Lecture 5. Block Diagrams. Modes of Operation of Block Ciphers

Transcription

1 Lecture 5 Block Diagrams Modes of Operation of Block Ciphers

2 Modes of Operation of Block Ciphers ECE 448 FPGA and ASIC Design with VHDL

3 Block vs. stream ciphers M 1, M 2,, M n m 1, m 2,, m n K Block cipher K Internal state - IS Stream cipher C 1, C 2,, C n c 1, c 2,, c n C i =f K (M i ) c i = f K (m i, IS i ) IS i+1 =g K (m i, IS i ) Every block of ciphertext is a function of only one corresponding block of plaintext Every block of ciphertext is a function of the current block of plaintext and the current internal state of the cipher

4 Typical stream cipher Sender key initialization vector (seed) Receiver key initialization vector (seed) Pseudorandom Key Generator Pseudorandom Key Generator k i keystream k i keystream m i plaintext c i ciphertext c i ciphertext m i plaintext

5 Standard modes of operation of block ciphers Block cipher Block cipher turned into a stream ciphers ECB mode Counter mode CFB mode CBC mode

6 ECB (Electronic CodeBook) mode

7 Electronic CodeBook Mode ECB Encryption M 1 M 2 M 3 M N-1 M N K K K K K E E E E E... C 1 C 2 C 3 C N-1 C N C i = E K (M i ) for i=1..n

8 Electronic CodeBook Mode ECB Decryption C 1 C 2 C 3 C N-1 C N K K K K K D D D D D... M 1 M 2 M 3 M N-1 M N M i = D K (C i ) for i=1..n

9 Electronic CodeBook Mode ECB (simplified block diagram) M i C i K IN E C i = E K (M i ) M i = D K (C i ) K IN D OUT OUT C i M i

10 Electronic CodeBook Mode ECB (combined block diagram) bdi IN IN K E K D OUT OUT bdi = M i for Encryption C i for Decryption bdo bdo = C i for Encryption M i for Decryption

11 Counter Mode

12 E Counter Mode - CTR Encryption IV IV+1 IV+2 IV+N-2 IV+N-1... K K K K K E E E E... k 1 k 2 k 3 k N-1 k N m 1 m 2 m 3 m N-1 m N c 1 c 2 c 3 c N-1 c N c i = m i k i k i = E K (IV+i-1) for i=1..n

13 E Counter Mode - CTR Decryption IV IV+1 IV+2 IV+N-2 IV+N-1... K K K K K E E E E... k 1 k 2 k 3 k N-1 k N c 1 c 2 c 3 c N-1 c N m 1 m 2 m 3 m N-1 m N m i = c i k i k i = E K (IV+i-1) for i=1..n

14 IV Counter Mode CTR (simplified block diagram) IV counter IS i IN IS 1 = IV c i = E K (IS i ) m i IS i+1 = IS i +1 counter IS i IN K E OUT IS 1 = IV m i = E K (IS i ) c i IS i+1 = IS i +1 K E OUT c i c i m i m i

15 Counter Mode CTR (combined block diagram) IV counter bdi = m i for Encryption c i for Decryption IS i K IN E bdo = c i for Encryption m i for Decryption OUT bdo bdi

16 CFB (Cipher FeedBack) Mode

17 IV E Cipher Feedback Mode - CFB Encryption... E E E E... k 1 k 2 k 3 k N-1 k N m 1 m 2 m 3 m N-1 m N c 1 c 2 c 3 c N-1 c N c i = m i k i k i =E K (c i-1 ) for i=1..n, and c 0 = IV

18 IV E Cipher Feedback Mode - CFB Decryption... E E E E... k 1 k 2 k 3 k N-1 k N m 1 m 2 m 3 m N-1 m N c 1 c 2 c 3 c N-1 c N m i = c i k i k i =E K (c i-1 ) for i=1..n, and c 0 = IV

