hardware implementation of block cipher case study using
play

Hardware Implementation of Block Cipher: Case Study Using AES - PowerPoint PPT Presentation

May 20, 2023 •371 likes •676 views

Hardware Implementation of Block Cipher: Case Study Using AES Tohoku University Rei Ueno Acknowledgments Naofumi Homma, Tohoku Univ . Takafumi Aoki, Tohoku Univ . Sumio Morioka, Interstellar technologies, Inc . Noriyuki Miura, Kobe Univ . Kohei

  1. Hardware Implementation of Block Cipher: Case Study Using AES Tohoku University Rei Ueno

  2. Acknowledgments Naofumi Homma, Tohoku Univ . Takafumi Aoki, Tohoku Univ . Sumio Morioka, Interstellar technologies, Inc . Noriyuki Miura, Kobe Univ . Kohei Matsuda, Kobe Univ . Makoto Nagata, Kobe Univ . Shivam Bhasin, NTU Yves Mathieu, Telecom ParisTech Tarik Graba, Telecom ParisTech Jean-Luc Danger, Telecom ParisTech 2

  3. This talk n Given a symmetric key cipher, how hardware designer implement and optimize it p For practical application: • With higher efficiency, encryption/decryption unified, on-the-fly key scheduling, without block-wise pipelining p Case study using AES! n Disclaimer p Some modern lightweight ciphers are already optimized and they avoid some concerns in implementing AES p But I still believe that optimization of AES implementation can be feedbacked to cipher designs 3

  4. Hardware architectures of block cipher Un- rolled Datapath replication Area Round- Resource based sharing Serialized Time for one block encryption 4

  5. Hardware architectures of block cipher Un- rolled Datapath replication Pipelining Area Round- Resource based sharing Byte- Datapath Efficient optimization serial hardware Time for one block encryption 5

  6. For practical hardware implementation n Block-chaining modes have been widely deployed p CBC, CMAC, and CCM… n (Un)Parallelizability: Issue on block-wise pipelining p AES hardware achieves 53Gbps, but works only for parallelizable modes [Mathew+ JSSC2011] p Higher throughput ≠ Lower latency n Both encryption and decryption operations n Importance of on-the-fly key scheduling p Off-the-fly key scheduling requires additional memories to store expanded keys p Latency for calculating round keys is nonnegligible if we use AES with key-tweakable modes 6

  7. Outline n Introduction n Related works n Optimized architecture n Optimization of linear functions over tower-field n Performance evaluation n Concluding remarks 7

  8. Conventional architecture 1/2 [Lutz+, CHES 2002] n Enc and Dec datapaths with additional selectors p Overhead of selectors for unification is nontrivial p False paths appear www.chesworkshop.org/ches2002/presentations/Lutz.pdf 8

  9. Conventional architecture 2/2 [Satoh+, AC 2001] n Unify each pair of operation and its inverse p RoundKey requires InvMixColumns p Some MUXs in unified operations p Long critical path 9

  10. Tower-field implementation n Inversion should be performed over tower-field p Tower-field inversion is more efficient than direct mapping (e.g., table-lookup) n Two types of tower-field implementation p Type-I: only inversion is performed over tower-field p Type-II: all operations are performed over tower-field Inversion MixColumns (S-box) InvMixColumns Type-I Good Good Type-II Better Bad 10

  11. Outline n Introduction n Related works n Optimized architecture n Optimization of linear functions over tower-field n Performance evaluation n Concluding remarks 11

  12. Overall architecture Plaintext/Ciphertext Initial key Round function part Ciphertext/Plaintext n Round-based architecture Key scheduling part n On-the-fly key scheduler 12

  13. Round function part n Compress encryption and decryption datapaths by register-retiming and operation-reordering p Unify inversion circuits in encryption and decryption • Without any additional selectors (i.e., overheads) p Merge linear operations to reduce gates and critical delay • Affine/InvAffine and MixColumns/InvMixColumns • At most one linear operation for a round n Type-II tower-field implementation p Isomorphic mappings are performed at data I/O p Lower-area tower-field (Inv)Affine and (Inv)MixColumns 13

  14. Resister-retiming and operation-reordering Proposed Original Proposed Original Decryption Encryption 14

  15. Key tricks (of decryption) Ciphertext Data register Data register Final op. Pre-round op. Round op. InvSubBytes AddRoundKey InvSubBytes InvShiftRows InvShiftRows AddRoundKey AddRoundKey InvMixColumns Data register Plaintext Data register 15

