue":"3","license":[{"start":{"date-parts":[[2025,7,4]],"date-time":"2025-07-04T00:00:00Z","timestamp":1751587200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2025,9,2]]},"abstract":"<jats:p>Cryptographic implementations are vulnerable to active physical attacks where adversaries inject faults to extract sensitive information. Existing fault models, such as the threshold and random fault models, assume limitations on the amount or probability of injecting faults. Such models, however, insufficiently address the case of practical fault injection methods capable of faulting a large proportion of the wires in a circuit with high probability. Prior works have shown that this insufficiency can lead to concrete key recovery attacks against implementations proven secure in these models. We address this blind spot by introducing the uniform random fault model, which relaxes assumptions on the amount\/probability of faults and instead assumes a uniform probabilistic faulting of all wires in a circuit or region. We then show that security in this new model can be reduced to security in the random fault model by inserting canaries in the circuit to ensure secret-independent fault detection. We prove that combining canaries with a more classical fault countermeasure such as redundancy can lead to exponential fault security in the uniform random fault model at a polynomial cost in circuit size in the security parameter. Finally, we discuss the interactions between our work and the practical engineering challenges of fault security, shedding light on how the combination of state-of-the-art countermeasures may protect against injections of many high probability faults, while opening a path to methodologies that formally analyze the guarantees provided by such countermeasures. <\/jats:p>","DOI":"10.62056\/an-49qxqi","type":"journal-article","created":{"date-parts":[[2025,10,6]],"date-time":"2025-10-06T18:49:52Z","timestamp":1759776592000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":0,"title":["Fly Away: Lifting Fault Security through Canaries and the Uniform Random Fault Model"],"prefix":"10.62056","volume":"2","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-5426-9345","authenticated-orcid":false,"given":"Ga\u00ebtan","family":"Cassiers","sequence":"first","affiliation":[{"id":[{"id":"https:\/\/ror.org\/0030xrh72","id-type":"ROR","asserted-by":"publisher"}],"name":"CryptoExperts","place":["Paris, France"]},{"id":[{"id":"https:\/\/ror.org\/02495e989","id-type":"ROR","asserted-by":"publisher"}],"name":"UCLouvain","place":["Louvain-la-Neuve, Belgium"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0591-7355","authenticated-orcid":false,"given":"Siemen","family":"Dhooghe","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/05f950310","id-type":"ROR","asserted-by":"publisher"}],"name":"KU Leuven","place":["Leuven, Belgium"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3809-9803","authenticated-orcid":false,"given":"Thorben","family":"Moos","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/02495e989","id-type":"ROR","asserted-by":"publisher"}],"name":"UCLouvain","place":["Louvain-la-Neuve, Belgium"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5535-1102","authenticated-orcid":false,"given":"Sayandeep","family":"Saha","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/02qyf5152","id-type":"ROR","asserted-by":"publisher"}],"name":"IIT Bombay","place":["Bombay, India"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7444-0285","authenticated-orcid":false,"given":"Fran\u00e7ois-Xavier","family":"Standaert","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/02495e989","id-type":"ROR","asserted-by":"publisher"}],"name":"UCLouvain","place":["Louvain-la-Neuve, Belgium"]}]}],"member":"48349","published-online":{"date-parts":[[2025,10,6]]},"reference":[{"key":"ref1:DBLP:conf\/crypto\/KocherJJ99","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"388","DOI":"10.1007\/3-540-48405-1_25","article-title":"Differential