Differential fault analysis attack-tolerant hardware implementation of AES

Cryptographic circuits contain various confidential information and are susceptible to fraudulent manipulations, commonly called attacks, performed by ill-intentioned person. The primary goal of the attacker is to retrieve the sensitive information when the device is executing some task. One of the most efficient attack is Differential Fault Analysis attack that exploits the physical or implementation weakness of the device by injecting faults, for example with a laser beam, overheating, etc. AES is vulnerable against Differential Fault Analysis attack. The adversary can form a system of linear equations with a pair of ciphertexts to break AES cryptosystem. In the literature, it is shown that AES key can be recovered using this kind of fault attack with an exhaustive search of 2(32), which is further improved to 2(8). Using a 32 cores processor with 2.1 GHz clock speed each, the AES-128 key can be retrieved within 17.5 s. Ghosal et al. as reported by Ghosal (in: Yuan, Bai, Alcaraz, Majumdar (eds) International Conference on Network and System Security, Springer, Cham, 2022) propose an extra diffusion layer to AES cryptosystem, MixColumn-Plus, to strengthen the security of AES against such attack. With the addition of an extra diffusion layer, an attacker has to search exhaustively 2(84) keys. In this work, we propose another matrix for MixColumn-Plus and further, we implement MixColumnPlus layer with both matrices in hardware platform and compare the delay, LUT, gate count, frequency and execution time with original AES. The complexity of the byte fault attack is improved to 2(116) with the proposed matrix. The proposed hardware implementation of AES with MixColumn-Plus can be called as DFA attack-tolerant module.