SlideShare a Scribd company logo

AES effecitve software implementation

Roman Oliynykov
Roman Oliynykov

Slides of my lecture on effective AES implementation in software given at University of Bergen (Norway)

Internet
1 of 40
Download to read offline
Effective Software Implementation of Advanced Encryption Standard December 2014 Roman Oliynykov Professor at Information Technologies Security Department Kharkov National University of Radioelectronics Head of Scientific Research Department JSC “Institute of Information Technologies” Ukraine Visiting professor at Samsung Advanced Technology Training Institute Korea ROliynykov@gmail.com
Outline  A few words about myself  Brief history of AES/Rijndael  AES properties  Direct AES implementation and problems with it  Methods for effective encryption implementation (proposed by Rijndael authors in their submission to AES competition)  Decryption optimization  Conclusions
About myself (I)  I’m from Ukraine (Eastern part of Europe), host country of Euro2012 football championship  I live in Kharkov (the second biggest city in the country, population is 1.5 million people), Eastern Ukraine (near Russia), former capital of the Soviet Ukraine (1918-1934) three Nobel prize winners worked at Kharkov University
About myself (II)  Professor at Information Technologies Security Department at Kharkov National University of Radioelectronics  courses on computer networks and operation system security, special mathematics for cryptographic applications  Head of Scientific Research Department at JSC “Institute of Information Technologies”  Scientific interests: symmetric cryptographic primitives synthesis and cryptanalysis  Visiting professor at Samsung Advanced Technology Training Institute  courses on computer networks and operation system security, software security, effective application and implementation of symmetric cryptography
Modern and effective solution: Advanced Encryption Standard (AES)  result of international public cryptographic competition (1997-2000)  had been chosen among 15 candidate ciphers (developed in the US, Belgium, Denmark, Germany, Israel, Japan, Switzerland, Armenia, etc.)  original name is Rijndael (developed by researchers from Belgium)  votes on 3rd AES conference had been given to this cipher, but the rest Twofish (US), MARS (US, IBM), E2 (Japan, Camellia predecessor), Serpent (Israel) are also remain strong  the most researched block cipher all over the world (2014, open publications)  basis for development of many other symmetric primitives
AES properties  block length 128 bits only (subset of Rijndael which supports 128, 192 and 256 bits)  key length is 128, 192 and 256 bits  uses Substitution-Permutation Network (SPN)  number of rounds (10,12,14) depends on key length  quite transparent design, algebraic structure (theoretically may be vulnerable to algebraic analysis)  quite effective in software (32-bit platforms) and hardware implementation
AES parameters: key length, block size, number of rounds
AES: presentation of processing bytes as a “cipher state”
AES: main steps running key schedule procedure: generation of all round keys running encryption or decryption procedure  or, for compact hardware implementation, sequential operations:  generation of the current round key  one encryption round
AES: high-level structure (pseudocode)
AES: high-level structure (picture for 128 bit key)
AES: SubBytes transformation
AES: ShiftRows transformation
AES: MixColumns transformation
AES: AddRoundKey transformation
AES round key generation (key expansion) NB: not all key length (128, 192, 256) must be supported; for many applications it’s enough to have the single key length
AES round key generation: RotWord
AES round key generation: SubBytes
AES round key generation: round constant application NB: without Rcon there would be equal blocks in ciphertext if plaintext and keys have equal blocks (1, 2 or 4 bytes repeats in plaintext and key)
AES round key sequence
AES decryption (direct presentation): reverse operations in different order
AES/Rijndael design goals  be extremely fast on 32 bit platforms (+++)  be compact on hardware implementation with small number of gates (++)  possibility to implement cipher on 8-bit smart- card processors actual for 1990th (++)  cryptographic strength (+)
Direct implementation of AES round function: SubBytes 16 operations (byte substitution)
