AES effective software implementation
1. Effective Software Implementation of Advanced Encryption Standard
December 2014
Roman Oliynykov
Professor at Information Technologies Security Department, Kharkov National University of Radioelectronics
Head of Scientific Research Department, JSC "Institute of Information Technologies", Ukraine
Visiting professor at Samsung Advanced Technology Training Institute, Korea
ROliynykov@gmail.com
2. Outline
• A few words about myself
• Brief history of AES/Rijndael
• AES properties
• Direct AES implementation and problems with it
• Methods for effective encryption implementation (proposed by the Rijndael authors in their submission to the AES competition)
• Decryption optimization
• Conclusions
3. About myself (I)
• I'm from Ukraine (Eastern part of Europe), host country of the Euro 2012 football championship
• I live in Kharkov (the second biggest city in the country, population is 1.5 million people), Eastern Ukraine (near Russia), former capital of the Soviet Ukraine (1918-1934); three Nobel prize winners worked at Kharkov University
4. About myself (II)
• Professor at Information Technologies Security Department at Kharkov National University of Radioelectronics
  • courses on computer networks and operating system security, special mathematics for cryptographic applications
• Head of Scientific Research Department at JSC "Institute of Information Technologies"
• Scientific interests: synthesis and cryptanalysis of symmetric cryptographic primitives
• Visiting professor at Samsung Advanced Technology Training Institute
  • courses on computer networks and operating system security, software security, effective application and implementation of symmetric cryptography
5. Modern and effective solution: Advanced Encryption Standard (AES)
• result of the international public cryptographic competition (1997-2000)
• chosen from among 15 candidate ciphers (developed in the US, Belgium, Denmark, Germany, Israel, Japan, Switzerland, Armenia, etc.)
• original name is Rijndael (developed by researchers from Belgium)
• the votes at the 3rd AES conference went to this cipher, but the others, Twofish (US), MARS (US, IBM), E2 (Japan, Camellia predecessor) and Serpent (Israel), also remain strong
• the most researched block cipher all over the world (2014, open publications)
• basis for the development of many other symmetric primitives
6. AES properties
• block length 128 bits only (subset of Rijndael, which supports 128, 192 and 256 bits)
• key length is 128, 192 or 256 bits
• uses a Substitution-Permutation Network (SPN)
• number of rounds (10, 12, 14) depends on the key length
• quite transparent design, algebraic structure (theoretically may be vulnerable to algebraic analysis)
• quite effective in software (32-bit platforms) and hardware implementation
9. AES: main steps
• running the key schedule procedure: generation of all round keys
• running the encryption or decryption procedure
• or, for compact hardware implementation, sequential operations:
  • generation of the current round key
  • one encryption round
16. AES round key generation (key expansion)
NB: not all key lengths (128, 192, 256) must be supported; for many applications it's enough to have a single key length
19. AES round key generation: round constant application
NB: without Rcon there would be equal blocks in the ciphertext if the plaintext and keys have equal blocks (1, 2 or 4 byte repeats in plaintext and key)
22. AES/Rijndael design goals
• be extremely fast on 32-bit platforms (+++)
• be compact in hardware implementation with a small number of gates (++)
• possibility to implement the cipher on 8-bit smart-card processors current in the 1990s (++)
• cryptographic strength (+)
25. AES: MixColumns transformation
60 operations (logical and conditional):
• 3+ operations for each input byte (48+ total):
  • shift and conditional XOR (mult by 02)
  • XOR (mult by 03)
• 3 XORs for each row (12 total)
26. Direct implementation of AES round function
• SubBytes: 16 operations (byte substitution)
• ShiftRows: 12 operations (byte permutation)
• MixColumns: 60 or even more operations (conditions will prevent effective pipelining)
• AddRoundKey: 16 operations (logical)
TOTAL: more than 102 operations per round
27. AES effective software implementation: 32-bit platform
• three different operations can be united into a single (!) look-up table access:
  • SubBytes (non-linear)
  • ShiftRows (linear)
  • MixColumns (linear)
• the cipher consists of look-up table accesses and round key additions
28. AES effective software implementation: MixColumns
Matrix multiplication: 7 operations (4 memory look-ups + 3 XORs) instead of 60:
• 32-bit XOR of 4 columns
• each column depends on one input byte only
• all 4 bytes in each column are precomputed and stored in advance
30. AES effective software implementation: MixColumns and SubBytes in one precomputed table
SubBytes and MixColumns: 7 operations (4 memory look-ups + 3 XORs) total:
• 32-bit XOR of 4 columns
• each column depends on one input byte only (already sent through the S-box)
• all 4 bytes in each column are precomputed and stored in advance
31. Fragment of OpenSSL AES source code (based on the Rijndael authors' implementation)
4 tables are needed; size of each table is 256 * 4 = 1 kByte
32. Fragment of OpenSSL AES source code (based on the Rijndael authors' implementation)
ShiftRows is implemented as the usual shift and mask of a 32-bit register; SubBytes and MixColumns are implemented as memory look-ups (8 bit → 32 bit)
33. AES effective software implementation: extra memory optimization
Decreasing the memory amount: a single table (1 kByte instead of 4 tables of 1 kB each)
34. Main table size for the fastest and the compact optimized 32-bit AES implementation
• fastest:
  • (4 bytes) x (256 different entries to S-box) x (4 different positions for ShiftRows) == 4 kbytes
• compact optimized:
  • (4 bytes) x (256 different entries to S-box) == 1 kbyte
  • three additional operations in C (<<, >>, | or ^) are needed besides a table look-up
NB: to reach the highest performance, the precomputed tables and the processed data must fit into the L1 processor cache (32-64 kBytes for modern processors)
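As an added example (my own code, not the slides' OpenSSL fragment), the C below builds the S-box from its definition, derives the T-tables in the Te0[x] = S[x].[02,01,01,03] layout that OpenSSL uses (assumed here; Te1..Te3 are byte rotations of Te0), and computes one output column both the fastest way of slides 28-31 (4 tables, 4 look-ups + 3 XORs) and the compact way of slides 33-34 (Te0 only, plus a rotation per look-up), checking each against a direct SubBytes-then-MixColumns computation. The round key XOR and the byte extraction that ShiftRows performs are left to the caller.

```c
#include <stdint.h>

/* Multiply by 02 in GF(2^8): shift, then conditional XOR with the reduction constant 0x1b */
static uint8_t xtime(uint8_t b) { return (uint8_t)((b << 1) ^ ((b >> 7) ? 0x1b : 0)); }
static uint8_t gmul(uint8_t a, uint8_t b) {              /* generic GF(2^8) product via xtime */
    uint8_t p = 0;
    for (; b; b >>= 1, a = xtime(a)) if (b & 1) p ^= a;
    return p;
}
static uint32_t ror32(uint32_t x, unsigned n) { return (x >> n) | (x << (32 - n)); }
uint8_t  sbox[256];
uint32_t Te0[256], Te1[256], Te2[256], Te3[256];   /* Te0[x] = S[x].[02,01,01,03], OpenSSL layout */
/* S-box from its definition (GF(2^8) inverse, then affine map with 0x63); Te1..Te3 rotate Te0 */
void init_tables(void) {
    for (int i = 0; i < 256; i++) {
        uint8_t inv = 0, s = 0x63;
        for (int x = 1; x < 256 && !inv; x++) if (gmul((uint8_t)i, (uint8_t)x) == 1) inv = (uint8_t)x;
        for (int k = 0; k < 5; k++) s ^= (uint8_t)((inv << k) | (inv >> (8 - k)));
        uint8_t s2 = xtime(s), s3 = (uint8_t)(s2 ^ s);
        sbox[i] = s;
        Te0[i] = ((uint32_t)s2 << 24) | ((uint32_t)s << 16) | ((uint32_t)s << 8) | s3;
        Te1[i] = ror32(Te0[i], 8); Te2[i] = ror32(Te0[i], 16); Te3[i] = ror32(Te0[i], 24);
    }
}
/* Fastest variant (4 kB): SubBytes + ShiftRows + MixColumns for one output column in 4 look-ups
 * and 3 XORs; a..d are the bytes ShiftRows routes into this column, round key XOR is the caller's */
uint32_t column_4tables(uint8_t a, uint8_t b, uint8_t c, uint8_t d) {
    return Te0[a] ^ Te1[b] ^ Te2[c] ^ Te3[d];
}
uint32_t column_1table(uint8_t a, uint8_t b, uint8_t c, uint8_t d) {   /* compact variant (1 kB) */
    return Te0[a] ^ ror32(Te0[b], 8) ^ ror32(Te0[c], 16) ^ ror32(Te0[d], 24);  /* +3 ops per rotation */
}
/* Direct reference: SubBytes, then MixColumns byte by byte with the [02 03 01 01] circulant matrix */
uint32_t column_direct(uint8_t a, uint8_t b, uint8_t c, uint8_t d) {
    uint8_t s[4] = { sbox[a], sbox[b], sbox[c], sbox[d] }, r[4];
    for (int i = 0; i < 4; i++)
        r[i] = gmul(2, s[i]) ^ gmul(3, s[(i + 1) & 3]) ^ s[(i + 2) & 3] ^ s[(i + 3) & 3];
    return ((uint32_t)r[0] << 24) | ((uint32_t)r[1] << 16) | ((uint32_t)r[2] << 8) | r[3];
}
/* Sweep a few thousand inputs: both table variants must match the direct computation */
int tables_agree(void) {
    init_tables();
    for (unsigned a = 0; a < 256; a++) for (unsigned b = 0; b < 256; b += 15) {
        uint8_t A = (uint8_t)a, B = (uint8_t)b, c = (uint8_t)(a * 7 + b), d = (uint8_t)(a ^ b ^ 0x5a);
        uint32_t ref = column_direct(A, B, c, d);
        if (column_4tables(A, B, c, d) != ref || column_1table(A, B, c, d) != ref) return 0;
    }
    return 1;
}
```

Te0[0] comes out as 0xc66363a5, the first entry of OpenSSL's Te0 table, which is a quick way to confirm the layout assumption.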
35. Number of 32-bit operations needed for a single block encryption at the main transformation (having all round keys)
• ((4 look-ups) + (3 XORs)) * (4 columns) == 28 operations / round
• 4 XORs with round keys == 4 operations / round
• (28 + 4) * (9 rounds) == 288 operations for high strength encryption of 9 rounds (!)
• (16 operations on SubBytes) + (24 operations on ShiftRows) + (4 XORs with round keys) == 44 operations at the last round
37. AES decryption: optimization
• SubBytes() and ShiftRows() transformations commute, so their order can be changed
• the column mixing operations, MixColumns() and InvMixColumns(), are linear with respect to the column input, which means InvMixColumns(state xor RoundKey) == InvMixColumns(state) xor InvMixColumns(RoundKey)
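An added example (not from the slides) that checks the linearity identity above on one column with the actual InvMixColumns matrix [0e 0b 0d 09]: a standard decryption round applying AddRoundKey then InvMixColumns gives the same result as InvMixColumns followed by XOR with a round key that was passed through InvMixColumns once when the key schedule ran. The function names and the GF(2^8) helpers are my own; InvSubBytes and InvShiftRows act per byte and are omitted from the column view.

```c
#include <stdint.h>

/* GF(2^8) arithmetic, the same field the encryption tables use */
static uint8_t xtime(uint8_t b) { return (uint8_t)((b << 1) ^ ((b >> 7) ? 0x1b : 0)); }
static uint8_t gmul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    for (; b; b >>= 1, a = xtime(a)) if (b & 1) p ^= a;
    return p;
}

/* Apply a 4x4 circulant matrix (given by its first row) to one big-endian packed column */
static uint32_t circulant(const uint8_t row[4], uint32_t col) {
    uint8_t in[4] = { (uint8_t)(col >> 24), (uint8_t)(col >> 16), (uint8_t)(col >> 8), (uint8_t)col };
    uint32_t out = 0;
    for (int i = 0; i < 4; i++) {
        uint8_t v = 0;
        for (int j = 0; j < 4; j++) v ^= gmul(row[j], in[(i + j) & 3]);
        out = (out << 8) | v;
    }
    return out;
}
static const uint8_t MIX[4] = { 0x02, 0x03, 0x01, 0x01 };   /* MixColumns matrix, first row */
static const uint8_t INV[4] = { 0x0e, 0x0b, 0x0d, 0x09 };   /* InvMixColumns matrix, first row */
uint32_t mix_column(uint32_t col)     { return circulant(MIX, col); }
uint32_t inv_mix_column(uint32_t col) { return circulant(INV, col); }

/* Standard decryption round order on one column: AddRoundKey, then InvMixColumns. InvShiftRows and
 * InvSubBytes act per byte and commute with each other, so they are omitted from this column view. */
uint32_t dec_round_standard(uint32_t col, uint32_t rk) { return inv_mix_column(col ^ rk); }

/* Equivalent order with the same per-round cost as encryption: InvMixColumns on the state, then
 * XOR with a round key that was passed through InvMixColumns once when the key schedule ran */
uint32_t premix_round_key(uint32_t rk) { return inv_mix_column(rk); }
uint32_t dec_round_equivalent(uint32_t col, uint32_t rk_premixed) { return inv_mix_column(col) ^ rk_premixed; }
```

The column db 13 53 45 maps to 8e 4d a1 bc under MixColumns and back under InvMixColumns, which checks both matrices before the identity is exercised.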
39. Additional details on AES implementation
• two sets of tables for encryption
  • main optimized set (MixColumns, ShiftRows and SubBytes)
  • separate S-box array for the last round
• two sets of tables for decryption (complexity is the same as for encryption)
  • main optimized set (InvMixColumns, InvShiftRows and InvSubBytes)
  • separate inverse S-box array for the last round
NB: ECB decryption is not needed for most block cipher modes of operation
40. Conclusions
• direct AES implementation is very slow (requires many byte operations and conditions)
• three different round function operations can be united into a single look-up table access
• with effective implementation, AES consists of look-up table accesses and round key additions
• the fastest version of AES requires 4 kB of memory for tables, the fast but compact one requires 1 kB
• fast AES decryption has the same speed as encryption and uses a changed order of round function operations with modified round keys