Power Analysis","volume":"1666","author":"Paul C. Kocher","year":"1999"},{"key":"ref2:DBLP:conf\/crypto\/BihamS97","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"513","DOI":"10.1007\/BFB0052259","article-title":"Differential Fault Analysis of Secret Key Cryptosystems","volume":"1294","author":"Eli Biham","year":"1997"},{"key":"ref3:DBLP:conf\/eurocrypt\/BonehDL97","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"37","DOI":"10.1007\/3-540-69053-0_4","article-title":"On the Importance of Checking Cryptographic Protocols for\n  Faults (Extended Abstract)","volume":"1233","author":"Dan Boneh","year":"1997"},{"key":"ref4:DBLP:series\/isc\/364229655","series-title":"Information Security and Cryptography","isbn-type":"print","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-29656-7","volume-title":"Fault Analysis in Cryptography","year":"2012","ISBN":"https:\/\/id.crossref.org\/isbn\/9783642296550"},{"key":"ref5:DBLP:conf\/crypto\/IshaiSW03","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"463","DOI":"10.1007\/978-3-540-45146-4_27","article-title":"Private Circuits: Securing Hardware against Probing\n  Attacks","volume":"2729","author":"Yuval Ishai","year":"2003"},{"key":"ref6:DBLP:conf\/eurocrypt\/ProuffR13","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"142","DOI":"10.1007\/978-3-642-38348-9_9","article-title":"Masking against Side-Channel Attacks: A Formal Security\n  Proof","volume":"7881","author":"Emmanuel Prouff","year":"2013"},{"key":"ref7:DBLP:conf\/eurocrypt\/DucDF14","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"423","DOI":"10.1007\/978-3-642-55220-5_24","article-title":"Unifying Leakage Models: From Probing Attacks to Noisy\n  Leakage","volume":"8441","author":"Alexandre Duc","year":"2014"},{"key":"ref8:DBLP:conf\/eurocrypt\/BartheDFGSS17","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"535","DOI":"10.1007\/978-3-319-56620-7_19","article-title":"Parallel Implementations of Masking Schemes and the Bounded\n  Moment Leakage Model","volume":"10210","author":"Gilles Barthe","year":"2017"},{"key":"ref9:DBLP:journals\/tches\/FaustGPPS18","doi-asserted-by":"publisher","first-page":"89","DOI":"10.13154\/TCHES.V2018.I3.89-120","article-title":"Composable Masking Schemes in the Presence of Physical\n  Defaults & the Robust Probing Model","volume":"2018","author":"Sebastian Faust","year":"2018","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"ref10:DBLP:conf\/ccs\/BartheBDFGSZ16","doi-asserted-by":"publisher","first-page":"116","DOI":"10.1145\/2976749.2978427","article-title":"Strong Non-Interference and Type-Directed Higher-Order\n  Masking","author":"Gilles Barthe","year":"2016"},{"key":"ref11:DBLP:journals\/tifs\/CassiersS20","doi-asserted-by":"publisher","first-page":"2542","DOI":"10.1109\/TIFS.2020.2971153","article-title":"Trivially and Efficiently Composing Masked Gadgets With\n  Probe Isolating Non-Interference","volume":"15","author":"Ga\u00ebtan Cassiers","year":"2020","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"ref12:DBLP:journals\/tc\/CassiersGLS21","doi-asserted-by":"publisher","first-page":"1677","DOI":"10.1109\/TC.2020.3022979","article-title":"Hardware Private Circuits: From Trivial Composition to Full\n  Verification","volume":"70","author":"Ga\u00ebtan Cassiers","year":"2021","journal-title":"IEEE Trans. Computers"},{"key":"ref13:DBLP:conf\/eurocrypt\/MasureMMS23","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"596","DOI":"10.1007\/978-3-031-30634-1_20","article-title":"Effective and Efficient Masking with Low Noise Using\n  Small-Mersenne-Prime Ciphers","volume":"14007","author":"Lo\u00efc Masure","year":"2023"},{"key":"ref14:DBLP:journals\/iacr\/BelaidCMRRST23","first-page":"1198","article-title":"Towards Achieving Provable Side-Channel Security in\n  Practice","author":"Sonia Bela\u00efd","year":"2023","journal-title":"IACR Cryptol. ePrint Arch."