IJCST Vo l . 2, Iss u e 2, Ju n e 2011 ISSN : 2229-4333(Print) | ISSN : 0976-8491(Online) A Novel Disk Encompression with Tweaked Code Book (DETCB) 1Debasis Gountia, 2Anil Kumar Swain 1Department of Computer Science & Application, CET, Bhubaneshwar, India 2Department of Computer Science & Engineering, HCE, Bhubaneshwar, India
Abstract II. Disk Encryption In this paper, we present a novel Disk Encompression (i.e., Disk encryption is normally encoded all the data on the disk. The encryption with compression) with Tweaked Code Book mode whole hard disk is encrypted with a single/multiple key(s) and (DETCB). DETCB is Xor-Encrypt-Xor based Tweaked Code encryption/ decryption are done without user interference. The Book mode with CipherText Stealing. The objective is to present encryption is on the block level that means each block should be an efficient disk encryption which is faster, memory saving and is encrypted separately. better resistant to the attacks. The proposed design is characterized by its high throughput compared to the current solutions. A. Encryption with Compression and Error control
Keywords block ciphers, disk encryption, Galois Field multiplier GF (2128), tweakable block ciphers.
I. Introduction Fig. 1: Steps for Disk encryption scheme. Since its inception, data encryption has evolved within many Using a data compression algorithm together with an encryption fields especially for individual precious documents for the security algorithm makes sense for two reasons: purpose. For security of data stored on computers and other 1. Cryptanalysis relies on exploiting redundancies in the plain text; devices like USB or external hard disk, cryptography methods compressing a file before encryption reduces redundancies. have been used so far. For this reason, many researchers are trying 2. Encryption is time-consuming; compressing a file before to implement secure, fast and efficient cryptographic algorithms encryption speeds up the entire process. for disk encryption. In this work, we first compress the data on the disk and then encrypt Disk encryption is usually used to protect the data on the disk by the data. Any type of transmission encoding or error detection encrypting it. The whole disk is encrypted with a single/ multiple and recovery will be added after encryption if needed. To access key(s) and encryption/decryption are done on the fly, without user data from the disk, we have to first decrypt and then uncompress interference. The encryption is on the block level that means each the decrypted data. block should be encrypted separately. There are so many block ciphers dedicated to this task like Bear, B. Disk Encryption Constraints Lion, Beast and Mercy [4, 4, 11, 14]. Bear, Lion and Beast are The common existing disk encryption constraints are: considered to be slow, as they process the data through multiple Data size. The ciphertext length should be the same as the plaintext passes and Mercy was broken in [18]. The current available length. Here, we use the current standard size of a block (16-byte) narrow-block modes of operations are subjected to manipulation for the plaintext. attacks. A need for a new secure and fast mode of operation with Performance. The used mode of operation should be fast enough, less memory consumption has demanded. as to be transparent to the users. If the mode of operation results In this paper, we propose a new narrow-block disk encryption in a significant and noticeable slowdown of the computer, there mode of operation with compression. We decided to build the will be great user resistance to its deployment. Tweaked Code Book (TCB) mode using Xor-Encrypt-Xor (XEX) [21] to inherit from its security and high performance. This design III. Disk Encompression with Tweaked Code Book is XEX-based TCB with CipherText Stealing (CTS). This model includes a Galois Field multiplier GF (2128) that can operate in A. Goals any common field representations. This allows very efficient The goals of designing the Disk Encompression with Tweaked processing of consecutive blocks in a sector. To handle messages Code Book (DETCB) mode are: whose length is greater than 128-bit but not a multiple of 128-bit, a variant of CipherText Stealing will be used for tweaked code 1. Security book. We named this mode Disk Encompression with Tweaked The constraints for disk encryption imply that the best achievable Code Book (DETCB). This mode takes less time for encryption security is essentially what can be obtained by using ECB mode as compared to the other modes. with a different key per block [19]. This is the aim. The rest of the paper is organized as follows: Section II present Encryption with compression, and the constraints facing in 2. Complexity the disk encryption applications. Tweak calculation, efficient DETCB complexity should be at least as fast as the current multiplication, and exponential are described in section III. Section available solutions. IV describes the implementation of our proposed scheme. Section V shows the performance analysis of our narrow-block mode of 3. Parallelization operations. Finally, section VI concludes the work with presenting DETCB should offer some kind of parallelization. open problem.
