PARALLEL ANALYSIS OF THE RIJNDAEL BLOCK CIPHER

Transcription

1 PARALLEL ANALYSIS OF THE RIJNDAEL BLOCK CIPHER Philip Brisk, Adam Kaplan, Majid Sarrafzadeh Computer Science Department, University of California Los Angeles 3532C Boelter Hall, Los Angeles, CA United States of America {philip, kaplan, Abstract In this paper, we present the first theoretical study of the parallelism inherent in the Rijndael Advanced Encryption Standard (AES). We derive the asymptotic sequential runtime for the algorithm and describe two parallel implementations: one that is optimal in terms of time, and another that is optimal in terms of cost (the asymptotic product of time and number of processors required). The cost-optimal implementation sacrifices acceleration to reduce the number of processors required for encryption. Key Words Parallel Algorithms and Architectures, Parallel and Distributed Algorithms, Security and Reliability, Cryptography. 1. Introduction On June 2, 1997, the American National Institute for Standardization and Technology (NIST) proposed a competition for cryptographers all over the world to create a new encryption algorithm to replace the aging and increasingly vulnerable Data Encryption Standard (DES). The new Advanced Encryption Standard (AES) chosen from the competitors was Rijndael [1]. Since becoming the AES, Rijndael has been the focus of countless analyses and has been implemented both in hardware and as software for many different platforms. Although many spatial hardware implementations of Rijndael implement many of its operations in parallel to accelerate runtime, a theoretic analysis of its parallel performance has been heretofore non-extant. Acceleration of encryption algorithms is a crucial step to their deployment on embedded consumer devices (which often have limited computational resources) as well as their employment in protecting large pieces of data (such as entire file systems). Without acceleration, the runtime cost of encryption becomes unwieldy, and many users simply choose vulnerability over the inconvenience of encrypting their data. We propose to increase the convenience and flexibility of encryption by exploring parallel models of computation applied to the Rijndael algorithm. In this work, we identify the most promising models of computation for Rijndael, and also bound the complexity of the algorithm for these models. Additionally, we derive a slightly slower yet cost-optimal implementation of Rijndael for parallel machines. This paper is organized as follows. In Section 2, we describe our cost model and the prefix sum computation, the latter of which plays an important role in our implementation. In Section 3, we describe the Rijndael cipher and analyze its complexity on a sequential machine. In Sections 4 and 5, we present time and cost optimal analyses of Rijndael respectively. In Section 6 we discuss related work, and we conclude in Section Preliminary Discussion and Background Material The purpose of this section is to familiarize the reader with the cost model we use to analyze our parallel implementations of Rijndael (Section 2.1). Additionally, we describe the prefix sum computation (Section 2.2), which mirrors the Key Expansion phase of the Rijndael. Algorithm. 2.1 Cost Model In our parallel analysis, we use the cost model described in [2]. We let n represent the problem size and N represent the number of processors. For any implementation of the algorithm, we let t( be the asymptotic run time of the algorithm and p( = N be the number of processors. The speedup, s(, and cost, c(, of a parallel algorithm are defined as follows: t( p( = 1 s( = (1) t( p( = N c ( = t( p( (2) For an algorithm implemented on a sequential (N = 1) machine, c(=t( and s( = 1. Under this model, cost is equal to the number of steps executed collectively by all processors in solving a problem under the assumption that all processors execute

