AES and other secret key implementations


  1. AES and other secret key implementations
     Ingrid Verbauwhede, ingrid.verbauwhede-at-esat.kuleuven.be
     K.U.Leuven, ESAT-SCD-COSIC, Computer Security and Industrial Cryptography
     Acknowledgements: Current and former Ph.D. students at UCLA and K.U.Leuven
     KUL - COSIC, ECRYPT Summer School, Albena, May 2011

     Outline & Goal
     • Crypto engineering for secret key algorithms
       – Design parameters
       – DES
       – Modes of operation
       – AES
       – Light weight crypto

  2. Design Parameters
     Embedded security: Area, delay, power, energy

     Crypto engineering everywhere
     Everything is always connected everywhere
     • Continuum between software and hardware
       – ASIC (microcode)
       – FPGA
       – fully programmable processor

  3. Embedded Security
     NEED BOTH
     • Efficient, light-weight implementation
       – Within power, area, timing budgets
       – Public key: 1024 bits RSA on 8 bit μC and 100 μW
       – Public key on a passive RFID tag
     • Trustworthy implementation
       – Resistant to attacks
       – Active attacks: probing, power glitches, JTAG scan chain
       – Passive attacks: side channel attacks, including power, timing and electromagnetic leaks

     Cost definition
     • Area
     • Time
     • Power, Energy
     • Physical Security
     • NRE (Non Recurring Engineering) cost

  4. Design parameters
     • Speed or throughput:
       – HW: Gbits/sec or Mbits/sec/slice
       – SW: Cycles/byte, independent of clock frequency
     • Area:
       – HW: mm² (gate or transistor count)
       – SW: memory footprint
     • Power or energy consumption:
       – Power (Watts) for cooling or transmission (RFID)
       – Energy (Joule): battery operated devices
     • Security: difficult to measure, but we want it
       – Entropy, leakage functions?
       – Measurements until disclosure?

     Throughput: Real-time
     • Extremely high throughput (Radar or fiber optics)
     • One operator (= hardware unit, e.g. adder, shifter, register) for each operation (= algorithmic, e.g. addition, multiplication, delay)
       clock frequency = sample frequency
     • Most designs: time multiplexing
       clock frequency = sample frequency
       clock frequency / sample frequency = number of clock cycles available for the job

  5. SW: cycles per byte
     • “independent” of clock frequency or machine
     • Size of packet matters
     • “match” of algorithm to architecture
     [Figure: Cycles/byte versus Size (bytes), with sizes 8, 64 and 4096 and a 40 cycles/byte marker. Source: http://bench.cr.yp.to/results-sha3.html]

     Power density problem
     • Intel S. Borkar power density problem
     Cooling!!
     [Author: S. Borkar, Intel]

  6. Low Energy: battery capacity
     • Rabaey slide battery capacity
     One AAA battery: 1300 to 5000 Joule

     Power and Energy are not the same!
     • Power = P = I x V (current x voltage) (= Watt)
       – instantaneous
       – Typically checked for cooling or for peak performance
     • Energy = Power x execution time (= Joule)
       – Battery content is expressed in Joules
       – Gives an idea of how many Joules are needed to get the job done
     Low power processor ≠ low energy solution!

  7. Heat and parallelism
     Reduce power = reduce WASTE!!
     [Figure: Power (Heat) of one processor P with memory M and capacitance C, versus four parallel units, each with M/4, P/4 and C/4]
     $P_{mono} = C V^2 f$ (Watt)
     $4 \cdot (C/4) \, V^2 \, (f/4) = P_{mono}/4$
     but since $f \sim V$, can be even $P_{mono}/4^3$
     TREND: MULTI-CORE!!

     Intermezzo: standard cell based design

  8. Logic Design Activities
     • Logic and FSM synthesis
       – State minim., coding
       – Multilevel Logic Optimisation
     • Technology Mapping
       – Functions to library cells
       – Minimal Area for given delay
     • Timing Verification
       – Estimate wiring load C
       – Critical logic path
     • Layout Extraction -> Timing
       – P&R C extraction from wiring
     [Figure labels: VHDL, Logic Synthesis (Synopsys), Timing Closure; #literals, Depth, Area, Delay; aoi, ff]

     Standard Cell Layout
     [Figure: Std. Cell Place & Route (RT-Module) showing Std. Cell, Routing Channel and Cell Row. Courtesy: Tanner Tools]

  9. Standard Cell Zoom In
     [Figure: standard cell layout; labels: vdd, vss]

     Module Generation
     For data-path operators: structure is in bit-slices
     Computer generated layout as function of wordlength
     Compact, predictable IP
     [Figure labels: Instruction, Clock; Power; Data]

  10. Standard Cell and Module
     [Figure: Standard Cell, Datapath, Random Logic. Courtesy: J. Van Campenhout, RUG]

     Start with easy one: Block cipher - DES

  11. Symmetric key: DES
     • DES = Data Encryption Standard
     • FIPS Standard 46 effective in July 1977: US government standard for sensitive but unclassified data
     • Re-affirmed in 1983, 1988, 1993, 1999 (FIPS 46-3)
     • July 26, 2004: FIPS 46-3 is withdrawn: use TDEA or AES
     • TDEA = Triple DES encryption algorithm
       – NIST 800-67
     [Figure: Plaintext (Pi) -> DES -> Ciphertext (Ci), with 64-bit data and key paths]
     Key = 56 bits + 8 parity bits

     TDEA
     • Triple DES Encryption Algorithm, NIST Spec. Pub. 800-67 (May 2004)
     • Three Key options:
       – K1, K2, K3 different
       – K1=K3, K2 different
       – K1=K2=K3, backward compatible with single DES
     • two-key triple DES: until 2009
     • three-key triple DES: until 2030
     [Figure: Plaintext (Pi) -> DES -> DES-1 -> DES -> Ciphertext (Ci), 64-bit paths, keys K1, K2, K3]

  12. DES = Feistel cipher
     • DES has 16 rounds + initial and final permutation
     • Basic cipher structure is Feistel cipher
       – other examples of Feistel: IDEA, FEAL, Kasumi
     [Figure: Encryption round i and Decryption round i; inputs L_{i-1}, R_{i-1} and K_i pass through f and + to give L_i, R_i]
     • Hardware: encryption = decryption! (different for AES)

     DES - f function
     [Figure: data flow of f(R_{i-1}, K_i)]
     • Inputs: R_{i-1} (32 bits), K_i (48 bits)
     • Expansion E: 32b-to-48b permutation (wiring & bit duplication)
     • + with K_i (48 bits); input of S-boxes: 8x6b
     • S1 S2 S3 S4 S5 S6 S7 S8: Si = 6b-to-4b non linear substitution (ROM or logic based look up table); output of S-boxes: 8x4b
     • Permutation P: 32b-to-32b permutation (wiring)
     • Output: f(R_{i-1}, K_i) (32 bits)
     • Because of Feistel: no need for f^-1 (different for AES)

  13. DES Key schedule
     • Initial key K (64 bits)
     • PC1: permute and drop 8 bits (64 -> 56)
     • C & D: rotate left 1 or 2 bits each round; DECRYPTION: rotate right
     • PC2: permute and select 48 output bits (56 -> 48)
     • Round Key K_i (48 bits)
     C & D left/right shift registers: encryption & decryption HW

     Key Schedule
     Two options:
     • On the “fly” = just in time processing
     • Pre-compute and store
     [Figure: Key -> Key Schedule -> BC (Typical for Hardware); Key Schedule -> Memory -> BC (Typical for Software)]

  14. Key schedule on the fly
     • The cost of fast key context switching
     • Example for IPSEC router
       – one 128 bit key = 1408 bits round keys (10 rounds + initial key)
       – half of internet packets are only 64 bytes in length (512 bits)
     [Figure: Context bandwidth (Gbps, 0 to 10) versus Record Size (bytes, 10 to 10^5) for ARC4, AES and 3DES, data at 1 Gbps. Source: J. Goodman]
     BANDWIDTH PROBLEM!

     Modes of operation

  15. Design method
     • Advice: include modes of operation into hardware IP module or co-processor:
       - increases the complexity somewhat: more control or instructions are needed
       + CLEAN security partitioning
       + reduces communication overhead and traffic

     Modes of operation: ECB
     • ECB = Electronic code book
     • cipher blocks are independent, thus insertion or deletion of blocks can go undetected
     • block cipher does not hide data patterns
     [Figure: Plaintext M -> BC (Key K) -> Ciphertext C -> BC-1 (Key K) -> Message M]
     • BC = block cipher (e.g. 3DES or AES)
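Added example, not from the original slides: a toy 16-round Feistel cipher showing three points from the DES, TDEA and ECB slides. Decryption reuses the encryption datapath with reversed round keys and never inverts f, the K1=K2=K3 keying option collapses encrypt-decrypt-encrypt to single encryption, and ECB exposes repeated blocks and accepts a deleted block. The hash-based round function and key schedule, the key and the message are constructed for illustration and are not DES.

```python
import hashlib

ROUNDS, HALF = 16, 4   # 16 rounds and 64-bit blocks as in DES; the rest is a toy

def round_keys(key: bytes) -> list:
    # Constructed key schedule (hash-based, not DES PC1/PC2): one subkey per round.
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(ROUNDS)]

def f(right: bytes, subkey: bytes) -> bytes:
    # Non-invertible round function (truncated hash); Feistel never needs f^-1.
    return hashlib.sha256(subkey + right).digest()[:HALF]

def feistel(block: bytes, subkeys: list) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for k in subkeys:
        left, right = right, bytes(a ^ b for a, b in zip(left, f(right, k)))
    return right + left   # final swap makes the network its own inverse

def encrypt_block(block: bytes, key: bytes) -> bytes:
    return feistel(block, round_keys(key))

def decrypt_block(block: bytes, key: bytes) -> bytes:
    # Same datapath as encryption; only the round-key order is reversed.
    return feistel(block, round_keys(key)[::-1])

def ede_encrypt(block: bytes, k1: bytes, k2: bytes, k3: bytes) -> bytes:
    # TDEA-style encrypt-decrypt-encrypt composition over the toy cipher.
    return encrypt_block(decrypt_block(encrypt_block(block, k1), k2), k3)

def ecb(block_fn, data: bytes, key: bytes) -> bytes:
    # ECB: every 8-byte block is processed independently under the same key.
    assert len(data) % 8 == 0, "toy example: no padding implemented"
    return b"".join(block_fn(data[i:i + 8], key) for i in range(0, len(data), 8))

def demo() -> dict:
    key = b"constructed-key"              # constructed sample key
    msg = b"PAY 0100PAY 0100TO ALICE"     # constructed; blocks 0 and 1 are equal
    ct = ecb(encrypt_block, msg, key)
    spliced = ct[:8] + ct[16:]            # ciphertext with block 1 deleted
    return {
        "roundtrip": ecb(decrypt_block, ct, key) == msg,
        "pattern_visible": ct[0:8] == ct[8:16],
        "spliced_plaintext": ecb(decrypt_block, spliced, key),
        "ede_single_key": ede_encrypt(msg[:8], key, key, key) == encrypt_block(msg[:8], key),
    }

if __name__ == "__main__":
    print(demo())
```

The spliced ciphertext decrypts cleanly to a shorter, still well-formed message, which is why ECB needs a separate integrity mechanism or a different mode.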
