aes candidates
TRANSCRIPT
8/15/2019 AES Candidates
1/96
Kris Gaj
Electrical and Computer Engineering
George Mason University
Towards secure cryptographic transformations efficient in both software and hardware: case for synergy among math, computing, and engineering
http://ece.gmu.edu/crypto-text.htm

2/96
Motivation

3/96
Criteria used to evaluate cryptographic transformations:
Security
Software efficiency
Hardware efficiency
Flexibility

4/96
Flexibility
• Additional key-sizes and block-sizes
• Ability to function efficiently and securely in a wide variety of platforms and applications:
  low-end smartcards, wireless: small memory requirements
  IPSec, ATM: small key setup time in hardware
  B-ISDN, satellite communication: large encryption speed

5/96
Advanced Encryption Standard (AES) Contest, 1997-2001
15 candidates from USA, Canada, Belgium, France, Germany, Norway, UK, Israel, Korea, Japan, Australia, Costa Rica
June 1998: Round 1 (criteria: security, software efficiency, flexibility)
August 1999: 5 final candidates: Mars, RC6, Rijndael, Serpent, Twofish; Round 2 (criteria: security, hardware efficiency)
October 2000: 1 winner: Rijndael (Belgium)

6/96
NESSIE Project: New European Schemes for Signatures, Integrity, and Encryption, 2000-2002 (Europe)
CRYPTREC Project, 2000-2002 (Japan)

7/96
NESSIE, CRYPTREC
Multiple types of transformations:
• Symmetric-key block ciphers
• Stream ciphers
• Hash functions
• MACs
• Asymmetric encryption schemes
• Asymmetric digital signature schemes
• Asymmetric identification schemes
Development of methodology of a fair evaluation and comparison of algorithms belonging to the same class, including software and hardware efficiency

8/96
Speed of the final AES candidates in hardware
[Bar chart: speed (y-axis 0 to 100) of Serpent, Rijndael, Twofish, RC6, Mars]

9/96
Survey filled by 167 participants of the Third AES Conference, April 2000
[Bar chart: number of votes (y-axis 0 to 100) for Serpent, Rijndael, Twofish, RC6, Mars]

10/96

11/96
Efficiency in software: NIST-specified platform
[Bar chart: speed (y-axis 0 to 30) of Serpent, Rijndael, Twofish, RC6, Mars for 128-bit, 192-bit and 256-bit keys; 200 MHz Pentium Pro, Borland C++]

12/96

13/96
Security: Theoretical attacks better than exhaustive key search
[Bar chart: # of rounds in the attack / total # of rounds: Twofish 6/16, Serpent 9/32, Rijndael 7/10, RC6 15/20, Mars (without 16 mixing rounds) 11/16]

14/96
Security: Theoretical attacks better than exhaustive key search
[Bar chart: # of rounds in the attack / total # of rounds as percentages (x-axis 0 to 100), attacked share / remaining share; from the round counts on the previous slide: Serpent 28/72, Twofish 38/62, Mars 69/31, Rijndael 70/30, RC6 75/25]

15/96
Speed in hardware
[Bar chart, y-axis 0 to 600; readable bar labels: 359 and 610]

16/96

17/96
Historical view (timeline 1970, 1980, 1990, 2000)
Secret-key ciphers:
  DES: optimized for hardware
  Fast Software Encryption: ciphers optimized for software, e.g., RC5, Blowfish, RC4
  AES: optimized for software and hardware
Hash functions:
  DES-based hash functions: optimized for hardware
  MD4-family: optimized primarily for software

18/96
Software or hardware?
SOFTWARE vs. HARDWARE: security of data during transmission; flexibility

19/96
Efficiency indicators

20/96
Primary efficiency indicators
Software: Speed, Memory
Hardware: Speed, Area, Memory, Power consumption

21/96
Efficiency parameters
Latency: time to encrypt/decrypt a single block of data (Mi -> encryption/decryption -> Ci)
Throughput = Speed: number of bits encrypted/decrypted in a unit of time (Mi, Mi+1, Mi+2 -> encryption/decryption -> Ci, Ci+1, Ci+2)
Throughput = Block_size · Number_of_blocks_processed_simultaneously / Latency

22/96

23/96
Non-Feedback Cipher Modes: ECB, counter

24/96
Comparison for non-feedback cipher modes, e.g. Counter Mode - CTR
[Diagram: M0, M1, M2 each XORed with an output of E: Ci = Mi ⊕ E(counter i)]

25/96
Increasing speed by parallel processing
[Diagram: six encryption/decryption units operating in parallel on different blocks]

26/96
Increasing speed using pipelining
[Diagram: Cipher 1 (round 1, round 2, ..., round 10) and Cipher 2 (round 1, round 2, ..., round 16), one pipeline stage per round]
Speed = block size / target_clock_period
target clock period, e.g., 20 ns

27/96
Pipelined operation of the encryption unit
[Diagram: clock cycles 1 to 17, blocks B1, B2, B3, ... advancing one round per clock cycle through the pipeline stages]

28/96
Encryption in non-feedback cipher modes (ECB, counter)
[Scatter chart: throughput (y-axis 0 to 7000) vs. area (x-axis 0 to 60000) for the AES finalists; Rijndael and Mars labeled]

29/96
Our Results: Full mixed pipelining
[Bar chart: throughput, y-axis 0 to 18]

30/96
Our Results: Full mixed pipelining
[Bar chart: area (y-axis 0 to 50000) of Serpent, Rijndael, Twofish, RC6; readable annotations: 12,600; 80 RAMs (dedicated memory blocks, RAMs)]

31/96
NIST Report / GMU Report: Hardware Efficiency
Non-feedback cipher modes: ECB, CTR
[Chart: Speed (High / Medium / Low) vs. Area (Small / Medium / Large) for Rijnd ael, Serpent, Twofish, RC6, Mars]

32/96
Feedback cipher modes: CBC, CFB, OFB

33/96
Feedback cipher modes - CBC
[Diagram: M1, M2, M3 ... chained through E with initial vector IV: Ci = E(Mi ⊕ Ci-1), C0 = IV]
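The throughput formula on slide 21 and the contrast between non-feedback modes (ECB, counter, slides 23-29) and feedback modes (CBC, slides 32-33) can be checked with a small clock-cycle model. The Python below is an added example, not code from the slides or from the GMU project. It assumes one cipher round per clock cycle, a 128-bit block and the 20 ns target clock period mentioned on slide 26; a basic iterative architecture is one stage, full pipelining is one stage per round, and CBC is modelled by admitting block j only after block j-1 has left the unit (its ciphertext is the next input):

```python
"""Clock-cycle model of a round-based block cipher unit: basic iterative
architecture vs. a round-per-stage pipeline, in a non-feedback mode (ECB/CTR)
and in a feedback mode (CBC).  Added example, not from the slides."""

from dataclasses import dataclass


@dataclass
class Schedule:
    cycles: int             # clock cycles until the last block leaves the unit
    latency_cycles: int     # cycles one block spends inside the unit
    simultaneous: int       # peak number of blocks in flight
    throughput_mbps: float  # blocks * block_bits / (cycles * clock_ns), Mbit/s


def formula_throughput_mbps(block_bits, simultaneous, latency_cycles, clock_ns):
    """Slide 21: throughput = block_size * blocks_processed_simultaneously /
    latency, with latency = latency_cycles * clock period (here in ns)."""
    return block_bits * simultaneous * 1000.0 / (latency_cycles * clock_ns)


def schedule(rounds, stages, blocks, feedback, block_bits=128, clock_ns=20.0):
    """Push `blocks` blocks through a unit of `stages` pipeline stages that
    together implement `rounds` rounds (one round per clock cycle).
    stages=1 is the basic iterative architecture, stages=rounds is full
    pipelining.  feedback=True models CBC: block j may enter only once the
    ciphertext of block j-1 exists, so the stages can never be filled."""
    if rounds % stages:
        raise ValueError("stages must divide rounds")
    per_stage = rounds // stages
    pipe = [None] * stages        # per stage: [block_id, cycles_left] or None
    admitted, finished = {}, {}   # block_id -> clock cycle
    next_block, done, cycle, peak = 0, 0, 0, 0
    while done < blocks:
        cycle += 1
        # 1. admit a block into stage 0 if it is free and the mode allows it
        if (next_block < blocks and pipe[0] is None
                and (not feedback or done == next_block)):
            pipe[0] = [next_block, per_stage]
            admitted[next_block] = cycle
            next_block += 1
        peak = max(peak, sum(1 for s in pipe if s is not None))
        # 2. one clock cycle of combinational work in every occupied stage
        for slot in pipe:
            if slot is not None and slot[1] > 0:
                slot[1] -= 1
        # 3. at the clock edge move finished blocks forward, output end first
        for i in reversed(range(stages)):
            slot = pipe[i]
            if slot is None or slot[1] > 0:
                continue
            if i == stages - 1:
                finished[slot[0]] = cycle
                done += 1
                pipe[i] = None
            elif pipe[i + 1] is None:
                pipe[i + 1] = [slot[0], per_stage]
                pipe[i] = None
            # otherwise the block stalls in place and retries at the next edge
    latency = max(finished[b] - admitted[b] + 1 for b in finished)
    return Schedule(cycle, latency, peak,
                    blocks * block_bits * 1000.0 / (cycle * clock_ns))


if __name__ == "__main__":
    for name, st, fb in (("basic, CTR", 1, False), ("pipelined, CTR", 10, False),
                         ("pipelined, CBC", 10, True)):
        print(name, schedule(10, st, 1000, fb))
```

With a 10-round cipher, 1000 blocks and a 20 ns clock, the full pipeline in counter mode approaches the formula value 128 bits · 10 / (10 · 20 ns) = 6400 Mbit/s, while the same pipeline in CBC mode never holds more than one block and delivers the 640 Mbit/s of the basic iterative architecture; this is the reason the slides treat feedback and non-feedback modes separately.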

34/96
Typical Flow Diagram of a Secret-Key Block Cipher
Initial transformation (Round Key[0]); i := 1
Cipher Round (Round Key[i]); i := i+1; repeated while i <= #rounds (#rounds times)
Final transformation (Round Key[#rounds+1])

35/96
Basic iterative architecture
[Diagram: multiplexer -> register -> combinational logic (one round), fed back to the multiplexer]

36/96
GMU Results: Encryption in cipher feedback modes

37/96
GMU Results: Encryption in cipher feedback modes (CBC, CFB, OFB) - Virtex FPGA
[Bar chart: throughput]

38/96
NSA Results: Encryption in cipher feedback modes (CBC, CFB, OFB) - ASIC, 0.5 μm CMOS
[Bar chart: throughput]

39/96
Decreasing area by resource sharing
[Diagram: Before: two F units in parallel, each with its register; After: one F unit, a multiplexer (select 0/1) and a register]

40/96
Resource sharing: Speed vs. Area
[Scatter chart: throughput vs. area; for each cipher a point for the basic architecture and a point for resource sharing]

41/96
NIST Report / GMU Report: Hardware Efficiency
Feedback cipher modes: CBC, CFB
[Chart: Speed (High / Medium / Low) vs. Area (Small / Medium / Large) for Rijndael, MARS, Serpent, Twofish, RC6]

42/96
Are software and hardware optimizations equivalent?

43/96
Efficiency in software: NIST-specified platform
[Bar chart: speed (y-axis 0 to 30) of Serpent, Rijndael, Twofish, RC6, Mars for 128-bit, 192-bit and 256-bit keys; 200 MHz Pentium Pro, Borland C++]

44/96
Our Results: Basic architecture - Speed
[Bar chart: throughput (y-axis 0 to 500) of Serpent, Rijndael, Twofish, RC6, Mars]

45/96
Atomic operations used in 41 most popular secret-key ciphers

46/96
Atomic operations used in 41 most popular secret-key ciphers (1)
B. Chetwynd, MS Thesis, WPI
Considered ciphers: Blowfish, CAST, CAST-128, CAST-256, CRYPTON, CS-Cipher, DEAL, DES, DFC, E2, FEAL, FROG, GOST, Hasty Pudding, ICE, IDEA, Khafre, Khufu, LOKI91, LOKI97, Lucifer, MacGuffin, MAGENTA, MARS, MISTY1, MISTY2, MMB, RC2, RC5, RC6, Rijndael, SAFER K, SAFER+, Serpent, SQUARE, SHARK, Skipjack, TEA, Twofish, WAKE, WiderWake

47/96
Major atomic operations used in 41 most popular secret-key ciphers (2)
B. Chetwynd, MS Thesis, WPI
[Bar chart (y-axis 0 to 40): number of ciphers using S-box, variable rotation, modular multiplication, GF(2^n) multiplication, modular inversion]

48/96
Auxiliary atomic operations used in 41 most popular secret-key ciphers (3)
B. Chetwynd, MS Thesis, WPI
[Bar chart (y-axis 0 to 40): number of ciphers using Boolean (XOR, AND, OR, etc.), fixed rotation, modular addition & subtraction, permutation; readable bar labels: 41, 25, 20]

49/96
Major cipher operations (1) - S-box
S-box n x m
Software:
  C:   S[1<<n] = {0x23, 0x34, 0x56, ...}
  ASM: S DB 23H, 34H, 56H, ...
Hardware:
  ROM: 2^n words, n-bit address, m-bit output, i.e. 2^n · m bits; or direct logic
  [Diagram: inputs x1, x2, ..., xn -> S -> outputs y1, y2, ..., ym]

50/96
S-box: Memory in hardware
32 x (S-box 4x4) = 128 bits: Memory = 32 · 2^4 · 4 bits = 2 kbit
16 x (S-box 8x8) = 128 bits: Memory = 16 · 2^8 · 8 bits = 32 kbit = 16 · 2 kbit

51/96
S-box: Memory in software
32 x (S-box 4x4) = 128 bits: Memory = 2^4 · 4 bits = 64 bit
16 x (S-box 8x8) = 128 bits: Memory = 2^8 · 8 bits = 2 kbit = 32 · 64 bits

52/96
Major cipher operations (2) - Variable Rotation
Software:
  C:   C = A <<< B
  ASM: ROL A, B
Hardware: variable rotation, e.g. ROL32: mux-based shifter, or high-speed clock

53/96
Major cipher operations (3) - Modular Multiplication
C = A·B mod 2^n
Software:
  C:   C = A*B   (unsigned long A, B, C; n = 32, 16)
  ASM: MUL
Hardware: half-multiplier (n-bit inputs A, B; n-bit output C)

54/96
Auxiliary cipher operations (1) - Permutation

55/96
Auxiliary cipher operations (1) - Permutation
Software:
  C:   complex sequence of instructions (<<, >>, &)
  ASM: complex sequence of instructions (ROL, AND)
Hardware: order of wires (x1 x2 x3 ... xn-1 xn -> y1 y2 y3 ... yn-1 yn)
u%iliary cipher operations +0, $ (i%ed rotation
-
8/15/2019 AES Candidates
56/96
C
order of wires
u%iliary cipher operations +0, (i%ed rotation
'ardware&oftware
&M
J A, n
G2 G3 G4 GnGn-2; ; ;
y2 y3 y4 ynyn-2
; ; ;
& @

57/96
Auxiliary cipher operations (4)

58/96
Auxiliary cipher operations (4) - Addition/subtraction
C = A + B mod 2^n
Software:
  C:   C = A+B   (unsigned long A, B, C; n = 32, 16)
  ASM: ADD
Hardware: adder/subtractor (n-bit inputs A, B; n-bit output C)

59/96

60/96
Basic operations

61/96
Delay and area in SOFTWARE
[Scatter chart: delay vs. memory for addition, multiplication, Boolean, permutation, fixed rotation, GF(2^n) multiplication, variable rotation, S-box 4x4, S-box 8x8, S-box 9x32, modular inverse]

62/96
Major operations of AES finalists
[Table: Mars, Twofish, Serpent, RC6, Rijndael vs. S-boxes, integer multiplication, variable rotation, multiplication in GF(2^m)]

63/96
Auxiliary operations of AES finalists
[Table: Mars, Twofish, Serpent, RC6, Rijndael vs. Boolean, addition/subtraction, permutation, fixed rotation]

64/96
MARS - IBM team
Delay and area in HARDWARE
[Scatter chart: delay vs. area for modular multiplication, Boolean, permutation, variable rotation, GF(2^n) multiplication, fixed rotation, addition (CLA), addition (RC), S-box 4x4, S-box 8x8, S-box 9x32, modular inverse; annotated for MARS]

65/96
Serpent - R. Anderson, E. Biham, L. Knudsen
Delay and area in HARDWARE
[Scatter chart: delay vs. area for modular multiplication, Boolean, permutation, variable rotation, GF(2^n) multiplication, fixed rotation, addition (CLA), addition (RC), S-box 4x4, S-box 8x8, S-box 9x32, modular inverse; annotated for Serpent]

66/96
Rijndael - V. Rijmen, J. Daemen
Delay and area in HARDWARE
[Scatter chart: delay vs. area for modular multiplication, Boolean, permutation, variable rotation, GF(2^n) multiplication, fixed rotation, addition (CLA), addition (RC), S-box 4x4, S-box 8x8, S-box 9x32, modular inverse; annotated for Rijndael]

67/96
Delay and area in SOFTWARE
[Scatter chart: delay vs. memory for addition, multiplication, Boolean, permutation, fixed rotation, GF(2^n) multiplication, variable rotation, S-box 4x4, S-box 8x8, S-box 9x32, modular inverse]

68/96
Summary: Operations efficient in both software and hardware
[Table: Software (Fast & compact / Slow or big) vs. Hardware (Fast & compact / Slow or big); operations placed in the cells: permutation, addition, GF(2^n) multiply, multiplication, S-box, Boolean, fixed rotation, variable rotation, modular inverse]

69/96
AES: Types of candidate algorithms

70/96
AES: Types of candidate algorithms
Feistel Networks: Twofish, E2, DFC, Deal, LOKI97, Magenta
Modified Feistel Network: RC6, MARS, CAST-256
Substitution-Linear Transformation Networks: Rijndael, Serpent, Safer+, Crypton
Others: Frog, HPC
(eistel 8etwor): &ingle 6ound of Twofish
-
8/15/2019 AES Candidates
71/96
DDD 2
RRR 2
( $ function
(eistel 8etwor): &ingle 6ound of Twofish
#B4C #B3C #B2C #B0C
#B4C #B3C #B2C #B0C
* 3r?7 * 3r?8
- units shared .et,een encr1ption and decr1ption
Modified (eistel 8etwor): &ingle 6ound of M6&
-
8/15/2019 AES Candidates
72/96

73/96
Substitution-Linear Transformation Network: Single Round of Serpent
[Diagram: 128-bit input XOR K[i] -> S-boxes -> Linear Transformation -> 128-bit output; marked: units shared between encryption and decryption]

74/96
Substitution-Linear Transformation Network: Serpent in Hardware
[Diagram: 128-bit input -> initial permutation -> encryption block (subkeys K0, ..., K32) or decryption block (subkeys K32, ..., K0) -> final permutation -> 128-bit output]

75/96
Rijndael in Hardware
[Diagram: encryption and decryption paths built from inversion in GF(2^8), affine transformation / inverse affine transformation, ShiftRow / InvShiftRow, MixColumn / InvMixColumn and subkey addition; marked: units shared between encryption and decryption]

76/96
Number and complexity of rounds

77/96
Number vs. complexity of a round
[Scatter chart: number of rounds (y-axis 10 to 50) vs. complexity of a round for Triple DES, DES, Serpent, Rijndael, Mars, RC6, Twofish]

78/96
Complexity of the cipher round in hardware
[Bar chart: time in hardware (0 to 100) of a regular round of Serpent, Rijndael, Twofish, RC6 and Mars, each bar split into its operations; readable labels: S-box 4x4 and XOR for Serpent; S-box 8x8 and XOR for Rijndael; 6 S-boxes 4x4 for Twofish; SQR32 and ROT32 for RC6; MUL32 and MUX for Mars]

79/96
8/15/2019 AES Candidates
80/96
Ma)ing all rounds identical

81/96
Serpent - Hardware Architecture I1

82/96
Serpent - Hardware Architecture I1
[Diagram: 128-bit register -> XOR Ki -> 32 x S-box 0, 32 x S-box 1, ..., 32 x S-box 7 in parallel, selected by an 8-to-1 128-bit multiplexer -> linear transformation (one regular Serpent round); final XOR K32 -> output]

83/96
GMU Results: Encryption in cipher feedback modes (CBC, CFB, OFB) - Virtex FPGA
[Bar chart: throughput]

84/96
Parallelism
Parallelism in SHA-1

85/96
Parallelism in SHA-1
[Diagram: two consecutive SHA-1 steps on the 32-bit registers A, B, C, D, E, each with ROTL5, ft, ROTL30, four adders, Kt and Wt; operations from two different steps that can be performed in parallel are marked]
Executing SHA-1 on a 7-way superscalar processor: A. Bosselaers, R. Govaerts, J. Vandewalle

86/96
[Diagram: operations of SHA-1 steps n, n+1, n+2, n+3 and following, arranged to show which of them overlap]
A. Bosselaers, R. Govaerts, J. Vandewalle

87/96
Number of operations that can be executed in parallel for various hash functions
[Bar chart (y-axis 0 to 8): SHA-1, RIPEMD-160, RIPEMD-128, RIPEMD, MD5, MD4]
A. Bosselaers, R. Govaerts, J. Vandewalle

88/96
Optimization tricks

89/96
Rijndael round: Table-lookup implementation
[Diagram: state bytes a0,0 ... a3,3 index the tables T0, T1, T2, T3, whose outputs are XORed into the output columns b0 b1 b2 b3]
Speed-up in software: ~100 times
Speed-up in hardware: ~20
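The table-lookup round on this slide computes each output column as the XOR of four table entries and a round-key word. The Python below is an added example, not code from the slides or from the Rijndael designers; it builds the S-box and the four tables from the GF(2^8) arithmetic of FIPS-197 (so the tables are assumptions derived here, not copied from any reference implementation), computes one round both step by step and by table look-up, and checks that the two agree. The sample state and key are the example plaintext and cipher key of FIPS-197, used here only as input data:

```python
"""Rijndael/AES encryption round computed two ways: step by step (SubBytes,
ShiftRows, MixColumns, AddRoundKey) and with the four 256-entry look-up tables
T0..T3 of the table-lookup implementation.  Added example, not from the slides."""


def xtime(b):
    """Multiply by x in GF(2^8) modulo the Rijndael polynomial x^8+x^4+x^3+x+1."""
    b <<= 1
    return (b ^ 0x11B) & 0xFF if b & 0x100 else b


def gf_mul(a, b):
    """Shift-and-add multiplication in GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _sbox_entry(a):
    """S-box = multiplicative inverse in GF(2^8) followed by the affine map."""
    inv = next((x for x in range(1, 256) if gf_mul(a, x) == 1), 0)   # 0 -> 0
    return (inv ^ _rotl8(inv, 1) ^ _rotl8(inv, 2) ^ _rotl8(inv, 3)
            ^ _rotl8(inv, 4) ^ 0x63)


SBOX = [_sbox_entry(a) for a in range(256)]


def _pack(col):
    """Four column bytes (row 0 first) -> one 32-bit word, row 0 most significant."""
    return (col[0] << 24) | (col[1] << 16) | (col[2] << 8) | col[3]


# T_r[a]: MixColumns contribution of the S-box output s = SBOX[a] located in row r.
# T1..T3 are byte rotations of T0, which is why a single table can also be used.
T0 = [_pack((gf_mul(2, s), s, s, gf_mul(3, s))) for s in SBOX]
T1 = [_pack((gf_mul(3, s), gf_mul(2, s), s, s)) for s in SBOX]
T2 = [_pack((s, gf_mul(3, s), gf_mul(2, s), s)) for s in SBOX]
T3 = [_pack((s, s, gf_mul(3, s), gf_mul(2, s))) for s in SBOX]


def reference_round(state, round_key):
    """state: 4 rows x 4 columns of bytes (state[row][col]); round_key: four
    32-bit words, one per column.  Returns the four output column words."""
    s = [[SBOX[b] for b in row] for row in state]          # SubBytes
    s = [s[r][r:] + s[r][:r] for r in range(4)]             # ShiftRows (row r left by r)
    out = []
    for j in range(4):                                      # MixColumns + AddRoundKey
        c = [s[r][j] for r in range(4)]
        m = (gf_mul(2, c[0]) ^ gf_mul(3, c[1]) ^ c[2] ^ c[3],
             c[0] ^ gf_mul(2, c[1]) ^ gf_mul(3, c[2]) ^ c[3],
             c[0] ^ c[1] ^ gf_mul(2, c[2]) ^ gf_mul(3, c[3]),
             gf_mul(3, c[0]) ^ c[1] ^ c[2] ^ gf_mul(2, c[3]))
        out.append(_pack(m) ^ round_key[j])
    return out


def ttable_round(a, round_key):
    """Same round as on the slide: b_j = T0[a0,j] ^ T1[a1,j+1] ^ T2[a2,j+2]
    ^ T3[a3,j+3] ^ k_j -- four look-ups and four XORs per output column."""
    return [T0[a[0][j]] ^ T1[a[1][(j + 1) % 4]] ^ T2[a[2][(j + 2) % 4]]
            ^ T3[a[3][(j + 3) % 4]] ^ round_key[j] for j in range(4)]


# Sample input: the FIPS-197 example plaintext (as a state) and cipher key.
SAMPLE_STATE = [[0x32, 0x88, 0x31, 0xE0],
                [0x43, 0x5A, 0x31, 0x37],
                [0xF6, 0x30, 0x98, 0x07],
                [0xA8, 0x8D, 0xA2, 0x34]]
SAMPLE_KEY = [0x2B7E1516, 0x28AED2A6, 0xABF71588, 0x09CF4F3C]


if __name__ == "__main__":
    print([hex(w) for w in ttable_round(SAMPLE_STATE, SAMPLE_KEY)])
    print(ttable_round(SAMPLE_STATE, SAMPLE_KEY)
          == reference_round(SAMPLE_STATE, SAMPLE_KEY))
```

The four tables cost 4 · 256 · 32 bits = 32 kbit, the same 2^n · m accounting as on slides 49-51; in exchange the GF(2^8) multiplications of MixColumns disappear from the per-block work, which is where the software speed-up comes from.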

90/96
Serpent: Bit-slice implementation
[Diagram: 32 x (S-box 4x4) = 128 bits; the same S-box S applied to all 32 slices of the block at once, one input bit of every slice in each of four 32-bit words]
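The bit-slice trick on this slide evaluates 32 copies of a 4x4 S-box with word-wide Boolean operations instead of 32 table look-ups. The Python below is an added example, not code from the slides or from the Serpent designers; it takes the Serpent S-box S0 table, turns it into a Boolean circuit by the general sum-of-products construction (correct for any 4x4 S-box, though much larger than the hand-optimised formulas used in real Serpent implementations), and checks the result against nibble-by-nibble table look-up on a constructed 128-bit block:

```python
"""Bit-slice evaluation of a 4x4 S-box: 32 S-box look-ups at once using only
word-wide AND/OR/NOT.  Added example, not from the slides."""

MASK32 = 0xFFFFFFFF

# Serpent S-box S0 (4-bit in, 4-bit out) from the Serpent specification.
S0 = [3, 8, 15, 1, 10, 6, 5, 11, 14, 13, 4, 2, 7, 0, 9, 12]


def bitslice_circuit(sbox):
    """Turn a 16-entry 4x4 S-box table into a function on four 32-bit words
    (word k holds input bit k of all 32 slices).  Each output bit is a sum of
    products over the truth table, so 32 S-box evaluations cost one pass of
    Boolean word operations and no data-dependent memory access."""
    def f(x0, x1, x2, x3):
        x = (x0, x1, x2, x3)
        y = [0, 0, 0, 0]
        for v in range(16):                  # every possible input nibble ...
            minterm = MASK32                 # ... selects the slices equal to it
            for k in range(4):
                minterm &= x[k] if (v >> k) & 1 else ~x[k] & MASK32
            for b in range(4):               # OR the minterm into each output bit
                if (sbox[v] >> b) & 1:       # that S-box(v) sets
                    y[b] |= minterm
        return tuple(y)
    return f


def to_slices(block):
    """128-bit int -> four 32-bit words: bit i of word k is bit 4*i+k of the
    block, i.e. nibble i of the block is slice i (32 x (S-box 4x4) = 128 bits)."""
    words = [0, 0, 0, 0]
    for i in range(32):
        nib = (block >> (4 * i)) & 0xF
        for k in range(4):
            words[k] |= ((nib >> k) & 1) << i
    return tuple(words)


def from_slices(words):
    """Inverse of to_slices."""
    block = 0
    for i in range(32):
        nib = sum(((words[k] >> i) & 1) << k for k in range(4))
        block |= nib << (4 * i)
    return block


def sbox_layer_bitsliced(block, sbox=S0):
    """Apply the S-box to all 32 nibbles of a 128-bit block, bit-sliced."""
    return from_slices(bitslice_circuit(sbox)(*to_slices(block)))


def sbox_layer_lookup(block, sbox=S0):
    """The same layer by 32 table look-ups, for comparison."""
    out = 0
    for i in range(32):
        out |= sbox[(block >> (4 * i)) & 0xF] << (4 * i)
    return out


# Constructed sample block (not from the slides).
SAMPLE_BLOCK = int("0123456789abcdef" * 2, 16)

if __name__ == "__main__":
    print(hex(sbox_layer_bitsliced(SAMPLE_BLOCK)))
    print(sbox_layer_bitsliced(SAMPLE_BLOCK) == sbox_layer_lookup(SAMPLE_BLOCK))
```

Besides speed on wide registers, the bit-sliced form has a property relevant to implementation security: the sequence of operations and memory addresses does not depend on the data, unlike the table look-ups on slides 49-51.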

91/96
The proposed approach

92/96
Cipher design methodology (1)
1. Choose one or maximum two major operations efficient in both software and hardware
   best choice: S-box 4x4, GF(2^n) multiplication
2. Choose one or maximum two auxiliary operations efficient in both software and hardware
   best choice: Boolean, fixed rotation
3. Choose cipher type that enables maximum sharing among encryption and decryption
   best choice: Feistel network, modified Feistel network
Cipher design methodology +0,
-
8/15/2019 AES Candidates
93/96
5; #esi'n a round ta9in' into account a trade-off amon'• round comple%ity
• number of rounds necessary to 'uarantee sufficient security mar'in
1; Ma9e each round BpossiblyC identical
negative e%amples: &erpent! Mars
; Joo9 for parallelism wit!in a round and amon' consecutive
rounds
positive e%ample: &'$-
6; Joo9 for optimi*ation tric)s
positive e%amples:
table$loo)$up in 6ijndael
bit$slice implementation in &erpent

94/96
[Diagram: Mathematicians, Computer scientists, Computer Engineers linked to Security, Software efficiency, Hardware efficiency, Flexibility]

95/96
Challenges
For mathematicians:
Prove or disprove that Serpent with
• all S-boxes identical
• 16 rounds
is at least as secure as Rijndael
For computer scientists:
Is there a way of using instruction level parallelism to speed-up software implementation of

96/96
Challenges
For computer scientists:
What is a level of parallelism present in SHA-256, SHA-384, SHA-512?
For mathematicians:
Is there a way of changing Serpent into a modified Feistel network cipher without losing its security properties?