19 IV Cipher Feedback Mode CFB (simplified block diagram) IV register IS i IN IS 1 = IV c i = E K (IS i ) m i IS i+1 = c i register IS i IN K E OUT IS 1 = IV m i = E K (IS i ) c i IS i+1 = c i K E OUT c i c i m i m i

20 IV Cipher Feedback Mode CFB (combined block diagram) register bdi = m i for Encryption c i for Decryption K IN E IS i bdi bdo = c i for Encryption m i for Decryption OUT bdo bdi

21 CBC (Cipher Block Chaining) Mode

22 Cipher Block Chaining Mode - CBC Encryption IV m 1 m 2 m 3... m N-1 m N E E E E E... c 1 c 2 c 3 c N-1 c N c i = E K (m i c i-1 ) for i=1..n c 0 =IV

23 Cipher Block Chaining Mode - CBC Decryption c 1 c 2 c 3 c N-1 c N IV D D D... D D... m 1 m 2 m 3 m N-1 m N m i = D K (c i ) c i-1 for i=1..n c 0 =IV

24 Cipher Block Chaining Mode CBC IV (simplified block diagram) m i register IS i IS 1 = IV c i = E K (IS i m i ) IS i+1 = c i K IN D OUT K IN E OUT IS 1 = IV m i = D K (c i ) IS i IS i+1 = c i IS i register m i c i c i IV

25 Cipher Block Chaining Mode CBC (combined block diagram) IV bdi c i IN bdi register K D IS i OUT bdi IN K E OUT bdo

26 Advanced Encryption Standard (AES) Pseudocode ECE 448 FPGA and ASIC Design with VHDL

27 AES Encryption

28 AES Decryption

29 AES: Symbols, Block Diagrams, Interfaces ECE 448 FPGA and ASIC Design with VHDL

30 AES_Enc Encryption Only Key scheduling done as a part of initialization

31 Symbol start din key done init done_init rst AES_Enc 128 dout ready

32 Block Diagram AES_Enc Note: Bold line represents a 128 bit bus unless specified otherwise din 0 1 din Round sel_in en_in rkey key we dout en_fkey wr_rkey RAM din addr 0 1 sel_fkey ki KeyUpdate dout_fdb dout en_rkey round round ko dout

33 Block Diagram Round din input SubBytes output input ShiftRows output input MixColumns output dout_fdb rkey dout Note: Bold line represents a 128 bit bu unless specified otherwise

34 Block Diagram KeyUpdate ki[95..64] ki[ ] ki[63..32] ki[31..0] ROTWORD SUBWORD rcon ROM ko[ ] ko[63..32] ko[95..64] ko[31..0] Note: All buses are 32 bit wide unless specified otherwise 4 round

35 AES_Enc: Interface with the Division into the Datapath and Controller din din Enc Datapath 128 dout dout key key en_rkey wr_rkey en_fkey sel_fkey en_in sel_in round clk rst Note: Bold line represents a 128 bit bus unless specified otherwise 4 init init rst en_rkey wr_rkey en_fkey sel_fkey en_in sel_in round ready start start Enc Control done_init done ready done done_init

36 AES_Enc_KOF Encryption Only Key scheduling done On the Fly

37 Symbol 128 din 128 key start done AES_Enc_KOF rst 128 dout ready

38 Block Diagram AES_Enc_KOF Note: Bold line represents a 128 bit bus unless specified otherwise din key 0 1 sel_in en_in sel_in 0 1 round 4 din ki round dout_fdb Round rkey dout dout ko KeyUpdate

39 Block Diagram Round din input SubBytes output input ShiftRows output input MixColumns output dout_fdb rkey dout Note: Bold line represents a 128 bit bu unless specified otherwise

40 Block Diagram KeyUpdate ki[95..64] ki[ ] ki[63..32] ki[31..0] ROTWORD SUBWORD rcon ROM ko[ ] ko[63..32] ko[95..64] ko[31..0] Note: All buses are 32 bit wide unless specified otherwise 4 round

