WO2004014016A1 - Method and device of manipulating data in finite fields - Google Patents
- Publication number: WO2004014016A1 (PCT/IL2003/000647)
- Authority: WO (WIPO, PCT)
- Prior art keywords: representation, data, transformation, conversion, processed
Classifications
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
        - G06F7/60—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
          - G06F7/72—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
            - G06F7/724—Finite field arithmetic
      - G06F2207/00—Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
        - G06F2207/72—Indexing scheme relating to groups G06F7/72 - G06F7/729
          - G06F2207/7209—Calculation via subfield, i.e. the subfield being GF(q) with q a prime power, e.g. GF ((2**m)**n) via GF(2**m)
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
          - H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
            - H04L9/0631—Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
            - H04L9/0637—Modes of operation, e.g. cipher block chaining [CBC], electronic codebook [ECB] or Galois/counter mode [GCM]
      - H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
        - H04L2209/12—Details relating to cryptographic hardware or logic circuitry
Definitions
- the present invention relates to computations in finite fields, and to conversion between representations of finite fields.
- AES: Advanced Encryption Standard
- the Rijndael algorithm includes a ByteSub bit level operation on an input byte, x.
- the ByteSub operation includes an encryption mode and a decryption mode.
- the encryption mode includes a combination of an inverse operation and an affine transformation, e.g., x is converted into Ax^-1 + b, wherein A and b are predetermined parameters.
- the decryption mode includes a combination of an affine transformation followed by an inverse operation, e.g., x is transformed into (A^-1 (x + b))^-1.
- the inverse operation is performed over a Galois Field, GF(2^8).
- Other block cipher algorithms also implement an inversion operation in GF(2^8).
- These algorithms include, for example, the Camellia cipher algorithm described by K. Aoki et al. in "Specification of Camellia — a 128-bit Block Cipher", http://info.isl.ntt.co.jp/camellia/, and the Zodiac cipher algorithm described by C. H. Lee in "Zodiac: Block Cipher Proposal", http://www.safedigm.com/productpds/download/Safedigm_Zodiac.pdf.
- One method of the AES implements two lookup tables, also referred to as S-boxes, each including 256 values corresponding to the 256 possible x values when using GF(2^8).
- An encryption S-box includes 256 values of Ax^-1 + b and a decryption S-box includes 256 values of (A^-1 (x + b))^-1.
- Another method of the AES implements one table, denoted F(x), including 256 values of the inverse of x, namely, x^-1.
- This method requires storage of one table containing 256 values, as well as additional circuitry for implementing the encrypt/decrypt affine transformations, i.e. by multiplying x by A or A^-1 and adding b.
- the overall conventional implementation of the AES S-box with the set of computations defined by the Rijndael algorithm is not sufficiently efficient.
- Designing a more efficient S-box may significantly reduce the complexity of AES implementations, since a conventional hardware implementation of AES requires several, e.g. sixteen, S-boxes.
- the Rijmen reference concludes that even if an AES S-box based on an expanded GF(2^4) could be implemented, such an implementation may have no practical use if a good VHDL compiler is used. Therefore, the Rijmen reference teaches away from seeking ways to implement an AES S-box based on an expanded GF(2^4).
- Embodiments of the invention provide a method and a device for efficiently manipulating data provided in a GF(2^(2s)) representation, e.g., for implementing at least some AES encryption and/or decryption operations on data provided in a GF(2^(2s)) representation, by converting the GF(2^(2s)) data into a GF((2^s)^2) representation and performing GF(2^s) equivalent operations in the GF((2^s)^2) representation.
- Exemplary embodiments of the invention may solve a fundamental problem of implementing an AES S-box based on an expanded GF(2^4), for example, the inherent problem of efficiently translating the data from a GF(2^8) representation into a GF((2^4)^2) representation, such that the overall procedure of the translation and the operations is more efficient than the conventional implementation.
- the method of manipulating data may include converting the GF(2^(2s)) data into corresponding data in a GF((2^s)^2) representation. This may be achieved by applying to the GF(2^(2s)) data a conversion operator related to a pre-determined representation-transformation from the GF(2^(2s)) representation to the GF((2^s)^2) representation.
- the conversion operator may include a combination of a linear transformation and the predetermined representation-transformation.
- the conversion operator may only be related to the representation-transformation.
- the conversion operator may include a representation-transformation matrix corresponding to the desired transformation.
- the representation-transformation matrix may be selected from a set of possible representation-transformation matrices according to desired criteria, e.g. minimum area for circuit implementation.
- Each matrix of the set of matrices may be defined by two field generators, i.e., a root of an irreducible polynomial over the GF(2^(2s)) representation, and a field generator of the GF((2^s)^2) representation.
- the GF((2^s)^2) representation may be defined by an irreducible reduction polynomial over GF(2^s) and an extension polynomial over GF(2^s), e.g., an irreducible polynomial of second degree over GF(2^s).
- the method may also include performing on the GF((2^s)^2) data at least one operation equivalent to at least one desired operation in the GF(2^(2s)) representation, to provide processed GF((2^s)^2) data.
- the method may also include converting the processed GF((2^s)^2) data back into the GF(2^(2s)) representation. This may be achieved by applying to the processed GF((2^s)^2) data a de-conversion operator related to the pre-determined representation-transformation.
- the de-conversion operator may include applying a combination of a linear transformation and an inverse of the predetermined representation-transformation.
- a method for determining the representation-transformation matrix may include synthesizing, e.g., by constructing and/or simulating, a plurality of circuits, each corresponding to a representation-transformation matrix from the GF(2^(2s)) representation into the GF((2^s)^2) representation, and/or to an inverse of the representation-transformation matrix.
- the method may also include selecting one of the matrices based on predetermined optimization criteria, e.g. minimal circuit area.
- GF(2^8) input data to be encrypted and/or decrypted by an AES device may be converted from the GF(2^8) representation into data in a GF((2^4)^2) representation.
- the conversion may include a linear transformation and/or a predetermined representation-transformation from the GF(2^8) representation into the GF((2^4)^2) representation.
- GF(2^4) operations equivalent to the GF(2^8) AES encryption/decryption operations may be performed on the GF((2^4)^2) data to provide processed GF((2^4)^2) data.
- the processed GF((2^4)^2) data may then be converted back into the GF(2^8) representation.
- the hardware implementation of the overall process, e.g., the process of converting the data into the GF((2^4)^2) representation, performing the equivalent encryption/decryption operations and converting the processed data back into the GF(2^8) representation, may be significantly more efficient than a conventional hardware implementation of the AES S-box.
- a secure memory storage device compliant with an AES S-box.
- the storage device may include an input conversion module adapted to convert GF(2^8) data to be stored into a GF((2^4)^2) representation.
- the input conversion module may include decryption conversion circuitry and encryption conversion circuitry.
- the storage device may further include an operations module adapted to perform operations on the GF((2^4)^2) data and provide processed GF((2^4)^2) data.
- the operations to be performed by the operations module may be equivalent to the GF(2^8) AES encryption/decryption operations.
- the storage device may further include an output de-conversion module adapted to convert the processed GF((2^4)^2) data back into the GF(2^8) representation.
- the output de-conversion module may include decryption de-conversion circuitry and encryption de-conversion circuitry.
- FIG. 1 is a flow chart illustration of a method of manipulating data, in accordance with embodiments of the invention.
- FIG. 2 is a schematic illustration of a circuit implementing an AES S-box for encryption and/or decryption of data, according to some exemplary embodiments of the present invention.
- FIG. 3 is a schematic illustration of an operation module, according to further exemplary embodiments of the invention.
- GF(2^(2s)) refers to a representation of a Galois Field (GF) of order 2^(2s) as an extension field of GF(2) consisting of a plurality of polynomials over GF(2) modulo p(t), wherein p(t) is an irreducible polynomial of degree 2s over GF(2).
- a polynomial may be represented in the GF(2^(2s)) representation by a string of 2s bits.
- the notation GF((2^s)^2) refers to a representation of a GF of order 2^(2s) as an extension field of GF(2^s) consisting of a plurality of polynomials over GF(2^s) modulo r(t), wherein r(t) is an irreducible polynomial of second degree over GF(2^s), i.e., r(t) = t^2 + αt + β, wherein α and β are elements of GF(2^s).
- the GF(2^s) is represented as an extension field of GF(2) consisting of a plurality of polynomials over GF(2) modulo q(t), wherein q(t) is an irreducible polynomial of degree s over GF(2).
- FIG. 1 schematically illustrates a flow chart of a method of manipulating data, in accordance with embodiments of the invention.
- the method may include converting data in a GF(2^(2s)) representation into corresponding data in a GF((2^s)^2) representation, which corresponds to an extension of GF(2^(2s)), by applying to the GF(2^(2s)) data a conversion operator, as described in detail below.
- the method may also include performing on the GF((2^s)^2) data at least one operation equivalent to at least one desired operation in the GF(2^(2s)) representation to provide processed GF((2^s)^2) data, as described in detail below.
- the method may further include converting the processed GF((2^s)^2) data back into the GF(2^(2s)) representation, as described in detail below.
- the GF(2^(2s)) data may include two or more data blocks.
- the method may be implemented to perform on the two or more data blocks at least one operation in the GF((2^s)^2) representation equivalent to at least one desired operation in the GF(2^s) representation.
- the method may be used as part of encrypting and/or decrypting of input data, for example, by performing at least some AES S-box encryption/decryption operations, as described below.
- s equals four. These embodiments are useful for converting data in a GF(2^8) representation into corresponding data in a GF((2^4)^2) representation.
- the conversion from the GF(2^(2s)) representation into the GF((2^s)^2) representation may be performed in stages or recursively, e.g., by applying one or more intermediate conversion operators, as described below.
- the method may be used for performing at least some AES S-box encryption operations wherein s equals four.
- the input data to be encrypted may be converted from an extended GF representation, e.g., GF(2^8), into a new representation, e.g., GF((2^4)^2), corresponding to an extension of GF(2^4), as described below.
- GF(2^4) operations which may be effectively equivalent to corresponding AES operations in GF(2^8) may be performed on the GF((2^4)^2) data, significantly reducing the complexity level of the calculations.
- the processed data may then be converted back into the AES GF(2^8) representation, as described below.
- an encryption block to perform encryption, and/or a decryption block to perform decryption, may be implemented in embedded electrical circuitry, e.g., of the type that may be used in a smartcard.
- the conversion operator that may be used for converting the data to and from the AES GF(2^8) representation and the GF((2^4)^2) representation may be pre-programmed, e.g., into a smart card. Other configurations may be used additionally or alternatively.
- the conversion operator may be related to a representation-transformation from the GF(2^s) representation into the GF((2^s)^2) representation.
- the conversion operator may be related to a representation-transformation matrix corresponding to the representation-transformation.
- the representation-transformation matrix may be selected from a set of possible representation-transformation matrices according to desired criteria, e.g. minimum area for circuit implementation, as described below.
- Each matrix of the set of matrices may be defined by a root of an irreducible polynomial over the GF(2^(2s)), e.g., GF(2^8), and by a generator of the field extension of the GF((2^s)^2), e.g., GF((2^4)^2), representation, as described below.
- Polynomial representations of GF(2^4) over GF(2) may be defined by each of three irreducible reduction polynomials over GF(2^4), e.g., 1 + t + t^4, 1 + t^3 + t^4, 1 + t + t^2 + t^3 + t^4.
- field extensions of one or more of the polynomial representations of GF(2^4) in GF(2^8) may be computed using irreducible extension polynomials, e.g., polynomials of the type t^2 + αt + β, wherein α and β may be elements of GF(2^4), such that t^2 + αt + β is irreducible over GF(2^4), as described below.
- a total number of relevant GF((2 4 ) 2 ) representations may be reduced from 360 to 24.
- the present invention is not limited in this respect.
- the description of some embodiments of the present invention may be restricted to the context of using irreducible extension polynomials of the type t^2 + αt + β wherein α = 1; it would be apparent to those of ordinary skill in the art how to adapt these methods using any extension polynomials of the type t^2 + αt + β.
- a total of twenty-four GF((2^4)^2) representations may be computed for converting the data from the standard AES representation into the GF((2^4)^2) representation.
- Each of the two representations may be a linear space of dimension n over GF(2), and each isomorphism may be a linear transformation between the representations.
- an n×n binary representation-transformation matrix, M, may be computed for transforming, e.g. by matrix multiplication, elements in Rep1 into corresponding elements in Rep2.
- an inverse representation-transformation matrix, M^-1, may exist for each representation-transformation.
- An irreducible polynomial, p0, having n roots may represent Rep1.
- Each root of p0 is a generator of the GF(2^n) and invariant under field isomorphism.
- a pair of corresponding generators of representations Rep1 and Rep2 may uniquely determine an isomorphism between Rep1 and Rep2, since the multiplicative group of the GF(2^n) is cyclic.
- (ri)^k denotes field generator ri raised to the k-th power in representation Repi, to produce an element (ri)^k in representation Repi; and wherein field element (r1)^k in representation Rep1 may be treated as a vector in a linear space of dimension n over GF(2), and may be multiplied by the representation-transformation matrix, M, to provide
- Equation system 1 includes 2^n linear equations, which may be solved to determine the representation-transformation matrix, M, corresponding to the pair of generators r1 and r2.
- Equation system 1 may include redundant equations, which may be ignored in order to reduce the number of computations. For example, only the first n equations may be used to provide one representation-transformation matrix.
- Another representation-transformation matrix may be provided by a solution of Equation set 1 using a different pair of generators r1 and r2.
- there may be n different equation systems corresponding to the n different generators in Rep2 which are the image of r1, providing n different representation-transformation matrices from Rep1 to Rep2.
- each root of the irreducible polynomial over GF(2^8) may be a generator of the GF(2^8) field.
- each of the possible representation-transformation matrices may enable transformation from the standard AES representation into a different GF((2^4)^2) representation of GF(2^8) corresponding to a different extension of GF(2^4).
- the input data, x, in the AES representation may be converted into the GF((2^4)^2) representation by applying the representation-transformation, e.g., representation-transformation matrix M.
- An operation x → x^-1, denoted T(x), in the GF((2^4)^2) representation may be performed on the converted data, e.g., M x.
- F(x) and T(M x) may be provided by the following nonlinear equation:
- Equation 2 may be rewritten as follows:
- Equation 3 may have eight solutions, representing the eight possible isomorphisms between the two representations, e.g., between the AES GF(2^8) representation and a corresponding GF((2^4)^2) representation.
- An isomorphism between the two representations may be determined by choosing a generator in one representation to be mapped to a specific generator in the other representation, as described above.
- 01 e1 5c 0c fe 16 e2 64, 01 e1 5c 0c ff f7 be 68, 01 5c e0 50 12 0f 59 d7, 01 5c e0 50 13 53 b9 87, 01 e0 5d b0 1f 55 f1 3f, 01 e0 5d b0 1e b5 ac 8f, 01 5d e1 ed 4e a1 47 22, 01 5d e1 ed 4f fc a6 cf.
- 01 e1 5c 0c 1f 4a ee 84, 01 e1 5c 0c 1e ab b2 88, 01 5c e0 50 4f b3 e9 da, 01 5c e0 50 4e ef 09 8a, 01 e0 5d b0 ff 08 41 de, 01 e0 5d b0 fe e8 1c 6e, 01 5d e1 ed 12 1d 4b 93, 01 5d e1 ed 13 40 aa 7e.
- 01 50 b0 0c a3 8b d3 d5, 01 50 b0 0c a2 db 63 d9, 01 b0 ed 50 £2 6f c2 6b, 01 b0 ed 50 ⁇ df 2f 3b, 01 ed 0c b0 43 7f 39 32, 01 ed 0c b0 42 92 35 82, 01 0c 50 ed af 85 66 9e, 01 0c 50 ed ae 89 36 73.
- 01 50 b0 0c 4e 8a 83 65, 01 50 b0 0c 4f da 33 69, 01 b0 ed 50 fe 6e 72 86, 01 b0 ed 50 ff de 9f d⁇, 01 ed 0c b0 13 7e d4 3e, 01 ed 0c b0 12 93 d8 8e, 01 0c 50 ed 1f 84 6a ce, 01 0c 50 ed 1e 88 3a 23.
- each group of 8 matrix strings is associated with one of the 8 extension polynomials of the type t^2 + αt + β and one of the three irreducible reduction polynomials over GF(2^4), as described above.
- the matrix string values are listed in the form of 8 pairs of values in hexadecimal form, representing an 8 × 8 binary matrix.
- Equation set 4 with the boundary conditions of Equation set 5 may yield a set of the values Q1, Q2, R1, R2 corresponding to a desired i-th representation-transformation matrix.
- the location of a desired representation-transformation matrix, e.g. the i-th matrix in the above list, may be defined by the (Q1+1)-th reduction polynomial, the (Q2+1)-th extension polynomial, and the (R2+1)-th matrix string.
- the matrix string values may be converted into the transformation matrix representation by separating the matrix string into pairs of numbers in hexadecimal form. Each column of the transformation matrix may then be represented using the binary representation of a corresponding hexadecimal pair, e.g., using eight binary digits.
- Some embodiments of the present invention include an AES compatible
- the AES compatible S-box may be configured to perform AES S-box equivalent operations, e.g., encryption and/or decryption operations, over the GF((2^s)^2) representation.
- the AES compatible S-box may include, for example, conversion circuitry enabling the conversion of data from the standard AES S-box based representation into the GF((2^s)^2) representation, as described above.
- the AES compatible S-box may also include an operations module, which may include operation circuitry and/or software to process the converted data, e.g. to perform AES equivalent operations on the converted data.
- the AES compatible S-box may also include de-conversion circuitry to convert the processed data back into the AES representation.
- the conversion circuitry or software may include circuitry implementing the representation-transformation matrix M.
- the circuitry or software implementing the representation-transformation matrix M may be combined with the circuitry or software implementing a linear transformation, for example, AES S-Box parameters, e.g., A.
- the conversion circuitry or software may include four multiplication modules, e.g., as described below, for multiplication by M, AM, M^-1, and (AM)^-1, respectively.
- the conversion circuitry may consist of a combination of applying a linear transformation and the predetermined representation-transformation.
- the conversion circuitry may implement the addition of AES S-box parameter b, e.g. by a XOR circuit, to provide the sum x+b, which may further be multiplied by an inverse of AM.
- the conversion circuitry may implement other combinations of a linear transformation and the representation-transformation matrix, e.g., the specific implementations described herein. The use of such operation modules may enhance the efficiency of the conversion circuitry.
- a hardware implementation of matrix multiplication may include any hardware implementation of matrix multiplication, as is known in the art.
- values of y may be computed using Equation 10. This may be achieved by determining which of the elements of row D are nonzero and performing a XOR operation of the corresponding values of x_j.
- operations e.g. inverse, adding, and/or multiplication operations, equivalent to AES operations may be defined in the new representation, as described below.
- An element x of GF(2^8) may be defined by an eight-digit binary number and an element z of GF(2^4) may be defined by a four-digit binary number.
- a bit octet of GF(2^8) may be analogous to a linear polynomial z<m> t + z<l>, wherein z<m> and z<l> are elements of GF(2^4).
- the new representation may include elements z<m> and z<l> of GF(2^4).
- multiplication and addition operations in the new representation may be defined in terms of operations on GF(2^4).
- Provided below is one possible definition of multiplication and addition in the new representation in terms of operations over GF(2^4). It will be appreciated that other definitions may also be used as part of some embodiments of the present invention.
- Addition and subtraction of two elements, e.g., a, d ∈ GF(2^8), in the new representation may be defined as a bitwise XOR of the two elements, as is known in the art.
- the product of the two elements a and d may be defined as the polynomial product (a<m> t + a<l>) × (d<m> t + d<l>) mod (t^2 + αt + β), wherein multiplication and addition of the polynomial coefficients may be defined by operations over GF(2^4) using a given representation.
- the product of elements a and d may be calculated using the following equation:
- the product of elements a and d in the AES GF(2 8 ) may be defined as ⁇ r ⁇ r ⁇ r ⁇ r ⁇ ] .
- c × a = 1, i.e., (c<m> a<m> α + c<m> a<l> + c<l> a<m>) t + c<l> a<l> + c<m> a<m> β = 1
- Equation set 13 may be translated into the following system of linear equations over GF(2):
- c<m> and c<l> may be calculated, as described above.
- Equation system 14 may require two square computations, e.g., a<m>^2 and a<l>^2, five multiplication computations, one inversion and three additions, all taken over GF(2^4). However, as part of some embodiments of the present invention, the number of these computations may be reduced, as explained below.
- additions over GF(2^4) may be implemented as XOR circuits, as is known in the art. According to other embodiments of the invention, the multiplication over GF(2^4) may be performed more efficiently by defining GF(2^4) multipliers and selecting the appropriate multiplier in each case, as explained below.
- the solutions of the multiplication of two elements may be as follows:
- An appropriate GF(2^4) multiplier may be constructed for a given representation-transformation matrix. Since each representation-transformation matrix may be defined by one of the three irreducible reduction polynomials over GF(2^4) in combination with an extension polynomial, as described above, the GF(2^4) multipliers may be predetermined. It may be appreciated by a person skilled in the art that other suitable implementations of GF(2^4) multipliers may be used additionally or alternatively in accordance with exemplary embodiments of the invention.
- Inversion, denoted INV, and squaring, denoted SQR, in GF(2^4) may be implemented by two respective, relatively small, Look-Up-Tables (LUTs) having a size of 8 bytes each, e.g., 16 nibbles.
- LUTs: Look-Up-Tables
- coefficient β may be predetermined.
- the value β × g^2 for an element g ∈ GF(2^4) may also be stored in an 8-byte LUT, which may be denoted βSQR, thereby eliminating one multiplication from the set of computations required for computing Equation System 14.
- SQR, INV and/or βSQR in GF(2^4) may be implemented by any suitable circuit, as is known in the art.
- the SQR circuits may implement the following solutions:
- [a3, a2, a1, a0] → [a2 + a3, a1 + a3, a3, a0 + a2 + a3]
- circuitry implementation of embodiments of the invention may be more compact than the corresponding LUT implementation.
- a LUT may provide more efficient processing of the data.
- LUTs, listed in hexadecimal notation, may be used to calculate respective values of SQR, βSQR and/or INV corresponding to an input number, i, between 0 and 15:
- SQR 0,1,4,5,f,e,b,a,2,3,6,7,d,c,9,8 (15)
- βSQR 0,2,8,a,1,3,9,b,4,6,c,e,5,7,d,f
- INV 0,1,f,a,8,6,5,9,4,7,3,e,d,c,b,2 wherein the output of each table may be the i-th entry of the table.
- FIG. 2 illustrates a circuit implementation of an AES compatible S-box 200 for encrypting/decrypting data, in accordance with some exemplary embodiments of the present invention.
- S-box 200 may be implemented to provide an output sbox[x] or sbox^-1[x] corresponding to the block data x according to Equations 8 and 9, as described below.
- conversion module 221 may also apply the decrypt affine transformation to x, as described below.
- S-box 200 may also include an operation module 230 to process the converted data, e.g.
- S-box 200 may also include an output de-conversion module 223, to convert the processed data back into the AES representation, as described below.
- Module 223 may also apply the encrypt affine transformation to the output of module 230, as described below.
- module 221 may include a first data input path 202 corresponding to an encryption mode of operation, i.e., to perform the conversion sbox[x], as described above.
- Module 221 may also include a second data input path 204 corresponding to a decryption mode of operation, i.e. to perform the conversion sbox^-1[x].
- module 221 may include encryption conversion circuitry 214, and decryption conversion circuitry 210.
- Circuitry 214 may include an M^-1 multiplier adapted to apply a conversion operator to x, e.g., to implement multiplication of x by M^-1.
- Circuitry 210 may be adapted to apply a conversion operator to x, e.g., circuitry 210 may include a XOR module 216 for implementing a XOR operation of x with b, and an (AM)^-1 multiplier 218 to implement multiplication of the output of module 216 by (AM)^-1.
- the output of circuitry 214 may be M^-1 x, corresponding to the expression in brackets of Equation 8.
- the output of circuitry 210 may be (AM)^-1 × (x ⊕ b), corresponding to the expression in brackets of Equation 9.
- module 221 may also include a multiplexer 220, which may have two inputs associated with the outputs of circuits 214 and 210, respectively. Multiplexer 220 may be used to select between these two inputs, such that an output of multiplexer 220 may include one output of converted data 231 corresponding to the selected input. Multiplexer 220 may include any suitable circuitry known in the art for selection between two inputs.
- multiplexer 220 may include a control register (not shown). The control register may store an indication bit to indicate the required mode of operation, e.g., the indication bit may equal zero for the encrypt mode of operation and may equal one for the decrypt mode of operation.
- the output of multiplexer 220 may be selected according to the value of the indication bit, as is known in the art.
- the value of the indication bit may be set before performing an encryption or a decryption operation on a plurality of data blocks.
- Converted GF((2^4)^2) data 231 may include 8 bits carried, for example, by eight parallel electric conductors (not shown), as is known in the art. The eight conductors may be separated into two sets of four conductors, carrying the high and low 4-bit halves respectively.
- Module 230 may include operation circuitry for performing AES equivalent operations on converted data 231, as described above.
- the operation circuitry may include a first 8 bitwise XOR box 232 and a second 8 bitwise XOR box 234.
- The operation circuitry may also include three copies, 236, 238 and 240, of the GF(2^4) multiplier, as described above.
- The operation circuitry may also include three circuits/8-byte tables implementing INV 242, SQR 244 and λ·SQR 246, respectively, as described above. Circuits/tables 242, 244 and 246 and multipliers 236, 238 and 240 may be predetermined according to the selected reduction polynomial, as described above.
- The respective outputs c_l and c_h of multipliers 240 and 238 may equal (z_l + z_h)(z_h^2 λ + z_l^2 + z_l z_h)^-1 and z_h (z_h^2 λ + z_l^2 + z_l z_h)^-1, respectively.
- The output of module 230 may include the value of T[M^-1 × x] according to Equation 8.
- The output of module 230 may include the value of T[(AM)^-1 × (x ⊕ b)] according to Equation 9.
- the eight-bit output of module 230 may be received by module 223.
- Module 223 may include a first data path 272 corresponding to an encryption mode of operation, and a second data path 274 corresponding to a decryption mode of operation.
- Module 223 may include encryption de-conversion circuitry 285, and decryption de-conversion circuitry 282.
- Circuitry 282 may include an M multiplier associated with path 272.
- Multiplier 282 may be used in the decryption mode to convert the processed GF((2^4)^2) data back into the AES representation, e.g., to provide M T[(AM)^-1 (x ⊕ b)] in accordance with Equation 9.
- Circuitry 285 may include an AM multiplier 284 associated with path 274, and a XOR block 286 associated with an output of multiplier 284.
- Multiplier 284 may be used in combination with XOR block 286 to convert the processed GF((2^4)^2) data back into the AES representation in the encryption mode of operation, e.g., to provide AM × T[M^-1 × x] ⊕ b, in accordance with Equation 8.
- module 223 may also include a multiplexer 290, which may have two inputs associated with outputs of XOR block 286 and multiplier 282, respectively.
- Multiplexer 290 may be used to select between these two inputs, such that an output of multiplexer 290 may include one output corresponding to the mode of operation.
- Multiplexer 290 may include any suitable circuitry known in the art for selection between two inputs.
- multiplexer 290 may include circuitry similar to the circuitry of multiplexer 220, as described above.
- Examples of the operation of S-box 200 are provided below.
- a first example demonstrates encrypting data using an AES compliant S-box, in accordance with an embodiment of the present invention.
- a second example demonstrates decryption of data according to other exemplary embodiments.
- The 129th representation-transformation matrix from the set of matrices listed above is used, and the input data, x, is chosen to have a value of 67. It should be noted that the representation-transformation matrix and the input data in these examples have been randomly selected for demonstrative purposes only and are not intended to limit the scope of the invention to any particular choice of representation-transformation matrix or to any specific input data value.
- The input data in this exemplary embodiment, represented by the hexadecimal value 67 (T1), may be loaded through input path 202.
- The input data may be multiplied by M^-1 at multiplier 214, resulting in 2e (T3).
- T3 is input to multiplexer 220, which is set to the encryption mode.
- T4 is selected by multiplexer 220 (set to the decryption mode) to receive T5.
- Multiplier 238 has inputs T11 and T13, and multiplier 240 has inputs T7 and T13. The resulting output of multipliers 240 and 238 is
- Fig. 3 schematically illustrates an operation module 330, according to further exemplary embodiments of the invention.
- Module 230 (Fig. 2) of S-box 200 (Fig. 2) may be replaced by module 330 to allow performing the AES equivalent operations for λ ≠ 1.
- Module 330 may include an alpha multiplier 332 to multiply value 235 by λ.
- the output of multiplier 332 may be provided as inputs to XOR block 232 and multiplier 236, respectively.
- The c_h output of multiplier 238 and the c_l output of multiplier 240 may be provided according to Equation set 14, as described above.
- A method for determining the representation-transformation matrix from the set of representation-transformation matrices may include synthesizing, e.g., by constructing and/or simulating, a plurality of circuits, each corresponding to a representation-transformation matrix from the GF(2^2s) representation into the GF((2^s)^2) representation, as described above.
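The following is an added, self-contained example and not the patent's own circuit or code. It computes the AES S-box in the GF((2^4)^2) tower representation exactly along the data path described above: Equation 8 (AM × T[M^-1 × x] ⊕ b) for encryption, Equation 9 (M × T[(AM)^-1 × (x ⊕ b)]) for decryption, and Equation set 14 for the tower inversion T with a general λ. The GF(2^4) reduction polynomial x^4 + x + 1 and λ are assumptions; the representation-transformation matrix M is derived in the code by mapping the AES generator to a root of the AES polynomial inside the tower field, so it is not the "129th" matrix of the text and intermediate values such as 2e differ from the worked example. A brute-force GF(2^8) S-box serves as the oracle.

```python
# Added example, not the patent's circuit: the AES S-box computed in the GF((2^4)^2)
# tower representation, following Equations 8, 9 and 14 of the text.  The matrix M is
# derived below from an assumed GF(2^4) polynomial and is not the patent's "129th"
# matrix, so intermediate values differ from the worked example in the text.

AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1 (FIPS-197)
GF16_POLY = 0x13   # x^4 + x + 1, assumed reduction polynomial for the GF(2^4) subfield
AFFINE_B = 0x63    # AES affine constant b

def _polymul(a, b, poly, top):
    """Shift-and-add multiplication modulo poly; top is the bit that overflows the field."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & top:
            a ^= poly
        b >>= 1
    return r

def gf256_mul(a, b):          # AES representation of GF(2^8)
    return _polymul(a, b, AES_POLY, 0x100)

def gf16_mul(a, b):           # the shared GF(2^4) multiplier (blocks 236/238/240)
    return _polymul(a, b, GF16_POLY, 0x10)

# INV table for GF(2^4); 0 maps to 0 as in AES.
GF16_INV = [0] + [next(i for i in range(1, 16) if gf16_mul(a, i) == 1) for a in range(1, 16)]

# lambda: smallest value making y^2 + y + lambda irreducible over GF(2^4) (no root t).
LAMBDA = next(lam for lam in range(1, 16) if all(gf16_mul(t, t) ^ t ^ lam for t in range(16)))

def tower_mul(p, q):
    """GF((2^4)^2) product; a byte is z_h*y + z_l (high/low nibble) with y^2 = y + LAMBDA."""
    ph, pl, qh, ql = p >> 4, p & 0xF, q >> 4, q & 0xF
    hh = gf16_mul(ph, qh)
    return ((gf16_mul(ph, ql) ^ gf16_mul(pl, qh) ^ hh) << 4) | (gf16_mul(pl, ql) ^ gf16_mul(hh, LAMBDA))

def tower_inv(z):
    """Equation set 14: c_h = z_h*d^-1, c_l = (z_h+z_l)*d^-1, d = lambda*z_h^2 + z_l^2 + z_h*z_l."""
    zh, zl = z >> 4, z & 0xF
    d = gf16_mul(gf16_mul(zh, zh), LAMBDA) ^ gf16_mul(zl, zl) ^ gf16_mul(zh, zl)
    dinv = GF16_INV[d]
    return (gf16_mul(zh, dinv) << 4) | gf16_mul(zh ^ zl, dinv)

def tower_pow(z, e):
    r = 1
    while e:
        if e & 1:
            r = tower_mul(r, z)
        z, e = tower_mul(z, z), e >> 1
    return r

def mat_mul(cols, x):
    """8x8 GF(2) matrix, stored as its 8 column bytes, times the bit-vector x."""
    r = 0
    for i in range(8):
        if (x >> i) & 1:
            r ^= cols[i]
    return r

# The isomorphism: map the AES generator alpha (0x02) to a root beta of the AES polynomial
# inside the tower field; column i of M^-1 is then beta^i in tower coordinates.
BETA = next(b for b in range(256)
            if tower_pow(b, 8) ^ tower_pow(b, 4) ^ tower_pow(b, 3) ^ b ^ 1 == 0)
MINV_COLS = [tower_pow(BETA, i) for i in range(8)]          # M^-1: AES -> GF((2^4)^2)
_to_aes = {mat_mul(MINV_COLS, x): x for x in range(256)}     # invert the bijection
M_COLS = [_to_aes[1 << i] for i in range(8)]                 # M: GF((2^4)^2) -> AES

def affine_a(x):
    """The AES affine matrix A applied to x (constant b added separately)."""
    rot = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return x ^ rot(x, 1) ^ rot(x, 2) ^ rot(x, 3) ^ rot(x, 4)

AM_COLS = [affine_a(c) for c in M_COLS]                      # combined de-conversion A*M
_am_inv = {mat_mul(AM_COLS, x): x for x in range(256)}
AM_INV_COLS = [_am_inv[1 << i] for i in range(8)]            # (AM)^-1 for the decryption path

def sbox(x):
    """Equation 8: sbox(x) = AM * T[M^-1 * x] xor b, with T the tower inversion."""
    return mat_mul(AM_COLS, tower_inv(mat_mul(MINV_COLS, x))) ^ AFFINE_B

def inv_sbox(x):
    """Equation 9: sbox^-1(x) = M * T[(AM)^-1 * (x xor b)]."""
    return mat_mul(M_COLS, tower_inv(mat_mul(AM_INV_COLS, x ^ AFFINE_B)))

def sbox_reference(x):
    """Direct GF(2^8) S-box with a brute-force inverse, used only as an oracle."""
    inv = next((c for c in range(1, 256) if gf256_mul(x, c) == 1), 0)
    return affine_a(inv) ^ AFFINE_B

def verify_all():
    """True iff the tower S-box and its inverse match the direct AES S-box for every byte."""
    return all(sbox(x) == sbox_reference(x) and inv_sbox(sbox(x)) == x for x in range(256))
```

`verify_all()` is the check a practitioner wants before trusting a composite-field S-box: it exercises every byte through both the encryption and decryption paths against the direct GF(2^8) definition, which catches a wrong λ, a non-isomorphic M, or a mis-ordered nibble immediately. Varying the subfield polynomial, λ and the chosen root β produces the other admissible matrices; three irreducible quartics over GF(2), eight λ values per quartic and eight roots per choice give 3 × 8 × 8 = 192, consistent with the 192 matrices the text refers to.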
- the method may also include selecting one of the matrices based on predetermined optimized criteria, e.g. minimal circuit area, as described below.
- Each representation-transformation matrix M of the set of possible representation-transformation matrices may be implemented to provide conversion from the AES representation into the GF((2^4)^2) representation, as described above.
- Each representation-transformation matrix may be implemented by an appropriate electrical circuit, e.g., as described above, and/or appropriate software process, and may have different performance characteristics, as discussed below.
- a representation-transformation matrix may be selected from the set of matrices according to any desired criteria, as described below.
- the operation parameters under which the circuits are tested may affect the relative results of the circuits.
- the optimality of a circuit or process may depend on the operation parameters used, as described below.
- the determination of a circuit or process as being optimal may also depend on the criteria used to evaluate the circuits/processes.
- different circuits/processes may be determined to be optimal for different operation parameters and/or criteria, as described below.
- the comparison criteria may include the number of gates and/or power consumption required by each of the circuits/processes to convert the sample data and to perform the AES equivalent operations described above. According to other embodiments of the invention, any other desired optimization criteria may be applied.
- a set of circuits e.g. 192 circuits, corresponding to the 192 possible transformation matrices, respectively, may be fabricated, e.g. corresponding to s-box 200 (Fig. 2) described above.
- Each one of the circuits may be synthesized using DC Shell 2001.08-sp1 (DC Expert), available from Synopsys.
- A target library, e.g., TSMC 0.18 μm SAAG-X Artisan, may be used for the synthesis.
- The synthesis may be performed for various timings, e.g., propagation delays ranging, for example, from 12 ns to 6 ns.
- circuits may appear to be more desirable than others in terms of minimum area required for implementation, as well as in terms of other criteria and/or under certain operation parameters.
- performances of each of the circuits may be dependent upon the operation parameters of the circuit.
- the modification of certain operation parameters may affect the individual circuits in a generally similar manner. It should be appreciated, however, that some circuits may yield optimal results when operated under certain operation parameters, and significantly non-optimal results when the operation parameters are changed.
- the area of the circuits may increase with frequency, regardless of the selected representation-transformation matrix; however, for different frequencies, different circuits may provide optimal results, for example, a different optimal area required for implementing the circuits.
- circuits 82, 105, 124 and 128, corresponding to respective equivalent representation-transformation matrices, as described above, may provide desirable results under various operation parameters.
- The differences in the performance of the various circuits, as well as the desirability of some of the circuits in a substantially large number of cases, may be associated with the use of the three alternatives for the INV and SQR circuits/tables and the GF(2^4) multiplier, as described above.
- Different circuits may dictate different λ·SQR circuits/tables, and the multiplication by M, AM, M^-1 and (AM)^-1 may also differ, as described above.
- The conversion from the GF(2^2s) representation into the GF((2^s)^2) representation may be performed in stages or recursively, e.g., by applying one or more intermediate conversion operators.
- The operations in the GF(2^2u) representation may be performed in a GF((2^u)^2) representation.
- An intermediate conversion operator may be applied to convert data in the GF((2^s)^2) representation into corresponding data in the GF((2^u)^2) representation.
- Operations in a GF(2^q), wherein q is odd, may be performed using operations in a GF((...(((2^q)^2)^2)...)^2) representation, by using operations in GF(2^q).
- the conversion from one GF representation to another GF representation e.g., having half the size, may be designed according to efficiency criteria, e.g., circuitry and/or power efficiency, of specific implementations.
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU2003249548A AU2003249548A1 (en) | 2002-08-06 | 2003-08-06 | Method and device of manipulating data in finite fields |
JP2004525729A JP2005534973A (en) | 2002-08-06 | 2003-08-06 | Method and apparatus for manipulating data within a finite body |
EP03766605A EP1547301A1 (en) | 2002-08-06 | 2003-08-06 | Method and device of manipulating data in finite fields |
IL16668405A IL166684A0 (en) | 2002-08-06 | 2005-02-03 | Method and device of manipulating data in finite fields |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US40105102P | 2002-08-06 | 2002-08-06 | |
US60/401,051 | 2002-08-06 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2004014016A1 true WO2004014016A1 (en) | 2004-02-12 |
Family
ID=31495918
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/IL2003/000647 WO2004014016A1 (en) | 2002-08-06 | 2003-08-06 | Method and device of manipulating data in finite fields |
Country Status (4)
Country | Link |
---|---|
EP (1) | EP1547301A1 (en) |
JP (1) | JP2005534973A (en) |
AU (1) | AU2003249548A1 (en) |
WO (1) | WO2004014016A1 (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2005266810A (en) * | 2004-03-16 | 2005-09-29 | Samsung Electronics Co Ltd | Data-ciphering processing apparatus applying masking method thereto, aes-ciphering system and aes-ciphering method |
US8316338B2 (en) | 2009-02-09 | 2012-11-20 | The United States Of America, As Represented By The Secretary Of Commerce, The National Institute Of Standards & Technology | Method of optimizing combinational circuits |
US8923510B2 (en) * | 2007-12-28 | 2014-12-30 | Intel Corporation | Method and apparatus for efficiently implementing the advanced encryption standard |
GB2574261A (en) * | 2018-06-01 | 2019-12-04 | Advanced Risc Mach Ltd | Efficient unified hardware implementation of multiple ciphers |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FR2871969B1 (en) * | 2004-06-18 | 2006-12-01 | Sagem | METHOD AND DEVICE FOR PERFORMING A CRYPTOGRAPHIC CALCULATION |
US7995757B2 (en) * | 2007-05-31 | 2011-08-09 | Harris Corporation | Closed galois field combination |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4322577A (en) * | 1977-12-21 | 1982-03-30 | Braendstroem Hugo | Cryptosystem |
US4975867A (en) * | 1987-06-26 | 1990-12-04 | Digital Equipment Corporation | Apparatus for dividing elements of a Galois Field GF (2QM) |
2003
- 2003-08-06 EP EP03766605A patent/EP1547301A1/en not_active Withdrawn
- 2003-08-06 AU AU2003249548A patent/AU2003249548A1/en not_active Abandoned
- 2003-08-06 JP JP2004525729A patent/JP2005534973A/en active Pending
- 2003-08-06 WO PCT/IL2003/000647 patent/WO2004014016A1/en not_active Application Discontinuation
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2005266810A (en) * | 2004-03-16 | 2005-09-29 | Samsung Electronics Co Ltd | Data-ciphering processing apparatus applying masking method thereto, aes-ciphering system and aes-ciphering method |
US7965836B2 (en) | 2004-03-16 | 2011-06-21 | Samsung Electronics Co., Ltd. | Data cipher processors |
US8923510B2 (en) * | 2007-12-28 | 2014-12-30 | Intel Corporation | Method and apparatus for efficiently implementing the advanced encryption standard |
US20160204938A1 (en) * | 2007-12-28 | 2016-07-14 | Intel Corporation | Method and apparatus for efficiently implementing the advanced encryption standard |
US10050778B2 (en) * | 2007-12-28 | 2018-08-14 | Intel Corporation | Method and apparatus for efficiently implementing the advanced encryption standard |
US10148426B2 (en) * | 2007-12-28 | 2018-12-04 | Intel Corporation | Method and apparatus for efficiently implementing the advanced encryption standard |
US8316338B2 (en) | 2009-02-09 | 2012-11-20 | The United States Of America, As Represented By The Secretary Of Commerce, The National Institute Of Standards & Technology | Method of optimizing combinational circuits |
US8707224B2 (en) | 2009-02-09 | 2014-04-22 | The United States Of America, As Represented By The Secretary Of Commerce, The National Institute Of Standards & Technology | Method of optimizing combinational circuits |
GB2574261A (en) * | 2018-06-01 | 2019-12-04 | Advanced Risc Mach Ltd | Efficient unified hardware implementation of multiple ciphers |
GB2574261B (en) * | 2018-06-01 | 2020-06-03 | Advanced Risc Mach Ltd | Efficient unified hardware implementation of multiple ciphers |
US11190340B2 (en) | 2018-06-01 | 2021-11-30 | Arm Limited | Efficient unified hardware implementation of multiple ciphers |
Also Published As
Publication number | Publication date |
---|---|
EP1547301A1 (en) | 2005-06-29 |
JP2005534973A (en) | 2005-11-17 |
AU2003249548A1 (en) | 2004-02-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Sklavos et al. | Architectures and VLSI implementations of the AES-proposal Rijndael | |
US7532721B2 (en) | Implementation of a switch-box using a subfield method | |
US20030133568A1 (en) | Programmable data encryption engine for advanced encryption standard algorithm | |
US20100208885A1 (en) | Cryptographic processing and processors | |
JP2008145791A (en) | Encryption processing device, encryption processing method and computer program | |
JP2005215688A (en) | Hardware encryption/decryption apparatus using s-box operation, and method for the same | |
WO2007083528A1 (en) | Encryption/decryption device, encryption/decryption method, and computer program | |
CN106685663A (en) | Encryption method for error learning problem in ring domain and circuit | |
JP4098719B2 (en) | Programmable data encryption engine for AES algorithm | |
EP1547301A1 (en) | Method and device of manipulating data in finite fields | |
JP2005513541A6 (en) | Programmable data encryption engine for AES algorithm | |
Chiţu et al. | An FPGA implementation of the AES-Rijndael in OCB/ECB modes of operation | |
Li et al. | A reconfigurable and compact subpipelined architecture for AES encryption and decryption | |
Talha et al. | Efficient advance encryption standard (AES) implementation on FPGA using Xilinx system generator | |
WO2004056036A1 (en) | A small hardware implementation of the subbyte function of rijndael | |
CN101809638A (en) | Arithmetic operation method and arithmetic operation device | |
WO2004070510A2 (en) | Device and method of manipulating masked data | |
Gangadari et al. | FPGA implementation of compact S-box for AES algorithm using composite field arithmetic | |
Hammad | Efficient hardware implementations for the advanced encryption standard algorithm | |
Barrera et al. | Improved mix column computation of cryptographic AES | |
Farmani et al. | A high performance hardware implementation image encryption with AES algorithm | |
KR20060014420A (en) | Method and apparatus for a low memory hardware implementation of the key expansion function | |
KR20010032479A (en) | Method for cryptographic conversion of l-bit input blocks of digital data into l-bit output blocks | |
Manteena | A VHDL Implemetation of the Advanced Encryption Standard-Rijndael Algorithm | |
KR20100026358A (en) | Method and apparatus of elliptic curve cryptographic operation based on block indexing on sensor mote and recording medium using by the same |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AK | Designated states | Kind code of ref document: A1; Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
| AL | Designated countries for regional patents | Kind code of ref document: A1; Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| WWE | Wipo information: entry into national phase | Ref document number: 166684; Country of ref document: IL |
| WWE | Wipo information: entry into national phase | Ref document number: 2004525729; Country of ref document: JP |
| WWE | Wipo information: entry into national phase | Ref document number: 2003766605; Country of ref document: EP |
| WWP | Wipo information: published in national office | Ref document number: 2003766605; Country of ref document: EP |
| WWW | Wipo information: withdrawn in national office | Ref document number: 2003766605; Country of ref document: EP |