A Low Device Occupation IP to Implement Rijndael Algorithm

Transcription

1 A Low Device Occupation IP to Implement Rijndael Algorithm Alex Panato, Marcelo Barcelos, Ricardo Reis Universidade Federal do Rio Grande do Sul PPGC - Instituto de Informática P.O. Box CEP Porto Alegre - RS - Brasil <panato,reis>@inf.ufrgs.br;mb@e-trust.com.br Abstract This work presents a soft IP description of Rijndael, the Advanced Encryption Standard (AES) of National Institute of Standards and Technology (NIST). This Rijndael implementation run its symmetric cipher algorithm using a key size of 128, mode called AES128. The focus here is to produce a low area IP achieving good performance. To do that, we propose a architecture using mixed bit size processing. The usage of memory has a significant decrease. The same methodology is used to implement three versions: the first one only encrypts the data, the second one decrypts and the third one performs both operation at same device. The implementation choice was Acex1K and Cyclone devices of Altera. The paper presents a introduction of cryptography, the AES contest that defined Rijndael as the new standard, the AES-128 structure and some results, such as device occupation, clock frequency, throughput and latency. 1. Introduction Security is a great necessity in data operations today. The authentication process or commerce exchanges need security and reliability. There are several ways to guarantee the operation of these systems with security. Cryptography is one option and is very used today in many applications. Cryptography needs a standard to allow the communication of both sides. In 1997 a new symmetric algorithm was defined by National Institute of Standard and Technology (NIST) as the Advanced Encryption Standard (AES). The winner of contest was Rijndael. The hardware implementation of Rijndael could provide either high performance or low cost for specific applications. At backbone communication channels, or at heavily loaded server, it is not possible to lose processing speed running cryptography algorithms in general software, which drops the efficiency of the overall system. On the other side, a low cost and small design can be used in smart card applications, allowing a wide range of equipment to operate securely. The main key of this work is to produce and implement, in high volume FPGA devices, a low area and fast clock speed device. This is made by the use of mixed processing of 32 and 128, i.e., we do more cycles but faster. An implementation to high performance is presented in [1]. This paper as organized as follows: Section 2 presents a overview about cryptography, section 3 shows the algorithm basics fundamentals, section 4 introduces ours architecture, section 5 presents the results, while section 6 comments some conclusions. 2. Cryptography Overview Cryptography is not a recent science, but an old strategy to guarantee information exchange securely, that means, other people do not have access to encrypted information. Many kind of devices was used in the history, as mechanic equipment used by Germany in World War II. Nowadays, the cryptography is largely used in Internet Banking and other telecommunications operations. In the past, the core of security was in the unknown of algorithm. In the present days, however, was assumed that this technical provides a false sense of security. To guarantee a true security, the algorithm must be public and all the security must be in the key. In cryptography, the original data is called plaintext. The process of hiding the information is called encryption. The result (hidden text), is called ciphertext. To take back the original data, we execute the decryption process, wich returns the plaintext. There are two main types of cryptography: symmetric and asymmetric. In the first one, in the ordinary case, the communication uses only one key. User A transmits the key to user B before the start of communication. The both sides use this key to encrypt and decrypt the information. In an asymmetric algorithm, there are two keys. One of them must be public and used to encrypt the data and the