41 AES_Enc_KOF: Interface with the Division into the Datapath and Controller din key clk rst start din key start Enc_KOF Datapath 128 dout dout en_in sel_in round 4 rst en_in sel_in round ready ready Enc_KOF Control done done Note: Bold line represents a 128 bit bus unless specified otherwise

42 AES_EncDec Encryption and Decryption Key scheduling done as a part of initialization

43 Symbol 128 din start decrypt init 128 key done done_init AES_EncDec rst ready dout 128

44 Block Diagram AES_EncDec KeyUpdate round ko ki din en_fkey 4 sel_fkey 1 0 round Note: Bold line represents a 128 bit bus unless specified otherwise key en_lkey sel_in round invround 4 4 en_in 0 1 din Round rkey rkey din Inv Round din addr RAM we dout sel_round wr_rkey dout_fdb dout dout dout_fdb en_rkey 0 1 sel_decrypt dout

45 Block Diagram Round din input SubBytes output input ShiftRows output input MixColumns output dout_fdb rkey dout Note: Bold line represents a 128 bit bu unless specified otherwise

46 Block Diagram InvRound din input InvSubBytes output input InvShiftRows output input InvMixColumns output dout_fdb rkey dout Note: Bold line represents a 128 bit bu unless specified otherwise

47 Block Diagram KeyUpdate ki[95..64] ki[ ] ki[63..32] ki[31..0] ROTWORD SUBWORD rcon ROM ko[ ] ko[63..32] ko[95..64] ko[31..0] Note: All buses are 32 bit wide unless specified otherwise 4 round

48 AES_EncDec: Interface with the Division into the Datapath and Controller din key rst clk start init decrypt din key start init decrypt EncDec Datapath sel_decrypt invround round sel_round sel_in en_in en_rkey wr_rkey en_lkey en_fkey sel_fkey dout 128 dout Note: Bold line represents a 128 bit bus unless specified otherwise rst sel_decrypt invround round sel_round EncDec sel_in en_in Control en_rkey wr_rkey en_lkey en_fkey sel_fkey ready done_init done ready done done_init

49 Example of a Hierarchical Block Diagram JH hash function ECE 448 FPGA and ASIC Design with VHDL

50 rp SIPO rp rp group A q dg dg PISO 64 dout h 1..0 dgc 64 din 1024 IV C_IV zeros ha hb 1024 hc=ha hb rp dg dga dgb degroup 1024 q B dgc=dga dgb 1024 h JH 256: h=256 JH 512: h=512 R6 Cr R8 Cr r r rp Top Level

51 R8 : y = 1024 R6 : y = 256 R8/R6 r y y is the bit size of r S0 S1 S0 S1 S0 S1 S0 S1 Cr[0] Cr[1] Cr[y/4 2] Cr[y/4 1] A C L B D A C L B D PERMUTE rp y

52 L A 4 B 4 <<< A(3) 0 } <<< D(3) 0 } C D

53 Example of a Hierarchical Block Diagram BLAKE hash function ECE 448 FPGA and ASIC Design with VHDL

54 Top Level BLAKE 32 : b=512, h=256 BLAKE 64 : b=1024, h=512 b/2 IV b/2 1 0 b/2 64 din SIPO b c b/2 t c[0..7] b/8 1 b/2 t h Initialization c v b 0 b b/2 CV b/2 b b b b b V b/2 msg constant V Permute8 CM b b CM Core8 VP b b v Finalization h h b/2 b/2 b/2 PISO 64 dout

55 msg b Permute8 constant select8 b b b b b b b Pσ0 Pσ1 Pσ2 Pσ7 Pσ8 Pσ9 i 4 select8 b b b b b b i Note: hi and low denotes top and bottom half of the permutation table b m XOR_W CROSS c b m = m[0..15] c = c[0..15] cm 2i = m 2i c 2i+1 cm 2i+1 = m 2i+1 c 2i CM BLAKE 32 : b=512,w=32 BLAKE 64 : b=1024,w=64

