Efficient Hardware Architecture of SEED S-box for Smart Cards

Transcription

1 JOURNL OF SEMICONDUCTOR TECHNOLOY ND SCIENCE VOL.4 NO.4 DECEMBER 4 37 Efficient Hardware rchitecture of SEED S-bo for Smart Cards Joon-Ho Hwang bstract This aer resents an efficient architecture that otimizes the design of SEED S-bo using comosite field arithmetic. SEED is the Korean standard -bit block ciher algorithm develoed by Korea Information Security gency. The nonlinear function S-bo is the most costly oeration in terms of size and ower consumtion taking u more than 3% of the entire SEED circuit. Therefore the S-bo design can become a crucial factor when imlemented in systems where resources are limited such as smart cards. In this aer we transform elements in to comosite field where more efficient comutations can be imlemented and transform the comuted result back to. This technique reduces the S-bo ortion to 5% and the entire SEED algorithm can be imlemented at 7 gates using Samsung smart card CMOS technology. Inde Terms SEED S-bo symmetric encrytion block ciher comosite field smart card. I. INTRODUCTION SEED algorithm is a -bit symmetric key block ciher that has been develoed by Korea Information Security gency KIS and a grou of eerts in 99 []. SEED is a national industrial association standard TTS KO and is widely used to rotect electronic transactions financial services and electronic mails rovided in Korea. SEED is a 6-round Feistel structure using -bit Manuscrit received November 3 4; revised December 4. SoC R&D Center Samsung Electronics Seoul Korea joonho.hwang@samsung.com message block and -bit key for oeration. SEED utilize the S-boes and ermutations for high security level and is known to be strong against differential crytanalysis and linear crytanalysis until now. There are several factors to consider when imlementing a block ciher such as SEED. There have been literatures to imrove the erformances [6] however there have been no ublication on how to imlement effectively on systems where resources are limited such as smart cards. In such systems it is imortant to kee the gate count as well as the ower consumtion to minimum since they have rigorous constraints on such factors. nother factor to consider is the vulnerability to side channel attacks. Smart cards have a characteristic that it can be easily robed and side channel attacks such as Differential Power nalysis DP [7] can be erformed. Hence countermeasure against these side channel attacks is another challenging factor to consider when imlementing crytograhic ules. One of the advantages of using comosite field arithmetic for S-bo imlementation is that random masking techniques can be designed for SEED [] to revent side channel attacks. However crytanalysis is not the main subject of this aer and hence will not be mentioned any further. The idea of using comosite field arithmetic for S- bo designs were first alied to ES dvanced Encrytion Standard block ciher [][3][4][5]. The main oeration of ES S-bo is an inverse oeration for elements in whereas the main oeration of SEED S-bo is an ular eonentiation for elements in. lso the rimitive olynomial used for ES S-bo is different from the rimitive olynomial used for SEED S-bo. Therefore the comosite field transformation for ES S-bo cannot be d irectly

2 ..3 JOON-HO HWN EFFICIENT HRDWRE RCHITECTURE OF SEED S-BOX FOR SMRT CRDS alied to SEED S-bo. In the remainder of this aer we resent an efficient architecture of imlementing SEED S-bo using comosite field technique. The aer is organized as follows In section we give a brief introduction to SEED block ciher algorithm. Section 3 describes our new architecture for SEED S-bo and section 4 gives some imlementation results of our new architecture. Finally our conclusion is given in section 5.. Round function F The round function F divides the 64-bit inut block into two 3-bit blocks C D and goes through 4 hases a miing hase with two 3-bit round key blocks K[i] K[i] and 3 layers of function with additions for miing two 3-bit blocks. The round function F is shown in Figure. II. DESCRIPTION OF SEED LORITHM D This section gives a brief descrition on SEED block ciher algorithm. More detailed information can be obtained in []. K[i] K[i]. Structure of SEED SEED is a classical Feistel structure ciher with 6 rounds. Feistel structure cihers have a common characteristic that an inverse function does not have to eist. The decrytion rocess is eactly the same as the encrytion rocess ecet that the round keys are arranged in reverse sequences. Therefore no C D Fig.. Structure of round function F distinguishment needs to be made between an SEED The denotes a bitwise eclusive OR oeration and encrytion circuit and a SEED decrytion circuit. - the boed denotes an addition in ular 3. bit inut is divided into two 64-bit blocks and the right 64-bit block is an inut to the round function F with a 64- bit round key generated from the key scheduling. The structure of SEED is shown in Figure..C 3. Function The function has two layers a layer of two S- L[] R[] boes and a layer of block ermutation of siteen 6-bit sub-blocks. F K[] L[] R[] d c b a K[].F S S S S Block Permutation L[5] R[5] F K[6] d c b a L[6] R[6] Fig.. Feistel structure of SEED Fig. 3. Structure of function

