SlideShare a Scribd company logo

AES effecitve software implementation

Roman Oliynykov
Roman Oliynykov

Slides of my lecture on effective AES implementation in software given at University of Bergen (Norway)

Internet
1 of 40
Download to read offline
Effective Software Implementation of Advanced Encryption Standard December 2014 Roman Oliynykov Professor at Information Technologies Security Department Kharkov National University of Radioelectronics Head of Scientific Research Department JSC “Institute of Information Technologies” Ukraine Visiting professor at Samsung Advanced Technology Training Institute Korea ROliynykov@gmail.com
Outline  A few words about myself  Brief history of AES/Rijndael  AES properties  Direct AES implementation and problems with it  Methods for effective encryption implementation (proposed by Rijndael authors in their submission to AES competition)  Decryption optimization  Conclusions
About myself (I)  I’m from Ukraine (Eastern part of Europe), host country of Euro2012 football championship  I live in Kharkov (the second biggest city in the country, population is 1.5 million people), Eastern Ukraine (near Russia), former capital of the Soviet Ukraine (1918-1934) three Nobel prize winners worked at Kharkov University
About myself (II)  Professor at Information Technologies Security Department at Kharkov National University of Radioelectronics  courses on computer networks and operation system security, special mathematics for cryptographic applications  Head of Scientific Research Department at JSC “Institute of Information Technologies”  Scientific interests: symmetric cryptographic primitives synthesis and cryptanalysis  Visiting professor at Samsung Advanced Technology Training Institute  courses on computer networks and operation system security, software security, effective application and implementation of symmetric cryptography
Modern and effective solution: Advanced Encryption Standard (AES)  result of international public cryptographic competition (1997-2000)  had been chosen among 15 candidate ciphers (developed in the US, Belgium, Denmark, Germany, Israel, Japan, Switzerland, Armenia, etc.)  original name is Rijndael (developed by researchers from Belgium)  votes on 3rd AES conference had been given to this cipher, but the rest Twofish (US), MARS (US, IBM), E2 (Japan, Camellia predecessor), Serpent (Israel) are also remain strong  the most researched block cipher all over the world (2014, open publications)  basis for development of many other symmetric primitives
AES properties  block length 128 bits only (subset of Rijndael which supports 128, 192 and 256 bits)  key length is 128, 192 and 256 bits  uses Substitution-Permutation Network (SPN)  number of rounds (10,12,14) depends on key length  quite transparent design, algebraic structure (theoretically may be vulnerable to algebraic analysis)  quite effective in software (32-bit platforms) and hardware implementation
AES parameters: key length, block size, number of rounds
AES: presentation of processing bytes as a “cipher state”
AES: main steps running key schedule procedure: generation of all round keys running encryption or decryption procedure  or, for compact hardware implementation, sequential operations:  generation of the current round key  one encryption round
AES: high-level structure (pseudocode)
AES: high-level structure (picture for 128 bit key)
AES: SubBytes transformation
AES: ShiftRows transformation
AES: MixColumns transformation
AES: AddRoundKey transformation
AES round key generation (key expansion) NB: not all key length (128, 192, 256) must be supported; for many applications it’s enough to have the single key length
AES round key generation: RotWord
AES round key generation: SubBytes
AES round key generation: round constant application NB: without Rcon there would be equal blocks in ciphertext if plaintext and keys have equal blocks (1, 2 or 4 bytes repeats in plaintext and key)
AES round key sequence
AES decryption (direct presentation): reverse operations in different order
AES/Rijndael design goals  be extremely fast on 32 bit platforms (+++)  be compact on hardware implementation with small number of gates (++)  possibility to implement cipher on 8-bit smart- card processors actual for 1990th (++)  cryptographic strength (+)
Direct implementation of AES round function: SubBytes 16 operations (byte substitution)
