AES [and other Block Ciphers] Implementation Tricks

Size: px

Start display at page:

Download "AES [and other Block Ciphers] Implementation Tricks"

Joan Parker
5 years ago
Views:

1 AES [and other Bloc Ciphers] Implementation Trics

2 Cryptographic algorithms Basic primitives Survey by Stephen et al, LNCS 1482, Sep. 98

3 General Structure of a Bloc Cipher

4 Useful Properties for Implementing Bloc Ciphers Bit-wise operations (XOR, AND, OR, etc.) LUT 4 x 1 X = a + b Y = X + c Z = Y + d Z = a + b + c + d

5 Useful Properties for Implementing Bloc Ciphers Substitution

6 Useful Properties for Implementing Bloc Ciphers Permutation Permutation = [1, 5, 4, 3, 2, 6] Change of wires Free of cost

7 Useful Properties for Implementing Bloc Ciphers Shift & rotation IN[31:0] A[31:24] B[23:16] C[15:8] 8-bit OUT[31:0] D[7:0] IN[24:0] Rotation Shifting 8-bit Cost free operations

8 Useful Properties for Implementing Bloc Ciphers Iterative nature Iterative IN Select One Round Latch CE CLK Out Pipeline IN 1 st Round 2 nd Latch n th Round Latch Round Latch Out CE CLK CE CLK CE CLK 1 st Round 2 nd Round n th Round Sub- Pipeline IN CLK2 Latch Latch Latch Latch Latch Latch Out CE CLK1 CE CLK1 CE CLK1

9 Useful Properties for Implementing Bloc Ciphers Parallelism X = a + b Y = X + c Z = Y + d Three cycle X = a + b Y = a + b + c Z = a + b + c + d One cycle X Y Z X Y Z

10 How FPGA implementations Speed up encryption??

11 Example for DES Implementation on FPGA Lot of permutation operations. Is there any difficulty? Substitution is a problem?

12 Permutations in Hardware (FPGA) concatenation operator right<=ip(56)&ip(48)&ip(40)&ip(32)&ip(24)&ip(16)&ip(8)& ip(0)&ip(58)&ip(50)&ip(42)&ip(34)&ip(26)&ip(18)&ip(10) &ip(2)&ip(60)&ip(52)&ip(44)&ip(36)&ip(28)&ip(20)&ip(12 )&ip(4)&ip(62)&ip(54)&ip(46)&ip(38)&ip(30)&ip(22)&ip(1 4)&ip(6); ip[63:0] right

13 Substitution in Hardware (FPGA) S1 S2 S3 S4 S5 S6 S7 S8 64 x 4 = 256 bits 64 x 4 = 256 bits 64 x 4 = 256 bits 64 x 4 = 256 bits 64 x 4 = 256 bits 64 x 4 = 256 bits 64 x 4 = 256 bits 64 x 4 = 256 bits 2048 bits = 2K CLB slices in memoy mode = 4 x 8 = 32 CLB slices Using selected BRAM => Virtex series devices contains more than 280 BRAMs of 4K each

14 DES implementation in Hardware (FPGA) Author Device CLB Slices Allowed Freq. (MHz) Throughput (Mbits/s) Biham(software) Alpha Wong et al 1998 XC4020E Kaps and Paar 1998 XC4028EX Free-DES 2000 XCV McLoony 2003 XCV Sandia 1999 ASIC 9280 Laboratories Patterson 2000 XCV (Jbits) This wor XCV

15 The same hold for other bloc ciphers?

16 AES AES Processes Plain Text 128 Key Scheduling Encryption Decryption AES 128 Cipher Text 128 Key

17 Rijndael Advanced Encryption Standard Rijndael bloc cipher algorithm has been chosen by NIST as the Advanced Encryption Standard 128, 192 and 256 bit bloc-length When it is called AES, it means bloc length of 128 bits only FPGA AES implementations: Single encryptor: Dandalis,, Elbirt, & Gaj, : 2000 Full encryptor/decryptor: McLoone & McCanny 2001 CHES Gbps

