
Institut für Integrierte Systeme / Integrated Systems Laboratory

Fachpraktikum, 5th/6th Semester, Electrical Engineering Programme, IS 1: CryptoFun

cryptfun@iis.ee.ethz.ch

Advisors: Luca Henzen (ETZ J71.2), Lukas Bruderer (ETZ J68.2), Christoph Roth (ETZ J89)

1 Introduction

The goal of this Fachpraktikum is to learn some basic notions of cryptography and to understand the main potential of an FPGA device. Parts of the text that have a gray background, like the current paragraph, indicate steps to be carried out on the FPGA to complete the exercise. Other parts of the text have a lighter gray background, like the current paragraph; they indicate steps to be carried out in MATLAB to complete the exercise.

1.1 Goals of this Fachpraktikum

By completing this Fachpraktikum you will learn:

1. some essential rudiments of cryptography,
2. some basics of MATLAB coding,
3. how to program and use an FPGA,
4. how to draw block diagrams and finite state machines for hardware design.

We hope you will have fun.

Login: cryptfun
Password: iisfach1

1.2 Usage of Cryptography

The word cryptography stems from the two Greek words kryptos (hidden, secret) and graphia (to write). In brief, it means to write in a secret way. It is almost as old as human history and writing. The first usage dates back to the Egyptians! After them the Spartans, the Romans, thinkers of the Middle Ages, and especially armies made use of cryptography. No doubt, however, that cryptography experienced a renaissance after the introduction of digital computation. Nowadays, exchanging information has become terribly simple and fast. Keeping it confidential, however, is the real challenge of modern communication.

Cryptography relies on a very basic idea: plaintext is encrypted with a cipherkey, resulting in ciphertext. The same cipherkey can then be used to retrieve the plaintext from the ciphertext. The security of a cryptographic algorithm is defined as the difficulty of decrypting the ciphertext without knowing the cipherkey. The ultimate goal of security is so-called unconditional security, which cannot be broken even with an infinite amount of computational resources. Since unconditionally secure algorithms are very impractical, computationally secure algorithms are generally considered an acceptable standard. Computational security translates into a sufficiently high effort (in terms of time and resources) to break the system. Most crypto-algorithms rely on mathematical problems that are considered very difficult to solve.

1.3 Advanced Encryption Standard (AES)


[Figure 1: Flow charts of encryption and decryption of the AES algorithm. ENCRYPTION: plaintext, AddRoundKey, then 10 rounds of SubBytes, ShiftRows, MixColumns and AddRoundKey (the final round with SubBytes, ShiftRows and AddRoundKey only), giving the ciphertext. DECRYPTION: ciphertext, AddRoundKey, then 10 rounds of InvShiftRows, InvSubBytes, AddRoundKey and InvMixColumns, giving the plaintext.]

The first widely used encryption algorithm was called Digital Encryption Standard (DES) and was introduced in the U.S. in 1976. It made use of 56-bit cipherkeys; therefore, the number of possible keys was 2^56. Although this might appear a fairly large number, in 1999 DES was broken in less than 24 hours. The Advanced Encryption Standard (AES)¹ represents the evolution of DES and was defined in 2000. Cipherkeys of 128 bits² are adopted, making brute-force decryption practically impossible. The sequence of operations needed to encrypt/decrypt is shown in Fig. 1. Some insight into the single operations is given in Section 3.1.

[Figure 2: Modes of operation: xj is the j-th block of the plaintext, cj is the j-th cipher block, and x̂j is the j-th decrypted block. Four panels, each showing the n-bit AES block (and its inverse AES⁻¹ where used) with the key: (ECB) xj is encrypted directly into cj; (CBC) cj−1 is fed back and XORed with xj before encryption; (CFB) an r-bit shift register holds ij, the AES output's leftmost r bits are XORed with xj to give cj, which is shifted back in; (OFB) the AES output ij is fed back into the shift register and its leftmost r bits are XORed with xj.]

1.4 Modes (ECB, CBC, CFB, OFB)

A single block cipher encrypts/decrypts 128-bit blocks. However, the plaintext is normally much longer. The modes of operation are various arrangements of block ciphers that allow the encoding/decoding of long plaintexts. The most common alternatives (see Fig. 2) are [1]:

1. Electronic CodeBook (ECB);
2. Cipher-Block Chaining (CBC);
3. Cipher FeedBack (CFB);
4. Output FeedBack (OFB).

ECB is the easiest approach: the long plaintext is subdivided into 128-bit blocks that are encrypted/decrypted individually. The flow of the data is straightforward and no feedback paths are implemented. Identical plaintext blocks result in identical ciphertext blocks. For this reason, input data patterns are not hidden. We will exploit this property of ECB later on. For the moment, it is worth observing that ECB is not safe for encrypting/decrypting messages longer than one block.

In the cipher-block chaining (CBC) mode, each block of plaintext is XORed with the previous ciphertext block before being encrypted. In this way, each ciphertext block depends on all plaintext blocks processed up to that point. CBC exploits the feedback of the ciphertext to improve security. As a consequence, identical plaintexts normally generate different ciphertexts. CFB is similar, but makes use of shift registers. OFB mode converts a block cipher into a synchronous stream cipher: it generates keystream blocks, which are then XORed with the plaintext blocks to get the ciphertext.

¹ http://csrc.nist.gov/CryptoToolkit/aes
² Also 196 and 256 bits are supported.

2 Interactive Examples of Encryption/Decryption in ECB Mode

Now, you will play around with the ECB mode of operation.

2.1 MATLAB Code

The ECB mode has been coded in MATLAB. Therefore, go to the matlab directory and take a look at its contents. You will find the encryptImage.m script, which encrypts images, and encryptSound.m, which encrypts audio files. They are both based on the same implementation of the AES algorithm (cipher.m). Have a look at the cipher.m script and compare it to Fig. 1. Is there any difference? Start MATLAB.

2.1.1 Encrypting/Decrypting Images

You will encrypt images by following these steps:

1. Have a look at the well-known picture of Lena:
   lena = imread('../data/lena.tif'); figure(1); colormap gray; imagesc(lena);
2. Encrypt it by invoking this function (it takes a few minutes):
   lena_encrypted = encryptImage(lena);
3. Display the encrypted picture by typing
   figure(2); colormap gray; imagesc(lena_encrypted);
   Can you still recognize the lady with the hat? Why?
4. To show that the original picture can be retrieved, try the decryption:
   lena_decrypted = decryptImage(lena_encrypted);
5. Display the decrypted image:
   figure(3); colormap gray; imagesc(lena_decrypted);
   Is it identical to the original picture of Lena?

2.1.2 Encrypting/Decrypting Audio

Now, let us play some music. Listen to the short piece of music we prepared for you. The audio file is located in ../data/sound.wav. Now, follow these steps:

1. Go back to MATLAB and load the piece of music:
   music = wavread('../data/sound.wav');
2. Cut it down to one second. The sampling frequency is 22.05 kHz, thus it is sufficient to take the first 22050 samples:
   music = music(1:22050);
3. Encrypt it by invoking the script
   music_encrypted = encryptSound(music);
   Again, be aware that data preparation and encryption take a few minutes.
4. Run the decryption as well:
   music_decrypted = decryptSound(music_encrypted);
5. Write out both the encrypted and the decrypted piece of music:
   wavwrite(music_encrypted,22050,'../data/sound_encrypted.wav');
   wavwrite(music_decrypted,22050,'../data/sound_decrypted.wav');

Listen to the encrypted piece of music by opening the file ../data/sound_encrypted.wav (BE CAREFUL WITH THE VOLUME), or by typing in MATLAB

   wavplay(music, 22050)
   wavplay(music_encrypted, 22050)
   wavplay(music_decrypted, 22050)

What do you hear? Is the original piece of music still recognizable? Why? Then, listen to the decrypted song and verify that it is the same as the original one.

2.2 ECB with Constant Data Values

If you completed all previous steps, you should be of the opinion that cryptography actually works. In the end, why should it be possible to recognize encrypted data? Be prepared for a surprise. Bear in mind that in ECB mode identical input blocks are converted into identical cipher blocks, regardless of the history of the sent ciphertext. So, which output would you expect from a constant input? Suppose you are given the simple drawing in Fig. 3. Assume you send it through an AES block, column-wise from top to bottom. Take a pen and try to draw the encrypted image. Do you think that the encrypted image depends on the choice of the cipherkey? In which sense? Now, you can go to the end of this assignment and have a look at Fig. 8 and Fig. 9. They represent the drawing encrypted with two different cipherkeys. Do they match your expectations?

2.3 ECB with Clipped Data

It seems that some pictures can still be recognized after encryption and, by now, you should also know the reason. Yet, normally pictures are not as simple as Fig. 3. They contain details, as Lena does, which prevent the encrypted data from preserving the contours of the original. Yet, by converting Lena to black and white, large regions of the same color may still be recognized after encryption. So, let us try this.

Figure 3: Simple test image.

2.3.1 Video: Lena

Go back to MATLAB.

1. Convert the picture of Lena into a black and white image by using the following script:
   lenaBW = clipImage(lena);
2. Have a look at the black and white Lena:
   figure(4); colormap gray; imagesc(lenaBW);
3. Encrypt lenaBW by invoking:
   lenaBW_encrypted = encryptImage(lenaBW);
4. Display the encrypted lenaBW:
   figure(5); colormap gray; imagesc(lenaBW_encrypted);
   What happened to poor Lena?

2.3.2 Audio

So much for images. Yet, audio may behave analogously. Increasing the contrast of a picture is similar to hard-clipping the audio wave: when clipping a signal, data above/below a certain threshold are set to the maximum/minimum allowed values.

Follow these steps:

1. Clip the audio:
   musicClipped = clipSound(music,1000);
2. Export it:
   wavwrite(musicClipped,22050,'../data/soundClipped.wav');

Now you can listen to it, as you did before.

1. Go back to MATLAB and encrypt the clipped piece of music:
   musicClipped_encrypted = encryptSound(musicClipped);
2. Write out the encrypted clipped piece of music:
   wavwrite(musicClipped_encrypted,22050,'../data/soundClipped_encrypted.wav');

Finally, listen to it. Can you recognize the original song? The clipSound script accepts two arguments, the piece of music to be clipped and the clipping factor (see Fig. 4 for a clipping factor of 2.5). Repeat the previous steps with a clipping factor of 10. Now, the song is much less distorted before encryption. Yet, what happens after encryption?

2.4 FPGA Demonstration of ECB Encryption/Decryption

You have learnt by experience that encrypting a short one-second audio file takes approximately 2-4 minutes in MATLAB, thus around 240 times longer than the audio itself! To encode audio in real time we need dedicated hardware. First, the MATLAB code has been translated into VHDL (Very high speed integrated circuit Hardware Description Language). The hardware description language allows, among other things, the programming of an FPGA, which will fulfill our requirements of real-time audio encoding.

[Figure 4: Clipped sinusoidal wave with clipping factor of 2.5. The plot shows sin(θ) for θ from 0 to 2π (ticks at π/4, π/2, 3π/2 and 2π) on an amplitude axis from -2.5 to 2.5, with three curves: the original wave, the amplified wave (x2.5) and the clipped wave.]

Introduction

FPGAs (Field Programmable Gate Arrays) are programmable devices consisting of configurable logic blocks, CLBs (logic and flip-flops), arranged in a matrix structure with programmable routing channels in between. They are used extensively for prototyping and for production where short design cycles and sometimes the possibility of in-system (re-)programming (ISP) are important. The term firmware is often used for such solutions if the programming data for an FPGA resides in a platform flash or EEPROM (electrically erasable and programmable ROM).

Description of the system

The encryption algorithm has been implemented in VHDL to be run on such a dedicated hardware platform. Fig. 5 presents the development platform, providing an FPGA, PROM and connectors. A stereo 24-bit audio codec and a VGA video interface are provided on two daughter boards. All the boards have been designed at the institute. The board features:

- Xilinx Spartan-3E XC3S500E-4 PQ208 FPGA
- 1 MByte SRAM
- USB
- 4 user impulse push-buttons
- 4 user DIP switches
- 4 user LEDs
- EEPROM
- 25 MHz oscillator
- Design programming interfaces: 1. Platform Flash Xilinx XCF04; 2. JTAG port; 3. parallel interface to the on-board JTAG

Table 1: Configurations for clipping audio data.

  Button/LED(3)   Button/LED(2)   Button/LED(1)   Clipping configuration
  off             off             off             no clipping
  off             off             on              Factor 8
  off             on              off             Factor 64
  off             on              on              Factor 256
  on              off             off             Factor 1024
  on              off             on              Factor 4096
  on              on              off             Factor 16384
  on              on              on              Decryption

For a first demonstration, connect the Line-Out of the workstation to the Line-In of the FPGA board (Fig. 5) and the headphones to Line-Out. Connect the power supply. The provided design is stored in the Platform Flash; this configuration is loaded into the FPGA after power-up. LED(0) provides a toggling status and Push-Button(0) is an asynchronous reset. Play the music and listen to the encrypted data without clipping the incoming music data.

Figure 5: FPGA board with audio CODEC and video VGA daughter boards.

The design enables parametrization of the clipping functionality via Push-Button[1..3] according to Tab. 1. The status is visualized by the corresponding LED[1..3]. Check your expectations for the different clipping configurations. And, if you do not trust encryption, experiment with decryption.

2.5 Cipher Block Chaining (CBC) with Clipping

At this point, you probably noticed that ECB mode is not very safe. Inputs can maliciously be manipulated in order to reveal the encrypted data. The other modes of operation indeed reach a much higher degree of security through feedback data paths, which basically make encryption dependent on the previous cipher blocks. To make you more confident with cryptography, and to show you that it actually works, CBC mode has been coded in MATLAB too. In order to demonstrate the benefits of the CBC mode, you will work only with the black and white picture of Lena and with the clipped song.

2.5.1 Video: Lena

1. Encrypt the black-and-white Lena with this function:
   lenaBW_encrypted_CBC = encryptImageCBC(lenaBW);
2. Display the picture encrypted in CBC mode by typing
   figure(6); colormap gray; imagesc(lenaBW_encrypted_CBC);
   Is it equal to the Lena encrypted in ECB mode? Can you still see the lady?
3. Decrypt the picture encoded in CBC mode:
   lenaBW_decrypted_CBC = decryptImageCBC(lenaBW_encrypted_CBC);
4. Display the decrypted image:
   figure(7); colormap gray; imagesc(lenaBW_decrypted_CBC);

2.5.2 Audio

1. Encrypt in CBC mode the song clipped with a factor of 1000 by invoking the script
   musicClipped_encrypted_CBC = encryptSoundCBC(musicClipped);
2. Run the decryption:
   musicClipped_decrypted_CBC = decryptSoundCBC(musicClipped_encrypted_CBC);
3. Write out both the encrypted and the decrypted piece of music:
   wavwrite(musicClipped_encrypted_CBC,22050,'../data/soundClipped_encrypted_CBC.wav');
   wavwrite(musicClipped_decrypted_CBC,22050,'../data/soundClipped_decrypted_CBC.wav');

Now you can listen to them. What do you hear after encryption with CBC mode?
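The experiments of Sections 1.4, 2.2, 2.3 and 2.5 reduced to one runnable script (an added example, not the lab's MATLAB code): a Fig. 3-style drawing sent column-wise and a constructed chord signal, clipped the way clipSound does, are encrypted in ECB and in CBC, and the number of distinct ciphertext blocks is counted. The block cipher is a small keyed permutation that stands in for AES, because only the mode logic matters here (the lab's cipher.m uses real AES); the key, IV, image size and test signal are assumptions.

```python
"""ECB vs. CBC on data with repeated blocks (added example, not the lab's code).
The cipher below is a toy stand-in for AES and is NOT secure; image and audio
signal are constructed here."""
import math
import struct

BLOCK = 16  # AES block size in bytes; eight 16-bit PCM samples per block

def _keyed_sbox(key):
    """Byte-substitution table derived from the key (Fisher-Yates with an LCG)."""
    table = list(range(256))
    seed = int.from_bytes(key, "big") & 0xFFFFFFFF
    for i in range(255, 0, -1):
        seed = (1103515245 * seed + 12345) & 0x7FFFFFFF
        j = seed % (i + 1)
        table[i], table[j] = table[j], table[i]
    return table

class ToyBlockCipher:
    """Four rounds of key-XOR, byte substitution, running XOR and rotation:
    a bijection on 16-byte blocks with full diffusion, used as an AES stand-in."""
    def __init__(self, key):
        assert len(key) == BLOCK
        self.key = list(key)
        self.sbox = _keyed_sbox(key)
        self.inv = [0] * 256
        for i, s in enumerate(self.sbox):
            self.inv[s] = i

    def _round(self, x):
        y = [self.sbox[b ^ k] for b, k in zip(x, self.key)]
        for i in range(1, BLOCK):
            y[i] ^= y[i - 1]          # running XOR spreads each byte rightwards
        return y[-1:] + y[:-1]        # rotate right: last byte feeds the next round

    def _unround(self, y):
        y = y[1:] + y[:1]             # undo the rotation
        for i in range(BLOCK - 1, 0, -1):
            y[i] ^= y[i - 1]          # undo the running XOR
        return [self.inv[b] ^ k for b, k in zip(y, self.key)]

    def encrypt(self, block):
        x = list(block)
        for _ in range(4):
            x = self._round(x)
        return bytes(x)

    def decrypt(self, block):
        x = list(block)
        for _ in range(4):
            x = self._unround(x)
        return bytes(x)

def _blocks(data):
    assert len(data) % BLOCK == 0, "data must be a whole number of blocks"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(cipher, data):
    """ECB: every block is encrypted on its own, so equal blocks give equal output."""
    return b"".join(cipher.encrypt(b) for b in _blocks(data))

def cbc_encrypt(cipher, data, iv):
    """CBC: each plaintext block is XORed with the previous ciphertext block first."""
    out, prev = [], iv
    for b in _blocks(data):
        prev = cipher.encrypt(bytes(x ^ p for x, p in zip(b, prev)))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(cipher, data, iv):
    out, prev = [], iv
    for c in _blocks(data):
        out.append(bytes(x ^ p for x, p in zip(cipher.decrypt(c), prev)))
        prev = c
    return b"".join(out)

def distinct_blocks(data):
    """Number of different 16-byte blocks in a buffer: the ECB leakage metric."""
    return len(set(_blocks(data)))

def test_image(size=32):
    """Fig. 3-style drawing (constructed): black square on white, returned as
    bytes in column-wise order, as the lab feeds it to the cipher."""
    black = range(size // 4, 3 * size // 4)
    return bytes(0 if (r in black and c in black) else 255
                 for c in range(size) for r in range(size))

def clip_sound(samples, factor):
    """Hard clipping as in Fig. 4: amplify by `factor`, then limit to [-1, 1]."""
    return [max(-1.0, min(1.0, factor * s)) for s in samples]

def to_pcm16(samples):
    """Quantise to little-endian 16-bit PCM so eight samples fill one block."""
    return b"".join(struct.pack("<h", int(round(s * 32767))) for s in samples)

def chord(n=2048, rate=22050):
    """Constructed 'music': an A-major chord, whose blocks practically never repeat."""
    return [0.3 * math.sin(2 * math.pi * 440.0 * i / rate)
            + 0.2 * math.sin(2 * math.pi * 554.37 * i / rate)
            + 0.15 * math.sin(2 * math.pi * 659.26 * i / rate) for i in range(n)]

def experiment(key=bytes(range(16)), iv=bytes(16)):
    """Distinct-block counts for the ECB and CBC exercises (64 image / 256 audio blocks)."""
    cipher = ToyBlockCipher(key)
    img, audio, clipped = test_image(), to_pcm16(chord()), to_pcm16(clip_sound(chord(), 10))
    return {"image_plain": distinct_blocks(img),
            "image_ecb": distinct_blocks(ecb_encrypt(cipher, img)),
            "image_cbc": distinct_blocks(cbc_encrypt(cipher, img, iv)),
            "audio_ecb": distinct_blocks(ecb_encrypt(cipher, audio)),
            "clipped_ecb": distinct_blocks(ecb_encrypt(cipher, clipped))}

if __name__ == "__main__":
    for name, count in experiment().items():
        print(f"{name:12s} {count:4d} distinct blocks")
```

The drawing contains only three different plaintext blocks (all-white, white-over-black, black-over-white), and ECB maps them to exactly three ciphertext blocks, so the figure survives encryption; CBC's feedback makes nearly every one of the 64 output blocks unique. For the audio, clipping with factor 10 saturates most samples to the maximum or minimum value, collapsing the 256 mostly unique blocks of the chord into a much smaller set of repeated ciphertext blocks, which is why the clipped song stays recognizable under ECB.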

3 AES Architecture

The sequence of operations depicted in Fig. 1 is carried out according to the architecture shown in Fig. 6. Although the kind of operations and their ordering are the same, it is worth observing that:

1. The first AddRoundKey in Fig. 1 is actually only the EXOR between the plaintext and the cipherkey.
2. The loop in Fig. 1 is translated into a feedback path through MUX1.
3. The operations SubBytes, ShiftRows and AddRoundKey (in other words, all but MixColumns) are repeated once outside the loop in Fig. 1. In order to save hardware, MUX2 makes it possible to bypass MixColumns for the very last round only.
4. The register State keeps track of the performed operations. The ciphertext is the output of State after all rounds have been completed.

[Figure 6: Architecture of the AES encryption. The plaintext and the cipherkey enter the encryption round; MUX1 (select Sel1) chooses between the plaintext path and the round feedback into the State register; State feeds SubBytes, ShiftRows and MixColumns; MUX2 (select Sel2) allows MixColumns to be bypassed; AddRoundKey combines the result with the RoundKey produced by keygen from the cipherkey. The FSM, started by NewData, drives Sel1, Sel2 and DataReady. The ciphertext is taken from State.]

[Figure 7: Basic transformation blocks. State: a 4×4 matrix of bytes S0,0 ... S3,3 (row r, column c). SubBytes: each byte passes through an sbox with an 8-bit input and an 8-bit output. ShiftRows: the rows become S0,0 S0,1 S0,2 S0,3 / S1,1 S1,2 S1,3 S1,0 / S2,2 S2,3 S2,0 S2,1 / S3,3 S3,0 S3,1 S3,2. MixColumns: each column passes through a mixcolumns block with a 32-bit input and a 32-bit output. AddRoundKey: the State is combined with the RoundKey.]

3.1 AES Modules

In this subsection, you will gain insight into the single AES blocks that are needed for drawing a nice block diagram of the architecture.

State

In the AES, the State contains 128 bits, which are organized as a matrix.

SubBytes

The SubBytes transformation is a non-linear byte substitution that operates independently on each byte of the State using a substitution table, which we will call sbox. More information would be overkill here; just consider this operation as a look-up table that works on a single byte.

ShiftRows

In the ShiftRows transformation, the bytes in the last three rows of the State are cyclically offset by different numbers of bytes. The first row, however, is not shifted.

MixColumns

The MixColumns transformation operates on the output of ShiftRows column by column. Consider MixColumns as a black box too, but be aware that it operates on four bytes.

AddRoundKey

In the AddRoundKey transformation, the RoundKey is added by a simple EXOR operation. RoundKeys are different at each encryption round. They are generated by a keygen function, which takes the cipherkey as input.

Finite State Machine (FSM)

The FSM is started by the signal NewData, which announces that new data is ready to be encrypted. Ten clock cycles are necessary to complete the encryption. Outputs of the FSM are the select signals for the two MUXes and, additionally, a DataReady signal that is set to 0 during the computation and goes to 1 when the encryption is over.

3.2 Block Diagram and Finite State Machine

On the basis of the information above, try to draw a complete block diagram of the AES architecture. Try also to draw the simple FSM that is required. Start from Fig. 6 and replace each block by the proper transformation, as explained in the previous subsection. Remember that plaintext, cipherkey, and ciphertext are 128 bits wide. Yet, do not represent the single bits! Work with 128-, 32- and 8-bit buses instead. (Hint: as SubBytes applies to bytes, you should draw 16 independent sboxes...)
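The datapath of Fig. 6 and the modules of Section 3.1 (and the round structure of Section 1.3) in executable form, as an added example that is not the lab's cipher.m or its VHDL: AES-128 is clocked round by round through a State register, with MUX1 selecting the plaintext path, MUX2 bypassing MixColumns in the last round, keygen producing the RoundKeys, and an FSM trace carrying Sel1, Sel2 and DataReady for each of the ten clock cycles. The result is checked against the FIPS-197 Appendix C.1 test vector; the trace field names follow the figure's signal names and are an assumption of this example.

```python
"""AES-128 encryption modelled on the Fig. 6 datapath (added example, not the
lab's code). State bytes are kept column-wise: byte (row r, column c) sits at
index r + 4*c, as in FIPS-197."""

def gmul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (the AES field)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def _build_sbox():
    """The sbox: multiplicative inverse in GF(2^8) followed by the affine map."""
    table = []
    for x in range(256):
        inv = 0
        if x:
            inv = 1
            for _ in range(254):      # x^254 is the inverse of x in GF(2^8)
                inv = gmul(inv, x)
        s = inv
        for _ in range(4):
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        table.append(s ^ 0x63)
    return table

SBOX = _build_sbox()

def sub_bytes(state):
    """16 independent sbox look-ups, one per byte (8 bits in, 8 bits out)."""
    return [SBOX[b] for b in state]

def shift_rows(state):
    """Row r is rotated left by r bytes; row 0 stays in place."""
    return [state[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(state):
    """Each 32-bit column is multiplied by the fixed AES matrix."""
    out = []
    for c in range(4):
        a = state[4 * c:4 * c + 4]
        out += [gmul(a[0], 2) ^ gmul(a[1], 3) ^ a[2] ^ a[3],
                a[0] ^ gmul(a[1], 2) ^ gmul(a[2], 3) ^ a[3],
                a[0] ^ a[1] ^ gmul(a[2], 2) ^ gmul(a[3], 3),
                gmul(a[0], 3) ^ a[1] ^ a[2] ^ gmul(a[3], 2)]
    return out

def add_round_key(state, round_key):
    """The EXOR of the State with the RoundKey."""
    return [s ^ k for s, k in zip(state, round_key)]

def keygen(cipherkey):
    """Expand the 128-bit cipherkey into the eleven 16-byte RoundKeys."""
    w = [list(cipherkey[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 0x01
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord
            t[0] ^= rcon
            rcon = gmul(rcon, 2)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * k:4 * k + 4], []) for k in range(11)]

def encrypt_block(plaintext, cipherkey):
    """Clock the Fig. 6 datapath for one block.  Returns (ciphertext, trace);
    the trace lists Sel1, Sel2 and DataReady for each of the ten clock cycles."""
    round_keys = keygen(cipherkey)
    # NewData: MUX1 selects the plaintext path, and the first AddRoundKey is
    # just plaintext EXOR cipherkey loaded into State
    state = add_round_key(list(plaintext), round_keys[0])
    trace = []
    for rnd in range(1, 11):
        sel2 = int(rnd == 10)                    # MUX2 bypasses MixColumns in round 10
        t = shift_rows(sub_bytes(state))
        if not sel2:
            t = mix_columns(t)
        state = add_round_key(t, round_keys[rnd])  # MUX1 on the feedback path
        trace.append({"cycle": rnd, "Sel1": 1, "Sel2": sel2, "DataReady": int(rnd == 10)})
    return bytes(state), trace

if __name__ == "__main__":
    # FIPS-197 Appendix C.1 test vector
    ct, trace = encrypt_block(bytes.fromhex("00112233445566778899aabbccddeeff"),
                              bytes.fromhex("000102030405060708090a0b0c0d0e0f"))
    print(ct.hex())  # 69c4e0d86a7b0430d8cdb78070b4c55a
```

Drawing the block diagram from this code is direct: sub_bytes is 16 sboxes on an 8-bit bus each, mix_columns is four mixcolumns blocks on 32-bit buses, and the loop body is one clock cycle of the FSM, whose only state is the round counter that sets Sel2 and DataReady in the tenth cycle.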

References
[1] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, Handbook of Applied Cryptography. Boca Raton, FL: CRC Press, 2006.

Figure 8: Simple test image after encryption.

Figure 9: Simple test image after encryption with a dierent cipherkey.