Direct implementation of AES round function: ShiftRows 12 operations (byte permutation)
AES: MixColumns transformation 60 operations (logical and conditional):  3+ operations for each input byte (48+ total): • shift and conditional XOR (mult by 02) • XOR (mult by 03)  3 XORs for each row (12 total)
Direct implementation of AES round function  SubBytes: 16 operations (byte substitution)  ShiftRows: 12 operations (byte permutation)  MixColumns: 60 or even more operations (conditions will prevent effective pipelining)  AddRoundKey: 16 operations (logical) TOTAL: more than 102 operations per round
AES effective software implementation: 32-bit platform  three different operations can be united into the single (!) look-up table access:  SubBytes (non-linear)  ShiftRows (linear)  MixColumns (linear)  cipher consists of look-up table accesses and round key additions
AES effective software implementation: MixColumns Matrix multiplication: 7 operations (4 memory look-ups + 3 XORs) instead of 60:  32-bit XOR of 4 columns  each column depends on one input byte only  all 4 bytes in each column are precomputed and stored in advance
AES round function operations sequence variants: Original:  SubBytes  ShiftRows  MixColumns Equivalent:  ShiftRows  SubBytes  MixColumns
AES effective software implementation: MixColumns and SubBytes at one precomputed table SubBytes and MixColumns: 7 operations (4 memory look-ups + 3 XORs) total:  32-bit XOR of 4 columns  each column depends on one input byte only (already sent throw S-box)  all 4 bytes in each column are precomputed and stored in advance
Fragment of OpenSSL AES source code (based on Rijndael author's implementation) 4 tables are needed; size of each table is 256 * 4 = 1 kByte
Fragment of OpenSSL AES source code (based on Rijndael author's implementation) ShiftRows is implemented as usual shift and mask of 32-bit register; SubBytes and MixColumns are implemented as memory lookups (8 bit → 32 bit)
AES effective software implementation: extra memory optimization Decreasing memory amount: single table (1 kByte instead of 4 tables of 1 kB each)
Main table size for the fastest and compact optimized 32-bit AES implementation  fastest:  (4 bytes) x (256 different entries to S-box) x x (4 different positions for ShiftRow) == 4 kbytes  compact optimized:  (4 bytes) x (256 different entries to S-box) == == 1 kbyte  three additional operations in C ( << , >>, | or ^) are needed besides a table look-up NB: for reaching highest performance precomputed tables and processing data must fit into L1 processor cache (32-64kBytes for modern processors)
Number of 32-bit operations needed for a single block encryption at main transformation (having all round keys)  ( (4 look-up) + (3 xors) ) * (4 columns) == == 28 operations / round  4 xors with round keys == == 4 operations / round  (28 + 4) * (9 rounds) == 288 operations for high strength encryption of 9 rounds (!)  (16 operations on SubBytes) + (24 operations on ShiftRows) + (4 xors with round keys) == == 44 operations at last round
AES decryption: high-level structure (pseudocode)
AES decryption: optimization  SubBytes() and ShiftRows() transformations commute, their sequence can be chaged  The column mixing operations - MixColumns() and InvMixColumns() – are linear with respect to the column input, which means InvMixColumns(state xor Round Key) == InvMixColumns(state) xor InvMixColumns(Round Key)
AES optimized decryption with changed round keys
Additional details on AES implementation  two set of tables for encryption  main optimized set (MixColumns, ShiftRows and SubBytes)  separate S-box array for the last round  two set of tables for decryption (complexity is the same as for encryption)  main optimized set (InvMixColumns, InvShiftRows and InvSubBytes)  separate reverse S-box array for the last round NB: ECB decryption is not needed for the most block cipher modes of operation
Conclusions  direct AES implementation is very slow (requires many byte operations and conditions)  three different round function operations can be united into the single look-up table access  with effective implementation AES consists of look- up table accesses and round key additions  the fastest version AES requires 4 kB of memory for tables, fast but compact requires 1 kB  fast AES decryption operation has the same speed as encryption and uses changed order of round function operations with modified round keys

