Implementation and Performance analysis of Skipjack & Rijndael Algorithms

Transcription

1 Implementation and Performance analysis of Skipjack & Rijndael Algorithms By Viswanadham Sanku 1 Topics Skipjack cipher operations Design principles & cryptanalysis Implementation & optimization Results Rijndael cipher operations Design principles & cryptanalysis Implementation & optimization Results Problems encountered Conclusions 2 1

2 Skipjack cipher operations Background Skipjack is a block cipher designed in 1993 by NSA Unclassified on June 2th, bit block size and 8-bit key 32 rounds, composed of round functions Two round functions RuleA, RuleB and their inverses (decryption) Key expansion Each of the 32 rounds uses byte subkey 1 byte key is repeated itself to make it 128 byte 3 Skipjack cipher operations ENCRYPTION 6 bits DECRYPTION 6 bits 8 Rounds (Rule A) 8 Rounds (Rule B -1 ) 8 Rounds (Rule B) 8 Rounds (Rule A -1 ) 8 Rounds (Rule A) 8 Rounds (Rule B -1 ) 8 Rounds (Rule B) 8 Rounds (Rule A -1 ) 6 bits 6 bits 2

3 Skipjack cipher operations RuleA RuleB G G Counter Counter RuleA -1 RuleB -1 G -1 G -1 Counter Counter 5 Skipjack cipher operations G Permutation G -1 Permutation g1(high) g2(low) g1(high) g2(low) CV k CV k3 CV k1 CV k2 CV k2 CV k1 CV k3 CV k g1(high) g2(low) g1(high) g2(low) 6 3

4 Design principles & cryptanalysis Design Principles Symmetry in encryption & decryption protects against choosen plaintext and chosen ciphertext attacks. Not too much Symmetry Symmetry is broken with round counters. protects against symmetry based attacks 8-bit Key Effective size against differential & linear attacks Cryptanalysis Less diffusion in B rounds and A -1 rounds Bad interactions between the round-types A one bit difference in input to the Table may cause a difference of only one bit in its output Eli Biham had shown an attack on 31 round skipjack using impossible differentials Less security margin 7 Implementation & optimization Implementation Implemented with MS VC (Windows) and gnu C (Linux) Implemented in ECB, CBC, CB, OB and CTR modes in 6-bit mode Used PKCS#5 padding Pad the input by appending 8 - (n mod 8) bytes to the end of the message, each having the value 8 - (n mod 8), the number of bytes being added Implemented KAT, MCT tests to verify the correctness of the implementation Optimization techniques Operations on integers, except Gfunction. Int oprations are faster than other types. Unroll the rounds #define macro substitutions. Reduces run-time overtime of function call With prior key knowledge, subkey table representing the Gpermutaion function ftable[inbyte ^ keybyte] Data movement can be minimized by rotating the names of variables w1,w2,w3, w instead of the contents. (Note: last two techniques not used in my implementation) 8

5 Results 35 MHz Pentium II, Visual C 5 MHz Pentium III, GNU C Viswanadh Sanku Mark T illotson Mark optimized Encrypt D ecrypt Viswanadh Sanku Mark T illotson Mark optimized Encrypt D ecrypt 9 Results 35 MHz Pentium II, Visual C (ilesize: 51 Mbytes) Enc (cycle) Enc (clock) D ec (cycle) Dec (clock) 1 ECB CBC CB OB CTR 1 5

6 Results 1 35 MHz Pentium II, Visual C bit count Diffusion in Encryption Input (x..) Key(x..) Rounds Diffusion 6 2 ECB MCT CBC MCT Encrypt D ecrypt bit count Diffusion in Decryption Input (x..) Key(x..) Diffusion Rounds 11 Rijndael cipher operations Background Rijndael is a block cipher designed Joan Daemen and Vincent Rijmen Selected as proposed AES by NIST. Will be official sometime spring 21 Keys lengths of 128, 192, or 256 bits and blocks lengths of 128, 192 or 256 bits are supported Block length and key length can be extended to multiples of 32 bits Number of rounds depend on block and key lengths Each round transformation is composed of four different transformation, ByteSub, ShiftRow, MixColumn and AddRoundKey, except the final round, which does not have MixColumn. Intermediate cipher result is called the State. Number of rounds = Max(NB, NK) 6 NB = # of 32-bit blocks in input block NK = # of 32-bit blocks in key 12 6

7 Rijndael cipher operations Encryption 128/192/256 bit block Key Addition 128/192/256 bit round key Round Transformation 128/192/256 bit block ByteSub MAX(NB,NK) - 1 Round Transformations inal Transformation 128/192/256 bit cipher ShiftRow MixColumn AddRoundKey 128/192/256 bit round key inal Transformation 128/192/256 bit block ByteSub ShiftRow AddRoundKey 128/192/256 bit round key 13 Rijndael cipher operations Decryption 128/192/256 bit block Key Addition 128/192/256 bit inverse round key Inverse Round Transformation 128/192/256 bit block Inv ByteSub MAX(NB,NK) - 1 Inv Round Transformations Inv ShiftRow Inv MixColumn Inv inal Transformation 128/192/256 bit cipher AddRoundKey 128/192/256 bit inverse round key Inverse inal Transformation 128/192/256 bit block Inv ByteSub Inv ShiftRow AddRoundKey 128/192/256 bit inverse round key 1 7

8 Rijndael cipher operations ByteSub ShiftRow MixColumn Uses Galois field arithmatic Inverse ByteSub uses inverse S-box Inverse ShiftRow shifted in other direction or MixColumn c(x) = 3 x 3 1 x 2 1 x 2 or InverseMixColumn d(x) = B x 3 d x 2 9 x E Key Expansion Expanded key size = NB * (NR1) Each round key consists of next NB 32-bit blocks taken from expanded key Inverse round key is obtained by applying InvMixColumn to all Round Keys except the first and the last one. 15 Rijndael cipher operations Round Transformation 16 8