2 the same number of steps. A parallel algorithm is costoptimal if its cost is within a constant multiplicative factor of a lower bound on the number of sequential operations required to solve the problem. 2.2 Prefix Sum Computation Our description of the prefix sum is based on [2]. Consider an ordered set of processors P 1,, P N, each of which holds a respective value a 1,, a N. For each processor P i, we wish to compute the following value Ai. A i = a j i j= 1 i, 1 i N (3) Intuitively, one would assume that this operation would require exactly N time steps to compute; however an appropriate interconnection network allows this computation to be achieved in O(logN) time. A cost-optimal implementation of the prefix sum computation subject to the following condition is described in [3]: N log N (4) Given n, we can select a value N that satisfies: N = O log n n As reported in [2], the prefix sum computation can be modified to solve similar problems where the addition operation is replaced by any associative binary operation, including multiplication, and the logical operations and, or, and xor/xnor. This property plays allows us to parallelize the Key Scheduling phase of Rijndael. 2.3 The Field GF(2 8 ) In the Rijndael algorithm, each byte is represented as an element of a finite field taken in the classical polynomial representation [1]. The Rijndael cipher makes use of addition and multiplication operations defined for GF(2 8 ). Like their arithmetic and boolean counterparts, we assume that the operations over GF(2 8 ) require constant time. 3. Description of the Algorithm In this section, we summarize the important operations of the Rijndael algorithm and analyze their time complexities on a sequential machine. The description of the algorithm is essentially a summary of Section 4 of the AES Proposal [1]. Rijndael is an iterated block cipher; that is data is encrypted in a series of rounds. During each round, the same basic operations are applied to a fixed (5) number of data (plaintext) and key bytes. To improve the strength of encryption, a different key is used for each round, even though the user is only provided with a single key. In order to generate new keys for each round a key schedule is derived from the original key. Using the key schedule, a round key is generated for each round. Let be the block length (a fixed number of bytes) divided by 32. Let Nk be the key length divided by 32. The block and key lengths are variable; each may be independently specified as 128, 192, or 256 bits (hence and Nk can take the values 4, 6, or 8 respectively). The number of rounds, Nr, is computed as follows: Nr = max(, Nk) + 6 (6) Each transformation of the cipher operates on an intermediate result, which is referred to as the state. The state and key are represented as 4 and 4 Nk rectangular arrays of bytes respectively. Next, we discuss the two primary facets of the Rijndael Algorithm: the Round Transformation (Section 3.1) and the Key Schedule (Section 3.2). Additionally, we analyze the time complexity of a sequential implementation of the algorithm. 3.1 The Round Transformation The Round Transformation involves applying four transformations: ByteSub, ShiftRow, MixColumn, and AddRoundKey. The first Nr 1 rounds apply these transformations in order; the last round, omits the MixColumn transformation. ByteSub: The ByteSub transformation consists of two bit-level operations applied to each byte x in the state. 1. Compute the multiplicative inverse of x in GF(2 8 ). 2. Apply the transformation shown in Figure 1 below. y x0 1 y x 1 1 y x2 0 y3 = x3 + 0 y x4 y x5 1 y x6 y x7 0 Figure 1 An affine transformation over GF(2 8 ). The ByteSub transformation is frequently implemented as a substitution table that is fixed at compile-time. The substitution-table implementation is commonly referred to as an S-Box (see Figure 2). Because the dimensions of the

3 matrix are fixed, either implementation (matrix or tabular) of the ByteSub transformation requires constant time. a 0,0 a 0,1 a 0,2 a 0,3 b 0,0 b 0,1 b 0,2 b 0,3 a 1,1 b a 1,0 a 1,1 a i,j 1,2 a 1,3 S-box b 1,0 bb i,j 1,2 b 1,3 a 2,0 a 2,1 a 2,2 a 2,3 b 2,0 b 2,1 b 2,2 b 2,3 a 3,0 a 3,1 a 3,2 a 3,3 b 3,0 b 3,1 b 3,2 b 3,3 Figure 2 ByteSub implemented as an S-Box Row 0 Row 1 Row 2 Row 3 = = = Table 1 The row offset for the ShiftRow Transformation as a function of a 0,0 a 0,1 a 0,2 a 0,3 b 0,0 b 0,1 b 0,2 b 0,3 a 1,j b Mix- 1,j a 1,0 a 1,1 a 1,2 a 1,3 b 1,0 b 1,1 b 1,2 b Column 1,3 a 2,0 a 2,1 a 2,2 a 2,3 b 2,0 b 2,1 b 2,2 b 2,3 a 3,0 a 3,1 a 3,2 a 3,3 b 3,0 b 3,1 b 3,2 b 3,3 Figure 3 The MixColumn Transformation b a0 b1 = a1 b a2 b a3 Figure 4 The matrix used for the MixColumn Transformation KeyExpansion( byte Key[4Nk], word W[(Nr+1)] ) { } a 0,j a 2,j a 3,j for( int j = 0; j < Nk; j++ ) W[j] = ( Key[4j], Key[4j+1], Key[4j+2], Key[4j+3] ); for( int j = Nk; j < (Nr + 1); j++ ) { word temp = W[j 1]; if( j % Nk == 0 ) temp = SubByte(RotByte(temp)) ^ Rcon[j / Nk]; else if( Nk > 6 && j % Nk == 4 ) temp = SubByte(temp); W[j] = W[j Nk] ^ temp } Figure 5 The Key Expansion Algorithm ShiftRow: The ShiftRow transformation involves cyclically shifting the rows of the state by a different offset per row, depending on. These operations are illustrated