&&|&&&&|&&&&|&&
The products search:Product category
Silicone Rubber SeriesXL-PE Lead WireFlat Cable (LSZH)Jacketed Cable (LSZH)XL-PVC Lead WirePVC Flat CablePVC Lead WireTPU cableJacketed CableFR-PE CablePUR CableSpiral CablePower cableComputer cableTPE cableMPPE-PE cableTeflon wire
Product category
Contact Us
+86-769-+86-769-+86-769-
+86-769-+86-769-
Baisha Yicun Industrial District, Humen, Dongguan, Guangdong, China, Zip Code 523912
Mr. Hugo Lau
WenChang――Environmental Production
Nowadays, envrionmental production is the most improtant action in the world. It’s our duty to carry out the green environmental protection and refuse to use the prohibited substances. It’s our mission to promote envrionmental protection and protect the earth. Responsing to the requirements of the environmental organizations all over the world, all...
WenChang――Certifications
With the high technical expertise on wire and cable and the excellent product quality, we have gained the certifications of America UL,
Canada CSA, ISO qulity management systems and HSPMQC080000 hazardous substances management system. We have our own brand on the market and we are one of the largest companies which get certified in th...
WenChang――Welfare
Wechang is the second home for every employee. We freely provide employees with meals and accommodation. Each dormitory has separate bathroom, washroom and balcony to insure employee feel at ease.
In order to enrich our employees’ leisure life, we are doing our best to improve campany culture and entertainment facilities.By now, we have built ente...39Low Voltage Fault Attacks-第2页
上亿文档资料，等你来发现
39Low Voltage Fault Attacks-2
tomaintaincoherencebetwe；Itiseasilypossibletogene；Data:t=?log2?(n)?,c=memo；c=me?2modn,?∈[0,t?1]:?xe；position.；1begin；2m?←c??c?1modn/*m?←m2mod；/*a=memod2modn,emod2?&lt；ns；13ys←y2mod
tomaintaincoherencebetweenthestoredvalueoftheyexponenteysandtheactualexponentofy,weneedtosquareacorrectnumberoftimes(line13).UsingthistechniquewereducethenumberofsubtractionstoO(log2e)thusmakingcomputationallyfeasibletheretrievalofthemessage.Thischainofsubtractionswilleventuallyleadtotherecoveryofthemessagesincethepossiblevaluesgeneratedfortheexponentarestrictlydecreasingandbelongtothesubgroup(??gcd(e,2?)??,+)over(Z?(n),+)therefore,beingeand2?coprime,wewillsurelygenerate1.Itiseasilypossibletogeneralizethealgorithmassumingthepositionofthefaultiscompletelyunknownbut?xed.InthiscasetheAlgorithmIV.1hastoberunatmostt=?log2?(n)?timesinordertocheckallpossiblefaultlocations.AlgorithmIV.1:PLAINTEXTRETRIEVALInput:c,??c,kpub=(n,e),?Output:m:potentialplaintextData:t=?log2?(n)?,c=memodn,?c=me?2modn,?∈[0,t?1]:?xedfault??position.1begin?2m?←c??c?1modn/*m?←m2modn*/3a,b←??c,m?4forj←?+1tot?1do5b←b2modn6ifej=1then7a←ab?1modn?/*a=memod2modn,emod2?&?