Download ppt - Algorithms for cryptography- Education and learning perspective P.V.Ananda Mohan Fellow IEEE ECIL, Bangalore 14 th Dec 2007

Algorithms for cryptography- Education and learning

perspective

P.V.Ananda Mohan Fellow IEEE

ECIL, Bangalore

14th Dec 2007

Agenda

• Introduction

• E-learning requirements

• Overview of Algorithms

• Case studies of Encryption, Authentication and message digest Algorithm implementations- what needs to be taught, at what level, for whom

• Conclusion

Introduction

Implementations of Cryptosystems

Hardware Options

Software PC applicationsPortable Devices Mobile PhonesE-CommerceATMs etc

ASIC FPGA DSP

Smart cardsI-Buttons Key Guns

Key Loading Tools

Key Generation Systems

Algorithm Implementation

Who wants to learn?

• (a) Implementers of a given algorithm• Implementation of the given algorithm in a

particular platform.• Software implementation using C, C++ • Hardware implementation using (i) FPGAs

(ii) DSPs or (iii) ASICs will be needed.• Speed or Area Requirements (or

resources on FPGA such as CLBs, gates in an ASIC) Optimization

Who wants to learn?• (b) Advanced implementers• tamper proof design• protection of IP or code• Error/malfunction detection• Side-channel attack resistance etc.• Technological solutions or architectural solutions needed• Extremely high speed of operation for example IPSEC in

gigabit routers• Low-power implementations desired • Agility regarding Multiple Algorithms , modes (e.g DES,3-

DES,AES, Blow Fish, IDEA, CBC mode, Counter mode, ECB mode, CFB, OFB)

Who wants to learn?

• (c) Researchers and cryptanalysts• Fast implementations • Secure protocols • Key Search engines for brute force attacks based on

Software and hardware • Attacks• Differential and linear cryptanalysis• Power Attacks• new algorithms which are resistant to various types of

attacks.• New Algorithms • Cryptanalysis of New Algorithms of others and old

Algorithms

Three Related domains

Encryption

Hashing and Digital Signatures

Authentication

Case studies

• One encryption algorithm based on a stream cipher

• one encryption algorithm based on a block cipher

• A RSA implementation

• A Hash algorithm

STREAM CIPHERING

Clear data Ciphered data

= Masking = modulo 2

No error Propagation

Masking sequence

3-STAGE LFSR

• Primitive Polynomial is x3+x2+1

clock

1 0 1

Key

Non-zero initial conditions

3-stage LFSR

• 101 • 010• 001 • 100• 110• 111• 011

•seed (initial condition)•period= 23-1=7 states

GSM Authentication using signature and encryption in a nutshell

RANDSRES

A5

A8

A3A3

A8

A5

?

KiKi

RAND 128 BitsRAND

RAND

SRES (32 bits)

KiKi

Frame# Frame#Encrypted traffic

Kc 64 bitsKc 64 bits

Example: A5 Algorithm of GSM

• Clock Controlled Shift registers

• Fixed sparse Primitive polynomials

• Initial conditions is the key (64 bits)

LFSR 17

LFSR 19

LFSR 23

LOGIC

What do you need to know

• Primitive polynomial: definition• Testing for Primitivity (software) • Implementation of LFSR in Software and hardware• Combining LFSrs in many ways • Linear Complexity evaluation (using Berlekamp-Massey

Algorithm) and period• Possible Attacks-immunity• Advanced systems (word level LFSRs-synthesis,

NLFSRs)• Design of New schemes and evaluation • Study of known schemes like BlueTooth (E0), CAVE, A5

etc • Interactive exercises

BLOCK CIPHERS

N bit output block

N bit input block

K bit key

SYMMETRIC KEY ENCRYPTION ALGORITHMS

• Data encryption standard(DES)• Triple DES• International data encryption algorithm