232 In t e r n a t i o n a l Jo u r n a l o f Co m p u t e r Sci e n c e a n d Te c h n o l o g y www.ijcst.com ISSN : 2229-4333(Print) | ISSN : 0976-8491(Online) IJCST Vo l . 2, Iss u e 2, Ju n e 2011 Algorithm PolyMult16( a, b) { B. Terminologies p = 0; /* Product initialized to zero*/ The following terminologies are used to describe DETCB: while (b) { if (b & 1) p = p ⊕ a; /*p xor a if LSB of b is 1*/ Pi: The plaintext block i of size 128 bits. if (a127 = = 0) j: The sequential number of the 128-bit block inside the sector a << = 1; /*Left shift of bits in a by 1*/ encoded as 5-bit unsigned integer. else a = (a <<= 1) ⊕ 0x87; I : The address of block i encoded as 64-bit unsigned integer. i b >>= 1; /* Right shift of bits in multiplier by 1 */ Ti: The tweak i. 128 } α: Primitive element of GF (2 ). return p; ←: Assignment of a value to a variable. } ǁ: Concatenation operation. ⊕ PPi : Pi Ti−1
K1: Encryption key of size 128-bit used to encrypt the PPi.
K2: Tweak key of size 128-bit used to produce the tweak.
EK1: Encryption using AES algorithm with key K1. E. Efficient Modular Exponentiation
DK1: Decryption using AES algorithm with key K1. c Ci: The ciphertext block i of size 128 bits. Compute efficiency: z = x mod n ⊕: Bitwise Exclusive-OR operation. L - 1 128 : Multiplication of two polynomials in GF (2 ). Express c as follows: c = ∑ ( ci *2i ), i = 0
C. Tweak Calculation where ci = 0 or 1, value of i from 0 to (L-1) and L is number of In our proposed scheme, the mode of operation takes four inputs bits to represent c in binary. to calculate the ciphertext (4096-bit). These inputs are: The well-known Square-And-Multiply algorithm reduces the 1. The plaintext of size 4096-bit. number of modular multiplications required to compute xc mod 2. Encryption key of size 128 or 256-bit. n to at most 2L. It follows that xc mod n can be computed in time 3. Tweak key of size 128 or 256-bit. O(Lk2). Total number of modular multiplications is at least L and 4. Sector ID of size 64-bit. at most 2L. Therefore, time complexity is the order of [(log c)*k2], In this work, the term tweak is associated with any other inputs where n is a k-bit integer. to the mode of operation with the exception of the encryption key Efficient exponent in the finite field GF128 (2 ) is computed by and the plaintext. Here, the tweak T, which is equal to the product the polynomial multiplication and taking the remainder of the of encrypted block address, where the block address (after being Euclidean division by the chosen irreducible polynomial. In this 128 7 2 padded with zeros) is encrypted using AES by the tweak key, and case, the irreducible polynomial is P128(x) = x +x +x +x+1. αj, where j is the sequential number of the block inside the sector encoded as 5-bit unsigned integer and α is the primitive element of Table 2: Algorithm for computing of z = xc mod n , where x, c GF (2128), will be used as the initialization vector (IV) of CBC. and z ϵ GF (2128) The successive tweaks are again the product of encrypted block Algorithm Square&Multiply ( x, c, n){ address and αj. This is done so assuming that each track has 17 z = 1; /* z initialized to one*/ sectors and each sector has 32 blocks as per the standard disk for (i = (L - 1); i > = 0; i--) { structure. This procedure continues till end of the input file. z = (z * z) mod n;
D. Efficient Multiplication in the finite field GF (2128) if ( ci = = 1) In this work, we perform 16-byte multiplication for the encryption z = (z * x) mod n; procedure (see 4.1) and decryption procedure (see 4.2). Let a, } and b are two 16-byte operands and we consider the 16-byte return (z); output. When these blocks are interpreted as binary polynomials } of degree 127, the procedure computes p = a*b mod P, where P is a 128-degree polynomial P128(x) = x128 + x7 + x2 + x + 1.Multiplication of two elements in the finite field GF (2128) IV. Implementation of the Proposed Scheme is computed by the polynomial multiplication and taking the The design includes the description of the DETCB transform in remainder of the Euclidean division by the chosen irreducible both encryption and decryption modes, as well as how it should polynomial. In this case, the irreducible polynomial is P128(x) = be used for encryption of a sector with a length that is not an x128 + x7 + x2 + x + 1. integral number of 128-bit blocks. Table 1. Algorithm for Multiplication in GF (2128). Compute the value of p = a * b, where a, b and p ϵ GF (2128) A. Encryption of a Data Unit. The encryption procedure for a 128-bit block having index j is modeled with Equation (1):