Recommended

Aes 128 192_256_bits_project_report
Aes 128 192_256_bits_project_reportAes 128 192_256_bits_project_report
Aes 128 192_256_bits_project_reportsakhi rehman
 
Modified aes algorithm using multiple s boxes
Modified aes algorithm using multiple s boxesModified aes algorithm using multiple s boxes
Modified aes algorithm using multiple s boxeschuxuantinh
 
Des
DesDes
DesAravindharamanan S
 
Aes (advance encryption standard)
Aes (advance encryption standard) Aes (advance encryption standard)
Aes (advance encryption standard) Sina Manavi
 
Advanced Encryption Standard (AES)
Advanced Encryption Standard (AES)Advanced Encryption Standard (AES)
Advanced Encryption Standard (AES)Hardik Manocha
 
Topic20 The RC4 Algorithm.pptx
Topic20 The RC4 Algorithm.pptxTopic20 The RC4 Algorithm.pptx
Topic20 The RC4 Algorithm.pptxUrjaDhabarde
 
Advanced Encryption Standard (AES) with Dynamic Substitution Box
Advanced Encryption Standard (AES) with Dynamic Substitution BoxAdvanced Encryption Standard (AES) with Dynamic Substitution Box
Advanced Encryption Standard (AES) with Dynamic Substitution BoxHardik Manocha
 
Information and data security advanced encryption standard (aes)
Information and data security advanced encryption standard (aes)Information and data security advanced encryption standard (aes)
Information and data security advanced encryption standard (aes)Mazin Alwaaly
 

Recommended

Aes 128 192_256_bits_project_report
Aes 128 192_256_bits_project_reportAes 128 192_256_bits_project_report
Aes 128 192_256_bits_project_reportsakhi rehman
 
Modified aes algorithm using multiple s boxes
Modified aes algorithm using multiple s boxesModified aes algorithm using multiple s boxes
Modified aes algorithm using multiple s boxeschuxuantinh
 
Des
DesDes
DesAravindharamanan S
 
Aes (advance encryption standard)
Aes (advance encryption standard) Aes (advance encryption standard)
Aes (advance encryption standard) Sina Manavi
 
Advanced Encryption Standard (AES)
Advanced Encryption Standard (AES)Advanced Encryption Standard (AES)
Advanced Encryption Standard (AES)Hardik Manocha
 
Topic20 The RC4 Algorithm.pptx
Topic20 The RC4 Algorithm.pptxTopic20 The RC4 Algorithm.pptx
Topic20 The RC4 Algorithm.pptxUrjaDhabarde
 
Advanced Encryption Standard (AES) with Dynamic Substitution Box
Advanced Encryption Standard (AES) with Dynamic Substitution BoxAdvanced Encryption Standard (AES) with Dynamic Substitution Box
Advanced Encryption Standard (AES) with Dynamic Substitution BoxHardik Manocha
 
Information and data security advanced encryption standard (aes)
Information and data security advanced encryption standard (aes)Information and data security advanced encryption standard (aes)
Information and data security advanced encryption standard (aes)Mazin Alwaaly
 
Classical Encryption
Classical EncryptionClassical Encryption
Classical EncryptionShafaan Khaliq Bhatti
 
Sv data types and sv interface usage in uvm
Sv data types and sv interface usage in uvmSv data types and sv interface usage in uvm
Sv data types and sv interface usage in uvmHARINATH REDDY
 
Elliptic Curve Cryptography
Elliptic Curve CryptographyElliptic Curve Cryptography
Elliptic Curve CryptographyKelly Bresnahan
 
Chapter 4 The Processor
Chapter 4 The ProcessorChapter 4 The Processor
Chapter 4 The Processorguest4f73554
 
Chacha ppt
Chacha pptChacha ppt
Chacha pptVikramSingh1378
 
Information and network security 29 international data encryption algorithm
Information and network security 29 international data encryption algorithmInformation and network security 29 international data encryption algorithm
Information and network security 29 international data encryption algorithmVaibhav Khanna
 
Symmetric encryption
Symmetric encryptionSymmetric encryption
Symmetric encryptionDR RICHMOND ADEBIAYE
 
3. The Data Encryption Standard (DES) and Alternatives
3. The Data Encryption Standard (DES) and Alternatives3. The Data Encryption Standard (DES) and Alternatives
3. The Data Encryption Standard (DES) and AlternativesSam Bowne
 