18 AES Encryption Algorithm Flow USER KEY SUB KEY SUB KEY IN ARK BS ARK BS SR ARK OUT SR MC (ROUND-1) BS: SR: MC: ARK: Byte Substitution Shift Rows Mix Column Add Round Key Selection of rounds

19 AES b Input = 128 bits = 16 bytes 0 b1 b2 b3 b4 b5 b6 b7 b8 b9 b10 b11 b12 b13 b14 b15 ' b b & b % b b b b b b b b b b b b b # " State Matrix Both plaintext and ey are arranged into 4 x 4 matrix

20 .. Round Key 10 Round Key 3 Round Key 1 Round Key 0 " # % & ' Key Scheduling " # % & ' " # % & ' User-ey Generated- eys

21 1. Byte Substitution SUB KEY BS ARK SR MC a 0,0 a 0,1 a 1,0 a 0,3 a 1,1 a 2,0 a 1,3 a 2,1 a 3,0 a 2,3 a 3,1 a 0,2 a 1,2 a 2,2 a 3,2 State Matrix a 3,3 S-BOX 16x16 b 0,0 b 0,1 b 1,0 b 0,3 b 1,1 b 2,0 b 1,3 b 2,1 b 3,0 b 2,3 b 3,1 b 0,2 b 1,2 b 2,2 b 3,2 b 3,3

22 Byte Substitution IN BRAM BRAM BRAM BRAM BRAM BRAM BRAM BRAM BRAM BRAM BRAM BRAM BRAM BRAM BRAM BRAM OUT 16 BRAMS OF 256 X 8

23 o n m p j i l e h g f d c b a p o n m l j i h g f e d c b a Offset 0 2. ShiftRow(SR) MC Offset 1 Offset 2 Offset 3 o n m p j i l e h g f d c b a p o n m l j i h g f e d c b a Offset 0 IMC Offset 1 Offset 2 Offset 3 BS ARK SR MC SUB KEY

24 ShiftRow(SR) SUB KEY BS SR ARK MC Offset 0 Offset 1 Offset 2 Offset 3 a e i m b f j n c g o d h l p a f p b g l m c h i n d e j o MC IN a bc d e f g h OUT j m no i l p

25 **Every entry is represented in GF(2 8 ) 3. MixColumn(MC) & Inv MixColumn(IMC) MC IMC i=0,1,2,3 BS ARK SR MC SUB KEY " # % & " # % & = " # % & ' ' ' ' i i i i c c c c c c c c 3, 2, 1, 0, 0,0 0,0 0,0 0, " # % & " # % & = " # % & ' ' ' ' i i i i c c c c E D B B E D D B E D B E c c c c 3, 2, 1, 0, 0,0 0,0 0,0 0, in GF(2 8 ) in GF(2 8 )

26 4. AddRoundKey(ARK) SUB KEY BS ARK SR MC ey b 0,0 b 0,1 b 0,2 b 0,3 0,0 0,1 0,2 0,3 a 0,0 a 0,1 a 0,2 a 0,3 b 1,0 b 2,0 b 1,1 b 2,1 b 1,2 b 2,2 b 1,3 b 2,3 = 1,0 2,0 1,1 2,1 1,2 2,2 1,3 2,3 a 1,0 a 2,0 a 1,1 a 2,1 a 1,2 a 2,2 a 1,3 a 2,3 b 3,0 b 3,1 b 3,2 b 3,3 3,0 3,1 3,2 3,3 a 3,0 a 3,1 a 3,2 a 3,3