Direct implementation of AES round function: ShiftRows 12 operations (byte permutation)
AES: MixColumns transformation 60 operations (logical and conditional):  3+ operations for each input byte (48+ total): • shift and conditional XOR (mult by 02) • XOR (mult by 03)  3 XORs for each row (12 total)
Direct implementation of AES round function  SubBytes: 16 operations (byte substitution)  ShiftRows: 12 operations (byte permutation)  MixColumns: 60 or even more operations (conditions will prevent effective pipelining)  AddRoundKey: 16 operations (logical) TOTAL: more than 102 operations per round
AES effective software implementation: 32-bit platform  three different operations can be united into the single (!) look-up table access:  SubBytes (non-linear)  ShiftRows (linear)  MixColumns (linear)  cipher consists of look-up table accesses and round key additions
AES effective software implementation: MixColumns Matrix multiplication: 7 operations (4 memory look-ups + 3 XORs) instead of 60:  32-bit XOR of 4 columns  each column depends on one input byte only  all 4 bytes in each column are precomputed and stored in advance
AES round function operations sequence variants: Original:  SubBytes  ShiftRows  MixColumns Equivalent:  ShiftRows  SubBytes  MixColumns
AES effective software implementation: MixColumns and SubBytes at one precomputed table SubBytes and MixColumns: 7 operations (4 memory look-ups + 3 XORs) total:  32-bit XOR of 4 columns  each column depends on one input byte only (already sent throw S-box)  all 4 bytes in each column are precomputed and stored in advance
Fragment of OpenSSL AES source code (based on Rijndael author's implementation) 4 tables are needed; size of each table is 256 * 4 = 1 kByte
Fragment of OpenSSL AES source code (based on Rijndael author's implementation) ShiftRows is implemented as usual shift and mask of 32-bit register; SubBytes and MixColumns are implemented as memory lookups (8 bit → 32 bit)
AES effective software implementation: extra memory optimization Decreasing memory amount: single table (1 kByte instead of 4 tables of 1 kB each)
Main table size for the fastest and compact optimized 32-bit AES implementation  fastest:  (4 bytes) x (256 different entries to S-box) x x (4 different positions for ShiftRow) == 4 kbytes  compact optimized:  (4 bytes) x (256 different entries to S-box) == == 1 kbyte  three additional operations in C ( << , >>, | or ^) are needed besides a table look-up NB: for reaching highest performance precomputed tables and processing data must fit into L1 processor cache (32-64kBytes for modern processors)
Number of 32-bit operations needed for a single block encryption at main transformation (having all round keys)  ( (4 look-up) + (3 xors) ) * (4 columns) == == 28 operations / round  4 xors with round keys == == 4 operations / round  (28 + 4) * (9 rounds) == 288 operations for high strength encryption of 9 rounds (!)  (16 operations on SubBytes) + (24 operations on ShiftRows) + (4 xors with round keys) == == 44 operations at last round
AES decryption: high-level structure (pseudocode)
AES decryption: optimization  SubBytes() and ShiftRows() transformations commute, their sequence can be chaged  The column mixing operations - MixColumns() and InvMixColumns() – are linear with respect to the column input, which means InvMixColumns(state xor Round Key) == InvMixColumns(state) xor InvMixColumns(Round Key)
AES optimized decryption with changed round keys
Additional details on AES implementation  two set of tables for encryption  main optimized set (MixColumns, ShiftRows and SubBytes)  separate S-box array for the last round  two set of tables for decryption (complexity is the same as for encryption)  main optimized set (InvMixColumns, InvShiftRows and InvSubBytes)  separate reverse S-box array for the last round NB: ECB decryption is not needed for the most block cipher modes of operation
Conclusions  direct AES implementation is very slow (requires many byte operations and conditions)  three different round function operations can be united into the single look-up table access  with effective implementation AES consists of look- up table accesses and round key additions  the fastest version AES requires 4 kB of memory for tables, fast but compact requires 1 kB  fast AES decryption operation has the same speed as encryption and uses changed order of round function operations with modified round keys