(IDEA)• Blowfish• RIJNDAEL - the advanced encryption

standard• Other AES candidates

General Features/Specifications

• Block length in bits• Key length in Bits• Rounds• Operations in Each round• Key Schedule for all rounds • Round Key generation• Decryption• Modes of operation• Any Weak Keys• Complexity / Execution time Benchmarks• Five modes of operation

56 bit key

64 bit input

64 bit output

ECB (Electronic codebook mode

Cipher Block Chaining mode

E E E

Text block1

Textblock2

Textblock3

IV(Initialization Vector)

Cipher text blocks

• CFB(CIPHER FEEDBACK MODE)

DES Encryption

key

Plain text j bits Cipher text j bits

J bits(64-J) bitsShift Register

J bits Discard 64-j bits

OFB (Output feedback) mode

E

Plain text Cipher

text

64-j bits j bits

Basic Primitives in Block Ciphers

• Bit by bit exclusive OR • Modulo 216 or 232 Additions (use fast adders)• Arbitrary rotations (left or right by any number of bits)• Permutations • S-Boxes• Modulo Multiplication (X.Y) mod N• Exponentiation XY mod N• Multiplicative Inverses (1/X) mod N• Galois field operations (multiplication, inversion, word

based LFSRs)

Typical Architecture Software, ASIC or FPGA

Key Scheduler

Actual key

Round Keys

Round Processor 1

Round Processor k

Round Processor2

Round Processor k-1

Input block

Output block

Multiplexer

Latch Round processors individual or few or one

Mode controlKey Register

Clock

Rijndael (AES)

• Variable block length (128,192,256 bits)• Variable key length( 128,192 or 256 bits) • Block cipher• Data and key arranged as rows and

columns• Byte level design • Suitable for DSP or Microprocessor based

or ASIC implementation

Rijndael

• Four Rows

• Nb columns : Nb = Block length/32

• Nk columns : Nk = Key length /32

• Number of rounds dependent on Nb and Nk:

4 6 8 4 10 12 146 12 12 14

8 14 14 14

Nk

Nb

Rijndael

• Rounds shown in Table +1 needed

• Each round consists of four operations:

• 1)Byte Substitution

• 2) Shift row

• 3)Mix column

• 4) Add Round key (modulo 2 bit by bit)

• Some steps can be combined.

Byte Sub: Step 1

• a00 ao1 ao2 a03 ao4 ao5

• a10 a11 a12 a13 a14 a15

• a20 a21 a22 a23 a24 a25

• a30 a31 a32 a33 a34 a35

First write data vertically

Substitute for each byte from a Rijndalel S-Box to get a new block: Simple step

Rijndael• Shift row: Step 2

First row no shift

Second row One byte left circular shift

2 byte left circular shift Third row

Fourth row Three byte left circular shift

1 5 9 13

2 6 10 14

3 7 11 15

4 8 12 16

The result is the permutation

1 6 11 16 5 10 15 4 9 14 3 8 13 2 7 12

Original

Mix Column

• Mix column Transformation -Avoids a big 32 bit input 32 bit output S-Box

• All bytes are treated as polynomials

• Example the byte b7b6b5b4b3b2b1b0 is the polynomial b7x7

+b6x6+b5x5

+b4x4+b3x3

+b2x2+b1x+b0

• Columns are considered as polynomials over GF(2**8)

• The irreducible 8th degree polynomial used is x8+x4+x3+x+1

MIX Column

• b(x)=[c(x).a(x)] mod (x4 +1)

• c(x) = “03” x3 + “01”.x2 + “01”.x+”02”

• we thus obtain all new columns corresponding to a(x).