9 Design principles & cryptanalysis Design Principles Symmetry in encryption & decryption protects against choosen plaintext and chosen ciphertext attacks Linear-mixing layer (ShiftRow & MixColumn) which gaurentees high diffusion and Non-linear S-boxes. Protects against linear and differential cryptanalysis. Non-eistel round transformation. Cryptanalysis Rijndael has adequate security margin, against linear and differential cryptanalysis, as well as other type of attacks Square attack can be used to break 7 rounds of the cipher Niels erguson showed attacks on 8 rounds of cipher for key sizes 192 & 256 bits 17 Implementation & optimization Implementation Implemented with MS VC (Windows) and gnu C (Linux) Implemented in ECB, CBC, CB, OB and CTR modes for 128-bit input block and 128/192/256 bit- key sizes Used PKCS#5 padding Pad the input by appending 8 - (n mod 8) bytes to the end of the message, each having the value 8 - (n mod 8), the number of bytes being added Implemented KAT, MCT tests to verify the correctness of the implementation Optimization techniques #define macro substitutions. Reduces run-time overtime of function call Use pre calculated tables in place of (ByteSubShiftRowMixColumn) Transforms 18 9

10 Implementation & optimization Optimization technique Prepare (ByteSub ShiftRow MixColumn) transform Tables a b c d a1 b1 c1 d1 a2 b2 c2 d2 a3 b3 c3 d3 S-box A B C D A1 B1 C1 D1 A2 B2 C2 D2 A3 B3 C3 D3 Shift A B C D B1 C1 D1 A1 C2 D2 A2 B2 D3 A3 B3 C3 M i x 2A ^ 3B1 ^ C2 ^ D3 A ^ 2B1 ^ 3C2 ^ D3 A ^ B1 ^ 2C2 ^ 3D3 3A ^ B1 ^ C2 ^ 2D3 Table1 = S(2X) S(X) S(X) S(3X) Table1 19 Results 35 MHz Pentium II, Visual C 5 MHz Pentium III, GNU C Viswanadh Sanku Rijmen Vincent Brian Gladman Enc-128 bit key Dec-128 bit key Enc-192 bit key Dec-192 bit key Enc-256 bit key Dec-256 bit key Viswanadh Sanku R ijm en Vincent Enc-128 bit key Dec-128 bit key Enc-192 bit key Dec-192 bit key Enc-256 bit key Dec-256 bit key (Note: Brian Gladman implementation for GNU C compiler is not available) 2 1

11 Results Cycles 35 MHz Pentium II, Visual C Key setup (clock cycle count) Viswanadh Sanku 7326 Rijmen Vincent Brian Gladman 128 bit key 192 bit key 256 bit key Speed 5 MHz Pentium III, GNU C Key setup (Mbits/sec) Viswanadh Sanku Rijmen Vincent 128 bit key-enc 128 bit key-dec 192 bit key-enc 192 bit key-dec 256 bit key-enc 256 bit key-dec (Note: Key setup cycles for implementations by Viswanadh & Rijmen is total cycle count for encryption key setup and decryption key setup) (Note: Brian Gladman implementation for GNU C compiler is not available) 21 Results 35 MHz Pentium II, Visual C (ilesize: 51 Mbytes ; keysize: 128bits; blocksize: 128bits) ECB CBC CB OB CTR Enc (cycle) Enc (clock) D ec (cycle) Dec (clock) 22 11

12 Results D iffusion in Encryption Input (x ) 35 MHz Pentium II, Visual C (keysize: 128bits; blocksize: 128bits) Encrypt D ecrypt bit count Rounds D iffusion in Decryption Input (x ) D iffusio n 1 5 ECB MCT CBC MCT bit count D iffusio n Rounds 23 Results Skipjack Vs Rijndael The Best possible speeds I could able to achieve for Skipjack = 9 Mhz and Rijndael = 27 Mhz (128 bit block&key) Major contribution for the difference is the number of rounds (skipjack = 32, Rijndael = 1) and then the round transformation tables used in Rijndael. Skipjack G permutation is applied to one 16-bit word in each round. While Rindael round transformation (ByteSubShiftMix) is applied to every byte of the block. Rijndael has pretty good security margin compared to Skipjack. 2 12

13 Problems encountered Clock cycle counter code would not work with MSVC, because the code used constants CPUID, RDTSC, which the compiler can not understand. Instead they have to be force fed to the compiler using _emit instruction along with the opcode. double cycles(void) { unsigned long hi,lo; asm { _emit x6 //PUSHAD: Save all registers _emit xf _emit xa2 //CPUID: Serialize instruction execution _emit xf _emit x31 //RDTSC: Read clock cycle count into A,D mov lo,eax mov hi,edx //Get values from A,D registers _emit x61 } //POPAD: Restore the registers return * hi lo; // 2^32 * hi lo } Though the constants CPUID, RDTSC works with GNU C compiler, the count is not returning proper cycle count values. So I had to depend on the absolute time functions. Could not able to figure it out Yet. 25 Conclusions Rijndael is more flexible cipher than skipjack and more secure Rijndael yields greater speeds than skipjack with proper implementations To implement a cipher it is very important to analyze the cipher. So that the implementation can be optimized to yield far better performances than the straight forward implementation. The speed of the cipher depends on complier as well. Same implementation may yield widely varied performances on different platforms. Diffusion and security margin may not say anything about how secure the cipher is, but they are important in the analysis of the cipher