Algorithms for cryptography - Education and learning perspective

P.V.Ananda Mohan, Fellow IEEE

ECIL, Bangalore

14th Dec 2007


Agenda

• Introduction

• E-learning requirements

• Overview of Algorithms

• Case studies of Encryption, Authentication and message digest Algorithm implementations- what needs to be taught, at what level, for whom

• Conclusion

Introduction

Implementations of Cryptosystems

• Hardware options: ASIC, FPGA, DSP

• Software: PC applications, portable devices, mobile phones, e-commerce, ATMs etc.

• Smart cards, I-Buttons, key guns

• Key loading tools

• Key generation systems

• Algorithm implementation

Who wants to learn?

• (a) Implementers of a given algorithm

• Implementation of the given algorithm in a particular platform.

• Software implementation using C, C++

• Hardware implementation using (i) FPGAs (ii) DSPs or (iii) ASICs will be needed.

• Speed or area requirements (or resources on FPGA such as CLBs, gates in an ASIC) optimization

Who wants to learn?

• (b) Advanced implementers

• Tamper proof design

• Protection of IP or code

• Error/malfunction detection

• Side-channel attack resistance etc.

• Technological solutions or architectural solutions needed

• Extremely high speed of operation, for example IPSEC in gigabit routers

• Low-power implementations desired

• Agility regarding multiple algorithms and modes (e.g. DES, 3-DES, AES, Blowfish, IDEA, CBC mode, Counter mode, ECB mode, CFB, OFB)

Who wants to learn?

• (c) Researchers and cryptanalysts

• Fast implementations

• Secure protocols

• Key search engines for brute force attacks based on software and hardware

• Attacks

• Differential and linear cryptanalysis

• Power attacks

• New algorithms which are resistant to various types of attacks.

• New algorithms

• Cryptanalysis of new algorithms of others and old algorithms


Three Related domains

Encryption

Hashing and Digital Signatures

Authentication

Case studies

• One encryption algorithm based on a stream cipher

• One encryption algorithm based on a block cipher

• An RSA implementation

• A hash algorithm

STREAM CIPHERING

[Figure: clear data combined with a masking sequence to give ciphered data]

• Masking = modulo 2 addition

• No error propagation

3-STAGE LFSR

• Primitive polynomial is x^3 + x^2 + 1

• Key: non-zero initial conditions

[Figure: clocked three-stage shift register holding 1 0 1]

3-stage LFSR

• 101 (seed, initial condition)
• 010
• 001
• 100
• 110
• 111
• 011

• Period = 2^3 - 1 = 7 states
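Added example (not part of the original slides): a Python model of the 3-stage LFSR above that reproduces the seven listed states from seed 101, plus a Berlekamp-Massey routine that recovers the linear complexity and feedback polynomial from the output bits. The function names, the shift-right convention and the tap positions (2, 0) are assumptions chosen to match the slide's state sequence.

```python
"""Added example: 3-stage LFSR for x^3 + x^2 + 1 and its linear complexity."""

def lfsr_step(state, taps, nbits):
    """One clock: XOR the tapped bits, shift right, feed the result in at the MSB."""
    fb = 0
    for t in taps:
        fb ^= (state >> t) & 1
    return (state >> 1) | (fb << (nbits - 1))

def lfsr_states(seed, taps, nbits):
    """List the register states from the seed until the seed comes round again."""
    if seed == 0:
        raise ValueError("an all-zero seed never leaves the zero state")
    states, state = [seed], lfsr_step(seed, taps, nbits)
    while state != seed:
        if len(states) >= (1 << nbits):
            raise ValueError("state never returns to the seed; bit 0 must be tapped")
        states.append(state)
        state = lfsr_step(state, taps, nbits)
    return states

def is_maximal_length(taps, nbits):
    """True when the period is 2^n - 1, i.e. the feedback polynomial is primitive."""
    return len(lfsr_states(1, taps, nbits)) == (1 << nbits) - 1

def keystream(seed, taps, nbits, count):
    """Masking sequence: the LSB of the register at each clock."""
    out, state = [], seed
    for _ in range(count):
        out.append(state & 1)
        state = lfsr_step(state, taps, nbits)
    return out

def berlekamp_massey(bits):
    """Return (L, c): linear complexity and connection polynomial [c0=1, c1..cL].

    The sequence satisfies s[n] = c1.s[n-1] xor ... xor cL.s[n-L]. Read as the
    coefficients of x^L ... x^0, c is the characteristic polynomial of the LFSR.
    """
    n = len(bits)
    c = [1] + [0] * n            # current connection polynomial
    b = [1] + [0] * n            # copy saved at the last length change
    L, m = 0, -1
    for i in range(n):
        d = bits[i]              # discrepancy between prediction and bit i
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:
            t = c[:]
            shift = i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]

if __name__ == "__main__":
    print([format(s, "03b") for s in lfsr_states(0b101, (2, 0), 3)])
    bits = keystream(0b101, (2, 0), 3, 14)     # two full periods
    print(bits, berlekamp_massey(bits))        # L = 3, c = [1, 1, 0, 1]
    print(is_maximal_length((2, 0), 3), is_maximal_length((2, 1, 0), 3))
```

Seven output bits of a 3-stage register already exceed the 2L = 6 bits Berlekamp-Massey needs, which is why a single LFSR is never used as a keystream generator on its own.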

GSM Authentication using signature and encryption in a nutshell

[Figure: GSM authentication and encryption. Labels on both sides: Ki, RAND (128 bits), A3, SRES (32 bits) with a comparison (?), A8, Kc (64 bits), A5, Frame#, encrypted traffic]

Example: A5 Algorithm of GSM

• Clock controlled shift registers

• Fixed sparse primitive polynomials

• Initial conditions are the key (64 bits)

[Figure: LFSR 17, LFSR 19 and LFSR 23 connected to a LOGIC block]

What do you need to know

• Primitive polynomial: definition

• Testing for primitivity (software)

• Implementation of LFSR in software and hardware

• Combining LFSRs in many ways

• Linear complexity evaluation (using Berlekamp-Massey algorithm) and period

• Possible attacks, immunity

• Advanced systems (word level LFSRs, synthesis, NLFSRs)

• Design of new schemes and evaluation

• Study of known schemes like Bluetooth (E0), CAVE, A5 etc.

• Interactive exercises


BLOCK CIPHERS

N bit output block

N bit input block

K bit key

SYMMETRIC KEY ENCRYPTION ALGORITHMS

• Data encryption standard (DES)

• Triple DES

• International data encryption algorithm (IDEA)

• Blowfish

• RIJNDAEL - the advanced encryption standard

• Other AES candidates

General Features/Specifications

• Block length in bits

• Key length in bits

• Rounds

• Operations in each round

• Key schedule for all rounds

• Round key generation

• Decryption

• Modes of operation

• Any weak keys

• Complexity / execution time benchmarks

• Five modes of operation

ECB (Electronic codebook) mode

[Figure: cipher block with 64 bit input, 56 bit key and 64 bit output]

Cipher Block Chaining mode

[Figure: IV (Initialization Vector), text blocks 1, 2 and 3, three encryption blocks E, cipher text blocks]

CFB (Cipher feedback) mode

[Figure: shift register of (64-j) bits and j bits feeding DES encryption under the key; j bits of the output are used and 64-j bits discarded; plain text j bits, cipher text j bits]

OFB (Output feedback) mode

[Figure: encryption block E with 64-j bits and j bits of feedback; plain text, cipher text]

Basic Primitives in Block Ciphers

• Bit by bit exclusive OR

• Modulo 2^16 or 2^32 additions (use fast adders)

• Arbitrary rotations (left or right by any number of bits)

• Permutations

• S-Boxes

• Modulo multiplication (X.Y) mod N

• Exponentiation X^Y mod N

• Multiplicative inverses (1/X) mod N

• Galois field operations (multiplication, inversion, word based LFSRs)

Typical Architecture: Software, ASIC or FPGA

[Figure: key scheduler turning the actual key into round keys; round processors 1, 2, ..., k-1, k between input block and output block; multiplexer, latch, key register, mode control, clock]

• Round processors: individual or few or one

Rijndael (AES)

• Variable block length (128, 192, 256 bits)

• Variable key length (128, 192 or 256 bits)

• Block cipher

• Data and key arranged as rows and columns

• Byte level design

• Suitable for DSP or microprocessor based or ASIC implementation

Rijndael

• Four Rows

• Nb columns : Nb = Block length/32

• Nk columns : Nk = Key length/32

• Number of rounds dependent on Nb and Nk:

          Nb = 4   Nb = 6   Nb = 8
Nk = 4      10       12       14
Nk = 6      12       12       14
Nk = 8      14       14       14

Rijndael

• Rounds shown in Table +1 needed

• Each round consists of four operations:

• 1) Byte Substitution

• 2) Shift row

• 3) Mix column

• 4) Add Round key (modulo 2 bit by bit)

• Some steps can be combined.

Byte Sub: Step 1

First write data vertically:

a00 a01 a02 a03 a04 a05
a10 a11 a12 a13 a14 a15
a20 a21 a22 a23 a24 a25
a30 a31 a32 a33 a34 a35

Substitute for each byte from a Rijndael S-Box to get a new block: simple step

Rijndael

• Shift row: Step 2

First row: no shift
Second row: one byte left circular shift
Third row: two byte left circular shift
Fourth row: three byte left circular shift

Original:

1 5 9 13
2 6 10 14
3 7 11 15
4 8 12 16

The result is the permutation

1 6 11 16 5 10 15 4 9 14 3 8 13 2 7 12

Mix Column

• Mix column transformation: avoids a big 32 bit input, 32 bit output S-Box

• All bytes are treated as polynomials

• Example: the byte b7b6b5b4b3b2b1b0 is the polynomial b7 x^7 + b6 x^6 + b5 x^5 + b4 x^4 + b3 x^3 + b2 x^2 + b1 x + b0

• Columns are considered as polynomials over GF(2^8)

• The irreducible 8th degree polynomial used is x^8 + x^4 + x^3 + x + 1

MIX Column

• b(x) = [c(x).a(x)] mod (x^4 + 1)

• c(x) = "03".x^3 + "01".x^2 + "01".x + "02"

• We thus obtain all new columns corresponding to a(x).

Example

• d(x) = [a(x).b(x)] mod (x^4 + 1)

• a(x) = a3.x^3 + a2.x^2 + a1.x + a0

• b(x) = b3.x^3 + b2.x^2 + b1.x + b0

• d(x) = c6 x^6 + c5 x^5 + c4 x^4 + c3 x^3 + c2 x^2 + c1 x + c0

• c0 = a0b0, c4 = a3b1 + a2b2 + a1b3

• c1 = a1b0 + a0b1, c5 = a3b2 + a2b3

• c2 = a2b0 + a1b1 + a0b2, c6 = a3b3

• c3 = a3b0 + a2b1 + a1b2 + a0b3

• All + are Exclusive OR

• But x^4 = 1, x^5 = x, x^6 = x^2 mod (x^4 + 1)

• c0 = a0b0 + a3b1 + a2b2 + a1b3

• c1 = a1b0 + a0b1 + a3b2 + a2b3

• c2 = a2b0 + a1b1 + a0b2 + a3b3

• c3 = a3b0 + a2b1 + a1b2 + a0b3

• Each of the above is a multiplication in GF(2^8)

• Fortunately, all the bi are simple:

• 02H or 03H or 01H or 01H

Rijndael Mix Column: Step 3

a00 a01 a02 a03 a04 a05
a10 a11 a12 a13 a14 a15
a20 a21 a22 a23 a24 a25
a30 a31 a32 a33 a34 a35

Each column multiplied by c(x) gives

b00 b01 b02 b03 b04 b05
b10 b11 b12 b13 b14 b15
b20 b21 b22 b23 b24 b25
b30 b31 b32 b33 b34 b35
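Added example (not part of the original slides): Shift row and Mix column for a 128 bit block (Nb = 4) in Python, with Mix column computed from the c0..c3 sums above and b(x) fixed to c(x). The function names are illustrative, and INV_C_POLY is the inverse polynomial from the AES specification, which the slides do not give.

```python
"""Added example: Rijndael Shift row and Mix column for Nb = 4."""

def xtime(a):
    """Multiply a byte by 02 (by x) modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) if a & 0x100 else a

def gf_mul(a, b):
    """GF(2^8) product: XOR in a shifted copy of a for every set bit of b."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = xtime(a)
        b >>= 1
    return r

def poly_mul_mod(a, b):
    """d(x) = a(x).b(x) mod (x^4 + 1); lists hold coefficients [x^0, x^1, x^2, x^3].

    Because x^4 = 1, the product a_i.b_j lands on coefficient (i + j) mod 4,
    which gives exactly the four reduced sums c0..c3 on the slide.
    """
    d = [0, 0, 0, 0]
    for i in range(4):
        for j in range(4):
            d[(i + j) % 4] ^= gf_mul(a[i], b[j])
    return d

C_POLY = [0x02, 0x01, 0x01, 0x03]       # c(x) = 03.x^3 + 01.x^2 + 01.x + 02
INV_C_POLY = [0x0E, 0x09, 0x0D, 0x0B]   # inverse of c(x), from the AES specification

def mix_column(col):
    """One state column [a0, a1, a2, a3] multiplied by c(x)."""
    return poly_mul_mod(col, C_POLY)

def inv_mix_column(col):
    """Undo mix_column (used in decryption)."""
    return poly_mul_mod(col, INV_C_POLY)

def shift_rows(block):
    """block: 16 bytes written column by column; row r rotates left by r bytes."""
    out = [0] * 16
    for c in range(4):
        for r in range(4):
            out[4 * c + r] = block[4 * ((c + r) % 4) + r]
    return out

if __name__ == "__main__":
    # Bytes numbered 1..16 as on the Shift row slide.
    print(shift_rows(list(range(1, 17))))
    col = [0xDB, 0x13, 0x53, 0x45]      # constructed sample column
    mixed = mix_column(col)
    print([f"{b:02x}" for b in mixed], inv_mix_column(mixed) == col)
```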


Add (EXOR) Round Key

• Add Round key is Bit wise “exclusive or” of the complete block with the round key.

• Simple operation

• Round key used only in this step.

Key Scheduler to get round keys

• Initial round key addition

• Consider a 128 bit block.

• Each round key is 128 bits = four 32 bit words.

• Total number of 32 bit key words: 44 (initial add round key + 10 round keys)

• How to generate all round key words from the 128 bit (4 word) basic key?

Rijndael Key schedule

• We need 44 32 bit words W for Nk = 4, i.e. a 128 bit key.

• First four words are the given key data itself

• temp = W(i-1)

• W(i) = temp exor W(i-4) for all i except multiples of 4

• For i = multiples of 4, temp = subbyte(rotbyte(temp)) exor Rcon(i/4) is applied first, then W(i) = temp exor W(i-4)

• Rot byte is a one byte circular left shift of the word

• Rcon is a word with the three least significant bytes zero. The most significant byte is as per the table.

j       1   2   3   4   5   6   7   8   9   10
RC(j)   01  02  04  08  10  20  40  80  1B  36

Key Generation method

• Continue to get 44 words

K0 K4 K8  K12
K1 K5 K9  K13
K2 K6 K10 K14
K3 K7 K11 K15

[Figure: words W0 W1 W2 W3, function g, words W4 W5 W6 W7]
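Added example (not part of the original slides): the Nk = 4 key schedule above in Python, producing all 44 words. The slides do not define the S-box, so build_sbox derives it as in the AES specification (multiplicative inverse in GF(2^8) followed by the affine map with constant 63H); the function names are illustrative and the demo key is the example key of FIPS-197 Appendix A.

```python
"""Added example: Rijndael key schedule for a 128 bit key (Nk = 4, 44 words)."""

def xtime(a):
    """Multiply a byte by 02 in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) if a & 0x100 else a

def rotl8(b, n):
    """Rotate a byte left by n bits."""
    return ((b << n) | (b >> (8 - n))) & 0xFF

def build_sbox():
    """S-box = multiplicative inverse in GF(2^8), then the affine map (+ 63H)."""
    powers, x = [], 1
    for _ in range(255):              # 03 generates all 255 non-zero elements
        powers.append(x)
        x ^= xtime(x)                 # x.03 = x.02 + x
    sbox = [0x63] * 256               # the inverse of 00 is taken as 00
    for i, v in enumerate(powers):
        inv = powers[(255 - i) % 255]  # 03^i . 03^(255-i) = 1
        sbox[v] = (inv ^ rotl8(inv, 1) ^ rotl8(inv, 2)
                   ^ rotl8(inv, 3) ^ rotl8(inv, 4) ^ 0x63)
    return sbox

SBOX = build_sbox()

def rc_table(count=10):
    """RC(1..count): start at 01 and multiply by 02 each time."""
    table, rc = [], 1
    for _ in range(count):
        table.append(rc)
        rc = xtime(rc)
    return table

def rot_byte(word):
    """One byte circular left shift of a 32 bit word."""
    return ((word << 8) | (word >> 24)) & 0xFFFFFFFF

def sub_byte(word):
    """Apply the S-box to each of the four bytes of a word."""
    return int.from_bytes(bytes(SBOX[b] for b in word.to_bytes(4, "big")), "big")

def expand_key_128(key):
    """Return W(0)..W(43) for a 16 byte key; W(0) = K0 K1 K2 K3 and so on."""
    if len(key) != 16:
        raise ValueError("expected a 16 byte key")
    w = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(4)]
    rc = rc_table()
    for i in range(4, 44):
        temp = w[i - 1]
        if i % 4 == 0:                # Rcon has RC(i/4) in its most significant byte
            temp = sub_byte(rot_byte(temp)) ^ (rc[i // 4 - 1] << 24)
        w.append(temp ^ w[i - 4])
    return w

if __name__ == "__main__":
    # Example key from FIPS-197 Appendix A (not from the slides).
    words = expand_key_128(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"))
    print([f"{x:02X}" for x in rc_table()])
    print(" ".join(f"{x:08x}" for x in words[4:8]))
```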


S-BOX implementations

• ROM

• Logic Synthesis based

• Multiplexer based

• FOM (figure of Merit): Delay (access time), area, flexibility, insight

Logic Synthesis of S-BOX

• S1 first row: 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7

• Analyze the sequences of b3, b2, b1, b0

• The logic functions, assuming an input from a counter counting from zero to 15, are as follows:

• b3 = A'C'D' + AB'C + BCD' + AB'C'D + ABC'D

• b2 = D'C'B' + D'C'BA' + D'CB'A + DC'B + DCB'A' + DCBA

• b1 = D'C'B'A' + D'CB' + D'CBA' + DC'B' + DC'BA' + DCBA

• b0 = D'C'B + D'CB'A + D'CBA' + DC'B'A' + DCB' + DCBA

Input   Output   b3b2b1b0
0       14       1110
1       4        0100
2       13       1101
3       1        0001
4       2        0010
5       15       1111
6       11       1011
7       8        1000
8       3        0011
9       10       1010
10      6        0110
11      12       1100
12      5        0101
13      9        1001
14      0        0000
15      7        0111

b3 = A'C'D' + AB'C + BCD' + AB'C'D + ABC'D

[Figure: gate-level circuit with inputs A, B, C, D and output b3]

S-BOX based on Multiplexer

[Figure: the input nibble selects one of 16 hardwired inputs in each of four 16:1 multiplexers, whose outputs are b3, b2, b1 and b0]

• Hardwire all inputs of Mux 16:1 to logic one and zero as needed.

b3: 1010011101010100
b2: 1110010000111001
b1: 1000111011100001
b0: 0011011010001101

• Delay is a 16:1 multiplexer delay

• Area: 4 16:1 multiplexers
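Added example (not part of the original slides): a Python check that the three S-box realisations above agree, evaluating the sum-of-products expressions and the multiplexer constants against the S1 first row used as a ROM. It assumes A is the least significant counter bit and D the most significant, which the slides do not state; the function names are illustrative.

```python
"""Added example: ROM, logic-synthesis and multiplexer forms of the S1 first row."""

S1_ROW0 = [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7]   # ROM contents

# Sum-of-products expressions copied from the logic synthesis slide.
SOP = {
    "b3": "A'C'D' + AB'C + BCD' + AB'C'D + ABC'D",
    "b2": "D'C'B' + D'C'BA' + D'CB'A + DC'B + DCB'A' + DCBA",
    "b1": "D'C'B'A' + D'CB' + D'CBA' + DC'B' + DC'BA' + DCBA",
    "b0": "D'C'B + D'CB'A + D'CBA' + DC'B'A' + DCB' + DCBA",
}

# Hardwired data inputs of the four 16:1 multiplexers (input 0 first).
MUX = {
    "b3": "1010011101010100",
    "b2": "1110010000111001",
    "b1": "1000111011100001",
    "b0": "0011011010001101",
}

def eval_sop(expr, n):
    """Evaluate a sum of products for counter value n (assumed A = LSB, D = MSB)."""
    value = {"A": n & 1, "B": (n >> 1) & 1, "C": (n >> 2) & 1, "D": (n >> 3) & 1}
    for term in expr.replace(" ", "").replace("\u2019", "'").split("+"):
        product, i = 1, 0
        while i < len(term):
            bit = value[term[i]]
            if i + 1 < len(term) and term[i + 1] == "'":
                bit ^= 1              # a trailing ' complements the variable
                i += 1
            product &= bit
            i += 1
        if product:
            return 1
    return 0

def bit_plane(row, bit):
    """Output bit `bit` for inputs 0..15: the constants to hardwire on one mux."""
    return "".join(str((v >> bit) & 1) for v in row)

def sbox_from_logic(n):
    """S-box output rebuilt from the four logic functions."""
    return sum(eval_sop(SOP[f"b{k}"], n) << k for k in range(4))

def sbox_from_mux(n):
    """S-box output rebuilt from the four multiplexers selected by n."""
    return sum(int(MUX[f"b{k}"][n]) << k for k in range(4))

def mismatches():
    """Inputs on which ROM, logic and mux forms disagree (empty when consistent)."""
    return [n for n in range(16)
            if not (S1_ROW0[n] == sbox_from_logic(n) == sbox_from_mux(n))]

if __name__ == "__main__":
    for k in (3, 2, 1, 0):
        print(f"b{k}", bit_plane(S1_ROW0, k))
    print("mismatching inputs:", mismatches())
```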

What you need to learn

• Basic algorithms

• Implementation of primitives, efficiently

• Implementation options

• Combining steps

• Efficient key schedule calculation

• Agility to change new keys

• Properties of S-box, evaluation

• Evaluation of block ciphers - other primitives: rotation, modulo multiplication etc.

• Design resistant to side-channel attacks

• Software and hardware solutions


Authentication algorithms

Encryption and authentication

[Figure: S and D, each with key K] Conventional symmetric key based encryption

[Figure: S with key U, D with key R] CONFIDENTIALITY

• U stands for Public

• R stands for Private

[Figure: S with key R, D with key U] AUTHENTICATION

[Figure: S and D with keys R U R U] BOTH

Authentication

• Asymmetric systems (two keys, one public and another private, are needed)

• Three types of authentication possible

AUTHENTICATION USING RSA

• RSA (Rivest-Shamir-Adleman), named after its inventors

• Two keys are used (public key and private key)

Authentication using RSA

• m = message

• Public Key = (e,n)

• Private Key = (d,n)

• Encryption c = m^e mod n

• Decryption m = c^d mod n


Choice of n ,e,d

• Choose two large primes p and q.

• n = p.q

• Choose e such that e and (p-1).(q-1) are relatively prime.

• Calculate d so that ed = 1 mod((p-1).(q-1))


Example

• p = 47,q = 71

• (p-1).(q-1) = 46.70=3220

• choose e = 79

• then d = 1019.

• m=688 say

• c = 1570 and m = 688 after decryption

How to compute X^Y mod N

• X, Y and N are 1024 bit numbers typically.

• Repeated squaring and conditional multiplications

• 11^23 mod 37 = (11^16 . 11^4 . 11^2 . 11) mod 37

• Basic operation is A.B mod N

• X^Y mod N needs 2047 such operations at most for 1024 bit numbers

How to compute A.B mod N

• Example: 13.15 mod 23

• We do not want to do it in a straightforward manner.

• Write b = 13 in binary form: 1101

• Do repeatedly, starting from the msb: (2.Old + bi.A) mod 23
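Added example (not part of the original slides): the three RSA slides above tied together in Python. modmul is the msb-first (2.Old + bi.A) mod N recurrence, modexp builds repeated squaring and conditional multiplication on it while counting A.B mod N operations, and rsa_keypair reproduces d = 1019 for p = 47, q = 71, e = 79. All function names are illustrative.

```python
"""Added example: A.B mod N, X^Y mod N and the slide's RSA numbers."""
# Textbook RSA with toy primes, as on the slides. The loops below branch on
# key bits, so they are not a side-channel resistant design.

def modmul(a, b, n):
    """(a.b) mod n, scanning b from the msb: acc = (2.acc + bit.a) mod n."""
    a %= n
    acc = 0
    for i in range(b.bit_length() - 1, -1, -1):
        acc = (2 * acc + ((b >> i) & 1) * a) % n
    return acc

def modexp(x, y, n):
    """Return (x^y mod n, number of A.B mod N operations used)."""
    result, power, ops = 1 % n, x % n, 0
    while y:
        if y & 1:                       # conditional multiplication
            result = modmul(result, power, n)
            ops += 1
        y >>= 1
        if y:                           # repeated squaring: x^2, x^4, x^8, ...
            power = modmul(power, power, n)
            ops += 1
    return result, ops

def modinv(e, phi):
    """d with e.d = 1 mod phi, by the extended Euclidean algorithm."""
    r0, r1, t0, t1 = phi, e, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
    if r0 != 1:
        raise ValueError("e and (p-1).(q-1) are not relatively prime")
    return t0 % phi

def rsa_keypair(p, q, e):
    """Return (n, d) for primes p, q and public exponent e."""
    return p * q, modinv(e, (p - 1) * (q - 1))

def rsa_encrypt(m, e, n):
    if not 0 <= m < n:
        raise ValueError("message must be smaller than n")
    return modexp(m, e, n)[0]

def rsa_decrypt(c, d, n):
    return modexp(c, d, n)[0]

if __name__ == "__main__":
    print(modmul(15, 13, 23))           # the slide's 13.15 mod 23
    print(modexp(11, 23, 37))           # value and operation count
    n, d = rsa_keypair(47, 71, 79)
    c = rsa_encrypt(688, 79, n)
    print(n, d, c, rsa_decrypt(c, d, n))
```

For a k bit exponent the loop performs k - 1 squarings and at most k multiplications, which is the 2047 figure quoted above for k = 1024.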

What you need to learn

• Basic algorithms

• Primality testing

• Choice of primes

• Factorization problem

• Kernel for fast exponentiation mod M (multibit recoding, Montgomery's algorithm, redundant arithmetic, attack resistant design, scalability to 2048 bits)

• Software/hardware solutions


Digital signature algorithms

Authentication by digital signatures

[Figure: message M sent together with CK(M); function C with key K at both ends; COMPARE at the receiver]

General Principle of Hashing

• F is a compression function

• Yi are successive blocks in the input

• If F is collision resistant, so is the hash algorithm.

[Figure: chain of compression functions F starting from IV, with input blocks Y0, Y1, ..., YN-1]

SECURE HASH ALGORITHM

• Treats messages as 512 bit blocks

• Four rounds of 20 operations each

• Five Constants 32 bit A, B, C, D, E

• Uses nonlinear operations involving AND, OR, EXCLUSIVE-OR

• Uses circular shifts

• Generates a hash of 160 bits.

Improvement over MD5

SHA Hashing step

[Figure: one SHA step on registers A, B, C, D, E with additions (+), circular shifts S5 and S30, and inputs Wt and Kt]


What you need to learn

• Fundamentals of Hash functions

• Hash algorithms MD5, SHA, RIPE MD etc

• HMAC (hash using key)

• Collision issues

• New Hash function design to avoid collision

• Hardware/software implementations

Conclusion

• Sensitivity to issues addressed such as side channel attacks, compact hardware, protection of IP, power (low) - area (low) - time (fast) trade offs

• Fault tolerant designs (self checking)

• Self study modules with interactive question/answer type facility will be useful

• Testing/learning up to the desired level of proficiency shall be gracefully constructed with increasing depth of information

Books and Journals

• Stinson, Bruce Schneier, Menezes et al, Simmons, Rhee, Stallings, Rueppel, Beker and Piper, and many more

• IEEE Security and Privacy, IEEE Journal on Selected Areas in Communications, IEEE Transactions on Computers, IEEE Transactions on Information Theory, IEEE Journal of Solid-State Circuits, IEE Journal of Computers and Digital Techniques, Electronics Letters, IEEE Computer, Springer Verlag Conference Proceedings of ASIACRYPT, INDOCRYPT, Fast Software Encryption and so on, Journal of Cryptology, Cryptologia