in Table 1. During each shift operation, each byte in rows 1, 2, and 3 must be sent from one processor b 0,j b 2,j b 3,j to another. We assume that this process (reading/writing) requires constant time. MixColumn: The MixColumn transformation treats each column in the state as a vector of bytes (see Figure 3) and multiplies each vector by a constant matrix (see Figure 4). Since the size of the matrix is fixed, this operation can trivially be shown to require constant time. AddRoundKey: The AddRoundKey transformation applies a bitwise xor operation to each byte in the state and each byte in the round key a constant time operation. Although the block length () and the original key length (Nk) need not be equal, the length of the round key is as a consequence of the Key Schedule. Lemma 1: For the Round Transformation implemented on a sequential machine, t( ) Proof: The ByteSub, ShiftRow, and AddRoundKey Transformations must be applied to every byte in the state; the MixColumn Transformation must be applied to each column in the state. Since the state contains 4 bytes and columns, t( ) since each transformation requires constant time. 3.2 The Key Schedule Key Expansion: The expanded key is a linear array of (Nr+1) 4-byte words, represented as an array, W. The first Nk words contain the original key; all other words are defined recursively in terms of previous words. A sequential implementation of the Key Expansion algorithm is shown in Figure 5. The Key Expansion scheme makes use of two functions, SubByte and RotByte, and an array of bytes, Rcon. SubByte is a function that returns a 4-byte word in which each byte is the result of applying the Rijndael S-box (see Figure 2) to the byte at the previous position in the input word. RotByte performs a cyclic permutation of the bytes in its input. For example, applying RotByte to input (a, b, c, d) yields output (b, c, d, a). Rcon is a constant array of 30 bytes whose contents are known at compile-time. Round Key Selection: The round key for the ith round is given by the Round Key Buffer words W[ i] through W[ (i+1)-1]. Round key sizes are chosen to be equal to, the number of bytes in the state in order to properly implement the AddRoundKey Transformation (Section 3.2). Lemma 2: For the Key Scheduling Algorithm on a sequential processor, t( Nr ). Proof: Both the Key Expansion and Round Key Selection algorithms perform a linear traversal of array W, which has (Nr + 1) elements. All of the operations in the Key Expansion require constant time. Round Key Selection does not perform any actual operations on W

4 other than marking specific bytes as boundaries for round keys. Therefore, t( Nr ). Theorem 1: For the Rijndael Algorithm implemented on a sequential processor, t( Nr ). Proof: From Lemmas 1 and 2, the time complexity of the Round Transformation and Key Scheduling Algorithms are O() and O(Nr ) respectively. The cipher requires us to apply the Round Transformation Nr times. Therefore, t( Nr ). 4. Time-Optimal Parallel Analysis In this section, we describe a time-optimal parallel analysis of the Rijndael Algorithm. In this approach, we maximize the parallelism in both the Round Transformation (Section 4.1) and the Key Expansion (Section 4.2) independently; in Section 4.3, we show that this implementation fails our cost-optimality criterion. 4.1 Round Transformation To parallelize the Round Transformation, we observe that we can fully parallelize each of the four component transformations. We let p( = 4 ; that is, each processor holds one byte in the state. The ByteSub and AddRoundKey Transformations can be applied to each byte in the state in parallel; similarly, the MixColumn Transformation can be applied to each column in the state in parallel; and finally, the ShiftRow operation can shift all bytes in parallel. To implement the MixColumn Transformation, one processor per column is selected to perform the computation; the other processors send and receive values to/from this processor in at most 3 steps. The designated processors perform the computation in parallel. To implement the ShiftRow Transformation, each processor in rows 2, 3, and 4 must communicate with exactly two neighbors in the same row. Each processor will send its byte to one processor, and receive a new byte from another. Lemma 3: If p( = 4, then the time complexity of performing all Round Transformations is: t( p ( ) Nr) (7) Proof: The ByteSub, ShiftRow, MixColumn, and AddRoundKey Transformations may be applied to every byte in the state in parallel. In Section 3.1, we established that all of these operations require constant time. Therefore, a single Round Transformation requires constant time. Since Nr Round Transformations are applied during the cipher, (7) holds. 