27 Novel techniques for implementing AES round transformation Steps Key schedule S-Box & Inv. S-Box MC & Inv. MC

28 Key Schedule " % ' ' ' ' # & # 0 " 4 " 8 " " % % 1 " 5 " 9 " " % 2 " 6 " 10 " " % 3 " 7 " 11 " " & ( ( ( ( ' 0 " 0 13 Step 1 Step 2 Step 3 Step 4 ( ) rcon = Sbox " 4 = 4 0 " 8 = 8 " 4 " 12 = 12 " 8 " 0 " 0 13 Step 1 Step 2 ( ), Sbox rcon " = " " = " = , " " 12 =

29 Key Schedule 0 " 0 13 Step 1 Step 2 ( ), Sbox rcon " = " " = " = , " " 12 =

30 Byte Substitution (BS) Loo-up table method Composite Field approach MI AF S-BOX IN IAF MI INV S-BOX in GF(2 8 ) E/D IN IAF MI AF S-BOX INV S-BOX

31 Byte Substitution (BS) (MI manipulation) Loo-up table method Two methods to construct S-Box using loo-up table method 1. Using distributed memory 2. Using built in memories called BRAMs Composite Field GF((2 2 ) 2 ) 2 S. Morioa and A. Satoh, CHES Map the element A GF(2 8 ) to a composite field F 2. Compute the Multiplicative Inverse over the field F 3. Map bac from field F to GF(2 8 )

32 MixColumn (MC) ' % % % % & v ' a 01 "% a "% 03" % a "% 02# & a [ 0] [ 1] [ 2] [ 3] " " " " # = 02a 01a 01a 03a [ 0] 03a[ 1] 01a[ 2] 01a[ 3] [ 0] 02a[ 1] 03a[ 2] 01a[ 3] [ 0] 01a[ 1] 02a[ 2] 03a[ 3] [ 0] 01a[ 1] 01a[ 2] 02a[ 3] t = a[ 0] a[] 1 a[ 2] a[ 3] = a[ 0] a[] 1 v = xtime( v) a "[ 0] = a[ 0] v t = a[] 1 a[ 2] v = xtime( v) a "[] 1 = a[] 1 v t = a[ 2] a[ 3] v = xtime( v) a "[ 2] = a[ 2] v t = a[ 3] a[ 0] v = xtime( v) a "[ 3] = a[ 3] v t v v v v in GF(2 8 ) [ 0] ( 02a[ 0] 02a[ 1] ) ( a[ 0] a[ 1] a[ 2] a[ 3] ) a

33 MixColumn (MC) = a[] 1 a[ 2] a[ 3] xt 0 = xtime( a[ 0] ) a" [ 0] = v xto xt1 = a[ 0] a[ 2] a[ 3] xt 1 = xtime( a[] 1 ) a "[] 1 = v xt1 xt2 = a[ 0] a[] 1 a[ 3] xt 2 = xtime( a[ 2] ) a "[ 2] = v xt2 xt3 = a[ 0] a[] 1 a[ 2] xt 3 = xtime( a[ 3] ) a "[ 3] = v xt3 xt0 v v v v = a[] 1 a[ 2] a[ 3] xt 0 = xtime( a[ 0] ) a" [ 0] = [ 0] v xto xt1 = a[ 0] a[ 2] a[ 3] xt 1 = xtime( a[] 1 ) a "[] 1 = [] 1 v xt1 xt2 = a[ 0] a[] 1 a[ 3] xt 2 = xtime( a[ 2] ) a "[ 2] = [ 2] v xt2 xt3 = a[ 0] a[] 1 a[ 2] xt 3 = xtime( a[ 3] ) a "[ 3] = [ 3] v xt3 xt0 v v v v 02 v Key

Inv MixColumn(IMC) IMC ' 0E % % 09 % 0D % %& 0B 0B 0E 09 0D 0D 0B 0E 09 09 ' a 0D "% "% a 0B" % a "% 0E" #%& a [ 0] [ 1] [ 2] [ 3] " " " " "# = 0Ea 09a 0Da 0Ba [ 0] 0Ba[ 1] 0Da[ 2] 09a[ 3] [ 0] 0Ea[