UVM Ral model usage
UVM Ral model usageUVM Ral model usage
UVM Ral model usageParth Pandya
 
AES Abstract
AES AbstractAES Abstract
AES AbstractSathrukaSinha
 
Elliptical curve cryptography
Elliptical curve cryptographyElliptical curve cryptography
Elliptical curve cryptographyBarani Tharan
 
AES Cryptosystem
AES CryptosystemAES Cryptosystem
AES Cryptosystemهيثم فرج
 
Idea (international data encryption algorithm)
Idea (international data encryption algorithm)Idea (international data encryption algorithm)
Idea (international data encryption algorithm)AmanMishra208
 
Aes Kriptoanaliz
Aes KriptoanalizAes Kriptoanaliz
Aes KriptoanalizAyenUSLU
 
Base64 Encoding
Base64 EncodingBase64 Encoding
Base64 EncodingJonathan Francis Roscoe
 
Aes
AesAes
AesMuhammad Asif
 
Ch02 classic nemo
Ch02 classic nemoCh02 classic nemo
Ch02 classic nemoSamia Elsayed
 
Computer Security Lecture 2: Classical Encryption Techniques 1
Computer Security Lecture 2: Classical Encryption Techniques 1Computer Security Lecture 2: Classical Encryption Techniques 1
Computer Security Lecture 2: Classical Encryption Techniques 1Mohamed Loey
 
Number systems and conversions
Number systems and conversionsNumber systems and conversions
Number systems and conversionsSusantha Herath
 
Rc4 Research 2013
Rc4 Research 2013Rc4 Research 2013
Rc4 Research 2013Ahmed Yousify
 
Network Security Lec4
Network Security Lec4Network Security Lec4
Network Security Lec4Federal Urdu University
 
Aes
AesAes
AesAravindharamanan S
 

More Related Content

What's hot

Sv data types and sv interface usage in uvm
Sv data types and sv interface usage in uvmSv data types and sv interface usage in uvm
Sv data types and sv interface usage in uvmHARINATH REDDY
 
Elliptic Curve Cryptography
Elliptic Curve CryptographyElliptic Curve Cryptography
Elliptic Curve CryptographyKelly Bresnahan
 
Chapter 4 The Processor
Chapter 4 The ProcessorChapter 4 The Processor
Chapter 4 The Processorguest4f73554
 
Information and network security 29 international data encryption algorithm
Information and network security 29 international data encryption algorithmInformation and network security 29 international data encryption algorithm
Information and network security 29 international data encryption algorithmVaibhav Khanna
 
3. The Data Encryption Standard (DES) and Alternatives
3. The Data Encryption Standard (DES) and Alternatives3. The Data Encryption Standard (DES) and Alternatives
3. The Data Encryption Standard (DES) and AlternativesSam Bowne
 
UVM Ral model usage
UVM Ral model usageUVM Ral model usage
UVM Ral model usageParth Pandya
 
Elliptical curve cryptography
Elliptical curve cryptographyElliptical curve cryptography
Elliptical curve cryptographyBarani Tharan
 
Idea (international data encryption algorithm)
Idea (international data encryption algorithm)Idea (international data encryption algorithm)
Idea (international data encryption algorithm)AmanMishra208
 
Aes Kriptoanaliz
Aes KriptoanalizAes Kriptoanaliz
Aes KriptoanalizAyenUSLU
 
Computer Security Lecture 2: Classical Encryption Techniques 1
Computer Security Lecture 2: Classical Encryption Techniques 1Computer Security Lecture 2: Classical Encryption Techniques 1
Computer Security Lecture 2: Classical Encryption Techniques 1Mohamed Loey
 
Number systems and conversions
Number systems and conversionsNumber systems and conversions
Number systems and conversionsSusantha Herath
 

What's hot (20)

Classical Encryption
Classical EncryptionClassical Encryption
Classical Encryption
 
