Abstract

Fault-injection (FI) attacks exploit corrupted ciphertexts from cryptographic engines to extract secret keys. A single fault injected into the penultimate AES round using directed laser pulses or voltage/clock glitches corrupts 4 output bytes (Fig. 15.5.1), reducing the key search space to a single guess with differential fault analysis (DFA) on 8 exploitable ciphertexts. FI countermeasures using redundant concurrent/time-interleaved computations incur 2x area/performance overheads [1], [3]. Conventional linear parity checkers [2] provide insufficient fault coverage due to the non-linear characteristics of Sbox inverse operations. FI detection-based countermeasures employing source-specific detectors, such as substrate-current sensors [4] for laser attacks and frequency-locked loops [5] for clock glitches, are ineffective against generic FI attacks. In this paper, we present a source-agnostic FI-attack resistant AES-256 accelerator with $111\times$ and $10,000\times$ improvement in minimum-time-to-disclose (MTD) against laser and undervoltage attacks, respectively, compared to an unprotected AES engine. Arithmetic and parity-based checker circuits coupled with inverse and affine logic optimizations and byte-interleaved register placement enable 99.1% fault coverage against laser raster/box-scan injections (Fig. 15.5.1). Fine-grained placement of an all-digital laser detection circuit (LDC) within the AES core provides $13,400\times$ higher margin for raster-scan laser pulse detections. Undervoltage attacks on FI-resistant AES show a measured 99.99% fault detection coverage and a $40\text{mV}$ positive slack in checker datapath to capture undervoltage faults.
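The statement that linear parity checkers fall short across the Sbox inverse can be checked numerically. The sketch below is an added example, not code from the paper: it assumes a "linear parity checker" means any affine function of the input bits, and all function names are illustrative.

```python
# Added illustration: parity prediction is exact for the AES affine stage but
# cannot be done linearly across the GF(2^8) inversion inside the S-box.

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a):
    """Inverse as a^254 (since a^255 = 1); 0 maps to 0, as AES defines it."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def affine(b):
    """AES S-box affine stage applied after the field inversion."""
    return b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63

def parity(x):
    return bin(x).count("1") & 1

def affine_parity_preserved():
    """True if output parity of the affine stage equals input parity for all bytes."""
    return all(parity(affine(b)) == parity(b) for b in range(256))

def best_linear_agreement():
    """Best hit count (of 256 inputs) of any predictor parity(x & mask) ^ const
    against the true parity of gf_inv(x)."""
    inv = [gf_inv(x) for x in range(256)]
    best = 0
    for mask in range(256):
        hits = sum(parity(x & mask) == parity(inv[x]) for x in range(256))
        best = max(best, hits, 256 - hits)  # 256 - hits covers const = 1
    return best

def undetected_error_patterns():
    """Nonzero byte errors (even Hamming weight) invisible to one parity bit."""
    return sum(1 for e in range(1, 256) if parity(e) == 0)

if __name__ == "__main__":
    print("affine stage parity-predictable:", affine_parity_preserved())
    print("best linear predictor across inversion:", best_linear_agreement(), "/ 256")
    print("byte errors missed by one parity bit:", undetected_error_patterns(), "/ 255")
```

A predictor that is right on only 144 of 256 inputs cannot serve as a checker reference, and a single parity bit per byte misses every even-weight multi-bit error.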
