DOCSLIB.ORG

Design and Implementation of Unified Hardware for 128-Bit Block Ciphers ARIA and AES

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Design and Implementation of Unified Hardware for 128-Bit Block Ciphers ARIA and AES Design and Implementation of Unified Hardware for 128-Bit Block Ciphers ARIA and AES Bonseok Koo, Gwonho Ryu, Taejoo Chang, and Sangjin Lee ABSTRACT⎯ARIA and the Advanced Encryption Standard AES, and we measure its performance using a 0.25 μm CMOS (AES) are next generation standard block cipher algorithms of standard cell library. Our processor is very suitable to implement Korea and the US, respectively. This letter presents an area- low-cost and area-constrained cryptographic modules that efficient unified hardware architecture of ARIA and AES. Both should support both algorithms. Note also that the Public Key algorithms have 128-bit substitution permutation network (SPN) structures, and their substitution and permutation layers Cryptography Standard (PKCS) #11 has recently begun to could be efficiently merged. Therefore, we propose a 128-bit support the mechanisms of ARIA as well as those of AES [3]. processor architecture with resource sharing, which is capable of processing ARIA and AES. This is the first architecture which supports both algorithms. Furthermore, it requires only II. Unified Substitution Layer 19,056 logic gates and encrypts data at 720 Mbps and 1,047 Mbps for ARIA and AES, respectively. The substitution layer of ARIA consists of two kinds of S-boxes, S1, S2, and their inverses. The S-box S1 is composed of Keywords⎯ARIA, AES, hardware architecture, resource multiplicative inversion over GF(28) and affine transformation, sharing. 247 while S2 is a combination of x and affine transformation. Both S-boxes are defined over the GF(28) with the irreducible I. Introduction polynomial m(x)=x8 +x4+x3+x+1, which is the same as that of 247 AES. Also, S1 is identical to the S-box of AES. The term x in The Advanced Encryption Standard (AES) is a block cipher -8 8 -1 which was adopted as an encryption standard by the US S2 is equivalent to x in GF(2 ) and can be represented as C· x government in November 2001 [1]. In Korea, ARIA was with an 8×8 binary matrix C. Consequently, the two S-boxes announced as a standard block cipher algorithm in December can be rearranged with multiplicative inverse as (1) and (2). 2004 [2]. The algorithm structures of ARIA and AES are Here, A, B, and C are 8×8 binary matrices, and a and b are 8×1 analogous. Both algorithms are 128-bit block ciphers with binary vectors: substitution permutation network (SPN) structures. Also, ARIA −1 Sx1 ()=⋅ Ax ⊕ a , uses two kinds of S-boxes, one of which is the same as the S-box Sx−1 ()=⋅⊕⋅ ( AxAa−111−− ) , (1) of AES. However, the permutation layer of ARIA uses a 16×16 1 involutional binary matrix, whereas AES uses two kinds of 4×4 247−− 8 1 Sx2 ()= Bx⋅⊕=⋅⊕=⋅⊕ b Bx b BCx b , matrices which