34 Inv MixColumn(IMC) IMC ' 0E % % 09 % 0D % %& 0B 0B 0E 09 0D 0D 0B 0E ' a 0D "% "% a 0B" % a "% 0E" #%& a [ 0] [ 1] [ 2] [ 3] " " " " "# = 0Ea 09a 0Da 0Ba [ 0] 0Ba[ 1] 0Da[ 2] 09a[ 3] [ 0] 0Ea[ 1] 0Ba[ 2] 0Da[ 3] [ 0] 09a[ 1] 0Ea[ 2] 0Ba[ 3] [ 0] 0Da[ 1] 09a[ 2] 0Ea[ 3] Now compare MC & IMC? 08(x) 04(x) 02(x) IMC 0Ex = [ xtime( xtime( xtime( x )] [ xtime( xtime( x )] xtime( x) 02(x) MC 03x = xtime( x) x * 02x = xtime( x)

35 Inv MixColumn(IMC) We observe that, & 0E 09 0D % 0B 0B 0E 09 0D 0D 0B 0E # 0D 0B 0E" = & % # & " % # " (1) (2) ( xtime( x ) x 05x = xtime The biggest co-efficient for Eq.2 is, 05 Eq.1, we already have(mc), Eq.2 calculation can be made before Eq.1

36 Implementing AES on FPGAs Architecture 1: Encryptor core Sequential approach Architecture 2: Encryptor core Pipeline approach Architecture 3: Encryptor/decryptor core MC/IMC modified approach Architecture 4: Encryptor/decryptor core Using loo-up table method Architecture 5: Encryptor/decryptor core Using composite field approach

37 AES Implementation Strategies The commonly used architecures are: Iterative looping One round repeated n times Loop unrolling round 1 round round n n rounds Inner-round pipeling Register 1 Stage 1 Register 2... Stage Register one round

38 Architecture 1 Sequential Approach PLAIN TEXT USER-KEY RND 0 S ROUND-KEY RND 1-9 CLK LATCH ROUND-KEY RND 10 CIPHER TEXT USER KEY S RCON KGEN CLK LATCH ROUND KEY

39 Architecture 2 Pipelined Approach IN IN REG RND 0 RND 1 RND 2 RND 3 RND 4 RND 5 RND 6 RND 7 RND 8 RND 9 RND 10 OUT RK 0 RK 1 RK 2 RK 3 RK 4 RK 5 RK 6 RK 7 RK 8 RK 9 RK 10 USER- KEY IN REG KGEN KGEN KGEN KGEN KGEN KGEN KGEN KGEN KGEN KGEN KGEN

40 Architecture 3 Encryption/Decryption ENC E/D AF MC E/D IN ISR MI SR IMC ARK OUT DEC IAF IARK IN ENC DEC ISR IAF E/D MI AF SR ModM E/D MC ARK OUT Encryption: MI + AF + SR + MC + ARK Decryption: ISR + IAF + MI + ModM + MC + ARK

41 Architecture 4 Encryptor/decryptor core using loo-up table method IN ISR IAF E/D MI AF SR IMC IARK MC ARK E/D OUT Same S-Box (MI) for encryption/decryption Memory requirements become half BRAMs are used for storing MI values. No initial time to prepare them

42 Architecture 5 Encryptor/decryptor core using composite field for MI M Ist MI FIELD 2nd F TO GF(28 ) Transformation Manipulation Transformation M-1 GF(2 8 ) TO FIELD F GF(2) 2 ) 2 8 A GF(2 8 ) to GF(2 4 ) A H 4 4 A L X 2 A L Xl Mul 4x4 l A H 2 A L A 16 A 17 A L 16 X -1 A H Mul 4x4 Mul 4x4 4 GF(24 ) to 4 GF(2 8 ) 8 A -1 Let A F 2 and A= A H y + A L, then it can be shown that: A A = = A A H 16 y + A ( A + H AL) ; ( ) = 0 y + l AH A + H AL A = l L A + H AL AL