(n)*/8x,y←m?,a9ex,ey←2?,emod2?10ez←ex/ey/*integerdivision*/11whileez=1do12eys,ns←ALIGNEXP(ex,ey)ns13ys←y2modn?114z←xysmodn15ez←ex?eys16ifez&eythen17x,y←y,x18ex,ey←ey,ex19returnz20endC.SecretKeyExtractionAttackThetargetofthisattackistoretrievetheprivateexponentdwhenthedeviceissigningmessageswithanRSAimplemen-tationperformingtheexponentiationthroughplainsquare-and-multiply.Theattackscenarioistheoneinwhichtheattackerhasaccesstoadecryptingdeviceandisallowedtochoosearbitraryciphertextstobefedwhileinjectingfaults.Thekeypointsofthisattackaresketchedin[14],whereitisassumedagenericfaulthypothesiswhichiscompliantwithourfaultmodel.Thefaultmodelusedinthiscontextistheoneconcerningtheswapofinstructionswithsiinparticular,ourpurposeistoexploitthesubstitutionofthenotequalconditionintheinstructionopcodewithanequalcondition.Inthefollowingcodesnippetisreportedanexampleofthechecksectionoftheleft-to-rightsquare-and-multiplyexponentiationusedinordertoperformanRSAsignature://intheS&Mloop...MOVr2,#0//loadconstantvalue0CMPr1,r2//comparewithexponentbitBNEMULT//branchtomultiplysection...Everytimethefault?ipstheconditioncheckedbythebranchinstructioninthecode,theeffectontheresultisthesameofabit?ipinthevalueofd.Thereforetherearetwopos-?siblevaluesforthecorruptedsignatures??:s??=sd?2modn?ors??=sd+2modndependingonwhetherthevaluethatthecheckmisjudgedisazerooraone.InordertodiscoverboththepositionandtheeffectofthefaultitispossibletousethemethoddescribedinAl-gorithmIV.2.Thekeyideaistousethefaultysignaturetoextracttheinformationonthesecretexponentonebitatatime.Firstofall,itisnecessarytoprecomputealookuptable,A,ofiallthevaluesAi=m2modnfori∈[0,t?1]andstoreit.Sincethevalues/s??modnors??/smodnmaybe2?equaltommodndependingonwhethera?ipdownora?ipupoccurred,itispossibletosearchbothvaluesintheprecomputedtable.Ifoneofthetwovaluesmatchesanentry,webothknowthepositionofthefaultandthevalueofthebitoftheexponentd.Thisprocedurecanbeiterateduntilareasonablenumberofbitsoftheexponentisknown.Inordertogiveaquanti?cationofthenumberoffaultsAlgorithmIV.2:SECRETKEYRETRIEVALInput:m,s,kpub=(n,e)Output:d=??dt?1,dt?2,...,d1,d0??:recoveredsecretkeyData:t=?log2?(n)?,R=tln(t+1)iA=???i∈[0,t?1],Ai=m2modn??1begin2fori←0tot?1do3di←NIL4fori←0toR?1do5s??←FAULTYSIGN(m)6fori←0tot?1do7ifss???1modn=Aithen8di←1/*flipdown*/9break10ifs??s?1modn=Aithen11di←0/*flipup*/12break13returnd14endneededtodiscoverthevalueoftunknownbitsweconsiderarandomvariableXcountinghowmanyfaultsareinjectedinarununtilallthebitshavebeenhitandaimat?ndingitsexpectedvalue.LetXjdenotetherandomvariablecountingthenumberofinjectedfaultsneededtocoverthej+1-thbitassumingthatalltheothersuptothej-tharecovered.TherandomvariableXjfollowsageometricdistributionjwithparametert?t.Therefore,theprobabilitythat,afterkinjections,anuntouchedbitgetshitataj+1-thposition??j??k?1j.TheexpectedisgivenbyProb(Xj=k)=t?tttvalueofXjisE[Xj]=t?j.SincetheoriginalXisactually??t?1X=j=0Xj,itispossibletomodeltheexpectedvalueof??1XasE[X]=ttj=1j≤tln(t+1).ThisgivesusanaveragenumberoffaultsR=tln(t+1)tobeinjectedsuccessfullyinordertoretrieveallbits.Theattackmayberunuptothecompletediscoveryofallthebitsofdoruntilwhenthepossiblevaluesoftheexponentarefewenoughtobecheckedthroughbruteforce.V.EXPERIMENTALRESULTSAfterproposingafaultmodelbackedbyexperimentalcon?rmationsanddelineatinganumberofattacksexploitingit,thissectionpresentstheresultsoftheexperimentalcampaignconductedinordertoassessthepracticalfeasibilityoftheBellcoreande-throotextractionattack.WedelegatetoafuturedevelopmenttheexperimentalrealizationofthesecretkeyretrievalattackreportedinSectionIV-Cduetothelongtimesinvolvedinreproducingsigni?cantinstancesofthefault.A.BellcoreAttackEvaluationThe?rstcampaignwasconductedtoexplorethefeasibilityoftheattacktotheCRTbasedversionofRSA.Theem-ployedC-codeimplementsRSAusingMontgomeryMulti-plication[15]andperformsthetwoexponentiationsneededbytheCRTthroughplainsquare-and-multiplyfollowingthealgorithmdelineatedinSectionIV-A.Noneofthecounter-measuresknownintheliteraturewereenabled[16],[17].Ina?rstphase,thewholealgorithmisruninacontinuousloopinordertodeterminethevoltagepointatwhichthefaultsbegintoappear.Thisallowsustotunetheinducednumberoffaultstoasingleoneperalgorithmrun.Oncethecorrectvoltagepointhasbeendetermined,weranthreeexperimentalcampaignsof10000runseachtocomputeRSAsignatureswithmodulussizes:512,bitsrespectively.Thebinarycodewasdirectlyloadedontheplat-formthroughtheU-Bootembeddedbootloader,thusrunningwithoutanyunderlyingoperatingsystem.ThedatacacheoftheARM9microprocessorwasdisabledforthewholedurationoftheseexperiments.Subsequently,allthefaultycomputationresultswerecollectedandthegcdbetweenthemandthemoduluswascomputedtoretrieveoneofthetwofactors.TableIshowsthepercentageofexploitablefaultsobtainedduringthecampaign.Asexpected,thenumberofinjectedfaultsgrowswiththesizeofthemodulussincethenumberofloadoperationsemployedincreases.Forlargemodulussizes,theexploitablefaultsrepresentthevastmajorityoftheTableIPERCENTAGESOFINJECTEDFAULTSOVER10000RUNS,WITHOUTANYUNDERLYINGOS.THEFIRSTCOLUMNSHOWSTHEPERCENTAGEOFINJECTEDFAULTSDURINGRSA-CRTCOMPUTATIONS,WHILETHESECONDCOLUMNREPORTSTHENUMBEROFFAULTSEXPLOITEDTOFACTORTHEMODULUS.ModuleSizeFaultedRSAComputations7%12%25%ExploitableFaults3%8%19%occourredfaultssincethemodularexponentiationrequiresagreaternumberofloadoperationsduetotheincreasednumberofmultipleprecisionmultiplicationoperations.Willingtoinvestigateascenarioclosertoarealworldimplementation,wedecidedtomountanattackwhilerunningthebinaryoverafull?edgedLinux2.6.15kernel,enablingthe16KiBdatacacheembeddedintheARM9microprocessor.TableIIshowstheresultsoftheattack.CoherentlywiththeTableIIPERCENTAGESOFINJECTEDFAULTSOVER10000RUNS,RUNNINGONLINUX2.6.15.THEFIRSTCOLUMNSHOWSTHEPERCENTAGEOFINJECTEDFAULTSDURINGRSA-CRTCOMPUTATIONS,WHILETHESECONDCOLUMNREPORTSTHENUMBEROFFAULTSEXPLOITEDTOFACTORTHEMODULUS.ModuleSizeFaultedRSAComputations6.6%5.4%39%ExploitableFaults4.6%5.0%39%previousresults,thegapbetweentheinjectedandexploitablefaultsclosesasthemodulesizegrows.Thesteepincreaseinthesuccessrateoftheattackwhenmovingupfrombitofmodulussizemaybeascribedtothelapsingoftheeffectivenessofdatacache,whichinturnforcestheCPUtoloadtherequiredvaluesfromthemainmemory,thusraisingthefaultoccurrencerate.Theratesofsuccessfulattacksforthe2048bitmodulusareevenhigherthanthepreviousexperimentwherenooperatingsystemwaspresent.Thisistobeascribedtothefrequentregisterspilloperationsforcedbythemulti-taskingoperatingsystem,whichleadtoextraloadoperationsofthevalueselaboratedinthealgorithm.InordertoevaluateawellknownandwidespreadopensourceimplementationofRSA,wedecidedtomountthelastvoltageunderfeedingattacktoRSA-CRTusingOpenSSL0.9.1i[18]ontheprevioustestset.Intheattackedimplemen-tationbothmessageblindingandsignatureveri?cationattackcountermeasuresweredisabled.Thesigni?cantdifferencebetweentheresultsinTableIIIandthepreviousonesliesinthefactthattheOpenSSLlibraryhasamorefaultsensitiveinternalstructureduetoadeeperlayeringoftheencryptionprimitivecalls.TheresultshowninthissectionprovethatourfaultmodelispracticallyviableinordertosuccessfullydelivertheBellcoreattackwithareasonablenumberofinducedfaults.ThevastexperimentalcampaigndemonstratesthefeasibilityonawidelydeployedplatformconstitutedbyLinuxrunningTableIIIPERCENTAGESOFINJECTEDFAULTSOVER10000RUNS,RUNNINGONLINUX2.6.15.THEFIRSTCOLUMNSHOWSTHEPERCENTAGEOFINJECTEDFAULTSDURINGOPENSSLRSA-CRTCOMPUTATIONS,WHILETHESECONDCOLUMNREPORTSTHENUMBEROFFAULTSEXPLOITEDTOFACTORTHEMODULUS.thattheattackisfeasibleinpractice.Theworstcaserecoverytimedoesnotexceed5minutesandtheaveragenumberofrequiredfaultsisnotgreaterthan5,sinceasingleexploitablefaultleadstotherecoveryofthewholeencipheredmessage.VI.CONCLUSIONInthispaperwehavepresentedanewfaultinjectionmodelrelyingonconstantlyunderfeedingageneralpurposemicroprocessor.Wehavecharacterizedinfullthenewtypeofinducedfaultsinbothpositionandcorruptionpatterns,splittingtheeffectsintotwoclasses:datacorruptionsandinstructionswaps.Themostappealingfeaturesofthemodelarethecheapness,theeaseofinductionandtheabsenceofforecominghurdlesboundtotheevolutionofthechipbuildingtechniques.TheexperimentalcampaignconductedprovedthatourfaultmodelispracticallyviableinordertosuccessfullymountboththeBellcoreandthee-throotextractionattackswithareasonablenumberofinducedfaults.Weforeseeasfuturedevelopmentsinthis?eldthepracticalimplementationofthesecretkeyextractionattack,theevaluationoftheimplementativecostofthepossiblecountermeasuresrequiredtothwartthisattackandtheevaluationoftheeffectivenessoftheexistingones.AnotherinterestingdirectionofresearchisrepresentedbytheapplicationofthisfaultmodeltodifferentcryptographicprimitivessuchasAESandpairingalgorithms.ACKNOWLEDGEMENTSThisworkwaspartiallysupportedbyMIURintheframe-workofthePRINSESAMEproject.REFERENCES[1]H.Bar-El,H.Choukri,D.Naccache,M.Tunstall,andC.Whelan,“TheSorcerer’sApprenticeGuidetoFaultAttacks,”ProceedingsoftheIEEE,vol.94,no.2,pp.370C382,Feb.2006.[2]S.P.SkorobogatovandR.J.Anderson,“OpticalFaultInductionAttacks,”inCHES,ser.LectureNotesinComputerScience,B.S.K.Jr.,C?etinKayaKoc?,andC.Paar,Eds.,vol.2523.Springer,2002,pp.2C12.[3]J.-M.SchmidtandM.Hutter,“OpticalandEMFault-AttacksonCRT-basedRSA:ConcreteResults,”inAustrochip2007,15thAustrianWorkhoponMicroelectronics,11October2007,Graz,Austria,Pro-ceedings,J.W.KarlC.Posch,Ed.VerlagderTechnischenUniversit¨atGraz,2007,pp.61C67.[4]J.-M.SchmidtandC.Herbst,“APracticalFaultAttackonSquareandMultiply,”FDTC,vol.0,pp.53C58,2008.[5]N.Selmane,S.Guilley,andJ.-L.Danger,“PracticalSetupTimeViola-tionAttacksonAES,”inEDCC-7’08:Proceedingsofthe2008SeventhEuropeanDependableComputingConference.Washington,DC,USA:IEEEComputerSociety,2008,pp.91C96.[6]G.PiretandJ.