2 Algorithm Description

Transcription

1 An implementation of Rinjdael algorithm through programmable logic devices J.E. Muñoz, A.J. Yuste,.J. Sanchez-Roselly, S.G. Galan Departamento de Electrónica Universidad de Jaén Alfonso X El Sabio, Linares (Jaen) SPAIN Abstract: - This paper describes an implementation of the Rijndael(v.2) ciphered algorithm. Hardware implementation uses a programmable logic device (PLD) manufactured by ALTERA. Concretely, it is considered a LEX10K family device. Its main feature is to enclose EAB blocks, useful to bring about the necessary tables for the development of the algorithm. This realization uses a distributed control to chain multiples units with the purpose of increasing the bits rate. Key Words: - Block Cipher. State. Round. Byte Transformation. Key Addition. Distributed Control. 1 Introduction In 1996, NIST started works forward the consolidation of a standard in advanced ciphered (Advanced Encryption Standard, AES). Its objective was the development of a specification to find an cipher algorithm that substitute the current ones, i.e. DES, so that the new algorithm will be capable of protecting the sensitive information of the citizens and of the government over the XXI century. It is hoped that the selected algorithm will be used by the Government of United States and by private sectors, in substitution of DES. It is expected that the rest of the world would adopt it. In October 2000, NIST announced the winning algorithm: Rijndael, the Belgian Vincent Rijmen and Joan Daemen proposed it. Rijndael it is a block cipher algorithm that operates with blocks and keys of different length that can be specified to 128, 192 or 256 bits. The objective of this work is the implementation of the "Rijndael(v.2) ciphered algorithm through a programmable logic device (PLD). Concretely, it has been considered a device of the family LEX10K(Altera). irst, a study of the algorithm and component blocks was carried out in order to implement the cipher and its inverse. It is a symmetrical private key system (based on the utilization of a secret key), so it will be necessary to accomplish a key planning. In order to achieve these proposes, a iterative program will be developed, in every iteration or round, it will generate derived keys from a given initial key (and its inverse). 2 Algorithm Description Rijndael is a block cipher algorithm with flexible block and key length. The possible values are 128,192 and 256 bits. The information to cipher is block decomposed, on these blocks some transformations are applied. Different functions have been programmed for the realization of these transformations: - Bit mixing. It works a linear combination between block bits. - Byte transformation. It is a non-linear value assignment for the different byte combination. - Key addition. It accomplishes a XOR function between block bits and key bits. The result of applying the different transformations on a block is called state. The different states generated can be represented using a byte matrix, each byte matrix has four rows. The number of columns is equal to the length of the block divided by 32, and it is designated as Nb. The number of columns varies according to the length of the block that it is being handled, thus for the different lengths we can select, it exists the following values of Nb:

