Cryptographic Engineering
Çetin Kaya Koç
Editor
Editor
Çetin Kaya Koç
City University of Istanbul
Tophane, Istanbul
Turkey
and
University of California Santa Barbara
Santa Barbara, CA
USA
ISBN: 978-0-387-71816-3    e-ISBN: 978-0-387-71817-0
DOI 10.1007/978-0-387-71817-0
Library of Congress Control Number: 2008935379
© Springer Science+Business Media, LLC 2009
All rights reserved. This work may not be translated or copied in whole or in part without the written permission of the publisher (Springer Science+Business Media, LLC, 233 Spring Street, New York, NY 10013, USA), except for brief excerpts in connection with reviews or scholarly analysis. Use in connection with any form of information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed is forbidden.
The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.
While the advice and information in this book are believed to be true and accurate at the date of going to press, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein.
Printed on acid-free paper
springer.com
To all scientists and engineers whose ideas gave birth to modern cryptography, particularly, Claude Shannon, Whit Diffie, Martin Hellman, Ralph Merkle, Don Coppersmith, Ron Rivest, Adi Shamir, Len Adleman, and Neal Koblitz.
Preface

Cryptography is an ancient art. Chinese, Roman, and Arab cultures often used ciphers to protect military and state communications or secret society documents. Cryptographic engineering, on the other hand, is a relatively new subject. A cryptographic engineer designs, implements, tests, validates, and sometimes reverse-engineers or attempts to break cryptographic systems. The designers of Enigma, an electromechanical cipher machine, were cryptographic engineers; so was Alan Turing, who contributed to its cryptanalysis. In our view, anyone who designs and builds electromechanical, electronic, or quantum-mechanical systems in order to encrypt, decrypt, sign or authenticate data is a cryptographic engineer. However, in this book we have narrowed our definition to only electronic systems, specifically, hardware and software systems.

Cryptographic engineering is a complicated, multidisciplinary field. It encompasses mathematics (algebra, finite groups, rings, and fields), electrical engineering (hardware design, ASIC, FPGAs) and computer science (algorithms, complexity theory, software design, embedded systems). It is rather difficult to be a master of all subjects; one usually has to be content with being a master of one. In order to practice state-of-the-art cryptographic design, mathematicians, computer scientists, and electrical engineers need to collaborate.

This book was born out of the class notes of the lecturers who have been meeting since 2002 in Lausanne, Switzerland, at the campus of EPFL, to teach a one-week course to graduate students, faculty, and researchers from academia, and engineers from industry. In order to create this book, I compiled the lecture notes together, wrote some of the material, and also invited other prominent researchers to contribute. This book is intended to constitute a first step towards becoming a cryptographic engineer. We hope that it will successfully serve its purpose.

Istanbul & Santa Barbara    Çetin Kaya Koç
Contents

1 About Cryptographic Engineering ..... 1
Çetin Kaya Koç
   1.1 Introduction ..... 1
   1.2 Chapter Contents ..... 2
   1.3 Exercises and Projects ..... 4

2 Random Number Generators for Cryptographic Applications ..... 5
Werner Schindler
   2.1 Introduction ..... 5
   2.2 General Requirements ..... 6
   2.3 Classification ..... 7
   2.4 Deterministic Random Number Generators (DRNGs) ..... 7
      2.4.1 Pure DRNGs ..... 8
      2.4.2 Hybrid DRNGs ..... 11
      2.4.3 A Word of Warning ..... 13
   2.5 Physical True Random Number Generators (PTRNGs) ..... 14
      2.5.1 The Generic Design ..... 14
      2.5.2 Entropy and Guesswork ..... 16
   2.6 Non-physical True Random Number Generators (NPTRNGs): Basic Properties ..... 18
   2.7 Standards and Evaluation Guidances ..... 20
   2.8 Exercises ..... 20
   2.9 Projects ..... 21
   References ..... 21

3 Evaluation Criteria for Physical Random Number Generators ..... 25
Werner Schindler
   3.1 Introduction ..... 25
   3.2 Generic Design ..... 26
   3.3 Evaluation Criteria for the Principle Design ..... 27
   3.4 The Stochastic Model ..... 29
   3.5 Algorithmic Postprocessing ..... 37
   3.6 Online Test, Tot Test, and Self Test ..... 41
      3.6.1 Online Tests ..... 42
   3.7 Alternative Security Philosophies ..... 49
   3.8 Side-channel Attacks and Fault Attacks ..... 50
   3.9 Exercises ..... 51
   3.10 Projects ..... 51
   References ..... 52