Sv data types and sv interface usage in uvm
Sv data types and sv interface usage in uvmSv data types and sv interface usage in uvm
Sv data types and sv interface usage in uvm
 
Elliptic Curve Cryptography
Elliptic Curve CryptographyElliptic Curve Cryptography
Elliptic Curve Cryptography
 
Chapter 4 The Processor
Chapter 4 The ProcessorChapter 4 The Processor
Chapter 4 The Processor
 
Chacha ppt
Chacha pptChacha ppt
Chacha ppt
 
Information and network security 29 international data encryption algorithm
Information and network security 29 international data encryption algorithmInformation and network security 29 international data encryption algorithm
Information and network security 29 international data encryption algorithm
 
Symmetric encryption
Symmetric encryptionSymmetric encryption
Symmetric encryption
 
3. The Data Encryption Standard (DES) and Alternatives
3. The Data Encryption Standard (DES) and Alternatives3. The Data Encryption Standard (DES) and Alternatives
3. The Data Encryption Standard (DES) and Alternatives
 
UVM Ral model usage
UVM Ral model usageUVM Ral model usage
UVM Ral model usage
 
AES Abstract
AES AbstractAES Abstract
AES Abstract
 
Elliptical curve cryptography
Elliptical curve cryptographyElliptical curve cryptography
Elliptical curve cryptography
 
AES Cryptosystem
AES CryptosystemAES Cryptosystem
AES Cryptosystem
 
Idea (international data encryption algorithm)
Idea (international data encryption algorithm)Idea (international data encryption algorithm)
Idea (international data encryption algorithm)
 
Aes Kriptoanaliz
Aes KriptoanalizAes Kriptoanaliz
Aes Kriptoanaliz
 
Base64 Encoding
Base64 EncodingBase64 Encoding
Base64 Encoding
 
Aes
AesAes
Aes
 
Ch02 classic nemo
Ch02 classic nemoCh02 classic nemo
Ch02 classic nemo
 
Computer Security Lecture 2: Classical Encryption Techniques 1
Computer Security Lecture 2: Classical Encryption Techniques 1Computer Security Lecture 2: Classical Encryption Techniques 1
Computer Security Lecture 2: Classical Encryption Techniques 1
 
Number systems and conversions
Number systems and conversionsNumber systems and conversions
Number systems and conversions
 
Rc4 Research 2013
Rc4 Research 2013Rc4 Research 2013
Rc4 Research 2013
 

Similar to AES effecitve software implementation

AES (Intro Advanced Encryption Standard).pptx
AES (Intro Advanced Encryption Standard).pptxAES (Intro Advanced Encryption Standard).pptx
AES (Intro Advanced Encryption Standard).pptxssuser0a47f0
 
Computer security module 2
Computer security module 2Computer security module 2
Computer security module 2Deepak John
 
modified aes algorithm using multiple s-boxes
modified aes algorithm using multiple s-boxesmodified aes algorithm using multiple s-boxes
modified aes algorithm using multiple s-boxeschutinhha
 
Next generation block ciphers
Next generation block ciphersNext generation block ciphers
Next generation block ciphersRoman Oliynykov
 
A design of a fast parallel pipelined implementation of aes advanced encrypti...
A design of a fast parallel pipelined implementation of aes advanced encrypti...A design of a fast parallel pipelined implementation of aes advanced encrypti...
A design of a fast parallel pipelined implementation of aes advanced encrypti...ijcsit
 
A VHDL Implemetation of the Advanced Encryption Standard-Rijndael.pdf
A VHDL Implemetation of the Advanced Encryption Standard-Rijndael.pdfA VHDL Implemetation of the Advanced Encryption Standard-Rijndael.pdf
A VHDL Implemetation of the Advanced Encryption Standard-Rijndael.pdfRamRaja15
 
Renas Rajab Asaad
Renas Rajab Asaad Renas Rajab Asaad
Renas Rajab Asaad Renas Rekany
 

Similar to AES effecitve software implementation (20)

Network Security Lec4
Network Security Lec4Network Security Lec4
Network Security Lec4
 
