Security of Block Ciphers: From Algorithm Design to Hardware Implementation PDF

312 Pages·2015·17.75 MB·English

Preview Security of Block Ciphers: From Algorithm Design to Hardware Implementation

SECURITY OF BLOCK CIPHERS
FROM ALGORITHM DESIGN TO HARDWARE IMPLEMENTATION

Kazuo Sakiyama, The University of Electro-Communications, Japan
Yu Sasaki, NTT Secure Platform Laboratories, Japan
Yang Li, Nanjing University of Aeronautics and Astronautics, China

This edition first published 2015
© 2015 John Wiley & Sons Singapore Pte. Ltd.

Registered office
John Wiley & Sons Singapore Pte. Ltd., 1 Fusionopolis Walk, #07-01 Solaris South Tower, Singapore 138628.

For details of our global editorial offices, for customer services and for information about how to apply for permission to reuse the copyright material in this book please see our website at www.wiley.com.

All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as expressly permitted by law, without either the prior written permission of the Publisher, or authorization through payment of the appropriate photocopy fee to the Copyright Clearance Center. Requests for permission should be addressed to the Publisher, John Wiley & Sons Singapore Pte. Ltd., 1 Fusionopolis Walk, #07-01 Solaris South Tower, Singapore 138628, tel: 65-66438000, fax: 65-66438008, email: [email protected].

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Designations used by companies to distinguish their products are often claimed as trademarks. All brand names and product names used in this book are trade names, service marks, trademarks or registered trademarks of their respective owners. The Publisher is not associated with any product or vendor mentioned in this book. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold on the understanding that the Publisher is not engaged in rendering professional services. If professional advice or other expert assistance is required, the services of a competent professional should be sought.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. It is sold on the understanding that the publisher is not engaged in rendering professional services and neither the publisher nor the author shall be liable for damages arising herefrom. If professional advice or other expert assistance is required, the services of a competent professional should be sought.

Library of Congress Cataloging-in-Publication Data

Sakiyama, Kazuo, 1971-
Security of block ciphers : from algorithm design to hardware implementation / Kazuo Sakiyama, Yu Sasaki, Yang Li.
pages cm
Includes bibliographical references and index.
ISBN 978-1-118-66001-0 (cloth)
1. Computer security–Mathematics. 2. Data encryption (Computer science) 3. Ciphers. 4. Computer algorithms. I. Sasaki, Yu. II. Li, Yang, 1986- III. Title.
QA76.9.A25S256 2015
005.8′2–dc23
2015019381

Typeset in 10/12pt, Times LT Std by SPi Global, Chennai, India

1 2015

Contents

Preface
About the Authors

1 Introduction to Block Ciphers
  1.1 Block Cipher in Cryptology
    1.1.1 Introduction
    1.1.2 Symmetric-Key Ciphers
    1.1.3 Efficient Block Cipher Design
  1.2 Boolean Function and Galois Field
    1.2.1 INV, OR, AND, and XOR Operators
    1.2.2 Galois Field
    1.2.3 Extended Binary Field and Representation of Elements
  1.3 Linear and Nonlinear Functions in Boolean Algebra
    1.3.1 Linear Functions
    1.3.2 Nonlinear Functions
  1.4 Linear and Nonlinear Functions in Block Cipher
    1.4.1 Nonlinear Layer
    1.4.2 Linear Layer
    1.4.3 Substitution-Permutation Network (SPN)
  1.5 Advanced Encryption Standard (AES)
    1.5.1 Specification of AES-128 Encryption
    1.5.2 AES-128 Decryption
    1.5.3 Specification of AES-192 and AES-256
    1.5.4 Notations to Describe AES-128
  Further Reading

2 Introduction to Digital Circuits
  2.1 Basics of Modern Digital Circuits
    2.1.1 Digital Circuit Design Method
    2.1.2 Synchronous-Style Design Flow
    2.1.3 Hierarchy in Digital Circuit Design
  2.2 Classification of Signals in Digital Circuits
    2.2.1 Clock Signal
    2.2.2 Reset Signal
    2.2.3 Data Signal
  2.3 Basics of Digital Logics and Functional Modules
    2.3.1 Combinatorial Logics
    2.3.2 Sequential Logics
    2.3.3 Controller and Datapath Modules
  2.4 Memory Modules
    2.4.1 Single-Port SRAM
    2.4.2 Register File
  2.5 Signal Delay and Timing Analysis
    2.5.1 Signal Delay
    2.5.2 Static Timing Analysis and Dynamic Timing Analysis
  2.6 Cost and Performance of Digital Circuits
    2.6.1 Area Cost
    2.6.2 Latency and Throughput
  Further Reading

3 Hardware Implementations for Block Ciphers
  3.1 Parallel Architecture
    3.1.1 Comparison between Serial and Parallel Architectures
    3.1.2 Algorithm Optimization for Parallel Architectures
  3.2 Loop Architecture
    3.2.1 Straightforward (Loop-Unrolled) Architecture
    3.2.2 Basic Loop Architecture
  3.3 Pipeline Architecture
    3.3.1 Pipeline Architecture for Block Ciphers
    3.3.2 Advanced Pipeline Architecture for Block Ciphers
  3.4 AES Hardware Implementations
    3.4.1 Straightforward Implementation for AES-128
    3.4.2 Loop Architecture for AES-128
    3.4.3 Pipeline Architecture for AES-128
    3.4.4 Compact Architecture for AES-128
  Further Reading

