A Provably Secure Scheme to Prevent Master Key Recovery by Fault Attack on AES Hardware

We explore a relatively lightweight scheme to prevent key recovery by fault attacks on the advanced encryption standard (AES) cipher. We employ a transformed key (derived from the original key through a nonlinear and possibly one-way mapping) for AES encryption hardware. The mapping combines processing using a pseudorandom bitstream generator (the keystream generator of the Grain-128a stream cipher), followed by a self-shrinking generator (SSG). We provide formal proof of security of the scheme, based on the assumed difficulty of inverting the output of the proposed key transformer. The design of the key transformer ensures that it is itself resistant to fault-attack. Our scheme requires a 96-bit secret initial value (IV), a one-time initial latency (approximately 256 clock cycles for a 128-bit key) of generating the transformed key, and a key transformation layer. However, the core AES hardware is left unchanged. We present hardware platform-based experimental results for an FPGA implementation, which incurs less hardware overhead than previously proposed fault attack prevention/detection schemes.