Example• d(x)=[a(x).b(x)] mod (x4 +1)• a(x) = a3.x3 + a2.x2 +a1.x+a0

• b(x) = b3.x3 + b2.x2 +b1.x+b0

• d(x)=c6x6+c5x5+c4x4+c3x3+c2x2+c1x+c0

• c0= a0b0, c4=a3b1+a2b2+a1b3

• c1=a1b0+a0b1, c5= a3b2+a2b3

• c2=a2b0+a1b1+a0b2, c6=a3b3

• c3=a3b0+a2b1+a1b2+a0b3

• All + are Exclusive OR• But x4=1,x5=x,x6=x2 mod (x4+1)

• c0= a0b0+a3b1+a2b2+a1b3

• c1=a1b0+a0b1+a3b2+a2b3

• c2=a2b0+a1b1+a0b2+a3b3

• c3=a3b0+a2b1+a1b2+a0b3

• Each of the above is a multiplication in GF(8)

• Fortunately, all bi s are simple.

• 02H or 03 H or 01H or 01H

Rijndael Mix Column: Step3

• a00 a01 a02 a03 ao4 a05• a10 a11 a12 a13 a14 a15• a20 a21 a22 a23 a24 a25• a30 a31 a32 a33 a34 a35

• b00 b01 b02 b03 bo4 b05• b10 b11 b12 b13 b14 b15• a20 b21 b22 b23 b24 b25• b30 b31 b32 b33 b34 b35

Xc(x)

Add (EXOR) Round Key

• Add Round key is Bit wise “exclusive or” of the complete block with the round key.

• Simple operation

• Round key used only in this step.

Key Scheduler to get round keys

• Initial Round key addition

• Consider 128 bit block.

• Each round key 128 bits = 4 number of 32 bit words.

• Total key 32 bit words 44 = (Initial add round key+ 10 round keys)

• How to generate all round key words from 128 bit (4 word) basic key?

Rijndael Key schedule

• We need 44 numbers of 32 bit words W for Nk=4 i.e. 128 bit key.

• First four words are given key data itself• Temp= w(i-1)• W(i) = temp exor W(i-4) for all i except multiples

of 4• For i= multiples of 4, temp = subbyte (rotbyte

(temp)) exor Rcon(i/4) • Rot byte is one byte circular left shift of the word

• Rcon is a word with three Least significant bytes zero. Most significant byte is as per table.

j 1 2 3 4 5 6 7 8 9 10

RC(j) 01 02 04 08 10 20 40 80 1B 36

Key Generation method

• Continue to get 44 words

K0 K4 K8 K12

K1 K5 K9 K13

K2 K6 K10 K14

K3 K7 K11 K15

W0 W1 W2 W3

W4 W5 W6 W7

g

S-BOX implementations

• ROM

• Logic Synthesis based

• Multiplexer based

• FOM (figure of Merit): Delay (access time), area, flexibility, insight

Logic Synthesis of S-BOX• S1 First row• 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7

• Analyze the Sequences of b3, b2, b1, b0• The logic functions assuming an input

from a counter counting from zero to 15 are as follows:

• b3 = A’C’D’+AB’C+BCD’+AB’C’D+ABC’D• b2=D’C’B’+D’C’BA’+D’CB’A+DC’B+DCB’A’+DCBA• b1=D’C’B’A’+D’CB’+D’CBA’+DC’B’+DC’BA’+DCBA• b0=D’C’B+D’CB’A+D’CBA’+DC’B’A’+DCB’+DCBA

b3b2b1b0

1110

0100

1101

0001

0010

1111

1011

1000

0011

1010

0110

1100

0101

1001

0000

0111

b3 = A’C’D’+AB’C+BCD’+AB’C’D+ABC’D

A

B

C

D

b3

S-BOX based on MultiplexerInput nibble

b0

b3

b2

b1

Hardwire all inputs of

Mux 16:1 to logic one and zero

as needed.