2 other private and is used to decrypt the information. In a communication between A and B, A uses the public key of B to encrypt the message, so only B (neither A) is able to decrypt this message using your private key. Because a symmetric algorithm computation is simpler than an asymmetric one, the second way is used to transmit the symmetric key. After that, all communication is made using a symmetrical algorithm [2] [3]. Cryptography needs a standard, as the communication is only possible when the same algorithm is used. To replace the old Data Encryption Standard, in September,12 of 1997, the National Institute of Standards and Technology (NIST) required proposals to what was called Advanced Encryption Standard (AES)[4]. After Round 1 selection process, five algorithms were chosen to the Round 2, in which NIST improve the analysis on each proposal, encouraging the "attack" to all competitors [5]. The five algorithms selected were: MARS [6] RC6 [7] RIJNDAEL [8] SERPENT [9] TWOFISH [10] At the end of Round 2, the conclusion was that the five (5) competitors showed similar characteristics. On October 2nd, NIST announced the Rijndael Algorithm as the winner of the contest, because it had the best overall scores in security, performance, efficiency, implementability and flexibility [11]. The Rijndael algorithm was developed by Joan Daemen, Proton World International, and Vincent Fijmen, Katholieke Universiteit Leuven [12]. Rijndael encrypt variable size blocs with variable size keys. The specification allows the utilization of key sizes of 128, 192 and 256, and blocks of 128, 192 and 256 too. The nature of algorithm allows the sizes of keys and blocks to be multiples of 32 [12]. The AES specified a subset of Rijndael, fixing the block size on 128. The AES defines three (3) versions AES-128, AES-192 and AES-256 corresponding to the usage of 128, 192 and 256 bit cipher keys. 3. Rijndael Structure Rijndael algorithm defines the work variable as a 128 matrix of four columns by four rows. Each cell of this matrix is a byte. This variable type is called state_t variable (figure 1). The transformations performed by Rijndael algorithm are executed in this variable or in a part of it. The algorithm has five functions to encrypt the data. To perform the decrypt, it uses another set of functions that executes the inverse operation. The analog functions of both operation are executed in inverse sequence. The functions used are, in execution order: Byte Sub, Shift Row, Mix Column and Add Key, in the decryption the order is Add Key, IMix Column, IShift Row and IByte Sub. Note that Add Round Key is its own inverse function. The encryption schedule is presented in figure 2. Figure 1: State_t. In AES-128, the Key Schedule uses 10 rounds. Each round executes the same functions in the same order. Only one round, the first one in decryption and the last one in encryption, does not execute the Mix Column (or, in the decryption case, the IMix Column). Figure 2: Encryption diagram. To each round the key schedule generates a specific key, called Round Key. The fifth function, called Round Key Function, executes this operation. The round keys are generated based on the original key. Once this is done, the round keys of each round are the same until a new key are set. The round schedule works with xors, shifts and table look-ups. It operates using a subset of state_t variable, using just a bidimensional array. All keys are assumed as a sequence of one byte cells. The function executes a xor of some previous cells to determine the present cell. The Round Key function uses a sub function called KStran (figure 3). It first shifts the word left. Next, a Byte

3 Sub function is executed. After that, a xor operation is made with a constant determined by the round of operation. The second step is the Shift Row, operating over a row of bytes. The function only shifts the variable to left: once in the second row, twice in the third and so on (figure 6). Figure 6: Ishift Row transformation. The third operation is the Mix Column, operating over the columns of the variable. This function assumes the data variable as a forth degree polynomial one and executes a multiplication by a specific polynomial (figure 7). Figure 3: KStran. In the usual round operation, the first function in the encryption process is a table look up, also executed byte to byte. The function takes the data variable and assumes it as an address of a specific memory defined by the algorithm. The data stored in this address is taken as the new work variable (figure 4). The function is called Byte Sub. Figure 7: Mix Column transformation. Figure 4: Byte Sub transformation. Each S-box (figure 5) uses 2048 of memory and allow 8 process. To execute 128 in parallel form, we need 16 S-Box (32768 ). To execute 32 in parallel form, only 4 S-Box (8192 ). The KStran sub function also uses too 4 S-Box to operate. The last operation made in the Rijndael algorithm is a xor operation between the data and the key variable. In the first round, data and key are read as input. In the next rounds, the data is the work variable and the key is the round key of the specific round. This xor procedure is called Add Key and it operates over each byte. 4. AES128 Architecture Figure 5: S-Box table. Besides Rijndael was designed to work with data blocks of 128, 192 and 256 using 128, 192 and 256 key, the AES was defined as three versions AES128, AES168 and AES256 corresponding to the usage of 128, 192 and 256 bit cipher keys. In this work, all the implementation was focused in the AES-128. Here we present the implementation of Rijndael in three ways: the first one just encrypt the data, the second one just decrypt and the third one does the both executions. This options can provide a choice to implement the Rijndael, as the area increases with the both devices together. If either decrypt or encrypt function are not needed, just one device could be implemented. Although, the use of the third implementation is better as it is easiest to operate. All versions use a very similar structure.

