Docstoc

AES Mode Discussion

Document Sample
AES Mode Discussion Powered By Docstoc
					     July, 2002                                                             doc.: IEEE 802.15-02/218r2
  Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs)

Submission Title: [AES Mode Discussion]
Date Submitted: [15 May, 2002]
Source: [Rene Struik] Company [Certicom Corp.]
Address [5520 Explorer Drive, 4th Floor, Mississauga, ON Canada L4W 5L1]
Voice:[+1 (905) 501-6083], FAX: [+1 (905) 507-4230], E-Mail:[rstruik@certicom.com]
Re: []
Abstract: [This document discusses trade-offs between different block-cipher modes of operation and their
suitability within the IEEE 802.15.3 High-Rate WPAN context.]
Purpose: [Highlight trade-offs that govern the choice of symmetric algorithms for the IEEE 802.15.3
WPAN.]
Notice: This document has been prepared to assist the IEEE P802.15. It is offered as a basis for
discussion and is not binding on the contributing individual(s) or organization(s). The material in this
document is subject to change in form and content after further study. The contributor(s) reserve(s) the right
to add, amend or withdraw material contained herein.
Release: The contributor acknowledges and accepts that this contribution becomes the property of IEEE
and may be made publicly available by P802.15.




     Submission                                    Slide 1                        Rene Struik, Certicom Corp.
July, 2002                               doc.: IEEE 802.15-02/218r2




              AES-Mode of Operation
                 (and MAC-function)
                      Discussion
             for IEEE 802.15.3 WPANs

             René Struik, Certicom Research




Submission                 Slide 2             Rene Struik, Certicom Corp.
July, 2002                                         doc.: IEEE 802.15-02/218r2

 Outline:
 • Block Cipher Modes of Operation:
          - Cipher-Block Chaining (CBC Mode);
          - Counter Mode (CTR Mode)
 • Message Authentication Codes:
          - Based on Block Codes: CBC-MAC;
          - Based on Un-Keyed Hash Functions: HMAC
 • Implementation Issues
          - Hardware vs. software implementation;
          - Computational efficiency considerations.




Submission                       Slide 3                 Rene Struik, Certicom Corp.
     July, 2002                                          doc.: IEEE 802.15-02/218r2

              Block-Cipher Modes of Operation: CBC Mode (1)
Encryption:       x1   x2   x3               xm-1   xm

                                                           Encryption algorithm:
                  EK   EK   EK               EK     EK     cj:=EK(xj cj-1) for all j>0;
                                                           c0:=IV.
   c0:=IV         c1   c2   c3               cm-1   cm

Decryption:
   c0:=IV         c1   c2   c3               cm-1   cm

                                                            Decryption algorithm:

                  DK   DK   DK               DK     DK      xj:=DK(cj) cj-1 for all j>0;
                                                            c0:=IV.

                  x1   x2   x3               xm-1   xm

     Submission                    Slide 4                     Rene Struik, Certicom Corp.
  July, 2002                                               doc.: IEEE 802.15-02/218r2

         Block-Cipher Modes of Operation: CBC Mode (2)

• Security requirement:
         -IV should be unpredictable.
• Encryption computation:                                    Encryption algorithm:
         -No parallelization of computation possible;        cj:=EK(xj cj-1) for all j>0;
         -Access to plaintext required for computation;      c0:=IV.
         -Access to IV needed for computation.
• Decryption computation:
         -Full parallelization of computation possible;
         -Access to ciphertext required for computation;
         -Access to IV needed for computation.
• Message size:
                                                              Decryption algorithm:
         -Plaintext expansion might be needed
          (size is multiple of encryption block length).      xj:=DK(cj) cj-1 for all j>0;
• Implementation:                                             c0:=IV.
         -Both encryption function EK and decryption
          function DK need to be implemented.
  Submission                          Slide 5                    Rene Struik, Certicom Corp.
  July, 2002                                                              doc.: IEEE 802.15-02/218r2

         Block-Cipher Modes of Operation: CBC Mode (3)
Example: Use of CBC-mode of operation in IEEE 802.15.3 High-Rate WPAN.

Block-cipher: AES-128 {block-cipher length: 128 bits}.