2 Table I BLOCK LENGHT (NB) NUMBER O COLUMNS (Nb) This discussion also applies for the key, but in this case, the number of columns is named Nk, instead of Nb. An example for Nb=4 (128 bits of block) and Nk=4 (128 bits of key length) is: KeyAdition(state, keyiter) or ( i=1; i<nr; i++) { ByteSub(state); ShiftRow(state); MixColumn(state); KeyAdition(state, keyiter); } ByteSub(state); ShiftRow(state); KeyAdition(state, keyiter); Table II a 0,0 a 0,1 a 0,2 a 0,3 a 1,0 a 1,1 a 1,2 a 1,3 a 2,0 a 2,1 a 2,2 a 2,3 a 3,0 a 3,1 a 3,2 a 3,3 The first step in order to cipher a data block using Rijndael, is to make an initial key addition, performing an XOR operation with operands equal to the data block. Afterward, a series of regular iterations are carried out, and at last, a final iteration is brought out without MixColumn. Table III k 0,0 k 0,1 k 0,2 k 0,3 k 1,0 k 1,1 k 1,2 k 1,3 k 2,0 k 2,1 k 2,2 k 2,3 k 3,0 k 3,1 k 3,2 k 3,3 The text bytes not ciphered correspond with the bytes a i,j of the byte matrix following this order a 0,0, a 1,0, a 2,0, a 3,0, a 0,1, a 1,1, a 2,1, a 3,1, a 0,2., and the key bytes are the corresponding with: k 0,0, k 1,0, k 2,0, k 3,0, k 0,1, k, 1,1, k 2,1, k 3,1, k 0,2 When the process completes, the bytes are extracted in the same order. The number of iterations is named as Nr and it is a function of the block length and the key, that is, it is function of Nb and Nk. or different values of theses variables, we have the following number of iterations: Nr Nb=4 Nb=6 Nb=8 Nk= Nk= Nk= Table IV The implementation, that is being designed, works with a Nb value equal to 4. The blocks are 128 bits sized. The cipher algorithm has the following structure: The functions carried out in the cipher algorithm are: - KeyAdition: it implements the XOR operation between the key and data or state block. The key length is 128 bits, but an appropriate calculation provides a key of bits, 128 bits for the first XOR operation (this operation is performed with the original key) and 128 bits for each iteration. The key expansion is not hardware calculated because it does not frequently change. Before the cipher process, the key is saved into a ROM, and it will be loaded in the beginning of the KeyAdition. - ShiftRow: the four block rows are shifted to the left sequentially 0,1,2 and 3 positions. - ByteSub: All the bytes are altered by a non-linear function. - MixColumn: A linear function is applied to each column of the block. This function is a multiplication with a fixed polynomial on G(28), module x This step is omitted in the concluding iteration. or the inverse cipher, the same algorithm is employed, nevertheless, the weak variations from the direct cipher are specified in the next section. 3 Algorithm Implementation In the project implementation, the cipher algorithm and its inverse were developed. A 128 bits size was selected for both the block and key. The system is

3 MIXCOL E_S SHITROW SEL_SBOX SBOX D[63..0] MIXCOL MUX KEYADITION IRST RESET ENCRYP IN CK UCONTROL M S AKEY[6..0] CELL[3..0] igure 1: Cipher System made up using blocks; each one is associated with a specific function. The most important elements carry out the transformation functions that are applied to the block, these are shift_row, mixcol and key_adition. The general cipher system structure is shown in the igure 1. The elements that constitute the cipher implementation are the following ones: e_s: this block useful for performing the input/output function. This device has a two-way bus of 64 bits, d[63..0]. shift_row: this part implements the ShiftRow(state) function. sel_sbox: it is an intermediate module, that works coupling the input to the sbox block. Its role is to select the two bytes that will be applied simultaneously to the transformation sbox. sbox: this part implements the ByteSub(state) transformation. It is 256 bytes memory saved table. Sbox transforms two bytes concurrently. mixcol: this block function is the accomplishment of the MixColumn(state) transformation. In figure 1, two modules mixcol appear, the reason is the simultaneous application of the transformation on two bytes. first: this part selects the data that will be XOR added in the key_adition block. It selects the data from different sources: e_s block, sbox (in the last iteration) or mixcol (in a regular iteration). key_adition: this block contains the various keys used in the different iterations. It implements XOR operation between the 32 first s bits and their corresponding keys. mux: it is in charge of selecting data source. It chooses if the records that store the block will be loaded from the external data bus, or they are the result of the key_adition function. ucontrol: this part generates the control signals, it sequences the different actions that must be carried out on the blocks to obtain the correct system operation. The block 128 bits will not be loaded at the same time. In order to process the block, a 64 bit subsets are taking. Initially, the 64 bits less meaningful of the block will be loaded and afterwards, the higher 64 bits. 3.1 Control unit This module generates the system control signals. It sequences the actions to accomplish for the execution of the cipher algorithm.

