Fig. 11.4 Transformations involved in one typical round of encryption of AES
Another variant of robust codes is the multilinear code. Multilinear codes are based
on randomly selecting a linear code from a set of linear codes for each encoding and
the corresponding decoding operation. The proposed method can achieve as small
a number of undetectable errors as classical robust codes while requiring much less
hardware overhead. Constructions of algebraic and arithmetic multilinear codes and
the applications of these codes for the protection of multipliers, lazy channels and
finite state machines can be found in [412, 413, 416].
11.6 Secure AES Architectures Based on Nonlinear Codes
In this section, we discuss the protection of the data path of AES devices based on
nonlinear codes. The key expansion block can be protected in a similar way. For a
discussion on the protection of the control circuit of the system (e.g. Finite State
Machines, State Registers), please refer to Sect. 11.7.
Encryption in AES-128 (AES with a 128-bit key) involves performing ten rounds
of transformations on a block of 128 bits, with the last round having one less
transformation and with the first round being preceded by a round key addition. (The
complete AES specification can be found in [142].) In each of the nine typical rounds
there are four transformations: SubBytes (SBox), ShiftRows, MixColumns, and
AddRoundKey. The last round differs from the rest in that it does not contain the
MixColumns transformation. The SBox transformation actually involves two operations:
inversion in GF(2^8) followed by an affine transform, which involves a matrix
multiplication over GF(2) followed by the addition of a constant vector. With the
exception of inversion, all other transformations and operations are linear (Fig. 11.4),
i.e. they can be implemented using XOR gates only.
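The SBox decomposition described above, as an added example that is not part of the book: the byte is inverted in GF(2^8), then passed through the GF(2) matrix multiplication and the constant 0x63 is added. A brute-force check over all byte pairs confirms that the matrix part respects XOR (so it can be built from XOR gates alone) while the inversion does not. The function names are the example's own.

```python
"""AES SubBytes split into its nonlinear (GF(2^8) inversion) and linear (GF(2) affine) parts."""


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B  # reduce by the AES polynomial
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (a^(2^8 - 2)); 0 maps to 0 by AES convention."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


# Precomputed inversion table, so the linearity check below stays cheap.
INV_TABLE = [gf_inv(x) for x in range(256)]


def rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF


def affine_matrix(x: int) -> int:
    """The GF(2) matrix multiplication of the affine step: each output bit is an XOR of input bits."""
    return x ^ rotl8(x, 1) ^ rotl8(x, 2) ^ rotl8(x, 3) ^ rotl8(x, 4)


def sbox(x: int) -> int:
    """Full SubBytes: inversion, then matrix multiplication, then addition of the constant 0x63."""
    return affine_matrix(INV_TABLE[x]) ^ 0x63


def is_gf2_linear(f) -> bool:
    """True iff f(a ^ b) == f(a) ^ f(b) for every byte pair, i.e. f is implementable with XOR gates only."""
    return all(f(a ^ b) == f(a) ^ f(b) for a in range(256) for b in range(256))


def sbox_is_permutation() -> bool:
    return len({sbox(x) for x in range(256)}) == 256
```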
When considering only one round, the 128-bit data path can be divided into four
identical independent 32-bit sections. Furthermore, in each of the four partitions
the nonlinear inversion is performed on an eight-bit data block. Thus, the nonlinear