Recommended

Modified aes algorithm using multiple s boxes
Modified aes algorithm using multiple s boxesModified aes algorithm using multiple s boxes
Modified aes algorithm using multiple s boxeschuxuantinh
 
Twofish
TwofishTwofish
Twofishghanbarianm
 
Twofish algo
Twofish algoTwofish algo
Twofish algoAAQIB PARREY
 
PCIe DL_layer_3.0.1 (1)
PCIe DL_layer_3.0.1 (1)PCIe DL_layer_3.0.1 (1)
PCIe DL_layer_3.0.1 (1)Rakeshkumar Sachdev
 
Amba axi 29 3_2015
Amba axi 29 3_2015Amba axi 29 3_2015
Amba axi 29 3_2015kiemnhatminh
 
Unit 3 – assembly language programming
Unit 3 – assembly language programmingUnit 3 – assembly language programming
Unit 3 – assembly language programmingKartik Sharma
 
Algoritma Gost ( Computer Scurity )
Algoritma Gost ( Computer Scurity )Algoritma Gost ( Computer Scurity )
Algoritma Gost ( Computer Scurity )Er Erlyta
 
Verification of amba axi bus protocol implementing incr and wrap burst using ...
Verification of amba axi bus protocol implementing incr and wrap burst using ...Verification of amba axi bus protocol implementing incr and wrap burst using ...
Verification of amba axi bus protocol implementing incr and wrap burst using ...eSAT Journals
 

Recommended

Modified aes algorithm using multiple s boxes
Modified aes algorithm using multiple s boxesModified aes algorithm using multiple s boxes
Modified aes algorithm using multiple s boxeschuxuantinh
 
Twofish
TwofishTwofish
Twofishghanbarianm
 
Twofish algo
Twofish algoTwofish algo
Twofish algoAAQIB PARREY
 
PCIe DL_layer_3.0.1 (1)
PCIe DL_layer_3.0.1 (1)PCIe DL_layer_3.0.1 (1)
PCIe DL_layer_3.0.1 (1)Rakeshkumar Sachdev
 
Amba axi 29 3_2015
Amba axi 29 3_2015Amba axi 29 3_2015
Amba axi 29 3_2015kiemnhatminh
 
Unit 3 – assembly language programming
Unit 3 – assembly language programmingUnit 3 – assembly language programming
Unit 3 – assembly language programmingKartik Sharma
 
Algoritma Gost ( Computer Scurity )
Algoritma Gost ( Computer Scurity )Algoritma Gost ( Computer Scurity )
Algoritma Gost ( Computer Scurity )Er Erlyta
 
Verification of amba axi bus protocol implementing incr and wrap burst using ...
Verification of amba axi bus protocol implementing incr and wrap burst using ...Verification of amba axi bus protocol implementing incr and wrap burst using ...
Verification of amba axi bus protocol implementing incr and wrap burst using ...eSAT Journals
 
PCIe
PCIePCIe
PCIeChiaYang Tsai
 
Binary and hex input/output (in 8086 assembuly langyage)
Binary and hex input/output (in 8086 assembuly langyage)Binary and hex input/output (in 8086 assembuly langyage)
Binary and hex input/output (in 8086 assembuly langyage)Bilal Amjad
 
overview of register transfer, micro operations and basic computer organizati...
overview of register transfer, micro operations and basic computer organizati...overview of register transfer, micro operations and basic computer organizati...
overview of register transfer, micro operations and basic computer organizati...Rai University
 
Axi protocol
Axi protocolAxi protocol
Axi protocolAzad Mishra
 
Instruction set of 8086
Instruction set of 8086Instruction set of 8086
Instruction set of 8086Vijay Kumar
 
Arrays and addressing modes
Arrays and addressing modesArrays and addressing modes
Arrays and addressing modesBilal Amjad
 
Dlc{binary to gray code conversion} ppt
Dlc{binary to gray code conversion} pptDlc{binary to gray code conversion} ppt
Dlc{binary to gray code conversion} pptTanish Gupta
 
Yeni Başlayanlar için Blowfi̇sh Algoritması
Yeni Başlayanlar için Blowfi̇sh AlgoritmasıYeni Başlayanlar için Blowfi̇sh Algoritması
Yeni Başlayanlar için Blowfi̇sh AlgoritmasıENES B
 
Aes
AesAes
AesAravindharamanan S
 
Integers
IntegersIntegers
IntegersCalderside Academy
 
Topic5 advanced encryption standard (aes)
Topic5 advanced encryption standard (aes)Topic5 advanced encryption standard (aes)
Topic5 advanced encryption standard (aes)MdFazleRabbi18
 
modified aes algorithm using multiple s-boxes
modified aes algorithm using multiple s-boxesmodified aes algorithm using multiple s-boxes
modified aes algorithm using multiple s-boxeschutinhha
 