IV=EK( IdA || Nonce || j), where

                       IdA:         identifier of sender (64-bits field, right-adjusted);
                       Nonce:      inter-frame sequence number (48-bits field, right-adjusted);
                       j:           intra-frame sequence number (16-bits field, right-adjusted).
Motivation:
• IV is obtained via encryption, to ensure unpredictability hereof for outsiders;
• IdA is included to ensure logical separation between senders who have same key
  (no re-use of same IV value between different senders; no synchronization required);
• Nonce and j are included to ensure no re-use of same IV between different data
  frames (via increment of Nonce-value) and within data blocks in a frame (via increment of j-value).

Combinatorial freedom:
• Maximum size of data frame= max. #blocks  encryption block size = 216 * 27= 223 = 1Mbytes;
• Maximum #data frames = max. #Nonce values = 248 data frames
  (At 1Gbps data rate, exhaustion after roughly 1 year, if all data frames consist of only 1 block.)

NB: current max. frame length: 214 bits = 2 kbytes; at 55 Mbps data rate, exhaustion after >20 yrs.
  Submission                                      Slide 6                       Rene Struik, Certicom Corp.
     July, 2002                                                       doc.: IEEE 802.15-02/218r2

              Block-Cipher Modes of Operation: CTR Mode (1)
Encryption:       t1        t2        t3             tm-1        tm       counters


                  EK        EK        EK             EK          EK     Encryption algorithm:

           x1                    x3        xm-1             xm          cj:=EK(tj) xj for all j>0.
                       x2


                  c1        c2        c3             cm-1        cm


Decryption:
                  t1        t2        t3             tm-1        tm       counters


                  EK        EK        EK             EK          EK      Decryption algorithm:

           c1          c2        c3        cm-1             cm           xj:=DK(tj) cj for all j>0.


                  x1        x2        x3             xm-1        xm


     Submission                            Slide 7                          Rene Struik, Certicom Corp.
  July, 2002                                                   doc.: IEEE 802.15-02/218r2

         Block-Cipher Modes of Operation: CTR Mode (2)
• Security requirement:
         -Counters t1, t2, t3, … shall all be distinct over
          lifetime key K.
                                                              Encryption algorithm:
• Encryption computation:
         -Full parallelization of computation possible;       cj:=EK(tj) xj for all j>0.
         -No access to plaintext required for computation;
         -Access to t1, t2, t3, … needed for computation.
• Decryption computation:
         -Full parallelization of computation possible;
         -No access to ciphertext required for computation;
         -Access to t1, t2, t3, … needed for computation.
• Message size:                                                Decryption algorithm:
         -No plaintext expansion needed!
                                                               x :=D (t ) x for all j>0.
           (ciphertext can be truncated to plaintext length). j K j j
• Implementation:
         -Only encryption function EK needs to be
          implemented.
  Submission                              Slide 8                    Rene Struik, Certicom Corp.
  July, 2002                                                              doc.: IEEE 802.15-02/218r2

         Block-Cipher Modes of Operation: CTR Mode (3)
Example: Use of CTR-mode of operation in IEEE 802.15.3 High-Rate WPAN.

Block-cipher: AES-128 {block-cipher length: 128 bits}.

counter value=(IdA || Nonce || j), where

                       IdA:        identifier of sender (64-bits field, right-adjusted);
                       Nonce:     inter-frame sequence number (48-bits field, right-adjusted);
                       j:          intra-frame sequence number (16-bits field, right-adjusted).
Motivation:
• IdA is included to ensure logical separation between senders who have same key
  (no re-use of same IV value between different senders; no synchronization required);
• Nonce and j are included to ensure no re-use of same IV between different data
  frames (via increment of Nonce-value) and within blocks in a frame (via increment of j-value).

Combinatorial freedom:
• Maximum size of data frame= max. #blocks  encryption block size = 216 * 27= 223 = 1Mbytes;
• Maximum #data frames = max. #Nonce values = 248 data frames.
  (At 1Gbps data rate, exhaustion after roughly 1 year, if all data frames consist of only 1 block.)