  16. Key tricks (of decryption) Ciphertext Data register Data register Final op. Pre-round op. Round op. Inversion AddRoundKey Inversion InvShiftRows InvShiftRows InvAffine AddRoundKey AddRoundKey InvMixColumns InvAffine Data register Plaintext Data register n Decompose InvSubByte to InvAffine and Inversion n Register-retiming to initially perform inversion in round operations 16

  17. Key tricks (of decryption) Ciphertext Data register Data register Final op. Pre-round op. Round op. Inversion AddRoundKey Inversion InvShiftRows InvShiftRows InvAffine AddRoundKey AddRoundKey Unified affine -1 Data register Plaintext Data register n Merge linear operations as Unified affine -1 p InvAffine and InvMixColumns n Distinct AddRoundKey to avoid additional selectors or InvMixColumns for RoundKey 17

  18. Resulting datapath Unified inversion without selector Disable inactive path At most one linear operation for round Only one 4:1 selector 18

  19. Overall architecture Plaintext/Ciphertext Initial key Round function part Ciphertext/Plaintext n Round-based architecture Key scheduling part n On-the-fly key scheduler 19

  20. Key scheduling part n Round key generator is dominant p Unify encryption and decryption datapaths p Shorten critical delay than round function part by NOT unifying some XOR gates Unified components Not unified XOR gates 20

  21. Outline n Introduction n Related works n Optimized architecture n Optimization of linear functions over tower-field n Performance evaluation n Concluding remarks 21

  22. Coming back to round function part n Major components p Inversion p Linear operations p Bit-parallel XOR p Selectors p (Inv)ShiftRows n Performance depends on constructions of inversion and linear operations p Inversion: Use state-of-the-art adoptable one p Linear operations: Depends on XOR matrices 22

  23. Multiplicative-offset n Increase variation of construction of XOR matrices p To find optimal XOR matrices with lower HWs n Multiply offset value c to intermediate value d i,j ( r ) and store cd i,j ( r ) into register p Multiplication with fixed value is XOR matrix operation p c is taken from GF (2 8 ) excluding 0 Pre-round Round Post-round d i,j ( r ) d i,j (11) Plaintext Inversion Iso. Mapping -1 Iso. mapping Unified Affine d i,j (1) Ciphertext d i,j ( r +1) Original encryption flow (simplified) 23

  24. Multiplicative-offset n Increase variation of construction of XOR matrices p To find optimal XOR matrices with lower HWs n Multiply offset value c to intermediate value d i,j ( r ) and store cd i,j ( r ) into register p Multiplication with fixed value is XOR matrix operation p c is taken from GF (2 8 ) excluding 0 Pre-round Round Post-round cd i,j ( r ) cd i,j (11) Plaintext Inversion Multiply c Iso. Mapping -1 Multiply c 2 Iso. mapping Multiply c -1 Unified Affine cd i,j (1) Ciphertext cd i,j ( r +1) Proposed encryption flow (simplified) 24

  25. Multiplicative-offset n Increase variation of construction of XOR matrices p To find optimal XOR matrices with lower HWs n Multiply offset value c to intermediate value d i,j ( r ) and store cd i,j ( r ) into register p Multiplication with fixed value is XOR matrix operation p c is taken from GF (2 8 ) excluding 0 Pre-round Round Post-round cd i,j ( r ) cd i,j (11) Plaintext Inversion Merged mapping -1 Merged Merged mapping Reduce HW of XOR matrices Unified Affine cd i,j (1) Ciphertext for linear operations by 10% cd i,j ( r +1) Original encryption flow (simplified) 25

  26. Performance comparison n Synthesized proposed and conventional archs. p Logic synthesis: Design Compiler p Technology: Nangate 45-nm Open Cell Library Area (GE) Latency Throughput Efficiency (ns) (Gbps) (Kbps/GE) Satoh et al. 16,628.67 24.97 5.64 339.10 Lutz et al. 28,301.33 16.20 7.90 279.18 Liu et al. 15,335.67 29.70 4.74 309.13 Mathew et al. 21,429.33 30.80 4.57 213.33 This work w/o MO 18,013.00 16.28 8.65 480.49 This work w/ MO 17,368,67 15.84 8.89 511.78 n 51—57% higher efficient than conventional ones p Multiplicative-offset (MO) improves efficiency by 7—9% 26

  27. Evaluation of power/energy consumption n Gate-level timing simulation with back-annotation for estimating power consumption p With regarding glitch-effects Power consumption and power-latency product at encryption Power [uW] @ 100 MHz PL product Satoh et al. 902 22,523 Lutz et al. 735 11,907 Liu et al. 1,010 29,997 Mathew et al. 1,390 42,812 This work w/o MO 569 9,263 This work w/ MO 465 7,366 n Our architecture achieved lowest power/energy p MO achieves further reduction by 7—24% 27