4 f1 cell(3..0 CELL_EQU4_8 RES R(3..0) clr S s cella(3..0 f1 cell(3..0 nac CELL_EQU4_8 RES R(3..0) CELL_EQU5_9 LDL CELL(3..0) NACK LDH ldmix ldl ldh rese encry in ck RESET ENCRYP IN CK M CELL(6..0) 0 AKEY(6.0) 1 m f cella(6..0 f1 D_LATCH akey(6..0 f3 cell(3..0 nac CELL_EQU9 SUMA CELL(3..0) NACK LDSH suma ldsh 2 3 ACK NACK f2 f3 ac nac D_LATCH cell(6..0 igure 2: Control Unit This block generates four phases (, f1, f2, f3) that act as signals to the sequencer. It also originates the signals S, M, used to select the data sources in blocks. Other signals generated by the ucontrol are cella[3..0] and akeya[6..0]. These ones are equal to cell[3..0] and akey[6..0] that are signals that will be presented below. The only one difference between these two groups is a clock cycle out-of-phase each other. The blocks appointed with cell_equ generate the signals clr, ldmix, sum, ldsh. These part also originate the signals ldl and ldh, which are in charge of storing in e_s the new state. The signals grouped as cell[3..0] are used for different end. That is: - cell[2..0] select the two bytes that are going to be transformed into the function sbox, - cell[1..0] act as a coefficient selector, the number generated is multiplied by a mixcol byte and it is also used for directional proposes on the key_adition module reports. - cella2 is entrusted with selecting between 64 bits more meaningful or the 64 lower ones, in the first key_adition block iteration the choose group will be added. In this module, an account of the signal cell[3..0] is carried out, this account is a parameter that will be used to bring about different signals. The following blocks generate these signals: - cell_equ_4_8: when cell[3..0] yields 4 or 8 and the signal f1 equals 1, the sign clr will be activated, this condition will cause the erase of the accumulated value in the mixcol biestables. In a similar way, when cella[3..0] yields 4 or 8 and the sign equals 1, signal ldmix activates, causing the mixcol bytes propagation to the rest of the blocks. - cell_equ_5_9: ldl signal will be turned on when f1=1, cell[3..0]=5 and nack=1. ldh signal will switch on when f1=1, cell[3..0]=9 and nack=1. - cell_equ_9: when half of the rising up of cella[3..0] signal occurs adds signal will be generated. When that account is halved, the data in mixcol is already found at the entry of the biestable. adds signal is equal to f3 as long as cell[3..0] will be different from 8 and 9, in whose case this signal will yield zero. ldsh signal will be activated under the following condition: cell[3..0]=9, f3=1 and nack=1. This signal originates a change towards a new state. We have designed the system for to reach 9 counts, due to the fact that data will not be processed on 8 cycles cell[3..0] signal. akey[6 0] signal will be used to carry the cycles account needed in the cipher process, and depending on this account value the group of signals, M or S will activate. The generation of akey[6..0] signal is not coupled, that is, these signs appear toward the end of the phase f1, but they are not used below. They are stored in a record and they will act in the following phase,. In this way, when a phase began using a given group of akey signals, simultaneously, the generation of the

5 following group of signals is carried out. This fact causes an overlapping that improves the yield of the system: with the beginning of a new phase, the states machine evolved, it is generated a new future combination of akey and cell, and meanwhile the data go evolving by the system. 3.3 Mixcol This block is in charge of the implementation of MixColumn(state) function. This transformation consists on multiplication operation on each of the bytes of a column by a coefficient and afterwards, an XOR sum is performed between the said product results. All these operations turned out a new byte. The mixcol block implements the MixColumn(state) function as long as the entry signal M equals 1. In the opposite case, the signal S is the one that equals 1, and the mixcol block will successively load bytes that are going to generate sbox in the corresponding bi bytes records taking into account the transformation. This is due to the fact that in the last iteration of the algorithm, it is not necessary to make the said transformation. This transformation arises from the following counterfoil: igure 3: Control Unit Signals Simulation 3.2 key_adition The main function of this block is to store the key generated when iteration occurs. The implemented device does not calculate a key. Working on given key, new keys are derived; the information accomplished is internally saved. This data is saved as a 32 bits broad of band report. The reasons to chose this implementation strategy are: - Integration space. It is cheaper to implement a table than a calculation key hardware. On the other hand, this calculation was demoting the algorithm speed, unless a high degree of parallelism is used. - Security. The fact of using an encapsulated key gives rise to a secure robust device. If the key were introduced from the foreign, it would be vulnerable because the foreign will access the data bus. This information is added to the one that comes of first and the result enters the module mux, being at the point e_s, where it will be stored and later, it will cause a new block or state. b b b b = a0 a1 03 a 2 02 a3 The bytes transformed by sbox block enter this function. Each iteration produced in sbox generates 4 new bytes from a 4 bytes entry. Those new 4 bytes are mixcol part result. The remarkable features of the refereed counterfoil are the following: when the first byte, a0, gets in, it is multiplied by '02' and stored in the intended record for b0 harbor. In parallel way, a0 is multiplied by '' and saved in the internal record used to build b1. On the same way, it will be multiplied by '' to be stored in the record to be later used by b2, the result of multiplying operation by '03' will be saved in the internal record for b3 use. When the second byte, a1 arrives, it will be multiplied by '03' and the turned out result will be XORed with the value stored in b0, this value will be stored in b0. At the same time, it will be multiplied by '03', '' and '', and the same process will be accomplished. The hole can be resumed as follows, when the following bytes arrive, they are multiplied by the coefficient that corresponds and are saved in their exit records, making a XOR with the value previously stored. When the four bytes have arrived, the bytes b0 to b3 are not yet created.

