pvam CDAC -Noida
Transcript of pvam CDAC -Noida
8/7/2019 pvam CDAC -Noida
1/71
Algorithms for cryptography: Education and learning perspective
P.V. Ananda Mohan, Fellow IEEE
ECIL, Bangalore
14th Dec 2007
Agenda
Introduction
E-learning requirements
Overview of Algorithms
Case studies of Encryption, Authentication and message digest Algorithm implementations: what needs to be taught, at what level, for whom
Conclusion
Introduction
Implementations of Cryptosystems (figure: implementation options)
Hardware options: ASIC, FPGA, DSP, Smart cards, I-Buttons, Key Guns / Key Loading Tools, Key Generation Systems
Software options: PC applications, Portable Devices, Mobile Phones, E-Commerce, ATMs etc.
Algorithm Implementation
Who wants to learn? (b) Advanced implementers
Tamper proof design
Protection of IP or code
Error/malfunction detection
Side-channel attack resistance etc.: technological solutions or architectural solutions needed
Extremely high speed of operation, for example IPSEC in gigabit routers
Low-power implementations desired
Agility regarding multiple algorithms and modes (e.g. DES, 3-DES, AES, Blowfish, IDEA; CBC mode, Counter mode, ECB mode, CFB, OFB)
Who wants to learn? (c) Researchers and cryptanalysts
Fast implementations
Secure protocols
Key search engines for brute force attacks, based on software and hardware
Attacks: differential and linear cryptanalysis, power attacks
New algorithms which are resistant to various types of attacks
Cryptanalysis of new algorithms of others and of old algorithms
Three related domains
Encryption
Hashing and Digital Signatures
Authentication
Case studies
One encryption algorithm based on a stream cipher
One encryption algorithm based on a block cipher
An RSA implementation
A hash algorithm
3-stage LFSR (figure: three clocked stages with feedback)
Primitive polynomial is x^3 + x^2 + 1
Key: non-zero initial conditions (shown as 1 0 1)
3-stage LFSR
State sequence starting from the seed (initial condition) 101:
101 -> 010 -> 001 -> 100 -> 110 -> 111 -> 011 -> (back to 101)
period = 2^3 - 1 = 7 states
GSM authentication using signature and encryption in a nutshell (figure)
Network side and handset side both hold the subscriber key Ki and run A3, A8 and A5.
RAND (128 bits) is sent to the handset.
A3(Ki, RAND) gives SRES (32 bits); the handset returns it and the network compares (the "?" in the figure).
A8(Ki, RAND) gives the session key Kc (64 bits) on both sides.
A5(Kc, Frame#) produces the keystream for the encrypted traffic, frame by frame.
Example: A5 algorithm of GSM (figure: three clock-controlled LFSRs, LFSR 17, LFSR 19 and LFSR 23, combined by LOGIC)
Clock controlled shift registers
Fixed sparse primitive polynomials
Initial condition is the key (64 bits)
What do you need to know
Primitive polynomial: definition
Testing for primitivity (software)
Implementation of LFSR in software and hardware
Combining LFSRs in many ways
Linear complexity evaluation (using the Berlekamp-Massey algorithm) and period
Possible attacks and immunity
Advanced systems (word level LFSRs, synthesis, NLFSRs)
Design of new schemes and evaluation
Study of known schemes like Bluetooth (E0), CAVE, A5 etc.
Interactive exercises
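The following is an added example, not code from the slides: a software LFSR that reproduces the 3-stage state sequence of the x^3 + x^2 + 1 example, a period-based primitivity test for the "testing for primitivity" item, and the Berlekamp-Massey algorithm for the "linear complexity" item. The polynomial encoding (bit i of an int is the coefficient of x^i) and the shift-right register layout are conventions chosen for this example.

```python
# Added example (not from the slides): a Fibonacci LFSR over GF(2), a period
# based primitivity test and the Berlekamp-Massey algorithm for linear complexity.
# Convention: poly is an int whose bit i is the coefficient of x^i, so
# x^3 + x^2 + 1 = 0b1101; the register shifts right and feedback enters as msb.

def lfsr_step(state, poly, n):
    """One clock of an n-stage LFSR. Feedback = XOR of the state bits selected
    by the tap mask (poly without its x^n term). For x^3 + x^2 + 1 that is
    bit2 XOR bit0, which reproduces the slide's sequence 101, 010, 001, ..."""
    taps = poly & ((1 << n) - 1)
    feedback = bin(state & taps).count("1") & 1
    return (feedback << (n - 1)) | (state >> 1)


def lfsr_cycle(poly, n, seed):
    """States visited from seed until it recurs. poly must have the constant
    term, otherwise the state map is not a bijection and seed may never recur."""
    assert poly & 1, "feedback polynomial needs the x^0 term"
    states = [seed]
    s = lfsr_step(seed, poly, n)
    while s != seed:
        states.append(s)
        s = lfsr_step(s, poly, n)
    return states


def lfsr_output(poly, n, seed, length):
    """Keystream bits: the lsb of each successive state."""
    bits, s = [], seed
    for _ in range(length):
        bits.append(s & 1)
        s = lfsr_step(s, poly, n)
    return bits


def is_primitive(poly, n):
    """A degree-n polynomial is primitive iff one non-zero seed visits all
    2^n - 1 non-zero states, i.e. the LFSR has maximal period."""
    return poly >> n == 1 and len(lfsr_cycle(poly, n, 1)) == (1 << n) - 1


def berlekamp_massey(bits):
    """Linear complexity L of a GF(2) sequence: the length of the shortest LFSR
    that generates it. 2L consecutive output bits suffice to reconstruct that
    LFSR, so L (not the period) is the figure to evaluate for a keystream."""
    n = len(bits)
    c, b = [0] * n, [0] * n          # current and previous connection polynomials
    c[0] = b[0] = 1
    L, m = 0, -1                     # m: index of the last length change
    for i in range(n):
        d = bits[i]                  # discrepancy between prediction and bit i
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:
            t = c[:]
            for j in range(n - i + m):           # c(x) += x^(i-m) * b(x)
                c[j + i - m] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L
```

Over the slide's own sequence, `lfsr_cycle(0b1101, 3, 0b101)` lists the seven states in the order shown, and Berlekamp-Massey on 14 output bits returns 3, confirming that no shorter register generates the stream.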
BLOCK CIPHERS (figure: N bit input block and K bit key give an N bit output block)
SYMMETRIC KEY ENCRYPTION ALGORITHMS
Data Encryption Standard (DES)
Triple DES
International Data Encryption Algorithm (IDEA)
Blowfish
RIJNDAEL, the Advanced Encryption Standard
Other AES candidates
General Features/Specifications
Block length in bits
Key length in bits
Rounds
Operations in each round
Key schedule for all rounds (round key generation)
Decryption
Modes of operation (five modes)
Any weak keys
Complexity / execution time benchmarks
ECB (Electronic codebook) mode (figure: DES with 56 bit key, 64 bit input, 64 bit output)
Cipher Block Chaining mode (figure)
Text block 1 is XORed with the IV (Initialization Vector) before encryption E; each later text block is XORed with the previous cipher text block before E.
Output: cipher text blocks
CFB (CIPHER FEEDBACK) mode (figure)
A 64 bit shift register is fed to DES encryption under the key; of the 64 output bits, j bits are kept and 64-j bits are discarded.
The j bits are XORed with j bits of plain text to give j bits of cipher text, which are shifted into the register ((64-j) bits old contents, j bits new).
OFB (Output feedback) mode (figure)
As in CFB, E produces 64 bits of which j bits are XORed with the plain text to give cipher text; here the (64-j) / j bit shift register is fed from the output of E itself, not from the cipher text.
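The four modes in the preceding slides, as an added example that is not code from the slides: ECB, CBC, j-byte CFB with the keep-j / discard-the-rest shift register, and full-block OFB, all wrapped around a 64-bit block function. The block function is a four-round Feistel network with a SHA-256 based round function, chosen here only as an invertible stand-in for DES so that the example runs without a cipher library; it is an assumption of this example and not a cipher to deploy. The key, IV and plaintext are constructed sample values.

```python
# Added example (not from the slides): ECB, CBC, CFB and OFB around a 64-bit
# block function. The block function is a 4-round Feistel network with a
# SHA-256 based round function: an invertible stand-in for DES, not a real cipher.
import hashlib

BLOCK = 8  # 64-bit block, as for DES on the slides

# Constructed sample values for the demonstration
KEY = b"sixteen byte key"
IV = bytes(range(8))
PT = b"SAME BLK" * 2          # two identical plaintext blocks on purpose


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def _feistel(key, block, rounds):
    l, r = block[:4], block[4:]
    for rnd in rounds:
        l, r = r, _xor(l, _round_fn(key, rnd, r))
    return r + l                   # final swap: same loop in reverse order inverts it


def block_encrypt(key, block):
    return _feistel(key, block, range(4))


def block_decrypt(key, block):
    return _feistel(key, block, reversed(range(4)))


def _chunks(data, size):
    assert len(data) % size == 0, "this example expects whole chunks, no padding"
    return [data[i:i + size] for i in range(0, len(data), size)]


def ecb_encrypt(key, pt):
    # Blocks are independent: equal plaintext blocks give equal ciphertext blocks
    return b"".join(block_encrypt(key, b) for b in _chunks(pt, BLOCK))


def ecb_decrypt(key, ct):
    return b"".join(block_decrypt(key, b) for b in _chunks(ct, BLOCK))


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in _chunks(pt, BLOCK):
        prev = block_encrypt(key, _xor(b, prev))    # IV, then previous ciphertext
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _chunks(ct, BLOCK):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def cfb_encrypt(key, iv, pt, j=1):
    """j-byte CFB: keep j bytes of E(register), discard 8-j, and shift the j
    ciphertext bytes into the register (the slide's j bits / 64-j bits)."""
    sr, out = iv, []
    for p in _chunks(pt, j):
        c = _xor(p, block_encrypt(key, sr)[:j])
        out.append(c)
        sr = sr[j:] + c
    return b"".join(out)


def cfb_decrypt(key, iv, ct, j=1):
    sr, out = iv, []
    for c in _chunks(ct, j):
        out.append(_xor(c, block_encrypt(key, sr)[:j]))   # only E is ever needed
        sr = sr[j:] + c
    return b"".join(out)


def ofb_crypt(key, iv, data):
    """Full-block OFB: the register is fed from E's own output, so the keystream
    is independent of the data and one function both encrypts and decrypts."""
    sr, out = iv, []
    for b in _chunks(data, BLOCK):
        sr = block_encrypt(key, sr)
        out.append(_xor(b, sr))
    return b"".join(out)
```

Encrypting PT under ECB shows the weakness the later modes address: the two identical plaintext blocks produce two identical ciphertext blocks, while CBC, CFB and OFB hide the repetition.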
Basic Primitives in Block Ciphers
Bit by bit exclusive OR
Modulo 2^16 or 2^32 additions (use fast adders)
Arbitrary rotations (left or right by any number of bits)
Permutations, S-Boxes
Modulo multiplication (X.Y) mod N
Exponentiation X^Y mod N
Multiplicative inverses (1/X) mod N
Galois field operations (multiplication, inversion, word based LFSRs)
Typical Architecture: Software, ASIC or FPGA (figure)
Key register and clock feed a Key Scheduler, which expands the actual key into round keys.
Round processors 1, 2, ..., k-1, k (individual, a few, or one shared processor) take the input block through a multiplexer and latch to the output block.
Mode control selects the mode of operation.
Rijndael (AES)
Variable block length (128, 192, 256 bits)
Variable key length (128, 192 or 256 bits)
Block cipher: data and key arranged as rows and columns
Byte level design
Suitable for DSP or microprocessor based or ASIC implementation
Rijndael
Four rows
Nb columns: Nb = Block length/32
Nk columns: Nk = Key length/32
Number of rounds dependent on Nb and Nk:
        Nb=4  Nb=6  Nb=8
Nk=4     10    12    14
Nk=6     12    12    14
Nk=8     14    14    14
Rijndael
Rounds shown in the table, plus 1 (the initial round key addition) needed
Each round consists of four operations:
1) Byte substitution
2) Shift row
3) Mix column
4) Add round key (modulo 2, bit by bit)
Some steps can be combined.
Byte Sub: Step 1
State written as four rows (example with Nb = 6 columns):
a00 a01 a02 a03 a04 a05
a10 a11 a12 a13 a14 a15
a20 a21 a22 a23 a24 a25
a30 a31 a32 a33 a34 a35
First write the data vertically (column by column).
Substitute for each byte from the Rijndael S-Box to get a new block: simple step.
Rijndael Shift row: Step 2
First row: no shift
Second row: one byte left circular shift
Third row: two byte left circular shift
Fourth row: three byte left circular shift
Original (bytes numbered column by column):
1 5  9 13
2 6 10 14
3 7 11 15
4 8 12 16
The result is the permutation (read column by column):
1 6 11 16 5 10 15 4 9 14 3 8 13 2 7 12
Mix Column
The Mix column transformation avoids a big 32 bit input, 32 bit output S-Box.
All bytes are treated as polynomials.
Example: the byte b7b6b5b4b3b2b1b0 is the polynomial b7.x^7 + b6.x^6 + b5.x^5 + b4.x^4 + b3.x^3 + b2.x^2 + b1.x + b0
Columns are considered as polynomials over GF(2^8). The irreducible 8th degree polynomial used is x^8 + x^4 + x^3 + x + 1
Mix Column
b(x) = [c(x).a(x)] mod (x^4 + 1)
c(x) = 03.x^3 + 01.x^2 + 01.x + 02
We thus obtain all new columns b(x) corresponding to a(x).
Example
d(x) = [a(x).b(x)] mod (x^4 + 1)
a(x) = a3.x^3 + a2.x^2 + a1.x + a0
b(x) = b3.x^3 + b2.x^2 + b1.x + b0
Before reduction, d(x) = c6.x^6 + c5.x^5 + c4.x^4 + c3.x^3 + c2.x^2 + c1.x + c0, where
c0 = a0b0
c1 = a1b0 + a0b1
c2 = a2b0 + a1b1 + a0b2
c3 = a3b0 + a2b1 + a1b2 + a0b3
c4 = a3b1 + a2b2 + a1b3
c5 = a3b2 + a2b3
c6 = a3b3
All + are exclusive OR.
But x^4 = 1, x^5 = x, x^6 = x^2 mod (x^4 + 1)
After reduction:
c0 = a0b0 + a3b1 + a2b2 + a1b3
c1 = a1b0 + a0b1 + a3b2 + a2b3
c2 = a2b0 + a1b1 + a0b2 + a3b3
c3 = a3b0 + a2b1 + a1b2 + a0b3
Each product above is a multiplication in GF(2^8).
Fortunately, all the bi are simple: 02H, 03H, 01H or 01H.
Rijndael Mix Column: Step 3 (figure: each column of the state a is multiplied by c(x) to give the corresponding column of b)
a00 a01 a02 a03 a04 a05
a10 a11 a12 a13 a14 a15
a20 a21 a22 a23 a24 a25
a30 a31 a32 a33 a34 a35
x c(x) ->
b00 b01 b02 b03 b04 b05
b10 b11 b12 b13 b14 b15
b20 b21 b22 b23 b24 b25
b30 b31 b32 b33 b34 b35
Add (EXOR) Round Key
Add round key is the bit wise exclusive OR of the complete block with the round key.
Simple operation. The round key is used only in this step.
Key Scheduler to get round keys
Initial round key addition
Consider a 128 bit block.
Each round key is 128 bits = 4 words of 32 bits.
Total 32 bit key words: 44 = (initial add round key + 10 round keys) x 4 words
How to generate all round key words from the 128 bit (4 word) basic key?
Rijndael Key schedule
We need 44 words W of 32 bits for Nk = 4, i.e. a 128 bit key.
The first four words are the given key data itself.
For each further i:
temp = W(i-1)
For i a multiple of 4, temp = subbyte(rotbyte(temp)) exor Rcon(i/4)
W(i) = temp exor W(i-4)
Rot byte is a one byte circular left shift of the word; subbyte applies the S-Box to each byte of the word.
Rcon(j) is a word with the three least significant bytes zero. The most significant byte RC(j) is as per the table:
j      1  2  3  4  5  6  7  8  9  10
RC(j) 01 02 04 08 10 20 40 80 1B 36
Key generation method (figure)
Key bytes K0..K15, written column by column, form the first four words:
W0 = K0 K1 K2 K3, W1 = K4 K5 K6 K7, W2 = K8 K9 K10 K11, W3 = K12 K13 K14 K15
W4..W7 are derived from these, the function g (rotbyte, subbyte, Rcon) being applied on every fourth word; continue to get 44 words.
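The four round operations and the key schedule of the preceding slides, carried through to a complete AES-128 block encryption, as an added example that is not code from the slides. The S-box is generated from the GF(2^8) inverse and affine map rather than pasted as a table, Mix column is the slides' polynomial product mod (x^4 + 1) with c(x) = 03.x^3 + 01.x^2 + 01.x + 02, and Rcon is produced by repeated multiplication by x. The column-major state layout (byte r of column c at index r + 4c) is a convention of this example; the expected ciphertext is the FIPS-197 Appendix C.1 test vector.

```python
# Added example (not from the slides): AES-128 from the four round operations
# and the key schedule as described, with the S-box computed from GF(2^8).
# State is a list of 16 bytes in column-major order: index r + 4*c.

POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1


def xtime(b):
    """Multiply by x in GF(2^8), reducing by the Rijndael polynomial."""
    b <<= 1
    return (b ^ POLY) & 0xFF if b & 0x100 else b


def gf_mul(a, b):
    """Shift-and-add multiplication in GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


def gf_inv(a):
    """a^254 = a^-1 in GF(2^8); 0 is mapped to 0."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


# S-box: multiplicative inverse followed by the fixed affine transformation.
SBOX = [gf_inv(a) for a in range(256)]
SBOX = [s ^ _rotl8(s, 1) ^ _rotl8(s, 2) ^ _rotl8(s, 3) ^ _rotl8(s, 4) ^ 0x63 for s in SBOX]


def sub_bytes(st):
    return [SBOX[b] for b in st]


def shift_rows(st):
    """Row r rotated left by r bytes; gives the slide's 1 6 11 16 5 10 ... permutation."""
    return [st[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mul_mod_x4_plus_1(a, b):
    """d(x) = a(x).b(x) mod (x^4 + 1), coefficients in GF(2^8), low degree first."""
    d = [0] * 4
    for j in range(4):
        for k in range(4):
            d[(j + k) % 4] ^= gf_mul(a[j], b[k])
    return d


C_X = [0x02, 0x01, 0x01, 0x03]   # c(x) = 03 x^3 + 01 x^2 + 01 x + 02


def mix_columns(st):
    out = []
    for c in range(4):
        out += mul_mod_x4_plus_1(st[4 * c:4 * c + 4], C_X)
    return out


def add_round_key(st, rk):
    return [a ^ k for a, k in zip(st, rk)]


def rcon_table(n=10):
    """RC(j) for j = 1..n: 01, 02, 04, ... by repeated multiplication by x."""
    out, rc = [], 1
    for _ in range(n):
        out.append(rc)
        rc = xtime(rc)
    return out


def key_expansion(key):
    """44 words for Nk = 4: W(i) = W(i-4) xor temp, where temp = W(i-1), or
    subbyte(rotbyte(W(i-1))) xor Rcon(i/4) when i is a multiple of 4."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = rcon_table()
    for i in range(4, 44):
        temp = w[i - 1][:]
        if i % 4 == 0:
            temp = [SBOX[b] for b in temp[1:] + temp[:1]]   # rotbyte, then subbyte
            temp[0] ^= rcon[i // 4 - 1]
        w.append([x ^ y for x, y in zip(w[i - 4], temp)])
    return w


def aes128_encrypt_block(key, block):
    w = key_expansion(key)
    round_key = lambda r: [b for word in w[4 * r:4 * r + 4] for b in word]
    st = add_round_key(list(block), round_key(0))     # the "+1" initial key addition
    for r in range(1, 11):
        st = shift_rows(sub_bytes(st))
        if r != 10:                                   # last round omits Mix column
            st = mix_columns(st)
        st = add_round_key(st, round_key(r))
    return bytes(st)
```

With key 00 01 02 ... 0f and plaintext 00 11 22 ... ff, `aes128_encrypt_block` returns 69c4e0d86a7b0430d8cdb78070b4c55a, the FIPS-197 reference value; `shift_rows(list(range(1, 17)))` yields exactly the permutation listed on the Shift row slide and `rcon_table()` the RC(j) row of the Rcon table.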
S-BOX implementations
ROM
Logic synthesis based
Multiplexer based
FOM (figure of merit): delay (access time), area, flexibility, insight
Logic synthesis of S-BOX S1, first row
14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
Analyze the sequences of b3, b2, b1, b0.
The logic functions, assuming an input DCBA from a counter counting from zero to 15, are as follows (the complement bars over the literals are not reproduced in this transcript):
b3 = ACD+ABC+BCD+ABCD+ABCD
b2 = DCB+DCBA+DCBA+DCB+DCBA+DCBA
b1 = DCBA+DCB+DCBA+DCB+DCBA+DCBA
b0 = DCB+DCBA+DCBA+DCBA+DCB+DCBA
Output bits b3b2b1b0 for inputs 0 to 15:
1110 0100 1101 0001 0010 1111 1011 1000 0011 1010 0110 1100 0101 1001 0000 0111
S-BOX based on multiplexer (figure)
The input nibble (b3 b2 b1 b0 of the input) drives the select lines of four 16:1 multiplexers, one per output bit.
Hardwire all data inputs of each 16:1 mux to logic one and zero as needed; for S1 first row the hardwired patterns (inputs 0 to 15) are:
b3: 1010011101010100
b2: 1110010000111001
b1: 1000111011100001
b0: 0011011010001101
Delay is one 16:1 multiplexer delay.
Area: four 16:1 multiplexers.
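The two S-box realisations on the last slides (logic synthesis and multiplexer based), in software form for the first row of DES S-box S1, as an added example that is not code from the slides. The multiplexer version reads each output bit from a hardwired 16-bit pattern indexed by the input nibble; the logic version builds each output bit as a canonical sum of minterms over D C B A (D the msb). The canonical form is not minimised, so it has more terms than the slide's expressions; the variable naming is the slide's.

```python
# Added example (not from the slides): the two S-box realisations from the slides
# in software form, for the first row of DES S-box S1. Output bit order is
# b3 b2 b1 b0 (msb first); input variables are D C B A with D the msb.

S1_ROW0 = [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7]


def bit_column(table, k):
    """16-character string of output bit k (3 = msb) over inputs 0..15:
    exactly the pattern hardwired to one 16:1 multiplexer."""
    return "".join(str((v >> k) & 1) for v in table)


# Multiplexer option: four constants, one per output bit, selected by the nibble.
MUX_PATTERNS = {k: bit_column(S1_ROW0, k) for k in (3, 2, 1, 0)}


def sbox_mux(nibble):
    """Each output bit is one 16:1 mux: the nibble is the select, the data inputs are fixed."""
    out = 0
    for k in (3, 2, 1, 0):
        out = (out << 1) | int(MUX_PATTERNS[k][nibble])
    return out


# Logic-synthesis option: each output bit as a sum of minterms over D C B A.
def minterms(table, k):
    """Inputs for which output bit k is 1."""
    return [i for i, v in enumerate(table) if (v >> k) & 1]


def sop_expression(table, k, names="DCBA"):
    """Canonical sum of products; a prime after a variable denotes its complement.
    Minimisation to fewer terms, as on the slide, is left to a K-map or a tool."""
    terms = []
    for m in minterms(table, k):
        lits = [name if (m >> (3 - pos)) & 1 else name + "'" for pos, name in enumerate(names)]
        terms.append("".join(lits))
    return " + ".join(terms)


def sbox_sop(nibble):
    """Evaluate the four sums of products: bit k is 1 iff the input is one of its minterms."""
    out = 0
    for k in (3, 2, 1, 0):
        out = (out << 1) | (1 if nibble in minterms(S1_ROW0, k) else 0)
    return out
```

`MUX_PATTERNS[3]` through `MUX_PATTERNS[0]` are the four bit strings on the multiplexer slide, and both `sbox_mux` and `sbox_sop` reproduce the row 14 4 13 1 ... 0 7 over all sixteen inputs, which is the check to run whenever an S-box is re-encoded for a different implementation option.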
What you need to learn
Basic algorithms
Implementation of primitives, efficiently
Implementation options
Combining steps
Efficient key schedule calculation
Agility to change to new keys
Properties of S-box, evaluation
Evaluation of block ciphers and other primitives (rotation, modulo multiplication etc.)
Design resistant to side-channel attacks
Software and hardware solutions
Authentication algorithms
Encryption and authentication (figure)
Conventional symmetric key based encryption: sender S and destination D share the same key K.
Encryption and authentication (figure)
CONFIDENTIALITY: S encrypts with D's public key U; D decrypts with its private key R.
U stands for Public, R stands for Private.
Encryption and authentication (figure)
AUTHENTICATION: S transforms the message with its own private key R; D checks it with S's public key U.
Encryption and authentication (figure)
BOTH: S applies its private key R and then D's public key U; D undoes this with its private key R and then S's public key U.
Authentication
Asymmetric systems (two keys, one public and another private, are needed)
Three types of authentication possible
AUTHENTICATION USING RSA
RSA is named after its inventors Rivest, Shamir and Adleman
Two keys are used (public key and private key)
Authentication using RSA
m = message
Public key = (e, n)
Private key = (d, n)
Encryption: c = m^e mod n
Decryption: m = c^d mod n
Choice of n, e, d
Choose two large primes p and q.
n = p.q
Choose e such that e and (p-1).(q-1) are relatively prime.
Calculate d so that e.d = 1 mod ((p-1).(q-1))
Example
p = 47, q = 71 (n = p.q = 3337)
(p-1).(q-1) = 46.70 = 3220
Choose e = 79; then d = 1019.
m = 688, say
c = 1570, and m = 688 after decryption
How to compute X^Y mod N
X, Y and N are typically 1024 bit numbers.
Repeated squaring and conditional multiplications:
11^23 mod 37 = (11^16 . 11^4 . 11^2 . 11) mod 37
Basic operation is A.B mod N
X^Y mod N needs at most 2047 such operations for 1024 bit numbers
How to compute A.B mod N
Example: 13.15 mod 23
We do not want to do it in a straightforward manner (full product, then reduce).
Write B = 13 in binary form: 1101
Starting from the msb, repeatedly compute (2.Old + bi.A) mod 23
What you need to learn
Basic algorithms
Primality testing
Choice of primes
Factorization problem
Kernel for fast exponentiation mod M (multibit recoding, Montgomery's algorithm, redundant arithmetic, attack-resistant design, scalability to 2048 bits)
Software/hardware solutions
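The RSA kernel of the preceding slides, as an added example that is not code from the slides: the interleaved A.B mod N multiplication (2.Old + bi.A, msb first), left-to-right square-and-multiply for X^Y mod N, key generation with d from the extended Euclidean algorithm, and a Miller-Rabin primality test for the "primality testing" item. The numbers checked are the slides' own (13.15 mod 23; 11^23 mod 37; p = 47, q = 71, e = 79, d = 1019, m = 688, c = 1570). The Miller-Rabin base set and its deterministic range are standard facts, not something the slides state.

```python
# Added example (not from the slides): the RSA modular arithmetic kernel in
# pure Python, checked against the slides' numbers, plus Miller-Rabin for the
# choice-of-primes step. Deliberately simple and NOT constant time: the branches
# depend on exponent bits, which is exactly what side-channel resistant designs avoid.
from math import gcd


def mod_mul(a, b, n):
    """Interleaved multiplication: scan b msb-first, acc = (2.acc + bit.a) mod n.
    The partial result never exceeds 2n, so no double-width product is formed."""
    acc = 0
    for bit in bin(b)[2:]:
        acc = (2 * acc + (a if bit == "1" else 0)) % n
    return acc


def mod_exp(x, y, n):
    """Left-to-right square-and-multiply: k-1 squarings and at most k multiplies
    for a k-bit exponent, i.e. at most 2047 mod_mul calls when k = 1024."""
    if y == 0:
        return 1 % n
    result = x % n
    for bit in bin(y)[3:]:             # the leading 1 is consumed by result = x
        result = mod_mul(result, result, n)
        if bit == "1":
            result = mod_mul(result, x, n)
    return result


def mod_inverse(e, phi):
    """d with e.d = 1 mod phi, by the extended Euclidean algorithm."""
    r0, r1, t0, t1 = phi, e, 0, 1
    while r1:
        q = r0 // r1
        r0, r1, t0, t1 = r1, r0 - q * r1, t1, t0 - q * t1
    if r0 != 1:
        raise ValueError("e and phi are not relatively prime")
    return t0 % phi


def rsa_keygen(p, q, e):
    """Public key (e, n) and private key (d, n) from primes p, q and chosen e."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("choose e relatively prime to (p-1)(q-1)")
    return (e, n), (mod_inverse(e, phi), n)


def rsa_apply(key, x):
    """c = m^e mod n with the public key; m = c^d mod n with the private key."""
    exp, n = key
    return mod_exp(x, exp, n)


def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17)):
    """Miller-Rabin; with these fixed bases it is exact for n < 341,550,071,728,321."""
    if n < 2:
        return False
    for p in bases:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:                  # n - 1 = 2^r . d with d odd
        d, r = d // 2, r + 1
    for a in bases:
        x = mod_exp(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = mod_mul(x, x, n)
            if x == n - 1:
                break
        else:
            return False               # a is a witness that n is composite
    return True
```

`mod_mul(15, 13, 23)` walks the slide's four steps (15, 22, 21, 11) and returns 11; `rsa_keygen(47, 71, 79)` yields d = 1019 and `rsa_apply` maps 688 to 1570 and back, matching the worked example.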
Digital signature algorithms
Authentication by digital signatures (figure)
Message M is sent along with C = K(M), a check value computed from M under key K.
The receiver recomputes K(M) from the received M and COMPAREs it with the received C.
General Principle of Hashing (figure: chain of F blocks)
F is a compression function; Yi are successive blocks in the input.
Starting from IV, F is applied in turn to (chaining value, Y0), (chaining value, Y1), ..., (chaining value, YN-1); the last output is the hash.
If F is collision resistant, so is the hash algorithm.
SECURE HASH ALGORITHM
Treats messages as 512 bit blocks
Four rounds of 20 operations each
Five 32 bit constants (initial values of A, B, C, D, E)
Uses nonlinear operations involving AND, OR, EXCLUSIVE-OR
Uses circular shifts
Generates a hash of 160 bits. Improvement over MD5
SHA Hashing step (figure)
One step updates the five words: new A = S5(A) + f(B, C, D) + E + Wt + Kt (additions mod 2^32); new B = A; new C = S30(B); new D = C; new E = D.
Wt is the message word for step t, Kt the round constant, S5 and S30 left circular shifts by 5 and 30 bits.
What you need to learn
Fundamentals of hash functions
Hash algorithms: MD5, SHA, RIPEMD etc.
HMAC (hash using a key)
Collision issues
New hash function design to avoid collisions
Hardware/software implementations
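The hashing slides carried into working code, as an added example that is not code from the slides: the general principle (IV, then F chained over successive blocks) as a driver over a compression function, SHA-1's 80-step compression with the S5 / S30 / Wt / Kt update of the figure, and HMAC layered on top for the "hash using a key" item. Results are checked against the FIPS 180 and RFC 2202 test vectors. SHA-1 is used because it is the slides' case study; its collision resistance has since been broken, so new designs use SHA-2 or SHA-3.

```python
# Added example (not from the slides): SHA-1 assembled from the figure's pieces,
# a Merkle-Damgard driver over a compression function F, the 80-step compression
# with the S5/S30/Wt/Kt update, and HMAC on top.
import struct

MASK32 = 0xFFFFFFFF
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def sha1_compress(h, block):
    """F(chaining value, 512-bit block): 4 rounds x 20 steps over A, B, C, D, E."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):                          # message schedule W16..W79
        w.append(_rotl32(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = h
    for t in range(80):
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        temp = (_rotl32(a, 5) + f + e + k + w[t]) & MASK32   # S5(A) + f + E + Kt + Wt
        a, b, c, d, e = temp, a, _rotl32(b, 30), c, d       # B<-A, C<-S30(B), D<-C, E<-D
    return tuple((x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e)))


def md_pad(msg, block_size=64):
    """Append a 1 bit, zeros, then the 64-bit message length in bits."""
    zeros = (block_size - 8 - (len(msg) + 1) % block_size) % block_size
    return msg + b"\x80" + b"\x00" * zeros + struct.pack(">Q", len(msg) * 8)


def md_hash(compress, iv, msg):
    """General principle of hashing: chain F over blocks Y0..YN-1 starting from IV."""
    h = iv
    padded = md_pad(msg)
    for i in range(0, len(padded), 64):
        h = compress(h, padded[i:i + 64])
    return b"".join(struct.pack(">I", x) for x in h)


def sha1(msg):
    return md_hash(sha1_compress, SHA1_IV, msg)


def hmac_sha1(key, msg):
    """HMAC = H((K xor opad) || H((K xor ipad) || msg)), per RFC 2104."""
    if len(key) > 64:
        key = sha1(key)
    key = key.ljust(64, b"\x00")
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5C for k in key)
    return sha1(opad + sha1(ipad + msg))
```

`sha1(b"abc")` gives a9993e364706816aba3e25717850c26c9cd0d89d, the 56-byte FIPS example runs through two compression calls, and the RFC 2202 HMAC-SHA1 cases reproduce their published digests; swapping `sha1_compress` and `SHA1_IV` for another compression function reuses `md_hash` unchanged, which is the point of the general principle slide.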
Conclusion
Sensitivity to issues addressed such as side-channel attacks, compact hardware, protection of IP, power (low) / area (low) / time (fast) tradeoffs
Fault tolerant designs (self checking)
Self study modules with an interactive question/answer type facility will be useful
Testing/learning up to the desired level of proficiency shall be gracefully constructed with increasing depth of information
My e-mail