AES Candidates

Jul 04, 2018

Transcript
  • 8/15/2019 AES Candidates

    Slide 1/96

    Kris Gaj

    Electrical and Computer Engineering

    George Mason University

    Towards secure cryptographic transformations efficient in both software and hardware:

    case for synergy among

    math, computing, and engineering

    http://ece.gmu.edu/crypto-text.htm

  • Slide 2/96

    Motivation

  • Slide 3/96

    Criteria used to evaluate cryptographic transformations

    Security

    Software Efficiency

    Hardware Efficiency

    Flexibility

  • Slide 4/96

    Flexibility

    • Additional key-sizes and block-sizes

    • Ability to function efficiently and securely in a wide variety of platforms and applications

      low-end smartcards, wireless: small memory requirements

      IPSec, ATM: small key setup time in hardware

      B-ISDN, satellite communication: large encryption speed

  • Slide 5/96

    Advanced Encryption Standard (AES) Contest

    1997-2001

    15 Candidates from USA, Canada, Belgium, France, Germany, Norway, UK, Israel, Korea, Japan, Australia, Costa Rica

    June 1998: 15 candidates

    Round 1: Security, Software efficiency, Flexibility

    August 1999: 5 final candidates: Mars, RC6, Rijndael, Serpent, Twofish

    Round 2: Security, Hardware efficiency

    October 2000: 1 winner: Rijndael, Belgium

  • Slide 6/96

    NESSIE Project: New European Schemes for Signatures, Integrity, and Encryption

    2000-2002, Europe

    CRYPTREC Project, 2000-2002, Japan

  • Slide 7/96

    NESSIE, CRYPTREC

    Multiple types of transformations:

    • Symmetric-key block ciphers
    • Stream ciphers
    • Hash functions
    • MACs
    • Asymmetric encryption schemes
    • Asymmetric digital signature schemes
    • Asymmetric identification schemes

    Development of a methodology of a fair evaluation and comparison of algorithms belonging to the same class, including software and hardware efficiency

  • Slide 8/96

    Speed of the final AES candidates in hardware

    [Bar chart: Speed (y-axis) for Serpent, Rijndael, Twofish, RC6, Mars]

  • Slide 9/96

    Survey filled by 167 participants of the Third AES Conference, April 2000

    [Bar chart: # votes for Serpent, Rijndael, Twofish, RC6, Mars]

  • Slide 10/96

  • Slide 11/96

    Efficiency in software: NIST-specified platform

    200 MHz Pentium Pro, Borland C++

    [Bar chart: Speed for Serpent, Rijndael, Twofish, RC6, Mars; series: 128-bit key, 192-bit key, 256-bit key]

  • Slide 12/96

  • Slide 13/96

    Security: Theoretical attacks better than exhaustive key search

    # of rounds in the attack / total # of rounds:

    Twofish: 6 / 16

    Serpent: 9 / 32

    Rijndael: 7 / 10

    RC6: 15 / 20

    Mars without 16 mixing rounds: 11 / 16

  • Slide 14/96

    Security: Theoretical attacks better than exhaustive key search

    # of rounds in the attack / total # of rounds, as percentages (rounds attacked / rounds remaining):

    Twofish: 38 / 62

    Serpent: 28 / 72

    Rijndael: 70 / 30

    RC6: 75 / 25

    Mars: 69 / 31

  • Slide 15/96

    [Chart: Speed in hardware]

  • Slide 16/96

  • Slide 17/96

    Historical view

    time: 1970, 1980, 1990, 2000

    Secret-key ciphers:

      DES: optimized for hardware

      Fast Software Encryption: ciphers optimized for software, e.g., RC5, Blowfish, RC4

      AES: optimized for software and hardware

    Hash functions:

      DES-based hash functions: optimized for hardware

      MD4-family: optimized primarily for software

  • Slide 18/96

    Software or hardware?

    SOFTWARE, HARDWARE

    security of data during transmission

    flexibility

  • Slide 19/96

    Efficiency indicators

  • Slide 20/96

    Primary efficiency indicators

    Software: Speed, Memory

    Hardware: Speed, Area

    Memory, Power consumption

  • Slide 21/96

    Efficiency parameters

    Latency: time to encrypt/decrypt a single block of data (encryption/decryption turns M_i into S_i)

    Throughput = Speed: number of bits encrypted/decrypted in a unit of time (M_i, M_i+1, M_i+2 in; S_i, S_i+1, S_i+2 out)

    Throughput = Block_size * Number_of_blocks_processed_simultaneously / Latency

  • Slide 22/96

  • Slide 23/96

    Non-Feedback Cipher Modes: ECB, counter

  • Slide 24/96

    Comparison for non-feedback cipher modes, e.g. Counter Mode - CTR

    [Diagram: blocks M_0, M_1, M_2 each XORed with an output of E: S_i = M_i ⊕ (output of E)]

  • Slide 25/96

    Increasing speed by parallel processing

    [Diagram: six encryption/decryption units working in parallel]

  • Slide 26/96

    Increasing speed using pipelining

    [Diagram: Cipher 1 (round 1, round 2, ..., round 10) and Cipher 2 (round 1, ..., round 16), each round forming one pipeline stage]

    Speed = block size / target clock period

    target clock period, e.g., 20 ns

  • Slide 27/96

    Pipelined operation of the encryption unit

    [Diagram: blocks B1, B2, ... advancing one round per clock cycle over successive clock cycles]

  • Slide 28/96

    Our Results: Full mixed pipelining

    [Scatter chart: x-axis Area; labels: Rijndael, Mars]

  • Slide 29/96

    Our Results: Full mixed pipelining

    [Bar chart: Throughput]

  • Slide 30/96

    Our Results: Full mixed pipelining

    [Bar chart: Area for Serpent, Rijndael, Twofish, RC6; data labels include 12,600 and 80 RAMs (dedicated memory blocks, RAMs)]

  • Slide 31/96

    NIST Report / GMU Report: Hardware Efficiency

    Non-feedback cipher modes: ECB, CTR

    [Chart: Speed (High, Medium, Low) vs. Area (Small, Medium, Large); ciphers placed: Rijndael, Serpent, Twofish, RC6, Mars]

  • Slide 32/96

    Feedback cipher modes: CBC, CFB, OFB

  • Slide 33/96

    Feedback cipher modes - CBC

    [Diagram: blocks M_1, M_2, M_3 chained through E: C_k = E(M_k ⊕ C_k-1)]

  • Slide 34/96

    Typical Flow Diagram of a Secret-Key Block Cipher

    Initial transformation, Round Key[0]

    i := 1

    Cipher Round, Round Key[i]; i := i+1; repeated #rounds times (while i <= #rounds)

    Final transformation, Round Key[#rounds+1]

  • Slide 35/96

    Basic iterative architecture

    [Diagram: multiplexer -> register -> combinational logic (one round), fed back to the multiplexer]

  • Slide 36/96

  • Slide 37/96

    GMU Results: Encryption in cipher feedback modes (CBC, CFB, OFB) - Virtex FPGA

    [Bar chart: Throughput]

  • Slide 38/96

    NSA Results: Encryption in cipher feedback modes (CBC, CFB, OFB) - ASIC, 0.5 µm CMOS

    [Bar chart: Throughput]

  • Slide 39/96

    Decreasing area by resource sharing

    [Diagram: Before: two F units, each with a register; After: a single F unit with a multiplexer selecting its input and a register]

  • Slide 40/96

    Resource sharing: Speed vs. Area

    [Chart: Throughput vs. Area; points for basic architecture and resource sharing]

  • Slide 41/96

    NIST Report / GMU Report: Hardware Efficiency

    Feedback cipher modes: CBC, CFB

    [Chart: Speed (High, Medium, Low) vs. Area (Small, Medium, Large); ciphers placed: Rijndael, MARS, Serpent, Twofish, RC6]

  • Slide 42/96

    Are software and hardware optimizations equivalent?

  • Slide 43/96

    Efficiency in software: NIST-specified platform

    200 MHz Pentium Pro, Borland C++

    [Bar chart: Speed for Serpent, Rijndael, Twofish, RC6, Mars; series: 128-bit key, 192-bit key, 256-bit key]

  • Slide 44/96

    Our Results: Basic architecture - Speed

    [Bar chart: Throughput for Serpent, Rijndael, Twofish, RC6, Mars]

  • Slide 45/96

  • Slide 46/96

    Atomic operations used in 41 most popular secret-key ciphers (1)

    [B. Chetwynd, MS Thesis, WPI]

    Considered ciphers:

    Blowfish, CAST, CAST-128, CAST-256, CRYPTON, CS-Cipher, DEAL, DES, DFC, E2, FEAL, FROG, GOST, Hasty Pudding, ICE, IDEA, Khafre, Khufu, LOKI91, LOKI97, Lucifer, MacGuffin, MAGENTA, MARS, MISTY1, MISTY2, MMB, RC2, RC5, RC6, Rijndael, SAFER K, SAFER+, Serpent, SQUARE, SHARK, Skipjack, TEA, Twofish, WAKE, WiderWake

  • Slide 47/96

    Major atomic operations used in 41 most popular secret-key ciphers (2)

    [B. Chetwynd, MS Thesis, WPI]

    [Bar chart: number of ciphers using each operation]

    S-box: 30

    Variable rotation: 10

    Modular multiplication: 7

    GF(2^n) multiplication: 7

    Modular inversion: 1

  • Slide 48/96

    Auxiliary atomic operations used in 41 most popular secret-key ciphers (3)

    [B. Chetwynd, MS Thesis, WPI]

    [Bar chart: number of ciphers using each operation]

    Boolean (XOR, AND, OR, etc.): 41

    Fixed rotation: 25

    Modular addition & subtraction: 20

    Permutation

  • Slide 49/96

    Major cipher operations (1) - S-box

    S-box n x m, ROM

    Software

      C:   char S[1<<n] = {0x23, 0x34, 0x56, ...};

      ASM: S DB 23H, 34H, 56H, ...

    Hardware

      direct logic, or memory: n-bit address, m-bit output, 2^n words, 2^n * m bits

      [Diagram: inputs x1, x2, ..., xn -> S -> outputs y1, y2, ..., ym]

  • Slide 50/96

    S-box: Memory in hardware

    32 x 4 = 128 bits (4x4 S-boxes)

      [Diagram: 32 parallel S-boxes with 4-bit inputs and outputs]

      Memory = 32 * 2^4 * 4 bits = 2 kbit

    16 x 8 = 128 bits (8x8 S-boxes)

      [Diagram: 16 parallel S-boxes with 8-bit inputs and outputs]

      Memory = 16 * 2^8 * 8 bits = 32 kbit = 16 * 2 kbit

  • Slide 51/96

    S-box: Memory in software

    32 x 4 = 128 bits (4x4 S-boxes)

      [Diagram: 32 parallel S-boxes with 4-bit inputs and outputs, one shared table]

      Memory = 2^4 * 4 bits = 64 bits

    16 x 8 = 128 bits (8x8 S-boxes)

      [Diagram: 16 parallel S-boxes with 8-bit inputs and outputs, one shared table]

      Memory = 2^8 * 8 bits = 2 kbit = 32 * 64 bits

  • Slide 52/96

    Major cipher operations (2) - Variable Rotation

    Software

      C:   C = A <<< B (ROL32)

      ASM: ROL A, B

    Hardware

      Mux-based shifter

      High-speed clock

  • Slide 53/96

    Major cipher operations (3) - Modular Multiplication

    Software

      C:   unsigned long A, B, C;  C = A*B;

      ASM: MUL

    Hardware

      C = A*B mod 2^n: Half-Multiplier

      [Diagram: MUL with n-bit inputs A, B and n-bit output C]

      n = 32, 16

  • Slide 54/96

  • Slide 55/96

    Auxiliary cipher operations (1) - Permutation

    Software

      C:   complex sequence of instructions

      ASM: complex sequence of instructions

    Hardware

      order of wires

      [Diagram: x1, x2, x3, ..., xn-1, xn -> y1, y2, y3, ..., yn-1, yn]

  • Slide 56/96

    Auxiliary cipher operations (2) - Fixed rotation

    Software

      C:   C = A <<< n

      ASM: ROL A, n

    Hardware

      order of wires

      [Diagram: x1, x2, x3, ..., xn-1, xn -> y1, y2, y3, ..., yn-1, yn]

  • Slide 57/96

  • Slide 58/96

    Auxiliary cipher operations (3) - Addition/subtraction

    Software

      C:   unsigned long A, B, C;  C = A+B;

      ASM: ADD

    Hardware

      C = A+B mod 2^n: Adder/subtractor

      [Diagram: ADD with n-bit inputs A, B and n-bit output C]

      n = 32, 16

  • Slide 59/96

  • Slide 60/96

  • Slide 61/96

    Basic operations: Delay and area in SOFTWARE

    [Chart: Delay vs. Memory; operations placed: addition, multiplication, Boolean, permutation, fixed rotation, GF(2^n) multiplication, variable rotation, S-box 4x4, S-box 8x8, S-box 9x32, modular inverse]

  • Slide 62/96

    Major operations of AES finalists

    [Table: Mars, Twofish, Serpent, RC6, Rijndael vs. S-boxes, Integer multiplication, Variable rotation, Multiplication in GF(2^m)]

  • Slide 63/96

    Auxiliary operations of AES finalists

    [Table: Mars, Twofish, Serpent, RC6, Rijndael vs. Boolean, Addition/subtraction, Permutation, Fixed rotation]

  • Slide 64/96

    MARS - IBM team

    Delay and area in HARDWARE

    [Chart: Delay vs. Area; operations placed: modular multiplication, Boolean, permutation, variable rotation, GF(2^n) multiplication, fixed rotation, addition (CLA), addition (RC), S-box 4x4, S-box 8x8, S-box 9x32, modular inverse]

  • Slide 65/96

    Serpent - R. Anderson, E. Biham, L. Knudsen

    Delay and area in HARDWARE

    [Chart: Delay vs. Area; operations placed: modular multiplication, Boolean, permutation, variable rotation, GF(2^n) multiplication, fixed rotation, addition (CLA), addition (RC), S-box 4x4, S-box 8x8, S-box 9x32, modular inverse]

  • Slide 66/96

    Rijndael - V. Rijmen, J. Daemen

    Delay and area in HARDWARE

    [Chart: Delay vs. Area; operations placed: modular multiplication, Boolean, permutation, variable rotation, GF(2^n) multiplication, fixed rotation, addition (CLA), addition (RC), S-box 4x4, S-box 8x8, S-box 9x32, modular inverse]

  • Slide 67/96

    MARS - IBM team

    Delay and area in SOFTWARE

    [Chart: Delay vs. Memory; operations placed: addition, multiplication, Boolean, permutation, fixed rotation, GF(2^n) multiplication, variable rotation, S-box 4x4, S-box 8x8, S-box 9x32, modular inverse]

  • Slide 68/96

    Summary: Operations efficient in both software and hardware

    [Table: Software (Fast & compact / Slow or big) vs. Hardware (Fast & compact / Slow or big); operations placed: permutation, addition, GF(2^n) multiply, multiplication, S-box, Boolean, fixed rotation, variable rotation, modular inverse]

  • Slide 69/96

    AES: Types of candidate algorithms

  • Slide 70/96

    AES: Types of candidate algorithms

    Feistel Networks: Twofish, E2, DFC, DEAL, LOKI97, Magenta

    Modified Feistel Network: RC6, MARS, CAST-256

    Substitution-Linear Transformation Networks: Rijndael, Serpent, Safer+, Crypton

    Others: Frog, HPC

  • Slide 71/96

    Feistel Network: Single Round of Twofish

    [Diagram: D[3] D[2] D[1] D[0] in; F-function; <<< 1, >>> 1; subkeys K_2r+8, K_2r+9; D[3] D[2] D[1] D[0] out]

    Legend: units shared between encryption and decryption

  • Slide 72/96

    Modified Feistel Network: Single Round of MARS

  • Slide 73/96

    Substitution-Linear Transformation Network: Single Round of Serpent

    [Diagram: 128-bit input; K[i]; S-boxes; Linear Transformation; 128-bit output]

    Legend: units shared between encryption and decryption

  • Slide 74/96

    Substitution-Linear Transformation Network: Serpent in Hardware

    [Diagram: 128-bit data path: initial permutation -> encryption block / decryption block -> final permutation; subkeys K0, ..., K32 for encryption and K32, ..., K0 for decryption]

  • Slide 75/96

    Substitution-Linear Transformation Network: Rijndael in Hardware

    [Diagram: encryption: Inversion in GF(2^8), affine transformation, ShiftRow, MixColumn, subkey; decryption: InvShiftRow, inverse affine transformation, Inversion in GF(2^8), subkey, InvMixColumn]

    Legend: units shared between encryption and decryption

  • Slide 76/96

    Number and complexity of rounds

  • Slide 77/96

    Number vs. complexity of a round

    [Chart: Number of rounds vs. Complexity of a round; ciphers placed: Triple DES, DES, Serpent, Rijndael, Mars, RC6, Twofish]

  • Slide 78/96

    Complexity of the cipher round in hardware

    [Bar chart: Time in hardware of one regular round of Serpent, Rijndael, Twofish, RC6, Mars, broken into stages such as S-box 4x4, S-box 8x8, XOR, SQR32, ROT32, MUL32 and multiplexers]

  • Slide 79/96

  • Slide 80/96

    Making all rounds identical

  • Slide 81/96

  • Slide 82/96

    Serpent - Hardware Architecture I1

    [Diagram: 128-bit register; 32 x S-box 0, 32 x S-box 1, ..., 32 x S-box 7 selected by an 8-to-1 128-bit multiplexer; linear transformation; K_i (regular Serpent round), K32; 128-bit output]

  • Slide 83/96

    GMU Results: Encryption in cipher feedback modes (CBC, CFB, OFB) - Virtex FPGA

    [Bar chart: Throughput]

  • Slide 84/96

    Parallelism

  • Slide 85/96

    Parallelism in SHA-1

    [Diagram: two consecutive SHA-1 steps on the 32-bit registers A, B, C, D, E: ROTL5, f_t, ROTL30, additions of K_t and W_t]

    Operations from two different steps that can be performed in parallel

  • Slide 86/96

    Executing SHA-1 on a 7-way superscalar processor

    [Diagram: operations of steps n, n+1, n+2, n+3, n+4 scheduled in parallel]

    [A. Bosselaers, R. Govaerts, J. Vandewalle]

  • Slide 87/96

    Number of operations that can be executed in parallel for various hash functions

    [Bar chart: SHA-1, RIPEMD-160, RIPEMD-128, RIPEMD, MD5, MD4]

    [A. Bosselaers, R. Govaerts, J. Vandewalle]

  • Slide 88/96

    Optimization tricks

  • Slide 89/96

    Rijndael round: Table-lookup implementation

    [Diagram: state bytes a_i,j (i, j = 0..3); each output column b_j is the XOR of four lookups, one in each of the tables T0, T1, T2, T3, indexed by one state byte]

    Speed-up in software: ~100 times

    Speed-up in hardware: ~20
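The table-lookup round described on this slide, as an added example in C that is not part of the original slides: the straightforward round (SubBytes, ShiftRows, MixColumns, AddRoundKey) next to the four-table version, both checked against round 1 of the AES-128 example in FIPS-197 Appendix B. The S-box is generated at start-up rather than typed in; all function and variable names are my own.

```c
#include <stdint.h>
#include <string.h>

#define ROTL8(x, s)  ((uint8_t)(((x) << (s)) | ((x) >> (8 - (s)))))
#define ROTR32(x, s) (((x) >> (s)) | ((x) << (32 - (s))))

static uint8_t  sbox[256];  /* Rijndael S-box, filled by init_tables() */
static uint32_t T[4][256];  /* round tables T0..T3, 4 x 1 kB */

/* Multiplication by x (0x02) in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1 */
static uint8_t xtime(uint8_t a) { return (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1b : 0)); }

/* Build the S-box by walking the powers of the generator 3 (p) while tracking
 * its inverse (q) and applying the affine map, then derive T0..T3 from it. */
static void init_tables(void) {
    uint8_t p = 1, q = 1;
    do {
        p = (uint8_t)(p ^ (p << 1) ^ ((p & 0x80) ? 0x1b : 0));                 /* p *= 3 */
        q ^= (uint8_t)(q << 1); q ^= (uint8_t)(q << 2); q ^= (uint8_t)(q << 4);
        q ^= (q & 0x80) ? 0x09 : 0;                                              /* q /= 3 */
        sbox[p] = (uint8_t)(q ^ ROTL8(q, 1) ^ ROTL8(q, 2) ^ ROTL8(q, 3) ^ ROTL8(q, 4) ^ 0x63);
    } while (p != 1);
    sbox[0] = 0x63;
    for (int x = 0; x < 256; x++) {
        uint8_t s = sbox[x], s2 = xtime(s), s3 = (uint8_t)(s2 ^ s);
        /* T0 = MixColumns contribution (2s, s, s, 3s) of a row-0 byte; rows 1..3 use it rotated */
        T[0][x] = ((uint32_t)s2 << 24) | ((uint32_t)s << 16) | ((uint32_t)s << 8) | s3;
        T[1][x] = ROTR32(T[0][x], 8); T[2][x] = ROTR32(T[0][x], 16); T[3][x] = ROTR32(T[0][x], 24);
    }
}

/* State and round key: 16 bytes in column-major order, byte (row r, column c) at index r + 4*c. */
static void round_reference(const uint8_t in[16], const uint8_t rk[16], uint8_t out[16]) {
    uint8_t t[16];
    for (int c = 0; c < 4; c++)               /* SubBytes + ShiftRows (row r shifts left by r) */
        for (int r = 0; r < 4; r++)
            t[r + 4*c] = sbox[in[r + 4*((c + r) % 4)]];
    for (int c = 0; c < 4; c++) {             /* MixColumns + AddRoundKey */
        const uint8_t *a = t + 4*c;
        out[4*c+0] = xtime(a[0]) ^ xtime(a[1]) ^ a[1] ^ a[2] ^ a[3] ^ rk[4*c+0];
        out[4*c+1] = a[0] ^ xtime(a[1]) ^ xtime(a[2]) ^ a[2] ^ a[3] ^ rk[4*c+1];
        out[4*c+2] = a[0] ^ a[1] ^ xtime(a[2]) ^ xtime(a[3]) ^ a[3] ^ rk[4*c+2];
        out[4*c+3] = xtime(a[0]) ^ a[0] ^ a[1] ^ a[2] ^ xtime(a[3]) ^ rk[4*c+3];
    }
}

/* The same round as four table lookups and XORs per output column. */
static void round_ttable(const uint8_t in[16], const uint8_t rk[16], uint8_t out[16]) {
    for (int c = 0; c < 4; c++) {
        uint32_t b = T[0][in[4*c]] ^ T[1][in[1 + 4*((c + 1) % 4)]]
                   ^ T[2][in[2 + 4*((c + 2) % 4)]] ^ T[3][in[3 + 4*((c + 3) % 4)]];
        out[4*c+0] = (uint8_t)(b >> 24) ^ rk[4*c+0];
        out[4*c+1] = (uint8_t)(b >> 16) ^ rk[4*c+1];
        out[4*c+2] = (uint8_t)(b >> 8)  ^ rk[4*c+2];
        out[4*c+3] = (uint8_t)(b)       ^ rk[4*c+3];
    }
}

/* Round-1 input, round key and output of the AES-128 example in FIPS-197 Appendix B. */
static const uint8_t FIPS_IN[16]  = {0x19,0x3d,0xe3,0xbe,0xa0,0xf4,0xe2,0x2b,0x9a,0xc6,0x8d,0x2a,0xe9,0xf8,0x48,0x08};
static const uint8_t FIPS_RK1[16] = {0xa0,0xfa,0xfe,0x17,0x88,0x54,0x2c,0xb1,0x23,0xa3,0x39,0x39,0x2a,0x6c,0x76,0x05};
static const uint8_t FIPS_OUT[16] = {0xa4,0x9c,0x7f,0xf2,0x68,0x9f,0x35,0x2b,0x6b,0x5b,0xea,0x43,0x02,0x6a,0x50,0x49};

/* Returns 1 if fn() maps FIPS_IN to FIPS_OUT under FIPS_RK1, else 0. */
static int check_round(void (*fn)(const uint8_t *, const uint8_t *, uint8_t *)) {
    uint8_t out[16];
    init_tables();
    fn(FIPS_IN, FIPS_RK1, out);
    return memcmp(out, FIPS_OUT, 16) == 0;
}

int main(void) { return (check_round(round_reference) && check_round(round_ttable)) ? 0 : 1; }
```

Both rounds must produce the same 16 bytes; the table version trades 4 kB of tables for four lookups and four XORs per column, which is the software speed-up the slide refers to.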

  • Slide 90/96

    Serpent: Bit-slice implementation, 32 x 4 = 128 bits

    [Diagram: S-box S applied bit-sliced to x1 ...]

  • Slide 91/96

    The proposed approach

  • Slide 92/96

    Cipher design methodology (1)

    1. Choose one or maximum two major operations efficient in both software and hardware

       best choice: S-box 4x4, GF(2^n) multiplication

    2. Choose one or maximum two auxiliary operations efficient in both software and hardware

       best choice: Boolean, fixed rotation

    3. Choose cipher type that enables maximum sharing among encryption and decryption

       best choice: Feistel network, modified Feistel network

  • Slide 93/96

    Cipher design methodology (2)

    4. Design a round taking into account a trade-off among
       • round complexity
       • number of rounds necessary to guarantee sufficient security margin

    5. Make each round (possibly) identical

       negative examples: Serpent, Mars

    6. Look for parallelism within a round and among consecutive rounds

       positive example: SHA-1

    7. Look for optimization tricks

       positive examples: table-look-up in Rijndael, bit-slice implementation in Serpent

  • Slide 94/96

    Mathematicians, Computer scientists, Computer Engineers

    Security, Software efficiency, Hardware efficiency, Flexibility

  • Slide 95/96

    Challenges

    For mathematicians:

    Prove or disprove that Serpent with
    • all S-boxes identical
    • 16 rounds
    is at least as secure as Rijndael

    For computer scientists:

    Is there a way of using instruction level parallelism to speed-up software implementation of

  • Slide 96/96

    For computer scientists:

    What is a level of parallelism present in SHA-256, SHA-384, SHA-512?

    For mathematicians:

    Is there a way of changing Serpent into a modified Feistel network cipher without losing its security properties?