4.2 Key Schedule At a first glance, it may appear that the Key Expansion algorithm is not parallelizable. In the second for-loop, W[j] is directly dependent on W[j-1] and W[j-Nk]. Upon a closer analysis, we observe that all of the mathematical operations involved in the Key Expansion are associative (refer to Figure 5). Therefore, we can parallelize the Key Expansion algorithm using a methodology analogous to the prefix sum computation described in Section 2.2. In order to satisfy Equation (4), we let: n = ( Nr + 1) Nr) (8) Nr N = O (9) log( ) + log( Nr) Note that n represents the number of bytes in the expanded key and is fixed; N represents the number of processors. These values maximize the achievable speedup for the Key Expansion. The Key Selection phase could be reduced to constant time if we let N Nr ); however, the time complexity of the Key Schedule would be limited by the time complexity of the Key Expansion. Lemma 4: Suppose that p(. Then the time complexity of the Key Scheduling algorithm is: t( p ( log + log Nr) (10) Proof: Observe that N has been selected such that (5) (see Section 2.2) has been satisfied. Then, the prefix sum computation on an N-processor network can be solved in t( logn) time (see Section 2.2). (10) is established by substituting (9) for N. 4.3 Speedup and Cost Theorem 2 below establishes the time complexity of the time-optimal analysis. Note that the time complexity of the Key Schedule dominates the time complexity of the Round Transformation. Corollaries 1 and 2 establish the speedup and cost of the time-optimal algorithm. Theorem 3 proves that the time-optimal algorithm is not cost optimal. Theorem 2: For the time-optimal implementation of Rijndael: t( p ( Nr) (11) Proof: Considering (6), we obtain:

5 Nr 6 Nr) (12) Corollary 3: If p(, then the Round Transformation is cost-optimal. Combining Lemmas 3 and 4 in conjunction with (12), (11) is established trivially. Corollary 1: The speedup obtained from the time-optimal implementation of Rijndael is: Proof: Immediate from Lemma 5 and (16). Recall that problem size n Nr). 5.2 Key Schedule s( p ( ) (13) Lemma 6 establishes the cost-optimality and timecomplexity of the Cost-Optimal Key Schedule under (15). Corollary 2: The cost of the time-optimal implementation of Rijndael is: Lemma 6: Let p(. Then there is a cost-optimal implementation of the Rijndael Key Schedule with time complexity: 2 Nr c( p ( = O (14) t( ( log ) log( ) + log( Nr) p ( = O Nr (17) Proof of Corollaries 1 and 2: Immediate from Theorem 2 taken in conjunction with (9). Theorem 3: The time-optimal analysis of Rijndael fails our cost-optimality criterion. Proof: Immediate from Theorem 1 and Corollary Cost-Optimal Parallel Analysis To achieve cost optimality, we reduce the number of processors at the expense of increased time complexity. We fix the number of processors, denoted N, to be: Proof: First, we prove that that (4) holds if p(. Let k be a constant. N log N k log log log (18) k log (19) log = k ) (20) = O ( Nr ) (21) N = O log (15) Therefore (4) holds. The prefix sum computation on an N-processor 5.1 Round Transformation network can be solved in t( logn) time (see Section 2.2); however, the construction of this proof indicates that this holds for inputs of size n = ; therefore, we must apply this computation Nr times to complete the key schedule. The time complexity is: If (15) holds, then each processor is responsible for log bytes of state, as opposed to 1 byte for the time-optimal implementation. As a result, the time complexity of the Round Transformation increases, as is illustrated by Lemma 5. Corollary 3 establishes cost-optimality of the Round Transformation. t ( Lemma 5: If p(, then the time to apply all Round Transformations has time complexity: O ( Nr log ) t( p ( Nr log ) (16) = Nr O log (22) log = (23) 5.3 Speedup, Cost, and Cost-Optimality Proof: All of the processors can still perform their computations in parallel during the Round Transformation; however, each processor must perform log constant-time operations. Since this must be done over Nr rounds, (16) holds: Theorem 4 establishes the time complexity of the Cost- Optimal analysis. Note that the time complexity of the Key Schedule dominates the time complexity of the Round Transformation. Corollaries 4 and 5 establish the speedup and cost of the Cost-Optimal analysis. Theorem 5 proves that this analysis is in fact cost-optimal.