Assembly 8086
Assembly 8086Assembly 8086
Assembly 8086Mustafa Salah
 
Scrambling
ScramblingScrambling
Scramblinglaraibalvi1
 
Evolution of microprocessors
Evolution of microprocessorsEvolution of microprocessors
Evolution of microprocessorsHarshitParkar6677
 
ChaCha20-Poly1305 Cipher Summary - AdaLabs SPARKAda OpenSSH Ciphers
ChaCha20-Poly1305 Cipher Summary - AdaLabs SPARKAda OpenSSH CiphersChaCha20-Poly1305 Cipher Summary - AdaLabs SPARKAda OpenSSH Ciphers
ChaCha20-Poly1305 Cipher Summary - AdaLabs SPARKAda OpenSSH CiphersAdaLabs
 
Assembly language
Assembly language Assembly language
Assembly language Usama ahmad
 
Pc ie tl_layer (3)
Pc ie tl_layer (3)Pc ie tl_layer (3)
Pc ie tl_layer (3)Rakeshkumar Sachdev
 
SHA512.pptx
SHA512.pptxSHA512.pptx
SHA512.pptxssuserb4287c
 
Blowfish Şifreleme Algoritması
Blowfish Şifreleme AlgoritmasıBlowfish Şifreleme Algoritması
Blowfish Şifreleme AlgoritmasıEnes Caglar
 
Network Security Lec4
Network Security Lec4Network Security Lec4
Network Security Lec4Federal Urdu University
 
Aes
AesAes
AesManju Hegde
 

More Related Content

What's hot

Binary and hex input/output (in 8086 assembuly langyage)
Binary and hex input/output (in 8086 assembuly langyage)Binary and hex input/output (in 8086 assembuly langyage)
Binary and hex input/output (in 8086 assembuly langyage)Bilal Amjad
 
overview of register transfer, micro operations and basic computer organizati...
overview of register transfer, micro operations and basic computer organizati...overview of register transfer, micro operations and basic computer organizati...
overview of register transfer, micro operations and basic computer organizati...Rai University
 
Instruction set of 8086
Instruction set of 8086Instruction set of 8086
Instruction set of 8086Vijay Kumar
 
Arrays and addressing modes
Arrays and addressing modesArrays and addressing modes
Arrays and addressing modesBilal Amjad
 
Dlc{binary to gray code conversion} ppt
Dlc{binary to gray code conversion} pptDlc{binary to gray code conversion} ppt
Dlc{binary to gray code conversion} pptTanish Gupta
 
Yeni Başlayanlar için Blowfi̇sh Algoritması
Yeni Başlayanlar için Blowfi̇sh AlgoritmasıYeni Başlayanlar için Blowfi̇sh Algoritması
Yeni Başlayanlar için Blowfi̇sh AlgoritmasıENES B
 
Topic5 advanced encryption standard (aes)
Topic5 advanced encryption standard (aes)Topic5 advanced encryption standard (aes)
Topic5 advanced encryption standard (aes)MdFazleRabbi18
 
modified aes algorithm using multiple s-boxes
modified aes algorithm using multiple s-boxesmodified aes algorithm using multiple s-boxes
modified aes algorithm using multiple s-boxeschutinhha
 
Evolution of microprocessors
Evolution of microprocessorsEvolution of microprocessors
Evolution of microprocessorsHarshitParkar6677
 
ChaCha20-Poly1305 Cipher Summary - AdaLabs SPARKAda OpenSSH Ciphers
ChaCha20-Poly1305 Cipher Summary - AdaLabs SPARKAda OpenSSH CiphersChaCha20-Poly1305 Cipher Summary - AdaLabs SPARKAda OpenSSH Ciphers
ChaCha20-Poly1305 Cipher Summary - AdaLabs SPARKAda OpenSSH CiphersAdaLabs
 
Assembly language
Assembly language Assembly language
Assembly language Usama ahmad
 
Blowfish Şifreleme Algoritması
Blowfish Şifreleme AlgoritmasıBlowfish Şifreleme Algoritması
Blowfish Şifreleme AlgoritmasıEnes Caglar
 

What's hot (20)

PCIe
PCIePCIe
PCIe
 
Binary and hex input/output (in 8086 assembuly langyage)
Binary and hex input/output (in 8086 assembuly langyage)Binary and hex input/output (in 8086 assembuly langyage)
Binary and hex input/output (in 8086 assembuly langyage)
 
overview of register transfer, micro operations and basic computer organizati...
overview of register transfer, micro operations and basic computer organizati...overview of register transfer, micro operations and basic computer organizati...
overview of register transfer, micro operations and basic computer organizati...
 
