Algorithms for cryptography: Education and learning perspective

1
Algorithms for cryptography- Education and
learning perspective
  • P.V. Ananda Mohan, Fellow IEEE
  • ECIL, Bangalore

14th Dec 2007
2
Agenda
  • Introduction
  • E-learning requirements
  • Overview of Algorithms
  • Case studies of Encryption, Authentication and
    message digest Algorithm implementations- what
    needs to be taught, at what level, for whom
  • Conclusion

3
Introduction
Implementations of Cryptosystems (diagram): Key Generation Systems; Algorithm Implementation in software (PC applications, portable devices, mobile phones, e-commerce, ATMs etc.) or in hardware (ASIC, FPGA, DSP); Key Loading Tools (smart cards, I-Buttons, key guns)
4
Who wants to learn?
  • (a) Implementers of a given algorithm
  • Implementation of the given algorithm on a
    particular platform.
  • Software implementation using C, C++
  • Hardware implementation using (i) FPGAs, (ii) DSPs
    or (iii) ASICs will be needed.
  • Optimization of speed or area requirements (resources
    on an FPGA such as CLBs, gates in an ASIC)

5
Who wants to learn?
  • (b) Advanced implementers
  • tamper proof design
  • protection of IP or code
  • Error/malfunction detection
  • Side-channel attack resistance etc.
  • Technological solutions or architectural
    solutions needed
  • Extremely high speed of operation for example
    IPSEC in gigabit routers
  • Low-power implementations desired
  • Agility regarding multiple algorithms and modes
    (e.g. DES, 3-DES, AES, Blowfish, IDEA, CBC mode,
    Counter mode, ECB mode, CFB, OFB)

6
Who wants to learn?
  • (c) Researchers and cryptanalysts
  • Fast implementations
  • Secure protocols
  • Key Search engines for brute force attacks based
    on Software and hardware
  • Attacks
  • Differential and linear cryptanalysis
  • Power Attacks
  • new algorithms which are resistant to various
    types of attacks.
  • New Algorithms
  • Cryptanalysis of New Algorithms of others and old
    Algorithms

7
Three Related domains
Authentication
Encryption
Hashing and Digital Signatures
8
Case studies
  • One encryption algorithm based on a stream cipher
  • one encryption algorithm based on a block cipher
  • An RSA implementation
  • A Hash algorithm

9
STREAM CIPHERING
Masking sequence
No error Propagation
10
3-STAGE LFSR
11
3-stage LFSR
  • 101
  • 010
  • 001
  • 100
  • 110
  • 111
  • 011
  • seed (initial condition): 101
  • period 2^3 - 1 = 7 states

12
GSM Authentication using signature and encryption
in a nutshell
RAND
13
Example A5 Algorithm of GSM
  • Clock Controlled Shift registers
  • Fixed sparse Primitive polynomials
  • Initial conditions are the key (64 bits)

14
What do you need to know
  • Primitive polynomial definition
  • Testing for Primitivity (software)
  • Implementation of LFSR in Software and hardware
  • Combining LFSRs in many ways
  • Linear Complexity evaluation (using
    Berlekamp-Massey Algorithm) and period
  • Possible Attacks-immunity
  • Advanced systems (word level LFSRs-synthesis,
    NLFSRs)
  • Design of New schemes and evaluation
  • Study of known schemes like Bluetooth (E0),
    CAVE, A5 etc.
  • Interactive exercises
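
As an added example (not part of the original slides), the 3-stage LFSR of slide 11 in software, together with the Berlekamp-Massey evaluation of linear complexity named on slide 14. It assumes the feedback is s2 XOR s0 (the primitive polynomial x^3 + x + 1), which is the one tap choice that reproduces the slide's state sequence; a non-primitive tap set is also tried to show the period collapsing.

```python
# Added example, not from the slides: a 3-stage LFSR with feedback
# s_new = s2 XOR s0 (primitive polynomial x^3 + x + 1), which walks through
# the seven states listed on slide 11, plus the Berlekamp-Massey algorithm
# from slide 14 to measure the linear complexity of the keystream it emits.

def lfsr_step(state, taps, nbits):
    """One clock: shift right, new MSB = XOR of the tapped bit positions."""
    fb = 0
    for t in taps:
        fb ^= (state >> t) & 1
    return (fb << (nbits - 1)) | (state >> 1)

def lfsr_states(seed, taps, nbits):
    """States visited from seed until the first repeat: len() is the period."""
    state, seen = seed, []
    while state not in seen:
        seen.append(state)
        state = lfsr_step(state, taps, nbits)
    return seen

def keystream(seed, taps, nbits, length):
    """Output bit per clock is the LSB (the bit being shifted out)."""
    state, out = seed, []
    for _ in range(length):
        out.append(state & 1)
        state = lfsr_step(state, taps, nbits)
    return out

def berlekamp_massey(bits):
    """Length L of the shortest LFSR that generates bits (linear complexity).
    A keystream with small L is fully predictable from 2L output bits."""
    n = len(bits)
    c, b = [1] + [0] * n, [1] + [0] * n   # current / previous connection polys
    L, m = 0, -1
    for i in range(n):
        d = bits[i]
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:
            t = c[:]
            for j in range(n + 1 - (i - m)):
                c[j + i - m] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L

if __name__ == "__main__":
    states = lfsr_states(0b101, (2, 0), 3)
    print([format(s, "03b") for s in states], "period", len(states))
    print("linear complexity", berlekamp_massey(keystream(0b101, (2, 0), 3, 14)))
```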

15
BLOCK CIPHERS
16
SYMMETRIC KEY ENCRYPTION ALGORITHMS
  • Data encryption standard(DES)
  • Triple DES
  • International data encryption algorithm (IDEA)
  • Blowfish
  • RIJNDAEL - the advanced encryption standard
  • Other AES candidates

17
General Features/Specifications
  • Block length in bits
  • Key length in Bits
  • Rounds
  • Operations in Each round
  • Key Schedule for all rounds
  • Round Key generation
  • Decryption
  • Modes of operation
  • Any Weak Keys
  • Complexity / Execution time Benchmarks
  • Five modes of operation

18
ECB (Electronic codebook) mode
19
Cipher Block Chaining mode
20
  • CFB (Cipher feedback) mode

21
OFB (Output feedback) mode
22
Basic Primitives in Block Ciphers
  • Bit by bit exclusive OR
  • Modulo 2^16 or 2^32 additions (use fast adders)
  • Arbitrary rotations (left or right by any number
    of bits)
  • Permutations
  • S-Boxes
  • Modulo multiplication (X.Y) mod N
  • Exponentiation X^Y mod N
  • Multiplicative inverses (1/X) mod N
  • Galois field operations (multiplication,
    inversion, word based LFSRs)

23
Typical Architecture Software, ASIC or FPGA
Key Register
Clock
24
Rijndael (AES)
  • Variable block length (128,192,256 bits)
  • Variable key length (128, 192 or 256 bits)
  • Block cipher
  • Data and key arranged as rows and columns
  • Byte level design
  • Suitable for DSP or Microprocessor based or ASIC
    implementation

25
Rijndael
  • Four rows
  • Nb columns, Nb = Block length/32
  • Nk columns, Nk = Key length/32
  • Number of rounds dependent on Nb and Nk

Table 1: number of rounds
            Nb = 4   Nb = 6   Nb = 8
  Nk = 4      10       12       14
  Nk = 6      12       12       14
  Nk = 8      14       14       14
26
Rijndael
  • Rounds shown in Table 1 needed
  • Each round consists of four operations
  • 1)Byte Substitution
  • 2) Shift row
  • 3)Mix column
  • 4) Add Round key (modulo 2 bit by bit)
  • Some steps can be combined.

28
Byte Sub (Step 1)
  • a00 a01 a02 a03 a04 a05
  • a10 a11 a12 a13 a14 a15
  • a20 a21 a22 a23 a24 a25
  • a30 a31 a32 a33 a34 a35

First write the data vertically. Substitute for each
byte from the Rijndael S-Box to get a new block.
Simple step.
29
Rijndael
  • Shift row (Step 2)

Original block with bytes numbered 1 to 16; after the
row shifts the result is the permutation 1 6 11 16 5 10 15 4
9 14 3 8 13 2 7 12
30
Mix Column
  • Mix column transformation avoids a big 32 bit
    input, 32 bit output S-Box
  • All bytes are treated as polynomials
  • Example: the byte b7b6b5b4b3b2b1b0 is the
    polynomial b7x^7 + b6x^6 + b5x^5 + b4x^4 + b3x^3 + b2x^2 + b1x + b0
  • Columns are considered as polynomials over
    GF(2^8)
  • The irreducible 8th degree polynomial used is
    x^8 + x^4 + x^3 + x + 1

31
MIX Column
  • b(x) = c(x).a(x) mod (x^4 + 1)
  • c(x) = 03.x^3 + 01.x^2 + 01.x + 02
  • we thus obtain all new columns corresponding to
    a(x).

32
Example
  • d(x) = a(x).b(x) mod (x^4 + 1)
  • a(x) = a3.x^3 + a2.x^2 + a1.x + a0
  • b(x) = b3.x^3 + b2.x^2 + b1.x + b0
  • d(x) = c6x^6 + c5x^5 + c4x^4 + c3x^3 + c2x^2 + c1x + c0
  • c0 = a0b0, c4 = a3b1 + a2b2 + a1b3
  • c1 = a1b0 + a0b1, c5 = a3b2 + a2b3
  • c2 = a2b0 + a1b1 + a0b2, c6 = a3b3
  • c3 = a3b0 + a2b1 + a1b2 + a0b3
  • All additions are exclusive OR
  • But x^4 = 1, x^5 = x, x^6 = x^2 mod (x^4 + 1)

33
  • c0 = a0b0 + a3b1 + a2b2 + a1b3
  • c1 = a1b0 + a0b1 + a3b2 + a2b3
  • c2 = a2b0 + a1b1 + a0b2 + a3b3
  • c3 = a3b0 + a2b1 + a1b2 + a0b3
  • Each product above is a multiplication in GF(2^8)
  • Fortunately, all the bi's are simple:
  • 02H, 03H, 01H or 01H

34
Rijndael Mix Column (Step 3)
  • a00 a01 a02 a03 a04 a05
  • a10 a11 a12 a13 a14 a15
  • a20 a21 a22 a23 a24 a25
  • a30 a31 a32 a33 a34 a35

multiplied column by column by c(x) gives

  • b00 b01 b02 b03 b04 b05
  • b10 b11 b12 b13 b14 b15
  • b20 b21 b22 b23 b24 b25
  • b30 b31 b32 b33 b34 b35
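
As an added example (not from the original slides), the Mix Column step of slides 30-34 in working code, using the slides' own symbols: the c0..c3 formulas after folding with x^4 = 1, and the equivalent 4x4 matrix form, checked against each other on a column.

```python
# Added example, not from the slides: AES MixColumns done two equivalent ways,
# as slides 30-34 describe it: the polynomial product c(x).a(x) mod (x^4 + 1)
# with the folded coefficients c0..c3, and the same thing as a 4x4 byte matrix.
# Byte products are in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B).

AES_POLY = 0x11B

def gf_mul(a, b):
    """Multiply two bytes as polynomials over GF(2), reducing by AES_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r

def poly_mul_mod_x4_plus_1(a, b):
    """d(x) = a(x).b(x) mod (x^4 + 1) for a = [a0..a3], b = [b0..b3]:
    the seven raw coefficients fold back since x^4 = 1, x^5 = x, x^6 = x^2."""
    a0, a1, a2, a3 = a
    b0, b1, b2, b3 = b
    d0 = gf_mul(a0, b0) ^ gf_mul(a3, b1) ^ gf_mul(a2, b2) ^ gf_mul(a1, b3)
    d1 = gf_mul(a1, b0) ^ gf_mul(a0, b1) ^ gf_mul(a3, b2) ^ gf_mul(a2, b3)
    d2 = gf_mul(a2, b0) ^ gf_mul(a1, b1) ^ gf_mul(a0, b2) ^ gf_mul(a3, b3)
    d3 = gf_mul(a3, b0) ^ gf_mul(a2, b1) ^ gf_mul(a1, b2) ^ gf_mul(a0, b3)
    return [d0, d1, d2, d3]

# c(x) = 03.x^3 + 01.x^2 + 01.x + 02, stored low coefficient first
MIX_C = [0x02, 0x01, 0x01, 0x03]
# the equivalent matrix: row r of the result is d_r in the formulas above
MIX_MATRIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]

def mix_column_poly(col):
    """One column [a0, a1, a2, a3] (top to bottom) through the polynomial form."""
    return poly_mul_mod_x4_plus_1(col, MIX_C)

def mix_column_matrix(col):
    """Same column through the matrix form; must agree with mix_column_poly."""
    return [gf_mul(row[0], col[0]) ^ gf_mul(row[1], col[1])
            ^ gf_mul(row[2], col[2]) ^ gf_mul(row[3], col[3]) for row in MIX_MATRIX]

def mix_columns(state):
    """Apply MixColumns to a whole block given as a list of columns."""
    return [mix_column_matrix(col) for col in state]
```

The only byte multiplications that occur are by 01H, 02H and 03H, which is why a hardware or DSP implementation needs just a conditional shift-and-reduce (xtime) rather than a general GF(2^8) multiplier.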
35
Add (EXOR) Round Key
  • Add Round key is Bit wise exclusive or of the
    complete block with the round key.
  • Simple operation
  • Round key used only in this step.

36
Key Scheduler to get round keys
  • Initial round key addition
  • Consider a 128 bit block.
  • Each round key is 128 bits = 4 words of 32 bits.
  • Total number of 32 bit key words = 44 (initial add
    round key + 10 round keys)
  • How to generate all round key words from the 128 bit
    (4 word) basic key?

37
Rijndael Key schedule
  • We need 44 words W of 32 bits for Nk = 4,
    i.e. a 128 bit key.
  • The first four words are the given key data itself
  • temp = W(i-1)
  • W(i) = temp exor W(i-4) for all i except
    multiples of 4
  • For i a multiple of 4, first set temp = subbyte(rotbyte
    (temp)) exor Rcon(i/4), then W(i) = temp exor W(i-4)
  • Rot byte is a one byte circular left shift of the
    word

38
  • Rcon is a word with three Least significant bytes
    zero. Most significant byte is as per table.

39
Key Generation method
  • Continue to get 44 words

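
As an added example (not from the original slides), the 128-bit key schedule of slides 36-39 implemented as stated: 44 words, temp = W(i-1), and for every fourth word subbyte(rotbyte(temp)) exor Rcon(i/4). It assumes the standard Rijndael S-box, which it derives from the GF(2^8) inverse and affine map rather than pasting the 256-entry table.

```python
# Added example, not from the slides: the AES-128 key expansion as slides 36-39
# state it. The S-box is built from its definition (GF(2^8) inverse followed by
# the affine map) instead of being typed in, so the block is self-contained.

def xtime(a):
    """Multiply a byte by x (02H) in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def build_sbox():
    exp = [1]                                  # exp[i] = 03H^i; 03H generates GF(2^8)*
    for _ in range(254):
        exp.append(exp[-1] ^ xtime(exp[-1]))   # times 03H = times 02H plus itself
    log = {v: i for i, v in enumerate(exp)}
    sbox = [0x63]                              # inverse of 0 is defined as 0
    for a in range(1, 256):
        inv = exp[(255 - log[a]) % 255]        # a^-1 = 03H^(255 - log a)
        s = inv
        for k in range(1, 5):                  # affine map: XOR four rotations
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = build_sbox()

def rot_byte(w):
    """One byte circular left shift of a 4-byte word."""
    return w[1:] + w[:1]

def sub_byte(w):
    return [SBOX[b] for b in w]

def expand_key_128(key):
    """16-byte key -> 44 words W(0..43), each a list of 4 bytes."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]  # first four words = the key
    rcon = 0x01                                          # Rcon(1); later ones via xtime
    for i in range(4, 44):
        temp = w[i - 1]
        if i % 4 == 0:
            temp = sub_byte(rot_byte(temp))
            temp = [temp[0] ^ rcon] + temp[1:]           # Rcon has only its MSB non-zero
            rcon = xtime(rcon)
        w.append([x ^ y for x, y in zip(w[i - 4], temp)])
    return w

def round_keys(key):
    """Group the 44 words into the 11 round keys of 16 bytes (initial + 10 rounds)."""
    w = expand_key_128(key)
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(11)]
```

Because every later word is derived from the previous ones, recovering any one full round key from a device (a point for the side-channel and tamper-resistance items on slide 5) lets the whole schedule be run forwards or backwards, so round keys deserve the same protection as the key itself.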
45
S-BOX implementations
  • ROM
  • Logic Synthesis based
  • Multiplexer based
  • FOM (figure of merit): delay (access time), area,
    flexibility, insight

46
Logic Synthesis of S-BOX
  • S1 First row
  • 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
  • Analyze the Sequences of b3, b2, b1, b0
  • The logic functions assuming an input from a
    counter counting from zero to 15 are as follows
  • b3 ACDABCBCDABCDABCD
  • b2DCBDCBADCBADCBDCBADCBA
  • b1DCBADCBDCBADCBDCBADCBA
  • b0DCBDCBADCBADCBADCBDCBA

b3b2b1b0: 1110 0100 1101 0001 0010 1111 1011 1000 0011 1010 0110 1100 0101 1001 0000 0111
47
b3 ACDABCBCDABCDABCD
48
S-BOX based on Multiplexer
The input nibble selects one of the 16 inputs of each 16:1 multiplexer;
hardwire all inputs of the mux to logic one and zero as needed.
  • b0: 0011011010001101
  • b1: 1000111011100001
  • b2: 1110010000111001
  • b3: 1010011101010100
Delay is one 16:1 multiplexer delay; area is 4 16:1 multiplexers.
49
What you need to learn
  • Basic algorithms
  • Implementation of primitives-efficiently
  • Implementation options
  • Combining steps
  • Efficient key schedule calculation
  • Agility to change to new keys
  • Properties of S-box, evaluation
  • Evaluation of the other block cipher primitives:
    rotation, modulo multiplication etc.
  • Design resistant to side-channel attacks
  • Software and hardware solutions

50
Authentication algorithms
51
Encryption and authentication (diagram): sender S and destination D, the same key K used at both ends
Conventional symmetric key based encryption
52
Encryption and authentication (diagram)
U stands for Public, R stands for Private
S encrypts with U (the destination's public key), D decrypts with R: CONFIDENTIALITY
53
Encryption and authentication (diagram)
S transforms with R (its own private key), D checks with U: AUTHENTICATION
54
Encryption and authentication (diagram)
S applies R then U, D applies R then U: BOTH (confidentiality and authentication)
55
Authentication
  • Asymmetric systems( two keys-one public and
    another private are needed)
  • Three types of authentication possible

56
AUTHENTICATION USING RSA
  • RSA (named after its inventors Rivest, Shamir and Adleman)
  • Two keys are used (public key and private key)

57
Authentication using RSA
  • m = message
  • Public key (e, n)
  • Private key (d, n)
  • Encryption c = m^e mod n
  • Decryption m = c^d mod n

58
Choice of n, e, d
  • Choose two large primes p and q.
  • n = p.q
  • Choose e such that e and (p-1).(q-1) are
    relatively prime.
  • Calculate d so that e.d = 1 mod ((p-1).(q-1))

59
Example
  • p = 47, q = 71
  • (p-1).(q-1) = 46.70 = 3220
  • choose e = 79
  • then d = 1019.
  • m = 688 say
  • c = 1570 and m = 688 after decryption

60
How to compute X^Y mod N
  • X, Y and N are 1024 bit numbers typically.
  • Repeated squaring and conditional multiplications
  • 11^23 mod 37 = (11^16 . 11^4 . 11^2 . 11) mod 37
  • Basic operation is A.B mod N
  • X^Y mod N needs 2047 such operations at most for
    1024 bit numbers

61
How to compute A.B mod N
  • Example 13.15 mod 23
  • We do not want to do it in a straightforward manner.
  • Write b = 13 in binary form: 1101
  • Do repeatedly, starting from the msb:
    new = (2.old + bi.A) mod 23
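
As an added example (not from the original slides), the two kernels of slides 60-61 in code, with X^Y mod N built only on the shift-add A.B mod N loop, then the slides' RSA example (p = 47, q = 71, e = 79, m = 688) run through them end to end. The extended Euclidean routine for d is an assumption of this example; the slides only say "calculate d".

```python
# Added example, not from the slides: the two kernels of slides 60-61, A.B mod N
# scanned from the msb of B as R = (2.R + b_i.A) mod N, and X^Y mod N as repeated
# squaring with conditional multiplication built only on that kernel, then the
# slides' toy RSA key (p = 47, q = 71, e = 79) run through them end to end.

def mulmod(a, b, n):
    """A.B mod N without ever forming the full product: shift-add, msb first."""
    r = 0
    for bit in bin(b)[2:]:
        r = (2 * r + (a if bit == "1" else 0)) % n
    return r

def powmod(x, y, n):
    """X^Y mod N: square for every exponent bit after the first, multiply
    for every set bit (e.g. 11^23 = 11^16.11^4.11^2.11, bits 10111)."""
    r = 1 % n
    for i, bit in enumerate(bin(y)[2:]):
        if i:
            r = mulmod(r, r, n)
        if bit == "1":
            r = mulmod(r, x, n)
    return r

def kernel_ops(y):
    """Number of A.B mod N operations powmod spends on exponent y:
    at most 2k - 1 for a k-bit exponent (2047 for 1024 bits)."""
    bits = bin(y)[2:]
    return len(bits) - 1 + bits.count("1")

def mod_inverse(e, phi):
    """d with e.d = 1 mod phi by the extended Euclidean algorithm."""
    old_r, r, old_s, s = e, phi, 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("e and (p-1).(q-1) are not relatively prime")
    return old_s % phi

def rsa_keypair(p, q, e):
    """Returns ((e, n), (d, n)) as on slide 58."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (mod_inverse(e, phi), n)

def rsa_encrypt(m, pub):
    return powmod(m, pub[0], pub[1])

def rsa_decrypt(c, priv):
    return powmod(c, priv[0], priv[1])
```

The conditional multiply in powmod is exactly the key-dependent step that power and timing analysis observe (the attack-resistant design item on slide 62), which is why production implementations use constant-time or Montgomery-ladder variants instead of this textbook loop.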

62
What you need to learn
  • Basic Algorithms
  • Primality testing
  • Choice of primes
  • Factorization problem
  • Kernel for fast exponentiation mod M (multibit
    recoding, Montgomery's algorithm, redundant
    arithmetic, attack resistant design, scalability
    to 2048 bits)
  • Software/ hardware solutions

63
Digital signature algorithms
64
Authentication by digital signatures (diagram): the message M is sent together with C_K(M), computed from M with key K; the receiver computes C_K(M) from the received M with K and compares the two values.
65
General Principle of Hashing
  • F is a compression function
  • Yi are successive blocks in the input
  • If F is collision resistant, so is the Hash
    algorithm.

66
SECURE HASH ALGORITHM
  • Treats messages as 512 bit blocks
  • Four rounds of 20 operations each
  • Five Constants 32 bit A, B, C, D, E
  • Uses nonlinear operations involving AND, OR,
    EXCLUSIVE-OR
  • Uses circular shifts
  • Generates a hash of 160 bits. Improvement over MD5

67
SHA Hashing step
68
What you need to learn
  • Fundamentals of Hash functions
  • Hash algorithms MD5, SHA, RIPEMD etc.
  • HMAC (keyed hash)
  • Collision issues
  • New Hash function design to avoid collision
  • Hardware/software implementations
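
As an added example (not from the original slides), SHA-1 written from the description on slide 66 on top of the block-chaining principle of slide 65, with HMAC from slide 68 built on it. It assumes the standard SHA-1 constants and the 64-byte HMAC block size; the cross-check against the standard library is the test a learner should run.

```python
# Added example, not from the slides: SHA-1 written from the description on
# slide 66 (512-bit blocks, five 32-bit words A..E, four rounds of 20 steps
# using AND/OR/XOR and circular shifts, 160-bit output) on top of the
# Merkle-Damgard chaining of slide 65, plus HMAC (slide 68) built on it.
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def sha1(message):
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    # padding: 0x80, zeros up to 56 mod 64, then the 64-bit big-endian bit length
    bit_len = len(message) * 8
    message += b"\x80" + b"\x00" * ((55 - len(message)) % 64) + struct.pack(">Q", bit_len)
    for off in range(0, len(message), 64):          # one compression per 512-bit block
        w = list(struct.unpack(">16I", message[off:off + 64]))
        for t in range(16, 80):                     # message schedule
            w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
        a, b, c, d, e = h
        for t in range(80):                         # four rounds of 20 operations
            if t < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif t < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif t < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            tmp = (rotl(a, 5) + (f & MASK) + e + k + w[t]) & MASK
            a, b, c, d, e = tmp, a, rotl(b, 30), c, d
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e))]  # chain into next block
    return struct.pack(">5I", *h)

def hmac_sha1(key, message):
    """HMAC = H((K xor opad) || H((K xor ipad) || m)), block size 64 bytes."""
    if len(key) > 64:
        key = sha1(key)
    key = key.ljust(64, b"\x00")
    inner = sha1(bytes(k ^ 0x36 for k in key) + message)
    return sha1(bytes(k ^ 0x5C for k in key) + inner)

def matches_stdlib(key, message):
    """Cross-check against the standard library (what a unit test should do)."""
    return (sha1(message) == hashlib.sha1(message).digest()
            and hmac_sha1(key, message) == hmac.new(key, message, hashlib.sha1).digest())
```

SHA-1 collisions have since been demonstrated in practice (the collision issues of slide 68), so it is kept here for the structure it teaches; HMAC-SHA1 does not rest on collision resistance, but new designs should use SHA-2 or SHA-3.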

69
Conclusion
  • Sensitivity to the issues addressed, such as side
    channel attacks, compact hardware, protection of
    IP, power (low)-area (low)-time (fast) trade-offs
  • Fault tolerant designs (self checking)
  • Self study modules with an interactive
    question/answer facility will be useful
  • Testing/learning up to the desired level of
    proficiency should be gracefully constructed with
    increasing depth of information

70
Books and Journals
  • Stinson, Bruce Schneier, Menezes et al., Simmons,
    Rhee, Stallings, Rueppel, Beker and Piper, and many
    more
  • IEEE Security and Privacy, IEEE Journal on
    Selected Areas in Communications, IEEE
    Transactions on Computers, IEEE Transactions on
    Information Theory, IEEE Journal of Solid-State
    Circuits, IEE Journal of Computers and Digital
    Techniques, Electronics Letters, IEEE Computer,
    Springer Verlag conference proceedings of
    ASIACRYPT, INDOCRYPT, Fast Software Encryption
    and so on, Journal of Cryptology, Cryptologia

71
My e-mail
  • pvam_at_vsnl.net
  • anandmohanpv_at_hotmail.com