43 AES Algorithm Implementations Results Comparison

44 AES Implementation Strategies Metrics to measure performance 1 Throughput := Cloc cycle (Frequency) x No. of bits No. of rounds 2 Area CLB slices, BRAMs etc. 3 Ratio= Throughput/Area

45 Architecture 1: AES encryptor core using sequential approach Device Area Throughput Through-put/Area (XCV) (CLB slices) (Mbs) Gaj et al [1] Dandalis et al [2] Nazar et al %, 51% 22%, 26% Architecture 2: AES encryptor core using pipeline approach Device Area (CLB slices) Throughput Throughput/Area (XCV) (Mbits/s) Elbirt et al [3] Nazar et al % 47%

46 Architecture 3: AES encryptor/decryptor core using MC/IMC modified approach Device BRAMs CLB(S) Slices Throughput (Mbits/s)(T) T/S McLoone et al XCV3200E This design XCV2600E % 27.03% Two approach for MC/IMC Less BRAMs Less Slices Higher Throughput reported to-date

47 Architecture 4 & 5: AES encryptor/decryptor core using MI loo-up table and composite field approach Device BRAMs CLB(S) Throughput T/S Slices (Mbits/s)(T) McLoone XCV3200E E/D GF(2 8 ) XCV2600E E/D GF(2 4 ) XCV2600E No BRAMs 11%, 77 % 25%, 3 % Two approaches for MI First design uses loo-up table for MI, Key Scheduling included Fast but high memory requirements No initial delay Second design use composite field approach for MI, Slower with less memory requirements. Both are efficient as compared to reported design

48 Related Publications 1. Nazar A. Saqib, Francisco Rodriguez-Henriquez, and Arturo Diaz-Perez, Sequential and pipelined architectures for AES implementation, proceedings of IASTED international conference COMPUTER SCIENCE AND TECHNOLOGY, pp , May 19-21, 2003, Cancun Mexico. 2. F. Rodriguez-Henriquez, N.A. Saqib, and A. Diaz-Perez, 4.2 Gbit/s single-chip FPGA implementation of AES algorithm, ELECTRONICS LETTERS, Vol.39, No. 15, July 24, Nazar A. Saqib, Francisco Rodriguez-Henriquez, and Arturo Diaz-Perez, Two Approaches for a Single-Chip FPGA Implementation of an Encryptor/Decryptor AES Core, FPL 2003, Lecture Notes in computer Science 2778, pp , 2003 (FPL 2003, Sep 1-3, Lisbon,Portugal). 4. Nazar A. Saqib, Francisco Rodriguez-Henriquez, and Arturo Diaz-Perez, AES Algorithm Implementation-An efficient approach for Sequential and Pipeline architectures, Fourth Mexican International Conference on Computer Science, ENC 03, pp , Sep. 8-12, 2003, Tlaxcala, Mexico. 5. Nazar A. Saqib, Arturo Diaz-Perez and Francisco Rodriguez-Henriquez, Highly Optimized Single-Chip FPGA Implementations of AES Encryption and Decryption Cores, Accepted for Iberchip 2004

49 Conclusions A promising AES Encryptor/decryptor core (contributions for AES S-Box/Inv S-Box) Using loo-up table for S-Box Using Composite Fields GF(2 4 ) An optimized AES Encryptor/decryptor core (contributions for AES MC/IMC) Using Modified version for IMC A sequential and pipeline encryptor core (tradeoff between speed and area) Future wor: completion of ECC scalar multiplication Thesis writing and defense

Design of Low Power Optimized MixColumn/Inverse MixColumn Architecture for AES

Design of Low Power Optimized MixColumn/Inverse MixColumn Architecture for AES Rajasekar P Assistant Professor, Department of Electronics and Communication Engineering, Kathir College of Engineering, Neelambur,