Axi protocol
Axi protocolAxi protocol
Axi protocol
 
Instruction set of 8086
Instruction set of 8086Instruction set of 8086
Instruction set of 8086
 
Arrays and addressing modes
Arrays and addressing modesArrays and addressing modes
Arrays and addressing modes
 
Dlc{binary to gray code conversion} ppt
Dlc{binary to gray code conversion} pptDlc{binary to gray code conversion} ppt
Dlc{binary to gray code conversion} ppt
 
Yeni Başlayanlar için Blowfi̇sh Algoritması
Yeni Başlayanlar için Blowfi̇sh AlgoritmasıYeni Başlayanlar için Blowfi̇sh Algoritması
Yeni Başlayanlar için Blowfi̇sh Algoritması
 
Aes
AesAes
Aes
 
Integers
IntegersIntegers
Integers
 
Topic5 advanced encryption standard (aes)
Topic5 advanced encryption standard (aes)Topic5 advanced encryption standard (aes)
Topic5 advanced encryption standard (aes)
 
modified aes algorithm using multiple s-boxes
modified aes algorithm using multiple s-boxesmodified aes algorithm using multiple s-boxes
modified aes algorithm using multiple s-boxes
 
Assembly 8086
Assembly 8086Assembly 8086
Assembly 8086
 
Scrambling
ScramblingScrambling
Scrambling
 
Evolution of microprocessors
Evolution of microprocessorsEvolution of microprocessors
Evolution of microprocessors
 
ChaCha20-Poly1305 Cipher Summary - AdaLabs SPARKAda OpenSSH Ciphers
ChaCha20-Poly1305 Cipher Summary - AdaLabs SPARKAda OpenSSH CiphersChaCha20-Poly1305 Cipher Summary - AdaLabs SPARKAda OpenSSH Ciphers
ChaCha20-Poly1305 Cipher Summary - AdaLabs SPARKAda OpenSSH Ciphers
 
Assembly language
Assembly language Assembly language
Assembly language
 
Pc ie tl_layer (3)
Pc ie tl_layer (3)Pc ie tl_layer (3)
Pc ie tl_layer (3)
 
SHA512.pptx
SHA512.pptxSHA512.pptx
SHA512.pptx
 
Blowfish Şifreleme Algoritması
Blowfish Şifreleme AlgoritmasıBlowfish Şifreleme Algoritması
Blowfish Şifreleme Algoritması
 

Similar to AES effecitve software implementation

AES (Intro Advanced Encryption Standard).pptx
AES (Intro Advanced Encryption Standard).pptxAES (Intro Advanced Encryption Standard).pptx
AES (Intro Advanced Encryption Standard).pptxssuser0a47f0
 
Computer security module 2
Computer security module 2Computer security module 2
Computer security module 2Deepak John
 
Next generation block ciphers
Next generation block ciphersNext generation block ciphers
Next generation block ciphersRoman Oliynykov
 
A design of a fast parallel pipelined implementation of aes advanced encrypti...
A design of a fast parallel pipelined implementation of aes advanced encrypti...A design of a fast parallel pipelined implementation of aes advanced encrypti...
A design of a fast parallel pipelined implementation of aes advanced encrypti...ijcsit
 
A VHDL Implemetation of the Advanced Encryption Standard-Rijndael.pdf
A VHDL Implemetation of the Advanced Encryption Standard-Rijndael.pdfA VHDL Implemetation of the Advanced Encryption Standard-Rijndael.pdf
A VHDL Implemetation of the Advanced Encryption Standard-Rijndael.pdfRamRaja15
 
Renas Rajab Asaad
Renas Rajab Asaad Renas Rajab Asaad
Renas Rajab Asaad Renas Rekany
 