},{"key":"ref15:DBLP:conf\/eurocrypt\/IshaiPSW06","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"308","DOI":"10.1007\/11761679_19","article-title":"Private Circuits II: Keeping Secrets in Tamperable\n  Circuits","volume":"4004","author":"Yuval Ishai","year":"2006"},{"key":"ref16:DBLP:journals\/tc\/RichterBrockmannSG23","doi-asserted-by":"publisher","first-page":"572","DOI":"10.1109\/TC.2022.3164259","article-title":"Revisiting Fault Adversary Models - Hardware Faults in\n  Theory and Practice","volume":"72","author":"Jan Richter-Brockmann","year":"2023","journal-title":"IEEE Trans. Computers"},{"key":"ref17:DBLP:conf\/icalp\/FaustPV11","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"391","DOI":"10.1007\/978-3-642-22006-7_33","article-title":"Tamper-Proof Circuits: How to Trade Leakage for\n  Tamper-Resilience","volume":"6755","author":"Sebastian Faust","year":"2011"},{"key":"ref18:DBLP:conf\/crypto\/Dachman-SoledK12","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"533","DOI":"10.1007\/978-3-642-32009-5_31","article-title":"Securing Circuits against Constant-Rate Tampering","volume":"7417","author":"Dana Dachman-Soled","year":"2012"},{"key":"ref19:DBLP:conf\/sacrypt\/DhoogheN23","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"191","DOI":"10.1007\/978-3-031-53368-6_10","article-title":"The Random Fault Model","volume":"14201","author":"Siemen Dhooghe","year":"2023"},{"key":"ref20:DBLP:conf\/asiacrypt\/BelaidFGGRRST24","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"167","DOI":"10.1007\/978-981-96-0941-3_6","article-title":"Formal Definition and Verification for Combined Random Fault\n  and Random Probing Security","volume":"15490","author":"Sonia Bela\u00efd","year":"2024"},{"key":"ref21:DBLP:series\/isc\/SchmidtM12","series-title":"Information Security and Cryptography","doi-asserted-by":"publisher","first-page":"73","DOI":"10.1007\/978-3-642-29656-7_5","article-title":"Countermeasures for Symmetric Key Ciphers","author":"J\u00f6rn-Marc Schmidt","year":"2012"},{"key":"ref22:DBLP:journals\/tches\/BartkewitzBMMS22","doi-asserted-by":"publisher","first-page":"438","DOI":"10.46586\/TCHES.V2022.I3.438-462","article-title":"Beware of Insufficient Redundancy An Experimental Evaluation\n  of Code-based FI Countermeasures","volume":"2022","author":"Timo Bartkewitz","year":"2022","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"ref23:DBLP:journals\/pieee\/Bar-ElCNTW06","doi-asserted-by":"publisher","first-page":"370","DOI":"10.1109\/JPROC.2005.862424","article-title":"The Sorcerer's Apprentice Guide to Fault Attacks","volume":"94","author":"Hagai Bar-El","year":"2006","journal-title":"Proc. IEEE"},{"key":"ref24:DBLP:conf\/tcc\/GennaroLMMR04","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"258","DOI":"10.1007\/978-3-540-24638-1_15","article-title":"Algorithmic Tamper-Proof (ATP) Security: Theoretical\n  Foundations for Security against Hardware Tampering","volume":"2951","author":"Rosario Gennaro","year":"2004"},{"key":"ref25:DBLP:journals\/jacm\/DziembowskiPW18","doi-asserted-by":"publisher","DOI":"10.1145\/3178432","article-title":"Non-Malleable Codes","volume":"65","author":"Stefan Dziembowski","year":"2018","journal-title":"J. ACM"},{"key":"ref26:DBLP:conf\/eurocrypt\/FaustMVW14","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"111","DOI":"10.1007\/978-3-642-55220-5_7","article-title":"Efficient