4 Figure 8: Encrypt and decrypt architecture. To allow the free execution of the Rijndael algorithm, the structure was divided in some processes. The Rijndael process itself executes only the encrypt or decrypt algorithm, according to the case. The others processes only provide support to read and write bus operation and to round keys generation. The Data In process gives support to Rijndael. It is used to take the data from the bus. It is controlled by the WR_DATA and CLK signals. When the bus put a data to be read, this signal is selected and the data is taken. The independence of process execution allows the execution of a read of new data at same time an encryption/decryption process is being performed. Encdec signal indicates if the device must executes decrypt or encrypt. setup clk wr_data Data_In 128 Regsiter clk Din 128 wr_key Key_In Regsiter 128 Rijndael 128 Figure 9: Encrypt/decrypt architecture. Data_Out 128 Data_Ok The Out process executes the connection with the bus to send out a data, registering the values processed by Rijndael. It allows Rijndael processor to start another operation while the data out is being transferred to the bus, thus transient results in data out are avoided. The main proposal in the architecture is to produce a small area device, but with a good performance and a simple internal control system. To reduce the area, our choice was to generate the round keys on-the-fly, so there is no need to store round keys, as in the case of a previous generating. This Out implementation does not limit the process speed, since the speed restriction is in the 32 bit parts. To reduce the embedded memory, a very expensive resource in FPGA s, Byte Sub is implemented using 32. So, we need just 8k to do that. Shift Row can be executed at the same way of Byte Sub, but a better speed result is obtained when the function is built using 128. To increase the performance, to simplify the internal control and to reduce the area needed to control the process, all other functions are built in 128. This choice improves the architecture of the cryptography IP, decreasing the number of clock cycles needed to execute a round from 12 (in the case of all functions using 32 processing) to 5. The number of signals in the interface could be high, but since the main objective is to make an IP core, this does not represent a problem. If the implementations require only the Rijndael core, a simple interface could be built using 32 or 16 data bus. Lower bus sizes could not be sufficient to provide or to take the data from device in full rate operation. The device signals are presented in table 1. Signal In/Out Description clk IN Control the clock signal in all blocks. setup IN Determine the period of configuration/ operation. wr_data IN Indicate that the data in to be processed are in the bus. wr_key IN Indicate that a new key to be processed are in the bus. din IN Data and key in. enc/dec* IN Determine if the device must execute a encryption or a decryption data_ok OUT Indicate the permission of read/write in the bus. dout OUT Data out. Table 1: Device signals. * enc/dec signal are used only in the device with encrypt and decrypt ability. 5. Results We present here three implementations of the Rijndael AES128 using different devices. We chose to implement these architectures in the high volume FPGA s of Altera. The two family used are Acex1K and the new Cyclone family. Doing this, we expect to determine the differences between two distinct generations of FPGA s, considering speed and device occupation. The devices used were EP1K100FC484-1 in Acex devices and EP1C20F400C6 in Cyclone devices. To use the new Cyclone family, we must obtain the newest version of Quartus II and Leonardo Specrtum software. The versions are: Quartus II Version 2.1 and Leonardo

