VLSI Circuits for Cryptographic Authentication
Total Page:16
File Type:pdf, Size:1020Kb
Research Collection Doctoral Thesis VLSI Circuits for Cryptographic Authentication Author(s): Henzen, Luca Publication Date: 2010 Permanent Link: https://doi.org/10.3929/ethz-a-006299208 Rights / License: In Copyright - Non-Commercial Use Permitted This page was generated automatically upon download from the ETH Zurich Research Collection. For more information please consult the Terms of use. ETH Library VLSI Circuits for Cryptographic Authentication Diss. ETH No. 19351 VLSI Circuits for Cryptographic Authentication A dissertation submitted to ETH ZURICH for the degree of Doctor of Sciences presented by LUCA HENZEN Dipl. El.-Ing. ETH (MSc ETH) born March 30th, 1982 citizen of Blatten VS, Switzerland accepted on the recommendation of Prof. Dr. Wolfgang Fichtner, examiner Prof. Dr. Willi Meier, co-examiner 2010 Abstract Nowadays, digital communication protocols rely on cryptographic mech- anisms to protect sensitive information from unauthorized access and modification. Cryptographic primitives, such as hash functions, block and stream ciphers, are key components of many information security applications, employed to provide privacy, authentication, and data integrity. Following the massive differentiation of modern commu- nication technologies, cryptography must be able to provide highly- efficient algorithms that combine strong security with optimal imple- mentability. It becomes therefore unlikely that a single cipher or hash function would be able to meet all the constraints imposed by the wide plethora of communication protocols. Researchers and designers are thus asked to develop application-specific algorithms that are jointly optimized for security and implementation performance. This thesis is concerned with the design of very large scale inte- gration (VLSI) circuits for cryptographic hash functions and block cipher authenticated encryption modes. We present two hash al- gorithms that have been submitted to the public hash competition organized by the U.S. National Institute of Standards and Technology (NIST). A complete design space exploration of their efficiency for application-specific integrated circuits (ASICs) is given. Due to our strong involvement in the competition, we further developed a uniform methodology for a fair comparison of the VLSI performance of the second round candidate algorithms. Our benchmarking framework is the result of three different research projects that culminated with the fabrication of three 0.18 µm and 90 nm ASICs, hosting the second round function cores. In the second part of this thesis, we investigate high-speed field- programmable gate array (FPGA) designs of the Advanced Encryp- tion Standard (AES) in the Galois/Counter Mode (GCM) of operation v vi for authenticated encryption. A multi-core AES-GCM architecture is optimized to fully support the recently-ratified IEEE 802.3ba Ethernet standard for 40G and 100G speeds. Moreover, a complete hardware platform for real-time 2G fibre channel (FC) encryption is described. Finally, after a brief introduction into low-cost hardware imple- mentations of lightweight cryptographic algorithms, we show the first FPGA-based implementation of specific cryptanalytic attacks on the stream cipher Grain-128 and we introduce the new hash function family Quark, tailored for resource-limited applications, such as em- bedded systems and portable devices. Sommario Molteplici protocolli di comunicazione digitale fanno affidamento su meccanismi crittografici per proteggere informazioni considerate riser- vate. Componenti crittografiche primarie, quali funzioni hash, cifrari a blocco e a flusso, sono al centro di svariate applicazioni di sicurezza informatica e sono utilizzate principalmente per assicurare la riser- vatezza, l’autenticit`a,e l’integrit`adei dati. A causa dell’eterogeneit`a che caratterizza le attuali tecnologie di comunicazione, la crittografia moderna deve cos`ıfornire algoritmi altamente performanti in grado di combinare al contempo sicurezza ed efficienza. Tuttavia, `eimpro- babile che un unico cifrario o un’unica funzione hash siano capaci di soddisfare tutte le limitazioni imposte dai sistemi di comunicazione attualmente utilizzati. Ricercatori e sviluppatori sono pertanto chia- mati a sviluppare nuovi algoritmi capaci ti ottimizzare unitamente aspetti di sicurezza e implementativi. Questa tesi `eprincipalmente incentrata sulla progettazione di cir- cuiti VLSI per funzioni hash e per cifrari a blocco configurati nella modalit`adi cifratura autenticata. Due algoritmi di hash, iscritti al- la competizione internazionale organizzata dall’istituto statunitense NIST, sono presentati nella prima parte. Una completa valutazione delle loro potenzialit`aimplementative su silicio `eriportata dettaglia- tamente. Grazie al nostro coinvolgimento nella competizione, abbiamo sviluppato un sistema di comparazione uniforme delle performance VLSI degli algoritmi promossi al secondo round. La nostra metodolo- gia `eil risultato di tre progetti di ricerca, nei quali le funzioni hash del secondo