Non-malleable Codes and Key-Derivation for\n  Poly-size Tampering Circuits","volume":"8441","author":"Sebastian Faust","year":"2014"},{"key":"ref27:DBLP:conf\/crypto\/FaustHM017","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"95","DOI":"10.1007\/978-3-319-63715-0_4","article-title":"Non-Malleable Codes for Space-Bounded Tampering","volume":"10402","author":"Sebastian Faust","year":"2017"},{"key":"ref28:DBLP:conf\/crypto\/BrianFO0020","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"127","DOI":"10.1007\/978-3-030-56877-1_5","article-title":"Non-malleable Secret Sharing Against Bounded Joint-Tampering\n  Attacks in the Plain Model","volume":"12172","author":"Gianluca Brian","year":"2020"},{"key":"ref29:DBLP:conf\/asiacrypt\/BrianFMV22","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"384","DOI":"10.1007\/978-3-031-22972-5_14","article-title":"Continuously Non-malleable Codes Against Bounded-Depth\n  Tampering","volume":"13794","author":"Gianluca Brian","year":"2022"},{"key":"ref30:DBLP:conf\/ches\/Clavier07","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"181","DOI":"10.1007\/978-3-540-74735-2_13","article-title":"Secret External Encodings Do Not Prevent Transient Fault\n  Analysis","volume":"4727","author":"Christophe Clavier","year":"2007"},{"key":"ref31:DBLP:journals\/tches\/DobraunigEKMMP18","doi-asserted-by":"publisher","first-page":"547","DOI":"10.13154\/TCHES.V2018.I3.547-572","article-title":"SIFA: Exploiting Ineffective Fault Inductions on Symmetric\n  Cryptography","volume":"2018","author":"Christoph Dobraunig","year":"2018","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"ref32:DBLP:conf\/asiacrypt\/DobraunigEGMMP18","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"315","DOI":"10.1007\/978-3-030-03329-3_11","article-title":"Statistical Ineffective Fault Attacks on Masked AES with\n  Fault Countermeasures","volume":"11273","author":"Christoph Dobraunig","year":"2018"},{"key":"ref33:DBLP:conf\/asiacrypt\/FeldtkellerGS23","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"302","DOI":"10.1007\/978-981-99-8730-6_10","article-title":"Quantitative Fault Injection Analysis","volume":"14441","author":"Jakob Feldtkeller","year":"2023"},{"key":"ref34:DBLP:journals\/tches\/TollecHNABCHJM24","doi-asserted-by":"publisher","first-page":"179","DOI":"10.46586\/TCHES.V2024.I4.179-204","article-title":"Fault-Resistant Partitioning of Secure CPUs for System\n  Co-Verification against Faults","volume":"2024","author":"Simon Tollec","year":"2024","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"ref35:DBLP:journals\/access\/BreierH22","doi-asserted-by":"publisher","first-page":"113122","DOI":"10.1109\/ACCESS.2022.3217212","article-title":"How Practical Are Fault Injection Attacks, Really?","volume":"10","author":"Jakub Breier","year":"2022","journal-title":"IEEE Access"},{"key":"ref36:DBLP:journals\/csur\/BaksiBBJS23","doi-asserted-by":"publisher","DOI":"10.1145\/3530054","article-title":"A Survey on Fault Attacks on Symmetric Key Cryptosystems","volume":"55","author":"Anubhab Baksi","year":"2023","journal-title":"ACM Comput. Surv."},{"key":"ref37:DBLP:conf\/ctrsa\/ToprakhisarNN24","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"433","DOI":"10.1007\/978-3-031-58868-6_17","article-title":"SoK: Parameterization of Fault Adversary Models Connecting\n  Theory and Practice","volume":"14643","author":"Dilara Toprakhisar","year":"2024"},{"key":"ref38:DBLP:conf\/host\/SchellenbergFGH16","doi-asserted-by":"publisher","first-page":"203","DOI":"10.1109\/HST.2016.7495583","article-title":"Large laser spots and fault sensitivity analysis","author":"Falk Schellenberg","year":"2016"},{"key":"ref39:DBLP:conf\/fdtc\/DutertreBCCFFGH18","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1109\/FDTC.2018.00009","article-title":"Laser