involve multiplication over GF(28). Sx−1 ()=⋅⊕⋅ (( BCxBCb )−−−111 ( ) ) . (2) In this letter, using resource sharing techniques, we propose an 2 efficient unified hardware architecture incorporating ARIA and Therefore, we designed two kinds of shared S-boxes, SA, SU, which share a multiplicative inverter and merging affine Manuscript received Apr. 17, 2007; revised Sept. 3, 2007. -1 transformations, as depicted in Fig. 1. Here, SA executes S1 or S1 , Bonseok Koo (phone: + 82 42 870 2218, email: [email protected]), Gwonho Ryu (email: -1 -1 [email protected]), and Taejoo Chang (email: [email protected]) are with the Network & and SU selectively executes S1, S1 , S2 , or S2 . Also, δA and δU are 8 2 2 2 Communication Security Division, The Attached Institute of ETRI, Daejeon, Rep. of Korea. isomorphism functions from GF(2 ) to GF(((2 ) ) ), and AF1 and Sangjin Lee (email: [email protected]) is with the Center for Information Security Technologies, Korea University, Seoul, Rep. of Korea. AF2 denote the affine transformations of S1 and S2, respectively. 820 Bonseok Koo et al. ETRI Journal, Volume 29, Number 6, December 2007 and can be written as a 4×4 matrix multiplication [1]. Also, SA InvMixColumns can be arranged in a form which includes a -1 δA x-1 over δA • AF1 MixColumns matrix; thus, these two functions can be 2 2 2 -1 2:1 GF(((2 ) ) ) -1 2:1 AF1 • δA δA efficiently implemented with resource sharing [4]. On the other hand, the permutation function of ARIA called a diffusion matrix uses a 16×16 involutional binary matrix [2]. SU -1 δU δU • AF1 -1 As each row of the matrix has 7 elements of 1, it requires 768 -1 x over -1 AF1 • δU 2 2 2 δU • AF2 3:1 GF(((2 ) ) ) 3:1 (that is, 6×16×8) 2-input XOR gates to implement the diffusion -1 -1 AF2 • δU δU matrix in a general way. In order to efficiently design a merged permutation circuit, Fig. 1. Structures of the shared S-boxes SA and SU. we examine common 2-input XOR terms among these three matrices. For a 16-byte input (x0, x1,···, x14, x15), we find 1-byte sharing common terms αi and βj as Table 1. Performance of the shared S-boxes S and S . A U α = xx⊕ , i = 0,1, 2, ,15, ii4⎣⎦⎢⎥ii / 4 +(+ 1 mod 4) L Shared S-box (functions) Gate counts Delay (ns) (3) β jjj=⊕xx2−+− ( mod 2) 2( jj 1) ( mod 2) , j = 0,1, 2,L , 7. -1 SA (S1, S1 ) 273 6.17 -1 -1 Then, using common terms αi and βj, each 16-byte output of SU (S1, S1 , S2, S2 ) 373 6.63 MixColumns, (u0, u1,···, u14, u15) and of InvMixColumns, (v0, v1,···, v14, v15) can be rearranged as uxkk=⊕2,αα4⎢⎥kk / 4 +(++ 2 mod 4) ⊕ 4 ⎢⎥ kk / 4 +( 1 mod 4) ARIA ⎣⎦ ⎣⎦ (4) Unified substitution layer 8 8 8 8 8 8 8 8 vukk=⊕12ββ2⎢⎥kk / 4+++ ( mod 2) ⊕ 8 2 ⎢⎥ kk / 4 ( 1 mod 2) , S S S -1 S -1 S -1 S -1 S S ⎣⎦ ⎣⎦ 32 32 32 32 1 2 1 2 1 2 1 2 8 8 8 8 8 8 8 8 where k=0,···,15. UT UT UT UT AES Also, the 16-byte output (w0, w1,···, w14, w15) of the diffusion 8 8 8 8 8 8 8 8 32 32 32 32 -1 -1 -1 -1 S1 S1 S1 S1 S1 S1 S1 S1 matrix of ARIA can be arranged with the common terms as 8 8 8 8 8 8 8 8 follows: wx= ⊕⊕⊕β αα,, wx =⊕⊕⊕ βαα Fig. 2. Structure of the unified substitution layer. 