AES and other secret key implementations
Ingrid Verbauwhede, ingrid.verbauwhede-at-esat.kuleuven.be
K.U.Leuven, ESAT-SCD-COSIC, Computer Security and Industrial Cryptography
Acknowledgements: Current and former Ph.D. students at UCLA and K.U.Leuven
KUL - COSIC, ECRYPT Summer School, Albena, May 2011

Outline & Goal
• Crypto engineering for secret key algorithms
  – Design parameters
  – DES
  – Modes of operation
  – AES
  – Lightweight crypto
Design Parameters
Embedded security: area, delay, power, energy

Crypto engineering everywhere
Everything is always connected everywhere
• Continuum between software and hardware
  – ASIC (microcode)
  – FPGA
  – fully programmable processor
Embedded Security: NEED BOTH
• Efficient, light-weight implementation
  – Within power, area and timing budgets
  – Public key: 1024-bit RSA on an 8-bit μC and at 100 μW
  – Public key on a passive RFID tag
• Trustworthy implementation
  – Resistant to attacks
  – Active attacks: probing, power glitches, JTAG scan chain
  – Passive attacks: side channel attacks, including power, timing and electromagnetic leaks

Cost definition
• Area
• Time
• Power, Energy
• Physical Security
• NRE (Non Recurring Engineering) cost
Design parameters
• Speed or throughput:
  – HW: Gbit/s, or Mbit/s per slice
  – SW: cycles/byte, independent of clock frequency
• Area:
  – HW: mm² (gate or transistor count)
  – SW: memory footprint
• Power or energy consumption:
  – Power (Watt): matters for cooling or for transmission (RFID)
  – Energy (Joule): matters for battery-operated devices
• Security: difficult to measure, but we want it
  – Entropy, leakage functions?
  – Measurements until disclosure?

Throughput: real-time
• Extremely high throughput (radar or fibre optics): one operator (= hardware unit, e.g. adder, shifter, register) for each operation (= algorithmic, e.g. addition, multiplication, delay), so
  clock frequency = sample frequency
• Most designs: time multiplexing, so
  clock frequency > sample frequency, and
  clock frequency / sample frequency = number of clock cycles available for the job
SW: cycles per byte
• "Independent" of clock frequency: cycles/byte is a property of the algorithm on a given machine (e.g. 40 cycles/byte)
• Size of packet matters
• "Match" of algorithm to architecture
[Figure: cycles/byte versus message size (8, 64, 4096 bytes); source: http://bench.cr.yp.to/results-sha3.html]

Power density problem
• Intel, S. Borkar: the power density problem. Cooling!
[Figure: power density trend; author: S. Borkar, Intel]
Low Energy: battery capacity
• Battery capacity (Rabaey slide): one AAA battery holds 1300 to 5000 Joule

Power and Energy are not the same!
• Power = P = I × V (current × voltage), in Watt
  – instantaneous
  – typically checked for cooling or for peak performance
• Energy = Power × execution time, in Joule
  – battery content is expressed in Joules
  – gives an idea of how many Joules it takes to get the job done
• Low power processor ≠ low energy solution!
Heat and parallelism
• Reduce power = reduce WASTE!
• Mono-processor (one processor P with memory M, switched capacitance C): P_mono = C · V² · f (Watt), dissipated as heat
• Four processors, each with memory M/4 and capacitance C/4, each running at f/4:
  4 · (C/4) · V² · (f/4) = P_mono / 4
• But since f ~ V, the supply voltage can be lowered together with f, so the total can be as low as P_mono / 4³
• TREND: MULTI-CORE!

Intermezzo: standard cell based design
Logic Design Activities
• Logic and FSM synthesis (from VHDL; cost metrics: number of literals, logic depth)
  – State minimization, state coding
  – Multilevel logic optimisation
• Technology mapping (logic synthesis, e.g. Synopsys)
  – Functions mapped to library cells (aoi, ff, ...)
  – Minimal area for a given delay
• Timing verification (timing closure)
  – Estimate wiring load C
  – Critical logic path delay
• Layout extraction -> timing
  – Place & route (P&R), C extraction from the wiring

Standard Cell Layout
[Figure: standard cell place & route: cell rows, routing channels, standard cells (RT-module); courtesy Tanner Tools]
Standard Cell Zoom In
[Figure: standard cell layout with vdd and vss rails]

Module Generation
• For data-path operators: the structure is in bit-slices
• Computer generated layout as a function of wordlength
• Compact, predictable IP
[Figure: bit-sliced datapath module with instruction, clock, power and data connections]
Standard Cell and Module
[Figure: chip with a standard cell (random logic) region and a datapath region; courtesy J. Van Campenhout, RUG]

Start with an easy one: Block cipher - DES
Symmetric key: DES
• DES = Data Encryption Standard
• FIPS Standard 46, effective July 1977: US government standard for sensitive but unclassified data
• Re-affirmed in 1983, 1988, 1993, 1999 (FIPS 46-3)
• July 26, 2004: NIST announces the withdrawal of FIPS 46-3 (withdrawal effective May 19, 2005): use TDEA or AES
• TDEA = Triple DES Encryption Algorithm, NIST SP 800-67
• Block diagram: 64-bit plaintext P_i -> DES -> 64-bit ciphertext C_i; key = 56 bits + 8 parity bits (64 bits in total)

TDEA
• Triple DES Encryption Algorithm, NIST Special Publication 800-67 (May 2004)
• Three keying options:
  – K1, K2, K3 all different
  – K1 = K3, K2 different
  – K1 = K2 = K3: backward compatible with single DES
• Two-key triple DES: until 2009
• Three-key triple DES: until 2030
• Block diagram: 64-bit plaintext P_i -> DES (K1) -> DES⁻¹ (K2) -> DES (K3) -> 64-bit ciphertext C_i
DES = Feistel cipher
• DES has 16 rounds + initial and final permutation
• Basic cipher structure is a Feistel cipher
  – other examples of Feistel ciphers: FEAL, Kasumi (IDEA, often listed with them, uses the related Lai-Massey structure rather than a Feistel network)
• Encryption round i: L_i = R_{i-1}; R_i = L_{i-1} XOR f(R_{i-1}, K_i)
• Decryption round i: the same structure, with the round keys applied in reverse order
• Hardware: encryption = decryption! (different for AES)

DES f function
• Inputs: R_{i-1} (32 bits) and round key K_i (48 bits)
• Expansion E: 32-bit to 48-bit permutation (wiring and bit duplication)
• XOR with K_i; the result is the input of the S-boxes: 8 × 6 bits
• S1 ... S8: each S_i is a 6-bit to 4-bit non-linear substitution (ROM or logic-based look-up table); output of the S-boxes: 8 × 4 = 32 bits
• Permutation P: 32-bit to 32-bit permutation (wiring)
• Output: f(R_{i-1}, K_i), 32 bits
• Because of Feistel: no need for f⁻¹ (different for AES)
DES key schedule
• Initial key K: 64 bits
• PC1: permute and drop the 8 parity bits -> 56 bits, split into C and D (28 bits each)
• C and D: rotate left by 1 or 2 bits each round; DECRYPTION: rotate right
• PC2: permute and select 48 output bits -> round key K_i (48 bits)
• C and D implemented as left/right shift registers: the same hardware serves encryption and decryption

Key Schedule
Two options:
• On the "fly" = just-in-time processing: key -> key schedule -> block cipher; typical for hardware
• Pre-compute and store: key schedule -> memory -> block cipher; typical for software
Key schedule on the fly
• The cost of fast key context switching, example for an IPsec router:
  – one 128-bit AES key = 1408 bits of round keys (10 round keys + initial key)
  – half of internet packets are only 64 bytes (512 bits) in length
• BANDWIDTH PROBLEM!
[Figure: context bandwidth (Gbit/s) versus record size (bytes) for ARC4, AES and 3DES, with data at 1 Gbit/s; source: J. Goodman]

Modes of operation
Design method
• Advice: include the modes of operation in the hardware IP module or co-processor:
  - increases the complexity somewhat: more control or instructions are needed
  + CLEAN security partitioning
  + reduces communication overhead and traffic

Modes of operation: ECB
• ECB = Electronic Code Book
• Cipher blocks are independent, thus insertion or deletion of blocks can go undetected
• The block cipher does not hide data patterns: identical plaintext blocks give identical ciphertext blocks
• Encryption: C = BC_K(M); decryption: M = BC⁻¹_K(C), one block at a time
• BC = block cipher (e.g. 3DES or AES)
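An added example, not from the slides, that ties together three points above: the Feistel property from the DES slides (decryption is the same round code with the round keys in reverse order, and the round function f is never inverted), the TDEA keying option K1 = K2 = K3 (E-D-E with one key collapses to single encryption, which holds for any block cipher), and the two ECB weaknesses on this slide. The block cipher is a constructed toy Feistel network with a SHA-256 round function, chosen so the code runs without any crypto library; it is not DES and not something to deploy. The account records used as plaintext are constructed sample data.

```python
# Added example (not from the slides): a constructed toy Feistel cipher used to show
# (1) Feistel: decryption == the same loop with reversed round keys; f is not inverted;
# (2) ECB: equal plaintext blocks give equal ciphertext blocks, and blocks can be
#     reordered without the key and without detection;
# (3) TDEA option K1 == K2 == K3: E-D-E equals single encryption.
# The round function is SHA-256 based. This is NOT DES and NOT a cipher to deploy.
import hashlib

BLOCK = 16          # 128-bit block, two 64-bit halves
HALF = BLOCK // 2
ROUNDS = 4


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def f(right, round_key):
    """Round function: keyed hash truncated to a half block. It is not invertible,
    and it does not need to be: the Feistel structure supplies the inverse."""
    return hashlib.sha256(round_key + right).digest()[:HALF]


def round_keys(key):
    """Toy key schedule (assumption of this example): one derived sub-key per round."""
    return [hashlib.sha256(b"round" + bytes([i]) + key).digest()[:HALF]
            for i in range(ROUNDS)]


def feistel(block, rks):
    """L_i = R_{i-1}; R_i = L_{i-1} XOR f(R_{i-1}, K_i). The halves are swapped back
    after the last round so that the same loop with reversed keys is the inverse."""
    left, right = block[:HALF], block[HALF:]
    for k in rks:
        left, right = right, xor(left, f(right, k))
    return right + left


def encrypt_block(block, key):
    return feistel(block, round_keys(key))


def decrypt_block(block, key):
    return feistel(block, round_keys(key)[::-1])   # same hardware, keys reversed


def ede_block(block, k1, k2, k3):
    """Triple encryption in E-D-E order as in TDEA. With k1 == k2 == k3 the middle
    decryption undoes the first encryption, leaving single encryption under k3."""
    return encrypt_block(decrypt_block(encrypt_block(block, k1), k2), k3)


def ecb_encrypt(key, data):
    assert len(data) % BLOCK == 0, "ECB needs whole blocks"
    return b"".join(encrypt_block(data[i:i + BLOCK], key)
                    for i in range(0, len(data), BLOCK))


def ecb_decrypt(key, data):
    return b"".join(decrypt_block(data[i:i + BLOCK], key)
                    for i in range(0, len(data), BLOCK))


def ecb_weaknesses(key):
    """Return (pattern_leak, reorder_undetected) on a constructed three-record message."""
    rec_a = b"ACCT=0001;AMT=10"      # 16-byte constructed sample records
    rec_b = b"ACCT=0002;AMT=99"
    ct = ecb_encrypt(key, rec_a + rec_b + rec_a)
    c = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    pattern_leak = c[0] == c[2]                   # identical records are visible
    swapped = c[1] + c[0] + c[2]                  # attacker reorders blocks, no key needed
    reorder_undetected = ecb_decrypt(key, swapped) == rec_b + rec_a + rec_a
    return pattern_leak, reorder_undetected


if __name__ == "__main__":
    k = b"constructed demo key"
    pt = b"0123456789abcdef"
    print("round trip ok:", decrypt_block(encrypt_block(pt, k), k) == pt)
    print("ECB (pattern leak, reorder undetected):", ecb_weaknesses(k))
    print("EDE with one key == single encryption:",
          ede_block(pt, k, k, k) == encrypt_block(pt, k))
```

Both ECB results come back `True`: the receiver decrypts the reordered message to valid-looking records, which is why a mode with chaining or, better, an authenticated mode belongs inside the IP module rather than leaving block handling to the host.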