Study of MDS Matrix Used in Twofish AES (Advanced Encryption Standard) - DocsLib

sign in sign up

<<

Home , MDS matrix, Twofish

StudyofMDSMatrixusedinTwofishAES (AdvancedEncryptionStandard)Algorithm anditsVHDLImplementation

AartiSingh 1/EC/97 ACKNOWLEDGEMENT

I carried out this Project at CEERI (Central Electronic Engineering ResearchInstitute),Delhi.IamthankfultomyadvisorandguideDr.AmrikSingh, withoutwhosesupport,thisprojectwouldnothavebeenpossible.Heintroducedme tothischallengingandexcitingtopicandguidedmethroughout.Iamalsothankful toDr.S.P.S.SainiandMr.BrijeshJoshifortheirusefulassistanceandcomments. AlsoItakethisopportunitytoexpressmyregardsandsincerethankstoDr.H.R. Singhwho assignedmetothisproject.I am alsoindebted toDr.S.S.Aggarwal, HeadCEERI(D)forprovidingmetheopportunitytoworkintheirreputedinstitute andextendsomecontributiontoit.Lastbutnottheleast,IthankallCEERIstafffor helpingmeoutwithwhateverIneeded. AartiSingh INTRODUCTION

Data Encryption has assumed a significant role in today’s world. With the everincreasing need to ensure security of data during communication, the Encryption Algorithms need to be strengthened. The advances in cryptanalysis further underscore the importance of having secure Algorithms. With this aim in mind,theNationalInstituteofStandardsandTechnology(NIST),responsiblefor maintainingencryptionstandardsintheU.S.,gaveacallforAESortheAdvanced EncryptionStandard.Tilldatethereare5contendersthathaveemergedsuccessful inthe3roundconferences. Thefivefinalists : 1. Mars 2. RC6 3. Rjndael 4. Serpent 5. Twofish ThisProjectisanintroductiontotheAEScandidate–Twofish .Twofishisnamed such since it has two main diffusion elements, they are the MDS (Maximum DistanceSeparable)matrixandthePHT(PseudoHadamardTransform).(Moreover itiscustomarytonameciphersafterseacreaturesandTwofishisthesuccessorof Blowfish.)ThisProjectundertakesadeeperanalysisofitsmostsignificantdiffusion element,theMDS matrix.AVHDLmodelforthehardwareimplementationofthe matrixisalsoproposed. AES(AdvancedEncryptionStandard):

AES is the nextgeneration of Encryption Standard. It is basically an improvementovertheDES(DataEncryptionStandard).Oneofitsprerequisiteisa 128bitblockciphertoreplacethecurrent64bitciphers. eedforAES/a128bitblockcipher : 1. The key used in various prevalent 64bit ciphers like DES is too short for acceptablecommercialsecurityrequirementsoftoday. 2. Recent advances in distributed keysearch technique have made the earlier cipherspronetocryptanalyticattacks. 3. CipherslikeTripleDES,whichdespitebeing64bitoffergreaternumberof roundstomeettherequiredsecurity,aretooslow. 4. Anotherdisadvantageof64bitciphersisthatthe64bitblocklengthisopen toattackswhenlargeamountofdataareencryptedunderthesamekey. TwofishCharacteristics:

• A128bitblockcipher. • Keylengthsof128bits,192bitsand256bits. • Noweakkeys. • Efficiencyandspeedonboth,software(PIIIproetc.)and hardware(smartcardetc.)platforms. • Flexibledesigne.g. o Acceptsadditionalkeylengths(allkeylengths upto256bitswithleadingzerosfilledin). o Implementableonvarietyofplatforms. o Suitableforstreamcipheringalso. o AlsousableforhashfunctionandMAC(Message AuthenticationCodes) TwofishAlgorithmBlockStructure:

P(128bitplaintext)

Littleendianconversion

P 0 P1P 2P 3

K0K 1 K 2 K 3 ]i/pwhitening

R r,2 Rr,3

Fr,0 <<1

Rr,0 F Fr,1 Rr,1 1round >>1

15more

rounds

K4 K5 K6 K7 ]o/pwhitening

C 0 C1 C2 C3

Littleendianconversion

C ( 128-bit cipher text)

