vlsi design conference 2016, kolkata- authenticated encryption decryption

29th International Conference on VLSI Design&

15th International Conference on Embedded Systems

Technologies for a Safer and Inclusive World

About Us

• Design Contest Challenge D3– Efficient Accelerator for Authenticated Encryption

• Title of the Project: HarSam• Authors:

» Samnit Dua• Final Year Student, B.Tech- E.C.E• G B Pant Government Engineering College, GGSIPU, Delhi

» Hardik Manocha• Final Year Student, B.Tech-E.C.E• G B Pant Government Engineering College, GGSIPU, Delhi

Authenticated Encryption- AE

• What it is:– A simple process to authenticate the confidential data of a

process, object, human or about anything; to increase the security associated with the data.

– It describes that the person transmitting the data is the Actual person who has to send the data.

– On the receiving end, data comes from where it is intended to come from.

– MUCH SECURE scheme than the scheme of Encrypting (AES) and then Authenticating the message(MAC).

– Easier for developers to incorporate Authentication in their designs.

AE continued..•Authentication is much needed to secure the encrypted data.• Systems involving Encryption without Authentication: XML Encryption, WEP etc.• Above mentioned Systems were susceptible to attacks and therefore less reliable.• Then came the need for Authenticity to be associated with Encryption so that attackers had to work upon a stronger string of data.

• Two ways to apply authenticity: • Encrypt the data and then apply MAC (Message Authentication Code). Two different processes and therefore complex.• Encrypt and Authenticate using a single procedure.

• Second method to obtain Authenticated Encryption is much better and widely used by developers.

TIAOXIN-346

• Name of a design which provides the feature of Authenticated Encryption.

• Designed by Ivica Nikolic of Nanyang Technological University, Singapore.

• TIAOXIN-346 is one of the Entries of CAESAR, a worldwide competition related to Encryption.

• HarSam, our project is the Hardware Implementation of TIAOXIN-346.

Screenshot representing CAESAR Entries

TIAOXIN-346 Encryption

Inputs:• Key, K of 128 bits• Public Message Number- Nonce, IV of 128 bits• Plaintext, M of 256 bits• Associated Data, AD of 256 bits

Outputs:• Ciphertext , C of 256 bits• Tag of 128 bits

Tiaoxin - 346 (K; IV; M;D) = (C; Tag)

Notations and Operations Used

• Word- sequence of 16 bytes.• Z0- is a constant word with value “428a2f98d728ae227137449123ef65cd”.• Z1- is a constant word with value “b5c0fbcfec4d3b2fe9b5dba58189dbbc”.• Ts- state composed of s word. For instance, T3 has 3 words, T4 has 4 words and T6 has 6 words.

• X Y { bitwise addition (XOR) of the words X and Y}.• X & Y { bitwise conjunction (AND) of the words X and Y}.• AES(X; SK) – X is the word and SK is the sub key. AES is one round single of AES.

AES(X; SK) = MixColumns(ShiftRows(SubBytes(X))) + SK• R(Ts;M) - a round transformation of a state with s words.

R: Ts X M -> Ts newFurther R(Ts;M) uses AES(X;SK) either in keyless mode or keyed mode.

UPDATE Function

Update : T3 X T4 X T6 X M0 X M1 X M2 -> T3 X T4 X T6. T3 new = R(T3,M0); T3=T3 new T4 new = R(T4,M1); T4=T4 new T6 new = R(T6,M2); T6=T6 new

Keyed Mode of AES round uses Z0 as Sub Key

AES Operations

• STATE Matrix:Input Data block viewed as 4-by-4 table of bytes.

• Filling Up of STATE Matrix:

1 byte

AES Operations continued..

SubBytes: Byte Substitution Operation• A simple substitution of each byte

• Uses one S-box of 16x16 bytes containing a permutation of all 256 8-bit values

• Each byte of state is replaced by byte indexed by row (left 4-bits) & column (right 4-bits)– E.g. byte {75} is replaced by byte in row 7 column 5– which has value {5B}

SubBytes Table

Implement by Table Lookup

Sample SubByte Transformation

• Shifting, which permutes the bytes. • A circular byte shift in each

– 1st row is unchanged– 2nd row does 1 byte circular shift to left– 3rd row does 2 bytes circular shift to left– 4th row does 3 bytes circular shift to left

ShiftRow Operation

Sample ShiftRow Operation

MixColumn Operation

• Each column is processed separately.• Each byte is replaced by a value dependent on all 4 bytes in the column

Sample MIxColumn Operation

TIAOXIN-346 Encryption Processing

• TIAOXIN-346 Encryption Algorithm works in 4 stages and are as following• Initialization• Processing Associated Data• Encryption• Tag Production

• Above mentioned processes are executed in the same order as they are written.

Initialization --> Processing Associated Data --> Encryption --> Tag Production

INITIALIZATION

• In this stage, three states T3, T4 and T6 are loaded with the Inputs K and IV.

• After fill up process, States T3, T4 and T6 are updated 15 times using UPDATE function.