-J.Quisquater,“ADifferentialFaultAttackTechniqueagainstSPNStructures,withApplicationtotheAESandKHAZAD,”inCHES,ser.LectureNotesinComputerScience,C.D.Walter,C?etinKayaKoc?,andC.Paar,Eds.,vol.2779.Springer,2003,pp.77C88.[7]F.Amiel,C.Clavier,andM.Tunstall,“Faultanalysisofdpa-resistantal-gorithms,”inFDTC,ser.LectureNotesinComputerScience,L.Breveg-lieri,I.Koren,D.Naccache,andJ.-P.Seifert,Eds.,vol.4236.Springer,2006,pp.223C236.[8]ARM,“ARM9FamilyofGeneral-PurposeMicroproces-sors,ARM926EJ-STechnicalReferenceManual.”[Online].Available:/help/topic/com.arm.doc.ddi0198e/DDI0198Earm926ejsr0p5trm.pdf[9]STMicroelectronics,“SPEArHead200,ARM926,200kCustomiz-ableeASICGates,LargeIPPortfolioSoC,”May2009.[Online].Available:/stonline/products/literature/bd/14388/spear-09-h042.htmModuleSizeFaultedRSAComputations7.27%4.4%13.27%ExploitableFaults6.77%4.2%11.73%onanARM9microprocessor.B.Evaluationofthee-thRootExtractionAttackThesecondexperimentalcampaignwasconductedinordertoascertainthepossibilityofextractingthemessagefromaci-phertextthroughthetechniquedescribedinSectionIV-B.Theplatformusedfortheexperimentwasthesameemployedforthesecondexperimentoftheprevioussection,thatisaC-codeimplementationofRSAbasedonMontgomeryMultiplicationrunningonLinux2.6.15.Thistime,thealgorithmemployedwasaplainsquare-and-multiplymodularexponentiationusedtoencryptamessagewithafullsizedpublicexponente.Foreachcomputation,theinputmessagewasmappedintotheMontgomerydomainbeforetheexponentiationandwasmappedbackattheendofthecomputation.Consideringmodulussizesof512,1024,and2048bitsrespectively,weunderfedthesupplypowerlineoftheARM9microprocessorandcompletedforeachofthemanexperi-mentalsessionwith1000faultyrunsoftheRSAencryptionprimitive.LetT=4?log2e?/wbethenumberofpossiblepositionsofafaultinjectedinthepublicexponente,wherewisthewordlengthofthemicroprocessor(i.e.32bit).Theconstantfactor4wasduetothefourpossiblydifferentalignmentsoftheexponenteinthemainmemorycausedbythecompiler.Foreachrun,weneededtoiteratetheplaintextretrievalalgorithm(AlgorithmIV.1)atmostTtimesandcheckthroughre-exponentiationiftheretrievedmessagewascorrect.Inthiswayallthefaultyciphertextsgeneratedbyerrorswhichdidnotaltertheexponentwereeasilyrecognized.TableIVshowsinthe?rstcolumnthepercentageofexploitablefaultycomputationsoutof1000faultyrunsoftheRSAencryptionprimitive.ThesecondcolumnreportsthetimeneededtoexecuteasinglerunofAlgorithmIV.1onanIntelCore2QuadE6600clockedat2.4GHz.TableIVROOTEXTRACTIONSUCCESSRATEOVER10000INJECTEDFAULTSModulusExploitableFaults62.77%20.23%36.42%SingleCheckandRetrievalTime0.263s3.sTakingintoaccountthehighsuccesspercentagesshowninthetabletogetherwiththelowcomputationtimeswestate[10]W.D.etal.,“DasU-bootBootloader,”May2009.[Online].Available:http://www.denx.de/wiki/U-Boot[11]D.Boneh,R.A.DeMillo,andR.J.Lipton,“OntheImportanceofCheckingCryptographicProtocolsforFaults(ExtendedAbstract),”inEUROCRYPT,1997,pp.37C51.[12]A.K.Lenstra,“MemoonRSASignatureGenerationinthePresenceofFaults,”September1996.[13]V.Shoup,“AproposalforanISO-StandardforPublicKeyEncryption(version2.1),manuscript,”December2001.[Online].Available:http://shoup.net/papers/[14]F.Bao,R.H.Deng,Y.Han,A.B.Jeng,A.D.Narasimhalu,andT.