TwofishAlgorithmsteps:(Overview)

splitusing

(1) Plaintext(128bit) P 0 ,...,P 3(32bitseach) littleendianconversion p 0,..., p15

accordingto: 3 8j P i = p (4i+j) .2 i=0,…,3 j=0

(2) InputWhitening–XORingwithsubkeys

R 0,i =P iK i i=0,…,3

(3) 16Iterationsofroundfunction AbalancedFeistelnetworkconstitutesthe16iterations.AFeistelnetwork transforms any function F into a permutation. In a Feistel cipher, the round functionconsistsoftakingonepartofthedatabeingencrypted,feedingitinto somekeydependentfunctionF,andthenXORingtheresultintoanotherpartof theblock.Ifthetwopartsareeachhalfablock,thenthecipheris“balanced”. Forr th iteration,

(F r,0 ,F r,1 )= F (R r,0 ,R r,1,r) r=0,…,15 risusedtoselecttheappropriatesubkeyfortheFfunction. Finally,afterswapping

Rr+1,0 =ROR(R r,2 Fr,0 ,1)

Rr+1,1 =ROL(R r,3 ,1) Fr,1

Rr+1,2 =R r,0

Rr+1,3 =R r,1 (4) OutputWhitening–XORingwithsubkey

Ci =R 16,(i+2)mod4 Ki+4 i=0,…,3

(5) C0,…,C 3 ofciphertext 128bitciphertext,c i littleendianconversion Thereverselittleendianproceedsas:

8 ci =C [i/4] mod2 i=0,…15 28(imod4) Function F – is a keydependent permutation on64bit values. It takes three arguments:twoinputwordsR 0 andR 1,andtheroundnumberrusedtoselectthe appropriatesubkeysandproducesF 0 andF 1astheresult.

F PHT

g

R0 T0 F0

K2r+8

g

<< 8

R1 T1 F1

K2r+9

T0 =g(R 0 )

T1 =g(ROL(R 1,8))

32 F0 =(T 0+T 1+K 2r+8 )mod2

32 F1=(T 0+2T 1+K 2r+9 )mod2

PHT(PseudoHadamardTransform )isasimplemixingoperation.Thisisthe secondmaindiffusionelement.Twofishusesa32bitPHTdefinedas: a’=(a+b)mod2 32 b’=(a+2b)mod2 32 whereaandbareinputs. Functiong isthemostimportantpartofTwofishAlgorithm.Itconsistsoftwomain elements:thekeydependentSboxesandtheMDSmatrix.

g y 0

x0 S 0

y 1

x 1 S 1

X y 2 MDS Z T

x 2S 2

y 3

x 3 S 3 TheinputwordXissplitinto4bytesas

X(32bit)x 0,…,x 3 (4bytes) 8i 8 xi =[X/2 ]mod2 i=0,…,3 Each byte passes through a keydependent Sbox. An Sbox is a nonlinear substitution operation. In twofish four Sboxes each constructed of 8by8bit permutationsandkeymaterial. yi=S i[x i] MDSmatrixisthemaindiffusionelementinTwofish.Itisdescribedindetail below.

MDS(MaximumDistanceSeparable)Matrix

8 y 0

8 32 y1 MDS Z

8 y2

8 y3

3

8i Z= zi.2

i=0

where zi are theresultofmultiplicationbytheMDSmatrix:

z 0 01EF5B5B y0

z 1 5BEFEF01 y1 …(1)

z 2 EF5B01EF y2

z 3 EF01EF5By 3

AIM :Tounderstandandimplementthis4x4MDSmatrix. SomeBasicsfromCodingTheory Field: A field is a set of elements in which it is possible to add, subtract, multiply and divide (except that division by zero is not defined) and the two operations addition and multiplication satisfy the commutative, associative and distributivelaws.