NB: current max. frame length: 214 bits = 2 kbytes; at 55 Mbps data rate, exhaustion after >20 yrs.
  Submission                                     Slide 9                        Rene Struik, Certicom Corp.
    July, 2002                                      doc.: IEEE 802.15-02/218r2

             MACs Based on Block-Ciphers : CBC-MAC (1)
CBC-MAC:
            x1    x2     x3       xm-1      xm

IV:=0
                                                 CBC-MAC algorithm:
           EK     EK     EK       EK       EK    cj:=EK(xj cj-1) for j=1,…,m;
                                                 c0:=IV:=0;
Strengthened CBC-MAC:                            MAC:=cm.
                                            cm
            x1    x2     x3       xm-1      xm

IV:=0                                            Strengthened CBC-MAC algorithm:
           EK     EK     EK       EK       EK    cj:=EK(xj cj-1) for j=1,…,m;
                                                 c0:=IV:=0;
                                           DK’
                                                 MAC:=EK(DK’(cm)).

(Bellare, Kilian, Rogaway)                 EK

                                           MAC
    Submission                  Slide 10                   Rene Struik, Certicom Corp.
  July, 2002                                               doc.: IEEE 802.15-02/218r2

               MACs Based on Block-Ciphers: CBC-MAC (2)

• Security requirement:
         -Keys K and K’ should be independent;
          {This prevents chosen-text existential forgery attacks.}
         - If K=K’, then
                   Strengthened CBC-MAC reduces to ‘folklore’ CBC-MAC
                   (which is only secure for fixed length messages)
• (Strengthened) CBC-MAC computation:
         -No parallelization of computation possible;
         -Management of two keys, K and K’, required.
•Data integrity field size:
         -MAC value has size equal to encryption block length
          (truncated outputs possible, in exchange for reduced security level).
• Implementation:
         -Both encryption function EK and decryption function DK’
          need to be implemented.
• Standard: FIPS Pub 113 for DES; unknown whether continued for AES-128
  Submission                           Slide 11                  Rene Struik, Certicom Corp.
  July, 2002                                               doc.: IEEE 802.15-02/218r2

     MACs Based on Un-keyed Hash Functions: HMAC (1)

• Security requirement:
         - HMAC should use un-keyed hash function of same security level;
• HMAC computation:
         -No parallelization of computation possible;
         -Management of 1 key, viz. K, required.
• Data integrity field size:
         -HMAC value has size equal to 1 encryption block length
          (truncated outputs possible, in exchange for reduced security level).
• Implementation:
         -Un-keyed hash function needs to be implemented.
• Standard:
         -Draft FIPS Pub #HMAC (specification of HMAC)
         -Draft FIPS Pub 180-2 (specification of SHA-256)



  Submission                           Slide 12                  Rene Struik, Certicom Corp.
July, 2002                                              doc.: IEEE 802.15-02/218r2

   MACs Based on Un-keyed Hash Functions: HMAC (2)
HMAC-256:
-Building block: SHA-256.
-Block size:       512 bits.
-Operations on 32-bits words:
         - logical AND, XOR, NOT;
         - integer additions modulo 232;
         - rotations, shifts.
-Storage:
         - temporary storage: roughly 10 words (of 32 bits);
         - permanent storage: roughly 8 words (of 32 bits).
-Computational overhead:
         - roughly same as SHA-256.




Submission                          Slide 13                   Rene Struik, Certicom Corp.
  July, 2002                                                            doc.: IEEE 802.15-02/218r2

                            Implementation Issues (1)
Block-Cipher:                    AES-128 in one of the following modes:
                                 (1) CBC mode;
                                 (2) CTR mode.
Un-keyed hash function:          SHA-256 {block length: 512 bits}.
Keyed hash function:             (1) HMAC-256;
                                 (2) CBC-MAC function.
AES-128 implementation:
CBC Mode: implement both AES-128 encryption and AES-128 decryption;
CTR Mode: implement AES-128 encryption only.
         Lowest gate count: AES-128 in CTR mode.

SHA-256 cost during key agreement (if implemented in software):
Full MQV with Key Confirmation:             additional 15% workload compared to hardware only.
Modified-ECIES TLS-Variant Key agreement: additional 30% workload compared to hardware only.

