Statistical Ineffective Fault Attacks
Introduction Demo: Ascon S-box Demo: Masked χ3 S-box Demo: AES key recovery Contact
Demo: Masked χ3 S-box

  1. Enter your S-box inputs (e.g., ****** for "uniformly random 6-bit values" or 00000* for {000000,000001})
  2. Select a wire you want to fault with a bitflip (orange)
  3. If we keep only values where the fault is ineffective, we learn the blue wires! In a masked implementation, we need to learn all shares of a variable, e.g., a0 and a1.
  4. Click to run and see in detail how well your fault can be exploited (high capacity and ineffectivity rate)
  5. Below you find details on the input/output distribution among ineffective faults – the individual shares (top, distribution per bit) as well as the native 3-bit words (bottom).
a0
a1
b0
b1
c0
c1
a0 a1 b0 b1 c0 c1T0T1T2T3 r0 r1 s0 s1 t0 t1
r0
r1
s0
s1
t0
t1
Capacity C(p, θ)
N/A
Ineffectivity rate π=
N/A
No ineffective input -> output mapping could be found!
Welcome

This is an exmplanation and DIY page for Statistical Ineffective Fault Attacks (SIFA)!

Do you want to know how to recover some AES key using SIFA?



Do you want to see the effect of SIFA by trying different fault positions on S-boxes?



Nice! Then let's move to some device with a screen bigger than 769px!

See you there!