720 likes | 1.04k Views
Algorithms for cryptography- Education and learning perspective. P.V.Ananda Mohan Fellow IEEE ECIL, Bangalore. 14 th Dec 2007. Agenda. Introduction E-learning requirements Overview of Algorithms
E N D
Algorithms for cryptography- Education and learning perspective P.V.Ananda Mohan Fellow IEEE ECIL, Bangalore 14th Dec 2007
Agenda • Introduction • E-learning requirements • Overview of Algorithms • Case studies of Encryption, Authentication and message digest Algorithm implementations- what needs to be taught, at what level, for whom • Conclusion
Hardware Options Introduction Implementations of Cryptosystems Key Generation Systems Software PC applications Portable Devices Mobile Phones E-Commerce ATMs etc ASIC FPGA DSP Algorithm Implementation Key Loading Tools Smart cards I-Buttons Key Guns
Who wants to learn? • (a) Implementers of a given algorithm • Implementation of the given algorithm in a particular platform. • Software implementation using C, C++ • Hardware implementation using (i) FPGAs (ii) DSPs or (iii) ASICs will be needed. • Speed or Area Requirements (or resources on FPGA such as CLBs, gates in an ASIC) Optimization
Who wants to learn? • (b) Advanced implementers • tamper proof design • protection of IP or code • Error/malfunction detection • Side-channel attack resistance etc. • Technological solutions or architectural solutions needed • Extremely high speed of operation for example IPSEC in gigabit routers • Low-power implementations desired • Agility regarding Multiple Algorithms , modes (e.g DES,3-DES,AES, Blow Fish, IDEA, CBC mode, Counter mode, ECB mode, CFB, OFB)
Who wants to learn? • (c) Researchers and cryptanalysts • Fast implementations • Secure protocols • Key Search engines for brute force attacks based on Software and hardware • Attacks • Differential and linear cryptanalysis • Power Attacks • new algorithms which are resistant to various types of attacks. • New Algorithms • Cryptanalysis of New Algorithms of others and old Algorithms
Three Related domains Authentication Encryption Hashing and Digital Signatures
Case studies • One encryption algorithm based on a stream cipher • one encryption algorithm based on a block cipher • A RSA implementation • A Hash algorithm
Ciphered data Clear data = Masking = modulo 2 STREAM CIPHERING Masking sequence No error Propagation
Primitive Polynomial is x3+x2+1 Key 1 0 1 Non-zero initial conditions clock 3-STAGE LFSR
3-stage LFSR • 101 • 010 • 001 • 100 • 110 • 111 • 011 • seed (initial condition) • period= 23-1=7 states
RAND RAND 128 Bits A3 A3 Ki Ki SRES (32 bits) SRES ? RAND A8 A8 Ki Ki Kc 64 bits Kc 64 bits Frame# Frame# Encrypted traffic A5 A5 GSM Authentication using signature and encryption in a nutshell RAND
LFSR 17 LFSR 19 LOGIC LFSR 23 Example: A5 Algorithm of GSM • Clock Controlled Shift registers • Fixed sparse Primitive polynomials • Initial conditions is the key (64 bits)
What do you need to know • Primitive polynomial: definition • Testing for Primitivity (software) • Implementation of LFSR in Software and hardware • Combining LFSrs in many ways • Linear Complexity evaluation (using Berlekamp-Massey Algorithm) and period • Possible Attacks-immunity • Advanced systems (word level LFSRs-synthesis, NLFSRs) • Design of New schemes and evaluation • Study of known schemes like BlueTooth (E0), CAVE, A5 etc • Interactive exercises
N bit input block K bit key N bit output block BLOCK CIPHERS
SYMMETRIC KEY ENCRYPTION ALGORITHMS • Data encryption standard(DES) • Triple DES • International data encryption algorithm (IDEA) • Blowfish • RIJNDAEL - the advanced encryption standard • Other AES candidates
General Features/Specifications • Block length in bits • Key length in Bits • Rounds • Operations in Each round • Key Schedule for all rounds • Round Key generation • Decryption • Modes of operation • Any Weak Keys • Complexity / Execution time Benchmarks • Five modes of operation
64 bit input 56 bit key 64 bit output ECB (Electronic codebook mode
Text block2 Text block3 Text block1 IV (Initialization Vector) E E E Cipher text blocks Cipher Block Chaining mode
Shift Register (64-J) bits J bits DES Encryption key J bits Discard 64-j bits Plain text j bits Cipher text j bits • CFB(CIPHER FEEDBACK MODE)
64-j bits j bits E Plain text Cipher text OFB (Output feedback) mode
Basic Primitives in Block Ciphers • Bit by bit exclusive OR • Modulo 216 or 232 Additions (use fast adders) • Arbitrary rotations (left or right by any number of bits) • Permutations • S-Boxes • Modulo Multiplication (X.Y) mod N • Exponentiation XY mod N • Multiplicative Inverses (1/X) mod N • Galois field operations (multiplication, inversion, word based LFSRs)
Input block Multiplexer Mode control Actual key Key Scheduler Round Processor 1 Round Processor2 Round Processor k-1 Round Processor k Round Keys Latch Round processors individual or few or one Output block Typical Architecture Software, ASIC or FPGA Key Register Clock
Rijndael (AES) • Variable block length (128,192,256 bits) • Variable key length( 128,192 or 256 bits) • Block cipher • Data and key arranged as rows and columns • Byte level design • Suitable for DSP or Microprocessor based or ASIC implementation
Rijndael • Four Rows • Nb columns : Nb = Block length/32 • Nk columns : Nk = Key length /32 • Number of rounds dependent on Nb and Nk: 4 6 8 4 10 12 14 6 12 12 14 8 14 14 14 Nb Nk
Rijndael • Rounds shown in Table +1 needed • Each round consists of four operations: • 1)Byte Substitution • 2) Shift row • 3)Mix column • 4) Add Round key (modulo 2 bit by bit) • Some steps can be combined.