Aes 128 192_256_bits_project_report
Aes 128 192_256_bits_project_reportAes 128 192_256_bits_project_report
Aes 128 192_256_bits_project_reportsakhi rehman
 

Similar to AES effecitve software implementation (20)

Network Security Lec4
Network Security Lec4Network Security Lec4
Network Security Lec4
 
Aes
AesAes
Aes
 
icwet1097
icwet1097icwet1097
icwet1097
 
AES (Intro Advanced Encryption Standard).pptx
AES (Intro Advanced Encryption Standard).pptxAES (Intro Advanced Encryption Standard).pptx
AES (Intro Advanced Encryption Standard).pptx
 
Computer security module 2
Computer security module 2Computer security module 2
Computer security module 2
 
sheet7.pdf
sheet7.pdfsheet7.pdf
sheet7.pdf
 
paper7.pdf
paper7.pdfpaper7.pdf
paper7.pdf
 
lecture6.pdf
lecture6.pdflecture6.pdf
lecture6.pdf
 
doc7.pdf
doc7.pdfdoc7.pdf
doc7.pdf
 
Next generation block ciphers
Next generation block ciphersNext generation block ciphers
Next generation block ciphers
 
Ch05
Ch05Ch05
Ch05
 
Unit -2.ppt
Unit -2.pptUnit -2.ppt
Unit -2.ppt
 
Network security cs5
Network security cs5Network security cs5
Network security cs5
 
A design of a fast parallel pipelined implementation of aes advanced encrypti...
A design of a fast parallel pipelined implementation of aes advanced encrypti...A design of a fast parallel pipelined implementation of aes advanced encrypti...
A design of a fast parallel pipelined implementation of aes advanced encrypti...
 
A VHDL Implemetation of the Advanced Encryption Standard-Rijndael.pdf
A VHDL Implemetation of the Advanced Encryption Standard-Rijndael.pdfA VHDL Implemetation of the Advanced Encryption Standard-Rijndael.pdf
A VHDL Implemetation of the Advanced Encryption Standard-Rijndael.pdf
 
Renas Rajab Asaad
Renas Rajab Asaad Renas Rajab Asaad
Renas Rajab Asaad
 
Aes
AesAes
Aes
 
Aes 128 192_256_bits_project_report
Aes 128 192_256_bits_project_reportAes 128 192_256_bits_project_report
Aes 128 192_256_bits_project_report
 
AES.ppt
AES.pptAES.ppt
AES.ppt
 
11
1111
11
 

More from Roman Oliynykov

Cryptocurrency with central bank regulations: the RSCoin framework
Cryptocurrency with central bank regulations: the RSCoin frameworkCryptocurrency with central bank regulations: the RSCoin framework
Cryptocurrency with central bank regulations: the RSCoin frameworkRoman Oliynykov
 
Buffer overflow and other software vulnerabilities: theory and practice of pr...
Buffer overflow and other software vulnerabilities: theory and practice of pr...Buffer overflow and other software vulnerabilities: theory and practice of pr...
Buffer overflow and other software vulnerabilities: theory and practice of pr...Roman Oliynykov
 
Kalyna block cipher presentation in English
Kalyna block cipher presentation in EnglishKalyna block cipher presentation in English
Kalyna block cipher presentation in EnglishRoman Oliynykov
 
Block Ciphers Modes of Operation
Block Ciphers Modes of OperationBlock Ciphers Modes of Operation
Block Ciphers Modes of OperationRoman Oliynykov
 

More from Roman Oliynykov (8)

Cryptocurrency with central bank regulations: the RSCoin framework
Cryptocurrency with central bank regulations: the RSCoin frameworkCryptocurrency with central bank regulations: the RSCoin framework
Cryptocurrency with central bank regulations: the RSCoin framework
 
Buffer overflow and other software vulnerabilities: theory and practice of pr...
Buffer overflow and other software vulnerabilities: theory and practice of pr...Buffer overflow and other software vulnerabilities: theory and practice of pr...
Buffer overflow and other software vulnerabilities: theory and practice of pr...
 
