registers are less complex, the clock frequency can be increased and thus the latency
stays nearly the same. However, now a result is produced in every clock cycle and
this increases the throughput by a factor of n.
Feedback modes of operation do not benefit from pipelining as each input depends
on the previous output. Nevertheless, pipelining can still be advantageous for error
detection. That is, in a pipelined design of an involution cipher, it is possible to
implement each pipeline stage according to Fig. 5.4. This allows each pipeline stage
to work on data in one cycle and to check the data in the successive cycle. Hence, for
involution ciphers operating in a feedback mode, it is possible to implement
time-redundant error detection without throughput decrease and at the same time detect
permanent errors.
A similar technique might also make sense for noninvolution ciphers in feedback
mode if decryption is not available. In such a case, the same input is encrypted
twice. For instance, at the end of the second cycle, the input and the output of the
first pipeline register are equal. This technique does not decrease the throughput.
However, permanent errors are not detected.
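As an added illustration (not from the book), the following Python model contrasts the two checks just described: a key-whitened involutive stage checked time-redundantly (compute in one cycle, recompute on the result in the next, compare with the original input) against the encrypt-twice check on a non-involution stage. The nibble S-box, the round structure and the stuck-at fault model are constructed for this example.

```python
# Involutive nibble S-box (constructed): SBOX[SBOX[v]] == v for every v.
SBOX = [0xF, 0xA, 0xC, 0x5, 0xB, 0x3, 0x9, 0xD, 0xE, 0x6, 0x1, 0x4, 0x2, 0x7, 0x8, 0x0]

def sub_bytes(state: bytes) -> bytes:
    """Apply the involutive S-box to both nibbles of every byte."""
    return bytes((SBOX[b >> 4] << 4) | SBOX[b & 0xF] for b in state)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def involution_round(state: bytes, key: bytes) -> bytes:
    """f(x) = k ^ S(x ^ k); with S involutive, f(f(x)) == x."""
    return xor(sub_bytes(xor(state, key)), key)

def noninvolution_round(state: bytes, key: bytes) -> bytes:
    """g(x) = S(x) ^ k; g(g(x)) != x in general, so no free inverse check."""
    return xor(sub_bytes(state), key)

def stuck_at_1_bit0(state: bytes) -> bytes:
    """Fault model (constructed): bit 0 of every output byte of the stage is stuck at 1."""
    return bytes(b | 0x01 for b in state)

def involution_time_redundant(state, key, fault=None, permanent=False):
    """Cycle 1: y = f(x) on the stage. Cycle 2: x' = f(y) on the SAME stage.
    A transient fault hits cycle 1 only; a permanent one hits both cycles.
    Returns (y, check_passed); check_passed is False when the fault is detected."""
    y = involution_round(state, key)
    if fault:
        y = fault(y)
    x_back = involution_round(y, key)
    if fault and permanent:
        x_back = fault(x_back)          # same hardware, same permanent defect
    return y, x_back == state

def encrypt_twice_check(state, key, fault=None, permanent=False):
    """Non-involution variant: encrypt the same input twice and compare outputs.
    A permanent fault corrupts both runs identically and goes unnoticed."""
    y1 = noninvolution_round(state, key)
    if fault:
        y1 = fault(y1)
    y2 = noninvolution_round(state, key)
    if fault and permanent:
        y2 = fault(y2)
    return y1, y1 == y2

STATE = bytes([0x12, 0x34, 0xAB, 0xCD])   # constructed sample block
KEY = bytes([0x5A, 0xC3, 0x0F, 0xF0])     # constructed round key
```

Whether a permanent fault is caught by the involution check still depends on the data passing through the stage, so the detection rate, not a guarantee, is what a design gains.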
5.4 Coding-Theoretical Countermeasures for AES
In order to implement fault detection based on coding theory, it is necessary to tailor
the countermeasure to the algorithm used. Since it is the current NIST standard for
symmetric encryption, we focus on AES in this section.
Even before fault attacks were proposed, circuits were equipped with parity bits
to detect common hardware faults. Such schemes show very little hardware overhead
but are often not very robust in the presence of a strong adversary. This is because the
parities usually handle only small parts of data when it comes to nonlinear operations.
As a result, local data fragments are often only protected by a single bit.
In order to provide strong data integrity at little cost, it is necessary to find parities
or check symbols which handle the whole AES state. As the AES does not use a
continuous algebra, no straightforward solution is possible. Therefore, digest values
have been proposed. The idea is to use different suitable digest values for the different
operations.
Another approach which is based on coding theory embeds the AES field into a
larger ring. This approach was motivated by similar techniques for public key
cryptography. The advantages of this scheme are that it provides continuous protection,
that a constant error detection rate can be provided, and that it automatically protects
the program flow of the algorithm.
Finally, an infective-computation-based countermeasure has also been proposed.
The idea here is to render an error check obsolete by automatically randomizing the
output in the case of a fault.