1. Field of the Invention
The present invention relates to symmetrical iterated block encryption method and a device for implementing the method.
2. Description of the Related Art
Modern block ciphers such as the Advanced Encryption Standard (AES) are designed as iterated block ciphers. This means that the input is processed in several rounds which all apply the same round function, each with its own round key derived from the cipher key (in AES only the final round differs, in that it omits the MixColumns step). The data to be encrypted are divided into blocks of fixed length, each of which is mapped by a key-dependent transformation onto a ciphertext block; the ciphertext blocks produced in this way likewise have a fixed length.
A block cipher is a function that maps a plaintext block onto a ciphertext block. For every key this function is injective, and since plaintext and ciphertext blocks are drawn from the same finite set, it is in fact a bijection, i.e. a permutation of the block space; a decryption function therefore exists which recovers the plaintext from every ciphertext.
The choice of block cipher and of key is of great interest. For certain cryptographic methods it has proved possible, by observing a cryptographic device while it executes the corresponding cryptographic algorithm, to find correlations between the observed data and the key in use. This permits conclusions about the key being used and can ultimately compromise the cryptographic method.
For example, side-channel attacks such as differential power analysis (DPA) measure the power consumption of a microprocessor during cryptographic calculations and use it to draw conclusions about the operations being performed, and thus about the key being used. The attack does not need to read the key directly: it suffices that the power drawn while an intermediate value is computed or stored depends, however weakly, on that value, because such a dependence can be accumulated statistically over many executions with different inputs.
Countermeasures against such side-channel attacks have already been proposed; they can be divided into the following groups:
Countermeasures at the cell level, i.e. modified implementations of the logic gates or analog components of the microprocessor, which alter the physical properties of the electronic circuit so that the power-consumption information exploited by side-channel attacks is not measurable, or is measurable only with difficulty.
Modifications to the implementation of the logic of a cryptographic algorithm on standard CMOS cells, which attempt to hide or mask the power-consumption information that a physical analysis requires, and thereby to prevent the algorithm from being analysed while it runs. Hiding typically randomises the order or timing of the operations; masking combines every intermediate value with a random mask so that the values actually processed are statistically independent of the secret.
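As an added illustration of the attack described above and of the masking countermeasure in the second group (this is not part of the patent text), the following Python script simulates a differential power analysis in its correlation-based form (CPA) against the first SubBytes step of AES, once against a plain implementation and once against the same step protected by first-order Boolean masking. Everything in it is constructed for the simulation: the key byte, the plaintexts, the Hamming-weight-plus-Gaussian-noise leakage model and the traces; the AES S-box is generated from its definition rather than hard-coded.

```python
"""Simulated DPA (correlation form) of the first AES SubBytes, unmasked and with
first-order Boolean masking. Added example: all plaintexts, keys and traces are
constructed for the simulation.

Assumed leakage model: the power sample at the S-box output register is the
Hamming weight of the register value plus Gaussian noise."""
import random
from typing import List, Tuple


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (0 maps to 0, as the AES spec requires)."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def sbox_entry(x: int) -> int:
    """AES S-box: inverse in GF(2^8) followed by the affine transform."""
    inv = gf_inv(x)
    s = inv
    for i in range(1, 5):
        s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF  # left rotation by i
    return s ^ 0x63


SBOX = [sbox_entry(x) for x in range(256)]


def hw(v: int) -> int:
    return bin(v).count("1")


def simulate_traces(key_byte: int, n: int, sigma: float, masked: bool,
                    seed: int = 1) -> Tuple[List[int], List[float]]:
    """Constructed traces: one sample per encryption, taken at the S-box output.

    Unmasked: the register holds SBOX[p ^ k].
    Masked:   fresh masks m_in, m_out are drawn per encryption; the device looks
              up a recomputed table T[x] = SBOX[x ^ m_in] ^ m_out at index
              p ^ k ^ m_in, so the register holds SBOX[p ^ k] ^ m_out."""
    rng = random.Random(seed)
    pts, samples = [], []
    for _ in range(n):
        p = rng.randrange(256)
        if masked:
            m_in, m_out = rng.randrange(256), rng.randrange(256)
            table = [SBOX[x ^ m_in] ^ m_out for x in range(256)]
            value = table[p ^ key_byte ^ m_in]
        else:
            value = SBOX[p ^ key_byte]
        pts.append(p)
        samples.append(hw(value) + rng.gauss(0.0, sigma))
    return pts, samples


def pearson(xs: List[float], ys: List[float]) -> float:
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0


def cpa_attack(pts: List[int], samples: List[float]) -> Tuple[int, float]:
    """For each key-byte guess predict HW(SBOX[p ^ guess]) per trace, correlate
    the prediction with the measurements, and return the best guess and its |r|."""
    best = (0, 0.0)
    for guess in range(256):
        hyp = [hw(SBOX[p ^ guess]) for p in pts]
        r = abs(pearson(hyp, samples))
        if r > best[1]:
            best = (guess, r)
    return best


if __name__ == "__main__":
    KEY = 0x2B  # constructed secret key byte
    for masked in (False, True):
        pts, samples = simulate_traces(KEY, n=2000, sigma=1.0, masked=masked)
        guess, r = cpa_attack(pts, samples)
        print(f"masked={masked}: best guess 0x{guess:02x} (true 0x{KEY:02x}), |r|={r:.3f}")
```

On the unmasked traces the true key byte wins with a correlation far above every wrong guess, whereas with a fresh mask per encryption the S-box output register carries a value that is statistically independent of the key, and every guess correlates equally badly. Masking of this simple form defeats only first-order DPA: an attacker who combines the sample modelled here with a sample from the mask generation or the table recomputation (second-order DPA) can still recover the key, which is why masking is usually paired with hiding.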