0 3 2 8 13 1 2 3 8 15 wx2=⊕ 1β 2 ⊕αα 10 ⊕ 15,, wx 3 =⊕ 0 βαα 3 ⊕ 10 ⊕ 13 2 2 2 For a compact area, we use the composite field GF(((2 ) ) ) wx4501114541914=⊕⊕βα ⊕ α,, wx =⊕⊕⊕ βαα inverter and also combine the isomorphism functions and wx67=⊕⊕⊕β 0αα 9 1276,, wx =⊕⊕ βα 11112 ⊕ α -1 affine transformations as AF1 · δA. The performance of the wx810707= ⊕⊕⊕β αα,, wx 911605 = ⊕⊕⊕ βαα S-boxes is shown in Table 1, where a 0.25 μm CMOS standard wx10=⊕⊕⊕ 8β 7αα 2 5,, wx 11 =⊕⊕⊕ 9 βαα 6 2 7 cell library is used, and one-gate is equivalent to a 2-input w12 = xwx12516⊕⊕⊕β αα,, 1313436 = ⊕⊕⊕ βαα NAND gate. Although S supports four functions of S-boxes, it U wx=⊕⊕⊕β αα,. wx =⊕⊕⊕ βαα (5) uses only 373 gates and has a 6.63 ns delay. It is 37% larger 14 14 5 3 4 15 15 4 1 4 and shows a 7% delay as compared to SA. Because each wk contains three common terms, one βj and Using the shared S-boxes SA and SU, we designed a unified two different αi’s as in (5), we can save 384 (that is, 3×16×8) transformation (UT), which is equal to (SA, SU, SA, SU), and 2-input XOR gates. Table 2 shows the hardware size and delay finally propose the 128-bit unified substitution layer which time of permutation functions by sharing common terms. consists of four UTs, as depicted in Fig. 2. By switching the When ARIA diffusion is also implemented, there is about a selection signals of the multiplexers shown in Fig. 1, UT can 49% increase in size from AES functions and no degradation in -1 -1 -1 -1 operate as (S1, S2, S1 , S2 ) or (S1 , S2 , S1, S2) for ARIA and as delay, because vk makes the critical path. -1 four units of S1 or S1 for AES. Table 2. Performance of 16-byte permutation functions. III. Merging Permutation Functions Permutation functions no. of XORs Delay (ns) AES uses two permutation functions, MixColumns and MixCol.+InvMixCol. 780 1.64 InvMixColumns in encryption and decryption, respectively. MixCol.+InvMixCol.+ARIA Diff. 1,164 1.64 8 Each function involves addition and multiplication over GF(2 ) ETRI Journal, Volume 29, Number 6, December 2007 Bonseok Koo et al. 821 Round function Key scheduler Table 3. Comparison of performance with previous results. AES key scheduler Input data 32 128 Rcon[i] 128 Throughput S1 S1 S1 S1 Designs (μm) Gate counts Functions Clock cycles 4:1 (Mbps) Output 32 32 32 32 << data 128 Our proposed ARIA 16 720 Data register 19,056 128 (0.25) AES (e/d) 11/21 1,047/548 128 32 32 32 32 128 2:1 128 Our ARIA 32 32 32 32 15,496 ARIA 16 816 128 Input key (0.25) 128 128 128 2:1 [4] Key registers 12,454 AES 11 1,691 128 UT UT UT UT 128 128 128 (0.18) W0 W1 W2 W3 [5] Camellia 22 661 ShiftRows 128 128 128 128 128 14,918 128 128 (0.18) AES 31 469 2:1 4:1 4:1 128 128 128 >>19>>31<<61<<31 2:1 2:1 128 5:1 the smallest AES processor [4] with 128-bit unit architecture.