Kalyna block cipher presentation in English
Kalyna block cipher presentation in EnglishKalyna block cipher presentation in English
Kalyna block cipher presentation in English
 
Software Security
Software SecuritySoftware Security
Software Security
 
Block Ciphers Modes of Operation
Block Ciphers Modes of OperationBlock Ciphers Modes of Operation
Block Ciphers Modes of Operation
 
Kupyna
KupynaKupyna
Kupyna
 
Kalyna
KalynaKalyna
Kalyna
 
Software security
Software securitySoftware security
Software security
 

Recently uploaded

Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$kojalkojal131
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Roomgirls4nights
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Roomdivyansh0kumar0
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Sheetaleventcompany
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsThierry TROUIN ☁
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Roomdivyansh0kumar0
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...SofiyaSharma5
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)Damian Radcliffe
 

Recently uploaded (20)

Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
 
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with Flows
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)
 
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 

AES effecitve software implementation

  • 1. Effective Software Implementation of Advanced Encryption Standard December 2014 Roman Oliynykov Professor at Information Technologies Security Department Kharkov National University of Radioelectronics Head of Scientific Research Department JSC “Institute of Information Technologies” Ukraine Visiting professor at Samsung Advanced Technology Training Institute Korea ROliynykov@gmail.com
  • 2. Outline  A few words about myself  Brief history of AES/Rijndael  AES properties  Direct AES implementation and problems with it  Methods for effective encryption implementation (proposed by Rijndael authors in their submission to AES competition)  Decryption optimization  Conclusions
  • 3. About myself (I)  I’m from Ukraine (Eastern part of Europe), host country of Euro2012 football championship  I live in Kharkov (the second biggest city in the country, population is 1.5 million people), Eastern Ukraine (near Russia), former capital of the Soviet Ukraine (1918-1934) three Nobel prize winners worked at Kharkov University
  • 4. About myself (II)  Professor at Information Technologies Security Department at Kharkov National University of Radioelectronics  courses on computer networks and operation system security, special mathematics for cryptographic applications  Head of Scientific Research Department at JSC “Institute of Information Technologies”  Scientific interests: symmetric cryptographic primitives synthesis and cryptanalysis  Visiting professor at Samsung Advanced Technology Training Institute  courses on computer networks and operation system security, software security, effective application and implementation of symmetric cryptography
  • 5. Modern and effective solution: Advanced Encryption Standard (AES)  result of international public cryptographic competition (1997-2000)  had been chosen among 15 candidate ciphers (developed in the US, Belgium, Denmark, Germany, Israel, Japan, Switzerland, Armenia, etc.)  original name is Rijndael (developed by researchers from Belgium)  votes on 3rd AES conference had been given to this cipher, but the rest Twofish (US), MARS (US, IBM), E2 (Japan, Camellia predecessor), Serpent (Israel) are also remain strong  the most researched block cipher all over the world (2014, open publications)  basis for development of many other symmetric primitives
  • 6. AES properties  block length 128 bits only (subset of Rijndael which supports 128, 192 and 256 bits)  key length is 128, 192 and 256 bits  uses Substitution-Permutation Network (SPN)  number of rounds (10,12,14) depends on key length  quite transparent design, algebraic structure (theoretically may be vulnerable to algebraic analysis)  quite effective in software (32-bit platforms) and hardware implementation
  • 7. AES parameters: key length, block size, number of rounds
  • 8. AES: presentation of processing bytes as a “cipher state”
  • 9. AES: main steps running key schedule procedure: generation of all round keys running encryption or decryption procedure  or, for compact hardware implementation, sequential operations:  generation of the current round key  one encryption round
  • 16. AES round key generation (key expansion) NB: not all key length (128, 192, 256) must be supported; for many applications it’s enough to have the single key length
  • 17. AES round key generation: RotWord
  • 18. AES round key generation: SubBytes
  • 19. AES round key generation: round constant application NB: without Rcon there would be equal blocks in ciphertext if plaintext and keys have equal blocks (1, 2 or 4 bytes repeats in plaintext and key)