  28. Encryption only architecture n Designed encryption-only hardware based on our philosophy p Compared with representative open-source IP (SASEBO IP) and state-of-the-art one [ARITH 2016] Area Latency Thru Thru/GE Power PL (GE) (ns) (Gbps) (uW) product SASEBO Table 23,085.00 11.64 12.00 519.66 352 4,097 IP Comp 11,431.67 23.04 6.06 530.16 513 11,820 ARITH Type-I 12,108.33 23.87 5.90 487.16 655 14,266 2016 Type-II 13,249.33 21.78 6.46 487.92 755 18,022 This work 12,127,00 13.97 10.08 831.10 279 3,898 n Our architecture is 58—64% higher efficient p Also advantageous in power/energy consumption 28

Recommend

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher

Problem 1 k zero bits n bits IV Block Block Block Block Cipher Cipher Cipher Cipher removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Cipher Cipher Cipher Cipher

464 views • 20 slides
Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee ,

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model Jooyoung Lee , Byeonghak Lee KAIST Tweakable Block Cipher A tweakable block cipher accepts an additional input "tweak - Tweaks are publicly used

519 views • 30 slides
Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography

Cryptography Block Cipher Modes of Operation Block Ciphers with Multiple Blocks Block Cipher Modes of Operation Electronic Code Book Cipher Block Chaining Mode Cryptography Cipher Feedback Mode School of Engineering and Technology

428 views • 32 slides
Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next?

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next?

Advanced Block Cipher Design My crazy boss asked me to design a new block cipher. Whats next? Pascal Junod University of Applied Sciences Western Switzerland Pascal Junod -- Advanced Block Cipher Design 1 ECRYPT II Summer School - May

914 views • 56 slides
Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata

Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata

Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Iterated Block Cipher Outline Iterated Block Cipher 1 S-Boxes 2 A Basic Substitution Permutation Network 3 Linear

1.58k views • 113 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx

COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx

COBRA: A Parallelizable Authenticated Online Cipher without Block Cipher Inverse 1 Atul Luykx COSIC KU Leuven and iMinds March 3, 2014 1 Joint work with E. Andreeva, B. Mennink, and K. Yasuda. 1 / 23 Overview COBRA 1 Misuse resistance 2

711 views • 58 slides
Block Cipher Operation CBC CFB OFB CSS441: Security and Cryptography CTR Feedback Sirindhorn

Block Cipher Operation CBC CFB OFB CSS441: Security and Cryptography CTR Feedback Sirindhorn

CSS441 Block Cipher Operation Modes ECB Block Cipher Operation CBC CFB OFB CSS441: Security and Cryptography CTR Feedback Sirindhorn International Institute of Technology XTS-AES Thammasat University Prepared by Steven Gordon on 20

871 views • 32 slides
PSEUDO-RANDOM FUNCTIONS We want to answer the question: What is a good block cipher? where

PSEUDO-RANDOM FUNCTIONS We want to answer the question: What is a good block cipher? where

Recall We studied security of function families (in particular, block ciphers) against key recovery. But we saw that security against key recovery is not su ffi cient to ensure that natural usages of a block cipher are secure. PSEUDO-RANDOM

268 views • 13 slides
Overview of the DES A block cipher: encrypts blocks of 64 bits using a 64 bit key

Overview of the DES A block cipher: encrypts blocks of 64 bits using a 64 bit key

Overview of the DES A block cipher: encrypts blocks of 64 bits using a 64 bit key outputs 64 bits of ciphertext A product cipher basic unit is the bit performs both substitution and transposition (permutation) on the

512 views • 35 slides
Attacks on the KeeLoq Block Cipher and Authentication Systems Andrey Bogdanov Chair for

Attacks on the KeeLoq Block Cipher and Authentication Systems Andrey Bogdanov Chair for

Attacks on the KeeLoq Block Cipher and Authentication Systems Andrey Bogdanov Chair for Communication Security Ruhr University Bochum, Germany abogdanov@crypto.rub.de www.crypto.rub.de Abstract. KeeLoq is a block cipher used in numerous

143 views • 13 slides
Block Cipher Cryptanalysis: Basic and Advanced Techniques I

Block Cipher Cryptanalysis: Basic and Advanced Techniques I

Block Cipher Cryptanalysis: Basic and Advanced Techniques I & II Andrey Bogdanov KU Leuven, ESAT/COSIC Outline I. Block Ciphers II.