GaloisField: AfieldwithqelementsiscalledafinitefieldorGaloisfield, andisdenotedbyGF(q).Thefieldwithminimumnumberof elementsi.e.two,0and1,iscalledthebinaryfield,GF(2). Extended AnextendedfieldofdegreemoverafinitefieldFhasq m Field: elementsifthebasefieldhasqelements. Basefield:GF(q)Extendedfield:GF(q m) Irreducible Apolynomialp(x)thatisnotdivisiblebyanyotherpolynomial Polynomial: exceptitselfand1. Monic Apolynomialthathasthecoefficientofthehighestpowerofx Polynomial: as1. Primitive Amonicirreduciblepolynomial. Polynomial:: ThefieldformedbytakingpolynomialsoverafinitefieldFmodulop(x),where p(x)isanirreduciblepolynomialofdegreem,isalsoanextensionfieldEof degreemoverF. TwofishMDSusesthebinaryextendedfieldGF(2 8)[x]/p(x)forcomputations wherep(x)=x 8+x 6+x 5+x 3+1.(GF(2 8)[x]representsafieldwhereafieldelement i i a=a ix ,a i GF(2)andi=0…7,isidentifiedwiththebytevaluea i2 . Constructing the Galois field GF(2 8) requires a primitive polynomial p(x) of degree8andaprimitiveelementβwhichisarootofp(x).Allelementsofa fieldcanbeexpressedintermsoftheprimitiveelement.

Code: Ablockofkmessagesymbolsu=u 1u2…u n isencodedintoa _ m codewordx=x 1x2…x n (u i, xi GF(2 ))wheren> k;these codewordsformacode. LinearCode:: AcodeCiscalledalinearcodeif(v+w)isawordinC whenevervandwareinCi.e.itisclosedunderaddition. Lengthofa isthelengthofallitscodewordsi.e.thenumberofelementsin code,n: eachcodewordwhereeachelementmaybelongtoanyfieldq m.

Hamming ortheweightofacodewordisthenumberof1’sacodewordhas. weight,wt: weight,wt: Hamming orthedistancebetweentwocodewordsistheno.ofpositionsin distance,d: whichthetwowordsdisagree. d(v,w)=wt(v+w) Dimension Acodewith2 kcodewordshasdimensionki.e.kisthenumber ofacode,k: ofelementsinanybasisforthecode. Information A(n,k)codehasratek/nsinceeachcodewordusesnsymbolsto rateor sendkmessagesymbols. efficiency,R: Alinearcodeischaracterizedbythreeparameters 1.Lengthofthecode,n 2.Dimensionofthecode,k 3.Distanceofthecode,d–istheminimumdistancebetweenits codewords.Foralinearcode,sincezeroisalwaysacodeword,distance ofthecodeistheminimumweightofanynonzerocodeword. Thefollowingmethodofencodingproducesalinear(n,k,d)code: Totransmitthekmessagesymbols u =u 1,u 2,…,u k,themessage uisencodedas acodeword, xoflengthn. x =x 1….x k xk+1 ….x n

message nkcheck symbols, u symbols Thechecksymbolsarechosenas: x 1 Hx 2 =0

xn The (n-k) x n matrixHisaparitycheckmatrixofthecodegivenby: H=[A|I nk] …(2) whereAissomefixed (n-k) x k matrixandI nk isthe (n-k) x (n-k) unitmatrix. Hhasnklinearlyindependentrows.Thisguaranteestheuniquedetermination ofthenkchecksymbolsx k+1 tox n.IfHhaslesserno.oflinearlyindependent

rows, then many such check symbols can be found. So, no. of linearly independentrowsislessthanorequaltonk. Equation(2)=>[A|I nk]x 1 =0 xn

=> Ax 1 + Inkx k+1 =0 xk xn

=>checksymbolsx k+1 x1 u1 =A =A …(3) xn xk uk Generator Matrix,x G is defined as the matrix that operates on the message symbolstoproducethecorrespondingcodeword. x=u G tr =>G=[I k|A ]

Comparing(3)with(1) , Matrix‘A’ 01EF5B5B usedintwofish: 5BEFEF01 EF5B01EF EF01EF5B

Messagesymbols,u:y 0,y 1,y 2,y 3

Checksymbolsgenerated:z 0,z 1,z 2,z 3 whicharebothelementsofthefieldGF(2 8).

