The Advanced Encryption Standard (AES) is a round-based block cipher used in security applications. Each round of the AES cryptographic process includes up to four operations, known in the art as AddRoundKey, ShiftRow, MixColumn and SubByte. The AddRoundKey, ShiftRow and MixColumn operations are linear operations, while the SubByte operation is a non-linear substitution step in which each byte of input data is replaced with another byte. The substitution may be made using a substitution table or switch box commonly referred to as the S-box and usually implemented as a lookup table.
Hardware implementations of AES can be vulnerable to side channel attacks, including simple power analysis (SPA), differential power analysis (DPA) and electromagnetic analysis (EMA) attacks. Side channel attacks exploit information, such as power consumption and electromagnetic emission, that leaks from a device while it executes the cryptographic process. Adversaries supply different patterns of input data and monitor the side channel information in order to develop hypotheses about correlations between that information and the device's internal state as the input data is encrypted. Using these correlations, an adversary can subsequently uncover a secret key used to encrypt data by monitoring side channel information as the data is encrypted.
One countermeasure to side channel attacks is to mask input data and intermediate results with random values and execute operations on the masked data. Both the data and the key may be masked. The masked data and the mask are operated on in parallel in order to unmask the final result once all computations are completed; this is referred to as mask correction. However, as noted above, the SubByte operation is non-linear and so does not lend itself to simple mask correction. Various attempts have been made to efficiently and securely implement mask correction for non-linear operations. Such attempts are generally problematic because they are vulnerable to side channel attacks, involve too much computational overhead, require too much coprocessor area (e.g., there is an unsatisfactory increase in the number of gates required), or introduce unsatisfactory propagation delays.
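The distinction drawn above, that an XOR mask can be carried through the linear round operations but not through SubByte, can be checked directly. The following is an added example, not code from the patent or any implementation it describes: it builds the standard AES S-box and MixColumn arithmetic, shows that running the masked share and the mask share through ShiftRow, MixColumn and AddRoundKey in parallel and XORing them recovers the unmasked result, shows that the same trick fails for the S-box, and then shows one common way of carrying a mask through the non-linear step by recomputing a masked S-box table for given input and output masks. All data bytes, key bytes and masks in it are constructed for the demonstration.

```python
"""Added example (not from the patent text): mask correction through the
linear AES operations, its failure on the S-box, and a recomputed masked
S-box table.  AES constants are standard; all data, keys and masks are
constructed for the demonstration."""
import os

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (0 maps to 0, as in the AES S-box)."""
    r, b, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, b)
        b = gf_mul(b, b)
        e >>= 1
    return r if a else 0

def sbox(x: int) -> int:
    """SubByte: GF(2^8) inverse followed by the AES affine transform."""
    inv = gf_inv(x)
    s = inv
    for k in range(1, 5):  # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4) ^ 0x63
        s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
    return s ^ 0x63

SBOX = [sbox(x) for x in range(256)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

# Linear round operations on a 16-byte column-major state (index 4*col + row).
def add_round_key(state, key):
    return xor(state, key)

def shift_rows(state):
    # Row r is rotated left by r positions: new[r][c] = old[r][(c + r) % 4].
    return [state[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def mix_column(col):
    a0, a1, a2, a3 = col
    return [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
            a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
            a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
            gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]

def mix_columns(state):
    return [b for c in range(4) for b in mix_column(state[4 * c:4 * c + 4])]

def plain_linear_ops(data, key):
    return add_round_key(mix_columns(shift_rows(data)), key)

def masked_linear_ops(data, key, mask):
    """Mask correction for the linear steps: the masked share and the mask
    share go through the same linear maps in parallel and are XORed at the
    end.  Only the masked share sees the key, so AddRoundKey leaves the
    mask share untouched."""
    masked_share = add_round_key(mix_columns(shift_rows(xor(data, mask))), key)
    mask_share = mix_columns(shift_rows(mask))
    return xor(masked_share, mask_share)

def linear_correction_holds(data, key, trials=32):
    """True iff correction recovers the unmasked result for `trials` random masks."""
    expected = plain_linear_ops(data, key)
    return all(masked_linear_ops(data, key, list(os.urandom(16))) == expected
               for _ in range(trials))

def naive_sbox_correction_holds(x, m):
    """Does the same trick work for SubByte, i.e. S(x ^ m) ^ S(m) == S(x)?"""
    return SBOX[x ^ m] ^ SBOX[m] == SBOX[x]

def count_naive_sbox_failures():
    """Number of (byte, mask) pairs for which the naive correction is wrong."""
    return sum(1 for x in range(256) for m in range(256)
               if not naive_sbox_correction_holds(x, m))

def masked_sbox_table(m_in, m_out):
    """Recomputed masked S-box with T[x ^ m_in] == SBOX[x] ^ m_out for all x.
    Carrying a mask through the non-linear step this way costs a 256-entry
    table rebuild whenever the masks change."""
    return [SBOX[y ^ m_in] ^ m_out for y in range(256)]

def masked_sub_bytes(data, m_in, m_out):
    """SubByte on data masked with m_in; the output comes back masked with m_out."""
    table = masked_sbox_table(m_in, m_out)
    return [table[b ^ m_in] for b in data]

def table_correction_holds(data, m_in, m_out):
    out = masked_sub_bytes(data, m_in, m_out)
    return [b ^ m_out for b in out] == [SBOX[b] for b in data]

if __name__ == "__main__":
    data = list(range(16))               # constructed state
    key = [0x2B, 0x7E, 0x15, 0x16] * 4   # constructed round key
    print("linear correction:", linear_correction_holds(data, key))
    print("naive S-box correction fails for", count_naive_sbox_failures(),
          "of 65536 (byte, mask) pairs")
    print("masked-table correction:", table_correction_holds(data, 0x5A, 0xA5))
```

The recomputed-table approach is the simplest of the "various attempts" the text refers to: it is correct, but a fresh table per mask pair is exactly the kind of memory, area and latency overhead a coprocessor designer wants to avoid, which is the motivation for the approaches discussed in the rest of the document.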
Accordingly, a solution that efficiently and securely implements mask correction for non-linear operations would be advantageous. Embodiments in accordance with the present invention provide these and other advantages.