Load more

Recommended publications
  • Authentication Key Recovery on Galois/Counter Mode (GCM)
    Authentication Key Recovery on Galois/Counter Mode (GCM) John Mattsson and Magnus Westerlund Ericsson Research, Stockholm, Sweden {firstname.lastname}@ericsson.com Abstract. GCM is used in a vast amount of security protocols and is quickly becoming the de facto mode of operation for block ciphers due to its exceptional performance. In this paper we analyze the NIST stan- dardized version (SP 800-38D) of GCM, and in particular the use of short tag lengths. We show that feedback of successful or unsuccessful forgery attempts is almost always possible, contradicting the NIST assumptions for short tags. We also provide a complexity estimation of Ferguson’s authentication key recovery method on short tags, and suggest several novel improvements to Fergusons’s attacks that significantly reduce the security level for short tags. We show that for many truncated tag sizes; the security levels are far below, not only the current NIST requirement of 112-bit security, but also the old NIST requirement of 80-bit security. We therefore strongly recommend NIST to revise SP 800-38D. Keywords. Secret-key Cryptography, Message Authentication Codes, Block Ciphers, Cryptanalysis, Galois/Counter Mode, GCM, Authentica- tion Key Recovery, AES-GCM, Suite B, IPsec, ESP, SRTP, Re-forgery. 1 Introduction Galois/Counter Mode (GCM) [1] is quickly becoming the de facto mode of op- eration for block ciphers. GCM is included in the NSA Suite B set of cryp- tographic algorithms [2], and AES-GCM is the benchmark algorithm for the AEAD competition CAESAR [3]. Together with Galois Message Authentication Code (GMAC), GCM is used in a vast amount of security protocols: – Many protocols such as IPsec [4], TLS [5], SSH [6], JOSE [7], 802.1AE (MAC- sec) [8], 802.11ad (WiGig) [9], 802.11ac (Wi-Fi) [10], P1619.1 (data storage) [11], Fibre Channel [12], and SRTP [13, 14]1 only allow 128-bit tags.
    [Show full text]
  • Impossible Differential Cryptanalysis of Reduced Round Hight
    1 IMPOSSIBLE DIFFERENTIAL CRYPTANALYSIS OF REDUCED ROUND HIGHT A THESIS SUBMITTED TO THE GRADUATE SCHOOL OF APPLIED MATHEMATICS OF MIDDLE EAST TECHNICAL UNIVERSITY BY CIHANG˙ IR˙ TEZCAN IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF MASTER OF SCIENCE IN CRYPTOGRAPHY JUNE 2009 Approval of the thesis: IMPOSSIBLE DIFFERENTIAL CRYPTANALYSIS OF REDUCED ROUND HIGHT submitted by CIHANG˙ IR˙ TEZCAN in partial fulfillment of the requirements for the degree of Master of Science in Department of Cryptography, Middle East Technical University by, Prof. Dr. Ersan Akyıldız Director, Graduate School of Applied Mathematics Prof. Dr. Ferruh Ozbudak¨ Head of Department, Cryptography Assoc. Prof. Dr. Ali Doganaksoy˘ Supervisor, Mathematics Examining Committee Members: Prof. Dr. Ersan Akyıldız METU, Institute of Applied Mathematics Assoc. Prof. Ali Doganaksoy˘ METU, Department of Mathematics Dr. Muhiddin Uguz˘ METU, Department of Mathematics Dr. Meltem Sonmez¨ Turan Dr. Nurdan Saran C¸ankaya University, Department of Computer Engineering Date: I hereby declare that all information in this document has been obtained and presented in accordance with academic rules and ethical conduct. I also declare that, as required by these rules and conduct, I have fully cited and referenced all material and results that are not original to this work. Name, Last Name: CIHANG˙ IR˙ TEZCAN Signature : iii ABSTRACT IMPOSSIBLE DIFFERENTIAL CRYPTANALYSIS OF REDUCED ROUND HIGHT Tezcan, Cihangir M.Sc., Department of Cryptography Supervisor : Assoc. Prof. Dr. Ali Doganaksoy˘ June 2009, 49 pages Design and analysis of lightweight block ciphers have become more popular due to the fact that the future use of block ciphers in ubiquitous devices is generally assumed to be extensive.