Codewordproduced,x:z 3z2z1z0y3y2y1y0 Lengthofcodeword,n=8d Dimensionofcode,k=4.e MDS(MaximumDistanceSeparable)Codes:Alinear(n,k,d)codeissaidtobe: amaximumdistanceseparableorMDScodeifd=nk+1. ThegiventwofishMDScodehasn=8,k=4=>d=84+1=5

AnecessaryandsufficientconditionforamatrixtobeMDSi.e.forthematrixto generate a MDS code, is that all possible square submatrices of matrix ‘A’ obtainedbydiscardingrowsandcolumns,arenonsingular.SincetheTwofish matrixsatisfiesthiscondition,itisMDSwithd=5. This guarantees that if a single input changes, all four outputs are bound to change.ThisisverydesirableinanEncryptionAlgorithmtocreatemaximum randomnessandrendersthealgorithmresistanttoeasycryptanalysis.

OthercriteriausedinchoiceofTwofishMDSmatrix:

Apartfromthenonsingularnatureofallitssubmatrices,whichmakesitMDS, many other requirements were needed to be fulfilled by this matrix, which helpedintheprecisedeterminationofitsformandelements. 1. Sincetheprimitivepolynomialchosenisp(x)=x 8+x 6+x 5+x 3+1,three elementsneededtobechosenwhichcouldbeexpressedintermsofthe primitiveelementβandwereatthesametimesimpleenoughfor multiplicationwiththemtobeimplementedinhardwarewithfewshifts andXORs.Aswillbeseenlatertheelements01,5BandEFsatisfythis. as 5B=1+β2 and EF=1+β1+β2 2. DuringrightrotationoftheunshiftedPHTadditionsoutsidethefunction F,thosebytes,whichyielda1aftermultiplicationwithoneelement,lose thisonlynonzerobitandtheleastsignificantbitofthenexthigherbyteis shiftedin.TopreserveMDSpropertyevenafterrotation,theelementsare chosensothatforeachpairifa*x=1,thenb*xhastheleastsignificantbit set.Obviously,thisalsoholdsforanypaira,a.theelements01,5BandEF aresuchelements.

3. Ofallthe4x4MDSmatriceswiththeelements01,5BandEF,onlythis particularmatrixhadthepropertythatifasinglebyteinputischanged,not onlyareallfouroutputbyteschangedbutalso,amaximumHamming weightdifferenceof8bitsisobservedinthe32bitoutputi.e.inallthe32 bitsatleast8bitsaresuretobechanged.Thisagainguaranteesmaximum possiblerandomnessproducedbyamatrixofthissizeandsuchsimple elements.

HardwareImplementationofMDSmatrix

In software, the MDS matrix can be implemented easily by a table lookup procedure.Howeverforhardwareimplementation,simpleelementshavebeen chosenwhichcanbeimplementedusingafewshiftsandXORs. ThetwofishMDSmatrixrequiresjust2basicblocksmultiplicationby 5BandbyEFsincemultiplicationby01isnothingbutthenumberitself.

x 8 5B 8 5B.xx 8 EF 8EF.x Themultiplicationiscarriedoutmodp(x),wherep(x)=x 8+x 6+x 5+x 3+1isthe primitiveelementchosen.Nowouraimistosimplifythesemultiplicationsso thattheycanbeimplementedusingausingafewshiftsandXORs. Withtheearlierdefinedcorrespondence,p(x)mapsto2 8+2 6+2 5+2 3+2 0 =101101001 =169(H) Here+representsadditionmodulo2i.e.XOR. Also, 5B(H)=01011011=2 6+2 4+2 3+2 1+2 0 EF(H)=11101111=2 7+2 6+2 5+2 3+2 2+2 1+2 0 Therefore, 5B.x=(2 6+2 4+2 3+2 1+2 0 ).x =2 0.x+(2 6+2 4+2 3+2 1).x =x+2 2.x +(2 6+2 4+2 3+2 1+2 2).x =x+(x>>2)+169(H) .x 4 0 1 2 7 =x+(x>>2)+169(H) .x 0.2 +169(H) .x 1.2 +169(H) .x 2.2 +...+169(H) .x 7.2 4 4 4 4 Now,169(H)isa9bitnumberand169(H) isa7bitnumber.Allmultiplications 4 with2 2ormore makethattermgreaterthan8bits.Sincemultiplicationiscarried outmodp(x)i.e.mod169(H),allsuchtermscomeouttobezero.