Aes
AesAes
Aes
 
Aes
AesAes
Aes
 
icwet1097
icwet1097icwet1097
icwet1097
 
AES (Intro Advanced Encryption Standard).pptx
AES (Intro Advanced Encryption Standard).pptxAES (Intro Advanced Encryption Standard).pptx
AES (Intro Advanced Encryption Standard).pptx
 
Computer security module 2
Computer security module 2Computer security module 2
Computer security module 2
 
sheet7.pdf
sheet7.pdfsheet7.pdf
sheet7.pdf
 
paper7.pdf
paper7.pdfpaper7.pdf
paper7.pdf
 
lecture6.pdf
lecture6.pdflecture6.pdf
lecture6.pdf
 
doc7.pdf
doc7.pdfdoc7.pdf
doc7.pdf
 
modified aes algorithm using multiple s-boxes
modified aes algorithm using multiple s-boxesmodified aes algorithm using multiple s-boxes
modified aes algorithm using multiple s-boxes
 
Next generation block ciphers
Next generation block ciphersNext generation block ciphers
Next generation block ciphers
 
Ch05
Ch05Ch05
Ch05
 
Unit -2.ppt
Unit -2.pptUnit -2.ppt
Unit -2.ppt
 
Network security cs5
Network security cs5Network security cs5
Network security cs5
 
A design of a fast parallel pipelined implementation of aes advanced encrypti...
A design of a fast parallel pipelined implementation of aes advanced encrypti...A design of a fast parallel pipelined implementation of aes advanced encrypti...
A design of a fast parallel pipelined implementation of aes advanced encrypti...
 
A VHDL Implemetation of the Advanced Encryption Standard-Rijndael.pdf
A VHDL Implemetation of the Advanced Encryption Standard-Rijndael.pdfA VHDL Implemetation of the Advanced Encryption Standard-Rijndael.pdf
A VHDL Implemetation of the Advanced Encryption Standard-Rijndael.pdf
 
Renas Rajab Asaad
Renas Rajab Asaad Renas Rajab Asaad
Renas Rajab Asaad
 
Aes
AesAes
Aes
 
AES.ppt
AES.pptAES.ppt
AES.ppt
 

More from Roman Oliynykov

Cryptocurrency with central bank regulations: the RSCoin framework
Cryptocurrency with central bank regulations: the RSCoin frameworkCryptocurrency with central bank regulations: the RSCoin framework
Cryptocurrency with central bank regulations: the RSCoin frameworkRoman Oliynykov
 
Buffer overflow and other software vulnerabilities: theory and practice of pr...
Buffer overflow and other software vulnerabilities: theory and practice of pr...Buffer overflow and other software vulnerabilities: theory and practice of pr...
Buffer overflow and other software vulnerabilities: theory and practice of pr...Roman Oliynykov
 
Kalyna block cipher presentation in English
Kalyna block cipher presentation in EnglishKalyna block cipher presentation in English
Kalyna block cipher presentation in EnglishRoman Oliynykov
 
Block Ciphers Modes of Operation
Block Ciphers Modes of OperationBlock Ciphers Modes of Operation
Block Ciphers Modes of OperationRoman Oliynykov
 

More from Roman Oliynykov (8)

Cryptocurrency with central bank regulations: the RSCoin framework
Cryptocurrency with central bank regulations: the RSCoin frameworkCryptocurrency with central bank regulations: the RSCoin framework
Cryptocurrency with central bank regulations: the RSCoin framework
 
Buffer overflow and other software vulnerabilities: theory and practice of pr...
Buffer overflow and other software vulnerabilities: theory and practice of pr...Buffer overflow and other software vulnerabilities: theory and practice of pr...
Buffer overflow and other software vulnerabilities: theory and practice of pr...
 