4 True Random Number Generators for Cryptography ..... 55
Berk Sunar
   4.1 Introduction ..... 55
   4.2 TRNG Building Blocks ..... 56
   4.3 Desirable Features ..... 57
   4.4 Survey of TRNG Designs ..... 57
      4.4.1 Baggini and Bucci ..... 58
      4.4.2 The Intel TRNG Design ..... 58
      4.4.3 The Tkacik TRNG Design ..... 59
      4.4.4 The Epstein et al. TRNG Design ..... 60
      4.4.5 The Fischer–Drutarovský Design ..... 61
      4.4.6 The Golić FIGARO Design ..... 62
      4.4.7 The Kohlbrenner–Gaj Design ..... 63
      4.4.8 The Bucci–Luzzi Testable TRNG Design Framework ..... 64
      4.4.9 The Rings Design ..... 65
      4.4.10 The PUF–RNG Design ..... 66
      4.4.11 The Yoo et al. Design ..... 67
      4.4.12 The Dichtl and Golić RNG Design ..... 67
   4.5 Postprocessing Techniques ..... 68
   4.6 Exercises ..... 70
   References ..... 71

5 Fast Finite Field Multiplication ..... 75
Serdar Süer Erdem, Tuğrul Yanık, and Çetin Kaya Koç
   5.1 Introduction ..... 75
   5.2 Finite Fields ..... 76
   5.3 Multiplication in Prime Fields ..... 77
      5.3.1 Integer Multiplication ..... 78
      5.3.2 Integer Squaring ..... 80
      5.3.3 Integer Modular Reduction ..... 80
   5.4 Multiplication in Binary Extension Fields ..... 87
      5.4.1 Polynomial Multiplication over F_2 ..... 88
      5.4.2 Polynomial Squaring over F_2 ..... 90
      5.4.3 Polynomial Modular Reduction over F_2 ..... 90
   5.5 Multiplication in General Extension Fields ..... 96
      5.5.1 Field Multiplication in OEF ..... 97
      5.5.2 Coefficient Multiplication and Reductions ..... 98
   5.6 Karatsuba–Ofman Algorithm ..... 99
      5.6.1 Complexity ..... 100
      5.6.2 Number of Scalar Multiplications ..... 100
   5.7 Exercises ..... 102
   5.8 Projects ..... 103
   References ..... 103

6 Efficient Unified Arithmetic for Hardware Cryptography ..... 105
Erkay Savaş and Çetin Kaya Koç
   6.1 Introduction ..... 105
   6.2 Fundamentals of Extension Fields ..... 106
   6.3 Addition and Subtraction ..... 107
   6.4 Multiplication ..... 110
      6.4.1 Montgomery Multiplication Algorithm ..... 110
      6.4.2 Dual-Radix Multiplier ..... 116
      6.4.3 Support for Ternary Extension Fields, GF(3^n) ..... 118
   6.5 Inversion ..... 119
      6.5.1 Montgomery Inversion for GF(p) and GF(2^n) ..... 119
   6.6 Conclusions ..... 122
   6.7 Exercises ..... 122
   6.8 Projects ..... 123
   References ..... 123

7 Spectral Modular Arithmetic for Cryptography ..... 125
Gökay Saldamlı and Çetin Kaya Koç
   7.1 Introduction ..... 125
   7.2 Notation and Background ..... 126
      7.2.1 Evaluation Polynomials ..... 126
      7.2.2 Discrete Fourier Transform (DFT) ..... 129
      7.2.3 Properties of DFT: Time–frequency dictionary ..... 131
   7.3 Spectral Modular Arithmetic ..... 135
      7.3.1 Time Simulations and Spectral Algorithms ..... 135
      7.3.2 Modular Reduction ..... 136
      7.3.3 Spectral Modular Reduction ..... 137
      7.3.4 Time Simulation of Spectral Modular Reduction ..... 139
      7.3.5 Spectral Modular Reduction in a Finite Ring Spectrum ..... 141
      7.3.6 Spectral Modular Multiplication (SMM) ..... 143
      7.3.7 Spectral Modular Exponentiation ..... 145
      7.3.8 Illustrative Example ..... 149
   7.4 Applications to Cryptography ..... 153
      7.4.1 Mersenne and Fermat rings ..... 154
      7.4.2 Pseudo Number Transforms ..... 155
      7.4.3 Parameter Selection for RSA ..... 156
      7.4.4 Parameter Selection for ECC over Prime Fields ..... 157
   7.5 Spectral Extension Field Arithmetic ..... 158
      7.5.1 Binary Extension Fields ..... 158
      7.5.2 Midsize Characteristic Extension Fields ..... 161
      7.5.3 Parameter Selection for ECC over Extension Fields ..... 164
   7.6 Notes ..... 165
   7.7 Exercises ..... 166
   7.8 Projects ..... 167
   References ..... 168