6 This block is more complex one implemented in the system. While the sbox bytes are obtained, they are pushed into the mixcol modules. Each time a 4 bytes goup originated in sbox enter to each Mixcol module, 4 new bytes are generated, constituting the output of Mixcol part. As two mixcol blocks forms the system structure, during each 4 clock cycles, 8 bytes will be processed (4 bytes of each Mixcol), so it will take 8 clock cycles to transform the 16 bytes that constitute a complete block. 4 Results or a 128 block and key length, that have been treated in the project, and with a clock of 12 nseg (83.3 MHz), it takes only 5.3 microseg, giving bit rate of 24.2 Mbps. or inverse, the bits rate obtained is 20.8 Mbps. It is a strong algorithm, difficult to break. The keys are saved into the device, there is no external access to them. This fact guarantees the system safety. If the cipher process is built using a software implementation, the key will be placed in memory or in a secondary device, and it will be susceptible of being intercepted. Nevertheless, there are some hidden mechanisms (for example if the algorithm is implemented in a computer), but the implementation will not be totally secured. The current design can be easily expanded to a greater block size, i.e, for a 256 bits block size, some of the functional units must be multiplied by 2. The control will not need any modification.. The cipher structure can be used for any block length, if the new system byte size is a 4 multiple of the actual one, with a minimum of 4 bytes. The KeyAdition and ByteSub transformations are independent of the block length. The only transformation that depends on the block length block is ShiftRow. or block length, an array with the shift rows that take place must be defined. A parallel processing, in order to code information, is accomplished using multiple devices. or this purpose, it is necessary to distribute the control signals over the resulting system. One device will act as "master" and it will generate the control signals. These control signals will have access to the external bus (control bus). The rest devices will not implement control unit, instead, they will have some input control pines. An example of this is that with this plan is shown in figure 4, if is had 4 devices, the speed of ciphered would be four times the actual codification speed, for example, using the actual implementation, we will obtain 96,2 Mbps. If change actual block lenght, 128 bits, to 256 bits, we will get an speed equal to 193,2 Mbps. MASTER CONTROL UNIT PLD1 SLAVE PLD3 CONTROL SIGNALS CONTROL SIGNALS={SUMA, 2, 1, 0, CELL, AKEY, CLR,LDMIX,LDSH,,M,S,LDL,LDH} igure 4: Parallel process configuration with distributed control SLAVE PLD2 SLAVE PLD4 4 Conclusions - Rijndael version v2 has been presented as an excellent algorithm to be hardware integrated, in this case we have proposed a programmable logic device realization. - The system implementation using tables simplifies the complexity and the size of the design in a high degree. - The design is expandable: the each iteration transformations are accomplished in parallel, this is an important advantage for future processors and hardware devoted systems. - The design permits the variations on the specifications, block length as well as key can range from 128 to 256 bits in steps of 32 bit. - Though the number of iterations of Rijndael is fixed in the specification, it can be a variable parameter in the event of improving security. - Rijndael is a very fast algorithm. - The system safety increases, if the keys are implemented inside the cipher. - Key changes are easy affordable. References: [1] Joan Daemen, Vicent Rijmen, AES Proporsal: Rijndael v2. September 1999 [2] ALTERA. lex 10K embedded programmable logic family. Data Sheet v.3. May 1999 [3] ALTERA. MAX+PLUS II Getting Started v.8.1. September 1997.