The Rijndael algorithm is a block cipher algorithm operating on blocks of data. The algorithm reads an entire block of data, processes the block and then outputs the encrypted data. The Rijndael algorithm needs a key, which is another block of data. The proposed AES standard will include only a 128-bit standard length for plaintext blocks and 128, 192 and 256-bit standard lengths for the key material.
For a general review of the Rijndael/AES algorithms, reference may be made to the following documents/websites:
J. Daemen, V. Rijmen, “AES Proposal: Rijndael”, www.nist.gov/aes;
J. Daemen, V. Rijmen, “The Block Cipher Rijndael”, Smart Card Research and Applications, LNCS 1820, J.-J. Quisquater and B. Schneier, Eds., Springer-Verlag, 2000, pp. 288-296;
J. Daemen and V. Rijmen, “Rijndael, the advanced encryption standard”, Dr. Dobb's Journal, Vol. 26, No. 3, March 2001, pp. 137-139;
V. Rijmen, “Efficient Implementation of the Rijndael S-box”, “www.eas.kuleuven.ac.be/~rijmen/rijndael/”;
J. Gladman, “A specification for Rijndael, the AES Algorithm”, March 2001, “www.fp.gladman.plus.com/”;
M. Akkar, C. Giraud, “An implementation of DES and AES, secure against some attacks”, Proceedings of CHES 2001, pp. 315-325;
M. McLoone, J. V. McCanny, “High performance single-chip FPGA Rijndael algorithm implementations”, Proceedings of CHES 2001, pp. 68-80;
V. Fischer, M. Drutarovsky, “Two methods of Rijndael implementation in reconfigurable Hardware”, Proceedings of CHES 2001, pp. 81-96;
H. Kuo and I. Verbauwhede, “Architectural optimization for a 3 Gbits/sec VLSI Implementation of the AES Rijndael algorithm”, Proceedings of CHES 2001, pp. 53-67;
Rudra, P. K. Dubey, C. S. Jutla, V. Kumar, J. R. Rao, and P. Rohatgi, “Efficient Rijndael encryption implementation with composite field arithmetic”, Proceedings of CHES 2001, pp. 175-188;
A. Dandalis, V. K. Prasanna, J. P. D. Rolim, “An adaptive cryptographic engine for IPSec architectures”, Field-Programmable Custom Computing Machines, 2000 IEEE Symposium on, 2000, pp. 132-141;
“Advanced Encryption Standard (AES)”, “www.nist.gov/aes”;
National Institute of Standards and Technology, “www.nist.gov/aes”;
Rijndael Home Page, “www.esat.kuleuven.ac.be/rijmen/rijndael/”;
Gladman Home Page, “www.fp.gladman.plus.com/”.
The encryption process based on the Rijndael algorithm follows the general layout shown in FIG. 1 of the enclosed drawings. Unencrypted data are subject to a sequence of “rounds” R1, R2, . . . , R9, R10. Each round in turn provides for the application of a respective round key (i.e. round key 1, round key 2, . . . ) generated according to a key scheduling process KS.
Each generic round Ri develops along the lines shown in FIG. 2 and is essentially based on a first processing step currently referred to as the S-box step or function. This generates a matrix array which is subjected to a row shifting process followed by column mixing.
The respective key scheduled for round Ri is then added to produce the output of the round. The output of the final round (designated round 10 in FIG. 1) corresponds to the encrypted data.
More specifically, the first and last rounds are at least marginally different from the other rounds: the first round is in fact comprised of key addition only, while the last round does not provide for mix column transformation.
The decryption algorithm of AES is very similar to the encryption process just described. The decryption process is essentially based on a sequence of steps reproducing in a complementary manner the sequence of steps of the encryption process, wherein each transformation is replaced by the respective inverse transformation.
All of the foregoing corresponds to basic principles and criteria well known to those of skill in the art (see, for instance, the references cited in the introductory portion of this description), thus making it unnecessary to provide a more detailed description herein. This applies in particular to the steps/functions designated “S-box” and “Add Key” in FIG. 2.
FIG. 3 is a schematic representation of a round in matrix form.
Apart from the add round key, sub byte and shift row operations, the application of a single round can essentially be described as the application to an array of input data ID of a matrix M to generate a corresponding array of output data OD. Data ID and OD are typically in a 32-bit format partitioned into four 8-bit words (bytes).
In current implementations of the Rijndael/AES algorithm, matrix M is thus a matrix including 4×4=16 elements s0, . . . , s15, each corresponding to a byte.
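The round layout of FIGS. 1 and 2 and the matrix step of FIG. 3 can be followed end to end in a short software model of AES-128. This is an added illustration, not part of the original description or of the circuit of FIG. 4. It assumes that M is the standard AES mix column matrix and that the S-box is computed rather than tabulated; all function names are hypothetical.

```python
# Added illustration: AES-128 rounds as described above (names are hypothetical).
def xtime(a):  # multiply by {02} in GF(2^8), modulus x^8+x^4+x^3+x+1
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def gmul(a, b):  # GF(2^8) product by shift-and-add
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def sbox_entry(v):  # S-box: multiplicative inverse, then affine transformation
    inv = next((c for c in range(1, 256) if gmul(v, c) == 1), 0)
    s = inv ^ 0x63
    for k in range(1, 5):
        s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF  # rotate left by k bits
    return s

SBOX = [sbox_entry(v) for v in range(256)]
M = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]  # assumed matrix M

def mix_column(col):  # apply M to one 32-bit column held as four bytes (ID -> OD)
    return [gmul(m[0], col[0]) ^ gmul(m[1], col[1]) ^ gmul(m[2], col[2])
            ^ gmul(m[3], col[3]) for m in M]

def expand_key(key):  # key scheduling KS: 16-byte key -> 11 round keys
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # rotate word, then S-box
            t[0] ^= rcon
            rcon = xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def encrypt_block(pt, key):  # pt and key are 16-byte sequences
    rk = expand_key(key)
    s = [p ^ k for p, k in zip(pt, rk[0])]  # first round: key addition only
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]  # S-box step
        s = [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]  # shift rows
        if rnd < 10:  # mix column is bypassed in the last round
            s = sum((mix_column(s[4 * c:4 * c + 4]) for c in range(4)), [])
        s = [b ^ k for b, k in zip(s, rk[rnd])]  # add round key
    return bytes(s)
```

Encrypting the block 00112233445566778899aabbccddeeff under the key 000102030405060708090a0b0c0d0e0f with `encrypt_block` gives 69c4e0d86a7b0430d8cdb78070b4c55a, the AES-128 example vector of FIPS-197. The data-dependent branches in `xtime` and `gmul` make this model unsuitable where timing leakage matters; it only shows the round structure.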
The block diagram of FIG. 4 shows a typical embodiment of an encryption system implementing the Rijndael/AES algorithm according to the traditional approach followed so far.
The system shown in FIG. 4, designated 10 overall, is intended to generate encrypted data starting from unencrypted data UD. Both unencrypted and encrypted data UD and ED are arranged in a 32-bit word format.
In the diagram of FIG. 4, reference numeral 12 designates a demultiplexer which distributes the input unencrypted data stream UD over four different paths leading to respective adder modules 14a, 14b, 14c and 14d where the first key addition is performed.
Reference numerals 24a, 24b, 24c and 24d designate respective sets of byte registers wherein the 32-bit words subjected to the first key addition are distributed over four byte registers to be subsequently fed to respective sets of modules 34a, 34b, 34c and 34d where the S-box processing takes place.
Reference 16 designates a module which implements the shift row operation. Data blocks resulting from row shifting are fed to respective mix column modules 18a, 18b, 18c and 18d.
These latter modules are intended to be bypassed during the last round. In fact the structure shown permits the first round to be calculated immediately. Iterative calculation is then carried out for the following rounds. As indicated, the last round does not provide for the mix column step, whereby lines are shown enabling such a step to be bypassed during the last round.
The data output from modules 18a, 18b, 18c and 18d—which are arranged over four parallel 8-bit words—are then fed to respective key addition modules 20a, 20b, 20c and 20d where the key addition operation is performed. After being subjected to key addition in modules 20a, 20b, 20c and 20d data are loaded into final registers 22a to 22d from which the encrypted code words are fed to a multiplexer unit 26 to generate the encrypted data stream ED.
All of the foregoing again corresponds to principles and criteria which are known to those of skill in the art.
The main disadvantage of the prior art solutions exemplified by the arrangement shown in FIG. 4 lies in the complex circuitry required to implement the encryption/decryption mechanism. Such a disadvantage is particularly felt in those envisaged applications of cryptosystems adapted for use in embedded systems such as, e.g., smartcards and the like.