Ci ← DETCB-Enc ( Key, Pi, Ii, j) (1)
where Key is the 256-bit AES key
Pi is a block of 128 bits (i.e., the plaintext) www.ijcst.com In t e r n a t i o n a l Jo u r n a l o f Co m p u t e r Sci e n c e a n d Te c h n o l o g y 233 IJCST Vo l . 2, Iss u e 2, Ju n e 2011 ISSN : 2229-4333(Print) | ISSN : 0976-8491(Online)
Ii is the address of 128-bit block inside data unit a) j ← i % 32
j is the logical position or index of the 128-bit b) Ci+1←DETCB-Enc (Key,Pi+1,Ii+1,j)
block inside the sector 2. r ← bit-size of Pm
Ci is the block of 128 bits of ciphertext resulting 3. if r = 0 then do from the operation a) j ← (m-2) % 32
b) Cm-1←DETCB-Enc (Key,Pm-1,Im-1,j)
The key is parsed as a concatenation of two fields of equal size c) Cm ← empty called Key1 and Key2 such that: 4. else do a) j ← (m-2) % 32
Key = Key1 || Key2 b) Cm-1 ← DETCB-Enc (Key,Pm-1,Im-1,j)
c) Cm ← first leftmost r bits of CCm-1 The plaintext data unit is partitioned into m blocks, as follows: d) C’ ← last rightmost (128-r) bits of
CCm-1
P = P1 || … || Pm-1 || Pm e) PPm-1 ← Pm || C’ f) j ← (m-1) % 32 where m is the largest integer such that 128(m-1) is no more than g) Cm-1 ← DETCB-Enc (Key,PPm-1,Im,j) the bit-size of P, the first (m -1) blocks 1P ,…, Pm-1 are each exactly 5. C ← C1 ||…. || Cm-1 || Cm 128 bits long, and the last block Pm is between 0 and 127 bits long ( Pm could be empty, i.e., 0 bits long ). An illustration of encrypting the last two blocks Pm−1Pm in the case that Pm is a partial block ( r > 0) is provided in Fig. 3.
The ciphertext Ci for the block having index j shall then be computed by the following or an equivalent sequence of steps (see Fig. 2):
Fig. 3: DETCB encryption of last two blocks when last block is 1 to 127 bits
B. Decryption of a Data Unit. The decryption procedure for a 128-bit block having index j is modeled with Equation (2):
Pi ← DETCB-Dec ( Key, Ci, Ii, j) (2)
where Key is the 256-bit AES key
Ci the 128-bit block of ciphertext
Fig. 2: Encryption of a single block using DETCB. Ii is the address of the 128-bit block inside the data unit Algorithm DETCB-Enc (Key, Pi, Ii, j) j is the logical position or index of the 128-bit block inside the sector j 1. T i-1 ← AES-enc ( Key2, Ii ) α Pi is the block of 128-bit of plaintext resulting ⊕ 2. PPi ← P i Ti-1 from the operation
3. CCi ← AES-enc ( Key1, PPi) ⊕ 4. Ci ← CCi Ti-1 The key is parsed as a concatenation of two fields of equal size
AES-enc(K, P) is the procedure of encrypting plaintext P using AES called Key1 and Key2 such that: algorithm with key K, according to FIPS-197.The multiplication 128 and computation of power in step (1) is executed in GF (2 ), Key = Key1 || Key2 where α is the primitive element defined in III (see D & E). The ciphertext is first partitioned into m blocks, as follows: The cipher text C is then computed by the following or an equivalent sequence of steps: C = C1 || … || Cm-1 || Cm
Algorithm DETCB-Encrypt (Key, P, I ) where m is the largest integer such that 128(m-1) is no more than
the bit-size of C, the first (m-1) blocks C1,…,Cm-1 are each exactly 1. for i ← 0 to m-3 do 128 bits long, and the last block Cm is between 0 and 127 bits
234 In t e r n a t i o n a l Jo u r n a l o f Co m p u t e r Sci e n c e a n d Te c h n o l o g y www.ijcst.com ISSN : 2229-4333(Print) | ISSN : 0976-8491(Online) IJCST Vo l . 2, Iss u e 2, Ju n e 2011
long (Cm could be empty, i.e., 0 bits long ). g) Pm-1←DETCB-Dec(Key,CCm-1,Im-1, j)
5. P ← P1 ||…. || Pm-1 || Pm
The plaintext Pi for the block having index j shall then be computed by the following or an equivalent sequence of steps (see Fig. An illustration of encrypting the last two blocks Cm−1Cm in the
4): case that Cm is a partial block ( r > 0) is provided in Fig. 5.