Fault Injection at the CMOS 28 nm Technology Node:\n  an Analysis of the Fault Model","author":"Jean-Max Dutertre","year":"2018"},{"key":"ref40:DBLP:conf\/fdtc\/DumontLM19","doi-asserted-by":"publisher","first-page":"9","DOI":"10.1109\/FDTC.2019.00010","article-title":"Electromagnetic Fault Injection : How Faults Occur","author":"Mathieu Dumont","year":"2019"},{"key":"ref41:DBLP:conf\/ches\/LiSGFTO10","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"320","DOI":"10.1007\/978-3-642-15031-9_22","article-title":"Fault Sensitivity Analysis","volume":"6225","author":"Yang Li","year":"2010"},{"key":"ref42:DBLP:journals\/jce\/BaksiSS20","doi-asserted-by":"publisher","first-page":"355","DOI":"10.1007\/S13389-020-00224-9","article-title":"To infect or not to infect: a critical analysis of infective\n  countermeasures in fault attacks","volume":"10","author":"Anubhab Baksi","year":"2020","journal-title":"J. Cryptogr. Eng."},{"key":"ref43:DBLP:conf\/space\/HeBB16","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"27","DOI":"10.1007\/978-3-319-49445-6_2","article-title":"Cheap and Cheerful: A Low-Cost Digital Sensor for\n  Detecting Laser Fault Injection Attacks","volume":"10076","author":"Wei He","year":"2016"},{"key":"ref44:DBLP:conf\/isqed\/BreierBH17","doi-asserted-by":"publisher","first-page":"307","DOI":"10.1109\/ISQED.2017.7918333","article-title":"An electromagnetic fault injection sensor using Hogge\n  phase-detector","author":"Jakub Breier","year":"2017"},{"key":"ref45:DBLP:journals\/tcad\/EbrahimabadiMVGDDK24","doi-asserted-by":"publisher","first-page":"774","DOI":"10.1109\/TCAD.2023.3322623","article-title":"DELFINES: Detecting Laser Fault Injection Attacks via\n  Digital Sensors","volume":"43","author":"Mohammad Ebrahimabadi","year":"2024","journal-title":"IEEE Trans. Comput. Aided Des. Integr. Circuits Syst."},{"key":"ref46:DBLP:journals\/tches\/AskelandNN24","doi-asserted-by":"publisher","first-page":"157","DOI":"10.46586\/TCHES.V2024.I1.157-179","article-title":"Who Watches the Watchers: Attacking Glitch Detection\n  Circuits","volume":"2024","author":"Amund Askeland","year":"2024","journal-title":"IACR Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"ref47:opentitanalert","volume-title":"OpenTitan Alert Handler Technical Specification","author":"lowRISC"},{"key":"ref48:DBLP:conf\/fdtc\/AmielVFM07","doi-asserted-by":"publisher","first-page":"92","DOI":"10.1109\/FDTC.2007.4318989","article-title":"Passive and Active Combined Attacks: Combining Fault Attacks\n  and Side Channel Analysis","author":"Fr\u00e9d\u00e9ric Amiel","year":"2007"},{"key":"ref49:DBLP:conf\/cardis\/RocheLK11","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"65","DOI":"10.1007\/978-3-642-27257-8_5","article-title":"Combined Fault and Side-Channel Attack on Protected\n  Implementations of AES","volume":"7079","author":"Thomas Roche","year":"2011"}],"container-title":["IACR Communications in Cryptology"],"original-title":[],"language":"en","deposited":{"date-parts":[[2025,10,6]],"date-time":"2025-10-06T20:22:56Z","timestamp":1759782176000},"score":1,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/2\/3\/19"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,10,6]]},"references-count":49,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2025,10,6]]}},"URL":"https:\/\/doi.org\/10.62056\/an-49qxqi","archive":["Internet Archive","Internet Archive"],"relation":{},"ISSN":["3006-5496"],"issn-type":[{"value":"3006-5496","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,10,6]]},"assertion":[{"value":"2025-07-04","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-09-02","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc2-3-31"}}