3 JOURNL OF SEMICONDUCTOR TECHNOLOY ND SCIENCE VOL.4 NO.4 DECEMBER 4 39 The first layer of two S-boes is generated from the following equation S S where 56 5 S S where 5 6 olynomial rimitive 4. Key scheduling The descrition of the SEED key schedule will be omitted in this aer because our roosed architecture is indeendent of the structure of the SEED key schedule. III. SEED S-BOX IN COMPOSITE FIELD In general the ular eonentiation calculation in equation and is very comlicated to imlement and hence is usually imlemented as a looku table or as SOP Sum-of-Product logic circuits generated by CD tools. In this section we resent an efficient way to imlement equation and where elements are transformed to comosite field elements for comutation.. Modification of S-bo equations Since the inuts and oututs of S-bo equations are all elements of the following congruence is true The following congruence can be derived from Therefore S-bo S can be ified as follows. 69 S 5 Equivalently S-bo S can be ified as follows S 6 s seen in equation 5 and 6 the S-bo equations for SEED have been ified to inverse oeration with additional squaring oerations. However squaring in is merely matri transformations and eventually can be merged with inverse isomorhic transformation and affine transformation at the final stage requiring no additional hardware resources. Therefore most art of S-bo oeration will be concentrated in inverse calculation.. Isomorhic transformation In order to otimize the inverse calculation we transform elements to comosite field elements defined by the following irreducible olynomials. 5 6 field Original {{}{}} {} field Comosite The isomorhic transformation of to using the above irreducible olynomial can be given by the following matri transformation δ. f δ δ

4 3 JOON-HO HWN EFFICIENT HRDWRE RCHITECTURE OF SEED S-BOX FOR SMRT CRDS 3. Inverse calculation in comosite field a[] Once the element is transformed into a comosite field element the inverse calculation can be done with the following circuit. a[] b[] aⅹb[] aⅹb[] X[3] X [3] X[3] Xλ[3] X[] X [] X[] Xλ[] b[] X[] X[] X [] X [] X[] X[] Xλ[] Xλ[] Fig. 6. multilier circuit X[74] X ⅹλ Mult X - [74] 4. Inverse isomorhic transformation Inv X[3] Mult Mult X - [3] Fig. 4. inverse calculation circuit The inverse calculation circuit is constructed with three multiliers and a inverse calculation. The multilier circuit is give in the following diagram. The element in must be transformed back to the original field once inverse is comuted. The inverse isomorhic transformation δ - is simly the inverse matri of isomorhic transformation δ. However the inverse matri must be merged with squaring transformation matri and affine transformation matri to get the S-bo result in equation 5 and 6. This is deicted in Figure 7. Mult ⅹФ [] Ф[] a[3] [] Ф[] a[] Mult aⅹb[3] b[3] b[] Mult aⅹb [] Fig. 5. multilier circuit The multilier circuit is constructed with three multiliers and eclusive OR oerations. Breaking down more into lower field the multilier circuit is constructed with bitwise ND oerations and eclusive OR oerations. The structure for multilier circuit is given in Figure 6. The inverse calculation can be either constructed as a re-comuted looku table since it is simle enough by having only 644 cases or by breaking down more into lower field multilication in the similar manner. The described circuits above calculate the inverse value of an element in and this is much more efficient than calculating the inverse value of an element in. Fig. 7. Inverse isomorhic transformation rocess IV. IMPLEMENTTION RESULTS Table. Imlementation results of SEED Our method Conventional rea S-bo 66 5% 354 3% ates Total Critical Path 3 ns 5 ns Throughut MHz We imlemented SEED with Verilog-HDL using the resented architecture. Our imlementation used the

5 JOURNL OF SEMICONDUCTOR TECHNOLOY ND SCIENCE VOL.4 NO.4 DECEMBER 4 3 shared -function scheme since it was otimized for area and ower and therefore requires 7 clock cycles for each round. We simulated our imlementation with Cadence NC-Verilog and synthesized it with Synosys Design-Comlier. The imlementation was simulated and synthesized with Samsung smart-card library smart3 which is a.µm CMOS technology. The results are summarized in Table. V. CONCLUSION "Hardware Imlementation of -Bit Symmetric Ciher SEED" IEEE P-SIC. [7] P. Kocher J. Jaffe and B. Jun "Differential Power nalysis" dvances in Crytology - CRYPTO 999 LNCS Vol [] Y.J. Baek and J.H. Hwang "Imroved lgorithms for converting between Boolean Mask and rithmetic Mask" to aear in Fourth Conference on Security in Communication NetworksSCN '4 4 In this aer we resented an efficient hardware architecture for SEED S-bo imlementation using comosite field arithmetic. This architecture is alicable to systems where resources such as area and ower are limited as in smart cards or mobile devices. The reduction of comleity for S-bo results in a very comact and secure hardware architecture of SEED block ciher algorithm. REFERENCES [] Korea Information Security gency KIS SEED lgorithm Secification available at htt//www. kisa.or.kr. [] National Institute of Standards and Technology NIST dvanced Encrytion Standard ES FIPS Publication 97 Nov.. [3]. Rudra et al "Efficient Rijndael encrytion imlementation with comosite field arithmetic" Proc. CHES LNCS Vol [4]. Satoh S. Morioka K. Takano and S. Munetoh " Comact Rijndael Hardware rchitecture with S-Bo Otimization" dvances in Crytology - SICRYPT LNCS Vol [5] S. Morioka and. Satoh "n Otimized S-Bo Circuit rchitecture for Low Power ES Design" Proc. CHES LNCS Vol [6] D.W. Kim Y.H. Seo J.H. Kim and Y.J. Jung Joon-Ho Hwang received his B.S. and M.S. degrees in electronic and electrical engineering from Pohang University of Science and Technology POSTECH Korea in 999 and resectively. He was a member of the information security and telecommunication laboratory during the M.S. course where he concentrated research on crytograhy and PKI. He is currently a research engineer at Samsung Electronics SoC R&D Center. His current research interests include hardware architecture of crytograhic algorithms side-channel attacks and countermeasure schemes for such attacks.