5 Spectrum 2002 LS2002d_22. To fitting and check performance results we used Quartus II software. Simulation was made using Model Sim. Leonardo Spectrum is used to compile the code. Of course, the results presented in Cyclone family are preliminary, because the device will be available only after January The parameters that we use to evaluate the quality of device are: Logic Cells: Determine the usage of main resources of circuit, given us a idea about area occupation and the implementation of architecture. Memory: Number of used of embedded memory of FPGA. One of the most expensive resources, we try to reduce it. Pins: Signals of interface with other modules. Latency: Determine how many time the device takes to process the data. This measure are very important to real time communication. Clock frequency: Determine how fast the clock signal must be to achieve the full rate operation. Throughput: How many data information the device can process in a second. It is important to determine the amount of data that the channel can use with cryptography. It could be defined as the block size (128 ) divided by latency. Table 2 presents the results obtained in the selected devices. Note that the performance drops around 22% when the encrypt and decrypt run at the same device. This characteristic could encourage the use of different devices in a same board when high performance are required. Also note that the usage of LCs increases and that the memory is not implemented in Cyclone family. This occurs because the Cyclone embedded memory does not support asynchronous ROM. So, the memory was implemented using LCs. To allow the use of synchronous ROM, several modifications are needed. This is actually under development and the results will be reported in a future work. 6. Conclusions In this paper was presented an architecture to achieve a low area Rijndael IP. Some methodologies are used to guarantee the requisites, as the decrease of embedded memory and mixed process of 32 and 128. The performance results of presented IP show a fast implementation, besides the area decrease is not very great. The amount of memory used shows that a 32 solution could has a interesting area x performance aspect. System Design Acex1K Cyclone LC s 2114/42% 4057/20% Memory 16384/33% 0/0% Pins 261/78% 261/87% Latency 700 ns 500 ns Clk 14 ns 10 ns Throughput 182 Mbps 256 Mbps LC s 2217/44% 4211/20% Memory 16384/33% 0/0% Pins 261/78% 261/87% Latency 750ns 550 ns Clk 15ns 11 ns Throughput 170 Mbps 232 Mbps LC s 3222/64% 7034/35% Memory 32768/66% 0/0% Pins 262/78% 262/87% Latency 850 ns 650 ns Clk 17 ns 13 ns Throughput 150 Mbps 197 Mbps Table 2: Performance and occupation. Encrypt Decrypt Both Larger architectures do not provide a large increase of performance, as the key generation is slower then cipher part. A 128 could be limited by the key schedule. A smaller architecture, as 16 or 8, will use many clock cycles and the clock speed will not reverse this problem. Also, the 8 k used in KStran will not decrease. Some other results collected in the literature are presented in table 3. Author Technology Memory LC s Throughput (Mbps) E D C E D C [13] Flex10KA X X [14] Acex1K X X 1965 X X 61,2 [1] Apex20K-1X X X [15] Apex20KE (E) 57344(D) X X Table 3: Performance and occupation in different hardware implementations.

6 As future work, we propose a power analysis of the architecture. As one of the possible applications area mobile systems, this feature is very interesting. There is, also, another effort to produce a VHDL IP version hardened against radiation [16]. 7. References [1] PANATO, Alex; BOEIRA, Marcelo; REIS, Ricardo. An IP of an Advanced Encryption Standard for Altera Devices. SBCCI 2002, pp , Porto Alegre, Brazil, 9 and 14 September PDF file available at [2] SCHNEIER, Bruce. Applied cryptography: protocols, algorithms, and source code in c. 2ª ed. New York. John Wiley, [3] STALLINGS, William. Network Security Essentials: applications and standards. New Jersey. Prentice Hall, [4] NIST. Advanced Encryption Standard (AES). Official NIST homepage about AES, available at [5] NIST. AES Round 2 Information Official NIST information about the five algorithms selected to the second round of AES, available at gorithms (Aug ). [6] IBM. The MARS cipher - IBM submission to AES. Official MARS homepage, available at [7] RSA. RC6 Block Cipher. Official RC6 homepage, available at [8] DAEMEN, Joan e RIJMEN, Pawel. The block cipher Rijndael. Official Rijndael homepage, available at [9] ANDERSON, Ross, BIHAM, Eli and KNUDSEN, Lars. Serpent - A Candidate Block Cipher for the Advanced Encryption Standard. Official SERPENT homepage, available at [10] COUNTERPANE. Twofish: A New Block Cipher. Official TWOFISH homepage, available at [11] NIST. Commerce Department Announces Winner of Global Information Security Competition. Official NIST communicate, announcing Rijndael as the new AES, available at (Aug ) [12] DAEMEN, Joan e RIJMEN, Pawel. The block cipher Rijndael. Rijndael official homepage, available at [13] MROCZKOWSKI, Piotr. Implementation of the block cipher Rijndael using Altera FPGA. PDF file available at pmroczkowski.pdf (Aug. 2001). [14] Zigiotto, Anderson; d Amore, Roberto. A Low-cost FPGA Implementation of the Advanced Encryption Standard Algorithm. SBCCI 2002, pp , Porto Alegre, Brazil, 9 and 14 September [15] Altera, High Speed Rijndael Encryption/Decryption Processors., Hammercores whitepaper v [16] PANATO, Alex; NEUBERGER, Gustavo; LIMA, Fernanda; LAZZARI, Cristiano; REIS, Ricardo. Testing a Rijndael VHDL Description to Single Event Upsets. SIM 2002, Canela, Brazil, 28 and 29 June PDF file available at