1.03k views • 79 slides
PSEUDO-RANDOM FUNCTIONS 1 / 65 Recall We studied security of a block cipher against key

PSEUDO-RANDOM FUNCTIONS 1 / 65 Recall We studied security of a block cipher against key

PSEUDO-RANDOM FUNCTIONS 1 / 65 Recall We studied security of a block cipher against key recovery. But we saw that security against key recovery is not sufficient to ensure that natural usages of a block cipher are secure. We want to answer the

920 views • 88 slides
Objectives Electronic Code Book Cipher Block Chaining Output Boolean functions

Objectives Electronic Code Book Cipher Block Chaining Output Boolean functions

Modes of Operation of Block Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Electronic Code Book Cipher Block Chaining

183 views • 16 slides
Block Ciphers Chester Rebeiro IIT Madras CR CR STINSON : chapters 3 Block Cipher K D K E

Block Ciphers Chester Rebeiro IIT Madras CR CR STINSON : chapters 3 Block Cipher K D K E

Block Ciphers Chester Rebeiro IIT Madras CR CR STINSON : chapters 3 Block Cipher K D K E untrusted communicaGon link Alice Bob E D #%AR3Xf34^$ A?ack at Dawn!! decrypGon encrypGon (ciphertext) message A?ack at Dawn!!

1.71k views • 143 slides
Deck-Based Wide Block Cipher Modes and an Exposition of the Blinded Keyed Hashing Model Aldo

Deck-Based Wide Block Cipher Modes and an Exposition of the Blinded Keyed Hashing Model Aldo

Deck-Based Wide Block Cipher Modes and an Exposition of the Blinded Keyed Hashing Model Aldo Gunsing, Joan Daemen and Bart Mennink FSE 2020 1 / 15 Block cipher K n n P B C Plaintext P encrypted to ciphertext C with secret key K

632 views • 41 slides
AADL : a radar case study Back to radar case study Goal: to model a simple radar system

AADL : a radar case study Back to radar case study Goal: to model a simple radar system

AADL : a radar case study Back to radar case study Goal: to model a simple radar system Let us suppose we have the following requirements System implementation is composed by physical devices (Hardware entity): 1. antenna + processor +

589 views • 10 slides
Block Ciphers Chester Rebeiro IIT Madras CR STINSON : chapters 3 Block Cipher K D K E

Block Ciphers Chester Rebeiro IIT Madras CR STINSON : chapters 3 Block Cipher K D K E

Block Ciphers Chester Rebeiro IIT Madras CR STINSON : chapters 3 Block Cipher K D K E untrusted communication link Alice Bob E D #%AR3Xf34^$ Attack at Dawn!! decryption encryption (ciphertext) message message Attack at

1.56k views • 143 slides
Block ciphers What is a block cipher? Dan Boneh Block

Block ciphers What is a block cipher? Dan Boneh Block

Online Cryptography Course

1.24k views • 65 slides
CS 4803 A block cipher E is a collection of functions from n bits to n bits. Each function is

CS 4803 A block cipher E is a collection of functions from n bits to n bits. Each function is

Block ciphers Building blocks for symmetric cryptography. M EK C Examples: DES, 3DES, AES... CS 4803 A block cipher E is a collection of functions from n bits to n bits. Each function is fully specified by a k-bit key. Computer and

317 views • 4 slides
A Methodology for Differential-Linear Cryptanalysis and Its Applications Jiqiang Lu Presenter:

A Methodology for Differential-Linear Cryptanalysis and Its Applications Jiqiang Lu Presenter:

1. Preliminaries 2. Differential-Linear Cryptanalysis: Previous and Our Methodologies 3. Application to 13 Rounds of the DES Block Cipher 4. Application to 10 Rounds of the CTC2 Block Cipher 5. Application to 12 Rounds of the Serpent Block

1.18k views • 25 slides
H were created in the late 18th and 19th 2 n 2nd preimages centuries; they federated and became

H were created in the late 18th and 19th 2 n 2nd preimages centuries; they federated and became

Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro Introduction Iterated hash functions Block cipher constructions SHA-3 Outtro 1 Introduction Hash Functions and SHA-3 2 Iterated hash functions 3 Block cipher

786 views • 13 slides
Birthday Bound in the Ideal Cipher Model *Byeonghak Lee, Jooyoung Lee KAIST Outline

Birthday Bound in the Ideal Cipher Model *Byeonghak Lee, Jooyoung Lee KAIST Outline

Tweakable Block Cipher Secure Beyond the Birthday Bound in the Ideal Cipher Model *Byeonghak Lee, Jooyoung Lee KAIST Outline Tweakable block ciphers Our contribution Proof overview Conclusion 2 Tweakable Block Ciphers (TBCs)

362 views • 35 slides
One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers Encryption Modes Encryption Modes Shift Cipher Brute%force attack can easily break Ahmet Burak Can Substitution Cipher Hacettepe University

191 views • 6 slides

More recommend