PROCESSING ASSOCIATED DATA •The associated data AD is divided into blocks of 32 bytes each. If the last block of AD is incomplete (the length of the block is less than 32 bytes), padding with zeroes is done.

AD = AD1; . . . ;ADd|ADi| = 256 and ADlength = |AD|The length of the AD is encoded as 16-byte big endian word and stored

in ADlength.

For our design, we have d=1 because AD is of 256 bits in size.

ENCRYPTION

•The message M is divided into blocks of 32 bytes each. If the last block of M is incomplete (the length of the block is less than 32 bytes), padding with zeroes is done.

M = M1; . . . ; Md|Mi| = 256 and Mlength = |M|The length of the M is encoded as 16-byte big endian word and stored in Mlength.

In our design, we have m=1 because of 256 bit length of M.C would be equal to M in terms of length.

ENCRYPTION continued..

• In case padding with zeroes is done in last block of M, then last block of C generated in the Encryption stage would undergo Truncation.

• Suppose last block of M contains ‘b’ bytes then, last block of C would be truncated after ‘b’ bytes. Therefore “32-b” bytes would be removed from the last block of C.

• Complete Ciphertext is explained by the following equation:

C = C1|| C2 || . . . || Cm

|| is the Concatenation Operator here

Tag Production

This is the Final stage of the complete Encryption Algorithm.

In this step, words holding the length of AD and M are processed.

Firstly, UPDATE function uses ADlength and Mlength

Further, 20 rounds of UPDATE function are used with Z0 and Z1 and Tag is generated by the XOR operation of all words of T3, T4 and T6

TIAOXIN-346 Decryption

• Inputs:• Key, K of 128 bits• Public Message Number- Nonce, IV of 128 bits• Ciphertext, C of 256 bits• Associated Data, AD of 256 bits• Tag of 128 bits

• Outputs:• Plaintext, M of 256 bits• Fail, single bit in size

Tiaoxin - 346 (K; IV; C;AD,Tag) = (M; Fail)

TIAOXIN-346 Decryption Processing

•TIAOXIN-346 Encryption Algorithm works in 4 stages and are as following• Initialization• Processing Associated Data• Decryption• Tag Production

• Above mentioned processes are executed in the same order as they are written. Initialization --> Processing Associated Data --> Decryption --> Tag Production

• Initialization, Processing Associated Data and Finalization stages are exactly similar to Encryption steps.

• Only the Decryption stage is altered.

DECRYPTIONAssuming C has m blocks of 32 bytes

C = C1|| C2 || . . . || Cm

In our design, m=1 and therefore above statements are executed only once.

Padding with zeroes is done similarly as done in Encryption.

If the Tag produced in Decryption is similar to the Input Tag, then only M is generated at the Output and Fail is made to Logic low. Else Fail is made to Logic High and M generated in Decryption Stage is not available at the Output port.

SIMULATION- ENCRYPTION• Inputs

•Key, K = 91cc70a38f1cf31c3a3a39c748e8ee3a• Nonce, IV = b7ddefbdfad7df7b7dbee3e5f5f5fbe6• Message, M=b7ddf2398e1471e39e6387474738e91d1dc74fbdfad7df7b7dbee3e5f5f5fb6• Associate Data, AD= 91cc70a38f1cf31c3a3a39c748edbeef7defd6befbdbedf71f2fafafdf30ee3a

• Outputs C= d4a1b9fb02fa511cdf7f8cfbb90e22438702502bada2b70436ca6fc14c5d6224 Tag= bf979c14211c4930064abc4f50c2d0d0

SIMULATION- DECRYPTION

• Inputs•Key, K = 91cc70a38f1cf31c3a3a39c748e8ee3a• Nonce, IV = b7ddefbdfad7df7b7dbee3e5f5f5fbe6• Ciphertext, C= d4a1b9fb02fa511cdf7f8cfbb90e22438702502bada2b70436ca6fc14c5d6224• Associate Data, AD= 91cc70a38f1cf31c3a3a39c748edbeef7defd6befbdbedf71f2fafafdf30ee3a• Tag= Tag= bf979c14211c4930064abc4f50c2d0d0

• Outputs• M= b7ddf2398e1471e39e6387474738e91d1dc74fbdfad7df7b7dbee3e5f5f5fb6• Fail= 0

SYNTHESIZE- ENCRYPTION

SYNTHESIZE- DECRYPTION

COMPARISONTIAOXIN-346 v/s HarSam

Modified Version of HarSam

As the comparison summarizes, our design is much slower than the TIAOXIN-346.But we have achieved Hardware Implementation.

In order to match the Timing characteristics of TIAOXIN-346, we have modified our design and built a newer design.

We have successfully Simulated the design but we were not able to Synthesize the design due to lack of our System resources.

SIMULATION- ENCRYPTION MODIFIED DESIGN

SIMULATION- DECRYPTION MODIFIED DESIGN

FUTURE WORKS

• Try to achieve Hardware Implementation of Our Modified design.• Further work on to decrease Timing features so as to take our design to be involved in some applications.

Thank You