4 Cryptanalysis on Block Ciphers
  4.1 Basics of Cryptanalysis
    4.1.1 Block Ciphers
    4.1.2 Security of Block Ciphers
    4.1.3 Attack Models
    4.1.4 Complexity of Cryptanalysis
    4.1.5 Generic Attacks
    4.1.6 Goal of Shortcut Attacks (Cryptanalysis)
  4.2 Differential Cryptanalysis
    4.2.1 Basic Concept and Definition
    4.2.2 Motivation of Differential Cryptanalysis
    4.2.3 Probability of Differential Propagation
    4.2.4 Deterministic Differential Propagation in Linear Computations
    4.2.5 Probabilistic Differential Propagation in Nonlinear Computations
    4.2.6 Probability of Differential Propagation for Multiple Rounds
    4.2.7 Differential Characteristic for AES Reduced to Three Rounds
    4.2.8 Distinguishing Attack with Differential Characteristic
    4.2.9 Key Recovery Attack after Differential Characteristic
    4.2.10 Basic Differential Cryptanalysis for Four-Round AES†
    4.2.11 Advanced Differential Cryptanalysis for Four-Round AES†
    4.2.12 Preventing Differential Cryptanalysis†
  4.3 Impossible Differential Cryptanalysis
    4.3.1 Basic Concept and Definition
    4.3.2 Impossible Differential Characteristic for 3.5-round AES
    4.3.3 Key Recovery Attacks for Five-Round AES
    4.3.4 Key Recovery Attacks for Seven-Round AES†
  4.4 Integral Cryptanalysis
    4.4.1 Basic Concept
    4.4.2 Processing P through Subkey XOR
    4.4.3 Processing P through SubBytes Operation
    4.4.4 Processing P through ShiftRows Operation
    4.4.5 Processing P through MixColumns Operation
    4.4.6 Integral Property of AES Reduced to 2.5 Rounds
    4.4.7 Balanced Property
    4.4.8 Integral Property of AES Reduced to Three Rounds and Distinguishing Attack
    4.4.9 Key Recovery Attack with Integral Cryptanalysis for Five Rounds
    4.4.10 Higher-Order Integral Property†
    4.4.11 Key Recovery Attack with Integral Cryptanalysis for Six Rounds†
  Further Reading

5 Side-Channel Analysis and Fault Analysis on Block Ciphers
  5.1 Introduction
    5.1.1 Intrusion Degree of Physical Attacks
    5.1.2 Passive and Active Noninvasive Physical Attacks
    5.1.3 Cryptanalysis Compared to Side-Channel Analysis and Fault Analysis
  5.2 Basics of Side-Channel Analysis
    5.2.1 Side Channels of Digital Circuits
    5.2.2 Goal of Side-Channel Analysis
    5.2.3 General Procedures of Side-Channel Analysis
    5.2.4 Profiling versus Non-profiling Side-Channel Analysis
    5.2.5 Divide-and-Conquer Algorithm
  5.3 Side-Channel Analysis on Block Ciphers
    5.3.1 Power Consumption Measurement in Power Analysis
    5.3.2 Simple Power Analysis and Differential Power Analysis
    5.3.3 General Key Recovery Algorithm for DPA
    5.3.4 Overview of Attack Targets
    5.3.5 Single-Bit DPA Attack on AES-128 Hardware Implementations
    5.3.6 Attacks Using HW Model on AES-128 Hardware Implementations
    5.3.7 Attacks Using HD Model on AES-128 Hardware Implementations
    5.3.8 Attacks with Collision Model†
  5.4 Basics of Fault Analysis
    5.4.1 Faults Caused by Setup-Time Violations
    5.4.2 Faults Caused by Data Alternation
  5.5 Fault Analysis on Block Ciphers
    5.5.1 Differential Fault Analysis
    5.5.2 Fault Sensitivity Analysis†
  Acknowledgment
  Bibliography

6 Advanced Fault Analysis with Techniques from Cryptanalysis
  6.1 Optimized Differential Fault Analysis
    6.1.1 Relaxing Fault Model
    6.1.2 Four Classes of Faulty Byte Positions
    6.1.3 Recovering Subkey Candidates of sk10
    6.1.4 Attack Procedure
    6.1.5 Probabilistic Fault Injection
    6.1.6 Optimized DFA with the MixColumns Operation in the Last Round†
    6.1.7 Countermeasures against DFA and Motivation of Advanced DFA
  6.2 Impossible Differential Fault Analysis
    6.2.1 Fault Model
    6.2.2 Impossible DFA with Unknown Faulty Byte Positions
    6.2.3 Impossible DFA with Fixed Faulty Byte Position
  6.3 Integral Differential Fault Analysis
    6.3.1 Fault Model
    6.3.2 Integral DFA with Bit-Fault Model
    6.3.3 Integral DFA with Random Byte-Fault Model
    6.3.4 Integral DFA with Noisy Random Byte-Fault Model†
  6.4 Meet-in-the-Middle Fault Analysis
    6.4.1 Meet-in-the-Middle Attack on Block Ciphers
    6.4.2 Meet-in-the-Middle Attack for Differential Fault Analysis
  Further Reading

7 Countermeasures against Side-Channel Analysis and Fault Analysis
  7.1 Logic-Level Hiding Countermeasures
    7.1.1 Overview of Hiding Countermeasure with WDDL Technique
    7.1.2 WDDL-NAND Gate
    7.1.3 WDDL-NOR and WDDL-INV Gates
    7.1.4 Precharge Logic for WDDL Technique
    7.1.5 Intrinsic Fault Detection Mechanism of WDDL

Description:
A comprehensive evaluation of information security analysis spanning the intersection of cryptanalysis and side-channel analysis. Written by authors known within the academic cryptography community, this book presents the latest developments in current research. Unique in its combination of both algor
