Fig. 11.5 The nonlinear portion of one round can be separated into 16 identical independent blocks. The linear portion can be separated into 4 identical independent blocks.

section is composed of 16 disjoint blocks and the linear portion is composed of four identical disjoint blocks (Fig. 11.5).
Based on this partitioning, redundant protection hardware can be designed for
each of the two types of blocks. The details of each block as a method of protection
are discussed in the next section.
11.6.1 Protection of the Nonlinear Block of AES
The nonlinear block performs an inversion in GF(2^8). Since 0 does not have an inverse, it is defined that the result of the inverse operation on 0 is 0.

Let x be the input to the nonlinear block. The fault detection circuitry for the nonlinear block can be based on multiplication in GF(2^8) of the input and output vectors to verify the condition (Fig. 11.6)

$$x \cdot x^{-1} = \begin{cases} 00000001 & \text{if } x \neq 0, \\ 00000000 & \text{if } x = 0. \end{cases}$$

Remark 11.2 $x^{-1}$ is an APN function over GF(2^8) [276]. Hence the code $C$ defined by $\{(x, x^{-1})\}$ is a robust code with no undetectable errors.

To reduce the hardware overhead, we can compute the least $r < 8$ significant bits of the product instead of the whole eight-bit product. The probability that an error in the inverter will be missed is equal to the probability that two eight-bit vectors multiplied together will produce the expected r-bit constant $I_r$. When $x = 0$, $I_r = 0$. Otherwise $I_r$ has 1 for the least significant bit and 0 elsewhere.

Let $e = (e_1, e_2)$ be the error vector, where $e_1 \in GF(2^8)$ is the error at the output of the original inverter and $e_2$ is the error at the output of the redundant portion. Then $e$ is missed iff

$$\left((x^{-1} + e_1) \cdot x\right)_r = I_r + e_2, \qquad (11.6)$$

i.e. the least significant r bits of the product in GF(2^8) are equal to $I_r + e_2$ or, equivalently, $x \cdot e_1 = e_2$.
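As an added example (not code from the book or its authors), the r-bit product check and condition (11.6) in Python: GF(2^8) arithmetic with the AES polynomial is assumed, and the error vector (e1, e2) and r are free parameters, so the fraction of inputs x for which a given error slips past the check can be counted directly.

```python
# Added example, not code from the book: the r-bit product check on the AES
# inverter and the miss condition (11.6). Assumes the AES field polynomial
# x^8 + x^4 + x^3 + x + 1 (0x11B); r and the error vector are chosen freely.
AES_POLY = 0x11B


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return p


def gf_inv(x):
    """x^-1 in GF(2^8) computed as x^254, which also yields the convention 0^-1 = 0."""
    result, base, e = 1, x, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def expected_ir(x):
    """The r-bit constant I_r: all zeros if x == 0, else a 1 in the LSB only."""
    return 0 if x == 0 else 1


def check_passes(x, y, r):
    """Redundant check: the least significant r bits of x*y must equal I_r."""
    return (gf_mul(x, y) & ((1 << r) - 1)) == expected_ir(x)


def error_missed(x, e1, e2, r):
    """Condition (11.6): e1 hits the inverter output, e2 the r-bit check output."""
    mask = (1 << r) - 1
    lhs = gf_mul(gf_inv(x) ^ e1, x) & mask
    return lhs == ((expected_ir(x) ^ e2) & mask)


def miss_fraction(e1, e2, r):
    """Fraction of the 256 inputs x for which the error (e1, e2) goes undetected."""
    return sum(error_missed(x, e1, e2, r) for x in range(256)) / 256
```

With the full 8-bit product a nonzero error is missed for at most one input x; with r = 4 the same error is missed for 16 of the 256 inputs, which is the hardware-versus-coverage trade-off the section describes.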