Fig. 5: DETCB decryption of last two blocks when last block is 1 to 127 bits.
V. Performance Analysis
Security Each block is encrypted with a different tweak T, which is the result of a non-linear function (multiplication) of encrypted file address and αj; due to this step the value of the tweak is neither known nor controlled by the attacker. By introducing the tweak, the attacker can not perform the mix-and-match attack [19] among Fig. 4: Decryption of a single ciphertext block using DETCB. blocks of different sectors, as each block has a unique secret tweak. Any difference between two tweaks result full diffusion
Algorithm DETCB-Dec (Key, Ci, Ii, j) in both the encryption and decryption directions. These enhance the security. j 1. Ti-1 ← AES-enc ( Key2, Ii ) α Here we also give option for the value of α to the user; it reduces ⊕ 2. CCi ← Ci Ti-1 the probability of getting plaintext from ciphertext. This is so
3. PPi ← AES-dec( Key1, CCi) because same plaintext produces different ciphertext if we choose ⊕ 4. Pi ← PPi T i-1 different value for α. This also increases confusion. DETCB transform is secured up to the use of a single cryptographic AES-dec (K,C) is the procedure of decrypting ciphertext C key for less than a few hundred terabytes of data. The limitation using AES algorithm with key K, according to FIPS-197. The on the size of data encrypted with a single key is not unique multiplication and computation of power in step (1) is executed to this standard. It comes directly from the fact that AES has a in GF (2128), where α is the primitive element defined in III (see block size of 128 bits and is not mitigated by using AES with a D & E). 256-bit key.
The plaintext P is then computed by the following or an equivalent Complexity sequence of steps: DETCB possesses high performance as it uses only simple and fast operations as standard simple shift and add (xor) operators are Algorithm DETCB-Decrypt (Key, C, I ) used in the multiplication in the finite field GF 128(2 ) having O(1) time complexity. Compression before encryption also enhances 1. for i ← 0 to m-3 do the speed and hence performance. a) j ← i % 32 b) Pi+1 ← DETCB-Dec(Key, Ci+1, Ii+1, j ) Parallelization
2. r ← bit-size of Cm DETCB can be parallelized on the block level as each block 3. if r = 0 then do is encrypted independently to other blocks. Also a plaintext a) j ← (m-2) % 32 can be recovered from the respective block of ciphertext. As a b) Pm-1 ← DETCB-Dec (Key,Cm-1,Im-1, j) consequence, decryption can be parallelized. c) Pm ← empty 4. else do DETCB meets all its design goals. a) j ← (m-1) % 32 b) PPm-1←DETCB-Dec(Key,Cm-1, Im, j) VI. Conclusions and Open Problem c) Pm ←first leftmost r bits of PPm-1 In this paper, we present a new mode of operation for disk d) C’ ← last rightmost (128-r) bits of encryption applications. The proposed scheme possesses a high
PPm-1 throughput. Although, it is designed based on the ECB mode, e) CCm-1← Cm || C’ it can be parallelized and does not suffer from the bit flipping f) j ← (m-2) % 32 attack. This mode also utilizes less memory space as the input www.ijcst.com In t e r n a t i o n a l Jo u r n a l o f Co m p u t e r Sci e n c e a n d Te c h n o l o g y 235 IJCST Vo l . 2, Iss u e 2, Ju n e 2011 ISSN : 2229-4333(Print) | ISSN : 0976-8491(Online) file is first compressed and then it is encrypted. This DETCB : http://eprint.iacr.org/2008/004.pdf encryption scheme is light weight and it is very useful where [18] S. Fluhrer, "Cryptanalysis of the Mercy block Cipher". In: time factor is so important as it takes less time as compared to Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, p. 28. Springer, DETBC [13]. There still remain many open problems in the search Heidelberg (2002) for efficient and secure disk encryption. There is a lack of good [19] I. P1619. "IEEE standard for cryptographic protection of Boolean functions for the tweak generator which are efficient and data on block oriented storage devices". IEEE Std. 1619- also resist the cryptanalytic attacks, in particular algebraic and 2007, April 2008. [Online] Available : http://axelkenzo.ru/ fast algebraic attacks. downloads/1619-2007-NIST-Submission.pdf [20] P. Rogaway. "Efficient Instantiations of Tweakable Block References ciphers and Refinements to Modes OCB and