
  • 8/7/2019 pvam CDAC -Noida

1/71

Algorithms for cryptography - Education and learning perspective

P.V. Ananda Mohan, Fellow IEEE
ECIL, Bangalore
14th Dec 2007

2/71

Agenda

Introduction
E-learning requirements
Overview of Algorithms
Case studies of Encryption, Authentication and Message Digest algorithm implementations: what needs to be taught, at what level, for whom
Conclusion

3/71

Introduction

Implementations of Cryptosystems (figure: tree of options)

Software options: PC applications, Portable Devices, Mobile Phones, E-Commerce, ATMs etc.
Hardware options: ASIC, FPGA, DSP, Smart cards, I-Buttons, Key Guns, Key Loading Tools, Key Generation Systems

Algorithm Implementation

4/71 (figure-only slide; no text extracted)

5/71

Who wants to learn? (b) Advanced implementers

Tamper-proof design
Protection of IP or code
Error/malfunction detection
Side-channel attack resistance etc. Technological or architectural solutions needed
Extremely high speed of operation, for example IPSEC in gigabit routers
Low-power implementations desired
Agility regarding multiple algorithms and modes (e.g. DES, 3-DES, AES, Blowfish, IDEA; CBC mode, Counter mode, ECB mode, CFB, OFB)

6/71

Who wants to learn? (c) Researchers and cryptanalysts

Fast implementations
Secure protocols
Key search engines for brute-force attacks based on software and hardware
Attacks: differential and linear cryptanalysis, power attacks
New algorithms which are resistant to various types of attacks
Cryptanalysis of new algorithms of others and of old algorithms

7/71

Three related domains

Encryption
Hashing and Digital Signatures
Authentication

8/71

Case studies

One encryption algorithm based on a stream cipher
One encryption algorithm based on a block cipher
An RSA implementation
A hash algorithm

9/71 (figure-only slide; no text extracted)

10/71

3-STAGE LFSR

Primitive polynomial is x^3 + x^2 + 1
(figure: three-stage shift register driven by a clock, loaded with 1 0 1)
Key: non-zero initial conditions

11/71

3-stage LFSR

Successive states, starting from the seed (initial condition) 101:
101
010
001
100
110
111
011

period = 2^3 - 1 = 7 states
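The state sequence and the period claim on this slide, as an added Python example (not code from the slides): a Fibonacci LFSR simulator. The tap positions (register bits 2 and 0, written MSB first) are the ones that reproduce the slide's sequence; how they map onto the polynomial x^3 + x^2 + 1 depends on the indexing convention, which is an assumption made here. The reducible polynomial x^3 + 1 (a plain rotation of the register) is included as a contrast, and the all-zero seed shows why the slide insists on non-zero initial conditions.

```python
# Added example, not from the slides: a Fibonacci LFSR that reproduces the
# 3-stage state sequence 101 -> 010 -> ... and checks the period 2^3 - 1 = 7.
# The register is written (s2, s1, s0), MSB first, as on the slide.  The taps
# (0, 2), i.e. feedback = s2 XOR s0 shifted in at the left, are the ones that
# reproduce the slide; their mapping to x^3 + x^2 + 1 depends on the
# indexing convention, which is an assumption made here.

def lfsr_step(state, taps):
    """One clock. Returns (next_state, output_bit): the output is the bit that
    falls off the right end, the feedback is the XOR of the tapped bits."""
    feedback = 0
    for t in taps:
        feedback ^= state[t]
    return (feedback,) + state[:-1], state[-1]

def lfsr_states(seed, taps, n):
    """The first n register states as bit strings, starting with the seed."""
    state, out = tuple(seed), []
    for _ in range(n):
        out.append("".join(str(b) for b in state))
        state, _ = lfsr_step(state, taps)
    return out

def keystream(seed, taps, n):
    """The first n output bits (what a stream cipher would XOR with the data)."""
    state, bits = tuple(seed), []
    for _ in range(n):
        state, bit = lfsr_step(state, taps)
        bits.append(bit)
    return bits

def period(seed, taps):
    """Clocks until the register returns to the seed; None if it never does
    (cannot happen when the last stage is tapped, since the step is then a
    bijection on states).  The all-zero seed returns 1: it is stuck."""
    seed = tuple(seed)
    state, _ = lfsr_step(seed, taps)
    for count in range(1, 2 ** len(seed) + 1):
        if state == seed:
            return count
        state, _ = lfsr_step(state, taps)
    return None

def cycle_lengths(taps, n):
    """Set of periods over every non-zero seed of an n-stage register: a
    primitive polynomial gives the single value 2^n - 1, a non-primitive one
    splits the non-zero states into shorter cycles."""
    seeds = [tuple((v >> (n - 1 - i)) & 1 for i in range(n)) for v in range(1, 2 ** n)]
    return {period(s, taps) for s in seeds}

if __name__ == "__main__":
    for s in lfsr_states((1, 0, 1), (0, 2), 7):
        print(s)
    print("period:", period((1, 0, 1), (0, 2)))
    print("x^3+x^2+1 cycles:", cycle_lengths((0, 2), 3), " x^3+1 cycles:", cycle_lengths((2,), 3))
```

Running it prints the seven states in the slide's order; `cycle_lengths` returns {7} for the primitive taps and {1, 3} for x^3 + 1, which is the difference between a maximal-length sequence and a register that cycles early.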

12/71

GSM Authentication using signature and encryption in a nutshell

(figure: the network sends RAND (128 bits); each side computes SRES (32 bits) with A3 from Ki and RAND and the two values are compared (?); A8 derives Kc (64 bits) from Ki and RAND; A5, keyed with Kc and the frame number (Frame#), produces the encrypted traffic)

13/71

Example: A5 Algorithm of GSM

Clock-controlled shift registers
Fixed sparse primitive polynomials
Initial conditions are the key (64 bits)
(figure: LFSR 17, LFSR 19 and LFSR 23 combined through a LOGIC block)

14/71

What do you need to know

Primitive polynomial: definition
Testing for primitivity (software)
Implementation of LFSR in software and hardware
Combining LFSRs in many ways
Linear complexity evaluation (using the Berlekamp-Massey algorithm) and period
Possible attacks and immunity to them
Advanced systems (word-level LFSRs and their synthesis, NLFSRs)
Design of new schemes and evaluation
Study of known schemes like Bluetooth (E0), CAVE, A5 etc.
Interactive exercises

15/71

BLOCK CIPHERS

(figure: N-bit input block and K-bit key in, N-bit output block out)

16/71

SYMMETRIC KEY ENCRYPTION ALGORITHMS

Data Encryption Standard (DES)
Triple DES
International Data Encryption Algorithm (IDEA)
Blowfish
RIJNDAEL - the Advanced Encryption Standard
Other AES candidates

17/71

General Features/Specifications

Block length in bits
Key length in bits
Rounds
Operations in each round
Key schedule for all rounds
Round key generation
Decryption
Modes of operation
Any weak keys
Complexity / execution time benchmarks
Five modes of operation

18/71

ECB (Electronic Codebook) mode

(figure: DES block: 56-bit key, 64-bit input, 64-bit output)

19/71

Cipher Block Chaining mode

(figure: text block 1 is XORed with the IV (Initialization Vector) and encrypted with E; text block 2 and text block 3 are each XORed with the previous cipher text block before E; the outputs are the cipher text blocks)

20/71

CFB (CIPHER FEEDBACK MODE)

(figure: a 64-bit shift register holding (64-j) bits and j bits feeds DES encryption under the key; of the 64 output bits, j bits are XORed with j plain text bits to give j cipher text bits and the remaining 64-j bits are discarded; the j cipher text bits are shifted back into the register)

21/71

OFB (Output feedback) mode

(figure: as CFB, but the j output bits of E are fed back into the shift register (64-j bits | j bits) instead of the cipher text bits; plain text XOR output bits = cipher text)
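The four modes of slides 18-21, as an added Python example (not code from the slides). Because no real block cipher appears on these slides, the modes run over a constructed 64-bit toy block function that is merely an invertible keyed mixing step, not a secure cipher; the chaining wiring is what the code demonstrates. The key, IV and plaintext are constructed sample values, and `j` is restricted to multiples of 8 so the shift register can be handled as bytes. The last two functions show two properties a defender should know: a flipped cipher text bit in CBC garbles one block and flips exactly one bit of the next, and ECB reveals repeated plaintext blocks while CBC does not.

```python
# Added example, not from the slides: the ECB, CBC, j-bit CFB and j-bit OFB
# modes of slides 18-21 implemented over a CONSTRUCTED 64-bit toy block
# function, so that the chaining wiring (not the cipher) is what the code
# shows.  The toy cipher is an invertible keyed mixing step and is not secure;
# j must be a multiple of 8 so the shift register can be handled as bytes.
import os

MASK64 = (1 << 64) - 1
ODD = 0x9E3779B97F4A7C15              # odd, hence invertible modulo 2^64
ODD_INV = pow(ODD, -1, 1 << 64)        # Python 3.8+

def rotl64(x, r):
    return ((x << r) | (x >> (64 - r))) & MASK64

def encrypt_block(key, block):
    """Toy E: 8-byte block -> 8-byte block under a 64-bit integer key."""
    x = int.from_bytes(block, "big") ^ key
    return (rotl64((x * ODD) & MASK64, 13) ^ key).to_bytes(8, "big")

def decrypt_block(key, block):
    """Toy D: exact inverse of encrypt_block."""
    y = rotl64(int.from_bytes(block, "big") ^ key, 51)
    return (((y * ODD_INV) & MASK64) ^ key).to_bytes(8, "big")

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def fresh_iv():
    """A real IV must be unpredictable and never reused under one key."""
    return os.urandom(8)

def ecb_encrypt(key, pt):
    """Slide 18: each 64-bit block is encrypted independently."""
    return b"".join(encrypt_block(key, pt[i:i + 8]) for i in range(0, len(pt), 8))

def cbc_encrypt(key, iv, pt):
    """Slide 19: block i is XORed with cipher block i-1 (the IV for block 0) before E."""
    prev, out = iv, b""
    for i in range(0, len(pt), 8):
        prev = encrypt_block(key, xor(pt[i:i + 8], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    prev, out = iv, b""
    for i in range(0, len(ct), 8):
        c = ct[i:i + 8]
        out += xor(decrypt_block(key, c), prev)
        prev = c
    return out

def cfb_encrypt(key, iv, pt, j=8):
    """Slide 20: E(shift register) -> keep the leftmost j bits, discard 64-j,
    XOR with j plain text bits; the j cipher text bits shift into the register."""
    n, reg, out = j // 8, iv, b""
    for i in range(0, len(pt), n):
        c = xor(pt[i:i + n], encrypt_block(key, reg)[:n])
        out += c
        reg = reg[n:] + c
    return out

def cfb_decrypt(key, iv, ct, j=8):
    n, reg, out = j // 8, iv, b""
    for i in range(0, len(ct), n):
        c = ct[i:i + n]
        out += xor(c, encrypt_block(key, reg)[:n])
        reg = reg[n:] + c
    return out

def ofb_crypt(key, iv, data, j=8):
    """Slide 21: as CFB, but the j output bits of E are fed back instead of the
    cipher text, so the key stream is data-independent and one function both
    encrypts and decrypts."""
    n, reg, out = j // 8, iv, b""
    for i in range(0, len(data), n):
        stream = encrypt_block(key, reg)[:n]
        out += xor(data[i:i + n], stream)
        reg = reg[n:] + stream
    return out

def cbc_bitflip_effect(key, iv, pt):
    """Flip one bit of cipher block 0 and decrypt: block 0 is garbled, block 1
    has exactly that one bit flipped, later blocks are untouched.  Returns
    (block0_changed, bits_changed_in_block1, rest_unchanged)."""
    ct = bytearray(cbc_encrypt(key, iv, pt))
    ct[3] ^= 0x10
    dec = cbc_decrypt(key, iv, bytes(ct))
    diff1 = int.from_bytes(xor(dec[8:16], pt[8:16]), "big")
    return dec[:8] != pt[:8], bin(diff1).count("1"), dec[16:] == pt[16:]

def ecb_leaks_repeats(key, iv, pt):
    """Equal plain text blocks give equal ECB cipher blocks but different CBC ones."""
    ecb, cbc = ecb_encrypt(key, pt), cbc_encrypt(key, iv, pt)
    return ecb[:8] == ecb[8:16], cbc[:8] == cbc[8:16]

# Constructed sample inputs (not real keys); a deployment would use fresh_iv().
KEY = 0x0123456789ABCDEF
IV = bytes(range(8))
PT = b"eight by eight by eight."   # 24 bytes = three 64-bit blocks
```

CFB and OFB with j = 8 need no padding, which is why the slides draw them with a j-bit path; CBC here assumes the plaintext is already a whole number of blocks, as the slide's figure does.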

22/71

Basic Primitives in Block Ciphers

Bit-by-bit exclusive OR
Modulo 2^16 or 2^32 additions (use fast adders)
Arbitrary rotations (left or right by any number of bits)
Permutations
S-Boxes
Modulo multiplication (X.Y) mod N
Exponentiation X^Y mod N
Multiplicative inverses (1/X) mod N
Galois field operations (multiplication, inversion, word-based LFSRs)

23/71

Typical Architecture: Software, ASIC or FPGA

(figure: the actual key is held in a key register and fed to the key scheduler, which produces the round keys; the input block passes through a multiplexer and latch into round processors 1, 2, ..., k-1, k (implemented individually, as a few, or as one processor reused) to give the output block; mode control and clock are shared)

24/71

Rijndael (AES)

Variable block length (128, 192, 256 bits)
Variable key length (128, 192 or 256 bits)
Block cipher: data and key arranged as rows and columns
Byte-level design
Suitable for DSP- or microprocessor-based or ASIC implementation

25/71

Rijndael

Four rows
Nb columns: Nb = block length / 32
Nk columns: Nk = key length / 32
Number of rounds dependent on Nb and Nk:

Nk \ Nb    4    6    8
4         10   12   14
6         12   12   14
8         14   14   14

26/71

Rijndael

Rounds shown in table; +1 needed
Each round consists of four operations:
1) Byte substitution
2) Shift row
3) Mix column
4) Add round key (modulo 2, bit by bit)
Some steps can be combined.

27/71 (figure-only slide; no text extracted)

28/71

Byte Sub: Step 1

a00 a01 a02 a03 a04 a05
a10 a11 a12 a13 a14 a15
a20 a21 a22 a23 a24 a25
a30 a31 a32 a33 a34 a35

First write the data vertically.
Substitute for each byte from the Rijndael S-Box to get a new block: simple step.

29/71

Rijndael Shift row: Step 2

First row: no shift
Second row: one-byte left circular shift
Third row: two-byte left circular shift
Fourth row: three-byte left circular shift

Original (bytes numbered column-wise):
1 5 9 13
2 6 10 14
3 7 11 15
4 8 12 16

The result is the permutation
1 6 11 16 5 10 15 4 9 14 3 8 13 2 7 12

30/71

Mix Column

The mix column transformation avoids a big 32-bit input, 32-bit output S-Box.
All bytes are treated as polynomials.
Example: the byte b7b6b5b4b3b2b1b0 is the polynomial
b7x^7 + b6x^6 + b5x^5 + b4x^4 + b3x^3 + b2x^2 + b1x + b0
Columns are considered as polynomials over GF(2^8).
The irreducible 8th-degree polynomial used is x^8 + x^4 + x^3 + x + 1.

31/71

MIX Column

b(x) = [c(x).a(x)] mod (x^4 + 1)
c(x) = 03.x^3 + 01.x^2 + 01.x + 02
We thus obtain all new columns corresponding to a(x).

32/71

Example

d(x) = [a(x).b(x)] mod (x^4 + 1)
a(x) = a3.x^3 + a2.x^2 + a1.x + a0
b(x) = b3.x^3 + b2.x^2 + b1.x + b0
Before reduction, d(x) = c6x^6 + c5x^5 + c4x^4 + c3x^3 + c2x^2 + c1x + c0, where
c0 = a0b0
c1 = a1b0 + a0b1
c2 = a2b0 + a1b1 + a0b2
c3 = a3b0 + a2b1 + a1b2 + a0b3
c4 = a3b1 + a2b2 + a1b3
c5 = a3b2 + a2b3
c6 = a3b3
All + are exclusive OR.
But x^4 = 1, x^5 = x, x^6 = x^2 mod (x^4 + 1), so:

33/71

c0 = a0b0 + a3b1 + a2b2 + a1b3
c1 = a1b0 + a0b1 + a3b2 + a2b3
c2 = a2b0 + a1b1 + a0b2 + a3b3
c3 = a3b0 + a2b1 + a1b2 + a0b3

Each product above is a multiplication in GF(2^8).
Fortunately, all the bi are simple: 02H, 03H, 01H or 01H.

34/71

Rijndael Mix Column: Step 3

a00 a01 a02 a03 a04 a05
a10 a11 a12 a13 a14 a15
a20 a21 a22 a23 a24 a25
a30 a31 a32 a33 a34 a35

multiplied column-wise by c(x) gives

b00 b01 b02 b03 b04 b05
b10 b11 b12 b13 b14 b15
b20 b21 b22 b23 b24 b25
b30 b31 b32 b33 b34 b35

35/71

Add (EXOR) Round Key

Add Round Key is the bit-wise exclusive OR of the complete block with the round key.
Simple operation. The round key is used only in this step.

36/71

Key Scheduler to get round keys

Initial round key addition.
Consider a 128-bit block.
Each round key is 128 bits = 4 32-bit words.
Total key words (32-bit): 44 = initial add round key + 10 round keys.
How to generate all round key words from the 128-bit (4-word) basic key?

37/71

Rijndael Key schedule

We need 44 32-bit words W for Nk = 4, i.e. a 128-bit key.
The first four words are the given key data itself.
temp = W(i-1)
W(i) = temp EXOR W(i-4) for all i except multiples of 4
For i = multiples of 4: temp = SubByte(RotByte(temp)) EXOR Rcon(i/4)
RotByte is a one-byte circular left shift of the word.

38/71

Rcon is a word with the three least significant bytes zero. The most significant byte is as per the table:

j      1   2   3   4   5   6   7   8   9   10
RC(j)  01  02  04  08  10  20  40  80  1B  36

39/71

Key Generation method

(figure: the 16 key bytes written column-wise,
K0 K4 K8  K12
K1 K5 K9  K13
K2 K6 K10 K14
K3 K7 K11 K15
form W0 W1 W2 W3; the function g of slide 37 applied to W3 yields W4, and W4 W5 W6 W7 follow; continue to get 44 words)
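The Rijndael pieces of slides 29-39, as one added Python example (not code from the slides or from the AES reference implementation): shift row on the slide's 1..16 layout, mix column written exactly as the slide-32/33 derivation (form c0..c6 over GF(2^8) with the slide's modulus, then fold x^4 = 1, x^5 = x, x^6 = x^2), the S-box generated as GF(2^8) inverse plus affine map, and the Nk = 4 key schedule with the slide-38 Rcon table. The check values (gf_mul(57, 83)=c1, the mix of column d4 bf 5d 30, the A.1 key expansion) and the inverse polynomial 0B x^3 + 0D x^2 + 09 x + 0E come from FIPS-197, not from the slides.

```python
# Added example, not from the slides: the Rijndael pieces of slides 29-39 for
# the 128-bit block, Nk = 4 case, checked against worked values in FIPS-197.
# GF(2^8) arithmetic uses the slide's modulus x^8 + x^4 + x^3 + x + 1, and
# mix_column follows the slide's derivation literally: form the seven product
# coefficients c0..c6, then fold with x^4 = 1, x^5 = x, x^6 = x^2.

MODULUS = 0x11B    # x^8 + x^4 + x^3 + x + 1

def gf_mul(a, b):
    """Multiply two bytes as polynomials over GF(2), reducing by MODULUS."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= MODULUS
        b >>= 1
    return r & 0xFF

def gf_inv(a):
    """Multiplicative inverse as a^254 (a^255 = 1 for a != 0); inv(0) := 0."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r

def sbox_byte(a):
    """Rijndael S-box entry: GF(2^8) inverse, then the affine map of FIPS-197."""
    b, s = gf_inv(a), 0x63
    for i in range(5):
        s ^= ((b << i) | (b >> (8 - i))) & 0xFF
    return s

SBOX = [sbox_byte(i) for i in range(256)]

def shift_rows(state):
    """Slide 29. state: 16 bytes written column-wise (the slide's 1..16 layout);
    row r is rotated left by r bytes and the result is read back column-wise."""
    rows = [[state[4 * c + r] for c in range(4)] for r in range(4)]
    rows = [row[r:] + row[:r] for r, row in enumerate(rows)]
    return [rows[r][c] for c in range(4) for r in range(4)]

def poly_mul_mod_x4_plus_1(a, b):
    """Slides 32-33: d(x) = a(x).b(x) mod (x^4 + 1), coefficients low degree
    first, every '+' an XOR and every product a gf_mul."""
    c = [0] * 7
    for i in range(4):
        for j in range(4):
            c[i + j] ^= gf_mul(a[i], b[j])
    return [c[0] ^ c[4], c[1] ^ c[5], c[2] ^ c[6], c[3]]

C_X = [0x02, 0x01, 0x01, 0x03]      # c(x) = 03 x^3 + 01 x^2 + 01 x + 02 (slide 31)
C_X_INV = [0x0E, 0x09, 0x0D, 0x0B]  # its inverse mod x^4 + 1, from FIPS-197 (not on the slides)

def mix_column(col):
    return poly_mul_mod_x4_plus_1(col, C_X)

def inv_mix_column(col):
    return poly_mul_mod_x4_plus_1(col, C_X_INV)

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]   # slide 38

def key_expansion(key):
    """Slide 37: 44 four-byte words for a 16-byte key (Nk = 4)."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]   # first four words: the key
    for i in range(4, 44):
        temp = list(w[i - 1])
        if i % 4 == 0:
            temp = temp[1:] + temp[:1]                 # RotByte: one-byte left rotate
            temp = [SBOX[x] for x in temp]             # SubByte
            temp[0] ^= RCON[i // 4 - 1]                # Rcon(i/4) in the MS byte
        w.append([t ^ p for t, p in zip(temp, w[i - 4])])
    return w

def word_hex(word):
    return "".join(f"{x:02x}" for x in word)

if __name__ == "__main__":
    print(shift_rows(list(range(1, 17))))
    print([f"{x:02x}" for x in mix_column([0xD4, 0xBF, 0x5D, 0x30])])
    w = key_expansion(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"))  # FIPS-197 A.1 key
    print(word_hex(w[4]), word_hex(w[43]))
```

Because `mix_column` multiplies the state column by c(x) through the general degree-3 product and fold, swapping in `C_X_INV` gives the inverse transform with no further code, which is the point of slide 31's polynomial view.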

40/71 (figure-only slide; no text extracted)

41/71 (figure-only slide; no text extracted)

42/71 (figure-only slide; no text extracted)

43/71 (figure-only slide; no text extracted)

44/71 (figure-only slide; no text extracted)

45/71

S-BOX implementations

ROM
Logic synthesis based
Multiplexer based
FOM (figure of merit): delay (access time), area, flexibility, insight

46/71

Logic Synthesis of S-BOX S1, first row

14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7

Analyze the sequences of b3, b2, b1, b0.
The logic functions, assuming an input from a counter counting from zero to 15, are as follows (the overbars marking complemented inputs were lost in extraction):
b3 = ACD+ABC+BCD+ABCD+ABCD
b2 = DCB+DCBA+DCBA+DCB+DCBA+DCBA
b1 = DCBA+DCB+DCBA+DCB+DCBA+DCBA
b0 = DCB+DCBA+DCBA+DCBA+DCB+DCBA

b3b2b1b0 for inputs 0 to 15:
1110
0100
1101
0001
0010
1111
1011
1000
0011
1010
0110
1100
0101
1001
0000
0111

47/71

S-BOX based on Multiplexer (figure-only slide)

48/71

S-BOX based on Multiplexer

The input nibble b3 b2 b1 b0 drives the select lines.
Hardwire all inputs of each 16:1 mux to logic one and zero as needed:
b3: 1010011101010100
b2: 1110010000111001
b1: 1000111011100001
b0: 0011011010001101
Delay is one 16:1 multiplexer delay.
Area: four 16:1 multiplexers.
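The two S-box realisations of slides 46-48, as an added Python example (not code from the slides): starting from the S1 first-row entries it derives the per-bit columns of the slide-46 table, which are exactly the constants hard-wired to the mux inputs on slide 48, lists the minterms from which a minimiser would produce the slide's equations, and models the four-mux lookup. Naming the counter bits A B C D with A as the MSB is an assumption; the slide's minimised equations are not reproduced because their complement bars did not survive extraction.

```python
# Added example, not from the slides: derive the slide-46 bit columns and the
# slide-48 multiplexer hard-wiring from the DES S1 first-row entries, list the
# minterms that are the starting point for logic synthesis, and model the
# four-16:1-mux S-box.  The variable naming A B C D for the counter bits,
# A being the MSB, is an assumption; the slide's minimised equations lost their
# complement bars in extraction and are not reproduced.

S1_ROW0 = [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7]

def output_bit_columns(sbox_row):
    """For each output bit b3..b0, its value as the input counts 0..15.
    These strings are exactly the constants hard-wired to the mux inputs."""
    return {f"b{k}": "".join(str((v >> k) & 1) for v in sbox_row) for k in (3, 2, 1, 0)}

def truth_table(sbox_row):
    """Rows (input ABCD, output b3b2b1b0): the slide-46 table with its inputs."""
    return [(f"{i:04b}", f"{v:04b}") for i, v in enumerate(sbox_row)]

def minterms(sbox_row, k):
    """Inputs for which output bit k is 1: the canonical sum-of-products terms."""
    return [i for i, v in enumerate(sbox_row) if (v >> k) & 1]

def sop_expression(sbox_row, k):
    """Unminimised sum of products for bit k; A is the counter MSB (assumed),
    a trailing ' marks a complemented input.  A minimiser (Karnaugh map or
    Quine-McCluskey) reduces this to the kind of equation the slide shows."""
    terms = []
    for m in minterms(sbox_row, k):
        terms.append("".join(v + ("" if (m >> (3 - i)) & 1 else "'")
                             for i, v in enumerate("ABCD")))
    return " + ".join(terms)

def mux16(hardwired, select):
    """A 16:1 multiplexer whose data inputs are the constant bits in `hardwired`."""
    return int(hardwired[select])

def mux_sbox(sbox_row):
    """Slide 48: four 16:1 muxes in parallel, one per output bit, selected by the
    input nibble; delay is one mux delay, area four muxes."""
    wires = output_bit_columns(sbox_row)
    return lambda nibble: sum(mux16(wires[f"b{k}"], nibble) << k for k in (3, 2, 1, 0))

def literal_count(sbox_row, k):
    """Size of the unminimised SOP (4 literals per minterm): a crude figure of
    merit for the logic-synthesis option before minimisation."""
    return 4 * len(minterms(sbox_row, k))

if __name__ == "__main__":
    for name, bits in output_bit_columns(S1_ROW0).items():
        print(name, bits)
    print("b3 =", sop_expression(S1_ROW0, 3))
    lookup = mux_sbox(S1_ROW0)
    print([lookup(i) for i in range(16)])
```

The same `output_bit_columns` result serves both options: read row-wise it is the ROM contents, read per output bit it is the mux wiring, which is the trade-off the slide's figure of merit (delay, area, flexibility, insight) is about.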

49/71

What you need to learn

Basic algorithms
Implementation of primitives, efficiently
Implementation options
Combining steps
Efficient key schedule calculation
Agility to change to new keys
Properties of S-boxes, evaluation
Evaluation of block ciphers; other primitives: rotation, modulo multiplication etc.
Design resistant to side-channel attacks
Software and hardware solutions

50/71

Authentication algorithms

51/71

Encryption and authentication

(figure: sender S and destination D share the same key K: conventional symmetric-key-based encryption)

52/71

Encryption and authentication

(figure: S uses key U, D uses key R: CONFIDENTIALITY)
U stands for Public
R stands for Private

53/71

Encryption and authentication

(figure: S uses key R, D uses key U: AUTHENTICATION)

54/71

Encryption and authentication

(figure: both R and U are used at S and at D: BOTH)

55/71

Authentication

Asymmetric systems (two keys, one public and another private, are needed)
Three types of authentication possible

56/71

AUTHENTICATION USING RSA

RSA (Rivest-Shamir-Adleman, the inventors)
Two keys are used (public key and private key)

57/71

Authentication using RSA

m = message
Public Key = (e, n)
Private Key = (d, n)
Encryption: c = m^e mod n
Decryption: m = c^d mod n

58/71

Choice of n, e, d

Choose two large primes p and q.
n = p.q
Choose e such that e and (p-1).(q-1) are relatively prime.
Calculate d so that e.d = 1 mod ((p-1).(q-1)).

59/71

Example

p = 47, q = 71
(p-1).(q-1) = 46.70 = 3220
Choose e = 79; then d = 1019.
m = 688, say
c = 1570, and m = 688 after decryption

60/71

How to compute X^Y mod N

X, Y and N are typically 1024-bit numbers.
Repeated squaring and conditional multiplications:
11^23 mod 37 = (11^16 . 11^4 . 11^2 . 11) mod 37
The basic operation is A.B mod N.
X^Y mod N needs at most 2047 such operations for 1024-bit numbers.

61/71

How to compute A.B mod N

Example: 13.15 mod 23
We do not want to do it in a straightforward manner.
Write b = 13 in binary form: 1101
Do repeatedly, starting from the MSB: (2.Old + b_i.A) mod 23
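Slides 57-61 as one added Python example (not code from the slides): textbook RSA on the slide's own numbers (p = 47, q = 71, e = 79), with the exponentiation of slide 60 built only from the shift-and-add modular multiplication of slide 61, both scanning their bits from the MSB as described. The sign/verify pair mirrors slide 53 (private key at the sender, public key at the receiver). The example also counts the A.B mod N operations, which for 11^23 comes to 4 squarings plus 3 conditional multiplications. Raw integers with no padding are used because that is what the slides show; deployed RSA wraps the message with OAEP (encryption) or PSS (signatures), and the `egcd`/`modinv` helpers are added here for computing d.

```python
# Added example, not from the slides: textbook RSA exactly as on slides 57-59,
# run on the slide's own numbers, with the exponentiation kernel of slide 60
# built on the shift-and-add modular multiplication of slide 61 (both scan
# their bits from the MSB, as the slides describe).  The signing/verification
# pair mirrors slide 53.  Raw integers with no padding are used because that
# is what the slides show; deployed RSA wraps messages with OAEP or PSS.

def modmul(a, b, n):
    """Slide 61: A.B mod N without a wide product: for each bit of B from the
    MSB, old = (2*old + b_i*A) mod N.  With A < N the intermediate stays below 3N."""
    old = 0
    for bit in bin(b)[2:]:
        old = (2 * old + (a if bit == "1" else 0)) % n
    return old

def modexp(x, y, n):
    """Slide 60: X^Y mod N by repeated squaring and conditional multiplication,
    MSB first, using only modmul.  Returns (result, count of A.B mod N ops)."""
    if y == 0:
        return 1 % n, 0
    bits = bin(y)[2:]
    result, ops = x % n, 0
    for bit in bits[1:]:
        result, ops = modmul(result, result, n), ops + 1     # square
        if bit == "1":
            result, ops = modmul(result, x, n), ops + 1      # conditional multiply
    return result, ops

def egcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t

def modinv(e, phi):
    """d with e*d = 1 mod phi; raises if e and phi are not relatively prime."""
    g, s, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e and (p-1)(q-1) are not relatively prime")
    return s % phi

def rsa_keygen(p, q, e):
    """Slide 58: n = p.q, e coprime to (p-1)(q-1), d = e^-1 mod (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (modinv(e, phi), n)          # public (e, n), private (d, n)

def rsa_encrypt(public, m):
    e, n = public
    return modexp(m, e, n)[0]                    # c = m^e mod n

def rsa_decrypt(private, c):
    d, n = private
    return modexp(c, d, n)[0]                    # m = c^d mod n

def rsa_sign(private, m):
    """Slide 53: the sender applies its private key."""
    return rsa_decrypt(private, m)

def rsa_verify(public, m, signature):
    """The receiver applies the sender's public key and compares with m."""
    return rsa_encrypt(public, signature) == m

if __name__ == "__main__":
    public, private = rsa_keygen(47, 71, 79)     # slide 59: d comes out as 1019
    c = rsa_encrypt(public, 688)
    print(public, private, c, rsa_decrypt(private, c))
    print(modmul(15, 13, 23), modexp(11, 23, 37))
```

The operation count returned by `modexp` is what the slide's "at most 2047 operations for 1024-bit numbers" refers to: one squaring per exponent bit after the leading one, plus one multiplication per set bit.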

62/71

What you need to learn

Basic algorithms
Primality testing
Choice of primes
Factorization problem
Kernel for fast exponentiation mod M (multi-bit recoding, Montgomery's algorithm, redundant arithmetic, attack-resistant design, scalability to 2048 bits)
Software/hardware solutions

63/71

Digital signature algorithms

64/71

Authentication by digital signatures

(figure: the sender computes C_K(M) with key K and transmits M together with C_K(M); the receiver recomputes C_K(M) from the received M with K and COMPAREs the two)

65/71

General Principle of Hashing

F is a compression function; Y_i are the successive blocks of the input.
If F is collision resistant, so is the hash algorithm.
(figure: IV -> F(Y0) -> F(Y1) -> ... -> F(Y_N-1), each F taking the previous output as its chaining input)

66/71

SECURE HASH ALGORITHM

Treats messages as 512-bit blocks
Four rounds of 20 operations each
Five 32-bit constants A, B, C, D, E
Uses nonlinear operations involving AND, OR, EXCLUSIVE-OR
Uses circular shifts
Generates a hash of 160 bits. Improvement over MD5

67/71

SHA Hashing step

(figure: registers A, B, C, D, E; the new A is the modular sum (+) of S^5(A), the nonlinear function of B, C, D, E, W_t and K_t; the old A becomes B, B becomes C after S^30, C becomes D and D becomes E)
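Slides 65-68 as one added Python example (not code from the slides or from any library): SHA-1 written out from the description given here, i.e. Merkle-Damgard chaining of a compression function over 512-bit blocks, four rounds of 20 steps on five 32-bit registers with the AND/OR/XOR functions and the S^5 and S^30 circular shifts, followed by HMAC (slide 68's "hash using key") built on top of it. The constants are the standard SHA-1 ones and the results are cross-checked against the standard library; the demo key is a constructed value. SHA-1 is used because it is the teaching object of these slides; public collisions for it have existed since 2017, so new designs use SHA-2 or SHA-3.

```python
# Added example, not from the slides: SHA-1 written out from slides 65-67
# (Merkle-Damgard chaining of a compression function F over 512-bit blocks,
# four rounds of 20 steps, five 32-bit registers A..E, AND/OR/XOR nonlinear
# functions, S^5 and S^30 circular shifts, 160-bit output) plus the HMAC of
# slide 68 built on it.  Results are cross-checked against hashlib and hmac.
import hashlib, hmac, struct

MASK = 0xFFFFFFFF
IV = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]

def rotl(x, n):
    """Circular left shift of a 32-bit word (the slide's S^n)."""
    return ((x << n) | (x >> (32 - n))) & MASK

def compress(h, block):
    """The compression function F of slide 65: chaining value h and one
    64-byte block Y_i -> new chaining value."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):                      # message schedule W_t
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = h
    for t in range(80):                          # four rounds of 20 operations
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        # slide 67: new A = S^5(A) + f(B,C,D) + E + W_t + K_t (mod 2^32);
        # A -> B, S^30(B) -> C, C -> D, D -> E
        temp = (rotl(a, 5) + (f & MASK) + e + k + w[t]) & MASK
        a, b, c, d, e = temp, a, rotl(b, 30), c, d
    return [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e))]

def pad(msg):
    """Merkle-Damgard strengthening: 0x80, zeros to 56 mod 64, 64-bit bit length."""
    return msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", 8 * len(msg))

def sha1_digest(msg):
    h = list(IV)
    data = pad(msg)
    for i in range(0, len(data), 64):            # Y_0, Y_1, ..., Y_{N-1}
        h = compress(h, data[i:i + 64])
    return b"".join(struct.pack(">I", x) for x in h)

def sha1_hex(msg):
    return sha1_digest(msg).hex()

def hmac_sha1(key, msg):
    """Slide 68 'hash using key': H((K ^ opad) || H((K ^ ipad) || m)), 64-byte block."""
    if len(key) > 64:
        key = sha1_digest(key)
    key = key.ljust(64, b"\x00")
    inner = sha1_digest(bytes(k ^ 0x36 for k in key) + msg)
    return sha1_digest(bytes(k ^ 0x5C for k in key) + inner)

def matches_library(msg, key=b"constructed demo key"):
    """Cross-check both functions against the standard library for one message."""
    return (sha1_digest(msg) == hashlib.sha1(msg).digest()
            and hmac_sha1(key, msg) == hmac.new(key, msg, hashlib.sha1).digest())

if __name__ == "__main__":
    print(sha1_hex(b"abc"))
    print(hmac_sha1(b"constructed demo key", b"abc").hex())
```

The message lengths worth trying are those around the 55/56-byte padding boundary and above 64 bytes, since they exercise the length field and the multi-block chaining that slide 65 describes.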

68/71

What you need to learn

Fundamentals of hash functions
Hash algorithms MD5, SHA, RIPEMD etc.
HMAC (hash using key)
Collision issues
New hash function design to avoid collisions
Hardware/software implementations

69/71

Conclusion

Sensitivity to issues addressed such as side-channel attacks, compact hardware, protection of IP, and power (low) - area (low) - time (fast) trade-offs
Fault-tolerant designs (self-checking)
Self-study modules with an interactive question/answer type facility will be useful
Testing/learning up to the desired level of proficiency shall be gracefully constructed with increasing depth of information

70/71 (figure-only slide; no text extracted)

71/71

My e-mail

[email protected]
[email protected]