1010011101010100

1110010000111001

1000111011100001

0011011010001101

Delay is a 16:1 multiplexer delay

Area 4 16:1 Multiplexers

What you need to learn

• Basic algorithms• Implementation of primitives-efficiently• Implementation options• Combining steps• Efficient key schedule calculation• Agility to change new keys• Properties of S-box, evaluation• Evaluation of Block ciphers –other prmitives rotation,

modulo multiplication etc.• Design resistant to side-channel attacks• Software and hardware solutions

Authentication algorithms

Encryption and authentication

S D

K K

Conventional symmetric key based encryption


S D

U R

CONFIDENTIALITY

U stands for Public

R stands for Private


S D

R U

AUTHENTICATION


S D

R U R U

BOTH

Authentication

• Asymmetric systems( two keys-one public and another private are needed)

• Three types of authentication possible

AUTHENTICATION USING RSA

• RSA ( Rivest- Shamir- Adleman) inventors

• Two keys are used (public key and private key)

Authentication using RSA

• m = message

• Public Key = (e,n)

• Private Key = (d,n)

• Encryption c = me mod n

• Decryption m = cd mod n

Choice of n ,e,d

• Choose two large primes p and q.

• n = p.q

• Choose e such that e and (p-1).(q-1) are relatively prime.

• Calculate d so that ed = 1 mod((p-1).(q-1))

Example

• p = 47,q = 71

• (p-1).(q-1) = 46.70=3220

• choose e = 79

• then d = 1019.

• m=688 say

• c = 1570 and m = 688 after decryption

How to compute XY mod N

• X,Y and n are 1024 bit numbers typically.• Repeated squaring and conditional

multiplications• 1123 mod 37 = ( 1116.114.112.11 ) mod 37 • Basic operation is A.B mod N• XY mod N needs 2047 such operations at most

for 1024 bit numbers

How to compute A.B mod N

• Example: 13.15 mod 23

• We do not want to do in a straight forward manner .

• Write b = 13 in binary form : 1101

• Do repeatedly starting from msb: (2.Old + bi.A) mod 23


• Basic Algorithms• Primality testing• Choice of primes• Factorization problem• Kernel for Fast exponentiation mod M

(multibit recoding, Montgomery’s algorithm, Redundant Arithmetic, Attack resistant design, scalability to 2048 bits)

• Software/ hardware solutions

Digital signature algorithms

Authentication by digital signatures

MM

--------CK(M)

C

K

K

•

COMPARE

General Principle of Hashing

• F is a compression function

• Yi are successive blocks in the input

• If F is collision resistant, so is the Hash algorithm.

F

F

F

Y0 Y1YN-1

IV

SECURE HASH ALGORITHM

• Treats messages as 512 bit blocks• Four rounds of 20 operations each• Five Constants 32 bit A, B, C, D, E• Uses nonlinear operations involving AND,

OR, EXCLUSIVE-OR• Uses circular shifts• Generates a hash of 160 bits.

Improvement over MD5

SHA Hashing step

+ + +E

D

C

B

E

D

C

B

WtKt

AA

+

S5S30


• Fundamentals of Hash functions

• Hash algorithms MD5, SHA, RIPE MD etc

• HMAC (hash using key)

• Collision issues

• New Hash function design to avoid collision

• Hardware/software implementations

Conclusion

• Sensitivity to issues addressed such as side channel attacks, compact hardware, protection of IP, Power (Low)-area (Low)-time (fast) trade offs

• Fault Tolerant designs (self checking)• Self study modules with interactive

question/answer type facility will be useful• Testing/learning up to the desired level of

proficiency shall be gracefully constructed with increasing depth of information

Books and Journals

• Stinson, Bruce Schneier, Menezes et al, Simmons, Rhee, Stallings, Rueppel, Beker and Piper many more

• IEEE Security and Privacy, IEEE Journal on Selected Areas in Communications, IEEE Transactions on computers, IEEE Transactions on Information Theory, IEEE Journal of Solid-State circuits, IEE Journal of Computers and Digital Techniques, Electronics Letters, IEEE Computer, Springer Verlag Conference Proceedings of ASEACRYPT, INDOCRYPT, Fast Software Encryption and so on, Journal of Cryptology, Cryptologia

My e-mail

• [email protected]

• [email protected]

mailto:[email protected]

mailto:[email protected]