    [Show full text]
  • Security Enhancement in Cloud Storage Using ARIA and Elgamal Algorithms
    International Journal of Computer Applications (0975 – 8887) Volume 171 – No. 9, August 2017 Security Enhancement in Cloud Storage using ARIA and Elgamal Algorithms Navdeep Kaur Heena Wadhwa Research Scholar Assistant Professor Department of IT Department of CSE CEC Landran, Mohali, Punjab CEC Landran, Mohali, Punjab ABSTRACT Cloud Computing examination [3]. The cloud does appear Cloud Computing is not an improvement, excluding an resolve some ancient issues with the still growing costs of income towards constructs information technology services apply, preserve, & supporting an IT communications that is that utilize superior computational authority & better storage rarely utilized everywhere near its ability in the single-owner space utilization. The major centre of Cloud Computing starts atmosphere. There is a chance to amplify competence & when the supplier vision as irrelevant hardware associated to reduce expenses in the IT section of the commerce & sustain down-time on some appliance in the system. It is not a decision-makers are commencement to pay concentration. modification in the user viewpoint. As well, the user software Vendors who can supply a protected, high-availability, picture should be simply convertible as of one confuse to a scalable communications to the loads may be poised to be new. Though cloud computing is embattled to offer better successful in receiving association to accept their cloud operation of possessions using virtualization method and to services[20]. receive up a great deal of the job load from the customer and Due to the current development in computer network provides safety also. Cloud Computing is a rising technology technology, giving out of digital multimedia pleased through with joint property and lower cost that relies on pay per use the internet is massive.
    [Show full text]
  • ARIA-CTR Encryption for Low-End Embedded Processors
    sensors Article ACE: ARIA-CTR Encryption for Low-End Embedded Processors Hwajeong Seo * , Hyeokdong Kwon, Hyunji Kim and Jaehoon Park Division of IT Convergence Engineering, Hansung University, Seoul, 02876, Korea; [email protected] (H.K.); [email protected] (H.K.); [email protected] (J.P.) * Correspondence: [email protected]; Tel.:+82-2-760-8033 Received: 21 June 2020; Accepted: 4 July 2020; Published: 6 July 2020 Abstract: In this paper, we present the first optimized implementation of ARIA block cipher on low-end 8-bit Alf and Vegard’s RISC processor (AVR) microcontrollers. To achieve high-speed implementation, primitive operations, including rotation operation, a substitute layer, and a diffusion layer, are carefully optimized for the target low-end embedded processor. The proposed ARIA implementation supports the electronic codebook (ECB) and the counter (CTR) modes of operation. In particular, the CTR mode of operation is further optimized with the pre-computed table of two add-round-key, one substitute layer, and one diffusion layer operations. Finally, the proposed ARIA-CTR implementations on 8-bit AVR microcontrollers achieved 187.1, 216.8, and 246.6 clock cycles per byte for 128-bit, 192-bit, and 256-bit security levels, respectively. Compared with previous reference implementations, the execution timing is improved by 69.8%, 69.6%, and 69.5% for 128-bit, 192-bit, and 256-bit security levels, respectively. Keywords: ARIA; electronic codebook mode of operation; counter mode of operation; software implementation; embedded processors 1. Introduction Data encryption is a fundamental technology for secure network communication in the Internet of Things (IoT).
    [Show full text]
  • Cryptanalysis of Selected Block Ciphers
    Downloaded from orbit.dtu.dk on: Sep 24, 2021 Cryptanalysis of Selected Block Ciphers Alkhzaimi, Hoda A. Publication date: 2016 Document Version Publisher's PDF, also known as Version of record Link back to DTU Orbit Citation (APA): Alkhzaimi, H. A. (2016). Cryptanalysis of Selected Block Ciphers. Technical University of Denmark. DTU Compute PHD-2015 No. 360 General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. Users may download and print one copy of any publication from the public portal for the purpose of private study or research. You may not further distribute the material or use it for any profit-making activity or commercial gain You may freely distribute the URL identifying the publication in the public portal If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim. Cryptanalysis of Selected Block Ciphers Dissertation Submitted in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy at the Department of Mathematics and Computer Science-COMPUTE in The Technical University of Denmark by Hoda A.Alkhzaimi December 2014 To my Sanctuary in life Bladi, Baba Zayed and My family with love Title of Thesis Cryptanalysis of Selected Block Ciphers PhD Project Supervisor Professor Lars R. Knudsen(DTU Compute, Denmark) PhD Student Hoda A.Alkhzaimi Assessment Committee Associate Professor Christian Rechberger (DTU Compute, Denmark) Professor Thomas Johansson (Lund University, Sweden) Professor Bart Preneel (Katholieke Universiteit Leuven, Belgium) Abstract The focus of this dissertation is to present cryptanalytic results on selected block ci- phers.
