The affine transformation (AT) is protected by an Additive Digest Value (ADV), i.e.
$\mathrm{ADV}(x) = \sum_{i=0}^{15} x_i$.
Since $\mathrm{AT}(x_1 + x_2) = \mathrm{AT}(x_1) + \mathrm{AT}(x_2) + c$ for $x_1, x_2 \in \mathrm{GF}(2^8)$ and a constant $c$, we get $\mathrm{ADV}(\mathrm{AT}(s)) = \mathrm{AT}(\mathrm{ADV}(s)) + c$. A possible extension for a multibyte fault scenario is the digest
$\mathrm{ADV}_\lambda(x) = \sum_{i=0}^{15} \lambda_i x_i$
for nonzero constants $\lambda_i \in \mathrm{GF}(2^8)$. Naturally, these constants differ before and after the computation of the affine transformation and have to be adjusted accordingly.
5.4.2.2 ShiftRows
The ShiftRows operation is protected by the ADV, since it does not modify it. For the multibyte variants, a Generalized ADV can be used, i.e. $\sum_{i=0}^{15} x_i$.
5.4.2.3 MixColumns
Since the MixColumns operation does not change the sum of a column, the ADV provides protection. The multibyte case is addressed by the $\mathrm{ADV}_\lambda$ value.
5.4.2.4 AddRoundKey
For the AddRoundKey operation, the ADV and the $\mathrm{ADV}_\lambda$ are again the natural choice. However, the corresponding values of the round key must be computed and added to the ADV/$\mathrm{ADV}_\lambda$ of the state before the operation, to obtain the estimated value against which the result is compared.
An implementation protected by these methods provides perfect security assuming that one byte is manipulated. For a model that allows two errors, an upper bound over all transformations can be given by $\frac{14}{255^2}$. The authors state furthermore that the computation of the additive check values can be combined for the one-byte fault mode to make the method more efficient.
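The following is an added example, not code from the page or from the authors it cites. It implements the four AES round operations on a 16-byte state and checks the digest invariants stated above: the ADV after SubBytes' affine part is $\mathrm{AT}(\mathrm{ADV}(s)) + c$ with $c = \mathtt{0x63}$, ShiftRows and MixColumns leave the ADV unchanged, and AddRoundKey requires adding the ADV of the round key. It then exercises the fault model: every single-byte fault changes the ADV, while a two-byte fault with equal errors cancels in the plain ADV and is caught only by $\mathrm{ADV}_\lambda$ with distinct weights. The state, key and $\lambda_i$ values are constructed sample values, and the check computes each predicted digest from the input digest alone, which is the point of the scheme (no second computation of the operation is needed).

```python
# Added example (not from the page): additive-digest checks for the AES round
# operations. Byte addition in GF(2^8) is XOR, so ADV(x) = x_0 + ... + x_15 is the
# XOR of all 16 state bytes. Sample state, key and lambda weights are constructed.
from functools import reduce

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r

def adv(state):
    """Additive Digest Value: GF(2^8) sum (XOR) of the 16 bytes."""
    return reduce(lambda x, y: x ^ y, state, 0)

def adv_lambda(state, lam):
    """Weighted digest ADV_lambda: sum of lambda_i * x_i, lambda_i nonzero in GF(2^8)."""
    return reduce(lambda x, y: x ^ y, (gf_mul(l, x) for x, l in zip(state, lam)), 0)

AT_CONST = 0x63  # affine constant of the AES S-box; this is c in ADV(AT(s)) = AT(ADV(s)) + c

def affine(x):
    """Affine transformation AT of the AES S-box (inversion omitted): A*x + 0x63."""
    y = x
    for k in (1, 2, 3, 4):
        y ^= ((x << k) | (x >> (8 - k))) & 0xFF  # x rotated left by k bits
    return y ^ AT_CONST

def shift_rows(state):
    """Row r rotated left by r; column-major state, byte (r, c) at index r + 4*c."""
    return [state[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(state):
    out = list(state)
    for c in range(4):
        a = state[4 * c:4 * c + 4]
        out[4 * c + 0] = gf_mul(2, a[0]) ^ gf_mul(3, a[1]) ^ a[2] ^ a[3]
        out[4 * c + 1] = a[0] ^ gf_mul(2, a[1]) ^ gf_mul(3, a[2]) ^ a[3]
        out[4 * c + 2] = a[0] ^ a[1] ^ gf_mul(2, a[2]) ^ gf_mul(3, a[3])
        out[4 * c + 3] = gf_mul(3, a[0]) ^ a[1] ^ a[2] ^ gf_mul(2, a[3])
    return out

def add_round_key(state, key):
    return [s ^ k for s, k in zip(state, key)]

def predicted_adv(state, key):
    """ADV expected after each operation, derived from the input digest alone."""
    d = adv(state)
    return {
        "affine": affine(d) ^ AT_CONST,  # 16 copies of c cancel: ADV(AT(s)) = AT(ADV(s)) + c
        "shift_rows": d,                 # byte permutation leaves the sum unchanged
        "mix_columns": d,                # column sum preserved: 2 + 3 + 1 + 1 = 1 in GF(2^8)
        "add_round_key": d ^ adv(key),   # ADV of the round key must be added
    }

def invariants_hold(state, key):
    """True if the ADV recomputed after each operation matches its prediction."""
    p = predicted_adv(state, key)
    return (adv([affine(x) for x in state]) == p["affine"]
            and adv(shift_rows(state)) == p["shift_rows"]
            and adv(mix_columns(state)) == p["mix_columns"]
            and adv(add_round_key(state, key)) == p["add_round_key"])

def single_byte_faults_missed(state):
    """Count single-byte faults (any position, any nonzero error) that leave ADV unchanged."""
    return sum(1 for i in range(16) for e in range(1, 256)
               if adv(state[:i] + [state[i] ^ e] + state[i + 1:]) == adv(state))

def two_byte_faults_missed(lam, i, j):
    """For errors e1 in byte i and e2 in byte j, count (e1, e2) pairs missed by ADV,
    by ADV_lambda, and by both. Only the digest differences need to be evaluated."""
    by_adv = by_lam = by_both = 0
    for e1 in range(1, 256):
        for e2 in range(1, 256):
            miss_adv = (e1 ^ e2) == 0
            miss_lam = (gf_mul(lam[i], e1) ^ gf_mul(lam[j], e2)) == 0
            by_adv += miss_adv
            by_lam += miss_lam
            by_both += miss_adv and miss_lam
    return by_adv, by_lam, by_both

# Constructed sample values (not from the page).
STATE = [0x10, 0x21, 0x32, 0x43, 0x54, 0x65, 0x76, 0x87,
         0x98, 0xA9, 0xBA, 0xCB, 0xDC, 0xED, 0xFE, 0x0F]
KEY = [0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
       0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C]
LAMBDA = list(range(1, 17))  # distinct nonzero weights (an assumption of this example)

if __name__ == "__main__":
    print("invariants hold:", invariants_hold(STATE, KEY))
    print("single-byte faults missed by ADV:", single_byte_faults_missed(STATE))
    print("two-byte faults missed (ADV, ADV_lambda, both):", two_byte_faults_missed(LAMBDA, 0, 5))
```

With distinct weights, `two_byte_faults_missed` reports 255 pairs missed by the ADV alone (exactly those with $e_1 = e_2$), 255 missed by $\mathrm{ADV}_\lambda$ alone, and none missed by both; setting $\lambda_i = \lambda_j$ makes the two digests fail on the same pairs, which is why the weights must be pairwise distinct on the bytes they are meant to separate. The example does not reproduce the $14/255^2$ bound quoted above, which concerns faults across the transformations rather than on a stored state.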