  • 20. AES round key sequence
  • 21. AES decryption (direct presentation): reverse operations in different order
  • 22. AES/Rijndael design goals  be extremely fast on 32 bit platforms (+++)  be compact on hardware implementation with small number of gates (++)  possibility to implement cipher on 8-bit smart- card processors actual for 1990th (++)  cryptographic strength (+)
  • 23. Direct implementation of AES round function: SubBytes 16 operations (byte substitution)
  • 24. Direct implementation of AES round function: ShiftRows 12 operations (byte permutation)
  • 25. AES: MixColumns transformation 60 operations (logical and conditional):  3+ operations for each input byte (48+ total): • shift and conditional XOR (mult by 02) • XOR (mult by 03)  3 XORs for each row (12 total)
  • 26. Direct implementation of AES round function  SubBytes: 16 operations (byte substitution)  ShiftRows: 12 operations (byte permutation)  MixColumns: 60 or even more operations (conditions will prevent effective pipelining)  AddRoundKey: 16 operations (logical) TOTAL: more than 102 operations per round
  • 27. AES effective software implementation: 32-bit platform  three different operations can be united into the single (!) look-up table access:  SubBytes (non-linear)  ShiftRows (linear)  MixColumns (linear)  cipher consists of look-up table accesses and round key additions
  • 28. AES effective software implementation: MixColumns Matrix multiplication: 7 operations (4 memory look-ups + 3 XORs) instead of 60:  32-bit XOR of 4 columns  each column depends on one input byte only  all 4 bytes in each column are precomputed and stored in advance
  • 29. AES round function operations sequence variants: Original:  SubBytes  ShiftRows  MixColumns Equivalent:  ShiftRows  SubBytes  MixColumns
  • 30. AES effective software implementation: MixColumns and SubBytes at one precomputed table SubBytes and MixColumns: 7 operations (4 memory look-ups + 3 XORs) total:  32-bit XOR of 4 columns  each column depends on one input byte only (already sent throw S-box)  all 4 bytes in each column are precomputed and stored in advance
  • 31. Fragment of OpenSSL AES source code (based on Rijndael author's implementation) 4 tables are needed; size of each table is 256 * 4 = 1 kByte
  • 32. Fragment of OpenSSL AES source code (based on Rijndael author's implementation) ShiftRows is implemented as usual shift and mask of 32-bit register; SubBytes and MixColumns are implemented as memory lookups (8 bit → 32 bit)
  • 33. AES effective software implementation: extra memory optimization Decreasing memory amount: single table (1 kByte instead of 4 tables of 1 kB each)
  • 34. Main table size for the fastest and compact optimized 32-bit AES implementation  fastest:  (4 bytes) x (256 different entries to S-box) x x (4 different positions for ShiftRow) == 4 kbytes  compact optimized:  (4 bytes) x (256 different entries to S-box) == == 1 kbyte  three additional operations in C ( << , >>, | or ^) are needed besides a table look-up NB: for reaching highest performance precomputed tables and processing data must fit into L1 processor cache (32-64kBytes for modern processors)
  • 35. Number of 32-bit operations needed for a single block encryption at main transformation (having all round keys)  ( (4 look-up) + (3 xors) ) * (4 columns) == == 28 operations / round  4 xors with round keys == == 4 operations / round  (28 + 4) * (9 rounds) == 288 operations for high strength encryption of 9 rounds (!)  (16 operations on SubBytes) + (24 operations on ShiftRows) + (4 xors with round keys) == == 44 operations at last round
  • 37. AES decryption: optimization  SubBytes() and ShiftRows() transformations commute, their sequence can be chaged  The column mixing operations - MixColumns() and InvMixColumns() – are linear with respect to the column input, which means InvMixColumns(state xor Round Key) == InvMixColumns(state) xor InvMixColumns(Round Key)
  • 38. AES optimized decryption with changed round keys
  • 39. Additional details on AES implementation  two set of tables for encryption  main optimized set (MixColumns, ShiftRows and SubBytes)  separate S-box array for the last round  two set of tables for decryption (complexity is the same as for encryption)  main optimized set (InvMixColumns, InvShiftRows and InvSubBytes)  separate reverse S-box array for the last round NB: ECB decryption is not needed for the most block cipher modes of operation
  • 40. Conclusions  direct AES implementation is very slow (requires many byte operations and conditions)  three different round function operations can be united into the single look-up table access  with effective implementation AES consists of look- up table accesses and round key additions  the fastest version AES requires 4 kB of memory for tables, fast but compact requires 1 kB  fast AES decryption operation has the same speed as encryption and uses changed order of round function operations with modified round keys