Cryptography Reference
In-Depth Information
•
Reference version
. This circuit implements the nonlinear transformation as
described in the standard and is used as the reference version.
•
Single parity-based error code
. The single byte parity circuit implements the
error detection scheme described by Bertoni et al. [34].
•
Double parity-based error codes
. This code computes two parities: one for the
bits with even indices and one for the bits with odd indices.
•
Residue-based codes
. These are the residue codes that use the moduli 3 and 7.
•
Error codes based on complementary parity
. In this scheme, both the even and
the odd byte parity bits are computed.
•
Hamming error correcting code
. We consider a (12,4) Hamming code described
by the following parity matrix:
⎡
⎤
111000111000
100110110100
010101100010
001011010001
⎣
⎦
.
H
=
15.3 Experimental Setup
Figure
15.3
depicts the complete setup we have used for our evaluation procedure,
which is similar to the one presented by Regazzoni et al. [337]. It is composed of
a standard Electronic Design Automation (EDA) flow and includes a simulation
environment for generating the power consumption traces which are used to provide
a measure of the resistance against power analysis attacks. The input to the process is
the Register Transfer Level (RTL) description of the S-box and one of the considered
error detection/correction circuits. The output is a text file which stores the noise-free
instantaneous current consumption of the circuit simulated at a very high resolution
of both time and current.
In all our circuit implementations, the S-box module has been described using
VHDL at the behavioral level. Because of this, it has been synthesized by the tool as a
combinatorial circuit rather than as a memory-based lookup table. It is therefore not
necessary to protect the address decoder against injected faults since this component
is not present in the synthesized implementation of the substitution function. This
approach does not constitute a limitation since it reflects a typical situation when
designing a cryptographic unit, where the entire unit is specified using a hardware
description language and then synthesized by an EDA tool with no specific imple-
mentation constraints imposed. In such cases, the S-box module is often realized as
a combinatorial logic.
The VHDL description is synthesized using the STMicroelectronics 90 nm CMOS
standard cell library [388] and the Synopsys Design Compiler [391]. If the synthesis
tool is set to minimize the circuit's area, it is possible that during the optimization
phase of the synthesis process the redundant parts of the circuits (e.g., the circuit
generating the complementary parity bit) will be removed. In order to prevent this