MAC implementation (in hardware):
CBC-MAC: implement both AES-128 encryption and AES-128 decryption
HMAC: implement SHA-256.
    Lowest gate count: roughly equal!!! (if encr + auth computations not carried out in parallel)

*AES-OCB with Authentic Side Information: implement both AES-128 encryption and decryption
    (Note: Attractive if 55 Mbps 500 Mbps, since encr + auth computations carried out in parallel.)
  Submission                                   Slide 14                       Rene Struik, Certicom Corp.
July, 2002                                                             doc.: IEEE 802.15-02/218r2

                Implementation Issues (2)
Gate count figures1
Option 1: AES-128 in CBC Mode + SHA-256:                            30.7k (21.7k if slow SHA-256 used)

Option 2: AES-128 in CTR Mode + SHA-256:                            27k (18k if slow SHA-256 used)

Option 3: AES-128 in CTR Mode + Strengthened CBC-MAC:               35.1k [26.7k]*
           Same but with ‘basic’ CBC-MAC                            26.7k [21.1k]*

Option 4: AES-128 in OCB Mode:                                      32.1k [29.3k]*

Figures are based on the following:
1.   Gate count for temporary and permanent storage (e.g., keying material and status info), both
     at cost of 6 gates/bit and 4 gates/bit {latter in square brackets *}.
2.   Cost include gate count core algorithm plus mode gate count and the minimum number of
     registers to support base core function.
3.   0.13 technology, based on 8051 processor, RAM/ROM, RF circuitry, and Register File.
4. Throughput rate: 50 Mbps; clock rate: 40 MHz.

The architecture of the system IC design could have impact on both the gate count and perform
of the hardware macro modules.
             1Estimates
                      courtesy of Motorola Labs - Advanced Systems Architecture Security Technology Center
             (improved gate count figures using ‘slow’ SHA-256 courtesy of Certicom Embedded Systems Gro
Submission                                     Slide 15                      Rene Struik, Certicom Corp.
July, 2002                                                               doc.: IEEE 802.15-02/218r2

               Implementation Issues (3)
Speed comparison of Message Authentication Codes
CBC-MAC Function:
Cost of message authentication  Cost of data encryption (per bit)
[Message integrity over n blocks: n+2 block cipher applications;
 Encryption over n blocks: n block cipher operations (discarding initialization of IV vector)]

HMAC-256 based on the un-keyed hash function SHA-256:
Cost of message authentication  14% of cost of data encryption (per bit)
[At 40MHz clock rate, the throughput figures are as follows (example):
                     -AES-128 in CTR mode: ±50Mbps
                     -SHA-256: ±350Mbps]

Important Note: (Trade-offs gate count – efficiency of SHA-256 implementation) (!!!)
- Full speed HMAC-256: 5k+17.5k gates; Slow HMAC-256: 5k+4.6k gates
            (‘Full speed’ HMAC-256 operates < 2 as fast as ‘Slow’ HMAC-256)
Note: ‘slow’ HMAC-256 is relatively still much faster than AES-128 (so slow-down not noticeable)

Message authentication based on AES-OCB mode of operation:
Cost of message authentication  2/L Cost of data encryption (per bit)
[L is message length in #encryption block sizes]
Submission                                    Slide 16                         Rene Struik, Certicom Corp.
July, 2002                                                         doc.: IEEE 802.15-02/218r2

                         Implementation Issues (4)

Side Effect of Choice of Message Authentication Codes

SHA-256 cost during key agreement (if implemented in software):
Full MQV with Key Confirmation:             additional 15% workload compared to hardware only.
Modified-ECIES TLS-Variant Key agreement: additional 30% workload compared to hardware only.

SHA-256 cost during Implicit Certificate Verification (if implemented in software):
Full MQV with Key Confirmation:                additional 37% workload compared to hardware only.
Modified-ECIES TLS-Variant Key agreement: additional 37% workload compared to hardware only.

SHA-256 cost during ACL Processing (if implemented in software):
Additional 100% workload compared to hardware only.




Submission                                 Slide 17                      Rene Struik, Certicom Corp.
July, 2002                                                           doc.: IEEE 802.15-02/218r2

                                     Conclusion

Optimum Choice of Symmetric encryption Algorithms
• Block cipher: AES-128 in CTR Mode;
• Hash function: SHA-256;
• Message authentication code: HMAC-256 based on SHA-256, truncated to leftmost 128 output bits.

Required Changes to the Draft
Replace §2.2.4.6 of document 02/210r0 by the following text:

§2.2.4.6 CTR Mode of Operation:
The counter mode of operation (CTR Mode) for block ciphers used in this security suite shall be
preceded by a counter CTR and performed as specified in NIST Special Publication 800-38A
[{xref} MODES}].

Recommendation to the Editor: define CTR as specified on Slide 9 of this presentation.




Submission                                   Slide 18                      Rene Struik, Certicom Corp.

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:16
posted:12/8/2011
language:English
pages:18