    [Show full text]
  • Encryption Block Cipher
    10/29/2007 Encryption Encryption Block Cipher Dr.Talal Alkharobi 2 Block Cipher A symmetric key cipher which operates on fixed-length groups of bits, termed blocks, with an unvarying transformation. When encrypting, a block cipher take n-bit block of plaintext as input, and output a corresponding n-bit block of ciphertext. The exact transformation is controlled using a secret key. Decryption is similar: the decryption algorithm takes n-bit block of ciphertext together with the secret key, and yields the original n-bit block of plaintext. Mode of operation is used to encrypt messages longer than the block size. 1 Dr.Talal Alkharobi 10/29/2007 Encryption 3 Encryption 4 Decryption 2 Dr.Talal Alkharobi 10/29/2007 Encryption 5 Block Cipher Consists of two algorithms, encryption, E, and decryption, D. Both require two inputs: n-bits block of data and key of size k bits, The output is an n-bit block. Decryption is the inverse function of encryption: D(E(B,K),K) = B For each key K, E is a permutation over the set of input blocks. n Each key K selects one permutation from the possible set of 2 !. 6 Block Cipher The block size, n, is typically 64 or 128 bits, although some ciphers have a variable block size. 64 bits was the most common length until the mid-1990s, when new designs began to switch to 128-bit. Padding scheme is used to allow plaintexts of arbitrary lengths to be encrypted. Typical key sizes (k) include 40, 56, 64, 80, 128, 192 and 256 bits.
    [Show full text]
  • Cryptanalysis of Block Ciphers
    Cryptanalysis of Block Ciphers Jiqiang Lu Technical Report RHUL–MA–2008–19 30 July 2008 Royal Holloway University of London Department of Mathematics Royal Holloway, University of London Egham, Surrey TW20 0EX, England http://www.rhul.ac.uk/mathematics/techreports CRYPTANALYSIS OF BLOCK CIPHERS JIQIANG LU Thesis submitted to the University of London for the degree of Doctor of Philosophy Information Security Group Department of Mathematics Royal Holloway, University of London 2008 Declaration These doctoral studies were conducted under the supervision of Prof. Chris Mitchell. The work presented in this thesis is the result of original research carried out by myself, in collaboration with others, whilst enrolled in the Information Security Group of Royal Holloway, University of London as a candidate for the degree of Doctor of Philosophy. This work has not been submitted for any other degree or award in any other university or educational establishment. Jiqiang Lu July 2008 2 Acknowledgements First of all, I thank my supervisor Prof. Chris Mitchell for suggesting block cipher cryptanalysis as my research topic when I began my Ph.D. studies in September 2005. I had never done research in this challenging ¯eld before, but I soon found it to be really interesting. Every time I ¯nished a manuscript, Chris would give me detailed comments on it, both editorial and technical, which not only bene¯tted my research, but also improved my written English. Chris' comments are fantastic, and it is straightforward to follow them to make revisions. I thank my advisor Dr. Alex Dent for his constructive suggestions, although we work in very di®erent ¯elds.