-H.Ngair,“BreakingPublicKeyCryptosystemsonTamperResistantDevicesinthePresenceofTransientFaults,”inProceedingsofthe5thInternationalWorkshoponSecurityProtocols.London,UK:Springer-Verlag,1998,pp.115C124.[15]P.L.Montgomery,“ModularMultiplicationWithoutTrialDivision,”MathematicsofComputation,vol.44,no.170,pp.519C521,1985.[Online].Available:http://www.jstor.org/stable/2007970[16]C.H.KimandJ.-J.Quisquater,“Howcanweovercomebothsidechan-nelanalysisandfaultattacksonRSA-CRT?”inFDTC’07:ProceedingsoftheWorkshoponFaultDiagnosisandToleranceinCryptography.Washington,DC,USA:IEEEComputerSociety,2007,pp.21C29.[17]R.B.Rsa,M.Ciet,andM.Joye,“PracticalFaultCountermeasuresforChinese,”inInProc.FDTC,2005,pp.124C131.[18]M.J.Cox,R.S.Engelschall,S.Henson,andB.Laurie,“TheOpenSSLProject,”May2009.[Online].Available:http://www.openssl.org/包含各类专业文献、外语学习资料、生活休闲娱乐、专业论文、中学教育、文学作品欣赏、39Low Voltage Fault Attacks等内容。　
　Fault SFC 21-FPP High Voltage Fault SFC 22-FPP Low Voltage Fault SFC 23-MAT High Voltage Fault 氧传感器感应单元失败 电子油门踏板反馈电压高 电子油门... 　voltage low) 全程调速传感器输入电压偏高(VSG sensor input voltage high) 冷却...fault) 电脑非易变记忆装置故障(ECM non volatile memory fault) 车速传感器故障... 　low voltage fault value AC0 is AC187V ~ 220V 2 mains voltage failure value AC242V AC220 ~ 286V Fault value of the three mains high frequency 52HZ ... 　Low Voltage FAULT Output High Voltage FAULT Output Low Voltage BIAS GENERATOR Minimum Bias Current Maximum Bias Current 11 +0.8 12.7 +3 10 3.0V to ... 　(LOW DC VOLTAGE) 报警 直流电压过高(HIGH DC VOLTAGE) 报警 蓄电池弱电(WEAK...(CUSTOMER FAULT 1*) 报警/停机 接地故障*(GROUND FAULT*) 报警/停机 油箱... 　teristicwhichdependsonthetemperatureoronthevoltage.Due...fault attackscanalsobeusedtoavoidthestorageofvaria...[1]R.J.AndersonandM.G.Kuhn.LowCostAttackson... 　voltage caused by a fault and damaged electronic ...attacks sensors, sensors along the over-voltage ...Equipment insulation tolerance level is very low. ... 　 the supply voltage is too high or too low and the lightning attacks ...fault and timely protection, reducing the maximum effect on people's daily ... 　fault 处理焊接故障 03 Hold 05 Cycles 维持 05 周 55 Turn off Valve #1 ...Low Voltage 驱动器低电压 Inverter System Failure 逆变器故障 Illegal Power ...大家都在背：
1. We have also given the equivalent circuit of on - resistance and compute method.
本文也给出了导通电阻的等效电路及计算方法.
来自互联网
2. Features: High VEBO, high reverse hFE, low on resistance.
特点: E-B 反向击穿电压高,反向放大高, 导通电阻低.
来自互联网
3. Power MOSFETS on - resistance will have a ve temp coef and not + ve at low current levels.
功率MOSFETS 导通电阻 有负温度系数,小电流时有正系数.
来自互联网
4. This structure is suitable for breakdown voltage below 300 V to obtain ultra - low specific on - resistance.
在此基础上,推出了为获得击穿电压和比导通电阻最好折中的优化条件.
来自互联网
理想的PN结在正向导通后应该是没有电阻的，而实际的PN结比如二极管受材料、工艺的影响，在导通时实际上两端还有一个电阻，这个电阻一般在几欧到几十欧之间，被称为导通电阻。
本内容来源于
以上内容来自百度百科平台，由百度百科网友创作。
0){var rand = parseInt(Math.random() * (000)+100000);top.location.href='/'+encodeURIComponent(document.getElementById('s').value.trim().replace( / /g, '_'))+'?renovate='+}else{top.location.href='/'+encodeURIComponent(document.getElementById('s').value.trim().replace( / /g, '_'));};}" action="/">
查过的词自动加入生词本
Tip：此功能设置只能在登录状态下生效
需要改进的内容：
单词大小写
其他（请在下面补充描述）
错误描述：
您还可在这里补充说明下 O(∩_∩)O~
方便的话，请您留下一种联系方式，便于问题的解决：