PMAC". In Pil [1] Bruice Schneier, "Applied Cryptography", Wiley Press, Joong Lee, editor, Advances in Cryptology -ASIACRYPT Second Edition. ’04, volume 3329 of LNCS, pages 16-31, 2004. [2] Douglas R. Stinson, "Cryptography Theory and Practice", [21] "Disk encryption theory". [Online] Available : http:// CRC Press, Second Edition. en.wikipedia.org/wiki/Disk_encryption_theory [3] Mark Nelson, Jean-Loup Gailly, "The Data Compression [22] "Latest SISWG and IEEE P1619 drafts for Tweakable Book", M&T Press, Second Edition. Narrow-block Encryption". [Online] Availalbe : http:// [4] Anderson, R., Biham, E., "Two practical and provable secure grouper.ieee.org/groups/1619/email/pd f00017.pdf block ciphers: BEAR and LION". In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 113-120. Springer, Heidelberg (1996) Debasis Gountia received the Bachelor of [5] S. Halevi, P. Rogaway, "A tweakable enciphering mode", in Computer Science and Engineering degree Lecture Notes in Computer Science, D. Boneh, Ed. Berlin, from University College of Engineering, Germany: Springer-Verlag, 2003, vol. 2729, pp. 482-499. Burla, India. He received the Master of [6] A. Menezes, P. V. Oorschot., S. Vanstone. "Handbook of Technology degree in Computer Science Applied Cryptography". CRC Press, 1996. and Engineering from the Indian Institute [7] D. McGrew. "Counter Mode Security: Analysis and of Technology, Kharagpur, India. Since Recommendations". [Online] Available : http://citeseer.ist. January 2006, he has been a Faculty with psu.edu/mcgrew02counter. html, 2002. the College of Engineering & Technology, [8] P. Rogaway, M. Bellare, J. Black. "OCB: A blockcipher mode Bhubaneshwar, India. He is having around 08 years of teaching and of operation for efficient authenticated encryption". ACM research experience. His research interests include cryptography, Trans. Inf. Syst. Secur., 6(3):365-403, 2003. data structures, formal language and automata theory, operating [9] R. Schroeppel. "The Hasty Pudding Cipher". The first AES system, and distributed systems. conference, NIST, 1998. [Online] Available : http://www. cs.arizona.edu/~rcs/hpc Anil Kumar Swain has completed his [10] M. Liskov, R. L. Rivest, D.Wagner, "Tweakable block bachelors’ (B.E) from VSSUT (formerly ciphers", in Lecture Notes in Computer Science, M. Yung, UCE, Burla), India, in the department Ed. Berlin, Germany: Springer-Verlag, 2002, vol.2442, pp. of Computer Science and Engineering. 31-46. He received his Masters’ (M.Tech) in [11] S. Lucks, "BEAST: A fast block cipher for arbitrary block Computer Science and Engineering from sizes". In: Horster, P. (ed.) Communications and Multimedia Indian Institute of Technology, Bombay, Security II, Proceedings of the IFIP TC6/TC11 International India. He has a teaching experience of more Conference on Communications and multimedia Security than 5 years. Presently, he is working as (1996) an Asst. Professor & Head of Computer Science & Engineering [12] C. Fruhwirth, "New Methods in Hard Disk Encryption". Department of Hi-Tech College of Engineering, Bhubaneshwar, [Online] Available : http://clemens.endorphin.org/nmihde/ India. His research interests include analysis & design of algorithm, nmihde-A4-ds.pdf, 2005. computer networks, cryptography, e-learning, formal language and [13] D. Gountia, D. Roy Chowdhury, "A New Narrow-Block automata theory, and data structure. Mode of Operation for Disk Encompression with Tweaked Block Chaining". [Online] Available : http://www.ijcset. excelingtech.co.uk/vol2Issue1/10-vol2issue1.pdf [14] P. Crowley. Mercy, "A fast large block cipher for disk sector encryption". In Bruce Schneier, editor, Fast Software Encryption: 7th International Workshop, FSE 2000, 2001. [15] Mitsuru Matsui. "The first experimental cryptanalysis of the data encryption standard". In Y. Desmedt, editor, Advances in Cryptology-CRYPTO 1994, number 839 in Lecture Notes in Computer Science, pages 1-11. Springer-Verlag, 1994. [16] M. Abo El-Fotouh, K. Diepold, "Extended Substitution Cipher Chaining Mode". http://eprint.iacr.org/2009/182. pdf [17] P. Sarkar, "Efficient Tweakable Enciphering Schemes From (Block-Wise) Universal Hash Functions". [Online] Available
236 In t e r n a t i o n a l Jo u r n a l o f Co m p u t e r Sci e n c e a n d Te c h n o l o g y www.ijcst.com