So,finally 5B.x=x+(x>>2)+169(H) .x0+169(H) .x 1 …(i) 4 2 SimilarlyproceedingforEF.x, EF.x=(2 7+2 6+2 5+2 3+2 2+2 1+2 0 ).x =2 0.x+(2 7+2 6+2 5+2 3+2 2+2 1).x =x+2 1.x+2 2.x +(2 7+2 6+2 5+2 3+2 2+2 1+2 1+2 2).x =x+(x>>1)+(x>>2)+169(H) +169(H) .x 2 4 (2 7+2 5+2 4+2 2+2 1) (2 6+2 4+2 3+2 1+2 2)

0 0 1 =x+(x>>1)+(x>>2)+169(H) .x 0.2 +169(H) .x 0.2 +169(H) .x 1.2 24 4 (retainingonlythosetermsthatare<8bitssincerestarereducedtozero ontakingmod169(H)) So,finally EF.x=x+(x>>1)+(x>>2)+169(H) .x 0 +169(H) .x 0 +169(H) .x 1 .. (ii) 24 2 =x+(x>>2)+169(H) .x 0+169(H) .x 1 +(x>>1)+169(H) .x 0 4 2 2 5B.x Hencethetworequiredmultiplicationshavebeenreducedtoverysimpleforms. Basedonthetwoequations(i)and(ii),thefollowingVHDLmodelhasbeen proposed.MDS.vhdisthemainfilethatcomputestheMDStransformationand itusesthefileutils.vhdfordeclarations.Anautomaticallygeneratedtestbench isalsoincluded.ThesoftwareusedisfromAldec:ActiveHDL3.6

1: library MDS; use MDS.utils. all ; 2: --declaration to include utility package 3: entity MDS is 4: port (y: in input_data; 5: Z: out bit_vector (((input_data'length*byte'length) 6: -1)downto 0)); 7: end entity MDS; 8: 9: architecture behav of MDS is 10: constant set_up_time: time := 2ns; 11: begin 12: process is 13: variable z_temp:input_data; --stores z(0)..z(3) 14: variable temp: bit_vector (((input_data'length* 15: byte'length)-1)downto 0); 16: variable op:byte; 17: variable p,m: integer ; 18: begin 19: wait for set_up_time; 20: for i in z_temp' range loop 21: z_temp(i):=x "00" ; 22: for j in y' range loop 23: case MDS_matrix(i,j) is 24: when x "01" => 25: op:=y(j); 26: when x "5B" => 27: op:=op1(MDS_matrix(i,j),y(j)); 28: when x "EF" => 29: op:=op2(MDS_matrix(i,j),y(j)); 30: when others => 31: report "inconsistency in MDS-matrix" 32: severity failure; 33: end case ; 34: z_temp(i):=op xor z_temp(i); 35: end loop ; 36: end loop ; 37: p:=Z'high; 38: for k in z_temp'reverse_range loop 39: m:=p-(byte'length-1); 40: temp(p downto m):=z_temp(k); 41: p:=m-1; 42: end loop ; 43: Z<=temp; --Z=z(3)z(2)z(1)z(0) 44: wait on y; 45: end process ; 46: end architecture behav;