Kalyna block cipher presentation in English
Kalyna block cipher presentation in EnglishKalyna block cipher presentation in English
Kalyna block cipher presentation in English
 
Software Security
Software SecuritySoftware Security
Software Security
 
Block Ciphers Modes of Operation
Block Ciphers Modes of OperationBlock Ciphers Modes of Operation
Block Ciphers Modes of Operation
 
Kupyna
KupynaKupyna
Kupyna
 
Kalyna
KalynaKalyna
Kalyna
 
Software security
Software securitySoftware security
Software security
 

Recently uploaded

Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Lucknow
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Excelmac1
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 

Recently uploaded (20)

Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 

AES effecitve software implementation

  • 1. Effective Software Implementation of Advanced Encryption Standard December 2014 Roman Oliynykov Professor at Information Technologies Security Department Kharkov National University of Radioelectronics Head of Scientific Research Department JSC “Institute of Information Technologies” Ukraine Visiting professor at Samsung Advanced Technology Training Institute Korea ROliynykov@gmail.com
  • 2. Outline  A few words about myself  Brief history of AES/Rijndael  AES properties  Direct AES implementation and problems with it  Methods for effective encryption implementation (proposed by Rijndael authors in their submission to AES competition)  Decryption optimization  Conclusions
  • 3. About myself (I)  I’m from Ukraine (Eastern part of Europe), host country of Euro2012 football championship  I live in Kharkov (the second biggest city in the country, population is 1.5 million people), Eastern Ukraine (near Russia), former capital of the Soviet Ukraine (1918-1934) three Nobel prize winners worked at Kharkov University
  • 4. About myself (II)  Professor at Information Technologies Security Department at Kharkov National University of Radioelectronics  courses on computer networks and operation system security, special mathematics for cryptographic applications  Head of Scientific Research Department at JSC “Institute of Information Technologies”  Scientific interests: symmetric cryptographic primitives synthesis and cryptanalysis  Visiting professor at Samsung Advanced Technology Training Institute  courses on computer networks and operation system security, software security, effective application and implementation of symmetric cryptography
  • 5. Modern and effective solution: Advanced Encryption Standard (AES)  result of international public cryptographic competition (1997-2000)  had been chosen among 15 candidate ciphers (developed in the US, Belgium, Denmark, Germany, Israel, Japan, Switzerland, Armenia, etc.)  original name is Rijndael (developed by researchers from Belgium)  votes on 3rd AES conference had been given to this cipher, but the rest Twofish (US), MARS (US, IBM), E2 (Japan, Camellia predecessor), Serpent (Israel) are also remain strong  the most researched block cipher all over the world (2014, open publications)  basis for development of many other symmetric primitives
  • 6. AES properties  block length 128 bits only (subset of Rijndael which supports 128, 192 and 256 bits)  key length is 128, 192 and 256 bits  uses Substitution-Permutation Network (SPN)  number of rounds (10,12,14) depends on key length  quite transparent design, algebraic structure (theoretically may be vulnerable to algebraic analysis)  quite effective in software (32-bit platforms) and hardware implementation
  • 7. AES parameters: key length, block size, number of rounds
  • 8. AES: presentation of processing bytes as a “cipher state”
  • 9. AES: main steps running key schedule procedure: generation of all round keys running encryption or decryption procedure  or, for compact hardware implementation, sequential operations:  generation of the current round key  one encryption round
  • 16. AES round key generation (key expansion) NB: not all key length (128, 192, 256) must be supported; for many applications it’s enough to have the single key length
  • 17. AES round key generation: RotWord
  • 18. AES round key generation: SubBytes
  • 19. AES round key generation: round constant application NB: without Rcon there would be equal blocks in ciphertext if plaintext and keys have equal blocks (1, 2 or 4 bytes repeats in plaintext and key)
  • 20. AES round key sequence
  • 21. AES decryption (direct presentation): reverse operations in different order
  • 22. AES/Rijndael design goals  be extremely fast on 32 bit platforms (+++)  be compact on hardware implementation with small number of gates (++)  possibility to implement cipher on 8-bit smart- card processors actual for 1990th (++)  cryptographic strength (+)