8 Elliptic and Hyperelliptic Curve Cryptography ..... 171
Nigel Boston and Matthew Darnall
   8.1 Introduction ..... 171
   8.2 Diffie–Hellman Key Exchange ..... 172
   8.3 Introduction to Elliptic and Hyperelliptic Curves ..... 172
   8.4 The Jacobian of a Curve ..... 173
      8.4.1 The Principal Subgroup and Jac(C) ..... 174
   8.5 Computing on Jac(C) ..... 174
   8.6 Group Law for Elliptic Curves ..... 176
   8.7 Techniques for Computations in Hyperelliptic Curves ..... 178
      8.7.1 Explicit Formulae ..... 178
      8.7.2 Projective Coordinates ..... 178
      8.7.3 Other Optimization Techniques ..... 179
   8.8 Counting Points on Jac(C) ..... 179
   8.9 Attacks ..... 181
      8.9.1 Baby-Step Giant-Step Attack ..... 181
      8.9.2 Pollard Rho and Lambda Attacks ..... 181
      8.9.3 Pohlig–Hellman Attack ..... 182
      8.9.4 Menezes–Okamoto–Vanstone Attack ..... 182
      8.9.5 Semaev, Satoh-Araki, Smart Attack ..... 183
      8.9.6 Attacks employing Weil descent ..... 183
   8.10 Good Curves ..... 184
   8.11 Exercises ..... 184
   8.12 Projects ..... 185
   References ..... 185

9 Instruction Set Extensions for Cryptographic Applications ..... 191
Sandro Bartolini, Roberto Giorgi, and Enrico Martinelli
   9.1 Introduction ..... 191
      9.1.1 Instruction Set Architecture ..... 191
   9.2 Applications and Benchmarks ..... 194
      9.2.1 Benchmarks ..... 195
      9.2.2 Potential Performance ..... 195
   9.3 ISE for Cryptographic Applications ..... 196
      9.3.1 Instructions for Information Confusion and Diffusion ..... 196
      9.3.2 ISE for AES ..... 203
      9.3.3 ISE for ECC applications ..... 212
   9.4 Exercises ..... 227
   9.5 Projects ..... 228
   References ..... 229
10 FPGA and ASIC Implementations of AES ..... 235
Kris Gaj and Pawel Chodowiec
   10.1 Introduction ..... 235
   10.2 AES Cipher Description ..... 236
      10.2.1 Basic Features ..... 236
      10.2.2 Round Operations ..... 237
      10.2.3 Iterative Structure ..... 242
      10.2.4 Key Scheduling ..... 243
   10.3 FPGA and ASIC Technologies ..... 247
   10.4 Parameters of Hardware Implementations ..... 250
      10.4.1 Throughput and Latency ..... 250
      10.4.2 Area ..... 250
   10.5 Hardware Architectures of Symmetric Block Ciphers ..... 251
      10.5.1 Hardware Architectures vs. Block Cipher Modes of Operation ..... 251
      10.5.2 Basic Iterative Architecture ..... 252
      10.5.3 Loop Unrolling ..... 253
      10.5.4 Pipelining ..... 254
      10.5.5 Limits on the Maximum Clock Frequency of Pipelined Architectures ..... 258
      10.5.6 Compact Architectures with Resource Sharing ..... 260
   10.6 Implementation of Basic Operations of AES in Hardware ..... 261
      10.6.1 SubBytes and InvSubBytes ..... 261
      10.6.2 MixColumns and InvMixColumns ..... 270
   10.7 Hardware Architectures of a Single Round of AES ..... 274
      10.7.1 S-Box-Based Architecture ..... 274
      10.7.2 T-Box-Based Architecture ..... 276
      10.7.3 Compact Architectures ..... 282
   10.8 Implementation of Key Scheduling ..... 286
   10.9 Optimum Choice of a Hardware Architecture for AES ..... 286
   10.10 Exercises ..... 289
   10.11 Projects ..... 290
   References ..... 291

11 Secure and Efficient Implementation of Symmetric Encryption Schemes using FPGAs ..... 295
François-Xavier Standaert
   11.1 Introduction ..... 295
   11.2 Efficient FPGA Implementations ..... 297
      11.2.1 Exploiting the Slice Structure ..... 297
      11.2.2 Exploiting Embedded Blocks ..... 300
      11.2.3 Exploiting Further Features ..... 302
      11.2.4 Combining the Tricks: The Flexibility Versus Efficiency Tradeoff ..... 303
   11.3 Fair Evaluation of a Cryptographic FPGA Design ..... 303