6 Theorem 4: Let p(. Then the time complexity of Rijndael is: t( p ( Nr log ) (24) Proof: Immediate from Lemmas 5 and 6. Corollary 4: The speedup obtained from the cost-optimal implementation of Rijndael is: s( p( = O (25) log Corollary 5: Let p(. Then the cost of Rijndael is given by: c( O( Nr) (26) p ( = Proof of Corollaries 4 and 5: Immediate from Theorem 4 taken in conjunction with (15). Theorem 5: If p(, then Rijndael achieves costoptimality. Proof: Immediate from Theorem 1 and Corollary Related Work This work is the first to formally analyze Rijndael and its acceleration through parallel computation. Previously, much study has been invested in parallelizing Rijndael for hardware implementation. One attractive hardware platform for Rijndael execution is reconfigurable logic. On such devices, Rijndael s keylength and block-length can be dynamically reconfigured to achieve different levels of security/performance for different situations. Karri and Kim presented an 8-bit FPGA implementation of the 128-bit block/key Rijndael algorithm in [4]. In this work, Rijndael was able to achieve an encryption throughput of 7.8 Mbits per second on a 13.7 MHz processor. However, not all stages were given fully parallel hardware implementation. For instance, although the round-key scheduler stage saved memory (as it performed key scheduling on the fly), it did not take advantage of the logarithmic xor implementation that our work proposed. Another reconfigurable implementation of Rijndael was discussed in [5]. They achieved throughput of 11 Gbits/second on a Xilinx Virtex3200E running at 92 MHz by unrolling and pipelining the 10 rounds of their implementation. Henry Kuo et.al from UCLA s Electrical Engineering Department implemented a 2.29 Gbits/second, 56 mw Rijndael implementation in CMOS technology without using a pipelined round structure [6]. This work was the first ASIC encryption core implementation of Rijndael. In this work, as in [4], round keys are generated on-the-fly, reducing reliance upon memory to store these values. 7. Conclusion In this work we provided the first formal study of the Rijndael encryption standard, specifically targeting asymptotic speedup through formal implementation. We identified models of computation for each stage of the Rijndael block cipher, and combined these to demonstrate a potential speedup of O() for each block. Additionally, we derived a cost-optimal implementation of Rijndael for parallel machines, which was still accelerated with a speedup of O( / log). In order to ensure public acceptance of security through cryptographic encryption of sensitive data, encryption algorithms must be made as fast and lightweight as possible, while retaining their security. In the near future, the deployment of encryption algorithms on embedded consumer devices will enable significant acceleration of encryption algorithms via parallel implementation. References [1] J. Daemen & V. Rijmen, AES Proposal: Rijndael, document version 2: ocv2.zip, [2] S. G. Akl, The design and analysis of parallel algorithms (London: Prentice-Hall, 1989). [3] H. Meijer & S. G. Akl, Optimal computation of prefix sums on a binary tree of processors, International Journal of Parallel Programming, 16(2) [4] R. Karri & Y. Kim, Field programmable gate array implementation of advanced encryption standard Rijndael: Submitted For Publication. [5] F. Standaert, G. Rouvroy, J. Quisquater, & J. Legat, A methodology to implement block ciphers in reconfigurable hardware and its application to fast and compact AES RIJNDAEL: Proc ACM/Sigda International Symposium on Field Programmable Gate Arrays, Monterey, CA, 2003, [6] H. Kuo, I. Verbauwhede, & P. Schaumont, A 2.29 gbits/sec, 56 mw non-pipelined Rijndael AES encryption IC in a 1.8V, 0.18 µm CMOS technology: Proc. IEEE Custom Integrated Circuits Conference, Orlando, Florida, 2002.