1: --Utility package for MDS 2: package utils is 3: constant n: natural := 4; 4: constant GF_base: bit_vector :=x "169" ; 5: constant GF_base_2: bit_vector (7 downto 0):=x "B4" ; 6: --to make the GF base 169(H)/2, a 8-bit number 7: subtype byte is bit_vector (7 downto 0); 8: --little-endian format 9: type Matrix_nxn is array (0 to n-1,0 to n-1)of byte; 10: type input_data is array (0 to n-1) of byte; 11: constant MDS_matrix :Matrix_nxn:= 12: ( 0=>( 0=>x "01" ,1=>x "EF" ,2=>x "5B" ,3=>x "5B" ), 13: 1=>( 0=>x "5B" ,1=>x "EF" ,2=>x "EF" ,3=>x "01" ), 14: 2=>( 0=>x "EF" ,1=>x "5B" ,2=>x "01" ,3=>x "EF" ), 15: 3=>( 0=>x "EF" ,1=>x "01" ,2=>x "EF" ,3=>x "5B" )); 16: --MDS matrix for Twofish 17: function op1(element,x:byte) return byte; 18: function op2(element,x:byte) return byte; 19: end package utils; 20: 21: package body utils is 22: function op1 (element,x:byte) return byte is --5B.x 23: variable result:byte; 24: begin 25: result:=(x xor (x srl 2)); 26: if x( 0)= '1' then 27: result:=result xor (GF_base_2 srl 1); 28: --eqv. to GF_base srl 2 29: end if ; 30: if x( 1)= '1' then 31: result:=result xor (GF_base_2); 32: --eqv. to GF base srl 1 33: end if ; 34: return result; 35: end function op1; 36: function op2(element,x:byte) return byte is --EF.x 37: variable result:byte; 38: begin 39: result:=(op1(element,x) xor (x srl 1)); 40: if x( 0)= '1' then 41: result:=result xor (GF_base_2); 42: --eqv. to GF_base srl 1 43: end if ; 44: return result; 45: end function op2; 46: end package body utils;

1: --************************************************************* 2: --* This file is automatically generated test bench template * 3: --* By ACTIVE-VHDL . Copyright (C) ALDEC Inc. * 4: --* * 5: --* This file was generated on: 12:11 AM, 7/30/00 * 6: --* Tested entity name: MDS * 7: --* File name contains tested entity: $DSN\src\MDS.vhd * 8: --************************************************************* 9: library MDS; 10: use MDS.utils. all ; 11: -- Add your library and packages declaration here ... 12: entity mds_tb is 13: end mds_tb; 14: 15: architecture TB_ARCHITECTURE of mds_tb is 16: -- Component declaration of the tested unit 17: component MDS 18: port ( y : in input_data; 19: Z : out BIT_VECTOR (((input_data'length* 20: byte'length)-1) downto 0) ); 21: end component ; 22: 23: -- Stimulus signals- signals mapped to the input and inout 24: -- ports of tested entity 25: signal y : input_data; 26: -- Observed signals-signals mapped to the output ports of 27: --tested entity 28: signal Z : BIT_VECTOR (((input_data'length* 29: byte'length)-1) downto 0); 30: -- Add your code here ... 31: begin 32: -- Unit Under Test port map 33: UUT : MDS 34: port map (y => y, 35: Z => Z ); 36: process is 37: begin 38: -- Add your stimulus here ... 39: y<=( 0=>(x "01" ), 1=>(x "23" ), 2=>(x "45" ), 3=>(x "67" )), 40: ( 0=>(x "67" ), 1=>(x "45" ), 2=>(x "23" ), 3=>(x "01" ))after 200 ns; 41: wait ; 42: end process ; 43: end TB_ARCHITECTURE; 44: 45: configuration TESTBENCH_FOR_MDS of mds_tb is 46: for TB_ARCHITECTURE 47: for UUT : MDS 48: use entity work.MDS(behav); 49: end for ; 50: end for ; 51: end TESTBENCH_FOR_MDS;

AnAlternativeCircuitDesignApproachtoHardwareImplementation

Fromequation(1), z0 =01.y 0 +EF.y 1 +5B.y 2 +5B.y 3 z1 =5B.y 0 +EF.y 1 +EF.y 2 +01.y 3 z2=EF.y 0 +5B.y 1 +01.y 2 +EF.y 3 z3 =EF.y 0 +01.y 1 +EF.y 2 +5B.y 3

