Cryptography Reference
[Fig. 5.3: Round-based inverse check. Labels: plaintext; 1st round enc. / n th round dec. / check ok; i th round enc. / (n − i + 1) th round dec. / check ok; n th round enc. / 1st round dec. / check ok; ciphertext.]
the same. At first glance, it looks as if the case is even worse for space-redundant
approaches. There, in addition to area for the decryption hardware, it is not even
possible to run the two algorithms in parallel as in the case of encrypting twice.
Thus, a naïve implementation, as depicted in Fig. 5.2, decreases the performance
by 50 % and increases the area by 100 %. If more than one block is processed, the
throughput penalty is reduced as the i th block can be encrypted, while the
th
one is checked. Nevertheless, the latency increase stays 100 %. However, it is possible
to significantly improve the scheme in terms of area and latency.
The latency can be improved by implementing the countermeasure in a finely
grained manner as proposed in [217]. A block cipher consists of several rounds.
For each round its inverse round can be immediately applied to the round's output.
Thus, while the i th round of the encryption is performed, the (i − 1) th round can
be checked. This reduces the latency overhead from 100 % to (1/n) × 100 % for an
n-round block cipher. Figure 5.3 illustrates this interleaved approach.
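The interleaved check described above, as an added example that is not from the original text: a toy 16-bit SPN with a 4-bit S-box, constructed here purely for illustration, where the inverse round verifies round i − 1 in the same cycle in which round i is computed. The cipher, the round keys, the `fault` parameter and all function names are assumptions made for this sketch.

```python
# Toy 16-bit SPN, constructed for illustration only; not a real cipher.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
INV_SBOX = [SBOX.index(v) for v in range(16)]

class FaultDetected(Exception):
    def __init__(self, round_no):
        super().__init__(f"inverse check failed for round {round_no}")
        self.round = round_no

def sub_nibbles(x, box):
    return sum(box[(x >> s) & 0xF] << s for s in (0, 4, 8, 12))

def rotl16(x, r):
    return ((x << r) | (x >> (16 - r))) & 0xFFFF

def enc_round(x, k):
    return rotl16(sub_nibbles(x ^ k, SBOX), 3)

def dec_round(y, k):
    # Exact inverse of enc_round: rotate right by 3, inverse S-box, remove key.
    return sub_nibbles(rotl16(y, 13), INV_SBOX) ^ k

def check(pending, round_no):
    state_in, out, k = pending            # saved input, output and key of a round
    if dec_round(out, k) != state_in:
        raise FaultDetected(round_no)

def encrypt_checked(pt, round_keys, fault=None):
    """Return (ciphertext, cycles). fault=(round, bitmask) flips bits in that
    round's output, modelling a transient error in the encryption datapath."""
    state, cycles, pending = pt, 0, None
    for i, k in enumerate(round_keys, start=1):
        out = enc_round(state, k)
        if fault and fault[0] == i:
            out ^= fault[1]
        if pending:                       # same cycle: verify round i-1
            check(pending, i - 1)
        pending, state, cycles = (state, out, k), out, cycles + 1
    check(pending, len(round_keys))       # one extra cycle for the last round
    return state, cycles + 1

if __name__ == "__main__":
    keys = [0x1A2B, 0x3C4D, 0x5E6F, 0x7081]   # constructed round keys
    ct, cycles = encrypt_checked(0xBEEF, keys)
    print(f"ct={ct:04x} cycles={cycles} overhead={(cycles - len(keys)) / len(keys):.0%}")
    try:
        encrypt_checked(0xBEEF, keys, fault=(2, 0x0040))
    except FaultDetected as e:
        print("detected:", e)
```

With n round keys the function reports n + 1 cycles, which is the (1/n) × 100 % latency overhead stated above; a fault in round r is reported one cycle later, while round r + 1 is already running.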
The area overhead of this scheme strongly depends on the cipher but in general it
can be expected to be less than that for a standard DMR scheme. Usually, hardware
realizations of block ciphers implement both an encryption and a decryption circuit.
If encryption and decryption are realized by two independent circuits, then the above
scheme requires only little additional hardware. In such a case the overhead is caused
by the additional registers, multiplexers and comparators for the check process.
However, most implementations share resources between encryption and decryption. The
most extreme case is presented by involution ciphers, where encryption and decryption
are performed by the same building blocks and only the control logic differs.
An extensive study on inverse-based error detection for the AES finalists can be
found in [217].
 