Byte Sub: Step 1 • a00 ao1 ao2 a03 ao4 ao5 • a10 a11 a12 a13 a14 a15 • a20 a21 a22 a23 a24 a25 • a30 a31 a32 a33 a34 a35 First write data vertically Substitute for each byte from a Rijndalel S-Box to get a new block: Simple step
First row no shift Second row One byte left circular shift 2 byte left circular shift Third row Fourth row Three byte left circular shift Rijndael • Shift row: Step 2 Original The result is the permutation 1 6 11 16 5 10 15 4 9 14 3 8 13 2 7 12
Mix Column • Mix column Transformation -Avoids a big 32 bit input 32 bit output S-Box • All bytes are treated as polynomials • Example the byte b7b6b5b4b3b2b1b0 is the polynomial b7x7+b6x6+b5x5+b4x4+b3x3+b2x2+b1x+b0 • Columns are considered as polynomials over GF(2**8) • The irreducible 8th degree polynomial used is x8+x4+x3+x+1
MIX Column • b(x)=[c(x).a(x)] mod (x4 +1) • c(x) = “03” x3 + “01”.x2 + “01”.x+”02” • we thus obtain all new columns corresponding to a(x).
Example • d(x)=[a(x).b(x)] mod (x4 +1) • a(x) = a3.x3 + a2.x2 +a1.x+a0 • b(x) = b3.x3 + b2.x2 +b1.x+b0 • d(x)=c6x6+c5x5+c4x4+c3x3+c2x2+c1x+c0 • c0= a0b0, c4=a3b1+a2b2+a1b3 • c1=a1b0+a0b1, c5= a3b2+a2b3 • c2=a2b0+a1b1+a0b2,c6=a3b3 • c3=a3b0+a2b1+a1b2+a0b3 • All + are Exclusive OR • But x4=1,x5=x,x6=x2 mod (x4+1)
c0= a0b0+a3b1+a2b2+a1b3 • c1=a1b0+a0b1+a3b2+a2b3 • c2=a2b0+a1b1+a0b2+a3b3 • c3=a3b0+a2b1+a1b2+a0b3 • Each of the above is a multiplication in GF(8) • Fortunately, all bi s are simple. • 02H or 03 H or 01H or 01H
Rijndael Mix Column: Step3 • a00 a01 a02 a03 ao4 a05 • a10 a11 a12 a13 a14 a15 • a20 a21 a22 a23 a24 a25 • a30 a31 a32 a33 a34 a35 • b00 b01 b02 b03 bo4 b05 • b10 b11 b12 b13 b14 b15 • a20 b21 b22 b23 b24 b25 • b30 b31 b32 b33 b34 b35 Xc(x)
Add (EXOR) Round Key • Add Round key is Bit wise “exclusive or” of the complete block with the round key. • Simple operation • Round key used only in this step.
Key Scheduler to get round keys • Initial Round key addition • Consider 128 bit block. • Each round key 128 bits = 4 number of 32 bit words. • Total key 32 bit words 44 = (Initial add round key+ 10 round keys) • How to generate all round key words from 128 bit (4 word) basic key?
Rijndael Key schedule • We need 44 numbers of 32 bit words W for Nk=4 i.e. 128 bit key. • First four words are given key data itself • Temp= w(i-1) • W(i) = temp exor W(i-4) for all i except multiples of 4 • For i= multiples of 4, temp = subbyte (rotbyte (temp)) exor Rcon(i/4) • Rot byte is one byte circular left shift of the word
Rcon is a word with three Least significant bytes zero. Most significant byte is as per table.
Key Generation method • Continue to get 44 words g
S-BOX implementations • ROM • Logic Synthesis based • Multiplexer based • FOM (figure of Merit): Delay (access time), area, flexibility, insight
Logic Synthesis of S-BOX b3b2b1b0 1110 0100 1101 0001 0010 1111 1011 1000 0011 1010 0110 1100 0101 1001 0000 0111 • S1 First row • 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7 • Analyze the Sequences of b3, b2, b1, b0 • The logic functions assuming an input from a counter counting from zero to 15 are as follows: • b3 = A’C’D’+AB’C+BCD’+AB’C’D+ABC’D • b2=D’C’B’+D’C’BA’+D’CB’A+DC’B+DCB’A’+DCBA • b1=D’C’B’A’+D’CB’+D’CBA’+DC’B’+DC’BA’+DCBA • b0=D’C’B+D’CB’A+D’CBA’+DC’B’A’+DCB’+DCBA
A B C D b3 = A’C’D’+AB’C+BCD’+AB’C’D+ABC’D b3
S-BOX based on Multiplexer Input nibble 0011011010001101 b0 Hardwire all inputs of Mux 16:1 to logic one and zero as needed. 1000111011100001 b1 1110010000111001 Delay is a 16:1 multiplexer delay Area 4 16:1 Multiplexers b2 1010011101010100 b3
What you need to learn • Basic algorithms • Implementation of primitives-efficiently • Implementation options • Combining steps • Efficient key schedule calculation • Agility to change new keys • Properties of S-box, evaluation • Evaluation of Block ciphers –other prmitives rotation, modulo multiplication etc. • Design resistant to side-channel attacks • Software and hardware solutions