Assuming databus to be of 8 bits, we’ll generate z i sequentially and enable8bitsofthe32bitfinalregisterinturn. Now,foreachz i fourmultiplicationblocksarerequiredi.e.01,EF,EF(5Bfor z0)and5B.Thiscanberepresentedas:

8

8 5B

8 Disabledfor z0 z i

8 5B EF

8 EF sinceasshownbyeq.(ii),EF.xincludesthetermsfor5B.x. To generate z i for i=0..3, the inputs required for the 4 blocks are as follows: Inputsforz i 01 5B 5B/EFEF z 0 y0 y 2 y3 y 1 z 1 y3 y 0 y 2 y 1 z 2 y2 y 1 y 3 y 0 z 3 y1 y 3 y 2 y 0 Thiscanbeachievedusingmultiplexerstochoosetheinputstoeachblock. Let T 0 be the control signal used to load data into the blocks. The overall circuitdiagramcannowbedrawn.(Notetheuseoftheabove block).T 7is thecontrolsignalthatoutputseachz iandclocksitintoanoutput32bitlatch. Thusafterallfourz iarelatched,thefinaloutputZisavailable.

2bitbinary 2bitbinary counter counter clk clk clk clk T0 CE T7 CE 2x4 DECODER y0 y1 4x1 OE y2 MUX LE y3

y2 T 0 andT 7are LE y0 4x1 produced y1 MUX inthisblock. Output y3 Latch (32bit)

z i LE y3 y2 4x1 y3 MUX y2

LE y1 y1 4x1 y0 MUX y0

clk

Nowforthe block,wedesigna5B/EFboxi.e.amultiplierthatmultiplies theinputby5BaswellasEF(providedsignal‘EF’=1).Fromeq n.(ii), EF.x=x+(x>>2)+169(H) .x 0+169(H) .x 1 +(x>>1)+169(H) .x 0 4 2 2 5B.x Thereforethealgorithmtobefollowedis: Tstate Operation T 0 Clear T 1 XORx T 2 Ifx 0=1,XOR169(H)/4 T 3 IfEF=1,XORx/2 T 4 Ifx 0=1&EF=1,XOR169(H)/2 T 5 Ifx 1=1,XOR169(H)/2 T 6 XORx/4 T 7 Output Hencethefollowingcircuitisproposed:

3bitbinary clk counter 3x8 Decoder

x0 EFx 0 EFx 1

S0 S1S 2S 3S 4S 5 S6S7 T2T 4 T0 169(H)/4 T 3 T 0 x S2 8 8 S1 S4S3 S6 OE LoadL.Shiftclk clk LoadR.Shift OE S6

IO IO T0 clkclear Latch OE T7

O

CONCLUSION

ThestudyoftheAEScandidateTwofish,helpedtogainsomeinsight into the presentday requirements of commercial security. With special emphasis on the MDS (Maximum Distance Separable) matrix, the applicationofcodingtheoryelementsinEncryptionAlgorithmwasseen.The importance of MDS codes in producing diffusion was analysed and this revealedthesignificanceofmaximumdiffusioninpreventingcryptanalytic attacks. Finally,ahardwareimplementableVHDLmodelwasproposedwhich couldbeusedtoobserveoutputsthatconformedtheexpectedresultsfrom theory.

References:

1. TwofishEncryptionAlgorithmA128bitBlockCipher ByBruceSchneier,JohnKelsey,DougWhiting,DavidWagner, ChrisHall,NielsFerguson 2. TheTheoryofErrorCorrectingCodes ByN.J.A.SloaneandF.J.MacWilliams 3. CodingTheoryTheEssentials ByD.G.Hoffman,D.A.Leonard,C.C.Lindner,K.T.Phelps, C.A.Rodger,J.R.Wall 4. TheDesigner’sGuidetoVHDL ByPeterJ.Ashenden 5. www.nist.gov/aes 6. www.counterpane.com/twofish

Web Analytics