How to Easily Hack a Crypto Algorithm with Induction Probes
Two Circuits, Two Capacitors: One Couple Capacitor to Master Them All
Induction probes serve as invaluable instruments for hardware hacking (as we have already shown here), specifically through a specialized form of fault injection. Unlike traditional methods that rely on manipulating supply current or voltage, these probes use a focused electromagnetic (EM) pulse to disturb targeted hardware components for the purposes of tampering, analysis, or reverse engineering.
As illustrated in the figure below, there are two primary circuit configurations for constructing such EM or inductance probes: the Direct-Drive Probe Circuit and the Coupled Probe Circuit. Both configurations use capacitors as energy storage elements to fuel the EM pulse generation, but they differ in their complexity and applications, as we will now see.
In the Direct-Drive Probe Circuit, the sole energy reservoir is a bank capacitor. This setup is both straightforward and versatile, engineered for the rapid generation and delivery of pulses. The bank capacitor accumulates energy from a DC source and swiftly discharges it upon triggering, thereby generating a high-voltage EM pulse. This makes the Direct-Drive Probe Circuit especially well-suited for applications that demand quick and straightforward fault injections. It's important to note that the gate of the MOSFET is connected to both the positive trigger and a pull-down resistor. This ensures that the gate is consistently set to zero when the trigger is inactive, thereby preventing any undesirable charge flow.
In the Coupled Probe Circuit, both a bank capacitor and—crucially—a coupling capacitor are incorporated. The bank capacitor performs the same role as in the Direct-Drive configuration, storing energy for rapid discharge. The coupling capacitor, on the other hand, acts as a filter, allowing only AC-like voltage signals to pass while blocking DC. But how is this possible when the circuit's only source is DC? The answer lies in the multi-step discharge process of the pulse:
1. Charge Phase: The capacitor bank is charged to a predetermined voltage level by the DC source.
2. Discharge Phase: Upon triggering, the capacitor bank rapidly discharges through the MOSFET, generating a high-voltage pulse.
3. AC-like Voltage Signal: The swift discharge results in a sudden voltage change, forming a pulse. This pulse is not a constant DC level but rather a quick rise and fall in voltage.
This rapid voltage fluctuation mimics an AC-like voltage signal for the brief duration of the pulse. This is why the Coupling Capacitor (CC) is essential; it allows this pulse, which behaves like an AC-like voltage signal, to pass through to the inductance probe while effectively blocking any DC components.
The Grand Finale: A Symphony of Frequencies (showcasing a real scenario)
Now, let's add another layer of complexity using a musical analogy to better understand the role of the Coupling Capacitor (CC) and the generation of AC voltage in a circuit sourced by DC: Fourier Analysis. Imagine Fourier Analysis as the music theory that dissects a complex symphony into its individual notes and rhythms. In the world of circuits, just as Fourier Analysis helps us understand how a simple 10V pulse can be broken down into its fundamental frequency components, the Coupling Capacitor (CC) serves as a critical filter that allows only these AC-like voltage components to pass through while blocking any DC elements.
RMS Voltage in Coupled Probe Circuit
When we apply Fourier Analysis to a 100V peak pulse (typically, we would use a range of 60V-350V and current from 1A-15A), we discover that it has significant frequency components starting at 100 MHz and its harmonics. The RMS (Root Mean Square) voltage of the original pulse would be about 70.7V, calculated as 100V divided by the square root of 2. The Coupling Capacitor (CC) comes into play here by allowing these high-frequency AC-like voltage components to pass while blocking the DC elements.
Assuming the pulse energy is split equally across three frequency components, their individual RMS voltages would be around 40.8V, calculated as 70.7V divided by the square root of 3. The total RMS voltage of the AC pulse would then be approximately 70.7V, calculated as the square root of the sum of the squares of these individual RMS voltages.
Real-World Example
1. Define the Pulse Function: Imagine a pulse that goes up to 100 volts and lasts for 10-20 ns.
2. Fourier Transform: Using software like MATLAB or Python libraries, we find that this pulse has significant frequency components starting at 100 MHz and its harmonics.
3. Identify AC and DC Components: The DC component is the average value of the pulse, which is 100V for that 10-20 ns duration. The AC components are the significant frequencies we found.
4. Coupling Capacitor (CC): Let's say we have a coupling capacitor of 10 microfarad. The cutoff frequency for this capacitor is much higher than our significant frequencies, allowing these high-frequency AC components to pass through.
5. Final Output: The output at the probe will contain these high-frequency AC components, while the DC component will be blocked by the coupling capacitor.
In this real-world example, the 100V pulse is transformed into its high-frequency AC components, which are then allowed to pass through the coupling capacitor to the probe, effectively filtering out the DC component.
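The five steps above, and the RMS-from-components calculation of the previous section, carried out in code. This is an added example, not code from the original article: the pulse is a constructed 100 V, 15 ns rectangle in a 100 ns window, the coupling capacitor is the 10 microfarad value from the text, and the 50 ohm load resistance that sets the high-pass corner is an assumption.

```python
import cmath
import math

# Constructed illustrative pulse (not a measurement): 100 V rectangular, 15 ns
# wide, in a 100 ns window at 2 GS/s, so DFT bins are 10 MHz apart (bin 10 = 100 MHz).
FS, N = 2e9, 200          # sample rate (Hz), samples per window
V_PEAK, T_PULSE = 100.0, 15e-9
C_COUPLE = 10e-6          # coupling capacitor value from the text, F
R_LOAD = 50.0             # ASSUMED load resistance after the capacitor, ohms

def pulse_samples():
    return [V_PEAK if k / FS < T_PULSE else 0.0 for k in range(N)]

def dft(x):
    """Plain O(N^2) DFT using only the standard library."""
    n = len(x)
    return [sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
            for k in range(n)]

def idft(X):
    n = len(X)
    return [sum(X[k] * cmath.exp(2j * math.pi * k * t / n) for k in range(n)).real / n
            for t in range(n)]

def single_sided_amplitudes(X):
    """(DC value, {frequency_hz: peak amplitude}) for bins 1 .. N/2-1."""
    n = len(X)
    return X[0].real / n, {k * FS / n: 2 * abs(X[k]) / n for k in range(1, n // 2)}

def coupling_gain(f_hz, r=R_LOAD, c=C_COUPLE):
    """|H(f)| of the RC high-pass formed by the coupling capacitor and the load:
    |H(0)| = 0 (DC blocked); above fc = 1/(2*pi*R*C) the gain approaches 1."""
    fc = 1.0 / (2 * math.pi * r * c)
    return f_hz / math.hypot(f_hz, fc)

def apply_coupling_capacitor(x):
    """Scale every DFT bin by |H(f)| and return the filtered time-domain pulse."""
    n = len(x)
    X = dft(x)
    return idft([X[k] * coupling_gain(min(k, n - k) * FS / n) for k in range(n)])

def rms_time(x):
    return math.sqrt(sum(v * v for v in x) / len(x))

def rms_from_spectrum(dc, amps):
    """Root of the sum of squares of per-component RMS values (sinusoid: A/sqrt 2)."""
    return math.sqrt(dc ** 2 + sum(a * a / 2 for a in amps.values()))
```

Calling `single_sided_amplitudes(dft(pulse_samples()))` gives the DC value and the per-frequency amplitudes of the pulse; running the same on `apply_coupling_capacitor(pulse_samples())` shows the DC term removed while the 100 MHz bin passes essentially unchanged, and `rms_from_spectrum` reproduces `rms_time` (Parseval) for both.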
Senior Advisory Services Expert
1 year ago: Check out this one, certainly will build it once, super cool. Then coupled to a SDR gen your special waveforms .... naaa not bad. Link here https://github.com/newaetech/chipshouter-picoemp