56 Core8 BLAKE 32 : b=512, w=32 BLAKE 64 : b=1024, w=64 V[0] V[8] V[4] V[12] V[1] V[9] V[5] V[13] V[2] V[10] V[6] V[14] V[3] V[11] V[7] V[15] A B C D A B C D A B C D A B C D CM[0,1] 2w cm A G_mod B C D CM[2,3] 2w cm A G_mod B C D CM[4,5] 2w cm A G_mod B C D CM[6,7] 2w cm A G_mod B C D A B C D A B C D A B C D A B C D CM[8,9] 2w cm A G_mod B C D CM[10,11] 2w cm A G_mod B C D CM[12,13] 2w cm A G_mod B C D CM[14,15] 2w cm A G_mod B C D VP[5] VP[15] VP[0] VP[10] VP[6] VP[12] VP[1] VP[11] VP[7] VP[13] VP[2] VP[8] VP[4] VP[14] VP[3] VP[9]

57 G_mod 2i R2 <<< R4 <<< w w w w w w w w w w R1 <<< w w w R3 <<< w w w w w w w w w w w w B A C D B A C D w w w BLAKE 64 : w=64 BLAKE 32 : w=32 CM2i+1 CM

58 Interface of CipherCore Datapath ECE 448 FPGA and ASIC Design with VHDL

59 59 Block Diagram of AEAD npub npub TAG_SIZE sdi_ready sdi sdi_valid bypass_full bypass_wr KEY_SIZE W sdi sdi_ready pdi_ready pdi pdi_valid sdi_valid write din full empty dout read FIFO Bypass DBLK_SIZE/8 DBLK_SIZE/8 bdi_decrypt bdi_decrypt nsec_ready nsec_ready bdi_pad_loc bdi_valid_bytes bdi_valid_bytes bdi_pad_loc bdi_size bdi_size bdi_read bdi_read exp_tag_ready exp_tag_ready bdi_eot bdi_eoi bdi_eot bdi_eoi bdi_nodata bdi_nodata BS_BYTES bdi_proc bdi_ready bdi_ready bdi_proc bdi_ad bdi_ad nsec_read nsec_read npub_read npub_read key_updated key_needs_update key_ready key_needs_update key_ready key_updated rdkey_ready rdkey_read rdkey_ready rdkey_read npub_ready npub_ready W W 4 W 3 do do_ready do_valid do_ready do tag_ready tag_write msg_auth_valid msg_auth_done bypass_empty bypass_rd status dout ctrl din aux_fifo_status aux_fifo_dout aux_fifo_din aux_fifo_ctrl bypass_data do_valid Processor Post AUX FIFO bdo_nsec bdo_size bdo_ready bdo_write bdo_data tag_data Processor Pre Controller CipherCore Datapath CipherCore W TAG_SIZE len_a len_d len_a len_d exp_tag exp_tag CTR_AD_SIZE tag bdo bdi bdi key key rdkey rdkey nsec nsec NSEC_SIZE AEAD Core CipherCore pdi pdi_valid pdi_ready DBLK_SIZE RDKEY_SIZE AEAD SW msg_auth_done tag_ready tag_write msg_auth_valid msg_auth_done bdo_nsec bdo_ready bdo_write bdo_size DBLK_SIZE BS_BYTES+1 CTR_D_SIZE NPUB_SIZE

60 Input Ports (nonce, IV) (only few candidates) (we will not use it) (AD, M, C)

61 ECE 448 FPGA and ASIC Design with VHDL Timeline

62 Project Timeline: Draft Block Diagrams Thursday 10/15, 12 noon: First draft of block diagrams (Blackboard) Thursday 10/15, 1:00-4:30pm Friday 10/16, 1:00-8:00pm Discussion of draft block diagrams (30 minutes per person, 60 minutes per group, electronic sign-up using Doodle)

63 Project Timeline: Revised Block Diagrams Thursday 10/22, 12 noon Revised block diagrams due (Blackboard) Thursday 10/22, 1:00-4:30pm Friday 10/23, 1:00-8:00pm Discussion of revised block diagrams (30 minutes per person, 60 minutes per group, electronic sign-up using Doodle)