    [Show full text]
  • S-Box Construction Based on Linear Fractional Transformation and Permutation Function
    S S symmetry Article S-box Construction Based on Linear Fractional Transformation and Permutation Function Liyana Chew Nizam Chew 1,2,* and Eddie Shahril Ismail 1 1 Department of Mathematical Sciences, Faculty of Science and Technology, Universiti Kebangsaan Malaysia, Bangi 43600 UKM, Selangor, Malaysia; [email protected] 2 Cryptography Development Department, CyberSecurity Malaysia, Cyberjaya 63000, Selangor, Malaysia * Correspondence: [email protected] Received: 7 April 2020; Accepted: 7 May 2020; Published: 17 May 2020 Abstract: Substitution boxes (S-box) with strong and secure cryptographic properties are widely used for providing the key property of nonlinearity in block ciphers. This is critical to be resistant to a standard attack including linear and differential cryptanalysis. The ability to create a cryptographically strong S-box depends on its construction technique. This work aims to design and develop a cryptographically strong 8 8 S-box for block ciphers. In this work, the construction of the S-box × is based on the linear fractional transformation and permutation function. Three steps involved in producing the S-box. In step one, an irreducible polynomial of degree eight is chosen, and all roots of the primitive irreducible polynomial are calculated. In step two, algebraic properties of linear fractional transformation are applied in Galois Field GF (28). Finally, the produced matrix is permuted to add randomness to the S-box. The strength of the S-box is measured by calculating its potency to create confusion. To analyze the security properties of the S-box, some well-known and commonly used algebraic attacks are used. The proposed S-box is analyzed by nonlinearity test, algebraic degree, differential uniformity, and strict avalanche criterion which are the avalanche effect test, completeness test, and strong S-box test.
    [Show full text]
  • Multidimensional Differential-Linear Cryptanalysis of ARIA Block Cipher
    Multidimensional Differential-Linear Cryptanalysis of ARIA Block Cipher Wentan Yi, Jiongjiong Ren, and Shaozhen Chen ARIA is a 128-bit block cipher that has been selected as I. Introduction a Korean encryption standard. Similar to AES, it is robust against differential cryptanalysis and linear cryptanalysis. ARIA [1] is a block cipher designed by the Korean In this study, we analyze the security of ARIA against cryptographers Kwon and others in ICISC 2003. The upgraded differential-linear cryptanalysis. We present five rounds version 1.0 of ARIA [2] was selected as a Korean standard of differential-linear distinguishers for ARIA, which block cipher by the Ministry of Commerce, Industry, and can distinguish five rounds of ARIA from random Energy [3] in 2004. ARIA has also been adopted by several permutations using only 284.8 chosen plaintexts. standard protocols such as IETF (RFC 5794 [4]), SSL/TLS Moreover, we develop differential-linear attacks based on (RFC 6209 [5]) and PKCS #11 [6]. In Korea, ARIA has been six rounds of ARIA-128 and seven rounds of ARIA-256. used widely, especially in government-to-public services. Thus, This is the first multidimensional differential-linear studies of the security of ARIA are important in various areas cryptanalysis of ARIA and it has lower data complexity of cryptanalysis and it is necessary to constantly reevaluate its than all previous results. This is a preliminary study and security using various cryptanalytic techniques. further research may obtain better results in the future. The design of ARIA is provably resistant against differential and linear attacks, but many other cryptanalysis methods have Keywords: ARIA, Block cipher, Cryptanalysis, Linear been developed to attack ARIA, such as integral attacks [7], [8], hull, Multidimensional differential-linear attack.
    [Show full text]
  • Analysis of Linear Relationships in Block Ciphers
    Analysis of Linear Relationships in Block Ciphers by Muhammad Reza Z’aba Bachelor of Science (Computer) (Universiti Teknologi Malaysia) – 2004 Thesis submitted in accordance with the regulations for the Degree of Doctor of Philosophy Information Security Institute Faculty of Science and Technology Queensland University of Technology May 7, 2010 Keywords Block cipher, stream cipher, symmetric cipher, linear transformation, diffusion, cryptanalysis, fixed points, round function, key scheduling algorithm, integral attack, bit-pattern, algebraic analysis, system of equations, branch number, AES, ARIA, LEX, BES, Noekeon, PRESENT, Serpent, SMS4 i ii Abstract This thesis is devoted to the study of linear relationships in symmetric block ciphers. A block cipher is designed so that the ciphertext is produced as a nonlinear function of the plaintext and secret master key. However, linear re- lationships within the cipher can still exist if the texts and components of the cipher are manipulated in a number of ways, as shown in this thesis. There are four main contributions of this thesis. The first contribution is the extension of the applicability of integral attacks from word-based to bit- based block ciphers. Integral attacks exploit the linear relationship between texts at intermediate stages of encryption. This relationship can be used to recover subkey bits in a key recovery attack. In principle, integral attacks can be applied to bit-based block ciphers. However, specific tools to define the attack on these ciphers are not available. This problem is addressed in this thesis by introducing a refined set of notations to describe the attack. The bit pattern- based integral attack is successfully demonstrated on reduced-round variants of the block ciphers Noekeon, Present and Serpent.