  • 23. Direct implementation of AES round function: SubBytes 16 operations (byte substitution)
  • 24. Direct implementation of AES round function: ShiftRows 12 operations (byte permutation)
  • 25. AES: MixColumns transformation 60 operations (logical and conditional):  3+ operations for each input byte (48+ total): • shift and conditional XOR (mult by 02) • XOR (mult by 03)  3 XORs for each row (12 total)
  • 26. Direct implementation of AES round function  SubBytes: 16 operations (byte substitution)  ShiftRows: 12 operations (byte permutation)  MixColumns: 60 or even more operations (conditions will prevent effective pipelining)  AddRoundKey: 16 operations (logical) TOTAL: more than 102 operations per round
  • 27. AES effective software implementation: 32-bit platform  three different operations can be united into the single (!) look-up table access:  SubBytes (non-linear)  ShiftRows (linear)  MixColumns (linear)  cipher consists of look-up table accesses and round key additions
  • 28. AES effective software implementation: MixColumns Matrix multiplication: 7 operations (4 memory look-ups + 3 XORs) instead of 60:  32-bit XOR of 4 columns  each column depends on one input byte only  all 4 bytes in each column are precomputed and stored in advance
  • 29. AES round function operations sequence variants: Original:  SubBytes  ShiftRows  MixColumns Equivalent:  ShiftRows  SubBytes  MixColumns
  • 30. AES effective software implementation: MixColumns and SubBytes at one precomputed table SubBytes and MixColumns: 7 operations (4 memory look-ups + 3 XORs) total:  32-bit XOR of 4 columns  each column depends on one input byte only (already sent throw S-box)  all 4 bytes in each column are precomputed and stored in advance
  • 31. Fragment of OpenSSL AES source code (based on Rijndael author's implementation) 4 tables are needed; size of each table is 256 * 4 = 1 kByte
  • 32. Fragment of OpenSSL AES source code (based on Rijndael author's implementation) ShiftRows is implemented as usual shift and mask of 32-bit register; SubBytes and MixColumns are implemented as memory lookups (8 bit → 32 bit)
  • 33. AES effective software implementation: extra memory optimization Decreasing memory amount: single table (1 kByte instead of 4 tables of 1 kB each)
  • 34. Main table size for the fastest and compact optimized 32-bit AES implementation  fastest:  (4 bytes) x (256 different entries to S-box) x x (4 different positions for ShiftRow) == 4 kbytes  compact optimized:  (4 bytes) x (256 different entries to S-box) == == 1 kbyte  three additional operations in C ( << , >>, | or ^) are needed besides a table look-up NB: for reaching highest performance precomputed tables and processing data must fit into L1 processor cache (32-64kBytes for modern processors)
  • 35. Number of 32-bit operations needed for a single block encryption at main transformation (having all round keys)  ( (4 look-up) + (3 xors) ) * (4 columns) == == 28 operations / round  4 xors with round keys == == 4 operations / round  (28 + 4) * (9 rounds) == 288 operations for high strength encryption of 9 rounds (!)  (16 operations on SubBytes) + (24 operations on ShiftRows) + (4 xors with round keys) == == 44 operations at last round
  • 37. AES decryption: optimization  SubBytes() and ShiftRows() transformations commute, their sequence can be chaged  The column mixing operations - MixColumns() and InvMixColumns() – are linear with respect to the column input, which means InvMixColumns(state xor Round Key) == InvMixColumns(state) xor InvMixColumns(Round Key)
  • 38. AES optimized decryption with changed round keys
  • 39. Additional details on AES implementation  two set of tables for encryption  main optimized set (MixColumns, ShiftRows and SubBytes)  separate S-box array for the last round  two set of tables for decryption (complexity is the same as for encryption)  main optimized set (InvMixColumns, InvShiftRows and InvSubBytes)  separate reverse S-box array for the last round NB: ECB decryption is not needed for the most block cipher modes of operation
  • 40. Conclusions  direct AES implementation is very slow (requires many byte operations and conditions)  three different round function operations can be united into the single look-up table access  with effective implementation AES consists of look- up table accesses and round key additions  the fastest version AES requires 4 kB of memory for tables, fast but compact requires 1 kB  fast AES decryption operation has the same speed as encryption and uses changed order of round function operations with modified round keys