round sono state fabbricate in tre circuiti ASIC. La seconda parte di questa tesi si concentra sull’implementazione per dispositivi FPGA di architetture high-speed per l’algoritmo AES nella modalit`adi operazione GCM. I circuiti sviluppati si basano su un’architettura multi-core, offrendo una completa compatibilit`acon vii viii il nuovo standard IEEE 802.3ba per traffico Ethernet fino a 100 Gbit per secondo. Nella parte finale, dopo aver introdotto il concetto di “crittogra- fia leggera” (a basso costo implementativo), presentiamo la prima applicazione in FPGA di attacchi crittanalitici sul cifrario a flusso Grain-128. L’ultima sezione `ededicata alla descrizione di una nuova famiglia di funzione hash, chiamata Quark, particolarmente appeti- bile per applicazioni a basso costo quali sistemi embedded e dispositivi portatili. Contents 1 Introduction 1 1.1 Basic Concepts . .2 1.1.1 Communications Model . .2 1.1.2 Security Goals . .2 1.2 Cryptography in Hardware . .3 1.2.1 High-Speed Encryption . .4 1.2.2 Portable Devices . .4 1.2.3 Implementation Security . .5 1.3 Contributions of this Thesis . .6 1.4 Thesis Outline . .9 2 Fundamentals 11 2.1 Notation . 12 2.2 Symmetric-Key Cryptography . 12 2.2.1 Block Ciphers . 13 2.2.2 Stream Ciphers . 16 2.3 Cryptographic Hash Functions . 18 2.4 Authentication in Public-Key Cryptography . 20 2.5 Security of Cryptographic Functions . 21 2.6 Quantum Cryptography . 22 2.6.1 Quantum Key Distribution (QKD) . 23 2.6.2 The BB84 Protocol . 23 2.6.3 Authentication in Quantum Cryptography . 25 3 Cryptographic Hash Functions 27 3.1 Iterated Hash Functions . 28 3.1.1 The Merkle-Damg˚ardConstruction . 28 3.1.2 Hardware Specifications . 30 ix x CONTENTS 3.1.3 Design Strategies . 32 3.1.4 Recent Hash Constructions . 36 3.1.5 Block Cipher-based Constructions . 38 3.2 The SHA-3 Competition . 39 3.3 The Hash Function EnRUPT . 41 3.3.1 Specification of EnRUPT . 41 3.3.2 EnRUPT Architectures . 44 3.4 The Hash Function BLAKE . 46 3.4.1 Specification of BLAKE . 47 3.4.2 High-Speed Architectures . 51 3.4.3 Silicon Implementation of a Compact BLAKE- 32 Core . 59 3.5 Development of a Hardware Evaluation Method for the SHA-3 Candidates . 68 3.5.1 Evaluation Methodology . 69 3.5.2 Implementation . 77 3.5.3 Results . 80 3.5.4 Final Remarks . 88 4 High-Speed Authenticated Encryption 91 4.1 Background . 92 4.1.1 Different Classes . 92 4.1.2 Applications . 93 4.2 The Advanced Encryption Standard . 94 4.2.1 Algorithm Specifications . 95 4.2.2 Hardware Architectures . 96 4.3 The Galois/Counter Mode . 98 4.3.1 Algorithm Specifications . 100 4.4 FPGA Parallel-Pipelined AES-GCM Core for 100G Eth- ernet Applications . 103 4.4.1 Hardware Design . 103 4.4.2 Results and Comparison . 109 4.5 2G Fibre Channel Link Encryptor . 111 4.5.1 AES-GCM Hardware Architecture . 112 4.5.2 FPGA Implementation . 113 4.5.3 Frame Encryption . 115 4.5.4 Results and Discussion . 118 CONTENTS xi 5 Lightweight Hashing 121 5.1 Lightweight Cryptography Overview . 122 5.2 Cube Testers . 124 5.2.1 Theoretical Background . 125 5.2.2 Description of Grain-128 . 126 5.2.3 Software Implementation . 128 5.2.4 Hardware Implementation . 128 5.2.5 Experimental Results . 134 5.2.6 Conclusion . 135 5.3 The Quark Hash Function . 136 5.3.1 Description of the Quark hash family . 137 5.3.2 Hardware implementation . 140 5.3.3 Discussion . 142 6 Summary and Conclusion 147 6.1 Summary . 147 6.2 Conclusion . 150 A Hardware Architectures 153 List of Acronyms 157 List of Figures 161 List of Tables 163 Bibliography 165 1 Introduction It is assumed that the science of concealing the information has been introduced with the advent of writing. The earliest form of cryptogra- phy has been discovered in Egyptian stone inscriptions, while the first most famous cryptosystem was the substitution cipher of the Roman general Julius Caesar (see [1]). During World War II, the German army deployed the mechanical rotor machine “Enigma” to encrypt and decrypt their communications. The breaking of Enigma by the British Government was the first and most appealing example of the battle between codemakers and codebreakers. However, only the com- bination of the post-Shannon understanding and the drastic increase of computational power allowed the birth of modern cryptography, which can be identified with two major contributions. In 1970, the research efforts of Horst Feistel culminated with the development of the first widely used cipher approved by the U.S. Federal Government under the name of Data Encryption Standard (DES). Six years later, Whitfield Diffie and Martin Hellman introduced a new cryptographic scheme that was able to solve the crucial issue of the key distribution. Nowadays, military and government institutions, as well as industries 1 2 CHAPTER 1. INTRODUCTION and private persons employ cryptographic schemes to exchange sensi- tive information in digital form. 1.1 Basic Concepts Cryptology is the art of communicate in secure and usually secret form. It can be divided into the science of making codes and algorithms, i.e., cryptography, and the science of breaking codes or extracting the meaning, i.e., cryptanalysis.