    [Show full text]
  • Attacking Reduced Rounds of the ARIA Block Cipher
    Attacking Reduced Rounds of the ARIA Block Cipher Ewan Fleischmann, Michael Gorski, and Stefan Lucks Bauhaus-University Weimar, Germany {Ewan.Fleischmann, Michael.Gorski, Stefan.Lucks}@uni-weimar.de Abstract. ARIA [4] is a block cipher proposed at ICISC’03. Its design is very similar to the advanced encryption standard (AES). The authors propose that on 32-bit processors, the encryption speed is at least 70% of that of the AES. They claim to offer a higher security level than AES. In this paper we present two attacks of reduced round ARIA which shows some weaknesses of the cipher. Moreover, our attacks have the lowest memory requirements compared to existing attacks on ARIA with an increase in the time complexity. Keywords: block ciphers, differential cryptanalysis, ARIA. 1 Introduction The ARIA block cipher [4] was presented at ICISC’03. Its design is very similar to the advanced encryption standard (AES/Rijndael) [3]. The block size is 128-bit and the key size is either 128, 192 or 256 bits. It uses the same number of rounds as the AES, which are 10, 12 and 14 respectively. ARIA employs two kinds of S-Boxes and two types of substitution layers which are different between even and odd rounds. They skip using a MixComuns operation and use an 16 × 16 binary matrix with branch number 8 in their diffusion layer. The authors propose that ARIA can increase the efficiency in 8-bit and 32-bit software implementations in comparison to AES. Moreover, they claim to have better security against all existing attacks on block ciphers.
    [Show full text]
  • ARIA/AES 기반 GCM 인증암호를 지원하는 암호 프로세서 a Cryptographic Processor Supporting ARIA/AES-Based GCM Authenticated Encryption
    ISSN:1226-7244 (Print) ISSN:2288-243X (Online) j.inst.Korean.electr.electron.eng.Vol.22,No.2,233∼241,June 2018 논문번호 18-02-02 http://dx.doi.org/10.7471/ikeee.2018.22.2.233 7 ARIA/AES 기반 GCM 인증암호를 지원하는 암호 프로세서 A Cryptographic Processor Supporting ARIA/AES-based GCM Authenticated Encryption ★ 성 병 윤*, 김 기 쁨**, 신 경 욱* ★ Byung-Yoon Sung*, Ki-Bbeum Kim**, Kyung-Wook Shin* Abstract This paper describes a lightweight implementation of a cryptographic processor supporting GCM (Galois/Counter Mode) authenticated encryption (AE) that is based on the two block cipher algorithms of ARIA and AES. It also provides five modes of operation (ECB, CBC, OFB, CFB, CTR) for confidentiality as well as the key lengths of 128-bit and 256-bit. The ARIA and AES are integrated into a single hardware structure, which is based on their algorithm characteristics, and a 128×12-b partially parallel GF (Galois field) multiplier is adopted to efficiently perform concurrent processing of CTR encryption and GHASH operation to achieve overall performance optimization. The hardware operation of the ARIA/AES-GCM AE processor was verified by FPGA implementation, and it occupied 60,800 gate equivalents (GEs) with a 180 nm CMOS cell library. The estimated throughput with the maximum clock frequency of 95 MHz are 1,105 Mbps and 810 Mbps in AES mode, 935 Mbps and 715 Mbps in ARIA mode, and 138~184 Mbps in GCM AE mode according to the key length. 요 약 블록암호 알고리듬 ARIA, AES를 기반으로 GCM (Galois/Counter Mode) 인증암호를 지원하는 암호 프로세서를 경량화 구현하였다.
    [Show full text]